Nortel Networks 2300 User Manual

Part No. 320657-A September 2005
4655 Great America Parkway
Santa Clara, CA 95054

Nortel WLAN Security Switch 2300 Series Configuration Guide

Release 4.0
320657-A
Copyright © Nortel Networks Limited 2005. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
Trademarks
Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks. Microsoft, MS, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. All other trademarks and registered trademarks are the property of their respective owners.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Inc. reserves the right to make changes to the products described in this document without notice.
Nortel Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
USA requirements only
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy. If it is not installed and used in accordance with the instruction manual, it may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to take whatever measures may be necessary to correct the interference at their own expense.
Nortel Inc. software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel or certify its destruction. Nortel may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel to include additional or different terms, Customer agrees to abide by such terms provided by Nortel with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL Nortel OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF Nortel NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4. General
a) If Customer is the United States Government, the following paragraph shall apply: All Nortel Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b) Customer may terminate the license at any time. Nortel may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel or certify its destruction.
c) Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d) Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e) The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel.
f) This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
Legal Information
This section includes the following legal information:
“Limited Product Warranty” on page 4
“Software License Agreement” on page 6
“SSH Source Code Statement” on page 8
“OpenSSL Project License Statements” on page 9
“Trademarks and Service Marks” on page 9
Limited Product Warranty
The following sections describe the Nortel standard Product Warranty for End Users.
Products
WLAN—Wireless Security Switch (23x0) Family
WLAN—Access Points (2330) Family
Limited Warranty
Nortel standard warranty for hardware is one (1) year. Nortel warrants software materials to be defect free for 90 Days from time of purchase. Nortel requires purchasing the software subscription if a customer would like to receive new WLAN—Wireless Security Switch (23x0), Nortel WLAN — Management System software. This limited warranty extends only to you the original purchaser of the Product.
Exclusive Remedy
Your sole remedy under the limited warranty described above is, at Nortel’s sole option and expense, the repair or replacement of the non-conforming Product or refund of the purchase price of the non-conforming Products. Nortel’s obligation under this limited warranty is subject to compliance with Nortel’s then-current Return Material Authorization (“RMA”) procedures. All replaced Products will become the property of Nortel. Exchange Products not returned to Nortel will be invoiced at full Product list prices. Replacement Products may be new, reconditioned or contain refurbished materials. In connection with any warranty services hereunder, Nortel may in its sole discretion modify the Product at no cost to you to improve its reliability or performance.
Warranty Claim Procedures
Should a Product fail to conform to the limited warranty during the applicable warranty period as described above, Nortel must be notified during the applicable warranty period in order to have any obligation under the limited warranty.
The End Customer or their designated reseller must obtain a Return Material Authorization number (RMA number) from Nortel for the non-conforming Product and the non-conforming Product must be returned to Nortel according to the then-current RMA procedures. The End Customer or their designated reseller is responsible to ensure that the shipments are insured, with the transportation charges prepaid and that the RMA number is clearly marked on the outside of the package. Nortel will not accept collect shipments or those returned without an RMA number clearly visible on the outside of the package.
Exclusions and Restrictions
Nortel shall not be responsible for any software, firmware, information or memory data contained in, stored on or integrated with any Product returned to Nortel pursuant to any warranty or repair. Upon return of repaired or replaced Products by Nortel, the warranty with respect to such Products will continue for the remaining unexpired warranty or sixty (60) days, whichever is longer. Nortel may provide out-of-warranty repair for the Products at its then-prevailing repair rates.
The limited warranty for the Product does not apply if, in the judgment of Nortel, the Product fails due to damage from shipment, handling, storage, accident, abuse or misuse, or it has been used or maintained in a manner not conforming to Product manual instructions, has been modified in any way, or has had any Serial Number removed or defaced. Repair by anyone other than Nortel or an approved agent will void this warranty.
EXCEPT FOR ANY EXPRESS LIMITED WARRANTIES FROM Nortel SET FORTH ABOVE, THE PRODUCT IS PROVIDED “AS IS”, AND Nortel AND ITS SUPPLIERS MAKE NO WARRANTY, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO PRODUCT OR ANY PART THEREOF, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THOSE ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. Nortel’S SUPPLIERS MAKE NO DIRECT WARRANTY OF ANY KIND TO END CUSTOMER FOR THE LICENSED MATERIALS. NEITHER Nortel NOR ANY OF ITS SUPPLIERS WARRANT THAT THE LICENSED MATERIALS OR ANY PART THEREOF WILL MEET END CUSTOMER'S REQUIREMENTS OR BE UNINTERRUPTED, OR ERROR-FREE, OR THAT ANY ERRORS IN THE PRODUCT WILL BE CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO END CUSTOMER. THIS LIMITED WARRANTY GIVES END CUSTOMER SPECIFIC LEGAL RIGHTS. END CUSTOMER MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL Nortel OR ITS SUPPLIERS BE LIABLE FOR THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF PROFITS, OR FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES (OR DIRECT DAMAGES IN THE CASE OF Nortel’S SUPPLIERS) ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE ARISING OUT OF OR RELATED TO THE PRODUCT OR ANY USE OR INABILITY TO USE THE PRODUCT. Nortel’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THE PRODUCT, OR USE OR INABILITY TO USE THE PRODUCT, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID FOR THE PRODUCT. THE LIMITATIONS SET FORTH IN THIS SECTION SHALL APPLY EVEN IF Nortel AND/OR ITS SUPPLIERS ARE ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. Nortel NEITHER ASSUMES NOR AUTHORIZES ANY OTHER PERSON TO ASSUME FOR IT ANY OTHER LIABILITY IN CONNECTION WITH THE SALE, INSTALLATION, MAINTENANCE OR USE OF ITS PRODUCTS.
Software License Agreement
PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (“AGREEMENT”) CAREFULLY BEFORE USING THE SOFTWARE AND ASSOCIATED DOCUMENTATION THAT IS PROVIDED WITH THIS AGREEMENT (“SOFTWARE,” “DOCUMENTATION,” AND COLLECTIVELY, “LICENSED MATERIALS”).
BY USING ANY LICENSED MATERIALS, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT AND YOU WILL BE CONSENTING TO BE BOUND BY THEM. IF YOU DO NOT ACCEPT THESE TERMS AND CONDITIONS, DO NOT USE THE LICENSED MATERIALS AND RETURN THE LICENSED MATERIALS AND ANY EQUIPMENT PROVIDED BY Nortel IN CONNECTION THEREWITH (“EQUIPMENT”) UNUSED IN THE ORIGINAL SHIPPING CONTAINER TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Software may be provided by Nortel on a standalone basis (“Standalone Software”) or it may be provided embedded in Equipment (“Embedded Software”).
1. License.
(a) Subject to the terms and conditions of this Agreement, Nortel (“Nortel”), grants to you (“Licensee”) a limited, non-exclusive, non-transferable license, without the right to sublicense: (i) to install and use the Standalone Software, in object code format only, on computer hardware for which all corresponding license fees have been paid; (ii) use one (1) copy of the Embedded Software, in object code format only, solely as embedded in Equipment, each solely in accordance with the Documentation for Licensee’s internal business purposes.
(b) The license set forth above does not include any rights to and Licensee shall not (i) reproduce (except as set forth in Section 1(c)), modify, translate or create any derivative work of all or any portion of the Licensed Materials or Equipment, (ii) sell, rent, lease, loan, provide, distribute or otherwise transfer all or any portion of the Licensed Materials (except as set forth in Section 1(f)), (iii) reverse engineer, reverse assemble or otherwise attempt to gain access to the source code of all or any portion of the Licensed Materials or Equipment, (iv) use the Licensed Materials for third-party training, commercial time-sharing or service bureau use, (v) remove, alter, cover or obfuscate any copyright notices, trademark notices or other proprietary rights notices placed or embedded on or in the Licensed Materials or Equipment, (vi) use any component of the Software or Equipment other than solely in conjunction with operation of the Software and as applicable, Equipment, (vii) unbundle any component of the Software or Equipment, (viii) use any component of the Software for the development of or in conjunction with any software application intended for resale that employs any such component, (ix) use the Licensed Materials or Equipment in life support systems, human implantation, nuclear facilities or systems or any other application where failure could lead to a loss of life or catastrophic property damage, or (x) cause or permit any third party to do any of the foregoing.
If Licensee is a European Union resident, Licensee acknowledges that information necessary to achieve interoperability of the Software with other programs is available upon request.
(c) Licensee may make a single copy of the Standalone Software and Documentation solely for its back-up purposes; provided that any such copy is the exclusive property of Nortel and its suppliers and includes all copyright and other intellectual property right notices that appear on the original.
(d) Nortel may provide updates, corrections, enhancements, modifications or bug fixes for the Licensed Materials (“Updates”) to Licensee. Any such Update shall be deemed part of the Licensed Materials and subject to the license and all other terms and conditions hereunder.
(e) Nortel shall have the right to inspect and audit Licensee’s use, deployment, and exploitation of the Licensed Materials for compliance with the terms and conditions of this Agreement.
(f) Licensee shall have the right to transfer the Embedded Software as embedded in Equipment in connection with a transfer of all of Licensee’s right, title and interest in such Equipment to a third party; provided, that, Licensee transfers the Embedded Software and any copies thereof subject to the terms and conditions of this Agreement and such third party agrees in writing to be bound by all the terms and conditions of this Agreement.
(g) Notwithstanding anything to the contrary herein, certain portions of the Software are licensed under and Licensee's use of such portions are only subject to the GNU General Public License version 2. If Licensee or any third party sends a request in writing to Nortel at 110 Nortech Parkway, San Jose CA 95134, ATTN: Contracts Administration, Nortel will provide a complete machine-readable copy of the source code of such portions for a nominal cost to cover Nortel's cost in physically providing such code.
2. Ownership. Nortel or its suppliers own and shall retain all right, title and interest (including without limitation all intellectual property rights), in and to the Licensed Materials and any Update, whether or not made by Nortel. Licensee acknowledges that the licenses granted under this Agreement do not provide Licensee with title to or ownership of the Licensed Materials, but only a right of limited use under the terms and conditions of this Agreement. Except as expressly set forth in Section 1, Nortel reserves all rights and grants Licensee no licenses of any kind hereunder. All information or feedback provided by Licensee to Nortel with respect to the Software or Equipment shall be Nortel’s property and deemed confidential information of Nortel.
3. Confidentiality. Licensee agrees that the Licensed Materials contain confidential information, including trade secrets, know-how, and information pertaining to the technical structure or performance of the Software, that is the exclusive property of Nortel as between Licensee and Nortel. In addition, Nortel’s confidential information includes any confidential or trade secret information related to the Licensed Materials. During the period this Agreement is in effect and at all times thereafter, Licensee shall maintain Nortel’s confidential information in confidence and use the same degree of care, but in no event less than reasonable care, to avoid disclosure of Nortel’s confidential information as it uses with respect to its own confidential and proprietary information of similar type and importance. Licensee agrees to only disclose Nortel’s confidential information to its directors, officers and employees who have a bona fide need to know solely to exercise Licensee’s rights under this Agreement and to only use Nortel’s confidential information incidentally in the customary operation of the Software and Equipment. Licensee shall not sell, license, sublicense, publish, display, distribute, disclose or otherwise make available Nortel’s confidential information to any third party nor use such information except as authorized by this Agreement. Licensee agrees to immediately notify Nortel of the unauthorized disclosure or use of the Licensed Materials and to assist Nortel in remedying such unauthorized use or disclosure. It is further understood and agreed that any breach of this Section 3 or Section 1(b) is a material breach of this Agreement and any such breach would cause irreparable harm to Nortel and its suppliers, entitling Nortel or its suppliers to injunctive relief in addition to all other remedies available at law.
4. Limited Warranty & Disclaimer. Any limited warranty for the Licensed Materials and Nortel’s sole and exclusive liability thereunder is as set forth in Nortel’s standard warranty documentation. In addition, any limited warranty for the Software does not apply to any component of the Software but only to the Software as a whole. EXCEPT FOR ANY EXPRESS LIMITED WARRANTIES FROM Nortel IN SUCH DOCUMENTATION, THE LICENSED MATERIALS ARE PROVIDED “AS IS”, AND Nortel AND ITS SUPPLIERS MAKE NO WARRANTY, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO LICENSED MATERIALS OR ANY PART THEREOF, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THOSE ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. Nortel’S SUPPLIERS MAKE NO DIRECT WARRANTY OF ANY KIND TO LICENSEE FOR THE LICENSED MATERIALS. NEITHER Nortel NOR ANY OF ITS SUPPLIERS WARRANT THAT THE LICENSED MATERIALS OR ANY PART THEREOF WILL MEET LICENSEE’S REQUIREMENTS OR BE UNINTERRUPTED, OR ERROR-FREE, OR THAT ANY ERRORS IN THE LICENSED MATERIALS WILL BE CORRECTED. SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY NOT APPLY TO LICENSEE. THIS LIMITED WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS. LICENSEE MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM STATE/JURISDICTION TO STATE/JURISDICTION.
5. Term and Termination. This Agreement is effective until terminated. Licensee may terminate this Agreement at any time by destroying all copies of the Software. This Agreement and all licenses granted hereunder will terminate immediately without notice from Nortel if Licensee fails to comply with any provision of this Agreement. Upon any termination, Licensee must destroy all copies of the Licensed Materials. Sections 1(b), 2, 3, 4(b), 5, 6, 7, 8, 9 and 10 shall survive any termination of this Agreement.
6. Export. The Software is specifically subject to U.S. Export Administration Regulations. Licensee agrees to strictly comply with all export, re-export and import restrictions and regulations of the Department of Commerce or other agency or authority of the United States or other applicable countries, and not to transfer, or authorize the transfer of, directly or indirectly, the Software or any direct product thereof to a prohibited country or otherwise in violation of any such restrictions or regulations. Licensee’s failure to comply with this Section is a material breach of this Agreement. Licensee acknowledges that Licensee is not a national of Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria or a party listed in the U.S. Table of Denial Orders or U.S. Treasury Department List of Specially Designated Nationals.
7. Government Restricted Rights. As defined in FAR section 2.101, DFAR section 252.227-7014(a)(1) and DFAR section 252.227-7014(a)(5) or otherwise, the Software provided in connection with this Agreement are “commercial items,” “commercial computer software” and/or “commercial computer software documentation.” Consistent with DFAR section 227.7202, FAR section 12.212 and other sections, any use, modification, reproduction, release, performance, display, disclosure or distribution thereof by or for the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement. Any technical data provided that is not covered by the above provisions shall be deemed “technical data-commercial items” pursuant to DFAR section 227.7015(a). Any use, modification, reproduction, release, performance, display or disclosure of such technical data shall be governed by the terms of DFAR section 227.7015(b).
8. Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL Nortel OR ITS SUPPLIERS BE LIABLE FOR THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF PROFITS, OR FOR ANY SPECIAL, CONSEQUENTIAL, INCIDENTAL, PUNITIVE OR INDIRECT DAMAGES (OR DIRECT DAMAGES IN THE CASE OF Nortel’S SUPPLIERS) ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE ARISING OUT OF OR UNDER THIS AGREEMENT OR ANY USE OR INABILITY TO USE THE LICENSED MATERIALS OR EQUIPMENT, OR FOR BREACH OF THIS AGREEMENT. Nortel’S TOTAL LIABILITY ARISING OUT OF OR UNDER THIS AGREEMENT, OR USE OR INABILITY TO USE THE LICENSED MATERIALS OR EQUIPMENT, OR FOR BREACH OF THIS AGREEMENT, WHETHER IN CONTRACT, TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID FOR THE SOFTWARE (FOR THE STANDALONE SOFTWARE) AND THE PRICE PAID FOR THE EQUIPMENT (FOR THE EMBEDDED SOFTWARE AND EQUIPMENT). THE LIMITATIONS SET FORTH IN THIS SECTION SHALL APPLY EVEN IF Nortel AND/OR ITS SUPPLIERS ARE ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
9. Third Party Beneficiaries. Nortel’s suppliers are intended third party beneficiaries of this Agreement. The terms and conditions herein are made expressly for the benefit of and are enforceable by Nortel’s suppliers; provided, however, that Nortel’s suppliers are not in any contractual relationship with Licensee. Nortel’s suppliers include without limitation: (a) Hifn, Inc., a Delaware corporation with principal offices at 750 University Avenue, Los Gatos, California; and (b) Wind River Systems, Inc. and its suppliers.
10. General. This Agreement is governed and interpreted in accordance with the laws of the State of California, U.S.A. without reference to conflicts of laws principles and excluding the United Nations Convention on Contracts for the Sale of Goods. The parties consent to the exclusive jurisdiction of, and venue in, Santa Clara County, California, U.S.A. Licensee shall not transfer, assign or delegate this Agreement or any rights or obligations hereunder, whether voluntarily, by operation of law or otherwise, without the prior written consent of Nortel (except as expressly set forth in Section 1(f)). Subject to the foregoing, the terms and conditions of this Agreement shall be binding upon and inure to the benefit of the parties to it and their respective heirs, successors, assigns and legal representatives. This Agreement constitutes the entire agreement between Nortel and Licensee with respect to the subject matter hereof, and merges all prior negotiations and drafts of the parties with regard thereto. No modification of or amendment to this Agreement, nor any waiver of any rights under this Agreement, by Nortel shall be effective unless in writing. If any of the provisions of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable under any applicable statute or rule of law, such provision shall, to that extent, be deemed omitted.
SSH Source Code Statement
© 1995 - 2004 SAFENET, Inc. This software is protected by international copyright laws. All rights reserved. SafeNet is a registered trademark of SAFENET, Inc., in the United States and in certain other jurisdictions. SAFENET and the SAFENET logo are trademarks of SAFENET, Inc., and may be registered in certain jurisdictions. All other names and marks are property of their respective owners.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:
o Markus Friedl
o Theo de Raadt
o Niels Provos
o Dug Song
o Aaron Campbell
o Damien Miller
o Kevin Steves
o Daniel Kouril
o Per Allansson
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL Project License Statements
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Trademarks and Service Marks
Nortel and the Nortel logo are registered trademarks, and management software is a trademark of Nortel. All other trademarks belong to their respective holders.
FCC Statements for WLAN—Security Switches (23xx)
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.
FCC Statements for WLAN—Access Points (2330)
This section includes the following FCC statements for WLAN—Access Points (2330):
“Class A Statement” on page 10
“RF Radiation Hazard Warning” on page 10
“Non-Modification Statement” on page 10
“Deployment Statement” on page 11
Class A Statement
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.
RF Radiation Hazard Warning
To ensure compliance with FCC RF exposure requirements, this device must be installed in a location such that the antenna of the device will be greater than 20 cm (8 in.) from all persons. Using higher gain antennas and types of antennas not covered under the FCC certification of this product is not allowed.
Installers of the radio and end users of the Nortel 2300 Series must adhere to the installation instructions provided in this manual.
Non-Modification Statement
Use only the supplied internal antenna, or external antennas supplied by the manufacturer. Unauthorized antennas, modifications, or attachments could damage the badge and could violate FCC regulations and void the user’s authority to operate the equipment.
Note: Refer to the Nortel 2300 Series Release Notes for 802.11a external antenna information.
Contact Nortel for a list of FCC-approved 802.11a and 802.11b/g external antennas.
Deployment Statement
This product is certified for indoor deployment only. Do not install or use this product outdoors.
Industry Canada Required User Information for WLAN—Access Points (2330)
This device has been designed to operate with antennae having maximum gains of 7.8 dBi (2.4 GHz) and 7.4 dBi (5 GHz).
Antennae having higher gains are strictly prohibited per regulations of Industry Canada. The required antenna impedance is 50 ohms.
To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (EIRP) is not more than that required for successful communication.
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.
To ensure compliance with EMC standards applied to the Nortel WLAN—Wireless Security Switches (23x0), shielded twisted pair (STP) 10/100Base-T cabling must be used.

Contents

How to get Help 29
Introducing the Nortel WLAN 2300 System 31
Nortel WLAN 2300 System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Safety and Advisory Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Using the Command-Line Interface 35
CLI Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Syntax Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Text Entry Conventions and Allowed Characters . . . . . . . . . . . . . . . . . . . . . . 38
User Wildcards, MAC Address Wildcards, and VLAN Wildcards . . . . . . . . . . 39
Port Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Virtual LAN Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Command-Line Editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
History Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Single-Asterisk (*) Wildcard Character . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Double-Asterisk (**) Wildcard Characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Using CLI Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Understanding Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Configuring AAA for Administrative and Local Access 51
Overview of AAA for Administrative and Local Access . . . . . . . . . . . . . . . . . . . . . 51
Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
About Administrative Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Access Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Types of Administrative Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
First-Time Configuration using the Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Enabling an Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Setting the WSS Switch Enable Password . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Authenticating at the Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Customizing AAA with “Wildcards” and Groups . . . . . . . . . . . . . . . . . . . . . . . 61
Setting User Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Adding and Clearing Local Users for Administrative Access . . . . . . . . . . . . . 63
Configuring Accounting for Administrative Users . . . . . . . . . . . . . . . . . . . . . . . . . 63
Displaying the AAA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Saving the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Administrative AAA Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Local Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Local Authentication for Console Users and RADIUS Authentication for Telnet Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Local Override and Backup Local Authentication . . . . . . . . . . . . . . . . . . . . . . 69
Authentication When RADIUS Servers Do Not Respond . . . . . . . . . . . . . . . . 70
Configuring and Managing Ports and VLANs 71
Configuring and Managing Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Setting the Port Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
WSS 2380 40 AP Software License Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . 73
Configuring a Port Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WSS-400 only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Configuring Port Operating Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Displaying Port Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Configuring Load-Sharing Port Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Configuring and Managing VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Understanding VLANs in Nortel WSS Software . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Changing Tunneling Affinity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Displaying VLAN Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Managing the Layer 2 Forwarding Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Types of Forwarding Database Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
How Entries Enter the Forwarding Database . . . . . . . . . . . . . . . . . . . . . . . . . 98
Displaying Forwarding Database Information . . . . . . . . . . . . . . . . . . . . . . . . . 99
Adding an Entry to the Forwarding Database . . . . . . . . . . . . . . . . . . . . . . . . 100
Removing Entries from the Forwarding Database . . . . . . . . . . . . . . . . . . . . 101
Configuring the Aging Timeout Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Port and VLAN Configuration Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Configuring and Managing IP Interfaces and Services 107
MTU Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Configuring and Managing IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Adding an IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Disabling or Reenabling an IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Removing an IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Displaying IP Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring the System IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Designating the System IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Displaying the System IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Clearing the System IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Configuring and Managing IP Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Displaying IP Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Adding a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Removing a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Managing the Management Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Managing SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Managing Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Managing HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Configuring and Managing DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Enabling or Disabling the DNS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Configuring DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Configuring a Default Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Displaying DNS Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Configuring and Managing Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Adding an Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Removing an Alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Displaying Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuring and Managing Time Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Setting the Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Configuring the Summertime Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Statically Configuring the System Time and Date . . . . . . . . . . . . . . . . . . . . . 139
Displaying the Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Configuring and Managing NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Adding an NTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Removing an NTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Changing the NTP Update Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Resetting the Update Interval to the Default . . . . . . . . . . . . . . . . . . . . . . . . . 145
Enabling the NTP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Displaying NTP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Managing the ARP Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Displaying ARP Table Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Adding an ARP Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Changing the Aging Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Pinging Another Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Logging In to a Remote Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Tracing a Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
IP Interfaces and Services Configuration Scenario . . . . . . . . . . . . . . . . . . . . . . . 152
Configuring SNMP 155
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Setting the System Location and Contact Strings . . . . . . . . . . . . . . . . . . . . . 156
Enabling SNMP Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Configuring Community Strings (SNMPv1 and SNMPv2c Only) . . . . . . . . . . 158
Creating a USM User for SNMPv3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Setting SNMP Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Configuring a Notification Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Configuring a Notification Target . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Enabling the SNMP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Displaying SNMP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Displaying SNMP Version and Status Information . . . . . . . . . . . . . . . . . . . . 168
Displaying the Configured SNMP Community Strings . . . . . . . . . . . . . . . . . 169
Displaying USM Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Displaying Notification Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Displaying Notification Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Displaying SNMP Statistics Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Configuring and Managing Mobility Domain Roaming 175
About the Mobility Domain Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Configuring a Mobility Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring the Seed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Configuring Member WSSs on the Seed . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Configuring a Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Displaying Mobility Domain Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Displaying the Mobility Domain Configuration . . . . . . . . . . . . . . . . . . . . . . . . 181
Clearing a Mobility Domain from a WSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Clearing a Mobility Domain Member from a Seed . . . . . . . . . . . . . . . . . . . . 183
Monitoring the VLANs and Tunnels in a Mobility Domain . . . . . . . . . . . . . . . . . . 183
Displaying Roaming Stations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Displaying Roaming VLANs and Their Affinities . . . . . . . . . . . . . . . . . . . . . . 185
Displaying Tunnel Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Understanding the Sessions of Roaming Users . . . . . . . . . . . . . . . . . . . . . . . . . 186
Requirements for Roaming to Succeed . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Effects of Timers on Roaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Monitoring Roaming Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Mobility Domain Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Configuring User Encryption 191
Configuring WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
WPA Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
TKIP Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
WPA Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
WPA Information Element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Client Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Configuring WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Configuring RSN (802.11i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Configuring WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Setting Static WEP Key Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Assigning Static WEP Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Encryption Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Enabling WPA with TKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Enabling Dynamic WEP in a WPA Network . . . . . . . . . . . . . . . . . . . . . . . . . 215
Configuring Encryption for MAC Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Configuring AP access points 221
AP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Country of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Directly Connected APs and Distributed APs . . . . . . . . . . . . . . . . . . . . . . . . 224
Service Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Radio Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Configuring AP access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Specifying the Country of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Configuring a Template for Automatic AP Configuration . . . . . . . . . . . . . . . . 251
Configuring AP Port Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Configuring AP-WSS Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Configuring a Service Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Configuring a Radio Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Configuring Radio-Specific Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Mapping the Radio Profile to Service Profiles . . . . . . . . . . . . . . . . . . . . . . . . 276
Assigning a Radio Profile and Enabling Radios . . . . . . . . . . . . . . . . . . . . . . 277
Disabling or Reenabling Radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Enabling or Disabling Individual Radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Disabling or Reenabling All Radios Using a Profile . . . . . . . . . . . . . . . . . . . 279
Resetting a Radio to its Factory Default Settings . . . . . . . . . . . . . . . . . . . . . 280
Restarting an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Displaying AP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Displaying AP Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Displaying a List of Distributed APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Displaying a List of Distributed APs that Are Not Configured . . . . . . . . . . . . 284
Displaying Connection Information for Distributed APs . . . . . . . . . . . . . . . . 285
Displaying Service Profile Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Displaying Radio Profile Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Displaying AP Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Displaying AP Statistics Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Configuring RF Auto-Tuning 291
RF Auto-Tuning Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Initial Channel and Power Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Channel and Power Tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
RF Auto-Tuning Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Changing RF Auto-Tuning Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Changing Channel Tuning Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Changing Power Tuning Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Changing the Minimum Transmit Data Rate . . . . . . . . . . . . . . . . . . . . . . . . . 300
Displaying RF Auto-Tuning Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Displaying RF Auto-Tuning Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Displaying RF Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Displaying RF Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Wi-Fi Multimedia 305
How WMM Works in WSS Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
QoS on the WSS Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
QoS on an AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Disabling or Reenabling WMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Displaying WMM Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Configuring and Managing Spanning Tree Protocol 311
Enabling the Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Changing Standard Spanning Tree Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 313
Changing the Bridge Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Changing STP Port Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Changing Spanning Tree Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Configuring and Managing STP Fast Convergence Features . . . . . . . . . . . . . . . 319
Configuring Port Fast Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Displaying Port Fast Convergence Information . . . . . . . . . . . . . . . . . . . . . . . 322
Configuring Backbone Fast Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Displaying the Backbone Fast Convergence State . . . . . . . . . . . . . . . . . . . . 324
Configuring Uplink Fast Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Displaying Uplink Fast Convergence Information . . . . . . . . . . . . . . . . . . . . . 326
Displaying Spanning Tree Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Displaying STP Bridge and Port Information . . . . . . . . . . . . . . . . . . . . . . . . . 327
Displaying the STP Port Cost on a VLAN Basis . . . . . . . . . . . . . . . . . . . . . . 328
Displaying Blocked STP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Displaying Spanning Tree Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Clearing STP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Spanning Tree Configuration Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Configuring and Managing IGMP Snooping 335
Disabling or Reenabling IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Disabling or Reenabling Proxy Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Enabling the Pseudo-Querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Changing IGMP Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Changing the Query Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Changing the Other-Querier-Present Interval . . . . . . . . . . . . . . . . . . . . . . . . 338
Changing the Query Response Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Changing the Last Member Query Interval . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Changing Robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Enabling Router Solicitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Changing the Router Solicitation Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Configuring Static Multicast Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Adding or Removing a Static Multicast Router Port . . . . . . . . . . . . . . . . . . . 343
Adding or Removing a Static Multicast Receiver Port . . . . . . . . . . . . . . . . . . 344
Displaying Multicast Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Displaying Multicast Configuration Information and Statistics . . . . . . . . . . . . 345
Displaying Multicast Queriers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Displaying Multicast Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Displaying Multicast Receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Configuring and Managing Security ACLs 351
About Security Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Overview of Security ACL Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Security ACL Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Creating and Committing a Security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Setting a Source IP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Setting an ICMP ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Setting TCP and UDP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Determining the ACE Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Committing a Security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Viewing Security ACL Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Clearing Security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Mapping Security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Mapping User-Based Security ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed APs . 368
Modifying a Security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Adding Another ACE to a Security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Placing One ACE before Another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Modifying an Existing Security ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Clearing Security ACLs from the Edit Buffer . . . . . . . . . . . . . . . . . . . . . . . . . 373
Using ACLs to Change CoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Filtering Based on DSCP Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Enabling Prioritization for Legacy Voice over IP . . . . . . . . . . . . . . . . . . . . . . . . . 376
Enabling SVP Optimization for SpectraLink Phones . . . . . . . . . . . . . . . . . . . 377
Security ACL Configuration Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Managing Keys and Certificates 379
Why Use Keys and Certificates? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Wireless Security through TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
PEAP-MS-CHAP-V2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
About Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Public Key Infrastructures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Public and Private Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
PKCS #7, PKCS #10, and PKCS #12 Object Files . . . . . . . . . . . . . . . . . . . . 385
Creating Keys and Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Choosing the Appropriate Certificate Installation Method for Your Network . 387
Creating Public-Private Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Generating Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Installing a Key Pair and Certificate from a PKCS #12 Object File . . . . . . . . 390
Creating a CSR and Installing a Certificate from a PKCS #7 Object File . . . 391
Installing a CA’s Own Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Displaying Certificate and Key Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Key and Certificate Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Creating Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Installing CA-Signed Certificates from PKCS #12 Object Files . . . . . . . . . . . 397
Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File . . . . . . . . . 399
Configuring AAA for Network Users 401
About AAA for Network Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Summary of AAA Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
AAA Tools for Network Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
“Wildcards” and Groups for Network User Classification . . . . . . . . . . . . . . . 411
AAA Methods for IEEE 802.1X and Web Network Access . . . . . . . . . . . . . . 412
IEEE 802.1X Extensible Authentication Protocol Types . . . . . . . . . . . . . . . . 415
Ways a WSS Switch Can Use EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Effects of Authentication Type on Encryption Method . . . . . . . . . . . . . . . . . . 417
Configuring 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Configuring 802.1X Acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Using Pass-Through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Authenticating through a Local Database . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Binding User Authentication to Machine Authentication . . . . . . . . . . . . . . . . 421
Configuring Authentication and Authorization by MAC Address . . . . . . . . . . . . . 425
Adding and Clearing MAC Users and User Groups Locally . . . . . . . . . . . . . 426
Configuring MAC Authentication and Authorization . . . . . . . . . . . . . . . . . . . 427
Changing the MAC Authorization Password for RADIUS . . . . . . . . . . . . . . . 428
Configuring Web-based AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
How Portal Web-based AAA Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Web-based AAA Requirements and Recommendations . . . . . . . . . . . . . . . 430
Configuring Portal Web-based AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Using a Custom Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Using Dynamic Fields in Web-based AAA Redirect URLs . . . . . . . . . . . . . . 439
Configuring Last-Resort Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Configuring AAA for Users of Third-Party APs . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Authentication Process for 802.1X Users of a Third-Party AP . . . . . . . . . . . 442
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Configuring Authentication for 802.1X Users of a Third-Party AP . . . . . . . . 444
Assigning Authorization Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Assigning Attributes to Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Assigning a Security ACL to a User or a Group . . . . . . . . . . . . . . . . . . . . . . 451
Clearing a Security ACL from a User or Group . . . . . . . . . . . . . . . . . . . . . . . 453
Assigning Encryption Types to Wireless Users . . . . . . . . . . . . . . . . . . . . . . . 454
Overriding or Adding Attributes Locally with a Location Policy . . . . . . . . . . . . . . 455
About the Location Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
How the Location Policy Differs from a Security ACL . . . . . . . . . . . . . . . . . . 457
Setting the Location Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Clearing Location Policy Rules and Disabling the Location Policy . . . . . . . . 460
Configuring Accounting for Wireless Network Users . . . . . . . . . . . . . . . . . . . . . . 460
Viewing Local Accounting Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Viewing Roaming Accounting Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Displaying the AAA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Avoiding AAA Problems in Configuration Order . . . . . . . . . . . . . . . . . . . . . . . . . 465
Using the Wildcard “Any” as the SSID Name in Authentication Rules . . . . . 465
Using Authentication and Accounting Rules Together . . . . . . . . . . . . . . . . . 467
Configuring a Mobility Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Network User Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
General Use of Network User Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Enabling RADIUS Pass-Through Authentication . . . . . . . . . . . . . . . . . . . . . 472
Enabling PEAP-MS-CHAP-V2 Authentication . . . . . . . . . . . . . . . . . . . . . . . 473
Enabling PEAP-MS-CHAP-V2 Offload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Combining 802.1X Acceleration with Pass-Through Authentication . . . . . . . 475
Overriding AAA-Assigned VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Configuring Communication with RADIUS 477
RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Configuring RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Configuring Global RADIUS Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Setting the System IP Address as the Source Address . . . . . . . . . . . . . . . . 481
Configuring Individual RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Deleting RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Configuring RADIUS Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Creating Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Deleting a Server Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
RADIUS and Server Group Configuration Scenario . . . . . . . . . . . . . . . . . . . . . . 487
Managing 802.1X on the WSS Switch 489
Managing 802.1X on Wired Authentication Ports . . . . . . . . . . . . . . . . . . . . . . . . 489
Enabling and Disabling 802.1X Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Setting 802.1X Port Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Managing 802.1X Encryption Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Enabling 802.1X Key Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Configuring 802.1X Key Transmission Time Intervals . . . . . . . . . . . . . . . . . 493
Managing WEP Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Setting EAP Retransmission Attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Managing 802.1X Client Reauthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Enabling and Disabling 802.1X Reauthentication . . . . . . . . . . . . . . . . . . . . . 496
Setting the Maximum Number of 802.1X Reauthentication Attempts . . . . . . 497
Setting the 802.1X Reauthentication Period . . . . . . . . . . . . . . . . . . . . . . . . . 498
Setting the Bonded Authentication Period . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Managing Other Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Setting the 802.1X Quiet Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Setting the 802.1X Timeout for an Authorization Server . . . . . . . . . . . . . . . . 501
Setting the 802.1X Timeout for a Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Displaying 802.1X Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Viewing 802.1X Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Viewing the 802.1X Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Viewing 802.1X Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Managing Sessions 507
About the Session Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Displaying and Clearing Administrative Sessions . . . . . . . . . . . . . . . . . . . . . . . . 507
Displaying and Clearing All Administrative Sessions . . . . . . . . . . . . . . . . . . 508
Displaying and Clearing an Administrative Console Session . . . . . . . . . . . . 509
Displaying and Clearing Administrative Telnet Sessions . . . . . . . . . . . . . . . 510
Displaying and Clearing Client Telnet Sessions . . . . . . . . . . . . . . . . . . . . . . 511
Displaying and Clearing Network Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Displaying Verbose Network Session Information . . . . . . . . . . . . . . . . . . . . 512
Displaying and Clearing Network Sessions by Username . . . . . . . . . . . . . . 513
Displaying and Clearing Network Sessions by MAC Address . . . . . . . . . . . 514
Displaying and Clearing Network Sessions by VLAN Name . . . . . . . . . . . . . 515
Displaying and Clearing Network Sessions by Session ID . . . . . . . . . . . . . . 516
Managing System Files 517
About System Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Displaying Software Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Displaying Boot Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Working with Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Displaying a List of Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Copying a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Deleting a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Creating a Subdirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Removing a Subdirectory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Managing Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Displaying the Running Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Saving Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Specifying the Configuration File to Use After the Next Reboot . . . . . . . . . . 530
Loading a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Resetting to the Factory Default Configuration . . . . . . . . . . . . . . . . . . . . . . . 532
Backing Up and Restoring the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Managing Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Backup and Restore Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Upgrading the System Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Rogue Detection and Countermeasures 537
About Rogues and RF Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Rogue Access Points and Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
RF Detection Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Summary of Rogue Detection Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Configuring Rogue Detection Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Configuring a Permitted Vendor List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Configuring a Permitted SSID List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Configuring a Client Black List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Configuring an Attack List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Configuring an Ignore List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Enabling Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Disabling or Reenabling Active Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Enabling AP Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Disabling or Reenabling Logging of Rogues . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Enabling Rogue and Countermeasures Notifications . . . . . . . . . . . . . . . . . . . . . 550
IDS and DoS Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Flood Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
DoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Netstumbler and Wellenreiter Applications . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Wireless Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Ad-Hoc Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Weak WEP Key Used by Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Disallowed Devices or SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Displaying Statistics Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
IDS Log Message Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Displaying RF Detection Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Displaying Rogue Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Displaying Rogue Detection Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Displaying SSID or BSSID Information for a Mobility Domain . . . . . . . . . . . 565
Displaying RF Detect Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Displaying the APs Detected by an AP Radio . . . . . . . . . . . . . . . . . . . . . . . . 568
Displaying Countermeasures Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Troubleshooting a WS Switch 571
Fixing Common WSS Setup Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Recovering the System Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
WSS-2350 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
WSS-2370, WSS-2380, or WSS-2360 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Configuring and Managing the System Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Log Message Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Logging Destinations and Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Using Log Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Running Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Using the Trace Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Displaying a Trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Stopping a Trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
About Trace Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Displaying Trace Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Copying Trace Results to a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Clearing the Trace Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
List of Trace Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Using Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Viewing VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Viewing AAA Session Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Viewing FDB Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Viewing ARP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Remotely Monitoring Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
How Remote Traffic Monitoring Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Best Practices for Remote Traffic Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 588
Configuring a Snoop Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
Mapping a Snoop Filter to a Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Enabling or Disabling a Snoop Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Displaying Remote Traffic Monitoring Statistics . . . . . . . . . . . . . . . . . . . . . . 594
Preparing an Observer and Capturing Traffic . . . . . . . . . . . . . . . . . . . . . . . . 594
Capturing System Information for Technical Support . . . . . . . . . . . . . . . . . . . . . 595
Displaying Technical Support Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Sending Information to NETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Supported RADIUS Attributes 599
Supported Standard and Extended Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Nortel Vendor-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Mobility Domain Traffic Ports 605
DHCP Server 607
How the WSS Software DHCP Server Works . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Configuring the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Displaying DHCP Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Glossary 611
Index 633
Command Index 653

How to get Help

This section explains how to get help for Nortel products and services.
Getting Help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel Technical Support web site:
http://www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:
download software, documentation, and product bulletins
search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases
Getting Help over the phone from a Nortel Solutions Center
If you don’t find the information you require on the Nortel Technical Support Web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the following Web site to obtain the phone number for your region:
http://www.nortel.com/callus
Getting Help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:
http://www.nortel.com/erc
Getting Help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

Introducing the Nortel WLAN 2300 System

Nortel WLAN 2300 System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
This guide explains how to configure and manage a Nortel WLAN 2300 System wireless LAN (WLAN) using the WLAN 2300 System Software command line interface (CLI) commands that you enter on a WLAN Security Switch (WSS).
Read this guide if you are a network administrator or other person configuring and managing one or more switches and Access Points (AP) in a network.

Nortel WLAN 2300 System

The Nortel WLAN 2300 System is an enterprise-class WLAN solution that seamlessly integrates with an existing wired enterprise network. The Nortel system provides secure connectivity to both wireless and wired users in large environments such as office buildings, hospitals, and university campuses and in small environments such as branch offices.
The Nortel WLAN 2300 System fulfills the three fundamental requirements of an enterprise WLAN: It eliminates the distinction between wired and wireless networks, allows users to work safely from anywhere (secure mobility), and provides a comprehensive suite of intuitive tools for planning and managing the network before and after deployment, greatly easing the operational burden on IT resources.
The Nortel WLAN 2300 System consists of the following components:
WLAN Management Software tool suite: A full-featured graphical user interface (GUI) client application used to plan, configure, and deploy a WLAN and its users. It also provides a centralized service application for WLAN and user monitoring, reporting, and diagnostics.
One or more WLAN Security Switches (WSS): Distributed, intelligent machines for managing user connectivity, connecting and powering Access Point (AP) access ports, and connecting the WLAN to the wired network backbone.
Multiple Access Points (AP): Wireless access points that transmit and receive radio frequency (RF) signals to and from wireless users and connect them to a WSS.
WLAN 2300 System Software (WSS Software): The operating system that runs all WSSs and AP access ports in a WLAN, and is accessible through a command-line interface (CLI), the Web View interface, or the WLAN Management Software GUI.

Documentation

Consult the following documents to plan, install, configure, and manage a Nortel WLAN 2300 System.
Planning, Configuration, and Deployment
Nortel WLAN Management Software User’s Guide. Instructions for planning, configuring, deploying, and managing the entire WLAN with the WLAN Management Software tool suite. Read this guide to learn how to plan wireless services, how to configure and deploy Nortel equipment to provide those services, and how to optimize and manage your WLAN.
Nortel WLAN Management Software Reference Manual. Detailed instructions and information for all WLAN Management Software planning, configuration, and management features.
Installation
Nortel WLAN 2300 System Software Quick Start Guide. Instructions for performing basic setup of secure (802.1X) and guest (Web-based AAA™) access, for configuring a Mobility Domain for roaming, and for accessing a sample network plan in WLAN Management Software for advanced configuration and management.
Nortel WLAN Security Switch Installation and Basic Configuration Guide. Instructions and specifications for installing a WSS switch in a Nortel WLAN 2300 System WLAN, and basic instructions for deploying a secure IEEE 802.11 wireless service.
Nortel Access Port Installation Guide. Instructions and specifications for installing an AP access point and connecting it to a WSS.
Nortel Regulatory Information. Important safety instructions and compliance information that you must read before installing Nortel products.
Note. Nortel Regulatory Information is updated frequently. See http://www.nortel.com for the most current version.
Configuration and Management
Nortel WLAN Management Software Reference Manual. Instructions for planning, configuring, deploying, and managing the entire WLAN with the WLAN Management Software tool suite.
Nortel Mobility System Software Configuration Guide. Instructions for configuring and managing the system through the WSS Software CLI.
Nortel Mobility System Software Command Reference. Functional and alphabetic reference to all WSS Software commands supported on WSSs and AP access points.

Safety and Advisory Notices

The following kinds of safety and advisory notices appear in this manual.
Caution! This situation or condition can lead to data loss or damage to the product or other property.
Note. This information is of special interest.

Text and Syntax Conventions

Nortel manuals use the following text and syntax conventions:
Convention: Use
Monospace text: Sets off command syntax or sample commands and system responses.
Bold text: Highlights commands that you enter or items you select.
Italic text: Designates command variables that you replace with appropriate values, or highlights publication titles or words requiring special emphasis.
Menu Name > Command: Indicates a menu item that you select. For example, File > New indicates that you select New from the File menu.
[ ] (square brackets): Enclose optional parameters in command syntax.
{ } (curly brackets): Enclose mandatory parameters in command syntax.
| (vertical bar): Separates mutually exclusive options in command syntax.

Using the Command-Line Interface

CLI Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Command-Line Editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Using CLI Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Understanding Command Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
WLAN 2300 System Software (WSS Software) operates a Nortel WLAN 2300 System wireless LAN (WLAN) consisting of WLAN Management Software software, WLAN—Security Switch (WSS) switches, and Access Point (AP) access points. WSS Software has a command-line interface (CLI) on the WSS switch that you can use to configure and manage the switch and its attached AP access points.
You configure the WSS and AP access points primarily with set, clear, and show commands. Use set commands to change parameters. Use clear commands to reset parameters to their defaults. In many cases, you can overwrite a parameter with another set command. Use show commands to display the current configuration and monitor the status of network operations.
The WSS supports two connection modes:
Administrative access mode, which enables the network administrator to connect to the WSS and configure the network
Network access mode, which enables network users to connect through the WSS to access the network

CLI Conventions

Be aware of the following WSS Software CLI conventions for command entry:
“Command Prompts” on page 36
“Syntax Notation” on page 37
“Text Entry Conventions and Allowed Characters” on page 38
“User Wildcards, MAC Address Wildcards, and VLAN Wildcards” on page 39
“Port Lists” on page 41
“Virtual LAN Identification” on page 42

Command Prompts

By default, the WSS Software CLI provides the following prompt for restricted users. The mm portion shows the WSS switch model number (for example, 2370) and the nnnnnn portion shows the last 6 digits of the switch’s media access control (MAC) address.
NT-mm-nnnnnn>
After you become enabled as an administrative user by typing enable and supplying a suitable password, WSS Software displays the following prompt:
NT-mm-nnnnnn#
For ease of presentation, this manual shows the restricted and enabled prompts as follows:
23xx>
23xx#
For information about changing the CLI prompt on a WSS, see the set prompt command description in the Nortel WLAN 2300 Series System Software Command Reference.

Syntax Notation

The WSS Software CLI uses standard syntax notation:
Bold monospace font identifies the command and keywords you must type. For example:
set enablepass
Italic monospace font indicates a placeholder for a value. For example, you replace vlan-id in the following command with a virtual LAN (VLAN) ID:
clear interface vlan-id ip
Curly brackets ({ }) indicate a mandatory parameter, and square brackets ([ ]) indicate an optional parameter. For example, you must enter dynamic or port and a port list in the following command, but a VLAN ID is optional:
clear fdb {dynamic | port port-list} [vlan vlan-id]
A vertical bar (|) separates mutually exclusive options within a list of possibilities. For example, you enter either enable or disable, not both, in the following command:
set port {enable | disable} port-list

Text Entry Conventions and Allowed Characters

Unless otherwise indicated, the WSS Software CLI accepts standard ASCII alphanumeric characters, except for tabs and spaces, and is case-insensitive.
The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command.
Nortel recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACL). For example, do not configure two separate VLANs with the names red and RED.
The CLI does not support the use of special characters including the following in any named elements such as SSIDs and VLANs: ampersand (&), angle brackets (< >), number sign (#), question mark (?), or quotation marks (“”).
In addition, the CLI does not support the use of international characters such as the accented É in DÉCOR.
MAC Address Notation
WSS Software displays MAC addresses in hexadecimal numbers with a colon (:) delimiter between bytes—for example, 00:01:02:1a:00:01. You can enter MAC addresses with either hyphen (-) or colon (:) delimiters, but colons are preferred.
For shortcuts:
You can exclude leading zeros when typing a MAC address. When WSS Software displays a MAC address, it includes all leading zeros.
In some specified commands, you can use the single-asterisk (*) wildcard character to represent an entire MAC address or from 1 byte to 5 bytes of the address. (For more information, see “MAC Address Wildcards” on page 39.)
IP Address and Mask Notation
WSS Software displays IP addresses in dotted decimal notation—for example, 192.168.1.111. WSS Software makes use of both subnet masks and wildcard masks.
Subnet Masks
Unless otherwise noted, use classless interdomain routing (CIDR) format to express subnet masks—for example, 192.168.1.112/24. You indicate the subnet mask with a forward slash (/) and specify the number of bits in the mask.
Wildcard Masks
Security access control lists (ACL) use source and destination IP addresses and wildcard masks to determine whether the WSS filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond to any 0s (zeros) in the mask, but does not check the bits that correspond to 1s (ones) in the mask. You specify the wildcard mask in dotted decimal notation.
For example, the address 10.0.0.0 and mask 0.255.255.255 match all IP addresses that begin with 10 in the first octet.
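The following Python is an added illustration of the two mask notations above; it is not Nortel's code. It checks an address against a pattern and wildcard mask exactly as described (0 bits are compared, 1 bits are ignored), converts a CIDR prefix length into the equivalent wildcard mask, and walks a small constructed ACL in order. The addresses, the ACL and the "deny when nothing matches" default are assumptions made for the example.

```python
"""Added example, not Nortel's code: the two mask notations the guide
describes.  A CIDR suffix (/24) gives the number of leading bits that must
match.  An ACL wildcard mask in dotted decimal marks bits to ignore with 1s
and bits to check with 0s, so 0.255.255.255 checks only the first octet.
Addresses and the ACL below are constructed for illustration."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """'10.0.0.0' -> 0x0A000000 (raises ValueError on a malformed address)."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, pattern, wildcard_mask):
    """True when every bit that the wildcard mask leaves as 0 is identical in
    `address` and `pattern`; bits under a 1 in the mask are not compared."""
    check_bits = ALL_ONES ^ to_int(wildcard_mask)      # 1 = compare this bit
    return (to_int(address) & check_bits) == (to_int(pattern) & check_bits)


def cidr_to_wildcard(prefix_len):
    """Convert a CIDR prefix length into the equivalent ACL wildcard mask:
    /24 -> 0.0.0.255, /8 -> 0.255.255.255 (the bitwise complement of the
    subnet mask)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def cidr_match(address, cidr):
    """'192.168.1.112/24' style membership test, done through the wildcard
    form of the mask so both notations share one comparison."""
    network, prefix_len = cidr.split("/")
    return wildcard_match(address, network, cidr_to_wildcard(int(prefix_len)))


def acl_decision(rules, src, dst, default="deny"):
    """Walk a constructed ACL in order.  Each rule is
    (action, src_pattern, src_wildcard, dst_pattern, dst_wildcard) and the
    first rule whose source and destination both match decides.  Treating a
    packet that matches no rule as denied is an assumption of this example."""
    for action, src_pat, src_wc, dst_pat, dst_wc in rules:
        if wildcard_match(src, src_pat, src_wc) and wildcard_match(dst, dst_pat, dst_wc):
            return action
    return default


# Constructed ACL: deny the 10.1.0.0/16 block, permit the rest of 10.0.0.0/8,
# whatever the destination (0.0.0.0 with an all-ones wildcard matches any).
SAMPLE_ACL = [
    ("deny",   "10.1.0.0", "0.0.255.255",   "0.0.0.0", "255.255.255.255"),
    ("permit", "10.0.0.0", "0.255.255.255", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for src in ("10.1.2.3", "10.2.2.3", "172.16.0.1"):
        print(src, "->", acl_decision(SAMPLE_ACL, src, "192.0.2.1"))
```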

User Wildcards, MAC Address Wildcards, and VLAN Wildcards

Name “globbing” is a way of using a wildcard pattern to expand a single element into a list of elements that match the pattern. WSS Software accepts user globs, MAC address globs, and VLAN globs. The order in which globs appear in the configuration is important, because once a wildcard is matched, processing stops on the list of globs.
User Wildcards
A user wildcard is a shorthand method for matching an authentication, authorization, and accounting (AAA) command to either a single user or a set of users.
A user wildcard can be up to 80 characters long and cannot contain spaces or tabs. The double-asterisk (**) wildcard characters with no delimiter characters match all usernames. The single-asterisk (*) wildcard character matches any number of characters up to, but not including, a delimiter character in the wildcard. Valid user wildcard delimiter characters are the at (@) sign and the period (.).
For example, the following globs identify the following users:
User Wildcard: User Designated
jose@example.com: User jose at example.com
*@example.com: All users at example.com whose usernames do not contain periods—for example, jose@example.com and tamara@example.com, but not nin.wong@example.com, because nin.wong contains a period
*@marketing.example.com: All marketing users at example.com whose usernames do not contain periods
*.*@marketing.example.com: All marketing users at example.com whose usernames contain a period
*: All users with usernames that have no delimiters
EXAMPLE\*: All users in the Windows Domain EXAMPLE with usernames that have no delimiters
EXAMPLE\*.*: All users in the Windows Domain EXAMPLE whose usernames contain a period
**: All users
MAC Address Wildcards
A media access control (MAC) address wildcard is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address wildcard, you can use a single asterisk (*) as a wildcard to match all MAC addresses, or as follows to match from 1 byte to 5 bytes of the MAC address:
00:*
00:01:*
00:01:02:*
00:01:02:03:*
00:01:02:03:04:*
For example, the MAC address wildcard 02:06:8c* represents all MAC addresses starting with 02:06:8c. Specifying only the first 3 bytes of a MAC address allows you to apply commands to MAC addresses based on an organizationally unique identity (OUI).
VLAN Wildcards
A VLAN wildcard is a method for matching one of a set of local rules on a WSS switch, known as the location policy, to one or more users. WSS Software compares the VLAN wildcard, which can optionally contain wildcard characters, against the VLAN-Name attribute returned by AAA, to determine whether to apply the rule.
To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the wildcard, use the single-asterisk (*) wildcard. Valid VLAN wildcard delimiter characters are the at (@) sign and the period (.).
For example, the VLAN wildcard bldg4.* matches bldg4.security and bldg4.hr and all other VLAN names with bldg4. at the beginning.
Matching Order for Wildcards
In general, the order in which you enter AAA commands determines the order in which WSS Software matches the user, MAC address, or VLAN to a wildcard. To verify the order, view the output of the show aaa or show config command. WSS Software checks globs that appear higher in the list before items lower in the list and uses the first successful match.
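The Python below is an added model of the wildcard rules in this section (user wildcards, MAC address wildcards, VLAN wildcards and the first-match order), together with the MAC address entry shortcuts described under "MAC Address Notation"; it is not Nortel's code. The usernames, MAC addresses and rule lists are constructed for illustration, and case-sensitive username matching is taken from the guide's statement that usernames are case-sensitive.

```python
"""Added example, not Nortel's code: a model of the WSS Software wildcard
("glob") rules this chapter describes for user, VLAN and MAC address
wildcards, plus the first-match ordering rule.  Names, addresses and the
rule lists are constructed for illustration."""
import re

DELIMITERS = "@."                                 # user/VLAN wildcard delimiters
NOT_DELIM = "[^" + re.escape(DELIMITERS) + "]*"   # what a single '*' may consume


def glob_to_regex(glob):
    """Compile a user or VLAN wildcard into an anchored regular expression.

    '**' on its own matches everything.  A single '*' matches any number of
    characters up to, but not including, a delimiter ('@' or '.').  Every other
    character matches literally, so the backslash in EXAMPLE\\* is just text.
    Matching is case-sensitive because the guide says usernames are.
    """
    if glob == "**":
        return re.compile(r".*", re.DOTALL)
    return re.compile("".join(NOT_DELIM if ch == "*" else re.escape(ch)
                              for ch in glob))


def glob_match(glob, name):
    """True if the user or VLAN wildcard matches the whole name."""
    return glob_to_regex(glob).fullmatch(name) is not None


def normalize_mac(mac):
    """Canonical display form: six zero-padded lower-case hex bytes joined by
    ':'.  Accepts '-' or ':' delimiters and omitted leading zeros, as the CLI
    does on input."""
    octets = re.split(r"[:-]", mac.strip().lower())
    if len(octets) != 6 or any(not re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(o.zfill(2) for o in octets)


def mac_glob_match(glob, mac):
    """A MAC wildcard is either '*' (every address) or one to five leading
    bytes followed by '*', for example '00:01:*' or the OUI form '02:06:8c*'."""
    glob = glob.strip().lower()
    if glob == "*":
        return True
    if not glob.endswith("*"):
        raise ValueError("MAC wildcard must end with '*': %r" % glob)
    octets = re.split(r"[:-]", glob[:-1].rstrip(":-"))
    if not 1 <= len(octets) <= 5 or any(not re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError("MAC wildcard must give 1 to 5 hex bytes before '*': %r" % glob)
    prefix = ":".join(o.zfill(2) for o in octets) + ":"
    return normalize_mac(mac).startswith(prefix)


def first_match(rules, name, matcher=glob_match):
    """Rules are (wildcard, value) pairs in configuration order, the order
    'show aaa' would list them.  The first wildcard that matches wins and
    processing stops, so a catch-all such as '**' must come last."""
    for glob, value in rules:
        if matcher(glob, name):
            return value
    return None


if __name__ == "__main__":
    # Constructed AAA-style rule list: plain example.com usernames go to the
    # local database, everything else falls through to the catch-all.
    rules = [("*@example.com", "local"), ("**", "radius")]
    for user in ("jose@example.com", "nin.wong@example.com"):
        print(user, "->", first_match(rules, user))
```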

Port Lists

The physical Ethernet ports on a WSS can be set for connection to AP access points, authenticated wired users, or the network backbone. You can include a single port or multiple ports in one WSS Software CLI command by using the appropriate list format.
The ports on a WSS are numbered 1 through 22. No port 0 exists on the switch. You can include a single port or multiple ports in a command that includes port port-list. Use one of the following formats for port-list:
A single port number. For example:
23x0# set port enable 16
A comma-separated list of port numbers, with no spaces. For example:
23x0# show port poe 1,2,4,13
A hyphen-separated range of port numbers, with no spaces. For example:
23x0# reset port 12-16
Any combination of single numbers, lists, and ranges. Hyphens take precedence over commas. For example:
23x0# show port status 1-3,14
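As an added example (not Nortel's code), the following Python parses and validates the port-list format just described, enforcing the 1 through 22 numbering, the absence of port 0, and the no-spaces rule, and collapses a set of ports back into the compact form. The sample inputs are the ones shown above.

```python
"""Added example, not Nortel's code: a parser for the WSS port-list format
the guide describes.  Ports are numbered 1 through 22 (there is no port 0);
a list is single numbers, comma-separated numbers and hyphen ranges, with no
spaces, e.g. '16', '1,2,4,13', '12-16', '1-3,14'."""
import re

MIN_PORT, MAX_PORT = 1, 22      # WSS port numbering per the guide


def parse_port_list(text):
    """Return the sorted, de-duplicated list of ports named by `text`, or
    raise ValueError explaining why it is not a valid port-list."""
    if text != text.strip() or " " in text:
        raise ValueError("port list must not contain spaces: %r" % text)
    if not text:
        raise ValueError("empty port list")
    ports = set()
    for item in text.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)   # '5' or '12-16'
        if not m:
            raise ValueError("bad port-list item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError("range start exceeds end: %r" % item)
        for p in (lo, hi):
            if not MIN_PORT <= p <= MAX_PORT:
                raise ValueError("port %d outside %d-%d" % (p, MIN_PORT, MAX_PORT))
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def is_valid_port_list(text):
    """Convenience wrapper: True if parse_port_list accepts `text`."""
    try:
        parse_port_list(text)
        return True
    except ValueError:
        return False


def format_port_list(ports):
    """Inverse of the parser: collapse ports into the compact form the CLI
    accepts, using a hyphen range wherever ports are consecutive."""
    ports = sorted(set(ports))
    if not ports:
        return ""
    runs, start, prev = [], ports[0], ports[0]
    for p in ports[1:]:
        if p == prev + 1:
            prev = p
            continue
        runs.append((start, prev))
        start = prev = p
    runs.append((start, prev))
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in runs)


if __name__ == "__main__":
    for sample in ("16", "1,2,4,13", "12-16", "1-3,14", "0", "1, 2"):
        print(sample, "->", parse_port_list(sample) if is_valid_port_list(sample) else "invalid")
```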

Virtual LAN Identification

The names of virtual LANs (VLAN), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WSS uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can refer to a VLAN by either its VLAN name or its VLAN number. CLI set and show commands use a VLAN’s name or number to uniquely identify the VLAN within the WSS.

Command-Line Editing

WSS Software editing functions are similar to those of many other network operating systems.

Keyboard Shortcuts

The following keyboard shortcuts are available for entering and editing CLI commands:
Keyboard Shortcut: Function
Ctrl+A: Jumps to the first character of the command line.
Ctrl+B or Left Arrow key: Moves the cursor back one character.
Ctrl+C: Escapes and terminates prompts and tasks.
Ctrl+D: Deletes the character at the cursor.
Ctrl+E: Jumps to the end of the current command line.
Ctrl+F or Right Arrow key: Moves the cursor forward one character.
Ctrl+K: Deletes from the cursor to the end of the command line.
Ctrl+L or Ctrl+R: Repeats the current command line on a new line.
Ctrl+N or Down Arrow key: Enters the next command line in the history buffer.
Ctrl+P or Up Arrow key: Enters the previous command line in the history buffer.
Ctrl+U or Ctrl+X: Deletes characters from the cursor to the beginning of the command line.
Ctrl+W: Deletes the last word typed.
Esc B: Moves the cursor back one word.
Esc D: Deletes characters from the cursor forward to the end of the word.
Delete key or Backspace key: Erases a mistake made during command entry. Reenter the command after using this key.

History Buffer

The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer.

Tabs

The WSS Software CLI uses the Tab key for command completion. You can type the first few characters of a command and press the Tab key to display the commands that begin with those characters. For example:
23x0# show i <Tab>
ifm         Show interfaces maintained by the interface manager
igmp        Show igmp information
interface   Show interfaces
ip          Show ip information

Single-Asterisk (*) Wildcard Character

You can use the single-asterisk (*) wildcard character in globbing. (For details, see “User Wildcards, MAC Address Wildcards, and VLAN Wildcards” on page 39.)

Double-Asterisk (**) Wildcard Characters

The double-asterisk (**) wildcard character matches all usernames. For details, see “User Wildcards” on page 39.

Using CLI Help

The CLI provides online help. To see the full range of commands available at your access level, type the following command:
23x0# help
Commands:
----------------------------------------------------------------------
clear            Clear, use 'clear help' for more information
commit           Commit the content of the ACL table
copy             Copy from filename (or url) to filename (or url)
crypto           Crypto, use 'crypto help' for more information
delete           Delete url
dir              Show list of files on flash device
disable          Disable privileged mode
exit             Exit from the Admin session
help             Show this help screen
history          Show contents of history substitution buffer
hit-sample-rate  Set NP hit-counter sample rate
load             Load, use 'load help' for more information
logout           Exit from the Admin session
monitor          Monitor, use 'monitor help' for more information
ping             Send echo packets to hosts
quit             Exit from the Admin session
reset            Reset, use 'reset help' for more information
rollback         Remove changes to the edited ACL table
save             Save the running configuration to persistent storage
set              Set, use 'set help' for more information
show             Show, use 'show help' for more information
telnet           telnet IP address [server port]
traceroute       Print the route packets take to network host
For more information on help, see the help command description in the Nortel WLAN Security Switch 2300 Software Command Reference.
To see a subset of the online help, type the command for which you want more information. For example, the following command displays all the commands that begin with the letter i:
23x0# show i?
ifm         Show interfaces maintained by the interface manager
igmp        Show igmp information
interface   Show interfaces
ip          Show ip information
To see all the variations, type one of the commands followed by a question mark (?). For example:
23x0# show ip ?
alias    Show ip aliases
dns      show DNS status
https    show ip https
route    Show ip route table
telnet   show ip telnet
To determine the port on which Telnet is running, type the following command:
23x0# show ip telnet
Server Status   Port
--------------------------------
Enabled         23

Understanding Command Descriptions

Each command description in the Nortel WLAN Security Switch 2300 Software Command Reference contains the following elements:
A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a command description and in the index:
set {ap | dap} name
The set {ap | dap} name command has the following complete syntax:
set {ap port-list | dap dap-num} name name
A brief description of the command’s functions.
The full command syntax.
Any command defaults.
The command access, which is either enabled or all. All indicates that anyone can access this command. Enabled indicates that you must enter the enable password before entering the command.
The command history, which identifies the WSS Software version in which the command was introduced and the version numbers of any subsequent updates.
Special tips for command usage. These are omitted if the command requires no special usage.
One or more examples of the command in context, with the appropriate system prompt and response.
One or more related commands.

Configuring AAA for Administrative and Local Access

Overview of AAA for Administrative and Local Access . . . . . . . . . . . . . . . . . . . . . . 51
Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
About Administrative Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
First-Time Configuration using the Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Configuring Accounting for Administrative Users . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Displaying the AAA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Saving the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Administrative AAA Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Overview of AAA for Administrative and Local Access

Nortel WLAN 2300 System Software (WSS Software) supports authentication, authorization, and accounting (AAA) for secure network connections. As administrator, you must establish administrative access for yourself and optionally other local users before you can configure the WSS for operation.
Here is an overview of configuration topics:
1 Console connection. By default, any administrator can connect to the console port and manage the switch, because no authentication is enforced. (Nortel recommends that you enforce authentication on the console port after initial connection.)
2 Telnet or SSH connection. Administrators cannot establish a Telnet or Secure Shell (SSH) connection to the WSS by default. To provide Telnet or SSH access, you must add a username and password entry to the local database or, optionally, set the authentication method for Telnet users to a Remote Authentication Dial-In User Service (RADIUS) server.
Note. A CLI Telnet connection to the WSS is not secure, unlike SSH, WLAN Management Software and Web View connections. (For details, see Chapter , “Managing Keys and Certificates,” on page 379.)
3 Restricted mode. When you initially connect to the WSS, your mode of operation is restricted. In this mode, only a small subset of status and monitoring commands is available. Restricted mode is useful for administrators with basic monitoring privileges who are not allowed to change the configuration or run traces.
4 Enabled mode. To enter the enabled mode of operation, you type the enable command at the command prompt. In enabled mode, you can use all CLI commands. Although WSS Software does not require an enable password, Nortel highly recommends that you set one.
5 Customized authentication. You can require authentication for all users or for only a subset of users. Username globbing (see “User Wildcards, MAC Address Wildcards, and VLAN Wildcards” on page 39) allows different users or classes of user to be given different authentication treatments. You can configure console authentication and Telnet authentication separately, and you can apply different authentication methods to each.
For any user, authorization uses the same methods as authentication for that user.
6 Local override. A special authentication technique called local override lets you attempt authentication through the local database before attempting authentication through a RADIUS server. The WSS attempts administrative authentication in the local database first. If it finds no match, the WSS attempts administrative authentication on the RADIUS server. (For information about setting a WSS to use RADIUS servers, see Chapter , “Configuring Communication with RADIUS,” on page 477.)
7 Accounting for administrative access sessions. Accounting records can be stored and displayed locally or sent to a RADIUS server. Accounting records provide an audit trail of the time an administrative user logged in, the administrator’s username, the number of bytes transferred, and the time the session started and ended.
Figure 1 on page 53 illustrates a typical WSS, AP access points, and network administrator in an enterprise network. As network administrator, you initially access the WSS through the console. You can then optionally configure authentication, authorization, and accounting for administrative access mode.
Nortel recommends enforcing authentication for administrative access using usernames and passwords stored either locally or on RADIUS servers.
Figure 1: Typical Nortel WLAN 2300 System (figure not reproduced; it shows Building 1, floors 1 to 3, with AP access points connected to WSS switches and Layer 2 switches, a core router, and a data center containing Layer 2 or Layer 3 switches and RADIUS or AAA servers)

Before You Start

Before reading more of this chapter, read the Nortel WLAN—Security Switch 2300 Series Installation and Basic Configuration Guide for information about setting up a WSS switch and the attached AP access points for basic service. The following tasks are covered in Chapter 4 of that guide.
1 Accessing the CLI
2 Configuring an enable password
3 Configuring the time and date
4 Installing the software license
5 Configuring IP connectivity
6 Enabling secure communication for WLAN Management Software or Web View
7 Specifying the country of operation
8 Specifying a system IP address
9 Configuring ports for authenticating users
10 Configuring Mobility Domain parameters
11 Configuring user authentication
12 Displaying and saving the configuration
Except for software license installation, these tasks are covered in greater depth in this manual so that you can reconfigure your network as needed.

About Administrative Access

The authentication, authorization, and accounting (AAA) framework helps secure network connections by identifying who the user is, what the user can access, and the amount of network resources the user can consume.

Access Modes

WSS Software provides AAA either locally or through remote servers to authenticate valid users. WSS Software provides two modes of access:
Administrative access mode—Allows a network administrator to access the WSS and configure it. You must establish administrative access in enabled mode before adding users. See “Enabling an Administrator” on page 57.
Network access mode—Allows network users to connect through the WSS. For information about configuring network users, see Chapter , “Configuring AAA for Network Users,” on page 401.

Types of Administrative Access

WSS Software allows you access to the WSS with the following types of administrative access:
Console—Access through only the console port. For more information, see “First-Time Configuration using the Console” on page 56.
Telnet—Users who access WSS Software through the Telnet protocol. For information about setting up a WSS for Telnet access, see Chapter , “Configuring and Managing IP Interfaces and Services,” on page 107.
Secure Shell (SSH)—Users who access WSS Software through the SSH protocol. For information about setting up a WSS switch for SSH access, see Chapter , “Configuring and Managing IP Interfaces and Services,” on page 107.
WLAN Management Software—After you configure the WSS as described in the Nortel WLAN—Security Switch Installation and Basic Configuration Guide, you can further configure the WSS using the WMS tool suite. For more information, see the Nortel WLAN Management Software Reference Manual.
Web View—A Web-based application for configuring and managing a single WSS through a Web browser. Web View uses a secure connection through Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).

First-Time Configuration using the Console

Administrators must initially configure the WSS with a computer or terminal connected to the WSS console port through a serial cable. Telnet access is not initially enabled.
To configure a previously unconfigured WSS through the console, you must complete the following tasks:
Enable an administrator. (See “Enabling an Administrator” on page 57.)
Configure authentication. (See “Authenticating at the Console” on page 60.)
Optionally, configure accounting. (see “Configuring Accounting for Administrative Users” on page 63.)
Save the configuration. (See “Saving the Configuration” on page 65.)

Enabling an Administrator

To enable yourself as an administrator, you must log in to the WSS from the console. Until you set the enable password and configure authentication, the default username and password are blank. Press Enter when prompted for them.
To enable an administrator:
1 Log in to the WSS from the serial console, and press Enter when the WSS displays a username prompt:
Username:
2 Press Enter when the WSS displays a password prompt:
Password:
3 Type enable to go into enabled mode.
23x0> enable
4 Press Enter to display an enabled-mode command prompt:
23x0#
Once you see this prompt after you have typed the enable command, you have administrative privileges, which allow you to further configure the WSS.

Setting the WSS Switch Enable Password

There is one enable password for the entire WSS. You can optionally change the enable password from the default.
Caution! Nortel recommends that you change the enable password from the default
(no password) to prevent unauthorized users from entering configuration commands.
Setting the WSS Enable Password for the First Time
To set the enable password for the first time:
1 At the enabled prompt, type set enablepass.
2 At the “Enter old password” prompt, press Enter.
3 At the “Enter new password” prompt, enter an enable password of up to 32 alphanumeric characters with no spaces. The password is not displayed as you type it.
Note. The enable password is case-sensitive.
4 Type the password again to confirm it.
WSS Software lets you know the password is set.
23x0# set enablepass
Enter old password:
Enter new password:
Retype new password:
Password changed
Caution! Be sure to use a password that you will remember. If you lose the enable password, the only way to restore it causes the system to return to its default settings and wipes out any saved configuration. (For details, see “Recovering the System Password” on page 574.)
5 Store the configuration into nonvolatile memory by typing the following command:
23x0# save config
success: configuration saved.
WMS Enable Password
If you are using WMS, you must use the same enable password on WMS that you use on the WSS. After you install the administrative certificate on the WSS and configure basic connectivity, you can configure the rest of your Nortel network AAA settings in WMS.
For connectivity information, see the Nortel WLAN—Security Switch Installation and Basic Configuration Guide. For WMS information, see the Nortel WLAN Management Software Reference Manual.

Authenticating at the Console

You can configure the console so that authentication is required, or so that no authentication is required. Nortel recommends that you enforce authentication on the console port.
To enforce console authentication, take the following steps:
1 Add a user in the local database by typing the following command with a username and password:
23x0# set user username password password
success: change accepted.
2 To enforce the use of console authentication through the local database, type the following command:
Caution! If you type this command before you have created a local username
and password, you can lock yourself out of the WSS. Before entering this command, you must configure a local username and password.
23x0# set authentication console * local
3 To store this configuration into nonvolatile memory, type the following command:
23x0# save config
success: configuration saved.
By default, no authentication is required at the console. If you have previously required authentication and have decided not to require it (during testing, for example), type the following command to configure the console so that it does not require username and password authentication:
23x0# set authentication console * none
Note. The authentication method none you can specify for administrative access is different from the fallthru authentication type None, which applies only to network access. The authentication method none allows access to the WSS switch by an administrator. The fallthru authentication type None denies access to a network user. (For information about the fallthru authentication types, see “Authentication Algorithm” on page 4039.)

Customizing AAA with “Wildcards” and Groups

Wildcards let you classify users by username or media access control (MAC) address for different AAA treatments. A user wildcard is a string, possibly containing wildcard characters, for matching AAA and IEEE 802.1X authentication methods to a user or set of users. The WSS switch supports the following wildcard characters for user globs:
• Single asterisk (*) matches the characters in a username up to but not including a separator character, which can be an at (@) sign or a period (.).
• Double asterisk (**) matches all usernames.
In a similar fashion, MAC address globs match authentication methods to a MAC address or set of MAC addresses. For details, see “User Wildcards, MAC Address Wildcards, and VLAN Wildcards” on page 39.
A user group is a named collection of users or MAC addresses sharing a common authorization policy. For example, you might group all users on the first floor of building 17 into the group bldg-17-1st-floor, or group all users in the IT group into the group infotech-people. Individual user entries override group entries if they both configure the same attribute.
(For information about configuring users and user groups, see “Adding and Clearing Local Users for Administrative Access” on page 63.)
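As an added illustration (not part of the guide or of WSS Software), the following Python models the two user-wildcard rules just described, so you can check which usernames a given wildcard will match before putting it on a set authentication or set accounting line. The rule names passed to matching_rules and the usernames are constructed; MAC address globs are not modelled.

```python
import re

# Added example: the user-wildcard matching rules modelled in Python.
# Not WSS Software code; patterns and usernames are constructed.
SEPARATORS = "@."     # a single * stops at either separator


def wildcard_to_regex(pattern):
    """Translate a user wildcard into a compiled regular expression.

    **  matches any username, separators included
    *   matches a run of characters up to, but not including, @ or .
    Everything else is literal, including the backslash in a
    Windows-domain prefix such as EXAMPLE\\ .
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^" + re.escape(SEPARATORS) + "]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


def matches(pattern, username):
    """True if the whole username is matched by the wildcard."""
    return wildcard_to_regex(pattern).fullmatch(username) is not None


def matching_rules(rules, username):
    """Return the names of every (name, wildcard) rule that matches the username.

    Useful for seeing which configured wildcards a given administrator
    falls under; which matching rule wins is not modelled here.
    """
    return [name for name, pattern in rules if matches(pattern, username)]
```

A single * therefore covers a bare username such as natasha but not natasha@example.com, and *@example.com does not cover first.last@example.com because the period is a separator; only ** spans both separators.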

Setting User Passwords

Like usernames, passwords are case-sensitive. To make passwords secure, make sure they contain uppercase and lowercase letters and numbers. Nortel recommends that all users create passwords that are memorable to themselves, difficult for others to guess, and not subject to a dictionary attack.
User passwords are automatically encrypted when entered in the local database. However, the encryption is not strong. It is designed only to discourage someone looking over your shoulder from memorizing your password as you display the configuration. To maintain security, WSS Software displays only the encrypted form of the password in show commands.
Note. Although WSS Software allows you to configure a user password for the special “last-resort” guest user, the password has no effect. Last-resort users can never access a WSS in administrative mode and never require a password.

Adding and Clearing Local Users for Administrative Access

Usernames and passwords can be stored locally on the WSS switch. Nortel recommends that you enforce console authentication after the initial configuration to prevent anyone with unauthorized access to the console from logging in. The local database on the WSS switch is the simplest way to store user information in a Nortel system.
To configure a user in the local database, type the following command:
set user username password password
For example, to configure user Jose with the password spRin9 in the local database on the WSS, type the following command:
23x0# set user Jose password spRin9
success: User Jose created
To clear a user from the local database, type the following command:
clear user username

Configuring Accounting for Administrative Users

Accounting allows you to track network resources. Accounting records can be updated for three important events: when the user is first connected, when the user roams from one AP access point to another, and when the user terminates his or her session. The default for accounting is off.
To configure accounting for administrative logins, use the following command:
set accounting {admin | console} {user-wildcard} {start-stop | stop-only} method1 [method2] [method3] [method4]
To configure accounting for administrative logins over the network at EXAMPLE, enter the following command:
set accounting admin EXAMPLE\* start-stop | stop-only aaa-method
You can select either start-stop or stop-only accounting modes. The stop-only mode sends only stop records, whereas start-stop sends both start and stop records, effectively doubling the number of accounting records. In most cases, stop-only is entirely adequate for administrative accounting, because a stop record contains all the information you might need about a session.
In the set accounting command, you must include AAA methods that specify whether to use the local database or RADIUS server to receive the accounting records. Specify local, which causes the processing to be done on the WSS switch, or specify a RADIUS server group. For information about configuring a RADIUS server group, see “Configuring RADIUS Server Groups” on page 483.
For example, you can set accounting for administrative users using the start-stop mode through the local database:
23x0# set accounting admin EXAMPLE\* start-stop local
success: change accepted.
The accounting records show the date and time of activity, the user’s status and name, and other attributes. The show accounting statistics command displays accounting records for administrative users after they have logged in to the WSS switch.
For example, the following accounting records show information about user Geetha’s sessions:
23x0# show accounting statistics
Sep 26 11:01:48 Acct-Status-Type=START Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Event-Timestamp=1064599308
Sept 26 12:50:21 Acct-Status-Type=STOP Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Acct-Session-Time=6513 Event-Timestamp=1064605821 Acct-Output-Octets=332 Acct-Input-Octets=61
Sep 26 12:50:33 Acct-Status-Type=START Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Event-Timestamp=1064605833
(For information about network user accounting, see “Configuring Accounting for Wireless Network Users” on page 460. For information about the fields in the show accounting statistics output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
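The following Python, added here as an example rather than taken from the guide, parses records in the show accounting statistics format above, pairs each START with its STOP per user and TTY, and checks that the STOP record’s Acct-Session-Time agrees with the two Event-Timestamp values. The sample input is the guide’s three records for Geetha, re-split one record per line; the finding it reports for the third record (a START with no STOP) is what a reviewer wants to see for an administrator who is still logged in or whose session never closed.

```python
# Added example: parse and cross-check WSS administrative accounting records.
# Not WSS Software code. The sample records are the ones shown in the guide,
# one record per line.
SAMPLE_ACCOUNTING = """\
Sep 26 11:01:48 Acct-Status-Type=START Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Event-Timestamp=1064599308
Sept 26 12:50:21 Acct-Status-Type=STOP Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Acct-Session-Time=6513 Event-Timestamp=1064605821 Acct-Output-Octets=332 Acct-Input-Octets=61
Sep 26 12:50:33 Acct-Status-Type=START Acct-Authentic=0 User-Name=Geetha AAA_TTY_ATTR=2 Event-Timestamp=1064605833
"""


def parse_record(line):
    """Split one record into its local timestamp and attribute=value pairs."""
    parts = line.split()
    attrs = {"logged": " ".join(parts[:3])}   # month, day, time as printed
    for token in parts[3:]:
        key, sep, value = token.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def parse_accounting(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def correlate_sessions(records):
    """Pair START and STOP records per (user, tty) and sanity-check them.

    Returns (sessions, findings): closed sessions with their duration and
    octet counts, plus a list of anomalies worth a second look.
    """
    open_starts = {}
    sessions = []
    findings = []
    for rec in records:
        key = (rec.get("User-Name"), rec.get("AAA_TTY_ATTR"))
        if "Event-Timestamp" not in rec:
            findings.append(f"{key[0]}: record without Event-Timestamp ({rec['logged']})")
            continue
        ts = int(rec["Event-Timestamp"])
        status = rec.get("Acct-Status-Type")
        if status == "START":
            if key in open_starts:
                findings.append(f"{key[0]}: START at {ts} while session from {open_starts[key]} has no STOP")
            open_starts[key] = ts
        elif status == "STOP":
            start = open_starts.pop(key, None)
            if start is None:
                findings.append(f"{key[0]}: STOP at {ts} without a matching START")
                continue
            reported = int(rec.get("Acct-Session-Time", "-1"))
            if reported != ts - start:
                findings.append(f"{key[0]}: Acct-Session-Time {reported} != STOP-START {ts - start}")
            sessions.append({
                "user": key[0], "start": start, "stop": ts, "seconds": reported,
                "in_octets": int(rec.get("Acct-Input-Octets", "0")),
                "out_octets": int(rec.get("Acct-Output-Octets", "0")),
            })
    for key, start in open_starts.items():
        findings.append(f"{key[0]}: session started at {start} has no STOP record yet")
    return sessions, findings


def summarize(text=SAMPLE_ACCOUNTING):
    return correlate_sessions(parse_accounting(text))
```

On the guide’s sample the one closed session checks out: 1064605821 minus 1064599308 is 6513 seconds, which matches Acct-Session-Time, and the second START is left open. With stop-only accounting the open-session check is unavailable, which is the trade-off the text describes.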

Displaying the AAA Configuration

To display your AAA configuration, type the following command:
23x0# show aaa
Default Values authport=1812 acctport=1813 timeout=5 acct-timeout=5 retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server Addr Ports T/o Tries Dead State
-------------------------------------------------------------------
r1 192.168.253.1 1812 1813 5 3 0 UP
Server groups
sg1: r1
set authentication console * local
set authentication admin * local
set accounting admin Geetha stop-only local
set accounting admin * start-stop local
user Geetha
Password = 1214253d1d19 (encrypted)
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)

Saving the Configuration

You must save the configuration for all commands that you enter and want to use for future sessions. After you enter the administrator’s AAA configuration, type the following command to maintain these commands in WSS nonvolatile memory:
23x0# save config
success: configuration saved.
You can also specify a filename for the configuration—for example, configday. To do this, type the following command:
23x0# save config configday
Configuration saved to configday.
You must type the save config command to save all configuration changes since the last time you rebooted the WSS switch or saved the configuration. If the WSS switch is rebooted before you have saved the configuration, all changes are lost.
You can also type the load config command, which reloads the WSS switch to the last saved configuration or loads a particular configuration filename. (For more information, see “Managing Configuration Files” on page 526.)

Administrative AAA Configuration Scenarios

The following scenarios illustrate typical configurations for administrative and local authentication. For all scenarios, the administrator is Natasha with the password m@Jor. (For RADIUS server configuration details, see Chapter , “Configuring Communication with RADIUS,” on page 477.)
• “Local Authentication” on page 67
• “Local Authentication for Console Users and RADIUS Authentication for Telnet Users” on page 68
• “Local Override and Backup Local Authentication” on page 69
• “Authentication When RADIUS Servers Do Not Respond” on page 70

Local Authentication

The first time you access a WSS switch, it requires no authentication. (For more information, see “First-Time Configuration using the Console” on page 56.) In this scenario, after the initial configuration of the WSS switch, Natasha is connected through the console and has enabled access.
To enable local authentication for a console user, you must configure a local username. Natasha types the following commands in this order:
23x0# set user natasha password m@Jor
User natasha created
23x0# set authentication console * local
success: change accepted.
23x0# save config
success: configuration saved.

Local Authentication for Console Users and RADIUS Authentication for Telnet Users

This scenario illustrates how to enable local authentication for console users and RADIUS authentication for Telnet administrative users. To do so, you configure at least one local username for console authentication and set up a RADIUS server for Telnet administrators. Natasha types the following commands in this order:
23x0# set user natasha password m@Jor
User natasha created
23x0# set authentication console * local
success: change accepted.
23x0# set radius server r1 address 192.168.253.1 key sunFLOW#$
success: change accepted.
Natasha also adds the RADIUS server (r1) to the RADIUS server group sg1, and configures Telnet administrative users for authentication through the group. She types the following commands in this order:
23x0# set server group sg1 members r1
success: change accepted.
23x0# set authentication admin * sg1
success: change accepted.
23x0# save config
success: configuration saved.

Local Override and Backup Local Authentication

This scenario illustrates how to enable local override authentication for console users. Local override means that WSS Software attempts authentication first through the local database. If it finds no match for the user in the local database, WSS Software then tries a RADIUS server—in this case, server r1 in server group sg1. Natasha types the following commands in this order:
23x0# set user natasha password m@Jor
User natasha created
23x0# set radius server r1 address 192.168.253.1 key sunFLOW#$
success: change accepted.
23x0# set server group sg1 members r1
success: change accepted.
23x0# set authentication console * local sg1
success: change accepted.
23x0# save config
success: configuration saved.
Natasha also enables backup RADIUS authentication for Telnet administrative users. If the RADIUS server does not respond, the user is authenticated by the local database in the WSS switch. Natasha types the following commands:
23x0# set authentication admin * sg1 local
success: change accepted.
23x0# save config
success: configuration saved.
The order in which Natasha enters authentication methods in the set authentication command determines the method WSS Software attempts first. The local database is the first method attempted for console users and the last method attempted for Telnet administrators.

Authentication When RADIUS Servers Do Not Respond

This scenario illustrates how to enable RADIUS authentication for both console and administrative users, but to unconditionally allow access for administrative and console users if the RADIUS server (in this case, server r1 in server group sg1) does not respond. To configure unconditional authentication, Natasha sets the authentication method to none. She types the following commands in this order:
23x0# set user natasha password m@Jor
User natasha created
23x0# set radius server r1 address 192.168.253.1 key sunFLOW#$
success: change accepted.
23x0# set server group sg1 members r1
success: change accepted.
23x0# set authentication console * sg1 none
success: change accepted.
23x0# set authentication admin * sg1 none
success: change accepted.
23x0# save config
success: configuration saved.
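To make the ordering rules in the last two scenarios concrete, here is an added Python model (not WSS Software code) of how a set authentication method list is walked. It assumes, from the descriptions above, that a method which cannot decide (the user is not in the local database, or no server in the RADIUS group responds) falls through to the next one, that an explicit accept or reject ends the walk, and that exhausting the list denies access. The local user is Natasha from the scenarios; the RADIUS account ops/R4d1us!, the password comparison and the function names are constructed. The audit function at the end reads set authentication lines as show aaa prints them for console and admin access and reports any method list containing none, the setting used in the scenario just above.

```python
# Added example: a model of walking a set authentication method list.
# Not WSS Software code; see the assumptions stated in the text above.
ACCEPT, REJECT, NO_MATCH, NO_RESPONSE = "accept", "reject", "no-match", "no-response"

LOCAL_DB = {"natasha": "m@Jor"}          # the local user from the scenarios
RADIUS_ACCOUNTS = {"ops": "R4d1us!"}     # constructed account known to group sg1


def local_method(user, password, radius_up):
    stored = LOCAL_DB.get(user)
    if stored is None:
        return NO_MATCH      # unknown locally: fall through (local override)
    return ACCEPT if stored == password else REJECT


def sg1_method(user, password, radius_up):
    if not radius_up:
        return NO_RESPONSE   # no server in the group answered
    return ACCEPT if RADIUS_ACCOUNTS.get(user) == password else REJECT


def none_method(user, password, radius_up):
    return ACCEPT            # none: unconditional administrative access


METHODS = {"local": local_method, "sg1": sg1_method, "none": none_method}


def authenticate(method_names, user, password, radius_up=True):
    """Walk the methods in the order given on the set authentication line.

    Returns (decision, name of the method that decided). Methods that
    cannot decide are skipped; if none decides, access is denied.
    """
    for name in method_names:
        result = METHODS[name](user, password, radius_up)
        if result in (ACCEPT, REJECT):
            return result, name
    return REJECT, "no method decided"


def audit_authentication(show_aaa_text):
    """Report console/admin set authentication lines whose method list
    contains none: with none present, any earlier method that cannot
    decide leaves the switch reachable without credentials."""
    findings = []
    for line in show_aaa_text.splitlines():
        toks = line.split()
        if toks[:2] != ["set", "authentication"] or len(toks) < 5:
            continue
        access, wildcard, methods = toks[2], toks[3], toks[4:]
        if "none" in methods:
            findings.append((access, wildcard, methods))
    return findings
```

What the model shows for the scenario above: with sg1 none, a wrong password is still rejected by sg1 while the RADIUS server is up, but once the server stops responding anyone reaches the console or Telnet prompt with no credentials at all. The backup form from the previous scenario, sg1 local, keeps the local database in the path for exactly that outage, which is why an audit of show aaa output is worth running after a change like this.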

Configuring and Managing Ports and VLANs

Configuring and Managing Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Configuring and Managing VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Managing the Layer 2 Forwarding Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Port and VLAN Configuration Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Configuring and Managing Ports

You can configure and display information for the following port parameters:
• Port type
• Name
• Speed and autonegotiation
• Port state
• Power over Ethernet (PoE) state
• Load sharing

Setting the Port Type

A WSS port can be one of the following types:
• Network port. A network port is a Layer 2 switch port that connects the WSS switch to other networking devices such as switches and routers.
• AP access port. An AP access port connects the WSS to an AP access point. The port also can provide power to the AP access point. Wireless users are authenticated to the network through an AP access port.
Note. A Distributed AP, which is connected to WSS switches through intermediate Layer 2 or Layer 3 networks, does not use an AP access port. To configure for a Distributed AP, see “Configuring for a Distributed AP” on page 76 and “Configuring AP access points,” on page 221.
• Wired authentication port. A wired authentication port connects the WSS switch to user devices, such as workstations, that must be authenticated to access the network.
All WSS switch ports are network ports by default. You must set the port type for ports directly connected to AP access points and to wired user stations that must be authenticated to access the network. When you change port type, WSS Software applies default settings appropriate for the port type. Table 1 lists the default settings applied for each port type. For example, the AP access point column lists default settings that WSS Software applies when you change a port type to ap (AP access port).
Table 1: Port Defaults Set By Port Type Change
Parameter: VLAN membership
  AP access: Removed from all VLANs. You cannot assign an AP access point to a VLAN. WSS Software automatically assigns AP access ports to VLANs based on user traffic.
  Wired authentication: Removed from all VLANs. You cannot assign a wired authentication port to a VLAN. WSS Software automatically assigns wired authentication ports to VLANs based on user traffic.
  Network: None. Note: If you clear a port, WSS Software resets the port as a network port but does not add the port back to any VLANs. You must explicitly add the port to the desired VLANs.
Parameter: Spanning Tree Protocol (STP)
  AP access: Not applicable
  Wired authentication: Not applicable
  Network: Based on the STP states of the VLANs the port is in.
Parameter: 802.1X
  AP access: Uses authentication parameters configured for users.
  Wired authentication: Uses authentication parameters configured for users.
  Network: No authentication.
Parameter: Port groups
  AP access: Not applicable
  Wired authentication: Not applicable
  Network: None
Parameter: IGMP snooping
  AP access: Enabled as users are authenticated and join VLANs.
  Wired authentication: Enabled as users are authenticated and join VLANs.
  Network: Enabled as the port is added to VLANs.
Parameter: Maximum user sessions
  AP access: Not applicable
  Wired authentication: 1 (one)
  Network: Not applicable
Table 2 lists how many APs you can configure on a WSS, and how many APs a switch can boot. The numbers are for directly connected and Distributed APs combined.
Table 2: Maximum APs Supported Per Switch
WSS Switch Model   Maximum That Can Be Configured   Maximum That Can Be Booted
WSS-2380           300                              40, 80, or 120, depending on the license level
WSS-2370           100                              40
WSS-2360           30                               12
WSS-2350           8                                3

WSS 2380 40 AP Software License Upgrade

The License Certificate is used to provide a single software license and its associated License Activation Key. The number of supported Access Points for your Nortel WLAN WSS 2380 will depend on the upgrade License Activation Key that is installed and active. This License upgrade supports an additional 40 APs and is only valid for use on these products running Version Software 4.0 and higher.
To enable the additional support of Access Points, you must obtain a License Activation Key from Nortel, and load the License Activation Key into WLAN WSS 2380 to activate the support.
To use this certificate to obtain a License Activation Key, follow these instructions:
1 Record the serial number of the WSS 2380 on which you wish to enable the additional Access Points. To display the switch’s serial number, establish a management session with the WSS 2380 and type the following command: show version. In the following example, the switch serial number is 1234567890:
2380> show version
Mobility System Software, Version 4.0.1
Copyright (c) 2002, 2003, 2004, 2005 Nortel Inc. All rights reserved
Build Information: (build#73) REL 2005-05-16 11:09:00
Model 2380
Hardware
Mainboard: version 24: revision 3: FPGA version 24
PoE board: version 1: FPGA version 6
Serial number 1234567890
Flash: 4.0.0.172 - md0a
Kernel: 3.0.0#253: Mon May 9 17:44:47 PDT 2005
BootLoader: 4.1/4.0.8
2 Contact Nortel using the email address to the left.
3 In the email, please include the coupon code (shown to the left) and serial number. Provide in the body of the email the contact information, including organization or company name, contact name, phone number, mailing address and e-mail address.
4 Nortel will verify the validity of the coupon code, and reply to your email with the authorization key unique for the serial number of the switch provided. Nortel will record the license activation key and associated serial number. A record of the serial number and activation key will be kept at Nortel for future reference.
5 This certificate should be stored in a secure place for future reference.
When the proper License Activation Key has been obtained, follow the instructions below to enable the WLAN WSS 2380 features:
1 Use the following command at the enable (configuration) level of the CLI to install the activation key: set license activation-key
2 Type in the entire activation key and press Enter. In the following example, an activation key for additional APs is installed:
2380# set license 3B02-D821-6C19-CE8B-F20E
success: license accepted
3 Verify installation of the new license by typing the following command: show license
Support for the additional APs begins immediately. The switch does not need to be restarted for the upgrade to be effective.
Setting a Port for a Directly Connected AP access port
Note. Before configuring a port as an AP access port, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WSS switch. (See “Specifying the Country of Operation” on page 248.)
To set a port for an AP access port, use the following command:
set port type ap port-list model {AP2750 | AP-52 | AP-101 | AP-122 | AP-241 | AP-252 | AP-262 | AP-341 | AP-352 | AP-2330} poe {enable | disable} [radiotype {11a | 11b | 11g}]
You must specify a port list of one or more port numbers, the AP model number, and the PoE state. (For details about port lists, see “Port Lists” on page 41.)
AP access point models AP2750, AP-241 and AP-341 have a single radio that can be configured for 802.11a or 802.11b/g. Other AP models have two radios. One radio is always 802.11a. The other radio is 802.11b/g, but can be configured for 802.11b or 802.11g exclusively. If the country of operation specified by the set system countrycode command does not allow 802.11g, the default is 802.11b.
Note. All AP models except the 2330 and AP2750 have been discontinued but are still supported by the command.
AP radios configured for 802.11g also allow associations from 802.11b clients by default. To disable support for 802.11b associations, use the set radio-profile 11g-only command on the radio profile that contains the radio.
Note. You cannot configure any gigabit Ethernet port, or port 7 or 8 on a WSS-2360 switch, or port 1 on a WSS-2350, as an AP port. To manage an AP access point on a WSS-2380 switch, configure a Distributed AP connection on the switch. (See “Configuring for a Distributed AP” on page 76.)
AP model AP-262 requires an external antenna for the 802.11b/g radio. You must specify the Nortel antenna model. AP-3xx models have an internal 802.11b/g antenna as well as a connector for an external antenna, so use of an external antenna is optional on these models. The 2330 also has a connector for an optional external 802.11a antenna. To specify the antenna model, use the set {ap | dap} radio antennatype command. (See “Configuring the External Antenna Model” on page 274.)
To set ports 4 through 6 for AP access point model 2330 and enable PoE on the ports, type the following command:
23x0# set port type ap 4-6 model 2330 poe enable
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y
success: change accepted.
To set port 7 for AP access point model AP-241, enable PoE on the port, and set the radio type to 802.11b only, type the following command:
23x0# set port type ap 7 model AP-241 poe enable radiotype 11b
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y
success: change accepted.
To set port 11 for AP access point model AP-341, enable PoE on the port, and change the radio type to 802.11a, type the following command:
23x0# set port type ap 11 model AP-341 poe enable radiotype 11a
This may affect the power applied on the configured ports. Would you like to continue? (y/n) [n]y
success: change accepted.
Note. Additional configuration is required to place an AP access point into operation. For information, see “Configuring AP access points,” on page 221.
Configuring for a Distributed AP
To configure a connection for a Distributed AP (referred to as a DAP in the CLI), use the following command:
set dap dap-num serial-id serial-ID model {MP2750 | MP-52 | MP-101 | MP-122 | MP-241 | MP-252 | MP-262 | MP-341 | MP-352 | AP-2330} [radiotype {11a | 11b | 11g}]
The dap-num parameter identifies the Distributed AP connection for the AP. The range of valid connection ID numbers depends on the WSS switch model:
• For a WSS-2380, you can specify a number from 1 to 300.
• For a WSS-2370, you can specify a number from 1 to 100.
• For a WSS-2360, you can specify a number from 1 to 30.
• For a WSS-2350, you can specify a number from 1 to 8.
For the serial-id parameter, specify the serial ID of the AP. The serial ID is listed on the AP case. To display the serial ID using the CLI, use the show version details command. The model and radiotype parameters have the same options as they do with the set port type ap command.
Because the WSS does not supply power to an indirectly connected AP, the set dap command does not use the poe parameter.
To configure Distributed AP connection 1 for AP model 2330 with serial-ID 0322199999, type the following command:
23x0# set dap 1 serial-id 0322199999 model 2330
success: change accepted.
To configure Distributed AP connection 2 for AP model AP-241 with serial-ID 0322188888 and radio type 802.11a, type the following command:
23x0# set dap 2 serial-id 0322188888 model MP-241 radiotype 11a
success: change accepted.
Setting a Port for a Wired Authentication User
To set a port for a wired authentication user, use the following command:
set port type wired-auth port-list [tag tag-list] [max-sessions num] [auth-fall-thru {last-resort | none | web-portal}]
You must specify a port list. Optionally, you also can specify a tag-list to subdivide the port into virtual ports, set the maximum number of simultaneous user sessions that can be active on the port, and change the fallthru authentication method.
By default, one user session can be active on the port at a time.
The fallthru authentication type is used if the user does not support 802.1X and is not authenticated by MAC authentication. The default is none, which means the user is automatically denied access if neither 802.1X authentication nor MAC authentication is successful.
To set port 17 as a wired authentication port, type the following command:
23x0# set port type wired-auth 17
success: change accepted
This command configures port 17 as a wired authentication port supporting one interface and one simultaneous user session.
Note. If clients are connected to a wired authentication port through a downstream third-party switch, the WSS switch attempts to authenticate based on any traffic coming from the switch, such as Spanning Tree Protocol (STP) BPDUs. In this case, disable repetitive traffic emissions such as STP BPDUs from downstream switches. If you want to provide a management path to a downstream switch, use MAC authentication.
Clearing a Port
Caution! When you clear a port, WSS Software ends user sessions that are using the port.
To change a port’s type from AP access point or wired authentication port, you must first clear the port, then set the port type.
Clearing a port removes all the port’s configuration settings and resets the port as a network port.
• If the port is an AP access port, clearing the port disables PoE and 802.1X authentication.
• If the port is a wired authenticated port, clearing the port disables 802.1X authentication.
• If the port is a network port, the port must first be removed from all VLANs, which removes the port from all spanning trees, load-sharing port groups, and so on.
Note. A cleared port is not placed in any VLANs, not even the default VLAN (VLAN 1).
To clear a port, use the following command:
clear port type port-list
For example, to clear the port-related settings from port 5 and reset the port as a network port, type the following command:
23x0# clear port type 5
This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
success: change accepted.
Clearing a Distributed AP
Caution! When you clear a Distributed AP, WSS Software ends user sessions that are using the AP.
To clear a Distributed AP, use the following command:
clear dap dap-num

Configuring a Port Name

Each WSS switch port has a number but does not have a name by default.
Setting a Port Name
To set a port name, use the following command:
set port port name name
You can specify only a single port number with the command.
To set the name of port 17 to adminpool, type the following command:
23x0# set port 17 name adminpool
success: change accepted.
Note. To avoid confusion, Nortel recommends that you do not use numbers as port names.
Removing a Port Name
To remove a port name, use the following command:
clear port port-list name

Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WSS-400 only)

The gigabit Ethernet ports on a WSS-2380 switch have two physical interfaces: a 1000BASE-TX copper interface and a 1000BASE-SX or 1000BASE-LX fiber interface. The copper interface is provided by a built-in RJ-45 connector. The fiber interface is optional and requires insertion of a Gigabit interface converter (GBIC).
Only one interface can be active on a port. By default, WSS Software prefers the GBIC (fiber) interface. You can configure a port to prefer the RJ-45 (copper) interface instead.
If you set the preference to RJ-45 on a port that already has an active fiber link, WSS Software immediately changes the link to the copper interface.
To configure a port to prefer the copper interface, use the following command:
set port preference port-list rj45
To remove the preference setting from a port so that GBIC (fiber) is preferred again, use the following command:
clear port preference port-list
To display preference settings, use the following command:
show port preference [port-list]
To set the preference of port 2 on a WSS-2380 switch to copper and verify the change, type the following commands:
WSS-2380# set port preference 2 rj45
WSS-2380# show port preference
Port Preference
===========================================================
1 GBIC
2 RJ45
3 GBIC
4 GBIC

Configuring Port Operating Parameters

Autonegotiation is enabled by default on a WSS switch’s 10/100 Ethernet ports and gigabit Ethernet ports.
Note. All ports on the WSS-2370 and WSS-2380 switches support full-duplex operating mode only. They do not support half-duplex operation. Ports on the WSS-2360 switch support half-duplex and full-duplex operation.
You can configure the following port operating parameters:
• Speed
• Autonegotiation
• Port state
• PoE state
You also can toggle a port’s administrative state and PoE setting off and back on to reset the port.
10/100 Ports—Autonegotiation and Port Speed
WSS 10/100 Ethernet ports use autonegotiation by default to determine the appropriate port speed. To explicitly set the port speed of a 10/100 port, use the following command:
set port speed port-list {10 | 100 | auto}
Note. If you explicitly set the port speed (by selecting an option other than auto) of a 10/100 Ethernet port, the operating mode is set to full-duplex.
To set the port speed on ports 1, 7 through 11, and 14 to 10 Mbps, type the following command:
23x0# set port speed 1,7-11,14 10
Gigabit Ports—Autonegotiation and Flow Control
WSS gigabit ports use autonegotiation by default to determine capabilities for 802.3z flow control parameters. The gigabit ports can respond to IEEE 802.3z flow control packets. Some devices use this capability to prevent packet loss by temporarily pausing data transmission.
To disable flow control negotiation on a WSS gigabit port, use the following command:
set port negotiation port-list {enable | disable}
10/100 Ethernet Ports—Full-Duplex-Only Operation (WSS-2370 only)
WSS-2360 10/100 Ethernet ports support half-duplex and full-duplex operation. WSS-2370 10/100 Ethernet ports do not support half-duplex operation. As a result, there are restrictions when WSS-2370 10/100 Ethernet ports are interoperating with other vendors’ devices. For a link to occur, the autonegotiation settings on a WSS-2370 switch port and the device at the other end of the link must be the same. In addition, the other device must support full-duplex operation. When autonegotiation is enabled on a WSS-2370 switch port, the port advertises support for full-duplex mode only. Table 3 lists the supported configurations.
Table 3: Supported 10/100 Ethernet Speeds and Operating Modes for WSS-2370 Switch
(Rows: WSS-2370 setting. Columns: other device’s setting. Cells: resulting link.)
WSS-2370 Setting      | 100 Mbps Full-duplex | 10 Mbps Full-duplex | 100 Mbps Half-duplex | 10 Mbps Half-duplex | Autonegotiation
100 Mbps Full-duplex  | 100 Mbps full-duplex | Not supported       | Not supported        | Not supported       | Not supported
10 Mbps Full-duplex   | Not supported        | 10 Mbps full-duplex | Not supported        | Not supported       | Not supported
Autonegotiation       | Not supported        | Not supported       | Not supported        | Not supported       | 100 Mbps full-duplex
Disabling or Reenabling a Port
All ports are enabled by default. To administratively disable a port, use the following command:
set port {enable | disable} port-list
A port that is administratively disabled cannot send or receive packets. This command does not affect the link state of the port.
Disabling or Reenabling Power over Ethernet
Power over Ethernet (PoE) supplies DC power to a device connected to an AP access port. The PoE state depends on whether you enable or disable PoE when you set the port type. (See “Setting the Port Type” on page 72.)
Caution! Use the WSS switch’s PoE only to power Nortel AP access ports. If you enable PoE on ports connected to other devices, damage can result.
Note. PoE is supported only on 10/100 Ethernet ports. PoE is not supported on any gigabit Ethernet ports, or on ports 7 and 8 on a WSS-2360 switch.
To change the PoE state on a port, use the following command:
set port poe port-list enable | disable
Resetting a Port
You can reset a port by toggling its link state and PoE state. WSS Software disables the port’s link and PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing an AP access point that is connected to two WSS switches to reboot using the port connected to the other switch.
To reset a port, use the following command:
reset port port-list

Displaying Port Information

You can use CLI commands to display the following port information:
• Port configuration and status
• PoE state
• Port statistics
You also can configure WSS Software to display and regularly update port statistics in a separate window.
Displaying Port Configuration and Status
To display port configuration and status information, use the following command:
show port status [port-list]
To display information for all ports, type the following command:
23x0# show port status
Port  Name  Admin  Oper  Config  Actual    Type     Media
===============================================================================
1     1     up     up    auto    100/full  network  10/100BaseTx
2     2     up     down  auto              network  10/100BaseTx
3     3     up     down  auto              network  10/100BaseTx
4     4     up     down  auto              network  10/100BaseTx
5     5     up     down  auto              network  10/100BaseTx
6     6     up     down  auto              network  10/100BaseTx
7     7     up     down  auto              network  10/100BaseTx
8     8     up     down  auto              network  10/100BaseTx
9     9     up     up    auto    100/full  ap       10/100BaseTx
10    10    up     up    auto    100/full  network  10/100BaseTx
11    11    up     down  auto              network  10/100BaseTx
12    12    up     down  auto              network  10/100BaseTx
13    13    up     down  auto              network  10/100BaseTx
14    14    up     down  auto              network  10/100BaseTx
15    15    up     down  auto              network  10/100BaseTx
16    16    up     down  auto              network  10/100BaseTx
17    17    up     down  auto              network  10/100BaseTx
18    18    up     down  auto              network  10/100BaseTx
19    19    up     down  auto              network  10/100BaseTx
20    20    up     down  auto              network  10/100BaseTx
21    21    up     down  auto              network  no connector
22    22    up     down  auto              network  no connector
In this example, three of the switch’s ports, 1, 9, and 10, have an operational status of up, indicating the links on the ports are available. Ports 1 and 10 are network ports. Port 9 is an AP access port.
(For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
Displaying PoE State
To display the PoE state of a port, use the following command:
show port poe [port-list]
To display PoE information for ports 7 and 9, type the following command:
23x0# show port poe 7,9
            Link    PoE   PoE       PoE
Port  Name  Status  Type  config    Draw
===============================================================================
7     7     down    AP    disabled  off
9     9     up      AP    enabled   1.44
In this example, PoE is disabled on port 7 and enabled on port 9. The AP access point connected to port 9 is drawing 1.44 W of power from the WSS.
(For more information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
Displaying Port Statistics
To display port statistics, use the following command:
show port counters [octets | packets | receive-errors | transmit-errors |
collisions | receive-etherstats | transmit-etherstats] [port port-list]
You can specify one statistic type with the command. For example, to display octet statistics for port 3, type the following command:
23x0# show port counters octets port 3
Port  Status  Rx Octets  Tx Octets
===============================================================================
3     Up      27965420   34886544
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)
Note. To display all types of statistics with the same command, use the monitor port
counters command. (See “Monitoring Port Statistics” on page 85.)
Clearing Statistics Counters
To clear all port statistics counters, use the following command:
clear port counters
The counters begin incrementing again, starting from 0.
Monitoring Port Statistics
You can display port statistics in a format that continually updates the counters. When you enable monitoring of port statistics, WSS Software clears the CLI session window and displays the statistics at the top of the window. WSS Software refreshes the statistics every 5 seconds. This interval cannot be configured.
To monitor port statistics, use the following command:
monitor port counters [octets | packets | receive-errors | transmit-errors | collisions |
receive-etherstats | transmit-etherstats]
Statistics types are displayed in the following order by default:
• Octets
• Packets
• Receive errors
• Transmit errors
• Collisions
• Receive Ethernet statistics
• Transmit Ethernet statistics
Each type of statistic is displayed separately. Press the Spacebar to cycle through the displays for each type.
If you use an option to specify a statistic type, the display begins with that statistic type. You can use one statistic option with the command.
Use the keys listed in Table 4 to control the monitor display.
Table 4: Key Controls for Monitor Port Counters Display
Key       Effect on monitor display
Spacebar  Advances to the next statistics type.
Esc       Exits the monitor. WSS Software stops displaying the statistics and displays a new command prompt.
c         Clears the statistics counters for the currently displayed statistics type. The counters begin incrementing again.
To monitor port statistics beginning with octet statistics (the default), type the following command:
23x0# monitor port counters
As soon as you press Enter, WSS Software clears the window and displays statistics at the top of the window. In this example, the octet statistics are displayed first.
Port  Status  Rx Octets  Tx Octets
===============================================================================
1     Up      27965420   34886544
...
To cycle the display to the next set of statistics, press the Spacebar. In this example, packet statistics are displayed next:
Port Status Rx Unicast Rx NonUnicast Tx Unicast Tx NonUnicast
===============================================================================
1 Up 54620 62144 68318 62556
...
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)

Configuring Load-Sharing Port Groups

A port group is a set of physical ports that function together as a single link and provide load sharing and link redundancy. Only network ports can participate in a port group.
You can configure up to 16 ports in a port group, in any combination of ports. The port numbers do not need to be contiguous and you can use 10/100 Ethernet ports and gigabit Ethernet ports in the same port group.
Load Sharing
A WSS switch balances the port group traffic among the group’s physical ports by assigning traffic flows to ports based on the traffic’s source and destination MAC addresses. The switch assigns a traffic flow to an individual port and uses the same port for all subsequent traffic for that flow.
Link Redundancy
A port group ensures link stability by providing redundant connections for the same link. If an individual port in a group fails, the WSS reassigns traffic to the remaining ports. When the failed port starts operating again, the WSS switch begins using it for new traffic flows. Traffic that belonged to the port before it failed continues to be assigned to other ports.
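The following Python model is an added example, not WSS Software code: it implements the sticky flow-to-port assignment, failover and recovery behaviour described above, together with the CLI port-list syntax (for example 1,7-11,14). The hash used to choose a port is an assumption, because the guide states only that the choice depends on the source and destination MAC addresses.

```python
import hashlib
from dataclasses import dataclass, field


def parse_port_list(spec: str) -> list[int]:
    """Expand a CLI port list such as "1,7-11,14" into sorted port numbers."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad port range {item!r}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return sorted(ports)


@dataclass
class PortGroup:
    """Load-sharing port group: up to 16 network ports acting as one link."""
    name: str
    ports: list[int]
    down: set[int] = field(default_factory=set)
    # (src MAC, dst MAC) -> member port; a flow sticks to its port once assigned
    flows: dict[tuple[str, str], int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 1 <= len(self.ports) <= 16:
            raise ValueError("a port group holds 1 to 16 ports")

    @classmethod
    def from_port_list(cls, name: str, spec: str) -> "PortGroup":
        # set port-group name <name> <port-list> mode on
        return cls(name, parse_port_list(spec))

    def active_ports(self) -> list[int]:
        return [p for p in self.ports if p not in self.down]

    def _pick(self, src: str, dst: str) -> int:
        # Assumed hash (constructed for this example): the guide says only that
        # the port is chosen from the source and destination MAC addresses.
        active = self.active_ports()
        if not active:
            raise RuntimeError(f"port group {self.name} has no operational ports")
        digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
        return active[int.from_bytes(digest[:4], "big") % len(active)]

    def port_for(self, src: str, dst: str) -> int:
        """Port that carries this flow; assigned on first use, then reused."""
        key = (src.lower(), dst.lower())
        if key not in self.flows:
            self.flows[key] = self._pick(*key)
        return self.flows[key]

    def link_down(self, port: int) -> None:
        """Member port fails: its flows move to the remaining operational ports."""
        self.down.add(port)
        for key, assigned in list(self.flows.items()):
            if assigned == port:
                self.flows[key] = self._pick(*key)

    def link_up(self, port: int) -> None:
        """Member port recovers: it gets new flows only; moved flows stay put."""
        self.down.discard(port)


if __name__ == "__main__":
    # Constructed sample: group server1 = ports 1-5, as in the guide's example.
    group = PortGroup.from_port_list("server1", "1-5")
    flow = ("00:01:97:13:0b:1f", "aa:bb:cc:dd:ee:ff")
    first = group.port_for(*flow)
    group.link_down(first)
    moved = group.port_for(*flow)
    group.link_up(first)
    print(f"port {first} -> failed -> port {moved} -> recovered, still {group.port_for(*flow)}")
```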
Configuring a Port Group
To configure a port group, use the following command:
set port-group name group-name port-list mode {on | off}
Enter a name for the group and the ports contained in the group.
The mode parameter adds or removes ports for a group that is already configured. To modify a group:
• Adding ports—Enter the ports you want to add, then enter mode on.
• Removing ports—Enter the ports you want to remove, then enter mode off.
To configure a port group named server1 containing ports 1 through 5 and enable the link, type the following command:
23x0# set port-group name server1 1-5 mode on
success: change accepted.
After you configure a port group, you can use the port group name with commands that change Layer 2 configuration parameters to apply configuration changes to all ports in the port group. For example, Spanning Tree Protocol (STP) and VLAN membership changes affect the entire port group instead of individual ports. When you make Layer 2 configuration changes, you can use a port group name in place of the port list. Ethernet port statistics continue to apply to individual ports, not to port groups.
To configure a port group named server2 containing ports 15 and 17 and add the ports to the default VLAN, type the following commands:
23x0# set port-group name server2 15,17 mode on
success: change accepted.
23x0# set vlan default port server2
success: change accepted.
To verify the configuration change, type the following command:
23x0# show vlan config
                        Admin   VLAN   Tunl                           Port
VLAN  Name              Status  State  Affin  Port              Tag   State
----  ----------------  ------  -----  -----  ----------------  ----  -----
1     default           Up      Up     5      server2           none  Up
To indicate that the ports are configured as a port group, the show vlan config output lists the port group name instead of the individual port numbers.
Removing a Port Group
To remove a port group, use the following command:
clear port-group name name
Displaying Port Group Information
To display port group information, use the following command:
show port-group [all | name group-name]
To display the configuration and status of port group server2, type the following command:
23x0# show port-group name server2
Port group: server2 is up Ports: 15, 17
Interoperating with Cisco Systems EtherChannel
Load-sharing port groups are interoperable with Cisco Systems EtherChannel capabilities. To configure a Cisco Catalyst switch to interoperate with a Nortel WSS, use the following command on the Catalyst switch:
set port channel port-list mode on

Configuring and Managing VLANs

Note. The CLI commands in this chapter configure VLANs on WSS network ports. The commands do not configure VLAN membership for wireless or wired authentication users. To assign a user to a VLAN, configure the RADIUS Tunnel-Private-Group-ID attribute or the VLAN-Name vendor specific attribute (VSA) for that user. (For more information, see “Configuring AAA for Network Users,” on page 401.)

Understanding VLANs in Nortel WSS Software

A virtual LAN (VLAN) is a Layer 2 broadcast domain that can span multiple wired or wireless LAN segments. Each VLAN is a separate logical network and, if you configure IP interfaces on the VLANs, WSS Software treats each VLAN as a separate IP subnet.
Only network ports can be preconfigured to be members of one or more VLANs. You configure VLANs on a WSS’s network ports by configuring them on the switch itself. You configure a VLAN by assigning a name and network ports to the VLAN. Optionally, you can assign VLAN tag values on individual network ports. You can configure multiple VLANs on a WSS’s network ports. Optionally, each VLAN can have an IP address.
VLANs are not configured on AP access ports or wired authentication ports, because the VLAN membership of these types of ports is determined dynamically through the authentication and authorization process. Users who require authentication connect through WSS switch ports that are configured for AP access ports or wired authentication access. Users are assigned to VLANs automatically through authentication and authorization mechanisms such as 802.1X.
By default, none of a WSS switch’s ports are in VLANs. A switch cannot forward traffic on the network until you configure VLANs and add network ports to those VLANs.
Note. A wireless client cannot join a VLAN if the physical network ports on the WSS switch in the VLAN are down. However, a wireless client that is already in a VLAN whose physical network ports go down remains in the VLAN even though the VLAN is down.
VLANs, IP Subnets, and IP Addressing
Generally, VLANs are equivalent to IP subnets. If a WSS is connected to the network by only one IP subnet, the switch must have at least one VLAN configured. Optionally, each VLAN can have its own IP address. However, no two IP addresses on the switch can belong to the same IP subnet.
You must assign the system IP address to one of the VLANs, for communications between WSSs and for unsolicited communications such as SNMP traps and RADIUS accounting messages. Any IP address configured on a WSS can be used for management access unless explicitly restricted. (For more information about the system IP address, see “Configuring and Managing IP Interfaces and Services,” on page 107.)
Users and VLANs
When a user successfully authenticates to the network, the user is assigned to a specific VLAN. A user remains associated with the same VLAN throughout the user’s session on the network, even when roaming from one WSS to another within the Mobility Domain.
You assign a user to a VLAN by setting one of the following attributes on the RADIUS servers or in the local user database:
• Tunnel-Private-Group-ID—This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.
• VLAN-Name—This attribute is a Nortel vendor-specific attribute (VSA).
Note. You cannot configure the Tunnel-Private-Group-ID attribute in the local user database.
Specify the VLAN name, not the VLAN number. The examples in this chapter assume the VLAN is assigned on a RADIUS server with either of the valid attributes. (For more information, see “Configuring AAA for Network Users,” on page 401.)
VLAN Names
To create a VLAN, you must assign a name to it. VLAN names must be globally unique across a Mobility Domain to ensure the intended user connectivity as determined through authentication and authorization.
Every VLAN on a WSS has both a VLAN name, used for authorization purposes, and a VLAN number. VLAN numbers can vary uniquely for each WSS switch and are not related to 802.1Q tag values.
You cannot use a number as the first character in a VLAN name.
Roaming and VLANs
WSS switches in a Mobility Domain contain a user’s traffic within the VLAN that the user is assigned to. For example, if you assign a user to VLAN red, the WSSs in the Mobility Domain contain the user’s traffic within VLAN red configured on the switches.
The WSS switch through which a user is authenticated is not required to be a member of the VLAN the user is assigned to. You are not required to configure the VLAN on all WSSs in the Mobility Domain. When a user roams to a switch that is not a member of the VLAN the user is assigned to, the switch can tunnel traffic for the user through another switch that is a member of the VLAN. The traffic can be of any protocol type. (For more information about Mobility Domains, see “Configuring and Managing Mobility Domain Roaming,” on page 175.)
Note. Because the default VLAN (VLAN 1) might not be in the same subnet on each switch, Nortel recommends that you do not rename the default VLAN or use it for user traffic. Instead, configure other VLANs for user traffic.
Traffic Forwarding
A WSS switch switches traffic at Layer 2 among ports in the same VLAN. For example, suppose you configure ports 4 and 5 to belong to VLAN 2 and ports 6 and 7 to belong to VLAN 3. As a result, traffic between port 4 and port 5 is switched, but traffic between port 4 and port 6 is not switched and needs to be routed by an external router.
802.1Q Tagging
The tagging capabilities of the WSS are very flexible. You can assign 802.1Q tag values on a per-VLAN, per-port basis. The same VLAN can have different tag values on different ports. In addition, the same tag value can be used by different VLANs but on different network ports.
If you use a tag value, Nortel recommends that you use the same value as the VLAN number. WSS Software does not require the VLAN number and tag value to be the same, but some other vendors’ devices do.
Note. Do not assign the same VLAN multiple times using different tag values to the same network port. Although WSS Software does not prohibit you from doing so, the configuration is not supported.
Tunnel Affinity
WSS switches configured as a Mobility Domain allow users to roam seamlessly across AP access ports and even across WSSs. Although a switch that is not a member of a user’s VLAN cannot directly forward traffic for the user, the switch can tunnel the traffic to another WSS switch that is a member of the user’s VLAN.
If the WSS that is not in the user’s VLAN has a choice of more than one other WSS switch through which to tunnel the user’s traffic, the switch selects the other switch based on an affinity value. This is a numeric value that each WSS switch within a Mobility Domain advertises, for each of its VLANs, to all other switches in the Mobility Domain. A switch outside the user’s VLAN selects the other operational switch that has the highest affinity value for the user’s VLAN to forward traffic for the user.
If more than one WSS switch has the highest affinity value, WSS Software randomly selects one of the switches for the tunnel.
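As an added example (not Nortel’s code), the Python sketch below applies the selection rule just described: a switch that is a member of the user’s VLAN forwards directly; otherwise it tunnels to the operational member that advertises the highest affinity for that VLAN, choosing at random on a tie. The affinity range and default are those of the set vlan tunnel-affinity command covered later in this chapter; switch names are constructed.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

AFFINITY_MIN, AFFINITY_MAX, AFFINITY_DEFAULT = 1, 10, 5


@dataclass
class Wss:
    """One switch in a Mobility Domain: VLAN name -> advertised tunnel affinity."""
    name: str
    vlans: dict[str, int] = field(default_factory=dict)
    operational: bool = True

    def add_vlan(self, vlan: str) -> None:
        # A newly configured VLAN advertises the default affinity of 5.
        self.vlans.setdefault(vlan, AFFINITY_DEFAULT)

    def set_tunnel_affinity(self, vlan: str, num: int) -> None:
        # set vlan vlan-id tunnel-affinity num  (1 through 10)
        if vlan not in self.vlans:
            raise KeyError(f"VLAN {vlan!r} is not configured on {self.name}")
        if not AFFINITY_MIN <= num <= AFFINITY_MAX:
            raise ValueError("tunnel affinity must be 1 through 10")
        self.vlans[vlan] = num


def tunnel_candidates(local: Wss, vlan: str, domain: list[Wss]) -> list[Wss]:
    """Other operational members of `vlan` that advertise the highest affinity."""
    members = [s for s in domain
               if s is not local and s.operational and vlan in s.vlans]
    if not members:
        return []
    best = max(s.vlans[vlan] for s in members)
    return [s for s in members if s.vlans[vlan] == best]


def forwarder_for_user(local: Wss, vlan: str, domain: list[Wss],
                       rng: Optional[random.Random] = None) -> Optional[Wss]:
    """Where `local` sends a user's traffic for `vlan`: itself if it is a member,
    otherwise the best tunnel peer (random choice on a tie), else None."""
    if vlan in local.vlans:
        return local
    candidates = tunnel_candidates(local, vlan, domain)
    if not candidates:
        return None
    return (rng or random).choice(candidates)


if __name__ == "__main__":
    # Constructed domain: wss-a has no VLAN red; wss-b and wss-c do.
    a, b, c = Wss("wss-a"), Wss("wss-b"), Wss("wss-c")
    b.add_vlan("red")
    c.add_vlan("red")
    c.set_tunnel_affinity("red", 9)
    print("wss-a tunnels red traffic via", forwarder_for_user(a, "red", [a, b, c]).name)
```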

Configuring a VLAN

You can configure the following VLAN parameters:
• VLAN number
• VLAN name
• Port list (the ports in the VLAN)
• Per-port tag value (an 802.1Q value representing a virtual port in the VLAN)
• Tunnel affinity (a value that influences tunneling connections for roaming)
Creating a VLAN
To create a VLAN, use the following command:
set vlan vlan-num name name
Specify a VLAN number from 2 to 4095, and specify a name up to 16 alphabetic characters long.
You cannot use a number as the first character in a VLAN name. Nortel recommends that you do not use the same name with different capitalizations for VLANs or ACLs. For example, do not configure two separate VLANs with the names red and RED.
Note. Nortel recommends that you do not use the name default. This name is already used for VLAN 1. Nortel also recommends that you do not rename the default VLAN.
You must assign a name to a VLAN before you can add ports to the VLAN. You can configure the name and add ports with a single set vlan command or separate set vlan commands.
Once you assign a VLAN number to a VLAN, you cannot change the number. However, you can change a VLAN’s name.
For example, to assign the name red to VLAN 2, type the following command:
23x0# set vlan 2 name red
After you create a VLAN, you can use the VLAN number or the VLAN name in commands. In addition, the VLAN name appears in CLI and WLAN Management Software displays.
Adding Ports to a VLAN
To add a port to a VLAN, use the following command:
set vlan vlan-id port port-list [tag tag-value]
You can specify a tag value from 1 through 4095.
Note. WSS Software does not remove a port from other VLANs when you add the port to a new VLAN. If a new VLAN causes a configuration conflict with an older VLAN, remove the port from the older VLAN before adding the port to the new VLAN.
For example, to add ports 9 through 11 and port 21 to VLAN red, type the following command:
23x0# set vlan red port 9-11,21
success: change accepted.
Optionally, you also can specify a tag value to be used on trunked 802.1Q ports. To assign the name marigold to VLAN 4, add ports 12 through 19 and port 22, and assign tag value 11 to port 22, type the following commands:
23x0# set vlan 4 name marigold port 12-19
success: change accepted.
23x0# set vlan 4 name marigold port 22 tag 11
success: change accepted.
Removing an Entire VLAN or a VLAN Port
To remove an entire VLAN or a specific port and tag value from a VLAN, use the following command:
clear vlan vlan-id [port port-list [tag tag-value]]
Caution! When you remove a VLAN, WSS Software completely removes the VLAN from the configuration and also removes all configuration information that uses the VLAN. If you want to remove only a specific port from the VLAN, make sure you specify the port number in the command.
The clear vlan command with a VLAN ID but without a port list or tag value clears all ports and tag values from the VLAN.
To remove port 21 from VLAN red, type the following command:
23x0# clear vlan red port 21
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
To clear port 13, which uses tag value 11, from VLAN marigold, type the following command:
23x0# clear vlan marigold port 13 tag 11
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
To completely remove VLAN ecru, type the following command:
23x0# clear vlan ecru
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
success: change accepted.
Note. You cannot remove the default VLAN (VLAN 1). However, you can add and remove ports. You can also rename the default VLAN, but Nortel recommends against it.
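The following Python model is an added example, not WSS Software, that enforces the set vlan and clear vlan rules given in this section and in the 802.1Q tagging section above: VLAN numbers 2 through 4095, alphabetic names of up to 16 characters that cannot start with a digit, tag values 1 through 4095, one tag per VLAN per port, no reuse of a tag by two VLANs on the same port, membership in other VLANs preserved when a port is added, and no removal of VLAN 1. Points the guide phrases as recommendations (the name default, names differing only in case, renaming VLAN 1) are returned as warnings rather than rejected; the class and method names are this example’s own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Union

# VLAN name: up to 16 alphabetic characters, so it can never start with a digit.
VLAN_NAME_RE = re.compile(r"^[A-Za-z]{1,16}$")
VlanId = Union[int, str]            # commands accept the VLAN number or its name


@dataclass
class Vlan:
    number: int
    name: str
    # port -> 802.1Q tag (None = untagged). One tag per port, because assigning
    # the same VLAN to one port under different tag values is unsupported.
    ports: dict[int, Optional[int]] = field(default_factory=dict)
    tunnel_affinity: int = 5


class VlanTable:
    """Validating model of set vlan / clear vlan on a WSS's network ports."""

    def __init__(self) -> None:
        self.vlans: dict[int, Vlan] = {1: Vlan(1, "default")}

    def lookup(self, vlan_id: VlanId) -> Vlan:
        if isinstance(vlan_id, int) and vlan_id in self.vlans:
            return self.vlans[vlan_id]
        for vlan in self.vlans.values():
            if vlan.name == vlan_id:
                return vlan
        raise KeyError(f"VLAN {vlan_id!r} is not configured")

    def set_name(self, number: int, name: str) -> list[str]:
        """set vlan vlan-num name name: create or rename; returns advisories."""
        if number not in self.vlans and not 2 <= number <= 4095:
            raise ValueError("new VLAN numbers run from 2 to 4095")
        if not VLAN_NAME_RE.match(name):
            raise ValueError("name must be 1 to 16 alphabetic characters")
        warnings = []
        if name.lower() == "default" and number != 1:
            warnings.append("'default' is already the name of VLAN 1")
        if number == 1:
            warnings.append("renaming the default VLAN is not recommended")
        for other in self.vlans.values():
            if other.number != number and other.name.lower() == name.lower():
                warnings.append(f"{name!r} differs from {other.name!r} only in case")
        if number in self.vlans:
            self.vlans[number].name = name    # the number itself never changes
        else:
            self.vlans[number] = Vlan(number, name)
        return warnings

    def add_port(self, vlan_id: VlanId, port: int, tag: Optional[int] = None,
                 network_port: bool = True) -> None:
        """set vlan vlan-id port port [tag tag-value] for a single port."""
        vlan = self.lookup(vlan_id)          # the VLAN must be named first
        if not network_port:
            raise ValueError("only network ports can be preconfigured in a VLAN")
        if tag is not None and not 1 <= tag <= 4095:
            raise ValueError("tag value must be 1 through 4095")
        if port in vlan.ports and vlan.ports[port] != tag:
            raise ValueError(f"port {port} already carries {vlan.name} with another tag")
        if tag is not None:
            for other in self.vlans.values():
                if other is not vlan and other.ports.get(port) == tag:
                    raise ValueError(f"tag {tag} on port {port} is used by {other.name}")
        vlan.ports[port] = tag               # membership in other VLANs is kept

    def clear(self, vlan_id: VlanId, port: Optional[int] = None,
              tag: Optional[int] = None) -> None:
        """clear vlan vlan-id [port port [tag tag-value]]."""
        vlan = self.lookup(vlan_id)
        if port is None:                     # whole VLAN, with everything using it
            if vlan.number == 1:
                raise ValueError("the default VLAN (VLAN 1) cannot be removed")
            del self.vlans[vlan.number]
            return
        if port not in vlan.ports or (tag is not None and vlan.ports[port] != tag):
            raise KeyError(f"port {port} tag {tag} is not in VLAN {vlan.name}")
        del vlan.ports[port]

    def vlans_of_port(self, port: int) -> dict[str, Optional[int]]:
        """VLAN name -> tag for every VLAN the port belongs to."""
        return {v.name: v.ports[port] for v in self.vlans.values() if port in v.ports}
```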

Changing Tunneling Affinity

To change the tunneling affinity, use the following command:
set vlan vlan-id tunnel-affinity num
Specify a value from 1 through 10. The default is 5.

Displaying VLAN Information

To display VLAN configuration information, use the following command:
show vlan config [vlan-id]
To display information for VLAN burgundy, type the following command:
23x0# show vlan config burgundy
                        Admin   VLAN   Tunl                           Port
VLAN  Name              Status  State  Affin  Port              Tag   State
----  ----------------  ------  -----  -----  ----------------  ----  -----
2     burgundy          Up      Up     5      2                 none  Up
                                              3                 none  Up
                                              4                 none  Up
                                              6                 none  Up
                                              11                none  Up
Note. The display can include AP access ports and wired authentication ports, because WSS Software dynamically adds these ports to a VLAN when handling user traffic for the VLAN.
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)

Managing the Layer 2 Forwarding Database

A WSS switch uses a Layer 2 forwarding database (FDB) to forward traffic within a VLAN. The entries in the forwarding database map MAC addresses to the physical or virtual ports connected to those MAC addresses within a particular VLAN. To forward a packet to another device in a VLAN, the WSS switch searches the forwarding database for the packet’s destination MAC address, then forwards the packet out the port associated with the MAC address.

Types of Forwarding Database Entries

The forwarding database can contain the following types of entries:
• Dynamic—A dynamic entry is a temporary entry that remains in the database only until the entry is no longer used. By default, a dynamic entry ages out if it remains unused for 300 seconds (5 minutes). All dynamic entries are removed if the WSS is powered down or rebooted.
• Static—A static entry does not age out, regardless of how often the entry is used. However, like dynamic entries, static entries are removed if the WSS is powered down or rebooted.
• Permanent—A permanent entry does not age out, regardless of how often the entry is used. In addition, a permanent entry remains in the forwarding database even following a reboot or power cycle.

How Entries Enter the Forwarding Database

An entry enters the forwarding database in one of the following ways:
• Learned from traffic received by the WSS—When the WSS receives a packet, the switch adds the packet’s source MAC address to the forwarding database if the database does not already contain an entry for that MAC address.
• Added by the system administrator—You can add static and permanent unicast entries to the forwarding database. (You cannot add a multicast or broadcast address as a permanent or static forwarding database entry.)
• Added by the WSS itself—For example, the authentication protocols can add entries for wired and wireless authentication users. The WSS also adds any static entries added by the system administrator and saved in the configuration file.

Displaying Forwarding Database Information

You can display the forwarding database size and the entries contained in the database.
Displaying the Size of the Forwarding Database
To display the number of entries contained in the forwarding database, use the following command:
show fdb count {perm | static | dynamic} [vlan vlan-id]
For example, to display the number of dynamic entries that the forwarding database contains, type the following command:
23x0# show fdb count dynamic
Total Matching Entries = 2
Displaying Forwarding Database Entries
To display the entries in the forwarding database, use either of the following commands:
show fdb [mac-addr-wildcard [vlan vlan-id]]
show fdb {perm | static | dynamic | system | all} [port port-list | vlan vlan-id]
The mac-addr-wildcard parameter can be an individual address, or a portion of an address with the asterisk (*) wildcard character representing from 1 to 5 bytes. The wildcard allows the parameter to indicate a list of MAC addresses that match all the characters except the asterisk.
Use a colon between each byte in the address (for example, 11:22:33:aa:bb:cc or 11:22:33:*). You can enter the asterisk (*) at the beginning or end of the address as a wildcard, on any byte boundary.
To display all entries in the forwarding database, type the following command:
23x0# show fdb all
* = Static Entry. + = Permanent Entry. # = System Entry.
VLAN  TAG   Dest MAC/Route Des  [CoS]  Destination Ports [Protocol Type]
----  ----  ------------------  -----  ------------------------------------------
1           00:01:97:13:0b:1f          1 [ALL]
1           aa:bb:cc:dd:ee:ff *        3 [ALL]
1           00:0b:0e:02:76:f5          1 [ALL]
Total Matching FDB Entries Displayed = 3
To display all entries that begin with 00, type the following command:
23x0# show fdb 00:*
* = Static Entry. + = Permanent Entry. # = System Entry.
VLAN  TAG   Dest MAC/Route Des  [CoS]  Destination Ports [Protocol Type]
----  ----  ------------------  -----  ------------------------------------------
1           00:01:97:13:0b:1f          1 [ALL]
1           00:0b:0e:02:76:f5          1 [ALL]
Total Matching FDB Entries Displayed = 2
(For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Software Command Reference.)

Adding an Entry to the Forwarding Database

To add an entry to the forwarding database, use the following command:
set fdb {perm | static} mac-addr port port-list vlan vlan-id [tag tag-value]
To add a permanent entry for MAC address 00:bb:cc:dd:ee:ff on ports 3 and 5 in VLAN blue, type the following command:
23x0# set fdb perm 00:bb:cc:dd:ee:ff port 3,5 vlan blue
success: change accepted.
To add a static entry for MAC address 00:2b:3c:4d:5e:6f on port 1 in the default VLAN, type the following command:
23x0# set fdb static 00:2b:3c:4d:5e:6f port 1 vlan default
success: change accepted.
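The Python model below is an added example, not WSS Software, that covers this section and the forwarding-database sections before it: source learning, static and permanent entries added with set fdb, the 300-second ageing of dynamic entries, what survives a reboot, the rejection of multicast and broadcast addresses, and the mac-addr-wildcard matching of show fdb. The clock is injectable so that ageing can be exercised without waiting; the class and method names are this example’s own.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Optional

DYNAMIC_AGE_SECONDS = 300          # default ageing for unused dynamic entries
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
BYTE_RE = r"[0-9a-f]{2}"


def normalize_mac(mac: str) -> str:
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    return mac


def wildcard_regex(spec: str) -> "re.Pattern[str]":
    """mac-addr-wildcard: a full address, or '*' at the start or end standing for
    1 to 5 whole bytes (for example 11:22:33:* or *:bb:cc); '*' alone matches all."""
    spec = spec.lower()
    if spec == "*":
        return re.compile(r".*")
    if not spec.endswith(":*") and not spec.startswith("*:"):
        return re.compile(re.escape(normalize_mac(spec)))
    at_end = spec.endswith(":*")
    known = (spec[:-2] if at_end else spec[2:]).split(":")
    if not 1 <= 6 - len(known) <= 5 or not all(re.fullmatch(BYTE_RE, b) for b in known):
        raise ValueError(f"bad wildcard {spec!r}")
    fixed, free = ":".join(known), ":".join([BYTE_RE] * (6 - len(known)))
    return re.compile(f"{fixed}:{free}" if at_end else f"{free}:{fixed}")


@dataclass
class FdbEntry:
    mac: str
    vlan: int
    ports: tuple[int, ...]
    kind: str                      # "dynamic", "static" or "perm"
    last_used: float


class ForwardingDatabase:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock         # injectable so ageing can be tested offline
        self.entries: dict[tuple[int, str], FdbEntry] = {}

    def learn(self, vlan: int, src_mac: str, port: int) -> bool:
        """Source learning: add a dynamic entry only if none exists for the MAC."""
        key = (vlan, normalize_mac(src_mac))
        if key in self.entries:
            return False
        self.entries[key] = FdbEntry(key[1], vlan, (port,), "dynamic", self.clock())
        return True

    def add(self, kind: str, mac: str, ports: list[int], vlan: int) -> None:
        """set fdb {perm | static} mac-addr port port-list vlan vlan-id."""
        mac = normalize_mac(mac)
        if kind not in ("perm", "static"):
            raise ValueError("administrator-added entries are perm or static")
        if int(mac[:2], 16) & 1:   # group bit set: multicast or broadcast
            raise ValueError("multicast/broadcast addresses cannot be static or permanent")
        self.entries[(vlan, mac)] = FdbEntry(mac, vlan, tuple(ports), kind, self.clock())

    def lookup(self, vlan: int, dst_mac: str) -> Optional[tuple[int, ...]]:
        """Forwarding decision: destination ports, or None when the MAC is unknown."""
        entry = self.entries.get((vlan, normalize_mac(dst_mac)))
        if entry is None:
            return None
        if entry.kind == "dynamic":
            entry.last_used = self.clock()   # use keeps a dynamic entry alive
        return entry.ports

    def age_out(self) -> int:
        """Remove dynamic entries unused for 300 seconds; returns how many."""
        now = self.clock()
        stale = [k for k, e in self.entries.items()
                 if e.kind == "dynamic" and now - e.last_used >= DYNAMIC_AGE_SECONDS]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def reboot(self) -> None:
        """Power cycle: dynamic and static entries are lost, permanent ones survive."""
        self.entries = {k: e for k, e in self.entries.items() if e.kind == "perm"}

    def show(self, wildcard: str = "*", vlan: Optional[int] = None,
             kind: Optional[str] = None) -> list[FdbEntry]:
        """show fdb [mac-addr-wildcard [vlan vlan-id]] / show fdb {perm|static|dynamic}."""
        pattern = wildcard_regex(wildcard)
        return sorted((e for e in self.entries.values()
                       if pattern.fullmatch(e.mac)
                       and (vlan is None or e.vlan == vlan)
                       and (kind is None or e.kind == kind)),
                      key=lambda e: (e.vlan, e.mac))
```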