Symbol WS5000 Series System Reference Manual

WS5000 Series Switch
System Reference Guide
Copyright
Copyright © 2006 by Symbol Technologies, Inc. All rights reserved.
No part of this publication can be modified or adapted in any way, for any purposes without permission in writing from Symbol. The material in this manual is subject to change without notice.
Symbol reserves the right to make changes to any product to improve reliability, function, or design.
Symbol and the Symbol logo are registered trademarks of Symbol Technologies, Inc.
IBM is a registered trademark of International Business Machines Corporation. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Novell and LAN Workplace are registered trademarks of Novell Inc. Toshiba is a trademark of Toshiba Corporation. All other product names referred to in this guide might be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Patents
This product is covered by one or more of the patents listed on the website: http://www.symbol.com/patents.
Contents
Chapter 1. WS5000 Series Switch Overview
1.1 Key Features
1.1.1 Installation Features
1.1.2 Management Features
1.1.3 Security Features
1.1.4 Networking Features
1.1.5 Access Port Support
1.2 Hardware Overview
1.2.1 Physical Specifications
1.2.1.1 Power Cord Specifications
1.2.1.2 Power Protection
1.2.1.3 Cabling Requirements
1.2.2 System Status LED Codes
1.2.3 10/100/1000 Port Status LED Codes
1.3 Software Overview
1.3.1 Accessing and Configuring the Switch Software
1.3.2 Switch Policies
1.3.3 Access Port Adoption Process
1.3.4 Quality of Service
1.3.4.1 Different Dimensions of QoS
1.3.4.2 Packet Filtering
1.3.4.3 Weighted Fair Queuing (WFQ)
1.3.4.4 QoS via Wi-Fi Multimedia Extension (WME)
1.3.5 Multi-BSSID and ESSID Access Ports
1.3.6 Standby Management
1.3.7 WLAN to VLAN Mapping
1.4 New Features
1.4.1 WME
1.4.2 RF Statistics
1.4.3 GRE Tunnel
1.4.4 Dual DHCP Server
1.4.5 SNMP Trap on Config Change
1.4.6 AP to AP Beacons
1.4.7 DTIM per BSS
1.4.8 WIPS Support
1.4.9 CPU Temperature Monitoring in WS5000
1.4.10 Active Primary Revert
1.4.11 Access Port Ping
1.4.12 Upgrade/Downgrade Process
1.5 Other Features
1.5.1 AP-4131 Port Conversion
1.5.2 Automatic Channel Select
1.5.3 Event Manager
1.5.4 Hot Standby
1.5.5 Integrated Radius/AAA Server
1.5.6 On-Board DHCP
1.5.6.1 Configuring DHCP Server using CLI
1.5.6.2 Viewing DHCP Configurations
1.5.6.3 Importing a dhcpd.conf File
1.5.6.4 DHCP Option 60
1.5.7 On-Board KDC
1.5.8 Rogue AP Detection
1.5.9 Simple Network Management Protocol (SNMP)
1.5.10 WTLS VPN
Chapter 2. Installing the System Image
2.1 Before Installing the Image
2.2 Upgrading the Switch Software to 2.1
2.2.1 Upgrading Using the CLI
2.2.1.1 Upgrading the Switch from 2.0 to 2.1
2.2.1.2 Upgrading the Switch from 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1
2.3 Recovering from Upgrade Errors
2.4 Downgrading from 2.1 to 2.0
2.5 Downgrading from 2.1 to 1.4.3/1.4.2/1.4.1/1.4.0
2.5.1 Running the PreDowngrade Script
2.5.1.1 Executing the Predowngrade Script
2.5.2 Running the Downgrade.exe Script
2.5.3 Downgrading the Image Version
2.5.3.1 Executing the Downgrade Script
Chapter 3. Configuring the WS5000 Series Switch Automatically
3.1 DHCP Auto-install
3.2 Command File
3.3 Command File Description
3.3.1 Event Logging
3.3.2 TFTP Server Settings
3.3.3 General Network Configuration and Standby Management
3.3.4 Kerberos Configuration
3.3.5 SNMP Configuration
3.3.6 Syslog Configuration
3.3.7 CLI Commands
3.3.7.1 Command File Example
3.4 Upgrading Using AutoInstall
3.4.1 Using AutoInstall to Upgrade from 2.0 to 2.1
3.4.2 Using AutoInstall to Upgrade from 1.4.X.X/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1
3.4.3 Using AutoInstall to Upgrade From WS5000 Series Switch Build 49
3.4.3.1 Installing the Patch File Automatically
3.5 Manual Auto-install
Chapter 4. Using the WS5000 Series Switch GUI
4.1 Logging In
4.2 Key Distribution Center
4.2.1 Configuring Master KDC Information
4.2.2 Configuring Slave KDC Information
4.2.2.1 Configuring the KDC Slave
4.2.2.2 Configuring the Master KDC to Recognize the Slave
4.2.3 Creating Kerberos User Accounts
4.2.4 Setting Kerberos Time Synchronization
Chapter 5. Configuring User and Management Authentication
5.1 WS5000 as a RADIUS Client
5.2 Configuring an On-board RADIUS Server
5.2.1 Configuring the Radius Server
5.2.2 Managing Certificates
5.2.2.1 Importing and Installing CA Certificates
5.2.2.2 Uploading Certificates
5.2.2.3 Configuring LDAP Authentication
5.2.2.4 Configuring Clients
5.2.2.5 Configuring the Radius Accounting Server
5.2.3 Configuring Radius Users
5.2.3.1 Adding Groups
5.2.3.2 Deleting Groups
5.2.3.3 Adding Users
5.2.4 Configuring Radius Proxy
5.3 Configuring Management User Authentication
5.3.1 Using External RADIUS Server
5.3.2 Using On-board RADIUS Server
5.3.3 Physical Network Configuration
5.3.4 Configuring WS5000
5.4 LDAP and Certificate Configuration
5.4.1 OpenLdap in Linux
5.4.2 User/Group Configuration with LdapBrowser
5.4.3 ActiveDirectory in Windows server
5.4.3.1 LDAP configuration for accessing Openldap/ActiveDirectory
5.4.4 LDAP Configuration in switch for Active Directory
5.4.5 Certificate Management with Win-2003 server
5.4.5.1 Configuration in MU (client)
5.4.5.2 Signing certificate request from WS5000
5.4.5.3 Installing CA & Server Certificate in WS5k
5.5 Configuring Windows Server 2000
5.5.1 Installing Active Directory
5.5.2 Configuring Active Directory Users
5.5.3 Installing Internet Authentication Service
5.5.4 Configuring Internet Authentication Service
5.5.5 Testing the Configuration
Chapter 6. Configuring Policies
6.1 Configuring Network Policies
6.1.1 Classifiers
6.1.1.1 Creating a Classifier
6.1.2 Classification Groups
6.1.2.1 Creating a Classification Group
6.1.2.2 Modifying a Classification Group
6.1.3 Creating a Network Input Policy
6.1.4 Creating a Network Output Policy
6.1.5 Creating a Network Policy
6.1.5.1 Configuring the Switch from the Default Configuration (Example)
6.1.5.2 GUI Configuration to set up a switch (EXAMPLE)
6.1.6 Modifying a Network Policy
6.2 Switch Policies
6.2.1 Security Policies
6.2.1.1 Creating a Security Policy
6.2.2 Access Control Lists
6.2.2.1 Creating an Access Control List
6.2.2.2 Modifying an Access Control List
6.2.3 WLANs
6.2.3.1 Creating a WLAN
6.2.3.2 Modifying a WLAN
6.2.4 Ethernet Port Policies
6.2.4.1 Creating an Ethernet Port Policy
6.2.4.2 Modifying an Ethernet Port Policy
6.2.4.3 Configuring VLANs
6.2.5 Access Port Policies
6.2.5.1 Creating an Access Port Policy
6.2.5.2 Modifying an Access Port Policy
6.2.6 Setting the Country
6.2.7 Creating a Switch Policy
6.2.8 Defining/Activating an Emergency Switch Policy
Chapter 7. Configuring Rogue AP Detection
7.1 Configuring Rogue AP Detection
7.1.1 Defining the Detection Method
7.1.2 Specifying Detector APs
7.1.3 Configuring Rule Management
7.1.4 Examining Approved and Rogue Access Ports
7.1.5 Viewing Details of the Rogue AP
7.1.6 SNMP Traps for Rogue AP Events
7.1.7 Rogue AP Syslog Messages
Chapter 8. CLI Command Reference
8.1 CLI Overview
8.1.1 About Contexts
8.1.2 CLI Indexing
8.1.3 About Instances
8.1.4 Basic Conventions
8.2 Common Commands
8.2.1 .. or end
8.2.2 exit
8.2.3 ? or help
8.2.4 logout or bye
8.2.5 clear
8.2.6 emergencymode
8.2.7 history
8.2.8 ping
8.3 System Context
8.3.1 ? or help
8.3.2 logout or bye
8.3.3 clear
8.3.4 configure
8.3.5 copy
8.3.6 delete
8.3.7 description
8.3.8 directory
8.3.9 emergencymode
8.3.10 export
8.3.11 history
8.3.12 install
8.3.13 logdir
8.3.14 name
8.3.15 ping
8.3.16 remove
8.3.17 restore
8.3.18 rfping
8.3.19 save
8.3.20 service
8.4 show commands
8.4.1 show aaa-server
8.4.2 show accessports
8.4.3 show acl
8.4.4 show allconfig
8.4.5 show appolicy
8.4.6 show arp
8.4.7 show autoinstalllog
8.4.8 show ce
8.4.9 show cfghistory
8.4.10 show cg
8.4.11 show channelinfo
8.4.12 show chassis
8.4.13 show configaccess
8.4.14 show ethernet
8.4.15 show etherpolicy
8.4.16 show events
8.4.17 show ftp
8.4.18 show history
8.4.19 show host
8.4.20 show https
8.4.21 show interfaces
8.4.22 show kdc
8.4.23 show knownap
8.4.24 show lan
8.4.25 show mu
8.4.26 show musummary
8.4.27 show np
8.4.28 show po
8.4.29 show radius-server
8.4.30 show rfstats
8.4.31 show rfthreshold
8.4.32 show rogueap
8.4.33 show routes
8.4.34 show securitypolicy
8.4.35 show sensor
8.4.36 show snmpclients
8.4.37 show snmpstatus
8.4.38 show ssh
8.4.39 show standby
8.4.40 show switchpolicy
8.4.41 show sysalerts
8.4.42 show syslog
8.4.43 show system
8.4.44 show telnet
8.4.45 show time
8.4.46 show traphosts
8.4.47 show tunnel
8.4.48 show users
8.4.49 show version
8.4.50 show vlan
8.4.51 show vpnsupportstatus
8.4.52 show wlan
8.4.53 show wme
8.4.54 show WSrfstats
8.4.55 show wtls
8.4.56 show wvpn
8.5 Configuration (Cfg) Context
8.5.1 .. or end
8.5.2 exit
8.5.3 ? or help
8.5.4 logout or bye
8.5.5 aaa
8.5.6 accessport
8.5.7 acl
8.5.8 appolicy
8.5.9 banner
8.5.10 ce
8.5.11 cg
8.5.12 chassis
8.5.13 clear. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-52
8.5.14 copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-52
8.5.15 date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-53
8.5.16 delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54
8.5.17 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55
8.5.18 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55
8.5.19 emergencymode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-56
8.5.20 encrypt. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-56
8.5.21 ethernet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-56
8.5.22 etherpolicy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57
8.5.23 events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57
8.5.24 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-59
8.5.25 ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-59
8.5.26 fw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-60
8.5.27 host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-60
8.5.28 install. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-61
8.5.29 kdc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-61
8.5.30 logdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-62
8.5.31 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-62
8.5.32 np. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-63
8.5.33 ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-63
8.5.34 po. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-65
8.5.35 purge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-65
8.5.36 radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-66
8.5.37 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-66
8.5.38 reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-67
8.5.39 restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-67
8.5.40 rougeap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68
8.5.41 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68
8.5.42 runacs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
8.5.43 save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
8.5.44 securitypolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69
8.5.45 sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-70
8.5.46 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-70
8.5.47 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-81
8.5.48 shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-81
8.5.49 snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-82
8.5.50 ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-82
8.5.51 ssl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-83
8.5.52 standby . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-83
8.5.53 switchpolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-84
8.5.54 telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-84
8.5.55 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-85
8.5.56 user. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-85
8.5.57 wlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-85
8.5.58 wme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-86
8.5.59 wvpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-86
8.6 AAA Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-88
8.6.1 acct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-88
8.6.2 client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-89
8.6.3 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-89
8.6.4 eap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-90
8.6.5 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-90
8.6.6 ldap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-90
8.6.7 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-91
8.6.8 proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-91
8.6.9 save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-92
8.6.10 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-92
8.6.11 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-93
8.6.12 userdb. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-93
8.7 AAA Client Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-94
8.7.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-94
8.7.2 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-95
8.7.3 show. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-95
8.8 AAA EAP Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-96
8.8.1 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-96
8.8.2 peap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-97
8.8.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-97
8.8.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-98
8.8.5 ttls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-98
8.9 AAA LDAP Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-100
8.9.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-100
8.9.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-101
8.10 AAA Policy Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-103
8.10.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-103
8.10.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-103
8.10.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-104
8.10.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-105
8.11 AAA Proxy Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-106
8.11.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-106
8.11.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-107
8.11.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-107
8.11.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-108
8.12 AAA User Database Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-109
8.12.1 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-109
8.12.2 user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-110
8.13 AAA User Database - Group Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-111
8.13.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-111
8.13.2 adduser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-112
8.13.3 group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-112
8.13.4 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-113
8.13.5 remuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-113
8.14 AAA User Database - User Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-114
8.14.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-114
8.14.2 adduser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-115
8.14.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-115
8.14.4 remuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-115
8.14.5 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-116
8.14.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-116
8.15 Access Port (APort) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-118
8.15.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-118
8.15.2 port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-119
8.15.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-120
8.15.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-121
8.16 Access Port Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-123
8.16.1 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-123
8.16.2 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-123
8.16.3 reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-124
8.16.4 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-124
8.16.5 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-127
8.17 Access Control List (ACL) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-129
8.17.1 acl. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-129
8.17.2 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-130
8.17.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-130
8.17.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-131
8.18 ACL Instance Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-132
8.18.1 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-132
8.18.2 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-132
8.18.2.1 set name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-133
8.18.2.2 set addItem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-133
8.18.2.3 set remItem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-134
8.18.2.4 set editItem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-134
8.18.2.5 set defaultAction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-134
8.18.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-135
8.19 Access Port Policy (APPolicy) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-136
8.19.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-136
8.19.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-137
8.19.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-138
8.19.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-138
8.20 Access Port Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-139
8.20.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-139
8.20.2 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-140
8.20.3 map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-141
8.20.4 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-141
8.20.5 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-142
8.20.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-142
8.20.7 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-143
8.20.7.1 set basicRates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-144
8.20.7.2 set beacon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-145
8.20.7.3 set dTim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-145
8.20.7.4 set nonSpectrumMgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-146
8.20.7.5 set np . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-147
8.20.7.6 set preamble . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-147
8.20.7.7 set rtsThreshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-147
8.20.7.8 set supportedRates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-148
8.20.7.9 set wmm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-149
8.21 Access Port Map Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-150
8.21.1 select . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-151
8.21.2 set bss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-152
8.21.3 set bw. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-152
8.21.4 set primaryWLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-153
8.21.5 unselect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-153
8.21.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-154
8.22 Classifier Context (CE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-155
8.22.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-155
8.22.2 ce. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-156
8.22.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-156
8.22.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-157
8.23 Classifier Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-158
8.23.1 addMC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-158
8.23.2 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-160
8.23.3 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-160
8.23.4 removeMC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-161
8.23.5 setMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-161
8.23.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-162
8.24 Classification Group (CG) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-163
8.24.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-163
8.24.2 cg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-164
8.24.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-164
8.24.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-165
8.25 Classification Group Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-166
8.25.1 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-166
8.25.2 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-167
8.25.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-167
8.25.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-168
8.26 Chassis Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-170
8.26.1 set notify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-170
8.26.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-171
8.27 Ethernet Port Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-172
8.27.1 port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-172
8.27.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-173
8.28 Ethernet Port Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-174
8.28.1 ipAddress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-174
8.28.2 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-175
8.28.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-177
8.29 Ethernet Policy (EtherPolicy) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-178
8.29.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-178
8.29.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-179
8.29.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-179
8.29.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-179
8.30 Ethernet Policy Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-181
8.30.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-181
8.30.2 add tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-182
8.30.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-182
8.30.4 remove tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-183
8.30.5 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-183
8.30.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-184
8.30.7 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-185
8.30.8 vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-185
8.31 Event Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-186
8.31.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-186
8.31.2 syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-187
8.31.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-187
8.32 Syslog Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-189
8.32.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-189
8.32.2 local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-190
8.32.3 logdir. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-190
8.32.4 logsubsys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-191
8.32.5 ping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-192
8.32.6 purgelocal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-192
8.32.7 remlocal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-193
8.32.8 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-193
8.32.9 save local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-194
8.32.10 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-194
8.32.11 show. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-196
8.32.12 start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-196
8.32.13 stop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-197
8.33 FTP Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-198
8.33.1 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-198
8.33.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-198
8.33.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-199
8.34 FW (Firewall) Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-200
8.34.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-200
8.34.2 addnat. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-201
8.34.3 addnp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-202
8.34.4 addpf. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-203
8.34.5 lan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-204
8.34.6 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-204
8.34.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-205
8.35 FW Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-207
8.35.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-207
8.35.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-208
8.36 Host Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-209
8.36.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-209
8.36.2 host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-210
8.36.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-210
8.36.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-210
8.37 Host Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-212
Page 16
8.37.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-212
8.37.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-213
8.38 KDC Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-214
8.38.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-214
8.38.2 authenticate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-215
8.38.3 dump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-216
8.38.4 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-216
8.38.5 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-217
8.38.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-219
8.38.7 synchronize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-221
8.39 Network Policy (NP) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-222
8.39.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-222
8.39.2 np. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-223
8.39.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-223
8.39.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-224
8.40 Network Policy Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-225
8.40.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-225
8.40.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-226
8.41 Policy Object (PO) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-228
8.41.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-228
8.41.2 po. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-229
8.41.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-230
8.41.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-230
8.42 Policy Object Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-232
8.42.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-232
8.42.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-234
8.43 Radius Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-235
8.43.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-235
8.43.1.1 set authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-235
8.43.1.2 set primary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-236
8.43.1.3 set secondary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-236
8.43.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-237
8.44 Rogueap Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-239
8.44.1 approvedlist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-239
8.44.2 detectorap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-240
8.44.3 roguelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-240
8.44.4 rulelist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-240
8.44.5 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-241
8.44.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-242
8.45 Security Policy Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-243
8.45.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-243
8.45.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-244
8.45.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-244
Page 17
8.45.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-245
8.46 Security Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-246
8.46.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-247
8.46.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-251
8.47 Sensor Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-252
8.47.1 convert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-252
8.47.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-253
8.47.3 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-253
8.47.4 revert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-253
8.47.5 sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-254
8.47.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-254
8.48 Sensor Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-256
8.48.1 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-256
8.48.2 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-256
8.48.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-257
8.49 SNMP Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-258
8.49.1 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-258
8.49.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-259
8.49.3 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-259
8.49.4 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-260
8.49.4.1 set kdcconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-260
8.49.4.2 set snmptrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-260
8.49.4.3 set traphost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-261
8.49.5 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-262
8.49.6 v2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-263
8.49.7 v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-263
8.50 v2 Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-264
8.50.1 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-264
8.50.2 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-265
8.50.2.1 set client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-265
8.50.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-265
8.51 v3 Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-267
8.51.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-267
8.51.1.1 set profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-267
8.51.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-268
8.52 SSH (Secure Shell) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-269
8.52.1 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-269
8.52.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-270
8.53 SSL (Secure Socket Layer) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-271
8.53.1 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-271
8.53.2 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-271
8.53.3 revert certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-272
8.53.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-272
Page 18
8.54 Standby Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-273
8.54.1 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-274
8.54.2 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-274
8.54.3 set autorevert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-274
8.54.4 set arDelay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-275
8.54.5 set heartbeat. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-275
8.54.6 set mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-275
8.54.7 set mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-276
8.54.8 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-276
8.55 Switch Policy (SPolicy) Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-278
8.55.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-278
8.55.2 policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-279
8.55.3 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-280
8.55.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-280
8.56 Switch Policy Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-283
8.56.1 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-283
8.56.2 edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-284
8.56.3 name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-284
8.56.4 restrictedchannel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-285
8.56.5 set adoptionList. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-285
8.56.6 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-286
8.56.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-287
8.57 Restricted Channel Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-289
8.57.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-289
8.57.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-290
8.57.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-290
8.58 Telnet Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-291
8.58.1 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-291
8.58.2 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-292
8.58.3 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-292
8.58.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-293
8.59 Tunnel Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-294
8.59.1 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-294
8.59.2 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-295
8.60 Tunnel Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-296
8.60.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-296
8.60.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-297
8.61 User Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-298
8.61.2 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-299
8.61.3 user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-300
8.61.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-300
8.62 User Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-302
8.62.2 deny. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-303
Page 19
8.62.3 password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-303
8.62.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-304
8.63 WLAN Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-305
8.63.2 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-306
8.63.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-307
8.63.4 wlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-307
8.64 WLAN Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-309
8.64.1 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-309
8.64.2 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-310
8.64.3 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-310
8.64.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-311
8.65 WME Context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-312
8.65.2 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-314
8.65.3 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-314
8.65.4 wme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-314
8.66 WME Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-316
8.66.1 description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-316
8.66.2 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-317
8.66.3 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-317
8.66.4 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-318
8.67 WVPN Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-319
8.67.1 auth. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-319
8.67.2 cert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-320
8.67.3 ddns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-321
8.67.4 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-321
8.67.5 disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-322
8.67.6 enable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-322
8.67.7 ip_pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-323
8.67.8 rt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-323
8.67.9 set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-324
8.67.10 show. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-324
8.67.11 wtls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-326
8.68 cert Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-327
8.68.1 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-327
8.68.2 dump cert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-328
8.68.3 import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-328
8.68.4 purge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-329
8.68.5 remove . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-329
8.68.6 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-330
8.68.7 tftpImport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-330
8.69 ddns Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-332
8.69.1 add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-332
8.69.2 clearClientDns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-333
Page 20
8.69.3 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-334
8.69.4 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-334
8.69.5 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-335
8.69.6 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-336
8.69.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-336
8.69.8 updateClientDns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-337
8.70 ip pools Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-338
8.70.1 add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-338
8.70.2 disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-339
8.70.3 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-339
8.70.4 ip_pools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-340
8.70.5 remove. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-341
8.70.6 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-342
8.70.7 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-342
8.71 rt Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-344
8.71.1 Kill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-344
8.71.2 Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-345
8.72 wtls Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-347
8.72.1 set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-347
8.72.2 show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-348
Chapter 9. Service Mode CLI
9.1 CLI Service Mode Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
9.1.1 Logging into the Service Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.1.2 Basic Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.2 SM-WS5000> Command Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
9.2.1 ? or help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
9.2.2 logout or bye . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
9.2.3 exit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
9.2.4 capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
9.2.5 cleanapdbglog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.2.6 clear. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.2.7 configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
9.2.8 copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
9.2.9 debug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
9.2.10 delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
9.2.11 description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
9.2.12 diag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
9.2.13 directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12
9.2.14 emergencymode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
9.2.15 enablecclog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
9.2.16 execute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13
9.2.17 export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14
Page 21
9.2.18 ftpPasswd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14
9.2.19 getcclogfile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15
9.2.20 install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15
9.2.21 launch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16
9.2.22 ledcolor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
9.2.23 logdir. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
9.2.24 name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
9.2.25 password
9.2.26 ping
9.2.27 remove
9.2.28 restore
9.2.29 rfping
9.2.30 save
9.2.31 setThresholds
9.2.32 shell
9.2.33 show
9.2.34 showAPFirmware
9.2.35 showBuildInfo
9.2.36 showDiskUsage
9.2.37 showHardwareInfo
9.2.38 showMemUsage
9.2.39 showThresholds
9.2.40 watchdogtimer
9.2.41 wvpnctl
9.3 Diagnosing problems in WS5000/WS5100 Switch
9.3.1 Diagnose User
9.3.2 Finding whether a particular process is running or not
9.3.3 Encrypt, Launch and Execute commands of Service mode CLI
9.3.3.1 encrypt Command
9.3.3.2 launch Command
9.3.4 execute Command
Chapter 10. Antennas and Power
Chapter 11. Converting AP-4131 Access Points to RF Ports
11.1 AP-4131 Features in the WS5000 Series Switch
11.1.1 AP-4131 Port Adoption
11.1.2 AP-4131 Radio Configuration
11.1.3 Multiple BSS and ESS Support
11.1.4 Rate Scaling
11.1.5 AP-4131 Features Unavailable after Conversion
11.2 Converting AP-4131 to Access Ports
11.2.1 Updating the Access Point Firmware Using the TFTP Program
11.2.2 Updating the Access Point Firmware Using the XMODEM
11.2.3 Adding an Access Port
11.2.4 Mapping BSS and ESS IDs
11.3 Reverting to Access Point Functionality
11.4 WS5000 Switch Applet Behavior
Chapter 12. Configuring the WS5100 WTLS VPN
12.1 Onboard DHCP
12.2 On Board VPN server
12.2.1 DHCP Relay and VPN
12.2.2 Dynamic DNS
12.2.3 Certificates
12.2.3.1 PKI and PKCS12 Certificates
12.2.4 WVPN Authentication
12.2.4.1 Simple Authentication
12.2.4.2 RADIUS Authentication
12.2.4.3 IP Pool configuration
12.2.4.4 Certificate configuration
12.2.4.5 VPN Session License
12.2.5 AES versus 3DES
12.2.6 Wireless Transport Layer Security (WTLS)
12.2.6.1 WTLS versus IPSec
12.2.6.2 WTLS configuration
12.3 VPN Session Setup
12.3.1 Switch Setup
12.3.2 WVPN Setup
12.3.3 Starting VPN Service
12.3.4 Client Setup
12.3.4.1 Installing Certificates
12.3.5 Testing VPN Session Setup
12.3.6 Troubleshooting
12.4 Firewall
12.5 Network Address Translation (NAT)
12.5.1 Twice NAT Commands
Chapter 13. Neighboring APs
13.1 ccPortalBeaconRptTable
13.2 ccMuProbeRptTable
13.3 Management Interface
Chapter 14. Enhanced RF Statistics
14.1 ccApTable
14.2 ccPortal
14.2.1 ccPortalTable
14.2.2 ccPortalLast Mac
14.2.3 ccPortalLastReason
14.2.4 ccPortalSystemStatsTable
14.2.5 ccPortalStatsTable
14.2.6 ccPortalRxPktsTable
14.2.7 ccPortalTxPktsTable
14.2.8 ccPortalRxOctetsTable
14.2.9 ccPortalTxOctetsTable
14.2.10 ccPortalTxRetriesPktsTable
14.2.11 ccPortalTxRetriesOctetsTable
14.2.12 ccPortalSigStatsTable
14.2.13 ccPortalSumStatsShortTable
14.2.14 ccPortalSumStatsLongTable
14.3 ccMus
14.3.1 ccMuInfoTable
14.3.2 ccMuStatsTable
14.3.3 ccMuRxPktsTable
14.3.4 ccMuTxPktsTable
14.3.5 ccMuRxOctetsTable
14.3.6 ccMuTxOctetsTable
14.3.7 ccMuTxRetriesTable
14.4 ccMuRfSum
14.4.1 ccMuTxRetriesOctetsTable
14.4.2 ccMuSigStatsTable
14.4.3 ccMuSumStatsShortTable
14.4.4 ccMuSumStatsLongTable
14.5 RF-Traps
14.6 Explanation of Enhanced RF Statistics
14.6.1 A Sample Usage Example
14.6.1.1 Watching min, max, or average is not enough
14.6.1.2 Who calculates Standard Deviation?
14.6.1.3 How is Standard Deviation calculated from running sums?
Chapter 15. AP-300 Sensor Conversion
15.1 Overview
15.1.1 Sensor Implementation
15.2 Functionality
15.2.1 Sensor Discovery
15.2.2 Sensor Configuration
15.2.3 Sensor Revert
15.3 GUI and CLI Interface
15.3.1 Converting an AP300 into a Sensor
15.3.2 Converting a Sensor into an AP300
Chapter 16. Syslog and Traps
16.1 List of Traps and Syslog Messages
Chapter 17. DDNS
17.1 Update Mechanism
Appendix A. DOM Firmware Upgrade
Appendix B. DTIM Interval per BSS
Appendix C. AP300 LED Codes
Appendix D. Customer Support
About this Guide
This preface introduces the WS5000 Series Switch System Reference Guide and contains the following sections:
• Who Should Use this Guide
• How to Use this Guide
• Conventions Used in this Guide
• Service Information
Who Should Use this Guide
The WS5000 Series Switch System Reference Guide is intended for system administrators responsible for implementing, configuring, and maintaining the WS5000 Series Switch within the wireless local area network. It also serves as a reference for configuring and modifying the most common system settings. The administrator should be familiar with wireless technologies, network concepts, and Ethernet concepts, as well as IP addressing and SNMP concepts.
How to Use this Guide
This guide will help you implement, configure, and administer the WS5000 Series Switch and associated network elements. This guide is organized into the following sections:
Table 1 Quick Reference on How This Guide Is Organized
Chapter | Jump to this section if you want to...
Chapter 1, “WS5000 Series Switch Overview” | Review the overall feature set of the WS5000 Series Switch, as well as the many configuration options available.
Chapter 2, “Installing the System Image” | Install the System Image. This includes uploading the system image to a TFTP server, deleting prior configuration or system files, saving a backup version of the existing configuration, uploading the system image file, and restoring the site configuration file.
Chapter 3, “Configuring the WS5000 Series Switch Automatically” | Review details about the Command File, its syntax, options, specific settings, and an example.
Chapter 4, “Using the WS5000 Series Switch GUI” | Learn about working within the WS5000 Series Switch GUI to perform most daily administration tasks for the switch and its associated devices.
Chapter 5, “Configuring User and Management Authentication” | Configure the Radius server (for both User and Management authentication).
Chapter 6, “Configuring Policies” | Configure network policies and switch policies.
Chapter 7, “Configuring Rogue AP Detection” | Configure rogue access port (an access port in the network that is not valid and might be unsafe) detection.
Chapter 8, “CLI Command Reference” | Review the CLI command reference for all configuration command details, for when the administrator will use the CLI interface instead of the GUI interface.
Chapter 9, “Service Mode CLI” | Review the CLI command reference for all the service mode command details for use in debugging and problem resolution while troubleshooting the WS5000 Series Switch configuration.
Chapter 10, “Antennas and Power” | Review antenna and power settings for numerous field installation demographics.
Chapter 11, “Converting AP-4131 Access Points to RF Ports” | Convert the AP-4131 access point to WS5000 RF ports.
Chapter 12, “Configuring the WS5100 WTLS VPN” | Configure WS5100 WTLS VPN.
Chapter 13, “Neighboring APs” | Configure AP to AP beacon using SNMP.
Chapter 14, “Enhanced RF Statistics” | Learn about RF Stats configuration.
Chapter 15, “AP-300 Sensor Conversion” | Learn about the concepts and functionality of AP300 Sensor conversion.
Chapter 16, “Syslog and Traps” | See all the syslog and traps generated by WS5000 2.1.
Chapter 17, “DDNS” | Learn about the DDNS updateall mechanism.
Appendix A, “DOM Firmware Upgrade” | Learn about the new DOM firmware upgrade implemented in this release.
Appendix B, “DTIM Interval per BSS” | Learn about the new DTIM interval per BSS implemented in this release.
Appendix C, “AP300 LED Codes” | Learn about the AP300’s LED color code functionality.
Appendix D, “Customer Support” | Contact the customer support department for any queries.
Conventions Used in this Guide
This section describes the following topics:
• Annotated Symbols
• Notational Conventions
Annotated Symbols
Note This symbol signals recommended behavior or reference information that might be important to consider. It may include tips or special requirements.
IMPORTANT! THIS SYMBOL SIGNALS INFORMATION ABOUT A PROCESS OR CONDITION THAT COULD CAUSE DAMAGE TO EQUIPMENT, INTERRUPTION OF SERVICE, OR LOSS OF DATA.
Warning! This symbol indicates information about conditions that could cause bodily injury. Before working on any equipment, be aware of physical and electrical hazards and follow practices for preventing accidents.
Notational Conventions
The following notational conventions are used in this document:
• Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents.
• Bullets (•) indicate:
  • action items
  • lists of alternatives
  • lists of required steps that are not necessarily sequential
• Sequential lists (those describing step-by-step procedures) appear as numbered lists.
Service Information
If a problem is encountered with the WS5000 Series Switch, contact Symbol Customer Support. See Symbol’s Web site (http://www.symbol.com/services/online_support/online_support.html) for Symbol Customer Support contact information and policies.
Note Before calling Symbol Customer Support, have the model number and serial number for the WS5000 Series Switch on hand.
If the problem cannot be solved over the phone, you may need to return your equipment for servicing. If that is necessary, you will be given specific directions.
Symbol Technologies is not responsible for any damages incurred during shipment if the approved shipping container is not used. Shipping the units improperly can possibly void the warranty. If the original shipping container was not kept, contact Symbol to have another sent to you.
WS5000 Series Switch Overview
The WS5000 Series Switch provides a centralized management solution for wireless networking components across the wired network infrastructure. Unlike traditional wireless network infrastructures that reside at the edge of a network, the switch uses centralized, policy-based management for all devices on the wireless network.
The switch connects to the network through the Ethernet and a Layer 2 switch or hub. The access ports are connected to a POE-enabled hub which is connected to a Layer 2 switch or hub on the network.
The switch functions as the center of the wireless network. The access ports function as radio antennas for data traffic management and routing. All of the system configuration and intelligence for the wireless network resides in the switch.
The switch uses access ports to bridge data from the associated wireless devices to the wireless switch. The wireless switch applies policies to the data packets before routing them to their destinations. Data packets destined for devices on the wired network are processed by the switch where appropriate policies are applied before they are encapsulated and sent to their destination.
Access port configuration is managed by the switch through the Graphical User Interface (GUI) or the Command Line Interface (CLI). A WS5000 Series Switch streamlines management of a large wireless system and allows for network management features such as Quality of Service (QoS), virtual WLANs and packet forwarding.
1.1 Key Features
WS5000 Series Switch includes a robust set of features. These features are briefly listed and described in the following sections:
• Installation Features
• Management Features
• Security Features
• Networking Features
• Access Port Support
1.1.1 Installation Features
A WS5000 Series Switch includes the following installation features:
• Single file upgrade
• Automatic installation and configuration of local or remote wireless switches using a command file
• Automatic discovery and adoption of access ports
• Upgrade/downgrade using auto-install script
1.1.2 Management Features
WS5000 Series Switch includes the following management features:
• Policy-based centralized management
• Secure browser-based management console
• Command Line Interface (CLI) is accessible via a Telnet session, through the serial port, or through a secure shell (SSH) application
• CLI service mode enables the capture of system status information that can be sent to Symbol personnel for use in problem resolution
• “Emergency override” enables the definition of an Emergency Switch Policy that can be activated when required without system interruption
• Kerberos principal file can update the wireless switch’s internal KDC
• Support for Simple Network Management Protocol (SNMP) version 3 as well as SNMP version 2 (including SNMP version 1 support)
• TFTP upload and download of access port firmware and configuration files
• Each access port can support multiple WLANs (with the exception being FH APs)
• System redundancy with auto-revert
• CPU temperature and fan monitoring
• IP-Redirect VoIP
• Multicast support
• DFS/TPC jumbo packet
• Support for Proxy ARP statistics applet operation with Sun JRE
• Service mode features
The WS5000 Series Switch GUI applet only supports Sun Java Runtime Environment (JRE) including the Sun Java Virtual Machine (JVM). Support for the Microsoft Virtual Machine is discontinued with the 1.4 release and WS5000 Series Switch. This is an extension of the JRE support changes implemented in 1.4. The Sun JRE version support on Windows platforms is JRE 1.4.2_06 or greater. JRE 5.0 Update 2 is recommended.
1.1.3 Security Features
A WS5000 Series Switch includes the following security features:
• On-board Radius server
• Rogue AP detection
• VPN functionality with an integrated DHCP server, firewall, Twice NAT, and integrated VPN server
• Remote administrator login authentication via external Radius server
• MAC address-based access control list
• WEP 40/128
• KeyGuard Mobile Computing Mode (MCM) support (Symbol’s TKIP encryption implementation based on the 802.11i standard)
• Wi-Fi Protected Access (WPA) support with Temporal Key Integrity Protocol (TKIP)
• Optional broadcast key rotation support, which improves broadcast traffic security
• On-board Kerberos Key Distribution Center (KDC) v5 on WNMP
• EAP/TLS on 802.1x
• VLAN segregation
• No serial interface on the access ports to prevent tampering
• Multiple ESSID/BSSID for AP 100, AP-4121 and AP-4131 access point conversions
• Secure beacon
• Mobile unit to mobile unit disallow or drop
• PSP support for mobile units
• Proxy ARP
• AES WPAII
• Short preamble support
• Load balancing
• International roaming
• Power over Ethernet capability
• 802.1Q functionality and interoperability
• Report to cell controller tuning
• Mobile unit roaming between RF ports
• RF port adoption
• 802.1p support
1.1.4 Networking Features
A WS5000 Series Switch includes the following networking features:
• Quality of service (QoS) support, including:
• 802.1p support
• DiffServ (advanced TOS)
• Multiple Tx power settings
• Bandwidth allocation
• Congestion management
• Customizable classifiers and classification groups (packet filters)
• Support for VLANs and virtual WLANs
• IP redirection
• Ethernet load balancing
• DHCP option 60 support
• Layer 2 filtering
• Layer 3 filtering
• Multiple WLAN
1.1.5 Access Port Support
Access ports work on any VLAN with connectivity to the wireless switch. The WS5000 Series Switch supports the following access ports:
• AP 100 (supports 802.11b)
• AP 300 (supports 802.11a/b/g)
• Access points converted to access ports, including:
  • AP 4131
  • AP 4121
  • AP-3020, AP-3021
1.2 Hardware Overview
A WS5000 Series Switch contains two types of hardware: a wireless switch and a set of access ports.
The wireless switch is a rack-mountable device that manages all inbound and outbound traffic on the wireless network. It provides security, network services, and system management applications.
Unlike traditional wireless infrastructure devices that reside at the edge of a network, the WS5000 Series Switch uses centralized, policy-based management to apply sets of rules or actions to all devices on the wireless network. It collects management “intelligence” from individual access points and moves the collected information into the centralized wireless switch. Then, it replaces the access points with “dumb” radio antennas called access ports.
Access ports (APs) are 48V power-over-Ethernet devices that are connected to the WS5000 Series Switch by an Ethernet cable. An access port receives 802.11x data from mobile units and forwards this data to the switch, which applies the appropriate policies and routes the packets to their destinations. Depending on the model, an AP can support as many as 16 WLANs.
Access ports do not have software or firmware upon initial receipt from the factory. When the access port is first powered on and cleared for the network, the wireless switch initializes the access port and installs a small firmware file automatically. Therefore, installation and upgrades of firmware are automatic and transparent.
1.2.1 Physical Specifications
The physical dimensions and operating parameters for the WS5000 Series Switch are:
Width | 48.1 cm / 18.93 in. (with mounting brackets); 42.9 cm / 16.89 in. (without mounting brackets)
Height | 4.39 cm / 1.73 in.
Depth | 40.46 cm / 15.93 in.
Weight | 6.25 kg / 13.75 lbs.
Max Power Consumption | 100 VAC, 50/60 Hz, 3A; 240 VAC, 50/60 Hz, 1.5A
Operating Temperature | 10°C - 35°C / 50°F - 95°F
Operating Humidity | 5% - 85% without condensation
1.2.1.1 Power Cord Specifications
A power cord is not supplied with the device. Use only a correctly rated power cord certified for the country of operation.
1.2.1.2 Power Protection
To best protect the WS5000 series switch from unexpected power surges or other power-related problems, ensure the system installation meets the following power protection guidelines:
• If possible, use a circuit that is dedicated to data processing equipment. Commercial electrical contractors are familiar with wiring for data processing equipment and can help with the load balancing of these circuits.
• Install surge protection. Use a surge protection device between the electricity source and the WS5000 Series Switch.
• Install an Uninterruptible Power Supply (UPS). A UPS provides continuous power during a power outage. Some UPS devices have integral surge protection. UPS equipment requires periodic maintenance to ensure reliability. A UPS of the proper capacity for the data processing equipment must be purchased.
1.2.1.3 Cabling Requirements
Two Category 6 Ethernet cables (not supplied) are required to connect the switch to the LAN and the WLAN. The cables are used with the two Ethernet ports on the front panel of the device.
The console cable shipped with the switch is used to connect the switch to a computer running a serial terminal emulator program to access the switch’s Command Line Interface (CLI) for initial configuration. Initial configuration steps are described in the WS5000 Series Switch Installation Guide.
1.2.2 System Status LED Codes
A WS5000 Series Switch has two LEDs on the front panel, adjacent to the RJ45 ports. The System Status LEDs display three colors (blue, amber, or red) and three “lit” states (solid, blinking, or off). Table 1.1 decodes the combinations of LED colors and states.
Table 1.1 System Status LED Codes
Event | Top LED | Bottom LED
System Start Up LED Codes
Power off | Off | Off
Power On Self Test (POST) running | All colors in rotation | All colors in rotation
POST succeeded | Blue solid | Blue solid
Software initializing | Blue solid | Off
Software initialized | Blue blinking | Off
Configured as a Primary Switch
Active | Blue blinking | Blue solid
Monitoring | Blue blinking | Amber solid
Standby missing or not enabled | Blue blinking | Off
Inactive | Amber blinking | Blue blinking
Configured as a Standby Switch
Active (acting as primary) | Blue blinking | Blue blinking
Monitoring | Blue blinking | Amber solid
Standby not enabled | Blue blinking | Off
Inactive | Amber blinking | Amber blinking
Error Codes
POST failed (critical error) | Red blinking | Red blinking
Software initialization failed | Amber solid | Off
Country code not configured (a) | Amber solid | Amber blinking
No access ports have been adopted | Blue blinking | Amber blinking
Primary inactive or failed | Amber blinking | Blue blinking
a. During first time setup, the LEDs will remain in this state until the country code is configured.
1.2.3 10/100/1000 Port Status LED Codes
A WS5000 Series Switch includes two indicators for the RJ-45 ports:
• Upper left (amber/green) for link rate
• Upper right (green) for link activity
Table 1.2 provides additional information about the status of the 10/100/1000 Port Status LED codes.
Table 1.2 10/100/1000 Port Status LED Codes
LED | State | Meaning
Upper left | Off | 10 Mbps link rate
Upper left | Green steady | 100 Mbps link rate
Upper left | Amber steady | 1 Gigabit link rate
Upper right | Off | The port isn’t linked
Upper right | Green steady | The port is linked
Upper right | Green blinking | The port is linked and active
1.3 Software Overview
This section provides an overview of the WS5000 Series Switch software and features. It contains:
• 1.3.1 Accessing and Configuring the Switch Software
• 1.3.2 Switch Policies
• 1.3.3 Access Port Adoption Process
• 1.3.4 Quality of Service
• 1.3.5 Multi-BSSID and ESSID Access Ports
• 1.3.6 Standby Management
• 1.3.7 WLAN to VLAN Mapping
1.3.1 Accessing and Configuring the Switch Software
To access and configure the WS5000 Series Switch administration controls and options, the administrator can access a CLI through a Telnet session, or log into a Web-based graphical user interface.
The CLI is accessible via Telnet, through the console port on the front of the wireless switch, or through an SSH application (which enables protected access to the switch over the CLI). All configuration and management functions can be performed through the CLI.
The Web-based graphical user interface (GUI) can be accessed securely from any Web browser on the network. The GUI provides tools to configure and maintain the wireless system. It also provides real-time graphs for displaying system load and traffic on the wireless network.
1.3.2 Switch Policies
A WS5000 Series Switch uses a set of rules, or “policies,” to configure the wireless LAN (WLAN), the access ports that it adopts, and to integrate the wired LANs and VLANs. The policy-based management architecture lets a network administrator create a class of service (CoS) by defining network access, type of WLAN security, and quality of service (QoS) for a group of users.
Figure 1.1 displays the WS5000 Series Switch principal policies. The following section describes these policies:
• Switch Policy – Acts as a container for all the other policies. It also contains an adoption list, which controls the types of access ports (APs) that can be adopted.
• Ethernet Port Policy – Configures the switch’s Ethernet ports, and associates multiple WLANs with multiple LANs or VLANs. There are two Ethernet ports on WS5000 Series Switches. By convention, port 1 (the left port) connects to the wireless LAN, and port 2 (the right port) connects to the wired LAN.
• Access Port Policy – Defines access port configuration details such as an AP’s beacon interval, RTS threshold, and its set of supported data rates. The AP policy is also responsible for adding WLANs to the AP and for attaching a security policy, access control list, and network policy (or packet filter) to each AP.
• WLAN Policy – Defines attributes (such as ESS ID, beacon rate, DTIM interval) applied to mobile units on a portion of the wireless LAN.
• Security Policy – Defines the authentication and encryption methods used to secure communication between the WS5000 Series Switch and the mobile units through the APs. Each WLAN can have a different security policy associated with it.
• Network Policy – Filters and prioritizes packets as they are sent across the wireless network. It can reject packets completely. Use the network policy to implement QoS and types of service (ToS) protocols.
Figure 1.1 Principal Policies of a WS5000 Series Switch
1.3.3 Access Port Adoption Process
The process in which the WS5000 Series Switch takes on an 802.11 access port and configures it is called adoption. It includes configuring adoption lists, loading the firmware image on the access port, and configuring the access port radios according to the switch policy.
The adoption process works as follows:
1. The access port sends a packet to the wireless switch to provide a way for the switch to declare its intention to adopt.
2. If the switch can adopt the access port, it replies with a message indicating its intention to adopt.
3. After the access port receives the message, it requests a firmware image download.
4. After the firmware image downloads, the access port sends a configuration request packet from the MAC address of each of its radios. The configuration request informs the switch of the radio capabilities, including the radio MAC address, radio type, radio serial number, and whether the radio is equipped with an internal or external antenna.
5. The switch checks the adoption list for policies and configures the radios accordingly. The power, channel (or if Automatic Channel Selection is enabled—a set of legal channels), BSS IDs, ESSIDs, and data rates are configured.
1.3.4 Quality of Service
QoS is used to give a user or an application relative precedence or priority over another. QoS applies in the case of congestion that may occur from excessive traffic or different data rates and link speeds—10 Mbps Ethernet, 100 Mbps Ethernet, 11 Mbps Wireless, and so on—that exist in the same network.
If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value. When total bandwidth is shared by different users and applications, QoS is required to provide policy enforcement for mission-critical applications and/or users that have critical bandwidth requirements.
1.3.4.1 Different Dimensions of QoS
Different methods of QoS are applied for distinction between users and applications. The two main categories are:
• QoS via Queuing – A network shared by different users, such as in a revenue-based, shared office building or a public hotspot, is implemented with Service Level Agreements (SLA) based on how much each group of users pays for bandwidth. In this case, one or all points of aggregation, such as the switch and some high-end routers or policy managers, can allocate different percentages of the total bandwidth to different groups of users through the use of queues. Bandwidth allocation can also be further divided and applied to different applications, again using queues.
• Application QoS via Packet Marking – A network or a portion of the allocated bandwidth can be shared by different applications. Voice communication (for example) can be more latency-sensitive or more mission-critical than other applications. In this case, a priority is assigned to the traffic by adding the appropriate QoS marking or tags to network traffic to provide higher precedence while the data is passed through points of aggregation (routers, switches, and gateways) and the medium of transfer. Packet marking provides configurable upstream devices and helps QoS end-to-end.
1.3.4.2 Packet Filtering
Packet filtering allows or discards packets matching certain criteria defined by Classification Groups (CG) on an output packet port. Classification groups on an output port are defined with allow decisions, discard decisions or a combination of both. A CG defined with an allow condition is associated with a priority number in the range of 0 – 7, seven being the highest priority. Table 1.3 shows the types of packet filtering that the WS5000 Series Switch supports.
Table 1.3 Packet Filters Supported
Packet filter | Filters
MACsource | Source MAC addresses
MACdestination | Destination MAC addresses
ethertype | Ethernet specifier: Speed
vlanid | Virtual LAN IDs
userpriority | User Priority
protocol | Protocol Type
tos | Type of Service
IPsource | Source IP
IPdestination | Destination IP
sourceport | Source Port
destinationport | Destination Port
MCMask | Destination multicast group MAC address
1.3.4.3 Weighted Fair Queuing (WFQ)
Weighted Fair Queuing (WFQ) enables a mechanism on the switch that uses up to eight queues to store data (network packets) and prioritize RF transmission to and from MUs depending on the data type. After the switch classifies the data (as voice or data), WFQ stores the packets (assuming the network traffic demands that the data be queued by data type) and then transmits the packets at a rate specified by the WFQ allocation percentage setting.
You can assign WFQs to classification groups. There is a WFQ for inbound traffic. WFQ for a classification group must have a nonzero value to enable the classification group.
Note You can use WFQ to prioritize only UDP traffic along with the filters.
WFQ uses one queue for each classification group, up to eight queues total, and one queue for all other data. For example, if the network has only one classification group for VoIP and no other groups, then WFQ automatically uses two queues: one for VoIP and the other for all other data (data not defined in the classification group). Each additional classification group uses another queue and keeps one queue open for other data.
The allocation setting determines the percentage of available network bandwidth for data from a classification group. For example, if the WFQ allocation for VoIP data is set to 80%, then the switch sends four packets of VoIP data for every one packet of other data during periods of network congestion.
WFQ is implemented for the different types of traffic on the same ESSID and Access Port (AP) as well as between different ESSIDs on the same AP. This implementation shares voice and non-voice traffic across different network paths, thereby balancing the traffic load. A large volume of non-voice traffic on one ESSID does not deplete the voice traffic on another ESSID on the same AP.
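The filtering and queuing rules of sections 1.3.4.2 and 1.3.4.3, as an added Python example that is not code from the switch or from Symbol: packets are matched against classification groups, discarded or queued, and drained with a smooth weighted round-robin that stands in for the switch's WFQ and counts packets rather than bytes. The class and field names, the first-match-wins order, the priority stamp, the remainder going to the "other" queue, and the sample VLANs and ports are assumptions.

```python
from collections import deque
from dataclasses import dataclass

MAX_GROUP_QUEUES = 8   # page: one queue per classification group, eight at most
OTHER = "other"        # page: one more queue for all remaining data


@dataclass
class ClassificationGroup:
    name: str
    match: dict           # Table 1.3 filter name -> value the packet must carry
    decision: str         # "allow" or "discard"
    priority: int = 0     # 0-7, seven highest (allow groups only)
    wfq_percent: int = 0  # WFQ allocation; zero leaves an allow group disabled

    def matches(self, packet):
        return all(packet.get(key) == want for key, want in self.match.items())


class OutputPort:
    def __init__(self, groups):
        for g in groups:
            if g.decision not in ("allow", "discard"):
                raise ValueError(f"{g.name}: decision must be allow or discard")
            if not 0 <= g.priority <= 7:
                raise ValueError(f"{g.name}: priority must be 0-7")
        # An allow group with a zero WFQ value is not enabled (section 1.3.4.3).
        self.groups = [g for g in groups
                       if g.decision == "discard" or g.wfq_percent > 0]
        allow = [g for g in self.groups if g.decision == "allow"]
        if len(allow) > MAX_GROUP_QUEUES:
            raise ValueError("more than eight classification-group queues")
        reserved = sum(g.wfq_percent for g in allow)
        if reserved >= 100:
            raise ValueError("allocations must leave a share for other data")
        self.weight = {g.name: g.wfq_percent for g in allow}
        self.weight[OTHER] = 100 - reserved   # assumption: remainder goes here
        self.queue = {name: deque() for name in self.weight}
        self.credit = dict.fromkeys(self.weight, 0)
        self.dropped = []

    def enqueue(self, packet):
        """Classify one packet; return the queue it joined, or None if discarded."""
        # Assumption: groups are checked in list order and the first match wins.
        group = next((g for g in self.groups if g.matches(packet)), None)
        if group is not None and group.decision == "discard":
            self.dropped.append(packet)
            return None
        name = group.name if group else OTHER
        marked = dict(packet, priority=group.priority if group else 0)
        self.queue[name].append(marked)
        return name

    def dequeue(self):
        """Send one packet under congestion: smooth weighted round-robin."""
        active = [name for name, q in self.queue.items() if q]
        if not active:
            return None
        for name in active:
            self.credit[name] += self.weight[name]
        best = max(active, key=self.credit.__getitem__)
        self.credit[best] -= sum(self.weight[name] for name in active)
        return best, self.queue[best].popleft()


def demo():
    port = OutputPort([
        ClassificationGroup("quarantine", {"vlanid": 99}, "discard"),
        ClassificationGroup("voip", {"protocol": "udp", "destinationport": 5004},
                            "allow", priority=7, wfq_percent=80),
    ])
    # Constructed traffic: voice and web on VLAN 10, plus voice-like packets
    # from the quarantined VLAN 99 that the discard group must catch first.
    for seq in range(20):
        port.enqueue({"protocol": "udp", "destinationport": 5004, "vlanid": 10, "seq": seq})
        port.enqueue({"protocol": "tcp", "destinationport": 80, "vlanid": 10, "seq": seq})
    for seq in range(3):
        port.enqueue({"protocol": "udp", "destinationport": 5004, "vlanid": 99, "seq": seq})
    sent = [port.dequeue()[0] for _ in range(10)]
    return sent, len(port.dropped)


if __name__ == "__main__":
    print(demo())
```

With both queues backlogged, the 80% allocation produces the four-to-one pattern the text describes, and the discard group listed first removes the VLAN 99 packets even though they also match the VoIP group.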
1.3.4.4 QoS via Wi-Fi Multimedia Extension (WME)
Quality of Service (QoS) is required to support multimedia applications and advanced traffic management. WME (Wi-Fi Multimedia Extension) adds prioritized QoS capabilities to Wi-Fi networks and optimizes their performance when multiple concurrent applications, each with different latency and throughput requirements, compete for network resources.
By using WME, end-user satisfaction is maintained in a wider variety of environments and traffic conditions. WMM provides prioritized media access and is based on the Enhanced Distributed Channel Access (EDCA) method.
It defines four priority classes to manage traffic from different applications:
• Voice
• Video
• Best effort
• Background
Typically, networks operate on a best-effort delivery basis. All traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped. Applications such as voice, video and music streaming, and interactive gaming generate data streams that have strict latency and throughput requirements. To ensure a good user experience, traffic from different applications has to be managed and prioritized using QoS.
When QoS is configured on the switch, users can select specific network traffic, prioritize it, and use congestion management and congestion avoidance techniques to provide preferential treatment. Implementing QoS on wireless LANs makes network performance more predictable and bandwidth utilization more effective. The benefits of QoS become more obvious as the load on the wireless LAN increases, keeping the latency, jitter, and loss for selected traffic types within an acceptable range.
WMM introduces traffic prioritization capabilities based on the four “Access Categories” (AC). In the default configuration, the higher the access category, the higher the probability of transmitting.
The ACs were designed to correspond to 802.1d priorities to facilitate interoperability with QoS policy management mechanisms, such as UPnP.
Table 1.4
Access Category | Description | 802.1d Tags
WMM Voice (AC 3) | Highest priority. Allows multiple concurrent VoIP calls, with low latency and toll voice quality. | 7, 6
WMM Video (AC 2) | Prioritizes video traffic above other data traffic. One 802.11g or 802.11a channel supports 3-4 SD TV streams or 1 HDTV stream. | 5, 4
WMM Best Effort (AC 1) | Traffic from legacy devices, traffic from applications or devices that lack QoS capabilities. Traffic less sensitive to latency, but affected by long delays, such as internet browsing. | 0, 3
WMM Background (AC 0) | Low-priority traffic (file downloads, print jobs) that does not have strict latency and throughput requirements. | 2, 1
The Access Category of a packet is part of the 802.11 header.
Packets from the wired side to WLAN do not contain any AC information. This traffic is classified into one of the four WMM ACs:
• If it contains VLAN tags/DSCP priority, this information is used to obtain the AC.
• In addition, existing classifiers (CE/CG) can be used to match traffic of a particular type, which can then be assigned to an AC as an action.
Traffic from a WMM enabled WLAN, when sent to RON (rest of network) retains the priority information in the VLAN tag (if present) as well as the IP header (if an IP packet). Mapping from AC to 802.1d tags is according to WMM standards.
Packets not assigned to a specific AC are categorized by default as having best effort priority.
WME can be enabled on a per AP policy basis as well as on a per WLAN basis. A WLAN will use WME only if both the WLAN, as well as the AP Policy it is under have WME enabled. By default, WME is disabled in WLANs as well as AP Policies.
WME is only supported on AP300s. WMM-enabled switches/APs coexist with legacy devices (devices that are not WMM-enabled).
The default WME AC parameters (which determine the prioritization of traffic under each AC) are as specified by the WME standard. The configuration of each AC can be modified. Four parameters can be configured per AC: CWmin, CWmax, AIFSN and TXOP. The parameters are explained below.
AC Parameters
Packets are then added to one of four independent transmit queues (one per AC; i.e., voice, video, best effort, or background) in the AP. The AP has an internal collision resolution mechanism to address collision among different queues, which selects the frames with the highest priority to transmit. The same mechanism deals with external collision, to determine which client should be granted the “Opportunity to Transmit” (TXOP).
The collision resolution algorithm that is responsible for traffic prioritization is probabilistic and depends on two timing parameters that vary for each AC:
• The minimum interframe space, or Arbitrary Inter-Frame Space Number (AIFSN)
• The Contention Window (CW), sometimes referred to as the Random Backoff Wait
Both values are smaller for high-priority traffic.
For each AC, a backoff value is calculated as the sum of the AIFSN and a random value from zero to the CW.
The value of the CW varies through time:
• Initially, the CW is set to a value that depends on the AC (CWmin).
• After each collision, the CW is doubled until a maximum value (CWmax), also dependent on the AC, is reached.
• After successful transmission, the CW is reset to its initial, AC-dependent value.
The AC with the lowest backoff value gets the TXOP.
As frames with the highest AC tend to have the lowest backoff values, they are more likely to get a TXOP.
Once a client gains a TXOP, it is allowed to transmit for a given time depending on the AC and the PHY rate.
TXOP limit ranges from 0.2 ms (background priority) to 3 ms (video priority) in an 802.11a/g network, and from 1.2 ms to 6 ms in an 802.11b network.
This bursting capability greatly enhances the efficiency for high data rate traffic, such as AV streaming.
Also, the devices operating at higher PHY rates are not penalized when devices that support only lower PHY rates (e.g. because of distance) contend for medium access.
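The classification and contention rules of this section, as an added Python example that is not code from the switch or from the WME specification: wired-side frames are mapped to an AC by their 802.1d tag (Table 1.4), then the four queues contend using the backoff rule above until every frame is sent. It is a simplified model (a fresh backoff is drawn every round and TXOP durations are ignored); the function names and sample tags are hypothetical, and the AIFSN/CWmin/CWmax numbers are assumed values that the page does not list.

```python
import random
from statistics import mean

# 802.1d tag -> access category, from Table 1.4 above.
TAG_TO_AC = {7: "voice", 6: "voice", 5: "video", 4: "video",
             0: "best_effort", 3: "best_effort", 2: "background", 1: "background"}

# (AIFSN, CWmin, CWmax), highest priority first. Assumed values: the commonly
# published WMM station defaults for 802.11a/g. The page does not list them.
AC_PARAMS = {
    "voice":       (2, 3, 7),
    "video":       (2, 7, 15),
    "best_effort": (3, 15, 1023),
    "background":  (7, 15, 1023),
}
PRIORITY = list(AC_PARAMS)   # dict order is priority order


def access_category(dot1d_tag):
    """Wired-side frames carry no AC; untagged ones default to best effort."""
    return TAG_TO_AC.get(dot1d_tag, "best_effort")


def transmit_order(tags, seed=1):
    """Queue frames by AC, then run contention rounds until every frame is sent.

    Returns a list of (access_category, frame_index) in transmit order.
    """
    rng = random.Random(seed)
    queues = {ac: [] for ac in PRIORITY}
    for index, tag in enumerate(tags):
        queues[access_category(tag)].append(index)
    cw = {ac: AC_PARAMS[ac][1] for ac in PRIORITY}      # start at CWmin
    order = []
    while any(queues.values()):
        # Backoff = AIFSN + random value from zero to the current CW.
        backoff = {ac: AC_PARAMS[ac][0] + rng.randint(0, cw[ac])
                   for ac in PRIORITY if queues[ac]}
        lowest = min(backoff.values())
        tied = [ac for ac in PRIORITY if backoff.get(ac) == lowest]
        winner = tied[0]            # internal collision: highest priority wins
        order.append((winner, queues[winner].pop(0)))
        cw[winner] = AC_PARAMS[winner][1]               # success resets the CW
        for ac in tied[1:]:                             # the rest collided
            cw_max = AC_PARAMS[ac][2]
            cw[ac] = min(2 * (cw[ac] + 1) - 1, cw_max)  # doubling, kept as 2^n - 1
    return order


def mean_position(order, ac):
    """Average place in the transmit order for one access category."""
    return mean(i for i, (name, _) in enumerate(order) if name == ac)


# Constructed input: 50 repetitions of one frame per tag, None meaning untagged.
SAMPLE_TAGS = [7, 5, 0, 1, None] * 50

if __name__ == "__main__":
    result = transmit_order(SAMPLE_TAGS)
    for ac in PRIORITY:
        print(f"{ac:12s} mean transmit position {mean_position(result, ac):6.1f}")
```

With these assumed parameters a voice backoff is at most 5 and a background backoff at least 7, so background frames wait until the voice queue is empty.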
1.3.5 Multi-BSSID and ESSID Access Ports
In a networked wireless environment, multiple access ports are connected to a WS5000 Series Switch to provide RF connectivity to MUs. Each access port radio sends and receives RF signals over a range of space, the Basic Service Set (BSS). The BSS coverage area is identified by a Basic Service Set Identifier (BSSID).
The access port beacon contains its BSSID, which enables the MU to recognize the access port and associate with it. Extended Service Sets (ESS) are a logical group of BSSs. ESSs virtualize or increase the number of BSS radio signals.
The beacon contains information about the access port and the network, which enables the MU to rank access ports based on the received signal strength. The beacon can optionally include the Extended Service Set Identifier (ESSID). MUs associate with the most preferable access port in the coverage area.
After association, the MU continues to scan for other beacons to ensure that it is receiving the best, continuous signal strength, in case the signal from the currently associated access port becomes too weak to maintain communications as the MU moves through the area.
Most access ports support multiple BSSs (see Access Port Support on page 1-4). MUs sense each unique BSS as a separate radio signal. Access ports with multiple BSSs solve performance and security issues by isolating broadcast traffic on a specific BSS rather than sending broadcasts to all BSSs. This enables MUs to save battery power by sensing only for their specific BSS rather than all traffic. An access port with multiple BSSs provides the same functionality as four single-BSS Access Points and requires less time for installation and configuration.
Network administrators add WLANs to BSSs. The BSSIDs are mapped to ESSIDs by default. However, the network administrator can optionally change default settings. The network administrator can map each BSSID to multiple ESSIDs, so the radios on the access ports support multiple WLANs.
As RF traffic changes over time or the MU roams, the MU searches for access ports that have a matching ESSID. The MU associates with an access port with the same ESSID to synchronize communication. As the MU roams from coverage area to coverage area, it switches between access ports.
The MU switches between access ports when the MU analyzes the reception quality at a location and decides to communicate with another access port based on the best signal strength and lowest MU load distribution.
The AP 100, AP 200, AP 300, AP 4121 and AP 4131 access ports support multiple ESSIDs.
1.3.6 Standby Management
“Failover” or Standby Management enables the network administrator to significantly reduce the chance of a disruption in service to the switch and associated MUs by placing one or more additional WS5000 Series Switches as backup to a Primary wireless switch if it fails.
After configuring a Primary and Standby switch, the Primary switch issues a Discovery packet on each configured interface. Assuming there is a properly configured Standby switch, the Standby receives the Discovery packet and starts sending heartbeats to the Primary. This establishes connectivity between the Primary and the Standby. The Primary switch executes various internal monitors, in addition to any that are necessary to communicate with the Standby switch.
If heartbeats fail after being properly established, the Standby wireless switch incurs a failover event and assumes the duties of the Primary switch, including adopting all access ports. The Standby switch sends an administrative alert (SNMP trap, etc.) to the administrator that a failover event has taken place.
Warning! You cannot configure a WS5000 model switch as a standby for a WS5100 model switch.
1.3.7 WLAN to VLAN Mapping
Virtual LANs (VLANs) segment large subnets of a network, which enables network administrators to control broadcasts and heighten network security. The WS5000 Series switch connects to the wired network through one of two Ethernet ports (typically through NIC 2). Each access port associated with the switch can be connected to either a trunked or non-trunked Ethernet port of the switch. Administrators configure an Ethernet policy so it maps each WLAN to a non-trunked Ethernet port or to one of the VLANs visible to the trunked Ethernet port. Further, administrators enable WLANs to communicate with a VLAN by configuring each WLAN so that the rest of the network connects through a common router or Layer 2 switch.
Access ports in a VLAN are able to broadcast and multicast only within that VLAN. Using VLANs, wireless switch administrators limit the general traffic in the wireless network, including broadcast packets because large numbers of broadcast packets can affect network performance. By segmenting a network into VLANs, wireless switch administrators limit the spread of broadcast packets.
Using VLANs:
• Limits broadcast and multicast traffic
• Increases security by limiting communication between groups
• Allocates network resources, such as servers, to specific groups
Map WLANs on a one-to-one basis, configuring switch policies such as:
• Ethernet Policy mapping one WLAN to a VLAN
• Access Port Policy mapping one or more WLANs to a BSSID
• Security Policy mapping one security policy to a WLAN policy
1.4 New Features
This section describes the key enhancements in the WS5000 Series Switch:
• WME
• RF Statistics
• GRE Tunnel
• Dual DHCP Server
• SNMP Trap on Config Change
• AP to AP Beacons
• DTIM per BSS
• WIPS Support
• CPU Temperature Monitoring in WS5000
• Active Primary Revert
• Access Port Ping
• Upgrade/Downgrade Process
1.4.1 WME
WME is a quality of service implementation based on a subset of the IEEE 802.11e draft specification. WME support will enable a wireless infrastructure network based on the WS5000 to handle multimedia traffic with Quality of Service (QoS). The WS5000 will be able to provide the enhanced service for WME-capable stations associated with an access port that has the WME capability.
To learn more about WME refer to QoS via Wi-Fi Multimedia Extension (WME) on page 1-11.
1.4.2 RF Statistics
The switch shall support approximately 24 new MIB tables, giving various details of the RF statistics. The purpose of these new (enhanced) statistics is to provide better RF monitoring and troubleshooting capabilities to network administrators.
The salient features of enhanced RF stats are:
• It supports 350 RF stats, on a per APPortal and per MU basis.
• Provides Long and Short statistics, Traps and Thresholds.
• It is accessible using SNMP.
To learn more about enhanced RF Stats, refer to Chapter 14, Enhanced RF Statistics.
1.4.3 GRE Tunnel
GRE Tunneling capability provides the ability to create a GRE tunnel from a switch to a switch/router at the remote end through an IP backbone. The primary functionality is to provide IP services (from the remote end / core of the network) to the MUs on particular WLANs that are mapped to the GRE tunnels. The data arriving from an MU associated with a particular WLAN would be sent across to that GRE endpoint.
This functionality in WS5000 v2.1 is based on v1.4.3, when GRE tunneling capability was first introduced. V2.1 will also provide the capability to enable up to 4 GRE tunnels and provide the necessary WLAN mapping and other required configuration parameters (including Remote IP Address, Time To Live and Keep Alive).
Common tunneling protocols include:
• Generic Routing Encapsulation (GRE)
• Layer2 Tunneling (L2TP)
• IPSec VPN
• Multi Protocol Label Switching (MPLS) VPN
• IP over IP
For the entire GRE tunnel CLI configuration, refer to tunnel on page 8-85.
1.4.4 Dual DHCP Server
Currently the DHCP server is used along with the VPN server to serve public addresses to the wireless clients. It can be enabled only on one NIC at one time. It is required that the DHCP server should be able to serve IP addresses on both the interfaces, and should be able to serve IP addresses from different pools of addresses on both interfaces.
Since the DHCP server may be used directly with WPA/WPA2 (without VPN), the requirement is that the DHCP configuration should be available, even when VPN is not enabled.
Also, there is a requirement to restrict serving of the IP-addresses only to the primary (native) VLAN. So, a new configuration is provided to meet this requirement.
To learn more about Dual DHCP server, refer to Chapter 12, Configuring the WS5100 WTLS VPN.
1.4.5 SNMP Trap on Config Change
For improved system administration, WS5000 v2.1 supports the following:
1. Send out an SNMP trap whenever configuration in the switch changes. The change could be initiated by CLI, GUI or SNMP.
2. The trap contains the time when the config was changed. The trap will not contain any details of the config change itself.
3. The switch stores the time when the config was last modified. This will not be persistent across switch reboots.
4. The switch will maintain a count of total configuration changes. This will not be persistent across switch reboots.
Chapter 16, Syslog and Traps lists all the traps and syslog messages.
1.4.6 AP to AP Beacons
The purpose of this functionality is to measure and report the signal strength of beacons heard by each Portal (radio) connected to the switch, periodically. Normally, any given Portal would hear beacons from at most all the other Portals on its assigned channel. It may also hear beacons from 'nearby' Portals on adjacent channels.
This information will be reported by the switch as a new doubly-indexed table. The primary index is the PortalIndex of the Portal that heard the beacons. The second index is the PortalIndex of the Portal from which the beacons were heard. For each such combination, 7 pieces of data are tracked in a cumulative fashion (since switch reboot).
To learn more about AP to AP beacon, refer to Chapter 13, Neighboring APs.
1.4.7 DTIM per BSS
This would allow for the setting of the DTIM on a per BSS basis. Each Access Port can run one WLAN for data devices with DTIM 10 and another WLAN with DTIM 2 for VoIP phones. With this feature, not all the WLANs need to have a lower DTIM value, because that would drastically impact the battery performance of data devices.
This would involve sending new information elements, while doing a configuration of the Access Port.
The AP policy context will be enhanced to enable the user to set 4 separate DTIM interval values for 4 different BSSIDs. DTIM value 1 will be used for BSS1, DTIM value 2 for BSS2, and so on. The first DTIM interval value will also be the default, to be used when the AP does not support setting of DTIM per BSS. This will help the user to know what DTIM values are actually used, depending on the BSS-ESS mapping, and will be indicated as such through the user interfaces.
To learn more about DTIM per BSS, refer to Appendix B, DTIM Interval per BSS.
1.4.8 WIPS Support
The Wireless Intrusion Prevention System (WIPS) was introduced in 2005 as an overlay system (to the wireless infrastructure) to provide intrusion detection and prevention services. The system comprises a WIPS server (typically located at the NOC / Data Center) and the AP300 Access Ports that act as "sensors" and forward all the necessary traffic to the WIPS server, which analyzes the network for any sort of unwanted traffic and protects against various types of Denial of Service attacks.
The idea of using the AP300 is to provide an easy-to-deploy system for intrusion detection / prevention re-using existing hardware (typical WIPS systems require a dedicated, expensive sensor). The AP300 needs to be converted to a "sensor" (with a special firmware downloaded to it).
WS5000 v2.1 addresses the requirement to integrate the capability of converting a standard AP300 to a sensor (and back as required) from the switch itself (and not have the administrators use a standalone tool to do the same).
To learn more about WIPS support, refer to Converting an AP300 into a Sensor on page 15-3.
1.4.9 CPU Temperature Monitoring in WS5000
Some CPU fan failures have been observed in the field; these failures are typically fatal for the processor of the switch unless rapid servicing of the switch can take place. To assist in the detection of failure-prone switches, WS5000 Series 2.1 will expose the following information through the different interfaces:
• The CPU temperature
• The CPU fan speed
• The chassis fans
• The chassis temperature
This information is available via the CLI, SNMP, Applet, and XML interface for the WS5100 platform. This functionality will also be available for the WS5000 (SME) platform in WS5000 v2.1.
Additionally, to help identify switches that are about to fail, the switch will poll the hardware every 30 seconds. An event will be generated when threshold values are passed. As for other events, this may result in a syslog message and/or an SNMP trap depending on the event manager configuration. On the WS5100 platform, this will also result in an "alert" visual indication on the LEDs.
Refer to Chassis Context on page 8-170 to configure the CPU temperature in WS5000.
1.4.10 Active Primary Revert
This feature supports issuing 'set mode rev' from the "cfg> standby" context with an "Active" Primary. This is needed for troubleshooting a suspected issue with the Primary "Active" box.
Refer to Standby Context on page 8-273 to configure the Auto Revert feature.
1.4.11 Access Port Ping
This will allow the Admin to ping an Access Port - at Layer 2 (the access port does not support IP). This uses Symbol's WNMP protocol's Ping Request and Ping Response to check the connectivity between the switch and the access port.
Refer to rfping in Chapter 9, Service Mode CLI to learn more about rfping.
1.4.12 Upgrade/Downgrade Process
The WS5000 Series Switch provides an autoinstall script that enables you to upgrade to version 2.1 automatically. See Chapter 2, Installing the System Image.
1.5 Other Features
• AP-4131 Port Conversion
• Automatic Channel Select
• Event Manager
• Hot Standby
• Integrated Radius/AAA Server
• On-Board DHCP
• On-Board KDC
• Rogue AP Detection
• Simple Network Management Protocol (SNMP)
• WTLS VPN
1.5.1 AP-4131 Port Conversion
You can convert the Symbol AP-4131 model access points to RF Ports for use with the WS5000. The port conversion enables existing customers to utilize an existing Symbol wireless infrastructure with the WS5000 Series Switch. See Chapter 11, Converting AP-4131 Access Points to RF Ports.
1.5.2 Automatic Channel Select
The Automatic Channel Selection (ACS) feature enables the switch to determine the best radio frequency or channel for an access port. The switch determines the best channel for each access port through a set of algorithms that analyze the channels permitted by country regulations and the relative signal strength of each access port in the wireless coverage area.
Using ACS optimizes channel selection, which is helpful in areas where coverage is dynamic because either the site itself changes or coverage needs change. As conditions change, ACS is used to adapt and obtain the best coverage.
1.5.3 Event Manager
An event notification system monitors an administrator-configured set of events in network performance. The switch uses the Event Notification manager to log and collect application and system events on remote or local system log (Syslog) collectors or servers.
Events are conditions about which the network administrator should be notified. The network administrator can configure the switch to send event notifications using SNMP to an SNMP trap server, to the switch local log, or to a Syslog server. The administrator can select the events to be notified about and the appropriate severity level.
1.5.4 Hot Standby
You can use the WS5000 Series Switch in the hot standby mode, but when the switch is in this mode it will not adopt primary access ports. The hot standby system only adopts APs after it detects that the primary system it monitors failed. The system administrator should export the primary system’s configuration into the backup switch. After importing, the administrator should place the switch in the backup mode. The backup switch can monitor only one primary machine at a time.
The hot standby switch adopts the APs defined by the switch policy rules. The primary switch license determines the number of APs. The primary switch sends the current number of licenses during its regular communication with the standby switch. The primary switch does not communicate policy configuration information; the system administrator must manually export or import it. The communication between the switches is an ongoing process, so if you change the number of active licenses on the primary switch while it runs, the standby adopts the appropriate number of access ports during a fail-over. For maximum robustness, it is recommended both primary and standby switches run the same version of the switch.
1.5.5 Integrated Radius/AAA Server
The WS5000 Wireless Switch provides an integrated Radius server as well as the ability to work with external Radius and LDAP servers to provide user database information and user authentication. Radius configuration supports:
• Configuring appropriate authentication types
• Configuring Clients
• Configuring External Proxy Servers
• Configuring LDAP Servers
1.5.6 On-Board DHCP
Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to computers using TCP/IP. A DHCP server assigns addresses to computers configured as DHCP clients.
The DHCP configuration can be done on both Ethernet interfaces independently.
1.5.6.1 Configuring DHCP Server using CLI
You must run all DHCP CLI commands in the Configuration.Ethernet.[N] context. Table 1.5 lists and describes the DHCP commands:
Table 1.5 DHCP CLI Commands
Command | Description
set dhcpsrv <enable | disable> | Enables or disables the WS5000 Series Switch’s internal DHCP server (for this NIC).
set dhcp_IP_Range startIP [ endIP ] | Sets the DHCP server’s IP pool range. If endIP isn’t supplied, the pool consists of the single startIP address.
set dhcp_Static_IP <static_IP_Address> <MAC> <hostname> | Assigns the static_IP_Address to the device with the given MAC address. The device is also assigned a hostname.
 | Enables the DHCP server to recognize DHCP option number code_num. The option takes on the given name and value. Currently, the only types that are recognized are ip-address and text.
set dhcp_DefLease <seconds> | Sets the DHCP server’s default lease time, in seconds, to seconds. Note: The default lease time is always less than or equal to the maximum lease time. If you set the default lease time to be greater than the maximum lease time, the maximum lease time is automatically reset to match the default. Conversely, if you set the maximum lease time to be less than the default lease time, the default is reset to the (new) maximum.
set dhcp_MaxLease <seconds> | Sets the DHCP server’s maximum lease time, in seconds, to seconds.
set dhcp_DomainName <domain.suffix> | Sets the DHCP server’s domain name; for example, “symbol.com”. To clear the domain name, pass a NULL argument.
set dhcp_PriDNS_IP <IP_address> | Sets the IP address that the DHCP server will use as its primary Domain Name System server. To clear the primary DNS IP, pass a NULL argument.
set dhcp_SecDNS_IP <IP_address> | Sets the IP address that the DHCP server will use as its secondary Domain Name System server. To clear the secondary DNS IP, pass a NULL argument.
set dhcp_Router_IP <IP_address> | Sets the IP address that the DHCP server will use as its router. To clear the secondary DNS IP, pass a NULL argument.
set dhcp_PriVLAN_only <IP_address> | Serves DHCP requests only on the primary VLAN for the interface.
1.5.6.2 Viewing DHCP Configurations
To view the current DHCP server settings for an Ethernet port, use the show command. The DHCP server settings are grouped and indented at the end of the output:
WS5100_VPN.(Cfg).Ethernet.[1]> show
DHCP Server details
Configured State : Disable
Status : Disable
Subnet IP : 192.000.000.0
Netmask IP : 255.255.255.0
etc...
1.5.6.3 Importing a dhcpd.conf File
You can use a DHCP configuration file to configure the DHCP servers on the WS5000 Series Switch. The configuration file must be named dhcpd.conf. To install the file on the switch, use the copy tftp system command from the Configuration context:
WS5100_VPN.(Cfg)> copy tftp system
Enter the file name to be copied from TFTP server : dhcpd.conf
IP address of the TFTP server : 192.168.xxx.xxx
Copying 'dhcpd.conf' from tftp://192.168.90.158 to Switch...
File: dhcpd.conf copied successfully from 192.168.90.158
Verifying conf file...
Valid conf file format.
The format of the dhcpd.conf file follows the convention declared in RFC 2131 (http://rfc.net/rfc2131.html).
Note When you copy a dhcpd.conf file to the WS5000 Series Switch, the previous version of the file (on the switch) is overwritten.
1.5.6.4 DHCP Option 60
A feature of DHCP (Option 60) enables a DHCP server to recognize a DHCP client’s equipment identifier, and assign the device an IP drawn from an equipment-specific set of addresses (an IP pool). DHCP servers that respond to Option 60 should only use DHCP Option 43 to return vendor-specific information to the DHCP client.
1.5.7 On-Board KDC
The WLAN Switch has an on-board Key Distribution Center (KDC) or Kerberos authentication server. The WS5000 Series Switch provides a secure means for authenticating users/clients associated to a WLAN or ESS with the Kerberos security policy applied.
The on-board KDC can be configured to use up to three Network Time Protocol servers (NTPs). A separate switch with an on-board KDC can be configured as a Slave KDC to support the Master KDC in case of a Master KDC failure.
1.5.8 Rogue AP Detection
Rogue Access Ports (APs) are an area of concern with respect to LAN security. The term Rogue AP denotes an unauthorized access port connected to the production network or operating in a stand-alone mode (perhaps in a parking lot or in a neighbor’s building). Rogue APs are not under the management of network administrators and do not conform to any network security policies.
Although 802.1x security settings should completely protect the LAN, organizations are not always fully compliant with the newest wireless-security best practices. In addition, organizations want the ability to detect and disarm rogue APs. The WS5000 Wireless Switch provides a mechanism for detecting and reporting rogue APs. See Chapter 7, Configuring Rogue AP Detection.
1.5.9 Simple Network Management Protocol (SNMP)
SNMP defines the method for obtaining information about network operating characteristics as well as router and gateway behaviors. This application-layer protocol initiates the exchange of configuration and management information between network devices. The SNMP architecture allows a variety of relationships among network entities.
The WS5000 Series Switch v2.0 supports SNMP v3.0 as well as SNMP v2.0 and v1.0. To configure SNMP on the WS5000 Series Switch, see SNMP Context on page 8-258.
The switch GUI and CLI help you enable or disable certain SNMP features. Disabling these features (“hardening” of the switch) helps manage security. Hardening of the KDC only is also permitted.
SNMP is also managed by the SNMP manager through a third-party SNMP client, software permitting the manipulation and configuration of SNMP components. There are three elements in this process:
Management Stations – Software managing SNMP protocol parameters and communicating with SNMP Agents. The SNMP manager is responsible for this element.
SNMP Agent – Local to the Wireless Switch, this SNMP server provides the network device information. It processes information requests from the SNMP manager via the management station using SNMP.
Management Information Base (MIB) – The storage area for network-management information. It consists of collections of managed objects, such as SNMP parameters and events. These objects describe the state of a particular network device.
1.5.10 WTLS VPN
Wireless Transport Layer Security (WTLS) is a security protocol specifically designed to provide authentication and data integrity for wireless traffic where access devices can change dynamically, for example when the access port changes because of environmental changes or roaming.
A Virtual Private Network (VPN) is a protected network connection that tunnels through an unprotected connection. The WS5000 Series Switch uses a VPN connection to protect wireless transmissions on the untrusted side of the switch.
The WS5000 Series Switch provides WTLS VPN functionality, which includes:
On Board DHCP server
On Board VPN server
Firewall
NAT
Twice NAT
For details, see Chapter 12, Configuring the WS5100 WTLS VPN.
Installing the System Image
This chapter describes how to install a new system image with the latest software on the WS5000 Series Switch. It also guides you through the CLI commands for restoring the site configuration file for the switch. This chapter contains:
Before Installing the Image
Upgrading the Switch Software to 2.1
2.1 Before Installing the Image
Before upgrading the software on the WS5000 Series Switch, verify the current software version and update path as described in the following section.
Symbol recommends you save the configuration of the system to be upgraded onto the network using the save configuration command.
Note The WS5000 Series Switch Graphical User Interface does not support this process.
After you log into the WS5000 Series Switch, it displays the software version. For example:
user name: cli
Symbol Wireless Switch WS 5000 Series.
Please enter your username and password to access the Command Line Interface.
userid: admin
password: ******
Retrieving user and system information...
Setting user permissions flags..
Checking KDC access permissions...
Welcome...
Creating the Event list...
System information...
System Name : WS5000
Description : WS5000 Wireless Network Switch
Location :
Software Ver. : 2.1.0.0-xxxR
Licensed to : Symbol Technologies
Copyright : Copyright (c) 2000-2006. All rights reserved.
Serial Number : 00A0F8545254
Number of Licenses : 48
Max Access Ports : 48
Max Mobile Clients : 4096
MU Idle Timeout value : 1800 seconds
Active Switch Policy : symbol2006
Emergency Switch Policy : Not defined
Switch Uptime : 00d:00h:35m
Global RF stats : Disabled
# of Unassigned Access Ports : 0
CLI AutoInstall Status : Enabled
WS5000>
Table 2.1 lists the procedures to upgrade the WS5000 Series Switch to the latest software version (xxx):
Table 2.1 Procedure to Upgrade to 2.1-xxx
If Your Switch Version is
    To Update to 2.1-xxx

2.1.0.0-xxx
    Do nothing. The wireless switch software is up to date.

2.0.0.0-xxx
    Follow the procedures in Upgrading the Switch from 2.0 to 2.1 on page 2-4.

1.4.3.0-xxx
    Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3.

1.4.2.0-xxx
    Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3.

1.4.1.0.xxx
    Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3.

1.4.0.xxx
    Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3.

WS5100 1.1v49
    Follow the procedures in Upgrading the Switch Software to 2.1 on page 2-3.

Any other version
    Contact your Symbol Support representative.
2.2 Upgrading the Switch Software to 2.1
The WS5000 Series Switch release 2.1 enables you to upgrade to the 2.1 baseline from the following platforms:
WS5000 or 5100 running the 2.0/1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3/2.0 baseline.
You can upgrade the switch using the following methods:
Upgrading Using the CLI on page 2-3
If you encounter an error during the upgrade process, refer to Recovering from Upgrade Errors on page 2-12.
Note There are certain key combinations that might stop the WS5000 Boot Loader (in 1.4.x.x baseline) so that it accepts user inputs. To avoid this, do not press any key and do not enable the scroll lock on the serial console window when the upgrade or downgrade is in progress.
2.2.1 Upgrading Using the CLI
Use either ssh, telnet or a serial access cable to log into the CLI.
The WS5000 Series Switch software package contains:
vdate - This binary is used to get the firmware version from the DOM. This binary fails to operate over a Simpletech DOM and is used only with a Kouwell DOM.
dominfo - This binary is used to get the DOM manufacturer information, either Simpletech DOM or Kouwell DOM. This binary is helpful when a Simpletech DOM using the latest firmware is used and the vdate fails over it.
PreUpgradeScript - This script uses the dominfo to get the DOM manufacturer's information. Only if the script detects that the DOM is a Kouwell DOM does it call the vdate to get the firmware version. The Simpletech DOM, by default, always has the latest firmware.
WS5000_v2.1.0.0-xxxx.sys.kdi - The image needed for the upgrade.
To upgrade to 2.1 using the CLI, use the following steps:
1. Upgrading the Switch from 2.0 to 2.1.
2. Upgrading the Switch from 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1
a. Copy the vdate to the switch
b. Copy the dominfo to the switch
c. Copy the PreUpgradeScript to the switch.
Note You must run the PreUpgradeScript before you upgrade the switch. This is valid only when you upgrade the switch from 1.4.x to 2.1.
2.2.1.1 Upgrading the Switch from 2.0 to 2.1
To upgrade from WS5000 2.0 to the WS5000 2.1 baseline:
1. Copy the WS5000_v2.1.0.0-xxxx.sys.img image (using ftp) to the system to be upgraded. Use the following command under the cfg mode of the CLI:
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : WS5000_v2.1.0.0-xxxR.sys.img
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'WS5000_v2.1.0.0-xxxR.sys.img' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
17091650 bytes received in 10.3 seconds (1666803 bytes/s)
Verifying imagefile...
Valid imagefile.
Completing verification.
WS5000.(Cfg)>
2. Run the following command:
WS5000.(Cfg)> restore system WS5000_v2.1.0.0-xxxR.sys.img
This command will reset the system and boot up with the new restored image.
Do you want to continue (yes/no) : yes
Restoring system image and configuration from WS5000_v2.1.0.0-xxxR.sys.img
It might take a few minutes.......
2.2.1.2 Upgrading the Switch from 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to 2.1
To determine whether your WS5000 Series Switch has the memory required for upgrading to xxx, run the PreUpgradeScript. If the switch has the memory, the script tells you how to upgrade. If the switch does not have enough memory, the script enables you to free the memory to upgrade.
To upgrade from WS5000 1.4.0/1.4.1.0/1.4.1.1/1.4.2/1.4.3 to the WS5000 2.1 baseline:
Copy the vdate to the switch
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : vdate
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'vdate' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
202311 bytes received in 0.036 seconds (5.5e+03 Kbytes/s)
WS5000.(Cfg)>
Copy the dominfo to the switch
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : dominfo
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'dominfo' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
48346 bytes received in 0.018 seconds (2.6e+03 Kbytes/s)
WS5000.(Cfg)>
Copy the PreUpgradeScript to the switch.
1. Copy the PreUpgradeScript script using tftp/ftp to the system to be upgraded using the following command under the cfg mode of the CLI. This example uses ftp.
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : PreUpgradeScript
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'PreUpgradeScript' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
12514 bytes received in 0.021 seconds (5.8e+02 Kbytes/s)
/bin/dedos: line 69: syntax error near unexpected token `dir'
/bin/dedos: line 69: `dedos -R <dir> # recursive from dir'
WS5000.(Cfg)>
Note When ftping the PreUpgradeScript, the switch displays the error messages:
/bin/dedos: line 69: syntax error near unexpected token 'dir'
/bin/dedos: line 69: syntax error near unexpected token 'dir'
Ignore these messages because they do not indicate a problem with the FTP transfer of the script.
Just verify that the size of the transferred script matches the size of the original.
2. Enter the CLI service mode:
WS5000.(Cfg)> ..
WS5000> service
Enter CLI Service Mode password: ********
Enabling CLI Service Mode commands...... done.
SM-WS5000>
3. Change the script’s access permissions to make it executable (x):
SM-WS5000> launch -c chmod +x /image/PreUpgradeScript
4. Run the script.
SM-WS5000> launch -c /image/PreUpgradeScript freemem
The script looks for free space on the disk. If it finds the space, it displays the following:
SM-WS5000> launch -c /image/PreUpgradeScript freemem
Verifying dominfo Checksum
dominfo Checksum Verification Passed
checking type of DOM
Showing details of DOM
Model Number______________________: Kouwell DOM
Serial Number_____________________: HyFlash 00003768
Controller Revision Number________: 14/05/02
Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________: > 10 Mbit/sec
Drive Type________________________: Removable
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1
Number of Cylinders_______________: 980
Number of Heads___________________: 16
Number of Sectors per Track_______: 32
This is a Kouwell DOM which needs to check for the version of DOM firmware
checking DOM firmware
Verifying vdate Checksum
vdate Checksum Verification Passed
Current Firmware Version
Version Date: 040928b9
Dom Firmware up to date - Done
Finding out the Free Space Needed ... !!
Total Free Space on the System: 150 (in MB)
OK. Required space to do the upgrade exists .. !!
SM-WS5000>
Note While running the PreUpgradeScript, you may encounter two problems. Scenario 1: The switch may not have enough space to upgrade. Scenario 2: The switch may ask you to upgrade the DOM firmware before upgrading.
Scenario 1
If there is not enough space for the upgrade procedure, the script displays:
SM-WS5000> launch -c /image/PreUpgradeScript freemem
Verifying dominfo Checksum
dominfo Checksum Verification Passed
checking type of DOM
Showing details of DOM
Model Number______________________: HYPERSTONE FLASH DISK
Serial Number_____________________: HyFlash 00002973
Controller Revision Number________: 14/05/02
Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________:
Drive Type________________________:
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1
Number of Cylinders_______________: 1004
Number of Heads___________________: 8
Number of Sectors per Track_______: 32
This is a Kouwell DOM which needs to check for the version of DOM firmware
Checking DOM firmware
Verifying vdate Checksum
vdate Checksum Verification Passed
Current Firmware Version
Version Date: 040928b9
Dom Firmware up to date - Done
Finding out the Free Space Needed ... !!
Total Free Space on the System: 33 (in MB)
Not enough space to continue with upgrade ... !!
NOTE: Freeing up the space makes you committed for upgrade .. !!
Please continue with upgrade after this, as freeing might make the current system unusable .. !!
Do you want to free some space (y/n):
If the script does not find the required space, it displays:
Do you want to free some space (y/n): y
Trying to find out how much space can be freed .. !!
/image/*.img: File or directory doesn't exist
/image/*.txt: File or directory doesn't exist
/WS5x00Switch/CC/*txt*: File or directory doesn't exist
Image Space 0
Txt Space 0
PG Space 3
Apache Space 7
SNMP Space 2
Log Space 0
Total Space that can be freed : 12
Saving the Configuration before Freeing the space .. !!
Saving wireless network management configuration...
Configuration saved successfully.
Found the space to be freed .. Freeing .. !!
SM-WS5000>
Scenario 2
At times you may also need to update the DOM firmware when the switch fails to run the preupgrade script. In such a case the script displays:
SM-WS5000> launch -c /image/PreUpgradeScript freemem
Verifying dominfo Checksum
dominfo Checksum Verification Passed
checking type of DOM
Showing details of DOM
Model Number______________________: Kouwell DOM
Serial Number_____________________: HyFlash 00002798
Controller Revision Number________: 01/10/09
Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________: > 10 Mbit/sec
Drive Type________________________: Removable
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1
Number of Cylinders_______________: 1004
Number of Heads___________________: 8
Number of Sectors per Track_______: 32
This is a Kouwell DOM which needs to check for the version of DOM firmware
checking DOM firmware
Verifying vdate Checksum
vdate Checksum Verification Passed
Current Firmware Version
Version Date: 011012b9
Need Dom Firmware Upgrade..Aborting upgrade
Please upgrade the DOM Firmware before upgrading
SM-WS5000>
Note If you do not wish to upgrade the firmware, then you can use the following CLI command:
launch -c /image/PreUpgradeScript freemem nofwcheck
Execute the following steps to upgrade the DOM firmware:
Copy the WS5k_domfix.cfg file to the switch
SM-WS5000> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : WS5k_domfix04.cfg
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'WS5k_domfix04.cfg' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
12514 bytes received in 0.021 seconds (5.8e+02 Kbytes/s)
/bin/dedos: line 69: syntax error near unexpected token `dir'
/bin/dedos: line 69: `dedos -R <dir> # recursive from dir'
SM-WS5000>
Enter the CLI service mode and execute the WS5k_domfix.cfg file.
SM-WS5000> exec
Executing CLI Service Mode command file ....
Enter the command file name: WS5k_domfix.cfg
Current firmware version
Version Date: 011012b9
Version Date: 011012b9
Need firmware upgrade
Shutting down Cell controller..
Shutting down snmpd agent.....done.
Shutting down apache server...done.
Shutting down cell controller......done.
Cell controller successfully shut down.
Shutting down database main thread...done.
Resetting the System..
SKDB kernel debugger installed.
SKDB kernel debugger installed.
Configuring ethernet ports ...
Waiting for network elements to get initialized....done.
Flushing stale dns entries......done.
Checking database integrity...done.
Launching auto-configuration procedure...
Waiting for DHCP lease file to be created...
DHCP lease file found.
Begin parsing DHCP lease file...
Results:
---------------------------
TFTP Server :
Command File:
---------------------------
TFTP server option not found.
Exiting auto-configuration...
Starting cell controller....done.
Waiting for the corba file to be created.......done.
Starting apache server in SSL mode...done.
Starting snmpd daemon...done.
SM-WS5000>
5. Copy the WS5000_v2.1.0.0-xxxx.sys.kdi image (using ftp) to the system to be upgraded. Use the following command under the cfg mode of the CLI:
Note You cannot use tftp to acquire this image because the file size exceeds 32 MB.
SM-WS5000> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : WS5000_v2.1.0.0-xxxR.sys.kdi
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'WS5000_v2.1.0.0-xxxR.sys.kdi' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
39661568 bytes received in 25 seconds (1.5e+03 Kbytes/s)
SM-WS5000>
Note If you do not wish to upgrade the firmware, use the following CLI command:
launch -c /image/PreUpgradeScript upgrade nofwcheck
6. Run the following command:
SM-WS5000> launch -c /image/PreUpgradeScript upgrade
The following details are displayed on your monitor. When the procedure prompts you with “Enter the Image Name”, enter WS5000_v2.1.0.0-xxxx.sys.kdi as the image name.
SM-WS5000> launch -c /image/PreUpgradeScript upgrade
Verifying dominfo Checksum
dominfo Checksum Verification Passed
checking type of DOM
Showing details of DOM
Model Number______________________: Kouwell DOM
Serial Number_____________________: HyFlash 00003768
Controller Revision Number________: 14/05/02
Able to do Double Word Transfer___: No
Controller buffer size (bytes)____: 512
Transfer Speed____________________: > 10 Mbit/sec
Drive Type________________________: Removable
IORDY Supported___________________: No
Can IORDY be disabled by device___: No
LBA Mode supported________________: Yes
DMA Supported_____________________: No
Number of ECC bytes transferred___: 4
Number of sectors per interrupt___: 1
Number of Cylinders_______________: 980
Number of Heads___________________: 16
Number of Sectors per Track_______: 32
This is a Kouwell DOM which needs to be checked for the version of DOM firmware
Checking DOM firmware
Verifying vdate Checksum
vdate Checksum Verification Passed
Current Firmware Version
Version Date: 040928b9
Dom Firmware up to date - Done
Enter the Image Name: WS5000_v2.1.0.0-xxxR.sys.kdi
Verifying Image Checksum
Image Checksum Verification Passed
Saving the Configuration before upgrading
Saving wireless network management configuration...
Configuration saved successfully.
Creating the configuration tar
tar: Removing leading / from absolute path names in the archive.
image/upgrade.cfg
Copying the image
Rebooting the system
Shutting down snmpd agent.....done.
Shutting down apache server...done.
Shutting down cell controller......done.
Shutting down database main thread...done.
Rebooting the switch...
Note You can also provide the image name as a command-line argument to the PreUpgradeScript. If you do this, the script does not prompt for the image name.
Example:
launch -c /image/PreUpgradeScript upgrade <filename>
The switch reboots three times in approximately five minutes, and then displays the 2.1 image. The image has the same configuration it had before the upgrade. The serial console displays the system logs.
The logs display the switch passing through each reboot state before it finally displays the 2.1 image. The telnet or ssh window displays the logs until the switch reboots the first time.
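The copy sessions in section 2.2.1 are the only record of what actually reached the switch, and the note in step 1 asks you to compare the transferred size with the original by eye. The following Python sketch is an added example, not part of the Symbol software package: it parses a saved console log of the copy ftp sessions and checks each transfer against the file sizes on the staging host. The function names and the manifest dictionary are assumptions, and the sample transcript is constructed from the sessions shown above.

```python
import os
import re

# Each "Copying '<file>' from ftp://<server> to Switch..." line opens one transfer record.
COPY_RE = re.compile(
    r"Copying '(?P<name>[^']+)' from ftp://\s*(?P<server>[0-9.]+)\s+to\s+Switch")
MODE_RE = re.compile(r"Data connection mode\s*:\s*(\w+)")
DONE_RE = re.compile(r"Status\s*:\s*Transfer completed successfully")
BYTES_RE = re.compile(r"(\d+) bytes received")
# The manual says the /bin/dedos lines are harmless: count them, never fail on them.
DEDOS_RE = re.compile(r"^/bin/dedos: line \d+: ", re.MULTILINE)

# Constructed sample, modelled on the copy sessions in this section (not a live capture).
SAMPLE_TRANSCRIPT = """\
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : vdate
IP address of the FTP server : 111.111.111.111
Copying 'vdate' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
202311 bytes received in 0.036 seconds (5.5e+03 Kbytes/s)
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : dominfo
IP address of the FTP server : 111.111.111.111
Copying 'dominfo' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
48346 bytes received in 0.018 seconds (2.6e+03 Kbytes/s)
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : PreUpgradeScript
IP address of the FTP server : 111.111.111.111
Copying 'PreUpgradeScript' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
12514 bytes received in 0.021 seconds (5.8e+02 Kbytes/s)
/bin/dedos: line 69: syntax error near unexpected token `dir'
/bin/dedos: line 69: `dedos -R <dir> # recursive from dir'
WS5000.(Cfg)>
"""

# Byte counts as reported in the manual's sessions; in practice build this
# dictionary with staging_manifest() on the host that serves the files.
EXPECTED_SIZES = {"vdate": 202311, "dominfo": 48346, "PreUpgradeScript": 12514}
EXPECTED_SERVER = "111.111.111.111"


def staging_manifest(directory, names):
    """Return {file name: size in bytes} for the files staged on the FTP host."""
    return {n: os.path.getsize(os.path.join(directory, n)) for n in names}


def parse_transfers(transcript):
    """Extract one record per 'Copying ...' line from a saved console log."""
    starts = list(COPY_RE.finditer(transcript))
    transfers = []
    for i, m in enumerate(starts):
        # A record runs until the next "Copying" line (or the end of the log).
        end = starts[i + 1].start() if i + 1 < len(starts) else len(transcript)
        segment = transcript[m.end():end]
        mode = MODE_RE.search(segment)
        size = BYTES_RE.search(segment)
        transfers.append({
            "name": m.group("name"),
            "server": m.group("server"),
            "mode": mode.group(1) if mode else None,
            "completed": bool(DONE_RE.search(segment)),
            "bytes": int(size.group(1)) if size else None,
            "dedos_noise": len(DEDOS_RE.findall(segment)),
        })
    return transfers


def check_transfers(transfers, expected_sizes, expected_server):
    """Return a list of problems; an empty list means every transfer checks out."""
    problems = []
    for t in transfers:
        name = t["name"]
        if t["server"] != expected_server:
            problems.append(f"{name}: fetched from {t['server']}, expected {expected_server}")
        if t["mode"] != "BINARY":
            problems.append(f"{name}: data connection mode is {t['mode']}, not BINARY")
        if not t["completed"]:
            problems.append(f"{name}: no 'Transfer completed successfully' status")
        if name not in expected_sizes:
            problems.append(f"{name}: not in the staging manifest")
        elif t["bytes"] != expected_sizes[name]:
            problems.append(
                f"{name}: switch received {t['bytes']} bytes, staging copy is {expected_sizes[name]}")
    copied = {t["name"] for t in transfers}
    for name in expected_sizes:
        if name not in copied:
            problems.append(f"{name}: no transfer found in the transcript")
    return problems


if __name__ == "__main__":
    found = parse_transfers(SAMPLE_TRANSCRIPT)
    for line in check_transfers(found, EXPECTED_SIZES, EXPECTED_SERVER) or ["all transfers match"]:
        print(line)
```

A size match only shows that the byte count is the same; the checksum lines that PreUpgradeScript prints for dominfo, vdate and the image remain the content check.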
2.3 Recovering from Upgrade Errors
In the unlikely event that a power failure occurs during the file-writing portion of the upgrade process, the system may no longer boot. The most likely symptoms are the system continuously restarting or never showing any activity on the serial console. Any system with these symptoms must be returned to the local Symbol Service Center for repair. See the Symbol Service website http://www.symbol.com/services/msc/msc.html for RMA procedures.
If a serial console is attached to the system during the software upgrade process and the escape key is pressed during a specific stage of the process, automatic loading is stopped. If the following message is displayed for more than 20 seconds, then a key was pressed. This problem can be rectified by pressing the ENTER key to boot the image.
Note Power cycling the system when any of these screens appears will cause an unrecoverable error just like a power failure.
GNU GRUB version 0.95 (639K lower / 130048K upper memory)
WS5000-2.x
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the commands before booting, or 'c' for a command-line.
If either of the two messages below is displayed, press the escape key (ESC) to return to the boot selection screen:
Minimal BASH-like line editing is supported. For the first word, TAB lists possible command completions. Anywhere else TAB lists the possible completions of a device/filename. ESC at any time exits.
grub>
or
kernel (hd0,0)/boot/vmlinuz-2.4.20_mvl31 console=ttyS0,19200 quiet
initrd (hd0,0)/boot/ramdisk.img
2.4 Downgrading from 2.1 to 2.0
1. To downgrade the WS5000 switch from version 2.1 to 2.0, you need to download Downgrade2.0.0.0-034R.sys.img. Follow the steps below to download the image:
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : /home/WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/downgrade/Downgrade2.0.0.0-034R.sys.img
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'Downgrade2.0.0.0-034R.sys.img' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
15872271 bytes received in 1.9 seconds (8364374 bytes/s)
Verifying imagefile...
Valid imagefile.
Completing verification.
2. Run the following command:
WS5000.(Cfg)> restore system Downgrade2.0.0.0-034R.sys.img
This command will reset the system and boot up with the new restored image.
Do you want to continue (yes/no) : yes
Restoring system image and configuration from Downgrade2.0.0.0-034R.sys.img
It might take a few minutes.......
2.5 Downgrading from 2.1 to 1.4.3/1.4.2/1.4.1/1.4.0
You can downgrade a switch running the WS5000 Series Switch 2.1 image to one of the following versions:
WS5000 Series Switch 1.4.0.0 (026R)
WS5000 Series Switch 1.4.1.0 (014R)
WS5000 Series Switch 1.4.1.1 (009R)
WS5000 Series Switch 1.4.2.0 (005R)
WS5000 Series Switch 1.4.3.0 (012R)
Note Save the current system configuration and image files on the network before downgrading because after you downgrade the switch, it uses the default configuration settings and the downgraded image files.
After you downgrade from 2.1 to 1.4.3/1.4.2/1.4.1/1.4.1/1.4.0 WS5000 Series Switch, the switch obtains the following files:
Running the PreDowngrade Script
Running the Downgrade.exe Script
Downgrading the Image Version.
2.5.1 Running the PreDowngrade Script
To check the system has sufficient memory for the downgrade, run the PreDowngrade script.
1. Copy the PreDowngrade script to the switch using copy ftp/tftp command:
copy ftp system -u <user_name> -m bin
2. Enter the PreDowngrade script filename, IP Address, and password at the system prompt.
The switch downloads the PreDowngrade script.
3. Log into the service mode CLI using service command from the cfg context (under system context).
4. Run the following service mode CLI command:
exec <CR>
Executing CLI Service Mode command file ....
Enter the command file name: PreDowngrade.exe
This script determines whether the switch has the memory required for the downgrade. If the memory is not sufficient, the script provides an option to free the memory needed. If it does not find the required memory to be freed, it stops and displays an error message.
Note If you use the PreDowngrade.exe script to release memory, you must proceed with the downgrade.
Example
WS5000.(Cfg)> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : /home/WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/downgrade/PreDowngrade.exe
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'PreDowngrade.exe' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
1059 bytes received in 0.0232 seconds (45617 bytes/s)
WS5000.(Cfg)>
2.5.1.1 Executing the Predowngrade Script
You have to execute the PreDowngrade script from the service mode. The example below shows how to execute the PreDowngrade script.
WS5000> service
Enter CLI Service Mode password: ********
Enabling CLI Service Mode commands...... done.
SM-WS5000> exec
Executing CLI Service Mode command file ....
Enter the command file name: PreDowngrade.exe
Finding out the Free Space Needed ... !!
Total Free Space on the System: 101 (in MB)
OK. Required space to do the downgrade exists .. !!
SM-WS5000>
2.5.2 Running the Downgrade.exe Script
After you verify the switch has enough memory for the downgrade, run the Downgrade.exe script as follows:
1. Copy the Downgrade.exe and Downgrade<x.x.x.x-xxxR>.image file to the switch using copy ftp system command
copy ftp system -u <user_name> -m bin
2. Enter the Downgrade.exe filename, IP Address, and password at the system prompt.
3. Log into the service mode CLI using service command from the cfg context (under system context).
4. Run the following service mode CLI command:
exec <CR>
Executing CLI Service Mode command file ....
Enter the command file name: Downgrade.exe
5. Enter Downgrade<x.x.x.x-xxxR>.image as the image filename (<x.x.x.x-xxxR> corresponds to the version to which you downgrade the switch from 2.0).
The switch is downgraded to the corresponding version.
Example
SM-WS5000> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : /home/WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/downgrade/Downgrade.exe
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'Downgrade.exe' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
3500535 bytes received in 0.447 seconds (7823770 bytes/s)
SM-WS5000>
2.5.3 Downgrading the Image Version
1. Copy the Downgrade<version>.image file to the switch using copy ftp system command
copy ftp system -u <user_name> -m bin
2. Enter the Downgrade<version>.image filename, IP Address, and password at the system prompt.
3. Log into the service mode CLI using service command from the cfg context (under system context).
4. Enter Downgrade<x.x.x.x-xxxR>.image as the image filename (x.x.x.x-xxxR corresponds to the version to which you downgrade the switch from 2.1).
5. Run the following service mode CLI command:
exec Downgrade<x.x.x.x-xxxR>.image
The switch is downgraded to the corresponding version.
Example
SM-WS5000> copy ftp system -u ftpuser -m bin
Enter the file name to be copied from FTP server : /home/WS5x00Switch/builds/bf-2.1.0.0/R_BF_2.1.0.0-xxxR/downgrade/Downgrade1.4.0.0-026R.image
IP address of the FTP server : 111.111.111.111
Enter the user password : *******
Copying 'Downgrade1.4.0.0-026R.image' from ftp://111.111.111.111 to Switch...
Data connection mode : BINARY (Connecting as 'ftpuser')
Status : Transfer completed successfully
25608008 bytes received in 8.56 seconds (2990804 bytes/s)
SM-WS5000>
2.5.3.1 Executing the Downgrade Script
You have to execute Downgrade.exe from the service mode. The example below shows how to execute the Downgrade script.
SM-WS5000> exec
Executing CLI Service Mode command file ....
Enter the command file name: Downgrade.exe
Enter the Image Name: Downgrade1.4.0.0-xxxR.image
Verifying Image Checksum
Image Checksum: 60504983eac60093823e2c890ef0143b
Image Checksum Saved: 60504983eac60093823e2c890ef0143b
Image Checksum Verification Passed
Moving the Boot Loader !!!
Moving the Kernel !!!
Moving the Initrd !!!
Moving the Scripts !!!
GNU GRUB version 0.95 (640K lower / 3072K upper memory)
[ Minimal BASH-like line editing is supported. For the first word, TAB lists possible command completions. Anywhere else TAB lists the possible completions of a device/filename. ]
grub> root (hd0,0)
Filesystem type is ext2fs, partition type 0x83
grub> setup --stage2=/boot/grub/stage2 --prefix=/boot/grub (hd0)
Checking if "/boot/grub/stage1" exists... yes
Checking if "/boot/grub/stage2" exists... yes
Checking if "/boot/grub/e2fs_stage1_5" exists... yes
Running "embed /boot/grub/e2fs_stage1_5 (hd0)"... failed (this is not fatal)
Running "embed /boot/grub/e2fs_stage1_5 (hd0,0)"... failed (this is not fatal)
Running "install --stage2=/boot/grub/stage2 /boot/grub/stage1 hd0) /boot/grub/stage2 p /boot/grub/menu.lst "... succeeded
Done.
grub> reboot
Creating License Tar File !!!
Rebooting
Rebooting the switch...
Shutting down dhcp daemon.. done
Shutting down apache server in the SSL mode...done.
Shutting down cell controller........ done
Shutting down snmpd agent...done.
Shutting down Postgres....done.
Configuring the WS5000 Series Switch Automatically
There are two types of auto-install to configure the WS5000 Series Switch automatically:
1. DHCP Auto-install, performed as a part of WS5000 boot process
2. Manual Auto-install, performed by executing a CLI command. This requires a reboot.
3.1 DHCP Auto-install
To configure the WS5000 Series Switch automatically, you need:
An external TFTP server—The switch obtains the IP address of this server through DHCP and stores it in the returned DHCP lease file.
A command file – This is an ASCII text file that contains site-specific settings for the WS5000 Series Switch (the filename must end with a .sym suffix). The switch obtains this filename through DHCP and stores it in the returned DHCP lease file.
After you extract the configuration file from the DHCP lease file, it downloads, parses, and configures the WS5000 Series Switch.
3.2 Command File
The command file option specifies a valid filename for an ASCII text format file that exists on the TFTP server. It contains site-specific settings for the wireless switch. The command file (see Command File Example on page 3-8) directs the switch to perform the following remote configuration functions:
Load a new wireless switch configuration file
Reconfigure the Ethernet IP, DNS, gateway, and DHCP settings on the switch
Reconfigure the master and slave Kerberos settings.
Manually or automatically update Kerberos user database entries, with automatic propagation to the slave KDC, if present
Enable or disable “hot standby” mode on the switch
Optionally provide status and error logging of the automatic configuration operations
Reconfiguration of the Primary and Standby settings
Reconfiguration of Master and Slave Kerberos settings.
Several site-specific settings are available in the command file. The settings available in the command file include:
Automatic installation command event logging
Automatic installation command file TFTP server
Automatic installation command file network
3.3 Command File Description
The command file is an ASCII text file that contains case sensitive letters, digits, and the underscore ( _ ) character. The command file name uses the .sym extension. The command file contains all options necessary to perform a limited switch configuration or reconfiguration.
When the system parses this file, it ignores any option that it does not understand. The switch keeps the current configuration for that specific option unchanged. The following lines are considered equivalent.
#<option> <value>
<option> #<value>
<option> #some comment
All values of the command file are case insensitive except for SNMP community strings, domain names, realms, and filenames. The system converts the hostname value into lowercase even when specified using a combination of lower/upper case. The command file option items do not have to be in any sequential order.
A template of the command file, called cmd_template.sym, is available and located on the WS5000 Wireless Switch system CD. Copy this file to a local host computer, then edit, save and rename it to serve as a command file (the .sym extension is required for the command file to be recognized by the wireless switch).
Save the file to the system used to configure the wireless switch. Use the CLI copy tftp system command (see the copy command in Chapter 8, CLI Command Reference) to copy the command file from the host computer to the switch.
The command file example shows the configuration of most options (see Command File Example on page 3-8).
Note The command file is not invoked automatically using this method. The correct method is to use the DHCP option to send the file to the switch.
3.3.1 Event Logging
The service option is a setting to turn on or off the logging feature, which pushes auto-installation event messages to a log file named CmdProcErrors.txt. This error log file is automatically generated in the same directory as the system image/configuration/command files if logging is turned on.
These log messages are generated when events such as firmware/configuration upgrades/downgrades occur, and/or the command file contains errors such as improper syntax, files that are not present on specified TFTP server, etc.
Table 3.1 Event Logging (Service) Section
Option: AutoConfig Log
Value: <on|off>
Notes: This selection allows the user to enable or disable the use of the logging facility. The default is on.
3.3.2 TFTP Server Settings
This section specifies the location of the TFTP server used for downloads and the names of the system image, configuration and Kerberos files that need to be downloaded. These settings are used when upgrading/downgrading firmware, changing configuration files or updating the user database of the Wireless Switch’s built-in Kerberos KDC.
Table 3.2 TFTP Server (Files to Download) Section
Option: TFTP Server
Value: <xxx.xxx.xx.xx>
Notes: This is the TFTP server from where the configuration file, the image file, and the Kerberos file are downloaded. If the TFTP server is not specified, it is assumed that the user downloaded these files manually via CLI copy command or the auto install will look for them in the Wireless Switch.

Option: ImageRestore
Value: <image file(.sys.img)>
Notes: If the revision levels are different, then the image file will be downloaded from the TFTP server. After this step has completed successfully, the switch will perform a reset and continue to reboot with the most recent (and valid) system image available. If any error occurred during the file processing, the firmware will not be upgraded and an error message will be logged.

Option: ConfigFile
Value: <config_name (.cfg)>
Notes: This is the name of a WS5000 Series Switch configuration. This file is downloaded automatically from a specified TFTP server or through the CLI copy command. If the file is not found, or if there were errors during the TFTP download, the installation software will abort the configuration immediately and exit. This is considered a fatal error and any locally specific configurations should not be applied as well since they can be interrelated to the general configuration settings. The IP address of the WS will also remain unchanged. The file name is case sensitive.

Option: KerberosFile
Value: <kerberos_name (.krb)>
Notes: This is the name of a Kerberos username/password (Kerberos MIT DB file format) file and it is used to configure the primary Kerberos database of the on board KDC server. The database is completely flushed before the new principals are added. If an error occurs during the file downloading or processing, the installation software logs an error message and skips the Kerberos configuration. The installation software tries to find the file in the Wireless Switch. If it is not there, it logs an error message and continues. Once a Kerberos DB .krb file is provided for download and installation, this new file replaces the current database file. There is no automatic attempt to save the previous copy of this file on the master KDC. The file name is case sensitive.
3.3.3 General Network Configuration and Standby Management
Configure the network settings in this section, such as enabling/disabling DHCP, setting subnet masks, DNS servers and gateway settings. When the switch’s Standby Management capability is used, configure the settings for enabling/disabling Standby Management, and assigning hostnames and IP addresses to the Ethernet interfaces of the Primary and Standby wireless switches.
Utilizing the Standby Management feature requires a pair of switches. Settings for both types (Primary and Standby) are in the command file so that a single file can be used at a site to install both the Primary and Standby switch. When a switch begins Standby configuration, it pings the Primary switch’s IP address, as specified in the command file. If it does not receive a response, it assumes the role of Primary as long as it does not have a zero-port license key. The second switch will subsequently configure itself as the Standby switch.
Warning! A WS5000 model switch cannot be configured as a standby for a WS5100 model switch.
Table 3.3 General Network Configuration and Standby Management
Option: Eth1DNSServer1, Eth1DNSServer2, Eth2DNSServer1, Eth2DNSServer2
Value: <ip_address>
Notes: DNS server configuration for each interface. Users can configure up to two DNS servers per interface. If it is not supplied, the DHCP configuration will be kept.

Option: Eth1SubnetMask, Eth2SubnetMask
Value: <ip_subnet_mask>
Notes: Subnet mask for Ethernet port 1. Subnet mask for Ethernet port 2. If an Ethernet port's IP address is specified without an associated subnet mask, an error is logged and the network configuration is not completed.

Option: Eth1Domain, Eth2Domain
Notes: Domain name for Ethernet port 1. Domain name for Ethernet port 2.

Option: Eth1DHCP, Eth2DHCP
Notes: Indicates whether DHCP is on/off for Ethernet port 1. Indicates whether DHCP is on/off for Ethernet port 2. If DHCP is on for an interface, all IP settings provided in the command file will be ignored and the interface will be configured as a DHCP client.
Note DHCP can only be enabled on a single interface at a time.

Option: Gateway
Notes: Default gateway. There should only be one value since the switch currently does not allow gateway settings per interface. If this configuration is not specified, the DHCP settings apply.

Option: HostnamePrimary, HostnameStandby
Notes: Hostname of Primary switch. Hostname of Standby switch.

Option: Eth1PrimaryIP, Eth2PrimaryIP, Eth1StandbyIP, Eth2StandbyIP
Notes: IP address of Primary switch. IP address of Primary switch. IP address of Standby switch. IP address of Standby switch. If these IP addresses are not specified in the command file, the DHCP settings are kept. When an image upgrade is performed, it will not change the existing Ethernet configuration.

Option: StandbyMgt
Notes: Indicates whether Standby Management is on/off (enabled/disabled). If enabled, the installation software queries the database for the number of licenses. If the switch is able to acquire a license, it may become a Primary switch. If no license is available, it can only be considered as a Standby switch.
3.3.4 Kerberos Configuration
The Wireless Switch features a built-in Kerberos KDC. For authentication services, a site may require settings for configuring Kerberos functionality. The settings in the command file for configuring the KDC include primary or slave status, hostname, IP address, realm and domain. When applicable, up to three NTP (Network Time Protocol) servers can be specified. A list of all available Kerberos actions is included in the command file.
Table 3.4 Kerberos Configuration Section
Option: NTPServer1
Value: <NTP xxx.xxx.xx.xx>
Notes: NTP server IP address (for the on-board KDC server). The primary and standby switches need to be defined with the same NTP service host to ensure that the time source is consistent.

Option: NTPServer2
Value: <NTP xxx.xxx.xx.xx>
Notes: Second alternate NTP server IP address.

Option: NTPServer3
Value: <NTP xxx.xxx.xx.xx>
Notes: Third alternate NTP server IP address or name.

Option: KDCRealm
Value: <KDC realm name>
Notes: Kerberos realm name

Option: KDCInterface
Value: <KDC interface name>
Notes: The interface on which the KDC is configured (1 or 2).

Option: KDCBackupHostname
Value: <xxx.xxx.xx.xx>
Notes: Hostname of the backup slave.

Option: KDCBackupIP
Value: <xxx.xxx.xx.xx>
Notes: IP address for the backup slave. If this IP address belongs to any of the ethernet ports and the hostnames match, the switch is configured as a slave KDC.

Option: KDCBackupDomain
Value: <server name>
Notes: Kerberos Master Hostname where the KDC resides.

Note All Security Policies which are configured for Kerberos Authentication will automatically be populated with the Master/Slave/Remote server’s IP addresses if present in this file.
3.3.5 SNMP Configuration
The SNMP section of the command file contains settings for community attributes and trap actions, used by SNMP-based network management tools to get/set MIB variables to configure the Wireless Switch along with gathering and monitoring device status.
Table 3.5 SNMP Configuration
Option: SNMPCommunity[1-4]
Value: <string>
Notes: This is the SNMP community for the designated group selection of [1..4]

Option: SNMPCommunity[1-4]IP
Value: <ip_address>
Notes: SNMP community IP address.

Option: SNMPCommunity[1-4]Perm
Value: <RO | RW permissions>
3.3.6 Syslog Configuration
The syslog section of the command file contains settings for adding syslog hosts to which log messages will be sent. It also allows specifying the severity level for the log messages.
Table 3.6 Syslog Configuration
Option: SyslogHostname[1-2]
Value: <host_name>
Notes: Host name of the syslog collector

Option: SyslogIP[1-2]
Value: <ip_address>
Notes: IP address of the syslog collector

Option: SyslogSev[1-2]
Value: <severity numbers from 1 to 8>
Notes: Severity level for syslog logging
3.3.7 CLI Commands
In this section you can place any CLI command. There is no limit on the number of commands that you can place here. Each CLI command should be placed in the file at the CLI# prompt, as mentioned in the CLI Section of the attached cmd_template.sym file. After execution of a command, enter
CLI#cfg ce add testce
The current context now will be
WS5000.(Cfg).CE.[testce]>
To execute some other command, make sure you go to the context of that command. This can be done using the same CLI commands. For example, to go to the cfg context after executing the above command you need to use the following lines in the .sym file
CLI#..
CLI#..
This will take you to WS5000.(Cfg)> context.
This way you can execute any number of CLI commands by just placing that command in a separate line at the CLI# command prompt. Before placing any CLI command, ensure that you are at the correct context level that you are executing. This context is determined by the execution of the previous command.
The context of the very first command that you execute in the CLI section is System context
WS5000>
This is an optional section in the .sym file and can be omitted.
3.3.7.1 Command File Example
The following command file example shows the configuration of several options in the WS5000 Series Switch’s command file.
You can use the same command file to configure both a primary wireless switch and an associated standby wireless switch.
Figure 3.1 Example
#############################################################################
#
# Copyright (c) 2005, Symbol Technologies, Inc.
# All rights reserved.
#
# cmd_template.sym file
#
# This is a template file to illustrate the format of auto configuration command files.
# The command file must end with the .sym extension and contain options to
# perform switch configuration. The format of the file is as follows:
#
# <option> <value> #comment
#
# Each line is composed of an option name and its value. All options are
# case sensitive.
#
# When this file is parsed, any option that is not found or has no value is ignored,
# which means that the switch will keep the current configuration for this option
# unchanged. The following lines are considered equivalent.
#
# #<option> <value>
# <option> #<value>
# <option> #some comment
#
#############################################################################

#############################################################################
# SECTION: Special Options
#
#############################################################################
AutoConfigLog #on/off: Log errors and events to CmdProcErrors.txt
              #Default is 'on'.

#############################################################################
# SECTION: Files to download
#
#############################################################################
TFTPServer #tftp server where files are located
ImageRestore #image file (.sys.img)
ConfigFile #configuration file (.cfg)
KerberosFile #kerberos username/passwd (.krb)

#############################################################################
# SECTION: General Network Configuration and Standby Management
#
#############################################################################
#
# DNS configuration
#
Eth1DNSServer1 #dns server
Eth1DNSServer2 #dns server
Eth2DNSServer1 #dns server
Eth2DNSServer2 #dns server

#
# Switch configuration
#
Eth1SubnetMask #subnet mask
Eth2SubnetMask #subnet mask
Eth1Domain #domain name
Eth2Domain #domain name
Eth1DHCP #on/off
Eth2DHCP #on/off
Gateway #default gateway

#
# Primary IP configuration
#
HostnamePrimary #Hostname of primary CC
Eth1PrimaryIP #ip address of primary CC
Eth2PrimaryIP #ip address of primary CC

#
# Standby IP configuration
#
HostnameStandby #Hostname of standby CC
Eth1StandbyIP #ip address of standby CC
Eth2StandbyIP #ip address of standby CC

#
# Enable or disable the standby management
#
StandbyMgt #on/off

#############################################################################
# SECTION: Kerberos Configuration
#
#############################################################################
#
# NTP server configuration
#
NTPServer1 #NTP server 1
NTPServer2 #NTP server 2
NTPServer3 #NTP server 3

#
# Kerberos Master and Slave configuration
#
KDCRealm #kerberos realm
KDCInterface #Interface on which KDC is configured (1 or 2)

#
# Add a remote backup master
# (excluding the main Master/Primary & Slave/Standby from above)
#
KDCBackupHostname #Hostname of the backup slave
KDCBackupIP #IP address of backup slave
KDCBackupDomain #Domain of the backup slave

#
# NOTE: All Security Policies which are configured for Kerberos Authentication
# will automatically be populated with the Master/Slave/Remote servers IP
# addresses if present in this file.
#

#############################################################################
# SECTION: SNMP Configuration
#
#############################################################################
#
# SNMP community attributes
#
SNMPCommunity1 #SNMP community name
SNMPCommunity1IP #IP address for the community
SNMPCommunity1Perm #RO/RW: Access permissions

SNMPCommunity2 #SNMP community name
SNMPCommunity2IP #IP address for the community
SNMPCommunity2Perm #RO/RW: Access permissions

SNMPCommunity3 #SNMP community name
SNMPCommunity3IP #IP address for the community
SNMPCommunity3Perm #RO/RW: Access permissions

SNMPCommunity4 #SNMP community name
SNMPCommunity4IP #IP address for the community
SNMPCommunity4Perm #RO/RW: Access permissions

#
# SNMP Traps
#
SNMPCommunity1Trap #SNMP community trap
SNMPCommunity1TrapIP #SNMP community trap IP

SNMPCommunity2Trap #SNMP community trap
SNMPCommunity2TrapIP #SNMP community trap IP

SNMPCommunity3Trap #SNMP community trap
SNMPCommunity3TrapIP #SNMP community trap IP

SNMPCommunity4Trap #SNMP community trap
SNMPCommunity4TrapIP #SNMP community trap IP

#############################################################################
# SECTION: SYSLOG Configuration
#
#############################################################################
#
# Syslog severities
#
# Name        Number
#-----------  -------
# Emergency   1
# Alert       2
# Critical    3
# Error       4
# Warning     5
# Notice      6
# Info        7
# Debug       8

#
# Syslog host 1
#
SysLogHostname1 #Hostname of syslog collector
SysLogIP1 #IP address of syslog collector
SysLogSev1 #Enter a list of severity numbers
           #separated by white spaces EX: 2 3 6 8

#
# Syslog host 2
#
SysLogHostname2 #Hostname of syslog collector
SysLogIP2 #IP address of syslog collector
SysLogSev2 #Enter a list of severity numbers
           #separated by white spaces EX: 2 3 6 8
#
# CLI Commands Section
#
#Example CLI Commands

CLI#
CLI#
CLI#
CLI#
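The following is an added example, not Symbol's parser or code from this guide: a Python reader that applies the command file rules described in section 3.3 and lists the settings an administrator would want to review before placing a .sym file on the TFTP server. It assumes that options and values are separated by whitespace and that "#" always starts a comment outside CLI# lines; the FTP and UpgradeFile option names come from section 3.4.2, and the sample file is constructed.

```python
"""Parse and audit a WS5000 auto-install command file (.sym)."""


def _known_options():
    # Option names as they appear in the cmd_template.sym listing and in
    # the upgrade name-value pairs of section 3.4.2 of this guide.
    names = {"AutoConfigLog", "TFTPServer", "ImageRestore", "ConfigFile",
             "KerberosFile", "Gateway", "HostnamePrimary", "HostnameStandby",
             "StandbyMgt", "KDCRealm", "KDCInterface", "KDCBackupHostname",
             "KDCBackupIP", "KDCBackupDomain",
             "FTPServer", "FTPUser", "FTPPassword", "UpgradeFile"}
    for eth in ("Eth1", "Eth2"):
        for suffix in ("DNSServer1", "DNSServer2", "SubnetMask", "Domain",
                       "DHCP", "PrimaryIP", "StandbyIP"):
            names.add(eth + suffix)
    names.update("NTPServer%d" % n for n in (1, 2, 3))
    for n in (1, 2, 3, 4):
        for suffix in ("", "IP", "Perm", "Trap", "TrapIP"):
            names.add("SNMPCommunity%d%s" % (n, suffix))
    for n in (1, 2):
        for prefix in ("SysLogHostname", "SysLogIP", "SysLogSev"):
            names.add("%s%d" % (prefix, n))
    return names


KNOWN_OPTIONS = _known_options()


def parse_sym(text):
    """Return (settings, cli_commands, ignored) for one command file."""
    settings, cli, ignored = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CLI#"):          # CLI section: keep the command
            cmd = line[4:].strip()
            if cmd:
                cli.append(cmd)
            continue
        body = line.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not body:
            continue                          # blank, comment, or commented-out
        parts = body.split(None, 1)
        name = parts[0]                       # option names are case sensitive
        if name not in KNOWN_OPTIONS:
            ignored.append((name, "unknown option"))
        elif len(parts) == 1:
            ignored.append((name, "no value"))  # current setting is kept
        else:
            settings[name] = parts[1]
    return settings, cli, ignored


def audit(settings, cli, ignored):
    """Return (code, detail) pairs for settings that deserve a second look."""
    findings = []
    if settings.get("AutoConfigLog", "on").lower() == "off":
        findings.append(("logging-disabled",
                         "AutoConfigLog off: no CmdProcErrors.txt is written"))
    for n in (1, 2, 3, 4):
        if settings.get("SNMPCommunity%dPerm" % n, "").upper() == "RW":
            findings.append(("snmp-rw",
                             "SNMPCommunity%d grants write access" % n))
    if "FTPPassword" in settings:             # never echo the value itself
        findings.append(("cleartext-credential",
                         "FTPPassword is stored in the command file"))
    for name in ("ImageRestore", "ConfigFile", "KerberosFile", "UpgradeFile"):
        if name in settings:
            findings.append(("replaces-state",
                             "%s -> %s" % (name, settings[name])))
    if cli:
        findings.append(("cli-commands",
                         "%d CLI command(s) run during install" % len(cli)))
    for name, why in ignored:
        findings.append(("ignored-option", "%s (%s)" % (name, why)))
    return findings


# Constructed sample input, not a file from the manual.
SAMPLE = """\
# constructed sample command file
AutoConfigLog off
TFTPServer 192.0.2.10      #lab TFTP server
ImageRestore               #no value: current image is kept
#ConfigFile site.cfg
KerberosFile users.krb
SNMPCommunity1 netops
SNMPCommunity1Perm rw
SNMPCommunity2 monitor
SNMPCommunity2Perm RO
snmpcommunity3perm RW      #wrong case, so not a known option
FTPPassword example-only
SysLogSev1 2 3 6 8
CLI#cfg
CLI#..
"""

if __name__ == "__main__":
    for code, detail in audit(*parse_sym(SAMPLE)):
        print("%-22s %s" % (code, detail))
```

The "ignored-option" findings matter most in practice: because the switch keeps its current setting for any option it does not understand, a misspelled or wrongly cased option name changes nothing and produces no visible failure.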
3.4 Upgrading Using AutoInstall
This section describes how to upgrade to 2.1 using the autoinstall procedure.
3.4.1 Using AutoInstall to Upgrade from 2.0 to 2.1
1. Copy the new image (WS5000_v2.1.0.0-xxx.sys.img) to the TFTP Server.
2. Change the parameters in the cmd_template as mentioned below:
TFTPServer <IP address of the TFTP Server>
ImageRestore <System image filename *.sys.img>
3. Reboot the Switch. As part of boot up process the auto-install will begin and TFTP Server should supply the new sys.img file.
If all the above parameters are correct, the upgrade will be performed successfully. It is advised the template file be edited and checked before starting the auto-install process.
Note The following files must be available on the TFTP server before beginning the upgrade process using Auto Install:
WS5000_v2.0.0.0-034R.sys.img (should be in the TFTP server)
Cmd_template.sym (Should be in the TFTP Server)
3.4.2 Using AutoInstall to Upgrade from 1.4.X.X / 1.4.1.0 / 1.4.1.1 / 1.4.2 /1.4.3 to 2.1
To upgrade the switch from 1.4/1.4.1.0/1.4.1.1/1.4.2/1.4.3/Mantis to 2.1 using the automatic installation:
1. Copy the patch supplied to switch.
copy ftp system -u <user_name>
2. Enter the patch filename, IP Address, and password at the system prompt.
The switch downloads the patch file specified.
3. Log into the service mode CLI using service command from the system context.
4. Run the following service mode CLI command
exec
5. Enter the patch filename when the system prompts. The switch installs the patch file.
6. Before the reboot ensure that the FTP root directory contains the following:
PreUpgradeScript
vdate
dominfo
WS5000_v2.1.0.0-xxx.sys.kdi
7. Reboot the switch.
As part of boot up process, the auto-install begins.
The DHCP server provides the TFTP server IP and command filename. The command file is present on TFTP server and it should contain the following name - value pairs for the upgrade.
FTPServer <ftp_server_ip_address>
FTPUser <ftp_user_name>
FTPPassword <ftp_user_password>
UpgradeFile <upgrade_file_name_present_on_the_ftp_server>
The upgrade file is the .sys.kdi file in the ftp user home directory on the ftp server.
If you enter all of these parameters, the switch upgrades successfully.
3.4.3 Using AutoInstall to Upgrade From WS5000 Series Switch Build 49
To upgrade from WS5000 Series Switch to 2.1 as part of Auto-install.
1. Copy the patch supplied to the switch running WS5000 Series Switch (build 49):
copy ftp system -u <user_name>
2. Enter the patch filename, IP Address, and password at the system prompt.
The switch downloads the patch file specified.
3. Log into the service mode CLI using service command from the cfg context (under system context).
4. Run the following service mode CLI command:
patch <patch_file>
5. Enter the patch filename when the system prompts. The switch installs the patch file.
6. Before the reboot ensure that the FTP root directory contains the following:
PreUpgradeScript
vdate
dominfo
WS5000_v2.1.0.0-xxx.sys.kdi
7. Reboot the switch.
As part of boot up process, the auto-install begins.
The DHCP server provides the TFTP server IP and command filename. The command file is present on TFTP server and it should contain the following name - value pairs for the upgrade.
FTPServer <ftp_server_ip_address>
FTPUser <ftp_user_name>
FTPPassword <ftp_user_password>
UpgradeFile <upgrade_file_name_present_on_the_ftp_server>
The upgrade file is the .sys.kdi file in the ftp user home directory on the ftp server.
If you enter all of these parameters, the switch upgrades successfully.
3.4.3.1 Installing the Patch File Automatically
You can install the patch files used during the upgrade procedure either manually or automatically using the Expect program as described below:
Before you run the automatic patch file installation, check that you have:
A linux machine with the Expect program installed.
Telnet or SSH enabled on the WS5000 Series Switch.
There is no need to have a patch update for WS5000 from version 2.0 to 2.1.
Installing the Patch File in 2.1 Switches
To install the patch file for 2.1 switches:
1. Download the files bfly_caller.sh and bfly.exp to the linux machine with the Expect program installed. Download both bfly_caller.sh and bfly.exp to the same directory.
2. Enter the following command from the directory where you download the files:
./bfly_caller.sh <telnet/ssh> ftp <service_password> <file_containing_ip_of_WS5000 Series Switch_switches> <patch_filename> <ftp_ip> <ftp_user> <ftp_password>
If you are using tftp, enter the command:
./bfly_caller.sh <telnet/ssh> tftp <service_password> <file_containing_ip_of_WS5000 Series Switch_switches> <patch_filename> <tftp_ip>
where:
<telnet/ssh>: Program (telnet or ssh) enabled on the list of WS5000 Series Switches specified by the <file_containing_ip_of_WS5000 Series Switch_switches>.
ftp or tftp: Method used to download the patch file.
service_password: Service mode CLI password.
file_containing_ip_of_WS5000 Series Switch_switches: Filename containing the list of IP Addresses of WS5000 Series Switches (one IP Address per line).
patch_filename: Name of the patch file downloaded; bfly_patch.tar by default. If you use ftp, the patch file is in the home directory of the ftp user on the ftp server specified by <ftp_ip>. If you use TFTP, the patch file is in the tftp server public directory.
ftp_ip: IP Address of the FTP Server.
tftp_ip: IP Address of the TFTP Server.
ftp_user: Name of the ftp user
ftp_password: ftp user’s password.
Automatically Installing the Patch File in WS5000 Series Switches
1. Download the files mantis_caller.sh and mantis.exp in the same directory of a linux machine with the Expect program installed.
2. Run the following command from the directory where you downloaded the files:
If you use ftp to download the file:
./mantis_caller.sh ftp <file_containing_ip_of_WS5000 Series Switch_switches> <patch_filename> <ftp_ip> <ftp_user> <ftp_password>
If you use tftp to download the file:
./mantis_caller.sh tftp <file_containing_ip_of_WS5000 Series Switch_switches> <patch_filename> <tftp_ip>
where:
<telnet/ssh>: Program (telnet or ssh) enabled on the list of WS5000 Series Switches specified by the <file_containing_ip_of_WS5000 Series Switch_switches>.
ftp: Method used to download the patch file.
tftp: Method used to download the patch file.
service_password: Service mode CLI password.
file_containing_ip_of_WS5000 Series Switch_switches: Filename with the list of IP Addresses of WS5000 Series Switches (one IP Address per line).
patch_filename: Name of the patch file downloaded; mantis_patch.tar by default. If you use ftp, the patch file is in the home directory of the ftp user on the ftp server specified by <ftp_ip>. If you use TFTP, the patch file is in the tftp server public directory.
ftp_ip: IP Address of the FTP Server.
tftp_ip: IP Address of the TFTP Server.
ftp_user: Name of the FTP user
ftp_password: FTP user’s password.
There is no need to have a patch update for WS5000 from version 2.0 to 2.1.
3.5 Manual Auto-install
There are two types of file you can use for manual auto-install:
1. The Command File Example shown above. This file has .sym extension.
2. The .cli file, which contains just the CLI section of command file (.sym file). See CLI Commands section for more details about this file. A sample CLI file used for radius configuration is shown below:
#############################################################################
#
# Copyright (c) 2005, Symbol Technologies, Inc.
# All rights reserved.
#
# radius_template.sym file
#
# This is a template file to configure WS5000 for MU authentication by onboard
# RADIUS Server.
# Requires Server Certificate (cert-srv.pem) and CA Certificate (cacert.pem)
# to be present on the TFTP Server
# Username to be used at MU = aaauser0
# Password to be used at MU = aaaaaa
# SSID to be associated to = aaawlan
#
#############################################################################
#Example CLI Commands
# Go to Config context
CLI#cfg
#############################################################################
#TFTP Server Certificate to be installed for RADIUS server
#############################################################################
CLI#copy tftp system
CLI#cacert.pem
CLI#157.235.208.179
#TFTP CA Certificate to be installed for RADIUS server
CLI#copy tftp system
CLI#cert-srv.pem
CLI#157.235.208.179
#############################################################################
#Install Server Certificate to be installed for RADIUS server
#WS5000 is the password used while generating this certificate
#############################################################################
CLI#aaa
CLI#eap
CLI#import servcert cert-srv.pem
CLI#WS5000
CLI#import cacert cacert.pem
CLI#..
CLI#..
#############################################################################
#create a security policy.
#this example uses WEP and 802.1x authentication using Onboard RADIUS server
#shared secret to be used is WS5000
#############################################################################
CLI#securitypolicy
CLI#add aaasecuritypolicy
CLI#set encryption wep40 enable
CLI#2
CLI#157.235.208.234
CLI#1812
CLI#WS5000
CLI#set radius server 1 127.0.0.1
CLI#..
CLI#..
#############################################################################
#create a WLAN. Use the security policy that was created above
#############################################################################
CLI#wlan
CLI#add aaawlan aaawlan
CLI#set security aaasecuritypolicy
CLI#..
CLI#..
#############################################################################
#Create an APPolicy. Add this WLAN
#############################################################################
CLI#appolicy
CLI#add aaaappolicy
CLI#add aaawlan
CLI#..
CLI#..
#############################################################################
#Create a Switch Policy. Use APPolicy and EtherPolicy created above.
#Set Country to US
#Activate this Switch Policy
#############################################################################
CLI#switchpolicy
CLI#add aaaswitchpolicy
CLI#set appolicy aaaappolicy
CLI#set etherpolicy aaaetherpolicy
CLI#set adoptionlist a default allow aaaappolicy
CLI#set adoptionlist b default allow aaaappolicy
CLI#set adoptionlist g default allow aaaappolicy
CLI#set adoptionlist fh default allow aaaappolicy
CLI#set country us
CLI#yes
CLI#..
CLI#..
CLI#set switchpolicy aaaswitchpolicy
#############################################################################
# AAA Configuration
# Add AAA users
# aaauser0, aaauser1, aaauser2 .....
# passwords for all are aaaaaa
# CLI prompts for the passwords twice.
#############################################################################
CLI#aaa
CLI#userdb
CLI#user
CLI#add aaauser0
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser1
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser2
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser3
CLI#aaaaaa
CLI#aaaaaa
CLI#add aaauser4
CLI#aaaaaa
CLI#aaaaaa
CLI#..
#############################################################################
#Add a RADIUS Group
#############################################################################
CLI#group
CLI#add aaagroup
CLI#..
#############################################################################
# Add aaauser0 to this created group
#############################################################################
CLI#adduser aaauser0 aaagroup
CLI#..
CLI#..
#############################################################################
# Set this access policy for this Group to allow the WLAN
#############################################################################
CLI#policy
CLI#add wlan aaagroup aaawlan
CLI#..
#############################################################################
#Issue Save command to save these configurations
# Start the RADIUS server using "enable"
#############################################################################
CLI#save
CLI#enable
CLI#..
CLI#bye
To execute a .sym file, use the following commands:
install primary <.sym file name> on a primary switch
install standby <.sym file name> on a standby switch
To execute the .cli file, use the following command:
install runcli <.cli file name>
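The sample file uses WEP, a shared secret of WS5000 and user passwords of aaaaaa, all of which are printed in this manual, and it fetches the server certificate over TFTP. The following Python check is an added example, not part of the Symbol manual: it flags those template values in a .cli file before it is installed. The rule names and the matching of any wep* encryption name (only wep40 appears on the page) are assumptions.

```python
import re

# Secrets printed in the manual's radius_template sample (public, so guessable).
TEMPLATE_SECRETS = {"WS5000", "aaaaaa"}
# Only "wep40" appears on the page; matching any wep* name is an assumption.
WEP_RE = re.compile(r"^set encryption (wep\w*) enable$", re.IGNORECASE)

def cli_entries(text):
    """Yield (line_number, payload) for each CLI#-prefixed line, skipping comments."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("CLI#"):
            yield number, line[len("CLI#"):].strip()

def audit_cli(text):
    """Return (line_number, rule, payload) findings for the CLI section of a .cli/.sym file."""
    findings = []
    for number, payload in cli_entries(text):
        if payload in TEMPLATE_SECRETS:
            # A prompt answer that is exactly a published password or shared secret.
            findings.append((number, "template-secret", payload))
        elif WEP_RE.match(payload):
            findings.append((number, "weak-encryption", payload))
        elif payload.lower().startswith("copy tftp"):
            # TFTP has no authentication or encryption.
            findings.append((number, "cleartext-transfer", payload))
    return findings

# Constructed excerpt assembled from the sample file above.
SAMPLE = """\
# Go to Config context
CLI#cfg
CLI#copy tftp system
CLI#cert-srv.pem
CLI#157.235.208.179
CLI#aaa
CLI#eap
CLI#import servcert cert-srv.pem
CLI#WS5000
CLI#..
CLI#..
CLI#securitypolicy
CLI#add aaasecuritypolicy
CLI#set encryption wep40 enable
CLI#..
CLI#aaa
CLI#userdb
CLI#user
CLI#add aaauser0
CLI#aaaaaa
CLI#aaaaaa
"""

if __name__ == "__main__":
    for number, rule, payload in audit_cli(SAMPLE):
        print(f"line {number}: {rule}: {payload}")
```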
Using the WS5000 Series Switch GUI
You can configure the WS5000 switch and access ports using one of the following methods:
The GUI through a web browser
SNMP commands
CLI from a Telnet connection through the wireless switch console port or a secure shell (SSH) application.
However, not all areas of the system can be configured solely by the GUI, CLI, or SNMP.
If you need to use a specific interface for a system configuration, this is specified at the beginning of the configuration process. For information on using the CLI, see Chapter 8, CLI Command Reference.
4.1 Logging In
To log into the WS5000 Series Switch graphical user interface:
1. Open a compatible browser.
2. Connect to the WS5000 Series Switch by typing https:// and the switch’s IP address. The WS5000 GUI Login Page is displayed.
Note You must have Java Runtime version 1.4.2-06 (j2re-1_4_2_06-windows-i586-p.exe) or greater running on the console machine to access the WS5000 Series Switch GUI. This file is included on the CD that ships with the product.
Figure 4.1 WS5000 Series Switch GUI Console Login
3. Type a User ID and Password and click the Login button. The default is “admin” and “symbol”, respectively.
4.2 Key Distribution Center
The WS5000 Series wireless switch has an on-board Key Distribution Center (KDC), or Kerberos authentication server. Properly configured, the KDC provides a secure means for authenticating users/clients associated to a WLAN or ESS with the Kerberos security policy applied. A separate switch with an on-board KDC can be configured as a slave KDC to support the master KDC in case of a master KDC failure.
The KDC can use the system time or up to three Network Time Protocol servers (NTPs) when available. Configuration of an NTP server in the KDC is optional, except in a master/slave configuration. When an NTP server is configured for use, the KDC contacts the NTP server every 30 minutes to synchronize the system time.
When a slave KDC is present, use of an NTP server is recommended so the master and slave KDC times are synchronized. Not using an NTP server in a master/slave configuration requires periodic, manual time synchronization to propagate the master database to the slave KDC. This time synchronization step is not necessary if the master and slave KDC times are within 5 minutes of each other.
Use the WS5000 Series Switch GUI (graphical user interface), the command line interface, or SNMP to configure the onboard KDC. To configure the KDC through the GUI, perform the steps in the following sections:
1. Configuring Master KDC Information on page 4-3
2. Setting Kerberos Time Synchronization on page 4-6 (optional)
3. Creating Kerberos User Accounts on page 4-5
4. Configuring Slave KDC Information on page 4-4 (optional)
4.2.1 Configuring Master KDC Information
This procedure configures the switch to act as the master KDC authentication server for all Kerberos enabled WLANs.
Note If using a master and slave switch configuration, ensure that each switch is named appropriately (using the CLI) in order to avoid two devices with the same name on the network.
To configure master KDC information:
1. From the WS5000 Series Switch GUI main window, click System Settings > Kerberos > Configuration > KDC. The Kerberos Security Manager dialog box appears.
Figure 4.2 Kerberos Security Manager—Configuring the Master KDC
2. Select Master from the Configure As list.
3. Enter the Kerberos Realm where the KDC resides.
IMPORTANT! A DOMAIN NAME MUST BE ASSIGNED TO THE ETHERNET PORT PRIOR TO ASSIGNING A REALM NAME TO THE KDC.
4. By default, “ethernet1” is selected as the wireless switch’s interface that connects to the wireless traffic. You can also select “ethernet2” if required.
5. Click Save to complete the Master KDC setup.
4.2.2 Configuring Slave KDC Information
To use the wireless switch’s on-board KDC in a master/slave KDC configuration, the network requires at least two wireless switches: one for the master KDC and the other for the Slave KDC.
Setting slave KDC information is a two step process as described in the following sections:
Configuring the KDC Slave
Configuring the Master KDC to Recognize the Slave
4.2.2.1 Configuring the KDC Slave
IMPORTANT! BEFORE ADDING A SLAVE KDC, A MASTER KDC MUST ALREADY BE CONFIGURED.
To configure a KDC as a slave KDC:
1. Click System Settings > Kerberos > Configuration > KDC from the WS5000 Series Switch GUI main window. The Kerberos Security Manager dialog box appears.
Figure 4.3 Kerberos Security Manager—Configuring a Slave KDC
2. Enter the Hostname, IP Address, and Domain for Kerberos authentication.
3. Select New Slave in the left panel, and configure the slave KDC server details, such as Hostname, IP address, and Domain.
4. Click Add to set the slave KDC information.
5. Continue with the steps described in Configuring the Master KDC to Recognize the Slave.
4.2.2.2 Configuring the Master KDC to Recognize the Slave
To configure the master KDC to recognize the slave KDC, follow these steps:
1. Complete the steps described in Configuring the KDC Slave.
2. Click System Settings > Kerberos > Configuration > Slave from the WS5000 Series Switch GUI main window.
3. Select the slave KDC from the list in the left pane. Enter the hostname, IP address, and domain of the master KDC server.
Figure 4.4 KDC Add Slave
4. Click Add to complete adding the slave to the master KDC. The KDC Add Slave dialog box appears.
Note Click the Synchronize Database button to force the Master KDC to push its database to the selected slave (even though the database is automatically synchronized whenever you make a change such as adding a KDC user).
4.2.3 Creating Kerberos User Accounts
A Kerberos user account is required for authentication on the WLAN. However, before a user account can be added, the master KDC must be configured. See Configuring Master KDC Information on page 4-3 for more details.
To create a Kerberos user account:
1. From the WS5000 Series Switch GUI main window, select System Settings > Kerberos > Administration > Users. The Kerberos User Administration dialog box appears.
Figure 4.5 Kerberos User Administration
2. Select New User in the left panel, and configure the user account details as described in Table 4.1.
Table 4.1 Kerberos User Administration Field Descriptions
Field               Description
Name                A unique (1-20 characters) value that corresponds to the name of the user being added to or removed from the Key Distribution Center (KDC).
Ticket Life (min)   The minimum lifetime of a ticket (value ranges from 1-600 minutes).
Password            The Kerberos password for the specific user.
Confirm             Enter the password a second time to confirm.
3. When done, click Save to save the new Kerberos user account information.
4.2.4 Setting Kerberos Time Synchronization
This procedure synchronizes the NTP server with the switch’s on board KDC. The KDC can use the system time or an NTP server (when available). When an NTP server is configured for use, the KDC contacts the NTP server every 30 minutes to synchronize the system time and propagate the master KDC database to the slave KDC. Except in a master/slave configuration, KDC NTP time configuration is optional.
To synchronize the NTP server with the switch’s on board KDC, follow these steps:
1. From the WS5000 Series Switch GUI main window, click System Settings > Kerberos > Configuration > NTP.
The KDC Time Configuration dialog box appears.
Figure 4.6 KDC Time Configuration
2. Enter the IP addresses for the Preferred Time Server, the First Alternate Time Server, and the Second Alternate Time Server. The alternate servers are optional, but recommended.
3. Click Save to apply settings.
Configuring User and Management Authentication
The WS5000 Series Switch provides an integrated Radius server as well as the ability to work with external Radius and LDAP servers to provide user database information and user authentication. Management users may also be authenticated using an external or integrated RADIUS server. An external Radius server cannot be completely configured through the tools provided by the wireless switch; refer to EAP Authentication Settings on page 6-44 to configure an external Radius server. This association remains unused unless the Radius server also adds the external switch as a client. This chapter covers:
Configuring an On-board RADIUS Server (internal Radius server)
Configuring Management User Authentication
Configuring Remote RADIUS Server (external Radius server); refer to EAP Authentication Settings on page 6-44.
Configuring Windows Server 2000, which describes how to configure Windows 2000 Server.
5.1 WS5000 as a RADIUS Client
The format of the Calling Station ID and the Called Station ID has changed to conform to RFC 3580 (IEEE 802.1X RADIUS Usage Guidelines), as follows:
The 6-byte MAC address is now separated by hyphens (-) instead of the colons (:) used earlier. An example Calling Station ID is 00-10-A4-23-19-C0.
The Called Station ID now has the SSID name suffixed to it using a colon (:). For example, the Called Station ID for the MAC address 00-10-A4-23-19-C0 with an SSID of API is now “00-10-A4-23-19-C0:API”.
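Scripts that correlate RADIUS accounting or authentication logs by station ID need to handle the format change described above. The following Python sketch is an added example, not code from the manual: it converts a MAC address from the older colon notation to the hyphenated form, builds a Called Station ID, and parses one back into MAC and SSID. The function names are hypothetical and the sample values are constructed from the page's example address.

```python
import re

# Upper-case, hyphen-separated 6-byte MAC, the form the page shows for RFC 3580.
MAC_RE = re.compile(r"^[0-9A-F]{2}(?:-[0-9A-F]{2}){5}$")

def to_hyphen_mac(mac):
    """Convert a MAC written with ':', '-', '.' or no separators to AA-BB-CC-DD-EE-FF."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"unexpected character in MAC: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_called_station_id(ap_mac, ssid):
    """Called Station ID = hyphenated MAC, a colon, then the SSID."""
    return f"{to_hyphen_mac(ap_mac)}:{ssid}"

def parse_called_station_id(value):
    """Return (mac, ssid). The MAC is a fixed 17 characters, so an SSID that
    itself contains ':' is kept whole; ssid is None when nothing follows the MAC."""
    mac, rest = value[:17], value[17:]
    if not MAC_RE.match(mac):
        raise ValueError(f"MAC is not in hyphenated upper-case form: {value!r}")
    if rest and not rest.startswith(":"):
        raise ValueError(f"expected ':' after the MAC: {value!r}")
    return mac, (rest[1:] if rest else None)

if __name__ == "__main__":
    # Constructed sample values based on the page's example address.
    print(build_called_station_id("00:10:a4:23:19:c0", "API"))
    print(parse_called_station_id("00-10-A4-23-19-C0:guest:lab"))
```

A value still in the older colon-separated form is rejected by parse_called_station_id, which makes mixed-format log sources easy to spot.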
5.2 Configuring an On-board RADIUS Server
The WS5000 Series Switch provides an integrated Radius server as well as the ability to work with external Radius and LDAP servers to provide user database information and user authentication.
5.2.1 Configuring the Radius Server
The Radius Server screen allows the admin to set up data sources, as well as specify authentication information for the built-in Radius server.
To configure the Radius server, select System Settings -> Radius -> Configuration.
Figure 5.1 System Settings
The following Radius Configuration screen appears:
Figure 5.2 Radius Configuration
1. Use the Data Source drop-down menu to select the data source for the local Radius server.
If you select Local, the internal User Database serves as the data source. Refer to the Users screen to enter the user data. For more information, see Configuring Radius Users on page 5-12.
If you select LDAP, the switch uses the data in an LDAP server. Configure the LDAP server settings on the LDAP screen under Radius Server on the menu tree. For more information, see Configuring LDAP Authentication on page 5-7.
2. Use the Default EAP Type drop-down menu in the TTLS/PEAP Configuration field to specify the EAP type for the Radius server. The options are PEAP and TTLS.
Protected EAP (PEAP) uses a TLS layer on top of EAP as a carrier for other EAP modules. PEAP is an ideal choice for networks using legacy EAP authentication methods.
Tunneled TLS EAP (EAP-TTLS) is similar to EAP-TLS, but the client authentication portion of the protocol is not performed until after a secure transport tunnel has been established. This allows EAP-TTLS to protect legacy authentication methods used by some Radius servers.
3. Specify an EAP Authentication Type from the drop-down menu in the TTLS/PEAP Configuration field. The authentication types for PEAP are GTC and MSCHAP-V2. The authentication types for TTLS are PAP, MD5 and MS-CHAP-V2.
EAP Generic Token Card (GTC) is a challenge handshake authentication protocol that uses a hardware token card to provide the response string.
Microsoft CHAP (MSCHAP-V2) is an encrypted authentication method based on Microsoft's challenge/response authentication protocol.
PAP provides a simple method for a remote node to establish its identity using a two-way handshake. After the PPP link establishment phase is complete, a username and password pair is repeatedly sent by the remote node across the link (in clear text) until authentication is acknowledged, or until the connection is terminated.
MD5 provides a simple method for a remote node to establish its identity using a two-way handshake. After the PPP link establishment phase is complete, a username and password pair is repeatedly sent by the remote node across the link (in clear text) until authentication is acknowledged, or until the connection is terminated.
4. Click one of the following buttons in the screen:
Apply     Saves your changes.
Undo      Closes the screen without saving your changes. This reverts the screen back to the last saved configuration.
Cancel    Exits the applet and terminates this session.
Help      Displays the online help.
5.2.2 Managing Certificates
To generate a certificate request from the WS5000 Series Switch:
1. Select System Settings > Radius > Certificate Management > Self Certificate.
2. Click the Add button.
3. Enter the certificate signing request (CSR) information and click the Generate button.
4. Copy the generated CSR to a file (with a .req extension) in a Windows 2003 server PC that contains the CA.
5. Run the certreq command from the command prompt on the Windows 2003 server PC.
The command prompts you for the CSR file.
Enter the name of the CSR file generated from the switch.
The command prompts for the destination to place the server certificate.
6. Copy the ROOT certificate of the CA on the Windows 2003 server PC used to sign the server certificate into the same location as the server certificate. You must upload this certificate on the switch. See 5.2.2.2 Uploading Certificates on page 6.
5.2.2.1 Importing and Installing CA Certificates
To import and install the CA and server certificates on the WS5000 Series Switch:
1. Ensure the time in the switch is synchronized with the Windows 2003 server PC.
2. Select System Settings > Radius > Certificate Management > Self Certificate to load the CA certificate.