Extreme Networks AP3917E Wireless 802.11 a/ac+b/g/n Access Point User Manual WiNG 5 9 1 WC CLI

Extreme Networks, Inc. Wireless 802.11 a/ac+b/g/n Access Point WiNG 5 9 1 WC CLI

WiNG 5.9.1 CLI Reference Guide Part 2

PROFILES
Access Point, Wireless Controller and Service Platform CLI Reference Guide

7.1.36.3.2 description

interface-config-vlan-instance

Defines this VLAN interface’s description. Use this command to provide additional information about the VLAN.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

description <WORD>

Parameters

• description <WORD>

description <WORD>
    Configures a description for this VLAN interface (should not exceed 64 characters in length)
    • <WORD> – Specify a description unique to the VLAN’s specific configuration, to help differentiate it from other VLANs with similar configurations.

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#description "This VLAN interface is configured for the Sales Team"
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
 interface vlan8
  description "This VLAN interface is configured for the Sales Team"
  crypto map map1
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands

no
    Removes the VLAN interface description

7.1.36.3.3 dhcp

interface-config-vlan-instance

Enables inclusion of optional fields (client identifier) in DHCP client requests. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

dhcp client include client-identifier

Parameters

• dhcp client include client-identifier

dhcp client include client-identifier
    Enables inclusion of client identifier in DHCP client requests

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#dhcp client include client-identifier
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
 interface vlan8
  dhcp client include client-identifier
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands

no
    Disables inclusion of client identifier in DHCP client requests

7.1.36.3.4 dhcp-relay-incoming

interface-config-vlan-instance

Allows an onboard DHCP server to respond to relayed DHCP packets. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

dhcp-relay-incoming

Parameters

None

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#dhcp-relay-incoming
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
 interface vlan8
  description "This VLAN interface is configured for the Sales Team"
  crypto map map1
  dhcp-relay-incoming
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands

no
    Disables or reverts interface VLAN settings to their default

7.1.36.3.5 ip

interface-config-vlan-instance

Configures the VLAN interface’s IP settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ip [address|dhcp|helper-address|nat|ospf]
ip helper-address <IP>
ip address [<IP/M>|<NETWORK-ALIAS-NAME>|dhcp|zeroconf]
ip address [<IP/M>|<NETWORK-ALIAS-NAME>|zeroconf] {secondary}
ip address dhcp
ip dhcp client request options all
ip nat [inside|outside]
ip ospf [authentication|authentication-key|bandwidth|cost|message-digest-key|priority]
ip ospf authentication [message-digest|null|simple-password]
ip ospf authentication-key simple-password [0 <WORD>|2 <WORD>]
ip ospf [bandwidth <1-10000000>|cost <1-65535>|priority <0-255>]
ip ospf message-digest-key key-id <1-255> md5 [0 <WORD>|2 <WORD>]

Parameters

• ip helper-address <IP>

helper-address <IP>
    Enables DHCP and BOOTP requests forwarding for a set of clients. Configure a helper address on the VLAN interface connected to the client. The helper address should specify the address of the BOOTP or DHCP servers to receive the requests. If you have multiple servers, configure one helper address for each server.
    • <IP> – Specify the IP address of the DHCP or BOOTP server.

• ip address [<IP/M>|<NETWORK-ALIAS-NAME>|zeroconf] {secondary}

address
    Sets the VLAN interface’s IP address
<IP/M>
    Specifies the interface IP address in the A.B.C.D/M format
    • secondary – Optional. Sets the specified IP address as a secondary address
<NETWORK-ALIAS-NAME>
    Uses a pre-defined network alias to provide this VLAN interface’s IP address. Specify the network alias name.
    • secondary – Optional. Sets the network-alias provided IP address as the secondary address
zeroconf {secondary}
    Uses Zero Configuration Networking (zeroconf) to generate an IP address for this interface
    Zero configuration can be a means of providing a primary or secondary IP address for the virtual interface. Zero configuration (or zero config) is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect based on a user's preferences and various default settings. Zero config can be used instead of a wireless network utility from the manufacturer of a computer's wireless networking device.
    • secondary – Optional. Sets the generated IP address as a secondary address

• ip address dhcp

address
    Sets the VLAN interface’s IP address
dhcp
    Uses a DHCP client to obtain an IP address for this VLAN interface

• ip dhcp client request options all

dhcp
    Uses a DHCP client to configure a request on this VLAN interface
client
    Configures a DHCP client
request
    Configures DHCP client request
options
    Configures DHCP client request options
all
    Configures all DHCP client request options

• ip nat [inside|outside]

nat [inside|outside]
    Defines NAT settings for the VLAN interface. NAT is disabled by default.
    • inside – Enables NAT on the inside interface. The inside network is transmitting data over the network to the intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.
    • outside – Enables NAT on the outside interface. Packets passing through the NAT on the way back to the managed LAN are searched against the records kept by the NAT engine. There, the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the network.

• ip ospf authentication [message-digest|null|simple-password]

ospf authentication
    Configures OSPF authentication scheme. Options are message-digest, null, and simple-password.
message-digest
    Configures md5 based authentication
null
    No authentication required
simple-password
    Configures simple password based authentication

• ip ospf authentication-key simple-password [0 <WORD>|2 <WORD>]

ospf authentication-key
    Configures an OSPF authentication key
simple-password [0 <WORD>|2 <WORD>]
    Configures a simple password OSPF authentication key
    • 0 <WORD> – Configures clear text key
    • 2 <WORD> – Configures encrypted key

• ip ospf [bandwidth <1-10000000>|cost <1-65535>|priority <0-255>]

bandwidth <1-10000000>
    Configures bandwidth for the physical port mapped to this layer 3 interface
    • <1-10000000> – Specify the bandwidth from 1 - 10000000.
cost <1-65535>
    Configures OSPF cost
    • <1-65535> – Specify OSPF cost value from 1 - 65535.
priority <0-255>
    Configures OSPF priority
    • <0-255> – Specify OSPF priority value from 0 - 255.

• ip ospf message-digest-key key-id <1-255> md5 [0 <WORD>|2 <WORD>]

ospf message-digest
    Configures message digest authentication parameters
key-id <1-255>
    Configures message digest authentication key ID from 0 - 255
md5 [0 <WORD>|2 <WORD>]
    Configures md5 key
    • 0 <WORD> – Configures clear text key
    • 2 <WORD> – Configures encrypted key

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip address 10.0.0.1/8
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip nat inside
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip helper-address 172.16.10.3
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip dhcp client request options all
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
 interface vlan8
  description "This VLAN interface is configured for the Sales Team"
  ip address 10.0.0.1/8
  ip dhcp client request options all
  ip helper-address 172.16.10.3
  ip nat inside
  crypto map map1
  dhcp-relay-incoming
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands

no
    Removes or resets IP settings on this interface
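
An added example, not part of the guide: a short Python audit that reads saved `show context` text and flags the OSPF authentication choices described above (null authentication, simple-password authentication, type 0 clear-text keys, and message-digest selected with no md5 key). It assumes the saved lines mirror the command syntax on this page; the function names, finding labels and sample configuration are constructed for illustration.

```python
import re

# Constructed sample in the layout of the page's "show context" output.
# Key strings are placeholders, not real secrets.
SAMPLE_CONTEXT = """\
 interface vlan8
  description "This VLAN interface is configured for the Sales Team"
  ip address 10.0.0.1/8
  ip ospf authentication null
 interface vlan9
  ip ospf authentication simple-password
  ip ospf authentication-key simple-password 0 EXAMPLE-CLEAR-KEY
 interface vlan10
  ip ospf authentication message-digest
  ip ospf message-digest-key key-id 1 md5 2 EXAMPLE-ENCRYPTED-KEY
 interface vlan11
  ip ospf authentication message-digest
  ip ospf cost 10
"""

IFACE_RE = re.compile(r"^\s*interface\s+(\S+)\s*$")
AUTH_RE = re.compile(
    r"^ip ospf authentication (message-digest|null|simple-password)$")
SIMPLE_KEY_RE = re.compile(
    r"^ip ospf authentication-key simple-password ([02]) \S+$")
MD5_KEY_RE = re.compile(
    r"^ip ospf message-digest-key key-id (\d+) md5 ([02]) \S+$")


def parse_interfaces(text):
    """Split show-context text into {interface name: [setting lines]}."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        match = IFACE_RE.match(raw)
        if match:
            current = blocks.setdefault(match.group(1), [])
        elif current is not None and raw.strip():
            current.append(raw.strip())
    return blocks


def audit_ospf(text):
    """Return {interface: [findings]} for interfaces that need review."""
    report = {}
    for name, lines in parse_interfaces(text).items():
        mode = None
        has_md5_key = False
        key_findings = []
        for line in lines:
            auth = AUTH_RE.match(line)
            simple = SIMPLE_KEY_RE.match(line)
            md5 = MD5_KEY_RE.match(line)
            if auth:
                mode = auth.group(1)
            elif simple and simple.group(1) == "0":
                # Key type 0 is the clear-text form per the parameter table.
                key_findings.append("cleartext-key")
            elif md5:
                has_md5_key = True
                if md5.group(2) == "0":
                    key_findings.append("cleartext-key")
        findings = []
        if mode == "null":
            findings.append("auth-null")
        elif mode == "simple-password":
            findings.append("auth-simple-password")
        elif mode == "message-digest" and not has_md5_key:
            findings.append("md5-without-key")
        findings.extend(key_findings)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for iface, findings in audit_ospf(SAMPLE_CONTEXT).items():
        print(f"{iface}: {', '.join(findings)}")
```
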

7.1.36.3.6 ipv6

interface-config-vlan-instance

Configures the VLAN interface’s IPv6 settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ipv6 [accept|address|dhcp|enable|enforce-dad|mtu|redirects|request-dhcpv6-options|router-advertisements]
ipv6 accept ra {(no-default-router|no-hop-limit|no-mtu)}
ipv6 address [<IPv6/M>|autoconfig|eui-64|link-local|prefix-from-provider]
ipv6 address [<IPv6/M>|autoconfig]
ipv6 address eui-64 [<IPv6/M>|prefix-from-provider <WORD> <IPv6-PREFIX/PREFIX-LENGTH>]
ipv6 address prefix-from-provider <WORD> <HOST-PORTION/LENGTH>
ipv6 address link-local <LINK-LOCAL-ADD>
ipv6 dhcp [client [information|prefix-from-provider <WORD>]|relay destination <DEST-IPv6-ADD>]
ipv6 [enable|enforce-dad|mtu <1280-1500>|redirects|request-dhcpv6-options]
ipv6 router-advertisements [prefix <IPv6-PREFIX>|prefix-from-provider <WORD>] {no-autoconfig|off-link|site-prefix|valid-lifetime}

Parameters

• ipv6 accept ra {(no-default-router|no-hop-limit|no-mtu)}

ipv6 accept ra
    Enables processing of router advertisements (RAs) on this VLAN interface. This option is enabled by default.
    When enabled, IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to the request with a router advertisement packet containing Internet layer configuration parameters.
no-default-router
    Optional. Disables inclusion of routers on this interface in the default router selection process. This option is disabled by default.
no-hop-limit
    Optional. Disables the use of RA advertised hop-count value on this interface. This option is disabled by default.
no-mtu
    Optional. Disables the use of RA advertised MTU value on this interface. This option is disabled by default.

• ipv6 address [<IPv6/M>|autoconfig]

ipv6 address [<IPv6/M>|autoconfig]
    Configures IPv6 address related settings on this VLAN interface
    • <IPv6> – Specify the non-link local static IPv6 address and prefix length of the interface in the X:X::X:X/M format.
    • autoconfig – Enables stateless auto-configuration of IPv6 address, based on the prefixes received from RAs (with auto-config flag set). These prefixes are used to auto-configure the IPv6 address. This option is enabled by default. Use the no > ipv6 > address > autoconfig command to negate the use of prefixes received in RAs.

• ipv6 address eui-64 [<IPv6/M>|prefix-from-provider <WORD> <IPv6-PREFIX/PREFIX-LENGTH>]

ipv6 address eui-64
    Configures the IPv6 prefix and prefix length. This prefix is used to auto-generate the static IPv6 address (for this interface) in the modified Extended Unique Identifier (EUI)-64 format.
    Implementing the IEEE's 64-bit EUI64 format enables a host to automatically assign itself a unique 64-bit IPv6 interface identifier, without manual configuration or DHCP. This is accomplished on a virtual interface by referencing the already unique 48-bit MAC address, and reformatting it to match the EUI-64 specification.
    In the EUI-64 IPv6 address the prefix and host portions are each 64 bits in length.
<IPv6/M>
    Specify the IPv6 prefix and prefix length. This configured value is used as the prefix portion of the auto-generated IPv6 address, and the host portion is derived from the MAC address of the interface.
    Any bits of the configured value exceeding the prefix-length “M” are ignored and replaced by the host portion derived from the MAC address.
    For example:
    Prefix portion provided using this command: ipv6 > address > eui-64 > 2004:b055:15:dead::1111/64.
    Host portion derived using the interface’s MAC address (00-15-70-37-FB-5E): 215:70ff:fe37:fb5e
    Auto-configured IPv6 address using the above prefix and host portions: 2004:b055:15:dead:215:70ff:fe37:fb5e/64
    In this example, the host part “::1111” is ignored and replaced with the modified eui-64 formatted host address.
prefix-from-provider <WORD> <IPv6-PREFIX/PREFIX-LENGTH>
    Configures the “prefix-from-provider” named object and the associated IPv6 prefix and prefix length. This configured value is used as the prefix portion of the auto-generated IPv6 address, and the host portion is derived from the MAC address of the interface.
    • <WORD> – Specify the IPv6 “prefix-from-provider” object’s name. This is the IPv6 general prefix (32 character maximum) name provided by the Internet service provider.
    • <IPv6-PREFIX/PREFIX-LENGTH> – Specify the IPv6 address subnet and host parts along with prefix length (site-renumbering).
    For example:
    Prefix portion provided using this command: ipv6 > address > eui-64 > prefix-from-provider > ISP1-prefix > 2002::/64
    Host portion derived using the interface’s MAC address (00-15-70-37-FB-5E): 215:70ff:fe37:fb5e
    Auto-configured IPv6 address using the above prefix and host portions: 2002::215:70ff:fe37:fb5e/64

• ipv6 address prefix-from-provider <WORD> <HOST-PORTION/LENGTH>

ipv6 address
    Configures the IPv6 address related settings on this VLAN interface
prefix-from-provider <WORD> <HOST-PORTION/LENGTH>
    Configures the “prefix-from-provider” named object and the host portion of the IPv6 interface address. The prefix derived from the specified “prefix-from-provider” and the host portion (second parameter) are combined together (using the prefix-length of the specified “prefix-from-provider”) to generate the interface’s IPv6 address.
    • <WORD> – Provide the “prefix-from-provider” object’s name. This is the IPv6 general prefix (32 character maximum) name provided by the service provider.
    • <HOST-PORTION/LENGTH> – Provide the subnet number, host portion, and prefix length used to form the actual address along with the prefix derived from the “prefix-from-provider” object identified by the <WORD> keyword.

• ipv6 address link-local <LINK-LOCAL-ADD>

ipv6 address
    Configures the IPv6 address related settings on this VLAN interface
link-local <LINK-LOCAL-ADD>
    Configures IPv6 link-local address on this interface. The configured value overrides the default link-local address derived from the interface’s MAC address. Use the no > ipv6 > link-local command to restore the default link-local address derived from MAC address.
    It is mandatory for an IPv6 interface to always have a link-local address.

• ipv6 dhcp [client [information|prefix-from-provider <WORD>]|relay destination <DEST-IPv6-ADD>]

ipv6 dhcp client [information|prefix-from-provider <WORD>]
    Configures DHCPv6 client-related settings on this VLAN interface
    • information – Configures stateless DHCPv6 client on this interface. When enabled, the device can request configuration information from the DHCPv6 server using stateless DHCPv6. This option is disabled by default.
    • prefix-from-provider – Configures prefix-delegation client on this interface. Enter the IPv6 general prefix (32 character maximum) name provided by the service provider. This option is disabled by default.
relay destination <DEST-IPv6-ADD>
    Enables DHCPv6 packet forwarding on this VLAN interface
    • destination – Forwards DHCPv6 packets to a specified DHCPv6 relay
    • <DEST-IPv6-ADD> – Specify the destination DHCPv6 relay’s address.
    DHCPv6 relay enhances an extended DHCP relay agent by providing support in IPv6. DHCP relays exchange messages between a DHCPv6 server and client. A client and relay agent exist on the same link. When a DHCP request is received from the client, the relay agent creates a relay forward message and sends it to a specified server address. If no addresses are specified, the relay agent forwards the message to all DHCP server relay multicast addresses. The server creates a relay reply and sends it back to the relay agent. The relay agent then sends back the response to the client.

• ipv6 [enable|enforce-dad|mtu <1280-1500>|redirects|request-dhcp-options]

ipv6
    Configures IPv6 settings on this VLAN interface
enable
    Enables IPv6 on this interface. This option is disabled by default.
enforce-dad
    Enforces Duplicate Address Detection (DAD) on wired ports. This option is enabled by default.
mtu <1280-1500>
    Configures the Maximum Transmission Unit (MTU) for IPv6 packets on this interface
    • <1280-1500> – Specify a value from 1280 - 1500. The default is 1500.
redirects
    Enables ICMPv6 redirect messages sending on this interface. This option is enabled by default.
request-dhcp-options
    Requests options from DHCPv6 server on this interface. This option is disabled by default.

• ipv6 router-advertisements [prefix <IPv6-PREFIX>|prefix-from-provider <WORD>] {no-autoconfig|off-link|site-prefix <SITE-PREFIX>|valid-lifetime}

ipv6 router-advertisements
    Configures IPv6 RA related settings on this VLAN interface
prefix <IPv6-PREFIX>
    Configures a static prefix and its related parameters. The configured value is advertised on RAs.
    • <IPv6-PREFIX> – Specify the IPv6 prefix.
prefix-from-provider <WORD>
    Configures a static “prefix-from-provider” named object and its related parameters on this VLAN interface. The configured value is advertised on RAs.
    • <WORD> – Specify the “prefix-from-provider” named object’s name
no-autoconfig
    This parameter is common to the “general-prefix”, “prefix”, and “prefix-from-provider” keywords.
    • no-autoconfig – Optional. Disables the setting of the auto configuration flag in the prefix. When configured, the configured prefixes are not used for IPv6 address generation. The autoconfiguration option is enabled by default. Using no-autoconfig disables it.
off-link
    This parameter is common to the “general-prefix”, “prefix”, and “prefix-from-provider” keywords.
    • off-link – Optional. Disables the setting of the on-link flag in the prefix. The on-link option is enabled by default. Using off-link disables it.
site-prefix <SITE-PREFIX>
    This parameter is common to the “general-prefix”, “prefix”, and “prefix-from-provider” keywords.
    • site-prefix <SITE-PREFIX> – Configures subnet (site) prefix
valid-lifetime [<30-4294967294>|at|infinite] (preferred-lifetime)
    This parameter is common to the “general-prefix”, “prefix”, and “prefix-from-provider” keywords.
    • valid-lifetime – Configures the valid lifetime for the prefix
    • preferred-lifetime – Configures preferred lifetime for the prefix
    • <30-4294967294> – Configures the valid/preferred lifetime in seconds
    • at – Configures expiry time and date of the valid/preferred lifetime
    • infinite – Configures the valid/preferred lifetime as infinite

Example

rfs6000-81742D(config-profile-test-if-vlan4)#ipv6 enable
rfs6000-81742D(config-profile-test-if-vlan4)#ipv6 accept ra no-mtu
rfs6000-81742D(config-profile-test-if-vlan4)#ipv6 address eui-64 prefix-from-provider ISP1-prefix 2002::/64
rfs6000-81742D(config-profile-test-if-vlan4)#show context
 interface vlan4
  ipv6 enable
  ipv6 address eui-64 prefix-from-provider ISP1-prefix 2002::/64
  ipv6 accept ra no-mtu
rfs6000-81742D(config-profile-test-if-vlan4)#

Related Commands

no
    Removes or resets IPv6 settings on this VLAN interface
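
The modified EUI-64 derivation used by ipv6 address eui-64, as an added Python example (not from the guide; the function names are illustrative). It reproduces both worked addresses given above and goes one step further by showing the reverse mapping, which lets an address seen in logs be tied back to the interface MAC address.

```python
import ipaddress
import re


def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a MAC."""
    hex_digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hex_digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray(bytes.fromhex(hex_digits))
    octets[0] ^= 0x02  # invert the universal/local bit
    # Insert ff:fe between the OUI half and the device half of the MAC.
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Combine a configured prefix with the MAC-derived host portion.

    Bits of the configured value beyond the prefix length are dropped,
    as in the guide's 2004:b055:15:dead::1111/64 example.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("a 64-bit host portion needs a prefix of /64 or shorter")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    addr = ipaddress.IPv6Address(int(net.network_address) | iid)
    return ipaddress.IPv6Interface(f"{addr}/{net.prefixlen}")


def mac_from_eui64(address: str):
    """Recover the MAC from an EUI-64 address, or None if it is not one."""
    low64 = int(ipaddress.IPv6Interface(address).ip) & ((1 << 64) - 1)
    iid = low64.to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit inversion
    return "-".join(f"{octet:02X}" for octet in mac)


if __name__ == "__main__":
    mac = "00-15-70-37-FB-5E"  # MAC address used in the guide's examples
    print(eui64_address("2004:b055:15:dead::1111/64", mac))
    print(eui64_address("2002::/64", mac))
    print(mac_from_eui64("2004:b055:15:dead:215:70ff:fe37:fb5e/64"))
```
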

7.1.36.3.7 no

interface-config-vlan-instance

Negates a command or reverts to defaults. The no command, when used in the Config Interface VLAN mode, negates VLAN interface settings or reverts them to their default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [crypto|description|dhcp|dhcp-relay-incoming|ip|ipv6|shutdown|use]
no dhcp client include client-identifier
no [crypto map|description|dhcp-relay-incoming|shutdown]
no ip [address|dhcp|helper-address|nat|ospf]
no ip [helper-address <IP>|nat]
no ip address {<IP/M> {secondary}|<NETWORK-ALIAS-NAME> {secondary}|dhcp|zeroconf {secondary}}
no ip dhcp client request options all
no ip ospf [authentication|authentication-key|bandwidth|cost|message-digest-key|priority]
no ipv6 [accept|address|dhcp|enable|enforce-dad|mtu|redirects|request-dhcpv6-options|router-advertisement]
no ipv6 [accept ra|enable|enforce-dad|mtu|redirects|request-dhcpv6-options]
no ipv6 address [<IPv6/M>|autoconfig|eui-64|link-local|prefix-from-provider]
no ipv6 dhcp [client|relay]
no ipv6 router-advertisement [prefix <WORD>|prefix-from-provider <WORD>]
no use [bonjour-gw-discovery-policy|ip-access-list in|ipv6-access-list in|ipv6-router-advertisement-policy|url-filter]

Parameters

• no <PARAMETERS>

no <PARAMETERS>
    Removes or reverts this VLAN interface’s settings based on the parameters passed

Example

The following example shows the VLAN interface settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
 interface vlan8
  description "This VLAN interface is configured for the Sales Team"
  ip address 10.0.0.1/8
  ip dhcp client request options all
  ip helper-address 172.16.10.3
  ip nat inside
  crypto map map1
  dhcp-relay-incoming
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no crypto map
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no description
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no dhcp-relay-incoming
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no ip dhcp client request options all

The following example shows the VLAN interface settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
 interface vlan8
  ip address 10.0.0.1/8
  ip helper-address 172.16.10.3
  ip nat inside
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

7.1.36.3.8 shutdown

interface-config-vlan-instance

Shuts down the selected interface. Use the no shutdown command to enable an interface.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

shutdown

Parameters

None

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#shutdown
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
 interface vlan8
  ip address 10.0.0.1/8
  ip helper-address 172.16.10.3
  shutdown
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands

no
    Disables or reverts interface VLAN settings to their default

7.1.36.3.9 use

interface-config-vlan-instance

Associates an IP (IPv4 and IPv6) access list, bonjour-gw-discovery policy, and an IPv6-router-advertisement policy with this VLAN interface

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

use [bonjour-gw-discovery-policy <POLICY-NAME>|ip-access-list in <IP-ACL-NAME>|ipv6-access-list in <IPv6-ACL-NAME>|ipv6-router-advertisement-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>]

Parameters

• use [bonjour-gw-discovery-policy <POLICY-NAME>|ip-access-list in <IP-ACL-NAME>|ipv6-access-list in <IPv6-ACL-NAME>|ipv6-router-advertisement-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>]

bonjour-gw-discovery-policy <POLICY-NAME>
    Uses an existing Bonjour GW Discovery policy with this VLAN interface. When associated, the Bonjour GW Discovery policy is applied for the Bonjour requests coming over the VLAN interface.
    • <POLICY-NAME> – Specify the Bonjour GW Discovery policy name (should be existing and configured).
    For more information on Bonjour GW Discovery policy, see bonjour-gw-discovery-policy.
ip-access-list in <IP-ACCESS-LIST-NAME>
    Uses a specified IPv4 access list with this interface
    • in – Applies IPv4 ACL to incoming packets
    • <IP-ACCESS-LIST-NAME> – Specify the IPv4 access list name.
ipv6-access-list in <IPv6-ACCESS-LIST-NAME>
    Uses a specified IPv6 access list with this interface
    • in – Applies IPv6 ACL to incoming packets
    • <IPv6-ACCESS-LIST-NAME> – Specify the IPv6 access list name.
ipv6-router-advertisement-policy <POLICY-NAME>
    Uses an existing IPv6 router advertisement policy with this VLAN interface.
    • <POLICY-NAME> – Specify the IPv6 router advertisement policy name (should be existing and configured).
url-filter <URL-FILTER-NAME>
    Enforces URL filtering on this VLAN interface by associating a URL filter
    • <URL-FILTER-NAME> – Specify the URL filter name (should be existing and configured).

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#use ip-access-list in test
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
 interface vlan8
  ip address 10.0.0.1/8
  use ip-access-list in test
  ip helper-address 172.16.10.3
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands

no
    Disables or reverts interface VLAN settings to their default

7.1.36.4 interface-config-port-channel-instance

interface

Profiles can utilize customized port channel configurations as part of their interface settings. Existing port channel profile configurations can be overridden as they become obsolete for specific device deployments.

The following example uses the config-profile-testNX9000 instance to configure a port-channel interface:

nx9500-6C8809(config-profile-testNX9000)#interface port-channel 1
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
Port Channel Mode commands:
  description      Port description
  duplex           Set duplex to interface
  ip               Internet Protocol (IP)
  ipv6             Internet Protocol version 6 (IPv6)
  no               Negate a command or set its defaults
  port-channel     Portchannel commands
  qos              Quality of service
  remove-override  Remove configuration item override from the device (so
                   profile value takes effect)
  shutdown         Shutdown the selected interface
  spanning-tree    Spanning tree commands
  speed            Configure speed
  switchport       Set switching mode characteristics
  use              Set setting to use

  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal

nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Commands and their descriptions:

description
    Configures a brief description for this port-channel interface
duplex
    Configures the duplex-mode (that is the data transmission mode) for this port-channel interface
ip
    Configures ARP and DHCP related security parameters on this port-channel interface
ipv6
    Configures IPv6 related parameters on this port-channel interface
no
    Removes or reverts to default this port-channel interface’s settings
shutdown
    Shuts down this port-channel interface
spanning-tree
    Configures spanning-tree related parameters on this port channel interface
speed
    Configures the speed at which this port-channel interface receives and transmits data
switchport
    Configures the packet switching parameters for this port-channel interface
use
    Configures access controls on this port-channel interface

7.1.36.4.1 description

interface-config-port-channel-instance

Configures a brief description for this port channel interface

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

description <LINE>

Parameters

• description <LINE>

description <LINE>
    Configures a description for this port-channel interface that uniquely identifies it from other port channel interfaces
    • <LINE> – Provide a description not exceeding 64 characters in length.

Example

nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#description "This port-channel is for enabling dynamic LACP."
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands

no
    Removes this port-channel interface’s description

7.1.36.4.2 duplex

interface-config-port-channel-instance

Configures the duplex-mode (that is the data transmission mode) for this port channel interface

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

duplex [auto|half|full]

Parameters

• duplex [auto|half|full]

duplex [auto|half|full]
    Configures the mode of data transmission as auto, full, or half
    • auto – Select this option to enable the controller, service platform, or access point to dynamically duplex as port channel performance needs dictate. This is the default setting.
    • full – Select this option to simultaneously transmit data to and from the port channel.
    • half – Select this option to send data over the port channel, then immediately receive data from the same direction in which the data was transmitted.

Example

nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#duplex full
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  duplex full
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands

no
    Reverts the duplex-mode to the default value (auto)
7.1.36.4.3 ip
interface-config-port-channel-instance
Configures ARP and DHCP related security parameters on this port-channel interface
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip [arp|dhcp]
ip arp [header-mismatch-validation|trust]
ip dhcp trust

Parameters
• ip arp [header-mismatch-validation|trust]

ip arp [header-mismatch-validation|trust]
    Configures ARP related parameters on this port-channel interface
    • header-mismatch-validation – Enables a source MAC mismatch check in both the ARP and ethernet headers. This option is enabled by default.
    • trust – Enables ARP trust on this port channel. If enabled, ARP packets received on this port are considered trusted, and information from these packets is used to identify rogue devices. This option is disabled by default.

• ip dhcp trust

ip dhcp trust
    Enables DHCP trust. If enabled, only DHCP responses are trusted and forwarded on this port channel, and a DHCP server can be connected only to a DHCP trusted port. This option is enabled by default.

Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  duplex full
  ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
no
    Removes or reverts to default the ARP and DHCP security parameters configured
7.1.36.4.4 ipv6
interface-config-port-channel-instance
Configures IPv6 related parameters on this port-channel interface
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6 [dhcpv6|nd]
ipv6 dhcpv6 trust
ipv6 nd [header-mismatch-validation|raguard|trust]

Parameters
• ipv6 dhcpv6 trust

ipv6 dhcpv6 trust
    Enables DHCPv6 trust. If enabled, only DHCPv6 responses are trusted and forwarded on this port channel, and a DHCPv6 server can be connected only to a trusted port. This option is enabled by default.

• ipv6 nd [header-mismatch-validation|raguard|trust]

ipv6 nd [header-mismatch-validation|raguard|trust]
    Configures IPv6 neighbor discovery (ND) parameters
    • header-mismatch-validation – Enables a mismatch check for the source MAC in both the ND header and link layer options. This option is disabled by default.
    • raguard – Enables router advertisements or IPv6 redirects from this port. Router advertisements are periodically sent to hosts or are sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This option is enabled by default.
    • trust – Enables DHCPv6 trust. If enabled, only DHCPv6 responses are trusted and forwarded on this port channel, and a DHCPv6 server can be connected only to a trusted port. This option is enabled by default.

Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ipv6 nd header-mismatch-validation
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ipv6 nd trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  duplex full
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
no
    Removes or reverts to default the IPv6 related parameters on this port-channel interface
7.1.36.4.5 port-channel
interface-config-port-channel-instance
Configures client load balancing parameters on this port-channel interface
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
port-channel load-balance [src-dst-ip|src-dst-mac]

Parameters
• port-channel load-balance [src-dst-ip|src-dst-mac]

port-channel load-balance [src-dst-ip|src-dst-mac]
    Specifies whether port channel load balancing is conducted using a source/destination IP or a source/destination MAC.
    • src-dst-ip – Uses a source/destination IP to conduct client load balancing. This is the default setting.
    • src-dst-mac – Uses a source/destination MAC to conduct client load balancing

Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  duplex full
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  ip arp trust
  port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
no
    Removes or reverts to default the client load balancing parameters on this port-channel interface
7.1.36.4.6 qos
interface-config-port-channel-instance
Configures Quality of Service (QoS) related parameters on this port-channel interface
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
qos trust [802.1p|dscp]

Parameters
• qos trust [802.1p|dscp]

qos trust [802.1p|dscp]
    Configures the following QoS related parameters:
    • 802.1p – Trusts 802.1p class of service (COS) values ingressing on this port channel. This option is enabled by default.
    • dscp – Trusts IP DSCP QOS values ingressing on this port channel. This option is enabled by default.

Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#qos trust dscp
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context

Related Commands
no
    Removes the QoS related parameters configured on this port-channel interface
7.1.36.4.7 no
interface-config-port-channel-instance
Removes or reverts to default this port-channel interface’s settings
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [description|duplex|ip|ipv6|port-channel|qos|shutdown|spanning-tree|speed|switchport|use]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or reverts to default this port-channel interface’s settings based on the parameters passed
    • <PARAMETERS> – Specify the parameters.

Example
The following example shows the port-channel interface’s settings before the ‘no’ commands are executed:
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  description "This port-channel is for enabling dynamic LACP."
  speed 100
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1
  use ip-access-list in BROADCAST-MULTICAST-CONTROL
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  spanning-tree portfast
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
  spanning-tree mst 1 port-priority 1
  spanning-tree mst 1 cost 20000
  ip arp trust
  port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no duplex
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no ipv6 nd trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no port-channel load-balance

The following example shows the port-channel interface’s settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  speed 100
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1
  use ip-access-list in BROADCAST-MULTICAST-CONTROL
  ipv6 nd header-mismatch-validation
  spanning-tree portfast
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
  spanning-tree mst 1 port-priority 1
  spanning-tree mst 1 cost 20000
  no qos trust dscp
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
7.1.36.4.8 shutdown
interface-config-port-channel-instance
Shuts down this port-channel interface
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
shutdown

Parameters
None

Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#shutdown

Related Commands
no
    Re-enables this port-channel interface
7.1.36.4.9 spanning-tree
interface-config-port-channel-instance
Configures spanning-tree related parameters on this port-channel interface
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|port-cisco-interoperability|portfast]
spanning-tree [bpdufilter|bpduguard] [default|disable|enable]
spanning-tree [force-version <0-3>|guard root|portfast|port-cisco-interoperability [disable|enable]]
spanning-tree link-type [point-to-point|shared]
spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]

Parameters
• spanning-tree [bpdufilter|bpduguard] [default|disable|enable]

spanning-tree [bpdufilter|bpduguard]
    Configures the following BPDU related parameters for this port channel:
    • bpdufilter – Configures the BPDU filtering options. The options are:
        • default – When selected, makes the bridge BPDU filter value take effect. This is the default setting.
        • disable – Disables BPDU filtering
        • enable – Enables BPDU filtering. Enabling the BPDU filter feature ensures this port channel does not transmit or receive any BPDUs.
    • bpduguard – Configures the BPDU guard options. The options are:
        • default – When selected, makes the bridge BPDU guard value take effect. This is the default setting.
        • disable – Disables guarding this port from receiving BPDUs
        • enable – Enables BPDU guarding. Enabling the BPDU guard feature means this port will shut down on receiving a BPDU. Thus, no BPDUs are processed.
    Execute the portfast command to ensure that fast transitions are enabled on this port channel before configuring BPDU filtering and guarding.

• spanning-tree [force-version <0-3>|guard root|portfast|port-cisco-interoperability [disable|enable]]

spanning-tree [force-version <0-3>|guard root|portfast|port-cisco-interoperability [disable|enable]]
    Configures the following MSTP related parameters for this port channel:
    • force-version <0-3> – Sets the protocol version to either STP(0), Not Supported(1), RSTP(2) or MSTP(3). MSTP is the default setting
    • guard root – Enforces root bridge placement. Setting the guard to Root ensures the port is a designated port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together. If the bridge receives superior BPDUs on a guard root-enabled port, the guard root moves the port to a root-inconsistent STP state. This state is equivalent to a listening state. No data is forwarded across the port. Thus, the guard root enforces the root bridge position.
    • portfast – Enables fast transitions on this port channel. When enabled, BPDU filtering and guarding can be enforced on this port. Enable the portfast option and then use the ‘bpdufilter’ and ‘bpduguard’ options to configure BPDU filtering and guarding parameters. This option is disabled by default.
    • port-cisco-interoperability [disable|enable] – Enables or disables interoperability with Cisco's version of MSTP, which is incompatible with standard MSTP. This option is disabled by default.

• spanning-tree link-type [point-to-point|shared]

spanning-tree link-type [point-to-point|shared]
    Configures the link type applicable on this port channel. The options are:
    • point-to-point – Configures a point-to-point link, which indicates the port should be treated as connected to a point-to-point link. Note, a port connected to the wireless device is a point-to-point link. This is the default setting.
    • shared – Configures a shared link, which indicates this port should be treated as having a shared connection. Note, a port connected to a hub is on a shared link.

• spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]

spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]
    Configures the following Multiple Spanning Tree (MST) parameters on this port:
    • mst <0-15> – Select the MST instance from 0 - 15.
        • cost <1-200000000> – Configures the port cost from 1 - 200000000. The default path cost depends on the user defined port speed. The cost helps determine the role of the port channel in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost.
        • port-priority <0-240> – Configures the port priority from 0 - 240. The lower the priority, the greater the likelihood of the port becoming a designated port.

Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree portfast
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree bpdufilter enable
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree bpduguard enable
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree force-version 3
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree mst 1 cost 20000
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree mst 1 port-priority 1
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  duplex full
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  spanning-tree portfast
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
  spanning-tree mst 1 port-priority 1
  spanning-tree mst 1 cost 20000
  ip arp trust
  port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
no
    Removes or reverts to default the spanning-tree related parameters configured on this port channel interface
7.1.36.4.10 speed
interface-config-port-channel-instance
Configures the speed at which this port-channel interface receives and transmits data
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
speed [10|100|1000|auto]

Parameters
• speed [10|100|1000|auto]

speed [10|100|1000|auto]
    Configures the data receive-transmit speed for this port channel. The options are:
    • 10 – 10 Mbps
    • 100 – 100 Mbps
    • 1000 – 1000 Mbps
    • auto – Enables the system to auto select the speed. This is the default setting.
    Select one of these options to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port. The auto option enables the port-channel to automatically exchange information about data transmission speed and duplex capabilities. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis.

Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#speed 100
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  speed 100
  duplex full
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  spanning-tree portfast
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
  spanning-tree mst 1 port-priority 1
  spanning-tree mst 1 cost 20000
  ip arp trust
  port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
no
    Removes or reverts to default the speed at which this port-channel interface receives and transmits data
7.1.36.4.11 switchport
interface-config-port-channel-instance
Configures the VLAN switching parameters for this port-channel interface
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
switchport [access|mode|trunk]
switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
switchport mode [access|trunk]
switchport trunk [allowed|native]
switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]

Parameters
• switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]

access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
    Configures the VLAN to which this port-channel interface is mapped when the switching mode is set to access.
    • <1-4094> – Specify the SVI VLAN ID from 1 - 4094.
    • <VLAN-ALIAS-NAME> – Specify the VLAN alias name (should be existing and configured).

• switchport mode [access|trunk]

mode [access|trunk]
    Configures the VLAN switching mode over the port channel
    • access – If selected, the port channel accepts packets only from the native VLANs. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN. This is the default setting.
    • trunk – If selected, the port channel allows packets from a list of VLANs you add to the trunk. A port channel configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN which can be tagged or untagged.

• switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]

trunk allowed
    If configuring the VLAN switching mode as trunk, use this option to configure the VLANs allowed on this port channel. Add VLANs that exclusively send packets over the port channel.
vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
    Use this keyword to add/remove the allowed VLANs
    • <VLAN-ID> – Allows a group of VLAN IDs. Specify the VLAN IDs, can be either a range (55-60) or a comma-separated list (35, 41, etc.)
    • none – Allows no VLANs to transmit or receive through the layer 2 interface
    • add <VLAN-ID> – Adds VLANs to the current list
        • <VLAN-ID> – Specify the VLAN IDs. Can be either a range of VLANs (55-60) or a list of comma separated IDs (35, 41, etc.)
    • remove <VLAN-ID> – Removes VLANs from the current list
        • <VLAN-ID> – Specify the VLAN IDs. Can be either a range of VLANs (55-60) or a list of comma separated IDs (35, 41, etc.)
    Allowed VLANs are configured only when the switching mode is set to “trunk”.

• switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]

trunk
    If configuring the VLAN switching mode as trunk, use this option to configure the native VLAN on this port channel.
native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]
    Configures the native VLAN ID for the trunk-mode port
    The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
    • tagged – Tags the native VLAN. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header enabling upstream Ethernet devices to know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame.
    • vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Sets the native VLAN for classifying untagged traffic when the interface is in trunking mode.
        • <1-4094> – Specify a value from 1 - 4094.
        • <VLAN-ALIAS-NAME> – Specify the VLAN alias name used to identify the VLANs. The VLAN alias should be existing and configured.

Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#switchport mode trunk
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  speed 100
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  spanning-tree portfast
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
  spanning-tree mst 1 port-priority 1
  spanning-tree mst 1 cost 20000
  ip arp trust
  port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
no
    Removes the packet switching parameters configured on this port-channel interface
7.1.36.4.12 use
interface-config-port-channel-instance
Configures access controls on this port-channel interface
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [ip-access-list|ipv6-access-list|mac-access-list] in <IP/IPv6/MAC-ACCESS-LIST-NAME>

Parameters
• use [ip-access-list|ipv6-access-list|mac-access-list] in <IP/IPv6/MAC-ACCESS-LIST-NAME>

use [ip-access-list|ipv6-access-list|mac-access-list] in <IP/IPv6/MAC-ACCESS-LIST-NAME>
    Associates an access list controlling the inbound traffic on this port channel.
    • ip-access-list – Specify the IPv4 specific firewall rules to apply to this profile’s port channel configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or prevent duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.
    • ipv6-access-list – Specify the IPv6 specific firewall rules to apply to this profile’s port channel configuration. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
    • mac-access-list – Specify the MAC specific firewall rules to apply to this profile’s port channel configuration.
        • <IP/IPv6/MAC-ACCESS-LIST-NAME> – Provide the IPv4, IPv6, or MAC access list name based on the option selected. The access list specified should be existing and configured.

Example
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#use ip-access-list in BROADCAST-MULTICAST-CONTROL
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  speed 100
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1
  use ip-access-list in BROADCAST-MULTICAST-CONTROL
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  spanning-tree portfast
--More--
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
no
    Removes the access controls configured on this port-channel interface
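
The 'show context' output used throughout the port-channel commands above can be checked mechanically for the settings that matter in a configuration review: explicit ARP and ND trust, BPDU filter and BPDU guard enabled together, an untagged native VLAN on a trunk, and a missing inbound access list. The Python script below is an added example, not part of the Extreme Networks guide or of WiNG. Its function names and rule names are hypothetical, the BPDU rule is an inference from this guide's own option descriptions, and the negated ARP statement it looks for is an assumed rendering.

```python
import re

# Sample input: 'show context' output copied from this guide's 'no' command
# example (state before the 'no' commands), with the interface line restored.
SAMPLE = """\
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  speed 100
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1
  use ip-access-list in BROADCAST-MULTICAST-CONTROL
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  spanning-tree portfast
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
  spanning-tree mst 1 port-priority 1
  spanning-tree mst 1 cost 20000
  ip arp trust
  port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
"""

PROMPT = re.compile(r"^\S+\)#")  # CLI prompt lines such as host(config-...)#command


def parse_context(text):
    """Return {interface name: [statement, ...]} from 'show context' output."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--" or PROMPT.match(line):
            continue  # skip blanks, pager markers and prompt lines
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_interface(statements):
    """Return (rule, message) review items for one interface's statements."""
    s = set(statements)
    findings = []
    bpdu_filter = "spanning-tree bpdufilter enable" in s
    bpdu_guard = "spanning-tree bpduguard enable" in s
    if bpdu_filter and bpdu_guard:
        # Inference from the guide: a filtered port receives no BPDUs,
        # so BPDU guard (shut down on receiving a BPDU) has nothing to act on.
        findings.append(("BPDU-FILTER-MASKS-GUARD",
                         "bpdufilter and bpduguard are both enabled; confirm which is intended"))
    if (bpdu_filter or bpdu_guard) and "spanning-tree portfast" not in s:
        findings.append(("BPDU-WITHOUT-PORTFAST",
                         "the guide says to enable portfast before BPDU filtering/guarding"))
    for stmt in ("ip arp trust", "ipv6 nd trust"):
        if stmt in s:
            findings.append(("EXPLICIT-TRUST",
                             f"'{stmt}' treats traffic arriving on this port channel as trusted"))
    # Assumed rendering of a disabled default; not shown in the guide's output.
    if "no ip arp header-mismatch-validation" in s:
        findings.append(("ARP-MAC-CHECK-OFF",
                         "ARP/ethernet source MAC mismatch check is disabled"))
    if "switchport mode trunk" in s and "no switchport trunk native tagged" in s:
        vlan = next((x.split()[-1] for x in statements
                     if x.startswith("switchport trunk native vlan ")), "?")
        findings.append(("UNTAGGED-NATIVE-VLAN",
                         f"untagged frames on this trunk are classified into VLAN {vlan}"))
    if not any(re.match(r"use (ip|ipv6|mac)-access-list in \S+", x) for x in statements):
        findings.append(("NO-INBOUND-ACL", "no inbound access list is applied"))
    return findings


def audit(text):
    """Audit every interface block found in the text."""
    return {name: audit_interface(stmts) for name, stmts in parse_context(text).items()}


if __name__ == "__main__":
    for name, items in audit(SAMPLE).items():
        for rule, message in items:
            print(f"{name}: {rule}: {message}")
```

Each item is a prompt for review rather than a verdict: trust on an uplink toward infrastructure, for example, may be exactly what is intended.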
7.1.36.5  interface-config-radio-instance
interface
This section documents radio interface configuration parameters applicable only to the access point profiles.
The access point radio interface can be radio1, radio2, or radio3. The AP7161 models contain either a single or a dual radio configuration. Newer AP7161N model access points support single, dual, or triple radio configurations.
To enter the AP/RFS4000 profile > radio interface context, use the following commands:
<DEVICE>(config)#profile <AP-TYPE> <PROFILE-NAME>
rfs6000-37FABE(config)#profile ap71xx 71xxTestProfile
rfs6000-37FABE(config-profile-71xxTestProfile)#
rfs6000-37FABE(config-profile-71xxTestProfile)#interface radio 1
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#?
Radio Mode commands:
  adaptivity                  Adaptivity
  aeroscout                   Aeroscout Multicast MAC/Enable
  aggregation                 Configure 802.11n aggregation related parameters
  airtime-fairness            Enable fair access to medium for clients based
                              on their usage of airtime
  antenna-diversity           Transmit antenna diversity for non-11n transmit
                              rates
  antenna-downtilt            Enable ADEPT antenna mode
  antenna-elevation           Specifies the antenna elevation gain
  antenna-gain                Specifies the antenna gain of this radio
  antenna-mode                Configure the antenna mode (number of transmit
                              and receive antennas) on the radio
  assoc-response              Configure transmission parameters for
                              Association Response frames
  association-list            Configure the association list for the radio
  beacon                      Configure beacon parameters
  bridge                      Bridge rf-mode related configuration
  channel                     Configure the channel of operation for this
                              radio
  data-rates                  Specify the 802.11 rates to be supported on this
                              radio
  description                 Configure a description for this radio
  dfs-rehome                  Revert to configured home channel once dfs
                              evacuation period expires
  dynamic-chain-selection     Automatic antenna-mode selection (single antenna
                              for non-11n transmit rates)
  ekahau                      Ekahau Multicast MAC/Enable
  extended-range              Configure extended range
  fallback-channel            Configure the channel to be used for falling
                              back in the event of radar being detected on the
                              current operating channel
  guard-interval              Configure the 802.11n guard interval
  ldpc                        Configure support for Low Density Parity Check
                              Code
  lock-rf-mode                Retain user configured rf-mode setting for this
                              radio
  max-clients                 Maximum number of wireless clients allowed to
                              associate subject to AP limit
  mesh                        Configure radio mesh parameters
  meshpoint                   Enable meshpoints on this radio
  mu-mimo                     Enable multi user MIMO on this radio (selected
                              platforms only)
  no                          Negate a command or set its defaults
  non-unicast                 Configure handling of non-unicast frames
  off-channel-scan            Enable off-channel scanning on the radio
  placement                   Configure the location where this radio is
                              operating
  power                       Configure the transmit power of the radio
  preamble-short              Use short preambles on this radio
  probe-response              Configure transmission parameters for Probe
                              Response frames
  radio-resource-measurement  Configure support for 802.11k Radio Resource
                              Measurement
  radio-share-mode            Configure the radio-share mode of operation for
                              this radio
  rate-selection              Default or Opportunistic rate selection
  remove-override             Negate a command or set its defaults
  rf-mode                     Configure the rf-mode of operation for this
                              radio
  rifs                        Configure Reduced Interframe Spacing (RIFS)
                              parameters
  rts-threshold               Configure the RTS threshold
  shutdown                    Shutdown the selected radio interface
  smart-rf                    Configure radio specific smart-rf settings
  sniffer-redirect            Capture packets and redirect to an IP address
                              running a packet capture/analysis tool
  stbc                        Configure Space-Time Block Coding (STBC)
                              parameters
  transmit-beamforming        Enable Transmit Beamforming
  use                         Set setting to use
  wips                        Wireless intrusion prevention related
                              configuration
  wireless-client             Configure wireless client related parameters
  wlan                        Enable wlans on this radio

  clrscr                      Clears the display screen
  commit                      Commit all changes made in this session
  do                          Run commands from Exec mode
  end                         End current mode and change to EXEC mode
  exit                        End current mode and down to previous mode
  help                        Description of the interactive help system
  revert                      Revert changes
  service                     Service Commands
  show                        Show running system information
  write                       Write running configuration to memory or
                              terminal

rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

The following table summarizes the radio interface configuration commands:

Commands                    Description [Reference]
adaptivity                  Configures an adaptivity timeout value, in minutes, for avoidance of channels detected with radar or high levels of interference [page 7-256]
aeroscout                   Enables Aeroscout multicast packet forwarding [page 7-257]
aggregation                 Configures 802.11n aggregation parameters [page 7-258]
airtime-fairness            Enables fair access for clients based on airtime usage [page 7-261]
antenna-diversity           Transmits antenna diversity for non-11n transmit rates [page 7-262]
antenna-downtilt            Enables Advanced Element Panel Technology (ADEPT) antenna mode [page 7-263]
antenna-elevation           Configures the antenna’s elevation gain. This command is applicable only to the AP7562 model access point [page 7-264]
antenna-gain                Specifies the antenna gain for the selected radio [page 7-266]
antenna-mode                Configures the radio antenna mode [page 7-267]
assoc-response              Enables an access point to ignore or respond to an association/authorization request based on the configured Received Signal Strength Index (RSSI) threshold and deny-threshold values [page 7-268]
association-list            Associates an existing global association list with this radio interface [page 7-269]
beacon                      Configures beacon parameters [page 7-270]
bridge                      Configures client-bridge related parameters, if the selected radio’s RF mode is set to bridge [page 7-272]
channel                     Configures a radio’s channel of operation [page 7-278]
data-rates                  Specifies the 802.11 rates supported on a radio [page 7-280]
description                 Configures the selected radio’s description [page 7-284]
dfs-rehome                  Reverts to configured home channel once Dynamic Frequency Selection (DFS) evacuation period expires [page 7-285]
dynamic-chain-selection     Enables automatic antenna mode selection [page 7-286]
ekahau                      Enables Ekahau multicast packet forwarding [page 7-287]
extended-range              Configures extended range [page 7-288]
fallback-channel            Configures the channel to which the radio switches in case of radar detection on the current channel [page 7-289]
guard-interval              Configures the 802.11n guard interval [page 7-290]
ldpc                        Enables support for Low Density Parity Check (LDPC) on the radio interface [page 7-291]
lock-rf-mode                Retains user configured RF mode settings for the selected radio [page 7-292]
max-clients                 Configures the maximum number of wireless clients allowed to associate with this radio [page 7-293]
mesh                        Configures radio mesh parameters [page 7-294]
meshpoint                   Maps an existing meshpoint to this radio interface [page 7-296]
mu-mimo                     Enables multi-user multiple input multiple output (MU-MIMO) support on a radio [page 7-297]
no                          Negates or resets radio interface settings configured on a profile or a device [page 7-298]
non-unicast                 Configures the handling of non unicast frames on this radio [page 7-301]
off-channel-scan            Enables selected radio’s off channel scanning parameters [page 7-303]
placement                   Defines selected radio’s deployment location [page 7-305]
power                       Configures the transmit power on this radio [page 7-306]
preamble-short              Enables the use of short preamble on this radio [page 7-307]
probe-response              Configures transmission parameters for probe response frames [page 7-308]
radio-resource-measurement  Enables 802.11k radio resource measurement [page 7-309]
radio-share-mode            Configures the mode of operation, for this radio, as radio-share [page 7-310]
rate-selection              Sets the rate selection method to standard or opportunistic [page 7-311]
PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 255rf-mode Configures the radio’s RF mode page 7-312rifs Configures Reduced Interframe Spacing (RIFS) parameters on this radiopage 7-314rts-threshold Configures the Request to Send (RTS) threshold value on this radio page 7-315service Enables dynamic control function. This dynamic function controls performance of the radio receiver's low noise amplifiers (LNAs).page 7-316shutdown Terminates or shuts down selected radio interface page 7-317smart-rf Overrides Smart RF channel width setting on the selected radio interfacepage 7-318sniffer-redirect Captures and redirects packets to an IP address running a packet capture/analysis toolpage 7-319stbc Configures radio’s Space Time Block Coding (STBC) mode page 7-321transmit-beamformingEnables transmit beamforming on the selected radio interface page 7-322use Enables use of an association ACL policy and a radio QoS policy by selected radio interfacepage 7-323wips Enables access point to change its channel of operation in order to terminate rogue devicespage 7-324wireless-client Configures wireless client parameters on selected radio page 7-325wlan Enables a WLAN on selected radio page 7-326Commands Description Reference

7.1.36.5.1 adaptivity
interface-config-radio-instance

Configures an interval, in minutes, for avoiding channels detected with high levels of interference

As per the European Telecommunications Standards Institute’s (ETSI) EN 300 328 V1.8.1/ ETSI EN 301 893 V1.7.1 requirements, access points have to monitor interference levels on operating channels, and stop functioning on channels with interference levels exceeding ETSI-specified threshold values.

This command configures the interval for which a channel is avoided on detection of interference, and is applicable only if the channel selection mode is set to ACS, Random, or Fixed.

When configured, this feature ensures recovery by switching the radio to a new operating channel. Once adaptivity is triggered, the evacuated channel becomes inaccessible and is available again only after the adaptivity timeout, specified here, expires. In case of fixed channel, the radio switches back to the original channel of operation after the adaptivity timeout expires. On the other hand, ACS-enabled radios continue operating on the new channel even after the adaptivity timeout period expires.

NOTE: If the channel selection mode is set to Smart, in the Smart-RF policy mode, use the avoidance-time > [adaptivity|dfs] > <30-3600> command to specify the interval for which a channel is avoided on detection of high levels of interference or radar. For more information, see avoidance-time.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
adaptivity [recovery|timeout <30-3600>]

Parameters
• adaptivity [recovery|timeout <30-3600>]
adaptivity
    Configures adaptivity parameters on the radio. These parameters are: recovery and timeout.
recovery
    Enables switching of channels when an access point’s radio is in the adaptivity mode. In the adaptivity mode, an access point monitors interference on its set channel and stops functioning when the radio’s defined interference tolerance level is exceeded. When the defined adaptivity timeout is exceeded, the radio resumes functionality on a different channel. This option is enabled by default.
timeout <30-3600>
    Configures an adaptivity timeout
    • <30-3600> – Specify a value from 30 - 3600 minutes. The default is 90 minutes.

Example
nx4500-5CFA2B(config-profile-testAP7532-if-radio1)#adaptivity timeout 200
nx4500-5CFA2B(config-profile-testAP7532-if-radio1)#show context
 interface radio1
  adaptivity timeout 200
nx4500-5CFA2B(config-profile-testAP7532-if-radio1)#

Related Commands
no
    Removes the configured adaptivity timeout value and disables adaptivity recovery

7.1.36.5.2 aeroscout
interface-config-radio-instance

Enables Aeroscout multicast packet forwarding. This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6532, AP7502, AP7522

Syntax
aeroscout [forward ip <IP> port <0-65535>|mac <MAC>]

Parameters
• aeroscout [forward ip <IP> port <0-65535>|mac <MAC>]
aeroscout
    Enables Aeroscout packet forwarding and configures the packet forwarding parameters
forward ip <IP> port <0-65535>
    Configures the following Aeroscout locationing engine details:
    • ip – Configures Aeroscout engine’s IP address
      • <IP> – Specify the Aeroscout engine’s IP address. When specified, the AP forwards Aeroscout beacons directly to the Aeroscout locationing engine without proxying through the controller or RF Domain manager.
    • port – Configures the port on which the Aeroscout engine is reachable
      • <0-65535> – Specify the port number from 0 - 65535.
mac <MAC>
    Configures the multicast MAC address to forward the Aeroscout packets
    • <MAC> – Specify the MAC address in the AA-BB-CC-DD-EE-FF format. The default value is 01-0C-CC-00-00-00.

Example
nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#aeroscout forward ip 10.233.84.206 port 22
nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#show context
 interface radio2
  aeroscout forward ip 10.233.84.206 port 22
nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#

Related Commands
no
    Disables Aeroscout packet forwarding

7.1.36.5.3 aggregation
interface-config-radio-instance

Configures 802.11n frame aggregation parameters. Frame aggregation increases throughput by sending two or more data frames in a single transmission. There are two types of frame aggregation: MAC Service Data Unit (MSDU) aggregation and MAC Protocol Data Unit (MPDU) aggregation. Both modes group several data frames into one large data frame.

Supported in the following platforms:
• Access Points — AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
aggregation [ampdu|amsdu]
aggregation ampdu [rx-only|tx-only|tx-rx|none|max-aggr-size|min-spacing]
aggregation ampdu [rx-only|tx-only|tx-rx|none]
aggregation ampdu max-aggr-size [rx|tx]
aggregation ampdu max-aggr-size rx [8191|16383|32767|65535]
aggregation ampdu max-aggr-size tx <2000-65535>
aggregation ampdu min-spacing [0|1|2|4|8|16]
aggregation amsdu [rx-only|tx-rx]

Parameters
• aggregation ampdu [rx-only|tx-only|tx-rx|none]
aggregation
    Configures 802.11n frame aggregation parameters
ampdu
    Configures Aggregate MAC Protocol Data Unit (AMPDU) frame aggregation parameters
    AMPDU aggregation collects Ethernet frames addressed to a single destination. It wraps each frame in an 802.11n MAC header. This aggregation mode is less efficient, but more reliable in environments with high error rates. It enables the acknowledgement and retransmission of each aggregated data frame individually.
tx-only
    Supports the transmission of AMPDU aggregated frames only
rx-only
    Supports the receipt of AMPDU aggregated frames only
tx-rx
    Supports the transmission and receipt of AMPDU aggregated frames (default setting)
none
    Disables support for AMPDU aggregation

• aggregation ampdu max-aggr-size rx [8191|16383|32767|65535]
aggregation
    Configures 802.11n frame aggregation parameters
ampdu
    Configures AMPDU frame aggregation parameters
    AMPDU aggregation collects Ethernet frames addressed to a single destination. It wraps each frame in an 802.11n MAC header. This aggregation mode is less efficient, but more reliable in environments with high error rates. It enables the acknowledgement and retransmission of each aggregated data frame individually.
max-aggr-size
    Configures AMPDU packet size limits. Configure the packet size limit on packets both transmitted and received.
rx [8191|16383|32767|65535]
    Configures the maximum limit (in bytes) advertised for received frames
    • 8191 – Advertises a maximum of 8191 bytes
    • 16383 – Advertises a maximum of 16383 bytes
    • 32767 – Advertises a maximum of 32767 bytes
    • 65535 – Advertises a maximum of 65535 bytes (default setting)

• aggregation ampdu max-aggr-size tx <2000-65535>
aggregation
    Configures 802.11n frame aggregation parameters
ampdu
    Configures AMPDU frame aggregation parameters
    AMPDU aggregation collects Ethernet frames addressed to a single destination. It wraps each frame in an 802.11n MAC header. This aggregation mode is less efficient, but more reliable in environments with high error rates. It enables the acknowledgement and retransmission of each aggregated data frame individually.
max-aggr-size
    Configures AMPDU packet size limits. Configure the packet size limit on packets both transmitted and received.
tx <2000-65535>
    Configures the maximum size (in bytes) for AMPDU aggregated transmitted frames
    • <2000-65535> – Sets the limit from 2000 - 65535 bytes. The default is 65535 bytes.

• aggregation ampdu min-spacing [0|1|2|4|8|16|auto]
aggregation
    Configures 802.11n frame aggregation parameters
ampdu
    Configures AMPDU frame aggregation parameters
    AMPDU aggregation collects Ethernet frames addressed to a single destination. It wraps each frame in an 802.11n MAC header. This aggregation mode is less efficient, but more reliable in environments with high error rates. It enables the acknowledgement and retransmission of each aggregated data frame individually.
min-spacing [0|1|2|4|8|16]
    Configures the minimum gap, in microseconds, between AMPDU frames
    • 0 – Configures the minimum gap as 0 microseconds
    • 1 – Configures the minimum gap as 1 microsecond
    • 2 – Configures the minimum gap as 2 microseconds
    • 4 – Configures the minimum gap as 4 microseconds
    • 8 – Configures the minimum gap as 8 microseconds
    • 16 – Configures the minimum gap as 16 microseconds
    • auto – Auto configures the minimum gap depending on the platform and radio type (default setting)

• aggregation amsdu [rx-only|tx-rx]
aggregation
    Configures 802.11n frame aggregation parameters
amsdu
    Configures Aggregated MAC Service Data Unit (AMSDU) frame aggregation parameters. AMSDU aggregation collects Ethernet frames addressed to a single destination. But, unlike AMPDU, it wraps all frames in a single 802.11n frame.
rx-only
    Supports the receipt of AMSDU aggregated frames only (default setting)
tx-rx
    Supports the transmission and receipt of AMSDU aggregated frames

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#aggregation ampdu tx-only
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  aggregation ampdu tx-only
  aeroscout forward
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Disables 802.11n aggregation parameters

7.1.36.5.4 airtime-fairness
interface-config-radio-instance

Enables fair access to the medium for wireless clients based on their airtime usage (i.e. regardless of whether the client is a high-throughput (802.11n) or legacy client). This option is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
airtime-fairness {prefer-ht} {weight <1-10>}

Parameters
• airtime-fairness {prefer-ht} {weight <1-10>}
airtime-fairness
    Enables fair access to the medium for wireless clients based on their airtime usage
prefer-ht
    Optional. Prioritizes high throughput (802.11n) clients over clients with slower throughput (802.11 a/b/g) and legacy clients
weight <1-10>
    Optional. Configures the relative weightage for 11n clients over legacy clients.
    • <1-10> – Sets a weightage ratio for 11n clients from 1 - 10

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#airtime-fairness prefer-ht weight 6
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  aggregation ampdu tx-only
  aeroscout forward
  airtime-fairness prefer-ht weight 6
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Disables fair access for wireless clients (provides access on a round-robin mode)

7.1.36.5.5 antenna-diversity
interface-config-radio-instance

Configures transmit antenna diversity for non-11n transmit rates

Antenna diversity uses two or more antennas to increase signal quality and strength. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
antenna-diversity

Parameters
None

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-diversity
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  aggregation ampdu tx-only
  aeroscout forward
  antenna-diversity
  airtime-fairness prefer-ht weight 6
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Uses single antenna for non-11n transmit rates

7.1.36.5.6 antenna-downtilt
interface-config-radio-instance

Enables the Advanced Element Panel Technology (ADEPT) antenna mode. The ADEPT mode increases the probability of parallel data paths enabling multiple spatial data streams. This option is disabled by default.

NOTE: This feature is not supported on AP6521, AP6522, AP6532, AP6562, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, and AP8533.

Supported in the following platforms:
• Access Point — AP7161

Syntax
antenna-downtilt

Parameters
None

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  antenna-diversity
  airtime-fairness prefer-ht weight 6
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Disables the ADEPT antenna mode

7.1.36.5.7 antenna-elevation
interface-config-radio-instance

Configures an antenna's elevation gain. Antenna gain is the ratio of an antenna's radiation intensity in a given direction to the intensity produced by a no-loss, isotropic antenna radiating equally in all directions. An antenna's gain along the horizon and at an elevation of 30 degrees may vary. The elevation gain is defined as the maximum antenna gain at 30 to 150 degrees above the horizon. If elevation gain is configured, the transmit (TX) power calculations maximize the allowable TX power for an elevation below 30 degrees.

Access Points must conform to U.S. Federal Communications Commission's (FCC) limitations. FCC has now stipulated a 21dBm Effective Isotropic Radiated Power (EIRP) limit for power directed 30 degrees above the horizon.

For Extreme Networks-supplied antennas, compatible with 5.0 GHz on the AP7562 access point, refer to the Antenna Guide for "Elevation Gain" information. If using a third-party antenna, it is required that you obtain the antenna-elevation gain information from the antenna manufacturer.

The elevation gain should be configured if the access point:
• Is deployed outdoors, and
• Is used with a dipole antenna (panel antenna and polarized antenna are for point to point only, and are excluded from this requirement), and
• Is transmitting in the 5.15 - 5.25 GHz Unlicensed National Information Infrastructure-1 (UNII-1) band.

Professional installers must complete the following steps to ensure compliance with the FCC rule:
1 Configure the antenna type. For example:
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#service antenna-type dipole
2 Configure the antenna peak gain. For example:
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#antenna-gain 7.0
3 Configure the antenna placement. For example:
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#placement outdoor
4 Configure the antenna elevation gain. For example:
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#antenna-elevation 5.0

After the professional installer enters the antenna type, gain, placement, and elevation gain using the CLI as outlined above, the firmware will use this information and hardcoded maximum limits determined during testing (See Annex C in FCC Report #FR4D0448AB) to limit the EIRP below 21dBm for outdoor use in UNII-1 band. The antenna information is provided in the Installation guide and antenna guide.

NOTE: The antenna elevation gain feature is supported only on the AP7562 model access point.

Supported in the following platforms:
• Access Points — AP7562

Syntax
antenna-elevation <-30.0-36.0>

Parameters
• antenna-elevation <-30.0-36.0>
antenna-elevation <-30.0-36.0>
    Configures the antenna elevation gain from -30.0 - 36.0 dB. Refer to the antenna specifications for antenna-elevation gain information. The default value is 0 dB.

Example
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#antenna-elevation 5.0
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#show context
 interface radio2
  antenna-elevation 5.0
ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#

Related Commands
no
    Resets antenna elevation gain to default (0 dB)

7.1.36.5.8 antenna-gain
interface-config-radio-instance

Configures the antenna gain for the selected radio

Antenna gain is the ability of an antenna to convert power into radio waves and vice versa. The access point or wireless controller’s Power Management Antenna Configuration File (PMACF) automatically configures the access point or wireless controller’s radio transmit power based on the antenna type, its antenna gain (provided here) and the deployed country’s regulatory domain restrictions. Once provided, the access point or wireless controller calculates the power range. Antenna gain relates the intensity of an antenna in a given direction to the intensity that would be produced ideally by an antenna that radiates equally in all directions (isotropically), and has no losses. Although the gain of an antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of the antenna as well as its directional capabilities. It is recommended that only a professional installer set the antenna gain.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
antenna-gain <0.0-15.0>

Parameters
• antenna-gain <0.0-15.0>
antenna-gain <0.0-15.0>
    Sets the antenna gain from 0.0 - 15.0 dBi. The default is 0.00 dBi.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-gain 12.0
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  antenna-diversity
  airtime-fairness prefer-ht weight 6
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Resets the radio’s antenna gain parameter

7.1.36.5.9 antenna-mode
interface-config-radio-instance

Configures the antenna mode (the number of transmit and receive antennas) on the access point

This command sets the number of transmit and receive antennas on the access point. The 1x1 mode is used for transmissions over just the single -A- antenna, 1xALL is used for transmissions over the -A- antenna and all three antennas for receiving. The 2x2 mode is used for transmissions and receipts over two antennas for dual antenna models. 3x3x3 is used for transmissions and receipts over three antennas for AP81XX models. The default setting is dynamic based on the access point model deployed and its transmit power settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
antenna-mode [1*1|1*ALL|2*2|3*3|default]

Parameters
• antenna-mode [1*1|1*ALL|2*2|default]
antenna-mode
    Configures the antenna mode
1*1
    Uses only antenna A to receive and transmit
1*ALL
    Uses antenna A to transmit and receives on all antennas
2*2
    Uses antennas A and C for both transmit and receive
3*3
    Uses antenna A, B, and C for both transmit and receive
default
    Uses default antenna settings. This is the default setting.

Usage Guidelines
To support STBC feature on AP7161 profile, the antenna-mode should not be configured to 1*1.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-mode 2x2
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  antenna-mode 2x2
  antenna-diversity
  airtime-fairness prefer-ht weight 6
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Resets the radio antenna mode (the number of transmit and receive antennas) to its default

7.1.36.5.10 assoc-response
interface-config-radio-instance

Configures the parameters determining whether the access point ignores or responds to an association/authorization request

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
assoc-response [deny-threshold <1-12>|rssi-threshold <-128--40>]

Parameters
• assoc-response [deny-threshold <1-12>|rssi-threshold <-128--40>]
assoc-response
    Configures the following thresholds, based on which the AP ignores or responds to an association/authorization request: deny-threshold and rssi-threshold. Both these options are disabled by default.
deny-threshold <1-12>
    Configures the number of times the AP ignores association/authorization requests, if the RSSI is below the configured RSSI threshold value
    • <1-12> – Specify a value from 1 - 12.
    Note: The AP always ignores association/authorization requests when deny-threshold is not specified and rssi-threshold is specified.
rssi-threshold <-128--40>
    Configures the RSSI threshold. If the RSSI is lower than the threshold configured here, the AP ignores the association/authorization request.
    • <-128--40> – Specify the RSSI threshold from -128 - -40 dBi.

Example
rfs6000-37FABE(config-profile-71XXTestProfile-if-radio1)#assoc-response rssi-threshold -128
rfs6000-37FABE(config-profile-71XXTestProfile-if-radio1)#show context
 interface radio1
  assoc-response rssi-threshold -128
rfs6000-37FABE(config-profile-71XXTestProfile-if-radio1)#

Related Commands
no
    Removes the RSSI threshold, based on which an association/authorization request is either ignored or responded to.

7.1.36.5.11 association-list
interface-config-radio-instance

Associates an existing global association list with this radio interface

An association ACL is a policy-based access control list (ACL) that either prevents or allows wireless clients from connecting to a managed access point radio. An ACL is a sequential collection of permit and deny rules that apply to incoming and outgoing packets. When a packet is received on an interface, the controller, service platform, or access point compares the fields in the packet against the applied ACLs to verify the packet has the required permissions to be forwarded. If a packet does not meet any of the criteria specified in the ACL, it is dropped.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
association-list global <GLOBAL-ASSOC-LIST-NAME>

Parameters
• association-list global <GLOBAL-ASSOC-LIST-NAME>
association-list global <GLOBAL-ASSOC-LIST-NAME>
    Associates an existing global association list with this radio interface

Example
rfs4000-880DA7(config-profile-test-if-radio1)#association-list global test
rfs4000-880DA7(config-profile-test-if-radio1)#show context
 interface radio1
  association-list global test
rfs4000-880DA7(config-profile-test-if-radio1)#

Related Commands
no
    Removes the global association list associated with this radio interface

7.1.36.5.12 beacon
interface-config-radio-instance

Configures radio beacon parameters

A beacon is a packet broadcast by adopted radios to keep the network synchronized. Included in a beacon is information, such as the WLAN service area, the radio address, the broadcast destination addresses, a time stamp, and indicators about traffic and delivery such as a Delivery Traffic Indication Message (DTIM). Increase the DTIM/beacon settings (lengthening the time) to let nodes sleep longer and preserve battery life. Decrease these settings (shortening the time) to support streaming-multicast audio and video applications that are jitter sensitive.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
beacon [dtim-period|period]
beacon dtim-period [<1-50>|bss]
beacon dtim-period [<1-50>|bss <1-16> <1-50>]
beacon period [50|100|200]

Parameters
• beacon dtim-period [<1-50>|bss <1-8> <1-50>]
beacon
    Configures radio beacon parameters
dtim-period
    Configures the radio DTIM interval. A DTIM is a message that informs wireless clients about the presence of buffered multicast or broadcast data. These are simple data frames that require no acknowledgement, so nodes sometimes miss them. Increase the DTIM/ beacon settings (lengthening the time) to let nodes sleep longer and preserve their battery life. Decrease these settings (shortening the time) to support streaming multicast audio and video applications that are jitter-sensitive.
<1-50>
    Configures a single value to use on the radio. Specify a value between 1 and 50.
bss <1-16> <1-50>
    Configures a separate DTIM for a Basic Service Set (BSS) on this radio interface
    • <1-16> – Sets the BSS number from 1 - 16
    • <1-50> – Sets the BSS DTIM from 1 - 50. The default is 2.

• beacon period [50|100|200]
period [50|100|200]
    Configures the beacon period (the interval between consecutive radio beacons)
    • 50 – Configures 50 K-uSec interval between beacons
    • 100 – Configures 100 K-uSec interval between beacons (default)
    • 200 – Configures 200 K-uSec interval between beacons

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#beacon dtim-period bss 2 20
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#beacon period 50
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  beacon period 50
  beacon dtim-period bss 1 2
  beacon dtim-period bss 2 20
  beacon dtim-period bss 3 2
  --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Removes the configured beacon parameters

7.1.36.5.13 bridge
interface-config-radio-instance

Configures the client-bridge parameters for radios with rf-mode set to bridge. When configured as a client bridge, the radio can authenticate and associate to the Wireless LAN (WLAN) hosted on the infrastructure access point. After successfully associating with the infrastructure WLAN, the client-bridge access point switches frames between its bridge radio and wired/wireless client(s) connected either to its GE port(s) or to the other radio, thereby providing the clients access to the infrastructure WLAN resources.

NOTE: The radio interface configured to form the client-bridge will not be able to service wireless clients as its RF mode is set to bridge and not 2.5 GHz or 5.0 GHz.

Supported in the following platforms:
• Access Points — AP6522, AP6562, AP7522, AP7532, AP7562, AP7602, AP7622

Syntax
bridge [authentication-type [eap|none]|channel-dwell-time <50-2000>|channel-list [2.4GHz|5GHz] <LIST>|connect-through-bridges|eap [password <PASSWORD>|type [peap-mschapv2|tls]|username <USERNAME>]|encryption-type [ccmp|none|tkip]|inactivity-timeout <0-864000>|keepalive [frame-type [null-data|wnmp]|interval <0-36000>]|max-clients <1-64>|on-link-loss shutdown-other-radio <1-1800>|on-link-up refresh-vlan-interface|roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>]|ssid <SSID>|wpa-wpa2 psk [0|2|<LINE>]]

Parameters
• bridge [authentication-type [eap|none]|channel-dwell-time <50-2000>|channel-list [2.4GHz|5GHz] <LIST>|connect-through-bridges|eap [password <PASSWORD>|type [peap-mschapv2|tls]|username <USERNAME>]|encryption-type [ccmp|none|tkip]|inactivity-timeout <0-864000>|keepalive [frame-type [null-data|wnmp]|interval <0-36000>]|max-clients <1-64>|on-link-loss shutdown-other-radio <1-1800>|on-link-up refresh-vlan-interface|roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>]|ssid <SSID>|wpa-wpa2 psk [0|2|<LINE>]]

bridge
    Configures client-bridge related parameters on the selected radio
    Prior to configuring the client-bridge parameters, set the radio’s rf-mode to bridge.
authentication-type [eap|none]
    Configures the authentication method used to authenticate with the infrastructure WLAN. The authentication mode specified here should be the same as that configured on the infrastructure WLAN. The options are:
    • eap – Uses EAP authentication (802.1X). If using EAP, use the ‘eap’ keyword to configure EAP related parameters.
    • none – Uses no authentication. This is the default setting.
channel-dwell-time <50-2000>
    Configures the channel-dwell time in milliseconds. This is the time the client-bridge radio dwells on each channel (configured in the channel-list) when scanning for an infrastructure WLAN.
    • <50-2000> – Specify a value from 50 - 2000 milliseconds. The default is 150 milliseconds.
channel-list [2.4GHz|5GHz] <LIST>
    Configures the list of channels the radio scans when scanning for an infrastructure WLAN access point to associate
    • 2.4GHz <LIST> – Configures a list of channels for scanning across all the channels in the 2.4GHz radio band
    • 5GHz <LIST> – Configures a list of channels for scanning across all the channels in the 5.0 GHz radio band
    The following parameter is common to both of the 2.5 GHz and 5.0 GHz bands:
    • <LIST> – Provide the list of channels separated by commas.
connect-through-bridges
    Enables the client-bridge access point radio to connect to an infrastructure WLAN, which already has other client-bridge radios associated with it. The client-bridge access points, in this scenario, are said to be daisy chained together.
eap [password [<PASSWORD>]|type [peap-mschapv2|tls]|username <USERNAME>]
    Configures EAP authentication parameters if the authentication mode is set as EAP
    • password [0|2|<PASSWORD>] – Configures the EAP authentication password to use with the infrastructure WLAN. The password type depends on the EAP authentication type configured.
      PEAP-MSCHAPv2 – PEAP password
      TLS – PKCS #12 certificate secret
      Use of EAP-TLS authentication is recommended since it is stronger than PEAP-MSCHAPv2.
      • <PASSWORD> – Enter the password.
    • type [peap-mschapv2|tls] – Configures the EAP authentication type as:
      • PEAP-MSCHAPv2 – Configures the EAP authentication type as PEAP-MSCHAPv2. This is the default setting.
      • TLS – Configures the EAP authentication type as TLS
    • username <USERNAME> – Configures the EAP authentication user name to use with the infrastructure WLAN.
      • <USERNAME> – Specify the EAP username.
      PEAP-MSCHAPv2 – PEAP username (example client-bridge)
      TLS – Username in the CN field of the installed PKCS #12 client certificate (example client-bridge@example.com)
encryption-type [ccmp|none|tkip]
    Configures the encryption mode. The encryption mode specified here should be the same as that configured on the infrastructure WLAN. The options are:
    • ccmp – Uses WPA/WPA2 CCMP encryption
    • none – Uses no encryption method. This is the default setting.
    • tkip – Uses WPA/WPA2 TKIP encryption
    If using CCMP or TKIP, use the ‘wpa-wpa2’ keyword to configure the pre-shared key (PSK).
inactivity-timeout <0-864000>
    Configures the inactivity timeout for each bridge MAC address. This is the time for which the client-bridge access point waits before deleting a MAC address from which a frame has not been received for more than the time specified here. For example, if the inactivity time is set at 120 seconds, and if no frames are received from a MAC address for 120 seconds, it is deleted. The default value is 600 seconds.
    • <0-864000> – Specify a value from 0 - 864000 seconds. The default is 600 seconds.
keepalive [frame-type [null-data|wnmp]|interval <0-36000>]
    Configures the keep-alive frame type and interval
    • frame-type – Configures the keepalive frame type exchanged between the client-bridge access point and the infrastructure access point/controller. The options are:
      • null-data – Transmits 802.11 NULL data frames. This is the default setting.
      • wnmp – Transmits Wireless Network Management Protocol (WNMP) multicast packet
    • interval <0-36000> – Configures the interval, in seconds, between two successive keep-alive frame transmissions.
      • <0-36000> – Specify a value from 0 - 36000 seconds. The default is 300 seconds.
max-clients <1-64>
    Configures the maximum number of clients that the client-bridge AP can support
    • <1-64> – Specify a value from 1 - 64. The default is 64.
on-link-loss shutdown-other-radio <1-1800>
    Configures the radio-link behaviour when the link between the client-bridge and infrastructure access points is lost.
    • shutdown-other-radio – Enables shutting down of the non-client bridge radio (this is the radio to which wireless-clients associate) when the link between the client-bridge and infrastructure access points is lost. When enabled, clients associated with the non-client bridge radio are pushed to search for and associate with other access points having backhaul connectivity. This option is disabled by default.
      • <1-1800> – If enabling this option, use this parameter to configure the time, in seconds, for which the non-client bridge radio is shut down. Specify a value from 1 - 1800 seconds.
on-link-up refresh-vlan-interface
    Configures the radio-link behaviour when the link between the client-bridge and infrastructure access points comes up.
    • refresh-vlan-interface – Enables the SVI to refresh on re-establishing client bridge link to infrastructure Access Point. And, if using a DHCP assigned IP address, causes a DHCP renew.
This option is enabled by default.roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>]Configures the following roaming criteria parameters• missed-beacons <1-60> – Configures the missed beacon interval from 0 - 60 seconds.This is the time for which the client-bridge Access Point waits for after missing a beacon from the associated infrastructure Access Point, before roaming to another infrastructure Access Point. For example, if the missed-beacon time is set to 30 seconds, and if more than 30 seconds have passed since the last received beacon, from the associated infrastructure Access Point, the client-bridge Access Point resumes scanning for another infrastructure Access Point. The default value s 20 seconds.• <1-60> – Specify a value from 1 - 60 seconds. The default is 20 seconds.• rssi-threshold <-128--40> – Configures the minimum signal strength, received from target AP, for the bridge connection to be maintained before roaming• <-128--40> – Specify a value from -128 - -40 dBm. If the RSSI value of signals re-ceived from the infrastructure access point falls below the specified value, the client-bridge access point resumes scanning for another infrastructure access point. Thedefault is -75 dBm.ssid <SSID> Configures the infrastructure WLAN SSID the client bridge connects to• <SSID> – Specify the SSID.

wpa-wpa2 psk [0|2|<LINE>]
Configures the encryption pre-shared key (PSK) to use with the infrastructure WLAN
• 0 – Configures clear text psk
• 2 – Configures encrypted psk
• <LINE> – Enter the key
Note: Pre-shared keys are valid only when the authentication-type is set to none and the encryption-type is set to tkip or ccmp.
Note: The PSK should be 8 - 32 characters in length.

Usage Guidelines EAP Authentication
Use the following commands to view client-bridge configuration:
1 show > wireless > bridge > config
  Shows the current client bridge configuration.
2 show > wireless > bridge > candidate-ap
  Shows the available infrastructure WLAN candidates that are found during the last scan.
3 show > wireless > bridge > host
  Shows the wired/wireless clients that are being bridged.
4 show > wireless > bridge > statistics > rf
  Shows the client bridge RF statistics.
5 show > wireless > bridge > statistics > traffic
  Shows the client bridge traffic statistics.
6 show > wireless > bridge > certificate > status
  Shows the client bridge authentication certificate status.

Example
The following examples show the basic parameters that need to be configured on the Infrastructure and the client-bridge APs in order to enable the client-bridge AP to associate with the Infrastructure WLAN. Note, in this example, the authentication mode is set to ‘none’ and the encryption-type is set to ‘ccmp’. The authentication and encryption modes used will vary as per requirement.

1 Configuring the Infrastructure WLAN:
InfrastrNOC(config)#wlan cb-psk
InfrastrNOC(config-wlan-cb-psk)#ssid cb-psk
InfrastrNOC(config-wlan-cb-psk)#encryption-type ccmp
InfrastrNOC(config-wlan-cb-psk)#wpa-wpa2 psk extreme@123
InfrastrNOC(config-wlan-cb-psk)#authentication-type none
InfrastrNOC(config)#show running-config wlan cb-psk
wlan cb-psk
 ssid cb-psk
 bridging-mode local
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 extreme@123
InfrastrNOC(config)#

2 Associating the ‘cb-psk’ WLAN to the Infrastructure AP’s radio.
Infra7131-5F5078(config-device-B4-C7-99-5F-50-78-if-radio2)#wlan cb-psk
Infra7131-5F5078(config-device-B4-C7-99-5F-50-78)#show context
ap71xx B4-C7-99-5F-50-78
 use profile default-ap71xx
 use rf-domain default
 hostname Infra7131-5F5078
 country-code us
 channel-list 5GHz 149,153,157,161,165
 trustpoint radius-ca TP-infra-AP
 trustpoint radius-server TP-infra-AP
 use radius-server-policy cb-rad-srvr
 interface radio2
  rf-mode 5GHz-wlan
  channel smart
  power smart
  data-rates default
  wlan cb-psk bss 1 primary
  no preamble-short
  bridge ssid cb-psk
  bridge encryption-type ccmp
  bridge authentication-type none
  bridge wpa-wpa2 psk 0 extreme@123
 logging on
 logging console debugging
 controller host 192.168.9.31
Infra7131-5F5078(config-device-B4-C7-99-5F-50-78)#

3 Confirming the Infrastructure AP’s radio interface status.
Infra7131-5F5078(config)#show wireless radio
----------------------------------------------------------------------------------------------
RADIO                RADIO-MAC             RF-MODE        STATE       CHANNEL    POWER #CLIENT
----------------------------------------------------------------------------------------------
Infra7131-5F5078:R1  B4-C7-99-5E-51-40 2.4GHz-wlan          Off   N/A (  smt)  0 (smt)       0
Infra7131-5F5078:R2  B4-C7-99-5E-1A-40   5GHz-wlan           On   165 (  165) 17 (smt)       2
----------------------------------------------------------------------------------------------
Total number of radios displayed: 2
Infra7131-5F5078(config)#

4 Configuring the client-bridge AP’s radio parameters.
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#bridge ssid cb-psk
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#bridge encryption-type ccmp
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#bridge authentication-type none
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#bridge wpa-wpa2 psk extreme@123
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#show context
 interface radio2
  bridge ssid cb-psk
  bridge encryption-type ccmp
  bridge authentication-type none
  bridge wpa-wpa2 psk 0 extreme@123
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#
Note, the SSID, encryption-type, and authentication mode are the same as that of the Infrastructure WLAN.

5 Confirming the client-bridge AP’s radio interface status.
ap7532-85B274#show wireless radio
----------------------------------------------------------------------------------------------
RADIO                RADIO-MAC             RF-MODE        STATE       CHANNEL    POWER #CLIENT
----------------------------------------------------------------------------------------------
ap7532-85B274:R1     84-24-8D-AC-2D-B0 2.4GHz-wlan          Off   N/A (  smt)  0 (smt)       0
ap7532-85B274:R2     84-24-8D-AC-CC-10      bridge           On   165 (  smt) 20 (smt)       0
----------------------------------------------------------------------------------------------
Total number of radios displayed: 2
===================================================
ap7532-85B274(config-device-84-24-8D-85-B2-74)#

6 Viewing the candidate-ap (connected Infrastructure AP’s) details on the client-bridge AP.
ap7532-85B274(config-device-84-24-8D-85-B2-74)#show wireless bridge candidate-ap
 84-24-8D-AC-CC-10 Client Bridge Candidate APs:
  AP-MAC             BAND    CHANNEL SIGNAL(dbm) STATUS
  B4-C7-99-5E-1A-40  5 GHz   165     -21         selected
Total number of candidates displayed: 1
Total number of client bridges displayed: 1
=======================================================
ap7532-85B274(config-device-84-24-8D-85-B2-74)#

7 Viewing the bridge host details on the client-bridge AP.
ap7532-85B274(config-device-84-24-8D-85-B2-74)#show wireless bridge hosts
-----------------------------------------------------------------------------
HOST MAC             BRIDGE MAC         IP             BRIDGING STATUS ACTIVITY
                                                                   (sec ago)
-----------------------------------------------------------------------------
84-24-8D-85-B2-74    84-24-8D-AC-CC-10 10.1.0.249      UP           00:00:07
-----------------------------------------------------------------------------
Total number of hosts displayed: 1
ap7532-85B274(config-device-84-24-8D-85-B2-74)#

Related Commands
no
Removes or resets the client-bridge settings
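
The parameter descriptions and the example above can be turned into an offline check of a saved configuration. The following is an added example, not part of the Extreme Networks guide: it parses the 'bridge' lines of a radio context, flags the documented weak defaults and clear-text PSK storage, and lists settings that differ from the infrastructure WLAN. The sample contexts are constructed (INFRA_WLAN deliberately uses tkip to show a mismatch), and the function names and severity labels are assumptions.

```python
import re

# Constructed samples, modelled on the 'show context' output in the example above.
BRIDGE_RADIO = """\
interface radio2
 bridge ssid cb-psk
 bridge encryption-type ccmp
 bridge authentication-type none
 bridge wpa-wpa2 psk 0 extreme@123
"""
INFRA_WLAN = """\
wlan cb-psk
 ssid cb-psk
 bridging-mode local
 encryption-type tkip
 authentication-type none
 wpa-wpa2 psk 0 extreme@123
"""
DEFAULT_RADIO = """\
interface radio2
 rf-mode bridge
 bridge ssid cb-open
"""

# Defaults as stated in the parameter descriptions on this page.
DEFAULTS = {"encryption-type": "none", "authentication-type": "none",
            "eap-type": "peap-mschapv2"}
LINE = re.compile(r"^\s*(?:bridge\s+)?(ssid|encryption-type|authentication-type|"
                  r"eap\s+type|wpa-wpa2\s+psk)\s+(.+?)\s*$")


def parse(context):
    """Return the link settings from a WLAN context or a radio's 'bridge' lines."""
    cfg = dict(DEFAULTS)
    for line in context.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, value = " ".join(m.group(1).split()), m.group(2)
        if key == "wpa-wpa2 psk":
            form, _, rest = value.partition(" ")
            # '0' = clear text, '2' = encrypted; a bare key is treated as
            # clear text (assumption of this example).
            if form in ("0", "2") and rest:
                cfg["psk-form"], cfg["psk"] = form, rest
            else:
                cfg["psk-form"], cfg["psk"] = "0", value
        elif key == "eap type":
            cfg["eap-type"] = value
        else:
            cfg[key] = value
    return cfg


def audit(cfg):
    """Return a list of (severity, message) findings for one parsed context."""
    out = []
    enc, auth = cfg["encryption-type"], cfg["authentication-type"]
    if enc == "none":
        out.append(("high", "encryption-type none: bridged frames are sent unencrypted"))
    elif enc == "tkip":
        out.append(("medium", "encryption-type tkip: prefer ccmp"))
    if auth == "none" and enc in ("ccmp", "tkip") and "psk" not in cfg:
        out.append(("high", "no wpa-wpa2 psk configured for a PSK link"))
    if auth == "eap":
        if "psk" in cfg:
            out.append(("low", "psk is only valid with authentication-type none"))
        if cfg["eap-type"] != "tls":
            out.append(("medium", "eap type %s: the guide recommends tls" % cfg["eap-type"]))
    if cfg.get("psk-form") == "0":
        out.append(("medium", "psk stored in clear text (form 0) in the configuration"))
        if not 8 <= len(cfg["psk"]) <= 32:
            out.append(("high", "psk length %d is outside 8 - 32 characters" % len(cfg["psk"])))
    return out


def mismatches(wlan_cfg, bridge_cfg):
    """Settings that must be identical on both ends of the client-bridge link."""
    keys = ("ssid", "encryption-type", "authentication-type")
    return [k for k in keys if wlan_cfg.get(k) != bridge_cfg.get(k)]


if __name__ == "__main__":
    for name, ctx in (("bridge radio", BRIDGE_RADIO), ("default radio", DEFAULT_RADIO)):
        for sev, msg in audit(parse(ctx)):
            print(f"{name}: [{sev}] {msg}")
    print("mismatched:", mismatches(parse(INFRA_WLAN), parse(BRIDGE_RADIO)))
```

Run against the page's own example, the only finding is the clear-text PSK; a radio left on the documented defaults is flagged for sending bridged traffic unencrypted.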

7.1.36.5.14 channel
interface-config-radio-instance
Configures a radio’s channel of operation
Only a trained installation professional should define the radio channel. Select Smart for the radio to scan non-overlapping channels listening for beacons from other access points. After the channels are scanned, the radio selects the channel with the fewest access points. In case of multiple access points on the same channel, it selects the channel with the lowest average power level.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
channel [smart|acs|random|1|2|3|4|-------]

Parameters
• channel [smart|acs|random|1|2|3|4|-------]

channel
Configures a radio’s channel of operation

[smart|acs|random|1|2|3|4|-------]
Configures a radio’s channel of operation. The options are:
• smart – Uses Smart RF to assign a channel (uses uniform spectrum spreading if Smart RF is not enabled). This is the default setting.
• acs – Uses automatic channel selection (ACS) to assign a channel
• random – Randomly assigns a channel
• 1 – Channel 1 in 20 MHz mode
• 2 – Channel 2 in 20 MHz mode

NOTE: Channels with a “w” appended to them are unique to the 40 MHz band. Channels with a “ww” appended to them are 802.11ac specific, and appear only when using an AP8232, and are unique to the 80 MHz band.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#channel 1
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  channel 1
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  ........................................................................
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  antenna-mode 2x2
  antenna-diversity
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
Resets a radio’s channel of operation

7.1.36.5.15 data-rates
interface-config-radio-instance
Configures the 802.11 data rates on this radio
This command sets the rate options depending on the 802.11 protocol and the radio band selected. If 2.4 GHz is selected as the radio band, select separate 802.11b, 802.11g and 802.11n rates and define how they are used in combination. If 5.0 GHz is selected as the radio band, select separate 802.11a and 802.11n rates then define how they are used together.
If dedicating the radio to either 2.4 or 5.0 GHz support, use the custom keyword to set an 802.11n modulation and coding scheme (MCS) in respect to the radio’s channel width and guard interval. A MCS defines (based on RF channel conditions) an optimal combination of rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Clients can associate as long as they support basic MCS (as well as non-11n basic rates).
Data rates are fixed and not user configurable for radios functioning as sensors.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default|custom|mcs]
data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default]
data-rates custom [1|2|5.5|6|9|11|12|18|24|36|48|54|mcs-1s|mcs-2s|mcs-3s|basic-1|basic-2|basic-5.5|basic-6|basic-9|basic-11|basic-12|basic-18|basic-24|basic-36|basic-48|basic-54|basic-mcs-1s]
data-rates mcs qam-only

NOTE: Use the rf-mode command to configure a radio’s mode of operation.
NOTE: The MCS-1s and MCS-2s options are available for each supported access point. However, the MCS-3s option is only available to the AP8232 model access point, and its ability to provide 3x3x3 MIMO support.

Parameters
• data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default]

data-rates
Configures the 802.11 data rates on this radio
b-only
Supports operation in the 802.11b mode only (applicable for 2.4 and 4.9 GHz bands)
g-only
Uses rates that support operation in the 802.11g mode only (applicable for 2.4 and 4.9 GHz bands)
a-only
Uses rates that support operation in the 802.11a mode only (applicable for 5.0 GHz band only)
bg
Uses rates that support 802.11b and 802.11g wireless clients (applicable for 2.4 and 4.9 GHz bands)
bgn
Uses rates that support 802.11b, 802.11g, and 802.11n wireless clients (applicable for 2.4 and 4.9 GHz bands)
gn
Uses rates that support 802.11g and 802.11n wireless clients (applicable for 2.4 and 4.9 GHz bands)
an
Uses rates that support 802.11a and 802.11n wireless clients (applicable for 5.0 GHz band only)
default
Enables the default data rates according to the radio’s band of operation

• data-rates custom [1|2|5.5|6|9|11|12|18|24|36|48|54|mcs-1s|mcs-2s|mcs-3s|basic-1|basic-2|basic-5.5|basic-6|basic-9|basic-11|basic-12|basic-18|basic-24|basic-36|basic-48|basic-54|basic-mcs-1s]

data-rates
Configures the 802.11 data rates on this radio
custom
Configures a list of data rates by specifying each rate individually. Use the 'basic-' prefix before a rate to indicate it is used as a basic rate (for example, 'data-rates custom basic-1 basic-2 5.5 11')
• 1 – 1-Mbps
• 2 – 2-Mbps
• 5.5 – 5.5-Mbps
• 6 – 6-Mbps
• 9 – 9-Mbps
• 11 – 11-Mbps
• 12 – 12-Mbps
• 18 – 18-Mbps
• 24 – 24-Mbps
• 36 – 36-Mbps
• 48 – 48-Mbps
• 54 – 54-Mbps
• mcs-1s – Applicable to 1-spatial stream data rates
• mcs-2s – Applicable to 2-spatial stream data rates
• mcs-3s – Applicable to 3-spatial stream data rates (supported only on AP8232 for the MIMO feature)
• basic-1 – Basic 1-Mbps
• basic-2 – Basic 2-Mbps
• basic-5.5 – Basic 5.5-Mbps
• basic-6 – Basic 6-Mbps
• basic-9 – Basic 9-Mbps
• basic-11 – Basic 11-Mbps
• basic-12 – Basic 12-Mbps
• basic-18 – Basic 18-Mbps
• basic-24 – Basic 24-Mbps
• basic-36 – Basic 36-Mbps
• basic-48 – Basic 48-Mbps
• basic-54 – Basic 54-Mbps
• basic-mcs-1s – Modulation and Coding Scheme data rates for 1 Spatial Stream
Note: Refer to the Usage Guidelines (Supported data rates) section for 802.11an and 802.11ac MCS detailed data rates, both with and without short guard intervals (SGI).

• data-rates mcs qam-only

data-rates
Configures the 802.11 data rates on this radio
mcs qam-only
Configures support for MCS QAM data rates only

Usage Guidelines (Supported data rates)
The following table defines the 802.11n MCS for MCS 1 streams, both with and without SGI:

MCS-1Stream Index  Number of Streams  20 MHz No SGI  20 MHz With SGI  40 MHz No SGI  40 MHz With SGI
0                  1                  6.5            7.2              13.5           15
1                  1                  13             14.4             27             30
2                  1                  19.5           21.7             40.5           45
3                  1                  26             28.9             54             60
4                  1                  39             43.4             81             90
5                  1                  52             57.8             108            120
6                  1                  58.5           65               121.5          135
7                  1                  65             72.2             135            150

The following table defines the 802.11n MCS for MCS 2 streams, both with and without SGI:

MCS-2Stream Index  Number of Streams  20 MHz No SGI  20 MHz With SGI  40 MHz No SGI  40 MHz With SGI
0                  2                  13             14.4             27             30
1                  2                  26             28.9             54             60
2                  2                  39             43.4             81             90
3                  2                  52             57.8             108            120
4                  2                  78             86.7             162            180
5                  2                  104            115.6            216            240
6                  2                  117            130              243            270
7                  2                  130            144.4            270            300

The following table defines the 802.11n MCS for MCS 3 streams, both with and without SGI:

MCS-3Stream Index  Number of Streams  20 MHz No SGI  20 MHz With SGI  40 MHz No SGI  40 MHz With SGI
0                  3                  19.5           21.7             40.5           45
1                  3                  39             43.3             81             90
2                  3                  58.5           65               121.5          135
3                  3                  78             86.7             162            180
4                  3                  117            130.7            243            270
5                  3                  156            173.3            324            360
6                  3                  175.5          195              364.5          405
7                  3                  195            216.7            405            450

The following table defines the 802.11ac MCS rates (theoretical throughput for single spatial streams) both with and without SGI:

MCS Index  20 MHz No SGI  20 MHz With SGI  40 MHz No SGI  40 MHz With SGI  80 MHz No SGI  80 MHz With SGI
0          6.5            7.2              13.5           15               29.3           32.5
1          13             14.4             27             30               58.5           65
2          19.5           21.7             40.5           45               87.8           97.5
3          26             28.9             54             60               117            130
4          39             43.3             81             90               175.5          195
5          52             57.8             108            120              234            260
6          58.5           65               121.5          135              263.3          292.5
7          65             72.2             135            150              292.5          325
8          78             86.7             162            180              351            390
9          N/A            N/A              180            200              390            433.3

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#data-rates b-only
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  ........................................................
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
Resets the 802.11 data rates on a radio
rf-mode
Configures the radio’s RF mode of operation

7.1.36.5.16 description
interface-config-radio-instance
Configures the selected radio’s description that helps differentiate it from other radios with similar configurations

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
description <WORD>

Parameters
• description <WORD>

description <WORD>
Provide a description for the selected radio (should not exceed 64 characters in length).

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#description "Primary radio to use"
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
Removes a radio’s description

7.1.36.5.17 dfs-rehome
interface-config-radio-instance
Reverts to configured home channel once the Dynamic Frequency Selection (DFS) evacuation period expires

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
dfs-rehome {holdtime <30-3600>}

NOTE: This option is applicable only if the radio’s RF mode is set to ‘5GHz-wlan’.

Parameters
• dfs-rehome {holdtime <30-3600>}

dfs-rehome {holdtime <30-3600>}
Enables the radio to revert to the configured home channel once the DFS evacuation period expires
• holdtime – Optional. Specifies the duration, in minutes, to stay in the new channel
  • <30-3600> – Specify the holdtime from 30 - 3600 minutes. The default is 90 minutes.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#dfs-rehome holdtime 500
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  dfs-rehome holdtime 500
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
Stays on DFS elected channel after evacuation period expires

7.1.36.5.18 dynamic-chain-selection
interface-config-radio-instance
Enables automatic antenna mode selection. When enabled, the radio can dynamically change the number of transmit chains used (uses a single chain/antenna for frames at non-11n transmit rates). This option is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
dynamic-chain-selection

Parameters
None

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#dynamic-chain-selection
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
Uses the configured transmit antenna mode for all clients

7.1.36.5.19 ekahau
interface-config-radio-instance
Enables Ekahau multicast packet forwarding. When enabled, Ekahau small, battery powered Wi-Fi tags are attached to tracked assets or assets carried by people. Ekahau processes locations, rules, messages, and environmental data and turns the information into locationing maps, alerts and reports.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
ekahau [forward ip <IP> port <0-65535>|mac <MAC>]

Parameters
• ekahau [forward ip <IP> port <0-65535>|mac <MAC>]

ekahau
Enables Ekahau multicast packet forwarding on this radio
forward ip <IP> port <0-65535>
Enables multicast packet forwarding to the Ekahau engine
• ip <IP> – Configures the IP address of the Ekahau engine in the A.B.C.D format
• port <0-65535> – Specifies the TaZman Sniffer Protocol (TZSP) port on the Ekahau engine from 0 - 65535
TZSP is an encapsulation protocol, which is generally used to wrap 802.11 wireless packets.
mac <MAC>
Configures the multicast MAC address to forward the Ekahau multicast packets
• <MAC> – Specify the MAC address in the AA-BB-CC-DD-EE-FF format.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#ekahau forward ip 172.16.10.1 port 3
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  .................................................
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
Uses default Ekahau multicast MAC address

7.1.36.5.20 extended-range
interface-config-radio-instance
Enables the extended range capability for AP7161 model access point. When enabled, these access points can exchange signals with their clients at greater distances without being timed out. This option is disabled by default.

Supported in the following platforms:
• Access Point — AP7161

Syntax
extended-range <1-25>

Parameters
• extended-range <1-25>

extended-range <1-25>
Configures extended range on this radio interface from 1 - 25 kilometers. The default is 2 km on 2.4 GHz band and 7 km on 5.0 GHz band.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#extended-range 15
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
  antenna-diversity
  airtime-fairness prefer-ht weight 6
  extended-range 15
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
Resets the extended range to default (7 km for 2.4 GHz and 5 km for 5.0 GHz)

7.1.36.5.21 fallback-channel
interface-config-radio-instance
Configures the channel to which the radio switches in case of radar detection on the current channel

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
fallback-channel [100|100w|100ww|104|104w|104ww|108|108w...............]

NOTE: Functionality is supported only in the US regulatory domain and only a non-dfs channel can be configured as a fallback channel.

Parameters
• fallback-channel [100|100w|100ww|104|104w|104ww|108|108w...............]

fallback-channel [100|100w|...........]
Configures the fallback channel. This is the channel the radio switches to in case a radar is detected on the radio’s current operating channel.
• [100|100w|100ww|...] – Select the fallback channel from the available options.
Note: Channels with a “w” appended to them are unique to the 40 MHz band. Channels with a “ww” appended to them are 802.11ac specific, and appear only when using an AP8232, and are unique to the 80 MHz band.

Example
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#fallback-channel 104
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#show context
 interface radio2
  fallback-channel 104
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#

Related Commands
no
Removes the fallback-channel configuration

7.1.36.5.22 guard-interval
interface-config-radio-instance
Configures the 802.11n guard interval. A guard interval ensures distinct transmissions do not interfere with one another. It provides immunity to propagation delays, echoes and reflection of radio signals.
The guard interval is the space between transmitted characters. The guard interval eliminates inter symbol interference (ISI). ISI occurs when echoes or reflections from one symbol interfere with another. Adding time between transmissions allows echoes and reflections to settle before the next symbol is transmitted. A shorter guard interval results in shorter symbol times, which reduces overhead and increases data rates by up to 10%.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
guard-interval [any|long]

Parameters
• guard-interval [any|long]

guard-interval
Configures the 802.11n guard interval
any
Enables the radio to use any short (400nSec) or long (800nSec) guard interval
long
Enables the use of long guard interval (800nSec). This is the default setting.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#guard-interval long
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  guard-interval long
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
Resets the 802.11n guard interval to default (long: 800nSec)

7.1.36.5.23 ldpc
interface-config-radio-instance
Enables support for Low Density Parity Check (LDPC) codes on the radio interface
LDPC consists of forward error correcting codes that enable error control in data transmission. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
ldpc

Parameters
None

Example
rfs4000-229D58(config-profile-Test81XX-if-radio1)#ldpc
rfs4000-229D58(config-profile-Test81XX-if-radio1)#show context
 interface radio1
  ldpc
rfs4000-229D58(config-profile-Test81XX-if-radio1)#

Related Commands
no
Disables LDPC support

7.1.36.5.24 lock-rf-mode
interface-config-radio-instance
Retains user configured RF mode settings for the selected radio. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
lock-rf-mode

Parameters
None

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#lock-rf-mode
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
  antenna-diversity
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
Allows Smart RF to change a radio’s RF mode settings
7.1.36.5.25 max-clients

interface-config-radio-instance

Configures the maximum number of wireless clients allowed to associate with this radio

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
max-clients <0-256>

Parameters
• max-clients <0-256>

max-clients <0-256>
    Configures the maximum number of clients allowed to associate with a radio, subject to the access point’s limit. Specify a value from 0 - 256. The default is 256.
    Note: The AP6511 and AP6521 model access points can only support 128 clients.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#max-clients 100
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  ..............................................
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
  antenna-diversity
  max-clients 100
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Resets the maximum number of wireless clients allowed to associate with a radio
7.1.36.5.26 mesh

interface-config-radio-instance

Use this command to configure radio mesh parameters. A Wireless Mesh Network (WMN) is a network of radio nodes organized in a mesh topology. It consists of mesh clients, mesh routers, and gateways.

Each radio setting can have a unique mesh mode and link configuration. This provides a customizable set of connections to other mesh supported radios within the same radio coverage area.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533

Syntax
mesh [client|links|portal|preferred-peer|psk]
mesh [client|links <1-6>|portal|preferred-peer <1-6> <MAC>|psk [0 <LINE>|2 <LINE>|<LINE>]]

Parameters
• mesh [client|links <1-6>|portal|preferred-peer <1-6> <MAC>|psk [0 <LINE>|2 <LINE>|<LINE>]]

mesh
    Configures radio mesh parameters, such as maximum number of mesh links, preferred peer device, client operations, etc.

client
    Enables operation as a client
    Setting the mesh mode to ‘client’ enables the radio to operate as a mesh client that scans for and connects to mesh portals or nodes that are connected to portals.

links <1-6>
    Configures the maximum number of mesh links a radio attempts to create
    • <1-6> – Sets the maximum number of mesh links from 1 - 6. The default is 6.

portal
    Enables operation as a portal
    Setting the mesh mode to ‘portal’ turns the radio into a mesh portal. The radio starts beaconing immediately and accepts connections from other mesh nodes, typically the node with a connection to the wired network.

preferred-peer <1-6> <MAC>
    Configures a preferred peer device
    • <1-6> – Configures the priority at which the peer node will be added
      When connecting to the mesh infrastructure, nodes with lower priority are given precedence over nodes with higher priority.
    • <MAC> – Sets the MAC address of the preferred peer device (Ethernet MAC of either an AP, wireless controller, or service platform with onboard radios)

psk [0 <LINE>|2 <LINE>|<LINE>]
    Configures the pre-shared key. Ensure this key is configured on the access point when staged for mesh, and added to the mesh client and to the portal access point’s configuration on the controller or service platform.
    • 0 <LINE> – Enter a clear text key
    • 2 <LINE> – Enter an encrypted key
    • <LINE> – Enter the pre-shared key
    Pre-shared keys should be 8 - 64 characters in length.
Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#mesh client
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  mesh client
  beacon period 50
  --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Disables mesh mode operation of the selected radio
7.1.36.5.27 meshpoint

interface-config-radio-instance

Maps an existing meshpoint to this radio

Use this command to assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available. If using a dual-radio access point there are 8 BSSIDs for the 802.11b/g/n radio and 8 BSSIDs for the 802.11a/n radio.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533

Syntax
meshpoint <MESHPOINT-NAME> {bss <1-16>}

Parameters
• meshpoint <MESHPOINT-NAME> {bss <1-16>}

meshpoint <MESHPOINT-NAME>
    Maps a meshpoint to this radio. Specify the meshpoint name.

bss <1-16>
    Optional. Specifies the radio’s BSS where this meshpoint is mapped
    • <1-16> – Specify the BSS number from 1 - 16.

Example
rfs6000-37FABE(config-profile-ap71xxTest-if-radio1)#meshpoint test bss 7
rfs6000-37FABE(config-profile-ap71xxTest-if-radio1)#show context
 interface radio1
  meshpoint test bss 7
rfs6000-37FABE(config-profile-ap71xxTest-radio1)#

Related Commands
no
    Disables meshpoint on the selected radio
7.1.36.5.28 mu-mimo

interface-config-radio-instance

Enables multi-user multiple input multiple output (MU-MIMO) support on the selected radio. When enabled, multiple users are able to simultaneously access the same channel using the spatial degrees of freedom offered by MIMO.

Supported in the following platforms:
• Access Points — AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533

Syntax
mu-mimo

Parameters
None

Example
nx9500-6C8809(config-profile-TestAP81xx-if-radio1)#mu-mimo
nx9500-6C8809(config-profile-TestAP81xx-if-radio1)#show context include-factory | include mu-mimo
  mu-mimo
nx9500-6C8809(config-profile-TestAP81xx-if-radio1)#

ap7532-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio1)#mu-mimo
ap7532-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio1)#show context include-factory | include mu-mimo
  mu-mimo
ap7532-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio1)#

Related Commands
no
    Disables mu-mimo on the selected radio
7.1.36.5.29 no

interface-config-radio-instance

Negates a command or resets settings to their default. When used in the profile/device > radio interface configuration mode, the no command disables or resets radio interface settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
no <PARAMETERS>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or reverts this radio interface’s settings based on the parameters passed

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
rfs6000-37FABE(config-profile-ap71xxTest-if-radio1)#no ?
  adaptivity                  Adaptivity
  aeroscout                   Use Default Aeroscout Multicast MAC Address
  aggregation                 Configure 802.11n aggregation related parameters
  airtime-fairness            Disable fair access to medium for clients,
                              provide access in a round-robin mode
  antenna-diversity           Use single antenna for non-11n transmit rates
  antenna-downtilt            Reset ADEPT antenna mode
  antenna-elevation           Reset the antenna elevation of this radio to
                              default
  antenna-gain                Reset the antenna gain of this radio to default
  antenna-mode                Reset the antenna mode (number of transmit and
                              receive antennas) on the radio to its default
  assoc-response              Configure transmission parameters for
                              Association Response frames
  association-list            Configure the association list for the radio
  beacon                      Configure beacon parameters
  bridge                      Bridge rf-mode related configuration
  channel                     Reset the channel of operation of this radio to
                              default
  data-rates                  Reset radio data rate configuration to default
  description                 Reset the description of the radio to its
                              default
  dfs-rehome                  Stay on dfs elected channel after evacuation
                              period expires
  dynamic-chain-selection     Use the configured transmit antenna mode for all
                              clients
  ekahau                      Use Default Ekahau Multicast MAC Address
  extended-range              Reset extended range to default
  fallback-channel            Clear the DFS fallback channel for this radio
  guard-interval              Configure default value of 802.11n guard
                              interval (long: 800nSec)
  ldpc                        Configure support for Low Density Parity Check
                              Code
  lock-rf-mode                Allow smart-rf to change rf-mode setting for
                              this radio
  max-clients                 Maximum number of wireless clients allowed to
                              associate
  mesh                        Disable mesh mode operation of the radio
  meshpoint                   Disable a meshpoint from this radio
  mu-mimo                     Disable multi user MIMO on this radio (selected
                              platforms only)
  non-unicast                 Configure handling of non-unicast frames
  off-channel-scan            Disable off-channel scanning on the radio
  placement                   Reset the placement of the radio to its default
  power                       Reset the transmit power of this radio to
                              default
  preamble-short              Disable the use of short-preamble on this radio
  probe-response              Configure transmission parameters for Probe
                              Response frames
  radio-resource-measurement  Configure support for 802.11k Radio Resource
                              Measurement
  radio-share-mode            Configure the radio-share mode of operation for
                              this radio
  rate-selection              Monotonic rate selection
  rf-mode                     Reset the RF mode of operation for this radio to
                              default (2.4GHz on radio1, 5GHz on radio2,
                              sensor on radio3)
  rifs                        Configure Reduced Interframe Spacing (RIFS)
                              parameters
  rts-threshold               Reset the RTS threshold to its default (65536)
  shutdown                    Re-enable the selected interface
  smart-rf                    Reset smart-rf related configuration to default
  sniffer-redirect            Disable capture and redirection of packets
  stbc                        Configure Space-Time Block Coding (STBC)
                              parameters
  transmit-beamforming        Disable Transmit Beamforming
  use                         Set setting to use
  wips                        Wireless intrusion prevention related
                              configuration
  wireless-client             Configure wireless client related parameters
  wlan                        Disable a wlan from this radio
  service                     Service Commands
rfs6000-37FABE(config-profile-ap71xxTest-if-radio1)#

The following example shows radio interface settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  mesh client
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
  antenna-diversity
  max-clients 100
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no channel
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no antenna-gain
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no description
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no antenna-mode
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no beacon dtim-period
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no beacon period

The following example shows radio interface settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  data-rates b-only
  mesh client
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-diversity
  max-clients 100
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
7.1.36.5.30 non-unicast

interface-config-radio-instance

Configures support for forwarding of non-unicast (multicast and broadcast) frames on this radio

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
non-unicast [forwarding|queue|tx-rate]
non-unicast forwarding [follow-dtim|power-save-aware]
non-unicast queue [<1-200>|bss]
non-unicast queue [<1-200>|bss <1-16> <1-200>]
non-unicast tx-rate [bss <1-16>|dynamic-all|dynamic-basic|highest-basic|lowest-basic]
non-unicast tx-rate bss <1-16> [dynamic-all|dynamic-basic|highest-basic|lowest-basic]

Parameters
• non-unicast forwarding [follow-dtim|power-save-aware]

non-unicast forwarding
    Enables non-unicast frame forwarding on this radio. Once enabled, select one of the available options to specify whether these frames should always follow DTIM, or only follow DTIM when using power save aware mode.

follow-dtim
    Specifies frames always wait for the DTIM interval to time out. The DTIM interval is configured using the beacon command. This is the default setting.

power-save-aware
    Enables immediate forwarding of frames only if all associated wireless clients are in the power save mode

• non-unicast queue [<1-200>|bss <1-16> <1-200>]

non-unicast queue
    Enables non-unicast frame forwarding on this radio. Once enabled, specify the number of broadcast packets queued per BSS on this radio. This option is enabled by default.
    This command also enables you to override the default on a specific BSS.

<1-200>
    Specify a number from 1 - 200. This value applies to all BSSs. The default is 50 frames per BSS.

bss <1-16> <1-200>
    Overrides the default on a specified BSS
    • <1-16> – Select the BSS number from 1 - 16.
    • <1-200> – Specify the number of broadcast packets queued for the selected BSS from 1 - 200.

• non-unicast tx-rate [bss <1-16>|dynamic-all|dynamic-basic|highest-basic|lowest-basic]

non-unicast tx-rate
    Enables non-unicast frame forwarding on this radio. Once enabled, use one of the available options to configure the rate at which these frames are transmitted.

bss <1-16>
    Overrides the default on a specified BSS
    • <1-16> – Select the BSS number from 1 - 16. The transmit rate selected is applied only to the BSS specified here. The tx-rate options are: dynamic-all, dynamic-basic, highest-basic, lowest-basic.

dynamic-all
    Dynamically selects a rate from all supported rates based on current traffic conditions

dynamic-basic
    Dynamically selects a rate from all supported basic rates based on current traffic conditions

highest-basic
    Uses the highest configured basic rate. This is the default setting.

lowest-basic
    Uses the lowest configured basic rate

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#non-unicast queue bss 2 3
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#non-unicast tx-rate bss 1 dynamic-all
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  data-rates b-only
  mesh client
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
  non-unicast tx-rate bss 8 highest-basic
  non-unicast tx-rate bss 9 highest-basic
  non-unicast tx-rate bss 10 highest-basic
  non-unicast tx-rate bss 11 highest-basic
  non-unicast tx-rate bss 12 highest-basic
  non-unicast tx-rate bss 13 highest-basic
  non-unicast tx-rate bss 14 highest-basic
  non-unicast tx-rate bss 15 highest-basic
  non-unicast tx-rate bss 16 highest-basic
  non-unicast queue bss 1 50
  non-unicast queue bss 2 3
--More--
  antenna-diversity
  max-clients 100
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Resets the handling of non-unicast frames to its default
7.1.36.5.31 off-channel-scan

interface-config-radio-instance

Enables off channel scanning on this radio. This option is disabled by default.

Channel scanning uses the access point’s resources and is time consuming. Therefore, enable this option only if the radio has the bandwidth to support channel scan without negatively impacting client support.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
off-channel-scan {channel-list|max-multicast|scan-interval|sniffer-redirect}
off-channel-scan {channel-list [2.4Ghz|5Ghz]} {<CHANNEL-LIST>}
off-channel-scan {max-multicast <0-100>|scan-interval <2-100>}
off-channel-scan {sniffer-redirect tzsp <IP>}

Parameters
• off-channel-scan {channel-list [2.4Ghz|5Ghz]} {<CHANNEL-LIST>}

off-channel-scan
    Enables off-channel scanning and configures related parameters. These parameters are optional, and the system configures default settings if no values are specified.

channel-list [2.4GHz|5GHz]
    Optional. Selects the 2.4GHz or 5GHz access point radio band. Restricting off channel scans to specific channels frees bandwidth otherwise utilized for scanning across all channels.
    • 2.4GHz – Selects the 2.4 GHz band
    • 5GHz – Selects the 5.0 GHz band

<CHANNEL-LIST>
    Optional. Specifies a list of 20 MHz, 40 MHz, or 80 MHz channels for the selected band (the channels are separated by commas or hyphens)

• off-channel-scan {max-multicast <0-100>|scan-interval <2-100>}

off-channel-scan
    Enables off-channel scanning and configures related parameters. These parameters are optional, and the system configures default settings if no values are specified.

max-multicast <0-100>
    Optional. Configures the maximum multicast/broadcast messages used to perform OCS
    • <0-100> – Specify a value from 0 - 100. The default is 4.

scan-interval <2-100>
    Optional. Configures the scan interval in dtims
    • <2-100> – Specify a value from 2 - 100. The default is 20 dtims.

• off-channel-scan {sniffer-redirect tzsp <IP>}

off-channel-scan
    Enables off-channel scanning and configures related parameters. These parameters are optional, and the system configures default settings if no values are specified.

sniffer-redirect tzsp <IP>
    Optional. Captures and redirects packets to a host running a packet capture/analysis tool. Use this command to configure the IP address of the host.
    • tzsp – Encapsulates captured packets in TZSP before redirecting to the specified host
    • <IP> – Specify the destination device IP address.
Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#off-channel-scan channel-list 2.4GHz 1
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  data-rates b-only
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
  non-unicast tx-rate bss 8 highest-basic
  non-unicast tx-rate bss 9 highest-basic
  non-unicast tx-rate bss 10 highest-basic
  non-unicast tx-rate bss 11 highest-basic
  non-unicast tx-rate bss 12 highest-basic
  non-unicast tx-rate bss 13 highest-basic
  non-unicast tx-rate bss 14 highest-basic
  non-unicast tx-rate bss 15 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Disables radio off channel scanning
7.1.36.5.32 placement

interface-config-radio-instance

Defines the radio’s location (whether the radio is deployed indoors or outdoors). The radio’s placement should depend on the country of operation selected and its regulatory domain requirements for radio emissions.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
placement [indoor|outdoor]

Parameters
• placement [indoor|outdoor]

placement
    Defines the radio’s location

indoor
    Radio is deployed indoors (uses indoor regulatory rules). This is the default setting.

outdoor
    Radio is deployed outdoors (uses outdoor regulatory rules)

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#placement outdoor
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
  non-unicast tx-rate bss 8 highest-basic
  non-unicast tx-rate bss 9 highest-basic
  non-unicast tx-rate bss 10 highest-basic
  non-unicast tx-rate bss 11 highest-basic
  non-unicast tx-rate bss 12 highest-basic
  non-unicast tx-rate bss 13 highest-basic
  non-unicast tx-rate bss 14 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Resets a radio’s deployment location
7.1.36.5.33 power

interface-config-radio-instance

Configures the radio’s transmit power setting

The transmit power control (TPC) mechanism automatically reduces the used transmission output power when other networks are within range. Reduced power results in reduced interference issues and increased battery capacity.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
power [<1-30>|smart]

Parameters
• power [<1-30>|smart]

power
    Configures a radio’s transmit power

<1-30>
    Configures the transmit power from 1 - 30 dBm (actual power could be lower based on regulatory restrictions)
    For APs with dual or three radios, each radio should be configured with a unique transmit power in respect to its intended client support function.

smart
    Enables Smart RF to determine the optimum transmit power needed. By default APs use Smart RF to determine transmit power.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#power 12
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  power 12
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
 --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Resets a radio’s transmit power
7.1.36.5.34 preamble-short

interface-config-radio-instance

Enables short preamble on this radio. If using an 802.11bg radio, enable short preamble. Short preambles improve throughput. However, some devices (SpectraLink phones) require long preambles. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533

Syntax
preamble-short

Parameters
None

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#preamble-short
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  power 12
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  preamble-short
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
  non-unicast tx-rate bss 8 highest-basic
  non-unicast tx-rate bss 9 highest-basic
  non-unicast tx-rate bss 10 highest-basic
  non-unicast tx-rate bss 11 highest-basic
  non-unicast tx-rate bss 12 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Disables the use of short preamble on a radio
7.1.36.5.35 probe-response

interface-config-radio-instance

Configures transmission parameters for probe response frames

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
probe-response [rate|retry|rssi-threshold]
probe-response retry
probe-response rate [follow-probe-request|highest-basic|lowest-basic]
probe-response rssi-threshold <-128--40>

Parameters
• probe-response retry

probe-response retry
    Enables retransmission of probe-response frames if no acknowledgement is received from the client. This option is enabled by default.

• probe-response rate [follow-probe-request|highest-basic|lowest-basic]

probe-response rate
    Configures the rates used for transmission of probe response frames. The tx-rate options available for transmitting probe response frames are: follow-probe-request, highest-basic, lowest-basic.

follow-probe-request
    Transmits probe responses at the same rate as the received request (default setting)

highest-basic
    Uses the highest configured basic rate

lowest-basic
    Uses the lowest configured basic rate

• probe-response rssi-threshold <-128--40>

probe-response rssi-threshold <-128--40>
    Ignores probe request from client if the received signal strength is less than the RSSI threshold specified here
    • <-128--40> – Specify a value from -128 - -40.

Example
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response rate highest-basic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response retry
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response rssi-threshold -60
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
 interface radio1
  probe-response rate highest-basic
  probe-response rssi-threshold -60
nx9500-6C8809(config-profile-testAP7161-if-radio1)#

Related Commands
no
    Resets transmission parameters for probe response frames
7.1.36.5.36 radio-resource-measurement

interface-config-radio-instance

Enables 802.11k radio resource measurement. When enabled, the radio station sends channel and neighbor reports.

The IEEE 802.11 Task Group k defined a set of specifications regarding radio resource measurements. These specifications specify the radio resources to be measured and the mechanism used to communicate measurement requests and results.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
radio-resource-measurement [attenuation-threshold <1-199>|max-entries <1-12>]

Parameters
• radio-resource-measurement [attenuation-threshold <1-199>|max-entries <1-12>]

radio-resource-measurement
    Enables 802.11k radio resource measurement on the radio

attenuation-threshold <1-199>
    Configures the neighbor attenuation threshold, considered when generating channel and neighbor reports
    • <1-199> – Specify the attenuation threshold from 1 - 199. The default is 90.

max-entries <1-12>
    Configures the maximum number of entries to include in channel and neighbor reports
    • <1-12> – Specify a value from 1 - 12. The default is 6.

Example
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#radio-resource-measurement attenuation-threshold 20
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#radio-resource-measurement max-entries 10
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#show context
 interface radio1
  radio-resource-measurement max-entries 10
  radio-resource-measurement attenuation-threshold 20
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#

Related Commands
no
    Disables 802.11k radio resource measurement support
7.1.36.5.37 radio-share-mode

interface-config-radio-instance

Configures the radio’s mode of operation as radio share. A radio operating in the radio share mode services clients and also performs sensor functions (defined by the radio’s AirDefense Services Platform (ADSP) licenses and profiles).

NOTE: The sensor capabilities of the radio are restricted to the channel and WLANs defined on the radio.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533

Syntax
radio-share-mode [inline|off|promiscuous]

Parameters
• radio-share-mode [inline|off|promiscuous]

radio-share-mode
    Enables sharing of packets, switched by this radio, with the WIPS sensor module. There are two radio-share modes: inline and promiscuous.

inline
    Enables sharing of all WLAN packets (matching the BSSID of the radio) serviced by the radio with the WIPS sensor module.

off
    Disables radio share (no packets shared with the WIPS sensor module)

promiscuous
    Enables the promiscuous radio share mode. In this mode the radio is configured to receive all packets on the channel irrespective of whether the destination address is the radio or not, and shares these packets with the WIPS sensor module for analysis (i.e. without filtering based on BSSID).

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#radio-share-mode promiscuous
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  power 12
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  preamble-short
  guard-interval long
  .........................................................
  non-unicast queue bss 16 50
  antenna-diversity
  max-clients 100
  radio-share-mode promiscuous
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no
    Resets the radio share mode for this radio to its default
7.1.36.5.38 rate-selection

interface-config-radio-instance

Sets the data-rate selection mode to standard or opportunistic

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
rate-selection [opportunistic|standard]

Parameters
• rate-selection [opportunistic|standard]

rate-selection – Sets the rate selection mode to standard or opportunistic
standard – Configures the monotonic rate selection mode. This is the default setting.
opportunistic – Configures the opportunistic radio link adaptation (ORLA) rate selection mode
  The ORLA algorithm is designed to select data rates that provide best throughput. Instead of using local conditions to decide whether a data rate is acceptable or not, ORLA pro-actively probes other rates to determine if greater throughput is available. If these other rates do provide improved throughput, ORLA intelligently adjusts its selection tables to favour higher performance. ORLA provides improvements both on the client side of a mesh network as well as in the backhaul capabilities.
  Note: The ORLA rate selection mode is supported only on the AP7161 and AP8163 model access points.

Example
nx9500-6C8809(config-profile-testAP7161-if-radio1)#rate-selection opportunistic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
 interface radio1
  rate-selection opportunistic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#

Related Commands
no – Resets the rate selection mode to standard (monotonic)
7.1.36.5.39 rf-mode

interface-config-radio-instance

Configures the radio’s RF mode of operation

This command sets the mode to either 2.4 GHz WLAN or 5.0 GHz WLAN support depending on the radio’s intended client support. If you are currently licensed to use 4.9 GHz, configure the 4.9 GHz-WLAN option. Set the mode to sensor if using the radio for rogue device detection. The radio cannot support rogue detection when one of the other radios is functioning as a WIPS sensor. To set a radio as a detector, disable sensor support on the other access point radios.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
rf-mode [2.4GHz-wlan|4.9GHz-wlan|5GHz-wlan|bridge|scan-ahead|sensor]

Parameters
• rf-mode [2.4GHz-wlan|4.9GHz-wlan|5GHz-wlan|bridge|scan-ahead|sensor]

rf-mode – Configures the radio’s RF mode of operation
2.4GHz-wlan – Provides WLAN service in the 2.4 GHz bandwidth
4.9GHz-wlan – Provides WLAN service in the 4.9 GHz bandwidth
5GHz-wlan – Provides WLAN service in the 5.0 GHz bandwidth
bridge – Enables this radio to operate as client bridge that can authenticate and associate to a defined infrastructure Wireless LAN (WLAN) access point
  Note: This option is applicable only on the AP6522, AP6562, AP7522, AP7532, and AP7562 model access points. Enable this option only if the access point is to provide client-bridge support. Once enabled, configure the client-bridge parameters. For more information, see bridge.
scan-ahead – Enables this radio to operate as a scan-ahead radio
  A radio functioning in the scan-ahead mode is used for forward scanning only. The radio does not support WLAN or mesh services.
  The scan ahead feature is used in Dynamic Frequency Selection (DFS) aware countries for infrastructure devices, static, and vehicular mounted modems (VMMs). It enables a secondary radio to scan ahead for an active channel for backhaul transmission, in the event of a radar trigger on the primary radio. The device then switches radios allowing transmission to continue. This is required in environments where handoff is required and DFS triggers are common.
  With a secondary radio dedicated for forward scanning, the primary radio, in case of radar hit, hands over the channel availability check (CAC) function to the secondary radio. This avoids a break in data communication, which would have resulted if the primary radio was to do CAC itself.
  The secondary radio periodically does a scan of the configured channel list, searching for the other available meshpoint roots. When configured on the root meshpoint, the scan-ahead feature also scans for cleaner channels.
sensor – Operates as a sensor radio. Configures this radio to function as a scanner, providing scanning services on both 2.4 GHz and 5.0 GHz bands. The radio does not provide WLAN services.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#rf-mode sensor
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no – Resets the radio’s RF mode of operation
data-rates – Configures the 802.11 data rates on this radio
7.1.36.5.40 rifs

interface-config-radio-instance

Configures Reduced Interframe Spacing (RIFS) parameters on this radio

This value determines whether interframe spacing is applied to access point transmitted or received packets, both, or none. Inter-frame spacing is the interval between two consecutive Ethernet frames that enable a brief recovery between packets and allow target devices to prepare for the reception of the next packet.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
rifs [none|rx-only|tx-only|tx-rx]

Parameters
• rifs [none|rx-only|tx-only|tx-rx]

rifs – Configures RIFS parameters
none – Disables support for RIFS
  Consider setting the value to None for high-priority traffic to reduce packet delay.
rx-only – Supports RIFS possession only
tx-only – Supports RIFS transmission only
tx-rx – Supports both RIFS transmission and possession (default setting)

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#rifs tx-only
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  rifs tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no – Disables radio’s RIFS parameters
7.1.36.5.41 rts-threshold

interface-config-radio-instance

Configures the Request to Send (RTS) threshold value on this radio

RTS is a transmitting station’s signal that requests a Clear To Send (CTS) response from a receiving client. This RTS/CTS procedure clears the air where clients are contending for transmission time. Benefits include fewer data collisions and better communication with nodes that are hard to find (or hidden) because of other active nodes in the transmission path.

The RTS threshold controls RTS/CTS by initiating an RTS/CTS exchange for data frames larger than the threshold, and sends (without RTS/CTS) any data frames smaller than the threshold.

Consider the trade-offs when setting an appropriate RTS threshold for the WLAN’s access point radios. A lower RTS threshold causes more frequent RTS/CTS exchanges. This consumes more bandwidth because of additional latency (RTS/CTS exchanges) before transmissions can commence. A disadvantage is the reduction in data-frame throughput. An advantage is quicker system recovery from electromagnetic interference and data collisions. Environments with more wireless traffic and contention for transmission make the best use of a lower RTS threshold.

A higher RTS threshold minimizes RTS/CTS exchanges, consuming less bandwidth for data transmissions. A disadvantage is less help to nodes that encounter interference and collisions. An advantage is faster data-frame throughput. Environments with less wireless traffic and contention for transmission make the best use of a higher RTS threshold.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
rts-threshold <0-65536>

Parameters
• rts-threshold <0-65536>

rts-threshold <0-65536> – Specify the RTS threshold value from 0 - 65536 bytes. The default is 65536 bytes.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#rts-threshold 100
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  rts-threshold 100
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no – Resets a radio’s RTS threshold to its default
7.1.36.5.42 service

interface-config-radio-instance

Enables dynamic control function. This dynamic function controls performance of the radio receiver's low noise amplifiers (LNAs).

When enabled, the control function, in the presence of very strong received signals, improves the receiver’s performance on radio 1. Strong signals are caused if the distance between the WiFi client and the AP is within two (2) meters. When disabled, the control function is a useful debug tool in case the uplink throughput is less than expected and the AP-to-client separation is greater than two (2) meters. Disabling the control function does not affect the receive sensitivity of the radio.

Supported in the following platforms:
• Access Points — AP6522, AP6562

Syntax
service radio-lna [agc|ms]

Parameters
• service radio-lna [agc|ms]

service radio-lna [agc|ms] – Enables dynamic control function
  • agc – Enables dynamic LNA control function. This is the default setting.
  • ms – Disables dynamic LNA control function

Example
nx9500-6C8809(config-profile-testAP6522-if-radio1)#service radio-lna ms
nx9500-6C8809(config-profile-testAP6522-if-radio1)#show context
 interface radio1
  service radio-lna ms
nx9500-6C8809(config-profile-testAP6522-if-radio1)#

Related Commands
no – Reverts radio-lna mode to default (agc)
7.1.36.5.43 shutdown

interface-config-radio-instance

Terminates or shuts down selected radio interface

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
shutdown

Parameters
None

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#shutdown
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no – Enables a disabled radio interface
7.1.36.5.44 smart-rf

interface-config-radio-instance

Overrides Smart RF channel width setting on this radio. When configured, the radio overrides the Smart RF selected channel setting and operates in the channel configured using this command.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
smart-rf preferred-channel-width [20MHz|40MHz|80MHz]

Parameters
• smart-rf preferred-channel-width [20MHz|40MHz|80MHz]

smart-rf preferred-channel-width [20MHz|40MHz|80MHz] – Configures the preferred channel width. The options are:
  • 20MHz – Sets 20 MHz as the preferred channel of operation
  • 40MHz – Sets 40MHz as the preferred channel of operation
  • 80MHz – Sets 80MHz as the preferred channel of operation (default setting)

Example
nx9500-6C8809(config-profile-testAP7161-if-radio1)#smart-rf preferred-channel-width 40MHz
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
 interface radio1
  smart-rf preferred-channel-width 40MHz
  rate-selection opportunistic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#

Related Commands
no – Enables use of Smart RF selected channel of operation
7.1.36.5.45 sniffer-redirect

interface-config-radio-instance

Captures and redirects packets to an IP address running a packet capture/analysis tool

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
sniffer-redirect [omnipeek|tzsp] <IP> channel [1|10|100|100w --------] {snap <1-65535> (append descriptor)}

Parameters
• sniffer-redirect [omnipeek|tzsp] <IP> channel [1|10|100|100w ---------] {snap <1-65535> (append descriptor)}

sniffer-redirect – Captures and redirects packets to an IP address running a packet capture/analysis tool
omnipeek – Encapsulates captured packets in proprietary header (used with OmniPeek and plug-in)
tzsp – Encapsulates captured packets in TZSP (used with Wireshark and other tools)
<IP> – Specify the IP address of the device running the capture/analysis tool (the host to which captured off channel scan packets are redirected)
[1|10|100|100w ----------] – Specify the channel to capture packets
  • 1 – Channel 1 in 20 MHz mode (default setting)
  • 10 – Channel 10 in 20 MHz mode
  • 100 – Channel 100 in 20 MHz mode
  • 100w – Channels 100w in 40 MHz mode (channels 100*,104)
snap <1-65535> – Optional. Allows truncating of large captured frames at a specified length (in bytes). This option is useful when capturing traffic with large frames. Use this option when only headers are needed for analysis, since it reduces the bandwidth needed for sniffing, and (for typical values) eliminates any fragmentation of the outer packet.
  • <1-65535> – Specify the maximum truncated byte length of captured packets.
append descriptor – Optional. Enables appending of the radio's receive descriptor to the captured packet

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#sniffer-redirect omnipeek 172.16.10.1 channel 1
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  rts-threshold 100
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  rifs tx-only
  sniffer-redirect omnipeek 172.16.10.1 channel 1
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
 --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no – Disables packet capture and redirection
7.1.36.5.46 stbc

interface-config-radio-instance

Configures the radio’s Space Time Block Coding (STBC) mode. STBC is a pre-transmission encoding scheme providing an improved SNR ratio (even at a single RF receiver). STBC transmits multiple data stream copies across multiple antennas. The receiver combines the copies into one to retrieve data from the signal. These transmitted data versions provide redundancy to increase the odds of receiving data streams with a good data decode (especially in noisy environments).

NOTE: STBC requires the radio has at least two antennas with the capability to transmit two streams. If the antenna mode is configured to 1x1 (or falls back to 1x1 for some reason), STBC support is automatically disabled.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
stbc [auto|none|tx-only]

Parameters
• stbc [auto|none|tx-only]

stbc – Configures the radio’s STBC mode
auto – Autoselects STBC settings based on the platform type and other radio interface settings. This is the default setting.
none – Disables STBC support
tx-only – Configures the AP radio to format and broadcast the special stream (enables STBC support for transmit only)

Example
rfs6000-37FABE(config-profile-81xxTestProfile-if-radio1)#stbc tx-only
rfs6000-37FABE(config-profile-81xxTestProfile-if-radio1)#show context
 interface radio1
  stbc tx-only
rfs6000-37FABE(config-profile-81xxTestProfile-if-radio1)#

Related Commands
no – Disables STBC support
7.1.36.5.47 transmit-beamforming

interface-config-radio-instance

Enables transmit beamforming on this radio interface. This option is disabled by default.

When enabled, this option steers signals to peers in a specific direction to enhance signal strength and improve throughput amongst meshed devices (not clients). Each access point radio supports up to 16 beamforming capable mesh peers. When enabled, a beamformer steers its wireless signals to its peers. A beamformee device assists the beamformer with channel estimation by providing a feedback matrix. The feedback matrix is a set of values sent by the beamformee to assist the beamformer in computing a steering matrix. A steering matrix is an additional set of values used to steer wireless signals at the beamformer so constructive signals arrive at the beamformee for better SNR and throughput. Any beamforming capable mesh peer connecting to a radio whose capacity is exhausted cannot enable beamforming itself.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP8122, AP8132, AP8163, AP8432, AP8533

Syntax
transmit-beamforming

Parameters
None

Example
nx9500-6C8809(config-profile-testAP81XX-if-radio1)#transmit-beamforming

Related Commands
no – Disables transmit beamforming on this radio interface
7.1.36.5.48 use

interface-config-radio-instance

Applies an association ACL policy and a radio QoS policy on this radio interface

An association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a controller managed access point radio. An ACL is a sequential collection of permit and deny conditions that apply to controller packets. When a packet is received on an interface, the controller compares the fields in the packet against any applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. If a packet does not meet any of the criteria specified in the ACL, the packet is dropped.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
use [association-acl-policy|radio-qos-policy]
use [association-acl-policy <ASSOC-ACL-POLICY-NAME>|radio-qos-policy <RADIO-QOS-POLICY-NAME>]

Parameters
• use [association-acl-policy <ASSOC-ACL-POLICY-NAME>|radio-qos-policy <RADIO-QOS-POLICY-NAME>]

use – Applies an association ACL policy and a radio QoS policy on this radio interface
association-acl-policy – Uses a specified association ACL policy with this radio interface
  • <ASSOC-ACL-POLICY-NAME> – Specify the association ACL policy name (should be existing and fully configured).
radio-qos-policy – Uses a specified radio QoS policy with this radio interface
  • <RADIO-QOS-POLICY-NAME> – Specify the radio QoS policy name (should be existing and fully configured).

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#use association-acl-policy test
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  rts-threshold 100
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  rifs tx-only
  use association-acl-policy test
  sniffer-redirect omnipeek 172.16.10.1 channel 1
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no – Dissociates the specified association ACL policy and radio QoS policy
7.1.36.5.49 wips

interface-config-radio-instance

Enables the access point to change its channel of operation in order to terminate rogue devices. The radio should be configured to provide WLAN service.

This option is enabled by default.

NOTE: AP7522 and AP7532 access points use Smart RF to perform off-channel scans. Therefore, ensure that a Smart RF policy is configured and applied to the AP7522 and AP7532 access points' RF Domains to enable them to perform rogue detection and termination.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
wips airtime-termination allow-channel-change

Parameters
• wips airtime-termination allow-channel-change

wips airtime-termination allow-channel-change – Enables the access point to change its channel of operation (to that of the rogue device) in order to terminate the rogue device

Example
nx9500-6C8809(config-profile-testAP81XX-if-radio1)#wips airtime-termination allow-channel-change

Related Commands
no – Prevents the access point from changing its channel of operation in order to terminate rogue devices
7.1.36.5.50 wireless-client

interface-config-radio-instance

Configures wireless client parameters on this radio

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
wireless-client tx-power [<0-20>|mode]
wireless-client tx-power <0-20>
wireless-client tx-power mode [802.11d {wing-ie}|wing-ie {802.11d}]

Parameters
• wireless-client tx-power <0-20>

wireless-client – Configures wireless client parameters
tx-power <0-20> – Configures the transmit power indicated to wireless clients. If using a dual or three radio model access point, each radio should be configured with a unique transmit power in respect to its intended client support function. A setting of 0 defines the radio as using Smart RF to determine its output power. 20 dBm is the default value.
  • <0-20> – Specify transmit power from 0 - 20 dBm.

• wireless-client tx-power mode [802.11d {wing-ie}|wing-ie {802.11d}]

wireless-client – Configures wireless client parameters
tx-power [802.11d|wing-ie] – Configures the transmit power indicated to wireless clients
  • 802.11d – Advertises in the IEEE 802.11d country information element
    • wing-ie – Optional. Advertises in the WiNG information element (173)
  • wing-ie – Advertises in the WiNG information element (173). This is the default setting.
    • 802.11d – Optional. Advertises in the IEEE 802.11d country information element

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#wireless-client tx-power 20
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  rts-threshold 100
  wireless-client tx-power 20
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
   --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no – Resets the transmit power indicated to wireless clients
7.1.36.5.51 wlan

interface-config-radio-instance

Enables a WLAN on this radio

Use this command to configure WLAN/BSS mappings for an existing access point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available. If using a dual-radio access point there are 8 BSSIDs for the 802.11b/g/n radio and 8 BSSIDs for the 802.11a/n radio.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
wlan <WLAN-NAME> {bss|primary}
wlan <WLAN-NAME> {bss <1-16>} {primary}

Parameters
• wlan <WLAN-NAME> {bss <1-16>} {primary}

<WLAN-NAME> {bss <1-16>|primary} – Specify the WLAN name (it must have been already created and configured)
  • bss <1-16> – Optional. Specifies a BSS for the radio to map the WLAN
    • <1-16> – Specify the BSS number from 1 - 16.
    • primary – Optional. Uses the specified WLAN as the primary WLAN, when multiple WLANs exist on the BSS
  • primary – Optional. Uses the specified WLAN as the primary WLAN, when multiple WLANs exist on the BSS

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#wlan TestWLAN primary
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  rts-threshold 100
  wireless-client tx-power 20
  wlan TestWLAN bss 1 primary
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  rifs tx-only
  use association-acl-policy test
  sniffer-redirect omnipeek 172.16.10.1 channel 1
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
no – Disables a WLAN on a radio
7.1.36.6 interface-config-wwan-instance

interface

A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a device to connect, transmit and receive data over a Cellular Wide Area Network. The RFS4000 and RFS6000 each have a PCI Express card slot that supports 3G WWAN cards. The WWAN card uses point to point protocol (PPP) to connect to the Internet Service Provider (ISP) and gain access to the Internet. PPP is the protocol used for establishing Internet links over dial-up modems, DSL connections, and many other types of point-to-point communications. PPP packages your system’s TCP/IP packets and forwards them to the serial device where they can be put on the network. PPP is a full-duplex protocol that can be used on various physical media, including twisted pair or fiber optic lines or satellite transmission. It uses a variation of High Speed Data Link Control (HDLC) for packet encapsulation.

To switch to the WWAN Interface configuration mode, use the following command:

<DEVICE>(config)#profile <DEVICE-TYPE> <DEVICE-PROFILE-NAME>
<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#interface wwan1
<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#?
Interface configuration commands:
  apn          Enter the access point name provided by the service provider
  auth-type    Type of authentication, Eg chap, pap
  crypto       Encryption Module
  description  Port description
  ip           Internet Protocol (IP)
  no           Negate a command or set its defaults
  password     Enter password provided by the service provider
  shutdown     Disable wireless wan feature
  use          Set setting to use
  username     Enter username provided by the service provider

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal

<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#

The following table summarizes WWAN interface configuration commands:

Command – Description
apn – Configures the access point’s name provided by the service provider
auth-type – Configures the authentication types used on this interface
crypto – Associates a crypto map with this interface
ip – Associates an IP ACL with this interface
no – Removes or reverts the WWAN interface settings
password – Configures a password for this WWAN interface
use – Associates an IP ACL with this interface
username – Configures the names of users accessing this interface
7.1.36.6.1 apn

interface-config-wwan-instance

Configures the cellular data provider’s name. This setting is needed in areas with multiple cellular data providers using the same protocols, such as Europe and Asia.

Supported in the following platforms:
• Access Point — AP7161, AP81XX, AP8232
• Wireless Controllers — RFS4000, RFS6000

Syntax
apn <WORD>

Parameters
• apn <WORD>

apn <WORD> – Specify the name of the cellular data service provider.

Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#apn AT&T
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  apn AT&T
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#

Related Commands
no – Removes the configured access point name.
7.1.36.6.2 auth-type

interface-config-wwan-instance

Configures the authentication type used by the cellular data provider

Supported in the following platforms:
• Access Point — AP7161, AP81XX, AP8232
• Wireless Controllers — RFS4000, RFS6000

Syntax
auth-type [chap|mschap|mschap-v2|pap]

Parameters
• auth-type [chap|mschap|mschap-v2|pap]

auth-type – Configures the authentication protocol used on this interface. The options are: PAP, CHAP, MSCHAP, and MSCHAP-v2
chap – Configures Challenge-Handshake Authentication Protocol (CHAP). This is the default value.
mschap – Configures Microsoft Challenge-Handshake Authentication Protocol (MSCHAP)
mschap-v2 – Configures Microsoft Challenge-Handshake Authentication Protocol (MSCHAP) version 2
pap – Configures Password Authentication Protocol (PAP)

Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#auth-type mschap-v2
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  apn AT&T
  auth-type mschap-v2
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#

Related Commands
no – Removes the authentication protocol configured on this interface
7.1.36.6.3 crypto

interface-config-wwan-instance

Associates a crypto map with this interface

Supported in the following platforms:
• Access Point — AP7161, AP81XX, AP8232
• Wireless Controllers — RFS4000, RFS6000

Syntax
crypto map <CRYPTO-MAP-NAME>

Parameters
• crypto map <CRYPTO-MAP-NAME>

crypto map <CRYPTO-MAP-NAME> – Associates a crypto map with this interface
  • <CRYPTO-MAP-NAME> – Specify the crypto map name (should be existing and configured).

Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#crypto map test
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  apn AT&T
  auth-type mschap-v2
  crypto map test
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#

Related Commands
no – Removes the crypto map associated with this interface
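The following is an added example, not part of the WiNG guide or any Extreme Networks tooling: a small audit pass over `show context` output that reports the radio and WWAN settings documented above which deserve a reviewer's attention (sniffer-redirect destinations, promiscuous radio share, a sensor radio that still carries a WLAN mapping, and PAP on the WWAN link). The sample output, the allowlist of approved capture hosts and the severity labels are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample, stitched together in the layout of the `show context`
# examples in this guide. Prompt, APN and addresses are illustrative only.
SAMPLE_CONTEXT = """\
rfs6000-37FABE(config-profile-71xxTestProfile)#show context
 interface radio1
  rf-mode sensor
  wlan TestWLAN bss 1 primary
  sniffer-redirect omnipeek 172.16.10.1 channel 1
  --More--
 interface radio2
  radio-share-mode promiscuous
  sniffer-redirect tzsp 172.16.10.50 channel 100w snap 128
 interface wwan1
  apn ExampleAPN
  auth-type pap
  crypto map test
rfs6000-37FABE(config-profile-71xxTestProfile)#
"""

# sniffer-redirect [omnipeek|tzsp] <IP> channel <CH> {snap <1-65535>}
SNIFFER_RE = re.compile(
    r"^sniffer-redirect (omnipeek|tzsp) (\S+) channel (\S+)(?: snap (\d+))?"
)


def parse_contexts(text):
    """Split `show context` output into {interface name: [setting lines]}."""
    contexts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ")#" in line:                 # a CLI prompt ends the current block
            current = None
        elif not line or line == "--More--":
            continue                     # pager marker and blanks: no settings
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            contexts[current] = []
        elif current is not None:
            contexts[current].append(line)
    return contexts


def audit(contexts, approved_capture_hosts):
    """Return (interface, severity, message) findings for reviewable settings.

    approved_capture_hosts is a hypothetical site allowlist of analysis hosts
    permitted to receive redirected captures.
    """
    approved = {ipaddress.ip_address(h) for h in approved_capture_hosts}
    findings = []
    for name, settings in contexts.items():
        has_wlan = any(s.startswith("wlan ") for s in settings)
        for s in settings:
            m = SNIFFER_RE.match(s)
            if m:
                encap, host, channel, snap = m.groups()
                scope = f"truncated to {snap} bytes" if snap else "full frames (no snap)"
                try:
                    dest = ipaddress.ip_address(host)
                except ValueError:
                    findings.append((name, "HIGH", f"unparseable capture destination {host!r}"))
                    continue
                sev = "INFO" if dest in approved else "HIGH"
                state = "approved" if dest in approved else "NOT on the approved list"
                findings.append((name, sev,
                    f"{encap} capture of channel {channel} sent to {dest} ({state}), {scope}"))
            elif s == "radio-share-mode promiscuous":
                findings.append((name, "INFO",
                    "radio shares every frame on the channel with the WIPS sensor module"))
            elif s == "rf-mode sensor" and has_wlan:
                # The guide states a sensor radio does not provide WLAN services.
                findings.append((name, "MEDIUM",
                    "rf-mode sensor set but a WLAN is still mapped to this radio"))
            elif s == "auth-type pap":
                # General protocol knowledge, not from this guide: PAP sends
                # the password to the peer without protecting it.
                findings.append((name, "HIGH",
                    "WWAN link authenticates with PAP; prefer a challenge-based auth-type"))
    return findings


if __name__ == "__main__":
    for iface, sev, msg in audit(parse_contexts(SAMPLE_CONTEXT), ["172.16.10.50"]):
        print(f"[{sev}] {iface}: {msg}")
```

Feed it the saved output of `show context` for a profile or device and pass the addresses of the analysis hosts your team actually operates.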
7.1.36.6.4 ip
interface-config-wwan-instance

Configures IP related settings on this interface

Supported in the following platforms:
• Access Point — AP7161, AP81XX, AP8232
• Wireless Controllers — RFS4000, RFS6000

Syntax
ip [default-gateway|nat]
ip default-gateway priority <1-8000>
ip nat [inside|outside]

Parameters
• ip default-gateway priority <1-8000>

ip – Configures IP related settings on this interface
default-gateway priority <1-8000> – Configures the default-gateway’s (learned by the wireless WAN) priority.
• <1-8000> – Specify a value from 1 - 8000. The default is 3000.

• ip nat [inside|outside]

ip – Configures IP related settings on this interface
nat [inside|outside] – Configures the NAT settings. This option is disabled by default.
• inside – Marks this WWAN interface as NAT inside. The inside network is transmitting data over the network to its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.
• outside – Marks this WWAN interface as NAT outside. Packets passing through the NAT on the way back to the controller or service platform managed LAN are matched against the records kept by the NAT engine. There, the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the network.

Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#ip nat inside
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  apn AT&T
  auth-type mschap-v2
  crypto map test
  ip nat inside
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#

Related Commands
no – Removes IP related settings on this interface
7.1.36.6.5 no
interface-config-wwan-instance

Removes or reverts the WWAN interface settings

Supported in the following platforms:
• Access Point — AP7161, AP81XX, AP8232
• Wireless Controllers — RFS4000, RFS6000

Syntax
no [all|apn|auth-type|crypto|description|ip|password|shutdown|use|username]
no [all|apn|auth-type|description|password|shutdown|username]
no crypto map
no ip [default-gateway priority|nat]
no use ip-access-list in

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Removes or reverts this WWAN interface’s settings based on the parameters passed

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
The following example displays the WWAN interface settings before the ‘no’ commands are executed:
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  apn AT&T
  auth-type mschap-v2
  crypto map test
  ip nat inside
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#

nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#no apn
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#no auth-type

The following example displays the WWAN interface settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  crypto map test
  ip nat inside
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
7.1.36.6.6 password
interface-config-wwan-instance

Configures a password for this WWAN interface. The configured value is used for authentication support by the cellular data carrier.

Supported in the following platforms:
• Access Point — AP7161, AP81XX, AP8232
• Wireless Controllers — RFS4000, RFS6000

Syntax
password [2 <WORD>|<WORD>]

Parameters
• password [2 <WORD>|<WORD>]

password – Configures a password for this WWAN interface
2 <WORD> – Configures an encrypted password. Use this option when copying and pasting the password from another device.
<WORD> – Enter the password string (should not exceed 32 characters in length).

Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#password 2 TechPubsTesting@123
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  password TechPubsTesting@123
  crypto map test
  ip nat inside
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#

Related Commands
no – Removes the configured password
7.1.36.6.7 shutdown
interface-config-wwan-instance

Shuts down this WWAN interface. Use the no shutdown command to re-start the WWAN interface.

Supported in the following platforms:
• Access Point — AP7161, AP81XX, AP8232
• Wireless Controllers — RFS4000, RFS6000

Syntax
shutdown

Parameters
None

Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#shutdown
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  shutdown
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#

Related Commands
no – Re-starts the WWAN interface
7.1.36.6.8 use
interface-config-wwan-instance

Associates an IP ACL with this interface. The ACL should be existing and configured.
The ACL applies an IP based firewall to all incoming packets. The ACL identifies a single IP or a range of IPs that are to be allowed or denied access on this interface.

Supported in the following platforms:
• Access Point — AP7161, AP81XX, AP8232
• Wireless Controllers — RFS4000, RFS6000

Syntax
use ip-access-list in <ACCESS-LIST-NAME>

Parameters
• use ip-access-list in <ACCESS-LIST-NAME>

use ip-access-list in <ACCESS-LIST-NAME> – Associates an inbound IPv4 ACL with this interface. This setting applies to IPv4 inbound traffic only and not IPv6 traffic. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.
• <ACCESS-LIST-NAME> – Specify the IP ACL name.

Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#use ip-access-list in test
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  password TechPubsTesting@123
  crypto map test
  ip nat inside
  use ip-access-list in test
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#

Related Commands
no – Removes the IP ACL associated with this interface
7.1.36.6.9 username
interface-config-wwan-instance

Configures the names of users accessing this interface

Supported in the following platforms:
• Access Point — AP7161, AP81XX, AP8232
• Wireless Controllers — RFS4000, RFS6000

Syntax
username <WORD>

Parameters
• username <WORD>

username <WORD> – Configures the username for authentication support by the cellular data carrier
• <WORD> – Specify the username (should not exceed 32 characters).

Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#username TechPubsUser1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  username TechPubsUser1
  password TechPubsTesting@123
  crypto map test
  ip nat inside
  use ip-access-list in test
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#

Related Commands
no – Removes the configured username
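The WWAN settings above can be reviewed from saved `show context` output. The following is an added example, not part of the guide or of WiNG: it reads the wwan1 block, reports PAP authentication, a missing inbound ACL and a carrier password visible in the text, and masks that password before the output is shared. The function names and finding codes are hypothetical, and the second sample is constructed from commands on these pages.

```python
import re

# Sample copied from the username example in this guide.
PAGE_SAMPLE = """\
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  username TechPubsUser1
  password TechPubsTesting@123
  crypto map test
  ip nat inside
  use ip-access-list in test
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
"""

# Constructed sample: a weaker profile built from commands on these pages.
WEAK_SAMPLE = """\
 interface wwan1
  apn AT&T
  auth-type pap
  username TechPubsUser1
  password TechPubsTesting@123
  ip nat inside
"""

FINDINGS = {
    "auth-pap": "auth-type pap sends the carrier password to the peer in cleartext",
    "no-inbound-acl": "no 'use ip-access-list in' on the cellular-facing interface",
    "secret-in-output": "carrier password is readable in this output; redact before sharing",
}


def interface_settings(context, name):
    """Return the setting lines printed under ' interface <name>'."""
    settings, inside = [], False
    for line in context.splitlines():
        if line.strip() == "interface " + name:
            inside = True
        elif inside and line.startswith("  "):
            settings.append(line.strip())
        elif inside and line.strip():
            break  # next interface header or the CLI prompt ends the block
    return settings


def audit_wwan(settings):
    """Return finding codes (keys of FINDINGS) for one WWAN interface."""
    auth = "chap"  # default stated in this guide when auth-type is not set
    for setting in settings:
        if setting.startswith("auth-type "):
            auth = setting.split()[1]
    codes = []
    if auth == "pap":
        codes.append("auth-pap")
    if not any(s.startswith("use ip-access-list in ") for s in settings):
        codes.append("no-inbound-acl")
    if any(s.startswith("password ") for s in settings):
        codes.append("secret-in-output")
    return codes


def redact(context):
    """Mask password values in config lines and in echoed commands."""
    pattern = r"((?:^[ \t]*|#)password (?:2 )?)\S+"
    return re.sub(pattern, r"\g<1><redacted>", context, flags=re.M)


if __name__ == "__main__":
    for label, sample in (("page", PAGE_SAMPLE), ("weak", WEAK_SAMPLE)):
        for code in audit_wwan(interface_settings(sample, "wwan1")):
            print(label, code, "-", FINDINGS[code])
    print(redact(PAGE_SAMPLE))
```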
7.1.36.7 interface-config-bluetooth-instance
interface

AP8432 and AP8533 model access points utilize a built-in Bluetooth chip for specific Bluetooth functional behaviors in a WiNG managed network. AP8432 and AP8533 models support both Bluetooth classic and Bluetooth low energy (BLE) technology. These platforms use their Bluetooth classic enabled radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an alarm.

AP8432 and AP8533 model access points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The access point’s Bluetooth radio sends non-connectable, undirected low-energy (LE) advertisement packets periodically. These advertisement packets are short and sent on Bluetooth advertising channels that conform to already-established iBeacon and Eddystone-URL standards. However, portions of the advertising packet are customizable via the Bluetooth radio interface configuration context.

To switch to this mode, use the following commands:
<DEVICE>(config)#profile <ap8432/ap8533> <PROFILE-NAME>
<DEVICE>(config-profile-default-ap8432)#interface bluetooth ?
  <1-1>  Bluetooth interface index

The following example uses the default-ap8432 profile instance to configure the Bluetooth radio interface:
nx9500-6C8809(config-profile-default-ap8432)#interface bluetooth 1
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Bluetooth Radio Mode commands:
  beacon       Configure low-energy beacon operation parameters
  description  Configure a description for this bluetooth radio
  eddystone    Configure eddystone beacon payload parameters
  ibeacon      Configure iBeacon beacon payload parameters
  mode         Set the bluetooth opreation mode
  no           Negate a command or set its defaults
  shutdown     Shutdown the selected bluetooth radio interface

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

NOTE: AP8132 model access points support an external USB Bluetooth radio providing ADSP Bluetooth classic sensing functionality only, not the BLE beaconing functionality available for AP8432 and AP8533 model access points described in this section.

Commands – Description – Reference
beacon – Configures the Bluetooth radio’s beacon’s emitted transmission pattern – page 7-339
description – Configures a description for the Bluetooth radio interface – page 7-341
eddystone – Configures Eddystone beacon payload parameters. Configure these parameters if the operational mode is set to ‘le-beacon’ and the beacon transmission pattern is set to ‘eddystone-url1’ or ‘eddystone-url2’. – page 7-342
ibeacon – Configures iBeacon beacon payload parameters. Configure these parameters if the operational mode is set to ‘le-beacon’ and the beacon transmission pattern is set to ‘ibeacon’. – page 7-343
mode – Configures the Bluetooth radio’s mode of operation – page 7-345
shutdown – Shuts down the selected Bluetooth radio interface – page 7-346
no – Removes or reverts to default this Bluetooth radio interface’s settings – page 7-347
7.1.36.7.1 beacon
interface-config-bluetooth-instance

Configures the Bluetooth radio’s beacon’s emitted transmission pattern for Bluetooth radios functioning in the low energy beacon (le-beacon) mode. This option is applicable only if the Bluetooth radio’s operational mode is set to le-beacon.

Supported in the following platforms:
• Access Points – AP8432, AP8533

Syntax
beacon [pattern|period]
beacon pattern [eddystone-url1|eddystone-url2|ibeacon]
beacon period <100-10000>

Parameters
• beacon pattern [eddystone-url1|eddystone-url2|ibeacon]
• beacon period <100-10000>

beacon pattern [eddystone-url1|eddystone-url2|ibeacon] – When the beacon mode is set to ‘le-beacon’, use this command to configure the Bluetooth radio’s beacon’s emitted transmission pattern. Select one of the following beacon patterns:
• eddystone-url1 – Transmits an Eddystone-URL beacon using URL 1. This is the default setting.
• eddystone-url2 – Transmits an Eddystone-URL beacon using URL 2
An Eddystone-URL frame broadcasts a URL using a compressed encoding scheme to better fit within a limited advertisement packet. Once decoded, the URL can be used by a client for Internet access. If an Eddystone-URL beacon broadcasts https:anysite, clients receiving the packet can access that URL.
If setting the transmission pattern as ‘eddystone-url1’ or ‘eddystone-url2’, use the ‘eddystone’ keyword to configure Eddystone beacon payload parameters. For more information, see eddystone.
• ibeacon – Transmits an ibeacon beacon. iBeacon was created by Apple for use in iPhone OS (iOS) devices (beginning with iOS version 7.0). There are three data fields Apple has made available to iOS applications, a Universally Unique IDentifier (UUID) for device identification, a Major value for device class and a Minor value for more refined information like product category.
If setting the transmission pattern as ‘ibeacon’, use the ‘ibeacon’ keyword to configure ibeacon beacon payload parameters. For more information, see ibeacon.
For more information on configuring the Bluetooth radio’s operational mode, see mode.

beacon period <100-10000> – Configures the Bluetooth radio’s beacon transmission period, in milliseconds, from 100 - 10000. As the defined period increases, so does the CPU processing time and the number of packets incrementally transmitted (typically one per minute).
• <100-10000> – Specify a value from 100 - 10000 milliseconds. The default value is 1000 milliseconds.

Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#beacon pattern eddystone-url2
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#beacon period 900
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  description AP8432-BLE-Radio1
  mode le-beacon
  beacon pattern eddystone-url2
  beacon period 900
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

Related Commands
no – Removes or reverts to default this Bluetooth radio’s beacon-related configurations
7.1.36.7.2 description
interface-config-bluetooth-instance

Configures a description for the Bluetooth radio interface, differentiating it from other Bluetooth supported radios within the same RF Domain

Supported in the following platforms:
• Access Points – AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax
description <WORD>

Parameters
• description <WORD>

description <WORD> – Configures a description for the AP8432/AP8533 access point’s Bluetooth radio
• <WORD> – Provide a description that uniquely identifies this radio interface from other similar Bluetooth supported radios (should not exceed 64 characters) within an RF Domain.

Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#description AP8432-BLE-Radio1
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  description AP8432-BLE-Radio1
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

Related Commands
no – Removes this Bluetooth radio interface’s description
7.1.36.7.3 eddystone
interface-config-bluetooth-instance

Configures Eddystone beacon payload parameters. Configure these parameters only if the Bluetooth radio interface’s operational mode is set to ‘le-beacon’, and the beacon’s emitted transmission pattern is set to either ‘eddystone-url1’ or ‘eddystone-url2’.

Supported in the following platforms:
• Access Points – AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax
eddystone [calibration-rssi <-127-127>|url [1|2] <WORD>]

Parameters
• eddystone [calibration-rssi|url [1|2] <WORD>]

eddystone [calibration-rssi <-127-127>|url [1|2] <WORD>] – If the Beacon transmission pattern has been set to either ‘eddystone-url1’ or ‘eddystone-url2’, configure the following Eddystone parameters:
• calibration-rssi – Configures the Eddystone beacon measured calibration signal strength, from -127 to 127 dBm, at 0 meters. Mobile devices can approximate their distance to beacons based on received signal strength. However, distance readings can fluctuate since they depend on several external factors. The closer you are to a beacon, the more accurate the reported distance. This setting is the projected calibration signal strength at 0 meters.
  • <-127-127> – Specify a value from -127 - 127 dBm. The default value is -19 dBm.
• url [1|2] <WORD> – Configures the Eddystone URL as URL1 OR URL2
  • 1 – Selects the Eddystone URL number 1
  • 2 – Selects the Eddystone URL number 2
  The following keyword is common to the ‘eddystone-url1’ and ‘eddystone-url2’ keywords:
  • <WORD> – Enter a 64 character maximum eddystone-URL1/eddystone-URL2. The URL must be 18 characters or less once auto-encoding is applied. URL encoding is used when placing text in a query string to avoid confusion with the URL itself. It is typically used when a browser sends data to a Web server.

Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#eddystone calibration-rssi -120
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  description AP8432-BLE-Radio1
  mode le-beacon
  beacon pattern eddystone-url2
  beacon period 900
  eddystone calibration-rssi -120
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

Related Commands
no – Removes or reverts to default this Bluetooth radio’s Eddystone beacon payload configurations
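A URL can pass the 64-character <WORD> limit and still exceed 18 characters after encoding. The added example below (not from the guide or from WiNG) encodes and decodes a URL with the prefix and expansion tables of the public Eddystone-URL specification and builds the frame body; that WiNG's auto-encoding matches the specification, and that the 18-character limit counts the scheme byte, are assumptions, as are the function names and the example.com/example.org URLs.

```python
import struct

# Scheme prefixes and text expansions from the public Eddystone-URL
# specification; each list index is the byte value sent on the air.
SCHEMES = ["http://www.", "https://www.", "http://", "https://"]
EXPANSIONS = [".com/", ".org/", ".edu/", ".net/", ".info/", ".biz/", ".gov/",
              ".com", ".org", ".edu", ".net", ".info", ".biz", ".gov"]

CLI_MAX_CHARS = 64       # <WORD> limit stated in this guide
ENCODED_MAX_BYTES = 18   # encoded limit stated in this guide; assumed to be
                         # the scheme byte plus the 17 URL bytes the spec allows


def encode_url(url):
    """Return the encoded form: one scheme byte followed by the URL bytes."""
    for code, scheme in enumerate(SCHEMES):
        if url.startswith(scheme):
            out = bytearray([code])
            rest = url[len(scheme):]
            break
    else:
        raise ValueError("URL must start with http:// or https://")
    i = 0
    while i < len(rest):
        for code, text in enumerate(EXPANSIONS):
            if rest.startswith(text, i):   # longer '.com/' is tried before '.com'
                out.append(code)
                i += len(text)
                break
        else:
            ch = ord(rest[i])
            if not 0x21 <= ch <= 0x7E:     # other byte values are reserved
                raise ValueError("character not allowed: %r" % rest[i])
            out.append(ch)
            i += 1
    return bytes(out)


def decode_url(encoded):
    """Expand an encoded URL back to the text a receiving client would see."""
    if not encoded or encoded[0] >= len(SCHEMES):
        raise ValueError("unknown scheme prefix")
    parts = [SCHEMES[encoded[0]]]
    for b in encoded[1:]:
        if b < len(EXPANSIONS):
            parts.append(EXPANSIONS[b])
        elif 0x21 <= b <= 0x7E:
            parts.append(chr(b))
        else:
            raise ValueError("reserved byte 0x%02x" % b)
    return "".join(parts)


def check_url(url):
    """Return the reasons this URL could not be configured and advertised."""
    problems = []
    if len(url) > CLI_MAX_CHARS:
        problems.append("longer than %d characters" % CLI_MAX_CHARS)
    try:
        encoded = encode_url(url)
    except ValueError as exc:
        return problems + [str(exc)]
    if len(encoded) < 2:
        problems.append("nothing after the scheme")
    if len(encoded) > ENCODED_MAX_BYTES:
        problems.append("encodes to %d bytes; limit is %d"
                        % (len(encoded), ENCODED_MAX_BYTES))
    return problems


def url_frame(url, calibration_rssi=-19):
    """Eddystone-URL frame body: type 0x10, power at 0 m, encoded URL."""
    if not -127 <= calibration_rssi <= 127:
        raise ValueError("calibration-rssi must be -127 to 127 dBm")
    return b"\x10" + struct.pack("b", calibration_rssi) + encode_url(url)


if __name__ == "__main__":
    for url in ("https://www.example.com/", "https://example.org/wifi-login"):
        print(url, len(encode_url(url)), check_url(url) or "ok")
```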
7.1.36.7.4 ibeacon
interface-config-bluetooth-instance

Configures iBeacon beacon payload parameters. Configure these parameters only if the Bluetooth radio interface’s operational mode is set to ‘le-beacon’, and the beacon’s emitted transmission pattern is set to ‘ibeacon’.

Supported in the following platforms:
• Access Points – AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax
ibeacon [calibration-rssi <-127-127>|major <0-65535>|minor <0-65535>|uuid <WORD>]
ibeacon [calibration-rssi <-127-127>|uuid <WORD>]
ibeacon [major|minor] <0-65535>

Parameters
• ibeacon [calibration-rssi <-127-127>|major <0-65535>|minor <0-65535>|uuid <WORD>]

ibeacon – Configures following iBeacon beacon payload parameters: calibration-rssi, major, minor, and uuid
calibration-rssi <-127-127> – Configures the ibeacon measured calibration signal strength, from -127 to 127 dBm, at 1 meter. Mobile devices can approximate their distance to beacons based on received signal strength. However, distance readings can fluctuate since they depend on several external factors. The closer you are to a beacon, the more accurate the reported distance. This setting is the projected calibration signal strength at 1 meter.
• <-127-127> – Specify a value from -127 - 127 dBm. The default value is -60 dBm.
major <0-65535> – Configures the iBeacon Major value from 0 - 65535. Major values identify and distinguish groups. For example, each beacon on a specific floor in a building could be assigned a unique major value.
• <0-65535> – Specify a value from 0 - 65535. The default value is 1111.
minor <0-65535> – Configures the iBeacon Minor value from 0 - 65535. Minor values identify and distinguish individual beacons. Minor values help identify individual beacons within a group of beacons assigned a major value. The default setting is 2,222.
• <0-65535> – Specify a value from 0 - 65535. The default value is 2222.
uuid <WORD> – Configures a 32 hex character maximum UUID. The UUID classification contains 32 hexadecimal digits, split into 5 groups, separated by dashes. For example, f2468da65fa82e841134bc5b71e0893e. The UUID distinguishes iBeacons in the network from all other beacons in networks outside of your direct administration.
• <WORD> – Specify the UUID (should not exceed 32 hexadecimal characters). The default value is 01F101F101F101F101F101F101F101F1.

Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon calibration-rssi -70
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon major 1110
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon minor 2210
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

Related Commands
no – Removes or reverts to default this Bluetooth radio’s iBeacon beacon payload parameters
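What the four ibeacon values become on the air, as an added example that is not part of the guide or of WiNG: it packs the values from `show context` into the publicly documented 25-byte iBeacon manufacturer data, decodes such a payload again, and lists settings left at the defaults this page gives. That the access point emits exactly this layout is an assumption, the function names are hypothetical, and a setting absent from `show context` is treated as being at its default, as in this guide's ‘no’ examples.

```python
import struct

# Apple company ID 0x004C (little-endian), iBeacon type 0x02, length 0x15.
IBEACON_PREFIX = bytes.fromhex("4c000215")

# Defaults listed in this guide for the ibeacon command.
DEFAULTS = {
    "uuid": "01F101F101F101F101F101F101F101F1",
    "major": 1111,
    "minor": 2222,
    "calibration-rssi": -60,
}

# Sample copied from this guide's ibeacon example.
CONFIGURED = """\
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
"""

# Sample copied from this guide's Bluetooth 'no' example (after the commands).
AFTER_NO = """\
 interface bluetooth1
  no shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon major 1110
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
"""


def ibeacon_config(context):
    """Collect 'ibeacon <key> <value>' lines; missing keys keep the default."""
    cfg = dict(DEFAULTS)
    for line in context.splitlines():
        words = line.split()
        if len(words) == 3 and words[0] == "ibeacon" and words[1] in DEFAULTS:
            cfg[words[1]] = words[2] if words[1] == "uuid" else int(words[2])
    return cfg


def build_payload(cfg):
    """Pack the settings into the 25-byte manufacturer-specific data."""
    if len(cfg["uuid"]) != 32:
        raise ValueError("this layout needs exactly 32 hexadecimal characters")
    uuid_bytes = bytes.fromhex(cfg["uuid"])   # ValueError if not hexadecimal
    for key in ("major", "minor"):
        if not 0 <= cfg[key] <= 65535:
            raise ValueError("%s must be 0 to 65535" % key)
    if not -127 <= cfg["calibration-rssi"] <= 127:
        raise ValueError("calibration-rssi must be -127 to 127 dBm")
    # Major and minor are big-endian; measured power at 1 m is a signed byte.
    tail = struct.pack(">HHb", cfg["major"], cfg["minor"], cfg["calibration-rssi"])
    return IBEACON_PREFIX + uuid_bytes + tail


def parse_payload(data):
    """Decode a captured payload, e.g. to check it against the configuration."""
    if len(data) != 25 or data[:4] != IBEACON_PREFIX:
        raise ValueError("not an iBeacon manufacturer-data payload")
    major, minor, power = struct.unpack(">HHb", data[20:])
    return {"uuid": data[4:20].hex(), "major": major,
            "minor": minor, "calibration-rssi": power}


def left_at_default(cfg):
    """Return the setting names whose value equals the documented default."""
    return sorted(key for key, value in cfg.items()
                  if str(value).upper() == str(DEFAULTS[key]).upper())


if __name__ == "__main__":
    for label, sample in (("configured", CONFIGURED), ("after no", AFTER_NO)):
        cfg = ibeacon_config(sample)
        print(label, build_payload(cfg).hex(), left_at_default(cfg))
```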
7.1.36.7.5 mode
interface-config-bluetooth-instance

Configures the Bluetooth radio interface’s mode of operation as bt-sensor or le-beacon

Supported in the following platforms:
• Access Points – AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax
mode [bt-sensor|le-beacon|le-tracking]

Parameters
• mode [bt-sensor|le-beacon|le-tracking]

mode – Configures the Bluetooth radio interface’s mode of operation. The options are:
• bt-sensor – Select this option to provide Bluetooth support for legacy devices. bt-sensors are Bluetooth classic sensors providing robust wireless connections for legacy devices. Typically these connections are not ideally suited for the newer Bluetooth low energy (BLE) technology supported devices. This is the default setting.
• le-beacon – Select this option to provide Bluetooth support for newer BLE technology supported devices. le-beacons are newer Bluetooth low energy beacons ideal for applications requiring intermittent or periodic transfers of small amounts of data. le-beacons are not designed as replacements for classic beacon sensors. If selecting this option, use the beacon keyword to configure the Beacon transmission period and Beacon transmission pattern.
• le-tracking – Select this option to provide Bluetooth support for BLE asset tracking. When enabled, it uses the AP’s Bluetooth radio to detect BLE ‘asset tags’ within the managed network. This information is reported to a back-end server (NSight server).

Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#mode le-beacon
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

Related Commands
no – Reverts this Bluetooth radio’s mode of operation to le-beacon
7.1.36.7.6 shutdown
interface-config-bluetooth-instance

Shuts down the selected AP8432/AP8533 Bluetooth radio interface

Supported in the following platforms:
• Access Points – AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax
shutdown

Parameters
None

Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#shutdown
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

Related Commands
no – Reverses shutdown
7.1.36.7.7 no
interface-config-bluetooth-instance

Removes or reverts to default this AP8432/AP8533 Bluetooth radio interface’s settings

Supported in the following platforms:
• Access Points – AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax
no [beacon|description|eddystone|ibeacon|mode|shutdown]
no beacon [pattern|period]
no description
no eddystone [calibration-rssi|url [1|2]]
no ibeacon [calibration-rssi|major|minor|uuid]
no mode
no shutdown

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Removes or reverts to default this Bluetooth radio interface’s settings based on the parameters passed
• <PARAMETERS> – Specify the parameters.

Example
The following example shows the AP8432 default profile’s Bluetooth radio interface settings:
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no shutdown
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no ibeacon minor
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no ibeacon calibration-rssi

The following example shows the AP8432 default profile’s Bluetooth radio interface settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  no shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon major 1110
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
7.1.37 ip
Profile Config Commands

The following table summarizes NAT pool configuration commands:

Command – Description – Reference
ip – Configures IP components, such as default gateway, DHCP, DNS server forwarding, name server, domain name, routing standards, etc. – page 7-349
nat-pool-config-instance – Invokes NAT pool configuration parameters – page 7-355
7.1.37.1 ip
ip

Configures IPv4 routing components, such as default gateway, DHCP, DNS server forwarding, name server, domain name, routing standards, etc.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
ip [default-gateway|dhcp|dns-server-forward|domain-lookup|domain-name|igmp|name-server|nat|route|routing]
ip default-gateway [<IP>|<HOST-ALIAS-NAME>|failover|priority [dhcp-client <1-1800>|static-route <1-1800>]]
ip [dns-server-forward|domain-lookup|domain-name <DOMAIN-NAME>|name-server <IP>|routing]
ip dhcp client [hostname|persistent-lease]
ip igmp snooping {fast-leave|forward-unknown-multicast|querier}
ip igmp snooping {fast-leave|forward-unknown-multicast}
ip igmp snooping {querier} {max-response-time <1-25>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-3>}
ip nat [crypto|inside|outside|pool]
ip nat [crypto source pool|pool] <NAT-POOL-NAME>
ip nat [inside|outside] [destination|source]
ip nat [inside|outside] destination static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]
ip nat [inside|outside] source [list|static]
ip nat [inside|outside] source static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]
ip nat [inside|outside] source list <IP-ACCESS-LIST-NAME> interface [<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address <IP>|interface <L3-IF-NAME>|overload|pool <NAT-POOL-NAME>)]
ip route <IP/M> [<IP>|<HOST-ALIAS-NAME>]

NOTE: The command ‘ip igmp snooping’ can be configured under bridge VLAN context also. For example:
rfs7000-37FABE(config-device 00-15-70-37-FA-BE-bridge-vlan-1)#ip igmp snooping forward-unknown-multicast

Parameters
• ip default-gateway [<IP>|<HOST-ALIAS-NAME>|failover|priority [dhcp-client <1-1800>|static-route <1-1800>]]

ip – Configures IPv4 routing components
default-gateway – Configures default gateway (next-hop router) parameters
<IP> – Configures default gateway’s IP address
• <IP> – Specify the default gateway’s IP address.
failover – Configures failover to the gateway (with next higher priority) when the current default gateway is unreachable (in case of multiple default gateways). This option is enabled by default.
<HOST-ALIAS-NAME> – Configures the host alias mapped to the required default gateway
• <HOST-ALIAS-NAME> – Specify the host alias name (should be existing and configured). Host alias names begin with a ‘$’.
priority [dhcp-client <1-1800>|static-route <1-1800>] – Configures default gateway priority
• dhcp-client <1-1800> – Defines a priority for the default gateway acquired by the DHCP client on the VLAN interface. The default setting is 1000.
• static-route <1-1800> – Defines the weight (priority) assigned to this static route versus others that have been defined to avoid potential congestion. The default setting is 100.
The following keyword is common to ‘dhcp-client’ and ‘static-route’ parameters:
• <1-1800> – Specify the priority from 1 - 18000 (the lower the value, the higher the priority).

• ip [dns-server-forward|domain-lookup|domain-name <DOMAIN-NAME>|name-server <IP>|routing]

ip – Configures IPv4 routing components
dns-server-forward – Enables DNS forwarding. This command enables the forwarding of DNS queries to DNS servers outside of the network. This option is disabled by default.
domain-lookup – Enables domain lookup. When enabled, human friendly domain names are converted into numerical IP destination addresses. The option is enabled by default.
domain-name <DOMAIN-NAME> – Configures a default domain name
• <DOMAIN-NAME> – Specify a name for the DNS (should not exceed 64 characters in length).
name-server <IP> – Configures the name server’s IP address
• <IP> – Specify the IP address of the name server.
routing – Enables IP routing of logically addressed packets from their source to their destination. IPv4 routing is enabled by default.

• ip dhcp client [hostname|persistent-lease]

ip – Configures IPv4 routing components
dhcp – Configures the DHCP client and host
client [hostname|persistent-lease] – Sets the DHCP client
• hostname – Includes the hostname in the DHCP lease for the requesting client. This option is enabled by default.
• persistent-lease – Retains the last lease across reboots if the DHCP server is unreachable. A persistent DHCP lease assigns the same IP address and other network information to the device each time it renews its DHCP lease. This option is disabled by default.
• ip igmp snooping {fast-leave|forward-unknown-multicast}

ip – Configures IPv4 routing components
fast-leave – Optional. Enables fast leave processing. When enabled, leave messages are processed quickly, preventing the host from receiving further traffic. Should be configured for one (wired) host network only. This option is disabled by default.
This feature is supported only on the AP7502, AP8232, AP8533 model access points.
igmp snooping forward-unknown-multicast – Optional. Enables unknown multicast data packets to be flooded in the specified VLAN. This option is disabled by default.

• ip igmp snooping {querier} {max-response-time <1-25>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-3>}

ip – Configures IPv4 routing components
igmp snooping querier – Optional. Enables the IGMP querier functionality for the specified VLAN. By default IGMP snooping querier is disabled.
max-response-time <1-25> – Configures the IGMP maximum query response interval used in IGMP V2/V3 queries for the given VLAN. The default is 10 seconds.
query-interval <1-18000> – Configures the IGMP querier query interval in seconds. Specify a value from 1 - 18000 seconds. The default is 60 seconds.
robustness-variable <1-7> – Configures the IGMP robustness variable from 1 - 7. The default is 2.
timer expiry <60-300> – Configures the other querier time out value for the given VLAN. The default is 60 seconds.
version <1-3> – Configures the IGMP query version for the given VLAN. The default is 3.

• ip nat [crypto source pool|pool <NAT-POOL-NAME>]

ip – Configures IPv4 routing components
nat – Configures the NAT parameters
crypto source pool <NAT-POOL-NAME> – Configures the NAT source address translation settings for IPSec tunnels
• <NAT-POOL-NAME> – Specify a NAT pool name.
pool <NAT-POOL-NAME> – Configures a pool of IP addresses for NAT
• <NAT-POOL-NAME> – Specify a name for the NAT pool.

• ip nat [inside|outside] destination static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]

ip – Configures IPv4 routing components
nat – Configures the NAT parameters
[inside|outside] – Configures inside and outside address translation for the destination
• inside – Configures inside address translation
• outside – Configures outside address translation
destination static <ACTUAL-IP> – The following keywords are common to the ‘inside’ and ‘outside’ parameters:
• destination – Specifies destination address translation parameters
• static – Specifies static NAT local to global mapping
• <ACTUAL-IP> – Specify the actual outside IP address to map.
PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide  7 - 352• ip nat [inside|outside] source static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]• ip nat [inside|outside] source list <IP-ACCESS-LIST-NAME> interface [<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address <IP>|interface <L3-IF-NAME>|overload|pool <NAT-POOL-NAME>)]<1-65535> [tcp|udp] • <1-65535> – Configures the actual outside port. Specify a value from 1 - 65535.• tcp – Configures Transmission Control Protocol (TCP) port• udp – Configures User Datagram Protocol (UDP) port<NATTED-IP> <1-65535>Enables configuration of the outside natted IP address• <NATTED-IP> – Specify the outside natted IP address.• <1-65535> – Optional. Configures the outside natted port. Specify a value from 1 - 65535.ip Configures IPv4 routing componentsnat Configures the NAT parameters[inside|outside] Configures inside and outside address translation for the source• inside – Configures inside address translation• outside – Configures outside address translationsource static <ACTUAL-IP> The following keywords are common to the’ inside’ and ‘outside’ parameters:• source – Specifies source address translation parameters• static – Specifies static NAT local to global mapping• <ACTUAL-IP> – Specify the actual inside IP address to map.<1-65535> [tcp|udp] • <1-65535> – Configures the actual outside port. Specify a value from 1 - 65535.• tcp – Configures Transmission Control Protocol (TCP) port• udp – Configures User Datagram Protocol (UDP) port<NATTED-IP> <1-65535>Enables configuration of the outside natted IP address• <NATTED-IP> – Specify the outside natted IP address.• <1-65535> – Optional. Configures the outside natted port. 
Specify a value from 1 - 65535.ip Configures IPv4 routing componentsnat Configures the NAT parameters[inside|outside] Configures inside and outside IP access listsource list <IP-ACCESS-LIST-NAME>Configures an access list describing local addresses• <IP-ACCESS-LIST-NAME> – Specify a name for the IP access list.interface [<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1]Selects an interface to configure. Select a layer 3 router interface or a VLAN interface.• <INTERFACE-NAME> – Selects a layer 3 interface. Specify the layer 3 router interface name.• vlan – Selects a VLAN interface• <1-4094> – Set the SVI VLAN ID of the interface.• pppoe1 – Selects PPP over Ethernet interface• wwan1 – Selects Wireless WAN interfaceaddress <IP> The following keyword is recursive and common to all interface types:• address <IP> – Configures the interface IP address used with NAT
interface <L3-IF-NAME>
  The following keyword is recursive and common to all interface types:
  • interface <L3-IF-NAME> – Configures a wireless controller or service platform’s VLAN interface
    • <L3-IF-NAME> – Specify the SVI VLAN ID of the interface.

overload
  The following keyword is recursive and common to all interface types:
  • overload – Enables use of global address for many local addresses

pool <NAT-POOL-NAME>
  The following keyword is recursive and common to all interface types:
  • pool <NAT-POOL-NAME> – Specifies the NAT pool
    • <NAT-POOL-NAME> – Specify the NAT pool name.

• ip route <IP/M> [<IP>|<HOST-ALIAS-NAME>]

ip
  Configures IPv4 routing components

route
  Configures the static routes

<IP/M>
  Specify the IP destination prefix in the A.B.C.D/M format.

<IP>
  Specify the IP address of the gateway.

<HOST-ALIAS-NAME>
  Configures the host alias mapped to the required default gateway
  • <HOST-ALIAS-NAME> – Specify the host alias name (should be existing and configured). Host alias names begin with a ‘$’.

Example

rfs6000-37FABE(config-profile-default-rfs6000)#ip default-gateway 172.16.10.4
rfs6000-37FABE(config-profile-default-rfs6000)#ip dns-server-forward
rfs6000-37FABE(config-profile-default-rfs6000)#ip nat inside source list test interface vlan 1 pool pool1 overload
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 ip default-gateway 172.16.10.4
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
........................................................
  qos trust 802.1p
 interface ge3
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 ip dns-server-forward
 ip nat inside source list test interface vlan1 pool pool1 overload
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#?
Nat Policy Mode commands:
  address  Specify addresses for the nat pool
  no       Negate a command or set its defaults
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-profile-default-rfs7000-nat-pool-pool1)

Related Commands

no
  Disables or reverts settings to their default
7.1.37.2 nat-pool-config-instance
ip

Use the config-profile-<DEVICE-PROFILE-NAME> instance to configure Network Address Translation (NAT) pool settings.

The following example uses the config-profile-default-rfs7000 instance to configure NAT pool settings:

rfs6000-37FABE(config-profile-default-rfs6000)#ip nat pool pool1
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#?
Nat Policy Mode commands:
  address  Specify addresses for the nat pool
  no       Negate a command or set its defaults
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)

The following table summarizes NAT pool configuration commands:

Command    Description
address    Configures NAT pool addresses
no         Negates a command or sets its default
7.1.37.2.1 address
nat-pool-config-instance

Configures NAT pool of IP addresses

Define a range of IP addresses hidden from the public Internet. NAT modifies network address information in the defined IP range while in transit across a traffic routing device. NAT only provides IP address translation and does not provide a firewall. A branch deployment with NAT by itself will not block traffic from being potentially routed through a NAT device. Consequently, NAT should be deployed with a stateful firewall.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

address [<IP>|range <START-IP> <END-IP>]

Parameters

• address [<IP>|range <START-IP> <END-IP>]

address <IP>
  Adds a single IP address to the NAT pool

range <START-IP> <END-IP>
  Adds a range of IP addresses to the NAT pool
  • <START-IP> – Specify the starting IP address of the range.
  • <END-IP> – Specify the ending IP address of the range.

Example

rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#show context
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#

Related Commands

no
  Removes address(es) configured with this NAT pool
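The warning above, that NAT translates addresses but does not filter traffic, can be checked against a saved profile. The following Python script is an added example, not part of the Extreme Networks guide: it assumes the one-space-per-level layout of the guide's show context output and treats a profile-level "use firewall-policy" line as the sign that a firewall policy is attached; the sample profiles and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample profiles, laid out like the "show context" output in this
# guide (one leading space per nesting level). Not captured from a real device.
PROFILE_WITH_FIREWALL = """\
profile rfs6000 default-rfs6000
 ip default-gateway 172.16.10.4
 interface pppoe1
 use firewall-policy default
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
 ip nat inside source list test interface vlan1 pool pool1 overload
"""

PROFILE_NAT_ONLY = """\
profile rfs6000 branch-example
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
  address 172.16.10.20
 ip nat inside source list test interface vlan 1 pool pool2 overload
"""

# Options that may follow the interface name in "ip nat ... source list".
NAT_OPTION_KEYWORDS = {"address", "interface", "overload", "pool"}


def parse_context(text):
    """Return [(statement, [child statements])] for profile-level statements."""
    blocks = []
    for raw in text.splitlines():
        stmt = raw.strip()
        if not stmt or stmt.startswith(("--More--", "....")):
            continue  # skip pager markers and elided output
        indent = len(raw) - len(raw.lstrip(" "))
        if indent <= 1:
            blocks.append((stmt, []))
        elif blocks:
            blocks[-1][1].append(stmt)
    return blocks


def nat_pools(blocks):
    """Map each 'ip nat pool <name>' to the number of addresses it holds."""
    pools = {}
    for stmt, children in blocks:
        t = stmt.split()
        if t[:3] != ["ip", "nat", "pool"] or len(t) != 4:
            continue
        size = 0
        for child in children:
            c = child.split()
            if c[:2] == ["address", "range"] and len(c) == 4:
                lo, hi = (int(ipaddress.IPv4Address(a)) for a in c[2:])
                size += max(hi - lo + 1, 0)
            elif c[:1] == ["address"] and len(c) == 2:
                ipaddress.IPv4Address(c[1])  # ValueError on a malformed address
                size += 1
        pools[t[3]] = size
    return pools


def nat_source_rules(blocks):
    """Extract 'ip nat [inside|outside] source list ...' rules as dicts."""
    rules = []
    for stmt, _ in blocks:
        t = stmt.split()
        if len(t) < 6 or t[:2] != ["ip", "nat"] or t[3:5] != ["source", "list"]:
            continue
        rule = {"direction": t[2], "acl": t[5], "interface": "",
                "pool": None, "overload": False}
        i = 6
        if i < len(t) and t[i] == "interface":
            start = i = i + 1
            while i < len(t) and t[i] not in NAT_OPTION_KEYWORDS:
                i += 1  # interface names may span two tokens ("vlan 1")
            rule["interface"] = " ".join(t[start:i])
        while i < len(t):
            if t[i] == "pool" and i + 1 < len(t):
                rule["pool"] = t[i + 1]
            elif t[i] == "overload":
                rule["overload"] = True
            i += 1
        rules.append(rule)
    return rules


def audit(text):
    """Return (code, detail) findings for NAT used without a firewall policy."""
    blocks = parse_context(text)
    pools, rules = nat_pools(blocks), nat_source_rules(blocks)
    has_firewall = any(s.split()[:2] == ["use", "firewall-policy"] for s, _ in blocks)
    findings = []
    if (rules or pools) and not has_firewall:
        findings.append(("NAT_WITHOUT_FIREWALL",
                         "NAT is configured but no 'use firewall-policy' line exists"))
    for rule in rules:
        if rule["pool"] and rule["pool"] not in pools:
            findings.append(("UNDEFINED_POOL",
                             "rule for ACL %s uses undefined pool %s" % (rule["acl"], rule["pool"])))
    return findings
```

Run audit() on the text of each exported profile. An empty list means every NAT rule has a defined pool and the profile references a firewall policy; it says nothing about what that policy permits.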
7.1.37.2.2 no
nat-pool-config-instance

Removes address(es) configured with this NAT pool

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

no address [<IP>|range <START-IP> <END-IP>]

Parameters

• no address [<IP>|range <START-IP> <END-IP>]

no address [<IP>|range <START-IP> <END-IP>]
  Removes a single IP address or a range of IP addresses from this NAT pool

Usage Guidelines

The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example

rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#show context
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#no address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#show context
 ip nat pool pool1
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#

Related Commands

address
  Configures NAT pool IP address(es)
7.1.38 ipv6
Profile Config Commands

Configures IPv6 routing components, such as default gateway, DNS server forwarding, name server, routing standards, etc. These IPv6 settings are applied to all devices using this profile.

You can also configure IPv6 settings on a device, using the device’s configuration mode.

NOTE: The IPv6 settings configured at the profile/device level are global configuration settings and not interface-specific.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

ipv6 [default-gateway|dns-server-forward|hop-limit|mld|name-server|nd-reachable-time|neighbor|ns-interval|ra-convert|route|ula-reject-route|unicast-routing]
ipv6 [default-gateway <IPv6> {vlan <VLAN-ID>}|dns-server-forward|hop-limit <1-255>|name-server <IPv6>|nd-reachable-time <5000-3600000>|ns-interval <1000-3600000>|ula-reject-route|unicast-routing]
ipv6 ra-convert {throttle interval <3-1800> max-RAs <1-256>}
ipv6 mld snooping {forward-unknown-multicast|querier}
ipv6 mld snooping {forward-unknown-multicast}
ipv6 mld snooping {querier} {max-response-time <1-25000>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-2>}
ipv6 neighbor [<IPv6>|timeout]
ipv6 neighbor <IPv6> <MAC> [<INTF-NAME>|pppoe1|vlan <1-4094>|wwan1] {dhcp-server|router}
ipv6 neighbor timeout <15-86400>
ipv6 route <DEST-IPv6-PREFIX/PREFIX-LENGTH> <IPv6-GATEWAY-ADDRESS> {vlan <VLAN-ID>}

Parameters

• ipv6 [default-gateway <IPv6> {vlan <VLAN-ID>}|dns-server-forward|hop-limit <1-255>|name-server <IPv6>|nd-reachable-time <5000-3600000>|ns-interval <1000-3600000>|ula-reject-route|unicast-routing]

ipv6
  Configures IPv6 routing components

default-gateway <IPv6> {vlan <VLAN-ID>}
  Configures IPv6 default gateway’s address in the ::/0 format
  • vlan <VLAN-ID> – Optional. Specify the VLAN interface’s ID through which the default gateway is accessible.

dns-server-forward
  Enables DNS server forwarding. This command enables the forwarding of DNS queries to DNS servers outside of the network. This feature is disabled by default.
hop-limit <1-255>
  Configures the IPv6 hop count limit
  • <1-255> – Specify a value between 1 - 255. The default is 64.

name-server <IPv6>
  Configures the IPv6 name server’s address
  • <IPv6> – Specify the address of the IPv6 name server.

nd-reachable-time <5000-3600000>
  Configures the time, in milliseconds, that a neighbor is assumed to be reachable after having received neighbor discovery (ND) confirmation for their reachability
  • <5000-3600000> – Specify a value from 5000 - 3600000 milliseconds. The default is 30,000 milliseconds.

ns-interval <1000-3600000>
  Configures the interval, in milliseconds, between two consecutive retransmitted neighbor solicitation (NS) messages. NS messages are sent by a node to determine the link layer address of a neighbor, or verify a neighbor is still reachable via a cached link-layer address.
  • <1000-3600000> – Specify a value from 1000 - 3600000. The default is 1000 milliseconds.

ula-reject-route
  Installs a "reject" route for Unique Local Address (ULA) prefixes. This ensures that site-border routers and firewalls do not forward packets with ULA source or destination addresses outside of the site, unless explicitly configured with routing information about specific /48 or longer Local IPv6 prefixes. This option is disabled by default.
  The ULA is an IPv6 address used in private networks for local communication within a site (for example a company, campus, or within a set of branch office networks). These site local addresses are IPv6 addresses that fall in the block fc00::/7, defined in RFC 4193.

unicast-routing
  Enables IPv6 unicast routing. This feature is enabled by default.

• ipv6 ra-convert {throttle interval <3-1800> max-RAs <1-256>}

ipv6
  Configures IPv6 routing components

ra-convert {throttle interval <3-1800> max-RAs <1-256>}
  Enables conversion of multicast router advertisements (RAs) to unicast RAs at the dot11 layer. This feature is disabled by default.
  • throttle – Optional. Throttles multicast RAs before converting to unicast
    • interval <3-1800> – Throttles multicast RAs for a specified time period. Specify the interval from 3 - 1800 seconds. The default is 3 seconds.
    • max-RAs <1-256> – Specifies the maximum number of RAs per IPv6 router during the specified throttle interval. Specify a value from 1 - 256. The default is 1.

• ipv6 mld snooping {forward-unknown-multicast}

ipv6
  Configures IPv6 routing components

mld snooping forward-unknown-multicast
  Enables multicast listener discovery (MLD) protocol snooping. This feature is disabled by default.
  When enabled, IPv6 devices (access point, wireless controller, or service platform) can examine MLD messages exchanged between hosts and multicast routers to discern which hosts are receiving multicast group traffic. Based on the information gathered these devices forward multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces. This prevents VLANs from getting flooded with IPv6 multicast traffic.
  • forward-unknown-multicast – Optional. Enables unknown multicast forwarding. This feature is enabled by default.

• ipv6 mld snooping {querier} {max-response-time <1-25000>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-2>}

ipv6
  Configures IPv6 routing components

mld snooping querier
  Enables MLD protocol snooping
  • querier – Optional. Enables the on-board MLD querier. When enabled, IPv6 devices send query messages to discover which network devices are members of a given multicast group. This option is disabled by default.

max-response-time <1-25000>
  Configures the MLD querier’s maximum query response time. This is the time for which the querier waits before sending a responding report. Queriers use MLD reports to join and leave multicast groups and receive group traffic.
  • <1-25000> – Specify a value from 1 - 25000 milliseconds. The default is 10 milliseconds.

query-interval <1-18000>
  Configures the interval, in seconds, between two consecutive MLD querier’s queries.
  The robustness variable is an indication of how susceptible the subnet is to lost packets. MLD can recover from robustness variable minus 1 lost MLD packets.
  • <1-18000> – Specify a value from 1 - 18000 seconds. The default is 60 seconds.

robustness-variable <1-7>
  Configures the MLD IGMP robustness variable. This value is used by the sender of a query.
  • <1-7> – Select a value from 1 - 7. The default is 2.

timer expiry <60-300>
  Configures the MLD other querier (any external querier) timeout
  • <60-300> – Specify a value from 60 - 300 seconds. The default is 60 seconds.

version <1-2>
  Configures the MLD querier’s version. MLD version 1 is based on IGMP version 2 for IPv4. MLD version 2 is based on IGMP version 3 for IPv4 and is fully backward compatible. IPv6 multicast uses MLD version 2.
  • <1-2> – Select the MLD version from 1 - 2. The default is 2.

• ipv6 neighbor <IPv6> <MAC> [<INTF-NAME>|pppoe1|vlan <1-4094>|wwan1] {dhcp-server|router}

ipv6
  Configures IPv6 routing components

neighbor
  Configures static IPv6 neighbor entries

<IPv6>
  Specify the IPv6 address for which a static neighbor entry is created.

<MAC>
  Specify the MAC address associated with the specified IPv6 address.

[<INTF-NAME>|pppoe1|vlan <1-4094>|wwan1]
  Specify the following interface settings:
  • <INTF-NAME> – Selects the layer 3 router interface. Specify the interface name.
  • pppoe1 – Selects the PPP over Ethernet interface
  • vlan <1-4094> – Selects the VLAN interface. Specify the VLAN interface index.
  • wwan1 – Selects the wireless WAN interface

{dhcp-server|router}
  After specifying interface type, you can optionally specify the device type for this neighbor solicitation.
  • dhcp-server – Optional. States this neighbor entry is for a DHCP server
  • router – Optional. States this neighbor entry is for a router
• ipv6 neighbor timeout <15-86400>

neighbor
  Configures static IPv6 neighbor entries

timeout <15-86400>
  Configures the timeout, in seconds, for the static neighbor entries
  • <15-86400> – Specify a value from 15 - 86400 seconds. The default is 3600 seconds.

• ipv6 route <DEST-IPv6-PREFIX/PREFIX-LENGTH> <IPv6-GATEWAY-ADDRESS> {vlan <VLAN-ID>}

ipv6
  Configures IPv6 routing components

route
  Configures the static routes
  These routes are maintained in the IPv6 Forwarding Information Base (FIB). To view FIB6 routing entries, use the service > show fib6 > <TABLE-ID> command.

<DEST-IPv6-PREFIX/PREFIX-LENGTH>
  Specify the IPv6 destination prefix (IPv6 network) and the prefix length.

<IPv6-GATEWAY-ADDRESS>
  Specify the IPv6 gateway’s address.

vlan <VLAN-ID>
  Optional. Specify the VLAN interface’s ID (through which the default gateway is accessible).
  This parameter is needed only if the gateway address is a link local address.

Example

rfs6000-81742D(config-profile-TestRFS6000)#ipv6 default-gateway 2001:10:10:10:10:10:10:2
rfs6000-81742D(config-profile-TestRFS6000)#ipv6 dns-server-forward
rfs6000-81742D(config-profile-TestRFS6000)#ipv6 mld snooping
rfs6000-81742D(config-profile-TestRFS6000)#show context
profile rfs6000 TestRFS6000
 ipv6 mld snooping
 ipv6 dns-server-forward
 ipv6 default-gateway 2001:10:10:10:10:10:10:2
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 --More--
rfs6000-81742D(config-profile-TestRFS6000)#

Related Commands

no
  Disables or reverts IPv6 settings to their default
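The effect of ipv6 ula-reject-route on forwarding is easiest to see with a longest-prefix-match lookup. The following Python model is an added example, not part of the guide or of WiNG: it assumes the reject entry behaves as an fc00::/7 route, as RFC 4193 describes, and except for the gateway taken from the guide's example, the routes and destination addresses are constructed.

```python
import ipaddress

ULA_BLOCK = ipaddress.ip_network("fc00::/7")  # Unique Local Addresses (RFC 4193)

# Constructed profile statements in the ipv6 syntax documented above.
PROFILE = [
    "ipv6 default-gateway 2001:10:10:10:10:10:10:2",
    "ipv6 route fd12:3456:789a::/48 2001:10:10:10:10:10:10:9",
]


def build_fib(statements):
    """Turn profile statements into a list of (network, action) entries."""
    fib = []
    for stmt in statements:
        t = stmt.split()
        if t[:2] == ["ipv6", "default-gateway"] and len(t) >= 3:
            fib.append((ipaddress.ip_network("::/0"), "forward via " + t[2]))
        elif t[:2] == ["ipv6", "route"] and len(t) >= 4:
            net = ipaddress.ip_network(t[2], strict=False)
            fib.append((net, "forward via " + t[3]))
        elif t == ["ipv6", "ula-reject-route"]:
            # Assumption: the reject route covers the whole ULA block.
            fib.append((ULA_BLOCK, "reject"))
    return fib


def lookup(fib, destination):
    """Longest-prefix match: the most specific covering entry decides."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, action) for net, action in fib if addr in net]
    if not matches:
        return "no route"
    return max(matches, key=lambda entry: entry[0].prefixlen)[1]


def ula_leaks(statements, destinations):
    """ULA destinations that would leave the site through the default route."""
    fib = build_fib(statements)
    default_actions = {a for net, a in fib if net.prefixlen == 0}
    return [d for d in destinations
            if ipaddress.ip_address(d) in ULA_BLOCK
            and lookup(fib, d) in default_actions]


def broad_ula_routes(statements):
    """Static routes for ULA prefixes shorter than /48.

    The guide allows exceptions only for 'specific /48 or longer' local
    prefixes; a shorter ULA route overrides the reject entry for many sites.
    """
    broad = []
    for net, action in build_fib(statements):
        if action != "reject" and net.prefixlen < 48 and net.subnet_of(ULA_BLOCK):
            broad.append(str(net))
    return broad


if __name__ == "__main__":
    probes = ["fd00:aaaa::1", "fd12:3456:789a:1::5", "2001:db8::1"]
    for label, stmts in (("without reject route", PROFILE),
                         ("with reject route", PROFILE + ["ipv6 ula-reject-route"])):
        print(label)
        for dest in probes:
            print("  %-22s %s" % (dest, lookup(build_fib(stmts), dest)))
```

With the option disabled, the unlisted ULA destination follows the default gateway; once the reject entry exists, only the explicitly routed /48 is still forwarded.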
7.1.39 l2tpv3
Profile Config Commands

Defines the L2TPv3 settings for tunneling layer 2 payloads using VPNs

L2TPv3 is an IETF standard that defines the control and encapsulation protocol settings for tunneling layer 2 frames in an IP network (and access point profile) between two IP nodes. Use L2TPv3 to create tunnels for transporting layer 2 frames. L2TPv3 enables WiNG supported controllers and access points to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TPv3 tunnels can be defined between WiNG devices and other vendor devices supporting the L2TPv3 protocol.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

l2tpv3 [hostname <HOSTNAME>|inter-tunnel-bridging|logging|manual-session|router-id [<1-4294967295>|<IP>]|tunnel|udp-listen-port <1024-65535>]
l2tpv3 logging ip-address [<IP>|any] hostname [<HOSTNAME>|any] router-id [<IP>|<WORD>|any]

Parameters

• l2tpv3 [hostname <HOSTNAME>|inter-tunnel-bridging|manual-session|router-id [<1-4294967295>|<IP>]|tunnel|udp-listen-port <1024-65535>]

l2tpv3
  Configures the L2TPv3 protocol settings for a profile

hostname <HOSTNAME>
  Configures the host name sent in the L2TPv3 signalling messages. Tunnel establishment involves exchanging 3 message types (SCCRQ, SCCRP and SCCN) with the peer. Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host.
  • <HOSTNAME> – Specify the L2TPv3 specific host name.

inter-tunnel-bridging
  Enables inter tunnel bridging of packets. This feature is disabled by default.

manual-session
  Creates/modifies L2TPv3 manual sessions
  For more information, see l2tpv3-manual-session-commands.

router-id [<1-4294967295>|<IP>]
  Configures the router ID sent in the L2TPv3 signaling messages. These signaling (AVP) messages help to identify tunneled peers.
  • <1-4294967295> – Configures the router ID in decimal format from 1 - 4294967295
  • <IP> – Configures the router ID in the IP address (A.B.C.D) format

tunnel
  Creates/modifies a L2TPv3 tunnel
  For more information, see l2tpv3-tunnel-commands.

udp-listen-port <1024-65535>
  Configures the UDP port used to listen for incoming traffic
  • <1024-65535> – Specify the UDP port from 1024 - 65535 (default is 1701)

• l2tpv3 logging ip-address [<IP>|any] hostname [<HOSTNAME>|any] router-id [<IP>|<WORD>|any]

l2tpv3
  Configures L2TPv3 protocol settings for a profile

logging
  Enables L2TPv3 tunnel event logging and debugging. When enabled, all events relating to Ethernet frames to and from bridge VLANs and physical ports on a specified IP address, host or router ID are logged. This option is disabled by default.

ip-address [<IP>|any]
  Configures the L2TPv3 peer tunnel IP address for which event logging is enabled. The options are:
  • <IP> – Specify the peer’s IP address. L2TPv3 events are captured and logged for the specified peer.
  • any – Peer’s IP address is not specified. Enables event logging for all incoming connections from any IP address.

hostname [<HOSTNAME>|any]
  Configures the L2TPv3 peer tunnel hostname for which event logging is enabled. The options are:
  • <HOSTNAME> – Specify the peer’s host name. L2TPv3 events are captured and logged for the specified host.
  • any – Peer’s hostname is not specified. Enables debugging for all incoming connections from any host.

router-id [<IP>|<WORD>|any]
  Configures the L2TPv3 tunnel router ID for which event logging is enabled. The options are:
  • <IP> – Specify the router ID in the IP address format.
  • <WORD> – Specify the router ID in the form of an integer or range. For example 100-200.
  • any – Router ID is not specified. Enables debugging for all incoming connections from any L2TPv3 router.

Example

rfs6000-37FABE(config-profile-default-rfs6000)#l2tpv3 hostname l2tpv3Host1
rfs6000-37FABE(config-profile-default-rfs6000)#l2tpv3 inter-tunnel-bridging
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
.................................................
 l2tpv3 hostname l2tpv3Host1
 l2tpv3 inter-tunnel-bridging
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands

no
  Negates L2TPv3 tunnel settings on this profile
7.1.40 l3e-lite-table
Profile Config Commands

Configures L3e lite table aging time

The L3e Lite table stores information about destinations and their location within a specific IPSec tunnel. This enables quicker packet transmissions. The table is updated as nodes transmit packets.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

l3e-lite-table aging-time <10-1000000>

Parameters

• l3e-lite-table aging-time <10-1000000>

l3e-lite-table aging-time <10-1000000>
  Configures the aging time in seconds. The aging time defines the duration a learned L3e entry (IP, VLAN) remains in the L3e Lite table before deletion due to lack of activity. The default is 300 seconds.

Example

rfs6000-37FABE(config-profile-default-rfs6000)#l3e-lite-table aging-time 1000
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs7000 default-rfs7000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
..........................................................
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 l3e-lite-table aging-time 1000
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands

no
  Removes the L3e lite table aging time configuration
7.1.41 led
Profile Config Commands

Turns on and off access point LEDs

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

led {flash-pattern}

Parameters

• led {flash-pattern}

led flash-pattern
  Optional. Enables LED flashing on the device using this profile
  Select this option to flash an access point’s LEDs in a distinct manner (different from its operational LED behavior). Enabling this feature allows an administrator to validate an access point has received its configuration (perhaps remotely at the site of deployment) without having to log into the managing controller or service platform. This feature is disabled by default.

Example

rfs6000-37FABE(config-profile-RFS6000Test)#led flash-pattern
rfs6000-37FABE(config-profile-RFS6000Test)#show context
profile rfs6000 RFS6000Test
 no autoinstall configuration
 no autoinstall firmware
 led flash-pattern
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 --More--
rfs6000-37FABE(config-profile-RFS6000Test)#

Related Commands

no
  Disables or reverts settings to their default
7.1.42 led-timeout
Profile Config Commands

Configures the LED-timeout timer in the device or profile configuration mode

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

led-timeout [<15-1440>|shutdown]

Parameters

• led-timeout [<15-1440>|shutdown]

led-timeout [<15-1440>|shutdown]
  Sets the LED-timeout timer. The value provided here determines the interval (time to lapse) for which a device’s LEDs are turned off after the last radio state change. For example, if set at 15 minutes, the LEDs are turned off for 15 minutes after the last radio state change.
  • <15-1440> – Specify a value from 15 - 1440 minutes. The default is 30 minutes.
  • shutdown – Shuts down the LED-timeout timer. The device LEDs are not turned off.

Example

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#led-timeout 25
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
 use profile default-nx9000
 use rf-domain default
 hostname nx9500-6C8809
 license AAP 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
 license HTANLT 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
 no autogen-uniqueid
 ip default-gateway 192.168.13.2
 led-timeout 25
 --More--
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#led-timeout shutdown
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
 use profile default-nx9000
 use rf-domain default
 hostname nx9500-6C8809
 license AAP 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
 license HTANLT 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
 no autogen-uniqueid
 ip default-gateway 192.168.13.2
 led-timeout shutdown
 crypto ikev2 peer IKEv2Peer1
--More--
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Related Commands

no
  Disables LED-timeout timer
7.1.43 legacy-auto-downgrade
Profile Config Commands

Enables device firmware to auto downgrade when legacy devices are detected

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

legacy-auto-downgrade

Parameters

None

Example

rfs6000-37FABE(config-profile-default-rfs6000)#legacy-auto-downgrade

Related Commands

no
  Prevents device firmware from auto downgrading when legacy devices are detected
7.1.44 legacy-auto-update
Profile Config Commands

Auto updates an AP7161 legacy access point firmware

Supported in the following platforms:
• Access Points — AP7161

Syntax

legacy-auto-update ap71xx image <FILE>

Parameters

• legacy-auto-update ap71xx image <FILE>

legacy-auto-update
  Updates a legacy AP7161 access point firmware

ap71xx image <FILE>
  Auto updates legacy AP7161 firmware
  • image – Sets the path to the firmware image
    • <FILE> – Specify the path and filename in the flash:/ap.img format.

Example

rfs6000-37FABE(config-profile-default-rfs6000)#legacy-auto-update ap71xx image flash:/ap47d.img

Related Commands

no
  Disables automatic legacy firmware upgrade

7.1.45 lldp
Profile Config Commands

Enables LLDP on this profile and configures LLDP settings

LLDP or IEEE 802.1AB is a vendor-neutral Data Link Layer protocol used by network devices for advertising (announcing) identity, capabilities, and interconnections on an IEEE 802 LAN network. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery. Both LLDP snooping and the ability to generate and transmit LLDP packets are provided.

Information obtained via CDP and LLDP snooping is available in the UI. Information obtained using LLDP is provided during the adoption process, so the layer 2 device detected by the access point can be used as a criterion in the provisioning policy.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
lldp [holdtime|med-tlv-select|run|timer]
lldp [holdtime <10-1800>|run|timer <5-900>]
lldp med-tlv-select [inventory-management|power-management {auto}]

Parameters
• lldp [holdtime <10-1800>|run|timer <5-900>]

lldp
    Enables LLDP on this profile and configures LLDP settings
holdtime <10-1800>
    Sets the holdtime for transmitted LLDP PDUs. This command specifies the time a receiving device holds information before discarding.
    • <10-1800> – Specify a holdtime from 10 - 1800 seconds. The default is 180 seconds.
run
    Enables LLDP on this profile
timer <5-900>
    Sets the transmit interval. This command specifies the transmission frequency of LLDP updates in seconds.
    • <5-900> – Specify transmit interval from 5 - 900 seconds. The default is 60 seconds.

• lldp med-tlv-select [inventory-management|power-management {auto}]

lldp
    Enables LLDP on this profile and configures LLDP settings
med-tlv-select [inventory-management|power-management {auto}]
    Provides additional media endpoint device TLVs to enable inventory and power management discovery. Specifies the LLDP MED TLVs to send or receive.
    • inventory-management – Enables inventory management discovery. Allows an endpoint to convey detailed inventory information about itself. This information includes details, such as manufacturer, model, and software version, etc. This option is enabled by default.
    • power-management auto – Enables extended power via MDI discovery. Allows endpoints to convey power information, such as how the device is powered, power priority, etc.
    • auto – Optional. Assigns default value based on device type

Example
rfs6000-37FABE(config-profile-default-rfs6000)#lldp timer 20
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
 ...........................................
 use firewall-policy default
 ip dns-server-forward
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
 ip nat inside source list test interface vlan1 pool pool1 overload
 lldp timer 20
--More--
rfs6000-37FABE(config-profile-default-rfs7000)#

Related Commands
no
    Disables LLDP on this profile

7.1.46 load-balancing
Profile Config Commands

Configures load balancing parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
load-balancing [advanced-params|balance-ap-loads|balance-band-loads|balance-channel-loads|band-control-strategy|band-ratio|group-id|neighbor-selection-strategy]
load-balancing advanced-params [2.4GHz-load|5GHz-load|ap-load|equality-margin|hiwater-threshold|max-neighbors|max-preferred-band-load|min-common-clients|min-neighbor-rssi|min-probe-rssi]
load-balancing advanced-params [2.4GHz-load|5GHz-load|ap-load] [client-weightage|throughput-weightage] <0-100>
load-balancing advanced-params equality-margin [2.4GHz|5GHz|ap|band] <0-100>
load-balancing advanced-params hiwater-threshold [ap|channel-2.4GHz|channel-5GHz] <0-100>
load-balancing advanced-params max-preferred-band-load [2.4GHz|5GHz] <0-100>
load-balancing advanced-params [max-neighbors <0-16>|min-common-clients <0-256>|min-neighbor-rssi <-100-30>|min-probe-rssi <-100-30>]
load-balancing [balance-ap-loads|balance-band-loads|balance-channel-loads [2.4GHz|5GHz]]
load-balancing band-control-strategy [distribute-by-ratio|prefer-2.4GHz|prefer-5GHz]
load-balancing band-ratio [2.4GHz|5GHz] [0|<1-10>]
load-balancing group-id <GROUP-ID>
load-balancing neighbor-selection-strategy [use-common-clients|use-roam-notification|use-smart-rf]

Parameters
• load-balancing advanced-params [2.4GHz-load|5GHz-load|ap-load] [client-weightage|throughput-weightage] <0-100>

load-balancing advanced-params
    Configures advanced load balancing parameters
2.4GHz-load [client-weightage|throughput-weightage] <0-100>
    Configures 2.4 GHz load calculation weightages
    • client-weightage – Specifies weightage assigned to the client-count when calculating the 2.4 GHz load
    • throughput-weightage – Specifies weightage assigned to throughput, when calculating the 2.4 GHz load
    The following keyword is common to the ‘client-weightage’ and ‘throughput-weightage’ parameters:
    • <0-100> – Sets the margin as a load percentage from 1 - 100. The default client-weightage is 90%. The default throughput-weightage is 10%.
5GHz-load [client-weightage|throughput-weightage] <0-100>
    Configures 5.0 GHz load calculation weightages
    • client-weightage – Specifies weightage assigned to the client-count when calculating the 5.0 GHz load
    • throughput-weightage – Specifies weightage assigned to throughput, when calculating the 5.0 GHz load
    The following keyword is common to the ‘client-weightage’ and ‘throughput-weightage’ parameters:
    • <0-100> – Sets the margin as a load percentage from 1 - 100. The default client-weightage is 90%. The default throughput-weightage is 10%.
ap-load [client-weightage|throughput-weightage] <0-100>
    Configures AP load calculation weightages
    • client-weightage – Specifies weightage assigned to the client-count, when calculating the AP load
    • throughput-weightage – Specifies weightage assigned to throughput, when calculating the AP load
    The following keyword is common to the ‘client-weightage’ and ‘throughput-weightage’ parameters:
    • <0-100> – Sets the margin as a load percentage from 1 - 100. The default client-weightage is 90%. The default throughput-weightage is 10%.

• load-balancing advanced-params equality-margin [2.4GHz|5GHz|ap|band] <0-100>

load-balancing advanced-params
    Configures advanced load balancing parameters
equality-margin [2.4GHz|5GHz|ap|band] <0-100>
    Configures the maximum load difference considered equal. The load is compared for different 2.4 GHz channels, 5.0 GHz channels, APs, or bands.
    • 2.4GHz – Configures the maximum load difference considered equal when comparing loads on different 2.4 GHz channels
    • 5GHz – Configures the maximum load difference considered equal when comparing loads on different 5.0 GHz channels
    • ap – Configures the maximum load difference considered equal when comparing loads on different APs
    • band – Configures the maximum load difference considered equal when comparing loads on different bands
    The following keyword is common to 2.4 GHz channels, 5.0 GHz channels, APs, and bands:
    • <0-100> – Sets the margin as a load percentage from 1 - 100. The default equality-margin for 2.5 GHz, 5.0 GHz, ap, and band loads is 1%.

• load-balancing advanced-params hiwater-threshold [ap|channel-2.4GHz|channel-5GHz] <0-100>

load-balancing advanced-params
    Configures advanced load balancing parameters
hiwater-threshold [ap|channel-2.4GHz|channel-5GHz] <0-100>
    Configures the load beyond which load balancing is invoked. Select one of the following options:
    • ap – Configures the AP load beyond which load balancing begins
    • channel-2.4GHz – Configures the AP load beyond which load balancing begins (for APs on 2.4 GHz channel)
    • channel-5GHz – Configures the AP load beyond which load balancing begins (for APs on 5.0 GHz channel)
    The following keyword is common for the ‘AP’, ‘channel-2.4GHz’, and ‘channel-5GHz’ parameters:
    • <0-100> – Sets the load threshold as a number from 1 - 100. The default hiwater-threshold for channel-2.5GHz, channel-5GHz, and ap loads is 5.

• load-balancing advanced-params max-preferred-band-load [2.4GHz|5GHz] <0-100>

load-balancing advanced-params
    Configures advanced load balancing parameters
max-preferred-band-load [2.4GHz|5GHz] <0-100>
    Configures the maximum load on the preferred band, beyond which the other band is equally preferred. Select one of the following options:
    • 2.4GHz – Configures the maximum load on 2.4 GHz, when it is the preferred band
    • 5GHz – Configures the maximum load on 5.0 GHz, when it is the preferred band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    • <0-100> – Configures the maximum load as a percentage from 0 - 100. The default value for 2.4GHz and 5GHz is 75%.

• load-balancing advanced-params [max-neighbors <0-16>|min-common-clients <0-256>|min-neighbor-rssi <-100-30>|min-probe-rssi <-100-30>]

load-balancing advanced-params
    Configures advanced load balancing parameters
max-neighbors <0-16>
    Configures the maximum number of confirmed neighbors to balance
    • <0-16> – Specify a value from 0 - 16. Optionally configure a minimum of 0 neighbors and a maximum of 16 neighbors. The default is 16.
min-common-clients <0-256>
    Configures the minimum number of common clients that can be shared with the neighbor for load balancing
    • <0-256> – Specify a value from 0 - 256. Optionally configure a minimum of 0 clients and a maximum of 256 clients. The default is 0.
min-neighbor-rssi <-100-30>
    Configures the minimum signal strength (RSSI) of a neighbor detected
    • <-100-30> – Sets the signal strength in dBm. Specify a value from -100 - 30 dBm. The default is -65 dBm.
min-probe-rssi <-100-30>
    Configures the minimum received probe signal strength required to qualify the sender as a common client
    • <0-100> – Sets the signal strength in dBm. Specify a value from -100 - 30 dBm. The default is -100 dBm.

• load-balancing [balance-ap-loads|balance-band-loads|balance-channel-loads [2.4GHz|5GHz]]

load-balancing
    Configures the following load balancing parameters: ap-loads, band-loads, and channel-loads.
balance-ap-loads
    Enables neighbor AP load balancing. This option distributes the access point’s radio load amongst other controller managed access point radios. This option is disabled by default.
balance-band-loads
    Enables balancing of the total band load amongst neighbors. This option balances the access point’s radio load by assigning a ratio to both the 2.4 GHz and 5.0 GHz bands. Balancing radio load by band ratio allows an administrator to assign a greater weight to radio traffic on either the 2.4 GHz or 5.0 GHz band. This option is disabled by default.
balance-channel-loads [2.4GHz|5GHz]
    Enables the following:
    • 2.4GHz – Channel load balancing on 2.4 GHz band. This option is disabled by default. Balances the access point’s 2.4 GHz radio load across channels supported within the country of deployment. This can prevent congestion on the 2.4 GHz radio if a channel is over utilized.
    • 5GHz – Channel load balancing on 5.0 GHz band. This option is disabled by default. Balances the access point’s 5.0 GHz radio load across channels supported within the country of deployment. This can prevent congestion on the 5.0 GHz radio if a channel is over utilized.

• load-balancing band-control-strategy [distribute-by-ratio|prefer-2.4GHz|prefer-5GHz]

load-balancing band-control-strategy
    Configures a band control strategy
    By default, this option steers 5.0 GHz-capable clients to the 5.0 GHz band. When an access point hears a request from a client to associate on both the 2.4 GHz and 5.0 GHz bands, it knows the client is capable of operation in 5.0 GHz. Band steering steers the client by responding only to the 5.0 GHz association request and not the 2.4 GHz request. Consequently, the client only associates in the 5.0 GHz band.
distribute-by-ratio
    Distributes clients to either band according to the band-ratio
prefer-2.4GHz
    Nudges all dual-band clients to 2.4 GHz band
prefer-5GHz
    Nudges all dual-band clients to 5.0 GHz band. This is the default setting.

• load-balancing band-ratio [2.4GHz|5GHz] [0|<1-10>]

load-balancing band-ratio
    Configures the relative loading of 2.4 GHz band and 5.0 GHz band.
    This allows an administrator to weight client traffic load if wishing to prioritize client traffic load on the 2.4 GHz or the 5.0 GHz radio band. The higher the value set, the greater the weight assigned to radio traffic load on the 2.4 GHz or 5.0 GHz radio band.
2.4GHz [0|<1-10>]
    Configures the relative loading of 2.4 GHz band
    • 0 – Selecting ‘0’ steers all dual-band clients preferentially to the other band
    • <0-10> – Configures a relative load as a number from 0 - 10. The default is 0.
5ghz [0|<1-10>]
    Configures the relative loading of 5.0 GHz band
    • 0 – Selecting ‘0’ steers all dual-band clients preferentially to the other band
    • <0-10> – Configures a relative load as a number from 0 - 10. The default is 1.

• load-balancing group-id <GROUP-ID>

load-balancing group-id <GROUP-ID>
    Configures group ID to facilitate load balancing
    • <GROUP-ID> – Specify the group ID. This option is enabled only when a group ID is configured.

• load-balancing neighbor-selection-strategy [use-common-clients|use-roam-notification|use-smart-rf]

load-balancing neighbor-selection-strategy
    Configures a neighbor selection strategy. The options are: use-common-clients, use-roam-notification, and use-smart-rf
use-common-clients
    Selects neighbors based on probes from clients common to neighbors. This option is enabled by default.
use-roam-notification
    Selects neighbors based on roam notifications from roamed clients. This option is enabled by default.
use-smart-rf
    Selects neighbors detected by Smart RF. This option is enabled by default.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#load-balancing advanced-params 2.4ghz-load throughput-weightage 90
rfs6000-37FABE(config-profile-default-rfs6000)#load-balancing advanced-params hiwater-threshold ap 90
rfs6000-37FABE(config-profile-default-rfs6000)#load-balancing balance-ap-loads
rfs7000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 ip default-gateway 172.16.10.4
 autoinstall configuration
 autoinstall firmware
 load-balancing advanced-params 2.4ghz-load throughput-weightage 90
 load-balancing advanced-params hiwater-threshold ap 90
 load-balancing balance-ap-loads
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Disables load balancing on this profile

7.1.47 logging
Profile Config Commands

Enables message logging and configures logging settings. When enabled, the profile logs individual system events to a user-defined log file or a syslog server. Message logging is disabled by default.

Enabling message logging is recommended, because system event logs can be analyzed to determine an overall pattern that may be negatively impacting performance.

This command can also be executed in the device configuration mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
logging [aggregation-time|buffered|console|facility|forward|host|on|syslog]
logging [aggregation-time <1-60>|host [<IPv4>|<IPv6>] {port <1-65535>}|on]
logging [buffered|console|syslog|forward] [<0-7>|emergencies|alerts|critical|errors|warnings|notifications|informational|debugging]
logging facility [local0|local1|local2|local3|local4|local5|local6|local7]

Parameters
• logging [aggregation-time <1-60>|host [<IPv4>|<IPv6>] {port <1-65535>}|on]

logging
    Enables message logging and configures logging settings
aggregation-time <1-60>
    Sets the number of seconds for aggregating repeated messages. This is the interval at which system events are logged on behalf of this profile. The shorter the interval, the sooner the event is logged.
    • <1-60> – Specify a value from 1 - 60 seconds. The default value is 0.
host [<IPv4>|<IPv6>] {port <1-65535>}
    Configures a remote host to receive log messages. Defines numerical (non DNS) IPv4 or IPv6 addresses for external resources where logged system events can be sent on behalf of the profile (or device). A maximum of four entries can be made.
    • <IPv4> – Specify the IPv4 address of the remote host.
    • <IPv6> – Specify the IPv6 address of the remote host.
    • port <1-65535> – Optional. Configures the syslog port
    • <1-65535> – Specify the syslog port from 1 - 65535. The default port is 514.
on
    Enables the logging of system messages

• logging [buffered|console|syslog|forward] [<0-7>|emergencies|alerts|critical|errors|warnings|notifications|informational|debugging]

logging
    Enables message logging and configures logging settings
buffered
    Sets the buffered logging level
console
    Sets the console logging level
syslog
    Sets the syslog server’s logging level
forward
    Forwards system debug messages to the wireless controller or service platform
[<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]
    The following keywords are common to the buffered, console, syslog, and forward parameters.
    All incoming messages have different severity levels based on their importance. The severity level is fixed on a scale of 0 - 7.
    • <0-7> – Sets the message logging severity level on a scale of 0 - 7
    • emergencies – Severity level 0: System is unusable
    • alerts – Severity level 1: Requires immediate action
    • critical – Severity level 2: Critical conditions
    • errors – Severity level 3: Error conditions
    • warnings – Severity level 4: Warning conditions (default)
    • notifications – Severity level 5: Normal but significant conditions
    • informational – Severity level 6: Informational messages
    • debugging – Severity level 7: Debugging messages

• logging facility [local0|local1|local2|local3|local4|local5|local6|local7]

logging
    Enables message logging and configures logging settings
facility [local0|local1|local2|local3|local4|local5|local6|local7]
    Enables the syslog to decide where to send the incoming message
    There are 8 logging facilities, from syslog0 to syslog7.
    • local0 – Syslog facility local0
    • local1 – Syslog facility local1
    • local2 – Syslog facility local2
    • local3 – Syslog facility local3
    • local4 – Syslog facility local4
    • local5 – Syslog facility local5
    • local6 – Syslog facility local6
    • local7 – Syslog facility local7

Example
rfs6000-37FABE(config-profile-default-rfs6000)#logging facility local4
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
 ...................................................
 ip dns-server-forward
 logging facility local4
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
 ip nat inside source list test interface vlan1 pool pool1 overload
 lldp timer 20
  service pm sys-restart
 router ospf
 l2tpv3 hostname l2tpv3Host1
 l2tpv3 inter-tunnel-bridging
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Disables logging on this profile
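
The following added example (not part of the vendor guide) checks the `logging` lines of a profile against the limits stated above: logging is off until `logging on` is present, remote hosts must be numeric IPv4 or IPv6 addresses, at most four hosts are allowed, and the port must fall in 1 - 65535 with 514 as the default. The sample profile and host addresses are constructed, and the PRI formula (facility code × 8 + severity, with local0 = 16) is standard syslog behaviour rather than something taken from this guide.

```python
import ipaddress

# Severity keywords in the order listed in the guide: index == numeric level.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
TARGETS = ("buffered", "console", "syslog", "forward")
FACILITY_CODE = {f"local{i}": 16 + i for i in range(8)}  # standard syslog codes
MAX_HOSTS, DEFAULT_PORT = 4, 514

# Constructed sample profile (not device output): no 'logging on', a DNS name,
# an out-of-range port and five host lines.
SAMPLE_PROFILE = """\
profile rfs6000 default-rfs6000
 logging facility local4
 logging syslog notifications
 logging host 192.0.2.10 port 6514
 logging host 2001:db8::10
 logging host syslog.example.net
 logging host 192.0.2.11 port 70000
 logging host 192.0.2.12
"""


def severity_level(token):
    """Map a severity keyword or a digit 0-7 to its numeric level."""
    if token in SEVERITIES:
        return SEVERITIES.index(token)
    if token.isdigit() and int(token) <= 7:
        return int(token)
    raise ValueError(f"unknown severity {token!r}")


def syslog_pri(facility, severity):
    """PRI value a collector sees for this facility and severity."""
    return FACILITY_CODE[facility] * 8 + severity_level(severity)


def audit_logging(config_text):
    """Parse 'logging ...' lines and return the parsed state plus findings."""
    state = {"enabled": False, "facility": None, "hosts": [],
             "levels": {}, "findings": []}
    note = state["findings"].append
    host_lines = 0
    for raw in config_text.splitlines():
        w = raw.split()
        if len(w) < 2 or w[0] != "logging":
            continue
        if w[1] == "on":
            state["enabled"] = True
        elif w[1] == "facility" and len(w) > 2:
            if w[2] in FACILITY_CODE:
                state["facility"] = w[2]
            else:
                note(f"logging facility {w[2]}: not one of local0-local7")
        elif w[1] in TARGETS and len(w) > 2:
            try:
                state["levels"][w[1]] = severity_level(w[2])
            except ValueError as exc:
                note(f"logging {w[1]}: {exc}")
        elif w[1] == "host" and len(w) > 2:
            host_lines += 1
            port = DEFAULT_PORT
            if len(w) > 3:
                if len(w) > 4 and w[3] == "port" and w[4].isdigit():
                    port = int(w[4])
                else:
                    note(f"logging host {w[2]}: malformed port option")
                    continue
            try:
                addr = ipaddress.ip_address(w[2])
            except ValueError:
                note(f"logging host {w[2]}: not a numeric IPv4/IPv6 address")
                continue
            if not 1 <= port <= 65535:
                note(f"logging host {addr}: port {port} is outside 1-65535")
                continue
            state["hosts"].append((str(addr), port))
    if host_lines > MAX_HOSTS:
        note(f"{host_lines} logging host lines: the maximum is {MAX_HOSTS}")
    if not state["enabled"]:
        note("no 'logging on' line: message logging stays at its disabled default")
    return state


if __name__ == "__main__":
    result = audit_logging(SAMPLE_PROFILE)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("PRI for local4/notifications:", syslog_pri("local4", "notifications"))
```

The PRI value is what a collector-side filter matches on, so it ties the `logging facility` choice made here to the rule that routes these devices' messages on the syslog server.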

7.1.48 mac-address-table
Profile Config Commands

Configures the MAC address table. Use this command to create MAC address table entries by assigning a static address to the MAC address table.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac-address-table [aging-time|detect-gateways|static]
mac-address-table aging-time [0|<10-1000000>]
mac-address-table detect-gateways
mac-address-table static <MAC> vlan <1-4094> interface [<L2-INTERFACE>|ge <1-4>|port-channel <1-2>]

Parameters
• mac-address-table aging-time [0|<10-1000000>]

mac-address-table aging-time [0|<10-1000000>]
    Sets the duration a learned MAC address persists after the last update
    • 0 – Entering the value ‘0’ disables the aging time
    • <10-1000000> – Sets the aging time from 10 - 100000 seconds. The default is 300 seconds.

• mac-address-table detect-gateways

mac-address-table detect-gateways
    Enables automatic detection of gateways. Detected gateways are remembered in the MAC address table.

• mac-address-table static <MAC> vlan <1-4094> interface [<L2-INTERFACE>|ge <1-4>|port-channel <1-2>]

mac-address-table static <MAC>
    Creates a static MAC address table entry
    • <MAC> – Specifies the static address to add to the MAC address table. Specify the MAC address in the AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF, or AABB.CCDD.EEFF format.
vlan <1-4094>
    Assigns a static MAC address to a specified VLAN port
    • <1-4094> – Specify the VLAN index from 1 - 4094.
interface [<L2-INTERFACE>|ge <1-4>|port-channel <1-2>]
    Specifies the interface type. The options are: layer 2 Interface, GigabitEthernet interface, and a port channel interface
    • <L2-INTERFACE> – Specify the layer 2 interface name.
    • ge – Specifies a GigabitEthernet interface
    • <1-4> – Specify the GigabitEthernet interface index from 1 - 4.
    • port-channel – Specifies a port channel interface
    • <1-2> – Specify the port channel interface index from 1 - 2.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#mac-address-table static 00-40-96-B0-BA-2A vlan 1 interface ge 1
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
 .........................................................
  logging facility local4
 mac-address-table static 00-40-96-B0-BA-2A vlan 1 interface ge1
 ip nat pool pool1
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Disables or reverts settings to their default

7.1.49 mac-auth
Profile Config Commands

Enables authentication of a client’s MAC address on wired ports. When configured, MAC authentication will be enabled on devices using this profile.

To enable MAC address authentication on a device, enter the device’s configuration mode and execute the mac-auth command.

When enabled, the source MAC address of a device, connected to the specified wired port, is authenticated with the RADIUS server. Once authenticated, the device is permitted access to the managed network and packets from the authenticated source are processed. If not authenticated, the device is either denied access or provided guest access through the guest VLAN (provided guest VLAN access is configured on the port).

Enabling MAC authentication requires you to first configure a AAA policy specifying the RADIUS server. Configure the client’s MAC address on the specified RADIUS server. Attach this AAA policy to a profile or a device. Finally, enable MAC authentication on the desired wired port of the device or device-profile.

Only one MAC address is supported for every wired port. Consequently, when one source MAC address is authenticated, packets from all other sources are dropped.

To enable client MAC authentication on a wired port:

1 Configure the user on the RADIUS server. The following examples create a RADIUS server user entry.
  a <DEVICE>(config)#radius-group <RAD-GROUP-NAME>
    <DEVICE>(config-radius-group-<RAD-GROUP-NAME>)#policy vlan <VLAN-ID>
  b <DEVICE>(config)#radius-user-pool-policy <RAD-USER-POOL-NAME>
    <DEVICE>(config-radius-user-pool-<RAD-USER-POOL-NAME>)#user <USER-NAME> password <PASSWORD> group <RAD-GROUP-OF-STEP-A>
    Note: The <USER-NAME> and <PASSWORD> should be the client’s MAC address. This address will be matched against the MAC address of incoming traffic at the specified wired port.
  c <DEVICE>(config)#radius-server-policy <RAD-SERVER-POL-NAME>
    <DEVICE>(config-radius-server-policy-<RAD-SERVER-POL-NAME>)#use radius-user-pool-policy <RAD-USER-POOL-OF-STEP-B>

2 Configure a AAA policy exclusively for wired MAC authentication and specify the authentication (RADIUS) server settings. The following example creates a AAA policy ‘macauth’ and enters its configuration mode:
    <DEVICE-A>(config)#aaa-policy macauth
    <DEVICE-A>(config-aaa-policy-macauth)#...
  a Specify the RADIUS server details.
    <DEVICE-A>(config)#aaa-policy macauth
    <DEVICE-A>(config-aaa-policy-macauth)#authentication server <1-6> [host <IP>|onboard]

3 Attach the AAA policy to the device or profile. When attached to a profile, the AAA policy is applied to all devices using this profile.
    <DEVICE>(config-device-aa-bb-cc-dd-ee)#mac-auth use aaa-policy macauth
    <DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#mac-auth use aaa-policy macauth

4 Enable mac-auth on the device’s desired GE port. When enabled on a profile, MAC address authentication is enabled, on the specified GE port, of all devices using this profile.
    <DEVICE>(config-device-aa-bb-cc-dd-ee)#interface ge x
    <DEVICE>(config-device-aa-bb-cc-dd-ee-gex)#mac-auth
    <DEVICE>(config-profile-<PROFILE-NAME>)#interface ge x
    <DEVICE>(config-profile-<PROFILE-NAME>)#mac-auth

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac-auth use aaa-policy <AAA-POLICY-NAME>

Parameters
• mac-auth use aaa-policy <AAA-POLICY-NAME>

mac-auth
    Enables 802.1X authentication of MAC addresses on this profile. Use the device configuration mode to enable this feature on a device.
use aaa-policy <AAA-POLICY-NAME>
    Associates an existing AAA policy with this profile (or device)
    • <AAA-POLICY-NAME> – Specify the AAA policy name.
    The AAA policy used should be created especially for MAC authentication.

Example
The following examples demonstrate the configuration of authentication of MAC addresses on wired ports:

rfs4000-229D58(config-aaa-policy-mac-auth)#authentication server 1 onboard controller
rfs4000-229D58(config-aaa-policy-mac-auth)#show context
aaa-policy mac-auth
 authentication server 1 onboard controller
rfs4000-229D58(config-aaa-policy-mac-auth)#

rfs4000-229D58(config)#radius-group RG
rfs4000-229D58(config-radius-group-RG)#policy vlan 11
rfs4000-229D58(config-radius-group-RG)#show context
radius-group RF
 policy vlan 11
rfs4000-229D58(config-radius-group-RG)#

rfs4000-229D58(config)#radius-user-pool-policy RUG
rfs4000-229D58(config-radius-user-pool-RUG)#user 00-16-41-55-F8-5D password 00-16-41-55-F8-5D group RG
rfs4000-229D58(config-radius-user-pool-RUG)#show context
radius-user-pool-policy RUG
 user 00-16-41-55-F8-5D password 0 00-16-41-55-F8-5D group RG
rfs4000-229D58(config-radius-user-pool-RUG)#

rfs4000-229D58(config)#radius-server-policy RS
rfs4000-229D58(config-radius-server-policy-RS)#use radius-user-pool-policy RUG
rfs4000-229D58(config-radius-server-policy-RS)#show context
radius-server-policy RS
 use radius-user-pool-policy RUG
rfs4000-229D58(config-radius-server-policy-RS)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge4)#show context
 interface ge4
  dot1x authenticator host-mode single-host
  dot1x authenticator port-control auto
  mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge4)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#show context
 interface ge5
  switchport mode access
  switchport access vlan 1
  dot1x authenticator host-mode single-host
  dot1x authenticator guest-vlan 5
  dot1x authenticator port-control auto
  mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#

rfs4000-229D58(config-device-00-23-68-22-9D-58)#show macauth interface ge 4
Mac Auth info for interface GE4
-----------------------------------
 Mac Auth Enabled
 Mac Auth Authorized
Client MAC 00-16-41-55-F8-5D
rfs4000-229D58(config-device-00-23-68-22-9D-58)#

rfs4000-229D58(config-device-00-23-68-22-9D-58)#show macauth interface ge 5
Mac Auth info for interface GE5
-----------------------------------
 Mac Auth Enabled
 Mac Auth Not Authorized
rfs4000-229D58(config-device-00-23-68-22-9D-58)#

Related Commands
no
    Disables authentication of MAC addresses on wired ports settings on this profile (or device)
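
The four-step procedure above only works when every link in the chain is present, so the following added example (not part of the vendor guide) audits a configuration dump for broken links: a port with `mac-auth` but no attached AAA policy, an AAA policy without an authentication server, a user pool no RADIUS server policy uses, and a MAC user whose password is not the same MAC. The sample configuration is constructed from the fragments shown in this section; the indentation-nested layout, the profile name `lobby`, the second MAC address, and treating the `0` after `password` as a marker rather than the password are assumptions.

```python
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}$")

# Constructed sample (not device output). Two deliberate faults: a MAC user
# whose password is not the MAC, and a profile with mac-auth on a port but
# no 'mac-auth use aaa-policy' line.
SAMPLE_CONFIG = """\
radius-group RG
 policy vlan 11
radius-user-pool-policy RUG
 user 00-16-41-55-F8-5D password 0 00-16-41-55-F8-5D group RG
 user 00-16-41-55-F8-5E password 0 printer123 group RG
radius-server-policy RS
 use radius-user-pool-policy RUG
aaa-policy macauth
 authentication server 1 onboard controller
profile rfs4000 testRFS4000
 mac-auth use aaa-policy macauth
 interface ge4
  dot1x authenticator host-mode single-host
  dot1x authenticator port-control auto
  mac-auth
 interface ge5
  switchport mode access
  switchport access vlan 1
  dot1x authenticator guest-vlan 5
  mac-auth
profile rfs4000 lobby
 interface ge1
  mac-auth
"""


def norm_mac(value):
    """Strip separators and case so differently written MACs compare equal."""
    return re.sub(r"[-:.]", "", value).lower()


def parse_blocks(text):
    """Group indented lines under their top-level object: {(kind, name): [(depth, words)]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth, words = len(raw) - len(raw.lstrip(" ")), raw.split()
        if depth == 0:
            current = (words[0], words[-1])  # 'profile rfs4000 NAME' -> NAME
            blocks[current] = []
        elif current is not None:
            blocks[current].append((depth, words))
    return blocks


def user_entry(words):
    """Split 'user <NAME> password [0] <PASSWORD> group <GROUP>'."""
    rest = words[words.index("password") + 1:]
    if len(rest) > 1 and rest[0] == "0" and rest[1] != "group":
        rest = rest[1:]  # assumed type marker seen in 'show context' output
    group = rest[rest.index("group") + 1] if "group" in rest[:-1] else None
    return words[1], (rest[0] if rest else ""), group


def audit_mac_auth(text):
    """Return (findings, ports); ports maps 'owner port' to the unauthenticated fallback."""
    blocks, findings, ports = parse_blocks(text), [], {}
    names = lambda kind: {n for (k, n) in blocks if k == kind}
    served = {w[2] for (k, _), body in blocks.items() if k == "radius-server-policy"
              for _, w in body if w[:2] == ["use", "radius-user-pool-policy"] and len(w) > 2}
    for (kind, pool), body in blocks.items():
        if kind != "radius-user-pool-policy":
            continue
        if pool not in served:
            findings.append(f"{pool}: user pool is not used by any radius-server-policy")
        for _, w in body:
            if w[0] != "user" or len(w) < 2 or "password" not in w:
                continue
            user, secret, group = user_entry(w)
            if MAC_RE.match(user) and norm_mac(secret) != norm_mac(user):
                findings.append(f"{pool}: password for {user} is not the client MAC")
            if group is not None and group not in names("radius-group"):
                findings.append(f"{pool}: {user} references undefined radius-group {group}")
    for (_, owner), body in blocks.items():
        policy, iface, iface_depth, per_if = None, None, 0, {}
        for depth, w in body:
            if w[:3] == ["mac-auth", "use", "aaa-policy"] and len(w) > 3:
                policy = w[3]
            elif w[0] == "interface" and len(w) > 1:
                iface, iface_depth = "".join(w[1:]), depth  # 'ge 4' and 'ge4' alike
                per_if[iface] = {"mac_auth": False, "guest_vlan": None}
            elif iface is not None and depth > iface_depth:
                if w == ["mac-auth"]:
                    per_if[iface]["mac_auth"] = True
                elif w[:3] == ["dot1x", "authenticator", "guest-vlan"] and len(w) > 3:
                    per_if[iface]["guest_vlan"] = w[3]
            else:
                iface = None
        for name, state in per_if.items():
            if not state["mac_auth"]:
                continue
            where = f"{owner} {name}"
            if policy is None:
                findings.append(f"{where}: mac-auth enabled but no 'mac-auth use aaa-policy' attached")
            elif policy not in names("aaa-policy"):
                findings.append(f"{where}: aaa-policy {policy} is not defined")
            elif not any(w[:2] == ["authentication", "server"]
                         for _, w in blocks[("aaa-policy", policy)]):
                findings.append(f"{where}: aaa-policy {policy} has no authentication server")
            ports[where] = f"guest VLAN {state['guest_vlan']}" if state["guest_vlan"] else "denied"
    return findings, ports
```

The `ports` result records what an unauthenticated device gets on each MAC-authenticated port, guest VLAN access or denial, which is the fallback behaviour this section describes.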

7.1.50 management-server
Profile Config Commands

Configures a management server with this profile. This command is also applicable to the device configuration context.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
management-server <HOST-NAME> port <1-65535>

Parameters
• management-server <HOST-NAME> port <1-65535>

management-server <HOST-NAME> port <1-65535>
    Configures a management server with this profile. Use this command to identify the management server.
    • <HOST-NAME> – Specify the management server’s host name.
    • port <1-65535> – Specify the port where the management server is reachable. The default setting is port 443.

Example
rfs6000-81742D(config-profile-testRFS6000)#management-server nx9500-6C8809 port 300
rfs6000-81742D(config-profile-testRFS6000)#show context include-factory | include management-server
 management-server nx9500-6C8809 port 300
rfs6000-81742D(config-profile-testRFS6000)#

Related Commands
no
    Removes the management server configuration

7.1.51 memory-profile
Profile Config Commands

Configures memory profile used on the device

Supported in the following platforms:
• Access Points — AP6511, AP6521

Syntax
memory-profile [adopted|standalone]

Parameters
• memory-profile [adopted|standalone]

memory-profile
    Configures memory profile used on the device
adopted
    Configures adopted mode (no GUI and higher MiNT routes, firewall flows)
standalone
    Configures standalone mode (GUI and fewer MiNT routes, firewall flows)

Example
nx9500-6C8809(config-profile-testAP6511)#memory-profile adopted
Note: memory-profile change will take effect after device reboot
nx9500-6C8809(config-profile-testAP6511)#

Related Commands
no
    Resets device's memory profile configuration

7.1.52 meshpoint-device
Profile Config Commands

Configures meshpoint device parameters. This feature is configurable in the profile and device configuration modes.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
meshpoint-device <MESHPOINT-NAME>

Parameters
• meshpoint-device <MESHPOINT-NAME>

meshpoint-device <MESHPOINT-NAME>
    Configures meshpoint device parameters
    • <MESHPOINT-NAME> – Specify meshpoint name.

Usage Guidelines
For Vehicular Mounted Modem (VMM) access points or other mobile devices, set the path selection method as mobile-snr-leaf in the config-meshpoint-device mode. For more information, see path-method.

Example
rfs6000-37FABE(config-profile-testAP7161)#meshpoint-device test
rfs6000-37FABE(config-profile-testAP7161-meshpoint-test)#?
Mesh Point Device Mode commands:
  acs          Configure auto channel selection parameters
  exclude      Exclude neighboring Mesh Devices
  hysteresis   Configure path selection SNR hysteresis values
  monitor      Event Monitoring
  no           Negate a command or set its defaults
  path-method  Path selection method used to find a root node
  preferred    Configure preferred path parameters
  root         Set this meshpoint as root
  root-select  Root selection method parameters
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
rfs6000-37FABE(config-profile-testAP7161-meshpoint-test)#

Related Commands
no
    Removes a specified meshpoint

NOTE: For more information on the meshpoint-device configuration parameters, see Chapter 26, MESHPOINT.

7.1.53 meshpoint-monitor-interval

Profile Config Commands

Configures the meshpoint monitoring interval. This is the interval, in seconds, at which the meshpoint status is checked.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
meshpoint-monitor-interval <1-65535>

Parameters
• meshpoint-monitor-interval <1-65535>

meshpoint-monitor-interval <1-65535>
    Configures the meshpoint monitoring interval in seconds
    • <1-65535> – Specify the interval from 1 - 65535 seconds. The default is 30 seconds.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#meshpoint-monitor-interval 100
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 meshpoint-monitor-interval 100
 ip default-gateway 172.16.10.4
 --More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Resets the meshpoint monitoring interval to default (30 seconds)

7.1.54 min-misconfiguration-recovery-time

Profile Config Commands

Configures the minimum device connectivity verification time

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
min-misconfiguration-recovery-time <60-3600>

Parameters
• min-misconfiguration-recovery-time <60-3600>

min-misconfiguration-recovery-time <60-3600>
    Configures the minimum connectivity (with the associated device) verification interval
    • <60-3600> – Specify a value from 60 - 3600 seconds (default is 60 seconds).

Example
nx9500-6C8809(config-profile-testRFS4000)#min-misconfiguration-recovery-time 500
nx9500-6C8809(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
 meshpoint-monitor-interval 300
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface up1
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface wwan1
 interface pppoe1
 use firewall-policy default
 min-misconfiguration-recovery-time 500
 service pm sys-restart
 router ospf
 router bgp
nx9500-6C8809(config-profile-testRFS4000)#

Related Commands
no
    Resets setting to default (60 seconds)

7.1.55 mint

Profile Config Commands

Configures MiNT protocol parameters required for MiNT creation and adoption

MiNT links are required for adoption of a device (APs, wireless controller, and service platform) to a controller. The MiNT link is created on both the adoptee and the adopter. WiNG provides several commands to configure MiNT links and establish adoption for both IPv4 and IPv6 addresses.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mint [dis|inter-tunnel-bridging|level|link|mlcp|rate-limit|spf-latency|tunnel-across-extended-vlan|tunnel-controller-load-balancing]
mint dis [priority-adjustment <-255-255>|strict-evis-reachability]
mint inter-tunnel-bridging
mint level 1 area-id [<1-16777215>|<NUMBER-ALIAS-NAME>]
mint link [force|ip|listen|vlan]
mint link force ip [<IPv4>|<IPv6>] [<1-65535> level 2|level 2] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-secure {gw [<IP>|<HOST-NAME>]}}
mint link [listen ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>]|vlan <1-4094>] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-security {gw [<IP>|<HOST-NAME>]}|level [1|2]}
mint link ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>] {<1-65535>|adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-security {gw [<IP>|<HOST-NAME>]}|level [1|2]}
mint mlcp [ip|ipv6|vlan]
mint rate-limit level2 [link|mlcp]
mint rate-limit level2 [link [ip [<IPv4>|<IPv6>] <1-65535>|vlan <1-4094>]|mlcp [ip|ipv6|vlan]] rate <50-1000000> max-burst-size <2-1024> {red-threshold [background|best-effort|video|voice] <0-100>}
mint spf-latency <0-60>
mint tunnel-across-extended-vlan
mint tunnel-controller-load-balancing level1

Parameters
• mint dis [priority-adjustment <-255-255>|strict-evis-reachability]

mint
    Configures MiNT protocol parameters required for MiNT link creation and adoption
dis priority-adjustment <-255-255>
    Sets the relative priority for the router to become DIS (designated router)
    • priority-adjustment – Sets priority adjustment added to base priority
    The Designated IS (DIS) priority adjustment is the value added to the base level DIS priority to influence the DIS election. A value of +1 or greater increases DISiness.
        • <-255-255> – Specify a value from -255 - 255. The default is 0.
    Higher numbers result in higher priorities
strict-evis-reachability
    Enables reaching Ethernet Virtualization Interconnect (EVIS) election winners through MiNT. This option is enabled by default.

• mint inter-tunnel-bridging

mint
    Configures MiNT protocol parameters required for MiNT link creation, adoption and communication
inter-tunnel-bridging
    Enables forwarding of broadcast multicast (BCMC) packets between devices communicating via Level 2 MiNT links. When enabled, MiNT tunnels across Level 2, adopted access points are bridged. One of the advantages of inter-tunnel bridging is the enabling of roaming between these access points. This option is disabled by default.
    If enabling this option, use ACLs to filter unwanted BCMC traffic.

• mint level 1 area-id [<1-16777215>|<NUMBER-ALIAS-NAME>]

mint
    Configures MiNT protocol parameters required for MiNT link creation and adoption
level 1
    Configures local MiNT routing settings
    • 1 – Configures local MiNT routing level
area-id [<1-16777215>|<NUMBER-ALIAS-NAME>]
    Specifies the level 1 routing area identifier. Use one of the following options to specify the area ID:
    • <1-16777215> – Specify a value from 1 - 16777215.
    • <NUMBER-ALIAS-NAME> – Specify a number alias (should be existing and configured). Aliases are configuration items that can be defined once and used in different configuration contexts. For more information on creating a number alias, see alias.

• mint link force ip [<IPv4>|<IPv6>] [<1-65535> level 2|level 2] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-security {gw [<IP>|<HOST-NAME>]}}

mint
    Configures MiNT protocol parameters required for MiNT link creation and adoption
link force
    Creates a MiNT routing link as a forced link
    • force – Forces a MiNT routing link to be created even if not necessary
ip [<IPv4>|<IPv6>]
    Creates a MiNT tunnel over UDP/IPv4 or IPv6
    Use this keyword to specify the IP address (IPv4 or IPv6) used by peers for inter-operation when supporting the MINT protocol.
    • <IPv4> – Specify the MiNT tunnel peer’s IPv4 address.
    • <IPv6> – Specify the MiNT tunnel peer’s IPv6 address.
    After specifying the MiNT peer’s address, configure the following MiNT link parameters: UDP port, adjacency-hold-time, cost, hello-interval, IPSec security gateway, and routing level.
<1-65535> level 2
    Optional. Specifies a custom UDP port for MiNT links. Specify the port from 1 - 65535.
    • level – Specifies the routing level
        • 2 – Configures level 2 inter-site MiNT routing
adjacency-hold-time <2-600>
    Optional. Specifies the adjacency lifetime after hello packets cease
    • <2-600> – Specify a value from 2 - 600 seconds. The default is 46 seconds.
cost <1-100000>
    Optional. Specifies the link cost in arbitrary units
    • <1-100000> – Specify a value from 1 - 100000. The default is 100.
hello-interval <1-120>
    Optional. Specifies the interval, in seconds, between successive hello packets
    • <1-120> – Specify a value from 1 - 120 seconds. The default is 15 seconds.
ipsec-security {gw [<IP>|<HOST-NAME>]}
    Optional. Enables IPSec secure peer authentication on the MiNT link connection (link). This option is disabled by default.
    • gw [<IP>|<HOSTNAME>] – Optional. Configures the IPSec secure gateway. When enabling IPSec, you can optionally specify the IPSec secure gateway’s numerical IP address or administrator defined hostname.

• mint link [listen ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>]|vlan <1-4094>] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|level [1|2]|ipsec-security {gw [<IP>|<HOST-NAME>]}}

mint
    Configures MiNT protocol parameters required for MiNT link creation and adoption
link listen ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>]
    Creates a MiNT routing link
    • listen – Creates a MiNT listening link
        • ip – Creates a MiNT listening link over UDP/IP or IPv6
            • <IPv4> – Specify the IPv4 address of the listening UDP/IP link.
            • <IPv6> – Specify the IPv6 address of the listening UDP/IP link.
            • <HOST-ALIAS-NAME> – Specify the host alias identifying the MiNT link address. The host alias should exist and be configured.
    UDP/IP links can be created by configuring a matching pair of links, one on each end point. However, that is error prone and does not scale. So UDP/IP links can also listen (in the TCP sense), and dynamically create connected UDP/IP links when contacted. The typical configuration is to have a listening UDP/IP link on the IP address S.S.S.S, and for all the APs to have a regular UDP/IP link to S.S.S.S.
link vlan <1-4094>
    Enables MiNT routing on VLAN
    • vlan – Defines a VLAN ID used by peers for inter-operation when supporting the MINT protocol.
        • <1-4094> – Select VLAN ID from 1 - 4094.
adjacency-hold-time <2-600>
    This parameter is common to the ‘listen’ and ‘vlan’ parameters:
    • adjacency-hold-time <2-600> – Optional. Specifies the adjacency lifetime after hello packets cease
        • <2-600> – Specify a value from 2 - 600 seconds. The default is 46 seconds.
    For MiNT VLAN routing, the default is 13 seconds.
cost <1-100000>
    This parameter is common to the ‘listen’ and ‘vlan’ parameters:
    • cost <1-100000> – Optional. Specifies the link cost in arbitrary units
        • <1-100000> – Specify a value from 1 - 100000. The default is 100. For MiNT VLAN routing, the default is 10.
hello-interval <1-120>
    This parameter is common to the ‘listen’ and ‘vlan’ parameters:
    • hello-interval <1-120> – Optional. Specifies the interval, in seconds, between successive hello packets
        • <1-120> – Specify a value from 1 - 120. The default is 15 seconds.
    For MiNT VLAN routing the default is 4 seconds.
level [1|2]
    This parameter is common to the ‘listen’ and ‘vlan’ parameters:
    Optional. Specifies the routing levels for this routing link. The options are:
    • 1 – Configures local routing
    • 2 – Configures inter-site routing
ipsec-security {gw [<IP>|<HOST-NAME>]}
    This parameter is common to the ‘listen’ and ‘vlan’ parameters:
    • ipsec-security – Optional. Enables IPSec secure peer authentication on the MiNT connection (link). This option is disabled by default.
        • gw [<IP>|<HOSTNAME>] – Optional. Configures the IPSec secure gateway. When enabling IPSec, you can optionally specify the IPSec secure gateway’s numerical IP address or administrator defined hostname.

• mint link ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>] {<1-65535>|adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|level [1|2]|ipsec-security {gw [<IP>|<HOST-NAME>]}}

mint
    Configures MiNT protocol parameters required for MiNT link creation and adoption
link ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>]
    Creates a MiNT routing link
    • ip – Creates a MiNT tunnel over UDP/IP or IPv6
    Use this keyword to specify the IP address (IPv4 or IPv6) used by peers for inter-operation when supporting the MINT protocol.
        • <IPv4> – Specify the IPv4 address used by peers.
        • <IPv6> – Specify the IPv6 address used by peers.
        • <HOST-ALIAS-NAME> – Specify the host alias identifying the MiNT tunnel peer’s address. The host alias should exist and be configured.
<1-65535>
    Select the peer UDP port from 1 - 65535.
adjacency-hold-time <2-600>
    Optional. Specifies the adjacency lifetime after hello packets cease
    • <2-600> – Specify a value from 2 - 600 seconds. The default is 46 seconds.
cost <1-100000>
    Optional. Specifies the link cost in arbitrary units
    • <1-100000> – Specify a value from 1 - 100000. The default is 100.
hello-interval <1-120>
    Optional. Specifies the interval, in seconds, between successive hello packets
    • <1-120> – Specify a value from 1 - 120. The default is 15 seconds.
level [1|2]
    Optional. Specifies the routing levels for this routing link. The options are:
    • 1 – Configures local routing
    • 2 – Configures inter-site routing
ipsec-security {gw [<IP>|<HOST-NAME>]}
    Optional. Enables IPSec secure peer authentication on the MiNT connection (link). This option is disabled by default.
    • gw [<IP>|<HOSTNAME>] – Optional. Configures the IPSec secure gateway. When enabling IPSec, you can optionally specify the IPSec secure gateway’s numerical IP address or administrator defined hostname.

• mint mlcp [ip|ipv6|vlan]

mint
    Configures MiNT protocol parameters required for MiNT link creation and adoption
mlcp [ip|ipv6|vlan]
    Configures the MLCP using the IP address or VLAN. MLCP is used to create a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a wireless controller or service platform, it can be another access point with a path to the wireless controller or service platform.
    • vlan – Enables MLCP over layer 2 (VLAN) links
    • ip – Enables MLCP over layer 3 (UDP/IP) links. When enabled, allows adoption over IPv4 address.
    • ipv6 – Enables MLCP over layer 3 (UDP/IPv6) links. When enabled, allows adoption over IPv6 address.

• mint rate-limit level2 [link [ip [<IPv4>|<IPv6>] <1-65535>|vlan <1-4094>]|mlcp [ip|ipv6|vlan]] rate <50-1000000> max-burst-size <2-1024> {red-threshold [background|best-effort|video|voice] <0-100>}

mint
    Configures MiNT protocol parameters required for MiNT link creation and adoption
mint rate-limit level2
    Applies rate limits on extended VLAN traffic
    Excessive traffic can cause performance issues on an extended VLAN. Excessive traffic can be caused by numerous sources including network loops, faulty devices, or malicious software.
    Rate limiting reduces the maximum rate sent or received per wireless client. It prevents any single user from overwhelming the wireless network, and also provides differential service for service providers. Uplink and downlink rate limits are usually configured on a RADIUS server using vendor specific attributes. Rate limits are extracted from the RADIUS server’s response. When such attributes are not present, the settings defined on the controller, service platform or access point are applied. You can set separate QoS rate limit configurations for data types transmitted from the network (upstream) and data transmitted from wireless clients back to associated radios (downstream).
link [ip <IPv4/IPv6> <1-65535>|vlan <1-4094>]
    Configures rate limit parameters applicable for all statically configured MiNT links on level2. Select the link-type as ‘IP’ or ‘VLAN’.
    • ip <IPv4/IPv6> – Configures rate limits for MiNT link traffic over UDP/IP
        • <IPv4/IPv6> – Specify the MiNT peer’s IPv4 or IPv6 address in the A.B.C.D and X:X::X:X formats respectively.
        • <1-65535> – Configures the virtual port used for rate limiting traffic. Specify the UDP port from 1 - 65535.
    • vlan <1-4094> – Configures rate limits for MiNT link traffic on specified VLAN
        • <1-4094> – Specify the VLAN ID from 1 - 4094.
mlcp [ip|ipv6|vlan]
    Configures rate limit parameters applicable for MLCP
    MLCP creates a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a controller or service platform, it can be an access point with a path to the controller or service platform.
    • ip – Configures rate-limits for MLCP over UDP/IPv4 links
    • ipv6 – Configures rate-limits for MLCP over UDP/IPv6 links
    • vlan – Configures rate-limits for MLCP over VLAN links
rate <50-1000000>
    Configures the rate limit from 50 - 1000000 Kbps
    This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic exceeding the defined rate is dropped and a log message is generated. The default setting is 5000 Kbps.
max-burst-size <2-1024>
    Configures the maximum burst size from 0 - 1024 Kbytes
    The smaller the burst size, the lower the probability of the upstream packet transmission resulting in congestion for the WLAN’s client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, add a 10% margin (minimally) to allow for traffic bursts. The default burst size is 320 Kbytes.
red-threshold [background|best-effort|video|voice] <0-100>
    Optional. Configures the random early detection (RED) threshold (as a percentage) for the following traffic types:
    • background – Configures the RED threshold for low priority background traffic. Background packets are dropped and a log message generated if the rate exceeds the set value. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%.
    • best-effort – Configures the RED threshold for low priority best-effort traffic. Best-effort packets are dropped and a log message generated if the rate exceeds the set value. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%.
    • video – Configures the RED threshold for high priority video traffic. Video packets are dropped and a log message generated if the rate exceeds the set value. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 25%.
    • voice – Configures the RED threshold for high priority voice traffic. Voice packets are dropped and a log message generated if the rate exceeds the set value. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 0%.
        • <0-100> – After selecting the traffic type, specify the RED threshold from 0 - 100%.

• mint spf-latency <0-60>

mint
    Configures MiNT protocol parameters required for MiNT link creation and adoption
spf-latency <0-60>
    Specifies the latency of SPF routing recalculation
    This option allows you to set the latency of routing recalculation option (within the Shortest Path First (SPF) field). This option is disabled by default.
    • <0-60> – Specify the latency from 0 - 60 seconds.

• mint tunnel-across-extended-vlan

mint
    Configures MiNT protocol parameters required for MiNT link creation and adoption
tunnel-across-extended-vlan
    Enables tunneling of MiNT protocol packets across an extended VLAN. This setting is disabled by default.

• mint tunnel-controller-load-balancing level1

mint
    Configures MiNT protocol parameters required for MiNT link creation and adoption
tunnel-controller-load-balancing level1
    Enables load balancing of MiNT extended VLAN traffic across tunnels
    • level1 – Enables balancing of load of a tunnel wireless controller or service platform over VLAN links

Example
rfs6000-37FABE(config-profile-default-rfs6000)#mint level 1 area-id 88
rfs6000-37FABE(config-profile-default-rfs6000)#mint link ip 1.2.3.4 level 2
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4 level 2
 mint level 1 area-id 88
 bridge vlan 1
 --More--
rfs7000-37FABE(config-profile-default-rfs6000)#

nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#show context
ap7522 84-24-8D-1B-B9-0C
 use profile default-ap7522
 use rf-domain default
 hostname ap7522-1BB90C
 no staging-config-learnt
nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)
nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#mint inter-tunnel-bridging
nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#show context
ap7522 84-24-8D-1B-B9-0C
 use profile default-ap7522
 use rf-domain default
 hostname ap7522-1BB90C
 no staging-config-learnt
 mint inter-tunnel-bridging
nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#

Related Commands
no
    Disables or reverts settings to their default

7.1.56 misconfiguration-recovery-time

Profile Config Commands

Verifies connectivity after a configuration is received

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
misconfiguration-recovery-time [0|<60-300>]

Parameters
• misconfiguration-recovery-time [0|<60-300>]

<60-300>
    Sets the recovery time from 60 - 300 seconds (default is 180 seconds)
0
    Disables recovery from misconfiguration

Example
rfs6000-37FABE(config-profile-default-rfs6000)#misconfiguration-recovery-time 65
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  .................................................
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 misconfiguration-recovery-time 65
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Reverts to default (180 seconds)
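
An added example (not part of the guide and not Extreme Networks code): a Python check over saved "show context" output that flags three settings described in the mint and misconfiguration-recovery-time sections above: MiNT links configured without IPSec peer authentication (disabled by default), mint inter-tunnel-bridging (the guide says to filter BCMC traffic with ACLs), and misconfiguration-recovery-time 0. The rule names, the sample session, and the assumption that link options are printed on the "mint link" line are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample (not from the guide): a pasted CLI session shaped like the
# "show context" examples above. 192.0.2.10 is a documentation address.
SAMPLE = """\
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4 level 2
 mint link ip 192.0.2.10 level 2 ipsec-security
 mint level 1 area-id 88
 mint inter-tunnel-bridging
 bridge vlan 1
  bridging-mode isolated-tunnel
 misconfiguration-recovery-time 0
 --More--
rfs6000-37FABE(config-profile-default-rfs6000)#
"""

# CLI prompt lines such as "host(config-profile-x)#cmd". The trailing "#" is
# optional because pasted sessions sometimes lose it.
PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#?")

# The syntax summary spells the keyword both ways, so accept either.
IPSEC_KEYWORDS = {"ipsec-security", "ipsec-secure"}

# Rule names and wording are this example's own, not WiNG terminology.
RULES = {
    "MINT_LINK_NO_IPSEC": "MiNT link has no IPSec peer authentication",
    "BCMC_BRIDGING_NEEDS_ACL": "inter-tunnel bridging on: confirm ACLs filter BCMC",
    "RECOVERY_DISABLED": "misconfiguration recovery is disabled (value 0)",
}


@dataclass(frozen=True)
class Finding:
    context: str  # unindented header line, e.g. "profile rfs6000 default-rfs6000"
    rule: str     # key into RULES
    line: str     # the configuration line that triggered the rule


def config_lines(text):
    """Yield (indent, line) for configuration lines, skipping session noise."""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "--More--":
            continue  # blank line or pager marker
        if PROMPT_RE.match(raw):
            continue  # prompt, with or without a typed command
        if set(stripped) == {"."}:
            continue  # row of dots used to elide output
        yield len(raw) - len(raw.lstrip(" ")), stripped


def audit(text):
    """Return findings in the order the offending lines appear."""
    findings = []
    context = "(unknown context)"
    for indent, line in config_lines(text):
        if indent == 0:
            context = line  # start of a profile or device context
            continue
        tokens = line.split()
        if tokens[:2] == ["mint", "link"]:
            # Covers "link ip", "link listen ip", "link vlan", "link force ip".
            if not IPSEC_KEYWORDS & set(tokens):
                findings.append(Finding(context, "MINT_LINK_NO_IPSEC", line))
        elif tokens == ["mint", "inter-tunnel-bridging"]:
            findings.append(Finding(context, "BCMC_BRIDGING_NEEDS_ACL", line))
        elif tokens == ["misconfiguration-recovery-time", "0"]:
            findings.append(Finding(context, "RECOVERY_DISABLED", line))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f.rule}] {f.context}: {f.line} ({RULES[f.rule]})")
```
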

7.1.57 neighbor-inactivity-timeout

Profile Config Commands

Configures neighbor inactivity timeout

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
neighbor-inactivity-timeout <1-1000>

Parameters
• neighbor-inactivity-timeout <1-1000>

<1-1000>
    Sets neighbor inactivity timeout
    • <1-1000> – Specify a value from 1 - 1000 seconds. The default is 30 seconds.

Example
rfs6000-37FABE(config-profile-default)#neighbor-inactivity-timeout 500
rfs6000-37FABE(config-profile-default-rfs7000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 neighbor-inactivity-timeout 500
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 interface me1
 interface ge1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

7.1.58 neighbor-info-interval

Profile Config Commands

Configures the neighbor information exchange interval

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
neighbor-info-interval <1-100>

Parameters
• neighbor-info-interval <1-100>

<1-100>
    Sets interval from 1 - 100 seconds. The default is 10 seconds.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#neighbor-info-interval 6
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 neighbor-info-interval 6
 neighbor-inactivity-timeout 500
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 interface me1
 interface ge1
  ip dhcp trust
  qos trust dscp
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

7.1.59 no

Profile Config Commands

Negates a command or resets values to their default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [adopter-auto-provisioning-policy-lookup|adoption|alias||application-policy|area|arp|auto-learn|autogen-uniqueid|autoinstall|bluetooth-detection|bridge|cdp|cluster|configuration-persistence|controller|critical-resource|crypto|database-backup|device-upgrade|diag|dot1x|dpi|dscp-mapping|eguest-server|email-notification|environmental-sensor|events|export|file-sync|floor|gre|http-analyze|interface|ip|ipv6|lacp|l2tpv3|l3e-lite-table|led|led-timeout|legacy-auto-downgrade|legacy-auto-update|lldp|load-balancing|logging|mac-address-table|mac-auth|management-server|memory-profile|meshpoint-device|meshpoint-monitor-interval|min-misconfiguration-recovery-time|mint|misconfiguration-recovery-time|noc|ntp|otls|offline-duration|power-config|preferred-controller-group|preferred-tunnel-controller|radius|raid|rf-domain-manager|router|spanning-tree|traffic-class-mapping|traffic-shape|trustpoint|tunnel-controller|use|virtual-controller|vrrp|vrrp-state-check|zone|wep-shared-key-auth|service]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or reverts this profile’s settings based on the parameters passed

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
rfs6000-81742D(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface me1
 interface up1
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface ge6
 interface ge7
 interface ge8
 interface wwan1
 interface pppoe1
 use firewall-policy default
 logging on
 service pm sys-restart
 adopter-auto-provisioning-policy-lookup
 router ospf
 router bgp
 adoption start-delay min 10 max 30
rfs6000-81742D(config-profile-default-rfs6000)#
rfs6000-81742D(config-profile-default-rfs6000)#no adopter-auto-provisioning-policy-lookup
rfs6000-81742D(config-profile-default-rfs6000)#no adoption start-delay
rfs6000-81742D(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface me1
 interface up1
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface ge6
 interface ge7
 interface ge8
 interface wwan1
 interface pppoe1
 use firewall-policy default
 logging on
 service pm sys-restart
 router ospf
 router bgp
rfs6000-81742D(config-profile-default-rfs6000)#

7.1.60 noc

Profile Config Commands

Configures Network Operations Center (NOC) statistics update interval. This is the interval at which statistical updates are sent by the RF Domain manager to its adopting controller (the NOC controller).

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
noc update-interval [<5-3600>|auto]

Parameters
• noc update-interval [<5-3600>|auto]

noc update-interval [<5-3600>|auto]
    Configures NOC statistics update interval
    • <5-3600> – Specify the update interval from 5 - 3600 seconds.
    • auto – The NOC statistics update interval is automatically adjusted by the wireless controller or service platform based on load. This option is enabled by default.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#noc update-interval 25
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 ...................................................
 interface pppoe1
 use firewall-policy default
 misconfiguration-recovery-time 65
 noc update-interval 25
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Resets NOC related parameters

7.1.61 nsight

Profile Config Commands

Configures NSight database related parameters. Use this command to configure the data-update periodicity, number of applications posted to the NSight server for a wireless client, and the duration for which data is stored in the NSight database’s buckets. These parameters impact the amount of data stored in the NSight DB and interval at which data is aggregated and expired within the NSight DB. For more information on data aggregation and expiration, see (Data Aggregation and Expiration).

Configure these parameters in the NSight server’s profile configuration mode. These parameters are also configurable on the NSight server’s device configuration mode.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
nsight database [statistics|summary]
nsight database statistics [avc-update-interval|max-apps-per-client|max-http-usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-metadata|update-interval|wireless-clients-update-interval]
nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]
nsight database statistics max-apps-per-client <1-1000>
nsight database statistics [max-http-usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-metadata] <1-1000>
nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>

Parameters
• nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]

nsight database statistics
    Configures NSight database statistics related parameters
avc-update-interval
    Configures the interval, in seconds, at which Application Visibility and Control (AVC) statistics is updated to the NSight database. This interval represents the rate at which AVC-related data is inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see (Data Aggregation and Expiration).
    When configured, RF Domain managers posting AVC-related data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the ‘next update time’ based on the avc-update-interval configured here.
update-interval
    Configures the interval, in seconds, at which data is updated to the NSight server. This interval represents the rate at which data (excluding AVC and wireless-clients related statistics) is inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see (Data Aggregation and Expiration).
PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide  7 - 404• nsight database statistics max-apps-per-client <1-1000>• nsight database statistics [max-http-usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-metadata] <1-1000>contd.. When configured, RF Domain managers posting data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the ‘next update time’ based on the update-interval configured here.Note: Use the ‘avc-update-interval’ and ‘wireless-clients-update-interval’ keywords to configure update interval for AVC-related and wireless-clients related information respectively.wireless-clients-update-intervalConfigures the interval, in seconds, at which wireless-client statistics is updated to the NSIght server. This interval represents the rate at which wireless-clients related statistics is inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see (Data Aggregation and Expiration).When configured, RF Domain managers posting wireless-client related data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the ‘next update time’ based on the wireless-clients-update-interval configured here.[120|30|300|60|600] The following keywords are common to all of the above parameters:• 120 – Sets the data-update periodicity as 120 seconds (2 minutes)• 30 – Sets the data-update periodicity as 30 seconds• 300 – Sets the data-update periodicity as 300 seconds (5 minutes). This is the default setting for the ‘avc-update-interval’ and ‘wireless-clients-update-interval’ parameters.• 60 – Sets the data-update periodicity as 60 seconds (1 minute). 
This is the default setting for the ‘update-interval’ parameter.• 600 – Sets the data-update periodicity as 600 seconds (10 minutes)nsight database statisticsConfigures NSight database statistics related parametersmax-apps-per-client Configures the maximum number of applications per wireless-client to be posted to the NSight server within the configured data-update interval. This information is included in the AVC statistics posted by RF Domain managers to the NSight server.<1-1000> Specify the number of applications posted from 1 - 1000. The default is 10 applications per wireless client.nsight database statisticsConfigures NSight database statistics related parameters[max-http-usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-metadata]Configures the number of HTTP and/or SSL metadata posted within an update interval• max-http-usage-metadata – Configures the NSight database maximum http-metadata by usage (rx+tx) to be posted in an update-interval• max-http-visits-metadata – Configures the NSight database’s maximum http-metadata by the number of visits to be posted within an update-interval• max-ssl-usage-metadata – Configures the NSight database maximum ssl-metadata by usage (rx+tx) to be posted in an update-intervalContd...
PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 405• nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>Usage Guidelines(Data Aggregation and Expiration)Data Aggregation:The NSight functionality, a data analytics tool, analyzes data that is generated periodically by the nodes within the managed wireless LAN. For large WLAN networks, generating significantly large amount of data, storing data forever is neither feasible nor beneficial. Therefore, older statistics are summarized into aggregated (averaged) records. All records, for a fixed time period in past, are summarized into one record by taking an average of them. Although this causes a loss in the data’s granularity, average numbers for any given time period is still available.Statistical data periodically posted by RF Domain managers to the NSight server are stored in buckets (database collections) within the NSight database. There are four buckets in total. These are:• First bucket (termed as the RAW bucket) - B1• Second bucket - B2• Third bucket - B3•Fourth bucket - B4On completion of the data storage duration, records from a bucket are aggregated (at a fixed rate) and inserted into the next bucket. The rate at which records are aggregated into the next bucket becomes the next bucket’s granularity. For example, the B1 records (that have exceeded the data storage duration configured for B1) are aggregated (at the rate specified) and inserted into B2. Similarly, data from B2 are aggregated into B3, and from B3 to B4. The fixed rate of aggregation (or granularity) AND default storage duration for each bucket is as follows:contd... • max-ssl-visits-metadata – Configures the NSight database’s maximum ssl-metadata by the number of visits to be posted within an update-intervalThe following keyword is common to all of the above mentioned metadata options:• <1-1000> – Specify a value from 1 - 1000. 
The default is 10 metadata for each.nsight database summaryConfigures the NSight database’s per-bucket data storage durationduration <1-24> <1-168> <1-2160> <24-26280>Configures the duration for which data is stored on a per-bucket basis• <1-24> – Specify the bucket 1 duration from 1 - 24 hours (i.e. 1 hour to 1 day). The default is 8 hours.• <1-168> – Specify the bucket 2 duration from 1 - 168 hours (i.e. 1 hour to 7 days).The default is 24 hours.• <1-2160> – Specify the bucket 3 duration from 1 - 2160 hours (i.e. 1 hour to 90days). The default is 7 days (168 hours).• <24-26280> – Specify the bucket 4 duration from 24 - 26280 hours (i.e. 1day to 3 years). The default is 365 days (1 year).A bucket is a database collection that holds statistical data for each RF Domain within the network. (Note, only those RF Domain’s that are using an NSight policy with the NSight server host configured will post data to the NSight server. (For more information, see use in the RF Domain configuration mode.) NSight database has four (4) buckets. The data from each bucket is aggregated and pushed to the next bucket once the data storage duration, specified for the bucket, has exceeded. For more information on data aggregation, see (Data Aggregation and Expiration).
• B1: storage duration 8 hours
• B2: granularity 10 minutes / storage duration 24 hours
• B3: granularity 1 hour / storage duration 7 days
• B4: granularity 1 day / storage duration 1 year

Let us consider (with default update-interval settings) the growth of any one of the statistical buckets.
• Since B1’s default data storage duration is 8 hours, B1 will hold a maximum of 960 records per RF Domain after 8 hours (updated at the rate of 30 seconds).
• Since B2’s granularity is 10 minutes, every 10 minutes 20 records from B1 will be aggregated into a single record and inserted into B2.
• Since B2’s default storage duration is 24 hours, it will contain a maximum of 144 records per RF Domain after 24 hours.
• Since B3’s granularity is 1 hour, every hour 6 records from B2 will be aggregated into a single record and inserted into B3.
• Since B3’s default storage duration is 7 days, it will contain a maximum of 168 records per RF Domain after 7 days.
• Since B4’s granularity is 1 day, every day 24 records from B3 will be aggregated into a single record and inserted into B4.
• Since B4’s default storage duration is 365 days, it will contain a maximum of 365 records per RF Domain after 1 year.

Data Expiration:

The expiration of older records (also referred to as purging or deleting of records) occurs along with data aggregation for each bucket.

Let us consider (with default data storage-duration settings) the expiration of data for any one of the statistical buckets.
• As stated earlier, at the end of 8 hours B1 will have 960 records per RF Domain. After a period of 8 hours and 10 minutes, all 960 records are aggregated into 144 records and inserted into B2. To enable B1 to hold exactly 8 hours’ worth of data, 20 of the oldest records (corresponding to the first 10 minutes) are purged from B1 at the end of 8 hours and 10 minutes. This expiration cycle is triggered every 10 minutes.
• At the end of 24 hours B2 will have 144 records per RF Domain. After a period of 24 hours and 10 minutes, the oldest record (corresponding to the first 10 minutes) is purged from B2. This expiration cycle is triggered every 10 minutes to enable B2 to maintain exactly 24 hours’ worth of data.
• At the end of 7 days B3 will have 168 records per RF Domain. After a period of 7 days and one hour, the oldest record (corresponding to the first hour) is purged from B3. This expiration cycle is triggered every 1 hour to enable B3 to maintain exactly 7 days’ worth of data.
• At the end of 365 days B4 will have 365 records per RF Domain. After 365 days, the oldest records (corresponding to the first day) are purged from B4. This expiration cycle is triggered every 1 day to enable B4 to maintain exactly 365 days’ worth of data.
Example

nx9500-6C8809(config-profile-testNX9500)#nsight database statistics avc-update-interval 120
nx9500-6C8809(config-profile-testNX9500)#nsight database statistics update-interval 30
nx9500-6C8809(config-profile-testNX9500)#nsight database statistics wireless-clients-update-interval 600
nx9500-6C8809(config-profile-testNX9500)#nsight database statistics max-apps-per-client 20
nx9500-6C8809(config-profile-testNX9500)#nsight database summary duration 12 30 200 500
nx9500-6C8809(config-profile-testNX9500)#show context include-factory | include nsight
 use nsight-policy nsight-noc
 nsight database statistics update-interval 30
 nsight database statistics wireless-clients-update-interval 600
 nsight database summary duration 12 30 200 500
 nsight database statistics avc-update-interval 120
 nsight database statistics max-apps-per-mu 20
nx9500-6C8809(config-profile-testNX9500)#

Related Commands

no – Reverts the NSight database related parameters configured to default values
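For planning how much telemetry stays available at each granularity, the bucket arithmetic from the Usage Guidelines can be applied to a profile's nsight lines. The following Python sketch is an added example, not part of the guide or of WiNG: the function names are hypothetical, B1's granularity is assumed to equal the configured update-interval, and a partial final record is rounded down.

```python
import re

# Ranges, defaults and fixed granularities as stated in this section of the guide.
ALLOWED_INTERVALS = {30, 60, 120, 300, 600}                      # seconds
DURATION_RANGES = [(1, 24), (1, 168), (1, 2160), (24, 26280)]    # hours, B1..B4
DEFAULT_DURATIONS = (8, 24, 168, 8760)                           # 8 h, 24 h, 7 d, 365 d
DEFAULT_UPDATE_INTERVAL = 60                                     # seconds
FIXED_GRANULARITY = (600, 3600, 86400)                           # B2, B3, B4 in seconds

INTERVAL_RE = re.compile(r"^nsight database statistics update-interval (\d+)$")
DURATION_RE = re.compile(r"^nsight database summary duration (\d+) (\d+) (\d+) (\d+)$")

# The 'show context include-factory | include nsight' output from the example above.
PAGE_EXAMPLE = """\
 use nsight-policy nsight-noc
 nsight database statistics update-interval 30
 nsight database statistics wireless-clients-update-interval 600
 nsight database summary duration 12 30 200 500
 nsight database statistics avc-update-interval 120
 nsight database statistics max-apps-per-mu 20
"""


def parse_nsight_context(text):
    """Return (update_interval_s, (b1_h, b2_h, b3_h, b4_h)), validated against the syntax."""
    interval = DEFAULT_UPDATE_INTERVAL
    durations = DEFAULT_DURATIONS
    for raw in text.splitlines():
        line = raw.strip()
        match = INTERVAL_RE.match(line)
        if match:
            interval = int(match.group(1))
            continue
        match = DURATION_RE.match(line)
        if match:
            durations = tuple(int(g) for g in match.groups())
    if interval not in ALLOWED_INTERVALS:
        raise ValueError(f"update-interval {interval} is not one of {sorted(ALLOWED_INTERVALS)}")
    for number, (hours, (low, high)) in enumerate(zip(durations, DURATION_RANGES), 1):
        if not low <= hours <= high:
            raise ValueError(f"bucket {number} duration {hours} h is outside {low}-{high}")
    return interval, durations


def retention_plan(interval, durations):
    """Per-bucket granularity, storage duration, record ceiling and roll-up factor."""
    granularity = (interval,) + FIXED_GRANULARITY   # assumption: B1 granularity = update-interval
    plan = []
    for index, (gran, hours) in enumerate(zip(granularity, durations)):
        next_gran = granularity[index + 1] if index < 3 else None
        plan.append({
            "bucket": f"B{index + 1}",
            "granularity_s": gran,
            "storage_h": hours,
            # Maximum records held per RF Domain once the bucket is full.
            "max_records": hours * 3600 // gran,
            # How many records of this bucket are averaged into one record of the next.
            "records_per_rollup": next_gran // gran if next_gran else None,
        })
    return plan


if __name__ == "__main__":
    for row in retention_plan(*parse_nsight_context(PAGE_EXAMPLE)):
        print(row)
```

With update-interval 30 and the default durations this reproduces the guide's 960, 144, 168 and 365 records per RF Domain.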
7.1.62 ntp

Profile Config Commands

Configures the Network Time Protocol (NTP) server settings

NTP manages time and/or network clock synchronization within the network. NTP is a client/server implementation. Controllers, service platforms, and access points (NTP clients) periodically synchronize their clock with a master clock (an NTP server). For example, a controller resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ntp server <PEER-IP/HOSTNAME> {autokey|key|maxpoll|minpoll|prefer|version}
ntp server <PEER-IP/HOSTNAME> {autokey}
ntp server <PEER-IP/HOSTNAME> {maxpoll [1024|2048|4096|8192]}
ntp server <PEER-IP/HOSTNAME> {minpoll [1024|128|256|512|64]}
ntp server <PEER-IP> {key <1-65534> md5 [0 <WORD>|2 <WORD>|<WORD>]}
ntp server <PEER-IP/HOSTNAME> {prefer version <1-4>|version <1-4> prefer}

Parameters

• ntp server <PEER-IP/HOSTNAME> {autokey} {prefer version <1-4>|version <1-4>}

ntp server <PEER-IP/HOSTNAME> – Configures NTP server resources that are used to obtain system time
• <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the NTP server’s IP address or hostname.

autokey – Optional. Enables automatic configuration of the authentication key for the specified NTP server. This option is disabled by default. If not enabled, use the ‘key’ option to configure an authentication key for the NTP server.

• ntp server <PEER-IP/HOSTNAME> {maxpoll [1024|2048|4096|8192]}

ntp server <PEER-IP/HOSTNAME> – Configures NTP server resources that are used to obtain system time
• <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the NTP server’s IP address or hostname.

maxpoll [1024|2048|4096|8192] – Optional. Configures the maximum polling interval. Once set, the specified NTP server is polled no later than the defined interval. Select one of the following options:
• 1024 – Configures the maximum polling interval as 1024 seconds. This is the default setting.
• 2048 – Configures the maximum polling interval as 2048 seconds
• 4096 – Configures the maximum polling interval as 4096 seconds
• 8192 – Configures the maximum polling interval as 8192 seconds

• ntp server <PEER-IP/HOSTNAME> {minpoll [1024|128|256|512|64]}

ntp server <PEER-IP/HOSTNAME> – Configures NTP server resources that are used to obtain system time
• <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the NTP server’s IP address or hostname.

minpoll [1024|128|256|512|64] – Optional. Configures the minimum polling interval. Once set, the specified NTP server is polled no sooner than the defined interval. Select one of the following options:
• 1024 – Configures the minimum polling interval as 1024 seconds
• 128 – Configures the minimum polling interval as 128 seconds
• 256 – Configures the minimum polling interval as 256 seconds
• 512 – Configures the minimum polling interval as 512 seconds
• 64 – Configures the minimum polling interval as 64 seconds. This is the default setting.

• ntp server <PEER-IP/HOSTNAME> {key <1-65534> md5 [0 <WORD>|2 <WORD>|<WORD>]}

ntp server <PEER-IP/HOSTNAME> – Configures NTP server resources that are used to obtain system time
• <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the NTP server’s IP address or hostname.

key <1-65534> md5 [0 <WORD>|2 <WORD>|<WORD>] – Optional. Defines the authentication key for the specified NTP server. This option is used to configure the key when ‘autokey’ configuration is not enabled.
• <1-65534> – Specify the peer key number. Should not exceed 64 characters in length.
• md5 – Sets MD5 authentication
• 0 <WORD> – Configures a clear text password
• 2 <WORD> – Configures an encrypted password
• <WORD> – Sets an authentication key

• ntp server <PEER-IP/HOSTNAME> {prefer version <1-4>|version <1-4> prefer}

ntp server <PEER-IP/HOSTNAME> – Configures NTP server resources that are used to obtain system time
• <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the NTP server’s IP address or hostname.

prefer version <1-4> – Optional. Designates the specified NTP server as a preferred NTP resource. This setting is disabled by default.
• version – Optional. Configures the NTP version
• <1-4> – Select the NTP version from 1 - 4. If not specified, the default value of ‘0’ is applied, which implies that the NTP server’s version is ignored.

version <1-4> prefer – Optional. Configures the version number used by the specified NTP server resource
• <1-4> – Select the NTP version from 1 - 4. The default setting is 0. A value of ‘0’ implies that the NTP server’s version is ignored.
• prefer – Optional. Designates the specified NTP server as a preferred NTP resource. This setting is disabled by default. The NTP version number specified using the ‘version <1-4>’ keyword is applied to this preferred NTP resource.
Example

rfs6000-37FABE(config-profile-default-rfs6000)#ntp server 172.16.10.10 version 1 prefer
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 ...............................................
 interface pppoe1
 use firewall-policy default
 ntp server 172.16.10.10 prefer version 1
 misconfiguration-recovery-time 65
 noc update-interval 25
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands

no – Disables or reverts settings to their default
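Because both ‘autokey’ and ‘key’ are optional, a profile such as the one above can carry NTP servers with no authentication at all, and the ‘0 <WORD>’ form leaves the key in clear text in the configuration. The following Python sketch is an added example, not part of the guide or of WiNG: it audits the ntp server lines of a saved context for those two conditions and for key numbers outside 1 - 65534. Function names are hypothetical, and every sample line except the first is constructed from the syntax above (how show context renders key lines is an assumption).

```python
# Constructed sample: only the 172.16.10.10 line comes from the guide's example.
SAMPLE_CONTEXT = """\
profile rfs6000 default-rfs6000
 use firewall-policy default
 ntp server 172.16.10.10 prefer version 1
 ntp server 172.16.10.11 key 10 md5 0 ExampleSecret
 ntp server 172.16.10.12 key 11 md5 2 PLACEHOLDER-ENCRYPTED-VALUE
 ntp server ntp.example.net autokey
 ntp server 172.16.10.13 key 70000 md5 2 PLACEHOLDER-ENCRYPTED-VALUE
 noc update-interval 25
"""

KEY_ID_RANGE = (1, 65534)          # from the syntax: key <1-65534>
NUMERIC_OPTIONS = ("version", "minpoll", "maxpoll")


def parse_ntp_server(line):
    """Parse one 'ntp server ...' line into a dict, or return None for other lines."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[:2] != ["ntp", "server"]:
        return None
    entry = {"peer": tokens[2], "autokey": False, "prefer": False,
             "key_id": None, "key_form": None,
             "version": None, "minpoll": None, "maxpoll": None}
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        if tok == "autokey":
            entry["autokey"] = True
            i += 1
        elif tok == "prefer":
            entry["prefer"] = True
            i += 1
        elif tok in NUMERIC_OPTIONS and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            entry[tok] = int(tokens[i + 1])
            i += 2
        elif (tok == "key" and i + 2 < len(tokens)
              and tokens[i + 1].isdigit() and tokens[i + 2] == "md5"):
            entry["key_id"] = int(tokens[i + 1])
            rest = tokens[i + 3:]
            if len(rest) >= 2 and rest[0] in ("0", "2"):
                # '0 <WORD>' is a clear text password, '2 <WORD>' an encrypted one.
                entry["key_form"] = "clear" if rest[0] == "0" else "encrypted"
                i += 5
            else:
                # Bare '<WORD>' form: the guide does not say how it is stored.
                entry["key_form"] = "unspecified"
                i += 4
        else:
            i += 1   # unknown token: skip it rather than guess its meaning
    return entry


def audit_ntp(context_text):
    """Return (peer, finding) tuples for every ntp server line that needs attention."""
    findings = []
    for raw in context_text.splitlines():
        entry = parse_ntp_server(raw.strip())
        if entry is None:
            continue
        if not entry["autokey"] and entry["key_id"] is None:
            findings.append((entry["peer"], "no-authentication"))
        if entry["key_form"] == "clear":
            findings.append((entry["peer"], "cleartext-key"))
        if entry["key_id"] is not None and not KEY_ID_RANGE[0] <= entry["key_id"] <= KEY_ID_RANGE[1]:
            findings.append((entry["peer"], "key-id-out-of-range"))
    return findings


if __name__ == "__main__":
    for peer, finding in audit_ntp(SAMPLE_CONTEXT):
        print(f"{peer}: {finding}")
```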
7.1.63 otls

Profile Config Commands

Enables support for OmniTrail Location Server (OTLS) beacon identification

OmniTrail (offered by OmniTrail technologies) is a Wi-Fi based locationing protocol used in positioning and tracking location solutions. Access points supporting OTLS beacon identification lock their radios to scan channels for beacons with OTLS tags. Beacons received by the access point are matched for the OTLS signature, and in case of a match, the beacons are forwarded to the OTLS server as UDP payload.

Use this command to configure OTLS server details on the AP and enable OTLS data forwarding. Alternately, OTLS parameters can be configured in the AP’s profile on the controller or service platform, and pushed to adopted access points. When configured, APs establish a connection with the OTLS server and forward OTLS locationing feeds to the server.

Supported in the following platforms:
• Access Points — AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax

otls [apid|control-port|data-port|forward|server-ip]
otls apid <WORD>
otls control-port <0-65535>
otls data-port [2.4GHz|5GHz] <0-65535>
otls forward [2.4GHz|5GHz] [disable|enable]
otls server-ip <OTLS-SERVER-IP>

Parameters

• otls apid <WORD>

otls apid <WORD> – Configures a unique identification for the OTLS-enabled access point. The access point identifier (APID) enables the OTLS server to identify the AP forwarding the OTLS tag.
• <WORD> – Specify an ID for the AP.
To ensure that OTLS-enabled APs have a unique OTLS ID, it is recommended that the APID is configured in the device context of each AP.

• otls control-port <0-65535>

otls control-port <0-65535> – Configures the port used by the AP to establish and maintain connection with the OTLS server
• <0-65535> – Specify the control port from 0 - 65535.

• otls data-port [2.4GHz|5GHz] <0-65535>

otls data-port [2.4GHz|5GHz] <0-65535> – Configures the port used by the AP to forward OTLS beacons to the OTLS server. However, OTLS data forwarding has to be enabled on the APs. Use the otls > forward > [2.4GHz|5GHz] > [disable|enable] command to enable data forwarding.
• 2.4GHz – Configures the port used to forward OTLS beacons received on the 2.4 GHz band
• 5GHz – Configures the port used to forward OTLS beacons received on the 5.0 GHz band
The following keyword is common to the above parameters:
• <0-65535> – Specify a data-forwarding port from 0 - 65535.

• otls forward [2.4GHz|5GHz] [disable|enable]

otls forward [2.4GHz|5GHz] [disable|enable] – Enables or disables OTLS tag forwarding
• 2.4GHz – Enables or disables forwarding of OTLS beacons received on the 2.4 GHz band
• 5GHz – Enables or disables forwarding of OTLS beacons received on the 5.0 GHz band
The following keywords are common to the above parameters:
• disable – Disables OTLS tag forwarding. By default OTLS beacon forwarding is disabled for both 2.4 GHz and 5.0 GHz bands.
• enable – Enables OTLS tag forwarding

• otls server-ip <OTLS-SERVER-IP>

otls server-ip <OTLS-SERVER-IP> – Configures the OTLS server’s IP address
• <OTLS-SERVER-IP> – Specify the OTLS server’s IP address.

Example

ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls apid 112233
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls forward 2.4GHz enable
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls forward 5GHz enable
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls control-port 8890
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls data-port 2.4GHz 8888
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls data-port 5GHz 8889
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls server-ip 192.168.13.10
ap8533-84A224(config-device-84-24-8D-84-A2-24)#show context include-factory | include otls
 otls forward 5GHz enable
 otls forward 2.4GHz enable
 otls server-ip 192.168.13.10
 otls control-port 8890
 otls data-port 2.4GHz 8888
 otls data-port 5GHz 8889
 otls apid 112233
ap8533-84A224(config-device-84-24-8D-84-A2-24)
The following example displays OTLS parameters configured on an AP8533 profile:

nx9500-6C8809(config-profile-testAP8533)#show context include-factory | include otls
 otls forward 5GHz enable
 otls forward 2.4GHz enable
 otls server-ip 192.168.13.10
 otls control-port 8890
 otls data-port 2.4GHz 8888
 otls data-port 5GHz 8889
 otls apid 12345
nx9500-6C8809(config-profile-testAP8533)#

Related Commands

no – Removes the OTLS-related parameters configured on an AP or on an AP’s profile
7.1.64 offline-duration

Profile Config Commands

Sets the duration, in minutes, for which a device remains unadopted before it generates an offline event

This command is also supported on the device configuration mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

offline-duration <5-43200>

Parameters

• offline-duration <5-43200>

offline-duration <5-43200> – Specify a value from 5 - 43200 minutes. The default is 10 minutes.

Example

rfs4000-229D58(config-profile-test)#offline-duration 200
rfs4000-229D58(config-profile-test)#show context
profile rfs4000 test
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 ................................................................
 interface wwan1
 interface pppoe1
 use firewall-policy default
 service pm sys-restart
 router ospf
 offline-duration 200
rfs4000-229D58(config-profile-test)#

Related Commands

no – Resets the offline-duration to default (10 minutes)
7.1.65 power-config

Profile Config Commands

Configures the power option mode. Use this command in the profile configuration mode to configure the transmit output power of access point radios. This command is also available in the device-config mode.

Single radio model access points always operate using a full power configuration. The power management configurations described in this section do not apply to single radio models. When an access point is powered on for the first time, the system determines the power budget available to the access point. If 802.3af is selected, the access point assumes 12.95 watts is available. If the mode is changed, the access point requires a reset to implement the change. If 802.3at is selected, the access point assumes 23 - 26 watts is available.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

power-config [af-option|at-option|mode]
power-config [af-option|at-option] [range|throughput]
power-config mode [auto|3af]

Parameters

• power-config [af-option|at-option] [range|throughput]

NOTE: Single radio model access points (AP6511 and AP6521) always operate using a full power configuration. The power management configurations described in this section do not apply to single radio models.
The access point has to be restarted for power management changes to take effect.

power-config – Configures the power option mode

af-option [range|throughput] – Configures the 802.3af power mode option. The options are:
• range – Configures the af power range mode. This mode provides higher power but fewer transmission (tx) chains.
Select range when range is preferred over performance for broadcast/multicast (group) traffic. The data rates used for range are the lowest defined basic rates.
• throughput – Configures the af power throughput mode. This mode provides lower power but has more tx chains. This is the default setting.
Select throughput to transmit packets at the radio’s highest defined basic rate (based on the radio’s current basic rate settings). This option is optimal in environments where transmission range is secondary to broadcast/multicast transmission performance.

at-option [range|throughput] – Configures the 802.3at power mode option. The options are:
• range – Configures the at power range mode. This mode provides higher power but fewer tx chains.
Select range when range is preferred over performance for broadcast/multicast (group) traffic. The data rates used for range are the lowest defined basic rates.
• throughput – Configures the at power throughput mode. This mode provides lower power but has more tx chains. This is the default setting.
Select throughput to transmit packets at the radio’s highest defined basic rate (based on the radio’s current basic rate settings). This option is optimal in environments where transmission range is secondary to broadcast/multicast transmission performance.

• power-config mode [auto|3af]

power-config – Configures the power option mode

mode [auto|3af] – Configures the AP power mode
• 3af – Forces an AP to power up in the 802.3af power mode
• auto – Sets the detection auto mode (default setting)
The automatic power-config mode enables an access point to automatically determine the best power configuration based on the available power budget.

Example

nx9500-6C8809(config-profile-testAP7161)#power-config mode 3af
nx9500-6C8809(config-profile-testAP7161)#power-config af-option range
nx9500-6C8809(config-profile-testAP7161)#show context
profile ap71xx testAP7161
 no autoinstall configuration
 no autoinstall firmware
 power-config mode 3af
 power-config af-option range
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
--More--
nx9500-6C8809(config-profile-testAP7161)#

Related Commands

no – Reverts the power mode setting on this profile to default
7.1.66 preferred-controller-group

Profile Config Commands

Specifies the controller group preferred for adoption

At adoption, an access point solicits and receives multiple adoption responses from controllers and service platforms available on the network. These adoption responses contain loading policy information the access point uses to select the optimum controller or service platform for adoption. After selecting the controller or service platform, the access point associates with it and optionally obtains an image upgrade and configuration. By default, an auto provisioning policy generally distributes AP adoption evenly amongst available controllers and service platforms. Use this command to specify the controller or service platform preferred for adoption. Once configured, the access point adopts to the specified preferred controller or service platform.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

preferred-controller-group <WORD>

Parameters

• preferred-controller-group <WORD>

<WORD> – Specify the name of the controller (wireless controller or service platform) group preferred for adoption. Devices using this profile are added, on adoption, to the controller group specified here.

Example

rfs6000-37FABE(config-profile-default-rfs6000)#preferred-controller-group testGroup
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 ......................................................
 qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 ntp server 172.16.10.10 prefer version 1
 preferred-controller-group testGroup
 misconfiguration-recovery-time 65
 noc update-interval 25
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands

no – Removes the preferred controller group configuration
7.1.67 preferred-tunnel-controller

Profile Config Commands

Configures the tunnel controller's name preferred for tunneling extended VLAN traffic. Devices using this profile will prefer to route their extended VLAN traffic through the specified tunnel controller (wireless controller or service platform).

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

preferred-tunnel-controller <NAME>

Parameters

• preferred-tunnel-controller <NAME>

preferred-tunnel-controller <NAME> – Configures the preferred tunnel name

Example

rfs6000-37FABE(config-profile-default-rfs6000)#preferred-tunnel-controller testtunnel

Related Commands

no – Removes the preferred tunnel configuration
7.1.68 radius

Profile Config Commands

Configures device level RADIUS authentication parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

radius [nas-identifier|nas-port-id] <WORD>

Parameters

• radius [nas-identifier|nas-port-id] <WORD>

radius – Configures RADIUS authentication parameters

nas-identifier <WORD> – Specifies the RADIUS Network Access Server (NAS) identifier attribute used by this device
• <WORD> – Specifies the NAS identifier

nas-port-id <WORD> – Specifies the RADIUS NAS port ID attribute used by this device
• <WORD> – Specifies the NAS port ID

Example

rfs6000-37FABE(config-profile-default-rfs6000)#radius nas-port-id 1
rfs6000-37FABE(config-profile-default-rfs6000)#radius nas-identifier test
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 radius nas-identifier test
 radius nas-port-id 1
 neighbor-info-interval 6
 neighbor-inactivity-timeout 500
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands

no – Disables or reverts settings to their default
7.1.69 rf-domain-manager
Profile Config Commands

Configures the RF Domain manager election criteria

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rf-domain-manager [capable|priority <1-255>]

Parameters
• rf-domain-manager [capable|priority <1-255>]

rf-domain-manager
    Configures the RF Domain manager election criteria
capable
    Makes devices using this profile eligible for election as the RF Domain manager. The RF Domain manager stores and provisions configuration and firmware images for other members of the RF Domain. It also updates state changes, if any, to RF Domain members. This option is enabled by default.
priority <1-255>
    Assigns a priority value for devices using this profile in the RF Domain manager election process. The higher the number, the higher the device's priority in the RF Domain manager election process.
    • <1-255> – Select a priority value from 1 - 255.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#rf-domain-manager priority 9
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
..............................................
 rf-domain-manager priority 9
 preferred-controller-group testGroup
 misconfiguration-recovery-time 65
 noc update-interval 25
 service pm sys-restart
 preferred-tunnel-controller testtunnel
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Disables or reverts settings to their default
7.1.70 router
Profile Config Commands

Enables dynamic routing (BGP and/or OSPF) and enters the routing protocol configuration mode

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
router [bgp|ospf]

Parameters
• router [bgp|ospf]

NOTE: BGP is supported only on RFS4000, RFS6000, NX75XX, and NX9500 model controllers and service platforms.
The NX9500 and NX9510 service platforms do not support OSPF routing.
The access points only support OSPF routing.

router
    Enables dynamic routing and enters the routing protocol configuration mode
bgp
    Enables BGP dynamic routing and configures relevant settings
    BGP is an inter-ISP routing protocol, which establishes routing between ISPs. ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP uses TCP as its transport protocol, eliminating the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing.
    Routing information exchanged through BGP supports destination based forwarding only. It assumes a router forwards packets based on the destination address carried in the IP header of the packet.
    An AS is a set of routers under the same administration that use Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS.
    For more information on dynamic BGP routing configurations, see BORDER GATEWAY PROTOCOL.
ospf
    Enables OSPF dynamic routing and configures relevant settings. Changes configuration mode to router mode
    OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN.
    OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.
    For more information on dynamic OSPF routing configurations, see ROUTER-MODE COMMANDS.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#router ospf
rfs6000-37FABE(config-profile default-rfs6000-router-ospf)#?
Router OSPF Mode commands:
  area                 OSPF area
  auto-cost            OSPF auto-cost
  default-information  Distribution of default information
  ip                   Internet Protocol (IP)
  network              OSPF network
  no                   Negate a command or set its defaults
  ospf                 Ospf
  passive              Make OSPF Interface as passive
  redistribute         Route types redistributed by OSPF
  route-limit          Limit for number of routes handled OSPF process
  router-id            Router ID

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal

rfs6000-37FABE(config-profile default-rfs6000-router-ospf)#

Related Commands
no
    Disables OSPF settings
7.1.71 spanning-tree
Profile Config Commands

Enables spanning tree commands. Use these commands to configure the errdisable, multiple spanning tree and portfast settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
spanning-tree [errdisable|mst|portfast]
spanning-tree errdisable recovery [cause bpduguard|interval <10-1000000>]
spanning-tree mst [<0-15>|cisco-interoperability|enable|forward-time|hello-time|instance|max-age|max-hops|region|revision]
spanning-tree mst [<0-15> priority <0-61440>|cisco-interoperability [enable|disable]|enable|forward-time <4-30>|hello-time <1-10>|instance <1-15>|max-age <6-40>|max-hops <7-127>|region <LINE>|revision <0-255>]
spanning-tree portfast [bpdufilter|bpduguard] default

Parameters
• spanning-tree errdisable recovery [cause bpduguard|interval <10-1000000>]
• spanning-tree mst [<0-15> priority <0-61440>|cisco-interoperability [enable|disable]|enable|forward-time <4-30>|hello-time <1-10>|instance <1-15>|max-age <6-40>|max-hops <7-127>|region <LINE>|revision <0-255>]

spanning-tree
    Configures spanning-tree related parameters
errdisable
    Disables or shuts down ports where traffic is looping, or ports with traffic in one direction
recovery
    Enables the timeout mechanism for a port to be recovered. This option is disabled by default.
cause bpduguard
    Specifies the reason for errdisable
    • bpduguard – Recovers from errdisable due to bpduguard
interval <10-1000000>
    Specifies the interval after which a port is enabled
    • <10-1000000> – Specify a value from 10 - 1000000 seconds.
      The default is 300 seconds.

spanning-tree
    Configures spanning-tree related parameters
mst
    Configures Multiple Spanning Tree (MST) commands
    The MSTP provides an extension to STP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.
<0-15> priority <0-61440>
    Specifies the number of instances required to configure MST. Select a value from 0 - 15.
    • priority – Sets the bridge priority to the specified value. This value is used to determine the root bridge. Use the no parameter with this command to restore the default bridge priority value.
    • <0-61440> – Sets the bridge priority in increments (Lower priority indicates greater likelihood of becoming root)
cisco-interoperability [enable|disable]
    Enables CISCO interoperability
    Enables interoperability with CISCO’s version of MSTP, which is incompatible with standard MSTP. This setting is disabled by default.
enable
    Enables MST protocol
forward-time <4-30>
    Specifies the forwarding delay time in seconds
    • <4-30> – Specify a value from 4 - 30 seconds. The default is 15 seconds.
hello-time <1-10>
    Specifies the hello BPDU interval in seconds
    • <1-10> – Specify a value from 1 - 10 seconds. The default is 2 seconds.
instance <1-15>
    Defines the instance ID to which the VLAN is associated
    • <1-15> – Specify an instance ID from 1 - 10.
max-age <6-40>
    Defines the maximum time to listen for the root bridge
    • <6-40> – Specify a value from 4 - 60 seconds. The default is 20 seconds.
max-hops <7-127>
    Defines the maximum hops when BPDU is valid
    • <7-127> – Specify a value from 7 - 127. The default is 20.
region <LINE>
    Specifies the MST region
    • <LINE> – Specify the region name.
revision <0-255>
    Sets the MST bridge revision number. This enables the retrieval of configuration information.
    • <0-255> – Specify a value from 0 - 255. The default is 0.

• spanning-tree portfast [bpdufilter|bpduguard] default

spanning-tree
    Configures spanning-tree related parameters
portfast [bpdufilter|bpduguard] default
    Enables PortFast on a bridge
    • bpdufilter default – Sets the BPDU filter for the port. The BPDU filter is disabled by default. The spanning tree protocol sends BPDUs from all ports.
      Enabling the BPDU filter ensures that PortFast enabled ports do not transmit or receive BPDUs.
    • bpduguard default – Guards PortFast ports against BPDU receive. The BPDU guard is disabled by default. Enabling the BPDU guard means this port will shut down on receiving a BPDU.
    • default – Enables the BPDU filter and/or BPDU guard on PortFast enabled ports by default

Usage Guidelines
If a bridge does not hear BPDUs from the root bridge within the specified interval, it assumes the network has changed and recomputes the spanning-tree topology.
Generally, spanning tree configuration settings in the config mode define the configuration for bridge and bridge instances.
MSTP is based on instances. An instance is a group of VLANs with a common spanning tree. A single VLAN cannot be associated with multiple instances.
Wireless Controllers or service platforms with the same instance, VLAN mapping, revision number and region names define a unique region. Wireless Controllers or service platforms in the same region exchange BPDUs with instance record information within.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#spanning-tree errdisable recovery cause bpduguard
rfs6000-37FABE(config-profile-default-rfs6000)#spanning-tree mst 2 priority 4096
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 radius nas-identifier test
 radius nas-port-id 1
 neighbor-info-interval 6
 neighbor-inactivity-timeout 500
 spanning-tree mst 2 priority 4096
 spanning-tree errdisable recovery cause bpduguard
 autoinstall configuration
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Disables or reverts settings to their default
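
The spanning-tree ranges and the errdisable, BPDU filter and BPDU guard descriptions above can be checked offline against saved `show context` text before a profile is pushed. The script below is an added example, not part of the WiNG reference or Extreme Networks tooling; the finding codes and the sample profile are constructed, and where the page's syntax and description disagree (instance, max-age) the syntax range is assumed.

```python
# Added example: offline check of spanning-tree lines in saved profile text.
# Ranges are copied from the Syntax lines on this page. The finding codes and
# SAMPLE_PROFILE are constructed for illustration (assumptions, not WiNG output).

MST_RANGES = {
    "forward-time": (4, 30),
    "hello-time": (1, 10),
    "instance": (1, 15),   # syntax range; the description text says 1 - 10
    "max-age": (6, 40),    # syntax range; the description text says 4 - 60
    "max-hops": (7, 127),
    "revision": (0, 255),
}
MST_INDEX = (0, 15)
MST_PRIORITY = (0, 61440)
RECOVERY_INTERVAL = (10, 1000000)

FINDINGS = {
    "GUARD_WITHOUT_RECOVERY": "BPDU guard default is on but errdisable recovery "
                              "is not, so no timed recovery for ports it shuts down",
    "RECOVERY_WITHOUT_GUARD": "errdisable recovery cause bpduguard is set but "
                              "'portfast bpduguard default' is absent from this text",
    "FILTER_MASKS_GUARD": "BPDU filter stops PortFast ports receiving BPDUs, "
                          "so BPDU guard on those ports has nothing to act on",
}


def _check(name, text, bounds, errors):
    """Append an error unless text is an integer inside bounds."""
    low, high = bounds
    if not text.isdigit() or not low <= int(text) <= high:
        errors.append(f"{name}: {text!r} is outside {low}-{high}")


def audit_spanning_tree(config_text):
    """Return (errors, finding_codes) for the spanning-tree lines found."""
    errors = []
    guard = bpdu_filter = recovery = False

    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] != "spanning-tree":
            continue  # also skips negated "no spanning-tree ..." lines
        args = words[1:]

        if args[:2] == ["portfast", "bpduguard"]:
            guard = True
        elif args[:2] == ["portfast", "bpdufilter"]:
            bpdu_filter = True
        elif args[:4] == ["errdisable", "recovery", "cause", "bpduguard"]:
            recovery = True
        elif args[:3] == ["errdisable", "recovery", "interval"] and len(args) > 3:
            _check("errdisable recovery interval", args[3], RECOVERY_INTERVAL, errors)
        elif args[:1] == ["mst"] and len(args) >= 3:
            key, value = args[1], args[2]
            if key.isdigit():
                # Form: spanning-tree mst <0-15> priority <0-61440>
                _check("mst instance index", key, MST_INDEX, errors)
                if value == "priority" and len(args) > 3:
                    _check("mst priority", args[3], MST_PRIORITY, errors)
            elif key in MST_RANGES:
                _check(f"mst {key}", value, MST_RANGES[key], errors)

    findings = []
    if guard and not recovery:
        findings.append("GUARD_WITHOUT_RECOVERY")
    if recovery and not guard:
        findings.append("RECOVERY_WITHOUT_GUARD")
    if guard and bpdu_filter:
        findings.append("FILTER_MASKS_GUARD")
    return errors, findings


# Constructed sample: two lines from the page's example plus one out-of-range value.
SAMPLE_PROFILE = """\
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
 spanning-tree mst 2 priority 4096
 spanning-tree mst hello-time 12
 spanning-tree errdisable recovery cause bpduguard
 autoinstall configuration
"""

if __name__ == "__main__":
    errs, codes = audit_spanning_tree(SAMPLE_PROFILE)
    for err in errs:
        print("ERROR  ", err)
    for code in codes:
        print("FINDING", code, "-", FINDINGS[code])
```

The check only sees profile-level lines in the text it is given, so a finding about a missing BPDU guard default means it is absent from that text, not that no port is guarded.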
7.1.72 traffic-class-mapping
Profile Config Commands

Maps the IPv6 traffic class value of incoming IPv6 untagged packets to 802.1p priority. This mapping is required to provide priority of service to some packets over others. For example, VoIP packets get higher priority than data packets to provide a better quality of service for high priority voice traffic. Devices use the traffic class field in the IPv6 header to set this priority. This command allows you to assign a priority for different IPv6 traffic types.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
traffic-class-mapping <IPv6-TRAFFIC-CLASS-VALUE> priority <0-7>

Parameters
• traffic-class-mapping <IPv6-TRAFFIC-CLASS-VALUE> priority <0-7>

traffic-class-mapping
    Maps the IPv6 traffic class value of incoming IPv6 untagged packets to 802.1p priority
<IPv6-TRAFFIC-CLASS-VALUE>
    Specify the traffic class value of incoming IPv6 untagged packet(s) (could be a single value or a list. For example, 10-20, 25, 30-35). This is the DSCP 6-bit parameter in the header of every IP packet used for packet classification.
priority <0-7>
    Specify the 802.1p priority to map with the traffic-class value specified in the previous step
    • <0-7> – Specify a value from 0 - 7.
    The 802.1p priority is a 3-bit IP precedence value in the Type of Service field of the IP header used to set the priority. The valid values for this field are 0-7. Up to 64 entries are permitted. The priority values are:
    • 0 – Best Effort
    • 1 – Background
    • 2 – Spare
    • 3 – Excellent Effort
    • 4 – Controlled Load
    • 5 – Video
    • 6 – Voice
    • 7 – Network Control

Example
rfs4000-229D58(config-profile-TestRFS4000)#traffic-class-mapping 25 priority 2
rfs4000-229D58(config-profile-TestRFS4000)#show context
profile rfs4000 TestRFS4000
 traffic-class-mapping 25 priority 2
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
-More-
rfs4000-229D58(config-profile-TestRFS4000)#

Related Commands
no
    Removes mapping between IPv6 traffic class value (of incoming IPv6 untagged packets) and 802.1p priority
7.1.73 traffic-shape
Profile Config Commands

Enables traffic shaping and configures traffic shaping parameters. This command is applicable to both the profile and device configuration modes.

Traffic shaping is a means of regulating data transfers and ensuring a specific level of performance within a network. Traffic shaping does the following:
• Controls flow of packets based on their priority value. Prioritized traffic streams are given priority over less important traffic.
• Controls traffic on an interface to match its flow to the speed of a remote target’s interface and ensure traffic conforms to applied policies
• Shapes traffic to meet downstream requirements and eliminate network congestion when data rates are in conflict.

Use this option to apply traffic shaping to specific applications or application categories. Note, in scenarios where a traffic class is matched against an application, application-category, and ACL rule, the application rule will be applied first, followed by the application-category, and finally the ACL. Further, using traffic shaping, an application takes precedence over an application category.

To enable traffic shaping, configure QoS values on the basis of which priority of service is provided to some packets over others. For example, VoIP packets get higher priority than data packets to provide a better quality of service for high priority voice traffic. For configuring IPv6 traffic class mappings, see traffic-class-mapping.
And for configuring DSCP traffic class mappings, see dscp-mapping.

Supported in the following platforms:
• Access Points — AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530

Syntax
traffic-shape [activation-criteria|app-category|application|class|enable|priority-map|total-bandwidth]
traffic-shape activation-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]
traffic-shape app-category <APP-CATEGORY-NAME> class <1-4>
traffic-shape application <APPLICATION-NAME> class <1-4>
traffic-shape class <1-4> [max-buffers|max-latency|rate]
traffic-shape class <1-4> max-buffers <1-400> {red-level <1-400>|red-percent <1-100>}
traffic-shape class <1-4> max-latency <1-1000000> [msec|usec]
traffic-shape class <1-4> rate [<1-250000> [Kbps|Mbps]|total-bandwidth-percent <1-100>]
traffic-shape priority-map <0-7>
traffic-shape total-bandwidth <1-1000000> [Kbps|Mbps]
traffic-shape enable

Parameters
• traffic-shape activation-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]
• traffic-shape app-category <APP-CATEGORY-NAME> class <1-4>

NOTE: The available range for the ‘rate’ field will vary depending on the unit selected. It is 250 - 250000 for Kbps and 1 - 250 for Mbps.
NOTE: The available range for the ‘total-bandwidth’ field will vary depending on the unit selected. It is 250 - 1000000 for Kbps and 1 - 1000 for Mbps.

traffic-shape activation-criteria
    Configures traffic-shape activation criteria that determines when the device invokes traffic shaping
always
    Always invokes traffic shaping. This is the default setting.
cluster-master
    Invokes traffic shaping when the device is the cluster master. The solitary cluster master (elected using a priority assignment scheme) is a cluster member that provides management configuration and Smart RF data to other members within the cluster. Cluster requests go through the elected master before dissemination to other cluster members.
rf-domain-manager
    Invokes traffic shaping when the device is the RF Domain manager. The RF Domain manager is the elected member capable of storing and provisioning configuration and firmware images for other members of the RF Domain.
vrrp-master <1-255>
    Invokes traffic shaping when the device is the VRRP master.
    As the VRRP master, the device responds to ARP requests, forwards packets with a destination link MAC layer address equal to the virtual router MAC layer address, rejects packets addressed to the IP associated with the virtual router and accepts packets addressed to the IP associated with the virtual router.
    • <1-255> – Specify the VRRP group ID from 1 - 255.

traffic-shape app-category <APP-CATEGORY-NAME> class <1-4>
    Configures an application category to traffic-class mapping. Use this option to apply an application category to traffic-shaper class mapping. Naming and categorizing applications that do not fall into existing groups is an additional means of filtering and potentially limiting network airtime to consumptive non required applications negatively impacting network performance.
    Note: app-category <APP-CATEGORY-NAME> – Specify the application category name. To list the available application categories, press [TAB] after entering app-category. Select the required category from the displayed list.
    • class <1-4> – Map the specified application category to a traffic-shaper class from 1 - 4.
    Before configuring an application category to class mapping, ensure that the specified classes have been configured. Use the ‘class > [max-buffers|max-latency|rate]’ option available with this command to configure a traffic shaper class. For more information, see following parameter tables.

• traffic-shape application <APPLICATION-NAME> class <1-4>

traffic-shape application <APPLICATION-NAME> class <1-4>
    Configures an application to traffic-class mapping. Use this option to apply an application to traffic-shaper class mapping.
    • application <APPLICATION-NAME> – Specify the application name.
    • class <1-4> – Map the specified application to a traffic-shaper class from 1 - 4.
    Note: Before configuring an application to class mapping, ensure that the specified classes have been configured. Use the ‘class > [max-buffers|max-latency|rate]’ option available with this command to configure a traffic shaper class. For more information, see following tables.

• traffic-shape class <1-4> max-buffers <1-400> {red-level <1-400>|red-percent <1-100>}

traffic-shape class <1-4> max-buffers <1-400>
    Configures the queue length limit for different traffic-shaper class
    • class <1-4> – Specify the traffic-shaper class from 1 - 4.
    • max-buffers <1-400> – Configures the maximum queue lengths for packets of different priority queues, after which the queue starts to drop packets.
    • <1-400> – Configure the queue length limit from 1 - 400 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7.
    Note: For access points the upper queue length limit is 400.
red-level <1-400>
    Optional.
    Performs Random Early Drop (RED) when a specified queue length in packets is reached
    • <1-400> – Configure the queue length limit from 1 - 400 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7.
    The RED algorithm is a queuing technique for congestion avoidance. RED monitors the average queue size and drops or marks packets. If the buffer is near empty, all incoming packets are accepted. When the queue grows, the probability for dropping an incoming packet also grows. When the buffer is full, the probability has reached 1 and all incoming packets are dropped.
    Note: For more information on default values, see the Usage Guidelines section in this topic.
red-percent <1-100>
    Optional. Performs RED when a specified value, which is a percentage of the max-buffers configured, is reached
    • <1-100> – Configure the percentage of the max-buffers from 1 - 100 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7.

• traffic-shape class <1-4> max-latency <1-1000000> [msec|usec]
• traffic-shape class <1-4> rate [<1-250000> [Kbps|Mbps]|total-bandwidth-percent <1-100>]
• traffic-shape priority-map <0-7>

traffic-shape class <1-4> max-latency <1-1000000> [msec|usec]
    Configures the max-latency for different traffic-shaper class. Max latency specifies the time limit after which packets start dropping (maximum packet delay in the queue). The maximum number of entries is 8.
    • class <1-4> – Specify the traffic-shaper class from 1 - 4.
    • max-latency <1-1000000> – Configures the max-latency for packets of different priority queues, after which the queue starts to drop packets.
    • <1-1000000> – Configure the max-latency from 1 - 100000 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7.
    • [msec|usec] – Configures the unit for measuring latency as milliseconds (msec) or microseconds (usec). The default setting is msec.
traffic-shape class <1-4> rate
    Configures traffic rate, in either Kbps, Mbps or percentage, for the different traffic shaper class. Specify rates for different traffic shaper class to control the maximum traffic rate sent or received on an interface. Consider this form of rate limiting on interfaces at the edge of a network to limit traffic into or out of the network. Traffic within the set limit is sent and traffic exceeding the set limit is dropped or sent with a different priority.
    • class <1-4> – Specify the traffic-shaper class from 1 - 4.
<1-250000> [Kbps|Mbps]
    Configures the traffic rate, in Kbps, Mbps, for the class specified in the previous step
    • <1-250000> – Specify the rate from 1 - 250000.
    • [Kbps|Mbps] – Configures the unit for measuring bandwidth as Kbps or Mbps. The default setting is Kbps.
    Note: The range varies depending on the unit selected.
    It is 1 - 250 Mbps, or 250 - 250000 Kbps.
total-bandwidth-percent <1-100>
    Configures the traffic rate, as a percentage of the total available bandwidth, for the class specified in the previous first step
    • <1-100> – Specify the traffic rate from 1 - 100% of the total bandwidth.
traffic-shape priority-map <0-7>
    Configures the traffic-shaper queues, within a class, having different priority values (0, 1, 2, 3, 4, 5, 6, and 7). There are 8 queues (0 - 7), and traffic is queued in each based on the incoming packet’s 802.1p 3-bit priority markings.
    • priority-map <0-7> – Specify the priority from 0 - 7 for priority levels 0, 1, 2, 3, 4, 5, 6, and 7.
    The IEEE 802.1p standard sets a 3-bit value in the MAC header to indicate prioritization. This 3-bit value provides priority levels ranging from 0 to 7 (i.e., a total of 8 levels), with level 7 representing the highest priority. This permits packets to cluster and form different traffic classes. In case of network congestion, packets with higher priority receive preferential treatment while low priority packets are kept on hold.

• traffic-shape total-bandwidth <1-1000000> [Kbps|Mbps]
• traffic-shape enable

Usage Guidelines
Following are the default max-buffers set for the traffic shaper classes:
traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 3 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 4 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
Following is the default priority-map settings:
traffic-shape priority-map 2 0 1 3 4 5 6 7

Example
nx9500-6C8809(config-profile-ProfileNX5500)#show context include-factory | include traffic-shape
 traffic-shape priority-map 2 0 1 3 4 5 6 7
 traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape class 3 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape class 4 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape activation-criteria always
 traffic-shape total-bandwidth 10 Mbps
 no traffic-shape enable
nx9500-6C8809(config-profile-ProfileNX5500)#
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape enable
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape class 1 rate 250 Mbps
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape application Bing class 1
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape total-bandwidth 200 Mbps

traffic-shape total-bandwidth <1-1000000> [Kbps|Mbps]
    Configures the total-bandwidth for traffic shaping
    • <1-1000000> – Specify the value from 1 - 1000000 Kbps/Mbps. The default value is 10 Mbps.
    • [Kbps|Mbps] – Configures the unit for measuring bandwidth as Kbps or Mbps.
      The default setting is Mbps.
    Note: The range varies depending on the unit selected. It is 1 - 1000 Mbps, or 250 - 1000000 Kbps.
traffic-shape enable
    Enables traffic shaping using the defined bandwidth, rate and class mappings configured using this command
    Note: Traffic shaping is disabled by default.

nx9500-6C8809(config-profile-ProfileNX5500)#show context include-factory | include traffic-shape
 traffic-shape priority-map 2 0 1 3 4 5 6 7
 traffic-shape class 1 rate 250 Mbps
 traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape class 3 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape class 4 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape activation-criteria always
 traffic-shape application Bing class 1
 traffic-shape total-bandwidth 200 Mbps
 traffic-shape enable
nx9500-6C8809(config-profile-ProfileNX5500)#

Related Commands
no
    Removes traffic shaping configuration or reverts them to the default values
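
The RED description and the default max-buffers and red-level values above can be worked through per priority queue. The script below is an added example, not code from the WiNG reference: it assumes a linear rise in drop probability between red-level and max-buffers, uses the instantaneous queue length instead of RED's averaged queue size, and assumes red-percent takes one value per queue like red-level. With the page's defaults it shows that queues 4 to 7 have red-level equal to max-buffers, so they have no early-drop range before the queue is full.

```python
# Added example: RED behaviour implied by a traffic-shape class line.
# Assumptions (not from the manual): drop probability rises linearly between
# red-level and max-buffers, the instantaneous queue length stands in for the
# averaged queue size RED tracks, and red-percent carries one value per queue.

QUEUES = 8  # priority queues 0-7, one value per queue on the CLI line

# Default class line as printed in the Usage Guidelines on this page.
DEFAULT_CLASS_1 = ("traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 "
                   "red-level 27 27 27 23 25 20 15 10")


def _values(words, start, low, high, label):
    """Read QUEUES integers starting at words[start] and range-check them."""
    vals = [int(w) for w in words[start:start + QUEUES]]
    if len(vals) != QUEUES or any(not low <= v <= high for v in vals):
        raise ValueError(f"{label}: need {QUEUES} values in {low}-{high}")
    return vals


def parse_class_line(line):
    """Return (class_id, max_buffers, red_levels) for one class line."""
    words = line.split()
    if words[:2] != ["traffic-shape", "class"] or "max-buffers" not in words:
        raise ValueError("not a traffic-shape class max-buffers line")
    class_id = int(words[2])
    if not 1 <= class_id <= 4:
        raise ValueError("class must be 1-4")
    buffers = _values(words, words.index("max-buffers") + 1, 1, 400, "max-buffers")
    if "red-level" in words:
        levels = _values(words, words.index("red-level") + 1, 1, 400, "red-level")
    elif "red-percent" in words:
        pct = _values(words, words.index("red-percent") + 1, 1, 100, "red-percent")
        # red-percent is a percentage of the configured max-buffers
        levels = [max(1, b * p // 100) for b, p in zip(buffers, pct)]
    else:
        # Assumption: with no RED option given, only the full-queue drop applies
        levels = list(buffers)
    return class_id, buffers, levels


def drop_probability(queue_len, red_level, max_buffers):
    """Drop probability for an arriving packet under the linear-ramp assumption."""
    if queue_len >= max_buffers:
        return 1.0  # buffer full: every incoming packet is dropped
    if queue_len < red_level:
        return 0.0  # below the RED threshold: every packet is accepted
    return (queue_len - red_level) / (max_buffers - red_level)


def red_windows(max_buffers, red_levels):
    """Queue slots per priority in which early drop can act before the queue is full."""
    return [max(0, b - r) for b, r in zip(max_buffers, red_levels)]


if __name__ == "__main__":
    cls, buffers, levels = parse_class_line(DEFAULT_CLASS_1)
    print(f"class {cls}")
    for prio, (b, r, w) in enumerate(zip(buffers, levels, red_windows(buffers, levels))):
        mid = r + w // 2
        print(f"  queue {prio}: red-level {r:3d} max-buffers {b:3d} window {w} "
              f"p(drop at len {mid}) = {drop_probability(mid, r, b):.2f}")
```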
7.1.74 trustpoint (profile-config-mode)
Profile Config Commands

Configures the trustpoint assigned for validating a CMP auth Operator

A certificate links identity information with a public key enclosed in the certificate.

A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain the CA certificate in its Trusted Root Library so it can trust certificates signed by the CA's private key.

Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.

Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
trustpoint [cmp-auth-operator|https|radius-ca|radius-server] <TRUSTPOINT-NAME>

Parameters
• trustpoint [cmp-auth-operator|https|radius-ca|radius-server] <TRUSTPOINT-NAME>

NOTE: Certificates/trustpoints used in this command should be verifiable as existing on the device.
NOTE: For information on configuring trustpoints on a device, see trustpoint (device-config-mode).

trustpoint
    Assigns an existing trustpoint to validate CMP auth operator, client certificates, and RADIUS server certificate
https
    Assigns an existing trustpoint to validate HTTPS requests
cmp-auth-operator
    Assigns an existing trustpoint to validate CMP auth operator. Once validated, CMP is used to obtain and manage digital certificates in a PKI network. Digital certificates link identity information with a public key enclosed within the certificate, and are issued by the CA.
    Use this command to specify the CMP-assigned trustpoint. When specified, devices send a certificate request to the CMP supported CA server, and download the certificate directly from the CA server. CMP supports multiple request options for a device communicating with a CMP supported CA server. The device can initiate a request for getting the certificates from the server. It can also auto update the certificates which are about to expire.
radius-ca
    Assigns an existing trustpoint to validate client certificates in EAP
radius-server
    Assigns an existing trustpoint to validate RADIUS server certificate
<TRUSTPOINT-NAME>
    The following keyword is common to all of the above parameters:
    • <TRUSTPOINT-NAME> – After selecting the service to validate, specify the trustpoint name (should be existing and stored on the device).

Example
nx9500-6C8809(config-profile-testNX9500)#trustpoint cmp-auth-operator test
nx9500-6C8809(config-profile-testNX9500)#show context
profile nx9000 testNX9500
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
...........................................................
 service pm sys-restart
 router bgp
 trustpoint cmp-auth-operator test
nx9500-6C8809(config-profile-testNX9500)#

Related Commands
no
    Removes trustpoint-related configurations

7.1.75 tunnel-controller

Profile Config Commands

Configures the tunneled WLAN (extended VLAN) wireless controller or service platform’s name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
tunnel-controller <NAME>

Parameters
• tunnel-controller <NAME>

tunnel-controller <NAME>
    Configures the tunneled WLAN (extended VLAN) wireless controller or service platform’s name
    • <NAME> – Specify the name.

Example
rfs7000-37FABE(config-profile-default-rfs7000)#tunnel-controller testgroup

Related Commands
no
    Removes the configured tunneled WLAN (extended VLAN) wireless controller or service platform’s name

7.1.76 use

Profile Config Commands

Associates existing policies with this profile. This command is also applicable to the device configuration mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax Profiles Mode
use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|dhcp-server-policy|dhcpv6-server-policy|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|management-policy|radius-server-policy|role-policy|routing-policy|web-filter-policy] <POLICY-NAME>
use ip/ipv6-access-list <IP/IPv6-ACL-NAME> traffic-shape class <1-4>

Syntax Device Mode
use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|database-policy|dhcp-server-policy|dhcpv6-server-policy|enterprise-ui|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|license|management-policy|nsight-policy|profile|radius-server-policy|rf-domain|role-policy|routing-policy|rtl-server-policy|sensor-policy|web-filter-policy|wips-policy] <POLICY-NAME>

NOTE: The following tables contain the ‘use’ command parameters for the Profile and Device configuration modes.

Parameters Profiles Mode
• use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|dhcp-server-policy|dhcpv6-server-policy|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|management-policy|radius-server-policy|role-policy|routing-policy|web-filter-policy] <POLICY-NAME>

use
    Associates the specified policies with this profile
    The specified policies should be existing and configured.
auto-provisioning-policy <POLICY-NAME>
    Associates an auto provisioning policy
    • <POLICY-NAME> – Specify the auto provisioning policy name.
bonjour-gw-forwarding-policy <POLICY-NAME>
    Uses an existing Bonjour GW Forwarding policy with a profile or device
    • <POLICY-NAME> – Specify the Bonjour GW Forwarding policy name (should be existing and configured).
    For more information on Bonjour GW Forwarding policy, see bonjour-gw-forwarding-policy.
bonjour-gw-query-forwarding-policy <POLICY-NAME>
    Uses an existing Bonjour GW Query Forwarding policy with a profile or device
    • <POLICY-NAME> – Specify the Bonjour GW Query Forwarding policy name (should be existing and configured).
captive-portal server <CAPTIVE-PORTAL>
    Configures access to a specified captive portal with this profile
    • <CAPTIVE-PORTAL> – Specify the captive portal name.
client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
    Associates an existing client identity group with this profile
    • <CLIENT-IDENTITY-GROUP-NAME> – Specify the client identity group name.
    For more information on the ‘client-identity’ and ‘client-identity-group’ commands, see client-identity and client-identity-group.
crypto-cmp-policy <POLICY-NAME>
    Associates an existing crypto certificate management protocol (CMP) policy with this profile
    • <POLICY-NAME> – Specify the CMP policy name.
    For more information on configuring a crypto CMP policy, see CRYPTO-CMP-POLICY.
database-client-policy <POLICY-NAME>
    Associates an existing database client policy with a profile
    • <POLICY-NAME> – Specify the policy name (should be existing and configured).
    For more information on database client policy, see database-client-policy.
    Applicable only to the VX9000 model virtual machine platform.
dhcp-server-policy <DHCP-POLICY>
    Associates a DHCP server policy
    • <DHCP-POLICY> – Specify the DHCP server policy name.
dhcpv6-server-policy <DHCPv6-POLICY>
    Associates a DHCPv6 server policy
    • <DHCPv6-POLICY> – Specify the DHCPv6 server policy name.
event-system-policy <EVENT-SYSTEM-POLICY>
    Associates an event system policy
    • <EVENT-SYSTEM-POLICY> – Specify the event system policy name.
firewall-policy <FW-POLICY>
    Associates a firewall policy
    • <FW-POLICY> – Specify the firewall policy name.
global-association-list server <GLOBAL-ASSOC-LIST-NAME>
    Associates the specified global association list with the controller profile
    • <GLOBAL-ASSOC-LIST-NAME> – Specify the global association list name.
    Once associated, the controller, using this profile, applies this association list to requests received from all adopted APs. For more information on global association list, see global-association-list.
guest-management <GUEST-MANAGEMENT-POLICY-NAME>
    Associates the specified guest management policy with the controller profile
    • <GUEST-MANAGEMENT-POLICY-NAME> – Specify the guest management policy name (should be existing and configured).
ip/ipv6-access-list <IP/IPv6-ACL-NAME> traffic-shape class <1-4>
    Associates an IP and/or IPv6 ACL with this profile and applies it as a firewall for the selected traffic-shape class
    • <IP/IPv6-ACL-NAME> – Specify the IP/IPv6 ACL name (should be existing and configured)
    • traffic-shape class <1-4> – Selects the traffic-shape class to apply the above specified IP/IPv6 ACL
    • <1-4> – Select the traffic-shape class from 1 - 4.
management-policy <MNGT-POLICY>
    Associates a management policy
    • <MNGT-POLICY> – Specify the management policy name.
radius-server-policy <RADIUS-POLICY>
    Associates a device onboard RADIUS policy
    • <RADIUS-POLICY> – Specify the RADIUS policy name.
role-policy <ROLE-POLICY>
    Associates a role policy
    • <ROLE-POLICY> – Specify the role policy name.
routing-policy <ROUTING-POLICY>
    Associates a routing policy
    • <ROUTING-POLICY> – Specify the routing policy name.
web-filter-policy <POLICY-NAME>
    Associates an existing Web Filter policy with a profile or device
    • <POLICY-NAME> – Specify the policy name.

Parameters Device Mode
• use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|database-policy|dhcp-server-policy|dhcpv6-server-policy|enterprise-ui|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|license|management-policy|nsight-policy|profile|radius-server-policy|rf-domain|role-policy|routing-policy|rtl-server-policy|sensor-policy|wips-policy|smart-rf-policy|web-filter-policy] <POLICY-NAME>

use
    Associates the following policies with this device:
auto-provisioning-policy <POLICY-NAME>
    Associates an auto provisioning policy
    • <POLICY-NAME> – Specify the auto provisioning policy name.
bonjour-gw-forwarding-policy <POLICY-NAME>
    Uses an existing Bonjour GW Forwarding policy with a profile or device
    • <POLICY-NAME> – Specify the Bonjour GW Forwarding policy name (should be existing and configured).
    For more information on Bonjour GW Forwarding policy, see bonjour-gw-forwarding-policy.
bonjour-gw-query-forwarding-policy <POLICY-NAME>
    Uses an existing Bonjour GW Query Forwarding policy with a profile or device
    • <POLICY-NAME> – Specify the Bonjour GW Query Forwarding policy name (should be existing and configured).
captive-portal server <CAPTIVE-PORTAL>
    Configures access to a specified captive portal
    • <CAPTIVE-PORTAL> – Specify the captive portal name.
client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
    Associates an existing client identity group with this device
    • <CLIENT-IDENTITY-GROUP-NAME> – Specify the client identity group name.
    For more information on the ‘client-identity’ and ‘client-identity-group’ commands, see client-identity and client-identity-group.
crypto-cmp-policy <POLICY-NAME>
    Associates an existing crypto certificate management protocol (CMP) policy
    • <POLICY-NAME> – Specify the CMP policy name.
    For more information on configuring a crypto CMP policy, see CRYPTO-CMP-POLICY.
database-client-policy <POLICY-NAME>
    Associates an existing database client policy with a device
    • <POLICY-NAME> – Specify the policy name (should be existing and configured).
    For more information on database client policy, see database-client-policy.
    Applicable only to the NX95XX and VX9000 model service platforms.
database-policy <DATABASE-POLICY-NAME>
    Associates an existing database policy with this device
    • <DATABASE-POLICY-NAME> – Specify the database policy name.
    Note: For more information on configuring a database policy, see database-policy.
dhcp-server-policy <DHCP-POLICY>
    Associates a DHCP server policy
    • <DHCP-POLICY> – Specify the DHCP server policy name.
dhcpv6-server-policy <DHCPv6-POLICY>
    Associates a DHCPv6 server policy
    • <DHCPv6-POLICY> – Specify the DHCPv6 server policy name.
enterprise-ui
    Enables application of the site controller’s Enterprise user interface (UI) on all management points (controllers and access points)
    For example, the site controller is NX5500 and an AP7532 is adopted to it. To enable the access point to also use the Enterprise UI:
    On the AP7532’s profile configuration mode execute: use > enterprise-ui
    On adoption and application of this profile, the AP7532 access point resets and reboots using the Enterprise UI. Once using the Enterprise UI, on all subsequent adoptions, the AP does not get reset.
event-system-policy <EVENT-SYSTEM-POLICY>
    Associates an event system policy
    • <EVENT-SYSTEM-POLICY> – Specify the event system policy name.
firewall-policy <FW-POLICY>
    Associates a firewall policy
    • <FW-POLICY> – Specify the firewall policy name.
global-association-list server <GLOBAL-ASSOC-LIST-NAME>
    Associates the specified global association list with the device (controller)
    • <GLOBAL-ASSOC-LIST-NAME> – Specify the global association list name.
    Once associated, the controller applies this association list to requests received from all adopted APs. For more information on global association list, see global-association-list.
guest-management <GUEST-MANAGEMENT-POLICY-NAME>
    Associates the specified guest management policy with this device
    • <GUEST-MANAGEMENT-POLICY-NAME> – Specify the guest management policy name (should be existing and configured).
ip/ipv6-access-list <IP/IPv6-ACL-NAME> traffic-shape class <1-4>
    Associates an IP and/or IPv6 ACL with this device and applies it as a firewall for a selected traffic-shape class
    • <IP/IPv6-ACL-NAME> – Specify the IP/IPv6 ACL name (should be existing and configured)
    • traffic-shape class <1-4> – Selects the traffic-shape class to apply the above specified IP/IPv6 ACL
    • <1-4> – Select the traffic-shape class from 1 - 4.
license <WORD>
    Associates a Web filtering license with this device
    • <WORD> – Provide a 256 character maximum license string for the Web filtering feature. Web filtering is used to restrict access to specific resources on the Internet.
management-policy <MNGT-POLICY>
    Associates a management policy
    • <MNGT-POLICY> – Specify the management policy name.
nsight-policy <NSIGHT-POLICY-NAME>
    Associates a specified NSight policy with this device
    • <NSIGHT-POLICY-NAME> – Specify the NSight policy name (should be existing and configured).
    Note: Use this command to associate an NSight policy to a controller to enable it to function as the NSight server. For more information, see nsight-policy.
profile <PROFILE-NAME>
    Associates a profile with this device
    • <PROFILE-NAME> – Specify the profile name.
radius-server-policy <RADIUS-POLICY>
    Associates a device onboard RADIUS policy
    • <RADIUS-POLICY> – Specify the RADIUS policy name.
rf-domain <RF-DOMAIN-NAME>
    Associates an RF Domain
    • <RF-DOMAIN-NAME> – Specify the RF Domain name.
role-policy <ROLE-POLICY>
    Associates a role policy
    • <ROLE-POLICY> – Specify the role policy name.
routing-policy <ROUTING-POLICY>
    Associates a routing policy
    • <ROUTING-POLICY> – Specify the routing policy name.
rtl-server-policy <POLICY-NAME>
    Associates a Real Time Locationing (RTL) server policy with an access point. When associated, enables the access point to directly send RSSI feeds to the third-party Euclid RTL server
    • <POLICY-NAME> – Specify the RTL server policy name (should be existing and configured).
sensor-policy <POLICY-NAME>
    Associates a sensor policy with an access point or controller. When associated, WiNG controllers and access points function as sensors.
    • <POLICY-NAME> – Specify the sensor policy name (should be existing and configured).
wips-policy <WIPS-POLICY>
    Associates a WIPS policy
    • <WIPS-POLICY> – Specify the WIPS policy name.
web-filter-policy <POLICY-NAME>
    Associates an existing Web Filter policy with a profile or device
    • <POLICY-NAME> – Specify the policy name.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#use event-system-policy TestEventSysPolicy
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
.....................................................
 interface ge3
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface pppoe1
 use event-system-policy TestEventSysPolicy
 use firewall-policy default
 ntp server 172.16.10.10 prefer version 1
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Disassociates a specified policy from this profile

7.1.77 vrrp

Profile Config Commands

Configures VRRP group settings

A default gateway is a critical resource for connectivity. However, it is prone to a single point of failure. Thus, redundancy for the default gateway is required. If WAN backhaul is available, and a router failure occurs, then the controller should act as a router and forward traffic on to its WAN link.

Define an external VRRP configuration when router redundancy is required in a network requiring high availability.

Central to VRRP configuration is the election of a VRRP master. A VRRP master (once elected) performs the following functions:
• Responds to ARP requests
• Forwards packets with a destination link layer MAC address equal to the virtual router’s MAC address
• Rejects packets addressed to the IP address associated with the virtual router, if it is not the IP address owner
• Accepts packets addressed to the IP address associated with the virtual router, if it is the IP address owner or accept mode is true.

The nodes that lose the election process enter a backup state. In the backup state they monitor the master for any failures, and in case of a failure one of the backups, in turn, becomes the master and assumes the management of the designated virtual IPs. A backup does not respond to an ARP request, and discards packets destined for a virtual IP resource.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
vrrp [<1-255>|version]
vrrp <1-255> [delta-priority|description|interface|ip|monitor|preempt|priority|sync-group|timers]
vrrp <1-255> [delta-priority <1-253>|description <LINE>|ip <IP> {<IP>}|preempt {delay <1-65535>}|priority <1-254>|sync-group]
vrrp <1-255> interface vlan <1-4094>
vrrp <1-255> monitor [<IF-NAME>|critical-resource|pppoe1|vlan|wwan1]
vrrp <1-255> monitor [<IF-NAME>|pppoe1|vlan <1-4094>|wwan1] {(<IF-NAME>|critical-resource|pppoe1|vlan|wwan1)}
vrrp <1-255> monitor critical-resource <CRM-NAME1> <CRM-NAME2> <CRM-NAME3> <CRM-NAME4> (action [decrement-priority|increment-priority] {<IF-NAME>|pppoe1|vlan|wwan1})
vrrp <1-255> timers advertise [<1-255>|centiseconds <25-4095>|msec <250-999>]
vrrp version [2|3]

Parameters
• vrrp <1-255> [delta-priority <1-253>|description <LINE>|ip <IP> {<IP>}|preempt {delay <1-65535>}|priority <1-254>|sync-group]

vrrp <1-255>
    Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.
delta-priority <1-253>
    Configures the priority to decrement (local link monitoring and critical resource monitoring) or increment (critical resource monitoring). When the monitored interface is down, the configured priority decrements by a value defined by the delta-priority option. When monitoring critical resources, the value increments by the delta-priority option.
    • <1-253> – Specify the delta priority level from 1 - 253.
description <LINE>
    Configures a text description for the virtual router to further distinguish it from other routers with similar configuration
    • <LINE> – Provide a description (a string from 1 - 64 characters in length)
ip <IP-ADDRESSES>
    Identifies the IP address(es) backed by the virtual router. These are IP addresses of Ethernet switches, routers, and security appliances defined as virtual router resources.
    • <IP-ADDRESSES> – Specify the IP address(es) in the A.B.C.D format.
    This configuration triggers VRRP operation.
preempt {delay <1-65535>}
    Controls whether a high priority backup router preempts a lower priority master. This field determines if a node with higher priority can take over all virtual IPs from a node with lower priority. This feature is disabled by default.
    • delay – Optional. Configures the pre-emption delay timer from 1 - 65535 seconds (default is 0 seconds). This option can be used to delay sending out the master advertisement or, in case of monitored link coming up, adjusting the VRRP priority by priority delta.
priority <1-254>
    Configures the priority level of the router within a VRRP group. This value determines which node is elected as the Master. Higher values imply higher priority, value 254 has the highest precedence (default is 100).
sync-group
    Adds this VRRP group to a synchronized group. To trigger VRRP failover, it is essential all individual groups within a synchronized group have failover. VRRP failover is triggered if an advertisement is not received from the virtual masters that are part of this VRRP sync group. This feature is disabled by default.

• vrrp <1-255> interface vlan <1-4094>

vrrp <1-255>
    Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.
interface vlan <1-4094>
    Enables VRRP on the specified switch VLAN interface (SVI)
    • vlan <1-4094> – Specify the VLAN interface ID from 1 - 4094.

• vrrp <1-255> monitor critical-resource <CRM-NAME1> <CRM-NAME2> <CRM-NAME3> <CRM-NAME4> (action [decrement-priority|increment-priority] {<IF-NAME>|pppoe1|vlan|wwan1})

vrrp <1-255>
    Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.
monitor
    Enables link monitoring or Critical Resource Monitoring (CRM)
critical-resource <CRM-NAME1>
    Specifies the name of the critical resource to monitor. VRRP can be configured to monitor a maximum of four critical resources. Use the <CRM-NAME2>, <CRM-NAME3>, and <CRM-NAME4> to provide names of the remaining three critical resources.
    By default VRRP is configured to monitor all critical resources on the device.
action [decrement-priority|increment-priority]
    Sets the action on critical resource down event. It is a recursive parameter that sets the action for each of the four critical resources being monitored.
    • decrement-priority – Decrements the priority of virtual router on critical resource down event
    • increment-priority – Increments the priority of virtual router on critical resource down event
<IF-NAME>
    Optional. Enables interface monitoring
    • <IF-NAME> – Specify the interface name to monitor
pppoe1
    Optional. Enables Point-to-Point Protocol (PPP) over Ethernet interface monitoring
vlan <1-4094>
    Optional. Enables VLAN (switched virtual interface) interface monitoring
    • <1-4094> – Specify the VLAN interface ID from 1 - 4094.
wwan1
    Optional. Enables Wireless WAN interface monitoring

• vrrp <1-255> timers advertise [<1-255>|centiseconds <25-4095>|msec <250-999>]

vrrp <1-255>
    Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.
timers
    Configures the timer that runs every interval
advertise [<1-255>|centiseconds <25-4095>|msec <250-999>]
    Configures the VRRP advertisements time interval. This is the interval at which a master sends out advertisements on each of its configured VLANs.
    • <1-255> – Configures the timer interval from 1 - 255 seconds (applicable for VRRP version 2 only).
    • centiseconds <25-4095> – Configures the timer interval in centiseconds (1/100th of a second). Specify a value between 25 - 4095 centiseconds (applicable for VRRP version 3 only).
    • msec <250-999> – Configures the timer interval in milliseconds (1/1000th of a second). Specify a value between 250 - 999 msec (applicable for VRRP version 2 only).
    Default is 1 second.

• vrrp version [2|3]

vrrp version [2|3]
    Configures one of the following VRRP versions:
    • 2 – VRRP version 2 (RFC 3768). This is the default setting.
    • 3 – VRRP version 3 (RFC 5798 only IPV4)
    The VRRP version determines the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and support services over virtual IP.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#vrrp version 3
rfs6000-37FABE(config-profile-default-rfs6000)#vrrp 1 sync-group
rfs6000-37FABE(config-profile-default-rfs6000)#vrrp 1 delta-priority 100
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
......................................................
 vrrp 1 timers advertise 1
 vrrp 1 preempt
 vrrp 1 sync-group
 vrrp 1 delta-priority 100
 vrrp version 3
rfs6000-37FABE(config-profile-default-rfs7000)#

Related Commands
no
    Reverts VRRP settings
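
The value ranges and the version-specific timer units in the vrrp parameter tables can be checked mechanically against a show context dump before a profile is pushed to devices. The Python linter below is an added example, not part of the WiNG guide or of any Extreme Networks tooling; the name lint_vrrp, the finding codes and the sample context are constructed for illustration, and the priority/delta check is a heuristic derived only from the ranges stated above.

```python
import re

DEFAULT_PRIORITY = 100  # page: priority "default is 100"
DEFAULT_VERSION = 2     # page: version 2 "is the default setting"

# Advertise timer unit -> (allowed range, VRRP version the page ties it to).
TIMER_UNITS = {
    "seconds": (range(1, 256), 2),
    "centiseconds": (range(25, 4096), 3),
    "msec": (range(250, 1000), 2),
}
# Single-integer options -> allowed range, from the syntax table.
INT_OPTIONS = {"priority": range(1, 255), "delta-priority": range(1, 254)}

VERSION_RE = re.compile(r"^\s*vrrp\s+version\s+([23])\s*$")
GROUP_RE = re.compile(r"^\s*vrrp\s+(\d+)\s+(\S+)\s*(.*)$")

# Constructed sample: group 1 mirrors the page's own example output,
# group 2 (addresses from the documentation range) is invented for the demo.
SAMPLE_CONTEXT = """\
profile rfs6000 default-rfs6000
 bridge vlan 1
 vrrp 1 timers advertise 1
 vrrp 1 preempt
 vrrp 1 sync-group
 vrrp 1 delta-priority 100
 vrrp 2 priority 200
 vrrp 2 ip 192.0.2.1
 vrrp 2 interface vlan 4095
 vrrp 2 timers advertise centiseconds 50
 vrrp version 3
"""


def lint_vrrp(context):
    """Return sorted (vrid, code, message) findings for a show-context dump."""
    version = DEFAULT_VERSION
    groups = {}   # vrid -> options seen for that virtual router
    findings = []

    def check(vrid, name, value, allowed):
        if value not in allowed:
            findings.append((vrid, "range",
                             f"{name} {value} outside {allowed[0]}-{allowed[-1]}"))

    for line in context.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = int(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if not m:
            continue
        vrid, opt, args = int(m.group(1)), m.group(2), m.group(3).split()
        nums = [int(a) for a in args if a.isdigit()]
        opts = groups.setdefault(vrid, {})
        if opt in INT_OPTIONS and nums:
            opts[opt] = nums[0]
            check(vrid, opt, nums[0], INT_OPTIONS[opt])
        elif opt == "timers" and args[:1] == ["advertise"] and nums:
            unit = args[1] if args[1] in TIMER_UNITS else "seconds"
            opts["timer"] = unit
            check(vrid, f"advertise {unit}", nums[0], TIMER_UNITS[unit][0])
        elif opt == "preempt" and args[:1] == ["delay"] and nums:
            check(vrid, "preempt delay", nums[0], range(1, 65536))
        elif opt == "interface" and args[:1] == ["vlan"] and nums:
            check(vrid, "interface vlan", nums[0], range(1, 4095))
        elif opt == "ip":
            opts["ip"] = args
        elif opt == "description" and len(" ".join(args)) > 64:
            findings.append((vrid, "range", "description longer than 64 characters"))

    # Cross-line checks run last because 'vrrp version' may follow the groups.
    for vrid, opts in groups.items():
        check(vrid, "virtual router ID", vrid, range(1, 256))
        if "timer" in opts:
            applies_to = TIMER_UNITS[opts["timer"]][1]
            if applies_to != version:
                findings.append((vrid, "timer-version",
                                 f"advertise timer in {opts['timer']} applies to VRRP "
                                 f"version {applies_to}, profile sets version {version}"))
        delta = opts.get("delta-priority")
        priority = opts.get("priority", DEFAULT_PRIORITY)
        # Heuristic: a decrement must leave a value inside the 1-254 range.
        if delta is not None and priority - delta < 1:
            findings.append((vrid, "delta-exceeds-priority",
                             f"priority {priority} minus delta-priority {delta} "
                             "falls below the 1-254 priority range"))
        if "ip" not in opts:
            findings.append((vrid, "no-virtual-ip",
                             "no 'ip' line; configuring ip is what triggers VRRP operation"))
    return sorted(findings)


if __name__ == "__main__":
    for vrid, code, message in lint_vrrp(SAMPLE_CONTEXT):
        print(f"vrrp {vrid}: [{code}] {message}")
```

Group 1 of the sample reproduces the lines shown in the Example above, so the findings reported for it apply to that output as printed.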

7.1.78 vrrp-state-check

Profile Config Commands

Publishes interface via OSPF or BGP based on Virtual Router Redundancy Protocol (VRRP) status

VRRP allows automatic assignment of available IP routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selections on an IP subnetwork. This option is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
vrrp-state-check

Parameters
None

Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#vrrp-state-check
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
 use profile default-nx9000
 use rf-domain default
.......................................................................
  no weight
  no timers bgp
  ip default-gateway priority 7500
  bgp-route-limit num-routes 10 retry-count 5 retry-timeout 60 reset-time 360
 vrrp-state-check
 controller adopted-devices controllers
 alias string $SN B4C7996C8809
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Related Commands
no
    Disables the publishing of an interface via OSPF/BGP based on VRRP status

7.1.79 virtual-controller

Profile Config Commands

Enables an access point as a virtual-controller (VC) or a dynamic virtual controller (DVC)

When configured without the ‘auto’ option, this command manually enables an AP as a VC. The ‘auto’ option allows dynamic enabling of APs as VCs. When DVC is enabled on an AP’s device or profile context, the AP is dynamically enabled as the VC on being elected as the RF-Domain manager.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
virtual-controller {auto|management-interface}
virtual-controller auto
virtual-controller {management-interface [ip address <IP/M>|vlan <1-4094>]}

Parameters
• virtual-controller auto

NOTE: The DVC feature is supported only on the AP7522, AP7532, AP7562, AP8432, and AP8533 model access points.

virtual-controller auto
    Enables an AP as a virtual-controller
    • auto – Enables AP as a DVC. When enabled, the AP on being elected as the RF Domain manager takes on the role of the virtual controller. In an RF-Domain, DVC can be enabled on multiple access points. However, only the current RF-Domain manager AP has a running instance of the DVC. This option is applicable only if enabling DVC.
    Note: MLCP discovery does not function on APs enabled as VC or DVCs. Do an explicit “mint link vlan X” on the AP’s device/profile context, or “control-vlan X” in the AP’s RF-Domain context, to establish MiNT links between the VC and its adopted APs.

• virtual-controller {management-interface [ip address <IP/M>|vlan <1-4094>]}

virtual-controller {management-interface [ip address <IP/M>|vlan <1-4094>]}
    Enables an AP as a virtual-controller. If enabling DVC, use this option to configure management interface details.
    • management-interface – Configures the management interface for the DVC. Configuring the management interface ensures failover in case the RF Domain manager is unreachable.
    • ip address <IP/M> – Specify the management interface IP address. Due to the random nature of DVC, specifying an explicit management interface IP address makes it easier to manage VCs. In case of fail over, this IP address is installed as the secondary IP address on the new VC.
    • vlan <1-4094> – Optional. Specifies the VLAN from 1 - 4094 on which the management interface IP address is configured.
    Note: For DVC, configuring management-interface ip address is mandatory. However, VLAN configuration is optional. If you configure the ip address without specifying the VLAN, the system configures the specified ip address as secondary ip on VLAN 1.

Example
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller auto
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller management-interface ip address 110.110.110.120/24
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller management-interface vlan 100
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#show context | include virtual-controller
virtual-controller auto
virtual-controller management-interface ip address 110.110.110.120/24
virtual-controller management-interface vlan 100
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#

The following example shows the management interface VLAN IP address being configured as the secondary IP address.

ap8533-9A1529(config-device-74-67-F7-9A-15-29)#show ip interface brief
-------------------------------------------------------------------------------
INTERFACE          IP-ADDRESS/MASK            TYPE        STATUS   PROTOCOL
-------------------------------------------------------------------------------
vlan1              10.1.1.11/24               primary     UP       up
vlan100            110.110.110.110/24         primary     UP       up
vlan100            110.110.110.120/24         secondary   UP       up
-------------------------------------------------------------------------------

7.1.80 wep-shared-key-auth

Profile Config Commands

Enables support for 802.11 WEP shared key authentication

When enabled, devices using this profile use a WEP key to access the network. The controller or service platform uses the key algorithm to convert an ASCII string to the same hexadecimal number. Clients without the recommended adapters need to use WEP keys manually configured as hexadecimal numbers. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wep-shared-key-auth

Parameters
None

Example
rfs6000-37FABE(config-profile-default-rfs6000)#wep-shared-key-auth
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 wep-shared-key-auth
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 interface me1
 interface ge1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge2
  ip dhcp trust
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Disables support for 802.11 WEP shared key authentication
7.1.81 service

Profile Config Commands

Service commands are used to view and manage configurations. The service commands and their corresponding parameters vary from mode to mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
service [captive-portal-server|cluster|critical-resource|fast-switching|enable|global-association-list|lldp|memory|meshpoint|pm|power-config|radius|remote-config|rss-timeout|watchdog|wireless|show]
service captive-portal-server connections-per-ip <3-64>
service cluster master-election immediate
service critical-resource port-mode-source-ip <IP>
service enable [l2tpv3|pppoe|radiusd]
service global-association-list blacklist-interval <1-65535>
service lldp loop-detection
service memory kernel decrease
service meshpoint loop-prevention-port [<L2-INTERFACE-NAME>|ge <1-5>|port-channel <1-2>|up1]
service pm sys-restart
service power-config [3af-out|force-3at]
service radius dynamic-authorization additional-port <1-65535>
service remote-config apply-delay <0-600>
service rss-timeout <0-86400>
service watchdog
service wireless [anqp-frag-always|anqp-frag-size|ap650|client|cred-cache-sync|inter-ap-key|noise-immunity|reconfig-on-tx-stall|test|wispe-controller-port]
service wireless anqp-frag-always
service wireless anqp-frag-size <100-1500>
service wireless ap650 legacy-auto-update-image <FILE>
service wireless client tx-deauth on-radar-detect
service wireless cred-cache-sync [full|interval <30-864000>|never|partial]
service wireless test [max-rate|max-retries|min-rate]
service wireless test [max-rate|min-rate] [1,2,5.5,6,11,12,18,24,36,48,54,mcs0,mcs1,............mcs23]
service wireless inter-ap-key [0 <WORD>|2 <WORD>|<WORD>]
service wireless noise-immunity
service wireless reconfig-on-rx-stall
service wireless test max-retries <0-15>
service wireless wispe-controller-port <1-65535>
service show cli

Parameters
• service captive-portal-server connections-per-ip <3-64>
• service cluster master-election immediate
• service critical-resource port-mode-source-ip <IP>
• service enable [l2tpv3|pppoe|radiusd]
• service global-association-list blacklist-interval <1-65535>
• service lldp loop-detection

captive-portal-server connections-per-ip <3-64>
  Configures the maximum number of simultaneous captive portal connections allowed per IP address
  • <3-64> – Specify the maximum number of connections per IP address from 3 - 64. The default is 3.
  Note: This command is applicable only to the NX9XXX and NX9600 service platform profiles.

cluster master-election immediate
  Initiates and completes cluster master election as soon as just one cluster member comes on and is active. This option is disabled by default.

critical-resource port-mode-source-ip <IP>
  Hard codes a source IP for critical resource management. The default is 0.0.0.0.
  Use this option to define the IP address used as the source address in ARP packets used to detect a critical resource on a layer 2 interface. By default, the source address used in ARP packets to detect critical resources is 0.0.0.0. However, some devices do not support the above IP address and drop the ARP packets. Use this field to provide an IP address specifically used for this purpose. The IP address used for port-mode-source-ip monitoring must be different from the IP address configured on the device.

service enable l2tpv3
  Enables L2TPv3 on this profile
  The L2TPV3 enable/disable option is not supported on AP6522, AP6532, AP6562, AP7161, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, and NX95XX model devices. It is supported only on AP6521.

service enable pppoe
  Enables PPPoE features. When executed on a device, enables PPPoE on the logged device. When executed on a profile, enables PPPoE on all devices using that profile.

service enable radiusd
  Enables RADIUSD features. When executed on a device, enables RADIUSD on the logged device. When executed on a profile, enables RADIUSD on all devices using that profile.

service global-association-list
  Configures global association list related parameters

blacklist-interval <1-65535>
  Configures the period for which a client is blacklisted. A client is considered blacklisted after being denied access by the server.
  • <1-65535> – Specify a value from 1 - 65535 seconds. The default is 60 seconds.

lldp loop-detection
  Enables network loop detection via LLDP. This option is disabled by default.
• service memory kernel decrease
• service meshpoint loop-prevention-port [<L2-INTERFACE-NAME>|ge <1-4>|port-channel <1-2>]
• service pm sys-restart
• service power-config [3af-out|force-3at]
• service radius dynamic-authorization additional-port <1-65535>
• service remote-config apply-delay <0-600>
• service rss-timeout <0-86400>

service memory kernel decrease
  Enables reduction in kernel memory usage. When enabled, firewall flows are reduced by 75% resulting in reduced kernel memory usage. A reboot is required for the option to take effect. This option is disabled by default.

meshpoint loop-prevention-port
  Limits meshpoint loop prevention to a single port

<L2-INTERFACE-NAME>
  Limits meshpoint loop prevention on a specified Ethernet interface
  • <L2-INTERFACE-NAME> – Specify the layer 2 Ethernet interface name.

ge <1-4>
  Limits meshpoint loop prevention on a specified GigabitEthernet interface
  • ge <1-4> – Specify the GigabitEthernet interface index from 1 - 4.

port-channel <1-2>
  Limits meshpoint loop prevention on a specified port-channel interface
  • port-channel <1-2> – Specify the port-channel interface index from 1 - 2.

pm sys-restart
  Enables the process monitor (PM) to restart the system when a process fails. This option is enabled by default.

power-config 3af-out
  Enables LLDP power negotiation, but uses 3af power. This option is disabled by default.

power-config force-3at
  Disables LLDP negotiation and forces 802.3at power configuration. This option is disabled by default.

radius dynamic-authorization additional-port <1-65535>
  Configures an additional UDP port used by the device to listen for dynamic authorization messages
  • <1-65535> – Specify a value from 1 - 65535. The default is 3799.
  The Cisco Identity Services Engine (ISE) server uses port 1700.

remote-config apply-delay <0-600>
  Delays configuration of a remote device (after it becomes active) by the specified time period
  • <0-600> – Specify a value from 0 - 600 seconds. The default is 0 seconds.

rss-timeout <0-86400>
  Configures the duration, in seconds, for which an adopted access point will continue to provide wireless functions even after losing controller adoption.
  • <0-86400> – Specify a value from 0 - 86400 seconds. The default is 300 seconds.
• service watchdog
• service wireless anqp-frag-always
• service wireless anqp-frag-size <100-1500>
• service wireless client tx-deauth on-radar-detection
• service wireless cred-cache-sync [full|interval <30-864000>|never|partial]
• service wireless inter-ap-key [0 <WORD>|2 <WORD>|<WORD>]
• service wireless noise-immunity
• service wireless reconfig-on-rx-stall

watchdog
  Enables the watchdog. This feature is enabled by default.
  Enabling the watchdog option implements heartbeat messages to ensure other associated devices are up and running and capable of effectively inter-operating with the controller.

wireless anqp-frag-always
  Enables fragmentation of all ANQP packets. This option is disabled by default.

wireless anqp-frag-size <100-1500>
  Configures the ANQP packet fragment size
  • <100-1500> – Specify a value from 100 - 1500. The default is 1200.

wireless client
  Configures wireless client and stations related settings

tx-deauth on-radar-detection
  Enables access points to transmit deauth to clients when changing channels on radar detection. This option is enabled by default.

wireless cred-cache-sync
  Configures the credential cache’s synchronization parameters. The parameters are: full, interval, never, and partial.

full
  Enables synchronization of all credential cache entries

interval <30-864000>
  Sets the interval, in seconds, at which the credential cache is synchronized
  • <30-864000> – Specify a value from 30 - 864000 seconds. The default is 1200 seconds.

never
  Disables credential cache entry synchronization for all associated clients other than roaming clients. This is the default setting.

partial
  Enables partial synchronization of parameters for associated clients, with credential cache close to aging out

wireless inter-ap-key
  Configure encryption key used for securing inter-ap messages. This option is disabled by default.

[0 <WORD>|2 <WORD>|<WORD>]
  Specify a clear text or encrypted key.

wireless noise-immunity
  Polls for status and reconfigures radio in case of receive stall. This option is enabled by default.

wireless reconfig-on-rx-stall
  Enables noise immunity on the radio
• service wireless test [max-rate|min-rate] [1,2,5.5,6,11,12,18,24,36,48,54,mcs0,mcs1,............mcs23]
• service wireless test max-retries <0-15>
• service wireless wispe-controller-port <1-65535>
• service show cli

wireless test
  Configures the serviceability parameters used for testing

[max-rate|min-rate]
  Configures the maximum and minimum data rates for clients using rate-scaling. The ‘max-rate’ and ‘min-rate’ options are disabled by default.

[1,2,5.5,....mcs23]
  Select the maximum and minimum data rates applicable.

wireless test
  Configures the serviceability parameters used for testing

max-retries <0-15>
  Configures the maximum number of retries per packet from 0 - 15. The default is 0.

wispe-controller-port <1-65535>
  Resets the Wireless Switch Protocol Enhanced (WISPe) controller port. This is the UDP port used to listen for WISPe.
  • <1-65535> – Specify a value from 1 - 65535. The default is 24756.

show cli
  Displays running system configuration details
  • cli – Displays the CLI tree of the current mode

Example
rfs6000-37FABE(config-profile-testrfs6000)#service radius dynamic-authorization additional-port 1700
rfs6000-37FABE(config-profile-testrfs6000)#show context
profile rfs6000 testrfs6000
 service radius dynamic-authorization additional-port 1700
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
--More--
rfs6000-37FABE(config-profile-testrfs6000)#

Related Commands
no
  Removes or resets service command parameters
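Added example, not part of the Extreme Networks manual: a small Python check that reads a saved "show context" listing and reports wep-shared-key-auth (7.1.80) and service settings (7.1.81) that were switched on, moved off their documented default, or fall outside the documented range. The names SERVICE_RANGES, OFF_BY_DEFAULT and audit_context and the sample listing are constructed for illustration; the check assumes one setting per line, as in the Example output above.

```python
import re

# (min, max, default) for numeric `service` parameters, transcribed from the
# parameter descriptions in section 7.1.81.
SERVICE_RANGES = {
    "captive-portal-server connections-per-ip": (3, 64, 3),
    "global-association-list blacklist-interval": (1, 65535, 60),
    "radius dynamic-authorization additional-port": (1, 65535, 3799),
    "remote-config apply-delay": (0, 600, 0),
    "rss-timeout": (0, 86400, 300),
    "wireless anqp-frag-size": (100, 1500, 1200),
    "wireless cred-cache-sync interval": (30, 864000, 1200),
    "wireless test max-retries": (0, 15, 0),
    "wireless wispe-controller-port": (1, 65535, 24756),
}

# Settings the reference documents as disabled by default. Seeing one of these
# lines in a profile means it was deliberately switched on.
OFF_BY_DEFAULT = {
    "wep-shared-key-auth": "802.11 WEP shared key authentication is enabled",
    "service cluster master-election immediate": "immediate cluster master election is enabled",
    "service lldp loop-detection": "LLDP loop detection is enabled",
    "service memory kernel decrease": "firewall flows are reduced by 75% to save kernel memory",
    "service power-config 3af-out": "LLDP power negotiation uses 3af power",
    "service power-config force-3at": "LLDP negotiation is disabled and 802.3at power is forced",
    "service wireless anqp-frag-always": "all ANQP packets are fragmented",
}

# Constructed sample input, modelled on the Example output in 7.1.80 and 7.1.81.
# The rss-timeout value is deliberately outside the documented range.
SAMPLE_CONTEXT = """\
profile rfs6000 testrfs6000
 wep-shared-key-auth
 service radius dynamic-authorization additional-port 1700
 service rss-timeout 90000
 service memory kernel decrease
 service wireless anqp-frag-size 1200
 no autoinstall configuration
 crypto ikev1 remote-vpn
"""


def audit_context(text):
    """Return a list of (line_number, kind, message) findings.

    kind is "non-default" for a setting that differs from the documented
    default and "out-of-range" for a value outside the documented range.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())          # drop indentation, collapse spaces
        if not line or line.startswith("no "):
            continue                          # negated settings are not audited
        if line in OFF_BY_DEFAULT:
            findings.append((lineno, "non-default", OFF_BY_DEFAULT[line]))
            continue
        match = re.fullmatch(r"service (.+?) (\d+)", line)
        if not match or match.group(1) not in SERVICE_RANGES:
            continue                          # not a numeric service parameter
        name, value = match.group(1), int(match.group(2))
        low, high, default = SERVICE_RANGES[name]
        if not low <= value <= high:
            findings.append((lineno, "out-of-range",
                             f"service {name} {value}: documented range is {low}-{high}"))
        elif value != default:
            findings.append((lineno, "non-default",
                             f"service {name} {value}: documented default is {default}"))
    return findings


if __name__ == "__main__":
    for lineno, kind, message in audit_context(SAMPLE_CONTEXT):
        print(f"line {lineno}: [{kind}] {message}")
```
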
7.1.82 zone

Profile Config Commands

Configures the zone for devices using this profile. The zone can also be configured on the device’s self context.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
zone <NAME>

Parameters
• zone <NAME>

zone <NAME>
  Configures the device’s zone/area
  • <NAME> – Specify the zone/area name.

Example
nx9500-6C8809(config-profile-testNX9000)#zone Ecospace
nx9500-6C8809(config-profile-testNX9000)#show context include-factory | include zone
 zone Ecospace
nx9500-6C8809(config-profile-testNX9000)#

Related Commands
no
  Removes the zone configured on this profile or device
7.2 Device Config Commands

Use the (config) instance to configure device specific parameters

To navigate to this instance, use the following commands:

<DEVICE>(config)#<DEVICE-TYPE> <MAC>
<DEVICE>(config-device-<MAC>)#?
Device Mode commands:
  adopter-auto-provisioning-policy-lookup  Use centralized auto-provisioning policy when adopted by another controller
  adoption                                 Adoption configuration
  adoption-mode                            Configure the adoption mode for the access-points in this RF-Domain
  adoption-site                            Set system's adoption site
  alias                                    Alias
  application-policy                       Application Policy configuration
  area                                     Set name of area where the system is located?
  arp                                      Address Resolution Protocol (ARP)
  auto-learn                               Auto learning
  autogen-uniqueid                         Autogenerate a unique id
  autoinstall                              Autoinstall settings
  bridge                                   Ethernet bridge
  captive-portal                           Captive portal
  cdp                                      Cisco Discovery Protocol
  channel-list                             Configure channel list to be advertised to wireless clients
  cluster                                  Cluster configuration
  configuration-persistence                Enable persistence of configuration across reloads (startup config file)
  contact                                  Configure the contact
  controller                               WLAN controller configuration
  country-code                             Configure the country of operation
  critical-resource                        Critical Resource
  crypto                                   Encryption related commands
  database                                 Database command
  device-upgrade                           Device firmware upgrade
  device-onboard                           Device-onboarding configuration
  dot1x                                    802.1X
  dpi                                      Enable Deep-Packet-Inspection (Application Assurance)
  dscp-mapping                             Configure IP DSCP to 802.1p priority mapping for untagged frames
  eguest-server                            Enable EGuest Server functionality
  email-notification                       Email notification configuration
  enforce-version                          Check the firmware versions of devices before interoperating
  environmental-sensor                     Environmental Sensors Configuration
  events                                   System event messages
  export                                   Export a file
  file-sync                                File sync between controller and adoptees
  floor                                    Set the floor within a area where the system is located
  geo-coordinates                          Configure geo coordinates for this device
  gre                                      GRE protocol
  hostname                                 Set system's network name
  http-analyze                             Specify HTTP-Analysis configuration
  interface                                Select an interface to configure
  ip                                       Internet Protocol (IP)
  ipv6                                     Internet Protocol version 6 (IPv6)
  l2tpv3                                   L2tpv3 protocol
  l3e-lite-table                           L3e lite Table
  lacp                                     LACP commands
  layout-coordinates                       Configure layout coordinates for this device
  led                                      Turn LEDs on/off on the device
  led-timeout                              Configure the time for the led to turn off after the last radio state change
  legacy-auto-downgrade                    Enable device firmware to auto downgrade when other legacy devices are detected
  legacy-auto-update                       Auto upgrade of legacy devices
  license                                  License management command
  lldp                                     Link Layer Discovery Protocol
  load-balancing                           Configure load balancing parameter
  location                                 Configure the location
  logging                                  Modify message logging facilities
  mac-address-table                        MAC Address Table
  mac-auth                                 802.1X
  mac-name                                 Configure MAC address to name mappingss
  management-server                        Configure management server address
  memory-profile                           Memory profile to be used on the device
  meshpoint-device                         Configure meshpoint device parameters
  meshpoint-monitor-interval               Configure meshpoint monitoring interval
  min-misconfiguration-recovery-time       Check controller connectivity after configuration is received
  mint                                     MiNT protocol
  mirror                                   Mirroring
  misconfiguration-recovery-time           Check controller connectivity after configuration is received
  mpact-server                             MPACT server configuration
  neighbor-inactivity-timeout              Configure neighbor inactivity timeout
  neighbor-info-interval                   Configure neighbor information exchange interval
  no                                       Negate a command or set its defaults
  noc                                      Configure the noc related setting
  nsight                                   NSight
  nsight-sensor                            Enable sensor for Nsight
  ntp                                      Ntp server A.B.C.D
  offline-duration                         Set duration for which a device remains unadopted before it generates offline event
  otls                                     Omnitrail Location Server
  override-wlan                            Configure RF Domain level overrides for wlan
  power-config                             Configure power mode
  preferred-controller-group               Controller group this system will prefer for adoption
  preferred-tunnel-controller              Tunnel Controller Name this system will prefer for tunneling extended vlan traffic
  radius                                   Configure device-level radius authentication parameters
  raid                                     RAID
  remove-override                          Remove configuration item override from the device (so profile value takes effect)
  rf-domain-manager                        RF Domain Manager
  router                                   Dynamic routing
  rsa-key                                  Assign a RSA key to a service
  sensor-server                            AirDefense sensor server configuration
  slot                                     PCI expansion Slot
  spanning-tree                            Spanning tree
  timezone                                 Configure the timezone
  traffic-class-mapping                    Configure IPv6 traffic class to 802.1p priority mapping for untagged frames
  traffic-shape                            Traffic shaping
  trustpoint                               Assign a trustpoint to a service
  tunnel-controller                        Tunnel Controller group this controller belongs to
  use                                      Set setting to use
  vrrp                                     VRRP configuration
  vrrp-state-check                         Publish interface via OSPF/BGP only if the interface VRRP state is not BACKUP
  wep-shared-key-auth                      Enable support for 802.11 WEP shared key authentication
  zone                                     Configure Zone name

  clrscr                                   Clears the display screen
  commit                                   Commit all changes made in this session
  do                                       Run commands from Exec mode
  end                                      End current mode and change to EXEC mode
  exit                                     End current mode and down to previous mode
  help                                     Description of the interactive help system
  revert                                   Revert changes
  service                                  Service Commands
  show                                     Show running system information
  write                                    Write running configuration to memory or terminal

<DEVICE>(config-device-<MAC>)#

The following table summarizes device configuration mode commands:

Command | Description | Reference
adopter-auto-provisioning-policy-lookup | Enables the use of a centralized auto provisioning policy on this device | page 7-11
adoption | Configures a minimum and maximum delay time in the initiation of the device adoption process | page 7-13
adoption-site | Sets the device’s adoption site name | page 7-464
alias | Configures network, VLAN, and service aliases on a device | page 7-15
application-policy | Associates a RADIUS server provided application policy with this device. When associated, the application policy allows wireless clients (MUs) to always find the RADIUS-supplied application policy in the dataplane. | page 7-22
area | Sets the name of area where the system is deployed | page 7-465
arp | Configures ARP parameters | page 7-25
auto-learn | Enables controllers or service platforms to maintain a local configuration record of devices requesting adoption and provisioning. The command also enables learning of a device’s host name via DHCP options. | page 7-27
autogen-uniqueid | When executed in the device configuration mode, this command generates a unique ID for the logged device | page 7-28
autoinstall | Autoinstalls firmware image and configuration setup parameters | page 7-30
bridge | Configures Ethernet Bridging parameters | page 7-31
captive-portal | Configures captive portal advanced Web page upload on this profile | page 7-62
cdp | Operates CDP on the device | page 7-63
channel-list | Configures channel list advertised to wireless clients | page 7-466
cluster | Sets cluster configuration | page 7-64
configuration-persistence | Enables configuration persistence across reloads | page 7-67
contact | Sets contact information | page 7-467
controller | Configures a WLAN’s wireless controller or service platform | page 7-68
country-code | Configures wireless controller or service platform’s country code | page 7-468
critical-resource | Monitors user configured IP addresses and logs their status | page 7-72
crypto | Configures data encryption protocols and settings | page 7-80
database | Backs up captive-portal and/or NSight database to a specified location and file and configures a low-disk-space threshold value | page 7-143
device-upgrade | Configures device firmware upgrade settings on this device | page 7-145
diag | Enables looped packet logging | page 7-147
dot1x | Configures 802.1x standard authentication controls | page 7-148
dpi | Enables Deep Packet Inspection (DPI) on this device | page 7-150
dscp-mapping | Configures IP Differentiated Services Code Point (DSCP) to 802.1p priority mapping for untagged frames | page 7-153
eguest-server (VX9000 only) | Enables the EGuest daemon when executed without the ‘host’ option | page 7-154
eguest-server (NOC Only) | Points to the EGuest server, when executed along with the ‘host’ option | page 7-155
email-notification | Configures e-mail notification settings | page 7-156
enforce-version | Checks the device firmware version before attempting connection | page 7-158
environmental-sensor | Configures the environmental sensor device settings. If the device is an environmental sensor, use this command to configure its settings. | page 7-159
events | Enables system event message generation and forwarding | page 7-161
export | Enables export of startup.log file after every boot | page 7-162
file-sync | Configures parameters enabling syncing of trustpoint/wireless-bridge certificate between the staging-controller and its adopted access points | page 7-163
floor | Sets the floor name where the system is located | page 7-164
geo-coordinates | Configures the geographic coordinates for this device | page 7-470
gre | Enables GRE tunneling on this device | page 7-166
hostname | Sets a system's network name | page 7-471
http-analyze | Enables HTTP analysis on this device | page 7-177
interface | Selects an interface to configure | page 7-180
ip | Configures IPv4 components | page 7-348
ipv6 | Configures IPv6 components | page 7-358
l2tpv3 | Defines the Layer 2 Tunnel Protocol (L2TP) protocol for tunneling Layer 2 payloads using Virtual Private Networks (VPNs) | page 7-362
l3e-lite-table | Configures L3e Lite Table with this profile | page 7-364
lacp | Configures an LACP-enabled peer’s system-priority value. LACP uses this system-priority value along with the peer’s MAC address to form the peer’s system ID. | page 7-472
layout-coordinates | Configures layout coordinates | page 7-473
led | Turns LEDs on or off | page 7-365
led-timeout | Configures the LED-timeout timer in the device or profile configuration mode | page 7-366
legacy-auto-downgrade | Enables legacy device firmware to auto downgrade | page 7-368
legacy-auto-update | Auto updates AP7161 legacy device firmware | page 7-369
license | Adds device feature licenses | page 7-474
lldp | Configures Link Layer Discovery Protocol (LLDP) settings for this device | page 7-370
load-balancing | Configures load balancing parameters. | page 7-372
location | Configures the system’s location (place of deployment) | page 7-477
logging | Enables message logging | page 7-377
mac-address-table | Configures the MAC address table | page 7-379
mac-auth | Enables 802.1x authentication of hosts on this device | page 7-381
mac-name | Configures MAC address to device name mappings | page 7-478
management-server | Configures a management server with this profile | page 7-384
memory-profile | Configures memory profile used on the device | page 7-385
meshpoint-device | Configures meshpoint device parameters | page 7-386
meshpoint-monitor-interval | Configures meshpoint monitoring interval | page 7-388
min-misconfiguration-recovery-time | Configures the minimum device connectivity verification time | page 7-389
mint | Configures MiNT protocol settings | page 7-390
misconfiguration-recovery-time | Verifies device connectivity after a configuration is received | page 7-397
neighbor-inactivity-timeout | Configures neighbor inactivity timeout value | page 7-398
neighbor-info-interval | Configures the neighbor information exchange interval | page 7-399
no | Negates a command or resets values to their default settings | page 7-479
noc | Configures NOC settings | page 7-402
nsight | Configures NSight database statistics related parameters. Use this command to set the interval at which data is updated by the RF Domain managers to the NSight server. This command is applicable only on the NX95XX series and NX9600 service platforms and is configured on the NSight server. | page 7-480
ntp | Configures NTP server settings | page 7-408
offline-duration | Sets the duration, in minutes, for which a device remains unadopted before it generates offline event | page 7-414
override-wlan | Configures WLAN RF Domain level overrides on the logged device | page 7-484
power-config | Configures power mode features | page 7-415
preferred-controller-group | Specifies the wireless controller or service platform group the system prefers for adoption | page 7-417
preferred-tunnel-controller | Configures the tunnel wireless controller or service platform preferred by the system for tunneling extended VLAN traffic | page 7-418
radius | Configures device-level RADIUS authentication parameters | page 7-419
remove-override | Removes device overrides | page 7-486
rf-domain-manager | Enables the RF Domain manager | page 7-420
router | Configures dynamic router protocol settings. | page 7-421
rsa-key | Assigns a RSA key to SSH | page 7-488
sensor-server | Configures an AirDefense sensor server | page 7-489
spanning-tree | Enables spanning tree commands on the logged device | page 7-423
traffic-class-mapping | Maps the IPv6 traffic class value of incoming IPv6 untagged packets to 802.1p priority | page 7-426
traffic-shape | Enables traffic shaping and configures traffic shaping parameters on this device | page 7-428
trustpoint (device-config-mode) | Assigns trustpoints to validate various services, such as HTTPS, RADIUS CA, RADIUS server, external LDAP server, etc. | page 7-491
timezone | Configures wireless controller or service platform’s time zone settings | page 7-490
tunnel-controller | Configures the tunneled WLAN (extended VLAN) wireless controller or service platform’s name | page 7-436
use | Associates different policies and settings with this device | page 7-437
vrrp | Configures VRRP group settings | page 7-443
vrrp-state-check | Publishes interface via OSPF or BGP based on Virtual Router Redundancy Protocol (VRRP) status | page 7-447
wep-shared-key-auth | Enables support for 802.11 WEP shared key authentication | page 7-450
raid | Enables alarm on the array. This command is supported only on the NX9500 series service platform. | page 7-493
7.2.1 adoption-site

Device Config Commands

Sets the device’s adoption site name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
adoption-site <SITE-NAME>

Parameters
• adoption-site <SITE-NAME>

adoption-site <SITE-NAME>
  Sets the device’s adoption site name

Example
rfs4000-229D58(config-device-00-23-68-22-9D-58)#adoption-site SanJoseMainOffice

Related Commands
no
  Disables or reverts settings to their default
7.2.2 area

Device Config Commands

Sets the physical area where the device (controller, service platform, or access point) is deployed. This can be a building, region, campus or other area that describes the deployment location of the device. Assigning an area name is helpful when grouping devices in RF Domains and profiles, as devices in the same physical deployment location may need to share specific configuration parameters in respect to radio transmission and interference requirements specific to that location.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
area <AREA-NAME>

Parameters
• area <AREA-NAME>

area <AREA-NAME>
  Sets the physical area where the device is deployed
  • <AREA-NAME> – Specify the area name (should not exceed 64 characters in length).

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#area RMZEcoSpace
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands
no
  Disables or reverts settings to their default
7.2.3 channel-list

Configures the channel list advertised to wireless clients

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
channel-list [2.4GHz|5GHz|dynamic]
channel-list [2.4GHz <CHANNEL-LIST>|5GHz <CHANNEL-LIST>|dynamic]

Parameters
• channel-list [2.4GHz <CHANNEL-LIST>|5GHz <CHANNEL-LIST>|dynamic]

channel-list – Configures the channel list advertised to wireless clients
2.4GHz <CHANNEL-LIST> – Configures the channel list advertised by radios operating in 2.4 GHz
• <CHANNEL-LIST> – Specify a list of channels separated by commas or hyphens.
5GHz <CHANNEL-LIST> – Configures the channel list advertised by radios operating in 5.0 GHz
• <CHANNEL-LIST> – Specify a list of channels separated by commas or hyphens.
dynamic – Enables dynamic (neighboring access point based) update of configured channel list

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands
no – Resets the channel list configuration
7.2.4 contact

Defines an administrative contact for a deployed device (controller, service platform, or access point)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
contact <WORD>

Parameters
• contact <WORD>

contact <WORD> – Specify the administrative contact name (should not exceed 64 characters in length)

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#contact Bob+1-631-738-5200
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
 contact Bob+1-631-738-5200
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands
no – Resets the administrative contact name
7.2.5 country-code

Defines the two digit country code for legal device deployment

Configuring the correct country is central to legal operation. Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
country-code <WORD>

Parameters
• country-code <COUNTRY-CODE>

country-code <COUNTRY-CODE> – Defines the two digit country code for legal device deployment
• <COUNTRY-CODE> – Specify the two letter ISO-3166 country code.

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#country-code us
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands
no – Removes the configured country code
7.2.6 floor

Sets the building floor name representative of the location within the area or building the device (controller, service platform, or access point) is physically deployed. Assigning a building floor name is helpful when grouping devices in RF Domains and profiles, as devices on the same physical building floor may need to share specific configuration parameters in respect to radio transmission and interference requirements specific to that location.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
floor <FLOOR-NAME> <1-4094>

Parameters
• floor <FLOOR-NAME> <1-4094>

floor <FLOOR-NAME> <1-4094> – Sets the building floor name where the device is deployed
• <1-4094> – Sets a numerical floor designation in respect to the floor’s actual location within a building. Specify a value from 1 - 4094. The default setting is the 1st floor.

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#floor 5thfloor
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
 floor 5thfloor
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands
no – Removes device’s location floor name
7.2.7 geo-coordinates

Configures the geographic coordinates for this device. Specifies the exact location of this device in terms of latitude and longitude coordinates.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
geographic coordinates <-90.0000-90.0000> <-180.0000-180.0000>

Parameters
• geographic coordinates <-90.0000-90.0000> <-180.0000-180.0000>

geographic coordinates – Configures the geographic coordinates for this device
• <-90.0000-90.0000> – Specify the device’s latitude coordinate from -90.0000 to 90.0000. When looking at a floor map, latitude lines specify the east-west position of a point on the Earth's surface.
• <-180.0000-180.0000> – Specify the device’s longitude coordinate from -180.0000 to 180.0000. When looking at a floor map, longitude lines specify the north-south position of a point on the Earth's surface.

Example
rfs4000-229D58(config-device-00-23-68-22-9D-58)#geo-coordinates -90.0000 166.0000
rfs4000-229D58(config-device-00-23-68-22-9D-58)#show context
rfs4000 00-23-68-22-9D-58
 use profile default-rfs4000
 use rf-domain default
 hostname rfs4000-229D58
 geo-coordinates -90.0000 166.0000
 license AP DEFAULT-6AP-LICENSE
 license ADSEC DEFAULT-ADV-SEC-LICENSE
 ip default-gateway 192.168.13.2
 ip default-gateway priority static-route 20
 interface ge1
  switchport mode access
  switchport access vlan 1
 interface vlan1
  ip address 192.168.13.9/24
  ip address 192.168.0.1/24 secondary
  ip dhcp client request options all
 use client-identity-group ClientIdentityGroup
 logging on
 logging console warnings
 logging buffered warnings
rfs4000-229D58(config-device-00-23-68-22-9D-58)#

Related Commands
no – Removes device’s geographic coordinates
7.2.8 hostname

Sets the system's network name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
hostname <WORD>

Parameters
• hostname <WORD>

hostname <WORD> – Sets the name of the managing wireless controller, service platform, or access point. This name is displayed when accessed from any network.

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#hostname TechPubAP7131
The hostname has changed from ‘ap7131-4AA708’ to ‘TechPubAP7131’
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 area RMZEcospace
 floor 5thfloor
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands
no – Removes device’s hostname
7.2.9 lacp

Configures an LACP-enabled peer’s system priority value. LACP uses this system priority value along with the peer’s MAC address to form the system ID. In a LAG, the peer with the lower system ID initiates LACP negotiations with another peer. In scenarios where both peers have the same system-priority value assigned, the peer with the lower MAC gets precedence.

NOTE: For more information on enabling link aggregation, see lacp and lacp-channel-group.

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
lacp system-priority <1-65535>

Parameters
• lacp system-priority <1-65535>

lacp system-priority <1-65535> – Configures the LACP system priority value
• <1-65535> – Specify a value from 1 - 65535. The lower the value, the higher the priority. Therefore, ‘1’ and ‘65535’ indicate highest and lowest system-priority values respectively. The default value is 32768.

Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#lacp system-priority 1
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include lacp
 lacp system-priority 1
  lacp-channel-group 1 mode active
  lacp port-priority 2
  lacp-channel-group 1 mode active
  lacp port-priority 2
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Related Commands
no – Removes this device’s configured system-priority value
7.2.10 layout-coordinates

Configures X and Y layout coordinates for the device

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
layout-coordinates <-4096.0-4096.0> <-4096.0-4096.0>

Parameters
• layout-coordinates <-4096.0-4096.0> <-4096.0-4096.0>

layout-coordinates – Configures X and Y layout coordinates for the device
<-4096.0-4096.0> – Specify the X coordinate from -4096 - 4096.0
<-4096.0-4096.0> – Specify the Y coordinate from -4096 - 4096.0

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#layout-coordinates 1.0 2.0
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 area RMZEcospace
 floor 5thfloor
 layout-coordinates 1.0 2.0
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands
no – Removes device’s layout coordinates
7.2.11 license

Adds a license pack on the device for the specified feature (AP/AAP/ADSEC/HTANLT/WEBF/NSIGHT/NSIGHT-PER/EGUEST-DEV)

The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC controller constitutes the first and the site controllers constitute the second tier of the hierarchy. The site controllers may or may not be grouped to form clusters. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy.

The NOC controllers and/or site controllers can both have license packs installed. Adoption of APs by the NOC and site controllers depends on the number of licenses available on each of these controllers.

When an AP is adopted by a site controller, the site controller pushes a license on to the AP. The various possible scenarios are:
• AP licenses installed only on NOC controller: The NOC controller provides the site controllers with AP licenses, ensuring that per platform limits are not exceeded.
• AP licenses installed on site controller: The site controller uses its installed licenses, and then asks the NOC controller for additional licenses in case of a shortage. In a hierarchical and centrally managed network, the NOC controller can pull unused AP licenses from site controllers and relocate to other site controllers when required.
• AP licenses installed on any member of a site cluster: The site controller shares installed and borrowed (from the NOC) licenses with other controllers within a site cluster.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
license <WORD> <LICENSE-KEY>

Parameters
• license <WORD> <LICENSE-KEY>

<WORD> – Specify the feature name (AP/AAP/ADSEC/HTANLT/WEBF/NSIGHT/NSIGHT-PER/EGUEST-DEV) for which license is added
• AP License: This is the license key required for AP adoptions. The number of APs that can be adopted depends on the installed license count. If the installed license count is 10 APs and the number of AP adoptions is 5, 5 additional APs can still be adopted under the terms of the license.
• AAP License: This is the license key required for AAP adoptions. The number of AAPs that can be adopted depends on the installed license count. If the installed license count is 10 APs and the number of AAP adoptions is 5, 5 additional AAPs can still be adopted under the terms of the license.
• ADSEC License: This is the license key required to install the Role Based Firewall feature and increase the number of IPSec VPN tunnels. The number of IPSec tunnels varies by platform.
• HTANLT: This is the license key required to install Analytics (an enhanced statistical management tool) for NX95XX series service platforms.
• WEBF License: This is the license key required to install the Web filtering feature. Web filtering is used to restrict access to specific resources on the Internet.
• NSIGHT/NSIGHT-PER Licenses: This is the license key required to install NSight on a supported service platform. The NSight UI displays a comprehensive, day-to-day overview of the network in a graphical, visually interactive, and easy-to-use format. However, NSight being a licensed service, on expiration of the first 120 days grace period, the NSight server’s NSight UI can be launched only on the application of the NSight or NSight-Per (NSight Perpetual) license.
The difference between the NSight and NSight-Per licenses is that the first one has an expiration date, whereas the latter doesn’t have an expiration date. Once purchased and applied, the NSight-Per license is active forever, and is therefore ideally suited for a Replica-set NSight deployment, where it is essential that the license is perpetually active and synched across the NSight servers and their primary and secondary databases.
Note: NSight is supported only on NX9500, NX9510, NX9600 model service platforms, and the VX9000 virtual controller.
• EGUEST-DEV License: This is the per-device license key installed on the EGuest server. Once installed the EGuest feature is activated. The EGuest-DEV license defines the number of APs supported by each EGuest server. The maximum limit for per-device license is 100,000. The EGuest server is supported only on the VX9000 platform.

<LICENSE-KEY> – Specify the license key.

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#license ap aplicensekey@1234 aplicensekey@123
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicensekey@1234 aplicensekey@123
 location SanJose
 no contact
 country-code us
 channel-list 2.4GHz 1,2
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#license NSIGHT 62e512ae6cb74689df253a03efe493f375597b67c70ee0b7c30655256b1322d064ca8dfaecedc450

VX-EGuest-DB(config-device-14-A0-19-06-AB-10)#license EGUEST-DEV 5f06f09e8209cba1fc7db70681fe78ba2707bbcd6ca2e8f8a31fe5b7e2e778c8b0d0ee3994f800ad
VX-EGuest-DB(config-device-14-A0-19-06-AB-10)#commit write
VX-EGuest-DB(config-device-14-A0-19-06-AB-10)#show context include-factory | include license
 license EGUEST-DEV 5f06f09e8209cba1fc7db70681fe78ba2707bbcd6ca2e8f8a31fe5b7e2e778c8b0d0ee3994f800ad
VX-EGuest-DB(config-device-14-A0-19-06-AB-10)#
7.2.12 location

Sets the location where a managed device (controller, service platform, or access point) is deployed. This is the location of the device with respect to the RF Domain it belongs to.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
location <WORD>

Parameters
• location <WORD>

<WORD> – Specify the managed device’s location as part of its RF Domain configuration

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#location SanJose
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 area RMZEcospace
 floor 5thfloor
 layout-coordinates 1.0 2.0
 location SanJose
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands
no – Removes a managed device’s location
7.2.13 mac-name

Configures a client name to MAC address mapping. Use this command to assign a user-friendly name to the device (controller, service platform, or access point) and map it to the device’s MAC address.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac-name <MAC> <NAME>

Parameters
• mac-name <MAC> <NAME>

mac-name <MAC> <NAME> – Maps a user-friendly name to the device’s MAC address
• <MAC> – Specify the device’s MAC address.
• <NAME> – Specify the 'friendly' name used for the specified MAC address. This is the name used in events and statistics logs.

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#mac-name 00-04-96-4A-A7-08 5.8TestAP
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 area RMZEcospace
 floor 5thfloor
 layout-coordinates 1.0 2.0
 location SanJose
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
 mac-name 00-04-96-4A-A7-08 5.8TestAP
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands
no – Removes the device’s friendly name to MAC address mapping
7.2.14 no

Negates a command or resets values to their default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [adopter-auto-provisioning-policy-lookup|adoption-site|alias|application-policy|area|arp|auto-learn-staging-config|autoinstall|bridge|captive-portal|cdp|channel-list|cluster|configuration-persistence|contact|controller|country-code|critical-resource|crypto|database-backup|device-upgrade|dot1x|dpi|dscp-mapping|email-notification|environmental-sensor|events|export|file-sync|floor|geo-coordinates|gre|hostname|http-analyze|interface|ip|ipv6|l2tpv3|l3-lite-table|lacp|layout-coordinates|led|led-timeout|legacy-auto-downgrade|legacy-auto-update|license|lldp|load-balancing|location|logging|mac-address-table|mac-auth|mac-name|management-server|memory-profile|meshpoint-device|meshpoint-monitor-interval|min-misconfiguration-recovery-time|mint|mirror|misconfiguration-recovery-time|mpact-server|noc|nsight|ntp|offline-duration|override-wlan|power-config|preferred-controller-group|preferred-tunnel-controller|radius|raid|rf-domain-manager|router|rsa-key|sensor-server|slot|spanning-tree|timezone|traffic-class-mapping|traffic-shape|trustpoint|tunnel-controller|use|vrrp|vrrp-state-check|wep-shared-key-auth|service]

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Removes or resets the logged device’s settings based on the parameters passed

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#no area
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#no contact
7.2.15 nsight

Configures NSight database related parameters. Use this command to configure the data-update periodicity, number of applications posted to the NSight server for a wireless client, and the duration for which data is stored in the NSight database’s buckets. These parameters impact the amount of data stored in the NSight DB and the interval at which data is aggregated and expired within the NSight DB. For more information on data aggregation and expiration, see Usage Guidelines (Data Aggregation and Expiration).

Configure these parameters in the NSight server’s device configuration mode.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
nsight database [statistics|summary]
nsight database statistics [avc-update-interval|max-apps-per-client|update-interval|wireless-clients-update-interval]
nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]
nsight database statistics max-apps-per-client <1-1000>
nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>

Parameters
• nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]

nsight database statistics – Configures NSight database statistics related parameters

avc-update-interval – Configures the interval, in seconds, at which Application Visibility and Control (AVC) statistics are updated to the NSight database. This interval represents the rate at which AVC-related data is inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see Usage Guidelines (Data Aggregation and Expiration).
When configured, RF Domain managers posting AVC-related data to the NSight server receive a reply from the NSight server indicating the next update time. The NSight server calculates the ‘next update time’ based on the avc-update-interval configured here.

update-interval – Configures the interval, in seconds, at which data is updated to the NSight server. This interval represents the rate at which data (excluding AVC and wireless-clients related statistics) is inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see Usage Guidelines (Data Aggregation and Expiration).
When configured, RF Domain managers posting data to the NSight server receive a reply from the NSight server indicating the next update time. The NSight server calculates the ‘next update time’ based on the update-interval configured here.
Note: Use the ‘avc-update-interval’ and ‘wireless-clients-update-interval’ keywords to configure the update interval for AVC-related and wireless-clients related information respectively.

wireless-clients-update-interval – Configures the interval, in seconds, at which wireless-client statistics are updated to the NSight server. This interval represents the rate at which wireless-clients related statistics are inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see Usage Guidelines (Data Aggregation and Expiration).
When configured, RF Domain managers posting wireless-client related data to the NSight server receive a reply from the NSight server indicating the next update time. The NSight server calculates the ‘next update time’ based on the wireless-clients-update-interval configured here.

[120|30|300|60|600] – The following keywords are common to all of the above parameters:
• 120 – Sets the data-update periodicity as 120 seconds (2 minutes)
• 30 – Sets the data-update periodicity as 30 seconds
• 300 – Sets the data-update periodicity as 300 seconds (5 minutes). This is the default setting for the ‘avc-update-interval’ and ‘wireless-clients-update-interval’ parameters.
• 60 – Sets the data-update periodicity as 60 seconds (1 minute). This is the default setting for the ‘update-interval’ parameter.
• 600 – Sets the data-update periodicity as 600 seconds (10 minutes)

• nsight database statistics max-apps-per-client <1-1000>

nsight database statistics – Configures NSight database statistics related parameters
max-apps-per-client – Configures the maximum number of applications per wireless-client to be posted to the NSight server within the configured data-update interval. This information is included in the AVC statistics posted by RF Domain managers to the NSight server.
<1-1000> – Specify the number of applications posted from 1 - 1000. The default is 10 applications per wireless client.

• nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>

nsight database summary – Configures the NSight database’s per-bucket data storage duration
duration <1-24> <1-168> <1-2160> <24-26280> – Configures the duration for which data is stored on a per-bucket basis
• <1-24> – Specify the bucket 1 duration from 1 - 24 hours (i.e. 1 hour to 1 day). The default is 8 hours.
• <1-168> – Specify the bucket 2 duration from 1 - 168 hours (i.e. 1 hour to 7 days). The default is 24 hours.
• <1-2160> – Specify the bucket 3 duration from 1 - 2160 hours (i.e. 1 hour to 90 days). The default is 7 days (168 hours).
• <24-26280> – Specify the bucket 4 duration from 24 - 26280 hours (i.e. 1 day to 3 years). The default is 365 days (1 year).
Note: A bucket is a database collection that holds statistical data for each RF Domain within the network. (Note, only those RF Domains that are using an NSight policy with the NSight server host configured will post data to the NSight server. For more information, see use in the RF Domain configuration mode.) The NSight database has four (4) buckets. The data from each bucket is aggregated and pushed to the next bucket once the data storage duration specified for the bucket has elapsed. For more information on data aggregation, see Usage Guidelines (Data Aggregation and Expiration).
Usage Guidelines (Data Aggregation and Expiration)

Data Aggregation:

The NSight functionality, a data analytics tool, analyzes data that is generated periodically by the nodes within the managed wireless LAN. For large WLAN networks, generating significantly large amounts of data, storing data forever is neither feasible nor beneficial. Therefore, older statistics are summarized into aggregated (averaged) records. All records, for a fixed time period in the past, are summarized into one record by taking an average of them. Although this causes a loss in the data’s granularity, average numbers for any given time period are still available.

Statistical data periodically posted by RF Domain managers to the NSight server are stored in buckets (database collections) within the NSight database. There are four buckets in total. These are:
• First bucket (termed as the RAW bucket) - B1
• Second bucket - B2
• Third bucket - B3
• Fourth bucket - B4

On completion of the data storage duration, records from a bucket are aggregated (at a fixed rate) and inserted into the next bucket. The rate at which records are aggregated into the next bucket becomes the next bucket’s granularity. For example, the B1 records (that have exceeded the data storage duration configured for B1) are aggregated (at the rate specified) and inserted into B2. Similarly, data from B2 are aggregated into B3, and from B3 to B4. The fixed rate of aggregation (or granularity) and default storage duration for each bucket is as follows:
• B1: storage duration 8 hours
• B2: granularity 10 minutes / storage duration 24 hours
• B3: granularity 1 hour / storage duration 7 days
• B4: granularity 1 day / storage duration 1 year

Let us consider (with default update-interval settings) the growth of any one of the statistical buckets.
• Since B1’s default data storage duration is 8 hours, B1 will hold a maximum of 960 records per RF Domain after 8 hours (updated at the rate of 30 seconds).
• Since B2’s granularity is 10 minutes, every 10 minutes 20 records from B1 will be aggregated into a single record and inserted into B2.
• Since B2’s default storage duration is 24 hours, it will contain a maximum of 144 records per RF Domain after 24 hours.
• Since B3’s granularity is 1 hour, every hour 6 records from B2 will be aggregated into a single record and inserted into B3.
• Since B3’s default storage duration is 7 days, it will contain a maximum of 168 records per RF Domain after 7 days.
• Since B4’s granularity is 1 day, every day 24 records from B3 will be aggregated into a single record and inserted into B4.
• Since B4’s default storage duration is 365 days, it will contain a maximum of 365 records per RF Domain after 1 year.

Data Expiration:

The expiration of older records (also referred to as purging or deleting of records) occurs along with data aggregation for each bucket.

Let us consider (with default data storage-duration settings) the expiration of data for any one of the statistical buckets.
• As stated earlier, at the end of 8 hours B1 will have 960 records per RF Domain. After a period of 8 hours and 10 minutes, all 960 records are aggregated into 144 records and inserted into B2. To enable B1 to hold exactly 8 hours worth of data, 20 of the oldest records (corresponding to the first 10 minutes) are purged from B1 at the end of 8 hours and 10 minutes. This expiration cycle is triggered every 10 minutes.
• At the end of 24 hours B2 will have 144 records per RF Domain. After a period of 24 hours and 10 minutes, the oldest record (corresponding to the first 10 minutes) is purged from B2. This expiration cycle is triggered every 10 minutes to enable B2 to maintain exactly 24 hours worth of data.
• At the end of 7 days B3 will have 168 records per RF Domain. After a period of 7 days and one hour, the oldest record (corresponding to the first hour) is purged from B3. This expiration cycle is triggered every 1 hour to enable B3 to maintain exactly 7 days worth of data.
• At the end of 365 days B4 will have 365 records per RF Domain. After 365 days, the oldest records (corresponding to the first day) are purged from B4. This expiration cycle is triggered every 1 day to enable B4 to maintain exactly 365 days worth of data.

Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database statistics avc-update-interval 120
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database statistics update-interval 30
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database statistics wireless-clients-update-interval 600
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database statistics max-apps-per-client 20
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database summary duration 12 30 200 500
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include nsight
 use nsight-policy nsight-noc
 nsight database statistics update-interval 30
 nsight database statistics wireless-clients-update-interval 600
 nsight database summary duration 12 30 200 500
 nsight database statistics avc-update-interval 120
 nsight database statistics max-apps-per-mu 20
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Related Commands
no – Reverts the NSight database related parameters configured to default values
7.2.16 override-wlan

Device Config Commands

Configures WLAN’s RF Domain level overrides

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

override-wlan <WLAN> [shutdown|ssid|vlan-pool|wep128|wpa-wpa2-psk]
override-wlan <WLAN> [shutdown|ssid <SSID>|vlan-pool <1-4094> {limit <0-8192>}|wpa-wpa2-psk <WORD>]
override-wlan <WLAN> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]

Parameters

• override-wlan <WLAN> [shutdown|ssid <SSID>|vlan-pool <1-4094> {limit <0-8192>}|wpa-wpa2-psk <WORD>]

<WLAN>
  Specify the WLAN name.
  Configure the following WLAN parameters: SSID, VLAN pool, and WPA-WPA2 key.
shutdown
  Shuts down the WLAN’s (identified by the <WLAN> keyword) operations on all mapped radios
ssid <SSID>
  Configures the WLAN’s Service Set Identifier (SSID)
  • <SSID> – Specify an SSID ID.
vlan-pool <1-4094> {limit <0-8192>}
  Configures a pool of VLANs for the selected WLAN
  • <1-4094> – Specifies a VLAN pool ID from 1 - 4094.
  • limit – Optional. Limits the number of users on this VLAN pool
    • <0-8192> – Specify the user limit from 0 - 8192.
  Note: The VLAN pool configuration overrides the VLAN configuration.
wpa-wpa2-psk <WORD>
  Configures the WLAN WPA-WPA2 key or passphrase for the selected WLAN
  • <WORD> – Specify a WPA-WPA2 key or passphrase.

• override-wlan <WLAN> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]

<WLAN>
  Specify the WLAN name.
wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]
  Configures the WEP128 key for this WLAN, and also enables key transmission
  Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP 128 uses a 104-bit key, which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. This results in a level of security and privacy comparable to that of a wired LAN.
  • key <1-4> hex – Configures a hexadecimal key (clear text or encrypted) and specifies the key’s index.
    • 0 <WORD> – Configures a clear text key. Specify a 4 - 32 character pass key.
    • 2 <WORD> – Configures an encrypted key. Specify a 4 - 32 character pass key.
  • transmit-key <1-4> – Enables transmission of key index. Specify the key index.
  Wireless devices and their connected clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without the required adapters need to use WEP keys manually configured as hexadecimal numbers.

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#override-wlan test vlan-pool 8
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicenseley@1234 aplicensekey@123
 location SanJose
 no contact
 country-code us
 channel-list 2.4GHz 1,2
 override-wlan test vlan-pool 8
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands

no
  Removes RF Domain level WLAN overrides
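The following Python script is an added example, not taken from this guide or from WiNG itself. It checks override-wlan lines against the syntax and ranges listed above, flags WEP128 overrides and clear text (type 0) keys, and redacts key and passphrase values so a show context dump can be shared; the sample text is constructed, and it is an assumption that show context echoes each override in the form given under Syntax.

```python
"""Audit and redact `override-wlan` lines in WiNG `show context` output."""
from dataclasses import dataclass, field

REDACTED = "<redacted>"

# Constructed sample, not captured from a real device. Assumption: `show context`
# echoes each override in the same form as the guide's Syntax block.
SAMPLE_CONTEXT = """\
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 hostname TechPubAP7131
 override-wlan test vlan-pool 8
 override-wlan guest vlan-pool 20 limit 9000
 override-wlan corp wpa-wpa2-psk ExamplePassphrase1
 override-wlan legacy wep128 key 1 hex 0 0123456789abcdef0123456789
 override-wlan legacy wep128 key 2 hex 2 EXAMPLEENCRYPTEDBLOB
 override-wlan legacy wep128 transmit-key 1
 override-wlan lab shutdown
"""


@dataclass
class Override:
    wlan: str
    setting: str
    redacted: str                      # the line with secret values removed
    findings: list = field(default_factory=list)


def _in_range(token, low, high):
    return token.isascii() and token.isdigit() and low <= int(token) <= high


def _check_wep128(args, findings):
    """Validate `wep128` arguments; return the tokens safe to keep."""
    # WEP is deprecated in IEEE 802.11, so every WLAN still overriding to it is reported.
    findings.append("legacy: WEP128 (104-bit key + 24-bit IV, RC4) configured")
    if args[:1] == ["transmit-key"]:
        if len(args) != 2 or not _in_range(args[1], 1, 4):
            findings.append("range: transmit-key index must be 1-4")
        return args
    if args[:1] != ["key"]:
        findings.append("syntax: expected 'key' or 'transmit-key'")
        return [REDACTED]
    well_formed = len(args) == 5 and args[2] == "hex" and args[3] in ("0", "2")
    if not well_formed:
        # Position of the key is unknown, so drop everything after `key`.
        findings.append("syntax: expected key <1-4> hex [0|2] <WORD>")
        return ["key", REDACTED]
    if not _in_range(args[1], 1, 4):
        findings.append("range: key index must be 1-4")
    if not 4 <= len(args[4]) <= 32:
        findings.append("range: key must be 4-32 characters")
    if args[3] == "0":
        findings.append("secret: WEP key stored as clear text (type 0)")
    return args[:4] + [REDACTED]


def audit_line(line):
    """Return an Override for one `override-wlan` line, or None for any other line."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "override-wlan":
        return None
    indent = line[: len(line) - len(line.lstrip())]
    wlan, setting, args = tokens[1], tokens[2], tokens[3:]
    findings, tail = [], args
    if setting == "shutdown":
        if args:
            findings.append("syntax: shutdown takes no arguments")
    elif setting == "ssid":
        if not args:
            findings.append("syntax: ssid requires a value")
    elif setting == "vlan-pool":
        if not args or not _in_range(args[0], 1, 4094):
            findings.append("range: vlan-pool ID must be 1-4094")
        if len(args) > 1 and not (len(args) == 3 and args[1] == "limit"
                                  and _in_range(args[2], 0, 8192)):
            findings.append("range: expected limit <0-8192>")
    elif setting == "wpa-wpa2-psk":
        findings.append("secret: WPA-WPA2 passphrase present in configuration")
        tail = [REDACTED]
    elif setting == "wep128":
        tail = _check_wep128(args, findings)
    else:
        findings.append("syntax: unknown override '%s'" % setting)
    return Override(wlan, setting, indent + " ".join(tokens[:3] + tail), findings)


def audit_context(text):
    """Return (overrides, redacted_text) for a whole `show context` dump."""
    overrides, lines = [], []
    for line in text.splitlines():
        item = audit_line(line)
        lines.append(item.redacted if item else line)
        if item:
            overrides.append(item)
    return overrides, "\n".join(lines)


if __name__ == "__main__":
    found, safe_text = audit_context(SAMPLE_CONTEXT)
    print(safe_text)
    for item in found:
        for finding in item.findings:
            print("%-8s %-13s %s" % (item.wlan, item.setting, finding))
```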
7.2.17 remove-override

Device Config Commands

Removes device overrides in order to enable profile settings to take effect

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

remove-override <PARAMETERS>

Parameters

• remove-override <PARAMETERS>

remove-override <PARAMETERS>
  Removes settings configured at the device level based on the parameters passed. The profile (applied to the device) settings take effect once the device-level overrides are removed.

Example

rfs4000-229D58(config-device-00-23-68-22-9D-58)#remove-override ?
  adopter-auto-provisioning-policy-lookup  Use centralized auto-provisioning
                                           policy when adopted by another
                                           controller
  adoption                                 Adoption configuration
  adoption-mode                            Configure the adoption mode for the
                                           access-points in this RF-Domain
  alias                                    Alias
  all                                      Remove all overrides for the device
  application-policy                       Application Policy configuration
  area                                     Reset name of area where the system
                                           is located
  arp                                      Address Resolution Protocol (ARP)
  auto-learn                               Auto learning
  autogen-uniqueid                         Autogenerate a unique id
  autoinstall                              Autoinstall settings
  bridge                                   Bridge group commands
  captive-portal                           Captive portal
  cdp                                      Cisco Discovery Protocol
  channel-list                             Configure a channel list to be
                                           advertised to wireless clients
  cluster                                  Cluster configuration
  configuration-persistence                Automatic write of startup
                                           configuration file
  contact                                  The contact
  controller                               WLAN controller configuration
  country-code                             The country of operation
  critical-resource                        Critical Resource
  crypto                                   Encryption related commands
  device-upgrade                           Device firmware upgrade
  dot1x                                    802.1X
  dpi                                      Deep-Packet-Inspection (Application
                                           Assurance)
  dscp-mapping                             IP DSCP to 802.1p priority mapping
                                           for untagged frames
  email-notification                       Email notification configuration
  enforce-version                          Check the firmware versions of
                                           devices before interoperating
  environmental-sensor                     Environmental Sensors Configuration
  events                                   System event messages
  export                                   Export a file
  file-sync                                File sync between controller and
                                           adoptees
  firewall                                 Enable/Disable firewall
  floor                                    Reset name of floor where the
                                           system is located
  geo-coordinates                          Geo co-ordinates for this device
  global                                   Remove global overrides for the
                                           device but keeps per-interface
                                           overrides
  gre                                      GRE protocol
  interface                                Select an interface to configure
  ip                                       Internet Protocol (IP)
  ipv6                                     Internet Protocol version 6 (IPv6)
  l2tpv3                                   L2tpv3 protocol
  l3e-lite-table                           L3e lite Table
  led                                      LED on the device
  lldp                                     Link Layer Discovery Protocol
  location                                 The location
  logging                                  Modify message logging facilities
  mac-address-table                        MAC Address Table
  mac-auth                                 802.1X
  memory-profile                           Memory-profile
  mint                                     MiNT protocol
  mpact-server                             MPACT server configuration
  noc                                      Noc related configuration
  ntp                                      Configure NTP
  offline-duration                         Duration to mark adopted device as
                                           offline
  override-wlan                            Overrides for wlans
  power-config                             Configure power mode
  preferred-controller-group               Controller group this system will
                                           prefer for adoption
  preferred-tunnel-controller              Tunnel Controller Name this system
                                           will prefer for tunneling extended
                                           vlan traffic
  rf-domain-manager                        RF Domain Manager
  router                                   Dynamic routing
  routing-policy                           Policy Based Routing Configuration
  sensor-server                            AirDefense WIPS sensor server
                                           configuration
  spanning-tree                            Spanning tree
  timezone                                 The timezone
  traffic-class-mapping                    IPv6 traffic-class to 802.1p
                                           priority mapping for untagged
                                           frames
  traffic-shape                            Traffic shaping
  trustpoint                               Assign a trustpoint to a service
  tunnel-controller                        Tunnel Controller group this
                                           controller belongs to
  use                                      Set setting to use
  vrrp                                     VRRP configuration
  service                                  Service Commands
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
7.2.18 rsa-key

Device Config Commands

Assigns an SSH RSA key

SSH keys are a pair of cryptographic keys used to authenticate users instead of, or in addition to, a username/password. One key is private and the other is public. Secure Shell (SSH) public key authentication can be used by a requesting client to access resources, if properly configured. The RSA key pair must be generated on the client. The public portion of the key pair resides with the controller, service platform, or access point locally, while the private portion remains on a secure area of the client.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

rsa-key ssh <RSA-KEY-NAME>

Parameters

• rsa-key ssh <RSA-KEY-NAME>

rsa-key ssh <RSA-KEY-NAME>
  Assigns RSA key to SSH
  • <RSA-KEY-NAME> – Specifies the RSA key name. The key should be installed using PKI commands in the enable mode.

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#rsa-key ssh rsa-key1
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicenseley@1234 aplicensekey@123
 rsa-key ssh rsa-key1
 location SanJose
 no contact
 country-code us
 channel-list 2.4GHz 1,2
 override-wlan test vlan-pool 8
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands

no
  Removes RSA key from service
7.2.19 sensor-server

Device Config Commands

Configures an AirDefense sensor server resource for client terminations and WIPS event logging. This is the server that supports WIPS events on behalf of the controller or service platform.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}

Parameters

• sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}

sensor-server <1-3>
  Sets a numerical index to differentiate this AirDefense sensor server from other servers. A maximum of 3 (three) sensor server resources can be defined.
ip <IP/HOSTNAME>
  Configures the AirDefense sensor server’s IP address or hostname
  • <IP/HOSTNAME> – Specify the IP address.
port [443|<1-65535>]
  Optional. Configures the port. The options are:
  • 443 – The default port used by the AirDefense server. This is the default setting.
  • <1-65535> – Manually sets the port number of the AirDefense server from 1 - 65535

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#sensor-server 1 ip 172.16.10.7
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicenseley@1234 aplicensekey@123
 rsa-key ssh rsa-key1
 location SanJose
 no contact
 country-code us
 sensor-server 1 ip 172.16.10.7
 channel-list 2.4GHz 1,2
 override-wlan test vlan-pool 8
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands

no
  Removes configured sensor server settings
7.2.20 timezone

Device Config Commands

Configures device’s timezone

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

timezone <TIMEZONE>

Parameters

• timezone <TIMEZONE>

timezone <TIMEZONE>
  Configures the device’s timezone

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#timezone Etc/UTC
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicenseley@1234 aplicensekey@123
 rsa-key ssh rsa-key1
 location SanJose
 no contact
 timezone Etc/UTC
 stats open-window 2 sample-interval 77 size 10
 country-code us
 sensor-server 1 ip 172.16.10.7
 channel-list 2.4GHz 1,2
 override-wlan test vlan-pool 8
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands

no
  Removes device’s configured timezone
7.2.21 trustpoint (device-config-mode)

Device Config Commands

Assigns trustpoints to validate various services, such as HTTPS, RADIUS CA, RADIUS server, external LDAP server, etc.

For more information on digital certificates and certificate authorities, see trustpoint (profile-config-mode).

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

trustpoint [cloud-client|cmp-auth-operator|https|radius-ca|radius-ca-ldaps|radius-server|radius-server-ldaps] <TRUSTPOINT-NAME>

Parameters

• trustpoint [cloud-client|cmp-auth-operator|https|radius-ca|radius-ca-ldaps|radius-server|radius-server-ldaps] <TRUSTPOINT-NAME>

NOTE: Certificates/trustpoints used in this command should be verifiable as existing on the device.

trustpoint
  Assigns trustpoints to validate various services. The assigned trustpoint is used as the CA for validating the services.
cloud-client
  Assigns trustpoint to validate cloud client. The trustpoint should be existing and installed on the device.
  Use this option on cloud-enabled and cloud-adopted access points to secure the communication between the cloud AP and cloud client. The trustpoint should be existing and installed on the AP. The cloud-enabled access points are AP7502, AP7522, AP7532, and AP7562. For local-controller adopted APs, this configuration is not required.
cmp-auth-operator
  Assigns an existing trustpoint to validate CMP auth operator. Once validated, CMP is used to obtain and manage digital certificates in a PKI network. Digital certificates link identity information with a public key enclosed within the certificate, and are issued by the CA.
  Use this command to specify the CMP-assigned trustpoint. When specified, devices send a certificate request to the CMP supported CA server, and download the certificate directly from the CA server. CMP supports multiple request options for devices communicating with a CMP supported CA server. The device can initiate a request for getting the certificates from the server. It can also auto update the certificates which are about to expire.
  Note: When configured, this cmp-auth-operator trustpoint setting overrides the profile-level configuration.
https
  Assigns an existing trustpoint to validate HTTPS
radius-ca
  Assigns an existing trustpoint to validate client certificates in EAP
radius-ca-ldaps
  Assigns an existing trustpoint to validate external LDAP server
radius-server
  Assigns an existing trustpoint to validate RADIUS server certificate
radius-server-ldaps
  Assigns an existing trustpoint to RADIUS server certificate to validate LDAP server
<TRUSTPOINT-NAME>
  The following keyword is common to all of the above parameters:
  • <TRUSTPOINT-NAME> – After selecting the service to validate, specify the trustpoint name (should be existing and stored on the device).
  Note: By default, the system assigns the default-trustpoint to validate the following: https, radius-server, and radius-server-ldaps.

Example

A device’s default HTTPS, RADIUS, and CMP certificate/trustpoint configuration is as follows:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include trustpoint
 trustpoint https default-trustpoint
 no trustpoint radius-ca
 trustpoint radius-server default-trustpoint
 no trustpoint radius-ca-ldaps
 trustpoint radius-server-ldaps default-trustpoint
 no trustpoint cmp-auth-operator
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#trustpoint https test
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include trustpoint
 trustpoint https test
 no trustpoint radius-ca
 trustpoint radius-server default-trustpoint
 no trustpoint radius-ca-ldaps
 trustpoint radius-server-ldaps default-trustpoint
 no trustpoint cmp-auth-operator
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
7.2.22 raid

Device Config Commands

Enables chassis alarm that sounds when events are detected that degrade RAID support (drive content mirroring) on a service platform

The NX95XX (NX9500 and NX9510) series service platforms include a single Intel MegaRAID controller (virtual drive) with RAID-1 mirroring support enabled. The online virtual drive supports up to two physical drives that could require hot spare substitution if a drive were to fail. The WiNG software allows you to manage the RAID controller event alarm and syslogs supporting the array hardware from the service platform user interface without rebooting the service platform BIOS.

Although RAID controller drive arrays are available only on the NX95XX series service platforms, they can be administrated on behalf of a NX95XX profile by a different model service platform or wireless controller.

Supported in the following platforms:
• Service Platforms — NX7530, NX9500, NX9510, NX9600

Syntax

raid alarm enable

Parameters

• raid alarm enable

alarm enable
  Enables audible alarm, which is triggered when a RAID drive fails. When triggered, the alarm can be disabled by executing the raid > silence command in the device’s Priv Exec mode.

Example

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#raid alarm enable
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
 use profile default-nx9000
 use rf-domain default
 hostname nx9500-6C8809
 ip default-gateway 192.168.13.2
 interface ge1
  switchport mode access
  switchport access vlan 1
 interface vlan1
  ip address 192.168.13.13/24
 logging on
 logging console warnings
 logging buffered warnings
 raid alarm enable
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Related Commands

no
  Disables RAID alarm
7.3 T5 Profile Config Commands

A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices. The Customer Premises Equipment (CPEs) are the T5 controller managed radio devices using the IPX operating system. These CPEs use DSL as their high speed Internet access mechanism using the CPE’s physical wallplate connection and phone jack.

To navigate to this instance, use the following commands:

<DEVICE>(config-profile-<PROFILE-NAME>)#?
T5 Profile Mode commands:
  cpe            T5 CPE configuration
  interface      Select an interface to configure
  ip             Internet Protocol (IP)
  no             Negate a command or set its defaults
  ntp            Configure NTP
  override-wlan  Configure RF Domain level overrides for wlan
  t5             T5 configuration
  t5-logging     Modify message logging facilities
  use            Set setting to use
  clrscr         Clears the display screen
  commit         Commit all changes made in this session
  do             Run commands from Exec mode
  end            End current mode and change to EXEC mode
  exit           End current mode and down to previous mode
  help           Description of the interactive help system
  revert         Revert changes
  service        Service Commands
  show           Show running system information
  write          Write running configuration to memory or terminal
<DEVICE>(config-profile-<PROFILE-NAME>)#

The following table summarizes T5 profile configuration mode commands:

Command | Description | Reference
cpe | Configures T5 CPE related settings (IP address range and VLAN) | page 7-495
interface | Configures the T5 controller’s interfaces | page 7-497
ip | Configures the default gateway’s IP address | page 7-499
no | Removes or reverts this T5 controller profile settings | page 7-500
ntp | Configures the NTP server associated with this T5 profile | page 7-501
override-wlan | Configures the RF Domain level overrides applied on a WLAN on this T5 profile | page 7-502
t5 | Configures the logged T5 controller’s country of operation | page 7-503
t5-logging | Configures a maximum of 5 (five) remote hosts capable of receiving syslog messages from this selected T5 controller | page 7-504
use | Defines this T5 profile’s management settings | page 7-505
7.3.1 cpe

T5 Profile Config Commands

Configures T5 CPE related settings. This command is available both in the T5 profile and T5 device contexts.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax T5 Profile & T5 Device Context

cpe [address|led]
cpe address vlan <1-4094> <START-IP> <END-IP>
cpe led cpe <cpe1-24>

The following commands are specific to the T5 device context:

cpe [boot|reload|upgrade]
cpe boot system <cpe1-24> <primary|secondary>
cpe reload <cpe1-24>
cpe <cpe1-24> upgrade <IMAGE-LOCATION>

Parameters

• cpe address vlan <1-4094> <START-IP> <END-IP>

cpe address
  Configures the range of addresses that can be assigned to adopted CPEs
vlan <1-4094>
  Configures the VLAN assigned to the CPEs managed by this T5 controller
<START-IP> <END-IP>
  Configures the range of IP addresses that can be assigned to the CPEs managed by this T5 controller
  • <START-IP> – Specify the first IP address in the range.
  • <END-IP> – Specify the last IP address in the range.

• cpe led cpe <cpe1-24>

cpe led
  Enables flashing of LEDs on specified CPEs
cpe <cpe1-24>
  Identifies the CPE(s) on which the operation is performed
  • <cpe1-24> – Configures the CPE’s ID from cpe1 - cpe24. To enable led flashing on all adopted CPEs, enter cpe1-X, where X is the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4, & 5 are adopted and ready, then enter this value as cpe1-5.

• cpe boot system <cpe1-24> <primary|secondary>

cpe boot system
  Changes the image used by a CPE to boot. When reloading, the CPE uses the specified image.
<cpe1-24>
  Identifies the CPE(s) on which the operation is performed
  • <cpe1-24> – Configures the CPE’s ID from cpe1 - cpe24. To enable led flashing on all adopted CPEs, enter cpe1-X, where X is the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4, & 5 are adopted and ready, then enter this value as cpe1-5.
<primary|secondary>
  Select the next boot image
  • primary – Uses the primary image when reloading
  • secondary – Uses the secondary image when reloading

• cpe reload <cpe1-24>

cpe reload
  Reloads all or specified CPEs.
<cpe1-24>
  Identifies the CPE(s) to reload
  • <cpe1-24> – Configures the CPE’s ID from cpe1 - cpe24. To enable led flashing on all adopted CPEs, enter cpe1-X, where X is the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4, & 5 are adopted and ready, then enter this value as cpe1-5.

• cpe <cpe1-24> upgrade <IMAGE-LOCATION>

cpe <cpe1-24> upgrade <IMAGE-LOCATION>
  Upgrades all or specified CPEs
  • <cpe1-24> – Identifies the CPE(s) to upgrade. Specify the CPE’s ID from cpe1 - cpe24. To enable led flashing on all adopted CPEs, enter cpe1-X, where X is the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4, & 5 are adopted and ready, then enter this value as cpe1-5.
  • upgrade <IMAGE-LOCATION> – Uses the image specified here to upgrade identified CPEs.
    • <IMAGE-LOCATION> – Specify the firmware image location using one of the following options:
      path/file
      tftp://<IP>/path/file
      ftp://<user>:<passwd>@<IP>/path/file

Example

nx9500-6C8809(config-profile-T5TestProfile)#cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#show context
profile t5 T5TestProfile
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
 interface fe 5 2
..........................................................................
 interface radio 11 1
 interface fe 9 2
 interface radio 18 1
 interface fe 9 1
 use firewall-policy default
 service pm sys-restart
 cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#
7.3.2 interface

T5 Profile Config Commands

Configures the T5 controller’s interfaces

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax

interface [<WORD>|dsl|fe|ge|radio|vlan]
interface [<WORD>|dsl <1-24>|fe <1-24> <1-2>|ge <1-2>|radio <1-24> <1-2>|vlan <1-4094>]

Parameters

• interface [<WORD>|dsl <1-24>|fe <1-24> <1-2>|ge <1-2>|radio <1-24> <1-2>|vlan <1-4094>]

<WORD>
  Configures the interface identified by the <WORD> keyword
dsl <1-24>
  Configures the specified DSL interface. A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use DSL as their high speed Internet access mechanism using the CPE’s physical wallplate connection and phone jack.
  • <1-24> – Specify the DSL port index from 1 - 24.
fe <1-24> <1-2>
  Configures the specified FastEthernet interface. The T5 controller has the following FastEthernet port designations: fe1-fe2 (fe1-fe2 are for up to 24 CPE devices managed by a T5 controller).
  • <1-24> – Specify the DSL port index from 1 - 24.
  • <1-2> – Specify the FastEthernet interface to configure.
  In the FastEthernet interface configuration mode, specify the interface settings.
ge <1-2>
  Configures the specified GigabitEthernet interface.
  T5 controllers have two Ethernet port designations. These are ge1 and ge2.
  The GE ports can be RJ-45 or fiber ports supporting 10/100/1000Mbps.
  • <1-2> – Specify the interface index from 1 - 2.
  In the GigabitEthernet interface configuration mode, specify the interface settings.
radio <1-24> <1-2>
  Configures the specified radio interface. T5 controller managed CPE device radios can have their radio configurations overridden once their radios have successfully associated and have been provisioned by the adopting controller, service platform, or peer model AP controller access point.
  • <1-24> – Specify the radio interface index from 1 - 24.
  • <1-2> – Allows the second radio to be specified as a radio interface. For example, this is “interface radio X Y” where ‘X’ is the DSL line number and ‘Y’ is the radio interface (number).
vlan <1-4094>
  Configures the specified VLAN interface. Once configured, the VLAN interface provides layer 3 (IP) T5 controller access or provides layer 3 service on a VLAN. The VLAN interface defines which IP address is associated with each VLAN ID a T5 controller is connected to. A VLAN interface is created for the default VLAN (VLAN 1) to enable remote administration. This interface is also used to map VLANs to IPv4 and IPv6 formatted IP address ranges. This mapping determines the destination for routing.
  • <1-4094> – Specify the VLAN interface index from 1 - 4094.
  In the VLAN configuration mode, specify the interface’s primary IP address in the A.B.C.D/M format. Optionally specify the secondary IP address.

Example

rfs7000-37FABE(config-profile-t5Profile)#interface dsl 1
rfs7000-37FABE(config-profile-t5Profile-if-dsl1)#?
Interface configuration commands:
  description       Port description
  ds-interleaver    Enable impulse noise protection in the downstream
                    direction
  ds-max-datarate   Configure maximum allowed downstream rate for the
                    interface
  ds-min-margin     Configure the minimum downstream signal-to-noise(SNR)
                    ratio margin
  ds-target-margin  Configure the desired downstream signal-to-noise (SNR)
                    ratio margin
  duplex            Set duplex to interface
  flowcontrol       Set flowcontrol to interface
  line-power        Use the line-power command to apply power to the interface
  no                Negate a command or set its defaults
  qos               QOS settings
  shutdown          Shutdown the selected interface
  speed             Configure speed
  switchport        Set switching mode characteristics
  us-interleaver    Enable impulse noise protection in the upstream direction
  us-max-datarate   Configure maximum allowed upstream rate for the interface
  us-min-margin     Configure the minimum upstream signal-to-noise (SNR) ratio
                    margin
  us-target-margin  Configure the desired upstream signal-to-noise (SNR) ratio
                    margin
  clrscr            Clears the display screen
  commit            Commit all changes made in this session
  do                Run commands from Exec mode
  end               End current mode and change to EXEC mode
  exit              End current mode and down to previous mode
  help              Description of the interactive help system
  revert            Revert changes
  service           Service Commands
--More--
rfs7000-37FABE(config-profile-t5Profile-if-dsl1)#

Related Commands

no
  Removes the selected interface configuration on the T5 device

7.3.3 ip
Configures the default gateway’s IP address

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax
ip default-gateway <IP>

Parameters
• ip default-gateway <IP>
ip default-gateway <IP> – Enter the default gateway’s IP address in the A.B.C.D format.

Example
nx9500-6C8809(config-profile-t5Profile)#ip default-gateway 192.168.13.7
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
 ip default-gateway 192.168.13.7
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
 interface fe 5 2
 interface ge 2
 interface ge 1
 interface fe 5 1
--More--
nx9500-6C8809(config-profile-t5Profile)#

7.3.4 no
Removes or reverts this T5 controller profile’s settings

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax
no [cpe|interface|ntp|override-wlan|t5-logging|use]
no cpe led cpe <1-24>
no interface vlan <2-4094>
no ntp server <IP>
no override-wlan <WLAN-NAME> vlan
no t5-logging host <IP>
no use management-policy

Parameters
• no <PARAMETERS>
no <PARAMETERS> – Removes or reverts to default the selected T5 profile’s or device’s settings

Example
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
 ip default-gateway 192.168.13.7
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
....................................................
 use firewall-policy default
 ntp server 192.168.13.2
 service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#
nx9500-6C8809(config-profile-t5Profile)#no ntp server 192.168.13.2
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
 ip default-gateway 192.168.13.7
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
....................................................
 use firewall-policy default
 service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#

7.3.5 ntp
Configures the NTP server associated with this T5 profile. T5 controllers, using this profile, will obtain their system time from the specified NTP server resources.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax
ntp server <IP>

Parameters
• ntp server <IP>
ntp server <IP> – Specify the NTP server’s IP address. You can specify a maximum of 3 (three) NTP server resources.

Example
nx9500-6C8809(config-profile-t5Profile)#ntp server 192.168.13.2
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
 ip default-gateway 192.168.13.7
 no autoinstall configuration
 no autoinstall firmware
 interface dsl 5
.....................................................
 use firewall-policy default
 ntp server 192.168.13.2
 service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#

Related Commands
no – Removes the NTP server’s IP address

7.3.6 override-wlan
Use this option to configure RF Domain level configuration for a WLAN. The overrides configured here are applied to all T5 devices using this T5 profile.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax
override-wlan <WLAN-NAME> vlan <1-4094>

Parameters
• override-wlan <WLAN-NAME> vlan <1-4094>
override-wlan <WLAN-NAME> – Overrides the specified WLAN’s VLAN configuration
• <WLAN-NAME> – Specify the WLAN’s name.
vlan <1-4094> – Specify the new VLAN option
• <1-4094> – Specify the VLAN from 1 - 4094.

Example
The following example displays the WLAN SJOffWLan configuration:
nx9500-6C8809(config-wlan-SJOffWLan)#show context
wlan SJOffWLan
 description "SJ Office WLAN"
 ssid SJOffWLan
 vlan 468
 bridging-mode local
 encryption-type ccmp
 authentication-type eap-psk
 use aaa-policy test
nx9500-6C8809(config-wlan-SJOffWLan)#

The following example overrides the SJOffWLan WLAN’s VLAN configuration on the T5 profile:
nx9500-6C8809(config-profile-testT5)#override-wlan SJOffWLan vlan 30
nx9500-6C8809(config-profile-testT5)#show context include-factory | include override-wlan
 override-wlan SJOffWLan vlan 30
nx9500-6C8809(config-profile-testT5)#

Related Commands
no – Removes the RF Domain level overrides applied on a WLAN on this T5 profile

7.3.7 t5
Configures this T5 controller’s country of operation

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax
t5 country-code <WORD>

Parameters
• t5 country-code <WORD>
country-code <WORD> – Configures the 2 letter ISO-3166 country code for this T5 controller

Example
nx9500-6C8809(config-profile-T5TestProfile)#t5 country-code us
nx9500-6C8809(config-profile-T5TestProfile)#show context
profile t5 T5TestProfile
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
 interface fe 5 2
..........................................................................
 interface fe 9 1
 use firewall-policy default
 service pm sys-restart
 t5 country-code US
 cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#

7.3.8 t5-logging
Configures a maximum of 5 (five) remote hosts capable of receiving syslog messages from this selected T5 controller

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax
t5-logging host <IP> severity [error|info|notice|trace|warning] facility [local0|local1|local2|local3|local4|local5|local6|local7]

Parameters
• t5-logging host <IP> severity [error|info|notice|trace|warning] facility [local0|local1|local2|local3|local4|local5|local6|local7]
t5-logging host <IP> – Configures syslog message logging settings
• host <IP> – Configures the external syslog remote host resource’s IP address. This is the host dedicated to receive T5 syslog messages.
severity [error|info|notice|trace|warning] – Configures the syslog message filtering severity level. The options are:
• error – Only forwards error and above syslog event messages.
• info – Only forwards informational and above syslog event messages.
• notice – Only forwards syslog notices relating to general device operational events. These are events that are of more interest than the “info” events.
• trace – Only forwards trace routing event messages
• warning – Only forwards warnings and above syslog event messages
facility [local0|local1|local2|local3|local4|local5|local6|local7] – Configures the facility level for log messages sent to the syslog server. The facility level specifies the type of program logging the message. Specifying the facility level allows the configuration file to specify that message handling will vary with varying facility type. The options are: local0, local1, local2, local3, local4, local5, local6, local7. The default value is local7.

Example
nx9500-6C8809(config-profile-T5TestProfile)#t5-logging host 192.168.13.10 severity warning facility local6
nx9500-6C8809(config-profile-T5TestProfile)#show context
profile t5 T5TestProfile
 t5-logging host 192.168.13.10 severity warning facility local6
 no autoinstall configuration
.............................................................................
 no autoinstall firmware
 t5 country-code US
 cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#

Related Commands
no – Modifies message logging severity level and facilities

7.3.9 use
Associates a management policy with this T5 profile. The specified policy is applied to all T5 controllers using this profile.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax
use management-policy <POLICY-NAME>

Parameters
• use management-policy <POLICY-NAME>
use management-policy <POLICY-NAME> – Associates a management policy with this T5 profile (should be existing and configured)
• <POLICY-NAME> – Specify the management policy’s name.

Example
nx9500-6C8809(config-profile-t5Profile)#use management-policy default
Trustpoints HTTPS Server  and RSA keys for SSH can be configured with 'trustpoint' and 'rsa-key' commands in device context
nx9500-6C8809(config-profile-t5Profile)#

Related Commands
no – Removes the management policy used with this T5 profile

7.4 EX3524 & EX3548 Profile/Device Config Commands
Creates a new EX3524 and EX3548 profile and enters its configuration mode.

To navigate to this instance, use the following commands:
<DEVICE>(config)#profile ex35xx <EX35XX-PROFILE-NAME>
Where ex35xx can be an EX3524 or an EX3548 device type.

<DEVICE>(config-profile-<EX35XX-PROFILE-NAME>)#?
EX35XX Profile Mode commands:
  interface  Select an interface to configure
  ip         Internet Protocol (IP)
  no         Negate a command or set its defaults
  power      EX3500 Power over Ethernet Command
  upgrade    Configures upgrade option for ex3500 system
  use        Set setting to use
  clrscr     Clears the display screen
  commit     Commit all changes made in this session
  do         Run commands from Exec mode
  end        End current mode and change to EXEC mode
  exit       End current mode and down to previous mode
  help       Description of the interactive help system
  revert     Revert changes
  service    Service Commands
  show       Show running system information
  write      Write running configuration to memory or terminal
<DEVICE>(config-profile-<EX35XX-PROFILE-NAME>)#

The following table summarizes EX3524 and EX3548 profile/device configuration mode commands:
Command – Description
interface – Selects an interface type and enters the selected interface’s configuration mode
ip – Configures the default gateway through which this EX35XX switch can reach other subnets
power – Enables power inline compatibility mode on this EX35XX profile
upgrade – Configures adopted EX35XX switch upgrade settings
use – Applies an EX3500 management policy to this EX35XX profile
no – Removes or reverts this EX35XX profile’s settings

7.4.1 interface
This command selects an interface type and enters the selected interface’s configuration mode. The EX35XX switch has GE and VLAN interfaces. Select the interface type and provide the interface ID to enter its configuration mode.

Command – Description
interface – Selects an interface type and enters the selected interface’s configuration mode
interface-ge-config commands – Summarizes GE interface configuration mode commands
interface-vlan-config commands – Summarizes VLAN interface configuration mode commands

7.4.1.1 interface
Selects the EX35XX interface type and enters the selected interface’s configuration mode

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
interface [ge 1 <1-48>|vlan <1-4094>]

Parameters
• interface [ge 1 <1-48>|vlan <1-4094>]
interface – Selects the EX35XX interface type and enters its configuration mode. The interface options available are: GE and VLAN
ge 1 <1-48> – Selects a GE interface to configure
• 1 – Configures the GE interface unit identifier as 1
• <1-48> – Configures the physical port number from 1 - 24/48
Note: For the EX3524 model switch the GE port range is 1-24, and for the EX3548 it is 1-48.
vlan <1-4094> – Selects a VLAN interface to configure
• <1-4094> – Specify the VLAN interface ID from 1 - 4094.

Example
nx4500-5CFA8E(config-profile-testEX35XX)#interface vlan 1
nx4500-5CFA8E(config-profile-testEX35XX-if-vlan1)#?
 commands:
  ip       Internet Protocol (IP)
  no       Negate a command or set its defaults
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
nx4500-5CFA8E(config-profile-testEX35XX-if-vlan1)#
nx4500-5CFA8E(config-profile-testEX35XX)#interface ge 1 1
nx4500-5CFA8E(config-profile-testEX35XX-if-ge1-1)#?
 commands:
  access-group  Access group to bind a port to an ACL name
  no            Negate a command or set its defaults
  port          Configures the characteristics of the port
  power         EX3500 Power over Ethernet Command
  shutdown      Shutdown the selected interface
  speed-duplex  Configures speed and duplex operation
  switchport    Configures switch mode characteristics
  use           Set setting to use
  clrscr        Clears the display screen
  commit        Commit all changes made in this session
  do            Run commands from Exec mode
  end           End current mode and change to EXEC mode
  exit          End current mode and down to previous mode
  help          Description of the interactive help system
  revert        Revert changes
  service       Service Commands
  show          Show running system information
  write         Write running configuration to memory or terminal
nx4500-5CFA8E(config-profile-testEX35XX-if-ge1-1)#

Related Commands
no – Removes this interface (GE/VLAN) settings from the EX35XX profile or device
interface-ge-config commands – Summarizes GE interface configuration mode commands
interface-vlan-config commands – Summarizes VLAN interface configuration mode commands

7.4.1.2 interface-ge-config commands
The following table lists the EX35XX GE interface configuration mode commands:
Command – Description
access-group – Binds an EX3500 ACL to the selected port
port – Enables port monitoring on the selected port
power – Turns power on or off for the selected port
shutdown – Shuts down the selected port
speed-duplex – Configures the speed and duplex mode of the selected port when auto-negotiation is disabled. Auto-negotiation is enabled by default.
switch-port – Configures the switch mode characteristics of the selected port
use – Applies an EX3500 QoS policy map with the selected port
no – Removes or reverts the selected port’s settings

7.4.1.2.1 access-group
Binds an EX3500 ACL to the selected port

When applied to the port, the ACL takes effect. Only one ACL can be bound to a port at a time. If you bind a new ACL to a port with an existing ACL binding, the old binding is replaced with the new one.

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in {time-range <TIME-RANGE-NAME>}

Parameters
• access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in {time-range <TIME-RANGE-NAME>}
access-group – Binds an EX3500 ACL with this GE port. Select ACL type and specify the ACL name. The ACL should be existing and configured.
ex3500-ext-access-list <ACL-NAME> – Binds an existing and configured EX3500 extended ACL
• <ACL-NAME> – Specify the ACL name.
ex3500-std-access-list <ACL-NAME> – Binds an existing and configured EX3500 standard ACL
• <ACL-NAME> – Specify the ACL name.
mac-access-list <ACL-NAME> – Binds an existing and configured EX3500 MAC ACL
• <ACL-NAME> – Specify the MAC ACL name.
in – Applies the specified ACL to all incoming packets
time-range <TIME-RANGE-NAME> – Optional. Associates an EX3500 absolute or periodic time range with this access group. The specified ACL is bound to the port during the time period specified by the associated time range.
• <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured).

Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
 interface ge 1 20
  access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
no – Removes the GE port EX3500 ACL binding

7.4.1.2.2 port
Enables port monitoring on the selected port. This allows the port to monitor specified ports and/or MAC address(es). When enabled, the switch sends a copy of the network packets seen on the specified switch port (or VLAN interface) to the monitoring switch port. These packets are analyzed and debugged to provide vital information, such as network performance, intrusion alerts, etc.

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
port monitor [ethernet|ex3500-ext-access-list|ex3500-std-access-list|mac-access-list|mac-address|vlan]
port monitor ethernet 1 <1-52> {both|rx|tx}
port monitor [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME>
port monitor mac-address <MAC>
port monitor vlan <1-4094>

Parameters
• port monitor ethernet 1 <1-52> {both|rx|tx}
port monitor ethernet 1 <1-52> – Configures the characteristics of this GE port
• monitor – Enables monitoring of another port
• ethernet 1 – Selects Ethernet interface and configures the port identifier as 1
• <1-52> – Configures the Ethernet unit number from 1 - 52
{both|rx|tx} – After specifying the port, optionally configure the following:
• both – Optional. Monitors both incoming and outgoing traffic
• rx – Optional. Monitors only incoming traffic
• tx – Optional. Monitors only outgoing traffic

• port monitor [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME>
port monitor – Configures the characteristics of this GE port
• monitor – Enables monitoring of another port
[ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> – After specifying the port, apply one of the following ACLs:
• ex3500-ext-access-list – Applies an EX3500 extended ACL
• ex3500-std-access-list – Applies an EX3500 standard ACL
• mac-access-list – Applies a MAC ACL with EX3500 deny or permit rules
• <ACL-NAME> – Specify the ACL name (should be existing and configured).

• port monitor mac-address <MAC>
port monitor – Configures the characteristics of this GE port
• monitor – Enables monitoring of another port
mac-address <MAC> – Configures the MAC address to monitor
• <MAC> – Specify the MAC address in the AA-BB-CC-DD-EE-FF format.

• port monitor vlan <1-4094>
port monitor – Configures the characteristics of this GE port
• monitor – Enables monitoring of another port
vlan <1-4094> – Configures the VLAN interface to monitor
• <1-4094> – Specify the VLAN ID from 1 - 4094.

Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
 interface ge 1 20
  access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
  port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
no – Disables port monitoring on the selected port and removes the settings

7.4.1.2.3 power
Enables power allocation to the selected port. When enabled, the power is allocated to this port. Use the command to configure the power allocation settings, such as maximum power allocated, priority level of this port in connection with power allocation, and the time range within which these power settings are applied.
This option is enabled by default.

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
power inline {maximum|priority|time-range}
power inline {maximum allocation milliwatts <3000-34200>}
power inline {priority [critical|high|low]}
power inline {time-range <TIME-RANGE-NAME>}

Parameters
• power inline {maximum allocation milliwatts <3000-34200>}
power inline – Turns power on or off for the selected port. This option is enabled by default.
maximum allocation milliwatts <3000-34200> – Optional. Configures the maximum power allocation, in milliwatts, for this port
• <3000-34200> – Specify a value from 3000 - 34200 milliwatts. The default is 34200 milliwatts.

• power inline {priority [critical|high|low]}
power inline – Turns power on or off for the selected port. This option is enabled by default.
priority [critical|high|low] – Optional. Configures the PoE power priority as:
• critical – Configures the PoE power priority as critical
• high – Configures the PoE power priority as high
• low – Configures the PoE power priority as low (this is the default setting)

• power inline {time-range <TIME-RANGE-NAME>}
power inline – Turns power on or off for the selected port. This option is enabled by default.
time-range <TIME-RANGE-NAME> – Optional. Binds an EX3500 time range to this port
• <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured).

Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#power inline maximum allocation milliwatts 30000
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#power inline priority critical
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#power inline time-range EX3500_TimeRange_01
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
 interface ge 1 20
  power inline maximum allocation milliwatts 30000
  power inline priority critical
  power inline time-range EX3500_TimeRange_01
  access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
  port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
no – Disables power allocation to the selected port

7.4.1.2.4 shutdown
Shuts down the selected port

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
shutdown

Parameters
None

Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#shutdown
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
 interface ge 1 20
  shutdown
  power inline maximum allocation milliwatts 30000
  power inline priority critical
  power inline time-range EX3500_TimeRange_01
  access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
  port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
no – Brings up a shutdown port

7.4.1.2.5 speed-duplex
Configures the speed and duplex mode of the selected port when auto-negotiation is disabled. Auto-negotiation is enabled by default.
This option is disabled by default.

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
speed-duplex [100full|100half|10full|10half]

Parameters
• speed-duplex [100full|100half|10full|10half]
speed-duplex [100full|100half|10full|10half] – Configures the speed and duplex mode of the selected port to one of the following modes:
• 100full – Forces 100 Mbps full-duplex operation
• 100half – Forces 100 Mbps half-duplex operation
• 10full – Forces 10 Mbps full-duplex operation
• 10half – Forces 10 Mbps half-duplex operation
When configured, forces the switch to operate at the specified speed and mode.

Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#speed-duplex 100half
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
 interface ge 1 20
  shutdown
  speed-duplex 100half
  power inline maximum allocation milliwatts 30000
  power inline priority critical
  power inline time-range EX3500_TimeRange_01
  access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
  port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
no – Removes the speed and duplex settings configured for this EX35XX profile

7.4.1.2.6 switch-port
Configures the switch mode characteristics of the selected port

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
switchport [allowed|l2protocol-tunnel|mode|native]
switchport allowed [add <VLAN-ID>|none|remove <VLAN-ID>]
switchport l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]
switchport mode [access|hybrid|trunk]
switchport native

Parameters
• switchport allowed [add <VLAN-ID>|none|remove <VLAN-ID>]
switchport allowed [add <VLAN-ID>|none|remove <VLAN-ID>] – Configures VLAN groups on the selected interface.
• add <VLAN-ID> – Configures the list of VLAN identifiers to add. When the add option is used, the interface is assigned to the specified VLANs, and membership in all previous VLANs is retained.
  • <VLAN-ID> – Specify the list of VLANs to add.
• none – Removes all VLANs from the current list
• remove <VLAN-ID> – Configures the list of VLAN identifiers to remove. When the remove option is used, the specified VLANs are removed from the current list.
  • <VLAN-ID> – Specify the list of VLANs to remove.

• switchport l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]
switchport l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp] – Enables layer 2 protocol tunneling (L2PT) for the specified protocol. Specify the protocol:
• cdp – Cisco Discovery Protocol
• lldp – Link Layer Discovery Protocol
• pvst+ – Cisco Per VLAN Spanning Tree Plus
• spanning-tree – Spanning Tree (STP, RSTP, MSTP)
• vtp – Cisco VLAN Trunking Protocol
L2PT is disabled for all of the above specified protocols by default.

• switchport mode [access|hybrid|trunk]
switchport mode [access|hybrid|trunk] – Configures the VLAN membership mode for this port
• access – The port is configured as an access VLAN interface. It transmits and receives untagged frames on a single VLAN.
• trunk – Configures the selected port as an end-point for a VLAN trunk. A trunk link is configured between two switches, and it carries frames on more than one VLAN. These frames are tagged in order to identify the source VLAN. Frames belonging to the port’s default VLAN are also transmitted as tagged frames.
• hybrid – Configures the selected port as a hybrid VLAN interface. When configured as hybrid, the port can transmit either tagged or untagged frames. This is the default setting.

• switchport native vlan <1-4094>
switchport native vlan <1-4094> in – Configures the VLAN membership mode for this port
• native vlan <1-4094> – Configures the port’s VLAN ID (PVID) (this is the port’s default VLAN ID). Frames from the specified VLAN ingress untagged at this port. The default value is 1.
When using access mode, and an interface is assigned to a new VLAN, the port’s VLAN ID (PVID) is automatically set to the identifier for that VLAN. When using hybrid mode, the PVID for an interface can be set to any VLAN for which it is an untagged member.

Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#switchport mode access
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
 interface ge 1 20
  shutdown
  speed-duplex 100half
  switchport mode access
  power inline maximum allocation milliwatts 30000
  power inline priority critical
  power inline time-range EX3500_TimeRange_01
  access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
  port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
no – Removes the selected port’s switchport characteristics

7.4.1.2.7 use
Applies an EX3500 QoS policy map with the selected port

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
use ex3500-policy-map <EX3500-QoS-POLICY-MAP-NAME> in

Parameters
• use ex3500-policy-map <EX3500-QoS-POLICY-MAP-NAME> in
use ex3500-policy-map <EX3500-QoS-POLICY-MAP-NAME> – Applies an EX3500 QoS policy map with the selected port
• <EX3500-QoS-POLICY-MAP-NAME> – Specify the EX3500 QoS policy map name (should be existing and configured)
• in – Applies the specified policy to traffic ingressing at the selected port.

Example
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#use ex3500-policy-map in test
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
 interface ge 1 20
  shutdown
  speed-duplex 100half
  switchport mode access
  use ex3500-policy-map in test
  power inline maximum allocation milliwatts 30000
  power inline priority critical
  power inline time-range EX3500_TimeRange_01
  access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
  port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
no – Disassociates the EX3500 QoS policy map linked to this EX3500 profile

7.4.1.2.8 no
Removes or reverts the selected port’s settings

Supported in the following platforms:
• Switches — EX3524, EX3548

Syntax
no [access-group|port|power|shutdown|speed-duplex|switchport|use]
no access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in
no port monitor [ethernet|ex3500-ext-access-list|ex3500-std-access-list|mac-access-list|mac-address|vlan]
no port monitor ethernet 1 <1-52>
no port monitor [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME>
no port monitor mac-address <MAC>
no port monitor vlan <1-4094>
no power inline {maximum allocation|priority|time-range}
no shutdown
no speed-duplex
no switchport [l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]|native vlan]
no use ex3500-policy-map in

Parameters
• no <PARAMETERS>
no <PARAMETERS> – Removes or reverts the selected port’s settings based on the parameters passed

Example
The following example shows the EX3524 profile’s GE port 20’s settings before the ‘no’ commands are executed:
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
 interface ge 1 20
  shutdown
  speed-duplex 100half
  switchport mode access
  use ex3500-policy-map in test
  power inline maximum allocation milliwatts 30000
  power inline priority critical
  power inline time-range EX3500_TimeRange_01
  access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
  port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no shutdown
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no power inline maximum allocation
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no use ex3500-policy-map in

The following example shows the EX3524 profile’s GE port 20’s settings after the ‘no’ commands are executed:
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
 interface ge 1 20
  speed-duplex 100half
  switchport mode access
  power inline maximum allocation milliwatts 32400
  power inline priority critical
  power inline time-range EX3500_TimeRange_01
  access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
  port monitor vlan 20
nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
7.4.1.3 interface-vlan-config commands
interface

The following table lists the VLAN interface configuration mode commands:

Command   Description                                                          Reference
ip        Configures IP related settings for this VLAN interface               page 7-524
no        Removes the IP related settings configured for this VLAN interface   page 7-526
7.4.1.3.1 ip
interface-vlan-config commands

Configures IP related settings for this VLAN interface

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers – RFS4000, RFS6000
• Service Platforms – NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
ip address [<IP/M>|bootp|dhcp]
ip address <IP/M> {default-gateway <IP>|secondary <IP>}
ip address [bootp|dhcp]

Parameters
• ip address <IP/M> {default-gateway <IP>|secondary <IP>}

ip address <IP/M> {default-gateway <IP>|secondary <IP>} – Manually configures the selected VLAN interface’s primary and secondary IPv4 addresses. It also optionally configures the default gateway.
• <IP/M> – Manually configures this VLAN interface’s IP address in the A.B.C.D/M format. The mask (M) is the network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets. The network mask can be either in the traditional format xxx.xxx.xxx.xxx or use classless format with the range /5 to /32. For example, the subnet 255.255.224.0 would be /19.
• default-gateway <IP> – Optional. Configures the default gateway’s IP address. This is the gateway through which this switch can reach other subnets not found in the local routing table. Before specifying the default gateway, ensure that the network interface directly connecting to the gateway is configured on the route. By default no gateway is specified.
  • <IP> – Specify the IP address in the A.B.C.D format.
• secondary <IP> – Optional. Configures this VLAN interface’s secondary IP address
  • <IP> – Specify the secondary IP address in the A.B.C.D format

• ip address [bootp|dhcp]

ip address [bootp|dhcp] – Enables a DHCP or Bootp server to provide the primary IPv4 address for the selected VLAN interface
• bootp – Enables the VLAN interface to get its IP address from a Bootp server
• dhcp – Enables the VLAN interface to get its IP address from a DHCP server
If selecting DHCP/Bootp, ensure that a server on the network has been configured to provide the necessary configuration to the switch. Using DHCP or Bootp results in frequent connectivity loss between the browser interface and the switch. Further, DHCP and Bootp cannot configure secondary IP addresses needed for multinetting.

Example
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#ip address 192.168.13.28/24 default-gateway 192.168.13.13
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context
 interface vlan 20
  ip address 192.168.13.28/24 default-gateway 192.168.13.13
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#

Related Commands
no – Removes the IP address configured for this VLAN interface
7.4.1.3.2 no
interface-vlan-config commands

Removes the IP related settings configured for this VLAN interface

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers – RFS4000, RFS6000
• Service Platforms – NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
no ip address [<IP/M>|bootp|dhcp]

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Removes this EX3500’s selected VLAN’s settings based on the parameters passed

Example
The following example shows the interface VLAN 20 setting before the ‘no’ command is executed:

nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context
 interface vlan 20
  ip address 192.168.13.28/24 default-gateway 192.168.13.13
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#

nx9500-6C8809(config-profile-testEX3524-if-vlan20)#no ip address 192.168.13.28/24

The following example shows the interface VLAN 20 setting after the ‘no’ command is executed:

nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context
 interface vlan 20
nx9500-6C8809(config-profile-testEX3524-if-vlan20)#
7.4.2 ip
EX3524 & EX3548 Profile/Device Config Commands

Configures the default gateway through which this EX35XX switch can reach other subnets

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers – RFS4000, RFS6000
• Service Platforms – NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
ip default-gateway <IP>

Parameters
• ip default-gateway <IP>

ip default-gateway <IP> – Configures the default gateway’s IP address in the A.B.C.D format
• <IP> – Specify the IP address.

Example
nx9500-6C8809(config-profile-testEX3524)#ip default-gateway 192.168.13.13
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
 ip default-gateway 192.168.13.13
 no autoinstall configuration
 no autoinstall firmware
 interface ge 1 17
 interface ge 1 16
 interface ge 1 15
 interface ge 1 14
 interface ge 1 13
 interface ge 1 12
 interface ge 1 11
--More--
 interface ge 1 21
 use firewall-policy default
 service pm sys-restart
nx9500-6C8809(config-profile-testEX3524)#
7.4.3 power
EX3524 & EX3548 Profile/Device Config Commands

Enables power inline compatibility mode on this EX35XX profile. This option is disabled by default.

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers – RFS4000, RFS6000, RFS7000
• Service Platforms – NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
power inline compatible

Parameters
• power inline compatible

power inline compatible – Enables power inline compatibility mode

Example
nx9500-6C8809(config-profile-testEX3524)#power inline compatible
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
 ip default-gateway 192.168.13.13
 power inline compatible
 no autoinstall configuration
 no autoinstall firmware
 interface ge 1 17
 interface ge 1 16
 interface ge 1 15
 interface ge 1 14
 interface ge 1 13
 interface ge 1 12
--More--
nx9500-6C8809(config-profile-testEX3524)#
7.4.4 upgrade
EX3524 & EX3548 Profile/Device Config Commands

Configures adopted EX35XX switch upgrade settings

For an EX35XX switch to be adopted and managed by a WiNG controller, you need to upload two images on the switch: an operation code (opcode) image and an adopted image. The opcode image functions as an operating system that enables the WiNG controller to communicate with the EX35XX switch. This command allows you to configure the EX35XX’s opcode image upgrade settings.

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000, RFS7000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
upgrade opcode [auto|path <LINE>|reload]

Parameters
• upgrade opcode [auto|path <LINE>|reload]

upgrade opcode – Configures the opcode image upgrade settings
auto – Enables automatic upgrade
path <LINE> – Configures the location of the opcode image
reload – Enables automatic reload after successful loading of the opcode image

Example
<EX35XX-DEVICE>#show versions
Unit 1
Serial Number          : 14136520900352
Hardware Version       : R01
EPLD Version           : 0.00
Number of Ports        : 28
Main Power Status      : Up
Role                   : Master
Loader Version         : 5.0.0.1-01A
Linux Kernel Version   : 2.6.22.18
Boot ROM Version       : 0.0.0.1
Operation Code Version : 5.0.0.0-03D
Adoptd Version         : 5.8.3.0-024D
<EX35XX-DEVICE>#

nx9500-6C8809(config-profile-testEX3524)#upgrade auto
nx9500-6C8809(config-profile-testEX3524)#upgrade reload
nx9500-6C8809(config-profile-testEX3524)#upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
 ip default-gateway 192.168.13.13
 power inline compatible
.............................................
 use firewall-policy default
 service pm sys-restart
 upgrade opcode auto
 upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
 upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#
7.4.5 use
EX3524 & EX3548 Profile/Device Config Commands

Applies an EX3500 management policy to this EX35XX profile

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000, RFS7000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
use ex3500-management-policy <POLICY-NAME>

Parameters
• use ex3500-management-policy <POLICY-NAME>

use ex3500-management-policy <POLICY-NAME> – Applies an EX3500 management policy to this EX35XX profile
• <POLICY-NAME> – Specify the EX3500 management policy name (should be existing and configured).

Example
nx9500-6C8809(config-profile-testEX3524)#use ex3500-management-policy test
Trustpoints HTTPS Server and RSA keys for SSH can be configured with 'trustpoint' and 'rsa-key' commands in device context
nx9500-6C8809(config-profile-testEX3524)#
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
 ip default-gateway 192.168.13.13
 power inline compatible
 no autoinstall configuration
 no autoinstall firmware
 interface ge 1 17
 interface ge 1 16
 interface ge 1 15
--More--
 use ex3500-management-policy test
 use firewall-policy default
 service pm sys-restart
 upgrade opcode auto
 upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
 upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#
7.4.6 no
EX3524 & EX3548 Profile/Device Config Commands

Removes or reverts this EX3500 profile’s settings

Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000, RFS7000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
no [interface vlan <1-4094>|default-gateway {<IP>}|power inline compatible|upgrade opcode [auto|path|reload]|use ex3500-management-policy]

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Removes or reverts this EX3500 profile’s settings based on the parameters passed

Example
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
 ip default-gateway 192.168.13.13
 power inline compatible
 no autoinstall configuration
 no autoinstall firmware
 interface ge 1 17
 interface ge 1 16
 interface ge 1 15
 interface ge 1 14
 interface ge 1 13
 interface ge 1 12
 interface ge 1 11
 interface ge 1 10
 interface ge 1 24
 interface ge 1 22
 interface vlan 20
 interface ge 1 23
--More--
 use ex3500-management-policy test
 use firewall-policy default
 service pm sys-restart
 upgrade opcode auto
 upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
 upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#

nx9500-6C8809(config-profile-testEX3524)#no use ex3500-management-policy
nx9500-6C8809(config-profile-testEX3524)#no upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#no interface vlan 20
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
 ip default-gateway 192.168.13.13
 power inline compatible
 no autoinstall configuration
--More--
 use firewall-policy default
 service pm sys-restart
 upgrade opcode auto
 upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
nx9500-6C8809(config-profile-testEX3524)#
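The profile in the examples above fetches the opcode image from an FTP URL with the login embedded, and has both auto and reload set. The following added example (not part of the manual or of the WiNG software) audits a captured 'show context' for that combination; the finding names, the list of cleartext schemes and the redact() helper are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Schemes without transport encryption or server authentication (a general
# protocol fact, not a list of the schemes the device accepts).
CLEARTEXT_SCHEMES = {"ftp", "tftp", "http"}

PROMPT = re.compile(r"^\S+\(config[^)]*\)#")        # CLI prompt lines
PROFILE = re.compile(r"^profile\s+(\S+)\s+(\S+)$")  # 'profile <type> <name>'

# 'show context' capture using the values printed in the manual's example.
SAMPLE = """\
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
 ip default-gateway 192.168.13.13
 power inline compatible
 no autoinstall configuration
 no autoinstall firmware
--More--
 use firewall-policy default
 service pm sys-restart
 upgrade opcode auto
 upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
 upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#
"""


def parse_profiles(capture):
    """Return {profile_name: [statement, ...]}, dropping prompts and pager residue."""
    profiles, current = {}, None
    for raw in capture.splitlines():
        line = re.sub(r"^--More--\s*", "", raw.strip())
        if not line or PROMPT.match(line):
            continue
        header = PROFILE.match(line)
        if header:
            current = profiles.setdefault(header.group(2), [])
        elif current is not None:
            current.append(line)
    return profiles


def redact(url):
    """Rebuild the URL with the password masked so findings never echo it."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    if p.password is not None:
        login = f"{p.username}:***@"
    elif p.username:
        login = f"{p.username}@"
    else:
        login = ""
    return f"{p.scheme}://{login}{host}{p.path}"


def audit_upgrade(statements):
    """Return [(finding, detail), ...] for the 'upgrade opcode' statements."""
    opts = {}
    for stmt in statements:
        tokens = stmt.split(None, 3)
        if len(tokens) >= 3 and tokens[:2] == ["upgrade", "opcode"]:
            opts[tokens[2]] = tokens[3:]
    findings, cleartext = [], False
    if opts.get("path"):
        url = urlsplit(opts["path"][0])
        shown = redact(opts["path"][0])
        if url.scheme in CLEARTEXT_SCHEMES:
            cleartext = True
            findings.append(("cleartext-transport",
                             f"image fetched over {url.scheme}: {shown}"))
        if url.username or url.password:
            findings.append(("credentials-in-url",
                             f"login stored in the profile: {shown}"))
        if (url.username or "").lower() == "anonymous":
            findings.append(("anonymous-login",
                             "image server is reached with the anonymous account"))
    if cleartext and "auto" in opts and "reload" in opts:
        findings.append(("unattended-install",
                         "auto + reload activate an image fetched over an "
                         "unauthenticated channel without operator review"))
    return findings


def audit(capture):
    """Audit every profile found in a 'show context' capture."""
    return {name: audit_upgrade(stmts)
            for name, stmts in parse_profiles(capture).items()}


if __name__ == "__main__":
    for profile, findings in audit(SAMPLE).items():
        for code, detail in findings:
            print(f"{profile}: {code}: {detail}")
```

Run against the capture taken after 'no upgrade opcode reload', the unattended-install finding disappears while the transport and credential findings remain.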
8 AAA-POLICY

This chapter summarizes the Authentication, Authorization, and Accounting (AAA) policy commands in the CLI command structure.

An AAA policy enables administrators to define access control settings governing network permissions. External RADIUS and LDAP servers (AAA servers) also provide user database information and user authentication data. Each WLAN maintains its own unique AAA configuration.

AAA provides a modular way of performing the following services:

• Authentication — Provides a means for identifying users, including login and password dialog, challenge and response, messaging support and (depending on the security protocol) encryption. Authentication is the technique by which a user is identified before being allowed access to the network. Configure AAA authentication by defining a list of authentication methods, and then applying the list to various interfaces. The list defines the authentication schemes performed and their sequence. The list must be applied to an interface before the defined authentication technique is conducted.

• Authorization — Authorization occurs immediately after authentication. Authorization is a method for remote access control, including authorization for services and individual user accounts and profiles. Authorization functions through the assembly of attribute sets describing what the user is authorized to perform. These attributes are compared to information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database could be located locally or be hosted remotely on a RADIUS server. Remote RADIUS servers authorize users by associating attribute-value (AV) pairs with the appropriate user. Each authorization method must be defined through AAA. When AAA authorization is enabled, it is applied equally to all interfaces.

• Accounting — Collects and sends security server information for billing, auditing, and reporting user data, such as start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting enables wireless network administrators to track the services users are accessing and the network resources they are consuming. When accounting is enabled, the network access server reports user activity to a RADIUS security server in the form of accounting records. Each accounting record is comprised of AV pairs and is stored locally on the access control server. The data can be analyzed for network management, client billing, and/or auditing. Accounting methods must be defined through AAA. When AAA accounting is activated, it is applied equally to all interfaces on the access servers.

Use the (config) instance to configure AAA policy commands. To navigate to the config-aaa-policy instance, use the following commands:

<DEVICE>(config)#aaa-policy <POLICY-NAME>

rfs6000-37FABE(config)#aaa-policy test
rfs6000-37FABE(config-aaa-policy-test)#?
AAA Policy Mode commands:
  accounting           Configure accounting parameters
  attribute            Configure RADIUS attributes in access and accounting
                       requests
  authentication       Configure authentication parameters
  health-check         Configure server health-check parameters
  mac-address-format   Configure the format in which the MAC address must be
                       filled in the Radius-Request frames
  no                   Negate a command or set its defaults
  proxy-attribute      Configure radius attribute behavior when proxying
                       through controller or rf-domain-manager
  server-pooling-mode  Configure the method of selecting a server from the
                       pool of configured AAA servers
  use                  Set setting to use

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal

rfs6000-37FABE(config-aaa-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
8.1 aaa-policy
AAA-POLICY

The following table summarizes AAA policy configuration commands:

Table 8.1 AAA-Policy-Config Commands

Command              Description                                                         Reference
accounting           Configures accounting parameters                                    page 8-4
attribute            Configure RADIUS attributes in access and accounting requests       page 8-8
authentication       Configures authentication parameters                                page 8-11
health-check         Configures health check parameters                                  page 8-16
mac-address-format   Configures the MAC address format                                   page 8-17
no                   Negates a command or sets its default                               page 8-19
proxy-attribute      Configures the RADIUS server’s attribute behavior when proxying     page 8-21
                     through the wireless controller or the RF Domain manager
server-pooling-mode  Defines the method for selecting a server from the pool of          page 8-22
                     configured AAA servers
use                  Defines the AAA command settings                                    page 8-23

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
8.1.1 accounting
aaa-policy

Configures the server type and interval at which interim accounting updates are sent to the server. A maximum of 6 accounting servers can be configured.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
accounting [interim|server|type]
accounting interim interval <60-3600>
accounting server [<1-6>|preference]
accounting server preference [auth-server-host|auth-server-number|none]
accounting server <1-6> [dscp|host|nai-routing|onboard|proxy-mode|retry-timeout-factor|timeout]
accounting server <1-6> [dscp <0-63>|retry-timeout-factor <50-200>]
accounting server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}
accounting server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-TEXT> {strip}
accounting server <1-6> onboard [centralized-controller|self|controller]
accounting server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
accounting server <1-6> timeout <1-60> {attempts <1-10>}
accounting type [start-interim-stop|start-stop|stop-only]

Parameters

• accounting interim interval <60-3600>

interim – Configures the interim accounting interval. This is the interval at which interim accounting updates are posted to the accounting server.
interval <60-3600> – Specify the interim interval from 60 - 3600 seconds. The default is 1800 seconds.

• accounting server preference [auth-server-host|auth-server-number|none]

server – Configures a RADIUS accounting server’s settings
preference – Configures the accounting server’s preference mode. Authentication requests are forwarded to an accounting server, from the pool, based on the preference mode selected.
auth-server-host – Sets the authentication server as the accounting server. This is the default setting. This parameter indicates the same server is used for authentication and accounting. The server is identified by its hostname.
auth-server-number – Sets the authentication server as the accounting server. This parameter indicates the same server is used for authentication and accounting. The server is identified by its index or number.
none – Indicates the accounting server is independent of the authentication server

• accounting server <1-6> [dscp <0-63>|retry-timeout-factor <50-200>]

server <1-6> – Configures an accounting server. Up to 6 accounting servers can be configured.
dscp <0-63> – Sets the Differentiated Services Code Point (DSCP) value for Quality of Service (QoS) monitoring. This value is used in generated RADIUS packets.
• <0-63> – Sets the DSCP value from 0 - 63. The default value is 34.
retry-timeout-factor <50-200> – Sets the scaling factor for retransmission timeouts. The timeout at each attempt is a function of this retry-timeout factor and the attempt number.
• <50-200> – Specify a value from 50 - 200. The default is 100.
If the scaling factor is 100, the interval between two consecutive retries remains the same, irrespective of the number of retries.
If the scaling factor is less than 100, the interval between two consecutive retries reduces with subsequent retries.
If the scaling factor is greater than 100, the interval between two consecutive retries increases with subsequent retries.

• accounting server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}

server <1-6> – Configures an accounting server. Up to 6 accounting servers can be configured.
host <IP/HOSTNAME/HOST-ALIAS> – Configures the accounting server’s hostname, IP address, or host alias. The host alias should be existing and configured.
secret [0 <SECRET>|2 <SECRET>|<SECRET>] – Configures a common secret key used to authenticate with the accounting server
• 0 <SECRET> – Configures a clear text secret key
• 2 <SECRET> – Configures an encrypted secret key
• <SECRET> – Specify the secret key. This shared secret should not exceed 127 characters.
port <1-65535> – Optional. Configures the accounting server’s UDP port (the port used to connect to the accounting server)
• <1-65535> – Sets the port number from 1 - 65535 (default port is 1813)

• accounting server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-TEXT> {strip}

server <1-6> – Configures an accounting server. Up to 6 accounting servers can be configured.
nai-routing – Enables Network Access Identifier (NAI) routing. This option is disabled by default.
The NAI is a character string in the format of an e-mail address as either user or user@realm, but it need not be a valid e-mail address or a fully qualified domain name. AAA servers identify clients using the NAI. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. Using the generic form allows all users to be configured on a single command line, irrespective of whether the users are within a realm or not. Each user still needs a unique security association, but these associations can be stored on an AAA server. The original purpose of the NAI was to support roaming between dial up ISPs. With NAI, an ISP does not have the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers as need be.
realm-type – Specifies whether the prefix or suffix of the username is used as the match criteria. For example, if the option selected is prefix, the username’s prefix is matched to the realm.
[prefix|suffix] – Select one of the following options:
• prefix – Matches the prefix of the username (for example, username is of type DOMAIN/user1, DOMAIN/user2). This is the default setting.
• suffix – Matches the suffix of the username (for example, user1@DOMAIN, user2@DOMAIN)
realm <REALM-TEXT> – Configures the text matched against the username. Enter the realm name (should not exceed 50 characters). When the RADIUS accounting server receives a request for a user name, the server references a table of user names. If the user name is known, the server proxies the request to the RADIUS server.
• <REALM-TEXT> – Specifies the matching text including the delimiter (a delimiter is typically '' or '@')
strip – Optional. When enabled, strips the realm from the username before forwarding the request to the RADIUS server. This option is disabled by default.

• accounting server <1-6> onboard [centralized-controller|self|controller]

server <1-6> – Configures an accounting server. Up to 6 accounting servers can be configured.
onboard – Selects an onboard server instead of an external host
centralized-controller – Configures the server on the centralized controller managing the network
self – Configures the onboard server on an AP, wireless controller, or service platform (where the client is associated)
controller – Configures local RADIUS server settings

• accounting server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]

server <1-6> – Configures an accounting server. Up to 6 accounting servers can be configured.
proxy-mode – Select the mode used to proxy requests. The options are: none, through-controller, and through-rf-domain-manager.
none – No proxy required. Sends the request directly using the IP address of the device. This is the default setting.
through-centralized-controller – Proxies requests through the centralized controller that is configuring and managing the network
through-controller – Proxies requests through the controller (access point, wireless controller, or service platform) configuring the device
through-mint-host <HOSTNAME/MINT-ID> – Proxies requests through a neighboring MiNT device. Provide the device’s MiNT ID or hostname.
through-rf-domain-manager – Proxies requests through the local RF Domain Manager

• accounting server <1-6> timeout <1-60> {attempts <1-10>}

server <1-6> – Configures an accounting server. Up to 6 accounting servers can be configured.
timeout <1-60> – Configures the timeout for each request sent to the RADIUS server
• <1-60> – Specify a value from 1 - 60 seconds. The default is 5 seconds.
attempts <1-10> – Optional. Specifies the number of times a transmission request is attempted
• <1-10> – Specify a value from 1 - 10. The default is 3.

• accounting type [start-interim-stop|start-stop|stop-only]

type – Configures the type of RADIUS accounting packets sent. The options are: start-interim-stop, start-stop, and stop-only.
start-interim-stop – Sends accounting-start and accounting-stop messages when the session starts and stops. This parameter also sends interim accounting updates.
start-stop – Sends accounting-start and accounting-stop messages when the session starts and stops. This is the default setting.
stop-only – Sends an accounting-stop message when the session ends

Example
rfs6000-37FABE(config-aaa-policy-test)#accounting interim interval 65
rfs6000-37FABE(config-aaa-policy-test)#accounting server 2 host 172.16.10.10 secret test1 port 1
rfs6000-37FABE(config-aaa-policy-test)#accounting server 2 timeout 2 attempts 2
rfs6000-37FABE(config-aaa-policy-test)#accounting type start-stop
rfs6000-37FABE(config-aaa-policy-test)#accounting server preference auth-server-number
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 accounting interim interval 65
 accounting server preference auth-server-number
rfs6000-37FABE(config-aaa-policy-test)#

Related Commands
no – Removes or resets accounting server parameters
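The nai-routing parameters described in this section, modelled as an added example (not code from the manual or the WiNG software): it parses the documented command form and shows how prefix/suffix matching and strip decide the server and the username that is forwarded. First-match-wins ordering, case-sensitive comparison and the sample realms and usernames are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class RealmRule:
    server: int        # accounting server index, <1-6>
    realm_type: str    # "prefix" or "suffix"
    realm: str         # matching text INCLUDING the delimiter, at most 50 chars
    strip: bool = False

    def __post_init__(self):
        if not 1 <= self.server <= 6:
            raise ValueError("server index must be 1-6")
        if self.realm_type not in ("prefix", "suffix"):
            raise ValueError("realm-type must be prefix or suffix")
        if not self.realm or len(self.realm) > 50:
            raise ValueError("realm must be 1-50 characters")


def parse_rule(line: str) -> RealmRule:
    """Parse: accounting server <1-6> nai-routing realm-type
    [prefix|suffix] realm <REALM-TEXT> {strip}"""
    tok = line.split()
    if (len(tok) not in (8, 9)
            or tok[:2] != ["accounting", "server"]
            or tok[3:5] != ["nai-routing", "realm-type"]
            or tok[6] != "realm"
            or (len(tok) == 9 and tok[8] != "strip")):
        raise ValueError(f"not an nai-routing statement: {line!r}")
    return RealmRule(int(tok[2]), tok[5], tok[7], len(tok) == 9)


def route(username: str,
          rules: Sequence[RealmRule]) -> Optional[Tuple[int, str]]:
    """Return (server index, username to forward), or None when no realm
    matches. Assumption of this model: the first matching rule wins."""
    for rule in rules:
        if rule.realm_type == "prefix" and username.startswith(rule.realm):
            user_part = username[len(rule.realm):]
        elif rule.realm_type == "suffix" and username.endswith(rule.realm):
            user_part = username[:-len(rule.realm)]
        else:
            continue
        if not user_part:          # realm only, no user portion: not an NAI
            continue
        return rule.server, (user_part if rule.strip else username)
    return None


# Constructed rules: one prefix realm with strip, one suffix realm without.
RULES = [
    parse_rule("accounting server 1 nai-routing realm-type prefix realm CORP/ strip"),
    parse_rule("accounting server 2 nai-routing realm-type suffix realm @example.com"),
]

# A realm entered WITHOUT its delimiter also matches look-alike realms and,
# with strip, forwards a mangled username. This is why the realm text is
# specified "including the delimiter".
LOOSE = RealmRule(3, "suffix", "example.com", strip=True)

if __name__ == "__main__":
    for name in ("CORP/user1", "user2@example.com",
                 "user3@notexample.com", "user4"):
        print(f"{name:24} -> {route(name, RULES)}")
    print(f"{'user3@notexample.com':24} -> {route('user3@notexample.com', [LOOSE])} (loose realm)")
```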
8.1.2 attribute
aaa-policy

Configures RADIUS Framed-MTU attribute used in access and accounting requests. The Framed-MTU attribute reduces the Extensible Authentication Protocol (EAP) packet size of the RADIUS server. This command is useful in networks where routers and firewalls do not perform fragmentation.

To ensure network security, some firewall software drops UDP fragments from RADIUS server EAP packets. Consequently, the packets are large. Using Framed MTU reduces the packet size. EAP authentication uses Framed MTU to notify the RADIUS server about the Maximum Transmission Unit (MTU) negotiation with the client. The RADIUS server communications with the client do not include EAP messages that cannot be delivered over the network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
attribute [acct-delay-time|acct-multi-session-id|chargeable-user-identity|cisco-vsa|framed-ip-address|framed-mtu|location-information|nas-ip-address|nas-ipv6-address|operator-name|service-type]
attribute acct-delay-time
attribute acct-multi-session-id
attribute chargeable-user-identity
attribute cisco-vsa audit-session-id
attribute framed-ip-address
attribute framed-mtu <100-1500>
attribute location-information [include-always|none|server-requested]
attribute nas-ip-address <WORD>
attribute nas-ipv6-address
attribute operator-name <OPERATOR-NAME>
attribute service-type [framed|login]

Parameters

• attribute acct-delay-time

acct-delay-time – Enables support for accounting-delay-time attribute in accounting requests. When enabled, this attribute indicates the number of seconds the client has been trying to send a request to the accounting server. By subtracting this value from the time the packet is received by the server, the system is able to calculate the time of a request-generating event. Note, the network transit time is ignored. This option is disabled by default.
Including the acct-delay-time attribute in accounting requests updates the acct-delay-time value whenever the packet is retransmitted. This changes the content of the attributes field, requiring a new identifier and request authenticator.

• attribute acct-multi-session-id

acct-multi-session-id – Enables support for accounting-multi-session-id attribute. When enabled, it allows linking of multiple related sessions of a roaming client. This option is useful in scenarios where a client roaming between access points sends multiple RADIUS accounting requests to different access points. This option is disabled by default.

• attribute chargeable-user-identity

chargeable-user-identity – Enables support for chargeable-user-identity attribute. This option is disabled by default.

• attribute cisco-vsa audit-session-id

cisco-vsa audit-session-id – Configures the CISCO Vendor Specific Attribute (VSA) attribute included in access requests. This feature is disabled by default.
This VSA allows CISCO’s Identity Services Engine (ISE) to validate a requesting client’s network compliance, such as the validity of virus definition files (anti virus software or definition files for an anti-spyware software application).
• audit-session-id – Includes the audit session ID attribute in access requests
The audit session ID is included in access requests when Cisco ISE is configured as an authentication server.
Note: If the Cisco VSA attribute is enabled, configure an additional UDP port to listen for dynamic authorization messages from the Cisco ISE server. For more information, see service.

• attribute framed-ip-address

framed-ip-address – Enables inclusion of framed IP address attribute in access requests. This option is disabled by default.

• attribute framed-mtu <100-1500>

framed-mtu <100-1500> – Configures Framed-MTU attribute used in access requests
• <100-1500> – Specify the Framed-MTU attribute from 100 - 1500. The default value is 1400.

• attribute location-information [include-always|none|server-requested]

location-information [include-always|none|server-requested] – Enables support for RFC5580 location information attribute, based on the option selected. The various options are:
• include-always – Always includes location information in RADIUS authentication and accounting messages
• none – Disables sending of location information in RADIUS authentication and accounting messages. This is the default setting.
• server-requested – Includes location information in RADIUS authentication and accounting messages only when requested by the server
When enabled, location information is exchanged in authentication and accounting messages.

• attribute nas-ip-address <WORD>

nas-ip-address <WORD> – Enables configuration of an IP address, which is used as the RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets. If you are using a cluster of small network access servers (NASs) to simulate a large NAS, use this option to improve scalability. The IP address configured using this option allows the NASs to behave as a single RADIUS client from the perspective of the RADIUS server.
• <WORD> – Provide the IPv4 address.
• attribute nas-ipv6-address
• attribute operator-name <OPERATOR-NAME>
• attribute service-type [framed|login]

nas-ipv6-address
Enables support for NAS IPv6 address. This option is disabled by default.
When enabled, IPv6 addresses are assigned to hosts. The length of IPv4 and IPv6 addresses is 32-bit and 128-bit respectively. Consequently, an IPv6 address requires a larger address space.

operator-name <OPERATOR-NAME>
Enables support for RFC5580 operator name attribute. When enabled, the network operator’s name is included in all RADIUS authentication and accounting messages and uniquely identifies the access network owner. This option is disabled by default.
• <OPERATOR-NAME> – Specify the network operator’s name (should not exceed 63 characters in length).

service-type [framed|login]
Configures the service-type (6) attribute value. This attribute identifies the following: the type of service requested and the type of service to be provided.
• framed – Sets service-type to framed (2) in the authentication packets. When enabled, a framed protocol, Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP), is started for the client. This is the default setting.
• login – Sets service-type to login (1) in the authentication packets. When enabled, the client is connected to the host.

Example
rfs6000-37FABE(config-aaa-policy-test)#attribute framed-mtu 110
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 accounting interim interval 65
 accounting server preference auth-server-number
 attribute framed-mtu 110
rfs6000-37FABE(config-aaa-policy-test)#
rfs6000-37FABE(config-aaa-policy-test1)#attribute cisco-vsa audit-session-id
rfs6000-37FABE(config-aaa-policy-test1)#show context
aaa-policy test
 attribute cisco-vsa audit-session-id
rfs6000-37FABE(config-aaa-policy-test)#

Related Commands
no
Resets values or disables commands
8.1.3 authentication
aaa-policy
Configures user authentication parameters
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
authentication [eap|protocol|server]
authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout <10-5000>|identity-request-timeout <1-60>|retry-timeout-factor <50-200>|timeout <1-60>]
authentication protocol [chap|mschap|mschapv2|pap]
authentication server <1-6> [dscp|host|nac|nai-routing|onboard|proxy-mode|retry-timeout-factor|timeout]
authentication server <1-6> dscp <0-63>
authentication server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}
authentication server <1-6> nac
authentication server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-NAME> {strip}
authentication server <1-6> onboard [centralized-controller|controller|self]
authentication server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
authentication server <1-6> retry-timeout-factor <50-200>
authentication server <1-6> timeout <1-60> {attempts <1-10>}

Parameters
• authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout <10-5000>|identity-request-timeout <1-60>|retry-timeout-factor <50-200>|timeout <1-60>]

eap
Configures EAP authentication parameters

wireless-client
Configures wireless client’s EAP parameters

attempts <1-10>
Configures the maximum number of attempts allowed to authenticate a wireless client
• <1-10> – Specify a value from 1 - 10. The default is 3.

identity-request-retry-timeout <10-5000>
Configures the interval, in milliseconds, after which an EAP-identity request to the wireless client is retried
• <10-5000> – Specify a value from 10 - 5000 milliseconds. The default is 1000 milliseconds.
identity-request-timeout <1-60>
Configures the timeout, in seconds, after the last EAP-identity request message retry attempt (to allow time to manually enter user credentials)
• <1-60> – Specify a value from 1 - 60 seconds. The default is 30 seconds.

retry-timeout-factor <50-200>
Configures the spacing between successive EAP retries
• <50-200> – Specify a value from 50 - 200. The default is 100.
A value of 100 indicates the interval between two consecutive retries remains the same irrespective of the number of retries.
A value less than 100 indicates the interval between two consecutive retries reduces with each successive retry.
A value greater than 100 indicates the interval between two consecutive retries increases with each successive retry.

timeout <1-60>
Configures the interval, in seconds, between successive EAP-identity requests sent to a wireless client
• <1-60> – Specify a value from 1 - 60 seconds. The default is 3 seconds.

• authentication protocol [chap|mschap|mschapv2|pap]

protocol [chap|mschap|mschapv2|pap]
Configures one of the following protocols for non-EAP authentication:
• chap – Uses Challenge Handshake Authentication Protocol (CHAP)
• mschap – Uses Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
• mschapv2 – Uses MS-CHAP version 2
• pap – Uses Password Authentication Protocol (PAP) (default authentication protocol used)

• authentication server <1-6> dscp <0-63>

server <1-6>
Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
• <1-6> – Specify the RADIUS server index from 1 - 6.

dscp <0-63>
Configures the Differentiated Service Code Point (DSCP) quality of service parameter generated in RADIUS packets. The DSCP value specifies the class of service provided to a packet, and is represented by a 6-bit parameter in the header of every IP packet.
• <0-63> – Specify the value from 0 - 63. The default is 46.

• authentication server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}

server <1-6>
Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
• <1-6> – Specify the RADIUS server index from 1 - 6.

host <IP/HOSTNAME/HOST-ALIAS>
Sets the RADIUS authentication server’s IP address, hostname, or host-alias
The host alias should be existing and configured.
secret [0 <SECRET>|2 <SECRET>|<SECRET>]
Configures the RADIUS authentication server’s secret. This key is used to authenticate with the RADIUS server.
• 0 <SECRET> – Configures a clear text secret
• 2 <SECRET> – Configures an encrypted secret
• <SECRET> – Specify the secret key. The shared key should not exceed 127 characters in length.

port <1-65535>
Optional. Specifies the RADIUS authentication server’s UDP port (this port is used to connect to the RADIUS server)
• <1-65535> – Specify a value from 1 - 65535. The default port is 1812.

• authentication server <1-6> nac

server <1-6>
Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
• <1-6> – Specify the RADIUS server index from 1 - 6.

nac
Enables Network Access Control (NAC) on the RADIUS authentication server identified by the <1-6> parameter.
Using NAC, the controller hardware and software grant access to specific network resources. NAC performs a user and client authorization check for resources that do not have a NAC agent. NAC verifies the client’s compliance with the controller’s security policy. The controller supports only the EAP/802.1x type of NAC. However, the controller also provides a means to bypass NAC authentication for clients that do not have NAC 802.1x support (printers, phones, PDAs, etc.).

• authentication server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-NAME> {strip}

server <1-6>
Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
• <1-6> – Specifies the RADIUS server index from 1 - 6.

nai-routing
Enables NAI routing. When enabled, AAA servers identify clients using NAI. This option is disabled by default.
The NAI is a character string in the format of an e-mail address as either user or user@realm but it need not be a valid e-mail address or a fully qualified domain name. AAA servers identify clients using the NAI. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. Using the generic form allows all users to be configured on a single command line, irrespective of whether the users are within a realm or not. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dial up ISPs. With NAI, an ISP does not have the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers as need be.

realm-type [prefix|suffix]
Configures the realm-type used for NAI authentication
• prefix – Sets the realm prefix. For example, in the realm name ‘AC\JohnTalbot’, the prefix is ‘AC’ and the user name ‘JohnTalbot’.
• suffix – Sets the realm suffix. For example, in the realm name ‘JohnTalbot@AC.org’ the suffix is ‘AC.org’ and the user name is ‘JohnTalbot’.
realm <REALM-NAME>
Sets the realm information used for RADIUS authentication. The realm name should not exceed 64 characters in length. When the wireless controller or access point’s RADIUS server receives a request for a user name, the server references a table of usernames. If the user name is known, the server proxies the request to the RADIUS server.
• <REALM-NAME> – Sets the realm used for authentication. This value is matched against the user name provided for RADIUS authentication. Example:
Prefix - AC\JohnTalbot
Suffix - JohnTalbot@AC.org

strip
Optional. Indicates the realm name must be stripped from the user name before sending it to the RADIUS server for authentication. For example, if the complete username is ‘AC\JohnTalbot’, then with the strip parameter enabled, only the ‘JohnTalbot’ part of the complete username is sent for authentication. This option is disabled by default.

• authentication server <1-6> onboard [centralized-controller|controller|self]

server <1-6>
Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
• <1-6> – Specify the RADIUS server index from 1 - 6.

onboard [centralized-controller|controller|self]
Selects the onboard RADIUS server for authentication instead of an external host
• centralized-controller – Configures the server on the centralized controller managing the network
• controller – Configures the wireless controller, to which the AP is adopted, as the onboard wireless controller
• self – Configures the onboard server on the device (AP or wireless controller) where the client is associated as the onboard wireless controller

• authentication server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]

server <1-6>
Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
• <1-6> – Specify the RADIUS server index from 1 - 6.

proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
Configures the mode for proxying a request
• none – Proxying is not done. The packets are sent directly using the IP address of the device. This is the default setting.
• through-centralized-controller – The traffic is proxied through the centralized controller that is configuring and managing the network.
• through-controller – The traffic is proxied through the wireless controller configuring this device.
• through-mint-host <HOSTNAME/MINT-ID> – The traffic is proxied through a neighboring MiNT device. Provide the device’s hostname or MiNT ID.
• through-rf-domain-manager – The traffic is proxied through the local RF Domain manager.
• authentication server <1-6> retry-timeout-factor <50-200>

server <1-6>
Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
• <1-6> – Specify the RADIUS server index from 1 - 6.

retry-timeout-factor <50-200>
Configures the scaling of timeouts between two consecutive RADIUS authentication retries
• <50-200> – Specify the scaling factor from 50 - 200. The default is 100.
A value of 100 indicates the interval between two consecutive retries remains the same irrespective of the number of retries.
A value less than 100 indicates the interval between two consecutive retries reduces with each successive retry.
A value greater than 100 indicates the interval between two consecutive retries increases with each successive retry.

• authentication server <1-6> timeout <1-60> {attempts <1-10>}

server <1-6>
Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
• <1-6> – Specify the RADIUS server index from 1 - 6.

timeout <1-60>
Configures the timeout, in seconds, for each request sent to the RADIUS server. This is the time allowed to elapse before another request is sent to the RADIUS server. If a response is received from the RADIUS server within this time, no retry is attempted.
• <1-60> – Specify a value from 1 - 60 seconds. The default is 3 seconds.

attempts <1-10>
Optional. Indicates the number of retry attempts to make before giving up
• <1-10> – Specify a value from 1 - 10. The default is 3.

Example
rfs6000-37FABE(config-aaa-policy-test)#authentication server 5 host 172.16.10.10 secret 0 test1 port 1
rfs6000-37FABE(config-aaa-policy-test)#authentication server 5 timeout 10 attempts 3
rfs6000-37FABE(config-aaa-policy-test)#authentication protocol chap
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 authentication protocol chap
 accounting interim interval 65
 accounting server preference auth-server-number
 attribute framed-mtu 110
rfs6000-37FABE(config-aaa-policy-test)#

Related Commands
no
Resets authentication parameters on this AAA policy
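The realm-type, realm and strip parameters above can be modelled as a small routing function. This is an added example, not code from the guide or from WiNG; the NaiRoute structure, the first-match-by-server-index order and the case-insensitive realm comparison are assumptions of the sketch. The last sample name shows why a user name that carries both a prefix and a suffix realm needs an explicit ordering decision.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NaiRoute:
    """One 'authentication server <1-6> nai-routing ...' entry (modelled, not parsed)."""
    server: int            # RADIUS server index, 1 - 6
    realm_type: str        # "prefix" (REALM\user) or "suffix" (user@REALM)
    realm: str             # <REALM-NAME>, at most 64 characters
    strip: bool = False    # {strip}: remove the realm before forwarding


def split_nai(username: str, realm_type: str) -> Tuple[Optional[str], str]:
    """Split a user name into (realm, user); realm is None when none is present."""
    if realm_type == "prefix":
        realm, sep, user = username.partition("\\")
    elif realm_type == "suffix":
        user, sep, realm = username.rpartition("@")
    else:
        raise ValueError(f"unknown realm-type: {realm_type!r}")
    if not sep or not realm or not user:
        return None, username
    return realm, user


def select_server(username: str, routes: List[NaiRoute]) -> Tuple[Optional[int], str]:
    """Return (server index, user name to send); index is None if no realm matches.

    Assumptions of this sketch: routes are tried in ascending server index and
    realm names compare case-insensitively.
    """
    for route in sorted(routes, key=lambda r: r.server):
        if not 1 <= route.server <= 6 or len(route.realm) > 64:
            raise ValueError(f"route outside documented limits: {route}")
        realm, user = split_nai(username, route.realm_type)
        if realm is not None and realm.casefold() == route.realm.casefold():
            return route.server, (user if route.strip else username)
    return None, username


# Constructed routes that reuse the realm names from the parameter descriptions.
ROUTES = [
    NaiRoute(server=1, realm_type="prefix", realm="AC", strip=True),
    NaiRoute(server=2, realm_type="suffix", realm="AC.org", strip=False),
]

if __name__ == "__main__":
    for name in ("AC\\JohnTalbot", "JohnTalbot@AC.org", "JohnTalbot",
                 "AC\\JohnTalbot@other.example"):
        print(f"{name!r:35} -> {select_server(name, ROUTES)}")
```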
8.1.4 health-check
aaa-policy
An AAA server could go offline. When a server goes offline, it is marked as down. This command configures the interval after which a server marked as down is checked to see if it has come back online and is reachable.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
health-check interval <60-86400>

Parameters
• health-check interval <60-86400>

interval <60-86400>
Configures an interval (in seconds) after which a down server is checked to see if it is reachable again
• <60-86400> – Specify a value from 60 - 86400 seconds. The default is 3600 seconds.

Example
rfs6000-37FABE(config-aaa-policy-test)#health-check interval 4000
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 authentication protocol chap
 accounting interim interval 65
 accounting server preference auth-server-number
 health-check interval 4000
 attribute framed-mtu 110
rfs6000-37FABE(config-aaa-policy-test)#

Related Commands
no
Resets the health-check interval for AAA servers
8.1.5 mac-address-format
aaa-policy
Configures the format in which MAC addresses are filled in RADIUS request frames
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot]
mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper] attributes [all|username-password]

Parameters
• mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper] attributes [all|username-password]

middle-hyphen
Configures the MAC address format as AABBCC-DDEEFF

no-delim
Configures the MAC address format as AABBCCDDEEFF (without delimiters)

pair-colon
Configures the MAC address format as AA:BB:CC:DD:EE:FF

pair-hyphen
Configures the MAC address display format as AA-BB-CC-DD-EE-FF (default setting)

quad-dot
Configures the MAC address display format as AABB.CCDD.EEFF

case [lower|upper]
Indicates the case in which the MAC address is formatted
• lower – Indicates MAC address is in lower case. For example, aa:bb:cc:dd:ee:ff
• upper – Indicates MAC address is in upper case. For example, AA:BB:CC:DD:EE:FF (default setting)

attributes [all|username-password]
Configures RADIUS attributes to which this MAC format is applicable
• all – Applies to all attributes with MAC addresses such as username, password, calling-station-id, and called-station-id
• username-password – Applies only to the username and password fields (default setting)

Example
rfs6000-37FABE(config-aaa-policy-test)#mac-address-format quad-dot case upper attributes username-password
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 mac-address-format quad-dot case upper attributes username-password
 authentication protocol chap
 --More--
rfs6000-37FABE(config-aaa-policy-test)#

Related Commands
no
Resets the MAC address format to default (pair-hyphen)
8.1.6 no
aaa-policy
Negates a AAA policy command or sets its default
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [accounting|attribute|authentication|health-check|mac-address-format|proxy-attribute|server-pooling-mode|use]
no accounting interim interval
no accounting server preference
no accounting server <1-6> {dscp|nai-routing|proxy-mode|retry-timeout-factor|timeout}
no accounting type
no attribute [acct-delay-time|acct-multi-session-id|chargeable-user-identity|cisco-vsa audit-session-id|framed-ip-address|framed-mtu|location-information|nas-ipv6-address|operator-name|service-type]
no authentication [eap|protocol|server]
no authentication eap wireless-client [attempts|identity-request-retry-timeout|identity-request-timeout|retry-timeout-factor|timeout]
no authentication protocol
no authentication server <1-6> {dscp|nac|nai-routing|proxy-mode|retry-timeout-factor|timeout}
no health-check interval
no mac-address-format
no proxy-attribute [nas-identifier|nas-ip-address]
no server-pooling-mode
no use nac-list

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Negates a AAA policy command or sets its default
Example
The following example shows the AAA policy ‘test’ settings before the ‘no’ commands are executed:
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 mac-address-format quad-dot case upper attributes username-password
 authentication protocol chap
 accounting interim interval 65
 accounting server preference auth-server-number
 health-check interval 4000
 attribute framed-mtu 110
rfs6000-37FABE(config-aaa-policy-test)#
rfs6000-37FABE(config-aaa-policy-test)#no accounting server 2 timeout 2
rfs6000-37FABE(config-aaa-policy-test)#no accounting interim interval
rfs6000-37FABE(config-aaa-policy-test)#no health-check interval
rfs6000-37FABE(config-aaa-policy-test)#no attribute framed-mtu
rfs6000-37FABE(config-aaa-policy-test)#no authentication protocol
The following example shows the AAA policy ‘test’ settings after the ‘no’ commands are executed:
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 mac-address-format quad-dot case upper attributes username-password
 accounting server preference auth-server-number
 health-check interval 4000
rfs6000-37FABE(config-aaa-policy-test)#
8.1.7 proxy-attribute
aaa-policy
Configures RADIUS server’s attribute behavior when proxying through a wireless controller or a RF Domain manager
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
proxy-attribute [nas-identifier|nas-ip-address]
proxy-attribute [nas-identifier [originator|proxier]|nas-ip-address [none|proxier]]

Parameters
• proxy-attribute [nas-identifier [originator|proxier]|nas-ip-address [none|proxier]]

nas-identifier [originator|proxier]
Uses NAS identifier
• originator – Configures the NAS identifier as the originator of the RADIUS request. The originator could be an AP, or a wireless controller with radio. This is the default setting.
• proxier – Configures the proxying device as the NAS identifier. The device could be a controller or a RF Domain manager.

nas-ip-address [none|proxier]
Uses NAS IP address
• none – NAS IP address attribute is not filled
• proxier – NAS IP address is filled by the proxying device. The device could be a controller or a RF Domain manager. This is the default setting.

Example
rfs6000-37FABE(config-aaa-policy-test)#proxy-attribute nas-ip-address proxier
rfs6000-37FABE(config-aaa-policy-test)#proxy-attribute nas-identifier originator

Related Commands
no
Resets RADIUS server’s proxying attributes
8.1.8 server-pooling-mode
Configures the server selection method from a pool of AAA servers. The available methods are failover and load-balance.
In the failover scenario, when a configured AAA server goes down, the server with the next higher index takes over for the failed server.
In the load-balance scenario, when a configured AAA server goes down, the remaining servers distribute the load amongst themselves.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
server-pooling-mode [failover|load-balance]

Parameters
• server-pooling-mode [failover|load-balance]

failover
Sets the pooling mode to failover. This is the default setting.
When a configured AAA server fails, the server with the next higher index takes over the failed server’s load.

load-balance
Sets the pooling mode to load balancing
When a configured AAA server fails, all servers in the pool share the failed server’s load transmitting requests in a round-robin fashion.

Example
rfs6000-37FABE(config-aaa-policy-test)#server-pooling-mode load-balance
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test2 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 server-pooling-mode load-balance
 mac-address-format quad-dot case upper attributes username-password
 accounting server preference auth-server-number
 health-check interval 4000
rfs6000-37FABE(config-aaa-policy-test)#

Related Commands
no
Resets the method of selecting a server, from the pool of configured AAA servers
8.1.9 use
aaa-policy
Associates a Network Access Control (NAC) list with this AAA policy. This allows only the set of configured devices to use the configured AAA servers.
For more information on creating a NAC list, see nac-list.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use nac-list <NAC-LIST-NAME>

Parameters
• use nac-list <NAC-LIST-NAME>

nac-list <NAC-LIST-NAME>
Associates a NAC list with this AAA policy
• <NAC-LIST-NAME> – Specify the NAC list name (should be existing and configured).

Example
rfs6000-37FABE(config-aaa-policy-test)#use nac-list test1
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 server-pooling-mode load-balance
 mac-address-format quad-dot case upper attributes username-password
 accounting server preference auth-server-number
 health-check interval 4000
 use nac-list test1
rfs6000-37FABE(config-aaa-policy-test)#

Related Commands
no
Resets set values or disables commands

nac-list
Creates a NAC list
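The show context listings in this chapter expose the settings a reviewer would check first: the secret type (0 is clear text, 2 is encrypted), the authentication port against its documented default of 1812, and the non-EAP protocol, which is pap when no line is shown. The following added example, which is not part of the guide or of WiNG, audits such a listing; the finding names, the choice to flag pap, chap and mschap, and the secret-reuse check are this example's own review policy, and the second sample uses constructed placeholder secrets.

```python
import re
from typing import Dict, List, NamedTuple

DEFAULT_AUTH_PORT = 1812                       # documented default, authentication servers
FLAGGED_PROTOCOLS = {"pap", "chap", "mschap"}  # this example's policy, not a WiNG rule

SERVER_RE = re.compile(
    r"^\s*(authentication|accounting) server (\d+) host (\S+) "
    r"secret (?:([02]) )?(\S+)(?: port (\d+))?\s*$")
PROTOCOL_RE = re.compile(r"^\s*authentication protocol (\S+)\s*$")


class Finding(NamedTuple):
    check: str
    line_no: int    # 0 means the finding applies to the whole policy
    detail: str


def audit_aaa_policy(show_context: str) -> List[Finding]:
    """Audit one aaa-policy block of 'show context' output; never echoes secrets."""
    findings: List[Finding] = []
    protocol = "pap"                           # documented default when no line is shown
    users_of_secret: Dict[str, List[str]] = {}
    for line_no, line in enumerate(show_context.splitlines(), 1):
        m = SERVER_RE.match(line)
        if m:
            role, index, host, secret_type, secret, port = m.groups()
            label = f"{role} server {index}"
            users_of_secret.setdefault(secret, []).append(label)
            if secret_type == "0":
                findings.append(Finding("cleartext-secret", line_no,
                                        f"{label} ({host}) stores a type 0 secret"))
            if role == "authentication" and port and int(port) != DEFAULT_AUTH_PORT:
                findings.append(Finding("non-default-port", line_no,
                                        f"{label} uses UDP port {port}"))
            continue
        m = PROTOCOL_RE.match(line)
        if m:
            protocol = m.group(1)
    if protocol in FLAGGED_PROTOCOLS:
        findings.append(Finding("legacy-auth-protocol", 0,
                                f"non-EAP authentication uses {protocol}"))
    for labels in users_of_secret.values():
        if len(labels) > 1:
            findings.append(Finding("secret-reuse", 0, " and ".join(labels)))
    return findings


# Sample 1: the policy as it appears in the 'use nac-list' example output.
AS_SHOWN = """aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 server-pooling-mode load-balance
 mac-address-format quad-dot case upper attributes username-password
 accounting server preference auth-server-number
 health-check interval 4000
 use nac-list test1
"""

# Sample 2: constructed revision with type 2 secrets (placeholder values).
REVISED = """aaa-policy test
 authentication server 5 host 172.16.10.10 secret 2 CONSTRUCTED-ENC-A
 accounting server 2 host 172.16.10.10 secret 2 CONSTRUCTED-ENC-B
 authentication protocol mschapv2
"""

if __name__ == "__main__":
    for name, text in (("as shown", AS_SHOWN), ("revised", REVISED)):
        print(name)
        for f in audit_aaa_policy(text):
            print(f"  [{f.check}] line {f.line_no}: {f.detail}")
```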
9 AUTO-PROVISIONING-POLICY

This chapter summarizes the auto provisioning policy commands in the CLI command structure.

Wireless devices can adopt and manage other wireless devices. For example, a wireless controller can adopt multiple access points. When a device is adopted, the device configuration is provisioned by the adopting device. Since multiple configuration policies are supported, an adopting device uses auto provisioning policies to determine which configuration policies are applied to an adoptee based on its properties. For example, a configuration policy could be assigned based on MAC address, IP address, CDP snoop strings, etc.

Auto provisioning or adoption is the process by which an access point discovers controllers in the network, identifies the most desirable controller, associates with the identified controller, and optionally obtains an image upgrade, obtains its configuration and considers itself provisioned.

At adoption, an access point solicits and receives multiple adoption responses from controllers available on the network. These adoption responses contain loading policy information the access point uses to select the optimum controller for adoption. An auto-provisioning policy maps a new AP to a profile and RF Domain based on various parameters related to the AP and where it is connected. By default a new AP will be mapped to the default profile and default RF Domain. Modify existing auto-provisioning policies or create a new one as needed to meet the configuration requirements of a device.

An auto-provisioning policy enables an administrator to define rules for the supported access points capable of being adopted by a controller. The policy determines which configuration policies are applied to an adoptee based on its properties. For example, a configuration policy could be assigned based on MAC address, IP address, CISCO Discovery Protocol (CDP) snoop strings, etc. Once created, an auto provisioning policy can be used in profiles or device configuration objects. The policy contains a set of rules (ordered by precedence) that either deny or allow adoption based on potential adoptee properties and a catch-all variable that determines if the adoption should be allowed when none of the rules is matched. All rules (both deny and allow) are evaluated sequentially starting with the rule with the lowest precedence. The evaluation stops as soon as a rule has been matched; no attempt is made to find a better match further down in the set.

For example,
rule #1 adopt ap7161 10 profile default vlan 10
rule #2 adopt ap6562 20 profile default vlan 20
rule #3 adopt ap7161 30 profile default serial-number
rule #4 adopt ap7161 40 p d mac aa bb
AP7161 L2 adoption, VLAN 10 - will use rule #1
AP7161 L2 adoption, VLAN 20 - will not use rule #2 (wrong type), may use rule #3 if the serial number matched, or rule #4 if aa <= MAC <= bb, or else default.

With the implementation of the hierarchically managed (HM) network, the auto-provisioning policy has been modified to enable controllers to adopt other controllers in addition to access points.

The new WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC controller constitutes the first tier and the site controllers constitute the second tier of the hierarchy. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy.
All adopted devices (access points and second-level controllers) are referred to as the ‘adoptee’. The adopting devices are the ‘adopters’.

A controller cannot be configured as an adoptee and an adopter simultaneously. In other words, a controller can either be an adopter (adopts another controller) or an adoptee (is adopted by another controller). Therefore, a site controller, which has been adopted by a NOC controller, cannot adopt another controller.

A controller should be configured to specify the device types (APs and/or controllers) that it can adopt. For more information on configuring the adopted-device types for a controller, see controller.

Use the (config) instance to configure an auto-provisioning policy. To navigate to the auto-provisioning-policy configuration instance, use the following command:
<DEVICE>(config)#auto-provisioning-policy <POLICY-NAME>
nx9500-6C8809((config)#auto-provisioning-policy test
nx9500-6C8809((config-auto-provisioning-policy-test)#?
Auto-Provisioning Policy Mode commands:
  adopt                     Add rule for device adoption
  auto-create-rfd-template  When RF Domain specified by the matching rule
                            template does not exist create new RF Domain
                            automatically
  default-adoption          Adopt devices even when no matching rules are
                            found. Assign default profile and default
                            rf-domain
  deny                      Add rule to deny device adoption
  evaluate-always           Set the flag to evaluate the policy everytime,
                            regardless of previous adoption status
  no                        Negate a command or set its defaults
  redirect                  Add rule to redirect device adoption
  upgrade                   Add rule for device upgrade
  clrscr                    Clears the display screen
  commit                    Commit all changes made in this session
  do                        Run commands from Exec mode
  end                       End current mode and change to EXEC mode
  exit                      End current mode and down to previous mode
  help                      Description of the interactive help system
  revert                    Revert changes
  service                   Service Commands
  show                      Show running system information
  write                     Write running configuration to memory or terminal
nx9500-6C8809((config-auto-provisioning-policy-test)#

NOTE: The adoption capabilities of a controller depend on:
• Whether the controller is deployed at the NOC or site
• A NOC controller can adopt site controllers and access points
• A site controller can only adopt access points
• The controller device type, which determines the number and type of devices it can adopt

NOTE: Some access points can be configured as virtual controllers. When configured as a virtual controller, an AP can only adopt another AP of the same type. In such a scenario, an auto provisioning policy is required to enable adoption of a specific device identified by its MAC address, IP address, serial number, model number, etc.
NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
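The first-match evaluation described at the start of this chapter can be modelled offline to audit a policy before it is committed, in particular to find deny rules that can never fire because a broader rule precedes them. The following Python model is an added example, not part of the WiNG software or of this guide; the Rule and Device classes, the serial number and the MAC range are constructed, and only the any, vlan, serial-number, mac and model-number criteria are modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "adopt" or "deny"
    device_type: str     # "ap7161", "ap71xx", ... or "anyap"
    precedence: int      # 1-10000, the lowest value is evaluated first
    match: str           # "any", "vlan", "serial-number", "mac", "model-number"
    value: tuple = ()    # criterion operands; empty for "any"


@dataclass(frozen=True)
class Device:
    device_type: str
    vlan: int
    serial: str
    mac: str
    model: str = ""


def _mac(text):
    """MAC address as an integer so that ranges can be compared."""
    return int(text.replace("-", "").replace(":", ""), 16)


def _type_covers(rule_type, device_type):
    # 'anyap' applies to any AP regardless of the model type.
    return rule_type == device_type or (
        rule_type == "anyap" and device_type.startswith("ap"))


def rule_matches(rule, dev):
    if not _type_covers(rule.device_type, dev.device_type):
        return False
    if rule.match == "any":
        return True
    if rule.match == "vlan":
        return dev.vlan == rule.value[0]
    if rule.match == "serial-number":
        return dev.serial == rule.value[0]
    if rule.match == "model-number":
        return dev.model == rule.value[0]
    if rule.match == "mac":
        low, high = _mac(rule.value[0]), _mac(rule.value[-1])
        return low <= _mac(dev.mac) <= high   # single MAC when no end given
    raise ValueError(f"criterion not modelled: {rule.match}")


def evaluate(rules, dev, default_adoption=False):
    """Return (decision, precedence of the deciding rule or None)."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule_matches(rule, dev):
            return rule.action, rule.precedence   # first match wins
    # No rule matched: the catch-all (default-adoption) decides.
    return ("adopt" if default_adoption else "deny"), None


def shadowed(rules):
    """List (rule, shadowing rule) precedence pairs for unreachable rules.

    A rule is unreachable when an earlier rule uses the 'any' criterion
    and its device type covers the later rule's device type.
    """
    ordered = sorted(rules, key=lambda r: r.precedence)
    hits = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.match == "any" and _type_covers(
                    earlier.device_type, later.device_type):
                hits.append((later.precedence, earlier.precedence))
                break
    return hits


# Rules #1 to #4 from the introduction; serial and MAC range are constructed.
PAGE_RULES = [
    Rule("adopt", "ap7161", 10, "vlan", (10,)),
    Rule("adopt", "ap6562", 20, "vlan", (20,)),
    Rule("adopt", "ap7161", 30, "serial-number", ("SN-CONSTRUCTED-001",)),
    Rule("adopt", "ap7161", 40, "mac",
         ("00-11-22-00-00-00", "00-11-22-00-00-FF")),
]

# Constructed policy: a broad adopt rule placed ahead of a deny rule.
AUDIT_RULES = [
    Rule("adopt", "anyap", 1, "any"),
    Rule("deny", "ap71xx", 2, "model-number", ("AP7131N",)),
]

if __name__ == "__main__":
    probe = Device("ap7161", 20, "SN-OTHER", "00-11-22-00-00-7A")
    print("VLAN 20 AP7161:", evaluate(PAGE_RULES, probe))
    print("unreachable rules:", shadowed(AUDIT_RULES))
```

Because evaluation stops at the first match, the deny rule at precedence 2 in the constructed policy never applies; placing deny rules at lower precedence values than broad adopt rules avoids this.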
9.1 auto-provisioning-policy

AUTO-PROVISIONING-POLICY

The following table summarizes auto provisioning policy configuration commands:

Table 9.1 Auto-Provisioning-Policy-Config Commands

Command                   Description                                                                                                     Reference
adopt                     Adds a permit adoption rule                                                                                     page 9-5
auto-create-rfd-template  Enables auto creation of a new RF Domain based on an existing RF Domain template specified using this command   page 9-10
default-adoption          Adopts devices even when no matching rules are found. Assigns default profile and default RF Domain             page 9-12
deny                      Adds a deny adoption rule                                                                                       page 9-13
evaluate-always           Runs this policy every time a device is adopted                                                                 page 9-16
redirect                  Adds a rule redirecting device adoption to a specified controller within the system                             page 9-17
upgrade                   Adds a device upgrade rule to this auto provisioning policy                                                     page 9-21
no                        Negates a command or reverts settings to their default                                                          page 9-24

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
9.1.1 adopt

auto-provisioning-policy

Adds device adoption rules

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]

adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [profile|rf-domain]

adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] [any|area|cdp-match|dhcp-option|floor|fqdn|ip|ipv6|lldp-match|mac|model-number|rf-domain|serial-number|vlan]

adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] any

adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] [area <AREA-NAME>|cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|floor <FLOOR-NAME>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|rf-domain <RF-DOMAIN-NAME>|vlan <VLAN-ID>]

Parameters

• adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] any

adopt
    Adds an adopt device rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.
    The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX7500, NX7510, NX7520, NX7530, NX95XX, VX9000, and NX9600.
    Note: ‘anyap’ is used in auto provisioning policies to create rules that are applicable to any AP regardless of the model type.
precedence <1-10000>
    Sets the rule precedence from 1 - 10000. A rule with a lower value has a higher precedence.

profile <DEVICE-PROFILE-NAME>
    Sets the device profile for this provisioning policy. The selected device profile must be appropriate for the device being provisioned. For example, use an AP7502 device profile for an AP7502. Using an inappropriate device profile can result in unpredictable results.
    Provide a device profile name (should be existing and configured), or a template with appropriate substitution tokens, such as 'campus-$MODEL[1:6]', 'FQDN[1:4]-indoor'.
    Please see the Usage Guidelines section Built-in Tokens & Alias for the different types of built in tokens available in the system.

rf-domain <RF-DOMAIN-NAME>
    Sets the RF Domain for this auto provisioning policy. The provisioning policy is only applicable to devices that try to become a part of the specified RF Domain. Provide the full RF Domain name OR use a string alias to identify the RF Domain.
    Provide the full RF Domain name or an alias (should be existing and configured), or a template with appropriate substitution tokens, such as '$CDP[1:7]', '$DNS-SUFFIX[1:5]'.
    Please see the Usage Guidelines section Built-in Tokens & Alias for the different types of built in tokens available in the system.
    Note: Use the built-in string alias or a user-defined string alias. String aliases allow you to configure APs in the same RF Domain as the adopting controller. A string alias maps a name to an arbitrary string value, for example, ‘alias string $DOMAIN test.example_company.com’. In this example, the string-alias $DOMAIN is mapped to the string: test.example_company.com. For more information, see alias.

any
    Indicates any device. Any device seeking adoption is adopted.

• adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] [area <AREA-NAME>|cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|floor <FLOOR-NAME>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|rf-domain <RF-DOMAIN-NAME>|vlan <VLAN-ID>]

adopt
    Adds an adopt device rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.
    The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7502, AP7522, AP7532, AP7562, AP7161, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX7500, NX7510, NX7520, NX7530, NX95XX, VX9000, and NX9600.
    Note: ‘anyap’ is used in auto provisioning policies to create rules that are applicable to any AP regardless of the model type.

precedence <1-10000>
    Sets the rule precedence. A rule with a lower value has a higher precedence.
profile <DEVICE-PROFILE-NAME>
    Sets the device profile for this provisioning policy. The selected device profile must be appropriate for the device being provisioned. For example, use an AP7502 device profile for an AP7502. Using an inappropriate device profile can result in unpredictable results.
    Provide a device profile name (should be existing and configured), or a template with appropriate substitution tokens, such as 'campus-$MODEL[1:6]', 'FQDN[1:4]-indoor'.
    Please see the Usage Guidelines section Built-in Tokens & Alias for the different types of built in tokens available in the system.

rf-domain <RF-DOMAIN-NAME>
    Sets the RF Domain for this auto provisioning policy. The provisioning policy is only applicable to devices that try to become a part of the specified RF Domain.
    Provide the full RF Domain name or an alias (should be existing and configured), or a template with appropriate substitution tokens, such as '$CDP[1:7]', '$DNS-SUFFIX[1:5]'.
    Please see the Usage Guidelines section Built-in Tokens & Alias for the different types of built in tokens available in the system.
    Note: Use the built-in string alias or a user-defined string alias. String aliases allow you to configure APs in the same RF Domain as the adopting controller. A string alias maps a name to an arbitrary string value, for example, ‘alias string $DOMAIN test.example_company.com’. In this example, the string-alias $DOMAIN is mapped to the string: test.example_company.com. For more information, see alias.

area <AREA-NAME>
    Matches the area of deployment. This option is not applicable to the ‘rf-domain’ parameter.
    • <AREA-NAME> – Enter a 64 character maximum deployment area name assigned to this policy. Devices with matching area names are adopted.

cdp-match <LOCATION-SUBSTRING>
    Matches a substring in a list of CDP snoop strings (case insensitive). For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com, and controller3.example.com, then 'controller1', ‘example’, and 'example.com' are examples of the substrings that will match.
    • <LOCATION-SUBSTRING> – Specify the value to match. Devices matching the specified value are adopted.

dhcp-option <DHCP-OPTION>
    Matches the value found in DHCP vendor option 191 (case insensitive). DHCP vendor option 191 can be set up to communicate various configuration parameters to an AP. The value of the option is a string in the form of tag=value pairs separated by semicolons, for example 'tag1=value1;tag2=value2;tag3=value3'. The access point includes the value of tag 'rf-domain', if present.
    • <DHCP-OPTION> – Specify the DHCP option. Devices matching the specified value are adopted.

floor <FLOOR-NAME>
    Matches the floor name. This option is not applicable to the ‘rf-domain’ parameter.
    • <FLOOR-NAME> – Enter a 32 character maximum deployment floor name assigned to this policy. Devices with matching floor names are adopted.

fqdn <FQDN>
    Matches a substring to the Fully Qualified Domain Name (FQDN) of a device (case insensitive).
    FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain. This parameter allows a device to adopt based on its FQDN value.
    • <FQDN> – Specify the FQDN. Devices matching the specified value are adopted.
ip [<START-IP> <END-IP>|<IP/MASK>]
    Adopts a device if its IP address matches the specified IPv4 address, is within the specified IP address range, or is a part of the specified subnet.
    • <START-IP> – Specify the first IPv4 address in the range.
    • <END-IP> – Specify the last IPv4 address in the range.
    • <IP/MASK> – Specify the IPv4 subnet and mask to match against the device’s IP address.

ipv6 [<START-IP> <END-IP>|<IP/MASK>]
    Adopts a device if its IPv6 address matches the specified IPv6 address, is within the specified IP address range, or is a part of the specified subnet.
    • <START-IP> – Specify the first IPv6 address in the range.
    • <END-IP> – Specify the last IPv6 address in the range.
    • <IP/MASK> – Specify the IPv6 subnet and mask to match against the device’s IPv6 address.

lldp-match <LLDP-STRING>
    Matches a substring in a list of Link Layer Discovery Protocol (LLDP) snoop strings (case insensitive). For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com, and controller3.example.com, then 'controller1', 'example', and 'example.com' are examples of the substrings that will match.
    LLDP is a vendor neutral link layer protocol that advertises a network device’s identity, capabilities, and neighbors on a local area network.
    • <LLDP-STRING> – Specify the LLDP string. Devices matching the specified value are adopted.

mac <START-MAC> {<END-MAC>}
    Adopts a device if its MAC address matches the specified MAC address or is within the specified MAC address range.
    • <START-MAC> – Specify the first MAC address in the range. Provide this MAC address if you want to match for a single device.
    • <END-MAC> – Optional. Specify the last MAC address in the range.

model-number <MODEL-NUMBER>
    Adopts a device if its model number matches <MODEL-NUMBER>
    • <MODEL-NUMBER> – Specify the model number.

rf-domain <RF-DOMAIN-NAME>
    Adopts a device if its RF Domain matches <RF-DOMAIN-NAME>
    • <RF-DOMAIN-NAME> – Specify the RF Domain name. You can use a string alias to specify a RF Domain.
    Provide the full RF Domain name or an alias (should be existing and configured), or a template with appropriate substitution tokens, such as '$CDP[1:7]', '$DNS-SUFFIX[1:5]'.
    Please see the Usage Guidelines section Built-in Tokens & Alias for the different types of built in tokens available in the system.
    Note: Use the built-in string alias or a user-defined string alias. String aliases allow you to configure APs in the same RF Domain as the adopting controller. A string alias maps a name to an arbitrary string value, for example, ‘alias string $DOMAIN test.example_company.com’. In this example, the string-alias $DOMAIN is mapped to the string: test.example_company.com. For more information, see alias.

serial-number <SERIAL-NUMBER>
    Adopts a device if its serial number matches <SERIAL-NUMBER>
    • <SERIAL-NUMBER> – Specify the serial number.

vlan <VLAN-ID>
    Adopts a device if its VLAN matches <VLAN-ID>
    • <VLAN-ID> – Specify the VLAN ID.
Usage Guidelines: Built-in Tokens & Alias

Following are the built-in tokens that can be used to identify the devices to adopt:

$FQDN        - references FQDN of adopting device
$CDP         - references CDP Device Id of the wired switch to which
               adopting device is connected
$LLDP        - references LLDP System Name of wired switch to
               which adopting device is connected
$DHCP        - references DHCP Option Value received by the
               adopting device
$SN          - references SERIAL NUMBER of adopting device
$MODEL       - references MODEL NUMBER of adopting device
$DNS-SUFFIX  - references FQDN excluding the hostname of the
               adopting device
$CDP-SUFFIX  - references CDP excluding the hostname of the
               adopting device
$LLDP-SUFFIX - references LLDP excluding the hostname of the
               adopting device

Following is the built-in alias that can be used to identify the RF Domain of devices to adopt:

$AUTO-RF-DOMAIN - rf-domain of adopting device

Example

rfs4000-229D58(config-auto-provisioning-policy-test)#adopt ap81xx precedence 1 profile default-ap81xx vlan 1

rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test)#

rfs4000-229D58(config-auto-provisioning-policy-test)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX      NAME              MAC             PROFILE       RF-DOMAIN       ADOPTED-BY
---------------------------------------------------------------------------------------
 1   ap81xx-711728    B4-C7-99-71-17-28   default-ap81xx   default    00-23-68-22-9D-58
 2   rfs4000-229D58   00-23-68-22-9D-58   default-rfs4000  default
---------------------------------------------------------------------------------------
rfs4000-229D58(config-auto-provisioning-policy-test)#

rfs6000-6DCD4B(config-auto-provisioning-policy-test)#adopt anyap precedence 1 profile rfs6000 any

rfs6000-6DCD4B(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt anyap precedence 1 profile rfs6000 any
rfs6000-6DCD4B(config-auto-provisioning-policy-test)#

Related Commands

no    Removes an adopt rule
9.1.2 auto-create-rfd-template

auto-provisioning-policy

Enables auto creation of an RF Domain:
• when tokens are used to select the RF Domain to apply to devices matching the adoption criteria, and
• the token-specified RF Domain does not exist.

During device adoption, if the token-specified RF Domain (configured using the ‘adopt’ rule) is not found, the system auto creates a new RF Domain based on an existing RF Domain template specified using this command. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

auto-create-rfd-template <RF-DOMAIN-NAME>

Parameters

• auto-create-rfd-template <RF-DOMAIN-NAME>

auto-create-rfd-template <RF-DOMAIN-NAME>
    Auto creates a new RF Domain based on an existing RF Domain template
    • <RF-DOMAIN-NAME> – Specify the RF Domain name (should be existing and configured). The new RF Domain created is saved with the token name specified in the ‘adopt’ command.
    Note: For more information on configuring tokens, see adopt.

Example

The following example configures an adopt rule for adopting any AP7532 and applying an RF Domain matching the token “$MODEL[1:5]” to the adopted AP:

nx9500-6C8809(config-auto-provisioning-policy-test)#adopt ap7532 precedence 20 rf-domain $MODEL[1:5] any

nx9500-6C8809(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap7532 precedence 20 rf-domain $MODEL[1:5] any
nx9500-6C8809(config-auto-provisioning-policy-test)#

The following example enables auto creation of the following RF Domain using an existing RF Domain ‘rfd-AP’ as template:
• RF Domain name “AP-75”: Applicable to any AP7532

nx9500-6C8809(config-auto-provisioning-policy-test)#auto-create-rfd-template rfd-AP

nx9500-6C8809(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap7532 precedence 20 rf-domain $MODEL[1:5] any
 auto-create-rfd-template rfd-AP
nx9500-6C8809(config-auto-provisioning-policy-test)#
As per the above configurations, when an AP7532 comes up for first-time adoption, the system:
• Checks for an RF Domain matching the options provided in the ‘adopt’ rule, and if not found
• Auto creates the RF Domain only if:
    - A token is specified in the ‘adopt’ rule. For example, $MODEL[1:5], and
    - The ‘auto-create-rfd-template’ option is configured
• Uses the ‘RF Domain’ specified in the auto-create-rfd-template command as a template. Therefore, the specified RF Domain should be existing and configured.
• Applies the new RF Domain to the AP.

Related Commands

no    Disables auto creation of an RF Domain
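The token expansion and auto-creation decision described above can be reproduced offline to list the RF Domain names a policy would create before it is deployed. This Python model is an added example, not WiNG code or part of this guide; the `[start:end]` range is assumed to be 1-based and inclusive (inferred from the guide's `$MODEL[1:5]` giving “AP-75” for an AP7532), and the model number and DNS suffix in SAMPLE_FACTS are constructed.

```python
import re

# Built-in tokens listed under "Built-in Tokens & Alias"; the longer names
# come first so that $CDP-SUFFIX is not read as $CDP followed by "-SUFFIX".
TOKENS = ("DNS-SUFFIX", "CDP-SUFFIX", "LLDP-SUFFIX",
          "FQDN", "CDP", "LLDP", "DHCP", "SN", "MODEL")
TOKEN_RE = re.compile(r"\$(" + "|".join(TOKENS) + r")(?:\[(\d+):(\d+)\])?")

# Constructed values for one adopting device.
SAMPLE_FACTS = {
    "MODEL": "AP-7532-67030-US",
    "DNS-SUFFIX": "example.com",
}


def expand(template, facts):
    """Expand tokens in a profile or RF Domain template.

    Returns (expanded name, True if at least one token was used).
    Assumption: [start:end] selects characters start..end, counted from 1.
    """
    used = False

    def substitute(match):
        nonlocal used
        name, start, end = match.groups()
        if name not in facts:
            raise KeyError(f"device reported no value for ${name}")
        value = facts[name]
        if start is not None:
            value = value[int(start) - 1:int(end)]
        if not value:
            # An empty expansion would silently change the resulting name.
            raise ValueError(f"${name} expanded to an empty string")
        used = True
        return value

    expanded = TOKEN_RE.sub(substitute, template)
    return expanded, used


def resolve_rf_domain(template, facts, domains, auto_create_template=None):
    """Mirror the adoption-time decision for the RF Domain of one device.

    domains is the set of configured RF Domain names; it is updated when a
    domain is auto created. Returns (RF Domain name, outcome).
    """
    name, tokenised = expand(template, facts)
    if name in domains:
        return name, "existing"
    # Auto creation needs a token in the adopt rule AND a configured,
    # existing template RF Domain.
    if tokenised and auto_create_template in domains:
        domains.add(name)
        return name, "created from " + auto_create_template
    return name, "not created"


if __name__ == "__main__":
    configured = {"default", "rfd-AP"}
    print(resolve_rf_domain("$MODEL[1:5]", SAMPLE_FACTS, configured, "rfd-AP"))
    print(sorted(configured))
```

Several of the tokens ($CDP, $LLDP, $DHCP, $FQDN) take their values from what the adopting device learns on its network segment, so running the expected values through this model shows which RF Domain names a rule can produce.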
9.1.3 default-adoption

auto-provisioning-policy

Adopts devices, even when no matching rules are defined, and assigns a default profile and default RF Domain to the adopted device

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

default-adoption

Parameters

None

Example

rfs4000-229D58(config-auto-provisioning-policy-test)#default-adoption

rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 default-adoption
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test)#

Related Commands

no    Disables adoption of devices when matching rules are not found
9.1.4 deny

auto-provisioning-policy

Defines a deny device adoption rule

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [any|cdp-match|dhcp-option|fqdn|ip|ipv6|lldp-match|mac|model-number|serial-number|vlan]

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> any

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]

Parameters

• deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> any

deny
    Adds a deny adoption rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.
    The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600 series.
    Note: ‘anyap’ is used in auto provisioning policies to create rules that are applicable to any AP regardless of the model type.

precedence <1-10000>
    Sets the rule precedence. A rule with a lower value has a higher precedence.

any
    Indicates any device. Any device seeking adoption is denied adoption.
• deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-1000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]

deny
    Adds a deny adoption rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.
    The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600.

precedence <1-10000>
    Sets the rule precedence. A rule with a lower value has a higher precedence.
    After specifying the rule precedence, specify the match criteria. Devices matching the specified criteria are denied adoption.

cdp-match <LOCATION-SUBSTRING>
    Matches a substring in a list of CDP snoop strings (case insensitive). For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com and controller3.example.com, then 'controller1', ‘example’, and 'example.com' are examples of the substrings that will match.
    • <LOCATION-SUBSTRING> – Specify the value to match. Devices matching the specified value are denied adoption.

dhcp-option <DHCP-OPTION>
    Matches the value found in DHCP vendor option 191 (case insensitive). DHCP vendor option 191 can be set up to communicate various configuration parameters to an AP. The value of the option is a string in the form of tag=value pairs separated by semicolons, for example 'tag1=value1;tag2=value2;tag3=value3'. The access point includes the value of tag 'rf-domain', if present.
    • <DHCP-OPTION> – Specify the DHCP option value to match. Devices matching the specified value are denied adoption.

fqdn <FQDN>
    Matches a substring to the FQDN of a device (case insensitive).
    FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain.
    • <FQDN> – Specify the FQDN. Devices matching the specified value are denied adoption.

ip [<START-IP> <END-IP>|<IP/MASK>]
    Denies adoption if a device's IP address matches the specified IPv4 address or is within the specified IP address range
    • <START-IP> – Specify the first IPv4 address in the range.
    • <END-IP> – Specify the last IPv4 address in the range.
    • <IP/MASK> – Specify the IPv4 subnet and mask to match against the device’s IP address.

ipv6 [<START-IP> <END-IP>|<IP/MASK>]
    Denies adoption if a device's IPv6 address matches the specified IP address or is within the specified IP address range
    • <START-IP> – Specify the first IPv6 address in the range.
    • <END-IP> – Specify the last IPv6 address in the range.
    • <IP/MASK> – Specify the IPv6 subnet and mask to match against the device’s IP address.
lldp-match <LLDP-STRING>
    Matches a substring in a list of LLDP snoop strings (case insensitive). For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com and controller3.example.com, then 'controller1', 'example', and 'example.com' are examples of the substrings that will match.
    LLDP is a vendor neutral link layer protocol used to advertise a network device’s identity, capabilities, and neighbors on a local area network.
    • <LLDP-STRING> – Specify the LLDP string. Devices matching the specified values are denied adoption.

mac <START-MAC> {<END-MAC>}
    Denies adoption if a device's MAC address matches the specified MAC address or is within the specified MAC address range
    • <START-MAC> – Specify the first MAC address in the range. Provide this MAC address if you want to match for a single device.
    • <END-MAC> – Optional. Specify the last MAC address in the range.

model-number <MODEL-NUMBER>
    Denies adoption if a device’s model number matches <MODEL-NUMBER>
    • <MODEL-NUMBER> – Specify the model number.

serial-number <SERIAL-NUMBER>
    Denies adoption if a device’s serial number matches <SERIAL-NUMBER>
    • <SERIAL-NUMBER> – Specify the serial number.

vlan <VLAN-ID>
    Denies adoption if a device’s VLAN matches <VLAN-ID>
    • <VLAN-ID> – Specify the VLAN ID.

Example

rfs4000-229D58(config-auto-provisioning-policy-test)#deny ap71xx precedence 2 model-number AP7131N

rfs4000-229D58(config-auto-provisioning-policy-test)#deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23

rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
 deny ap71xx precedence 2 model-number AP7131N
 deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23
rfs4000-229D58(config-auto-provisioning-policy-test)#

Related Commands

no    Removes a deny adoption rule
9.1.5 evaluate-always

auto-provisioning-policy

Sets flag to run this auto-provisioning policy every time an access point is adopted. The access point’s previous adoption status is not taken into consideration.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

evaluate-always

Parameters

None

Example

rfs4000-229D58(config-auto-provisioning-policy-test)#evaluate-always

rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 evaluate-always
rfs4000-229D58(config-auto-provisioning-policy-test)#

Related Commands

no    Disables the running of this policy every time an AP is adopted
9.1.6 redirect

auto-provisioning-policy

Adds a rule redirecting device adoption to another controller within the system. Devices seeking adoption are redirected to a specified controller based on the redirection parameters specified.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>] [any|cdp-match|dhcp-option|fqdn|ip|ipv6|level|lldp-match|mac|model-number|pool|serial-number|vlan]

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] any

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|level [1|2]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|pool <1-2>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>] {upgrade}

Parameters

• redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] any

redirect
    Adds a redirect adoption rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule.
    The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, AP7632, AP7662, NX9600 series.
    Note: ‘anyap’ is used in auto provisioning policies to create rules that are applicable to any AP regardless of the model type.
    Note: An adoptee controller, such as RFS4000 and RFS6000, can be redirected to another controller (configured to adopt controllers) with a capacity equal to or higher than its own. For more information, see controller.
AUTO-PROVISIONING-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide  9 - 18• redirect [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-1000> controller [<CONTROLLER-IP>| <CONTROLLER-HOSTNAME>|ipv6] [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6[<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|pool <1-2>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>] {upgrade}precedence <1-10000>Sets the rule precedence. Rules with lower values get precedence over rules with higher values.controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6]Configures the controller to which the adopting devices are redirected. Specify the controller’s IP address or hostname.• <CONTROLLER-IP> – Specifies the controller’s IP address• <CONTROLLER-HOSTNAME> – Specifies the controller’s hostname• ipv6 – Specify the controller’s IPv6 addressany Indicates any device. Any device seeking adoption is redirected.redirect Adds a redirect adoption rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule.The different device type options are: anyap, AP6521, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600.Note: An adoptee controller, such as RFS4000, RFS6000, and RFS7000, can be redirected to another controller (configured to adopt controllers) with a capacity equal to or higher than its own. For more information, see controller.precedence <1-10000>Sets the rule precedence. 
Rules with lower values get precedence over rules with higher values.controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6]Configures the controller to which the adopting devices are redirected. Specify the controller’s IP address or hostname.• <CONTROLLER-IP> – Specifies the controller’s IP address• <CONTROLLER-HOSTNAME> – Specifies the controller’s hostname• ipv6 – Specify the controller’s IPV6 address.After specifying the rule precedence and the controller, specify the match criteria.cdp-match <LOCATION-SUBSTRING>Configures the device location to match, based on CDP snoop strings• <LOCATION-SUBSTRING> – Specify the location. Devices matching the specified string are redirected.dhcp-option <DHCP-OPTION>Configures the DHCP options to matchDHCP options identify the vendor and DHCP client functionalities. This information is used by the client to convey to the DHCP server that the client requires extra information in a DHCP response.• <DHCP-OPTION> – Specify the DHCP option value. Devices matching the specified value are redirected.
fqdn <FQDN>
  Configures the FQDN to match
  FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain.
  • <FQDN> – Specify the FQDN. Devices matching the specified value are redirected.
ip [<START-IP> <END-IP>|<IP/MASK>]
  Configures a range of IP addresses or a subnet address. Devices whose IPv4 addresses are within the specified range or are part of the specified subnet are redirected.
  • <START-IP> – Specify the first IPv4 address in the range.
  • <END-IP> – Specify the last IPv4 address in the range.
  • <IP/MASK> – Specify the IPv4 subnet and mask to match against the device’s IP address.
level [1|2]
  Configures the routing level
  • level1 – Specifies level 1 as local routing
  • level2 – Specifies level 2 as inter-site routing
ipv6 [<START-IP> <END-IP>|<IP/MASK>]
  Redirects if a device's IPv6 address matches the specified IP address or is within the specified IP address range
  • <START-IP> – Specify the first IPv6 address in the range.
  • <END-IP> – Specify the last IPv6 address in the range.
  • <IP/MASK> – Specify the IPv6 subnet and mask to match against the device’s IP address.
lldp-match <LLDP-STRING>
  Configures the device location to match, based on LLDP snoop strings
  LLDP is a vendor neutral link layer protocol used to advertise a network device’s identity, capabilities, and neighbors on a local area network.
  • <LLDP-STRING> – Specify the location. Devices matching the specified string are redirected.
mac <START-MAC> {<END-MAC>}
  Configures a single MAC address or a range of MAC addresses. Devices matching the specified values are redirected.
  • <START-MAC> – Specify the first MAC address in the range. Provide only this MAC address to filter a single device.
  • <END-MAC> – Optional. Specify the last MAC address in the range.
model-number <MODEL-NUMBER>
  Configures the device model number
  • <MODEL-NUMBER> – Specify the model number. Devices matching the specified model number are redirected.
pool <1-2>
  Configures the controller pool
  • <1-2> – Configures the pool to which the specified controller belongs. The default pool value is 1.
serial-number <SERIAL-NUMBER>
  Configures the device’s serial number
  • <SERIAL-NUMBER> – Specify the serial number. Devices matching the specified serial number are redirected.
vlan <VLAN-ID>
  Configures the VLAN ID
  • <VLAN-ID> – Specify the VLAN ID. Devices assigned to the specified VLAN are redirected.
upgrade
  Optional. Upgrades APs before redirecting the device for adoption within the system
Example
rfs4000-229D58(config-auto-provisioning-policy-test)#redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
rfs4000-229D58(config-auto-provisioning-policy-test)#redirect ap81xx precedence 5 controller 192.168.13.10 model-number AP-8132-66040-US
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 default-adoption
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
 deny ap71xx precedence 2 model-number AP7131N
 deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23
 redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
 redirect ap81xx precedence 5 controller 192.168.13.10 model-number AP-8132-66040-US
rfs4000-229D58(config-auto-provisioning-policy-test)#

Related Commands
no
  Removes a redirect rule
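The following added example (not part of the reference guide or of WiNG) audits the ‘show context’ output above: it reports which rule decides for a given device and lists redirect rules whose controller is not on an approved list. It assumes the first matching rule in ascending precedence decides, that model numbers are compared exactly, and it handles only the any, ip, model-number and vlan criteria; the device fields and the approved-controller set are hypothetical inputs.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ACTIONS = {"adopt", "deny", "redirect", "upgrade"}
# Options that take a value and sit between the precedence and the match criterion.
VALUE_OPTIONS = {"controller", "profile", "rf-domain"}
# Subset of match criteria handled here, with the argument counts each accepts.
CRITERIA = {"any": (0,), "ip": (1, 2), "model-number": (1,), "vlan": (1,)}

# 'show context' output from the redirect example on this page.
PAGE_POLICY = """\
auto-provisioning-policy test
 default-adoption
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
 deny ap71xx precedence 2 model-number AP7131N
 deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23
 redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
 redirect ap81xx precedence 5 controller 192.168.13.10 model-number AP-8132-66040-US
"""


@dataclass(frozen=True)
class Rule:
    action: str
    device_type: str
    precedence: int
    controller: str | None
    criterion: str
    args: tuple[str, ...]


def parse_policy(show_context: str) -> list[Rule]:
    """Parse rule lines from 'show context' output, sorted by precedence."""
    rules: dict[int, Rule] = {}
    for line in show_context.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] not in ACTIONS or tok[2] != "precedence":
            continue  # prompt, policy name, default-adoption, evaluate-always
        precedence = int(tok[3])
        rest, controller = tok[4:], None
        while len(rest) >= 2 and rest[0] in VALUE_OPTIONS:
            if rest[0] == "controller":
                controller = rest[1]
            rest = rest[2:]
        # Fail loudly on criteria this example does not model (mac, fqdn, ...).
        if not rest or rest[0] not in CRITERIA or len(rest) - 1 not in CRITERIA[rest[0]]:
            raise ValueError(f"unsupported rule line: {line.strip()!r}")
        if precedence in rules:
            raise ValueError(f"duplicate precedence {precedence}")
        rules[precedence] = Rule(tok[0], tok[1], precedence, controller,
                                 rest[0], tuple(rest[1:]))
    return [rules[p] for p in sorted(rules)]


def matches(rule: Rule, device: dict) -> bool:
    """True if the rule's device type and match criterion both fit the device."""
    dtype = device["type"]
    any_ap = rule.device_type == "anyap" and dtype.startswith("ap")
    if rule.device_type != dtype and not any_ap:
        return False
    if rule.criterion == "any":
        return True
    if rule.criterion == "ip":
        addr = ipaddress.ip_address(device["ip"])
        if len(rule.args) == 2:  # <START-IP> <END-IP>
            first, last = (ipaddress.ip_address(a) for a in rule.args)
            return first <= addr <= last
        return addr in ipaddress.ip_network(rule.args[0], strict=False)  # <IP/MASK>
    if rule.criterion == "model-number":
        return device.get("model") == rule.args[0]  # exact match is an assumption
    return str(device.get("vlan")) == rule.args[0]  # vlan


def first_match(rules: list[Rule], device: dict) -> Rule | None:
    """Rule that decides for this device under first-match-by-precedence."""
    return next((r for r in rules if matches(r, device)), None)


def unapproved_redirects(rules: list[Rule], approved: set[str]) -> list[Rule]:
    """Redirect rules pointing at a controller outside the approved set."""
    return [r for r in rules if r.action == "redirect" and r.controller not in approved]


if __name__ == "__main__":
    rules = parse_policy(PAGE_POLICY)
    # Constructed devices, not taken from the page.
    for dev in (
        {"type": "ap81xx", "ip": "192.168.13.25", "vlan": 1, "model": "AP-8132-66040-US"},
        {"type": "ap81xx", "ip": "192.168.13.25", "vlan": 20, "model": "AP-8132-66040-US"},
        {"type": "ap6521", "ip": "10.0.0.5", "vlan": 1},
    ):
        hit = first_match(rules, dev)
        print(dev, "->", f"{hit.action} (precedence {hit.precedence})" if hit else "no rule")
    print("unapproved:", unapproved_redirects(rules, {"192.168.13.10"}))
```

Under these assumptions an AP81XX at 192.168.13.25 on VLAN 1 is decided by the adopt rule at precedence 1, so the redirect rule at precedence 4 only takes effect for devices outside VLAN 1.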
9.1.7 upgrade

Adds a device upgrade rule to this auto provisioning policy. When applied to a controller, the upgrade rule ensures adopted devices, of the specified type, are upgraded automatically.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]

upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [any|cdp-match|dhcp-option|fqdn|ip|ipv6|lldp-match|mac|model-number|serial-number|vlan]

upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> any

upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]

Parameters
• upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> any

upgrade
  Adds a device upgrade rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule.
  The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600 series.
precedence <1-10000>
  Sets the rule precedence. Rules with lower values get precedence over rules with higher values.
any
  Indicates any device. Any device, of the selected type, is upgraded.
• upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]

upgrade
  Adds a device upgrade rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule.
  The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600 series.
  Note: ‘anyap’ is used in auto provisioning policies to create rules that are applicable to any AP regardless of the model type.
precedence <1-10000>
  Sets the rule precedence. Rules with lower values get precedence over rules with higher values.
cdp-match <LOCATION-SUBSTRING>
  Configures the device location to match, based on CDP snoop strings
  • <LOCATION-SUBSTRING> – Specify the location. Devices matching the specified string are upgraded.
dhcp-option <DHCP-OPTION>
  Configures the DHCP options to match
  DHCP options identify the vendor and DHCP client functionalities. This information is used by the client to convey to the DHCP server that the client requires extra information in a DHCP response.
  • <DHCP-OPTION> – Specify the DHCP option value. Devices matching the specified value are upgraded.
fqdn <FQDN>
  Configures the FQDN to match
  FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain.
  • <FQDN> – Specify the FQDN. Devices matching the specified value are upgraded.
ip [<START-IP> <END-IP>|<IP/MASK>]
  Configures a range of IP addresses or a subnet address. Devices whose IPv4 addresses are within the specified range or are part of the specified subnet are upgraded.
  • <START-IP> – Specify the first IPv4 address in the range.
  • <END-IP> – Specify the last IPv4 address in the range.
  • <IP/MASK> – Specify the IPv4 subnet and mask to match against the device’s IP address.
ipv6 [<START-IP> <END-IP>|<IP/MASK>]
  Upgrades if a device's IPv6 address matches the specified IP address or is within the specified IP address range
  • <START-IP> – Specify the first IPv6 address in the range.
  • <END-IP> – Specify the last IPv6 address in the range.
  • <IP/MASK> – Specify the IPv6 subnet and mask to match against the device’s IP address.
lldp-match <LLDP-STRING>
  Configures the device location to match, based on LLDP snoop strings
  LLDP is a vendor neutral link layer protocol used to advertise a network device’s identity, capabilities, and neighbors on a local area network.
  • <LLDP-STRING> – Specify the location. Devices matching the specified string are upgraded.
mac <START-MAC> {<END-MAC>}
  Configures a single MAC address or a range of MAC addresses. Devices matching the specified values are upgraded.
  • <START-MAC> – Specify the first MAC address in the range. Provide only this MAC address to filter a single device.
  • <END-MAC> – Optional. Specify the last MAC address in the range.
model-number <MODEL-NUMBER>
  Configures the device model number
  • <MODEL-NUMBER> – Specify the model number. Devices matching the specified model number are upgraded.
serial-number <SERIAL-NUMBER>
  Configures the device’s serial number
  • <SERIAL-NUMBER> – Specify the serial number. Devices matching the specified serial number are upgraded.
vlan <VLAN-ID>
  Configures the VLAN ID
  • <VLAN-ID> – Specify the VLAN ID. Devices assigned to the specified VLAN are upgraded.

Example
rfs4000-229D58(config-auto-provisioning-policy-test)#upgrade ap6521 precedence 1 any
rfs4000-229D58(config-auto-provisioning-policy-test)#upgrade rfs4000 precedence 2 ip 192.168.13.1 192.168.13.5
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 upgrade ap6521 precedence 1 any
 upgrade rfs4000 precedence 2 ip 192.168.13.1 192.168.13.5
rfs4000-229D58(config-auto-provisioning-policy-test)#

Related Commands
no
  Removes an upgrade rule
9.1.8 no

Removes a deny, permit, or redirect rule from the specified auto provisioning policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [adopt|auto-create-rfd-template|default-adoption|deny|evaluate-always|redirect|upgrade]
no adopt precedence <1-10000>
no auto-create-rfd-template
no deny precedence <1-10000>
no evaluate-always
no default-adoption
no redirect precedence <1-10000>
no upgrade precedence <1-10000>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Removes a deny, permit, or redirect rule from the specified auto provisioning policy

Example
The following example shows the auto-provisioning-policy ‘test’ settings before the ‘no’ commands are executed:

rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 default-adoption
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
 deny ap71xx precedence 2 model-number AP7131N
 deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23
 redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
 redirect ap81xx precedence 5 controller 192.168.13.10 model-number AP-8132-66040-US
rfs4000-229D58(config-auto-provisioning-policy-test)#
rfs4000-229D58(config-auto-provisioning-policy-test)#no default-adoption
rfs4000-229D58(config-auto-provisioning-policy-test)#no deny precedence 2
rfs4000-229D58(config-auto-provisioning-policy-test)#no deny precedence 3
rfs4000-229D58(config-auto-provisioning-policy-test)#no deny precedence 5

The following example shows the auto-provisioning-policy ‘test’ settings after the ‘no’ commands are executed:

rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap81xx precedence 1 rf-domain TechPubs vlan 1
 redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
rfs4000-229D58(config-auto-provisioning-policy-test)#

rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 upgrade ap6521 precedence 1 any
 upgrade rfs4000 precedence 2 ip 192.168.13.1 192.168.13.5
rfs4000-229D58(config-auto-provisioning-policy-test)#
rfs4000-229D58(config-auto-provisioning-policy-test)#no upgrade precedence 1
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 upgrade rfs4000 precedence 2 ip 192.168.13.1 192.168.13.5
rfs4000-229D58(config-auto-provisioning-policy-test)#
10 ASSOCIATION-ACL-POLICY

This chapter summarizes the association ACL policy commands in the CLI command structure. An association ACL is a policy-based Access Control List (ACL) that either allows or denies wireless clients from connecting to a wireless controller, service platform, or access point managed WLAN.

System administrators can use an association ACL to grant or restrict wireless clients access to the WLAN by specifying a client’s MAC address or a range of MAC addresses to either include or exclude from WLAN connectivity. Association ACLs are applied to WLANs as an additional access control mechanism.

Use the (config) instance to configure the association ACL policy. To navigate to the association-acl-policy instance, use the following commands:

<DEVICE>(config)#association-acl-policy <POLICY-NAME>

rfs6000-37FABE(config)#association-acl-policy test
rfs6000-37FABE(config-assoc-acl-test)#
rfs6000-37FABE(config-assoc-acl-test)#?
Association ACL Mode commands:
  deny     Specify MAC addresses to be denied
  no       Negate a command or set its defaults
  permit   Specify MAC addresses to be permitted
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-assoc-acl-test)#

Before defining an association ACL policy and applying it to a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
• The name and configuration of an association ACL policy should meet the requirements of the WLANs it may map to. However, be careful not to name ACLs after specific WLANs, as individual ACL policies can be used by more than one WLAN.
• You cannot apply more than one MAC based ACL to a layer 2 interface. If a MAC ACL is already configured on a layer 2 interface, and a new MAC ACL is applied to the interface, the new ACL replaces the previously configured one.

NOTE: If creating a new association ACL policy, provide a name specific to its function. Avoid naming it after a WLAN it may support. The name cannot exceed 32 characters.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
10.1 association-acl-policy

The following table summarizes association ACL policy configuration commands:

Table 10.1 Association-ACL-Policy-Config Commands

Command   Description
deny      Specifies a range of MAC addresses denied access to the WLAN
no        Removes a deny or permit rule from this association ACL policy
permit    Specifies a range of MAC addresses allowed access to the WLAN

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
10.1.1 deny

Creates a list of devices denied access to the managed network. Devices are identified by their MAC address. A single MAC address or a range of MAC addresses can be denied access. This command also sets the precedence on how deny rules are applied. Up to a thousand (1000) deny rules can be defined for every association ACL policy. Each rule has a unique sequential precedence value assigned, and is applied to packets on the basis of the precedence value. The lower the precedence, the higher the priority. This results in the rule with the lowest precedence being applied first. No two rules can have the same precedence. The default precedence is 1, so prioritize ACLs accordingly as they are added.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
deny <STARTING-MAC> [<ENDING-MAC>|precedence]
deny <STARTING-MAC> precedence <1-1000>
deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>

Parameters
• deny <STARTING-MAC> precedence <1-1000>

deny
  Adds a single device or a set of devices to the deny list
<STARTING-MAC>
  To add a single device, enter its MAC address in the <STARTING-MAC> parameter.
precedence <1-1000>
  Sets a precedence rule. Rules are applied in an increasing order of precedence.
  • <1-1000> – Specify a precedence value from 1 - 1000.

• deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>

deny
  Adds a single device or a set of devices to the deny list
  To add a set of devices, provide the range of MAC addresses.
<STARTING-MAC>
  Specify the first MAC address in the range.
<ENDING-MAC>
  Specify the last MAC address in the range.
precedence <1-1000>
  Sets a precedence rule. Rules are applied in an increasing order of precedence.
  • <1-1000> – Specify a value from 1 - 1000.

Usage Guidelines
Every rule has a unique sequential precedence value. You cannot add two rules with the same precedence. Rules are applied in an increasing order of precedence. That means the rule with precedence 1 is applied first, then the rule with precedence 2 and so on.
Example
rfs6000-37FABE(config-assoc-acl-test)#deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
rfs6000-37FABE(config-assoc-acl-test)#deny 11-22-33-44-56-01 11-22-33-44-56-01 precedence 160
rfs6000-37FABE(config-assoc-acl-test)#show context
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
 deny 11-22-33-44-56-01 11-22-33-44-56-01 precedence 160
rfs6000-37FABE(config-assoc-acl-test)#

Related Commands
no
  Removes a deny rule based on its precedence value
10.1.2 no

Removes a deny or permit rule from this association ACL policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [deny|permit]
no deny <STARTING-MAC> precedence <1-1000>
no deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
no permit <STARTING-MAC> precedence <1-1000>
no permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Removes a deny or permit rule from this association ACL policy

Example
The following example shows the association ACL policy ‘test’ settings before the ‘no’ command is executed:

rfs6000-37FABE(config-assoc-acl-test)#show context
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
 deny 11-22-33-44-56-01 11-22-33-44-56-01 precedence 160
rfs6000-37FABE(config-assoc-acl-test)#
rfs6000-37FABE(config-assoc-acl-test)#no deny 11-22-33-44-56-01 11-22-33-44-56-FF precedence 160

The following example shows the association ACL policy ‘test’ settings after the ‘no’ command is executed:

rfs6000-37FABE(config-assoc-acl-test)#show context
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
rfs6000-37FABE(config-assoc-acl-test)#
10.1.3 permit

Creates a list of devices allowed access to the managed network. Devices are permitted access based on their MAC address. A single MAC address or a range of MAC addresses can be specified. This command also sets the precedence on how permit list rules are applied. Up to a thousand (1000) permit rules can be defined for every association ACL policy. Each rule has a unique sequential precedence value assigned, and is applied to packets on the basis of this precedence value. The lower the precedence of a rule, the higher its priority. This results in the rule with the lowest precedence being applied first. No two rules can have the same precedence. The default precedence is 1, so be careful to prioritize ACLs accordingly as they are added.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
permit <STARTING-MAC> [<ENDING-MAC>|precedence]
permit <STARTING-MAC> precedence <1-1000>
permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>

Parameters
• permit <STARTING-MAC> precedence <1-1000>

permit
  Adds a single device or a set of devices to the permit list
<STARTING-MAC>
  To add a single device, enter its MAC address in the <STARTING-MAC> parameter.
precedence <1-1000>
  Specifies a rule precedence. Rules are applied in an increasing order of precedence.
  • <1-1000> – Specify a value from 1 - 1000.

• permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>

permit
  Adds a single device or a set of devices to the permit list
  To add a set of devices, provide the MAC address range.
<STARTING-MAC>
  Specify the first MAC address of the range.
<ENDING-MAC>
  Specify the last MAC address of the range.
precedence <1-1000>
  Specifies a rule precedence. Rules are applied in an increasing order of precedence.
  • <1-1000> – Specify a value from 1 - 1000.

Usage Guidelines
Every rule has a unique sequential precedence value. You cannot add two rules with the same precedence. Rules are applied to packets in an increasing order of precedence. That means the rule with precedence 1 is applied first, then the rule with precedence 2 and so on.
Example
rfs6000-37FABE(config-assoc-acl-test)# permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
rfs6000-37FABE(config-assoc-acl-test)# permit 11-22-33-44-67-01 precedence 180
rfs6000-37FABE(config-assoc-acl-test)#show context
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
 permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
 permit 11-22-33-44-67-01 11-22-33-44-67-01 precedence 180
rfs6000-37FABE(config-assoc-acl-test)#

Related Commands
no
  Removes a permit rule based on its precedence
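The following added example (not part of the reference guide or of WiNG) reviews an association ACL policy offline: it parses the deny and permit lines of a ‘show context’ listing, reports which rule decides for a client MAC, and flags rules that can never take effect because rules with lower precedence values already cover their whole MAC range. It assumes the first matching rule in ascending precedence decides; the first three rules are the page’s own and the rule at precedence 200 is constructed to show a shadowed exception.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
RULE_RE = re.compile(
    rf"^\s*(deny|permit)\s+({MAC})(?:\s+({MAC}))?\s+precedence\s+(\d+)\s*$"
)

# Rules 150-180 are from this page's example; rule 200 is constructed.
SAMPLE_POLICY = """\
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
 permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
 permit 11-22-33-44-67-01 11-22-33-44-67-01 precedence 180
 permit 11-22-33-44-55-10 11-22-33-44-55-20 precedence 200
"""


@dataclass(frozen=True)
class Rule:
    action: str
    start: int       # first MAC in the range, as an integer
    end: int         # last MAC in the range (equals start for one device)
    precedence: int


def mac_to_int(mac: str) -> int:
    """Convert a hyphen-separated MAC (the format used on this page) to an int."""
    if not re.fullmatch(MAC, mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(mac.replace("-", ""), 16)


def parse_policy(show_context: str) -> list[Rule]:
    """Parse deny/permit lines, enforcing the constraints the page states."""
    rules: dict[int, Rule] = {}
    for line in show_context.splitlines():
        m = RULE_RE.match(line)
        if not m:
            if line.split()[:1] in (["deny"], ["permit"]):
                raise ValueError(f"malformed rule: {line.strip()!r}")
            continue  # policy name, prompts, blank lines
        lo, hi = mac_to_int(m.group(2)), mac_to_int(m.group(3) or m.group(2))
        precedence = int(m.group(4))
        if lo > hi:
            raise ValueError(f"range start after end: {line.strip()!r}")
        if not 1 <= precedence <= 1000:
            raise ValueError(f"precedence out of range 1-1000: {precedence}")
        if precedence in rules:
            raise ValueError(f"duplicate precedence {precedence}")
        rules[precedence] = Rule(m.group(1), lo, hi, precedence)
    return [rules[p] for p in sorted(rules)]


def evaluate(rules: list[Rule], client_mac: str) -> Rule | None:
    """First rule, in ascending precedence, whose range holds the client MAC."""
    mac = mac_to_int(client_mac)
    return next((r for r in rules if r.start <= mac <= r.end), None)


def covered(lo: int, hi: int, intervals: list[tuple[int, int]]) -> bool:
    """True if every address in [lo, hi] lies in the union of the intervals."""
    need = lo  # lowest address not yet known to be covered
    for start, end in sorted(intervals):
        if start > need:
            return False  # gap at `need`
        if end >= need:
            need = end + 1
            if need > hi:
                return True
    return False


def shadowed_rules(rules: list[Rule]) -> list[Rule]:
    """Rules whose whole range is already decided by earlier rules."""
    return [
        rule for i, rule in enumerate(rules)
        if covered(rule.start, rule.end, [(p.start, p.end) for p in rules[:i]])
    ]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for mac in ("11-22-33-44-55-15", "11-22-33-44-66-80", "AA-BB-CC-00-00-01"):
        hit = evaluate(policy, mac)
        print(mac, "->", f"{hit.action} (precedence {hit.precedence})" if hit else "no rule")
    for rule in shadowed_rules(policy):
        print(f"precedence {rule.precedence} ({rule.action}) never takes effect")
```

A return value of None from evaluate means no rule in the policy names the client; what the WLAN does with such a client is not modelled here.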
11 ACCESS-LIST

This chapter summarizes IPv4, IPv6, and MAC access list commands in the CLI command structure.

Access lists control access to the managed network using a set of rules also known as Access Control Entries (ACEs). Each rule specifies an action taken when a packet matches that rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed. A set of deny and/or permit rules based on IP (IPv4 and IPv6) addresses constitutes an IP Access Control List (ACL). Similarly, a set of deny and/or permit rules based on MAC addresses constitutes a MAC ACL.

Within a managed network, IP ACLs are used as firewalls to filter packets and also mark packets. IP based firewall rules are specific to the source and destination IP addresses and have unique precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying an IP ACL. With either IPv4 or IPv6, create access rules for traffic entering a controller, service platform, or access point interface. If you are going to deny specific types of packets, it is recommended that you do so before the controller, service platform, or access point spends time processing them, since access rules are given priority over other types of firewall rules.

MAC ACLs are firewalls that filter or mark packets based on the MAC address from which they arrive, as opposed to filtering packets on layer 2 ports. Optionally filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to controller managed packet traffic.

Once defined, an IP and/or MAC ACL (consisting of a set of firewall rules) must be applied to an interface to be a functional filtering tool.

Firewall supported devices (access points, wireless controllers, and service platforms) process firewall rules (within an IP/MAC ACL) sequentially, in ascending order of their precedence value. When a packet matches a rule, the firewall applies the action specified in the rule to determine whether the traffic is allowed or denied. Once a match is made, the firewall does not process subsequent rules in the ACL.

The WiNG software enables the configuration of IP SNMP ACLs. These ACLs control access by combining IP ACLs with SNMP server community strings.

The following ACLs are supported:
• ip-access-list
• mac-access-list
• ipv6-access-list
• ip-snmp-access-list
• ex3500-ext-access-list
• ex3500-std-access-list

Use IP and MAC commands under the global configuration to create an access list.
• When the access list is applied on an Ethernet port, it becomes a port ACL.
• When the access list is applied on a VLAN interface, it becomes a router ACL.

Use the (config) instance to configure a new ACL or modify an existing ACL. To navigate to the (config-access-list) instance, use the following commands:
<DEVICE>(config)#ip access-list <IP-ACCESS-LIST-NAME>
<DEVICE>(config)#mac access-list <MAC-ACCESS-LIST-NAME>
<DEVICE>(config)#ipv6 access-list <IPv6-ACCESS-LIST-NAME>
<DEVICE>(config)#ip snmp-access-list <SNMP-ACCESS-LIST-NAME>
<DEVICE>(config)#ex3500-ext-access-list <EX3500-EXT-ACCESS-LIST-NAME>
<DEVICE>(config)#ex3500-std-access-list <EX3500-STD-ACCESS-LIST-NAME>

ip-access-list

rfs6000-37FABE(config)#ip access-list test
rfs6000-37FABE(config-ip-acl-test)#?
ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  insert   Insert this rule (instead of overwriting a existing rule)
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-ip-acl-test)#

mac-access-list

rfs6000-37FABE(config)#mac access-list test
rfs6000-37FABE(config-mac-acl-test)#?
MAC Extended ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  ex3500   EX3500 device
  insert   Insert this rule (instead of overwriting a existing rule)
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  do       Run commands from Exec mode
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-mac-acl-test)#

NOTE: If creating a new ACL policy, provide a name that uniquely identifies its purpose. The name cannot exceed 32 characters.

ipv6-access-list

rfs6000-37FABE(config-ipv6-acl-test)#?
IPv6 Access Control Mode commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-ipv6-acl-test)#

ip-snmp-access-list

nx9500-6C8809(config-ip-snmp-acl-test)#?
SNMP ACL Configuration commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
nx9500-6C8809(config-ip-snmp-acl-test)#

The WiNG NOC controller also has the capability of adopting and managing EX3500 series switches. These switches are Gigabit Ethernet layer 2 switches with either 24 or 48 10/100/1000-BASE-T ports, and four Small Form Factor Pluggable (SFP) transceiver slots for fiber connectivity. Once adopted to the NOC, various ACLs specifically defined for an EX3500 switch can be used to either prevent or allow specific clients from using it.

The following EX3500 ACLs are supported:
• ex3500-ext-access-list
• ex3500-std-access-list
• ex3500: This configures an EX3500 deny or permit rule in a MAC ACL.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
11.1 ip-access-list

The following table summarizes IP access list configuration commands:

Table 11.1 IP-Access-List-Config Commands

Command | Description | Reference
deny | Creates a deny access rule or modifies an existing rule. A deny access rule rejects packets from specified address(es) and/or destined for specified address(es). | page 11-5
disable | Disables an existing deny or permit rule without removing it from the ACL | page 11-17
insert | Inserts a rule in an IP ACL without overwriting or replacing an existing rule having the same precedence | page 11-20
no | Removes a deny and/or a permit access rule from an IP ACL | page 11-22
permit | Creates a permit access rule or modifies an existing rule. A permit access rule accepts packets from specified address(es) and/or destined for specified address(es). | page 11-23

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
11.1.1 deny

Creates a deny rule that rejects packets from a specified source IP and/or to a specified destination IP. You can also use this command to modify an existing deny rule.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

deny [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]

deny <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

deny dns-name [contains|exact|suffix]

deny dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for IP ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.
Parameters

• deny <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

<NETWORK-SERVICE-ALIAS-NAME>
Applies this deny rule to packets based on service protocols and ports specified in the network-service alias
• <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service alias name (should be existing and configured).
A network-service alias defines service protocols and ports to match. When used with an ACL, the network-service alias defines the service-specific components of the ACL deny rule.
Note: For more information on configuring network-service alias, see alias.

<SOURCE-IP/MASK>
Specifies the source IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified network are dropped.

<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the source IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, received from the addresses identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
A network-group alias defines a single or a range of addresses of devices, hosts, and networks. When used with an ACL, the network-group alias defines the network-specific component of the ACL rule (permit/deny).

any
Specifies the source as any source IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from any source are dropped.

from-vlan <VLAN-ID>
Specifies a single VLAN or a range of VLANs as the match criteria. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified VLAN(s) are dropped.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
Identifies a specific host (as the source to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified network are dropped.

any
Specifies the destination as any destination IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to any destination are dropped.
host <DEST-HOST-IP>
Identifies a specific host (as the destination to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the destination IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, destined for the addresses identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

log
Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. if any specified type of packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

mark [8021p <0-7>|dscp <0-63>]
Specifies packets to mark
• 8021p <0-7> – Marks packets by modifying 802.1p VLAN user priority
• dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

dns-name
Applies this deny rule to packets based on dns-names specified in the network-service

contains
Matches any hostname which has this DNS label (for example, *.test.*)

exact
Matches an exact hostname as specified in the network-service

suffix
Matches any hostname as suffix (for example, *.test)

<WORD>
Identifies a specific host (as the source to match) by its domain name. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are dropped.

log
Logs all deny events matching this dns entry. If a dns-name is matched, an event is logged.
rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

icmp
Applies this deny rule to Internet Control Message Protocol (ICMP) packets only

<SOURCE-IP/MASK>
Specifies the source IP address and mask (A.B.C.D/M) to match. ICMP packets received from the specified sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the source IP addresses. ICMP packets received from the addresses identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any
Specifies the source as any IP address. ICMP packets received from any source are dropped.

from-vlan <VLAN-ID>
Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs identified here are dropped.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to specified destinations are dropped.

<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any
Specifies the destination as any IP address. ICMP packets addressed to any destination are dropped.

host <DEST-HOST-IP>
Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
<ICMP-TYPE>
Defines the ICMP packet type
For example, an ICMP type 0 indicates it is an ECHO REPLY, and type 8 indicates it is an ECHO.

<ICMP-CODE>
Defines the ICMP message type
For example, an ICMP code 3 indicates “Destination Unreachable”, code 1 indicates “Host Unreachable”, and code 3 indicates “Port Unreachable.”
Note: After specifying the source and destination IP address(es), the ICMP message type, and the ICMP code, specify the action taken in case of a match.

log
Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
• <1-5000> – Specify a value from 1 - 5000.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

ip
Applies this deny rule to IP packets only

<SOURCE-IP/MASK>
Specifies the source IP address and mask (A.B.C.D/M) to match. IP packets received from the specified networks are dropped.

<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the source IP addresses. IP packets received from the addresses identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any
Specifies the source as any IP address. IP packets received from any source are dropped.

from-vlan <VLAN-ID>
Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified VLANs are dropped.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified networks are dropped.

any
Specifies the destination as any IP address. IP packets addressed to any destination are dropped.
host <DEST-HOST-IP>
Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the destination IP addresses. IP packets destined for addresses identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

log
Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an IP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

proto
Configures the ACL for additional protocols
Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter

<PROTOCOL-NUMBER>
Filters protocols using their Internet Assigned Numbers Authority (IANA) protocol number
• <PROTOCOL-NUMBER> – Specify the protocol number.

<PROTOCOL-NAME>
Filters protocols using their IANA protocol name
• <PROTOCOL-NAME> – Specify the protocol name.

eigrp
Identifies the Enhanced Internet Gateway Routing Protocol (EIGRP) protocol (number 88)
EIGRP enables routers to maintain copies of neighbors’ routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.

gre
Identifies the General Routing Encapsulation (GRE) protocol (number 47)
GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DEC net, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.
igmp
Identifies the Internet Group Management Protocol (IGMP) protocol (number 2)
IGMP establishes and maintains multicast group memberships to interested members. Multicasting allows a networked computer to send content to multiple computers who have registered to receive the content. IGMP snooping is for listening to IGMP traffic between an IGMP host and routers in the network to maintain a map of the links that require multicast streams. Multicast traffic is filtered out for those links which do not require them.

igp
Identifies any private internal gateway (primarily used by CISCO for their IGRP) (number 9)
IGP enables exchange of information between hosts and routers within a managed network. The most commonly used interior gateway protocol (IGP) protocols are: Routing Information Protocol (RIP) and Open Shortest Path First (OSPF)

ospf
Identifies the OSPF protocol (number 89)
OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.

vrrp
Identifies the Virtual Router Redundancy Protocol (VRRP) protocol (number 112)
VRRP allows a pool of routers to be advertized as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.

<SOURCE-IP/MASK>
Specifies the source IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the source IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the sources defined in the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any
Specifies the source as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are dropped.

from-vlan <VLAN-ID>
Specifies a single VLAN or a range of VLANs as the match criteria. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the VLANs identified here are dropped.
• <VLAN-ID> – Specify the VLAN ID. A range of VLANs is represented by the start and end VLAN IDs separated by a hyphen (for example, 12-20).
Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
Identifies a specific host (as the source to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified destinations are dropped.
any
Specifies the destination as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are dropped.

host <DEST-HOST-IP>
Identifies a specific host (as the destination to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the destination IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the destinations identified in the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
Note: After specifying the source and destination IP address(es), specify the action taken in case of a match.

log
Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. a packet (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

tcp
Applies this deny rule to TCP packets only

udp
Applies this deny rule to UDP packets only

<SOURCE-IP/MASK>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies the source IP address and mask (A.B.C.D/M) to match. TCP/UDP packets received from the specified sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Applies a network-group alias to identify the source IP addresses. TCP/UDP packets received from the VLANs identified here are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
After specifying the source and destination IP address(es), specify the action taken in case of a match.
any
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies the source as any IP address. TCP/UDP packets received from any source are dropped.

from-vlan <VLAN-ID>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies a single VLAN or a range of VLANs as the match criteria. TCP/UDP packets received from the VLANs identified here are dropped.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
Identifies a specific host (as the source to match) by its IP address. TCP/UDP packets received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Sets the destination IP address and mask (A.B.C.D/M) to match. TCP/UDP packets addressed to the specified destinations are dropped.

any
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies the destination as any destination IP address. TCP/UDP packets received from any destination are dropped.

eq <SOURCE-PORT>
Identifies a specific source port
• <SOURCE-PORT> – Specify the exact source port.

host <DEST-HOST-IP>
Identifies a specific host (as the destination to match) by its IP address. TCP/UDP packets addressed to the specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Applies a network-group alias to identify the destination IP addresses. TCP/UDP packets destined to the addresses identified in the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

range <START-PORT> <END-PORT>
Specifies a range of source ports
• <START-PORT> – Specify the first port in the range.
• <END-PORT> – Specify the last port in the range.
eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]
Identifies a specific destination or protocol port to match
• <1-65535> – The destination port is designated by its number
• <SERVICE-NAME> – Specifies the service name
• bgp – The designated Border Gateway Protocol (BGP) protocol port (179)
• dns – The designated Domain Name System (DNS) protocol port (53)
• ftp – The designated File Transfer Protocol (FTP) protocol port (21)
• ftp-data – The designated FTP data port (20)
• gopher – The designated Gopher protocol port (70)
• https – The designated HTTPS protocol port (443)
• ldap – The designated Lightweight Directory Access Protocol (LDAP) protocol port (389)
• nntp – The designated Network News Transfer Protocol (NNTP) protocol port (119)
• ntp – The designated Network Time Protocol (NTP) protocol port (123)
• pop3 – The designated POP3 protocol port (110)
• sip – The designated Session Initiation Protocol (SIP) protocol port (5060)
• smtp – The designated Simple Mail Transfer Protocol (SMTP) protocol port (25)
• ssh – The designated Secure Shell (SSH) protocol port (22)
• telnet – The designated Telnet protocol port (23)
• tftp – The designated Trivial File Transfer Protocol (TFTP) protocol port (69)
• www – The designated www protocol port (80)

range <START-PORT> <END-PORT>
Specifies a range of destination ports
• <START-PORT> – Specify the first port in the range.
• <END-PORT> – Specify the last port in the range.

log
Logs all deny events matching this entry. If a source and/or destination IP address or port is matched (i.e. a TCP/UDP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above:
• rule-precedence – Assigns a precedence for this deny rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines

Use this command to deny traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocols are supported:
• IP
• ICMP
• TCP
• UDP
• PROTO (any Internet protocol other than TCP, UDP, and ICMP)
The last access control entry (ACE) in the access list is an implicit deny statement.

Whenever the interface receives the packet, its content is checked against the ACEs in the ACL. It is allowed or denied based on the ACL configuration.
• Filtering TCP/UDP allows you to specify port numbers as filtering criteria
• Select ICMP as the protocol to allow or deny ICMP packets. Selecting ICMP filters ICMP packets based on ICMP type and code.

Example

rfs6000-37FABE(config-ip-acl-test)#deny proto vrrp any any log rule-precedence 600
rfs6000-37FABE(config-ip-acl-test)#deny proto ospf any any log rule-precedence 650
rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
 deny proto vrrp any any log rule-precedence 600
 deny proto ospf any any log rule-precedence 650
rfs6000-37FABE(config-ip-acl-test)#

Using aliases in an IP access list

The following examples show the usage of network-group aliases:

rfs4000-229D58(config)#ip access-list bar

Example 1:
rfs4000-229D58(config-ip-acl-bar)#permit ip $foo any rule-precedence 10

Example 2:
rfs4000-229D58(config-ip-acl-bar)#permit tcp 192.168.100.0/24 $foobar eq ftp rule-precedence 20

Example 3:
rfs4000-229D58(config-ip-acl-bar)#deny ip $guest  $lab rule-precedence 30

- In example 1, network-group alias $foo is used as a source
- In example 2, network-group alias $foobar is used as a destination
- In example 3, network-group aliases $guest and $lab are used as source and destination respectively.

The following examples show the usage of network-service aliases:

Example 4:
rfs4000-229D58(config-ip-acl-bar)# permit $kerberos 10.60.20.0/24 $kerberos-servers log rule-precedence 40

Example 5:
rfs4000-229D58(config-ip-acl-bar)#permit $Tandem 10.60.20.0/24 $Tandem-servers log rule-precedence 50

In examples 4 and 5:
- The network-service aliases ($kerberos and $Tandem) define the destination protocol-port combinations
- The source network is 10.60.20.0/24
- The destination network-address combinations are defined by the network-group aliases ($kerberos-servers and $Tandem-servers)

NOTE: The log option is functional only for router ACLs. The log option displays an informational logging message about the packet that matches the entry sent to the console.
ACCESS-LISTAccess Point, Wireless Controller and Service Platform CLI Reference Guide  11 - 16Related Commandsno Removes a specified IP deny access rulealias Creates and configures aliases (network, VLAN, and service)

11.1.2 disable
ip-access-list
Disables an existing deny or permit rule without removing it from the ACL. A disabled rule is inactive and is not used to filter packets.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
disable [deny|insert|permit]
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence)

Parameters
• disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence)

disable [deny|insert [deny|permit]|permit]
  Disables a deny or permit access rule without removing it from the ACL
  This command also enables the insertion of a disable deny or permit rule without overwriting an existing rule in the IP ACL.
  Note: To disable an existing deny/permit rule, provide the exact values used to configure the deny or permit rule.
<NETWORK-SERVICE-ALIAS-NAME>
  Specifies the network-service alias, identified by the <NETWORK-SERVICE-ALIAS-NAME> keyword, associated with the deny/permit rule
dns-name [contains|exact|suffix]
  Specifies the packets to reject based on the dns-name match. Applies this deny rule to packets based on dns-names specified in the network-service
icmp
  Disables a rule applicable to ICMP packets only
ip
  Disables a rule applicable to IP packets only
proto <PROTOCOL-OPTIONS>
  Disables a rule applicable to any Internet protocol other than TCP, UDP, or ICMP packets
  • <PROTOCOL-OPTIONS> – Identify the Internet protocol using the options available.
tcp
  Disables a rule applicable to TCP packets only
udp
  Disables a rule applicable to UDP packets only
  Note: After specifying the packet type, specify the source and destination devices and network address(es) to match.
<SOURCE-IP/MASK>
  Specify the source IP address and mask in the A.B.C.D/M format.
<NETWORK-GROUP-ALIAS-NAME>
  Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule
any
  Select ‘any’ if the rule is applicable to any source IP address.
from-vlan <VLAN-ID>
  Specify the VLAN IDs.
host <SOURCE-HOST-IP>
  Specify the source host’s exact IP address.
<DEST-IP/MASK>
  Specify the destination IP address and mask in the A.B.C.D/M format.
<NETWORK-GROUP-ALIAS-NAME>
  Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule
any
  Select ‘any’ if the rule is applicable to any destination IP address.
host <DEST-HOST-IP>
  Specify the destination host’s exact IP address.
log
  Select log, if the rule has been configured to log records in case of a match.
mark [8021p <0-7>|dscp <0-63>]
  Specifies packets to mark
  • 8021p <0-7> – Marks packets by modifying 802.1p VLAN user priority
  • dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
rule-precedence <1-5000>
  Specify the rule precedence. The deny or permit rule with the specified precedence is disabled.
  Note: To enable a disabled rule, enter the rule again without the ‘disable’ keyword.
  Note: The no > disable command removes a disabled rule from the ACL.

Example
The following example shows the ‘auto-tunnel-acl’ settings before the disable command is executed:
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
 permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
 permit ip host 200.200.200.99 any rule-precedence 3
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#disable permit ip host 200.200.200.99 any rule-precedence 3
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#

The following example shows the ‘auto-tunnel-acl’ settings after the disable command is executed:
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
 permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
 disable permit ip host 200.200.200.99 any rule-precedence 3
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#

rfs4000-229D58(config-ip-acl-test)#deny icmp any any log rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#
rfs4000-229D58(config-ip-acl-test)#disable deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 disable deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#

In the following example a disable deny rule has been inserted in the IP ACL “test”:
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 permit icmp any host 192.168.13.7 1 1 rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#
rfs4000-229D58(config-ip-acl-test)#disable insert deny ip any any log rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 disable deny ip any any log rule-precedence 2
 permit icmp any host 192.168.13.7 1 1 rule-precedence 3
rfs4000-229D58(config-ip-acl-test)#

Related Commands
no
  Enables a disabled deny or permit rule
deny
  Creates a new deny access rule or modifies an existing rule
permit
  Creates a new permit access rule or modifies an existing rule
alias
  Creates and configures aliases (network, VLAN, and service)

11.1.3 insert
ip-access-list
Enables the insertion of a rule in an IP ACL without overwriting or replacing an existing rule having the same precedence.
The insert option allows a new rule to be inserted within an IP access list. Consider an IP ACL consisting of rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4, without overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the existing one. The existing precedence 4 rule’s precedence changes to 5, and the change cascades down the list of rules within the ACL. That means rule 5 becomes rule 6, and rule 6 becomes rule 7.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
insert [deny|permit] <PARAMETERS> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters
• insert [deny|permit] <PARAMETERS> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

NOTE: NOT using insert when creating a new rule having the same precedence as an existing rule, overwrites the existing rule.

[deny|permit]
  Inserts a deny or a permit rule within an IP ACL
<PARAMETERS>
  Provide the match criteria for this deny/permit rule. Packets will be filtered based on the criteria set here.
  For more information on the deny rule, see deny.
  For more information on the permit rule, see permit.
log
  After specifying the match criteria, specify the action taken for filtered packets
  Logs all deny/permit events matching this entry. If a source and/or destination IP address is matched an event is logged.
mark [8021p <0-7>|dscp <0-63>]
  Specifies packets to mark
  • 8021p <0-7> – Marks packets by modifying 802.1p VLAN user priority
  • dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
rule-precedence <1-5000> rule-description <LINE>
  Assigns a precedence for this deny/permit rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this new rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

NOTE: The log option is functional only for router ACLs. The log option displays an informational logging message about the packet that matches the entry sent to the console.

Example
rfs4000-229D58(config-ip-acl-test)#deny tcp from-vlan 1 any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#permit icmp any host 192.168.13.7 1 1 rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 permit icmp any host 192.168.13.7 1 1 rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#

In the following example a new rule is inserted between the rules having precedences 1 and 2. The precedence of the existing precedence ‘2’ rule changes to precedence 3.
rfs4000-229D58(config-ip-acl-test)#insert deny ip any any rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 deny ip any any rule-precedence 2
 permit icmp any host 192.168.13.7 1 1 rule-precedence 3
rfs4000-229D58(config-ip-acl-test)#

Related Commands
alias
  Creates and configures aliases (network, VLAN, and service)
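
The overwrite, insert, disable and implicit-deny behaviour described above, modelled as an added example (not code from the WiNG guide or from Extreme Networks) that also flags rules an insert has shadowed. The Rule and IpAcl names, the sample packet, and the handling of gaps in the precedence numbering are assumptions; the from-vlan and ICMP type/code qualifiers of the guide's example rules are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_network

MAX_PRECEDENCE = 5000  # rule-precedence <1-5000>, from the syntax in this guide


def _covers(outer, inner):
    """True if address spec `outer` ("any" or A.B.C.D/M) contains all of `inner`."""
    if outer == "any" or inner == "any":
        return outer == "any"
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


@dataclass
class Rule:                 # hypothetical name, simplified match criteria
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                # "any" or A.B.C.D/M
    dst: str                # "any" or A.B.C.D/M
    disabled: bool = False  # set by the 'disable' command

    def matches(self, proto, src, dst):
        """Does a packet (protocol, source IPv4, destination IPv4) hit this rule?"""
        return (self.proto in ("ip", proto)
                and _covers(self.src, src + "/32")
                and _covers(self.dst, dst + "/32"))

    def covers(self, other):
        """Does this rule match every packet that `other` could match?"""
        return (self.proto in ("ip", other.proto)
                and _covers(self.src, other.src)
                and _covers(self.dst, other.dst))


class IpAcl:                # hypothetical name
    def __init__(self):
        self.rules = {}     # precedence -> Rule

    @staticmethod
    def _check(prec):
        if not 1 <= prec <= MAX_PRECEDENCE:
            raise ValueError(f"rule-precedence {prec} outside 1-{MAX_PRECEDENCE}")

    def add(self, prec, rule):
        """deny/permit without 'insert': overwrites a rule with the same precedence."""
        self._check(prec)
        self.rules[prec] = rule

    def insert(self, prec, rule):
        """'insert': the rule already at `prec` moves to prec+1, cascading down."""
        self._check(prec)
        end = prec
        while end in self.rules:   # ASSUMPTION: a gap in the numbering absorbs the shift
            end += 1
        self._check(end)           # the last shifted rule must still fit in 1-5000
        for p in range(end, prec, -1):
            self.rules[p] = self.rules[p - 1]
        self.rules[prec] = rule

    def disable(self, prec):
        """'disable': the rule stays in the list but no longer filters packets."""
        self.rules[prec].disabled = True

    def remove(self, prec):
        """'no': the rule is deleted from the list."""
        del self.rules[prec]

    def active(self):
        return [(p, r) for p, r in sorted(self.rules.items()) if not r.disabled]

    def evaluate(self, proto, src, dst):
        """First active match in ascending precedence wins; otherwise implicit deny."""
        for prec, rule in self.active():
            if rule.matches(proto, src, dst):
                return rule.action, prec
        return "deny", None

    def shadowed(self):
        """Precedences of active rules fully covered by an earlier active rule."""
        act = self.active()
        return [p for i, (p, r) in enumerate(act)
                if any(earlier.covers(r) for _, earlier in act[:i])]


def page_example_acl():
    """ACL 'test' from the insert example, qualifiers simplified (see lead-in)."""
    acl = IpAcl()
    acl.add(1, Rule("deny", "tcp", "any", "any"))
    acl.add(2, Rule("permit", "icmp", "any", "192.168.13.7/32"))
    return acl


if __name__ == "__main__":
    acl = page_example_acl()
    acl.insert(2, Rule("deny", "ip", "any", "any"))
    # Constructed sample packet: ICMP from 10.0.0.5 to 192.168.13.7
    print(acl.evaluate("icmp", "10.0.0.5", "192.168.13.7"), acl.shadowed())
```

Run against the guide's insert example, the model reports the permit rule that moved to precedence 3 as shadowed by the inserted deny ip any any; inserting that deny in disabled form leaves the permit reachable.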

11.1.4 no
ip-access-list
Removes a deny, permit, or disable rule
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [deny|disable|permit]
no [deny|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp] <RULE-PARAMETERS>
no disable [deny|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp] <RULE-PARAMETERS>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Removes a deny, permit, or disable rule

Usage Guidelines
Removes an access list control entry. Provide the rule-precedence value when using the no command.

Example
The following example shows the ACL ‘test’ settings before the ‘no’ commands are executed:
rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
 deny proto vrrp any any log rule-precedence 600
 deny proto ospf any any log rule-precedence 650
rfs6000-37FABE(config-ip-acl-test)#
rfs6000-37FABE(config-ip-acl-test)#no deny proto vrrp any any rule-precedence 600
rfs6000-37FABE(config-ip-acl-test)#no deny proto ospf any any rule-precedence 650

The following example shows the ACL ‘test’ settings after the ‘no’ commands are executed:
rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
rfs6000-37FABE(config-ip-acl-test)#

11.1.5 permit
ip-access-list
Creates a permit rule that marks packets (from a specified source IP and/or to a specified destination IP) for forwarding. You can also use this command to modify an existing permit rule.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
permit [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]
permit <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}
permit dns-name [contains|exact|suffix]
permit dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit dns-name exact <WORD> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}
permit icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for IP ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.

Parameters
• permit <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

<NETWORK-SERVICE-ALIAS-NAME>
  Applies this permit rule to packets based on service protocols and ports specified in the network-service alias
  • <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service alias name (should be existing and configured).
  A network-service alias defines service protocols and ports to match. When used with an ACL, the network-service alias defines the service-specific components of the ACL permit rule.
  Note: For more information on configuring network-service alias, see alias.
<SOURCE-IP/MASK>
  Specifies the source IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified network are permitted.
<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the source IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, received from the addresses identified by the network-group alias are permitted.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
  A network-group alias defines a single or a range of addresses of devices, hosts, and networks. When used with an ACL, the network-group alias defines the network-specific component of the ACL rule (permit/deny).
any
  Specifies the source as any source IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from any source are permitted.
from-vlan <VLAN-ID>
  Specifies a single VLAN or a range of VLANs as the match criteria. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified VLAN(s) are permitted.
  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP>
  Identifies a specific host (as the source to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are permitted.
  • <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK>
  Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified network are permitted.
any
  Specifies the destination as any destination IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to any destination are permitted.
host <DEST-HOST-IP>
  Identifies a specific host (as the destination to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified host are permitted.
  • <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the destination IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, destined for the addresses identified by the network-group alias are permitted.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
log
  Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. if any specified type of packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
mark [8021p <0-7>|dscp <0-63>]
  Specifies packets to mark
  • 8021p <0-7> – Marks packets by modifying 802.1p VLAN user priority
  • dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
rule-precedence <1-5000> rule-description <LINE>
  The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this permit rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit dns-name [contains|exact (mark)|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

dns-name
  Applies this permit rule to packets based on dns-names specified in the network-service
contains
  Matches any hostname which has this DNS label. (for example, *.test.*)
exact
  Matches an exact hostname as specified in the network-service
suffix
  Matches any hostname as suffix (for example, *.test)
<WORD>
  Identifies a specific host (as the source to match) by its domain name. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are forwarded.
log
  Logs all permit events matching this dns entry. If a dns-name is matched an event is logged.
mark [8021p <0-7>|dscp <0-63>]
  Specifies packets to mark
  • 8021p <0-7> – Marks packets by modifying 802.1p VLAN user priority
  • dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
rule-precedence <1-5000> rule-description <LINE>
  The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

icmp
  Applies this permit rule to ICMP packets only
<SOURCE-IP/MASK>
  Specifies the source IP address and mask (A.B.C.D/M) to match. ICMP packets received from the specified sources are permitted.
<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the source IP addresses. ICMP packets received from the addresses identified by the network-group alias are permitted.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
any
  Specifies the source as any source IP address. ICMP packets received from any source are permitted.
from-vlan <VLAN-ID>
  Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs identified here are permitted.
  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP>
  Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified host are permitted.
  • <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK>
  Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to specified destinations are permitted.
<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses identified by the network-group alias are permitted.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
any
  Specifies the destination as any destination IP address. ICMP packets addressed to any destination are permitted.
host <DEST-HOST-IP>
  Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the specified host are permitted.
  • <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
<ICMP-TYPE>
  Defines the ICMP packet type
  For example, an ICMP type 0 indicates it is an ECHO REPLY, and type 8 indicates it is an ECHO.
<ICMP-CODE>
  Defines the ICMP message type
  For example, an ICMP code 3 indicates “Destination Unreachable”, code 1 indicates “Host Unreachable”, and code 3 indicates “Port Unreachable.”
  Note: After specifying the source and destination IP address(es), the ICMP message type, and the ICMP code, specify the action taken in case of a match.
log
  Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE>
  The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this permit rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

ip
  Applies this permit rule to IP packets only
<SOURCE-IP/MASK>
  Specifies the source IP address and mask (A.B.C.D/M) to match. IP packets received from the specified networks are permitted.
<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the source IP addresses. IP packets received from the addresses identified by the network-group alias are permitted.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
any
  Specifies the source as any source IP address. IP packets received from any source are permitted.
from-vlan <VLAN-ID>
  Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified VLANs are permitted.
  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP>
  Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified host are permitted.
  • <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK>
  Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified networks are permitted.
any
  Specifies the destination as any destination IP address. IP packets addressed to any destination are permitted.
host <DEST-HOST-IP>
  Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified host are permitted.
  • <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the source IP addresses. IP packets destined for addresses identified by the network-group alias are permitted.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
log
  Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. an IP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE>
  The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this permit rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

proto
  Configures the ACL for additional protocols
  Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.
<PROTOCOL-NUMBER>
  Filters protocols using their IANA protocol number
  • <PROTOCOL-NUMBER> – Specify the protocol number.
<PROTOCOL-NAME>
  Filters protocols using their IANA protocol name
  • <PROTOCOL-NAME> – Specify the protocol name.
eigrp
  Identifies the EIGRP protocol (number 88)
  EIGRP enables routers to maintain copies of neighbors’ routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.
gre
  Identifies the GRE protocol (number 47)
  GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DEC net, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.
igmp
  Identifies the IGMP protocol (number 2)
  IGMP establishes and maintains multicast group memberships to interested members. Multicasting allows a networked computer to send content to multiple computers who have registered to receive the content. IGMP snooping is for listening to IGMP traffic between an IGMP host and routers in the network to maintain a map of the links that require multicast streams. Multicast traffic is filtered out for those links which do not require them.
igp
  Identifies any private internal gateway (primarily used by CISCO for their IGRP) (number 9)
  IGP enables exchange of information between hosts and routers within a managed network. The most commonly used interior gateway protocol (IGP) protocols are: Routing Information Protocol (RIP) and Open Shortest Path First (OSPF)
ospf
  Identifies the OSPF protocol (number 89)
  OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.
vrrp
  Identifies the VRRP protocol (number 112)
  VRRP allows a pool of routers to be advertized as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.
<SOURCE-IP/MASK>
  Specifies the source IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified sources are permitted.
<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the source IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the sources defined in the network-group alias are permitted.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
any
  Specifies the source as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are permitted.
from-vlan <VLAN-ID>
  Specifies a single VLAN or a range of VLANs as the match criteria. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the VLANs identified here are permitted.
  • <VLAN-ID> – Specify the VLAN ID. A range of VLANs is represented by the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP>
  Identifies a specific host (as the source to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are permitted.
  • <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK>
  Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified destinations are permitted.
any
Specifies the destination as any destination IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are permitted.

host <DEST-HOST-IP>
Identifies a specific host (as the destination to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are permitted.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the destination IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the destinations identified in the network-group alias are permitted.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
Note: After specifying the source and destination IP address(es), specify the action taken in case of a match.

log
Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. a packet (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this permit rule
  • <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

tcp
Applies this permit rule to TCP packets only

udp
Applies this permit rule to UDP packets only

<SOURCE-IP/MASK>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies the source IP address and mask (A.B.C.D/M) to match. TCP/UDP packets received from the specified sources are permitted.

<NETWORK-GROUP-ALIAS-NAME>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Applies a network-group alias to identify the source IP addresses. TCP/UDP packets received from the VLANs identified here are permitted.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
After specifying the source and destination IP address(es), specify the action taken in case of a match.
any
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies the source as any source IP address. TCP/UDP packets received from any source are permitted.

from-vlan <VLAN-ID>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies a single VLAN or a range of VLANs as the match criteria. TCP/UDP packets received from the VLANs identified here are permitted.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
Identifies a specific host (as the source to match) by its IP address. TCP/UDP packets received from the specified host are permitted.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Sets the destination IP address and mask (A.B.C.D/M) to match. TCP/UDP packets addressed to the specified destinations are permitted.

any
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies the destination as any destination IP address. TCP/UDP packets received from any destination are permitted.

eq <SOURCE-PORT>
Identifies a specific source port
• <SOURCE-PORT> – Specify the exact source port.

host <DEST-HOST-IP>
Identifies a specific host (as the destination to match) by its IP address. TCP/UDP packets addressed to the specified host are permitted.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Applies a network-group alias to identify the destination IP addresses. TCP/UDP packets destined to the addresses identified in the network-group alias are permitted.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

range <START-PORT> <END-PORT>
Specifies a range of source ports
• <START-PORT> – Specify the first port in the range.
• <END-PORT> – Specify the last port in the range.

eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]
Identifies a specific destination or protocol port to match
• <1-65535> – The destination port is designated by its number
• <SERVICE-NAME> – Specifies the service name
• bgp – The designated Border Gateway Protocol (BGP) protocol port (179)
• dns – The designated Domain Name System (DNS) protocol port (53)
• ftp – The designated File Transfer Protocol (FTP) protocol port (21)
• ftp-data – The designated FTP data port (20)
• gopher – The designated Gopher protocol port (70)
• https – The designated HTTPS protocol port (443)
• ldap – The designated Lightweight Directory Access Protocol (LDAP) protocol port (389)
• nntp – The designated Network News Transfer Protocol (NNTP) protocol port (119)
• ntp – The designated Network Time Protocol (NTP) protocol port (123)
• pop3 – The designated POP3 protocol port (110)
• sip – The designated Session Initiation Protocol (SIP) protocol port (5060)
• smtp – The designated Simple Mail Transfer Protocol (SMTP) protocol port (25)
• ssh – The designated Secure Shell (SSH) protocol port (22)
• telnet – The designated Telnet protocol port (23)
• tftp – The designated Trivial File Transfer Protocol (TFTP) protocol port (69)
• www – The designated www protocol port (80)

range <START-PORT> <END-PORT>
Specifies a range of destination ports
• <START-PORT> – Specify the first port in the range.
• <END-PORT> – Specify the last port in the range.

log
Logs all permit events matching this entry. If a source and/or destination IP address or port is matched (i.e. a TCP/UDP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above:
• rule-precedence – Assigns a precedence for this permit rule
  • <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines
Use this command to permit traffic between networks/hosts based on the protocol type selected in the access list. The following protocols are supported:
• IP
• ICMP
• TCP
• UDP
• PROTO (any Internet protocol other than TCP, UDP, and ICMP)
The last ACE in the access list is an implicit deny statement.
Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL. The packet is allowed or denied based on the ACL configuration.
• Filtering on TCP or UDP allows you to specify port numbers as filtering criteria.
• Select ICMP to allow/deny packets. Selecting ICMP filters ICMP packets based on ICMP type and code.

NOTE: The log option is functional only for router ACLs. The log option displays an informational logging message about the packet matching the entry sent to the console.

Example
rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
rfs6000-37FABE(config-ip-acl-test)#
rfs6000-37FABE(config-ip-acl-test)#permit ip 172.16.10.0/24 any log rule-precedence 750
rfs6000-37FABE(config-ip-acl-test)#permit tcp 172.16.10.0/24 any log rule-precedence 800
rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
 permit ip 172.16.10.0/24 any log rule-precedence 750
 permit tcp 172.16.10.0/24 any log rule-precedence 800
rfs6000-37FABE(config-ip-acl-test)#

Related Commands
no – Removes a specified IP permit access rule
alias – Creates and configures aliases (network, VLAN, and service)
11.2 mac-access-list
ACCESS-LIST

The following table summarizes MAC Access list configuration commands:

Table 11.2 MAC-Access-List-Config Commands

| Command | Description | Reference |
|---|---|---|
| deny | Creates a new deny access rule or modifies an existing rule. A deny access rule marks packets for rejection. | page 11-35 |
| disable | Disables a MAC deny or permit rule without removing it from the ACL | page 11-38 |
| ex3500 | Creates a MAC ACL deny and/or permit rule applicable only to the EX3500 switch | page 11-40 |
| insert | Inserts a rule in a MAC ACL without overwriting or replacing an existing rule having the same precedence | page 11-43 |
| no | Removes a deny and/or a permit access rule from a MAC ACL | page 11-45 |
| permit | Creates a new permit access rule or modifies an existing rule. A permit access rule marks packets for forwarding. | page 11-46 |
11.2.1 deny
mac-access-list

Creates a deny rule that marks packets (from a specified source MAC and/or to a specified destination MAC) for rejection. You can also use this command to modify an existing deny rule.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters
• deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for MAC ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.

<SOURCE-MAC> <SOURCE-MAC-MASK>
Configures the source MAC address and mask to match
• <SOURCE-MAC> – Specify the source MAC address to match.
• <SOURCE-MAC-MASK> – Specify the source MAC address mask.
Packets received from the specified MAC addresses are dropped.

any
Identifies all devices as the source to deny access. Packets received from any source are dropped.

host <SOURCE-HOST-MAC>
Identifies a specific host as the source to deny access
• <SOURCE-HOST-MAC> – Specify the source host’s exact MAC address to match. Packets received from the specified host are dropped.

<DEST-MAC> <DEST-MAC-MASK>
Configures the destination MAC address and mask to match
• <DEST-MAC> – Specify the destination MAC address to match.
• <DEST-MAC-MASK> – Specify the destination MAC address mask to match.
Packets addressed to the specified MAC addresses are dropped.

any
Identifies all devices as the destination to deny access. Packets addressed to any destination are dropped.

host <DEST-HOST-MAC>
Identifies a specific host as the destination to deny access
• <DEST-HOST-MAC> – Specify the destination host’s exact MAC address to match. Packets addressed to the specified host are dropped.
dot1p <0-7>
Configures the 802.1p priority value. Sets the service classes for traffic handling
• <0-7> – Specify 802.1p priority from 0 - 7.

type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]
Configures the EtherType value
An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:
• 8021q – Indicates a 802.1q payload (0x8100)
• <1-65535> – Indicates the EtherType protocol number
• aarp – Indicates the Appletalk Address Resolution Protocol (ARP) payload (0x80F3)
• appletalk – Indicates the Appletalk Protocol payload (0x809B)
• arp – Indicates the ARP payload (0x0806)
• ip – Indicates the Internet Protocol, Version 4 (IPv4) payload (0x0800)
• ipv6 – Indicates the Internet Protocol, Version 6 (IPv6) payload (0x86DD)
• ipx – Indicates the Novell’s IPX payload (0x8137)
• mint – Indicates the MiNT protocol payload (0x8783)
• rarp – Indicates the reverse Address Resolution Protocol (ARP) payload (0x8035)
• wisp – Indicates the Wireless Internet Service Provider (WISP) payload (0x8783)

vlan <1-4095>
Configures the VLAN where the traffic is received
• <1-4095> – Specify the VLAN ID from 1 - 4095.

log
Logs all deny events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is received from a specified MAC address or is destined for a specified MAC address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines
The deny command disallows traffic based on layer 2 (data-link layer) data. The MAC access list denies traffic from a particular source MAC address or any MAC address. It can also disallow traffic from a list of MAC addresses based on the source mask.
The MAC access list can disallow traffic based on the VLAN and EtherType.
• ARP
• WISP
• IP
• 802.1q

NOTE: MAC ACLs always take precedence over IP based ACLs.
The last ACE in the access list is an implicit deny statement. Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL. It is allowed or denied based on the ACL’s configuration.

Example
rfs4000-229D58(config-mac-acl-test)#deny 41-85-45-89-66-77 ff-ff-ff-00-00-00 any vlan 1 rule-precedence 1
rfs4000-229D58(config-mac-acl-test)#deny host 00-01-ae-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#

The MAC ACL (in the example below) denies traffic from any source MAC address to a particular host MAC address:
rfs6000-37FABE(config-mac-acl-test)#deny any host 00:01:ae:00:22:11

The following example denies traffic between two hosts based on MAC addresses:
rfs6000-37FABE(config-mac-acl-test)#deny host 01:02:fe:45:76:89 host 01:02:89:78:78:45

Related Commands
no – Removes a specified MAC deny access rule
11.2.2 disable
mac-access-list

Disables a MAC deny or permit rule without removing it from the ACL. A disabled rule is inactive and is not used to filter packets.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
disable [deny|insert|permit]
disable [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}
disable insert [deny|permit]

Parameters
• disable [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}

disable [deny|insert|permit]
Disables a deny, insert or permit access rule without removing it from the MAC ACL
Note: Provide the exact values used to configure the deny or permit rule that is to be disabled.

<SOURCE-MAC> <SOURCE-MAC-MASK>
Specifies the source MAC address and mask to match
• <SOURCE-MAC> – Specify the source MAC address to match.
• <SOURCE-MAC-MASK> – Specify the source MAC address mask.

any
Select ‘any’ if the rule is applicable to any source MAC address

host <SOURCE-HOST-MAC>
Specify the source host’s exact MAC address

<DEST-MAC> <DEST-MAC-MASK>
Specifies the destination MAC address and mask to match
• <DEST-MAC> – Specify the destination MAC address.
• <DEST-MAC-MASK> – Specify the destination MAC address mask.

any
Select ‘any’ if the rule is applicable to any destination MAC address

host <DEST-HOST-MAC>
Specify the destination host’s exact MAC address

log
The following keyword defines the action taken when a packet matches any or all of the above specified criteria
• log – Logs a record when a packet matches the specified criteria
dot1p <0-7>
Specify the 802.1p priority from 0 - 7.

mark [8021p <0-7>|dscp <0-63>]
Marks/modifies packets that match the criteria specified here
• 8021p <0-7> – Modifies 802.1p VLAN user priority from 0 - 7
• dscp <0-63> – Modifies DSCP TOS bits in the IP header from 0 - 63
Note: This option is applicable only to the disable > permit MAC ACL rule.

type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]
Use the available options to specify the EtherType value.

vlan <1-4095>
Specify the VLAN ID(s)

log
Select log, if the rule has been configured to log records in case of a match.

rule-precedence <1-5000> {(rule-description <LINE>)}
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Provide the precedence assigned to this deny or permit rule.
  • <1-5000> – Specify a value from 1 - 5000. The rule with the specified precedence is removed from the MAC ACL.
• rule-description <LINE> – Optional. Enter the description configured for this deny or permit rule.

Example
The following example shows the MAC access list ‘test’ settings before the ‘disable’ command is executed:
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#
rfs4000-229D58(config-mac-acl-test)#disable deny host 00-01-AE-00-22-11 any rule-precedence 2

The following example shows the MAC access list ‘test’ settings after the ‘disable’ command is executed:
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 disable deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#

Related Commands
no – Enables a disabled deny or permit rule
deny – Creates a new deny access rule or modifies an existing rule
permit – Creates a new permit access rule or modifies an existing rule
11.2.3 ex3500
mac-access-list

Creates a MAC ACL deny and/or permit rule, applicable only to the EX3500 switch

Each deny or permit rule consists of a set of match criteria and an associated action, which is deny access for the deny rule and allow access for the permit rule. When applied to layer 2 traffic (between an EX3500 switch and the WiNG managed service platform or a WiNG VM interface) every packet is matched against the configured match criteria and in case of a match the packet is dropped or forwarded depending on the rule type.

EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-based management agent that provides both in-band and out-of-band management access. The EX3500 switch utilizes an embedded HTTP Web agent and command line interface (CLI), which, in spite of being different from that of the WiNG operating system, provides WiNG controllers PoE and port management resources.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2]
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range <TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]

Parameters
• ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range <TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]

NOTE: To implement the EX3500 MAC ACL rule, apply the MAC ACL directly to an EX3500 device, or to an EX35XX profile. For more information, see access-group.

[deny|permit]
Creates a deny or permit MAC ACL rule and configures the rule parameters
Every EX3500 MAC ACL rule provides a set of match criteria against which incoming and outgoing packets (to and from an EX3500 device) are matched. In case of a match, the packet is dropped or forwarded depending on the rule type. The packet is dropped in case of a deny rule, and forwarded for a permit rule.
[all|tagged-eth2|untagged-eth2]
Specifies the packet type
• all – Applies this deny/permit rule to all packets
• tagged-eth2 – Applies this deny/permit rule only to tagged Ethernet-2 packets
• untagged-eth2 – Applies this deny/permit rule only to untagged Ethernet-2 packets
After specifying the packet type, configure the source and/or EX3500 MAC addresses to match.

[any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>]
Enter the Source MAC addresses
• any – Identifies all EX3500 devices as a source to match
• host <SOURCE-MAC> – Identifies a specific EX3500 host as the source to match
  • <SOURCE-MAC> – Specify the source host’s exact MAC address
• network <SOURCE-MAC> <SOURCE-MAC-MASK> – Configures a range of MAC addresses as the source to match. Packets received from any of these MAC addresses are dropped.
  • <SOURCE-MAC> – Specify the source MAC address to match.
  • <SOURCE-MAC-MASK> – Specify the source MAC bit mask.
For a deny rule, packets received from EX3500 device(s) matching the specified MAC address(es) are dropped.
For a permit rule, packets received from EX3500 device(s) matching the specified MAC address(es) are forwarded.

[any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>]
Enter the Destination MAC addresses
• any – Identifies all EX3500 devices as a destination to match
• host <DEST-MAC> – Identifies a specific EX3500 host as the destination to match
  • <DEST-MAC> – Specify the destination host’s exact MAC address
• network <DEST-MAC> <DEST-MAC-MASK> – Configures a range of MAC addresses as the destination to match. Packets addressed to any of these MAC addresses are dropped.
  • <DEST-MAC> – Specify the destination MAC address to match.
  • <DEST-MAC-MASK> – Specify the destination MAC bit mask.
For a deny rule, packets addressed to EX3500 device(s) matching the specified MAC address(es) are dropped.
For a permit rule, packets addressed to EX3500 device(s) matching the specified MAC address(es) are forwarded.

ether-type <0-65535>
Configures the Ethertype protocol number. The ether type is a two-octet field within an Ethernet frame. It indicates the protocol encapsulated in the payload of an Ethernet frame.
• <0-65535> – Specify the value from 0 - 65535. The default value is 1.

ethertype-mask <0-65535>
Configures the Ethertype mask
• <0-65535> – Specify the value from 0 - 65535. The default value is 1.
ex3500-time-range <TIME-RANGE-NAME>
Applies a specified EX3500 time range (should be existing and configured). The deny or permit rule is applied during the time period specified in the EX3500 time range.
• <TIME-RANGE-NAME> – Specify the time range name.
An EX3500 time range list consists of a set of periodic and absolute time range rules. Periodic time ranges recur periodically at specified time periods, such as daily, weekly, weekends, weekdays, and on specific week days, for example on every successive Monday. Absolute time ranges are not periodic and do not recur. They consist of a range of days during a particular time period (the starting and ending days and time are fixed).
Note: For information on configuring EX3500 time-range, see ex3500.

vlan <1-4094>
Configures a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server)
• <1-4094> – Specify the VLAN ID from 1 - 4094.

vlan-mask <1-4095>
Configures the VLAN ID bit mask value
• <1-4095> – Specify the VLAN bit mask from 1 - 4095.

rule-precedence <1-128>
Configures a precedence for this EX3500 MAC ACL
• <1 - 128> – Specify a value from 1 - 128. ACLs with lower precedence are applied first to packets.

Example
nx9500-6C8809(config-mac-acl-ex3500MacACL)#ex3500 deny tagged-eth2 any any vlan 20 rule-precedence 1
nx9500-6C8809(config-mac-acl-ex3500MacACL)#show context
mac access-list ex3500MacACL
 ex3500 deny tagged-eth2 any any vlan 20 rule-precedence 1
nx9500-6C8809(config-mac-acl-ex3500MacACL)#
11.2.4 insert
mac-access-list

Enables the insertion of a rule in a MAC ACL without overwriting or replacing an existing rule having the same precedence

The insert option allows a new rule to be inserted within a MAC ACL. Consider a MAC ACL consisting of rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4, without overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the existing one. The existing precedence 4 rule’s precedence changes to 5, and the change cascades down the list of rules within the ACL. That means rule 5 becomes rule 6, and rule 6 becomes rule 7.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters
• insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

NOTE: Creating a new rule without insert, when it has the same precedence as an existing rule, overwrites the existing rule.

insert [deny|permit]
Inserts a deny or permit rule within a MAC ACL

<PARAMETERS>
Provide the match criteria for this deny/permit rule. Packets will be filtered based on the criteria set here.
For more information on the deny rule, see deny.
For more information on the permit rule, see permit.

dot1p <0-7>
Configures the 802.1p priority value. Sets the service classes for traffic handling
• <0-7> – Specify 802.1p priority from 0 - 7.

mark [8021p <0-7>|dscp <0-63>]
Marks/modifies packets that match the criteria specified here
• 8021p <0-7> – Modifies 802.1p VLAN user priority from 0 - 7
• dscp <0-63> – Modifies DSCP TOS bits in the IP header from 0 - 63
Note: This option is applicable only to the insert > permit MAC ACL rule.
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]
Configures the EtherType value
An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:
• 8021q – Indicates a 802.1q payload (0x8100)
• <1-65535> – Indicates the EtherType protocol number
• aarp – Indicates the Appletalk ARP payload (0x80F3)
• appletalk – Indicates the Appletalk Protocol payload (0x809B)
• arp – Indicates the ARP payload (0x0806)
• ip – Indicates the IPv4 payload (0x0800)
• ipv6 – Indicates the IPv6 payload (0x86DD)
• ipx – Indicates the Novell’s IPX payload (0x8137)
• mint – Indicates the MiNT protocol payload (0x8783)
• rarp – Indicates the reverse ARP payload (0x8035)
• wisp – Indicates the WISP payload (0x8783)

vlan <1-4095>
Configures the VLAN where the traffic is received
• <1-4095> – Specify the VLAN ID from 1 - 4095.

log
Logs all deny/permit events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is received from a specified MAC address or is destined for a specified MAC address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Example
rfs4000-229D58(config-mac-acl-test1)#deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
rfs4000-229D58(config-mac-acl-test1)#deny host B4-C7-99-6D-CD-9B any rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#show context
mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 deny host B4-C7-99-6D-CD-9B any rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#

In the following example a new rule is inserted between the rules having precedences 1 and 2. The precedence of the existing precedence ‘2’ rule changes to precedence 3.
rfs4000-229D58(config-mac-acl-test1)#insert permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#show context
mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
 deny host B4-C7-99-6D-CD-9B any rule-precedence 3
rfs4000-229D58(config-mac-acl-test1)#
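The precedence ordering, implicit deny, `disable` and `insert` behaviour described in sections 11.2.1 through 11.2.4 can be checked offline with a small model; this is an added Python example, not WiNG code or part of the original guide. Assumptions: bits set in a MAC mask are the bits compared, `insert` shifts only the rules it collides with, all function and class names are hypothetical, and the `permit any any` rule at precedence 100 is constructed so that the effect of an overwrite becomes visible.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

FULL_MASK = 0xFFFFFFFFFFFF
MAX_PRECEDENCE = 5000          # rule-precedence <1-5000> in the MAC ACL syntax


def mac(text: str) -> int:
    """Parse AA-BB-CC-DD-EE-FF or aa:bb:cc:dd:ee:ff into a 48-bit integer."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def host(text: str) -> Tuple[int, int]:
    """'host <MAC>' form: every bit of the address must match."""
    return mac(text), FULL_MASK


ANY = (0, 0)                   # 'any': a zero mask compares no bits


@dataclass(frozen=True)
class Rule:
    action: str                # "deny" or "permit"
    src: Tuple[int, int]       # (address, mask)
    dst: Tuple[int, int]
    precedence: int
    vlan: Optional[int] = None
    disabled: bool = False     # state set by the 'disable' command

    def matches(self, src: int, dst: int, vlan: int) -> bool:
        if self.disabled:
            return False       # a disabled rule is not used to filter packets
        if self.vlan is not None and self.vlan != vlan:
            return False
        # Assumption: bits set in the mask are the bits that are compared.
        return all((seen & mask) == (want & mask)
                   for seen, (want, mask) in ((src, self.src), (dst, self.dst)))


def evaluate(acl: List[Rule], src: str, dst: str, vlan: int = 1):
    """Return (action, precedence) of the first match, lowest precedence first."""
    s, d = mac(src), mac(dst)
    for rule in sorted(acl, key=lambda r: r.precedence):
        if rule.matches(s, d, vlan):
            return rule.action, rule.precedence
    return "deny", None        # implicit deny: the last ACE of the access list


def add_rule(acl: List[Rule], new: Rule) -> List[Rule]:
    """Plain deny/permit: an existing rule with the same precedence is overwritten."""
    kept = [r for r in acl if r.precedence != new.precedence]
    return sorted(kept + [new], key=lambda r: r.precedence)


def insert_rule(acl: List[Rule], new: Rule) -> List[Rule]:
    """'insert': the colliding rule moves down by one and the change cascades."""
    by_prec = {r.precedence: r for r in acl}
    carry: Optional[Rule] = new
    while carry is not None:
        if carry.precedence > MAX_PRECEDENCE:
            raise ValueError("cascade would push a rule past precedence 5000")
        displaced = by_prec.get(carry.precedence)
        by_prec[carry.precedence] = carry
        carry = (replace(displaced, precedence=displaced.precedence + 1)
                 if displaced is not None else None)
    return sorted(by_prec.values(), key=lambda r: r.precedence)


def disable_rule(acl: List[Rule], precedence: int) -> List[Rule]:
    """Keep the rule in the list but stop it from filtering."""
    return [replace(r, disabled=True) if r.precedence == precedence else r
            for r in acl]


def sample_acl() -> List[Rule]:
    """ACL 'test1' from the insert example, plus one constructed catch-all."""
    return [
        Rule("deny", (mac("11-22-33-44-55-66"), mac("11-22-33-44-55-77")), ANY, 1),
        Rule("deny", host("B4-C7-99-6D-CD-9B"), ANY, 2),
        Rule("permit", ANY, ANY, 100),      # constructed, not in the guide
    ]


# The rule inserted in the guide's example.
PERMIT_PAIR = Rule("permit", host("B4-C7-99-6D-B5-D6"), host("B4-C7-99-6D-CD-9B"), 2)
BLOCKED, OTHER = "B4-C7-99-6D-CD-9B", "00-11-22-33-44-55"   # OTHER is constructed

if __name__ == "__main__":
    base = sample_acl()
    print("original :", evaluate(base, BLOCKED, OTHER))
    print("insert   :", evaluate(insert_rule(base, PERMIT_PAIR), BLOCKED, OTHER))
    print("overwrite:", evaluate(add_rule(base, PERMIT_PAIR), BLOCKED, OTHER))
    print("disabled :", evaluate(disable_rule(base, 2), BLOCKED, OTHER))
```

With the catch-all permit present, overwriting or disabling the precedence 2 deny rule lets the previously blocked host through, while `insert` keeps it blocked at precedence 3.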

11.2.5 no
mac-access-list
Negates a command or sets its default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [deny|disable|permit]
no [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}
no disable [deny|permit] <RULE-PARAMETERS>

Parameters
• no <PARAMETERS>
no <PARAMETERS> – Removes a deny or permit rule from the MAC ACL

Example
rfs6000-37FABE(config-mac-acl-test)#show context
mac access-list test
 permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
 deny any host 33-44-55-66-77-88 log rule-precedence 700
rfs6000-37FABE(config-mac-acl-test)#no deny any host 33-44-55-66-77-88 log rule-precedence 700
rfs6000-37FABE(config-mac-acl-test)#show context
mac access-list test
 permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610

11.2.6 permit
mac-access-list
Creates a permit rule that marks packets (from a specified source MAC and/or to a specified destination MAC) for forwarding. You can also use this command to modify an existing permit rule.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>,dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters
• permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>,dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}

NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for MAC ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.

<SOURCE-MAC> <SOURCE-MAC-MASK> – Configures the source MAC address and mask to match
  • <SOURCE-MAC> – Specify the source MAC address to match.
  • <SOURCE-MAC-MASK> – Specify the source MAC address mask.
  Packets addressed to the specified MAC addresses are forwarded.
any – Identifies all devices as the source to permit access. Packets addressed from any source are forwarded.
host <SOURCE-HOST-MAC> – Identifies a specific host as the source to permit access
  • <SOURCE-HOST-MAC> – Specify the source host’s exact MAC address to match. Packets addressed to the specified host are forwarded.
<DEST-MAC> <DEST-MAC-MASK> – Configures the destination MAC address and mask to match
  • <DEST-MAC> – Specify the destination MAC address to match.
  • <DEST-MAC-MASK> – Specify the destination MAC address mask to match.
  Packets addressed to the specified MAC addresses are forwarded.
DEST-MAC-MASK – Specifies the destination MAC address mask to match
any – Identifies all devices as the destination to permit access. Packets addressed to any destination are forwarded.
host <DEST-HOST-MAC> – Identifies a specific host as the destination to permit access
  • <DEST-HOST-MAC> – Specify the destination host’s exact MAC address to match. Packets addressed to the specified host are forwarded.
dot1p <0-7> – Configures the 802.1p priority value. Sets the service classes for traffic handling
  • <0-7> – Specify 802.1p priority from 0 - 7.
mark [8021p <0-7>,dscp <0-63>] – Marks/modifies packets that match the criteria specified here
  • 8021p <0-7> – Modifies 802.1p VLAN user priority from 0 - 7
  • dscp <0-63> – Modifies DSCP TOS bits in the IP header from 0 - 63
  Note: This option is applicable only to the MAC ACL permit rule.
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp] – Configures the EtherType value
An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:
  • 8021q – Indicates an 802.1q payload (0x8100)
  • <1-65535> – Indicates the EtherType protocol number
  • aarp – Indicates the Appletalk Address Resolution Protocol (ARP) payload (0x80F3)
  • appletalk – Indicates the Appletalk Protocol payload (0x809B)
  • arp – Indicates the ARP payload (0x0806)
  • ip – Indicates the Internet Protocol, Version 4 (IPv4) payload (0x0800)
  • ipv6 – Indicates the Internet Protocol, Version 6 (IPv6) payload (0x86DD)
  • ipx – Indicates Novell’s IPX payload (0x8137)
  • mint – Indicates the MiNT protocol payload (0x8783)
  • rarp – Indicates the reverse Address Resolution Protocol (ARP) payload (0x8035)
  • wisp – Indicates the Wireless Internet Service Provider (WISP) payload (0x8783)
vlan <1-4095> – Configures the VLAN ID
  • <1-4095> – Specify the VLAN ID from 1 - 4095.
log – Logs all permit events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is addressed to a specified MAC address or is destined for a specified MAC address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this permit rule
    • <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines
The permit command in the MAC ACL allows traffic based on layer 2 (data-link layer) information. A MAC access list permits traffic from a source MAC address or any MAC address. It also has an option to allow traffic from a list of MAC addresses (based on the source mask).
The MAC access list can be configured to allow traffic based on VLAN information, or Ethernet type. Common types include:
• ARP
• WISP
• IP
• 802.1q
Layer 2 traffic is not allowed by default. To adopt an access point through an interface, configure an ACL to allow an Ethernet WISP.
Use the mark option to specify the type of service (tos) and priority value. The tos value is marked in the IP header and the 802.1p priority value is marked in the dot1q frame. Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL. It is marked based on the ACL’s configuration.

Example
rfs6000-37FABE(config-mac-acl-test)#permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
rfs6000-37FABE(config-mac-acl-test)#permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
rfs6000-37FABE(config-mac-acl-test)#show context
mac access-list test
 permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
rfs6000-37FABE(config-mac-acl-test)#

NOTE: To apply an IP based ACL to an interface, a MAC access list entry is mandatory to allow ARP. A MAC ACL always takes precedence over IP based ACLs.

Related Commands
no – Removes or resets a specified MAC ACL permit rule
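
The MAC ACL behaviour described above (precedence ordering, the renumbering done by insert, the default drop of Layer 2 traffic, and the need for an explicit ARP permit) can be checked offline before a rule set is applied. The Python below is an added example, not code from this guide or from WiNG; the rule sets are copied from the guide's own examples. Its function names, first-match evaluation in precedence order, the mask convention (a 1 bit means "compare this bit") and the cascading shift on insert are assumptions.

```python
import re

# EtherType keywords and values as listed in the guide's 'type' parameter table.
ETHERTYPES = {"8021q": 0x8100, "aarp": 0x80F3, "appletalk": 0x809B, "arp": 0x0806,
              "ip": 0x0800, "ipv6": 0x86DD, "ipx": 0x8137, "mint": 0x8783,
              "rarp": 0x8035, "wisp": 0x8783}
FULL_MASK = 0xFFFFFFFFFFFF
BROADCAST = "FF-FF-FF-FF-FF-FF"
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}")

# Rule sets copied from the guide's 'show context' examples (ACLs 'test' and 'test1').
ACL_TEST = """mac access-list test
 permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
 deny any host 33-44-55-66-77-88 log rule-precedence 700
"""
ACL_TEST1 = """mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 deny host B4-C7-99-6D-CD-9B any rule-precedence 2
"""

def mac_to_int(text):
    """Convert 'B4-C7-99-6D-CD-9B' to a 48-bit integer."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(text.replace("-", ""), 16)

def take_address(tokens):
    """Consume 'any', 'host <MAC>' or '<MAC> <MASK>'; return (value, mask)."""
    head = tokens.pop(0)
    if head == "any":
        return (0, 0)
    if head == "host":
        return (mac_to_int(tokens.pop(0)), FULL_MASK)
    # ASSUMPTION: a 1 bit in the mask means "compare this bit of the address".
    return (mac_to_int(head), mac_to_int(tokens.pop(0)))

def parse_rule(line):
    """Parse one permit/deny line of a MAC ACL into a dict."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"not a rule: {line!r}")
    rule = {"action": action, "match": {}, "log": False, "precedence": None,
            "text": " ".join(line.split())}
    rule["src"] = take_address(tokens)
    rule["dst"] = take_address(tokens)
    while tokens:
        key = tokens.pop(0)
        if key == "type":
            word = tokens.pop(0)
            rule["match"]["ethertype"] = ETHERTYPES.get(word) or int(word)
        elif key in ("vlan", "dot1p"):
            rule["match"][key] = int(tokens.pop(0))
        elif key == "mark":  # marking rewrites the frame; it is not a match test
            while tokens and tokens[0] in ("8021p", "dscp"):
                del tokens[:2]
        elif key == "log":
            rule["log"] = True
        elif key == "rule-precedence":
            rule["precedence"] = int(tokens.pop(0))
        elif key == "rule-description":
            rule["description"] = " ".join(tokens)
            tokens.clear()
        else:
            raise ValueError(f"unknown keyword {key!r} in {line!r}")
    if rule["precedence"] is None or not 1 <= rule["precedence"] <= 5000:
        raise ValueError(f"rule-precedence <1-5000> missing or out of range: {line!r}")
    return rule

def ordered(rules):
    return sorted(rules, key=lambda r: r["precedence"])

def parse_acl(show_context):
    """Collect the permit/deny lines of a 'show context' listing, lowest precedence first."""
    return ordered([parse_rule(l) for l in show_context.splitlines()
                    if l.strip().startswith(("permit ", "deny "))])

def evaluate(rules, src, dst, **frame):
    """Return (action, rule_text); frame keywords: ethertype, vlan, dot1p."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for rule in ordered(rules):  # ASSUMPTION: the first match in precedence order wins
        (sv, sm), (dv, dm) = rule["src"], rule["dst"]
        if (s & sm) == (sv & sm) and (d & dm) == (dv & dm) and \
                all(frame.get(k) == v for k, v in rule["match"].items()):
            return rule["action"], rule["text"]
    return "deny", None  # nothing matched: Layer 2 traffic is not allowed by default

def insert_rule(rules, line):
    """Model 'insert': a rule already holding the new precedence moves up by one."""
    new = parse_rule(line)
    slot = new["precedence"]
    for rule in ordered(rules):
        if rule["precedence"] == slot:  # ASSUMPTION: the shift cascades over collisions
            slot += 1
            rule["precedence"] = slot
            rule["text"] = re.sub(r"rule-precedence \d+", f"rule-precedence {slot}",
                                  rule["text"])
    return ordered(rules + [new])

def denied_ethertypes(rules, client_mac, needed=("arp", "wisp")):
    """EtherType keywords for which a broadcast frame from client_mac is dropped."""
    return [name for name in needed
            if evaluate(rules, client_mac, BROADCAST, ethertype=ETHERTYPES[name])[0] == "deny"]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEST)
    print(evaluate(acl, "11-22-33-44-55-66", "33-44-55-66-77-88", ethertype=0x0800))
    print(denied_ethertypes(acl, "22-33-44-55-66-77"))
```

In this model, ACL 'test' forwards a frame from 11-22-33-44-55-66 to 33-44-55-66-77-88 through the precedence 600 permit even though a deny for that destination sits at precedence 700, and it drops ARP from 22-33-44-55-66-77 because that host's only permit is restricted to type ip.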

11.3 ipv6-access-list
ACCESS-LIST
Configures an IPv6 ACL
An IPv6 ACL defines a set of rules that filter IPv6 packets flowing through a port or interface. Each rule specifies the action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed.
The WiNG software supports IPv6 only on VLAN interfaces. Therefore, IPv6 ACLs can be applied only on the VLAN interface.
The following table summarizes IPv6 access list configuration commands:

Table 11.3 IPv6-Access-List-Config Commands
Command | Description | Reference
deny | Creates a deny access rule or modifies an existing rule. A deny access rule rejects IPv6 packets from specified address(es) and/or destined for specified address(es). | page 11-50
no | Removes a deny and/or a permit access rule from an IPv6 ACL | page 11-56
permit | Creates a permit access rule or modifies an existing rule. A permit access rule accepts IPv6 packets from specified address(es) and/or destined for specified address(es). | page 11-57

11.3.1 deny
ipv6-access-list
Creates a deny rule that rejects packets from a specified IPv6 source and/or to a specified IPv6 destination. You can also use this command to modify an existing deny rule.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
deny [icmpv6|ipv6|proto|tcp|udp]
deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters
• deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

icmpv6 – Applies this deny rule to ICMPv6 packets only
<SOURCE-IPv6/MASK> – Specifies a range of IPv6 source address (network) to match. ICMPv6 packets received from any source in the specified network are dropped.
any – Specifies the source as any IPv6 address. ICMPv6 packets received from any source are dropped.
host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. ICMPv6 packets received from the specified host are dropped.
  • <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.
<DEST-IPv6/MASK> – Specifies a range of IPv6 destination address (network) to match. ICMPv6 packets addressed to any destination within the specified network are dropped.
any – Specifies the destination as any IPv6 address. ICMPv6 packets addressed to any destination are dropped.
host <DEST-HOST-IPv6> – Identifies a specific host (as the destination to match) by its IPv6 address. ICMPv6 packets addressed to the specified host are dropped.
  • <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.
<ICMPv6-TYPE> [eq|range] – Defines the ICMPv6 type field filter
  • eq – Configures a specific ICMPv6 type. Specify the ICMPv6 type value.
  • range – Configures a range of ICMPv6 types. Specify the starting and ending ICMPv6 type values.
  Note: ICMPv6 packets with type field value matching the values specified here are dropped.
<ICMPv6-CODE> – Defines the ICMPv6 code field filter
  • eq – Configures a specific ICMPv6 code. Specify the ICMPv6 code value.
  • range – Configures a range of ICMPv6 code. Specify the starting and ending ICMPv6 code values.
  Note: ICMPv6 packets with code field value matching the values specified here are dropped.
log – Logs all deny events matching this entry
rule-precedence <1-5000> – Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE> – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

ipv6 – Applies this deny rule to IPv6 packets only
<SOURCE-IPv6/MASK> – Specifies a range of IPv6 source address (network) to match. IPv6 packets received from any source in the specified network are dropped.
any – Specifies the source as any IPv6 address. IPv6 packets received from any source are dropped.
host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. IPv6 packets received from the specified host are dropped.
  • <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.
<DEST-IPv6/MASK> – Specifies a range of IPv6 destination address (network) to match. IPv6 packets addressed to any destination within the specified network are dropped.
any – Specifies the destination as any IPv6 address. IPv6 packets addressed to any destination are dropped.
host <DEST-HOST-IPv6> – Identifies a specific host (as the destination to match) by its IPv6 address. IPv6 packets addressed to the specified host are dropped.
  • <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.
log – Logs all deny events matching this entry
rule-precedence <1-5000> – Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE> – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

proto – Configures the ACL for additional protocols
Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.
<PROTOCOL-NUMBER> – Filters protocols using their Internet Assigned Numbers Authority (IANA) protocol number
  • <PROTOCOL-NUMBER> – Specify the protocol number.
<PROTOCOL-NAME> – Filters protocols using their IANA protocol name
  • <PROTOCOL-NAME> – Specify the protocol name.
eigrp – Identifies the EIGRP protocol (number 88)
EIGRP enables routers to maintain copies of neighbors’ routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.
gre – Identifies the GRE protocol (number 47)
GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DECnet, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.
igp – Identifies any private internal gateway (primarily used by Cisco for their IGRP) (number 9)
IGP enables exchange of information between hosts and routers within a managed network. The most commonly used IGP protocols are: RIP and OSPF.
ospf – Identifies the OSPF protocol (number 89)
OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.
vrrp – Identifies the VRRP protocol (number 112)
VRRP allows a pool of routers to be advertised as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.
<SOURCE-IPv6/MASK> – Specifies a range of IPv6 source address (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source in the specified network are dropped.
any – Specifies the source as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are dropped.
host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are dropped.
  • <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.
<DEST-IPv6/MASK> – Specifies a range of IPv6 destination address (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination within the specified network are dropped.
any – Specifies the destination as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are dropped.
host <DEST-HOST-IPv6> – Identifies a specific host (as the destination to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are dropped.
  • <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.
log – Logs all deny events matching this entry
rule-precedence <1-5000> – Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE> – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

tcp – Applies this deny rule to TCP packets only
udp – Applies this deny rule to UDP packets only
<SOURCE-IPv6/MASK> – This keyword is common to the ‘tcp’ and ‘udp’ parameters. Specifies a range of IPv6 source address (network) to match. TCP/UDP packets received from any source in the specified network are dropped.
any – This keyword is common to the ‘tcp’ and ‘udp’ parameters. Specifies the source as any IPv6 address. TCP/UDP packets received from any source are dropped.
host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. TCP/UDP packets received from the specified host are dropped.
  • <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.
<DEST-IPv6/MASK> – This keyword is common to the ‘tcp’ and ‘udp’ parameters. Specifies a range of IPv6 destination address (network) to match. TCP/UDP packets addressed to any destination within the specified network are dropped.
any – This keyword is common to the ‘tcp’ and ‘udp’ parameters. Specifies the destination as any destination IPv6 address. TCP/UDP packets received from any destination are dropped.
eq <SOURCE-PORT> – Identifies a specific source port
  • <SOURCE-PORT> – Specify the exact source port.
host <DEST-HOST-IPv6> – Identifies a specific host (as the destination to match) by its IPv6 address. TCP/UDP packets addressed to the specified host are dropped.
  • <DEST-HOST-IPv6> – Specify the destination host’s exact IP address.
range <START-PORT> <END-PORT> – Specifies a range of source ports
  • <START-PORT> – Specify the first port in the range.
  • <END-PORT> – Specify the last port in the range.
eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www] – Identifies a specific destination or protocol port to match
  • <1-65535> – The destination port is designated by its number
  • <SERVICE-NAME> – Specifies the service name
  • bgp – The designated BGP protocol port (179)
  • dns – The designated DNS protocol port (53)
  • ftp – The designated FTP protocol port (21)
  • ftp-data – The designated FTP data port (20)
  • gopher – The designated Gopher protocol port (70)
  • https – The designated HTTPS protocol port (443)
  • ldap – The designated LDAP protocol port (389)
  • nntp – The designated NNTP protocol port (119)
  • ntp – The designated NTP protocol port (123)
  • pop3 – The designated POP3 protocol port (110)
  • sip – The designated SIP protocol port (5060)
  • smtp – The designated SMTP protocol port (25)
  • ssh – The designated SSH protocol port (22)
  • telnet – The designated Telnet protocol port (23)
  • tftp – The designated TFTP protocol port (69)
  • www – The designated www protocol port (80)
range <START-PORT> <END-PORT> – Specifies a range of destination ports
  • <START-PORT> – Specify the first port in the range.
  • <END-PORT> – Specify the last port in the range.
log – Logs all deny events matching this entry
rule-precedence <1-5000> – Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE> – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Example
rfs6000-81742D(config-ipv6-acl-test)#deny icmpv6 any any type eq 1 code eq 0 log rule-precedence 1
rfs6000-81742D(config-ipv6-acl-test)#show context
ipv6 access-list test
 deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
rfs6000-81742D(config-ipv6-acl-test)#

Related Commands
no – Removes a specified deny access rule

11.3.2 no
ipv6-access-list
Removes a deny or permit rule

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [deny|permit]
no [deny|permit] [icmpv6|ipv6|proto|tcp|udp] <RULE-PARAMETERS> {(rule-description <LINE>)}

Parameters
• no <PARAMETERS>
no <PARAMETERS> – Removes a deny or permit rule from the selected IPv6 access list

Example
The following example shows the ACL ‘test’ settings before the ‘no’ commands are executed:
rfs6000-81742D(config-ipv6-acl-test)#show context
ipv6 access-list test
 deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
 permit proto gre any any log rule-precedence 2
rfs6000-81742D(config-ipv6-acl-test)#
rfs6000-81742D(config-ipv6-acl-test)#no deny icmpv6 any any type eq 1 log rule-precedence 1
rfs6000-81742D(config-ipv6-acl-test)#show context
ipv6 access-list test
 permit proto gre any any log rule-precedence 2
rfs6000-81742D(config-ipv6-acl-test)#

11.3.3 permit
ipv6-access-list
Creates a permit rule that accepts packets from a specified IPv6 source and/or to a specified IPv6 destination. You can also use this command to modify an existing permit rule.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
permit [icmpv6|ipv6|proto|tcp|udp]
permit icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters
• permit icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

icmpv6 – Applies this permit rule to ICMPv6 packets only
<SOURCE-IPv6/MASK> – Specifies a range of IPv6 source address (network) to match. ICMPv6 packets received from any source in the specified network are accepted.
any – Specifies the source as any IPv6 address. ICMPv6 packets received from any source are accepted.
host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. ICMPv6 packets received from the specified host are accepted.
  • <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.
<DEST-IPv6/MASK> – Specifies a range of IPv6 destination address (network) to match. ICMPv6 packets addressed to any destination within the specified network are accepted.
any – Specifies the destination as any IPv6 address. ICMPv6 packets addressed to any destination are accepted.
host <DEST-HOST-IPv6> – Identifies a specific host (as the destination to match) by its IPv6 address. ICMPv6 packets addressed to the specified host are accepted.
  • <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.
<ICMPv6-TYPE> [eq|range] – Defines the ICMPv6 type field filter
  • eq – Configures a specific ICMPv6 type. Specify the ICMPv6 type value.
  • range – Configures a range of ICMPv6 types. Specify the starting and ending ICMPv6 type values.
  Note: ICMPv6 packets with type field value matching the values specified here are forwarded.
<ICMPv6-CODE> – Defines the ICMPv6 code field filter
  • eq – Configures a specific ICMPv6 code. Specify the ICMPv6 code value.
  • range – Configures a range of ICMPv6 code. Specify the starting and ending ICMPv6 code values.
  Note: ICMPv6 packets with code field value matching the values specified here are forwarded.
log – Logs all permit events matching this entry
rule-precedence <1-5000> – Assigns a precedence for this permit rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE> – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

ipv6 – Applies this permit rule to IPv6 packets only
<SOURCE-IPv6/MASK> – Specifies a range of IPv6 source address (network) to match. IPv6 packets received from any source in the specified network are forwarded.
any – Specifies the source as any IPv6 address. IPv6 packets received from any source are forwarded.
host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. IPv6 packets received from the specified host are forwarded.
  • <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.
<DEST-IPv6/MASK> – Specifies a range of IPv6 destination address (network) to match. IPv6 packets addressed to any destination within the specified network are forwarded.
any – Specifies the destination as any IPv6 address. IPv6 packets addressed to any destination are forwarded.
host <DEST-HOST-IPv6> – Identifies a specific host (as the destination to match) by its IPv6 address. IPv6 packets addressed to the specified host are forwarded.
  • <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.
log – Logs all permit events matching this entry
rule-precedence <1-5000> – Assigns a precedence for this permit rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE> – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

proto – Configures the ACL for additional protocols
Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.
<PROTOCOL-NUMBER> – Filters protocols using their Internet Assigned Numbers Authority (IANA) protocol number
  • <PROTOCOL-NUMBER> – Specify the protocol number.
<PROTOCOL-NAME> – Filters protocols using their IANA protocol name
  • <PROTOCOL-NAME> – Specify the protocol name.
eigrp – Identifies the EIGRP protocol (number 88)
EIGRP enables routers to maintain copies of neighbors’ routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.
gre – Identifies the GRE protocol (number 47)
GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DECnet, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.
igp – Identifies any private internal gateway (primarily used by Cisco for their IGRP) (number 9)
IGP enables exchange of information between hosts and routers within a managed network. The most commonly used IGP protocols are: RIP and OSPF.
ospf – Identifies the OSPF protocol (number 89)
OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.
vrrp
  Identifies the VRRP protocol (number 112)
  VRRP allows a pool of routers to be advertised as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.
<SOURCE-IPv6/MASK>
  Specifies a range of IPv6 source addresses (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source in the specified network are forwarded.
any
  Specifies the source as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are forwarded.
host <SOURCE-HOST-IPv6>
  Identifies a specific host (as the source to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are forwarded.
  • <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.
<DEST-IPv6/MASK>
  Specifies a range of IPv6 destination addresses (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination within the specified network are forwarded.
any
  Specifies the destination as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are forwarded.
host <DEST-HOST-IPv6>
  Identifies a specific host (as the destination to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are forwarded.
  • <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.
log
  Logs all permit events matching this entry
rule-precedence <1-5000>
  Assigns a precedence for this permit rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
  Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

tcp
  Applies this permit rule to TCP packets only
udp
  Applies this permit rule to UDP packets only
<SOURCE-IPv6/MASK>
  This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Specifies a range of IPv6 source addresses (network) to match. TCP/UDP packets received from any source in the specified network are forwarded.
any
  This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Specifies the source as any IPv6 address. TCP/UDP packets received from any source are forwarded.
host <SOURCE-HOST-IPv6>
  Identifies a specific host (as the source to match) by its IPv6 address. TCP/UDP packets received from the specified host are forwarded.
  • <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.
<DEST-IPv6/MASK>
  This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Specifies a range of IPv6 destination addresses (network) to match. TCP/UDP packets addressed to any destination within the specified network are forwarded.
any
  This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Specifies the destination as any destination IPv6 address. TCP/UDP packets received from any destination are forwarded.
eq <SOURCE-PORT>
  Identifies a specific source port
  • <SOURCE-PORT> – Specify the exact source port.
host <DEST-HOST-IPv6>
  Identifies a specific host (as the destination to match) by its IPv6 address. TCP/UDP packets addressed to the specified host are forwarded.
  • <DEST-HOST-IPv6> – Specify the destination host’s exact IP address.
range <START-PORT> <END-PORT>
  Specifies a range of source ports
  • <START-PORT> – Specify the first port in the range.
  • <END-PORT> – Specify the last port in the range.
eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]
  Identifies a specific destination or protocol port to match
  • <1-65535> – The destination port is designated by its number
  • <SERVICE-NAME> – Specifies the service name
  • bgp – The designated BGP protocol port (179)
  • dns – The designated DNS protocol port (53)
  • ftp – The designated FTP protocol port (21)
  • ftp-data – The designated FTP data port (20)
  • gopher – The designated Gopher protocol port (70)
  • https – The designated HTTPS protocol port (443)
  • ldap – The designated LDAP protocol port (389)
  • nntp – The designated NNTP protocol port (119)
  • ntp – The designated NTP protocol port (123)
  • pop3 – The designated POP3 protocol port (110)
  • sip – The designated SIP protocol port (5060)
  • smtp – The designated SMTP protocol port (25)
  • ssh – The designated SSH protocol port (22)
  • telnet – The designated Telnet protocol port (23)
  • tftp – The designated TFTP protocol port (69)
  • www – The designated www protocol port (80)
range <START-PORT> <END-PORT>
  Specifies a range of destination ports
  • <START-PORT> – Specify the first port in the range.
  • <END-PORT> – Specify the last port in the range.
log
  Logs all permit events matching this entry
rule-precedence <1-5000>
  Assigns a precedence for this permit rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
  Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Example
rfs6000-81742D(config-ipv6-acl-test)#permit proto gre any any log rule-precedence 2
rfs6000-81742D(config-ipv6-acl-test)#show context
ipv6 access-list test
 deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
 permit proto gre any any log rule-precedence 2
rfs6000-81742D(config-ipv6-acl-test)#

Related Commands
no
  Removes a specified permit access rule
11.4 ip-snmp-access-list

SNMP performs network management functions using a data structure called a Management Information Base (MIB). SNMP is widely implemented but not very secure, since it uses only text community strings for accessing controller or service platform configuration files.

Use SNMP ACLs to help reduce SNMP’s vulnerabilities, as SNMP traffic can be exploited to produce a denial of service (DoS).

The following table summarizes SNMP access list configuration commands:

Table 11.4 SNMP-Access-List-Config Commands
Command – Description (Reference)
• deny – Creates a deny SNMP MIB object traffic rule (page 11-64)
• permit – Creates a permit SNMP MIB object traffic rule (page 11-65)
• no – Removes a deny or permit SNMP MIB object traffic rule (page 11-66)
11.4.1 deny
ip-snmp-access-list

Creates a deny SNMP MIB object traffic rule. Use this command to specify the match criteria based on which SNMP traffic is denied.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
deny [<IP/M>|any|host <IP>]

Parameters
• deny [<IP/M>|any|host <IP>]

deny [<IP/M>|any|host <IP>]
  Configures the match criteria for this deny rule
  • <IP/M> – Specifies a network address and mask in the A.B.C.D/M format. Packets received or destined for this network are dropped
  • any – Specifies the match criteria as any. Packets received or destined from any address are dropped
  • host <IP> – Identifies a host by its IP address. Packets received or destined for this host are dropped

Example
rfs6000-81742D(config-ip-snmp-acl-test)#deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#

Related Commands
no
  Removes this deny rule from the IP SNMP ACL
11.4.2 permit
ip-snmp-access-list

Creates a permit SNMP MIB object traffic rule. Use this command to specify the match criteria based on which SNMP traffic is permitted.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
permit [<IP/M>|any|host <IP>]

Parameters
• permit [<IP/M>|any|host <IP>]

permit [<IP/M>|any|host <IP>]
  Configures the match criteria for this permit rule
  • <IP/M> – Specifies a network address and mask in the A.B.C.D/M format. Packets received or destined for this network are forwarded
  • any – Specifies the match criteria as any. Packets received or destined from any address are forwarded
  • host <IP> – Identifies a host by its IP address. Packets received or destined for this host are forwarded

Example
rfs6000-81742D(config-ip-snmp-acl-test)#permit host 192.168.13.13
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 permit host 192.168.13.13
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#

Related Commands
no
  Removes this permit rule from the IP SNMP ACL
11.4.3 no
ip-snmp-access-list

Removes a deny or permit rule from the IP SNMP ACL. Use this command to remove IP SNMP ACL rules as they become obsolete for filtering network access permissions.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [deny|permit] [<IP/M>|any|host <IP>]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Removes deny and/or permit access rule from this IP SNMP ACL

Example
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 permit host 192.168.13.13
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#
rfs6000-81742D(config-ip-snmp-acl-test)#no permit host 192.168.13.13
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#
11.5 ex3500-ext-access-list

IP ACLs function as firewalls that filter or mark packets on layer 3 ports as opposed to MAC ACLs that filter traffic on layer 2 ports.

An IPv4 EX3500 extended ACL is a policy-based ACL that either prevents or allows specific clients from using the EX3500 switch. It allows you to permit or deny client access by specifying that the traffic from a specific host or network and/or the traffic to a specific host or network be either denied or permitted.

An EX3500 extended ACL consists of a set of deny/permit rules that filter packets based on both source and destination IPv4 addresses. Each rule specifies a set of match criteria (the source and destination IP addresses) and has a unique precedence value assigned. These ACL rules are applied sequentially to the traffic at a port, by a firewall-supported device, in an increasing order of their precedence. When a packet matches the criteria specified in a rule the packet is either forwarded or dropped based on the rule type.

NOTE: To implement the EX3500 extended ACL, apply it directly to an EX3500 device, or to an EX35XX profile. For more information, see access-group.

The following table summarizes IPv4 EX3500 extended ACL configuration commands:

Table 11.5 EX3500-Extended-Access-List-Config Commands
Command – Description (Reference)
• deny – Creates a deny access rule or modifies an existing rule. A deny access rule rejects packets from specified address(es) and/or destined to specified address(es). (page 11-68)
• permit – Creates a permit access rule or modifies an existing rule. A permit access rule accepts packets from specified address(es) and/or destined to specified address(es). (page 11-71)
• no – Removes a deny and/or a permit access rule from this IPv4 EX3500 extended ACL (page 11-74)
11.5.1 deny
ex3500-ext-access-list

Creates a deny ACL rule that filters packets based on the source and/or destination IPv4 address, and other specified criteria. You can also use this command to modify an existing deny rule.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

Parameters
• deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

deny [<0-255>|tcp|udp]
  Creates a deny rule and identifies the protocol type. This deny rule is applied only to packets matching the protocol specified here.
  • <0-255> – Identifies the protocol from its number. Specify the protocol number from 0 - 255.
  • tcp – Configures the protocol as TCP
  • udp – Configures the protocol as UDP
[<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
  Specifies the source IP address as any, host, or network
  • <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
  • host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
  • any – Specifies that the source can be any device
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>]
  Specifies the destination IP address as any, host, or network.
  • <DEST-NETWORK-IP/MASK> – Configures a network as the destination. Provide the network’s IPv4 address along with the mask
  • host <DEST-HOST-IP> – Configures a single device as the destination. Provide the host device’s IPv4 address
  • any – Specifies that the destination can be any device
control-flag <0-63>
  Configures the decimal number (representing a bit string) that specifies the control flag bits in byte 14 of the TCP header
  • <0-63> – Specify a value from 0 - 63.
  Note: Control flags can be used only in ACLs designed to filter TCP traffic.
  The TCP header contains several one-bit boolean fields known as flags that influence flow of data across a TCP connection. Ignoring the CWR and ECE flags added for congestion notification by RFC 3168, there are six TCP control flags.
  • URG flag - Marks incoming packet as urgent.
  • ACK flag - Acknowledges receipt of packet
  • PUSH flag - Ensures that the packet is given appropriate priority. Often used at the beginning and end of data transfer.
  • RST flag - Resets the connection. Happens when remote host receives an establish-connection packet, but does not have a service waiting to answer and sends a reply with reset flag.
  • SYN flag - Establishes the 3-way handshake between two hosts
  • FIN flag - Tears down the connection established between two hosts via the 3-way SYN process
destination-port <0-65535>
  Configures the protocol destination port to match. The destination protocol can be TCP, UDP or any other protocol identified by its number (<0-255>).
  • <0-65535> – Specify the destination port from 0 - 65535.
destination-port-bitmark <0-65535>
  Configures the decimal number representing the protocol destination port bits to match
  • <0-65535> – Specify the destination port bits from 0 - 65535.
dscp <0-63>
  Configures the DSCP priority level
  • <0-63> – Specify a value from 0 - 63.
  Note: If specifying DSCP priority, ip-precedence cannot be specified.
ex3500-time-range <TIME-RANGE-NAME>
  Applies a periodic or absolute time range to this rule
  • <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured). For information on configuring EX3500 time-range, see ex3500.
ip-precedence <0-7>
  Configures the IP header precedence
  • <0-7> – Specify a value from 0 - 7.
source-port <0-65535>
  Configures the protocol source port to match. The source protocol can be TCP, UDP or any other protocol identified by its number (<0-255>).
  • <0-65535> – Specify the source port from 0 - 65535.
source-port-bitmark <0-65535>
  Configures the decimal number representing the protocol source port bits to match
  • <0-65535> – Specify the source port bits from 0 - 65535.
rule-precedence <1-128>
  The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence to this deny rule
  • <1-128> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 4 and is applied first to packets.
Usage Guidelines
Use this command to deny traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocols are supported:
• TCP
• UDP
• <0-255> (any Internet protocol other than TCP, UDP, and ICMP)
Packet content is checked against the ACEs in the ACL, and packets are allowed or denied access based on the ACL configuration.
• Filtering TCP/UDP allows you to specify port numbers as filtering criteria

Example
The following example denies outgoing TCP packets from all sources within the 192.168.14.0 network to a specific host 192.168.13.13:
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#

Related Commands
no
  Removes a specified deny access rule from this IPv4 EX3500 extended ACL
11.5.2 permit
ex3500-ext-access-list

Creates a permit ACL rule that filters packets based on the source and/or destination IPv4 address, and other specified criteria. You can also use this command to modify an existing permit rule.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
permit [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

Parameters
• permit [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

permit [<0-255>|tcp|udp]
  Creates a permit rule and identifies the protocol type. This permit rule is applied only to packets matching the protocol specified here.
  • <0-255> – Identifies the protocol from its number. Specify the protocol number from 0 - 255.
  • tcp – Configures the protocol as TCP
  • udp – Configures the protocol as UDP
[<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
  Specifies the source IP address as any, host, or network.
  • <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
  • host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
  • any – Specifies that the source can be any device
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>]
  Specifies the destination IP address as any, host, or network.
  • <DEST-NETWORK-IP/MASK> – Configures a network as the destination. Provide the network’s IPv4 address along with the mask.
  • host <DEST-HOST-IP> – Configures a single device as the destination. Provide the host device’s IPv4 address.
  • any – Specifies that the destination can be any device
control-flag <0-63>
  Configures the decimal number (representing a bit string) that specifies the control flag bits in byte 14 of the TCP header
  • <0-63> – Specify a value from 0 - 63.
  Note: Control flags can be used only in ACLs designed to filter TCP traffic.
  The TCP header contains several one-bit boolean fields known as flags that influence flow of data across a TCP connection. Ignoring the CWR and ECE flags added for congestion notification by RFC 3168, there are six TCP control flags.
  • URG flag - Marks incoming packet as urgent.
  • ACK flag - Acknowledges receipt of packet
  • PUSH flag - Ensures that the packet is given appropriate priority. Often used at the beginning and end of data transfer.
  • RST flag - Resets the connection. Happens when remote host receives an establish-connection packet, but does not have a service waiting to answer and sends a reply with reset flag.
  • SYN flag - Establishes the 3-way handshake between two hosts
  • FIN flag - Tears down the connection established between two hosts via the 3-way SYN process
destination-port <0-65535>
  Configures the protocol destination port to match. The destination protocol can be TCP, UDP or any other protocol identified by its number (<0-255>).
  • <0-65535> – Specify the destination port from 0 - 65535.
destination-port-bitmark <0-65535>
  Configures the decimal number representing the protocol destination port bits to match
  • <0-65535> – Specify the destination port bits from 0 - 65535.
dscp <0-63>
  Configures the DSCP priority level
  • <0-63> – Specify a value from 0 - 63.
  Note: If specifying DSCP priority, ip-precedence cannot be specified.
ex3500-time-range <TIME-RANGE-NAME>
  Applies a periodic or absolute time range to this rule
  • <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured). For information on configuring EX3500 time-range, see ex3500.
ip-precedence <0-7>
  Configures the IP header precedence
  • <0-7> – Specify a value from 0 - 7.
source-port <0-65535>
  Configures the protocol source port to match. The source protocol can be TCP, UDP or any other protocol identified by its number (<0-255>).
  • <0-65535> – Specify the source port from 0 - 65535.
source-port-bitmark <0-65535>
  Configures the decimal number representing the protocol source port bits to match
  • <0-65535> – Specify the source port bits from 0 - 65535.
rule-precedence <1-128>
  The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence to this permit rule
  • <1-128> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 4 and is applied first to packets.
Usage Guidelines
Use this command to permit traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocols are supported:
• TCP
• UDP
• <0-255> (any Internet protocol other than TCP, UDP, and ICMP)
Whenever the interface receives the packet, its content is checked against the ACEs in the ACL. It is allowed or denied based on the ACL configuration.
• Filtering TCP/UDP allows you to specify port numbers as filtering criteria

Example
The following example permits outgoing TCP packets from all sources within the 192.168.14.0 network to any destination, with the TCP control flag set to 16 (acknowledge):
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
 permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#

Related Commands
no
  Removes a specified permit access rule from this IPv4 EX3500 extended ACL
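The following added example (not part of the guide and not Extreme Networks code) parses the EX3500 extended ACL 'test' shown above, checks the constraints the parameter tables state, and evaluates packets against the rules in increasing rule-precedence order. The function names are hypothetical; it assumes control-flag is compared exactly against the six flag bits, reports "no-match" where no rule applies because the guide does not state a default action, and rejects the bitmark and time-range options, which it does not model.

```python
import ipaddress
from dataclasses import dataclass

# Standard TCP flag bits: the six low bits of the flags byte.
TCP_FLAGS = ((32, "URG"), (16, "ACK"), (8, "PSH"), (4, "RST"), (2, "SYN"), (1, "FIN"))

# Numeric options with the ranges from the guide's tables (rule-precedence uses
# the 1-128 syntax range, ip-precedence the 0-7 range of its parameter entry).
INT_OPTS = {"control-flag": (0, 63), "destination-port": (0, 65535),
            "source-port": (0, 65535), "dscp": (0, 63),
            "ip-precedence": (0, 7), "rule-precedence": (1, 128)}

# 'show context' output for ACL 'test' as printed in the permit example.
SHOW_CONTEXT = """\
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
 permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
"""

def decode_control_flag(value):
    """Translate a control-flag decimal (0-63) into TCP flag names."""
    if not 0 <= value <= 63:
        raise ValueError("control-flag must be 0-63")
    return [name for bit, name in TCP_FLAGS if value & bit]

@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    opts: dict

def _take_addr(tokens):
    """Consume '<network>/<mask>', 'any' or 'host <ip>' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok)

def parse_rule(line):
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("deny", "permit"):
        raise ValueError("not a deny/permit rule: %r" % line)
    action, proto = tokens.pop(0), tokens.pop(0)
    if proto not in ("tcp", "udp") and not (proto.isdigit() and int(proto) <= 255):
        raise ValueError("protocol must be tcp, udp or 0-255")
    src, dst = _take_addr(tokens), _take_addr(tokens)
    opts = {}
    while tokens:
        key = tokens.pop(0)
        if key not in INT_OPTS or not tokens:
            raise ValueError("option not modelled or missing value: " + key)
        val, (lo, hi) = tokens.pop(0), INT_OPTS[key]
        if not (val.isdigit() and lo <= int(val) <= hi):
            raise ValueError("%s out of range %d-%d" % (key, lo, hi))
        opts[key] = int(val)
    if "rule-precedence" not in opts:
        raise ValueError("rule-precedence is required by this checker")
    if "control-flag" in opts and proto != "tcp":
        raise ValueError("control-flag is only valid for TCP rules")
    if "dscp" in opts and "ip-precedence" in opts:
        raise ValueError("dscp and ip-precedence cannot be combined")
    return Rule(action, proto, src, dst, opts)

def parse_acl(text):
    """Parse 'show context' output; return rules sorted by precedence."""
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.strip().startswith("ip ex3500-ext-access-list")]
    precs = [r.opts["rule-precedence"] for r in rules]
    if len(precs) != len(set(precs)):
        raise ValueError("rule-precedence values must be unique")
    return sorted(rules, key=lambda r: r.opts["rule-precedence"])

def matches(rule, pkt):
    if rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule.src:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule.dst:
        return False
    for key, want in rule.opts.items():
        if key == "rule-precedence":
            continue
        have = pkt.get(key)
        if key == "control-flag" and have is not None:
            have &= 63  # ignore CWR/ECE, as the guide's flag list does
        if have != want:
            return False
    return True

def evaluate(rules, pkt):
    """Return (action, precedence) of the first matching rule."""
    for rule in sorted(rules, key=lambda r: r.opts["rule-precedence"]):
        if matches(rule, pkt):
            return rule.action, rule.opts["rule-precedence"]
    return "no-match", None
```

Running it against the ACL above shows that an ACK packet from 192.168.14.0/24 to 192.168.13.13 is dropped by rule 1 even though rule 2 would also match, and that a SYN from the same network matches neither rule.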
11.5.3 no
ex3500-ext-access-list

Removes a deny or permit access rule from this IPv4 EX3500 extended ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
no [deny|permit] [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Removes a deny or permit access rule based on the parameters passed

Usage Guidelines
The keyword ‘control-flag <0-63>’ is only applicable to ACL rules filtering TCP traffic.

Example
The following example shows the IPv4 EX3500 extended ACL ‘test’ settings before the ‘no’ commands are executed:
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
 permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#no permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2

The following example shows the IPv4 EX3500 extended ACL ‘test’ settings after the ‘no’ commands are executed:
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
11.6 ex3500-std-access-list

An EX3500 standard ACL is a policy-based ACL that contains a set of filter criteria and action that is applied to traffic originating from a specified source.

NOTE: To implement the EX3500 standard ACL, apply it directly to an EX3500 device, or to an EX35XX profile. For more information, see access-group.

The following table summarizes IPv4 EX3500 standard ACL configuration commands:

Table 11.6 EX3500-Standard-Access-List-Config Commands
Command – Description (Reference)
• deny – Creates a deny rule that rejects packets from a specified source or sources. The source can be a single device or a range of devices within a specified network. Use this command to also edit an existing deny rule. (page 11-76)
• permit – Creates a permit rule that allows packets from a specified source or sources. The source can be a single device or a range of devices within a specified network. Use this command to also edit an existing permit rule. (page 11-77)
• no – Removes a deny and/or a permit access rule from this IPv4 EX3500 extended ACL (page 11-78)
11.6.1 deny
ex3500-std-access-list

Creates a deny rule that rejects packets from a specified source or sources. The source can be a single device or a range of devices within a specified network. Use this command to also edit an existing deny rule.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}

Parameters
• deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}

deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
  Creates a deny rule that rejects packets from a specified source or a network. Use one of the following options to specify the source: any, host, or network.
  • <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
  • host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
  • any – Specifies that the source can be any device
ex3500-time-range <TIME-RANGE-NAME>
  Optional. Applies a periodic or absolute time range to this deny rule
  • <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured). The ACL is triggered during the time period configured in the specified EX3500 time range. For information on configuring EX3500 time-range, see ex3500.

Example
nx9500-6C8809(config-ip-ex3500-std-acl-test)#deny 192.168.14.0/24
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
 deny 192.168.13.0/24
nx9500-6C8809(config-ip-ex3500-std-acl-test)#

Related Commands
no
  Removes a specified deny access rule from this IPv4 EX3500 standard ACL
11.6.2 permit
ex3500-std-access-list

Creates a permit rule that allows packets from a specified source or sources. The source can be a single device or a range of devices within a specified network. Use this command to also edit an existing permit rule.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
permit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}

Parameters
• permit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}

permit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
  Creates a permit rule that allows packets from a specified source or a network. Use one of the following options to specify the source: any, host, or network.
  • <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
  • host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
  • any – Specifies that the source can be any device
ex3500-time-range <TIME-RANGE-NAME>
  Optional. Applies a periodic or absolute time range to this deny rule
  • <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured). The ACL is triggered during the time period configured in the specified EX3500 time range. For information on configuring EX3500 time-range, see ex3500.

Example
nx9500-6C8809(config-ip-ex3500-std-acl-test)#permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
 deny 192.168.14.0/24
 permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#

Related Commands
no
  Removes a specified permit access rule from this IPv4 EX3500 standard ACL
11.6.3 no

Removes a deny or permit access rule from this IPv4 EX3500 standard ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
no [deny|permit] [<SOURCE-IP/MASK>|any|host <IP>] {ex3500-time-range <TIME-RANGE-NAME>}

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes a deny or permit access rule based on the parameters passed

Example
The following example shows the IPv4 EX3500 standard ACL ‘test’ settings before the ‘no’ commands are executed:
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
 deny 192.168.14.0/24
 permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#

nx9500-6C8809(config-ip-ex3500-std-acl-test)#no deny 192.168.14.0/24

The following example shows the IPv4 EX3500 standard ACL ‘test’ settings after the ‘no’ commands are executed:
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
 permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#
12 DHCP-SERVER-POLICY

This chapter summarizes Dynamic Host Configuration Protocol (DHCP) server policy commands in the CLI command structure.

DHCP automatically assigns network IP addresses to requesting clients to give them access to network resources. DHCP tracks IP address assignments, their lease times and their availability. Each subnet can be configured with its own address pool. Whenever a DHCP client requests an IP address, the DHCP server assigns an IP address from that subnet’s address pool. When the controller's (wireless controller, service platform, or access point) onboard DHCP server allocates an address to a DHCP client, the client is assigned a lease, which expires after a pre-determined interval. Before a lease expires, wireless clients (with assigned leases) are expected to renew them to continue using the addresses. Once the lease expires, the client is no longer permitted to use the leased IP address. The controller's DHCP server policy ensures all IP addresses are unique, and no IP address is assigned to a second client while the first client's assignment is valid (its lease has not expired). IP address management is conducted by a controller’s DHCP server and not by an administrator.

The controller’s internal DHCP server groups wireless clients based on defined user-class options. Clients with a defined set of user-class values are segregated by class. A DHCP server can associate multiple classes to each pool. Each class in a pool is assigned an exclusive range of IP addresses. DHCP clients are compared against classes. If the client matches one of the classes assigned to the pool, it receives an IP address from the range assigned to the class. If the client doesn't match any of the classes in the pool, it receives an IP address from a default pool range (if defined).
Multiple IP addresses for a single VLAN allow the configuration of multiple IP addresses, each belonging to different subnets. Class configuration allows a DHCP client to obtain an address from the first pool to which the class is assigned.

Use the (config) instance to configure DHCP/DHCPv6 server policy parameters. To navigate to the config DHCP server policy instance, use the following commands:

<DEVICE>(config)#dhcp-server-policy <POLICY-NAME>

rfs6000-37FABE(config)#dhcp-server-policy test
rfs6000-37FABE(config-dhcp-server-policy-test)#

rfs6000-37FABE(config-dhcp-policy-test)#?
DHCP policy Mode commands:
  bootp        BOOTP specific configuration
  dhcp-class   Configure DHCP class (for address allocation using DHCP
               user-class options)
  dhcp-pool    Configure DHCP server address pool
  dhcp-server  Activating dhcp server based on criteria
  no           Negate a command or set its defaults
  option       Define DHCP server option
  ping         Specify ping parameters used by DHCP Server

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal

rfs6000-37FABE(config-dhcp-policy-test)#
To navigate to the config DHCPv6 server policy instance, use the following commands:

<DEVICE>(config)#dhcpv6-server-policy <POLICY-NAME>

rfs6000-37FABE(config)#dhcpv6-server-policy test
rfs6000-37FABE(config-dhcpv6-server-policy-test)#

rfs6000-37FABE(config-dhcpv6-server-policy-test)#?
DHCPv6 server policy Mode commands:
  dhcpv6-pool              Configure DHCPV6 server address pool
  no                       Negate a command or set its defaults
  option                   Define DHCPv6 server option
  restrict-vendor-options  Restrict vendor specific options to be sent in
                           server reply
  server-preference        Server preference value sent in the reply, by the
                           server to client

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal

rfs6000-37FABE(config-dhcpv6-server-policy-test)#

This chapter is organized as follows:
• dhcp-server-policy
• dhcpv6-server-policy

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
12.1 dhcp-server-policy

The following table summarizes DHCP server policy configuration commands:

Table 12.1 DHCP-Server-Policy-Config Commands
• bootp – Configures a BOOTP specific configuration
• dhcp-class – Configures a DHCP server class
• dhcp-pool – Configures a DHCP server address pool
• dhcp-server – Configures the activation-criteria that triggers dynamic activation of DHCP service running on a redundancy device
• no – Negates a command or sets its default
• option – Defines the DHCP option used in DHCP pools
• ping – Specifies ping parameters used by a DHCP server

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
12.1.1 bootp

Configures a BOOTP specific configuration

Bootstrap Protocol (BOOTP) requests are used by UNIX diskless workstations to obtain the location of their boot image and IP address within the managed network. A BOOTP configuration server provides this information and also assigns an IP address from a configured pool of IP addresses. By default, all BOOTP requests are forwarded to the BOOTP configuration server by the controller. When enabled, this feature allows controllers, using this DHCP server policy, to ignore BOOTP requests.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bootp ignore

Parameters
• bootp ignore

bootp ignore
Enables controllers to ignore BOOTP requests

Example
rfs6000-37FABE(config-dhcp-policy-test)#bootp ignore
rfs6000-37FABE(config-dhcp-policy-test)#show context
dhcp-server-policy test
 bootp ignore
rfs6000-37FABE(config-dhcp-policy-test)#

Related Commands
• no – Disables the ignore BOOTP requests option
12.1.2 dhcp-class

A controller, service platform, or access point’s local DHCP server assigns IP addresses to requesting DHCP clients based on user class option names. The DHCP server can assign IP addresses from as many IP address ranges as defined by an administrator. The DHCP user class associates a particular range of IP addresses to a device in such a way that all devices of that type are assigned IP addresses from the defined range.

A DHCP user class applies different DHCP settings to a set of wireless clients. Wireless clients using the same DHCP settings are grouped under one DHCP class. Grouping users into classes facilitates the provision of differentiated service.

The following table summarizes DHCP class configuration commands:

Table 12.2 DHCP-Class Config Commands
• dhcp-class – Creates a DHCP class and enters its configuration mode
• dhcp-class-mode commands – Invokes DHCP class configuration commands
12.1.2.1 dhcp-class

Creates a DHCP server class and enters its configuration mode. Use this command to configure user class option values. Once defined, the controller’s internal DHCP server uses the configured values to group wireless clients into DHCP classes. Therefore, each user class consists of wireless clients sharing the same set of user class values.

You can also use this command to modify an existing DHCP user class’s settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcp-class <DHCP-CLASS-NAME>

Parameters
• dhcp-class <DHCP-CLASS-NAME>

<DHCP-CLASS-NAME>
Creates a DHCP user class
• <DHCP-CLASS-NAME> – Specify a name that appropriately identifies this class of wireless clients. If the class does not exist, it is created. The class name should not exceed 32 characters in length.

Example
rfs6000-37FABE(config-dhcp-policy-test)#dhcp-class dhcpclass1
rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#?
DHCP class Mode commands:
  multiple-user-class  Enable multiple user class option
  no                   Negate a command or set its defaults
  option               Configure DHCP Server options

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal

rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#

Related Commands
• no – Removes a configured DHCP user class policy
12.1.2.2 dhcp-class-mode commands

Use DHCP class mode commands to configure the parameters of the DHCP user class.

The following table summarizes DHCP user class configuration commands:

Table 12.3 DHCP-Class-Config-Mode Commands
• multiple-user-class – Enables multiple user class option for this DHCP user class policy
• no – Negates a command or sets its default
• option – Configures DHCP user class options for this DHCP user class policy
12.1.2.2.1 multiple-user-class

Enables multiple user class option for this DHCP user class policy. Enabling this option allows this user class to transmit multiple option values to other DHCP servers also supporting multiple user class options.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
multiple-user-class

Parameters
None

Example
rfs6000-37FABE(config-dhcp-policy-test-class-class1)#multiple-user-class
rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#show context
 dhcp-class dhcpclass1
  multiple-user-class
rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#

Related Commands
• no – Disables the multiple user class option for the selected DHCP user class policy
12.1.2.2.2 no

Removes this DHCP user class policy’s settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [multiple-user-class|option]
no option user-class <VALUE>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Disables multiple user class options on this DHCP user class policy

Example
The following example shows the DHCP class settings before the ‘no’ commands are executed:
rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#show context
 dhcp-class dhcpclass1
  option user-class hex
  multiple-user-class
rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#

rfs6000-37FABE(config-dhcp-policy-test-class-class1)#no multiple-user-class
rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#no option user-class hex

The following example shows the DHCP class settings after the ‘no’ commands are executed:
rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#show context
 dhcp-class dhcpclass1
rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#
12.1.2.2.3 option

Configures DHCP user class options for this DHCP user class policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
option user-class <VALUE>

Parameters
• option user-class <VALUE>

user-class <VALUE>
Configures DHCP user class options
• <VALUE> – Specify the DHCP user class option’s ASCII value.

Example
rfs6000-37FABE(config-dhcp-policy-test-class-class1)#option user-class hex
rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#show context
 dhcp-class dhcpclass1
  option user-class hex
  multiple-user-class
rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#

Related Commands
• no – Removes the configured DHCP user class option
12.1.3 dhcp-pool

The DHCP pool command creates and manages a pool of IP addresses. These IP addresses are assigned to devices using the DHCP protocol. IP addresses have to be unique for each device in the network. Since IP addresses are finite, DHCP ensures that every device, in the network, is issued a unique IP address by tracking the issue, release, and reissue of IP addresses.

The DHCP pool command configures a finite set of IP addresses that can be assigned whenever a device joins a network.

The following table summarizes DHCP pool configuration mode commands:

Table 12.4 DHCP-Pool-Config Commands
• dhcp-pool – Creates a DHCP pool and enters its configuration mode
• dhcp-pool-mode commands – Summarizes DHCP pool configuration mode commands
12.1.3.1 dhcp-pool

Configures a DHCP server address pool

DHCP services are available for specific IP interfaces. A pool (or range) of IP network addresses and DHCP options can be created for each IP interface defined. This range of addresses is available to DHCP enabled wireless devices on either a permanent or leased basis. This enables the reuse of limited IP address resources for deployment in any network. DHCP options are provided to each DHCP client with a DHCP response and provide DHCP clients with the information required to access network resources (default gateway, domain name, DNS server and WINS server configuration). An option exists to identify the vendor and functionality of a DHCP client. The information is a variable-length string of characters (or octets) with a meaning specified by the vendor of the DHCP client.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcp-pool <POOL-NAME>

Parameters
• dhcp-pool <POOL-NAME>

<POOL-NAME>
Creates a DHCP server address pool
• <POOL-NAME> – Specify a name that appropriately identifies this DHCP address pool. If the pool does not exist, it is created. The pool name cannot be modified as part of the edit process. However, an obsolete address pool can be deleted.

Example
rfs6000-37FABE(config-dhcp-policy-test)#dhcp-pool pool1
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1)#?
DHCP pool Mode commands:
  address              Configure network pool's included addresses
  bootfile             Boot file name
  ddns                 Dynamic DNS Configuration
  default-router       Default routers
  dns-server           DNS Servers
  domain-name          Configure domain-name
  excluded-address     Prevent DHCP Server from assigning certain addresses
  lease                Address lease time
  netbios-name-server  NetBIOS (WINS) name servers
  netbios-node-type    NetBIOS node type
  network              Network on which DHCP server will be deployed
  next-server          Next server in boot process
  no                   Negate a command or set its defaults
  option               Raw DHCP options
  respond-via-unicast  Send DHCP offer and DHCP Ack as unicast messages
  static-binding       Configure static address bindings
  static-route         Add static routes to be installed on dhcp clients
  update               Control the usage of DDNS service

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal

rfs6000-37FABE(config-dhcp-policy-test-pool-pool1)#

Related Commands
• no – Removes a specified DHCP address pool
12.1.3.2 dhcp-pool-mode commands

Configures the DHCP pool parameters

The following table summarizes DHCP pool configuration commands:

Table 12.5 DHCP-Pool-Config-Mode Commands
• address – Specifies a range of addresses for a DHCP address pool
• bootfile – Assigns a bootfile name. The bootfile name can contain letters, numbers, dots and hyphens. Consecutive dots and hyphens are not permitted.
• ddns – Configures dynamic DNS parameters
• default-router – Configures a default router or gateway IP address for the network pool
• dns-server – Sets a DNS server’s IP address available to all DHCP clients connected to the DHCP pool
• domain-name – Sets the domain name for the network pool
• excluded-address – Prevents a DHCP server from assigning certain addresses to the DHCP pool
• lease – Sets a valid lease for the IP address used by DHCP clients in the DHCP pool
• netbios-name-server – Configures a NetBIOS (WINS) name server’s IP address
• netbios-node-type – Defines the NetBIOS node type
• network – Configures the network on which the DHCP server is deployed
• next-server – Configures the next server in the boot process
• no – Negates a command or sets its default
• option – Configures RAW DHCP options
• respond-via-unicast – Sends a DHCP offer and DHCP Ack as unicast messages
• static-route – Configures a static route for a DHCP pool
• update – Controls the usage of the DDNS service
• static-binding – Configures static address bindings
12.1.3.2.1 address

Adds IP addresses to the DHCP address pool. These IP addresses are assigned to each device joining the network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
address [<IP>|<HOST-ALIAS-NAME>|range]
address [<IP>|<HOST-ALIAS-NAME>|range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]] {class <DHCP-CLASS-NAME>}

Parameters
• address [<IP>|<HOST-ALIAS-NAME>|range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]] {class <DHCP-CLASS-NAME>}

<IP>
Adds a single IP address to the DHCP address pool

<HOST-ALIAS-NAME>
Adds a single host mapped to the specified host alias. The host alias should be existing and configured.
A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
Adds a range of IP addresses to the DHCP address pool. Use one of the following options to provide the first IP address in the range:
• <START-IP> – Specifies the first IP address in the range
• <START-HOST-ALIAS-NAME> – Specifies a host alias, mapped to the first IP address in the range
Use one of the following options to provide the last IP address in the range:
• <END-IP> – Specifies the last IP address in the range
• <END-HOST-ALIAS-NAME> – Specifies a host alias, mapped to the last IP address in the range
The host aliases should be existing and configured.

class <DHCP-CLASS-NAME>
Optional. Applies additional DHCP options, or a modified set of options to those available to wireless clients. For more information, see dhcp-class.
• <DHCP-CLASS-NAME> – Sets the DHCP class.
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#address 192.168.13.4 class dhcpclass1
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
• no – Removes the DHCP pool’s configured IP addresses
• dhcp-class – Creates and configures the DHCP class parameters
• alias – Creates and configures a network, VLAN, host, string, and network-service aliases
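The class matching described in the chapter introduction (a client that matches a class gets an address from that class's range, any other client gets one from the default range if defined) can be modelled over `address` lines like the one above. This is an added example, not Extreme Networks code: `parse_pool`, `offer`, `CLASS_VALUES` and the sample values are hypothetical, and it assumes exact matching of the user-class value, lowest-free-address selection, and no fallback when a class range is exhausted.

```python
import ipaddress

# Constructed sample: "address" lines as they appear under a dhcp-pool context.
POOL_CONFIG = """\
dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  address range 192.168.13.10 192.168.13.11 class dhcpclass1
  address range 192.168.13.20 192.168.13.29 class dhcpclass2
  address range 192.168.13.100 192.168.13.199
"""

# Constructed: class name -> value set with "option user-class <VALUE>".
CLASS_VALUES = {"dhcpclass1": "handheld", "dhcpclass2": "printer"}


def parse_pool(text):
    """Return [(first, last, class_or_None)] for every 'address' line.

    Host aliases ($NAME) are not resolved; only literal IPv4 addresses
    are accepted.
    """
    ranges = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] != "address":
            continue
        cls = None
        if "class" in tok:
            idx = tok.index("class")
            if idx + 1 >= len(tok):
                raise ValueError(f"class name missing: {raw.strip()!r}")
            cls, tok = tok[idx + 1], tok[:idx]
        if len(tok) == 4 and tok[1] == "range":
            first, last = tok[2], tok[3]
        elif len(tok) == 2:
            first = last = tok[1]
        else:
            raise ValueError(f"unrecognised address line: {raw.strip()!r}")
        first = ipaddress.IPv4Address(first)
        last = ipaddress.IPv4Address(last)
        if first > last:
            raise ValueError(f"range start after end: {raw.strip()!r}")
        ranges.append((first, last, cls))
    return ranges


def offer(user_class, ranges, class_values, leased):
    """Pick an address for a client that sent `user_class` (None if absent).

    `leased` is the set of addresses already handed out; it is updated in place.
    Returns None when no eligible address is free.
    """
    pool_classes = {cls for _, _, cls in ranges if cls is not None}
    matched = {name for name in pool_classes
               if user_class is not None and class_values.get(name) == user_class}
    # A matching client is confined to its class ranges; everyone else
    # is confined to the unclassified (default) ranges.
    wanted = matched if matched else {None}
    for first, last, cls in ranges:
        if cls not in wanted:
            continue
        for n in range(int(first), int(last) + 1):
            ip = ipaddress.IPv4Address(n)
            if ip not in leased:
                leased.add(ip)
                return ip
    return None


if __name__ == "__main__":
    ranges, leased = parse_pool(POOL_CONFIG), set()
    for claimed in ("handheld", "printer", "unknown", None, "handheld"):
        print(f"{claimed!r:12} -> {offer(claimed, ranges, CLASS_VALUES, leased)}")
```

The user-class value is taken from the client's own DHCP request, so a class range classifies clients; it does not authenticate them.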
12.1.3.2.2 bootfile

The Bootfile command provides a diskless node path to the image file while booting up. Only one file can be configured for each DHCP pool.

For more information on the BOOTP protocol with reference to the DHCP policy, see bootp.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bootfile <IMAGE-FILE-PATH>

Parameters
• bootfile <IMAGE-FILE-PATH>

<IMAGE-FILE-PATH>
Sets the path to the boot image for BOOTP clients. The file name can contain letters, numbers, dots and hyphens. Consecutive dots and hyphens are not permitted.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#bootfile test.txt
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  bootfile test.txt
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
• no – Resets the boot image path for BOOTP clients
• bootp – Configures BOOTP protocol parameters
12.1.3.2.3 ddns

Configures Dynamic Domain Name Service (DDNS) parameters. Dynamic DNS provides a way to access an individual device in a DHCP serviced network using a static device name.

Depending on the DHCP server’s configuration, the IP address of a device changes periodically. To ensure continuous accessibility to a device (having a dynamic IP address), the device’s current IP address is published to a DDNS server that resolves the static device name (used to access the device) with a changing IP address.

The DDNS server must be accessible from outside the network and must be configured as an address resolver.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ddns [domainname|multiple-user-class|server|ttl]
ddns domainname <DDNS-DOMAIN-NAME>
ddns multiple-user-class
ddns server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
ddns ttl <1-864000>

Parameters
• ddns domainname <DDNS-DOMAIN-NAME>
• ddns multiple-user-class
• ddns server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
• ddns ttl <1-864000>

domainname <DDNS-DOMAIN-NAME>
Sets the domain name used for DNS updates
The controller uses DNS to convert human readable host names into IP addresses. Host names are not case sensitive and can contain alphabetic or numeric letters or a hyphen. A Fully Qualified Domain Name (FQDN) consists of a host name plus a domain name. For example, computername.domain.com.

multiple-user-class
Enables the multiple user class options with this DDNS domain

server
Configures the DDNS server used by this DHCP profile

[<IP>|<HOST-ALIAS-NAME>]
Configures the primary DDNS server. This is the default server.
Use one of the following options to specify the primary DDNS server:
• <IP> – Specifies the primary DDNS server’s IP address
• <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary DDNS server’s IP address. The host alias should be existing and configured.
A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

{<IP1>|<HOST-ALIAS-NAME1>}
Optional. Configures the secondary DDNS server. If the primary server is not reachable, this server is used.
Use one of the following options to identify the secondary DDNS server:
• <IP1> – Specifies the secondary DDNS server’s IP address
• <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary DDNS server’s IP address. The host alias should be existing and configured.

ttl <1-864000>
Configures the Time To Live (TTL) value for DDNS updates
• <1-864000> – Specify a value from 1 - 864000 seconds.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#ddns domainname WID
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#ddns multiple-user-class
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#ddns server 192.168.13.9
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  bootfile test.txt
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
• no – Resets or disables a DHCP pool’s DDNS settings
12.1.3.2.4 default-router

Configures a default router or gateway IP address for a network pool

After a DHCP client has booted, the client begins sending packets to its default router. Set the IP address of one or a group of routers the controller uses to map host names into IP addresses available to DHCP supported clients. Up to 8 default router IP addresses are supported.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
• default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

[<IP>|<HOST-ALIAS-NAME>]
Configures the primary default router, using one of the following options:
• <IP> – Specifies the primary default router’s IP address
• <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary default router’s IP address

{<IP1>|<HOST-ALIAS-NAME1>}
Optional. Configures the secondary default router, using one of the following options:
• <IP1> – Specifies the secondary default router’s IP address
• <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary default router’s IP address. If the primary default router is unavailable, the secondary router is used.
A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.
A maximum of 8 default routers can be configured.

Usage Guidelines
The IP address of the router should be on the same subnet as the client subnet.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#default-router 192.168.13.8 192.168.13.9
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
• no – Removes the default router settings

12.1.3.2.5 dns-server
dhcp-pool-mode commands

Configures a network’s DNS server. The DNS server supports all clients connected to networks supported by the DHCP server.

For DHCP clients, the DNS server’s IP address maps the hostname to an IP address. DHCP clients use the DNS server’s IP address based on the order (sequence) configured.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
• dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

[<IP>|<HOST-ALIAS-NAME>]
Configures the primary DNS server, using one of the following options:
• <IP> – Specifies the primary DNS server’s IP address
• <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary DNS server’s IP address
A maximum of 8 DNS servers can be configured.
To redirect DNS queries to OpenDNS, the DNS server IP addresses provided here must point to the OpenDNS resolver (208.67.220.220 or 208.67.222.222). OpenDNS is a proxy DNS server that provides additional functionality, such as Web filtering, reporting, and performance enhancements in addition to DNS services. When configured on a WLAN, DNS queries from wireless clients are redirected to OpenDNS. The following example illustrates the configuration:
dhcp-server-policy dhcppolicy
 dhcp-pool dhcppool
  network 192.168.1.0/24
  address range 192.168.1.160 192.168.1.200
  default-router 192.168.1.105
  dns-server 208.67.220.220
Note, the above example shows the OpenDNS server as being 208.67.220.220. The alternative IP address 208.67.222.222 can also be used.
For more information on the entire configuration that needs to be done to integrate WiNG access points, controllers, and service platforms with OpenDNS, see opendns.

{<IP1>|<HOST-ALIAS-NAME1>}
Optional. Configures the secondary DNS server, using one of the following options:
• <IP1> – Specifies the secondary DNS server’s IP address
• <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary DNS server’s IP address. If the primary DNS server is unavailable, the secondary server is used.
A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.
A maximum of 8 DNS servers can be configured.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#dns-server 192.168.13.19
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Removes DNS server settings

12.1.3.2.6 domain-name
dhcp-pool-mode commands

Sets the domain name for the DHCP pool. This is the domain name used by the controller with this pool.

Domain names are not case sensitive and can contain alphabetic or numeric letters or a hyphen. The FQDN consists of the host name and the domain name. For example, computername.domain.com.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
domain-name <DOMAIN-NAME>

Parameters
• domain-name <DOMAIN-NAME>

<DOMAIN-NAME>
Defines the DHCP pool’s domain name

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#domain-name documentation
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  domain-name documentation
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Removes a DHCP pool’s domain name

12.1.3.2.7 excluded-address
dhcp-pool-mode commands

Identifies a single IP address or a range of IP addresses, included in the DHCP address pool, that cannot be assigned to clients by the DHCP server

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
excluded-address [<IP>|<HOST-ALIAS-NAME>|range]
excluded-address <IP>
excluded-address <HOST-ALIAS-NAME>
excluded-address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]

Parameters
• excluded-address <IP>
• excluded-address <HOST-ALIAS-NAME>
• excluded-address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]

<IP>
Adds a single IP address to the excluded address list

<HOST-ALIAS-NAME>
Adds a host alias. The host alias is mapped to a host’s IP address. The host identified by the host alias is added to the excluded address list. The host alias should already exist and be configured.
A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
Adds a range of IP addresses to the excluded address list.
Use one of the following options to provide the first IP address in the range:
• <START-IP> – Specifies the first IP address in the range
• <START-HOST-ALIAS-NAME> – Specifies a host alias, mapped to the first IP address in the range
Use one of the following options to provide the last IP address in the range:
• <END-IP> – Specifies the last IP address in the range
• <END-HOST-ALIAS-NAME> – Specifies a host alias, mapped to the last IP address in the range
The host aliases should already exist and be configured.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#excluded-address range 192.168.13.25 192.168.13.28
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  domain-name documentation
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Removes the excluded IP address settings

12.1.3.2.8 lease
dhcp-pool-mode commands

A lease is the duration a DHCP issued IP address is valid. Once a lease expires, and if the lease is not renewed, the IP address is revoked and is available for reuse. Generally, before an IP lease expires, the client tries to get the same IP address issued for the next lease period. This feature is enabled by default, with a lease period of 24 hours (1 day).

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
lease [<0-365>|infinite]
lease infinite
lease <0-365> {<0-23>} {<0-59>} {<0-59>}

Parameters
• lease infinite

infinite
The lease never expires (equal to a static IP address assignment)

• lease <0-365> {<0-23>} {<0-59>} {<0-59>}

<0-365>
Configures the lease duration in days
Note: Days may be 0 only when hours and/or minutes are greater than 0.

<0-23>
Optional. Sets the lease duration in hours

<0-59>
Optional. Sets the lease duration in minutes

<0-59>
Optional. Sets the lease duration in seconds

Usage Guidelines
If the lease parameter is not configured on the DHCP pool, the default is used. The default is 24 hours.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#lease 100 23 59 59
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  lease 100 23 59 59
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  domain-name documentation
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Resets values or disables the DHCP pool lease settings

12.1.3.2.9 netbios-name-server
dhcp-pool-mode commands

Configures the NetBIOS (WINS) name server’s IP address. This server is used to resolve NetBIOS host names.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
• netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

[<IP>|<HOST-ALIAS-NAME>]
Configures the primary NetBIOS name server, using one of the following options:
• <IP> – Specifies the primary NetBIOS name server’s IP address
• <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary NetBIOS name server’s IP address

{<IP1>|<HOST-ALIAS-NAME1>}
Optional. Configures the secondary NetBIOS name server, using one of the following options:
• <IP1> – Specifies the secondary NetBIOS name server’s IP address
• <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary NetBIOS name server’s IP address. If the primary NetBIOS name server is unavailable, the secondary server is used.
A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  lease 100 23 59 59
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  domain-name documentation
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Removes the NetBIOS name server settings

12.1.3.2.10 netbios-node-type
dhcp-pool-mode commands

Defines the predefined NetBIOS node type. The NetBIOS node type resolves NetBIOS names to IP addresses.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
netbios-node-type [b-node|h-node|m-node|p-node]

Parameters
• netbios-node-type [b-node|h-node|m-node|p-node]

[b-node|h-node|m-node|p-node]
Defines the NetBIOS node type
• b-node – Sets the node type as broadcast. Uses broadcasts to query nodes on the network for the owner of a NetBIOS name.
• h-node – Sets the node type as hybrid. Uses a combination of two or more nodes.
• m-node – Sets the node type as mixed. A mixed node uses broadcast queries to find a node, and failing that, queries a known p-node name server for the address.
• p-node – Sets the node type as peer-to-peer. Uses directed calls to communicate with a known NetBIOS name server (such as a WINS server), for the IP address of a NetBIOS machine.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#netbios-node-type b-node
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  lease 100 23 59 59
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  domain-name documentation
  netbios-node-type b-node
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Removes the NetBIOS node type settings

12.1.3.2.11 network
dhcp-pool-mode commands

Configures the DHCP server’s network settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
network [<IP/M>|<NETWORK-ALIAS-NAME>]

Parameters
• network [<IP/M>|<NETWORK-ALIAS-NAME>]

<IP/M>
Configures the network number and mask (for example, 192.168.13.0/24)

<NETWORK-ALIAS-NAME>
Configures a network alias to identify the network number and mask
• <NETWORK-ALIAS-NAME> – Specify the network alias name. It should already exist and be configured.
A network alias defines a single network address. For example, ‘alias network $NET 1.1.1.0/24’. In this example, the network alias name is: $NET and the network it is mapped to is: 1.1.1.0/24. For more information, see alias.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#network 192.168.13.0/24
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  lease 100 23 59 59
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  domain-name documentation
  netbios-node-type b-node
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Removes the network number and mask configured for this DHCP pool

12.1.3.2.12 next-server
dhcp-pool-mode commands

Configures the next server in the boot process

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
next-server [<IP>|<HOST-ALIAS-NAME>]

Parameters
• next-server [<IP>|<HOST-ALIAS-NAME>]

<IP>
Configures the next server’s (the first server in the boot process) IP address

<HOST-ALIAS-NAME>
Configures a host alias, mapped to the next server’s IP address
• <HOST-ALIAS-NAME> – Specify the host alias name. It should already exist and be configured.
A host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#next-server 192.168.13.26
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  lease 100 23 59 59
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  domain-name documentation
  netbios-node-type b-node
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
  next-server 192.168.13.26
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Removes the next server configuration settings
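
The limits documented for the pool commands above (default routers on the client subnet, at most 8 default-router and dns-server entries, excluded addresses inside the pool network, the lease field ranges) can be checked mechanically against a pool's show context output before the policy is committed. The following Python is an added example, not part of this guide or of the WiNG software. The function names, the finding strings and the optional approved-resolver list are assumptions, and the sample pool is constructed from the values used in the examples above.

```python
import ipaddress

# Constructed sample in the layout `show context` prints for a pool,
# using the values from this guide's examples.
SAMPLE_POOL = """\
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  lease 100 23 59 59
  excluded-address range 192.168.13.25 192.168.13.28
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
  next-server 192.168.13.26
"""

MAX_SERVERS = 8  # documented limit for default-router and dns-server
LEASE_LIMITS = (("days", 365), ("hours", 23), ("minutes", 59), ("seconds", 59))


def parse_pool(text):
    """Map each command keyword to the list of its argument lists."""
    pool = {}
    for line in text.splitlines():
        words = line.split()
        if words:
            pool.setdefault(words[0], []).append(words[1:])
    return pool


def literal_ips(args):
    """Parse literal addresses; host aliases ($NAME) cannot be resolved offline.

    A token that is neither an alias nor a valid address raises ValueError.
    """
    return [ipaddress.ip_address(a) for a in args if not a.startswith("$")]


def check_lease(args):
    """Validate `lease infinite` or `lease <0-365> {<0-23>} {<0-59>} {<0-59>}`."""
    if args == ["infinite"]:
        return ["lease infinite: leases never expire"]
    if not 1 <= len(args) <= 4 or not all(a.isdigit() for a in args):
        return [f"lease: malformed arguments {args}"]
    values = [int(a) for a in args]
    findings = [f"lease: {name} {v} exceeds {limit}"
                for v, (name, limit) in zip(values, LEASE_LIMITS) if v > limit]
    days, hours, minutes = (values + [0, 0, 0])[:3]
    if days == 0 and hours == 0 and minutes == 0:
        findings.append("lease: days may be 0 only when hours or minutes are greater than 0")
    return findings


def audit_pool(text, approved_dns=None):
    """Return a list of findings for one dhcp-pool context (empty list = clean).

    approved_dns is a hypothetical site allow-list of resolver addresses.
    """
    pool = parse_pool(text)
    findings = []

    net = None  # stays None when the network is given as an alias or is absent
    for args in pool.get("network", []):
        if args and not args[0].startswith("$"):
            net = ipaddress.ip_network(args[0], strict=False)

    for key in ("default-router", "dns-server"):
        for args in pool.get(key, []):
            if len(args) > MAX_SERVERS:
                findings.append(f"{key}: {len(args)} entries, maximum is {MAX_SERVERS}")

    # Usage guideline: the router should be on the same subnet as the clients.
    for args in pool.get("default-router", []):
        findings += [f"default-router {ip} is outside pool network {net}"
                     for ip in literal_ips(args) if net is not None and ip not in net]

    # Every client of the pool resolves names through these servers.
    if approved_dns is not None:
        allowed = {ipaddress.ip_address(a) for a in approved_dns}
        for args in pool.get("dns-server", []):
            findings += [f"dns-server {ip} is not an approved resolver"
                         for ip in literal_ips(args) if ip not in allowed]

    for args in pool.get("excluded-address", []):
        is_range = args[:1] == ["range"]
        ips = literal_ips(args[1:3] if is_range else args[:1])
        if is_range and len(ips) == 2 and ips[0] > ips[1]:
            findings.append(f"excluded-address range {ips[0]} {ips[1]} is reversed")
        findings += [f"excluded-address {ip} is outside pool network {net}"
                     for ip in ips if net is not None and ip not in net]

    for args in pool.get("lease", []):
        findings += check_lease(args)
    return findings


if __name__ == "__main__":
    for finding in audit_pool(SAMPLE_POOL, approved_dns=["208.67.220.220", "208.67.222.222"]):
        print(finding)
```

Host and network aliases are skipped rather than guessed, so a pool that uses them needs its alias definitions resolved before these checks say anything about those entries.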

12.1.3.2.13 no
dhcp-pool-mode commands

Removes or resets this DHCP user pool’s settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [address|bootfile|ddns|default-router|dns-server|domain-name|excluded-address|lease|netbios-name-server|netbios-node-type|network|next-server|option|respond-via-unicast|static-binding|static-route|update]
no [bootfile|default-router|dns-server|domain-name|lease|netbios-name-server|netbios-node-type|next-server|network|respond-via-unicast]
no address [<IP>|<HOST-ALIAS-NAME>|all]
no address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
no ddns [domainname|multiple-user-class|server|ttl]
no excluded-address [<IP>|<HOST-ALIAS-NAME>]
no excluded-address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
no option <OPTION-NAME>
no static-binding client-identifier <CLIENT-IDENTIFIER>
no static-binding hardware-address <MAC>
no static-route <IP/MASK> <GATEWAY-IP>
no update dns {override}

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes or resets this DHCP user pool’s settings

Example
The following example shows the DHCP pool settings before the ‘no’ commands are executed:
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  lease 100 23 59 59
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  domain-name documentation
  netbios-node-type b-node
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
  next-server 192.168.13.26
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no bootfile
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no network
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no default-router
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no next-server
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no domain-name
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no ddns domainname
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no lease
The following example shows the DHCP pool settings after the ‘no’ commands are executed:
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  netbios-node-type b-node
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

12.1.3.2.14 option
dhcp-pool-mode commands

Configures raw DHCP options. The DHCP option must be configured under the DHCP server policy. The options configured under the DHCP pool/DHCP server policy can also be used in static-bindings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>]

Parameters
• option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>]

<OPTION-NAME>
Sets the name of the DHCP option

<DHCP-OPTION-IP>
Sets DHCP option as an IP address

<DHCP-OPTION-ASCII>
Sets DHCP option as an ASCII string
NOTE: An option name in ASCII format accepts a backslash (\) as input, but the backslash is not displayed in the output (use show running-config to view the output). Use a double backslash to represent a single backslash.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#option option1 157.235.208.80
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  netbios-node-type b-node
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
  option option1 157.235.208.80
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Resets values or disables the DHCP pool option settings

12.1.3.2.15 static-route
dhcp-pool-mode commands

Configures a static route for a DHCP pool. Static routes define a gateway for traffic intended for other networks. This gateway is always used when an IP address does not match any route in the network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
static-route <IP/M> <IP>

Parameters
• static-route <IP/M> <IP>

<IP/M>
Specifies the IP destination prefix (for example, 10.0.0.0/8)

<IP>
Specifies the gateway IP address

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#static-route 192.168.13.0/24 192.168.13.7
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  netbios-node-type b-node
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
  option option1 157.235.208.80
  respond-via-unicast
  static-route 192.168.13.0/24 192.168.13.7
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Removes static route settings

12.1.3.2.16 respond-via-unicast
dhcp-pool-mode commands

Sends DHCP offer and acknowledgement as unicast messages

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
respond-via-unicast

Parameters
None

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#respond-via-unicast
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  netbios-node-type b-node
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
  option option1 157.235.208.80
  respond-via-unicast
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Disables sending of a DHCP offer and DHCP Ack as unicast messages. When disabled, sends offer and acknowledgement as broadcast messages.

12.1.3.2.17 update
dhcp-pool-mode commands

Controls the use of the DDNS service

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
update dns {override}

Parameters
• update dns {override}

dns {override}
Configures Dynamic DNS parameters
• override – Optional. Enables Dynamic DNS updates on an onboard DHCP server

Usage Guidelines
A DHCP client cannot perform updates for the A, TXT and PTR resource records (RRs). Use update dns {override} to enable the internal DHCP server to send DDNS updates for resource records. The DHCP server can override the client, even if the client is configured to perform the updates.
In the DHCP server’s DHCP pool, FQDN is configured as the DDNS domain name. This is used internally in DHCP packets between the DHCP server and the DNS server.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#update dns override
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  update dns override
  ddns server 192.168.13.9
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  netbios-node-type b-node
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
  option option1 157.235.208.80
  respond-via-unicast
  static-route 192.168.13.0/24 192.168.13.7
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

Related Commands
no    Removes dynamic DNS service control

12.1.3.3 static-binding
dhcp-pool-mode commands

Configures static IP address information for a particular device. Static address binding is executed on the device’s hostname, client identifier, or MAC address. Static bindings allow the configuration of client parameters, such as DHCP server, DNS server, default routers, fixed IP address, etc.

The following table summarizes static binding configuration commands:

Table 12.6 Static-Binding-Config Commands
Command                       Description                                                        Reference
static-binding                Creates a static binding policy and enters its configuration mode  page 12-40
static-binding-mode commands  Invokes static binding configuration commands                      page 12-42

12.1.3.3.1 static-binding
static-binding

Configures static address bindings

A static address binding is a collection of configuration parameters, including an IP address, associated with, or bound to, a DHCP client. Bindings are managed by DHCP servers. DHCP bindings automatically map a device MAC address to an IP address using a pool of DHCP supplied addresses. Static bindings assign IP addresses without creating numerous host pools with manual bindings. Static host bindings use a text file the DHCP server reads. It eliminates the need for a lengthy configuration file and reduces the space required to maintain address pools.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
static-binding [client-identifier <CLIENT>|hardware-address <MAC>]

Parameters
• static-binding [client-identifier <CLIENT>|hardware-address <MAC>]

client-identifier <CLIENT>
Enables a static binding configuration for a client based on its client identifier (as provided by DHCP option 61 and its key value)
• <CLIENT> – Specify the client identifier (DHCP option 61).

hardware-address <MAC>
Enables a static binding configuration for a client based on its MAC address
• <MAC> – Specify the MAC address of the client.

Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#static-binding client-identifier test
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  update dns override
  ddns server 192.168.13.9
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  netbios-node-type b-node
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
  option option1 157.235.208.80
  respond-via-unicast
  static-route 192.168.13.0/24 192.168.13.7
  static-binding client-identifier test
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#

rfs4000-229D58(config-dhcp-policy-test-pool-testPool-binding-test)#?
DHCP static binding Mode commands:
  bootfile             Boot file name
  client-name          Client name
  default-router       Default routers
  dns-server           DNS Servers
  domain-name          Configure domain-name
  ip-address           Fixed IP address for host
  netbios-name-server  NetBIOS (WINS) name servers
  netbios-node-type    NetBIOS node type
  next-server          Next server in boot process
  no                   Negate a command or set its defaults
  option               Raw DHCP options
  respond-via-unicast  Send DHCP offer and DHCP Ack as unicast messages
  static-route         Add static routes to be installed on dhcp clients
  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal
rfs4000-229D58(config-dhcp-policy-test-pool-testPool-binding-test)#

rfs6000-37FABE(config-dhcp-policy-test-pool-pool1)#static-binding hardware-address 11-22-33-44-55-66
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-11-22-33-44-55-66)#?
DHCP static binding Mode commands:
  bootfile             Boot file name
  client-name          Client name
  default-router       Default routers
  dns-server           DNS Servers
  domain-name          Configure domain-name
  ip-address           Fixed IP address for host
  netbios-name-server  NetBIOS (WINS) name servers
  netbios-node-type    NetBIOS node type
  next-server          Next server in boot process
  no                   Negate a command or set its defaults
  option               Raw DHCP options
  respond-via-unicast  Send DHCP offer and DHCP Ack as unicast messages
  static-route         Add static routes to be installed on dhcp clients
  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-11-22-33-44-55-66)#

Related Commands
no                            Resets values or disables the DHCP policy static binding settings
static-binding-mode commands  Invokes static binding configuration commands
12.1.3.3.2 static-binding-mode commands

The following table summarizes static binding configuration mode commands:

Table 12.7 Static-Binding-Config-Mode Commands

Command              Description  Reference
bootfile             Assigns a Bootfile name for the DHCP configuration on the network pool  page 12-43
client-name          Configures a client name  page 12-44
default-router       Configures default router or gateway IP address  page 12-45
dns-server           Sets the DNS server’s IP address available to all DHCP clients connected to the DHCP pool  page 12-46
domain-name          Sets the network pool’s domain name  page 12-47
ip-address           Configures a host’s fixed IP address  page 12-48
netbios-name-server  Configures a NetBIOS (WINS) name server IP address  page 12-49
netbios-node-type    Defines the NetBIOS node type  page 12-50
next-server          Specifies the next server used in the boot process  page 12-51
no                   Negates a command or sets its default  page 12-52
option               Configures raw DHCP options  page 12-53
respond-via-unicast  Sends a DHCP offer and DHCP Ack as unicast messages  page 12-54
static-route         Adds static routes installed on DHCP clients  page 12-55
12.1.3.3.3 bootfile

The Bootfile command provides a diskless node the path to the image file used while booting up. Only one file can be configured for each static IP binding.

For more information on the BOOTP protocol with reference to static binding, see bootp.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bootfile <IMAGE-FILE-PATH>

Parameters
• bootfile <IMAGE-FILE-PATH>

<IMAGE-FILE-PATH>
    Sets the path to the boot image for BOOTP clients. The file name can contain letters, numbers, dots and hyphens. Consecutive dots and hyphens are not permitted.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#bootfile test.txt
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   bootfile test.txt
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no     Resets values or disables DHCP pool static binding settings
bootp  Configures BOOTP protocol parameters
12.1.3.3.4 client-name

Configures the client’s name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
client-name <NAME>

Parameters
• client-name <NAME>

<NAME>
    Specify the name of the client using this static IP address host pool. Do not include the domain name.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#client-name RFID
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   client-name RFID
   bootfile test.txt
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings
12.1.3.3.5 default-router

Configures a default router or gateway IP address for the static binding configuration

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
• default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

[<IP>|<HOST-ALIAS-NAME>]
    Configures the primary default router, using one of the following options:
    • <IP> – Specifies the primary default router’s IP address
    • <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary default router’s IP address
{<IP1>|<HOST-ALIAS-NAME1>}
    Optional. Configures the secondary default router, using one of the following options:
    • <IP1> – Specifies the secondary default router’s IP address
    • <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary default router’s IP address. If the primary default router is unavailable, the secondary router is used.
    A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

Usage Guidelines
The IP address of the router should be on the same subnet as the client subnet.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#default-router 172.16.10.8 172.16.10.9
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   client-name RFID
   bootfile test.txt
   default-router 172.16.10.8 172.16.10.9
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings
12.1.3.3.6 dns-server

Configures the DNS server for this static binding configuration. This DNS server supports the client for which the static binding has been configured.

For this client, the DNS server’s IP address maps the host name to an IP address. DHCP clients use the DNS server’s IP address based on the order (sequence) configured.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
• dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

[<IP>|<HOST-ALIAS-NAME>]
    Configures the primary DNS server, using one of the following options:
    • <IP> – Specifies the primary DNS server’s IP address
    • <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary DNS server’s IP address
{<IP1>|<HOST-ALIAS-NAME1>}
    Optional. Configures the secondary DNS server, using one of the following options:
    • <IP1> – Specifies the secondary DNS server’s IP address
    • <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary DNS server’s IP address. If the primary DNS server is unavailable, the secondary DNS server is used.
    A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#dns-server 172.16.10.7
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   client-name RFID
   bootfile test.txt
   default-router 172.16.10.8 172.16.10.9
   dns-server 172.16.10.7
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings
12.1.3.3.7 domain-name

Sets the domain name for the static binding configuration

Domain names are not case sensitive and contain alphabetic or numeric letters (or a hyphen). A fully qualified domain name (FQDN) consists of a host name plus a domain name. For example, computername.domain.com

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
domain-name <DOMAIN-NAME>

Parameters
• domain-name <DOMAIN-NAME>

<DOMAIN-NAME>
    Defines the domain name for the static binding configuration

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#domain-name documentation
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   client-name RFID
   domain-name documentation
   bootfile test.txt
   default-router 172.16.10.8 172.16.10.9
   dns-server 172.16.10.7
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables the DHCP pool static binding settings
12.1.3.3.8 ip-address

Configures a fixed IP address for a host

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip-address [<IP>|<HOST-ALIAS-NAME>]

Parameters
• ip-address [<IP>|<HOST-ALIAS-NAME>]

<IP>
    Configures a fixed IP address (in dotted decimal format) of the client using this host pool
<HOST-ALIAS-NAME>
    Configures a host alias identifying the fixed IP address of the client using this host pool
    A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#ip-address 172.16.10.9
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   ip-address 172.16.10.9
   client-name RFID
   domain-name documentation
   bootfile test.txt
   default-router 172.16.10.8 172.16.10.9
   dns-server 172.16.10.7
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings
12.1.3.3.9 netbios-name-server

Configures the NetBIOS (WINS) name server’s IP address. This server is used to resolve NetBIOS host names.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
• netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

[<IP>|<HOST-ALIAS-NAME>]
    Configures the primary NetBIOS server, using one of the following options:
    • <IP> – Specifies the primary NetBIOS name server’s IP address
    • <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary NetBIOS name server’s IP address
{<IP1>|<HOST-ALIAS-NAME1>}
    Optional. Configures the secondary NetBIOS name server, using one of the following options:
    • <IP1> – Specifies the secondary NetBIOS name server’s IP address
    • <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary NetBIOS name server’s IP address. If the primary NetBIOS name server is unavailable, the secondary server is used.
    A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#netbios-name-server 172.16.10.23
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   ip-address 172.16.10.9
   client-name RFID
   domain-name documentation
   bootfile test.txt
   default-router 172.16.10.8 172.16.10.9
   dns-server 172.16.10.7
   netbios-name-server 172.16.10.23
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings
12.1.3.3.10 netbios-node-type

Configures different predefined NetBIOS node types. The NetBIOS node defines the way a device resolves NetBIOS names to IP addresses.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
netbios-node-type [b-node|h-node|m-node|p-node]

Parameters
• netbios-node-type [b-node|h-node|m-node|p-node]

[b-node|h-node|m-node|p-node]
    Defines the NetBIOS node type
    • b-node – Sets the node type as broadcast. Uses broadcasts to query nodes on the network for the owner of a NetBIOS name.
    • h-node – Sets the node type as hybrid. Uses a combination of two or more nodes.
    • m-node – Sets the node type as mixed. A mixed node uses broadcast queries to find a node, and failing that, queries a known p-node name server for the address.
    • p-node – Sets the node type as peer-to-peer. Uses directed calls to communicate with a known NetBIOS name server (such as a WINS server), for the IP address of a NetBIOS machine.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#netbios-node-type b-node
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   ip-address 172.16.10.9
   client-name RFID
   domain-name documentation
   netbios-node-type b-node
   bootfile test.txt
   default-router 172.16.10.8 172.16.10.9
   dns-server 172.16.10.7
   netbios-name-server 172.16.10.23
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings
12.1.3.3.11 next-server

Configures the next server utilized in the boot process

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
next-server [<IP>|<HOST-ALIAS-NAME>]

Parameters
• next-server [<IP>|<HOST-ALIAS-NAME>]

<IP>
    Configures the next server’s (the first server in the boot process) IP address
<HOST-ALIAS-NAME>
    Configures a host alias, mapped to the next server’s IP address
    • <HOST-ALIAS-NAME> – Specify the host alias name. It should be existing and configured.
    A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#next-server 172.16.10.24
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   ip-address 172.16.10.9
   client-name RFID
   domain-name documentation
   netbios-node-type b-node
   bootfile test.txt
   default-router 172.16.10.8 172.16.10.9
   dns-server 172.16.10.7
   netbios-name-server 172.16.10.23
   next-server 172.16.10.24
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings
12.1.3.3.12 no

Negates or reverts static binding settings for the selected DHCP server policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [bootfile|client-name|default-router|dns-server|domain-name|ip-address|netbios-name-server|netbios-node-type|next-server|option|respond-via-unicast|static-route]
no option <OPTION-NAME>
no static-route <IP/MASK> <GATEWAY-IP>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Negates or reverts static binding settings for the selected DHCP server policy

Example
The following example shows the DHCP pool static binding settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   ip-address 172.16.10.9
   client-name RFID
   domain-name documentation
   netbios-node-type b-node
   bootfile test.txt
   default-router 172.16.10.8 172.16.10.9
   dns-server 172.16.10.7
   netbios-name-server 172.16.10.23
   next-server 172.16.10.24
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no bootfile
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no ip-address
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no default-router
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no dns-server

The following example shows the DHCP pool static binding settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   client-name RFID
   domain-name documentation
   netbios-node-type b-node
   netbios-name-server 172.16.10.23
   next-server 172.16.10.24
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#
12.1.3.3.13 option

Configures the raw DHCP options in the DHCP policy. The DHCP options can be used only in static bindings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>]

Parameters
• option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>]

<OPTION-NAME>        Sets the DHCP option name
<DHCP-OPTION-IP>     Sets the DHCP option as an IP address
<DHCP-OPTION-ASCII>  Sets the DHCP option as an ASCII string

NOTE: An option name in ASCII format accepts a backslash (\) as an input, but is not displayed in the output (Use show running config to view the output). Use a double backslash to represent a single backslash.

Usage Guidelines
Defines non standard DHCP option codes (0-254)

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#option option1 172.16.10.10
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   client-name RFID
   domain-name documentation
   netbios-node-type b-node
   netbios-name-server 172.16.10.23
   next-server 172.16.10.24
   option option1 172.16.10.10
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#
12.1.3.3.14 respond-via-unicast

Sends a DHCP offer and DHCP acknowledge as unicast messages

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
respond-via-unicast

Parameters
None

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#respond-via-unicast
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   client-name RFID
   domain-name documentation
   netbios-node-type b-node
   netbios-name-server 172.16.10.23
   next-server 172.16.10.24
   option option1 172.16.10.10
   respond-via-unicast
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings
12.1.3.3.15 static-route

Adds static routes to the static binding configuration

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
static-route <IP/MASK> <GATEWAY-IP>

Parameters
• static-route <IP/MASK> <GATEWAY-IP>

<IP/MASK>     Sets the subnet for which the static route is configured
<GATEWAY-IP>  Specify the gateway’s IP address

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-1)#static-route 10.0.0.0/10 157.235.208.235
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
  static-binding client-identifier test
   client-name RFID
   domain-name documentation
   netbios-node-type b-node
   netbios-name-server 172.16.10.23
   next-server 172.16.10.24
   option option1 172.16.10.10
   respond-via-unicast
   static-route 10.0.0.0/10 157.235.208.235
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static route settings
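An added example, not part of the WiNG guide: a Python audit of static-binding 'show context' output that applies the bootfile naming rule, the client-name guidance and the default-router subnet guideline from the pages above, and compares dns-server and next-server values with an approved list. The client subnet, the approved server list and the reading of "consecutive dots and hyphens" as any two adjacent separators are assumptions made for the example, and the sample text is constructed.

```python
import ipaddress
import re

# Constructed sample in the layout of the 'show context' output shown above.
# The second binding is deliberately misconfigured; its values are invented.
SAMPLE = """\
  static-binding client-identifier test
   ip-address 172.16.10.9
   client-name RFID
   domain-name documentation
   bootfile test.txt
   default-router 172.16.10.8 172.16.10.9
   dns-server 172.16.10.7
   next-server 172.16.10.24
  static-binding hardware-address 11-22-33-44-55-66
   ip-address 172.16.10.40
   client-name kiosk.documentation
   bootfile images..boot-.img
   default-router 192.168.50.1 $GW2
   dns-server 203.0.113.53
   next-server 198.51.100.9
"""

REPEATABLE = {"option", "static-route"}  # may occur several times per binding


def parse_bindings(text):
    """Split 'show context' text into one dict per static-binding block."""
    bindings = []
    for raw in text.splitlines():
        words = raw.split()
        if not words or ")#" in raw:          # skip blanks and CLI prompt lines
            continue
        if words[0] == "static-binding" and len(words) >= 3:
            bindings.append({"id": " ".join(words[1:3]), "settings": {}})
        elif bindings:
            key, args = words[0], words[1:]
            settings = bindings[-1]["settings"]
            if key in REPEATABLE:
                settings.setdefault(key, []).append(args)
            else:
                settings[key] = args
    return bindings


def bootfile_ok(name):
    """Letters, digits, dots and hyphens only, and no two separators in a row
    (assumed reading of 'consecutive dots and hyphens are not permitted')."""
    return bool(re.fullmatch(r"[A-Za-z0-9.-]+", name)) and not re.search(r"[.-]{2}", name)


def split_addresses(args):
    """Separate literal IP addresses from host aliases such as $HOST."""
    ips, aliases = [], []
    for arg in args:
        try:
            ips.append(ipaddress.ip_address(arg))
        except ValueError:
            aliases.append(arg)               # needs the device's alias table
    return ips, aliases


def audit(bindings, client_subnet, approved_servers):
    """Return (binding id, setting, message) tuples for every rule violation."""
    subnet = ipaddress.ip_network(client_subnet)
    approved = {ipaddress.ip_address(a) for a in approved_servers}
    findings = []
    for binding in bindings:
        bid, s = binding["id"], binding["settings"]
        for name in s.get("bootfile", []):
            if not bootfile_ok(name):
                findings.append((bid, "bootfile", f"invalid file name {name}"))
        for name in s.get("client-name", []):
            if "." in name:
                findings.append((bid, "client-name", f"{name} includes a domain name"))
        for setting in ("default-router", "dns-server", "next-server"):
            ips, aliases = split_addresses(s.get(setting, []))
            for ip in ips:
                if setting == "default-router":
                    if ip not in subnet:
                        findings.append((bid, setting, f"{ip} is outside {subnet}"))
                elif ip not in approved:
                    findings.append((bid, setting, f"{ip} is not an approved server"))
            for alias in aliases:
                findings.append((bid, setting, f"{alias} is an alias; resolve it first"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_bindings(SAMPLE), "172.16.10.0/24",
                         ["172.16.10.7", "172.16.10.24"]):
        print(*finding, sep=" | ")
```

Host aliases are reported instead of silently skipped because the alias-to-address mapping lives in the device configuration, outside the binding block being audited.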
12.1.4 dhcp-server

Configures the activation-criteria (run-criteria) that triggers dynamic activation of DHCP service running on a redundancy device

In a managed wireless network, when the primary, active DHCP server fails (is unreachable), network clients are unable to access DHCP services, such as new IP address leasing and renewal of existing IP address leases. In such a scenario, the activation-criteria, when configured, triggers dynamic activation of the secondary DHCP server, allowing network clients to continue accessing DHCP services. The WiNG implementation provides activation-criteria options specific to an RF Domain, cluster setup, and a Virtual Router Redundancy Protocol (VRRP) master/client setup.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcp-server activation-criteria [cluster-master|rf-domain-manager|vrrp-master]

Parameters
• dhcp-server activation-criteria [cluster-master|rf-domain-manager|vrrp-master]

dhcp-server
    Enables dynamic activation of the DHCP server, running on a redundancy device, based on the activation criteria specified
activation-criteria [cluster-master|rf-domain-manager|vrrp-master]
    Configures the activation criteria. Specify one of the following options as the activation criteria:
    • cluster-master – Configures the cluster-master criteria in a cluster setup. Within a cluster, DHCP service is enabled on the cluster master, while it remains disabled on the other cluster members. If the cluster master fails, the cluster-master activation criteria, when configured, triggers dynamic activation of DHCP service on the new cluster master.
    • rf-domain-manager – Configures the rf-domain-manager criteria on an RF Domain. Within an RF Domain, DHCP service is enabled on the RF Domain manager, while it remains disabled on the other devices within the RF Domain. If the RF Domain manager fails, the rf-domain-manager activation criteria, when configured, triggers dynamic activation of DHCP service on the new RF Domain manager.
    • vrrp-master – Configures the vrrp-master criteria within a VRRP master/client setup. In such a setup, the DHCP service is enabled on the VRRP master, while it remains disabled on the other members. If the VRRP master fails, the vrrp-master activation criteria, when configured, triggers dynamic activation of DHCP service on the new VRRP master.
Example
rfs4000-229D58(config-dhcp-policy-test)#dhcp-server activation-criteria rf-domain-manager
rfs4000-229D58(config-dhcp-policy-test)#show context
dhcp-server-policy test
 dhcp-server activation-criteria rf-domain-manager
rfs4000-229D58(config-dhcp-policy-test)#

rfs4000-229D58(config-dhcp-policy-test)#no dhcp-server activation-criteria
rfs4000-229D58(config-dhcp-policy-test)#show context
dhcp-server-policy test
rfs4000-229D58(config-dhcp-policy-test)#

Related Commands
no  Removes the DHCP service activation criteria configured on this DHCP server policy
12.1.5 no

Negates a command or sets its default. When used in the DHCP server configuration context, the ‘no’ command resets or reverts the DHCP server policy settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [bootp|dhcp-class|dhcp-pool|dhcp-server|option|ping]
no bootp ignore
no dhcp-class <DHCP-CLASS-NAME>
no dhcp-pool <DHCP-POOL-NAME>
no dhcp-server activation-criteria
no option <DHCP-OPTION>
no ping timeout

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Negates a command or sets its default. When used in the DHCP server configuration context, the ‘no’ command resets or reverts the DHCP server policy settings

Example
The following example shows the DHCP policy ‘test’ settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-dhcp-policy-test)#show context
dhcp-server-policy test
 bootp ignore
 dhcp-class dhcpclass1
 dhcp-pool pool1
  address 1.2.3.4 class dhcpclass1
  update dns override
  --More--
rfs6000-37FABE(config-dhcp-policy-test)#

rfs6000-37FABE(config-dhcp-policy-test)#no bootp ignore
rfs6000-37FABE(config-dhcp-policy-test)#no dhcp-class dhcpclass1
rfs6000-37FABE(config-dhcp-policy-test)#no dhcp-pool pool1

The following example shows the DHCP policy ‘test’ settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-dhcp-policy-test)#show context
dhcp-server-policy test
rfs6000-37FABE(config-dhcp-policy-test)#
12.1.6 option

Configures raw DHCP options. The DHCP option has to be configured in the DHCP server policy. The options configured in the DHCP pool/DHCP server policy can also be used in static bindings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
option <OPTION-NAME> <0-254> [ascii|hexstring|ip]

Parameters
• option <OPTION-NAME> <0-254> [ascii|hexstring|ip]

<OPTION-NAME>  Configures the option name
<0-254>        Configures the DHCP option code from 0 - 254
ascii          Configures the DHCP option as an ASCII string
hexstring      Configures the DHCP option as a hexadecimal string
ip             Configures the DHCP option as an IP address

NOTE: An option name in ASCII format accepts a backslash (\) as an input, but is not displayed in the output (Use show running config to view the output). Use a double backslash to represent a single backslash.

Usage Guidelines
Defines non standard DHCP option codes (0-254)

Example
rfs6000-37FABE(config-dhcp-policy-test)#option option1 200 ascii
rfs6000-37FABE(config-dhcp-policy-test)#show context
dhcp-server-policy test
 option option1 200 ascii
rfs6000-37FABE(config-dhcp-policy-test)#

Related Commands
no  Removes DHCP server options
12.1.7 ping

Configures the DHCP server’s ping timeout interval. The controller uses the timeout to intermittently ping and discover whether a client requested IP address is available or in use.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ping timeout <1-10>

Parameters
• ping timeout <1-10>

timeout <1-10>
    Sets the ping timeout from 1 - 10 seconds. The default is 1 second.

Example
rfs6000-37FABE(config-dhcp-policy-test)#ping timeout 2
rfs6000-37FABE(config-dhcp-policy-test)#show context
dhcp-server-policy test
 ping timeout 2
 option option1 200 ascii
rfs6000-37FABE(config-dhcp-policy-test)#

Related Commands
no  Resets the ping interval to 1 second
12.2 dhcpv6-server-policy

DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network.

DHCPv6 servers pass IPv6 network addresses to IPv6 clients. The DHCPv6 address assignment feature manages non duplicate addresses in the correct prefix based on the network where the host is connected. Assigned addresses can be from one or multiple pools. Additional options, such as the default domain and DNS name-server address, can be passed back to the client. Address pools can be assigned for use on a specific interface or on multiple interfaces, or the server can automatically find the appropriate pool.

The following table summarizes DHCPv6 server policy configuration commands:

Table 12.8 DHCPv6-Server-Policy-Config Commands

Command                  Description  Reference
dhcpv6-pool              Creates a DHCPv6 pool and enters its configuration mode  page 12-62
option                   Configures this DHCPv6 server policy’s DHCP option settings, such as enterprise (vendor ID)  page 12-73
restrict-vendor-options  Restricts the use of vendor-specific DHCP options on this DHCPv6 server policy  page 12-75
server-preference        Configures this DHCP server’s preference value. This value is sent in DHCP server replies to the IPv6 client.  page 12-76
no                       Negates or reverts this DHCPv6 server policy’s settings  page 12-77
12.2.1 dhcpv6-pool

The following table summarizes DHCPv6 pool configuration mode commands:

Table 12.9 DHCPv6-Pool-Config Commands
Command | Description | Reference
dhcpv6-pool | Creates a DHCPv6 pool and enters its configuration mode | page 12-63
dhcpv6-pool-mode commands | Summarizes DHCPv6 pool configuration mode commands | page 12-65
12.2.1.1 dhcpv6-pool

Configures a DHCPv6 server address pool and enters its configuration mode

A DHCPv6 IPv6 pool is a resource from which IPv6 formatted addresses can be issued on DHCPv6 client requests. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcpv6-pool <POOL-NAME>

Parameters
• dhcpv6-pool <POOL-NAME>
<POOL-NAME> – Creates a DHCPv6 server address pool
  • <POOL-NAME> – Specify a name that appropriately identifies this DHCPv6 address pool. If the pool does not exist, it is created. The pool name cannot be modified as part of the edit process. However, an obsolete address pool can be deleted.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test)#dhcpv6-pool DHCPv6Pool1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#?
DHCPv6 pool Mode commands:
  dns-server    DNS Servers
  domain-name   Configure domain-name
  network       Network on which DHCPv6 server will be deployed
  no            Negate a command or set its defaults
  option        Raw DHCPv6 options
  refresh-time  Upper limit specifying the timer for which client should wait
                before refreshing information
  sip           SIP server options
  clrscr        Clears the display screen
  commit        Commit all changes made in this session
  do            Run commands from Exec mode
  end           End current mode and change to EXEC mode
  exit          End current mode and down to previous mode
  help          Description of the interactive help system
  revert        Revert changes
  service       Service Commands
  show          Show running system information
  write         Write running configuration to memory or terminal
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#

rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test)#

Related Commands
no – Removes the DHCPv6 pool identified by the <POOL-NAME> keyword
12.2.1.2 dhcpv6-pool-mode commands

Configures the DHCPv6 pool parameters

The following table summarizes DHCPv6 pool configuration commands:

Table 12.10 DHCPv6-Pool-Config-Mode Commands
Command | Description | Reference
dns-server | Configures this DHCPv6 pool’s DNS server | page 12-66
domain-name | Configures this DHCPv6 pool’s domain name | page 12-67
network | Configures this DHCPv6 pool’s network | page 12-68
option | Configures this DHCPv6 pool’s raw DHCPv6 options. This is the vendor-specific option used in this DHCPv6 pool. | page 12-70
refresh-time | Configures this DHCPv6 pool’s refresh time in seconds | page 12-71
sip | Configures this DHCPv6 pool’s Session Initiation Protocol (SIP) server setting | page 12-72
no | Negates or reverts this DHCPv6 pool’s settings | page 12-69
12.2.1.2.1 dns-server

Configures this DHCPv6 pool’s DNS server. The DNS server supports all clients connected to networks supported by the DHCPv6 server.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dns-server <IPv6> {<SECONDARY-IPv6>}

Parameters
• dns-server <IPv6> {<SECONDARY-IPv6>}
<IPv6> – Configures the primary DNS server’s IPv6 address
  • <IPv6> – Specify the DNS server’s IPv6 address (the server associated with this DHCP pool).
<SECONDARY-IPv6> – Configures the secondary DNS server’s IPv6 address
  • <SECONDARY-IPv6> – Specify the secondary DNS server’s IPv6 address (the server associated with this DHCP pool).

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
 dhcpv6-pool DHCPv6Pool1
  dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#

Related Commands
no – Removes this DHCPv6 pool’s configured DNS server settings
12.2.1.2.2 domain-name

Configures this DHCPv6 pool’s domain name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
domain-name <DOMAIN-NAME>

Parameters
• domain-name <DOMAIN-NAME>
<DOMAIN-NAME> – Specify the DHCP pool’s hostname or hostnames of the domain or domains

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#domain-name TechPubs
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
 dhcpv6-pool DHCPv6Pool1
  domain-name TechPubs
  dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#

Related Commands
no – Removes this DHCPv6 pool’s domain name
12.2.1.2.3 network

Configures this DHCPv6 pool’s network. Use this command to configure the address of the network on which this DHCP server is deployed.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
network [<IPv6/M>|<NETWORK-ALIAS-NAME>]

Parameters
• network [<IPv6/M>|<NETWORK-ALIAS-NAME>]
<IPv6/M> – Specify this DHCPv6 pool network’s IPv6 address and mask (for example, 1:2::1:0/96)
<NETWORK-ALIAS-NAME> – Specify this DHCPv6 pool network’s alias name

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#network 2002::0/64
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#

Related Commands
no – Removes the network IPv6 address and mask configured for this DHCPv6 pool
12.2.1.2.4 no

Negates a command or sets its default. When used in the DHCPv6 pool configuration context, the ‘no’ command resets or reverts the DHCPv6 pool’s settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [dns-server|domain-name|network|option|refresh-time|sip]

Parameters
• no <PARAMETERS>
no <PARAMETERS> – Negates a command or sets its default. When used in the DHCPv6 pool configuration context, the ‘no’ command resets or reverts the DHCPv6 pool’s settings.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  refresh-time 1000
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
  option DHCPv6Pool1Option 60
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#

rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#no option DHCPv6Pool1Option
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#no refresh-time
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#
12.2.1.2.5 option

Configures this DHCPv6 pool’s raw DHCPv6 options. This is the vendor-specific option used in this DHCPv6 pool.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
option <OPTION-NAME> [<DHCPv6-OPTION-IP>|<DHCPv6-OPTION-ASCII>]

Parameters
• option <OPTION-NAME> [<DHCPv6-OPTION-IP>|<DHCPv6-OPTION-ASCII>]
<OPTION-NAME> – Sets the name of the DHCPv6 option
<DHCPv6-OPTION-IP> – Sets DHCPv6 option as an IPv6 address
<DHCPv6-OPTION-ASCII> – Sets DHCPv6 option as an ASCII string

NOTE: An option name in ASCII format accepts backslash (\) as an input but is not displayed in the output (Use show running config to view the output). Use a double backslash to represent a single backslash.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#option DHCPv6Pool1Option 60
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  dns-server 2002::1
  option DHCPv6Pool1Option 60
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#

Related Commands
no – Removes this DHCPv6 pool’s DHCP option settings
12.2.1.2.6 refresh-time

Configures this DHCPv6 pool’s refresh time in seconds. This is the interval between two successive DHCP pool refreshes. The DHCP refresh process refreshes IPv6 client information.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
refresh-time <600-4294967295>

Parameters
• refresh-time <600-4294967295>
refresh-time <600-4294967295> – Specify this DHCPv6 pool’s refresh time from 600 - 4294967295 seconds.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#refresh-time 1000
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  refresh-time 1000
  domain-name TechPubs
  dns-server 2002::1
  option DHCPv6Pool1Option 60
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#

Related Commands
no – Removes or reverts the configured DHCPv6 pool’s refresh time
12.2.1.2.7 sip

Configures this DHCPv6 pool’s Session Initiation Protocol (SIP) server setting

Configures the domain name or domain names associated with the SIP servers. The SIP server is used to prioritize voice and video traffic on the network. SIP is an application-layer control protocol that can establish, modify and terminate multimedia sessions or calls. A SIP system has several components (user agents, proxy servers, redirect servers, and registrars). User agents can contain SIP clients; proxy servers always contain SIP clients.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
sip [address <IPv6>|domain-name <DOMAIN-NAME>]

Parameters
• sip [address <IPv6>|domain-name <DOMAIN-NAME>]
sip [address <IPv6>|domain-name <DOMAIN-NAME>] – Configures the SIP server’s setting, such as address and/or domain name

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#sip domain-name TechPubsSIP
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  refresh-time 1000
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
  option DHCPv6Pool1Option 60
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#

Related Commands
no – Removes this DHCPv6 pool’s SIP server setting
12.2.2 option

Configures this DHCPv6 server policy’s DHCP option settings, such as enterprise (vendor) ID

DHCPv6 services are available for specific IP interfaces. A pool (or range) of IPv6 network addresses and DHCPv6 options can be created for each IPv6 interface defined. This range of addresses can be made available to DHCPv6 enabled devices on either a permanent or leased basis. DHCPv6 options are provided to each client with a DHCPv6 response and provide DHCPv6 clients information required to access network resources (default gateway, domain name, DNS server and WINS server configuration). An option exists to identify the vendor and functionality of a DHCPv6 client. The information is a variable-length string of characters (or octets) with a meaning specified by the vendor of the DHCPv6 client.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
option <OPTION-NAME> <0-254> [ascii|hexstring|ipv6] <1-4294967295>

Parameters
• option <OPTION-NAME> <0-254> [ascii|hexstring|ipv6] <1-4294967295>
option <OPTION-NAME> – Specify a unique name for this DHCP option. The name should describe the option's function.
<0-254> – Specify a DHCP option code for this option.
  • <0-254> – Specify a value from 0 - 254. The system allows only one code, of the same value, for each DHCP option used in each DHCPv6 server policy.
ascii – Specifies the option type as ASCII (sends an ASCII compliant string to the client)
hexstring – Specifies the option type as a string of hexadecimal characters (sends a hexadecimal string to the client)
ipv6 – Specifies the option type as IPv6 address (sends an IPv6 compatible address to the client)
<1-4294967295> – This parameter is common to all option types.
  • <1-4294967295> – Specifies the enterprise (vendor) ID. Specify a value from 1 - 4294967295. The option code (1) is reserved for subnet-mask and cannot be used.
  Each vendor should have a unique vendor ID used by the DHCP server to issue vendor-specific DHCP options.
Example
rfs6000-37FABE(config-dhcpv6-server-policy-test)#option DHCPServerOption1 10 ascii 50
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test)#

Related Commands
no – Removes the DHCPv6 server option settings configured for this DHCPv6 server policy
12.2.3 restrict-vendor-options

Restricts the use of vendor-specific DHCP options on this DHCPv6 server policy. When restricted, vendor-specific DHCP options, configured on this DHCPv6 server policy, are not included in the DHCPv6 server replies to IPv6 clients.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
restrict-vendor-options

Parameters
None

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test)#restrict-vendor-options
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
 restrict-vendor-options
rfs6000-37FABE(config-dhcpv6-server-policy-test)#

Related Commands
no – Removes restriction on sending of vendor-specific options in DHCPv6 server replies to IPv6 clients
12.2.4 server-preference

Configures this DHCPv6 server’s preference value. When configured, the server preference value is included in the DHCPv6 server’s replies to IPv6 clients.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
server-preference <0-255>

Parameters
• server-preference <0-255>
server-preference <0-255> – Configures this DHCP server’s preference value
  • <0-255> – Specify a value from 0 - 255.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test)#server-preference 1
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
 server-preference 1
 restrict-vendor-options
rfs6000-37FABE(config-dhcpv6-server-policy-test)#

Related Commands
no – Removes this DHCPv6 server’s preference value
12.2.5 no

Negates or reverts this DHCPv6 server policy’s settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [dhcpv6-pool|option|restrict-vendor-options|server-preference]

Parameters
• no <PARAMETERS>
no <PARAMETERS> – Negates or reverts this DHCPv6 server policy’s settings

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
 server-preference 1
 restrict-vendor-options
rfs6000-37FABE(config-dhcpv6-server-policy-test)#

rfs6000-37FABE(config-dhcpv6-server-policy-test)#no restrict-vendor-options
rfs6000-37FABE(config-dhcpv6-server-policy-test)#no server-preference
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test)#
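The value ranges documented in section 12.2 can be checked offline before a policy is committed. The following Python sketch is an added example, not part of the guide or of WiNG: it parses a dhcpv6-server-policy `show context` listing and validates it against the documented syntax, and it also reports policy-level options that restrict-vendor-options keeps out of server replies. The function names, the second sample listing, and the treatment of a network value without a colon as an alias name are assumptions of this example.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#")  # CLI prompt lines in a pasted listing

# Listing from the server-preference example in section 12.2.4 of this guide.
GUIDE_LISTING = """\
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
 server-preference 1
 restrict-vendor-options
"""

# Constructed listing with four deliberate mistakes.
BAD_LISTING = """\
dhcpv6-server-policy lab
 option VendorA 10 ascii 50
 option VendorB 10 hexstring 50
 dhcpv6-pool Pool1
  refresh-time 300
  dns-server 2002::zz
 server-preference 300
"""

def _in_range(value, low, high):
    return value.isdigit() and low <= int(value) <= high

def _is_ipv6(value):
    try:
        ipaddress.IPv6Address(value)
        return True
    except ValueError:
        return False

def _check_policy_line(key, args, codes, errors):
    # Policy-level commands: option (12.2.2) and server-preference (12.2.4).
    if key == "option":
        if len(args) != 4:
            errors.append("option: expected <OPTION-NAME> <0-254> <type> <vendor-id>")
            return
        name, code, kind, vendor = args
        if not _in_range(code, 0, 254):
            errors.append(f"option {name}: code {code} is outside 0-254")
        elif codes.setdefault(code, name) != name:  # one code per policy
            errors.append(f"option {name}: code {code} already used by {codes[code]}")
        if kind not in ("ascii", "hexstring", "ipv6"):
            errors.append(f"option {name}: unknown type {kind}")
        if not _in_range(vendor, 1, 4294967295):
            errors.append(f"option {name}: vendor ID {vendor} is outside 1-4294967295")
    elif key == "server-preference":
        if len(args) != 1 or not _in_range(args[0], 0, 255):
            errors.append("server-preference: value must be 0-255")

def _check_pool_line(pool, key, args, errors):
    # Pool-level commands from section 12.2.1.2.
    first = args[0] if args else ""
    if key == "network" and ":" in first:
        # Assumption: a value without ":" is a network alias and is not checked.
        try:
            ipaddress.IPv6Network(first, strict=False)
        except ValueError:
            errors.append(f"{pool}: network {first} is not an IPv6 prefix")
    elif key == "dns-server":
        if not 1 <= len(args) <= 2 or not all(_is_ipv6(a) for a in args):
            errors.append(f"{pool}: dns-server takes one or two IPv6 addresses")
    elif key == "refresh-time" and not _in_range(first, 600, 4294967295):
        errors.append(f"{pool}: refresh-time {first} is outside 600-4294967295")
    elif key == "sip":
        if len(args) != 2 or first not in ("address", "domain-name"):
            errors.append(f"{pool}: sip expects address <IPv6> or domain-name <NAME>")
        elif first == "address" and not _is_ipv6(args[1]):
            errors.append(f"{pool}: sip address {args[1]} is not IPv6")

def validate_dhcpv6_policy(listing):
    errors, warnings, codes, restricted, pool = [], [], {}, False, None
    for raw in listing.splitlines():
        text = raw.strip()
        if not text or PROMPT.match(text) or text.startswith("dhcpv6-server-policy "):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, *args = text.split()
        if indent >= 2 and pool:  # two-space indent: inside the current pool
            _check_pool_line(pool, key, args, errors)
        elif key == "dhcpv6-pool":
            pool = args[0] if args else None
        elif key == "restrict-vendor-options":
            restricted, pool = True, None
        else:
            pool = None
            _check_policy_line(key, args, codes, errors)
    if restricted and codes:
        warnings.append(f"restrict-vendor-options set: {len(codes)} option(s) not sent")
    return {"errors": errors, "warnings": warnings}
```
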
13 FIREWALL-POLICY

This chapter summarizes the firewall policy commands in the CLI command structure.

A firewall protects a network from attacks and unauthorized access from outside the network. Simultaneously, it allows authorized users to access required resources. Firewalls work on multiple levels. Some work at layers 1, 2 and 3 to inspect each packet. The packet is either passed, dropped or rejected based on rules configured on the firewall.

Firewalls use application layer filtering to enforce compliance. These firewalls can understand applications and protocols and can detect if an unauthorized protocol is being used, or an authorized protocol is being abused in any malicious way.

The third set of firewalls, ‘Stateful Firewalls’, consider the placement of each individual packet within the series of packets being transmitted. If there is a packet that does not fit into the sequence, it is automatically identified and dropped.

Use the (config) instance to configure firewall policy commands. To navigate to the config-fw-policy instance, use the following commands:

<DEVICE>(config)#firewall-policy <POLICY-NAME>

rfs6000-37FABE(config)#firewall-policy test
rfs6000-37FABE(config-fw-policy-test)#?
Firewall policy Mode commands:
  acl-logging                    Log on flow creating traffic
  alg                            Enable ALG
  clamp                          Clamp value
  dhcp-offer-convert             Enable conversion of broadcast dhcp offers to
                                 unicast
  dns-snoop                      DNS Snooping
  firewall                       Wireless firewall
  flow                           Firewall flow
  ip                             Internet Protocol (IP)
  ip-mac                         Action based on ip-mac table
  ipv6                           Internet Protocol version 6 (IPv6)
  ipv6-mac                       Action based on ipv6-mac table
  logging                        Firewall enhanced logging
  no                             Negate a command or set its defaults
  proxy-arp                      Enable generation of ARP responses on behalf
                                 of another device
  proxy-nd                       Enable generation of ND responses (for IPv6)
                                 on behalf of another device
  stateful-packet-inspection-l2  Enable stateful packet inspection in layer2
                                 firewall
  storm-control                  Storm-control
  virtual-defragmentation        Enable virtual defragmentation for IPv4
                                 packets (recommended for proper functioning
                                 of firewall)
  clrscr                         Clears the display screen
  commit                         Commit all changes made in this session
  do                             Run commands from Exec mode
  end                            End current mode and change to EXEC mode
  exit                           End current mode and down to previous mode
  help                           Description of the interactive help system
  revert                         Revert changes
  service                        Service Commands
  show                           Show running system information
  write                          Write running configuration to memory or
                                 terminal
rfs6000-37FABE(config-fw-policy-test)#
NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
13.1 firewall-policy

The following table summarizes default firewall policy configuration commands:

Table 13.1 Firewall-Policy-Config Commands
Command | Description | Reference
acl-logging | Enables logging on flow creating traffic | page 13-4
alg | Enables an algorithm | page 13-5
clamp | Sets a clamp value to limit TCP MSS to inner path-MTU for tunnelled packets | page 13-7
dhcp-offer-convert | Enables the conversion of broadcast DHCP offers to unicast | page 13-8
dns-snoop | Sets the timeout value for DNS entries | page 13-9
firewall | Configures the wireless firewall | page 13-10
flow | Defines a session flow timeout | page 13-11
ip | Configures Internet Protocol (IP) components on this firewall policy | page 13-13
ip-mac | Defines an action based on IP-MAC table | page 13-20
ipv6 | Configures IPv6 components on this firewall policy | page 13-22
ipv6-mac | Defines an action based on IPv6-MAC table | page 13-26
logging | Enables enhanced firewall logging | page 13-28
no | Negates a command or reverts settings to their default | page 13-30
proxy-arp | Enables the generation of ARP responses on behalf of another device | page 13-32
proxy-nd | Enables the generation of ND responses (for IPv6) on behalf of another device | page 13-33
stateful-packet-inspection-l2 | Enables stateful packet inspection in layer 2 firewall | page 13-34
storm-control | Defines storm control and logging settings | page 13-35
virtual-defragmentation | Enables virtual defragmentation of IPv4 packets | page 13-37

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
13.1.1 acl-logging

Enables logging on flow creating traffic. This option is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
acl-logging

Parameters
None

Example
rfs4000-229D58(config-fw-policy-test)#acl-logging
rfs4000-229D58(config-fw-policy-test)#no acl-logging
rfs4000-229D58(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 no acl-logging
rfs4000-229D58(config-fw-policy-test)#

Related Commands
no – Disables logging on flow creating traffic
13.1.2 alg

Enables traffic filtering at the application layer using the Application Layer Gateway (ALG) feature

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
alg [dns|facetime|ftp|pptp|sccp|sip|tftp]

Parameters
• alg [dns|facetime|ftp|pptp|sccp|sip|tftp]
alg – Enables traffic filtering at the application layer. The ALG provides filters for the following common protocols: DNS, FaceTime, FTP, PPTP, SCCP, SIP, and TFTP.
dns – Allows Domain Name System (DNS) traffic through the firewall using its default ports. This option is enabled by default.
  When enabled, you can easily permit or deny traffic based on a packet’s DNS name, instead of the IP address. Use this option when configuring ACLs allowing or denying traffic for Web sites that have a single domain name resolving to any one of multiple IP addresses.
facetime – Allows Apple’s FaceTime video calling traffic through the firewall using its default ports. This option is disabled by default.
ftp – Allows File Transfer Protocol (FTP) traffic through the firewall using its default ports. This option is enabled by default.
pptp – Allows Point-to-Point Tunneling Protocol (PPTP) traffic through the firewall using its default ports. PPTP, a network protocol, enables secure transfer of data from a remote client to an enterprise server by encapsulating PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks. This option is enabled by default.
sccp – Allows Signalling Connection Control Part (SCCP) traffic through the firewall using its default ports. This option is disabled by default.
  SCCP is a network protocol that provides routing, flow control and error correction in telecommunication networks.
sip – Allows Session Initiation Protocol (SIP) traffic through the firewall using its default ports. This option is enabled by default.
tftp – Enables the Trivial File Transfer Protocol (TFTP) algorithm. When enabled, allows TFTP traffic through the firewall using its default ports. This option is enabled by default.
Example
nx4500-5CFA2B(config-fw-policy-test)#alg facetime
nx4500-5CFA2B(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 alg facetime
nx4500-5CFA2B(config-fw-policy-test)#

Related Commands
no – Removes or reverts ALG related settings
13.1.3 clamp

This option limits the TCP Maximum Segment Size (MSS) to the size of the Maximum Transmission Unit (MTU) discovered by path MTU discovery for the inner protocol. This ensures the packet traverses through the inner protocol without fragmentation. This option is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
clamp tcp-mss

Parameters
• clamp tcp-mss
tcp-mss – Limits the TCP MSS size to the MTU value of the inner protocol for tunneled packets

Example
rfs6000-37FABE(config-fw-policy-test)#clamp tcp-mss

Related Commands
no – Disables limiting of the TCP MSS
13.1.4 dhcp-offer-convert

Enables the conversion of broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast traffic can help reduce network traffic loads. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcp-offer-convert

Parameters
None

Example
rfs6000-37FABE(config-fw-policy-test)#dhcp-offer-convert
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 dhcp-offer-convert
rfs6000-37FABE(config-fw-policy-test)#

Related Commands
no – Disables the conversion of broadcast DHCP offers to unicast
13.1.5 dns-snoop

Sets the timeout interval for DNS snoop table entries. DNS snoop entries provide information, such as client to IP address and client to default gateway(s) mappings. This information is used to detect if the client is sending routed packets to a wrong MAC address.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dns-snoop entry-timeout <30-86400>

Parameters
• dns-snoop entry-timeout <30-86400>
entry-timeout <30-86400> – Sets the DNS snoop table entry timeout interval from 30 - 86400 seconds. An entry is retained in the DNS snoop table only for the specified time, and is deleted once this time is exceeded. The default is 1,800 seconds.

Example
rfs6000-37FABE(config-fw-policy-test)#dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#

Related Commands
no – Removes the DNS snoop table entry timeout interval

13.1.6 firewall

Enables a device’s firewall

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
firewall enable

Parameters
• firewall enable
firewall enable – Enables wireless firewalls

Example
rfs6000-37FABE(config-fw-policy-default)#firewall enable
rfs6000-37FABE(config-fw-policy-default)#

Related Commands
no – Disables a device’s firewall

13.1.7 flow

Defines the session flow timeout interval for different packet types

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
flow [dhcp|timeout]
flow dhcp stateful
flow timeout [icmp|other|tcp|udp]
flow timeout [icmp|other] <1-32400>
flow timeout udp <15-32400>
flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|stateless-general] <1-32400>
flow timeout tcp established <15-32400>

Parameters
• flow dhcp stateful
dhcp – Configures DHCP packet flow
stateful – Performs a stateful check on DHCP packets. This feature is enabled by default.

• flow timeout [icmp|other] <1-32400>
timeout – Configures a packet timeout
icmp – Configures the timeout for ICMP packets. The default is 30 seconds.
other – Configures the timeout for packets other than ICMP, TCP, or UDP. The default is 30 seconds.
<1-32400> – Configures the timeout from 1 - 32400 seconds

• flow timeout udp <15-32400>
timeout – Configures a packet timeout
udp – Configures the timeout for UDP packets. The default is 30 seconds.
<15-32400> – Configures the timeout from 15 - 32400 seconds

• flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|stateless-general] <1-32400>
timeout – Configures a packet timeout
tcp – Configures the timeout for TCP packets
close-wait – Configures the closed TCP flow timeout. The default is 10 seconds.
reset – Configures the reset TCP flow timeout. The default is 10 seconds.
setup – Configures the opening TCP flow timeout. The default is 10 seconds.
stateless-fin-or-reset – Configures stateless TCP flow timeout created with the FIN or RESET packets. The default is 10 seconds.
stateless-general – Configures the stateless TCP flow timeout. The default is 90 seconds (1m 30 s).
<1-32400> – Configures the timeout from 1 - 32400 seconds

• flow timeout tcp established <15-32400>
timeout – Configures the packet timeout
tcp – Configures the timeout for TCP packets
established – Configures the established TCP flow timeout. The default is 5400 seconds.
<15-32400> – Configures the timeout from 15 - 32400 seconds

Example
rfs6000-37FABE(config-rw-policy-test)#flow timeout udp 10000
rfs6000-37FABE(config-rw-policy-test)#flow timeout icmp 16000
rfs6000-37FABE(config-rw-policy-test)#flow timeout other 16000
rfs6000-37FABE(config-rw-policy-test)#flow timeout tcp established 1500
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#

Related Commands
no – Removes session timeout intervals configured for different packet types

13.1.8 ip

Configures Internet Protocol (IP) components

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip [dos|tcp]
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-max-incomplete|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke}
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [drop-only]
ip dos tcp-max-incomplete [high|low] <1-1000>
ip tcp [adjust-mss|optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
ip tcp adjust-mss <472-1460>
ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]

Parameters
• ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]

dos – Identifies IP events as DoS events

ascend – Optional. Detects ASCEND DoS attacks
  Ascend DoS attacks target known vulnerabilities in various versions of Ascend routers. Ascend routers listen on UDP port 9 for packets from Ascend's Java Configurator. Sending a formatted packet to this port can cause an Ascend router to crash.

broadcast-multicast-icmp – Optional. Detects broadcast or multicast ICMP DoS attacks
  Broadcast or multicast ICMP DoS attacks take advantage of ICMP behavior in response to echo replies. These attacks spoof the source address of the target and send ICMP broadcast or multicast echo requests to the rest of the network, flooding the target machine with replies.

chargen – Optional. Detects Chargen attacks
  The Character Generation Protocol (chargen) is an IP suite service primarily used for testing and debugging networks. It is also used as a source of generic payload for bandwidth and QoS measurements.
  The Chargen attack establishes a Telnet connection to port 19 and attempts to use the character generator service to create a string of characters which is then directed to the DNS service on port 53 to disrupt DNS services.

fraggle – Optional. Detects Fraggle DoS attacks
  The Fraggle DoS attack uses a list of broadcast addresses to send spoofed UDP packets to each broadcast address' echo port (port 7). Each address that has port 7 open responds to the request, generating a lot of traffic on the network. Each address that does not have port 7 open sends an unreachable message back to the originator, further clogging the network with more traffic.

ftp-bounce – Optional. Detects FTP bounce attacks
  An FTP bounce attack is a MIM attack that enables an attacker to open a port on a different machine using FTP. FTP requires that when a connection is requested by a client on the FTP port (21), another connection must open between the server and the client. To confirm, the PORT command has the client specify an arbitrary destination machine and port for the data connection. This is exploited by the attacker to gain access to a device that may not be the originating client.

invalid-protocol – Optional. Enables a check for an invalid protocol number
  Attackers may use a vulnerability in the endpoint implementation by sending invalid protocol fields, or may misuse the misinterpretation of endpoint software. This can lead to inadvertent leakage of sensitive network topology information, call hijacking, or a DoS attack.

ip-ttl-zero – Optional. Enables a check for the TCP/IP TTL field having a value of zero (0)
  The TCP IP TTL Zero DoS attack sends spoofed multicast packets onto the network which have a Time to Live (TTL) of 0. This causes packets to loop back to the spoofed originating machine, and can cause the network to overload.

ipspoof – Optional. Enables a check for IP spoofing DoS attacks
  IP Spoof is a category of DoS attack that sends IP packets with forged source addresses. This can hide the identity of the attacker.

land – Optional. Detects LAND DoS attacks
  A Local Area Network Denial (LAND) is a DoS attack where IP packets are spoofed and sent to a device where the source IP and destination IP of the packet are the target device’s IP, and similarly, the source port and destination port are open ports on the same device. This causes the attacked device to reply to itself continuously.

option-route – Optional. Enables an IP Option Record Route DoS check

router-advt – Optional. Detects router-advertisement attacks
  This attack uses ICMP to redirect the network router function to some other host. If that host cannot provide router services, a DoS of network communications occurs as routing stops. This can also be modified to single out a specific system, so that only that system is subject to attack (because only that system sees the 'false' router). By providing router services from a compromised host, the attacker can also place themselves in a man-in-the-middle situation and take control of any open channel at will (as mentioned earlier, this is often used with TCP packet forgery and spoofing to intercept and change open TELNET sessions).

router-solicit – Optional. Detects router solicitation attacks
  The ICMP router solicitation scan is used to actively find routers on a network. A hacker could set up a protocol analyzer to detect routers as they broadcast routing information on the network. In some instances, however, routers may not send updates. For example, if the local network does not have other routers, the router may be configured to not send routing information packets onto the local network.
  ICMP offers a method for router discovery. Clients send ICMP router solicitation multicasts onto the network, and routers must respond (as defined in RFC 1122).
  By sending ICMP router solicitation packets (ICMP type 9) on the network and listening for ICMP router discovery replies (ICMP type 10), hackers can build a list of all of the routers that exist on a network segment. Hackers often use this scan to locate routers that do not reply to ICMP echo requests.

smurf – Optional. In this attack, a large number of ICMP echo packets are sent with a spoofed source address. This causes the device with the spoofed source address to be flooded with a large number of replies.

snork – Optional. This attack causes a remote Windows™ NT to consume 100% of the CPU’s resources. This attack uses a UDP packet with a destination port of 135 and a source port of 7, 9, or 135. This attack can also be exploited as a bandwidth consuming attack.

tcp-bad-sequence – Optional. A DoS attack that uses a specially crafted TCP packet to cause the targeted device to drop all subsequent network traffic for a specific TCP connection

tcp-fin-scan – Optional. Detects TCP FIN scan attacks
  Hackers use the TCP FIN scan to identify listening TCP port numbers based on how the target device reacts to a transaction close request for a TCP port (even though no connection may exist before these close requests are made). This type of scan can get through basic firewalls and boundary routers that filter on incoming TCP packets with the Finish (FIN) and ACK flag combination. The TCP packets used in this scan include only the TCP FIN flag setting.
  If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target device discards the FIN and sends no reply.

tcp-intercept – Optional. Prevents TCP intercept attacks by using TCP SYN cookies
  A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a Web site, accessing e-mail, using FTP service, and so on.
  The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depends on the platform, memory, processor, and other factors. In the case of illegitimate requests, the software's aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests.
  When establishing a security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers. You can also configure the connection rate and threshold of outstanding connections. Optionally operate TCP intercept in watch mode, as opposed to intercept mode. In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the software intervenes and terminates the connection attempt.

tcp-null-scan – Optional. Detects TCP NULL scan attacks
  Hackers use the TCP NULL scan to identify listening TCP ports. This scan also uses a series of strangely configured TCP packets, which contain a sequence number of 0 and no flags. Again, this type of scan can get through some firewalls and boundary routers that filter incoming TCP packets with standard flag settings.
  If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP NULL scan, sending no reply.

tcp-post-syn – Optional. Detects TCP post SYN DoS attacks
  A remote attacker may be attempting to avoid detection by sending a SYN frame with a different sequence number than the original SYN. This can cause an Intrusion Detection System (IDS) to become unsynchronized with the data in a connection. Subsequent frames sent during the connection are ignored by the IDS.

tcp-sequence-past-window – Optional. Enables a TCP SEQUENCE PAST WINDOW DoS attack check. Disable this check to work around a bug in Windows XP's TCP stack which sends data past the window when conducting a selective ACK.

tcp-xmas-scan – Optional. A TCP XMAS scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports.

tcphdrfrag – Optional. A DoS attack where the TCP header spans IP fragments

twinge – Optional. A twinge attack is a flood of false ICMP packets to try and slow down a system

udp-short-hdr – Optional. Enables the identification of truncated UDP headers and UDP header length fields

winnuke – Optional. This DoS attack is specific to Windows™ 95 and Windows™ NT.
  The WINNUKE DoS attack sends a large amount of data to UDP port 137 to crash the NETBIOS service on Windows and results in high CPU utilization on the target machine.

log-and-drop – Logs the event and drops the packet
log-only – Logs the event only, the packet is not dropped
log-level – Configures the log level
<0-7> – Sets the numeric logging level
emergencies – Numerical severity 0. System is unusable
alerts – Numerical severity 1. Indicates a condition where immediate action is required
critical – Numerical severity 2. Indicates a critical condition
errors – Numerical severity 3. Indicates an error condition
warnings – Numerical severity 4. Indicates a warning condition
notifications – Numerical severity 5. Indicates a normal but significant condition
informational – Numerical severity 6. Indicates an informational condition
debugging – Numerical severity 7. Debugging messages

• ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [drop-only]

dos – Identifies IP events as DoS events
ascend – Optional. Enables an ASCEND DoS check. Ascend routers listen on UDP port 9 for packets from Ascend's Java Configurator. Sending a formatted packet to this port can cause an Ascend router to crash.
broadcast-multicast-icmp – Optional. Detects broadcast or multicast ICMP packets as an attack
chargen – Optional. The Character Generation Protocol (chargen) is an IP suite service primarily used for testing and debugging networks. It is also used as a source of generic payload for bandwidth and QoS measurements.
fraggle – Optional. The Fraggle DoS check looks for UDP packets to or from port 7 or 19
ftp-bounce – Optional. An FTP bounce attack is a MIM attack that enables an attacker to open a port on a different machine using FTP. FTP requires that when a connection is requested by a client on the FTP port (21), another connection must open between the server and the client. To confirm, the PORT command has the client specify an arbitrary destination machine and port for the data connection. This is exploited by the attacker to gain access to a device that may not be the originating client.
invalid-protocol – Optional. Enables a check for an invalid protocol number
ip-ttl-zero – Optional. Enables a check for the TCP/IP TTL field having a value of zero (0)
ipspoof – Optional. Enables a check for IP spoofing DoS attacks
land – Optional. A Local Area Network Denial (LAND) is a DoS attack where IP packets are spoofed and sent to a device where the source IP and destination IP of the packet are the target device’s IP, and similarly, the source port and destination port are open ports on the same device. This causes the attacked device to reply to itself continuously.
option-route – Optional. Enables an IP Option Record Route DoS check
router-advt – Optional. This is an attack where a default route entry is added remotely to a device. This route entry is given preference, and thereby exposes an attack vector.
router-solicit – Optional. Router solicitation messages are sent to locate routers as a form of network scanning. This information can then be used to attack a device.
smurf – Optional. In this attack, a large number of ICMP echo packets are sent with a spoofed source address. This causes the device with the spoofed source address to be flooded with a large number of replies.
snork – Optional. This attack causes a remote Windows™ NT to consume 100% of the CPU’s resources. This attack uses a UDP packet with a destination port of 135 and a source port of 7, 9, or 135. This attack can also be exploited as a bandwidth consuming attack.
tcp-bad-sequence – Optional. A DoS attack that uses a specially crafted TCP packet to cause the targeted device to drop all subsequent network traffic for a specific TCP connection
tcp-fin-scan – Optional. A FIN scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports.
tcp-intercept – Optional. Prevents TCP intercept attacks by using TCP SYN cookies
tcp-null-scan – Optional. A TCP null scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports.
tcp-post-syn – Optional. Enables a check for TCP post SYN DoS attacks
tcp-sequence-past-window – Optional. Enables a TCP SEQUENCE PAST WINDOW DoS attack check. Disable this check to work around a bug in Windows XP's TCP stack which sends data past the window when conducting a selective ACK.
tcp-xmas-scan – Optional. A TCP XMAS scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports.
tcphdrfrag – Optional. A DoS attack where the TCP header spans IP fragments
twinge – Optional. A twinge attack is a flood of false ICMP packets to try and slow down a system
udp-short-hdr – Optional. Enables the identification of truncated UDP headers and UDP header length fields
winnuke – Optional. This DoS attack is specific to Windows™ 95 and Windows™ NT, causing devices to crash with a blue screen
drop-only – Optional. Drops a packet without logging

• ip dos tcp-max-incomplete [high|low] <1-1000>

dos – Identifies IP events as DoS events
tcp-max-incomplete – Sets the limits for the maximum number of incomplete TCP connections
high – Sets the upper limit for the maximum number of incomplete TCP connections
low – Sets the lower limit for the maximum number of incomplete TCP connections
<1-1000> – Sets the range limit from 1 - 1000 connections

• ip tcp adjust-mss <472-1460>

tcp – Identifies and configures TCP events and configuration items
adjust-mss – Adjusts the TCP Maximum Segment Size (MSS). Use this option to adjust the MSS for TCP segments on the router.
<472-1460> – Sets the TCP MSS value from 472 - 1460 bytes. The default is 472 bytes.

• ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]

tcp – Identifies and configures TCP events and configuration items
optimize-unnecessary-resends – Enables the validation of unnecessary TCP packets
recreate-flow-on-out-of-state-syn – Allows a TCP SYN packet to delete an old flow in TCP_FIN_FIN_STATE, and TCP_CLOSED_STATE states and create a new flow
validate-icmp-unreachable – Enables the validation of the sequence number in ICMP unreachable error packets, which abort an established TCP flow
validate-rst-ack-number – Enables the validation of the acknowledgment number in RST packets, which abort a TCP flow
validate-rst-seq-number – Enables the validation of the sequence number in RST packets, which abort an established TCP flow

Example
rfs6000-37FABE(config-rw-policy-test)#ip dos fraggle drop-only
rfs6000-37FABE(config-rw-policy-test)#ip dos tcp-max-incomplete high 600
rfs6000-37FABE(config-rw-policy-test)#ip dos tcp-max-incomplete low 60
rfs6000-37FABE(config-fw-policy-test)#ip dos tcp-sequence-past-window drop-only
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#

Related Commands
no – Resets firewall policy IP components
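
Several of the ip dos checks above are defined by header fields alone, so they can be reproduced offline when validating what a policy should log. The classifier below is an added example, not code from this guide or from WiNG: the function names and the sample packets are constructed, the FIN+PSH+URG definition of an XMAS scan and the tcphdrfrag test are assumptions the guide does not spell out, and `land` tests only the source/destination address match.

```python
import socket
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20
TCP, UDP = 6, 17


def classify(pkt):
    """Return the names of the `ip dos` checks that a raw IPv4 packet matches."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ["not-ipv4"]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    more_frags = bool(flags_frag & 0x2000)
    frag_bytes = (flags_frag & 0x1FFF) * 8      # fragment offset in bytes
    ttl, proto = pkt[8], pkt[9]
    l4 = pkt[ihl:]
    hits = []
    if ttl == 0:                                # ip-ttl-zero: TTL field is 0
        hits.append("ip-ttl-zero")
    if pkt[12:16] == pkt[16:20]:                # land: source IP equals destination IP
        hits.append("land")
    if proto == TCP:
        hits += _tcp_checks(l4, frag_bytes, more_frags)
    elif proto == UDP and frag_bytes == 0:      # ports exist only in the first fragment
        hits += _udp_checks(l4, more_frags)
    return hits


def _tcp_checks(l4, frag_bytes, more_frags):
    # tcphdrfrag (assumed test): the 20-byte TCP header is split across fragments.
    if 0 < frag_bytes < 20 or (frag_bytes == 0 and more_frags and len(l4) < 20):
        return ["tcphdrfrag"]
    if frag_bytes or len(l4) < 20:
        return []                               # later fragment or truncated: no flags
    flags = l4[13] & 0x3F
    if flags == 0:                              # tcp-null-scan: no flags set
        return ["tcp-null-scan"]
    if flags == FIN:                            # tcp-fin-scan: only FIN set
        return ["tcp-fin-scan"]
    if flags == FIN | PSH | URG:                # tcp-xmas-scan (assumed flag set)
        return ["tcp-xmas-scan"]
    return []


def _udp_checks(l4, more_frags):
    if len(l4) < 8:                             # udp-short-hdr: truncated header
        return ["udp-short-hdr"]
    sport, dport, length = struct.unpack("!HHH", l4[:6])
    hits = []
    # udp-short-hdr: bad length field (skip the upper bound on a first fragment)
    if length < 8 or (not more_frags and length > len(l4)):
        hits.append("udp-short-hdr")
    if dport == 135 and sport in (7, 9, 135):   # snork, ports as listed in the guide
        hits.append("snork")
    if sport in (7, 19) or dport in (7, 19):    # fraggle: UDP to or from port 7 or 19
        hits.append("fraggle")
    return hits


def ipv4(proto, payload, src="192.0.2.10", dst="192.0.2.20", ttl=64, flags_frag=0):
    """Build a constructed IPv4 packet (checksum left 0; classify() ignores it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header with the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def udp(sport, dport, data=b"", length=None):
    """Constructed UDP datagram; `length` overrides the header length field."""
    length = 8 + len(data) if length is None else length
    return struct.pack("!HHHH", sport, dport, length, 0) + data


def constructed_samples():
    """Constructed test packets (documentation addresses), one per signature."""
    return {
        "null scan": ipv4(TCP, tcp(0)),
        "fin scan": ipv4(TCP, tcp(FIN)),
        "xmas scan": ipv4(TCP, tcp(FIN | PSH | URG)),
        "normal syn": ipv4(TCP, tcp(SYN)),
        "land": ipv4(TCP, tcp(SYN, 80, 80), src="192.0.2.20", dst="192.0.2.20"),
        "snork": ipv4(UDP, udp(135, 135)),
        "fraggle": ipv4(UDP, udp(40000, 7, b"x")),
        "short udp": ipv4(UDP, udp(40000, 53, length=4)),
        "split tcp header": ipv4(TCP, tcp(SYN)[:8], flags_frag=0x2000),
    }


if __name__ == "__main__":
    for label, packet in constructed_samples().items():
        print(f"{label:18} {classify(packet)}")
```

Comparing this output with the events a test policy logs for the same traffic shows whether a check is actually enabled and set to log.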

13.1.9 ip-mac

Defines an action based on the device IP MAC table, and also detects conflicts between IP addresses and MAC addresses

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip-mac [conflict|routing]
ip-mac conflict drop-only
ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]
ip-mac routing conflict drop-only
ip-mac routing [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]

Parameters
• ip-mac conflict drop-only

conflict – Action performed when a conflict exists between the IP address and MAC address. This option is enabled by default.
drop-only – Drops a packet without logging

• ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]

conflict – Action performed when a conflict exists between the IP address and MAC address. This option is enabled by default.
log-and-drop – Logs the event and drops the packet. This is the default setting.
log-only – Logs the event only, the packet is not dropped
log-level – Configures the log level
<0-7> – Sets the numeric logging level
alerts – Numerical severity 1. Indicates a condition where immediate action is required
critical – Numerical severity 2. Indicates a critical condition
debugging – Numerical severity 7. Debugging messages
emergencies – Numerical severity 0. System is unusable
errors – Numerical severity 3. Indicates an error condition
informational – Numerical severity 6. Indicates an informational condition
notifications – Numerical severity 5. Indicates a normal but significant condition
warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.

• ip-mac routing conflict drop-only

routing – Enables IPMAC routing conflict detection. This is also known as a Hole-196 attack in the network. This feature helps to detect if the client is sending routed packets to the correct router-mac-address.
conflict – Defines the action performed when a routing table conflict is detected. This option is enabled by default.
drop-only – Drops a packet without logging

• ip-mac routing [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]

routing – Defines a routing table based action
conflict – Action performed when a conflict exists in the routing table. This option is enabled by default.
log-and-drop – Logs the event and drops the packet. This is the default setting.
log-only – Logs the event only, the packet is not dropped
log-level – Configures the log level to log this event under
<0-7> – Sets the numeric logging level
alerts – Numerical severity 1. Indicates a condition where immediate action is required
critical – Numerical severity 2. Indicates a critical condition
debugging – Numerical severity 7. Debugging messages
emergencies – Numerical severity 0. System is unusable
errors – Numerical severity 3. Indicates an error condition
informational – Numerical severity 6. Indicates an informational condition
notifications – Numerical severity 5. Indicates a normal but significant condition
warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.

Example
rfs6000-37FABE(config-rw-policy-test)#ip-mac conflict drop-only
rfs6000-37FABE(config-rw-policy-test)#ip-mac routing conflict log-and-drop log-level notifications
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 ip-mac conflict drop-only
 ip-mac routing conflict log-only log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#

Related Commands
no – Disables actions based on device IP MAC table, IP address, and MAC address conflict detection
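
The `show context` output above mixes drop-only actions (no event is logged), a log-only action (the packet is not dropped) and flow timeouts far above the documented defaults, which is easy to miss when reviewing a policy by eye. The script below is an added example, not part of this guide or of WiNG, that audits such output against the ranges and defaults documented in this chapter. The finding names, the 10x-default review threshold and the second sample policy are assumptions made for illustration.

```python
import re

# (min, max, default) in seconds for `flow timeout`, as documented in this guide.
FLOW_TIMEOUT = {
    "icmp": (1, 32400, 30),
    "other": (1, 32400, 30),
    "udp": (15, 32400, 30),
    "tcp close-wait": (1, 32400, 10),
    "tcp reset": (1, 32400, 10),
    "tcp setup": (1, 32400, 10),
    "tcp stateless-fin-or-reset": (1, 32400, 10),
    "tcp stateless-general": (1, 32400, 90),
    "tcp established": (15, 32400, 5400),
}
DNS_SNOOP_RANGE = (30, 86400)  # dns-snoop entry-timeout <30-86400>

FLOW_RE = re.compile(r"^flow timeout (.+) (\d+)$")
SNOOP_RE = re.compile(r"^dns-snoop entry-timeout (\d+)$")
INCOMPLETE_RE = re.compile(r"^ip dos tcp-max-incomplete (high|low) (\d+)$")
ACTION_RE = re.compile(r"^(.+?) (drop-only|log-only|log-and-drop)(?: log-level \S+)?$")


def audit(show_context, factor=10):
    """Return (finding, subject) tuples for one firewall-policy context.

    factor is a hypothetical review threshold: timeouts above factor times
    the documented default are reported as long-timeout.
    """
    findings, incomplete = [], {}
    for raw in show_context.splitlines():
        line = raw.strip()
        if not line or line.startswith("firewall-policy "):
            continue
        if line.startswith("no "):                      # a check was switched off
            findings.append(("check-disabled", line[3:]))
            continue
        m = FLOW_RE.match(line)
        if m and m.group(1) in FLOW_TIMEOUT:
            lo, hi, default = FLOW_TIMEOUT[m.group(1)]
            value, subject = int(m.group(2)), "flow timeout " + m.group(1)
            if not lo <= value <= hi:
                findings.append(("out-of-range", subject))
            elif value > factor * default:
                findings.append(("long-timeout", subject))
            continue
        m = SNOOP_RE.match(line)
        if m:
            if not DNS_SNOOP_RANGE[0] <= int(m.group(1)) <= DNS_SNOOP_RANGE[1]:
                findings.append(("out-of-range", "dns-snoop entry-timeout"))
            continue
        m = INCOMPLETE_RE.match(line)
        if m:
            incomplete[m.group(1)] = int(m.group(2))
            continue
        m = ACTION_RE.match(line)
        if m and m.group(2) == "drop-only":
            findings.append(("no-log", m.group(1)))       # dropped, no event logged
        elif m and m.group(2) == "log-only":
            findings.append(("not-dropped", m.group(1)))  # logged, packet not dropped
    if ("high" in incomplete and "low" in incomplete
            and incomplete["low"] >= incomplete["high"]):
        findings.append(("bad-thresholds", "ip dos tcp-max-incomplete"))
    return findings


# The `show context` output from the ip-mac example in this guide.
GUIDE_SAMPLE = """\
firewall-policy test
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 ip-mac conflict drop-only
 ip-mac routing conflict log-only log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
"""

# Constructed policy text (not from the guide), e.g. a hand-edited template.
CONSTRUCTED_SAMPLE = """\
firewall-policy branch
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 50
 ip dos tcp-max-incomplete low 60
 flow timeout udp 5
 dns-snoop entry-timeout 10
"""

if __name__ == "__main__":
    for name, text in (("guide", GUIDE_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        print(name)
        for finding, subject in audit(text):
            print(f"  {finding:15} {subject}")
```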

13.1.10 ipv6

Configures IPv6 components on this firewall policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6 [dos|duplicate-options|firewall|option|rewrite-flow-label|routing-type|strict-ext-hdr-check|unknown-options]
ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility} [drop-only|log-and-drop|log-only]
ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options] [drop-only|log-and-drop|log-only]
ipv6 option {endpoint-identification|network-service-access-point|router-alert|strict-hao-opt-alert|strict-padding} [drop-only|log-and-drop|log-only]
ipv6 [firewall enable|rewrite-flow-label]

Parameters
• ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility} [drop-only|log-and-drop|log-only]

dos – Identifies IPv6 events as DoS events
hop-limit-zero – Optional. Enables checking of the IPv6 hop limit field. If the IPv6 hop limit field is ZERO (0), it is considered an attack. This option is enabled by default.
multicast-icmpv6 – Optional. Enables detection of multicast ICMPv6 traffic as an attack. This option is applicable only to ICMPv6 Echo request or reply packets. This option is enabled by default.
tcp-intercept-mobility – Optional. Enables detection of IPv6 TCP packets with mobility option "HAO(Home-Address-Option)" or "RH(Routing Header) type two". When enabled, this option also detects the “don't generate TCP syn cookies” for such packets. This option is enabled by default.
drop-only – This parameter is common to all of the above keywords. Drops all packets. Drops the specified packet type (hop-limit-zero, multicast-icmpv6, and tcp-intercept-mobility).
log-and-drop – Logs the event and drops the packet. Drops the specified packet type (hop-limit-zero, multicast-icmpv6, and tcp-intercept-mobility) and logs an event.
log-only – Logs the event only, the packet is not dropped. Does not drop the specified packet type (hop-limit-zero, multicast-icmpv6, and tcp-intercept-mobility). But, an event is logged.
log-level – If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are:
• <0-7> – Sets the numeric logging level
• alerts – Numerical severity 1. Indicates a condition where immediate action is required
• critical – Numerical severity 2. Indicates a critical condition
• debugging – Numerical severity 7. Debugging messages
• emergencies – Numerical severity 0. System is unusable
• errors – Numerical severity 3. Indicates an error condition
• informational – Numerical severity 6. Indicates an informational condition
• notifications – Numerical severity 5. Indicates a normal but significant condition
• warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.

• ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options] [drop-only|log-and-drop|log-only]

duplicate-options – Enables handling of duplicate options in hop-by-hop and destination option extension headers. This configuration excludes HAO handling. This option is enabled by default.
routing-type [one|two] – Enables checking of the following IPv6 routing types:
• one – Routing Type 1 (Nimrod routing). This option is disabled by default.
• two – Routing Type 2 (Mobile IP). This option is disabled by default.
strict-ext-hdr-check – Enables strict checking for out of order and number of occurrences of extension header. This option is enabled by default.
unknown-options – Enables handling unknown options in hop-by-hop and destination option extension headers. This option is enabled by default.
drop-only – This parameter is common to all of the above keywords. Drops all packets. Drops the packet if matching any of the above specified types.
log-and-drop – Logs the event and drops the packet. Drops the packet, if matching any of the above specified types, and logs an event.
log-only – Logs the event only, the packet is not dropped. Does not drop the packet, if matching any of the above specified types. But an event is logged.
log-level – If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are:
• <0-7> – Sets the numeric logging level
• alerts – Numerical severity 1. Indicates a condition where immediate action is required
• critical – Numerical severity 2. Indicates a critical condition
• debugging – Numerical severity 7. Debugging messages
• emergencies – Numerical severity 0. System is unusable
• errors – Numerical severity 3. Indicates an error condition
• informational – Numerical severity 6. Indicates an informational condition
• notifications – Numerical severity 5. Indicates a normal but significant condition
• warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.
FIREWALL-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide  13 - 24• ipv6 option {endpoint-identification|network-service-access-point|router-alert|strict-hao-opt-alert|strict-padding} [drop-only|log-and-drop|log-only]• ipv6 [firewall enable|rewrite-flow-label]Examplenx4500-5CFA2B(config-fw-policy-test)#ipv6 dos hop-limit-zero drop-onlynx4500-5CFA2B(config-fw-policy-test)#ipv6 routing-type two log-and-drop log-level warningsnx4500-5CFA2B(config-fw-policy-test)#show contextfirewall-policy test no ip dos tcp-sequence-past-window ipv6 routing-type two log-and-drop log-level warnings ipv6 dos hop-limit-zero drop-onlynx4500-5CFA2B(config-fw-policy-test)#option Enables checking for the following ipv6 extension header options: • End point identification option (disabled by default)• Network service access point address option (disabled by default)• Router alert option (disabled by default)• Home address option in destination option extension header (enabled by default)• Pad1 and PadN options validating (enabled by default)All of these are optional parameters. If no option is specified, the system enables checks as per the default values.drop-only This parameter is common to all of the above keywords.Drops all packets. Drops the packet if matching any of the above specified “option” types.log-and-drop Logs the event and drops the packet. Drops the packet, if matching any of the above specified “option” types, and logs an event.log-only Logs the event only, the packet is not dropped. Does not drop the packet, if matching any of the above specified “option” types. But an event is logged.log-level If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are:• <0-7> – Sets the numeric logging level• alerts – Numerical severity 1. Indicates a condition where immediate action is required• critical – Numerical severity 2. Indicates a critical condition• debugging – Numerical severity 7. 
Debugging messages• emergencies – Numerical severity 0. System is unusable• errors – Numerical severity 3. Indicates an error condition• informational – Numerical severity 6. Indicates a informational condition• notifications – Numerical severity 5. Indicates a normal but significant condition• warnings – Numerical severity 4. Indicates a warning condition. This is the default setting. firewall enable Enables IPv6 firewall. This option is enabled by default.rewrite-flow-label Rewrites the IPv6 flow label field of every packet. This option is disabled by default.
FIREWALL-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 13 - 25Related Commandsno Resets this firewall policy’s IPv6 components

13.1.11 ipv6-mac
firewall-policy
Defines an action based on conflicts detected in a device’s IPv6 and MAC addresses

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6-mac [conflict|routing]
ipv6-mac conflict [drop-only|log-and-drop|log-only]
ipv6-mac routing conflict [drop-only|log-and-drop|log-only]

Parameters
• ipv6-mac conflict [drop-only|log-and-drop|log-only]

conflict – Enables detection of conflict between a device’s IPv6 and MAC addresses. This option is enabled by default. This command also specifies the action to be performed when such a conflict is detected. The options are: drop-only, log-and-drop, and log-only
drop-only – Drops a packet (with conflicting IPv6 and MAC address) without logging
log-and-drop – Logs the event and drops the packet. This is the default setting.
log-only – Logs the event only, the packet is not dropped
log-level – If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are:
• <0-7> – Sets the numeric logging level
• alerts – Numerical severity 1. Indicates a condition where immediate action is required
• critical – Numerical severity 2. Indicates a critical condition
• debugging – Numerical severity 7. Debugging messages
• emergencies – Numerical severity 0. System is unusable
• errors – Numerical severity 3. Indicates an error condition
• informational – Numerical severity 6. Indicates an informational condition
• notifications – Numerical severity 5. Indicates a normal but significant condition
• warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.

• ipv6-mac routing conflict [drop-only|log-and-drop|log-only]

routing conflict – Enables detection of conflict between the next-hop’s IPv6 and MAC addresses. This option is enabled by default. This command also specifies the action to be performed when such a conflict is detected. The options are: drop-only, log-and-drop, and log-only
drop-only – Drops a packet (with conflicting next-hop IPv6 and MAC addresses) without logging
log-and-drop – Logs the event and drops the packet. This is the default setting.
log-only – Logs the event only, the packet is not dropped
log-level – If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are:
• <0-7> – Sets the numeric logging level
• alerts – Numerical severity 1. Indicates a condition where immediate action is required
• critical – Numerical severity 2. Indicates a critical condition
• debugging – Numerical severity 7. Debugging messages
• emergencies – Numerical severity 0. System is unusable
• errors – Numerical severity 3. Indicates an error condition
• informational – Numerical severity 6. Indicates an informational condition
• notifications – Numerical severity 5. Indicates a normal but significant condition
• warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.

Example
nx4500-5CFA2B(config-fw-policy-test)#ipv6-mac routing conflict drop-only
nx4500-5CFA2B(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 ipv6 routing-type two log-and-drop log-level warnings
 ipv6 dos hop-limit-zero drop-only
 ipv6-mac routing conflict drop-only
nx4500-5CFA2B(config-fw-policy-test)#

Related Commands
no – Disables actions based on device IPv6 MAC table, next-hop’s IPv6 and MAC address conflict detection

13.1.12 logging
firewall-policy
Configures enhanced firewall logging

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
logging [icmp-all|icmp-packet-drop|malformed-packet-drop|verbose]
logging icmp-all
logging verbose
logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited]

Parameters
• logging icmp-all

logging – Configures enhanced firewall logging parameters
icmp-all – Enables logging of all ICMPv4/v6 packets allowed by the firewall. This option is disabled by default.

• logging verbose

logging – Configures enhanced firewall logging parameters. This option is disabled by default.
verbose – Enables verbose logging

• logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited]

logging – Configures enhanced firewall logging parameters
icmp-packet-drop – Drops ICMP (ICMPv4 and ICMPv6) packets that do not pass sanity checks. The default is none.
malformed-packet-drop – Drops raw IP (IPv4 and IPv6) packets that do not pass sanity checks. The default is none.
all – Logs all messages
rate-limited – Enables rate-limited logging. This option sets the rate limit for log messages to one message every 20 seconds.

Example
rfs6000-37FABE(config-rw-policy-test)#logging verbose
rfs6000-37FABE(config-rw-policy-test)#logging icmp-packet-drop rate-limited
rfs6000-37FABE(config-rw-policy-test)#logging malformed-packet-drop all
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 ip-mac conflict drop-only
 ip-mac routing conflict log-only log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 logging icmp-packet-drop rate-limited
 logging malformed-packet-drop all
 logging verbose
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#

nx9500-6C8809(config-fw-policy-test2)#show context
firewall-policy test2
 no ip dos tcp-sequence-past-window
nx9500-6C8809(config-fw-policy-test2)#
nx9500-6C8809(config-fw-policy-test2)#logging icmp-all
nx9500-6C8809(config-fw-policy-test2)#show context
firewall-policy test2
 no ip dos tcp-sequence-past-window
 logging icmp-all
nx9500-6C8809(config-fw-policy-test2)

Related Commands
no – Disables enhanced firewall logging

13.1.13 no
firewall-policy
Negates a command or sets the default for firewall policy commands

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [acl-logging|alg|clamp|dhcp-offer-convert|dns-snoop|firewall|flow|ip|ip-mac|ipv6|ipv6-mac|logging|proxy-arp|proxy-nd|stateful-packet-inspection-l2|storm-control|virtual-defragmentation]
no [acl-logging|dhcp-offer-convert|proxy-arp|proxy-nd|stateful-packet-inspection-l2]
no alg [dns|facetime|ftp|pptp|sccp|sip|tftp]
no clamp tcp-mss
no dns-snoop entry-timeout
no firewall enable
no flow dhcp stateful
no flow timeout [icmp|other|udp]
no flow timeout tcp [closed-wait|established|reset|setup|stateless-fin-or-reset|stateless-general]
no ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke}
no ip tcp [adjust-mss|optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
no ip-mac conflict
no ip-mac routing conflict
no ipv6 [dos|duplicate-options|firewall|option|rewrite-flow-label|routing-type|strict-ext-hdr-check|unknown-options]
no ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility}
no ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options]
no ipv6 option {endpoint-identification|network-service-access-point|router-alert|strict-hao-opt-alert|strict-padding}
no ipv6 [firewall enable|rewrite-flow-label]
no logging [icmp-all|icmp-packet-drop|verbose|malformed-packet-drop]
no storm-control [arp|broadcast|multicast|unicast] {fe <1-4>|ge <1-8>|log|port-channel <1-8>|up1|wlan <WLAN-NAME>}
no virtual-defragmentation {maximum-fragments-per-datagram|minimum-first-fragment-length|maximum-defragmentation-per-host|timeout}

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Negates a command or sets the default for firewall policy commands.

Example
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 storm-control broadcast level 20000 ge 4
 storm-control arp log warnings
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 logging icmp-packet-drop rate-limited
 logging malformed-packet-drop all
 logging verbose
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#

rfs6000-37FABE(config-fw-policy-test)#no ip dos fraggle
rfs6000-37FABE(config-fw-policy-test)#no storm-control arp log
rfs6000-37FABE(config-fw-policy-test)#no dhcp-offer-convert
rfs6000-37FABE(config-fw-policy-test)#no logging malformed-packet-drop
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 no ip dos fraggle
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 storm-control broadcast level 20000 ge 4
 storm-control arp log none
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 logging icmp-packet-drop rate-limited
 logging verbose
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#

13.1.14 proxy-arp
firewall-policy
Enables the generation of ARP responses on behalf of another device. Proxy ARP allows the Firewall to handle ARP routing requests for devices behind the firewall. This option is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
proxy-arp

Parameters
None

Example
rfs6000-37FABE(config-fw-policy-test)#proxy-arp
rfs6000-37FABE(config-fw-policy-test)#

Related Commands
no – Disables the generation of ARP responses on behalf of another device

13.1.15 proxy-nd
firewall-policy
Enables generation of ND responses (for IPv6) on behalf of another device

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
proxy-nd

Parameters
None

Example
nx9500-6C8809(config-fw-policy-fw1)#proxy-nd
nx9500-6C8809(config-fw-policy-fw1)#

Related Commands
no – Disables the generation of ND responses on behalf of another device

13.1.16 stateful-packet-inspection-l2
firewall-policy
Enables layer 2 firewall stateful packet inspection. When enabled, allows stateful packet inspection for RF Domain manager routed interfaces within the layer 2 firewall. This option is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
stateful-packet-inspection-l2

Parameters
None

Example
rfs6000-37FABE(config-fw-policy-test)#stateful-packet-inspection-l2
rfs6000-37FABE(config-fw-policy-test)#

Related Commands
no – Disables stateful packet inspection in a layer 2 firewall

13.1.17 storm-control
firewall-policy
Enables storm control on the firewall policy

Storms are packet bombardments that exceed the high threshold value configured for an interface. During a storm, packets are throttled until the rate falls below the configured rate, severely impacting performance for the RF Domain manager interface.

Storm control limits multicast, unicast and broadcast frames accepted and forwarded by a device. Messages are logged based on their severity level.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
storm-control [arp|broadcast|multicast|unicast]
storm-control [arp|broadcast|multicast|unicast] [level|log]
storm-control [arp|broadcast|multicast|unicast] level <1-1000000> [fe <1-4>|ge <1-8>|port-channel <1-8>|up1|wlan <WLAN-NAME>]
storm-control [arp|broadcast|multicast|unicast] log [<0-7>|alerts|critical|debugging|emergencies|errors|informational|none|notifications|warnings]

Parameters
• storm-control [arp|broadcast|multicast|unicast] level <1-1000000> [fe <1-4>|ge <1-8>|port-channel <1-8>|up1|wlan <WLAN-NAME>]

arp – Configures storm control for ARP packets
broadcast – Configures storm control for broadcast packets
multicast – Configures storm control for multicast packets
unicast – Configures storm control for unicast packets
level <1-1000000> – Configures the allowed number of packets received per second before storm control begins
• <1-1000000> – Sets the number of packets received per second
fe <1-4> – Sets the FastEthernet port for storm control from 1 - 4
ge <1-8> – Sets the GigabitEthernet port for storm control from 1 - 8
port-channel <1-8> – Sets the port channel for storm control from 1 - 8
up1 – Sets the uplink interface
wlan <WLAN-NAME> – Configures the WLAN
• <WLAN-NAME> – Sets the WLAN ID for the storm control configuration

• storm-control [arp|bcast|multicast|unicast] log [<0-7>|alerts|critical|debugging|emergencies|errors|informational|none|notifications|warnings]

arp – Configures storm control for ARP packets
broadcast – Configures storm control for broadcast packets
multicast – Configures storm control for multicast packets
unicast – Configures storm control for unicast packets
log – Configures the storm control log level for storm control events
<0-7> – Sets the numeric logging level from 0 - 7
alerts – Numerical severity 1. Indicates a condition where immediate action is required
critical – Numerical severity 2. Indicates a critical condition
debugging – Numerical severity 7. Debugging messages
emergencies – Numerical severity 0. System is unusable
errors – Numerical severity 3. Indicates an error condition
informational – Numerical severity 6. Indicates an informational condition
none – Disables storm control logging
notifications – Numerical severity 5. Indicates a normal but significant condition
warnings – Numerical severity 4. Indicates a warning condition. This is the default setting.

Example
rfs6000-37FABE(config-fw-policy-test)#storm-control arp log warning
rfs6000-37FABE(config-fw-policy-test)#storm-control broadcast level 20000 ge 4
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 storm-control broadcast level 20000 ge 4
 storm-control arp log warnings
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 logging icmp-packet-drop rate-limited
 logging malformed-packet-drop all
 logging verbose
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#

Related Commands
no – Disables storm control limits on multicast, unicast, and broadcast frames accepted and forwarded by a device

13.1.18 virtual-defragmentation
firewall-policy
Enables the virtual de-fragmentation of IPv4 and IPv6 packets. This parameter is required for optimal firewall functionality and is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
virtual-defragmentation {maximum-defragmentation-per-host <1-16384>|maximum-fragments-per-datagram <2-8129>|minimum-first-fragment-length <8-1500>|timeout <1-60>}

Parameters
• virtual-defragmentation {maximum-defragmentation-per-host <1-16384>|maximum-fragments-per-datagram <2-8129>|minimum-first-fragment-length <8-1500>|timeout <1-60>}

maximum-defragmentation-per-host <1-16384> – Optional. Configures the maximum number of active defragmentations allowed per host before it is dropped (applicable to IPv4 and IPv6 packets)
• <1-16384> – Sets a value from 1 - 16384. The default is 8.
maximum-fragments-per-datagram <2-8129> – Optional. Configures the maximum number of fragments allowed in a datagram before it is dropped (applicable to IPv4 and IPv6 packets)
• <2-8129> – Sets a value from 2 - 8129. The default is 140.
minimum-first-fragment-length <8-1500> – Optional. Defines the minimum length required for the first fragment (applicable to IPv4 and IPv6 packets)
• <8-1500> – Sets a value from 8 - 1500 bytes. The default is 8 bytes.
timeout <1-60> – Optional. Configures a virtual defragmentation timeout, in seconds, applicable to both IPv4 and IPv6 packets
• <1-60> – Specify a value from 1 - 60 seconds. The default is 1 second.

Example
rfs6000-37FABE(config-fw-policy-test)#virtual-defragmentation maximum-fragments-per-datagram 10
rfs6000-37FABE(config-fw-policy-test)#virtual-defragmentation minimum-first-fragment-length 100

Related Commands
no – Resets values or disables virtual defragmentation settings
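
The action keywords documented in this chapter decide what a firewall policy leaves in the logs: drop-only drops without logging, log-only logs without dropping, "log none" turns storm-control logging off, and rate-limited logging emits one message every 20 seconds. The following is an added example, not part of the WiNG guide or its software: a Python audit of "show context" output that reports those lines. The function names and the sample policy (assembled from lines in this chapter's examples) are constructed for illustration.

```python
from collections import namedtuple

# Severity names and numbers as listed in the log-level tables of this chapter.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

Finding = namedtuple("Finding", "kind severity line")

# Constructed sample: lines taken from the "show context" examples in this chapter.
SAMPLE_CONTEXT = """\
firewall-policy test
 no ip dos fraggle
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 storm-control broadcast level 20000 ge 4
 storm-control arp log none
 ip-mac conflict drop-only
 ip-mac routing conflict log-only log-level notifications
 ipv6 routing-type two log-and-drop log-level warnings
 ipv6 dos hop-limit-zero drop-only
 logging icmp-packet-drop rate-limited
 logging malformed-packet-drop all
 logging verbose
"""


def log_severity(tokens):
    """Numeric severity a logging line uses, or None when logging is off."""
    if "log-level" in tokens:
        keyword = "log-level"
    elif tokens[0] == "storm-control" and "log" in tokens:
        keyword = "log"
    else:
        return SEVERITY["warnings"]        # documented default level
    position = tokens.index(keyword) + 1
    if position >= len(tokens):
        raise ValueError("missing level after " + keyword)
    value = tokens[position]
    if value == "none":                    # storm-control logging disabled
        return None
    if value.isdigit() and int(value) <= 7:
        return int(value)
    return SEVERITY[value]                 # KeyError on an unknown level name


def audit(context):
    """Return the lines of a firewall-policy context that affect visibility."""
    findings = []
    for raw in context.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "firewall-policy":
            continue
        line = " ".join(tokens)
        if tokens[0] == "no":
            # A negated command: the check or feature is off or back at default.
            findings.append(Finding("negated", None, line))
        elif "drop-only" in tokens:
            # Packet is dropped and no event is recorded.
            findings.append(Finding("dropped-unlogged", None, line))
        elif "log-only" in tokens:
            # Event is recorded but the packet is still forwarded.
            findings.append(Finding("logged-not-dropped", log_severity(tokens), line))
        elif (tokens[0] == "storm-control" and "log" in tokens
              and log_severity(tokens) is None):
            findings.append(Finding("logging-disabled", None, line))
        elif tokens[0] == "logging" and tokens[-1] == "rate-limited":
            # One log message every 20 seconds, per the logging command.
            findings.append(Finding("log-rate-limited", None, line))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONTEXT):
        print(f"{finding.kind:20} {finding.line}")
```
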

14 MINT-POLICY
This chapter summarizes MiNT policy commands in the CLI command structure.

All communication using the MiNT transport layer can be optionally secured. This includes confidentiality, integrity and authentication of all communications. In addition, a device can be configured to communicate over MiNT with other devices authorized by an administrator.

Use the (config) instance to configure mint-policy related configuration commands. To navigate to the config MiNT policy instance, use the following command:

<DEVICE>(config)#mint-policy global-default
rfs6000-37FABE(config-mint-policy-global-default)#?
Mint Policy Mode commands:
  level    Mint routing level
  lsp      LSP
  mtu      Configure the global Mint MTU
  no       Negate a command or set its defaults
  router   Mint router
  udp      Configure mint UDP/IP encapsulation
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-mint-policy-global-default)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

14.1 mint-policy
MINT-POLICY
The following table summarizes MiNT policy configuration commands:

Table 14.1 MiNT-Policy-Config Commands
Command   Description
level     Configures the MiNT routing level
lsp       Enables adding of checksum to LSP messages forwarded across MiNT links
mtu       Configures the global MiNT MTU
no        Negates a command or sets its default
router    Configures the priority for MiNT router packets (HELLO, LSP, PSNP, and EXTVLAN)
udp       Configures the MiNT UDP/IP encapsulation parameters

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

14.1.1 level
mint-policy
Configures the global MiNT routing level

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
level 2 area-id <1-16777215>

Parameters
• level 2 area-id <1-16777215>

level 2 – Configures level 2 inter-site MiNT routing
area-id <1-16777215> – Configures the routing area identifier
• <1-16777215> – Specify a value from 1 - 16777215.
The level 2 area ID is the global MiNT area identifier. This area identifier separates two overlapping MiNT networks. Configure the level 2 area ID only if there are two MiNT networks sharing the same packet broadcast domain.

Example
rfs6000-37FABE(config-mint-policy-global-default)#level 2 area-id 2000
rfs6000-37FABE(config-mint-policy-global-default)#show context
mint-policy global-default
 level 2 area-id 2000
rfs6000-37FABE(config-mint-policy-global-default)#

Related Commands
no – Disables level 2 MiNT packet routing (inter-site packet routing)

14.1.2 lsp
mint-policy
Enables adding of checksum to label-switched path (LSP) messages forwarded across MiNT links. When enabled, this option helps to verify integrity of LSP messages. LSP messages exchanged over MiNT links are often corrupted. These LSP corruptions cause inaccuracies in the Shortest Path First (SPF) calculation process, leading to access point adoption related issues. Enabling LSP checksum helps troubleshooting adoption-related issues.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
lsp checksum

Parameters
• lsp checksum

lsp checksum – Enables adding of checksum to LSP messages forwarded across MiNT links. When enabled, the integrity of LSP messages is verified by matching the LSP message checksum at the MiNT link end nodes. In case of a match the message is uncorrupted.

Example
nx4500-5CFA2B(config-mint-policy-global-default)#lsp checksum
nx4500-5CFA2B(config-mint-policy-global-default)#show context
mint-policy global-default
 lsp checksum
nx4500-5CFA2B(config-mint-policy-global-default)#

Related Commands
no – Disables adding of checksum to LSP messages forwarded across MiNT links

14.1.3 mtu
mint-policy
Configures the global MiNT Maximum Transmission Unit (MTU). Use this command to specify the maximum packet size, in bytes, for MiNT routing. The higher the MTU value, the greater the network efficiency: the user data per packet increases, while protocol overheads, such as headers or underlying per-packet delays, remain the same.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mtu <900-1500>

Parameters
• mtu <900-1500>

<900-1500> – Specifies the maximum packet size from 900 - 1500 bytes
The maximum packet size specified is rounded down to a value using the following formula: 4 + a multiple of 8.
The MTU setting specifies the maximum packet size used for MiNT packets. Larger packets are fragmented to fit within the specified packet size limit. You may want to configure this parameter if the MiNT backhaul network requires or recommends smaller packet sizes. The default value is 1500 bytes.

Example
rfs6000-37FABE(config-mint-policy-global-default)#mtu 1000
rfs6000-37FABE(config-mint-policy-global-default)#show context
mint-policy global-default
 mtu 996
 level 2 area-id 2
rfs6000-37FABE(config-mint-policy-global-default)#

Related Commands
no – Reverts the configured MiNT MTU value to its default (1500 bytes). Negates the configured maximum packet size for MiNT routing

14.1.4 router
mint-policy
Configures the priority for MiNT router packets (HELLO, LSP, PSNP, and EXTVLAN)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
router packet priority <0-7>

Parameters
• router packet priority <0-7>

router packet priority <0-7> – Allows you to configure the priority for MiNT router packets from 0 - 7. The default is 5. The higher the value, the higher the priority. Therefore, seven (7) represents the highest priority.

Example
rfs4000-229D58(config-mint-policy-global-default)#router packet priority 4
rfs4000-229D58(config-mint-policy-global-default)#show context
mint-policy global-default
 router packet priority 4
rfs4000-229D58(config-mint-policy-global-default)#

Related Commands
no – Reverts the MiNT router packet priority to default (5)

14.1.5 udp
mint-policy
Configures MiNT UDP/IP encapsulation parameters. Use this command to configure the default UDP port used for MiNT control packet encapsulation.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
udp port <2-65534>

Parameters
• udp port <2-65534>

port <2-65534> – Configures default UDP port used for MiNT control packet encapsulation
• <2-65534> – Enter a value from 2 - 65534. This value specifies an alternate UDP port used by MiNT control packets and must be an even number. The specified port number plus 1 is used to carry MiNT data packets. The default value is 24576.

Example
rfs6000-37FABE(config-mint-policy-global-default)#udp port 1024
rfs6000-37FABE(config-mint-policy-global-default)#show context
mint-policy global-default
 udp port 1024
 mtu 996
 level 2 area-id 2000
 sign-unknown-device
 security-level control-and-data
 rejoin-timeout 1000
rfs6000-37FABE(config-mint-policy-global-default)#

Related Commands
no – Reverts MiNT UDP/IP encapsulation to its default

14.1.6 no

Negates a command or reverts values to their default. When used in the config MiNT policy mode, the no command resets or reverts the following global MiNT policy parameters: routing level, MTU, router packet priority, and UDP or IP encapsulation settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [level|lsp|mtu|router|udp]
no level 2 area-id
no lsp checksum
no mtu
no router packet priority
no udp port <LINE-SINK>

Parameters
• no <PARAMETERS>

no <PARAMETERS> – The no command resets or reverts the following global MiNT policy parameters: routing level, MTU, router packet priority, and UDP or IP encapsulation settings.

Example
The following example shows the global Mint Policy parameters before the ‘no’ commands are executed:

rfs6000-37FABE(config-mint-policy-global-default)#show context
mint-policy global-default
 udp port 1024
 mtu 996
 level 2 area-id 2000
 sign-unknown-device
 security-level control-and-data
 rejoin-timeout 1000
rfs6000-37FABE(config-mint-policy-global-default)#

rfs6000-37FABE(config-mint-policy-global-default)#no level 2 area-id
rfs6000-37FABE(config-mint-policy-global-default)#no mtu
rfs6000-37FABE(config-mint-policy-global-default)#no udp port

The following example shows the global Mint Policy parameters after the ‘no’ commands are executed:

rfs6000-37FABE(config-mint-policy-global-default)#show context
mint-policy global-default
 sign-unknown-device
 security-level control-and-data
 rejoin-timeout 1000
rfs6000-37FABE(config-mint-policy-global-default)#

15 MANAGEMENT-POLICY

This chapter summarizes management policy commands in the CLI command structure.

A management policy contains configuration elements for managing a device, such as access control, SNMP, admin user credentials, and roles.

A controller (wireless controller, access point, or service platform) uses mechanisms to allow or deny device access to separate interfaces and protocols (HTTP, HTTPS, FTP, Telnet, SSH or SNMP). Management access can be enabled or disabled as required for unique policies. The management access functionality is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces.

Controllers and service platforms can be managed using multiple interfaces (SNMP, CLI and Web UI). By default, management access is unrestricted, allowing management access to any enabled IP interface from any host using any enabled management service.

To enhance security, administrators can do the following:
• Restrict SNMP, CLI and Web UI access to specific hosts or subnets.
• Disable unused and insecure interfaces as required within managed access profiles. Disabling unused management services can dramatically reduce an attack footprint and free resources on managed devices.
• Provide authentication for management users.
• Apply access restrictions and permissions to management users.

Management restrictions can be applied to meet specific policies or industry requirements requiring that only certain devices or users be granted access to critical infrastructure devices. Management restrictions can also be applied to reduce the attack footprint of the device when guest services are deployed.

Access Points utilize a single management access policy, so ensure all the intended administrative roles, permissions, authentication and SNMP settings are correctly set. If an access point is functioning as a virtual controller AP, these are the access settings used by adopted access points of the same model as the virtual controller AP.

It is recommended to disable unused and insecure interfaces as required within managed access profiles. Disabling unused management services can dramatically reduce an attack footprint and free resources on managed devices.

Use the (config) instance to configure a management policy. To navigate to the config management policy instance, use the following commands:

<DEVICE>(config)#management-policy <POLICY-NAME>

To commit a management-policy, the policy must have at least one admin user account configured.

<DEVICE>(config-management-policy-<POLICY-NAME>)#user admin password 0 test role superuser access all
<DEVICE>(config-management-policy-<POLICY-NAME>)#
<DEVICE>(config-management-policy-<POLICY-NAME>)#?
Management Mode commands:
  aaa-login                Set authentication for logins
  allowed-locations        Add allowed locations
  banner                   Define a login banner
  ftp                      Enable FTP server
  http                     Hyper Text Terminal Protocol (HTTP)
  https                    Secure HTTP
  idle-session-timeout     Configure idle timeout for a configuration session
                           (GUI or CLI)
  ipv6                     IPv6 Protocol
  no                       Negate a command or set its defaults
  passwd-retry             Lockout user if too many consecutive login failures
  privilege-mode-password  Set the password for entering CLI privilege mode
  rest-server              Enable rest server for device on-boarding
                           functionality
  restrict-access          Restrict management access to the device
  snmp-server              SNMP
  ssh                      Enable ssh
  t5                       T5 configuration
  telnet                   Enable telnet
  user                     Add a user account

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal

<DEVICE>(config-management-policy-<POLICY-NAME>)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

15.1 management-policy

The following table summarizes management policy configuration commands:

Table 15.1 Management-Policy-Config Commands

Command                  Description
aaa-login                Configures login authentication settings
allowed-locations        Configures a user-role based access control to RF Domains and locations with respect to the NSight user interface (UI)
banner                   Configures the message of the day (motd) text
ftp                      Enables FTP on this management policy
http                     Enables HTTP on this management policy
https                    Enables HTTPS on this management policy
idle-session-timeout     Sets the interval after which an idle session is terminated
ipv6                     Restricts management access to specified hosts and/or subnets based on their IPv6 addresses and prefixes respectively
no                       Removes or resets this management policy’s settings
passwd-entry             Configures user-account lockout and unlock parameters
privilege-mode-password  Configures the CLI’s privilege mode access password
rest-server              Enables the Representational State Transfer (REST) server to facilitate device on-boarding
restrict-access          Restricts management access to a set of hosts or subnets
snmp-server              Sets the SNMP server settings on this management policy
ssh                      Enables SSH on this management policy
t5                       Configures SNMP server settings for T5 devices on this management policy. This command is available only on RFS4000, RFS6000, and NX95XX platforms.
telnet                   Enables Telnet on this management policy
user                     Creates a new user account
service                  Invokes service commands to troubleshoot or debug (config-if) instance configurations

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

15.1.1 aaa-login

Configures Authentication, Authorization and Accounting (AAA) authentication mode used with this management policy. The different modes are: local authentication and external RADIUS server authentication.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
aaa-login [local|radius|tacacs]
aaa-login local
aaa-login radius [external|fallback|policy]
aaa-login radius [external|fallback|policy <AAA-POLICY-NAME>]
aaa-login tacacs [accounting|authentication|authorization|fallback|policy]
aaa-login tacacs [accounting|authentication|authorization|fallback|policy <AAA-TACACS-POLICY-NAME>]

Parameters
• aaa-login local
• aaa-login radius [external|fallback|policy <AAA-POLICY-NAME>]

local – Sets local as the preferred authentication mode. Local authentication uses the local username database to authenticate a user.
Note: The AP6511 and AP6521 platforms do not support local RADIUS resource.
radius – Configures the RADIUS server parameters
Note: If local authentication is disabled, use this command to specify if the RADIUS server used is external, fallback, or specified by a AAA policy.
external – Configures external RADIUS server as the preferred authentication mode
fallback – Configures RADIUS server authentication as the primary authentication mode. When RADIUS server authentication fails, the system uses local authentication. This command configures local authentication as a backup mode.
policy <AAA-POLICY-NAME> – Associates a specified AAA policy with this management policy. The AAA policy determines if a client is granted access to the network.
• <AAA-POLICY-NAME> – Specify the AAA policy name (should be existing and configured).
Note: For more information on configuring AAA policy, see AAA-POLICY.

• aaa-login tacacs [accounting|authentication|authorization|fallback|policy <AAA-TACACS-POLICY-NAME>]

tacacs – Configures Terminal Access Controller Access-Control System (TACACS) server parameters
accounting – Configures TACACS accounting
authentication – Configures TACACS authentication
authorization – Configures TACACS authorization
fallback – Configures TACACS as the primary authentication mode. When TACACS authentication fails, the system uses local authentication. This command configures local authentication as a backup mode.
policy <AAA-TACACS-POLICY-NAME> – Associates a specified AAA TACACS policy with this management policy. TACACS policies control user access to devices and network resources while providing separate accounting, authentication, and authorization services.
• <AAA-TACACS-POLICY-NAME> – Specify the TACACS policy name (should be existing and configured).
Note: For more information on configuring AAA TACACS policy, see AAA-TACACS-POLICY.

Usage Guidelines
Use AAA login to determine whether management user authentication must be performed against a local user database or an external RADIUS server.

Example
rfs6000-37FABE(config-management-policy-test)#aaa-login radius external
rfs6000-37FABE(config-management-policy-test)#aaa-login radius policy test
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 aaa-login radius external
 aaa-login radius policy test
rfs6000-37FABE(config-management-policy-test)#

Related Commands
no – Removes the TACACS server settings

15.1.2 allowed-locations

Configures a user-role based access control to RF Domains and locations with respect to the NSight user interface (UI). When configured, this access control is enforced only on the NSight UI.

The WiNG and NSight applications may have the same users with different permissions defined in each application. Various user roles are supported in WiNG (superuser, system-admin, network-admin, security-admin, device-provisioning-admin, helpdesk and monitor). With NSight, a user logging into the NSight UI should also have an access control restriction based on the role they’re assigned. For example, a WiNG user with helpdesk privileges should have access to only the site (RF Domain) in which the helpdesk is situated, and the location tree should contain only one RF Domain. Similarly, when a user responsible for a set of sites logs in to NSight, their location tree needs to contain the RF Domains for which they’re responsible.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
allowed-locations <WORD> locations [NONE|ALL|<LIST-OF-LOCATIONS>]

Parameters
• allowed-locations <WORD> locations [NONE|ALL|<LIST-OF-LOCATIONS>]

NOTE: For more information on NSight-policy configuration, see nsight-policy.

allowed-locations <WORD> – Configures a location tag and associates a list of locations with the tag
• <WORD> – Provide a location tag not exceeding 32 characters in length.
locations [NONE|ALL|<LIST-OF-LOCATIONS>] – Associates locations with the location tag created above
• NONE – When specified, states that none of the locations are to be allowed access.
• ALL – When specified, states that all the locations are to be allowed access.
• <LIST-OF-LOCATIONS> – Specifies a list of locations or individual RF Domains. When specified, states that the specified list of locations or RF Domains is allowed access.

Example
nx9500-6C8809(config-management-policy-test)#allowed-locations Ecospace locations TechPubs ALL
nx9500-6C8809(config-management-policy-test)#allowed-locations TEST locations NONE
nx9500-6C8809(config-management-policy-test)#show context
management-policy test
 no telnet
 no http server
 https server
 ssh
 allowed-location TEST locations NONE
 allowed-location Ecospace locations TechPubs ALL
nx9500-6C8809(config-management-policy-test)##

Related Commands
no – Removes the allowed-locations configuration

15.1.3 banner

Configures the message of the day (motd) text. This text is displayed at login to clients connecting through Telnet or SSH.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
banner motd <LINE>

Parameters
• banner motd <LINE>

motd <LINE> – Sets the motd banner
• <LINE> – Enter the message string. The message string should not exceed 255 characters.

Example
rfs6000-37FABE(config-management-policy-test)#banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#

Related Commands
no – Removes the motd banner

15.1.4 ftp

Enables File Transfer Protocol (FTP) on this management policy. FTP is the standard protocol for transferring files over a TCP/IP network. FTP requires that administrators enter a valid username and password, which are authenticated locally. FTP access is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ftp {password|rootdir|username}
ftp {password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>]}
ftp {rootdir <DIR>}
ftp {username <USERNAME> password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>] rootdir <DIR>}

Parameters
• ftp {password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>]}
• ftp {rootdir <DIR>}
• ftp {username <USERNAME> password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>] rootdir <DIR>}

ftp password – Optional. Configures the FTP server password
1 <ENCRYPTED-PASSWORD> – Configures an encrypted password. Use this option when copy pasting the password from another device.
• <ENCRYPTED-PASSWORD> – Specify the password. The password should not exceed 63 characters in length.
<PASSWORD> – Configures a clear text password
ftp rootdir <DIR> – Optional. Configures the root directory for FTP logins
• <DIR> – Specify the root directory path. By default the root directory is set to flash:/
ftp username <USERNAME> – Optional. Configures a new user account on the FTP server. The FTP user file lists users with FTP server access.
• <USERNAME> – Specify the username. The username should not exceed 32 characters in length.
password 1 [<ENCRYPTED-PASSWORD>|<PASSWORD>] – Configures an encrypted password
• <ENCRYPTED-PASSWORD> – Specifies an encrypted password (use this option if copy pasting from another device). The password should not exceed 63 characters in length.
• <PASSWORD> – Configures a clear text password
rootdir <DIR> – After specifying the password, configure the FTP root directory.
• rootdir <DIR> – Configures the root directory for FTP logins. Specify the root directory path.

Usage Guidelines
The string size of an encrypted password (option 1, password is encrypted with a SHA1 algorithm) must be exactly 40 characters.

Example
rfs6000-37FABE(config-management-policy-test)#ftp username superuser password test@123 rootdir dir
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#

Related Commands
no – Disables FTP and its settings, such as the server password, root directory, and users

15.1.5 http

Enables Hyper Text Transport Protocol (HTTP) on this management policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
http server

Parameters
• http server

http server – Enables HTTP on this management policy. HTTP provides limited authentication and no encryption.

Example
rfs6000-37FABE(config-management-policy-test)#http server
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#

Related Commands
no – Disables HTTP on this management policy

15.1.6 https

Enables Hyper Text Transport Protocol Secure (HTTPS) on this management policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
https [server|sslv3|use-secure-ciphers-only]

Parameters
• https [server|sslv3|use-secure-ciphers-only]

https – Configures secure HTTP related parameters on this management policy
server – Enables HTTPS on this management policy. HTTPS provides both authentication and data encryption as opposed to just authentication. This option is enabled by default.
sslv3 – Enables the use of SSLv3 protocol to connect to a Web page. When enabled, SSLv2 Web authentication is disabled and the use of Web browsers supporting SSLv3, which is a more secure protocol, is enforced. This option is disabled by default.
use-secure-ciphers-only – Enables the use of TLS v1.2 ciphers to secure client-server network communications. When enabled, for HTTPS connections the TLS v1.2 protocol is used, instead of the less secure TLS v1.0 or TLS v1.1 protocols. This option is enabled by default.

NOTE: If a RADIUS server is not reachable, HTTPS management access to the controller or access point may be denied. RADIUS support is available locally on controllers and access points, with the exception of AP6511 and AP6522 models, which require an external RADIUS resource.

Example
rfs6000-37FABE(config-management-policy-test)#https server
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#

The following example shows that the ‘use-secure-ciphers-only’ option is enabled by default:

rfs6000-817379(config-management-policy-default)#show context include-factory |incl https
https server
no https sslv3
https use-secure-ciphers-only
rfs6000-817379(config-management-policy-default)#

Related Commands
no – Disables HTTPS on this management policy
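
The hardening advice from the chapter introduction (disable insecure management services, restrict access to specific hosts or subnets) can be checked against saved show context output. The Python script below is an added example, not part of this guide or of WiNG: the two sample contexts are constructed, the rule set is an assumption limited to statements documented in this chapter, and the Telnet, FTP and SSLv3 reasons are general protocol facts rather than text from the guide.

```python
import re

# CLI prompt lines, e.g. "rfs6000-37FABE(config-management-policy-test)#show context"
PROMPT = re.compile(r"^\S+\([^)]*\)#")

# (rule id, statement prefix, enabled-state that counts as a finding, reason)
RULES = [
    ("HTTP", "http server", True,
     "HTTP provides limited authentication and no encryption"),
    ("TELNET", "telnet", True,
     "Telnet carries the session, credentials included, in clear text"),
    ("FTP", "ftp", True,
     "FTP is disabled by default and sends credentials in clear text"),
    ("SSLV3", "https sslv3", True,
     "SSLv3 is disabled by default and is a deprecated protocol"),
    ("WEAK-TLS", "https use-secure-ciphers-only", False,
     "without this option HTTPS is not limited to TLS v1.2"),
]
RESTRICT_PREFIXES = ("restrict-access", "ipv6 restrict-access")

# Constructed sample: terminal paste of a permissive policy, prompts included.
WEAK_CONTEXT = """\
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 telnet
 http server
 https server
 https sslv3
 no https use-secure-ciphers-only
 ftp username superuser password 1 <ENCRYPTED-PASSWORD> rootdir dir
 no ssh
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#
"""

# Constructed sample: the same policy after hardening.
HARDENED_CONTEXT = """\
management-policy test
 no telnet
 no http server
 https server
 no https sslv3
 https use-secure-ciphers-only
 ssh
 ipv6 restrict-access subnet 2001:db8:11::/64 log denied-only
 idle-session-timeout 30
"""


def parse_context(text):
    """Return {statement: enabled} for one management-policy block.

    A leading "no " marks the statement as disabled. Prompt lines and the
    "management-policy <name>" header are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line) or line.startswith("management-policy "):
            continue
        enabled = not line.startswith("no ")
        settings[line if enabled else line[3:]] = enabled
    return settings


def matches(statement, prefix):
    """True if the statement is the prefix itself or the prefix plus arguments."""
    return statement == prefix or statement.startswith(prefix + " ")


def audit(text):
    """Return a list of (rule id, reason) findings for the pasted context.

    Only statements present in the text are evaluated, so feed it
    "show context include-factory" output when defaults must be checked too.
    """
    settings = parse_context(text)
    findings = []
    for rule_id, prefix, bad_state, reason in RULES:
        if any(matches(s, prefix) and on == bad_state for s, on in settings.items()):
            findings.append((rule_id, reason))
    restricted = any(
        on and any(matches(s, p) for p in RESTRICT_PREFIXES)
        for s, on in settings.items()
    )
    if not restricted:
        findings.append(("UNRESTRICTED",
                         "no restrict-access entry: management access is open to any host"))
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", WEAK_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(name)
        for rule_id, reason in audit(ctx) or [("OK", "no findings")]:
            print(f"  {rule_id}: {reason}")
```
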

15.1.7 idle-session-timeout

Configures a session’s idle timeout. An idle session is automatically terminated after the specified interval is exceeded.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
idle-session-timeout <1-4320>

Parameters
• idle-session-timeout <1-4320>

<1-4320> – Sets the interval, in minutes, after which an idle session is timed out. Specify a value from 1 - 4320 minutes. The default is 30 minutes.

Example
rfs6000-37FABE(config-management-policy-test)#idle-session-timeout 100
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 100
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#

Related Commands
no – Removes the configured idle session timeout value

15.1.8 ipv6

Restricts management access to specified hosts and/or subnets based on their IPv6 addresses and prefixes respectively

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6 restrict-access [host|ipv6-access-list|subnet]
ipv6 restrict-access host <IPv6> {log|subnet}
ipv6 restrict-access host <IPv6> {log [all|denied-only]}
ipv6 restrict-access host <IPv6> {subnet <IPv6-PREFIX> {log [all|denied-only]}}
ipv6 restrict-access ipv6-access-list <IPv6-ACCESS-LIST-NAME>
ipv6 restrict-access subnet <IPv6-PREFIX> {host|log}
ipv6 restrict-access subnet <IPv6-PREFIX> {log [all|denied-only]}
ipv6 restrict-access subnet <IPv6-PREFIX> {host <IPv6> {log [all|denied-only]}}

Parameters
• ipv6 restrict-access host <IPv6> {log [all|denied-only]}

host <IPv6> – Restricts management access to a specified host, based on the host’s IPv6 address
• <IPv6> – Specify the host’s IPv6 address.
log [all|denied-only] – Optional. Configures a logging policy for access requests
• all – Logs all access requests, both denied and permitted
• denied-only – Logs only denied access events (when a host is denied access)

• ipv6 restrict-access host <IPv6> {subnet <IPv6-PREFIX> {log [all|denied-only]}}

host <IPv6> – Restricts management access to a specified host, based on the host’s IPv6 address.
• <IPv6> – Specify the host’s IPv6 address.
subnet <IPv6-PREFIX> – Optional. Restricts access to the host on a specified IPv6 subnet
• <IPv6-PREFIX> – Specify the subnet’s IPv6 prefix in the X:X::X:X/M format.
log [all|denied-only] – Optional. Configures a logging policy for access requests
• all – Logs all access requests, both denied and permitted
• denied-only – Logs only denied access events (when a host/subnet is denied access)

• ipv6 restrict-access ipv6-access-list <IPv6-ACCESS-LIST-NAME>

ipv6-access-list <IPv6-ACCESS-LIST-NAME> – Uses an IPv6 Access Control List (ACL) to filter access requests. IPv6 ACLs filter/mark packets based on the IPv6 address from which they arrive. IPv6 hosts configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. An existing IPv6 ACL can be created and used in the management policy context to permit or deny access to specific hosts and/or subnets.
• <IPv6-ACCESS-LIST-NAME> – Specify the IPv6 ACL name.

• ipv6 restrict-access subnet <IPv6-PREFIX> {log [all|denied-only]}

subnet <IPv6-PREFIX> – Restricts management access to a specified IPv6 subnet
• <IPv6-PREFIX> – Specify the subnet’s IPv6 prefix in the X:X::X:X/M format.
log [all|denied-only] – Optional. Configures a logging policy for access requests
• all – Logs all access requests, both denied and permitted
• denied-only – Logs only denied access events (when a host/subnet is denied access)

• ipv6 restrict-access subnet <IPv6-PREFIX> {host <IPv6> {log [all|denied-only]}}

subnet <IPv6-PREFIX> – Restricts management access to a specified IPv6 subnet
• <IPv6-PREFIX> – Specify the subnet’s IPv6 prefix in the X:X::X:X/M format.
host <IPv6> – Optional. Restricts management access to a specific host within the specified subnet
• <IPv6> – Specify the host’s IPv6 address.
log [all|denied-only] – Optional. Configures a logging policy for access requests
• all – Logs all access requests, both denied and permitted
• denied-only – Logs only denied access events (when a host/subnet is denied access)

Example
rfs6000-37FABE(config-management-policy-test)#ipv6 restrict-access host 2001:fdbc:06cf:0011::13 subnet 2001:fdbc:06cf:0011::0/64 log all
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 ipv6 restrict-access host 2001:fdbc:06cf:0011::13 subnet 2001:fdbc:06cf:0011::0/64 log all
rfs6000-37FABE(config-management-policy-test)#

Related Commands
no – Removes management access restriction settings

15.1.9 no

Negates a command or reverts values to their default. When used in the config management policy mode, the no command negates or reverts management policy settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [aaa-login|allowed-locations|banner|ftp|http|https|idle-session-timeout|ipv6|passwd-entry|privilege-mode-password|rest-server|restrict-access|snmp-server|ssh|t5|telnet|user|service]
no aaa-login tacacs [accounting|authentication|authorization|fallback|policy]
no allowed-location <LOCATION-TAG>
no banner motd
no ftp {password|rootdir}
no http server
no https [server|sslv3|use-secure-ciphers-only]
no passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin]
no [idle-session-timeout|privilege-mode-password|rest-server|restrict-access]
no ipv6 restrict-access
no snmp-server [community|display-vlan-info-per-radio|enable|host|manager|max-pending-requests|request-timeout|suppress-security-configuration-level|throttle|user]
no snmp-server [community <WORD>|display-vlan-info-per-radio|enable traps|host <IP> {<1-65535>}|manager [all|v1|v2|v3]|max-pending-requests|request-timeout|suppress-security-configuration-level|throttle|user [snmpmanager|snmpoperator|snmptrap]]
no ssh {login-grace-time|port|use-key}
no t5 snmp-server [community|enable|host]
no [telnet|user <USERNAME>]
no service prompt crash-info

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Removes or reverts this management policy’s settings based on the parameters passed

Example
The following example shows the management policy ‘test’ settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 100
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#

rfs6000-37FABE(config-management-policy-test)#no banner motd
rfs6000-37FABE(config-management-policy-test)#no idle-session-timeout
rfs6000-37FABE(config-management-policy-test)#no http server

The following example shows the management policy ‘test’ settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
rfs6000-37FABE(config-management-policy-test)#
15.1.10 passwd-entry
management-policy

Configures user-account lockout and unlock parameters. Use this option to configure the maximum number of consecutive, failed login attempts allowed before an account is locked out, and the duration of lockout.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin] max-fail <1-100> lockout-time <0-600>

Parameters
• passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin] max-fail <1-100> lockout-time <0-600>

passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin] max-fail <1-100> lockout-time <0-600>
Configures user-role based account lockout criteria
• role – Select the user-role. The options are:
  • device-provisioning-admin
  • helpdesk
  • monitor
  • network-admin
  • security-admin
  • superuser
  • system-admin
  • vendor-admin
  • web-user-admin
• max-fail <1-100> – Specify the maximum number of consecutive, failed attempts allowed before an account is locked. Specify a value from 1 - 100.
• lockout-time <0-600> – Specify the maximum time, in minutes, for which an account remains locked. The value ‘0’ indicates that the account is permanently locked. Specify a value from 0 - 600 minutes.

When configured, the lockout is individually applied to each account within the specified role/roles. For example, consider the ‘monitor’ role having two users: ‘user1’ and ‘user2’. The max-fail and lockout-time are set at ‘5’ attempts and ‘10’ minutes respectively. In this scenario, user2 makes 5 consecutive, failed login attempts, and the user2 account is locked out for 10 minutes. However, during this lockout time the user1 account remains active.

Note: In the event-system-policy context, enable the ‘login-lockout’ and ‘login-unlocked’ event notifications to trigger e-mail or syslog notification to users when the login-lockout and login-unlock events occur. For more information, see event.
Example
rfs6000-817379(config-management-policy-default)#passwd-retry role monitor max-fail 5 lockout-time 10
rfs6000-817379(config-management-policy-default)#show con
management-policy default
 no telnet
 no http server
 https server
 ssh
 user admin password 1 979cfb9288837ee26d74d07b5ea328fd0e9a2b55cf5104649c2b496cc94e7003 role superuser access all
 passwd-retry role monitor max-fail 2 lockout-time 5
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
rfs6000-817379(config-management-policy-default)#

Related Commands
no    Removes the user-account lockout and unlock parameters configured here
15.1.11 privilege-mode-password
management-policy

Configures the CLI’s privilege mode access password. Use this option to strengthen security by enforcing a second level of authentication to access the privilege configuration mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
privilege-mode-password <PASSWORD/HASHED-STRING-ALIAS-NAME>

Parameters
• privilege-mode-password <PASSWORD/HASHED-STRING-ALIAS-NAME>

privilege-mode-password <PASSWORD/HASHED-STRING-ALIAS-NAME>
Configures the password required to enter the privilege configuration mode. When configured, users are prompted to provide the password when enabling the privilege configuration mode.
• <PASSWORD/HASHED-STRING-ALIAS-NAME> – Enter the password as clear text, or provide a hashed-string alias. If using a hashed-string alias, ensure that the alias exists and is configured.
Note, the clear text password is saved and displayed as a hashed string. Hashing is a means of establishing the integrity of transmitted messages. Before transmission, a hash of the message is generated, encrypted and sent along with the message. At the receiving end, the message and the hash are both decrypted, and another hash is generated from the received message. The two hashes are compared. If both are identical the message is considered to have been transmitted intact.

Note: For more information on configuring a hashed-string alias, see alias.

Example
The following example shows the privilege mode password being configured as a hashed string:

rfs6000-37FABE(config-management-policy-test)#privilege-mode-password 1 2e9f038ac2ed27f919ed5a4dceb3d30e32f356f2ceff6fbf26a153d0339c734f
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 privilege-mode-password 1 2e9f038ac2ed27f919ed5a4dceb3d30e32f356f2ceff6fbf26a153d0339c734f
rfs6000-37FABE(config-management-policy-test)#
Follow the steps below to configure a hashed-string alias and use it as a privilege mode password:

1 In the global-configuration context, create a hashed-string alias.

nx9500-6C8809(config)#alias hashed-string $PriMode Test12345
nx9500-6C8809(config)#show context | include alias
alias vlan $BLR-01 1
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
nx9500-6C8809(config)#

2 In the management-policy context, configure the hashed-string alias created in step 1 as the privilege mode password.

nx9500-6C8809(config-management-policy-test)#privilege-mode-password $PriMode
nx9500-6C8809(config-management-policy-default)#show context
management-policy default
 https server
 rest-server
 ssh
 user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
 snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
 privilege-mode-password $PriMode
nx9500-6C8809(config-management-policy-default)#

3 Confirm that the privilege mode is password protected.

nx9500-6C8809 login: admin
Password:
Feb 07 14:40:47 2017: %AUTH-6-INFO: login[28768]: user 'admin' on 'ttyS0' from 'Console' logged in
Feb 07 14:40:47 2017: nx9500-6C8809 : %SYSTEM-5-LOGIN: Successfully logged in user 'admin' with privilege 'superuser' from 'ttyS0'
nx9500-6C8809>en
Password:

Related Commands
no    Removes the configured CLI privilege mode access password
15.1.12 rest-server
management-policy

Enables the Representational State Transfer (REST) server. When enabled, the REST server allows vendor users access to the online device registration portal. All requests and responses to and from the on-boarding portal are handled by the REST server through RESTful Application Programming Interface (API) transactions. The REST server serves the Web pages used to associate a device’s MAC address with a specific vendor group.

Each vendor has a ‘vendor-admin’ user who is assigned a unique username/password credential for RADIUS server validation. Successfully validated vendor-admins can access the online device registration portal to on-board devices. For more information on vendor-admin user configuration, see user.

The REST server is enabled by default.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
rest-server

Parameters
None

Example
nx9500-6C8809(config-management-policy-testMNGTPolicy)#show context
management-policy testMNGTPolicy
 no telnet
 no http server
 https server
 rest-server
 ssh
nx9500-6C8809(config-management-policy-testMNGTPolicy)#

nx9500-6C8809(config-management-policy-testMNGTPolicy)#no rest-server
nx9500-6C8809(config-management-policy-testMNGTPolicy)#show context
management-policy testMNGTPolicy
 no telnet
 no http server
 https server
 no rest-server
 ssh
nx9500-6C8809(config-management-policy-testMNGTPolicy)#

Related Commands
no    Disables the REST server
15.1.13 restrict-access
management-policy

Restricts management access to a set of hosts or subnets.

Restricting remote access to a controller or service platform ensures only trusted hosts can communicate with enabled management services. This ensures only trusted hosts can perform management tasks and provides protection from brute force attacks from hosts attempting to break into the controller or service platform managed network.

Administrators can permit management connections to be established on any IP interface on the controller or service platform (including IP interfaces used to provide captive portal guest access). Administrators can restrict management access by limiting access to a specific host (IP address), subnet, or ACL on the controller or service platform.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
restrict-access [host|ip-access-list|subnet]
restrict-access host <IP> {log|subnet}
restrict-access host <IP> {log [all|denied-only]}
restrict-access host <IP> {subnet <IP/M> {log [all|denied-only]}}
restrict-access ip-access-list <IP-ACCESS-LIST-NAME>
restrict-access subnet <IP/M> {host|log}
restrict-access subnet <IP/M> {log [all|denied-only]}
restrict-access subnet <IP/M> {host <IP> {log [all|denied-only]}}

Parameters
• restrict-access host <IP> {log [all|denied-only]}

host <IP>    Restricts management access to a specified host, based on the host’s IPv4 address
  • <IP> – Specify the host’s IPv4 address.
log [all|denied-only]    Optional. Configures a logging policy for access requests
  • all – Logs all access requests, both denied and permitted
  • denied-only – Logs only denied access (when an access request is received from a host denied access, a record is logged)

• restrict-access host <IP> {subnet <IP/M> {log [all|denied-only]}}

host <IP>    Restricts management access to a specified host, based on the host’s IPv4 address
  • <IP> – Specify the host’s IPv4 address.
subnet <IP/M>    Optional. Restricts access to the host on a specified subnet
  • <IP/M> – Specify the subnet’s IPv4 address and mask in the A.B.C.D/M format.
log [all|denied-only]    Optional. Configures a logging policy for access requests.
  • all – Logs all access requests, both denied and permitted
  • denied-only – Logs only denied access events (when access request received from a host is denied)

• restrict-access ip-access-list <IP-ACCESS-LIST-NAME>

ip-access-list    Uses an IPv4 ACL to filter access requests
  IPv4 ACLs filter/mark packets based on the IPv4 address from which they arrive. IP and non-IP traffic, on the same layer 2 interface, can be filtered by applying an IPv4 ACL. Each IPv4 ACL contains a set of deny and/or permit rules. Each rule is specific to source and destination IPv4 addresses and the unique rules and precedence definitions assigned. When the network traffic matches the criteria specified in one of these rules, the action defined in that rule is used to determine whether the traffic is allowed or denied.
<IP-ACCESS-LIST-NAME>    Specify the IPv4 ACL name.

• restrict-access subnet <IP/M> {log [all|denied-only]}

subnet <IP/M>    Restricts management access to a specified subnet
  • <IP/M> – Specify the subnet’s IPv4 address and mask in the A.B.C.D/M format.
log [all|denied-only]    Optional. Configures a logging policy for access requests. Sets the log type generated for access requests
  • all – Logs all access requests, both denied and permitted
  • denied-only – Logs only denied access events (when access request received from a subnet is denied)

• restrict-access subnet <IP/M> {host <IP> {log [all|denied-only]}}

subnet <IP/M>    Restricts management access to a specified subnet
  • <IP/M> – Specify the subnet’s IPv4 address and mask in the A.B.C.D/M format
host <IP>    Optional. Uses the host IP address as a second filter
  • <IP> – Specify the host’s IPv4 address.
log [all|denied-only]    Optional. Configures a logging policy for access requests. Sets the log type generated for access requests
  • all – Logs all access requests, both denied and permitted
  • denied-only – Logs only denied access events (when access request received from a host within the specified subnet is denied)
Example
rfs6000-37FABE(config-management-policy-test)#restrict-access host 172.16.10.4 log denied-only
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.4 log denied-only
rfs6000-37FABE(config-management-policy-test)#

Related Commands
no    Removes device access restrictions
15.1.14 snmp-server
management-policy

Configures the Simple Network Management Protocol (SNMP) engine settings. SNMP is an application layer protocol that facilitates the exchange of management information between the controller and a managed device. SNMP-enabled devices listen on port 162 (by default) for SNMP packets from the controller’s management server. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices. The read-only community string gathers statistics and configuration parameters from a supported wireless device. The read-write community string is used by a management server to set device parameters. SNMP is generally used to monitor a system’s performance and other parameters.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
snmp-server [community|enable|display-vlan-info-per-radio|host|manager|max-pending-requests|request-timeout|suppress-security-configuration-level|throttle|user]
snmp-server community [0 <WORD>|2 <WORD>|<WORD>] [ro|rw] {ip-snmp-access-list <IP-SNMP-ACL-NAME>}
snmp-server enable traps
snmp-server host <IP> [v1|v2c|v3] {<1-65535>}
snmp-server manager [all|v1|v2|v3]
snmp-server [max-pending-requests {<64-1024>}|request-timeout {<2-720>}]
snmp-server [display-vlan-info-per-radio|throttle <1-100>|suppress-security-configuration-level [0|1]]
snmp-server user [snmpmanager|snmpoperator|snmptrap]
snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 [auth|encrypted]
snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 auth md5 [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 encrypted [auth md5|des auth md5] [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
Parameters
• snmp-server community [0 <WORD>|2 <WORD>|<WORD>] [ro|rw] {ip-snmp-access-list <IP-SNMP-ACL-NAME>}
• snmp-server enable traps
• snmp-server host <IP> [v1|v2c|v3] {<1-65535>}

community [0 <WORD>|2 <WORD>|<WORD>]    Sets the community string and associated access privileges. Define a public or private community designation. By default, SNMPv2 community strings on most devices are set to public for the read-only community string, and private for the read-write community string.
  • 0 <WORD> – Sets a clear text SNMP community string
  • 2 <WORD> – Sets an encrypted SNMP community string
  • <WORD> – Sets the SNMP community string
[ro|rw]    After configuring the SNMP community string, set the access permission for each community string used by devices to retrieve or modify information. Available options include:
  • ro – Assigns read-only access to the specified SNMP community (allows a remote device to retrieve information)
  • rw – Assigns read and write access to the specified SNMP community (allows a remote device to modify settings)
ip-snmp-access-list <IP-SNMP-ACL-NAME>    Optional. Associates an IP SNMP access list (should be existing and configured). The IP SNMP ACL sets the SNMP management station’s IP address. SNMP trap information is received at this address.
enable traps    Enables trap generation (using the trap receiver configuration defined). This feature is disabled by default. Enabling this feature ensures the dispatch of SNMP notifications to all hosts.
  In a managed network, the controller uses SNMP trap receivers to notify faults. SNMP traps are unsolicited notifications triggered by thresholds (or actions) on devices and are therefore an important fault management tool.
  A SNMP trap receiver is the destination of SNMP messages (external to the controller). A trap is like a Syslog message, just over another protocol (SNMP). A trap is generated when a device consolidates event information and transmits the information to an external repository. The trap contains several standard items, such as the SNMP version, community, etc.
  SNMP trap notifications exist for most controller operations, but not all are necessary for day-to-day operation.
host <IP>    Configures a host’s IP address. This is the external server resource dedicated to receiving SNMP traps on behalf of the controller.
[v1|v2c|v3]    Configures the SNMP version used to send the traps
  • v1 – Uses SNMP version 1. This option is disabled by default.
  • v2c – Uses SNMP version 2c. This option is disabled by default.
  • v3 – Uses SNMP version 3. This option is enabled by default.
<1-65535>    Optional. Configures the virtual port of the server resource dedicated to receiving SNMP traps
  • <1-65535> – Optional. Specify a value from 1 - 65535. The default port is 162.

• snmp-server manager [all|v1|v2|v3]
• snmp-server [max-pending-requests {<64-1024>}|request-timeout {<2-720>}]
• snmp-server [display-vlan-info-per-radio|throttle <1-100>|suppress-security-configuration-level [0|1]]

manager [all|v1|v2|v3]    Enables SNMP manager and specifies the SNMP version
  • all – Enables SNMP manager version v2 and v3
  • v1 – Enables SNMP manager version v1 only. SNMPv1 uses a simple password (“community string”). Data is unencrypted (clear text). Consequently it provides limited security, and should be used only inside LANs behind firewalls, not in WANs.
  • v2 – Enables SNMP manager version v2 only. SNMPv2 provides device management using a hierarchical set of variables. SNMPv2 uses Get, GetNext, and Set operations for data management. SNMPv2 is enabled by default.
  • v3 – Enables SNMP manager version v3 only. SNMPv3 adds security and remote configuration capabilities to previous versions. The SNMPv3 architecture introduces the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access control. The architecture supports the concurrent use of different security, access control and message processing techniques. SNMPv3 is enabled by default.
max-pending-requests {<64-1024>}    Sets the maximum number of requests that can be pending at any given time
  • <64-1024> – Optional. Specify a value from 64 - 1024. The default is 128.
request-timeout {<2-720>}    Sets the interval, in seconds, after which an error message is returned for a pending request
  • <2-720> – Optional. Specify a value from 2 - 720 seconds. The default is 240 seconds.
display-vlan-info-per-radio    Enables the display of the VLAN ID along with the radio interface ID
throttle <1-100>    Sets CPU usage for SNMP activities. Use this command to set the CPU usage from 1 - 100.
suppress-security-configuration-level [0|1]    Sets the level of suppression of SNMP security configuration information
  • 0 – If this option is selected, an empty string is returned for the SNMP request for security configuration information. Security configuration information consists of:
    • Passwords
    • Keys
    • Shared secrets
    The default setting is 0.
  • 1 – Suppresses the display of the policy, IP ACL, passwords, keys and shared secrets. If this option is selected, in addition to suppression from ‘Level 0’, an empty string is returned for a SNMP request on following items:
    • Management policies
    • IP ACL
    • Tables containing user names and community strings

• snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 auth md5 [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]

user [snmpmanager|snmpoperator|snmptrap]    Defines user access to the SNMP engine
  • snmpmanager – Sets user as a SNMP manager
  • snmpoperator – Sets user as a SNMP operator
  • snmptrap – Sets user as a SNMP trap user
v3 auth md5    Uses SNMP version 3 as the security model
  • auth – Uses an authentication protocol
  • md5 – Uses HMAC-MD5 algorithm for authentication
[0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]    Configures password using one of the following options:
  • 0 <PASSWORD> – Configures clear text password
  • 2 <ENCRYPTED-PASSWORD> – Configures encrypted password
  • <PASSWORD> – Specifies a password for authentication and privacy protocols

• snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 encrypted [auth md5|des auth md5] [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]

user [snmpmanager|snmpoperator|snmptrap]    Defines user access to the SNMP engine
  • snmpmanager – Sets user as a SNMP manager
  • snmpoperator – Sets user as a SNMP operator
  • snmptrap – Sets user as a SNMP trap user
v3 encrypted    Uses SNMP version 3 as the security model
  • encrypted – Uses encrypted privacy protocol
auth md5    Uses authentication protocol
  • auth – Sets authentication parameters
  • md5 – Uses HMAC-MD5 algorithm for authentication
des auth md5    Uses privacy protocol for user privacy
  • des – Uses CBC-DES for privacy
  After specifying the privacy protocol, specify the authentication mode.
  • auth – Sets user authentication parameters
  • md5 – Uses HMAC-MD5 algorithm for authentication
[0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]    The following are common to both the auth and des parameters:
  Configures password using one of the following options:
  • 0 <PASSWORD> – Configures a clear text password
  • 2 <ENCRYPTED-PASSWORD> – Configures an encrypted password
  • <PASSWORD> – Specifies a password for authentication and privacy protocols

Example
rfs6000-37FABE(config-management-policy-test)#snmp-server community snmp1 ro
rfs6000-37FABE(config-management-policy-test)#snmp-server host 172.16.10.23 v3 162
rfs6000-37FABE(config-management-policy-test)#commit
rfs6000-37FABE(config-management-policy-test)#snmp-server user snmpmanager v3 auth md5 test@123
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 snmp-server community snmp1 ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.2 log all
rfs6000-37FABE(config-management-policy-test)#

Related Commands
no    Disables or resets the SNMP server settings
15.1.15 ssh
management-policy

Enables Secure Shell (SSH) for this management policy.

SSH, like Telnet, provides a command line interface to a remote host. SSH transmissions are encrypted and authenticated, increasing the security of transmission. SSH access is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ssh {login-grace-time <60-300>|port <1-65535>}

Parameters
• ssh {login-grace-time <60-300>|port <1-65535>}

ssh    Enables SSH communication between client and server
login-grace-time <60-300>    Optional. Configures the login grace time. This is the interval, in seconds, after which an unsuccessful login is disconnected.
  • <60-300> – Specify a value from 60 - 300 seconds. The default is 60 seconds.
port <1-65535>    Optional. Configures the SSH port. This is the port used for SSH connections.
  • <1-65535> – Specify a value from 1 - 65535. The default port is 22.

NOTE: If a RADIUS server is not reachable, SSH management access to the controller or access point may be denied. RADIUS support is available locally on controllers and access points, with the exception of AP6511 and AP6522 models, which require an external RADIUS resource.

Example
rfs6000-37FABE(config-management-policy-test)#ssh port 162
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 ssh port 162
 snmp-server community snmp1 ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.2 log all
rfs6000-37FABE(config-management-policy-test)#

Related Commands
no    Resets SSH access port to factory default (port 22)
15.1.16 t5
management-policy

Configures SNMP server settings for T5 devices on this management policy.

A T5 controller is an external device that can be adopted and managed by a WiNG controller. When enabled as a supported external device, a T5 controller can provide data to WiNG to assist in its management within a WiNG supported subnet.

This command enables SNMP to communicate with T5 devices within the network. SNMP facilitates the exchange of management information between the controller or service platform and the T5 device. For more information, see snmp-server.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax
t5 snmp-server [community|contact|enable|host|location]
t5 snmp-server community <COMMUNITY-NAME> [ro|rw] <SNMP-STATION-IP>
t5 snmp-server contact <LINE>
t5 snmp-server enable [server|traps]
t5 snmp-server host <IP>
t5 snmp-server location <LINE>

Parameters
• t5 snmp-server community <COMMUNITY-NAME> [ro|rw] <SNMP-STATION-IP>
• t5 snmp-server contact <LINE>

community <COMMUNITY-NAME> [ro|rw]    Defines a public or private community designation. By default, SNMPv2 community strings on most devices are set to public, for the read-only community string, and private for the read-write community string.
  • <COMMUNITY-NAME> – Specify the SNMP community name, and configure the access permission for this community string (used by devices to retrieve or modify information).
  • ro – Allows a remote device to retrieve information only
  • rw – Allows a remote device to retrieve information and modify settings
<SNMP-STATION-IP>    Specify the SNMP management station IP address for receiving trap information
contact <LINE>    Configures the administrator of SNMP trap events for the T5 controller.
  • <LINE> – Specify the administrator’s name (should not exceed 64 characters).
• t5 snmp-server enable [server|traps]
• t5 snmp-server host <IP>
• t5 snmp-server location <LINE>

enable [server|traps]    Enables the following:
  • server – Enables the SNMP server. When enabled, the system accepts SNMP management data. This is enabled by default.
  • traps – Enables SNMP traps. When enabled, the system generates SNMP traps. This is enabled by default.
host <IP>    Configures the T5 SNMP host’s IP address. The SNMP host receives the SNMP notifications.
  • <IP> – Specify the SNMP host’s IP address.
location <LINE>    Configures the system location for SNMP traps.
  • <LINE> – Specify the SNMP trap location (should not exceed 64 characters).

Example
nx9500-6C8809(config-management-policy-test)#t5 snmp-server community lab rw 192.168.13.7
nx9500-6C8809(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 t5 snmp-server community lab rw 192.168.13.7
nx9500-6C8809(config-management-policy-test)#

Related Commands
no    Removes or reverts SNMP server configuration for T5 devices
15.1.17 telnet
management-policy

Enables Telnet. Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, but it does provide a measure of authentication. Telnet access is disabled by default.

By default Telnet, when enabled, uses Transmission Control Protocol (TCP) port 23. Use this command to change the TCP port.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
telnet {port <1-65535>}

Parameters
• telnet {port <1-65535>}

telnet    Enables Telnet
port <1-65535>    Optional. Configures the Telnet port. This is the port used for Telnet connections.
  • <1-65535> – Sets a value from 1 - 65535. The default port is 23.

Example
rfs6000-37FABE(config-management-policy-test)#telnet port 200
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 telnet port 200
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 ssh port 162
 snmp-server community snmp1 ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.2 log all
rfs6000-37FABE(config-management-policy-test)#

Related Commands
no    Disables Telnet
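The management-policy statements documented above (telnet, http server, snmp-server community and user, restrict-access, passwd-entry) can be reviewed offline from a saved 'show context' listing. The following auditor is an added example, not part of the WiNG guide or of Extreme Networks software; the rule names, severities, the SAMPLE listing and the treatment of '$NAME' values as alias references are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_COMMUNITIES = {"public", "private"}      # defaults named in the snmp-server section
LEGACY_SNMP = {"v1", "v2", "v2c"}                # version keywords other than v3
LOCKOUT_CMDS = {"passwd-entry", "passwd-retry"}  # the guide prints both spellings

# Constructed sample, modelled on the guide's 'show context' examples.
SAMPLE = """\
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 telnet port 200
 no http server
 https server
 ssh port 162
 snmp-server community snmp1 ro
 snmp-server community 0 private rw
 snmp-server community 0 $READ ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    statement: str  # offending statement with secrets redacted; "" for absence checks


def statements(show_context):
    """Return the policy statements, skipping CLI prompts and the policy header."""
    lines = (raw.strip() for raw in show_context.splitlines())
    return [s for s in lines if s and ")#" not in s and not s.startswith("management-policy ")]


def parse_community(args):
    """Split the tokens after 'community' into (type or None, name, access)."""
    if len(args) >= 3 and args[0] in ("0", "2") and args[2] in ("ro", "rw"):
        return args[0], args[1], args[2]
    if len(args) >= 2 and args[1] in ("ro", "rw"):
        return None, args[0], args[1]
    return None, (args[0] if args else ""), ""


def redact(stmt, secret):
    """Replace the secret token so findings can be logged or shared."""
    return " ".join("<redacted>" if t == secret else t for t in stmt.split())


def audit(show_context):
    findings, enabled = [], set()

    def add(severity, rule, statement=""):
        findings.append(Finding(severity, rule, statement))

    for stmt in statements(show_context):
        tok = stmt.split()
        if tok[0] == "no":                    # negated statements switch a feature off
            continue
        enabled.add(tok[0])
        if tok[0] == "t5" and len(tok) > 1:   # 't5 snmp-server community' has the same shape
            tok = tok[1:]
        if tok[0] == "telnet":
            add("high", "telnet-enabled", stmt)
        elif tok[:2] == ["http", "server"]:
            add("high", "http-enabled", stmt)
        elif tok[:2] == ["snmp-server", "community"]:
            ctype, name, access = parse_community(tok[2:])
            shown = redact(stmt, name)
            if name in DEFAULT_COMMUNITIES:
                add("high", "snmp-default-community", shown)
            if access == "rw":
                add("medium", "snmp-rw-community", shown)
            # Assumption: a '$NAME' value is an alias reference, not a literal secret.
            if ctype == "0" and not name.startswith("$"):
                add("medium", "cleartext-secret", shown)
        elif tok[:2] == ["snmp-server", "user"] and "md5" in tok:
            rest = tok[tok.index("md5") + 1:]
            if len(rest) == 2 and rest[0] == "0" and not rest[1].startswith("$"):
                add("medium", "cleartext-secret", redact(stmt, rest[1]))
        elif tok[:2] in (["snmp-server", "host"], ["snmp-server", "manager"]):
            if LEGACY_SNMP & set(tok[2:]):
                add("medium", "snmp-legacy-version", stmt)
        elif "password" in tok:               # 'user ...' and 'ftp username ...' lines
            i = tok.index("password")
            if tok[i + 1:i + 2] == ["0"] and len(tok) > i + 2:
                add("medium", "cleartext-secret", redact(stmt, tok[i + 2]))
    if "restrict-access" not in enabled:
        add("medium", "mgmt-access-unrestricted")
    if not LOCKOUT_CMDS & enabled:
        add("low", "no-login-lockout")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.severity:6} {f.rule:26} {f.statement}")
```

Findings carry the statement with the community string or password replaced by <redacted>, so the report can be filed in a ticket without copying the secret out of the configuration.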
15.1.18 user
management-policy

Adds a new user account. Use this option to add a new user, and define the role, access type, and allowed locations assigned to the user.

Management services like Telnet, SSHv2, HTTP, HTTPS and FTP require users (administrators) to enter a valid username and password, which is authenticated locally or centrally on a RADIUS server. SNMPv3 also requires a valid username and password, which is authenticated by the SNMPv3 module. For CLI users, the controller or service platform also requires user role information to know what permissions to assign.
• If local authentication is used, associated role information is defined on the controller or service platform when the user account is created.
• If RADIUS is used, role information is supplied by RADIUS using vendor-specific return attributes. If no role information is supplied by RADIUS, the controller or service platform applies default read-only permissions.

Administrators can limit users to specific management interfaces. During authentication, the controller or service platform looks at the user’s access assignment to determine if the user has permissions to access an interface:
• If local authentication is used, role information is defined on the controller or service platform when the user account is created.
• If RADIUS is used, role information is supplied by RADIUS using vendor-specific return attributes.

The controller or service platform authenticates users using the integrated local database. When user credentials are presented, the controller or service platform validates the username and password against the local database and assigns permissions based on the associated roles assigned. The controller or service platform can also deny the authentication request if the user is attempting to access a management interface not specified in the account’s access mode list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin]
user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin] access [all|console|ssh|telnet|web] ({allowed-locations <ALLOWED-LOCATIONS>})
user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role vendor-admin group <VENDOR-GROUP-NAME>
Parameters
• user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin] access [all|console|ssh|telnet|web] ({allowed-locations <ALLOWED-LOCATIONS>})

user <USERNAME>
  Adds a new user account to this management policy
  • <USERNAME> – Sets the username. This is a mandatory field and cannot exceed 32 characters. Assign a name representative of the user and the intended role.
password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>]
  Configures a password
  • 0 <PASSWORD> – Sets a clear text password
  • 1 <SHA1-PASSWORD> – Sets the SHA1 hash of the password
  • <PASSWORD> – Sets the password
role
  Configures the user role. The options are:
  • device-provisioning-admin – Device provisioning administrator. Has privileges to update (provision) device configuration files or firmware. Such updates run the risk of overwriting and losing a device's existing configuration unless the configuration is properly archived.
  • helpdesk – Helpdesk administrator. Performs troubleshooting tasks, such as run troubleshooting utilities (like a sniffer), view/retrieve logs, clear statistics, reboot, create and copy technical support dumps. The helpdesk administrator can also create a guest user account and password for registration. However, the helpdesk admin cannot execute controller or service platform reloads.
  • monitor – Monitor. Has read-only access to the system. Can view configuration and statistics except for secret information.
  • network-admin – Network administrator. Manages layer 2, layer 3, Wireless, RADIUS server, DHCP server, and Smart RF
  • security-admin – Security administrator. Modifies WLAN keys and passphrases
  • superuser – Superuser. Has full access, including halt and delete startup-config
  • system-admin – System administrator. Upgrades image, boot partition, time, and manages admin access
  • web-user-admin – Web user administrator. This role is used to create guest users and credentials. The Web user admin can access only the custom GUI screen and does not have access to the normal CLI and GUI.
access [all|console|ssh|telnet|web]
  Configures the access type
  • all – Allows all types of access: console, SSH, Telnet, and Web
  • console – Allows console access only
  • ssh – Allows SSH access only
  • telnet – Allows Telnet access only
  • web – Allows Web access only
allowed-locations <ALLOWED-LOCATIONS>
  Optional. This keyword is recursive. It configures a list of locations (either as a path or a RF Domain) to which this user is allowed access.
  • <ALLOWED-LOCATIONS> – Specify the allowed locations.
  Note: Use this option to configure a list of RF Domains or its tree nodes to which this user is allowed access with respect to the Nsight policy.
  Note: This option is not applicable to the user role ‘web-user-admin’.
• user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role vendor-admin group <VENDOR-GROUP-NAME>

user <USERNAME>
  Adds a new user account to this management policy
  • <USERNAME> – Sets the username. This is a mandatory field and cannot exceed 32 characters. Assign a name representative of the user and the intended role.
password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>]
  Configures a password
  • 0 <PASSWORD> – Sets a clear text password
  • 1 <SHA1-PASSWORD> – Sets the SHA1 hash of the password
  • <PASSWORD> – Sets the password
role vendor-admin
  Configures this user’s role as vendor-admin. Once created, the vendor-admin can access the online device-registration portal to add devices to the RADIUS vendor group to which he/she belongs. Vendor-admins have only Web access to the device registration portal.
  The WiNG software allows multiple vendors to securely on-board their devices through a single SSID. Each vendor has a ‘vendor-admin’ user who is assigned a unique, username/password credential for RADIUS server validation. Successfully validated vendor-admins can on-board their devices, which are, on completion of the on-boarding process, immediately placed on the vendor-allowed VLAN. On subsequent associations with this SSID, registered devices are dynamically placed into the vendor-allowed VLAN.
  If assigning the vendor-admin role, provide the vendor's group name for RADIUS authentication. The vendor's group takes precedence over the statically configured group for device registration.
  Note: Use the service > show > wireless > credential-cache command to view on-boarded device’s VLAN assignment.
  Note: Ensure that the REST server is enabled, to allow vendor users access to the online device registration portal. Note, by default the REST server is enabled. For more information, see rest-server.
group <VENDOR-GROUP-NAME>
  Associates this vendor-admin user with a vendor group, required for RADIUS authentication. The vendor group should be existing and configured in the RADIUS group policy. For more information on configuring RADIUS groups, see radius-group.
  • <VENDOR-GROUP-NAME> – Provide the vendor group name. In case of multiple allowed groups, provide a list of comma-separated group names.

Example
rfs6000-37FABE(config-management-policy-test)#user TESTER password test123 role superuser access all
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 telnet port 200
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 ssh port 162
 user TESTER password 1 b6b37c51405f4e93c67fe8af82d450c9fd6af69324cd56a55055cefe695b6a14 role superuser access all
 snmp-server community snmp1 ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.2 log all
rfs6000-37FABE(config-management-policy-test)#

nx9500-6C8809(config-management-policy-OB)#user test password 0 test123 role vendor-admin group Apple,Sony,Samsung
nx9500-6C8809(config-management-policy-OB)#user Samsung password 0 samsung role vendor-admin group Samsung
nx9500-6C8809(config-management-policy-OB)#show context
management-policy OB
 no telnet
 no http server
 https server
 rest-server
 ssh
 user admin password 1 d9849649218dcaa79109fbd47bbf1a24ecdf1edda220d21f76ce4c15a4e7e696 role superuser access all
 user test password 1 62fca173a1ffc0e9cc4eef782b1978a5e0c47f66bc57a32992f03e3e00fe0bc4 role vendor-admin group Apple,Sony,Samsung
 user Samsung password 1 39cb036b8e09c2ec625ebcda6e4001f4584263ed86fa69fc1f6b284113772eb0 role vendor-admin group Samsung
nx9500-6C8809(config-management-policy-OB)#

Related Commands
no
  Removes a user account
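The following audit script is an added example, not part of the WiNG guide or of Extreme Networks code. It reads management-policy text in the `show context` layout and reports whether Telnet is enabled, which accounts can log in over it according to their access list, and which passwords appear in clear (type 0 or untyped). The sample context is constructed (modelled on the guide's example, with hashes replaced by a placeholder, and the users `ops` and `vendor1` invented), and the finding names are this example's own.

```python
"""Audit WiNG management-policy text for Telnet exposure and clear-text passwords.

Added example: the finding names and the sample context are constructed.
"""

ACCESS_TYPES = {"all", "console", "ssh", "telnet", "web"}

# Constructed sample in the layout of the guide's `show context` output.
SAMPLE_CONTEXT = """\
management-policy test
 telnet port 200
 no http server
 https server
 ssh port 162
 user TESTER password 1 <HASH-PLACEHOLDER> role superuser access all
 user ops password 0 example-only role monitor access ssh
 user vendor1 password 1 <HASH-PLACEHOLDER> role vendor-admin group Samsung
"""


def parse_user(tokens):
    """Parse: user NAME password [0 PW|1 HASH|PW] role ROLE [access ..] [group ..]."""
    if len(tokens) < 6 or tokens[2] != "password":
        raise ValueError("incomplete user line: " + " ".join(tokens[:2]))
    i, encoding = 3, "bare"
    if tokens[i] in ("0", "1") and tokens[i + 1] != "role":
        encoding, i = tokens[i], i + 1
    i += 1  # step over the password or hash without storing it
    if i + 1 >= len(tokens) or tokens[i] != "role":
        raise ValueError("role keyword missing: " + " ".join(tokens[:2]))
    user = {"name": tokens[1], "encoding": encoding, "role": tokens[i + 1],
            "access": [], "groups": []}
    i += 2
    while i < len(tokens):
        if tokens[i] == "access":
            i += 1
            while i < len(tokens) and tokens[i] in ACCESS_TYPES:
                user["access"].append(tokens[i])
                i += 1
        elif tokens[i] == "group" and i + 1 < len(tokens):
            user["groups"] = tokens[i + 1].split(",")
            i += 2
        else:
            i += 1  # allowed-locations and other keywords are not modelled
    return user


def parse_management_policy(text):
    """Return the policy name, the Telnet port (None when disabled) and users."""
    policy = {"name": None, "telnet": None, "users": []}  # Telnet is off by default
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "management-policy" and len(tokens) > 1:
            policy["name"] = tokens[1]
        elif tokens[0] == "telnet":
            is_port = len(tokens) == 3 and tokens[1] == "port"
            policy["telnet"] = int(tokens[2]) if is_port else 23
        elif tokens[:2] == ["no", "telnet"]:
            policy["telnet"] = None
        elif tokens[0] == "user":
            policy["users"].append(parse_user(tokens))
    return policy


def audit(policy):
    """Return (finding, subject, detail) tuples for the parsed policy."""
    findings = []
    port = policy["telnet"]
    if port is not None:
        findings.append(("telnet-enabled", policy["name"],
                         f"Telnet on TCP {port}; sessions are not encrypted"))
    for user in policy["users"]:
        if user["encoding"] != "1":
            findings.append(("cleartext-password", user["name"],
                             "password is present in clear in this text"))
        # Accounts without an access list are not flagged: the default is unknown here.
        if port is not None and {"all", "telnet"} & set(user["access"]):
            findings.append(("telnet-reachable", user["name"],
                             f"role {user['role']} may log in over Telnet"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_management_policy(SAMPLE_CONTEXT)):
        print(*finding, sep=" | ")
```

Replacing `telnet port 200` with `no telnet` in the sample leaves only the clear-text password finding, because an `access all` account is only exposed over Telnet while the service itself is enabled.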
15.1.19 service

Invokes service commands

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
service [prompt|show]
service [prompt crash-info|show cli]

Parameters
• service [prompt crash-info|show cli]

service prompt crash-info
  Updates CLI prompt settings
  • crash-info – Includes an asterisk at the end of the prompt if the device has crash files in the flash:/crashinfo folder
service show cli
  Displays running system information
  • cli – Displays the current mode’s CLI tree

Example
rfs6000-37FABE(config-management-policy-test)#service show cli
Management Mode mode:
+-help [help]
  +-search
    +-WORD [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-detailed [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-only-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-skip-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-skip-no [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-show
  +-commands [show commands]
  +-simulate
    +-stats [show simulate stats]
  +-eval
    +-WORD [show eval WORD]
  +-debugging [show debugging (|(on DEVICE-OR-DOMAIN-NAME))]
    +-cfgd [show debugging cfgd]
    +-on
      +-DEVICE-OR-DOMAIN-NAME [show debugging (|(on DEVICE-OR-DOMAIN-NAME))]
    +-fib [show debugging fib(|(on DEVICE-NAME))]
      +-on
        +-DEVICE-NAME [show debugging fib(|(on DEVICE-NAME))]
    +-wireless [show debugging wireless (|(on DEVICE-OR-DOMAIN-NAME))]
      +-on
--More--

Related Commands
no
  Disables the inclusion of an asterisk indicator notifying the presence of crash files
16 RADIUS-POLICY

This chapter summarizes the RADIUS group, server, and user policy commands in the CLI command structure.

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to authenticate users and authorize their access to the network. RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients send authentication requests to the local RADIUS server containing user authentication and network service access information.

RADIUS enables centralized management of authentication data (usernames and passwords). When a client attempts to associate to a network, the authentication request is sent to the local RADIUS server. The authentication and encryption of communications takes place through the use of a shared secret password (not transmitted over the network).

The local RADIUS server stores the user database locally, and can optionally use a remote user database. It ensures higher accounting performance. It allows the configuration of multiple users, and assigns policies for group authorization.

Controllers and access points allow enforcement of user-based policies. User policies include dynamic VLAN assignment and access based on time of day. A certificate is required for EAP TTLS, PEAP, and TLS RADIUS authentication (configured with the RADIUS service).

Dynamic VLAN assignment is achieved based on the RADIUS server response. A user who associates to WLAN1 (mapped to VLAN1) can be assigned a different VLAN after RADIUS server authentication. This dynamic VLAN assignment overrides the WLAN's VLAN ID to which the user associates.

The chapter is organized into the following sections:
• radius-group
• radius-server-policy
• radius-user-pool-policy

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
16.1 radius-group

This section describes RADIUS user group configuration commands.

The local RADIUS server allows the configuration of user groups with common user policies. User group names and associated users are stored in the local database. The user ID in the received access request is mapped to the associated wireless group for authentication. The configuration of groups allows enforcement of the following policies that control user access:
• Assign a VLAN to the user upon successful authentication
• Define start and end of time (HH:MM) when the user is allowed to authenticate
• Define the SSID list to which a user, belonging to this group, is allowed to associate
• Define the days of the week the user is allowed to login
• Rate limit traffic (for non-management users)

RADIUS users are categorized into three groups: normal user, management user, and guest user. A RADIUS group not configured as management or guest is a normal user group. User access and role settings depend on the RADIUS group to which the user belongs.

Use the (config) instance to configure RADIUS group commands. This command creates a group within the existing RADIUS group. To navigate to the RADIUS group instance, use the following commands:

<DEVICE>(config)#radius-group <GROUP-NAME>

rfs6000-37FABE(config)#radius-group test
rfs6000-37FABE(config-radius-group-test)#?
Radius user group configuration commands:
  guest       Make this group a Guest group
  no          Negate a command or set its defaults
  policy      Radius group access policy configuration
  rate-limit  Set rate limit for group
  clrscr      Clears the display screen
  commit      Commit all changes made in this session
  do          Run commands from Exec mode
  end         End current mode and change to EXEC mode
  exit        End current mode and down to previous mode
  help        Description of the interactive help system
  revert      Revert changes
  service     Service Commands
  show        Show running system information
  write       Write running configuration to memory or terminal
rfs6000-37FABE(config-radius-group-test)#

NOTE: The RADIUS group name cannot exceed 32 characters, and cannot be modified as part of the group edit process.

The following table summarizes RADIUS group configuration commands:
Table 16.1 RADIUS-Group-Config Commands

Command      Description                                                                        Reference
guest        Enables guest access for the newly created group                                   page 16-4
no           Negates a command or reverts settings to their default                             page 16-10
policy       Configures RADIUS group access policy parameters                                   page 16-5
rate-limit   Sets the default rate limit per user in Kbps, and applies it to all enabled WLANs  page 16-9

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
16.1.1 guest

Configures this group as a guest (non-management) group. A guest user group has temporary permissions to the controller’s local RADIUS server. You can configure multiple guest user groups, each having a unique set of settings. Guest user groups cannot be made management groups with access and role permissions.

Guest users and policies are used for captive portal authorization to the network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
guest

Parameters
None

Example
rfs6000-37FABE(config-radius-group-test)#guest
rfs6000-37FABE(config-radius-group-test)#show context
radius-group test
 guest
rfs6000-37FABE(config-radius-group-test)#

Related Commands
no
  Makes this group a non-guest group
16.1.2 policy

Sets a RADIUS group’s authorization settings, such as access day/time, WLANs, etc.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
policy [access|day|inactivity-timeout|role|session-time|ssid|time|vlan]
policy vlan <1-4094>
policy access [all|console|ssh|telnet|web]
policy access [all|console|ssh|telnet|web] {(all|console|ssh|telnet|web)}
policy day [all|fr|mo|sa|su|th|tu|we|weekdays] {(fr|mo|sa|su|th|tu|we|weekdays)}
policy inactivity-timeout <60-86400>
policy role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin]
policy session-time <5-144000>
policy ssid <SSID>
policy time start <HH:MM> end <HH:MM>

NOTE: A user-based VLAN is effective only if dynamic VLAN authorization is enabled for the WLAN.
NOTE: Access and role settings are applicable only to a management group. They cannot be configured for a RADIUS non-management group.

Parameters
• policy vlan <1-4094>

vlan <1-4094>
  Sets the guest RADIUS group’s VLAN ID from 1 - 4094. The VLAN ID is representative of the shared SSID each group member (user) employs to interoperate within the network (once authenticated by the local RADIUS server).
  This option is applicable to a guest user group, which has guest access and temporary permissions to the local RADIUS server. The terms of the guest access can be set uniquely for each group. Guest user groups cannot be made management groups with unique access and role permissions.
  Enable dynamic VLAN assignment for the WLAN for the VLAN assignment to take effect.
• policy access [all|console|ssh|telnet|web] {(all|console|ssh|telnet|web)}

access
  Configures access type for a management group. Management groups can be assigned unique access and role permissions.
  • all – Allows all access. Wireless client access to the console, ssh, telnet, and/or Web
  • console – Allows console access only
  • ssh – Allows SSH access only
  • telnet – Allows Telnet access only
  • web – Allows Web access only
  These parameters are recursive, and you can provide access to more than one component.

• policy role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin]

role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin]
  Configures the role assigned to a management RADIUS group. If a group is listed as a management group, it may also have a unique role assigned. Available roles include:
  • device-provisioning-admin – Device provisioning administrator. Has privileges to update (provision) device configuration files or firmware. Such updates run the risk of overwriting and losing a device's existing configuration unless the configuration is properly archived.
  • helpdesk – Helpdesk administrator. Performs troubleshooting tasks, such as clear statistics, reboot, create and copy tech support dumps. The helpdesk administrator can also create a guest user account and password for registration. These details can be e-mailed or sent as SMS to a mobile phone.
  • monitor – Monitor. Has read-only access to the network. Can view configuration and statistics except for secret information
  • network-admin – Network administrator. Has wired and wireless access to the network. Manages layer 2, layer 3, Wireless, RADIUS server, DHCP server, and Smart RF
  • security-admin – Security administrator. Has full read/write access to the network. Modifies WLAN keys and passphrases
  • superuser – Superuser. Has full access, including halt and delete startup config
  • system-admin – System administrator. Upgrades image, boot partition, time, and manages admin access
  • web-user-admin – Web user administrator. This role is used to create guest users and credentials. The web-user-admin can access only the custom GUI screen and does not have access to the normal CLI and GUI.

• policy inactivity-timeout <60-86400>

inactivity-timeout <60-86400>
  Configures the inactivity time for this RADIUS group's users. If a frame is not received from a client for the specified period, then the client’s session is removed. When defined, this value is used instead of the captive-portal inactivity timeout. If the inactivity timeout is not configured in the radius-group context or the captive-portal context, the default timeout (60 seconds) is applied.
  • <60-86400> – Specify a value from 60 - 86400 seconds. This option is disabled by default.
• policy session-time <5-144000>

session-time <5-144000>
  Configures the session duration for clients belonging to a specific vendor group. Once configured, this is the duration for which over-the-air, on-boarded, successfully authenticated devices, belonging to a vendor group, get online access. The session is removed on completion of this duration. The vendor’s RADIUS group takes precedence over statically configured group for device registration.
  • <5-144000> – Specify a value from 5 - 144000 minutes. This option is disabled by default.
  For more information, see configuring device registration with dynamic VLAN assignment.

• policy ssid <SSID>

ssid <SSID>
  Sets the Service Set Identifier (SSID) for this guest RADIUS group. Use this command to assign SSIDs that users within this RADIUS group are allowed to associate. Assign SSIDs of those WLANs only that the guest users need to access. This option is not available for a management group.
  • <SSID> – Specify a case-sensitive alphanumeric SSID, not exceeding 32 characters.

• policy day [all|fr|mo|sa|su|th|tu|we|weekdays] {(fr|mo|sa|su|th|tu|we|weekdays)}

day [all|fr|mo|sa|su|th|tu|we|weekdays]
  Configures the days on which this guest RADIUS group members can access the local RADIUS resources. The options are recursive, and you can provide access on multiple days.
  • fr – Allows access on Friday only
  • mo – Allows access on Mondays only
  • sa – Allows access on Saturdays only
  • su – Allows access on Sundays only
  • th – Allows access on Thursdays only
  • tu – Allows access on Tuesdays only
  • we – Allows access on Wednesdays only
  • weekdays – Allows access on weekdays only (Monday to Friday)

• policy time start <HH:MM> end <HH:MM>

time start <HH:MM> end <HH:MM>
  Configures the time when this RADIUS group can access the network
  • start <HH:MM> – Sets the start time in the HH:MM format (for example, 13:30 means the user can login only after 1:30 PM). Specifies the time users, within each listed group, can access the local RADIUS resources.
  • end <HH:MM> – Sets the end time in the HH:MM format (for example, 17:30 means the user is allowed to remain logged in until 5:30 PM). Specifies the time users, within each listed group, lose access to the local RADIUS resources.

Usage Guidelines
A management group access policy provides:
• access details
• user roles
• policy’s start and end time
The SSID, day, and VLAN settings are not applicable to a management user group.
Example
The following example shows a RADIUS guest group settings:

rfs6000-37FABE(config-radius-group-test)#policy time start 13:30 end 17:30
rfs6000-37FABE(config-radius-group-test)#policy day all
rfs6000-37FABE(config-radius-group-test)#policy vlan 1
rfs6000-37FABE(config-radius-group-test)#policy ssid test
rfs6000-37FABE(config-radius-group-test)#show context
radius-group test
 guest
 policy vlan 1
 policy ssid test
 policy day mo
 policy day tu
 policy day we
 policy day th
 policy day fr
 policy day sa
 policy day su
 policy time start 13:30 end 17:30
rfs6000-37FABE(config-radius-group-test)#

The following example shows a RADIUS management group settings:

rfs6000-37FABE(config-radius-group-management)#policy access console ssh telnet
rfs6000-37FABE(config-radius-group-management)#policy role network-admin
rfs6000-37FABE(config-radius-group-management)#policy time start 9:30 end 20:30
rfs6000-37FABE(config-radius-group-management)#show context
radius-group management
 policy time start 9:30 end 20:30
 policy access console ssh telnet web
 policy role network-admin
rfs6000-37FABE(config-radius-group-management)#

Related Commands
no
  Removes or modifies a RADIUS group’s access settings
16.1.3 rate-limit

Sets the rate limit for the guest RADIUS server group

NOTE: The rate-limit setting is not applicable to a management group.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rate-limit [from-air|to-air] <100-1000000>

Parameters
• rate-limit [from-air|to-air] <100-1000000>

to-air <100-1000000>
  Sets the rate limit in the downlink direction, from the network to the wireless client
  • <100-1000000> – Specify the rate from 100 - 1000000 Kbps.
from-air <100-1000000>
  Sets the rate limit in the uplink direction, from the wireless client to the network
  • <100-1000000> – Specify the rate from 100 - 1000000 Kbps.

Example
rfs6000-37FABE(config-radius-group-test)#rate-limit to-air 200
rfs6000-37FABE(config-radius-group-test)#show context
radius-group test
 guest
 policy vlan 1
 policy ssid test
 policy day mo
 policy day tu
 policy day we
 policy day th
 policy day fr
 policy day sa
 policy day su
 rate-limit to-air 200
 policy time start 13:30 end 17:30
rfs6000-37FABE(config-radius-group-test)#

Related Commands
no
  Removes the RADIUS guest group’s rate limits
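The linter below is an added example, not part of the WiNG guide or of Extreme Networks code. It checks a `radius-group` context against the applicability rules and value ranges stated in sections 16.1.1 to 16.1.3, and flags management access lists that permit Telnet. Treating any group that carries `policy access` or `policy role` as a management group is an assumption of this example, the issue names are its own, and `BAD_GROUP` is a constructed input; the other two samples follow the guide's `show context` examples.

```python
"""Lint a WiNG radius-group context against the rules in sections 16.1.1-16.1.3.

Added example: issue names are this example's own; BAD_GROUP is constructed.
"""
import re

RANGES = {"vlan": (1, 4094), "inactivity-timeout": (60, 86400),
          "session-time": (5, 144000)}
RATE_RANGE = (100, 1000000)          # Kbps, for to-air and from-air
GUEST_ONLY = {"ssid", "day", "vlan"}  # not applicable to a management group
MGMT_ONLY = {"access", "role"}        # applicable only to a management group
HHMM = re.compile(r"^([01]?\d|2[0-3]):[0-5]\d$")

GUEST_GROUP = """\
radius-group test
 guest
 policy vlan 1
 policy ssid test
 policy day mo
 policy day fr
 rate-limit to-air 200
 policy time start 13:30 end 17:30
"""
MGMT_GROUP = """\
radius-group management
 policy time start 9:30 end 20:30
 policy access console ssh telnet web
 policy role network-admin
"""
BAD_GROUP = """\
radius-group contractors
 guest
 policy vlan 5000
 policy role superuser
 rate-limit to-air 50
"""


def parse_radius_group(text):
    """Collect the guest flag, policy keywords and rate limits of one group."""
    group = {"name": None, "guest": False, "policy": {}, "rate_limit": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "radius-group" and len(t) > 1:
            group["name"] = t[1]
        elif t == ["guest"]:
            group["guest"] = True
        elif t[0] == "policy" and len(t) > 2:
            group["policy"].setdefault(t[1], []).extend(t[2:])
        elif t[0] == "rate-limit" and len(t) == 3:
            group["rate_limit"][t[1]] = t[2]
    return group


def in_range(value, bounds):
    return value.isdigit() and bounds[0] <= int(value) <= bounds[1]


def lint(group):
    """Return a list of issue names; an empty list means no rule was broken."""
    issues, pol = [], group["policy"]
    is_mgmt = bool(pol.keys() & MGMT_ONLY)  # assumption: access/role => management
    if group["guest"] and is_mgmt:
        issues.append("guest-with-management-policy")
    if is_mgmt:
        issues += [f"{k}-on-management-group" for k in sorted(pol.keys() & GUEST_ONLY)]
        if group["rate_limit"]:
            issues.append("rate-limit-on-management-group")
        if {"telnet", "all"} & set(pol.get("access", [])):
            issues.append("management-access-allows-telnet")
    for key, bounds in RANGES.items():
        if any(not in_range(v, bounds) for v in pol.get(key, [])):
            issues.append(f"{key}-out-of-range")
    if any(not in_range(v, RATE_RANGE) for v in group["rate_limit"].values()):
        issues.append("rate-limit-out-of-range")
    if any(len(s) > 32 for s in pol.get("ssid", [])):
        issues.append("ssid-too-long")
    w = pol.get("time")
    if w and not (len(w) == 4 and w[0] == "start" and w[2] == "end"
                  and HHMM.match(w[1]) and HHMM.match(w[3])):
        issues.append("bad-time-window")
    return issues


if __name__ == "__main__":
    for sample in (GUEST_GROUP, MGMT_GROUP, BAD_GROUP):
        g = parse_radius_group(sample)
        print(g["name"], lint(g))
```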
16.1.4 no

Negates a command or sets its default. Removes or modifies the RADIUS group policy settings. When used in the config RADIUS group mode, the no command removes or modifies the following settings: access type, access days, role type, VLAN ID, and SSID.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [guest|policy|rate-limit]
no policy [access|day|inactivity-timeout|role|session-time|ssid|time|vlan]
no policy access [all|console|ssh|telnet|web]
no policy day [all|fr|mo|sa|su|th|tu|we|weekdays]
no policy session-time
no policy ssid [<SSID>|all]
no policy [inactivity-timeout|role|time|vlan]
no rate-limit [from-air|to-air]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Negates a command or sets its default. Removes or modifies the RADIUS group policy settings. When used in the config RADIUS group mode, the no command removes or modifies the following settings: access type, access days, role type, VLAN ID, and SSID.

Example
The following example shows the RADIUS guest group ‘test’ settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-radius-group-test)#show context
radius-group test
 guest
 policy vlan 1
 policy ssid test
 policy day mo
 policy day tu
 policy day we
 policy day th
 policy day fr
 policy day sa
 policy day su
 rate-limit to-air 200
 policy time start 13:30 end 17:30
rfs6000-37FABE(config-radius-group-test)#

rfs6000-37FABE(config-radius-group-test)#no guest
rfs6000-37FABE(config-radius-group-test)#no rate-limit to-air
rfs6000-37FABE(config-radius-group-test)#no policy day all

The following example shows the RADIUS guest group ‘test’ settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-radius-group-test)#show context
radius-group test
 policy vlan 1
 policy ssid test
 policy time start 13:30 end 17:30
rfs6000-37FABE(config-radius-group-test)#
16.2 radius-server-policy

Creates an onboard device RADIUS server policy and enters its configuration mode

A RADIUS server policy is a unique authentication and authorization configuration that receives user connection requests, authenticates users, and returns configuration information necessary for the RADIUS client to deliver service to the user. The client is the entity with authentication information requiring validation. The local RADIUS server has access to a database of authentication information used to validate the client's authentication request.

The local RADIUS server uses authentication schemes like PAP, CHAP, or EAP to verify and confirm information provided by a user. The user's proof of identification is verified, along with, optionally, other information. A local RADIUS server policy can also be configured to refer to an external Lightweight Directory Access Protocol (LDAP) resource to verify a user's credentials.

Use the (config) instance to configure RADIUS-Server-Policy related parameters. To navigate to the RADIUS-Server-Policy instance, use the following commands:

<DEVICE>(config)#radius-server-policy <POLICY-NAME>

rfs6000-37FABE(config)#radius-server-policy test
rfs6000-37FABE(config-radius-server-policy-test)#?
Radius Configuration commands:
  authentication           Radius authentication
  bypass                   Bypass Certificate Revocation List( CRL ) check
  chase-referral           Enable chasing referrals from LDAP server
  crl-check                Enable Certificate Revocation List( CRL ) check
  ldap-agent               LDAP Agent configuration parameters
  ldap-group-verification  Enable LDAP Group Verification setting
  ldap-server              LDAP server parameters
  local                    RADIUS local realm
  nas                      RADIUS client
  no                       Negate a command or set its defaults
  proxy                    RADIUS proxy server
  session-resumption       Enable session resumption/fast reauthentication by
                           using cached attributes
  termination              Enable Eap termination for proxy requests
  use                      Set setting to use
  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal
rfs6000-37FABE(config-radius-server-policy-test)#

The following table summarizes RADIUS server policy configuration commands:
Table 16.2 RADIUS-Server-Policy-Config Commands

Commands                 Description                                                    Reference
authentication           Configures RADIUS authentication settings                      page 16-14
bypass                   Enables bypassing of CRL check                                 page 16-16
chase-referral           Enables LDAP server referral chasing                           page 16-17
crl-check                Enables a certificate revocation list (CRL) check              page 16-18
ldap-agent               Configures the LDAP agent’s settings                           page 16-19
ldap-group-verification  Enables LDAP group verification                                page 16-21
ldap-server              Configures the LDAP server’s settings                          page 16-22
local                    Configures a local RADIUS realm                                page 16-25
nas                      Configures the key sent to a RADIUS client                     page 16-26
no                       Removes or resets the RADIUS server policy’s settings          page 16-28
proxy                    Configures the RADIUS proxy server’s settings                  page 16-30
session-resumption       Enables session resumption                                     page 16-32
termination              Enables EAP termination on this current RADIUS server policy.  page 16-33
                         When enabled, EAP authentication is terminated at the
                         controller level.
use                      Defines settings used with the RADIUS server policy            page 16-34

16.2.1 authentication
radius-server-policy

Specifies the RADIUS datasource used for user authentication. Options include local for the local user database or LDAP for a remote LDAP resource.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
authentication [data-source|eap-auth-type]
authentication data-source [ldap|local]
authentication data-source [ldap {fallback}|local] {(ssid <SSID> precedence <1-5000>)}
authentication eap-auth-type [all|peap-gtc|peap-mschapv2|tls|ttls-md5|ttls-mschapv2|ttls-pap]

Parameters
• authentication data-source [ldap {fallback}|local] {(ssid <SSID> precedence <1-5000>)}

data-source
  The RADIUS server can either use the local database or an external LDAP server to authenticate a user. It is necessary to specify the data source. The options are: LDAP and local.
ldap fallback
  Uses a remote LDAP server as the data source
  • fallback – Optional. Enables fallback to local authentication. This feature ensures that if the designated external LDAP resource were to fail or become unavailable, the client is authenticated against the local RADIUS resource. This option is disabled by default.
  When using LDAP as the authentication external source, PEAP-MSCHAPv2 authentication type can be used only if the LDAP server returns the password as plain-text. PEAP-MSCHAPv2 authentication is not supported if the LDAP server returns encrypted passwords. This restriction does not apply for Microsoft's Active Directory server.
local
  Uses the local user database to authenticate a user. This is the default setting.
ssid <SSID> precedence <1-5000>
  The following keywords are recursive and common to both ‘ldap’ and ‘local’ parameters:
  • ssid – Optional. Associates the data source, selected in the previous step, with a SSID
    • <SSID> – Specify the SSID for this authentication data source. The SSID is case sensitive and should not exceed 32 characters in length. Do not use any of the following characters (< > | " & \ ? ,).
  • precedence <SSID> – Sets the precedence for this authentication rule. The precedence value allows systematic evaluation and application of rules. Rules with the lowest precedence receive the highest priority.
    • <1-5000> – Specify a precedence from 1 - 5000.
  Specifying the SSID allows the RADIUS server to use the SSID attribute in access requests to determine the data source to use. This option is applicable to onboard RADIUS servers only.

• authentication eap-auth-type [all|peap-gtc|peap-mschapv2|tls|ttls-md5|ttls-mschapv2|ttls-pap]

eap-auth-type
  Uses Extensible Authentication Protocol (EAP), with this RADIUS server policy, for user authentication
  The EAP authentication types supported by the local RADIUS server are: all, peap-gtc, peap-mschapv2, tls, ttls-md5, ttls-mschapv2, ttls-pap.
all
  Enables both TTLS and PEAP authentication. This is the default setting.
peap-gtc
  Enables PEAP with default authentication using GTC
peap-mschapv2
  Enables PEAP with default authentication using MSCHAPv2
  When using LDAP as the authentication external source, PEAP-MSCHAPv2 authentication type can be used only if the LDAP server returns the password as plain-text. PEAP-MSCHAPv2 authentication is not supported if the LDAP server returns encrypted passwords. This restriction does not apply for Microsoft's Active Directory server.
tls
  Enables TLS as the EAP type
ttls-md5
  Enables TTLS with default authentication using md5
ttls-mschapv2
  Enables TTLS with default authentication using MSCHAPv2
ttls-pap
  Enables TTLS with default authentication using PAP

Example
rfs6000-37FABE(config-radius-server-policy-test)#authentication eap-auth-type tls
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
rfs6000-37FABE(config-radius-server-policy-test)#

Related Commands
no
  Removes the RADIUS authentication settings

16.2.2 bypass
radius-server-policy

Enables bypassing a CRL check. When enabled, this feature bypasses checks for missing and expired CRLs. This option is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bypass [crl-check|expired-crl]

Parameters
• bypass [crl-check|expired-crl]

bypass [crl-check|expired-crl]
  Bypasses CRL check based on the parameters passed
  • crl-check – Bypasses CRL check of missing CRLs
  • expired-crl – Bypasses CRL check of expired CRLs
  Note: A CRL is a list of certificates that have been revoked or are no longer valid.

Example
nx9500-6C8809(config-radius-server-policy-test)#bypass crl-check
nx9500-6C8809(config-radius-server-policy-test)#no bypass crl-check
nx9500-6C8809(config-radius-server-policy-test)#show context
radius-server-policy test
 no bypass crl-check
nx9500-6C8809(config-radius-server-policy-test)#

Related Commands
no
  Disables bypassing of checking for missing CRLs or expired CRLs

16.2.3 chase-referral
radius-server-policy

Enables chasing of referrals from an external LDAP server resource

An LDAP referral is a controller or service platform’s way of indicating to a client that it does not hold the section of the directory tree where a requested content object resides. The referral is the controller or service platform’s direction to the client that a different location is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller. Ideally, referrals always reference a domain controller that indeed holds the object. However, it is possible for the domain controller to generate another referral, although it usually does not take long to discover the object does not exist and inform the client.

This feature is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
chase-referral

Parameters
None

Example
rfs6000-37FABE(config-radius-server-policy-test)#chase-referral

Related Commands
no
  Disables LDAP server referral chasing

16.2.4 crl-check
radius-server-policy

Enables a certificate revocation list (CRL) check on this RADIUS server policy

A CRL is a list of revoked certificates issued and subsequently revoked by a Certification Authority (CA). Certificates can be revoked for a number of reasons including failure or compromise of a device using a certificate, a compromise of a certificate key pair or errors within an issued certificate. The mechanism used for certificate revocation depends on the CA.

This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
crl-check

Parameters
None

Example
rfs6000-37FABE(config-radius-server-policy-test)#crl-check
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
rfs6000-37FABE(config-radius-server-policy-test)#

Related Commands
no
  Disables CRL check on a RADIUS server policy

16.2.5 ldap-agent
radius-server-policy

Configures the LDAP agent’s settings in the RADIUS server policy context

When a user's credentials are stored on an external LDAP server, the local RADIUS server cannot successfully conduct PEAP-MSCHAPv2 authentication, since it is not aware of the user's credentials maintained on the external LDAP server resource. Therefore, up to two LDAP agents can be provided locally so remote LDAP authentication can be successfully accomplished on the remote LDAP resource (using credentials maintained locally).

This feature is available to all controller, service platform and access point models, with the exception of AP6511 and AP6521 models running in standalone AP or virtual controller AP mode. However, this feature is supported by dependent mode AP6511 and AP6521 model access points when adopted and managed by a controller or service platform.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ldap-agent [join|join-retry-timeout|primary|secondary]
ldap-agent [join {on <DEVICE-NAME>}|join-retry-timeout <60-300>]
ldap-agent [primary|secondary] domain-name <LDAP-DOMAIN-NAME> domain-admin-user <ADMIN-USER-NAME> domain-admin-password [0 <WORD>|2 <WORD>]

Parameters
• ldap-agent [join {on <DEVICE-NAME>}|join-retry-timeout <60-300>]

ldap-agent
  Configures the LDAP agent’s settings
join {on <DEVICE-NAME>}
  Initiates the join process, which binds the RADIUS server with the LDAP server’s (Windows) domain. When successful, the hostname (name of the AP, wireless controller, or service platform) is added to the LDAP server’s Active Directory.
  • on <DEVICE-NAME> – Optional. Specifies the device name
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
  To confirm the join status of a controller, use the show > ldap-agent > join-status command.
join-retry-timeout <60-300>
  If the join process fails (i.e. the RADIUS server fails to join the LDAP server’s domain), the process is retried after a specified interval. This command configures the interval (in seconds) between two successive join attempts.
  • <60-300> – Set the timeout value from 60 - 300 seconds. The default is 60 seconds.
  A retry timer is initiated as soon as the join process starts, which tracks the time lapse in case of a failure.

• ldap-agent [primary|secondary] domain-name <LDAP-DOMAIN-NAME> domain-admin-user <ADMIN-USER-NAME> domain-admin-password [0 <WORD>|2 <WORD>]

ldap-agent
  Configures the LDAP agent’s settings
primary
  Configures the primary LDAP server details, such as domain name, user name, and password. The RADIUS server uses these credentials to bind with the primary LDAP server.
secondary
  Configures the secondary LDAP server details, such as domain name, user name, and password. The RADIUS server uses these credentials to bind with the secondary LDAP server.
domain-name <LDAP-DOMAIN-NAME>
  This keyword is common to both the ‘primary’ and ‘secondary’ parameters.
  • domain-name – Configures the primary or secondary LDAP server’s domain name
    • <LDAP-DOMAIN-NAME> – Specify the domain name.
domain-admin-user <ADMIN-USER-NAME>
  This keyword is common to both the ‘primary’ and ‘secondary’ parameters.
  • domain-admin-user – Configures the primary or secondary LDAP server’s admin user name
    • <ADMIN-USER-NAME> – Specify the admin user’s name.
domain-admin-password [0 <WORD>|2 <WORD>]
  This keyword is common to both the ‘primary’ and ‘secondary’ parameters.
  • domain-admin-password – Configures the primary or secondary LDAP server’s admin user password
    • 0 <WORD> – Specifies the password in the unencrypted format
    • 2 <WORD> – Specifies the password in the encrypted format

Example
rfs4000-229D58(config-radius-server-policy-test)#ldap-agent primary domain-name test domain-admin-user Administrator domain-admin-password 0 test@123
rfs4000-229D58(config-radius-server-policy-test)#
rfs4000-229D58(config-radius-server-policy-test)#show context
radius-server-policy test
 ldap-agent primary domain-name test domain-admin-user Administrator domain-admin-password 0 test@123
rfs4000-229D58(config-radius-server-policy-test)#

Related Commands
no
  Removes LDAP agent settings from this RADIUS server policy

16.2.6 ldap-group-verification
radius-server-policy

Enables LDAP group verification settings on this RADIUS server policy. This option is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ldap-group-verification

Parameters
None

Example
rfs6000-37FABE(config-radius-server-policy-test)#ldap-group-verification
rfs6000-37FABE(config-radius-server-policy-test)#

Related Commands
no
  Disables LDAP group verification settings

16.2.7 ldap-server
radius-server-policy

Configures the LDAP server’s settings. Configuring an LDAP server allows users to log in and authenticate from anywhere on the network.

Administrators have the option of using the local RADIUS server to authenticate users against an external LDAP server resource. Using an external LDAP user database allows the centralization of user information and reduces administrative user management overhead, making RADIUS authorization more secure and efficient.

RADIUS is not just a database. It is a protocol for asking intelligent questions to a user database (like LDAP). LDAP however is just a database of user credentials used optionally with the local RADIUS server to free up resources and manage user credentials from a secure remote location. It is the local RADIUS resources that provide the tools to perform user authentication and authorize users based on complex checks and logic. An LDAP user database alone cannot perform such complex authorization checks.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ldap-server [dead-period|primary|secondary]
ldap-server dead-period <0-600>
ldap-server [primary|secondary] host <IP> port <1-65535> login <LOGIN-NAME> bind-dn <BIND-DN> base-dn <BASE-DN> passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] passwd-attr <ATTR> group-attr <ATTR> group-filter <FILTER> group-membership <WORD> {net-timeout <1-10>|start-tls net-timeout <1-10>|tls-mode net-timeout <1-10>}

Parameters
• ldap-server dead-period <0-600>

dead-period <0-600>
  Sets an interval, in seconds, during which the local server will not contact its LDAP server resource once it has been defined as unavailable. A dead period is only implemented when additional LDAP servers are configured and available.
  • <0-600> – Specify a value from 0 - 600 seconds. The default is 300 seconds.

• ldap-server [primary|secondary] host <IP> port <1-65535> login <LOGIN-NAME> bind-dn <BIND-DN> base-dn <BASE-DN> passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] passwd-attr <ATTR> group-attr <ATTR> group-filter <FILTER> group-membership <WORD> {net-timeout <1-10>|start-tls net-timeout <1-10>|tls-mode net-timeout <1-10>}

ldap primary
  Configures the primary LDAP server settings
ldap secondary
  Configures the secondary LDAP server settings
host <IP>
  Specifies the LDAP host’s IP address
  • <IP> – Specify the LDAP server’s IP address.
port <1-65535>
  Configures the LDAP server port
  • <1-65535> – Specify a port between 1 - 65535.
login <LOGIN-NAME>
  Configures the login name of a user to access the LDAP server
  • <LOGIN-NAME> – Specify a login ID (should not exceed 127 characters).
bind-dn <BIND-DN>
  Configures a distinguished bind name. This is the distinguished name (DN) used to bind with the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute value pairs, separated by commas.
  • <BIND-DN> – Specify a bind name (should not exceed 127 characters).
base-dn <BASE-DN>
  Configures a distinguished base name. This is the DN that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching. LDAP DNs begin with a specific attribute (usually some sort of name), and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is referred to as the Relative Distinguished Name (RDN). It identifies an entry distinctly from any other entries that have the same parent.
  • <BASE-DN> – Specify a base name (should not exceed 127 characters).
passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
  Sets a valid password for the LDAP server.
  • 0 <PASSWORD> – Sets an UNENCRYPTED password
  • 2 <ENCRYPTED-PASSWORD> – Sets an ENCRYPTED password
  • <PASSWORD> – Sets the LDAP server bind password, specified UNENCRYPTED, with a maximum size of 31 characters
passwd-attr <ATTR>
  Specify the LDAP server password attribute (should not exceed 63 characters).
group-attr <ATTR>
  Specify a name to configure group attributes (should not exceed 31 characters).
  LDAP systems have the facility to poll dynamic groups. In an LDAP dynamic group an administrator can specify search criteria. All users matching the search criteria are considered a member of this dynamic group. Specify a group attribute used by the LDAP server. An attribute could be a group name, group ID, password or group membership name.
group-filter <FILTER>
  Specify a name for the group filter attribute (should not exceed 255 characters).
  This filter is typically used for security role-to-group assignments and specifies the property to look up groups in the directory service.
group-membership <WORD>
  Specify a name for the group membership attribute (should not exceed 63 characters).
  This attribute is sent to the LDAP server when authenticating users.
net-timeout <1-10>
  Optional. Select a value from 1 - 10 to configure the network timeout (number of seconds to wait for a response from the target primary or secondary LDAP server). The default is 10 seconds.
start-tls net-timeout <1-10>
  Optional. Select a value from 1 - 10 to configure the network timeout for secure communication using start_tls support on the external LDAP server.
tls-mode net-timeout <1-10>
  Optional. Select a value from 1 - 10 to configure the network timeout for secure communication using tls_mode support on the external LDAP server.

Example
rfs6000-37FABE(config-radius-server-policy-test)#ldap-server dead-period 100
rfs6000-37FABE(config-radius-server-policy-test)#ldap-server primary host 172.16.10.19 port 162 login test bind-dn bind-dn1 base-dn base-dn1 passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter groupfilter1 group-membership groupmembership1 net-timeout 2
rfs6000-37FABE(config-radius-server-policy-test)#
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "base-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-server dead-period 100
rfs6000-37FABE(config-radius-server-policy-test)#

Related Commands
no
  Disables the LDAP server parameters

16.2.8 local
radius-server-policy

Configures a local RADIUS realm on this RADIUS server policy

When the local RADIUS server receives a request for a user name with a realm, the server references a table of realms. If the realm is known, the server proxies the request to the RADIUS server.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
local realm <RADIUS-REALM>

Parameters
• local realm <RADIUS-REALM>

realm <RADIUS-REALM>
  Configures a local RADIUS realm
  • <RADIUS-REALM> – Sets a local RADIUS realm name (a string not exceeding 50 characters)

Example
rfs6000-37FABE(config-radius-server-policy-test)#local realm realm1
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 local realm realm1
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "base-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-server dead-period 100
rfs6000-37FABE(config-radius-server-policy-test)#

Related Commands
no
  Removes the RADIUS local realm

16.2.9 nas
radius-server-policy

Configures the key sent to a RADIUS client

A RADIUS client is a mechanism to communicate with a central server to authenticate users and authorize access to the controller, service platform or Access Point managed network.

The client and server share a secret (a password). That shared secret followed by the request authenticator is put through an MD5 hash algorithm to create a 16 octet value which is XORed with the password entered by the user. If the user password is greater than 16 octets, additional MD5 calculations are performed, using the previous ciphertext instead of the request authenticator. The server receives a RADIUS access request packet and verifies the server possesses a shared secret for the client. If the server does not possess a shared secret for the client, the request is dropped. If the client receives a verified access accept packet, the username and password are considered correct, and the user is authenticated. If the client receives a verified access reject message, the username and password are considered to be incorrect, and the user is not authenticated.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
nas <IP/M> secret [0|2|<LINE>]
nas <IP/M> secret [0 <LINE>|2 <LINE>|<LINE>]

Parameters
• nas <IP/M> secret [0 <LINE>|2 <LINE>|<LINE>]

<IP/M>
  Sets the RADIUS client’s IP address
  • <IP/M> – Sets the RADIUS client’s IP address in the A.B.C.D/M format
secret [0 <LINE>|2 <LINE>|<LINE>]
  Sets the RADIUS client’s shared secret. Use one of the following options:
  • 0 <LINE> – Sets an UNENCRYPTED secret
  • 2 <LINE> – Sets an ENCRYPTED secret
  • <LINE> – Defines the secret (client shared secret) up to 64 characters

Example
rfs6000-37FABE(config-radius-server-policy-test)#nas 172.16.10.10/24 secret 0 wirelesswell
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 nas 172.16.10.10/24 secret 0 wirelesswell
 local realm realm1
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "base-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-server dead-period 100
rfs6000-37FABE(config-radius-server-policy-test)#

Related Commands
no
  Removes a RADIUS server’s client on a RADIUS server policy
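
The password-hiding step described in the nas section above (MD5 over the shared secret and request authenticator, XORed with the password, chained through the previous ciphertext for passwords over 16 octets), written out as an added example that is not part of the original guide or of WiNG. The request authenticator and passwords are constructed values, the shared secret is the one from the guide's nas example, and the null padding to a 16-octet boundary and 128-octet limit follow RFC 2865, which the guide does not spell out.

```python
import hashlib

BLOCK = 16  # MD5 digest length in octets; the password is processed in 16-octet blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: produce the hidden User-Password value for an access request."""
    if len(authenticator) != BLOCK:
        raise ValueError("request authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits the password to 128 octets")
    # Pad with nulls to a multiple of 16 octets (at least one block).
    padded_len = max(BLOCK, -(-len(password) // BLOCK) * BLOCK)
    padded = password.ljust(padded_len, b"\x00")

    hidden = bytearray()
    previous = authenticator  # first block is keyed by the request authenticator
    for offset in range(0, padded_len, BLOCK):
        keystream = hashlib.md5(secret + previous).digest()
        block = _xor(padded[offset:offset + BLOCK], keystream)
        hidden += block
        previous = block      # later blocks are keyed by the previous ciphertext
    return bytes(hidden)


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding using the secret configured for this client."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    previous = authenticator
    for offset in range(0, len(hidden), BLOCK):
        block = hidden[offset:offset + BLOCK]
        clear += _xor(block, hashlib.md5(secret + previous).digest())
        previous = block
    return bytes(clear).rstrip(b"\x00")  # drop the null padding


if __name__ == "__main__":
    secret = b"wirelesswell"             # shared secret from the guide's nas example
    authenticator = bytes(range(16))     # constructed; a real client uses random octets
    for pw in (b"short", b"a-passphrase-longer-than-16"):
        hidden = hide_password(pw, secret, authenticator)
        print(len(pw), len(hidden), hidden.hex())
        print("  server recovers:", recover_password(hidden, secret, authenticator))
        print("  wrong secret   :", recover_password(hidden, b"mismatch", authenticator))
```

A server whose configured secret differs from the client's recovers unrelated bytes, which is why a mismatched nas secret shows up as failed authentications rather than as an explicit key error.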

16.2.10 no
radius-server-policy

Negates a command or reverts back to default settings. When used within the config RADIUS server policy mode, the no command removes settings, such as crl-check, LDAP group verification, RADIUS client, etc.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [authentication|bypass|chase-referral|crl-check|ldap-agent|ldap-group-verification|ldap-server|local|nas|proxy|session-resumption|termination|use]
no bypass [crl-check|expired-crl]
no authentication [data-source|eap]
no authentication [data-source {ldap {fallback}|local|ssid}|eap configuration]
no [chase-referral|crl-check|ldap-group-verification|nas <IP/M>|session-resumption]
no ldap-agent [join-retry-timeout|primary|secondary]
no local realm [<REALM-NAME>|all]
no proxy [realm <REALM-NAME>|retry-count|retry-delay]
no ldap-server [dead-period|primary|secondary]
no termination
no use [radius-group [<RAD-GROUP-NAME>|all]|radius-user-pool-policy [<RAD-USER-POOL-NAME>|all]]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Negates a command or reverts back to default settings. When used within the config RADIUS server policy mode, the no command removes settings, such as crl-check, LDAP group verification, RADIUS client, etc.

Example
The following example shows the RADIUS server policy ‘test’ settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 nas 172.16.10.10/24 secret 0 wirelesswell
 local realm realm1
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-server dead-period 100
rfs6000-37FABE(config-radius-server-policy-test)#

rfs6000-37FABE(config-radius-server-policy-test)#no authentication eap configuration
rfs6000-37FABE(config-radius-server-policy-test)#no crl-check
rfs6000-37FABE(config-radius-server-policy-test)#no local realm realm1
rfs6000-37FABE(config-radius-server-policy-test)#no nas 172.16.10.10/24
rfs6000-37FABE(config-radius-server-policy-test)#no ldap-server dead-period

The following example shows the RADIUS server policy ‘test’ settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
rfs6000-37FABE(config-radius-server-policy-test)#

16.2.11 proxy
radius-server-policy

Configures a proxy RADIUS server based on the realm/suffix. The realm identifies where the RADIUS server forwards AAA requests for processing.

A user’s access request is sent to a proxy RADIUS server if it cannot be authenticated by the local RADIUS resources. The proxy server checks the information in the user access request and either accepts or rejects the request. If the proxy server accepts the request, it returns configuration information specifying the type of connection service required to authenticate the user.

The RADIUS proxy appears to act as a RADIUS server to NAS, whereas the proxy appears to act as a RADIUS client to the RADIUS server.

When the proxy server receives a request for a user name with a realm, the server references a table of realms. If the realm is known, the server proxies the request to the RADIUS server.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
proxy [realm|retry-count|retry-delay]
proxy realm <REALM-NAME> server <IP> port <1024-65535> secret [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
proxy retry-count <3-6>
proxy retry-delay <5-10>

Parameters
• proxy realm <REALM-NAME> server <IP> port <1024-65535> secret [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]

proxy realm <REALM-NAME>
  Configures the realm name
  • <REALM-NAME> – Specify the realm name. The name should not exceed 50 characters.
server <IP>
  Configures the proxy server’s IP address. This is the address of the server checking the information in the user access request and either accepting or rejecting the request on behalf of the local RADIUS server.
  • <IP> – Sets the proxy server’s IP address
port <1024-65535>
  Configures the proxy server’s port. This is the TCP/IP port number for the server that acts as a data source for the proxy server.
  • <1024-65535> – Sets the proxy server’s port from 1024 - 65535 (default port is 1812)
secret [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
  Sets the proxy server secret string. The options are:
  • 0 <PASSWORD> – Sets an UNENCRYPTED password
  • 2 <ENCRYPTED-PASSWORD> – Sets an ENCRYPTED password
  • <PASSWORD> – Sets the proxy server shared secret value

• proxy retry-count <3-6>

retry-count <3-6>
  Sets the proxy server’s retry count. This is the maximum number of attempts made by a controller’s RADIUS server to connect to the proxy server.
  • <3-6> – Sets a value from 3 - 6 (default is 3 counts)

• proxy retry-delay <5-10>

retry-delay <5-10>
  Sets the proxy server’s retry delay count. This is the interval the controller’s RADIUS server waits before making an additional connection attempt.
  • <5-10> – Sets a value from 5 - 10 seconds (default is 5 seconds)

Usage Guidelines
A maximum of five RADIUS proxy servers can be configured. The proxy server attempts six retries before it times out. The retry count defines the number of times RADIUS requests are transmitted before giving up. The timeout value defines the interval between successive retransmissions of a RADIUS request (in case of no reply).

Example
rfs6000-37FABE(config-radius-server-policy-test)#proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
rfs6000-37FABE(config-radius-server-policy-test)#proxy retry-count 4
rfs6000-37FABE(config-radius-server-policy-test)#proxy retry-delay 8
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 proxy retry-delay 8
 proxy retry-count 4
 proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
rfs6000-37FABE(config-radius-server-policy-test)#

Related Commands
no
  Removes or resets the RADIUS proxy server’s settings
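
The 'show context' output in the examples above exposes several settings worth reviewing: type 0 (unencrypted) secrets for nas, proxy, ldap-server and ldap-agent, LDAP server entries without start-tls or tls-mode, and CRL handling for EAP-TLS. The following audit script is an added example, not part of the guide or of WiNG; the sample context is constructed in the guide's layout, and it assumes that defaults are omitted from 'show context' while negated defaults appear as 'no ...' lines, as the bypass example shows.

```python
import shlex

# Keywords the guide documents as taking "0 <value>" (unencrypted) or "2 <value>" (encrypted).
SECRET_KEYWORDS = {"secret", "passwd", "domain-admin-password"}

# Constructed sample in the 'show context' layout used by the guide's examples.
SAMPLE_CONTEXT = """\
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 nas 172.16.10.10/24 secret 0 wirelesswell
 proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "base-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-agent primary domain-name test domain-admin-user Administrator domain-admin-password 0 test@123
"""


def audit_radius_policy(context):
    """Return (finding_id, message) tuples; messages never include secret values."""
    findings = []
    eap_type = "all"     # guide: 'all' is the default eap-auth-type
    crl_check = False    # guide: crl-check is disabled by default
    bypass = {"crl-check": True, "expired-crl": True}  # guide: bypass is enabled by default

    for raw in context.splitlines():
        try:
            tokens = shlex.split(raw)    # honours the quoted DN and filter values
        except ValueError:               # unbalanced quote inside a secret value
            tokens = raw.split()
        if not tokens:
            continue

        if tokens[:2] == ["authentication", "eap-auth-type"] and len(tokens) > 2:
            eap_type = tokens[2]
        elif tokens == ["crl-check"]:
            crl_check = True
        elif tokens[:2] == ["no", "bypass"] and len(tokens) > 2 and tokens[2] in bypass:
            bypass[tokens[2]] = False

        owner = " ".join(tokens[:2])     # e.g. "nas 172.16.10.10/24", "ldap-server primary"
        for keyword, kind in zip(tokens, tokens[1:]):
            if keyword in SECRET_KEYWORDS and kind == "0":
                findings.append(("plaintext-secret",
                                 f"{owner}: {keyword} is stored as type 0 (unencrypted)"))

        if tokens[0] == "ldap-server" and "host" in tokens:
            if not {"start-tls", "tls-mode"} & set(tokens):
                findings.append(("ldap-no-tls",
                                 f"{owner}: neither start-tls nor tls-mode is set"))

    # Assumption of this sketch: CRL settings are only evaluated for eap-auth-type tls.
    if eap_type == "tls":
        if not crl_check:
            findings.append(("crl-check-off", "eap-auth-type tls without crl-check"))
        else:
            for kind, enabled in bypass.items():
                if enabled:
                    findings.append((f"bypass-{kind}",
                                     f"crl-check is on but 'bypass {kind}' is still in effect"))
    return findings


if __name__ == "__main__":
    for finding_id, message in audit_radius_policy(SAMPLE_CONTEXT):
        print(f"{finding_id:20} {message}")
```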

16.2.12 session-resumption
radius-server-policy

Enables session resumption or fast re-authentication by using cached attributes. This feature controls the volume and duration cached data is maintained by the server policy, upon termination of a server policy session. The availability and quick retrieval of the cached data speeds up session resumption.

This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
session-resumption {lifetime|max-entries}
session-resumption {lifetime <1-24> {max-entries <10-1024>}|max-entries <10-1024>}

Parameters
• session-resumption {lifetime <1-24> {max-entries <10-1024>}|max-entries <10-1024>}

lifetime <1-24> {max-entries <10-1024>}
Optional. Sets the lifetime of cached entries
• <1-24> – Specify the lifetime period from 1 - 24 hours (default is 1 hour)
• max-entries – Optional. Configures the maximum number of entries in the cache
  • <10-1024> – Sets the maximum number of entries in the cache from 10 - 1024 (default is 128 entries)

max-entries <10-1024>
Optional. Configures the maximum number of entries in the cache
• <10-1024> – Sets the maximum number of entries in the cache from 10 - 1024 (default is 128 entries)

Example
rfs6000-37FABE(config-radius-server-policy-test)#session-resumption lifetime 10 max-entries 11
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 proxy retry-delay 8
 proxy retry-count 4
 proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 session-resumption lifetime 10 max-entries 11
rfs6000-37FABE(config-radius-server-policy-test)#

Related Commands
no    Disables session resumption on this RADIUS server policy

16.2.13 termination
radius-server-policy

Enables EAP termination on this RADIUS server policy. When enabled, EAP authentication is terminated at the controller level. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
termination

Parameters
None

Example
nx9500-6C8809(config-radius-server-policy-test)#termination
nx9500-6C8809(config-radius-server-policy-test)#show context
radius-server-policy test
 termination
 no bypass crl-check
nx9500-6C8809(config-radius-server-policy-test)#

Related Commands
no    Disables EAP termination on this RADIUS server policy

16.2.14 use
radius-server-policy

Defines settings used with the RADIUS server policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [radius-group <RAD-GROUP-NAME1> {RAD-GROUP-NAME2}|radius-user-pool-policy <RAD-USER-POOL-NAME>]

Parameters
• use [radius-group <RAD-GROUP-NAME1> {RAD-GROUP-NAME2}|radius-user-pool-policy <RAD-USER-POOL-NAME>]

radius-group <RAD-GROUP-NAME1> {RAD-GROUP-NAME2}
Associates a specified RADIUS group (for LDAP users) with this RADIUS server policy
You can optionally associate two RADIUS groups with one RADIUS server policy.

radius-user-pool-policy <RAD-USER-POOL-NAME>
Associates a specified RADIUS user pool with this RADIUS server policy. Specify a user pool name.

Example
rfs6000-37FABE(config-radius-server-policy-test)#use radius-group test
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 proxy retry-delay 8
 proxy retry-count 4
 proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 use radius-group test
 session-resumption lifetime 10 max-entries 11
rfs6000-37FABE(config-radius-server-policy-test)#

Related Commands
no    Disassociates a RADIUS group or a RADIUS user pool policy from this RADIUS server policy

16.3 radius-user-pool-policy
RADIUS-POLICY

Configures a RADIUS user pool policy and enters its configuration mode

A user pool defines policies for individual user access to the internal RADIUS resources. User pool policies define unique permissions (either temporary or permanent) that control user access to the local RADIUS resources. A pool can contain a single user or multiple users.

Use the (config) instance to configure RADIUS user pool policy commands. To navigate to the radius-user-pool-policy instance, use the following commands:

<DEVICE>(config)#radius-user-pool-policy <POOL-NAME>

rfs6000-37FABE(config)#radius-user-pool-policy testuser
rfs6000-37FABE(config-radius-user-pool-testuser)#
rfs6000-37FABE(config-radius-user-pool-testuser)#?
Radius User Pool Mode commands:
  duration  Set a guest user's access duration
  no        Negate a command or set its defaults
  user      Radius user configuration

  clrscr    Clears the display screen
  commit    Commit all changes made in this session
  do        Run commands from Exec mode
  end       End current mode and change to EXEC mode
  exit      End current mode and down to previous mode
  help      Description of the interactive help system
  revert    Revert changes
  service   Service Commands
  show      Show running system information
  write     Write running configuration to memory or terminal

rfs6000-37FABE(config-radius-user-pool-testuser)#

The following table summarizes RADIUS user pool policy configuration commands:

Table 16.3 RADIUS-User-Pool-Policy-Config Commands
Commands    Description                                                  Reference
duration    Modifies a guest user’s duration of captive-portal access    page 16-36
user        Configures the RADIUS user parameters                        page 16-37
no          Negates a command or sets its default                        page 16-40

16.3.1 duration
radius-user-pool-policy

Modifies the duration, in minutes, that a guest user can access the captive portal

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
duration <GUEST-USER-NAME> <0-525600>

Parameters
• duration <GUEST-USER-NAME> <0-525600>

duration <GUEST-USER-NAME> <0-525600>
Modifies the duration of captive-portal access (in minutes) for the guest user identified by the <GUEST-USER-NAME> keyword
• <GUEST-USER-NAME> – Specify the guest user’s name.
• <0-525600> – Specify the access duration from 0 - 525600 minutes. A value of “0” indicates unlimited access. The default is 1440 minutes.

Example
rfs4000-229D58(config-radius-user-pool-wdws)#show context
radius-user-pool-policy wdws
 user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 500
rfs4000-229D58(config-radius-user-pool-wdws)#

rfs4000-229D58(config-radius-user-pool-wdws)#duration guestuser1 200
rfs4000-229D58(config-radius-user-pool-wdws)#show context
radius-user-pool-policy wdws
 user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 200
rfs4000-229D58(config-radius-user-pool-wdws)#

16.3.2 user
radius-user-pool-policy

Configures RADIUS user parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
user <USERNAME> password [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest}

user <USERNAME> password [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest expiry-time <HH:MM> expiry-date <MM/DD/YYYY> {access-duration <0-525600>|data-limit|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM/DD/YYYY>|telephone <TELEPHONE-NUMBER>}}

user <USERNAME> password [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest expiry-time <HH:MM> expiry-date <MM/DD/YYYY> {access-duration <0-525600>|data-limit <1-102400> committed-downlink <100-1000000> committed-uplink <100-1000000> reduced-downlink <100-1000000> reduced-uplink <100-1000000>|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM/DD/YYYY>|telephone <TELEPHONE-NUMBER>}}

Parameters
• user <USERNAME> password [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest expiry-time <HH:MM> expiry-date <MM:DD:YYYY> {access-duration <0-525600>|data-limit <1-102400> committed-downlink <100-1000000> committed-uplink <100-1000000> reduced-downlink <100-1000000> reduced-uplink <100-1000000>|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM/DD/YYYY>|telephone <TELEPHONE-NUMBER>}}

user <USERNAME>
Adds a new RADIUS user to the RADIUS user pool
• <USERNAME> – Specify the name of the user. The username should not exceed 64 characters.
Note: The username is a unique alphanumeric string identifying this user, and cannot be modified with the rest of the configuration.

passwd [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
Configures the user password (provide a password unique to this user)
• 0 <UNENCRYPTED-PASSWORD> – Sets an unencrypted password
• 2 <ENCRYPTED-PASSWORD> – Sets an encrypted password
• <PASSWORD> – Sets a password (specified unencrypted) up to 21 characters

group <RAD-GROUP-NAME>
Optional. Configures the RADIUS server group of which this user is a member
• <RAD-GROUP-NAME> – Specify the group name in the local database.
If the user is a guest, assign the user a group with temporary access privileges.

guest
Optional. Specifies that this user is a guest user. Guest users have restricted access. After enabling a guest user account, specify the expiry time and date for this account.
A guest user can be assigned only to a guest user group.

expiry-time <HH:MM>
Specify the user account expiry time in the HH:MM format (for example, 12:30 means 30 minutes after 12:00 the user login will expire).

expiry-date <MM:DD:YYYY>
Specify the user account expiry date in the MM:DD:YYYY format (for example, 02:15:2014).

{access-duration <0-525600>|data-limit <1-102400> committed-downlink <100-1000000> committed-uplink <100-1000000> reduced-downlink <100-1000000> reduced-uplink <100-1000000>|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM:DD:YYYY>|telephone <TELEPHONE-NUMBER>}
After configuring the above user details, optionally configure the following user information:
• access-duration <0-525600> – Configures the duration, in minutes, for which this guest user can access the captive portal.
  • <0-525600> – Specify a value from 0 - 525600 minutes.
• data-limit <1-102400> – Configures the data limit for which this guest user can access the captive portal. Specify a value from 1 - 102400 bytes.
  • committed-downlink <100-1000000> – Configures committed downlink bandwidth until data limit is reached. This value represents the download speed (in kilobits per second) allocated to the guest user. When bandwidth is available, the user can download data at the specified rate. If a guest user has a bandwidth based policy and exceeds the specified data limit, the speed is throttled to the reduced downlink rate (specified using this command). Specify a value from 100 - 1000000 Kbps.
    • committed-uplink <100-1000000> – Configures committed uplink bandwidth until data limit is reached. This value represents the upload speed (in kilobits per second) allocated to the guest user. When bandwidth is available, the user can upload data at the specified rate. If a guest user has a bandwidth based policy and exceeds the specified data limit, the speed is throttled to the reduced uplink rate (specified using this command). Specify a value from 100 - 1000000 Kbps.
      • reduced-downlink <100-1000000> – Configures reduced downlink bandwidth after data limit is reached. This value represents the reduced speed the guest utilizes (in kilobits per second) when exceeding the specified data limit, if applicable. If a guest user has a bandwidth based policy and exceeds the specified data limit, the speed is throttled to the reduced downlink rate specified here. Specify a value from 100 - 1000000 Kbps.
        • reduced-uplink <100-1000000> – Configures reduced uplink bandwidth after data limit is reached. This value represents the reduced speed the guest utilizes (in kilobits per second) when exceeding the specified data limit, if applicable. If a guest user has a bandwidth based policy and exceeds the specified data limit, the speed is throttled to the reduced uplink rate specified here. Specify a value from 100 - 1000000 Kbps.
• email-id – Optional. User’s e-mail ID
• start-time – Optional. User’s account activation time. After specifying the activation time, specify the activation date.
  • start-date – User’s account activation date
• telephone – Optional. User’s telephone number (should include the area code)

Example
rfs4000-229D58(config-radius-user-pool-wdws)#user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 500
rfs4000-229D58(config-radius-user-pool-wdws)#
rfs4000-229D58(config-radius-user-pool-wdws)#show context
radius-user-pool-policy wdws
 user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 500
rfs4000-229D58(config-radius-user-pool-wdws)#

nx4500-5CFA2B(config-radius-user-pool-pool1)#user word password 0 word group group1 guest expiry-time 11:10 expiry-date 12/12/2014 data-limit 10 committed-downlink 103 committed-uplink 100 reduced-downlink 102 reduced-uplink 101
nx4500-5CFA2B(config-radius-user-pool-pool1)#

Related Commands
no    Deletes a user from a RADIUS user pool

To view access details of guest users on a RADIUS server, in the Priv Executable Configuration mode, use the following command:
show > radius > guest-users

rfs6000-37FABE#show radius guest-users time
         TIME (min:sec)
    USED    REMAINING   GUEST USER
    0:00       500:00   user1
Current time: 09:03:07
rfs6000-37FABE#

16.3.3 no
radius-user-pool-policy

Negates a command or sets its default. When used in the RADIUS user pool policy mode, the no command deletes a user from a RADIUS user pool

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no user <USERNAME>

Parameters
• no user <USERNAME>

no user <USERNAME>
Deletes a RADIUS user
• <USERNAME> – Specify the user name.

Example
The following example shows the RADIUS user pool ‘wdws’ settings before the ‘no’ command is executed:
rfs4000-229D58(config-radius-user-pool-wdws)#show context
radius-user-pool-policy wdws
 user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 500
rfs4000-229D58(config-radius-user-pool-wdws)#

rfs4000-229D58(config-radius-user-pool-wdws)#no user guestuser1

The following example shows the RADIUS user pool ‘wdws’ settings after the ‘no’ command is executed:
rfs4000-229D58(config-radius-user-pool-wdws)#show context
radius-user-pool-policy wdws
rfs4000-229D58(config-radius-user-pool-wdws)#

Related Commands
user    Configures the RADIUS user parameters
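
The show context listings in this chapter keep the proxy secret, the LDAP bind password and user passwords in form 0 (unencrypted), and an access-duration of 0 gives a guest unlimited access. The following Python audit is an added example, not part of the Extreme Networks guide: it flags those conditions and out-of-range values in a pasted listing and returns a copy with every credential masked. The names audit, Finding, RANGES and SAMPLE, and sample lines 7 and 10, are assumptions of this example.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int      # 1-based line number in the pasted listing
    context: str   # enclosing policy, e.g. "radius-server-policy test"
    rule: str
    detail: str


# "secret", "passwd" or "password", an optional form digit, then the value.
# Per the parameter tables: 0 = unencrypted, 2 = encrypted, and a value given
# with no form digit is also entered unencrypted.
CRED_RE = re.compile(r"(?<![\w-])(secret|passwd|password)(\s+)(?:([02])(\s+))?(\S+)")

# Ranges documented on this page, keyed by (first word of the line, keyword).
RANGES = {
    ("proxy", "port"): (1024, 65535),
    ("proxy", "retry-count"): (3, 6),
    ("proxy", "retry-delay"): (5, 10),
    ("session-resumption", "lifetime"): (1, 24),
    ("session-resumption", "max-entries"): (10, 1024),
    ("user", "access-duration"): (0, 525600),
}

# Lines 1-6 and 8-9 follow the page's examples; lines 7 and 10 are constructed.
SAMPLE = """\
radius-server-policy test
 proxy retry-delay 8
 proxy retry-count 4
 proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 session-resumption lifetime 10 max-entries 11
 proxy realm lab server 192.0.2.10 port 812 secret labsecret
radius-user-pool-policy wdws
 user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 500
 user visitor2 password 2 CONSTRUCTEDCIPHERTEXT group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 0
"""


def keyword_value(line, keyword):
    """Return the integer that follows `keyword` on this line, or None."""
    m = re.search(r"(?<![\w-])" + re.escape(keyword) + r"\s+(\d+)(?!\S)", line)
    return int(m.group(1)) if m else None


def _mask(m):
    """Keep the keyword and form digit, replace the credential value."""
    return m.group(1) + m.group(2) + (m.group(3) or "") + (m.group(4) or "") + "<REDACTED>"


def audit(config_text):
    """Return (findings, redacted_text) for a pasted `show context` listing."""
    findings, redacted, context = [], [], "(none)"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split()
        if not words:
            redacted.append(raw)
            continue
        head = words[0]
        if head in ("radius-server-policy", "radius-user-pool-policy"):
            context = " ".join(words[:2])

        # 1. Credentials stored in a directly readable form (0 or bare).
        for m in CRED_RE.finditer(raw):
            form = m.group(3) or "bare"
            if form != "2":
                findings.append(Finding(lineno, context, "cleartext-credential",
                                        f"'{head}' line stores {m.group(1)} unencrypted (form {form})"))

        # 2. Values outside the documented range (templated or hand-edited files).
        for (rule_head, keyword), (low, high) in RANGES.items():
            value = keyword_value(raw, keyword) if rule_head == head else None
            if value is not None and not low <= value <= high:
                findings.append(Finding(lineno, context, "out-of-range",
                                        f"{head} {keyword} {value} is outside {low}-{high}"))

        # 3. access-duration 0 means unlimited captive-portal access.
        if head == "user" and keyword_value(raw, "access-duration") == 0:
            findings.append(Finding(lineno, context, "unlimited-guest-access",
                                    f"guest user {words[1]} has access-duration 0"))

        # Mask every credential, encrypted or not, so the listing can be shared.
        redacted.append(CRED_RE.sub(_mask, raw))
    return findings, "\n".join(redacted)


if __name__ == "__main__":
    found, safe_copy = audit(SAMPLE)
    for f in found:
        print(f"line {f.line} [{f.context}] {f.rule}: {f.detail}")
    print(safe_copy)
```

The credential pattern matches keywords, not positions, so a user or realm literally named "secret" or "password" would be misread; review such lines by hand.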

17 RADIO-QOS-POLICY

This chapter summarizes the radio QoS policy in the CLI command structure.

Configuring and implementing a radio QoS policy is essential for WLANs with heavy traffic and less bandwidth. The policy enables you to provide preferential service to selected network traffic by controlling bandwidth allocation. The radio QoS policy can be applied to VLANs configured on an access point. In case no VLANs are configured, the radio QoS policy can be applied to an access point’s Ethernet and radio ports.

Without a dedicated QoS policy, a network operates on a best-effort delivery basis, meaning all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped!

When configuring a QoS policy for a radio, select specific network traffic, prioritize it, and use congestion-management and congestion-avoidance techniques to provide deployment customizations best suited to each QoS policy’s intended wireless client base.

A well designed QoS policy should:
• Classify and mark data traffic to accurately prioritize and segregate it (by access category) throughout the network.
• Minimize network delay and jitter for latency sensitive traffic.
• Ensure higher priority traffic has a better likelihood of delivery in the event of network congestion.
• Prevent ineffective utilization of access points degrading session quality by configuring admission control mechanisms within each radio QoS policy.

Within a managed wireless network, wireless clients supporting low and high priority traffic contend with one another for access and data resources. The IEEE 802.11e amendment has defined Enhanced Distributed Channel Access (EDCA) mechanisms stating high priority traffic can access the network sooner than lower priority traffic. The EDCA defines four traffic classes (or access categories): voice (highest), video (next highest), best effort, and background (lowest). The EDCA has defined a time interval for each traffic class, known as the Transmit Opportunity (TXOP). The TXOP prevents traffic of a higher priority from completely dominating the wireless medium, thus ensuring lower priority traffic is still supported.

IEEE 802.11e includes an advanced power saving technique called Unscheduled Automatic Power Save Delivery (U-APSD) that provides a mechanism for wireless clients to retrieve packets buffered by an access point. U-APSD reduces the amount of signaling frames sent from a client to retrieve buffered data from an access point. U-APSD also allows access points to deliver buffered data frames as bursts, without backing-off between data frames. These improvements are useful for voice clients, as they provide improved battery life and call quality.

The Wi-Fi alliance has created Wireless Multimedia (WMM) and WMM Power Save (WMM-PS) certification programs to ensure interoperability between 802.11e WLAN infrastructure implementations and wireless clients. A managed wireless network supports both WMM and WMM-Power Save techniques. WMM and WMM-PS (U-APSD) are enabled by default in each WLAN profile.

Enabling WMM support on a WLAN just advertises the WLAN’s WMM capability and radio configuration to wireless clients. The wireless clients must also support WMM and use the values correctly while accessing the WLAN to benefit.

WMM includes advanced parameters (CWMin, CWMax, AIFSN and TXOP) specifying back-off duration and inter-frame spacing when accessing the network. These parameters are relevant to both connected access point radios and their wireless clients. Parameters impacting access point transmissions to their clients are controlled using per radio WMM settings, while parameters used by wireless clients are controlled by a WLAN’s WMM settings.

Wireless network controllers (access points, controllers, and service platforms) include a Session Initiation Protocol (SIP), Skinny Call Control Protocol (SCCP) and Application Layer Gateway (ALG) enabling devices to identify voice streams and dynamically set voice call bandwidth. Wireless network controllers also support static QoS mechanisms per WLAN to provide prioritization of WLAN traffic when legacy (non WMM) clients are deployed. When enabled on a WLAN, traffic forwarded to a client is prioritized and forwarded based on the WLAN’s WMM access control setting.

Wireless network administrators can also assign weights to each WLAN in relation to user priority levels. The lower the weight, the lower the priority. Use a weighted technique to achieve different QoS levels across WLANs.

All devices rate-limit bandwidth for WLAN sessions. This form of per-user rate limiting enables administrators to define uplink and downlink bandwidth limits for users and clients. This sets the level of traffic a user or client can forward and receive over the WLAN. If the user or client exceeds the limit, excessive traffic is dropped. Rate limits can be applied to WLANs using groups defined locally or externally from a RADIUS server using Vendor Specific Attributes (VSAs). Rate limits can be applied to users authenticating using 802.1X, captive portal authentication, and devices using MAC authentication.

Use the (config) instance to configure radio QoS policy related configuration commands. To navigate to the radio QoS policy instance, use the following commands:

<DEVICE>(config)#radio-qos-policy <POLICY-NAME>

rfs6000-37FABE(config)#radio-qos-policy test
rfs6000-37FABE(config-radio-qos-test)#?
Radio QoS Mode commands:
  accelerated-multicast  Configure multicast streams for acceleration
  admission-control      Configure admission-control on this radio for one or
                         more access categories
  no                     Negate a command or set its defaults
  smart-aggregation      Configure smart aggregation parameters
  wmm                    Configure 802.11e/Wireless MultiMedia parameters

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

rfs6000-37FABE(config-radio-qos-test)#

NOTE: Statically setting a WLAN WMM access category value only prioritizes traffic to the client.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

17.1 radio-qos-policy
RADIO-QOS-POLICY

The following table summarizes radio QoS policy configuration commands:

Table 17.1 Radio-QoS-Policy-Config Commands
Command                 Description                                                                      Reference
accelerated-multicast   Configures multicast streams for acceleration                                    page 17-5
admission-control       Enables admission control across all radios for one or more access categories   page 17-6
no                      Negates a command or resets configured settings to their default                 page 17-10
smart-aggregation       Configures smart aggregation parameters                                          page 17-12
service                 Invokes service commands in the radio QoS configuration mode                     page 17-14
wmm                     Configures 802.11e/wireless multimedia parameters                                page 17-16

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

17.1.1 accelerated-multicast
radio-qos-policy

Configures multicast streams for acceleration. Multicasting allows group transmission of data streams.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
accelerated-multicast [client-timeout|max-client-streams|max-streams|overflow-policy|stream-threshold]
accelerated-multicast [client-timeout <5-6000>|max-client-streams <1-4>|max-streams <0-256>|overflow-policy [reject|revert]|stream-threshold <1-500>]

Parameters
• accelerated-multicast [client-timeout <5-6000>|max-client-streams <1-4>|max-streams <0-256>|overflow-policy [reject|revert]|stream-threshold <1-500>]

client-timeout <5-6000>
Configures a timeout period in seconds for wireless clients
• <5-6000> – Specify a value from 5 - 6000 seconds. The default is 60 seconds.

max-client-streams <1-4>
Configures the maximum number of accelerated multicast streams per client
• <1-4> – Specify a value from 1 - 4. The default is 2.

max-streams <0-256>
Configures the maximum number of accelerated multicast streams per radio
• <0-256> – Specify a value from 0 - 256. The default is 25.

overflow-policy [reject|revert]
Specifies the policy in case too many clients register simultaneously. The radio QOS policy can be configured to follow one of the following courses of action:
• reject – Rejects new clients. The default overflow policy is reject.
• revert – Reverts to regular multicast delivery
When the number of wireless clients using accelerated multicast exceeds the configured value (max-streams), the radio can either reject new wireless clients or revert existing clients to a non-accelerated state.

stream-threshold <1-500>
Configures the number of multicast packets per second threshold value. Once this threshold is crossed, the system triggers streams to accelerate.
• <1-500> – Specify a value from 1 - 500. The default is 25 packets per second.

Example
rfs6000-37FABE(config-radio-qos-test)#accelerated-multicast client-timeout 500
rfs6000-37FABE(config-radio-qos-test)#accelerated-multicast stream-threshold 15
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 accelerated-multicast stream-threshold 15
 accelerated-multicast client-timeout 500
rfs6000-37FABE(config-radio-qos-test)#

Related Commands
no    Reverts accelerated multicasting settings to their default

17.1.2 admission-control
radio-qos-policy

Enables admission control across all radios for one or more access categories. Enabling admission control for an access category ensures clients associate with an access point and complete WMM admission control before using that access category.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
admission-control [background|best-effort|firewall-detected-traffic|implicit-tspec|video|voice]
admission-control [firewall-detected-traffic|implicit-tspec]
admission-control [background|best-effort|video|voice] {max-airtime-percent|max-clients|max-roamed-clients|reserved-for-roam-percent}
admission-control [background|best-effort|video|voice] {max-airtime-percent <0-150>|max-clients <0-256>|max-roamed-clients <0-256>|reserved-for-roam-percent <0-150>}

Parameters
• admission-control [firewall-detected-traffic|implicit-tspec]
• admission-control [background|best-effort|video|voice] {max-airtime-percent <0-150>|max-clients <0-256>|max-roamed-clients <0-256>|reserved-for-roam-percent <0-150>}

admission-control firewall-detected-traffic
Enforces admission control for traffic whose access category is detected by the firewall ALG. For example, SIP voice calls. This feature is enabled by default.
When enabled, the firewall simulates reception of frames for voice traffic when the voice traffic was originated via SIP or SCCP control traffic. If a client exceeds configured values, the call is stopped and/or received voice frames are forwarded at the next non admission controlled traffic class priority. This applies to clients that do not send TSPEC frames only.

admission-control implicit-tspec
Enables implicit traffic specifiers for clients that do not support WMM TSPEC, but are accessing admission-controlled access categories. This feature is enabled by default.
This feature requires wireless clients to send their traffic specifications to an access point before they can transmit or receive data. If enabled, this setting applies to this radio QoS policy. When enabled, the access point simulates the reception of frames for any traffic class by looking at the amount of traffic the client is receiving and sending. If the client sends more traffic than has been configured for an admission controlled traffic class, the traffic is forwarded at the priority of the next non admission controlled traffic class. This applies to clients that do not send TSPEC frames only.

admission-control background
Configures background access category admission control parameters

admission-control best-effort
Configures best effort access category admission control parameters

admission-control video
Configures video access category admission control parameters

admission-control voice
Configures voice access category admission control parameters

max-airtime-percent <0-150>
Optional. Specifies the maximum percentage of airtime, including oversubscription, for the following access category:
• background – Sets the maximum airtime (in the form of a percentage of the radio’s bandwidth) allotted to admission control for low (background) client traffic. Background traffic only needs a short radio airtime to process, so set an intermediate airtime value if this radio QoS policy is reserved to support background data.
• best-effort – Sets the maximum airtime (in the form of a percentage of the radio’s bandwidth) allotted to admission control for normal (best-effort) client traffic. Normal best effort traffic needs a short radio airtime to process, so set an intermediate airtime value if this radio QoS policy is reserved for best effort data support.
• video – Sets the maximum airtime (in the form of a percentage of the radio’s bandwidth) allotted to admission control for voice supported client traffic. Video traffic requires longer radio airtime to process, so set a longer airtime value if this radio QoS policy is intended to support video.
• voice – Sets the maximum airtime (in the form of a percentage of the radio’s bandwidth) allotted to admission control for voice supported client traffic. Voice traffic requires longer radio airtime to process, so set a longer airtime value if this radio QoS policy is intended to support voice.
The following keyword is common to all of the above traffic types:
• <0-150> – Specify a value from 0 - 150. This is the maximum percentage of airtime, including oversubscription, for the selected access category. The default is 75%.

max-clients <0-256>
Optional. Specifies the maximum number of wireless clients admitted to the following access categories:
• background – Sets the number of wireless clients supporting low (background) traffic allowed to exist (and consume bandwidth) within the radio’s QoS policy
• best-effort – Sets the number of wireless clients supporting normal (best-effort) traffic allowed to exist (and consume bandwidth) within the radio’s QoS policy
• video – Sets the number of video supported wireless clients allowed to exist (and consume bandwidth) within the radio’s QoS policy.
• voice – Sets the number of voice supported wireless clients allowed to exist (and consume bandwidth) within the radio’s QoS policy.
Since voice and video supported wireless clients use a greater portion of a controller’s resources than lower bandwidth traffic (like low and best effort categories), consider setting the max-client value proportionally to the number of other QoS policies supporting voice access category clients.
The following keyword is common to all of the above traffic types:
• <0-256> – Specify a value from 0 - 256. This is the maximum number of wireless clients admitted to the selected access category. The default is 100 clients.
RADIO-QOS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide  17 - 8Examplerfs6000-37FABE(config-radio-qos-test)#admission-control best-effort max-clients 200rfs6000-37FABE(config-radio-qos-test)#admission-control voice reserved-for-roam-percent 8rfs6000-37FABE(config-radio-qos-test)#admission-control voice max-airtime-percent 9rfs6000-37FABE(config-radio-qos-test)#show contextradio-qos-policy test admission-control voice max-airtime-percent 9 admission-control voice reserved-for-roam-percent 8 admission-control best-effort max-clients 200 accelerated-multicast stream-threshold 15 accelerated-multicast client-timeout 500rfs6000-37FABE(config-radio-qos-test)#max-roamed-clients <0-256>Optional. Specifies the maximum number of roaming wireless clients admitted to the selected access category• background – Sets the number of low (background) supported wireless clients allowed to roam to a different access point radio• best-effort – Sets the number of normal (best-effort) supported wireless clients allowed to roam to a different access point radio• video – Sets the number of video supported wireless clients allowed to roam to a different access point radio• voice – Sets the number of voice supported wireless clients allowed to roam to a different access point radioThe following keyword is common to all of the above traffic types:• <0-256> – Specify a value from 0 - 256. This is the maximum number of roamingwireless clients admitted to the selected access category. The default is 10 roamedclients.reserved-for-roam-percent <0-150>Optional. Calculates the percentage of air time, including oversubscription, allocated exclusively for roaming clients. 
This value is calculated relative to the configured max air time for this access category.• background – Sets the roam utilization (in the form of a percentage of the radio’s bandwidth) allotted to admission control for low (background) supported clients who have roamed to a different radio.• best-effort – Sets the roam utilization (in the form of a percentage of the radio’s bandwidth) allotted to admission control for normal (best-effort) supported clients who have roamed to a different radio.• video – Sets the roam utilization (in the form of a percentage of the radio’s bandwidth) allotted to admission control for video supported clients who have roamed to a different radio.• voice – Sets the roam utilization (in the form of a percentage of the radio’s bandwidth) allotted to admission control for voice supported clients who have roamed to a different radio.The following keyword is common to all of the above traffic types:• <0-150> – Specify a value from 0 - 150. This is the percentage of air time, includ-ing oversubscription, allocated exclusively for roaming clients associated with theselected access category. The default is 10%.
RADIO-QOS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 17 - 9Related Commandsno Reverts or resets admission control settings to their default
17.1.3 no
radio-qos-policy

Negates a command or resets configured settings to their default. When used in the radio QOS policy mode, the no command enables the resetting of accelerated multicast parameters, admission control parameters, and MultiMedia parameters.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [accelerated-multicast|admission-control|smart-aggregation|wmm|service]
no accelerated-multicast [client-timeout|max-client-streams|max-streams|overflow-policy|stream-threshold]
no admission-control [firewall-detected-traffic|implicit-tspec|background|best-effort|video|voice]
no admission-control [firewall-detected-traffic|implicit-tspec]
no admission-control [background|best-effort|video|voice] {max-airtime-percent|max-clients|max-roamed-clients|reserved-for-roam-percent}
no smart-aggregation {delay|max-mesh-hops|min-aggregation-limit}
no smart-aggregation {delay [background|best-effort|streaming-video|video-conferencing|voice]|max-mesh-hops|min-aggregation-limit}
no wmm [background|best-effort|video|voice] [aifsn|cw-max|cw-min|txop-limit]
no service admission-control across-reassoc

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Negates a command or resets configured settings to their default. When used in the radio QOS policy mode, the no command enables the resetting of accelerated multicast parameters, admission control parameters, and MultiMedia parameters.

Example
The following example shows the Radio-qos-policy ‘test’ settings before the ‘no’ commands are executed:
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 admission-control voice max-airtime-percent 9
 admission-control voice reserved-for-roam-percent 8
 admission-control best-effort max-clients 200
 accelerated-multicast stream-threshold 15
 accelerated-multicast client-timeout 500
rfs6000-37FABE(config-radio-qos-test)#
rfs6000-37FABE(config-radio-qos-test)#no admission-control best-effort max-clients
rfs6000-37FABE(config-radio-qos-test)#no accelerated-multicast client-timeout

The following example shows the Radio-qos-policy ‘test’ settings after the ‘no’ commands are executed:
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 admission-control voice max-airtime-percent 9
 admission-control voice reserved-for-roam-percent 8
 accelerated-multicast stream-threshold 15
rfs6000-37FABE(config-radio-qos-test)#

rfs4000-229D58(config-radio-qos-test)#show context
radio-qos-policy test
 service admission-control across-reassoc
rfs4000-229D58(config-radio-qos-test)#
rfs4000-229D58(config-radio-qos-test)#no service admission-control across-reassoc
rfs4000-229D58(config-radio-qos-test)#show context
radio-qos-policy test
rfs4000-229D58(config-radio-qos-test)#
17.1.4 smart-aggregation
radio-qos-policy

Configures smart aggregation parameters on this Radio QoS policy. Smart aggregation is disabled by default.

Smart aggregation enhances frame aggregation by dynamically selecting the time when the aggregated frame is transmitted. In a frame’s typical aggregation, an aggregated frame is sent when:
• A pre-configured number of aggregated frames is reached
• An administrator-defined interval has elapsed since the first frame (of a set of frames to be aggregated) was received
• An administrator-defined interval has elapsed since the last frame (not necessarily the final frame) of a set of frames to be aggregated was received

With this enhancement, an aggregation delay is set uniquely for each traffic class. For example, voice traffic might not be aggregated, but sent immediately. Whereas, background data traffic is set a delay for aggregating frames, and these aggregated frames are sent.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
smart-aggregation {delay|max-mesh-hops|min-aggregation-limit}
smart-aggregation {delay [background|best-effort|streaming-video|video-conferencing|voice] <0-1000>}
smart-aggregation {max-mesh-hops <1-10>}
smart-aggregation {min-aggregation-limit <0-64>}

Parameters
• smart-aggregation {delay [background|best-effort|streaming-video|video-conferencing|voice] <0-1000>}

delay
  Optional. Configures the maximum delay parameter for each traffic type
  This is the maximum delay, in milliseconds, in the transmission of the first frame received.
background
  Configures the maximum delay parameter, in milliseconds, for background traffic (250 msec)
best-effort
  Configures the maximum delay parameter, in milliseconds, for best effort traffic (150 msec)
streaming-video
  Configures the maximum delay parameter, in milliseconds, for streaming video traffic (150 msec)
video-conferencing
  Configures the maximum delay parameter, in milliseconds, for video conference traffic (40 msec)
voice
  Configures the maximum delay parameter, in milliseconds, for voice traffic (0 msec)
<0-1000>
  This parameter is common to all of the above traffic types.
  • <0-1000> – Specify a value from 0 - 1000 msec.

• smart-aggregation {max-mesh-hops <1-10>}

max-mesh-hops <1-10>
  Optional. Sets the maximum number of expected hops to the destination within a mesh
  • <1-10> – Specify a value from 1 - 10. The default is 3 hops.

• smart-aggregation {min-aggregation-limit <0-64>}

min-aggregation-limit <0-64>
  Optional. Sets the minimum number of aggregates buffered before an aggregate is sent
  • <0-64> – Specify a value from 0 - 64. The default is 8 frames.

Example
rfs6000-37FABE(config-radio-qos-test)#smart-aggregation delay voice 50
rfs6000-37FABE(config-radio-qos-test)#smart-aggregation delay background 100
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 smart-aggregation delay voice 50
 smart-aggregation delay background 100
rfs6000-37FABE(config-radio-qos-test)#

Related Commands
no
  Resets the minimum aggregation limit
17.1.5 service
radio-qos-policy

Invokes service commands in the radio QoS configuration mode

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
service [admission-control|show]
service admission-control across-reassoc
service show cli

Parameters
• service admission-control across-reassoc

service
  Invokes service commands
admission-control across-reassoc
  Retains previously negotiated TSPEC parameters across re-associations on the radio
  For more information on admission-control parameters, see admission-control.

• service show cli

service show cli
  Displays running system information
  • cli – Displays the Radio QoS mode’s CLI tree

Example
rfs4000-229D58(config-radio-qos-test)#service admission-control across-reassoc
rfs4000-229D58(config-radio-qos-test)#show context
radio-qos-policy test
 service admission-control across-reassoc
rfs4000-229D58(config-radio-qos-test)#

rfs4000-229D58(config-radio-qos-test)#service show cli
Radio QoS Mode mode:
+-help [help]
  +-search
    +-WORD [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-detailed [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-only-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-skip-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-skip-no [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-show
  +-commands [show commands]
  +-adoption
    +-log
     --More--]

Related Commands
no
  Disables retention of previously negotiated TSPEC parameters across re-associations on the radio
17.1.6 wmm
radio-qos-policy

Configures 802.11e wireless multimedia (wmm) parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wmm [background|best-effort|video|voice]
wmm [background|best-effort|video|voice] [aifsn <1-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]

Parameters
• wmm [background|best-effort|video|voice] [aifsn <1-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]

wmm background
  Configures background access category wireless multimedia settings
wmm best-effort
  Configures best effort access category wireless multimedia settings
wmm video
  Configures video access category wireless multimedia settings
wmm voice
  Configures voice access category wireless multimedia settings

aifsn <1-15>
  Configures Arbitrary Inter-Frame Space Number (AIFSN) as the wait time between data frames derived from the AIFSN and slot time
  • background – Sets the current AIFSN for low (background) traffic. The default is 7.
  • best-effort – Sets the current AIFSN for normal (best-effort) traffic. The default is 3.
  • video – Sets the current AIFSN for video traffic. Higher-priority traffic video categories should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before attempting access. The default is 1.
  • voice – Sets the current AIFSN for voice traffic. Higher-priority traffic voice categories should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before attempting access. The default is 1.
  The following keyword is common to all of the above traffic types:
  • <1-15> – Sets a value from 1 - 15

cw-max <0-15>
  Clients pick a number between 0 and the min contention window to wait before retransmission. Clients then double their wait time on a collision, until it reaches the maximum contention window.
  • background – Sets CW Max for low (background) traffic. The default is 10.
  • best-effort – Sets CW Max for normal (best effort) traffic. The default is 6.
  • voice – Sets CW Max for voice traffic. The default is 3.
  • video – Sets CW Max for video traffic. The default is 4.
  The following keyword is common to all of the above traffic types:
  • <0-15> – ECW: the contention window. The actual value used is (2^ECW - 1).
  Note: Lower values are used for higher priority traffic (like video and voice) and higher values are used for lower priority traffic (like background and best-effort).

cw-min <0-15>
  Clients select a number between 0 and the min contention window to wait before retransmission. Clients then double their wait time on a collision, until it reaches the maximum contention window.
  • background – Sets CW Min for low (background) traffic. The default is 4.
  • best-effort – Sets CW Min for normal (best effort) traffic. The default is 4.
  • voice – Sets CW Min for voice traffic. The default is 2.
  • video – Sets CW Min for video traffic. The default is 3.
  The following keyword is common to all of the above traffic types:
  • <0-15> – ECW: the contention window. The actual value used is (2^ECW - 1).
  Note: Lower values are used for higher priority traffic (like video and voice) and higher values are used for lower priority traffic (like background and best-effort).

txop-limit <0-65535>
  Set the interval, in microseconds, during which a particular client has the right to initiate transmissions
  • background – Sets TXOP for low (background) traffic. The default is 0.
  • best-effort – Sets TXOP for normal (best effort) traffic. The default is 4.
  • voice – Sets TXOP for voice traffic. The default is 47.
  • video – Sets TXOP for video traffic. The default is 94.
  The following keyword is common to all of the above traffic types:
  • <0-65535> – Specify a value from 0 - 65535 to configure the transmit opportunity limit in 32 microsecond units.
  Note: Lower values are used for higher priority traffic (like video and voice) and higher values are used for lower priority traffic (like background and best-effort).

Usage Guidelines
Before defining a radio QoS policy, refer to the following deployment guidelines to ensure the configuration is optimally effective:
• To support QoS, each multimedia application, wireless client, and WLAN is required to support WMM.
• WMM enabled clients can co-exist with non-WMM clients on the same WLAN. Non-WMM clients are always assigned a Best Effort access category.
• Default WMM values are recommended for all deployments. Changing these values can lead to unexpected traffic blockages, and the blockages might be difficult to diagnose.
• Overloading an access point radio with too much high priority traffic (especially voice) degrades overall service quality for all users.
• TSPEC admission control is only available with newer voice over WLAN phones. Many legacy voice devices do not support TSPEC or even support WMM traffic prioritization.
Example
rfs6000-37FABE(config-radio-qos-test)#wmm best-effort aifsn 7
rfs6000-37FABE(config-radio-qos-test)#wmm voice txop-limit 1
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 wmm best-effort aifsn 7
 wmm voice txop-limit 1
 admission-control voice max-airtime-percent 9
 admission-control voice reserved-for-roam-percent 8
 accelerated-multicast stream-threshold 15
rfs6000-37FABE(config-radio-qos-test)#

Related Commands
no
  Reverts or resets 802.11e/wireless multimedia settings to their default
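The units in the wmm parameter table (ECW exponents, TXOP in 32 microsecond units) are easy to misread when reviewing a policy, so the following added example, which is not part of the Extreme Networks guide, overlays the wmm lines of a show context dump on the defaults listed above, converts them to the values the radio actually uses, and flags settings that break the "higher priority uses lower values" ordering the guide describes. Function names are hypothetical; the defaults, ranges and sample output are the ones on this page.

```python
import re

PRIORITY = ["voice", "video", "best-effort", "background"]  # highest priority first
# Defaults and ranges copied from the wmm parameter table on this page.
DEFAULTS = {
    "aifsn": {"voice": 1, "video": 1, "best-effort": 3, "background": 7},
    "cw-min": {"voice": 2, "video": 3, "best-effort": 4, "background": 4},
    "cw-max": {"voice": 3, "video": 4, "best-effort": 6, "background": 10},
    "txop-limit": {"voice": 47, "video": 94, "best-effort": 4, "background": 0},
}
RANGES = {"aifsn": (1, 15), "cw-min": (0, 15), "cw-max": (0, 15), "txop-limit": (0, 65535)}
WMM_LINE = re.compile(r"^\s*wmm\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# 'show context' output reproduced from the wmm example on this page.
PAGE_SAMPLE = """\
radio-qos-policy test
 wmm best-effort aifsn 7
 wmm voice txop-limit 1
 admission-control voice max-airtime-percent 9
 admission-control voice reserved-for-roam-percent 8
 accelerated-multicast stream-threshold 15
"""


def effective_wmm(show_context):
    """Overlay the wmm lines of a 'show context' dump on the documented defaults."""
    settings = {param: dict(values) for param, values in DEFAULTS.items()}
    errors = []
    for line in show_context.splitlines():
        match = WMM_LINE.match(line)
        if not match:
            continue  # prompts and non-wmm settings are ignored
        category, param, value = match.group(1), match.group(2), int(match.group(3))
        if category not in PRIORITY or param not in RANGES:
            errors.append(f"unknown wmm keyword: {line.strip()}")
            continue
        low, high = RANGES[param]
        if not low <= value <= high:
            errors.append(f"{category} {param} {value} outside <{low}-{high}>")
            continue
        settings[param][category] = value
    return settings, errors


def contention_window(ecw):
    """ECW is an exponent: the window actually used is 2^ECW - 1."""
    return (1 << ecw) - 1


def txop_microseconds(txop_limit):
    """txop-limit is configured in 32 microsecond units."""
    return txop_limit * 32


def summarize(settings):
    """Translate configured values into the quantities the radio works with."""
    return {
        category: {
            "aifsn": settings["aifsn"][category],
            "cw_min": contention_window(settings["cw-min"][category]),
            "cw_max": contention_window(settings["cw-max"][category]),
            "txop_us": txop_microseconds(settings["txop-limit"][category]),
        }
        for category in PRIORITY
    }


def audit_wmm(settings):
    """Flag orderings that let lower-priority traffic contend more aggressively."""
    findings = []
    for param in ("aifsn", "cw-min", "cw-max"):
        for higher, lower in zip(PRIORITY, PRIORITY[1:]):
            if settings[param][higher] > settings[param][lower]:
                findings.append(
                    f"{param}: {higher} ({settings[param][higher]}) is larger than "
                    f"{lower} ({settings[param][lower]})"
                )
    for category in PRIORITY:
        if settings["cw-min"][category] > settings["cw-max"][category]:
            findings.append(f"{category}: cw-min exceeds cw-max")
    return findings


if __name__ == "__main__":
    current, problems = effective_wmm(PAGE_SAMPLE)
    for category, values in summarize(current).items():
        print(category, values)
    for item in problems + audit_wmm(current):
        print("REVIEW:", item)
```
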
18 ROLE-POLICY

This chapter summarizes the role policy commands in the CLI command structure.

A well defined role policy simplifies user management, and is a significant aspect of WLAN management. It acts as a role based firewall (much like ACLs) consisting of user-defined roles. Each role has a set of match criteria (filters) used to filter wireless clients. The action taken when a client matches the defined filters, is determined by the IP or MAC ACL associated with the user-defined role. Based on the conditions specified in the IP and/or MAC ACL, clients are granted or denied access to the controller managed network. The role policy also defines the VLAN and data rates assigned to clients provided network access.

A role policy also enables LDAP service, allowing controllers and access points to retrieve user information from the LDAP server. This information is matched with the user-defined role filters to determine if a client matches the role or not, and should be allowed or denied access to the controller managed network.

Use the (config-role-policy) instance to configure role policy related configuration commands. To navigate to the config-role instance, use the following commands:

<DEVICE>(config)#role-policy <POLICY-NAME>

rfs6000-37FABE(config)#role-policy test
rfs6000-37FABE(config-role-policy-test)#?
Role Policy Mode commands:
  default-role     Configuration for Wireless Clients not matching any role
  ldap-deadperiod  Ldap dead period interval
  ldap-query       Set the ldap query mode
  ldap-server      Add a ldap server
  ldap-timeout     Ldap query timeout interval
  no               Negate a command or set its defaults
  user-role        Create a role
  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal
rfs6000-37FABE(config-role-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
18.1 role-policy
ROLE-POLICY

The following table summarizes role policy configuration commands:

Table 18.1 Role-Policy-Config Commands

Command           Description                                                                                              Reference
default-role      Assigns the default role to clients not matching any of the user-defined roles defined in the role policy   page 18-3
ldap-deadperiod   Configures the Lightweight Directory Access Protocol (LDAP) deadperiod interval                          page 18-5
ldap-query        Enables LDAP service and specifies the LDAP server query mode                                            page 18-6
ldap-server       Configures the LDAP server settings                                                                      page 18-7
ldap-timeout      Configures the LDAP query timeout interval                                                               page 18-9
no                Negates a command or reverts settings to their default                                                   page 18-10
user-role         Creates a role and associates it to the newly created role policy                                        page 18-11

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
18.1.1 default-role
role-policy

Assigns a default role to a wireless client that fails to match any of the user-defined roles

When a wireless client accesses a network, the client’s details, retrieved from the LDAP server, are matched against all user-defined roles within the role policy. If the client fails to match any of these user-defined role filters, the client is assigned the default role. The action taken (permit or deny access) is determined by the IP and/or MAC ACL associated with the default role.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
default-role use [ip-access-list|ipv6-access-list|mac-access-list]
default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>

Parameters
• default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>

default-role use
  Enables default role configuration. This role is applied to a wireless client not matching any of the user-defined roles.
  • use – Associates an IP, IPv6, or MAC access list with the default role

[ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME>
  Associates an IP access list, IPv6 access list, or a MAC access list with this default role
  • in – Applies the rule (IP, IPv6, or MAC) to incoming packets
  • out – Applies the rule (IP, IPv6, or MAC) to outgoing packets
  IP and MAC access control lists (ACLs) act as firewalls by blocking and/or permitting data traffic in both directions (inbound and outbound) within a managed network. IP ACLs use IP addresses for matching operations, whereas MAC ACLs use MAC addresses for matching operations. In case of a match (i.e. if a packet is received from or is destined for a specified IP or MAC address), an action is taken. This action is a typical allow, deny or mark designation to controller packet traffic. For more information on ACLs, see AAA-POLICY.
  • <IP/IPv6/MAC-ACCESS-LIST-NAME> – Specify the access list name.
  The ACL applied determines the action applied to a client assigned the default role.

precedence <1-100>
  The following keyword is common to all of the above parameters:
  • precedence – Assigns a precedence value to the ACL identified in the previous step.
  • <1-100> – Specify a precedence from 1 - 100.
  ACLs are applied in increasing order of their precedence. Rules with lower precedence are given priority.
Example
rfs6000-37FABE(config-role-policy-test)#default-role use ip-access-list in test precedence 1
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
rfs6000-37FABE(config-role-policy-test)#

Related Commands
no
  Removes or resets the default role configuration
18.1.2 ldap-deadperiod
role-policy

Configures the LDAP deadperiod interval

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ldap-deadperiod <60-300>

Parameters
• ldap-deadperiod <60-300>

ldap-deadperiod <60-300>
  Configures a LDAP dead period. When enabled, LDAP service allows the AP or controller to bind with the LDAP server and retrieve user details to match with user-defined role filters. The LDAP deadperiod is the interval between two consecutive attempts to bind with the LDAP server. To enable LDAP service, use the ldap-query command.
  • <60-300> – Specify the interval from 60 - 300 seconds. The default is 120 seconds.

Example
rfs6000-37FABE(config-role-policy-test)#ldap-deadperiod 100
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-deadperiod 100
rfs6000-37FABE(config-role-policy-test)#

Related Commands
no
  Removes or resets the LDAP deadperiod interval
18.1.3 ldap-query
role-policy

Enables LDAP service and specifies the LDAP server query mode

Configuring the LDAP server query mode automatically enables LDAP service on this role policy. By default LDAP service is disabled.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ldap-query [self|through-controller]

Parameters
• ldap-query [self|through-controller]

self
  Configures LDAP query mode as self. The AP directly queries the LDAP server for user information. Select ‘self’ to use local LDAP server resources configured using the ldap-server command.
through-controller
  Configures LDAP query mode as through-controller. The AP queries the LDAP server, for user information, through the controller.
  Use this option when the AP is layer 2 adopted to the controller.

Example
rfs6000-37FABE(config-role-policy-test)#ldap-query self
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-deadperiod 100
rfs6000-37FABE(config-role-policy-test)#

Related Commands
no
  Disables LDAP service on this role policy
18.1.4 ldap-server
role-policy

Associates a specified LDAP server with this role policy. Use this command to configure the credentials needed to bind with the LDAP server.

When enabled, LDAP service allows the AP or controller to bind with the LDAP server and retrieve user details. This information is matched with the user-defined roles within the role policy. If a match is made, the user is assigned the role and allowed or denied access to the controller managed network.

You can associate two LDAP servers with a role policy, allowing failover in case the primary server is unreachable.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ldap-server <1-2> host [<IP>|<FQDN>] bind-dn <BIND-DN> base-dn <BASE-DN> bind-password <PASSWORD> {port <1-65535>} {(server-type [active-directory|openldap])}

Parameters
• ldap-server <1-2> host [<IP>|<HOSTNAME>] bind-dn <BIND-DN> base-dn <BASE-DN> bind-password <PASSWORD> {port <1-65535>} {(server-type [active-directory|openldap])}

ldap-server <1-2>
  Specify the LDAP server ID from 1 - 2.
  The primary LDAP server (ID 1) is used to bind and query. The secondary LDAP server (ID 2) is for failover.
host [<IP>|<FQDN>]
  Specify the LDAP server’s IP address or Fully Qualified Domain Name (FQDN).
bind-dn <BIND-DN>
  Specify the bind distinguished name (used for binding with the server).
base-dn <BASE-DN>
  Specify the base distinguished name (used for searching). This should not exceed 127 characters.
bind-password <PASSWORD>
  Specify the LDAP server password associated with the bind DN.
port <1-65535>
  Optional. Specify the LDAP server port from 1 - 65535. (default is 389).
server-type [active-directory|openldap]
  The following keywords are common to the ‘port’ parameter:
  • server-type – Optional. Specifies the LDAP server type
  • active-directory – Enables support for active directory attribute search. This is the default setting.
  • openldap – Enables support for openLDAP attribute search

Usage Guidelines
Use the ldap-query command to enable LDAP service on a role policy.
Use the show > role > ldap-stats command to view LDAP server status and state.
Example
rfs6000-37FABE(config-role-policy-test)#ldap-server 1 host 192.168.13.7 bind-dn "CN=Administrator,CN=Users,DC=TechPub,DC=com" base-dn "CN=Administrator,CN=Users,DC=TechPub,DC=com" bind-password 0 superuser port 2
rfs6000-37FABE(config-role-policy-test)#
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-deadperiod 100
 ldap-server 1 host 192.168.13.7 bind-dn CN=Administrator,CN=Users,DC=TechPub,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 superuser port 2
rfs6000-37FABE(config-role-policy-test)#

Related Commands
no
  Removes or resets the LDAP server settings
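Because the ldap-server line carries the bind credentials in the saved configuration, a role-policy dump is worth reviewing before it is archived or shared. The following added example, which is not part of the Extreme Networks guide, parses the show context output above and reports review points without echoing the password. Function names and check identifiers are hypothetical, the "admin" match on the bind DN is a heuristic, and treating a leading 0 before the password as a clear-text storage marker is an assumption the guide does not state.

```python
import shlex

KEYWORDS = ("host", "bind-dn", "base-dn", "bind-password", "port", "server-type")

# 'show context' output reproduced from the ldap-server example on this page.
PAGE_SAMPLE = """\
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-deadperiod 100
 ldap-server 1 host 192.168.13.7 bind-dn CN=Administrator,CN=Users,DC=TechPub,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 superuser port 2
"""


def parse_ldap_server(line):
    """Parse one 'ldap-server ...' line; return None for any other line."""
    try:
        tokens = shlex.split(line)  # DNs may be quoted when they contain spaces
    except ValueError:
        return None
    if len(tokens) < 3 or tokens[0] != "ldap-server":
        return None
    fields, key = {}, None
    for token in tokens[2:]:
        if token in KEYWORDS:
            key = token
            fields[key] = []
        elif key is not None:
            fields[key].append(token)
    password = fields.pop("bind-password", [])
    server = {name: " ".join(parts) for name, parts in fields.items()}
    server["id"] = tokens[1]
    # Defaults stated in the parameter table: port 389, server-type active-directory.
    server.setdefault("port", "389")
    server.setdefault("server-type", "active-directory")
    # Assumption: a leading numeric token marks how the secret is stored (0 = clear text).
    # The secret itself is deliberately not kept in the parsed record.
    two_part = len(password) == 2 and password[0].isdigit()
    server["password_type"] = password[0] if two_part else None
    return server


def audit_role_policy(show_context):
    """Return (check_id, message) review points for one role-policy context dump."""
    servers, query_mode, findings = [], None, []
    for raw in show_context.splitlines():
        line = raw.strip()
        if line.startswith("ldap-query "):
            query_mode = line.split()[1]
        server = parse_ldap_server(line)
        if server is not None:
            servers.append(server)

    if query_mode and not servers:
        findings.append(("no-server", "ldap-query is set but no ldap-server is defined"))
    if servers and not query_mode:
        findings.append(("no-query", "ldap-server is defined but ldap-query is not set"))
    if len(servers) == 1:
        findings.append(("no-failover", "only one ldap-server; ID 2 provides failover"))

    for server in servers:
        where = "ldap-server " + server["id"]
        if server["password_type"] == "0":
            findings.append(("cleartext-secret",
                             where + ": bind password appears to be stored as clear text (type 0)"))
        bind_rdn = server.get("bind-dn", "").split(",")[0].lower()
        if "admin" in bind_rdn:  # heuristic: name looks like an administrative account
            findings.append(("privileged-bind",
                             where + ": binds as " + bind_rdn + "; a read-only lookup account is enough"))
        if server["port"] == "389":
            findings.append(("ldap-transport",
                             where + ": default LDAP port; confirm the bind is protected in transit"))
        else:
            findings.append(("nonstandard-port",
                             where + ": port " + server["port"] + " differs from the default 389"))
        if len(server.get("base-dn", "")) > 127:
            findings.append(("base-dn-length", where + ": base-dn exceeds 127 characters"))
    return findings


if __name__ == "__main__":
    for check_id, message in audit_role_policy(PAGE_SAMPLE):
        print(f"[{check_id}] {message}")
```
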
18.1.5 ldap-timeout
role-policy

Configures the LDAP timeout interval. This is the interval after which a LDAP query is timed out.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ldap-timeout <1-5>

Parameters
• ldap-timeout <1-5>

ldap-timeout <1-5>
  Configures the LDAP query timeout interval from 1 - 5 seconds (default is 2 seconds)
  When enabled, LDAP service allows the AP or controller to bind with the LDAP server and query it for user details. The LDAP query timeout is the interval between a request to and the response from the LDAP server. Once this interval is exceeded, the LDAP bind and query is timed out.

Example
rfs6000-37FABE(config-role-policy-test)#ldap-timeout 1
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-timeout 1
 ldap-deadperiod 100
 ldap-server 1 host 192.168.13.7 bind-dn CN=Adminstrator,CN=Users,DC=TechPub,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 superuser port 2
rfs6000-37FABE(config-role-policy-test)#

Related Commands
no
  Removes or resets the LDAP query timeout to default (2 seconds)
18.1.6 no

Negates a command or resets settings to their default. When used in the config role policy mode, the no command removes or resets the role policy settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [default-role|ldap-deadperiod|ldap-query|ldap-server <1-2>|ldap-timeout|user-role]
no [ldap-deadperiod|ldap-query|ldap-server <1-2>|ldap-timeout]
no default-role use [ip-access-list|ipv6-access-list|mac-access-list]
no default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>
no user-role <ROLE-NAME>

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Negates a command or resets settings to their default. When used in the config role policy mode, the no command removes or resets the role policy settings.

Example
The following example shows the role policy ‘test’ setting before the ‘no’ commands are executed:
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-timeout 1
 ldap-deadperiod 100
 ldap-server 1 host 192.168.13.7 bind-dn CN=Adminstrator,CN=Users,DC=TechPub,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 superuser port 2
rfs6000-37FABE(config-role-policy-test)#
rfs6000-37FABE(config-role-policy-test)#no ldap-deadperiod
rfs6000-37FABE(config-role-policy-test)#no ldap-timeout
rfs6000-37FABE(config-role-policy-test)#no ldap-server 1

The following example shows the role policy ‘test’ setting after the ‘no’ commands are executed:
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
rfs6000-37FABE(config-role-policy-test)#
18.1.7 user-role

This command creates a user-defined role. Each user-defined role has a set of Active Directory attributes. Each attribute is matched against the information returned by the LDAP server, until a complete match of role is found.

The following table summarizes user role configuration commands:

Table 18.2 User-Role-Config Commands
user-role – Creates a new user role and enters its configuration mode (page 18-12)
user-role commands – Summarizes user role configuration mode commands (page 18-14)
18.1.7.1 user-role

Creates a user-defined role. Each role consists of a set of filters and an action. The filters are match criteria used to filter wireless clients, and the action defines what is done when a client matches the specified filters.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
user-role <ROLE-NAME> precedence <1-10000>

Parameters
• user-role <ROLE-NAME> precedence <1-10000>

user-role <ROLE-NAME> – Configures the user role name
• <ROLE-NAME> – Specify a name for this user role.
precedence <1-10000> – Sets the precedence for this role. The lower the precedence, the higher the role priority. Precedence determines the order in which a role is applied. If a wireless client matches multiple roles, the role with the lower precedence is applied before those with higher precedence. While there is no default precedence for a role, two or more roles can share the same precedence.

Example
rfs6000-37FABE(config-role-policy-test)#user-role testing precedence 10
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 user-role testing precedence 10
 default-role use ip-access-list in test precedence 1
rfs6000-37FABE(config-role-policy-test)#
rfs6000-37FABE(config-role-policy-test-user-role-testing)#?
Role Mode commands:
  ap-location          AP Location configuration
  assign               Assign parameters to the role
  authentication-type  Type of Authentication
  captive-portal       Captive-portal based Role Filter
  city                 City configuration
  client-identity      Client identity
  company              Company configuration
  country              Country configuration
  department           Department configuration
  emailid              Emailid configuration
  employee-type        Employee-type configuration
  employeeid           Employeeid configuration
  encryption-type      Type of encryption
  group                Group configuration
  memberOf             MemberOf configuration
  mu-mac               MU MAC address configuration
  no                   Negate a command or set its defaults
  radius-user          Radius-user configuration
  ssid                 SSID configuration
  state                State configuration
  title                Title configuration
  use                  Set setting to use
  user-defined         User-defined configuration
  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no – Removes an existing user role
18.1.7.2 user-role commands

The following table summarizes user role configuration mode commands:

Table 18.3 User-Role-Mode Commands
Commands – Description (Reference)
ap-location – Configures an AP deployment location based filter (page 18-15)
assign – Configures upstream/downstream rate limits and VLAN ID assigned to clients matching the filters defined in the user-defined role (page 18-16)
authentication-type – Configures an authentication type based filter (page 18-18)
captive-portal – Configures a captive portal based filter (page 18-20)
city – Configures a city name based filter (page 18-21)
client-identity – Associates a client-identity (device fingerprinting) based filter (page 18-22)
company – Configures a company name based filter (page 18-23)
country – Configures a country name based filter (page 18-25)
department – Configures a department name based filter (page 18-27)
emailid – Configures an e-mail ID based filter (page 18-29)
employee-type – Configures an employee type ID based filter (page 18-31)
employeeid – Configures an employee ID based filter (page 18-32)
encryption-type – Configures an encryption type filter (page 18-34)
group – Configures a RADIUS group based filter (page 18-36)
memberOf – Assigns an Active Directory (AD) group to this user-defined role (page 18-38)
mu-mac – Configures MAC address and mask based filter (page 18-39)
no – Removes or resets the filters configured on this user-defined role (page 18-40)
radius-user – Configures a wireless client filter based on the RADIUS user name (page 18-42)
ssid – Configures an SSID based filter (page 18-44)
state – Configures a user role state to match (page 18-46)
title – Configures a ‘title’ string to match (page 18-48)
use – Associates an IP and/or MAC ACL with this role. These ACLs specify the action taken when a client matches this user-defined role. (page 18-49)
user-defined – Defines a filter based on an attribute defined in the Active Directory or the OpenLDAP server (page 18-52)
18.1.7.2.1 ap-location

Configures an AP’s deployment location based filter for this user-defined role

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap-location [any|contains|exact|not-contains]
ap-location any
ap-location [contains|exact|not-contains] <WORD>

Parameters
• ap-location any

ap-location any – Specifies the AP location to match (in an RF Domain) or the AP’s resident configuration
• any – Defines an AP’s location as any

• ap-location [contains|exact|not-contains] <WORD>

ap-location – Specifies the AP location to match (in an RF Domain) or the AP’s resident configuration. Select one of the following filter options: contains, exact, or not-contains.
contains <WORD> – Applies role if the associating AP’s location contains the location string specified in the role.
• <WORD> – Specify the location string to match.
exact <WORD> – Applies role if the associating AP’s location exactly matches the string specified in the role.
• <WORD> – Specify the exact location string to match.
not-contains <WORD> – Applies role if the associating AP’s location does not contain the location string specified in the role.
• <WORD> – Specify the location string not to match.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#ap-location contains office
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  ap-location contains office
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no – Removes an AP’s deployment location string from this user-defined role
18.1.7.2.2 assign

Configures upstream/downstream rate limits and VLAN ID. Clients matching this user-defined role’s filters are associated with the specified VLAN, and assigned the specified data rates.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
assign [rate-limit|vlan]
assign rate-limit [from-client|to-client] <1-65536>
assign vlan <1-4094>

Parameters
• assign rate-limit [from-client|to-client] <1-65536>

assign rate-limit [from-client|to-client] <1-65536> – Assigns an upstream and downstream traffic rate limit
• from-client – Assigns a rate limit, in Kbps, for the upstream (from client) traffic
• to-client – Assigns a rate limit, in Kbps, for the downstream (to client) traffic
• <1-65536> – Specify upstream and/or downstream rate limits from 1 - 65536 Kbps.
Wireless clients matching this user-defined role are assigned the configured rate limits.

• assign vlan <1-4094>

assign vlan <1-4094> – Assigns a VLAN (identified by VLAN’s ID). Clients matching this user-defined role are associated with the specified VLAN. The VLAN ID represents the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). This feature is disabled by default.
• <1-4094> – Specify the VLAN ID from 1 - 4094.
A wireless client that fails to match any user-defined role is assigned to the default role (configured as a role policy setting) and is mapped to the default VLAN under the WLAN.
The VLAN configured under the user-defined role need not exist under the WLAN. But, when using tunneled VLAN bridges, configure an additional bridge VLAN. If the VLAN bridging mode is ‘local’, no additional VLAN configuration is required.

Usage Guidelines
ACLs can only be used with tunnel or isolated-tunnel modes. They do not work with the local and automatic modes.
In case of bridge VLAN, the default bridging mode is ‘auto’. Change the bridging mode to ‘tunnel’. This extends the controller’s existing VLAN onto the AP and ensures that wireless clients are served IP addresses.

Example
rfs4000-229D58(config-role-policy-test-user-role-test)#assign rate-limit to-client 200
rfs4000-229D58(config-role-policy-test-user-role-test)#commit
rfs4000-229D58(config-role-policy-test-user-role-test)#show context
 user-role test precedence 1
  assign vlan 1
  assign rate-limit to-client 200
rfs4000-229D58(config-role-policy-test-user-role-test)#

The following examples define a role used to forward the IP traffic from all engineers in Test_Company, Santa Clara, USA onto VLAN 2.

1 Create a new role policy with name ‘test-policy’.
<DEVICE>(config)#role-policy test-policy

2 Specify the LDAP server used for this role policy.
<DEVICE>(config-role-policy-test-policy)#ldap-query self
<DEVICE>(config-role-policy-test-policy)#ldap-server 1 host 192.160.1.1 bind-dn CN=Administrator,CN=Users,DC=testtest,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 test port 389
<DEVICE>(config-role-policy-test-policy)#ldap-timeout 2

3 Create a user defined role.
<DEVICE>(config-role-policy-test-policy)#user-role SCEngineer precedence 100

4 Define the role by adding appropriate values and match operators.
<DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#city exact santa-clara
<DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#company exact ExampleCompany
<DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#country exact usa
<DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#title contains engineer
<DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#assign vlan 2

5 Apply role policy to an access point.
ap7131-99BFA8(config-device-ap7131)# use role-policy test-policy

Related Commands
no – Removes the upstream and/or downstream rate limits applied to this user-defined role. Also removes the VLAN ID.
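The SCEngineer walkthrough above, modelled in Python as an added example (not code from the guide or from WiNG). It shows how precedence ordering, the case-sensitive match operators and the default-role fallback interact, and reports which filter sent a client to the default role. Assumptions: a role matches only when all of its filters match, roles sharing a precedence are tried in configured order, a missing attribute is compared as an empty string, and the Contractor role, its VLAN 30 and the client records are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


def filter_matches(op: str, expected: str, actual: str) -> bool:
    """Apply one string filter. Comparisons are case sensitive, as the guide states."""
    if op == "any":
        return True
    if op == "exact":
        return actual == expected
    if op == "contains":
        return expected in actual
    if op == "not-contains":
        return expected not in actual
    raise ValueError(f"unknown match operator: {op}")


@dataclass
class UserRole:
    name: str
    precedence: int                               # 1-10000, lower is tried first
    filters: dict = field(default_factory=dict)   # attribute -> (operator, string)
    vlan: Optional[int] = None                    # 'assign vlan', 1-4094

    def __post_init__(self):
        if not 1 <= self.precedence <= 10000:
            raise ValueError("precedence must be 1-10000")
        if self.vlan is not None and not 1 <= self.vlan <= 4094:
            raise ValueError("vlan must be 1-4094")


def failed_filters(role, client):
    """List the filters of `role` that `client` does not satisfy."""
    # Assumption: an attribute the directory did not return is compared as "".
    return [f"{attr} {op} {text}"
            for attr, (op, text) in role.filters.items()
            if not filter_matches(op, text, client.get(attr, ""))]


def select_role(roles, client):
    """Return (role name, VLAN); VLAN None means the WLAN's default VLAN."""
    # sorted() is stable, so roles sharing a precedence keep configured order
    # (assumption: the guide does not define tie-breaking).
    for role in sorted(roles, key=lambda r: r.precedence):
        if not failed_filters(role, client):
            return role.name, role.vlan
    return "default-role", None


# The role built in steps 3 and 4 of the walkthrough.
SCENGINEER = UserRole("SCEngineer", 100, {
    "city": ("exact", "santa-clara"),
    "company": ("exact", "ExampleCompany"),
    "country": ("exact", "usa"),
    "title": ("contains", "engineer"),
}, vlan=2)
# Hypothetical second role using the employee-type filter.
CONTRACTOR = UserRole("Contractor", 200,
                      {"employee-type": ("exact", "consultant")}, vlan=30)
ROLES = [CONTRACTOR, SCENGINEER]

# Constructed directory attributes for four clients.
ALICE = {"city": "santa-clara", "company": "ExampleCompany",
         "country": "usa", "title": "senior engineer"}
BOB = {"city": "Santa-Clara", "company": "ExampleCompany",
       "country": "usa", "title": "Senior Engineer"}   # differs only in case
CAROL = dict(ALICE, **{"employee-type": "consultant"})  # satisfies both roles
DAVE = {"city": "san-jose", "employee-type": "consultant"}

if __name__ == "__main__":
    for name, client in [("alice", ALICE), ("bob", BOB),
                         ("carol", CAROL), ("dave", DAVE)]:
        print(name, select_role(ROLES, client),
              "SCEngineer misses:", failed_filters(SCENGINEER, client))
```

BOB differs from ALICE only in letter case, yet lands in the default role and therefore under the default role's ACL and the WLAN's default VLAN; `failed_filters` names the two filters responsible.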
18.1.7.2.3 authentication-type

Configures the authentication type based filter for this user-defined role

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
authentication-type [any|eq|neq]
authentication-type any
authentication-type [eq|neq] [eap|kerberos|mac-auth|none] {(eap|kerberos|mac-auth|none)}

Parameters
• authentication-type any

any – The authentication type is any (eq or neq). This is the default setting.

• authentication-type [eq|neq] [eap|kerberos|mac-auth|none] {(eap|kerberos|mac-auth|none)}

eq [eap|kerberos|mac-auth|none] – The role is applied only when the authentication type matches (equals) one or more of the following types:
• eap – Extensible authentication protocol
• kerberos – Kerberos authentication
• mac-auth – MAC authentication protocol
• none – no authentication used
These parameters are recursive, and you can configure more than one unique authentication type for this user-defined role.
neq [eap|kerberos|mac-auth|none] – The role is applied only when the authentication type does not match (not equals) any of the following types:
• eap – Extensible authentication protocol
• kerberos – Kerberos authentication
• mac-auth – MAC authentication protocol
• none – no authentication used
These parameters are recursive, and you can configure more than one unique ‘not equal to’ authentication type for this user-defined role.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#authentication-type eq kerberos
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no – Removes the authentication type filter configured for this user-defined role
18.1.7.2.4 captive-portal

Configures a captive portal based filter for this user-defined role. A captive portal is a guest access policy that provides temporary and restrictive access to the wireless network. When applied to a WLAN, a captive portal policy ensures secure guest access.

This command defines user-defined role filters based on a wireless client’s state of authentication.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
captive-portal authentication-state [any|post-login|pre-login]

Parameters
• captive-portal authentication-state [any|post-login|pre-login]

authentication-state – Defines the authentication state of a client connecting to a captive portal
any – Specifies any authentication state (authenticated and pending authentication). This is the default setting. This option makes no distinction on whether authentication is conducted before or after the wireless client has logged in.
post-login – Specifies authentication is completed successfully. This option requires the wireless client to share authentication credentials after logging into the managed network.
pre-login – Specifies authentication is pending. This option enables captive portal client authentication before the client is logged into the controller.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#captive-portal authentication-state pre-login
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no – Removes the captive portal based role filter settings
18.1.7.2.5 city

Configures a wireless client filter based on the city name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
city [any|contains|exact|not-contains]
city [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
• city [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

city – Specifies a wireless client filter based on how the ‘city’ name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
any – No specific city associated with this user-defined role. This role can be applied to any wireless client from any city.
contains <WORD> – The role is applied only when the city name, returned by the RADIUS server, contains the string specified in the role.
• <WORD> – Specify the string to match (this is case sensitive, and is compared against the city name returned by the RADIUS server). It should contain the provided expression.
exact – The role is applied only when the city name, returned by the RADIUS server, exactly matches the string specified in the role.
• <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the city name returned by the RADIUS server). It should be an exact match.
not-contains <WORD> – The role is applied only when the city name, returned by the RADIUS server, does not contain the string specified in the role.
• <WORD> – Specify the string not to match (this is case sensitive, and is compared against the city name returned by the RADIUS server). It should not contain the provided expression.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#city exact SanJose
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no – Removes the city name configured with this user-defined role
18.1.7.2.6 client-identity

Associates a client-identity (device fingerprinting) based filter. The role is assigned to a wireless client matching any of the defined client identities.

For more information on configuring client identity fingerprints, see client-identity.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
client-identity <CLIENT-IDENTITY-NAME> {<CLIENT-IDENTITY-NAME>}

Parameters
• client-identity <CLIENT-IDENTITY-NAME> {<CLIENT-IDENTITY-NAME>}

client-identity <CLIENT-IDENTITY-NAME> – Specifies the client-identity fingerprint to match (should be existing and configured)
• <CLIENT-IDENTITY-NAME> – Specify the client identity signature name.
Multiple client identities can be configured with a role policy.

Usage Guidelines
When associating one or more client identities with a role policy, ensure that all the client identities used by the role policy belong to a client identity group that is attached to the device or profile using the role policy. In other words, group all the client identities (used in this role policy) in a client identity group, and associate this group to the profile or device using this role policy.

For more information on configuring client identities and client identity groups, see client-identity and client-identity-group.

For more information on associating a client identity group and a role policy to a profile or a device, see use.

Example
rfs4000-229D58(config-role-policy-test-user-role-test)#client-identity TestClientIdentity
rfs4000-229D58(config-role-policy-test-user-role-test)#commit
rfs4000-229D58(config-role-policy-test-user-role-test)#client-identity ClientIdentityWindows
rfs4000-229D58(config-role-policy-test-user-role-test)#
rfs4000-229D58(config-role-policy-test-user-role-test)#show context
 user-role test precedence 1
  client-identity TestClientIdentity
  client-identity ClientIdentityWindows
rfs4000-229D58(config-role-policy-test-user-role-test)#

Related Commands
no – Removes the client identities associated with this role policy
18.1.7.2.7 company

Configures a wireless client filter based on the company name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
company [any|contains|exact|not-contains]
company [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
• company [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

company – Specifies a wireless client filter based on how the ‘company’ name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains
any – No specific company associated with this user-defined role. This role is applied to any wireless client from any company (no strings to match). This is the default setting.
contains <WORD> – The role is applied only when the company name, returned by the RADIUS server, contains the string specified in the role.
• <WORD> – Specify the string to match (this is case sensitive, and is compared against the company name returned by the RADIUS server). It should contain the provided expression.
exact – The role is applied only when the company name, returned by the RADIUS server, exactly matches the string specified in the role.
• <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the company name returned by the RADIUS server). It should be an exact match.
not-contains <WORD> – The role is applied only when the company name, returned by the RADIUS server, does not contain the string specified in the role.
• <WORD> – Specify the string not to match (this is case sensitive, and is compared against the company name returned by the RADIUS server). It should not contain the provided expression.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#company exact ExampleCompany
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no – Removes the company name configured with this user-defined role
18.1.7.2.8 country

Configures a wireless client filter based on the country name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
country [any|contains|exact|not-contains]
country [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
• country [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

country – Specifies a wireless client filter based on how the ‘country’ name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains
any – No specific country associated with this user-defined role. This role is applied to any wireless client from any country (no strings to match). This is the default setting.
contains <WORD> – The role is applied only when the country name, returned by the RADIUS server, contains the string specified in the role.
• <WORD> – Specify the string to match (this is case sensitive, and is compared against the country name returned by the RADIUS server). It should contain the provided expression.
exact – The role is applied only when the country name, returned by the RADIUS server, exactly matches the string specified in the role.
• <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the country name returned by the RADIUS server). It should be an exact match.
not-contains <WORD> – The role is applied only when the country name, returned by the RADIUS server, does not contain the string specified in the role.
• <WORD> – Specify the string not to match (this is case sensitive, and is compared against the country name returned by the RADIUS server). It should not contain the provided expression.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#country exact America
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact Examplecompany
  country exact America
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no – Removes the country name configured with this user-defined role
18.1.7.2.9 department

Configures a wireless client filter based on the department name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
department [any|contains|exact|not-contains]
department [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
• department [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

department – Specifies a wireless client filter based on how the ‘department’ name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains
any – No specific department associated with this user-defined role. This role can be applied to any wireless client from any department (no strings to match). This is the default setting.
contains <WORD> – The role is applied only when the department name, returned by the RADIUS server, contains the string specified in the role.
• <WORD> – Specify the string to match (this is case sensitive, and is compared against the department name returned by the RADIUS server). It should contain the provided expression.
exact – The role is applied only when the department name, returned by the RADIUS server, exactly matches the string specified in the role.
• <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the department name returned by the RADIUS server). It should be an exact match.
not-contains <WORD> – The role is applied only when the department name, returned by the RADIUS server, does not contain the string specified in the role.
• <WORD> – Specify the string not to match (this is case sensitive, and is compared against the department name returned by the RADIUS server). It should not contain the provided expression.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#department exact TnV
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no – Removes the department name configured with this user-defined role
18.1.7.2.10 emailid

Configures a wireless client filter based on the e-mail ID

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
emailid [any|contains|exact|not-contains]
emailid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
• emailid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

emailid – Specifies a wireless client filter based on how the ‘e-mail ID’, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains
any – No specific e-mail ID associated with this user-defined role. This role can be applied to any wireless client having any e-mail ID (no strings to match). This is the default setting.
contains <WORD> – The role is applied only when the e-mail ID, returned by the RADIUS server, contains the string specified in the role.
• <WORD> – Specify the string to match (this is case sensitive, and is compared against the e-mail ID returned by the RADIUS server). It should contain the provided expression.
exact – The role is applied only when the e-mail ID, returned by the RADIUS server, exactly matches the string specified in the role.
• <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the e-mail ID returned by the RADIUS server). It should be an exact match.
not-contains <WORD> – The role is applied only when the e-mail ID, returned by the RADIUS server, does not contain the string specified in the role.
• <WORD> – Specify the string not to match (this is case sensitive, and is compared against the e-mail ID returned by the RADIUS server). It should not contain the provided expression.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#emailid exact testing@examplecompany.com
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no – Removes the e-mail ID configured with this user-defined role

18.1.7.2.11 employee-type
user-role commands

Configures a wireless client filter based on the employee type

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
employee-type [any|contains|exact|not-contains]
employee-type [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
• employee-type [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

employee-type
    Specifies a wireless client filter based on how the ‘employee type’, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
any
    No specific employee type associated with this user-defined role. This role can be applied to any wireless client having any employee type (no strings to match). This is the default setting.
contains <WORD>
    The role is applied only when the employee type, returned by the RADIUS server, contains the string specified in the role.
    • <WORD> – Specify the string to match (this is case sensitive, and is compared against the employee type returned by the RADIUS server). It should contain the provided expression.
exact <WORD>
    The role is applied only when the employee type, returned by the RADIUS server, exactly matches the string specified in the role.
    • <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the employee type returned by the RADIUS server). It should be an exact match.
not-contains <WORD>
    The role is applied only when the employee type, returned by the RADIUS server, does not contain the string specified in the role.
    • <WORD> – Specify the string not to match (this is case sensitive, and is compared against the employee type returned by the RADIUS server). It should not contain the provided expression.

Example
rfs4000-229D58(config-role-policy-test-user-role-test1)#employee-type exact consultant
rfs4000-229D58(config-role-policy-test-user-role-user1)#show context
 user-role user1 precedence 1
  employee-type exact consultant
rfs4000-229D58(config-role-policy-test-user-role-user1)#

Related Commands
no
    Removes the employee type filter configured with this user-defined role

18.1.7.2.12 employeeid
user-role commands

Configures a wireless client filter based on the employee ID

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
employeeid [any|contains|exact|not-contains]
employeeid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
• employeeid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

employeeid
    Specifies a wireless client filter based on how the ‘employee ID’, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
any
    No specific employee ID associated with this user-defined role. This role can be applied to any wireless client having any employee ID (no strings to match). This is the default setting.
contains <WORD>
    The role is applied only when the employee ID, returned by the RADIUS server, contains the string specified in the role.
    • <WORD> – Specify the string to match (this is case sensitive, and is compared against the employee ID returned by the RADIUS server). It should contain the provided expression.
exact <WORD>
    The role is applied only when the employee ID, returned by the RADIUS server, exactly matches the string specified in the role.
    • <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the employee ID returned by the RADIUS server). It should be an exact match.
not-contains <WORD>
    The role is applied only when the employee ID, returned by the RADIUS server, does not contain the string specified in the role.
    • <WORD> – Specify the string not to match (this is case sensitive, and is compared against the employee ID returned by the RADIUS server). It should not contain the provided expression.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#employeeid contains TnVTest1
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
  employeeid contains TnVTest1
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no
    Removes the employee ID configured with this user-defined role

18.1.7.2.13 encryption-type
user-role commands

Selects the encryption type for this user-defined role. Encryption ensures privacy between access points and wireless clients. There are various modes of encrypting communication on a WLAN, such as Counter-mode CBC-MAC Protocol (CCMP), Wired Equivalent Privacy (WEP), keyguard, Temporal Key Integrity Protocol (TKIP), etc.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
encryption-type [any|eq|neq]
encryption-type any
encryption-type [eq|neq] [ccmp|keyguard|none|tkip|wep128|wep64] {(ccmp|keyguard|none|tkip|tkip-ccmp|wep128|wep64)}

Parameters
• encryption-type any

any
    The encryption type can be any one of the listed options (ccmp|keyguard|tkip|wep128|wep64). This is the default setting.

• encryption-type [eq|neq] [ccmp|keyguard|none|tkip|wep128|wep64] {(ccmp|keyguard|none|tkip|tkip-ccmp|wep128|wep64)}

eq [ccmp|keyguard|none|tkip|wep128|wep64]
    The role is applied only if the encryption type equals one of the following options:
    • ccmp – Encryption mode is CCMP
    • keyguard – Encryption mode is keyguard. Keyguard encryption shields the master encryption keys from being discovered.
    • none – No encryption mode specified
    • tkip – Encryption mode is TKIP
    • wep128 – Encryption mode is WEP128
    • wep64 – Encryption mode is WEP64
    These parameters are recursive, and you can configure more than one encryption type for this user-defined role.
neq [ccmp|keyguard|none|tkip|wep128|wep64]
    The role is applied only if the encryption type is not equal to any of the following options:
    • ccmp – Encryption mode is not equal to CCMP
    • keyguard – Encryption mode is not equal to keyguard
    • none – Encryption mode is not equal to none
    • tkip – Encryption mode is not equal to TKIP
    • wep128 – Encryption mode is not equal to WEP128
    • wep64 – Encryption mode is not equal to WEP64
    These parameters are recursive, and you can configure more than one ‘not equal to’ encryption type for this user-defined role.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#encryption-type eq wep128
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  encryption-type eq wep128
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
  employeeid contains TnVTest1
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no
    Removes the encryption type configured for this user-defined role

18.1.7.2.14 group
user-role commands

Configures a wireless client filter based on the RADIUS group name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
group [any|contains|exact|not-contains]
group [any|contains <WORD>|exact <WORD>|not-contains <WORD>]

Parameters
• group [any|contains <WORD>|exact <WORD>|not-contains <WORD>]

group
    Specifies a wireless client filter based on how the RADIUS group name matches the provided expression. Select one of the following options: any, contains, exact, or not-contains
any
    This user-defined role can fit into any group (no strings to match). This is the default setting.
contains <WORD>
    The role is applied only when the RADIUS group name contains the string specified in the role.
    • <WORD> – Specify the string to match (this is case sensitive, and is compared against the group name returned by the RADIUS server). It should contain the provided expression.
exact <WORD>
    The role is applied only when the RADIUS group name exactly matches the string specified in the role.
    • <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the group name returned by the RADIUS server). It should be an exact match.
not-contains <WORD>
    The role is applied only when the RADIUS group name does not contain the string specified in the role.
    • <WORD> – Specify the string not to match (this is case sensitive, and is compared against the group name returned by the RADIUS server). It should not contain the provided expression.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#group contains testgroup
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  encryption-type eq wep128
  ap-location contains office
  group contains testgroup
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact Example_company
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
  employeeid contains TnVTest1
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no
    Removes the group configured for this user-defined role

18.1.7.2.15 memberOf
user-role commands

Applies an Active Directory (AD) group filter to this user-defined role. A wireless client can be a member of more than one group within the AD database. This command applies an AD group based firewall, which applies a role to a wireless client only if it belongs to the specified AD group.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
memberOf <AD-GROUP-NAME>

Parameters
• memberOf <AD-GROUP-NAME>

memberOf <AD-GROUP-NAME>
    Applies this user-defined role to a client only if the client belongs to the specified AD group
    • <AD-GROUP-NAME> – Specify the AD group name.

Example
rfs4000-229D58(config-role-policy-test-user-role-test)#memberOf ADTestgroup
rfs4000-229D58(config-role-policy-test-user-role-test)#show context
 user-role test precedence 1
  assign vlan 1
  assign rate-limit to-client 200
  memberOf ADTestgroup
rfs4000-229D58(config-role-policy-test-user-role-test)#

Related Commands
no
    Removes the AD group assigned to this user-defined role

18.1.7.2.16 mu-mac
user-role commands

Configures a MAC address and mask based filter for this role policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mu-mac [<MAC>|any]
mu-mac any
mu-mac <MAC> {mask <MAC>}

Parameters
• mu-mac any

any
    Applies role to any wireless client (no MAC address to match). This is the default setting.

• mu-mac <MAC> {mask <MAC>}

<MAC>
    Applies role to the wireless client having specified MAC address
    • <MAC> – Sets the MAC address in the AA-BB-CC-DD-EE-FF format
mask <MAC>
    Optional. After specifying the client’s MAC address, specify the mask in the AA-BB-CC-DD-EE-FF format. The role is applied to the wireless client exactly matching the specified MAC address and MAC mask.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#mu-mac 11-22-33-44-55-66
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  encryption-type eq wep128
  ap-location contains office
  mu-mac 11-22-33-44-55-66
  group contains testgroup
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
  employeeid contains TnVTest1
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no
    Removes the MAC address and mask for this user-defined role

18.1.7.2.17 no
user-role commands

Negates a command or resets configured settings to their default. When used in the config role policy user-defined role mode, the no command removes or resets settings, such as AP location, authentication type, encryption type, captive portal, etc.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [ap-location|assign|authentication-type|captive-portal|city|client-identity|company|country|department|emailid|employee-type|employeeid|encryption-type|group|memberOf|mu-mac|radius-user|ssid|state|title|use|user-defined]
no [ap-location|assign|authentication-type|city|client-identity|company|country|department|emailid|employee-type|employeeid|encryption-type|group|mu-mac|memberOf|ssid|radius-user|state|title|user-defined]
no captive-portal authentication-state
no use [application-policy|bonjour-gw-discovery-policy|ip-access-list|ipv6-access-list|mac-access-list|url-filter]
no use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>
no use [application-policy|bonjour-gw-discovery-policy|url-filter]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Negates a command or resets configured settings to their default. When used in the config role policy user-defined role mode, the no command removes or resets settings, such as AP location, authentication type, encryption type, captive portal, etc.

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
The following example shows the Role Policy ‘test’ User Role ‘testing’ configuration before the ‘no’ commands are executed:

rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  encryption-type eq wep128
  ap-location contains office
  mu-mac 11-22-33-44-55-66
  group contains testgroup
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
  employeeid contains TnVTest1
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

rfs6000-37FABE(config-role-policy-test-user-role-testing)#no authentication-type
rfs6000-37FABE(config-role-policy-test-user-role-testing)#no encryption-type
rfs6000-37FABE(config-role-policy-test-user-role-testing)#no group
rfs6000-37FABE(config-role-policy-test-user-role-testing)#no mu-mac
rfs6000-37FABE(config-role-policy-test-user-role-testing)#no ap-location
rfs6000-37FABE(config-role-policy-test-user-role-testing)#no employeeid

The following example shows the Role Policy ‘test’ User Role ‘testing’ configuration after the ‘no’ commands are executed:

rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

18.1.7.2.18 radius-user
user-role commands

Configures a wireless client filter based on the RADIUS user name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
radius-user [any|contains|ends-with|exact|not-contains|starts-with]

Parameters
• radius-user [any|contains|ends-with|exact|not-contains|starts-with]

radius-user
    Specifies a wireless client filter based on how the ‘radius-user’ name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
any
    No specific RADIUS user name associated with this user-defined role. This role can be applied to any wireless client (no strings to match). This is the default setting.
contains <WORD>
    The role is applied only when the ‘radius-user’ name, returned by the RADIUS server, contains the string specified in the role.
    • <WORD> – Specify the string to match (this is case sensitive, and is compared against the ‘radius-user’ name returned by the RADIUS server). It should contain the provided expression.
    You can use the realm or any sub-string of the user name.
ends-with <WORD>
    Enables role assignment on the basis of the wireless client’s “department” and/or “group”
    • <WORD> – Specify the string (could be department/group code). For example: 1005000002. In this the last three digits represent the department/group code. The remaining digits represent user’s badge number.
    The role is applied only when the ‘radius-user’ name, returned by the RADIUS server, ends with the string specified here.
exact <WORD>
    The role is applied only when the ‘radius-user’ name, returned by the RADIUS server, exactly matches the string specified in the role.
    • <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the ‘radius-user’ name returned by the RADIUS server). It should be an exact match.
    Provide the complete user name along with the realm.
not-contains <WORD>
    The role is applied only when the ‘radius-user’ name, returned by the RADIUS server, does not contain the string specified in the role.
    • <WORD> – Specify the string not to match (this is case sensitive, and is compared against the ‘radius-user’ name returned by the RADIUS server). It should not contain the provided expression.
starts-with <WORD>
    Enables role assignment on the basis of the wireless client’s “department” and/or “group” code
    • <WORD> – Specify the string (could be department/group code). For example: 0026100573. The first three digits represent the department/group code. The remaining digits represent user’s badge number.
    The role is applied only when the ‘radius-user’ name, returned by the RADIUS server, starts with the string specified here.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#radius-user contains test.com
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 1
  radius-user contains test.com
  company exact ExampleCompany
  emailid exact testing@examplecompany.com
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no
    Removes the radius-user filter

18.1.7.2.19 ssid
user-role commands

Configures an SSID based filter

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ssid [any|exact|contains|not-contains]
ssid any
ssid [exact|contains|not-contains] <WORD>

Parameters
• ssid any

ssid any
    Specifies a wireless client filter based on how the SSID is specified in a WLAN
    • any – The role is applied to any SSID location. This is the default setting.

• ssid [exact|contains|not-contains] <WORD>

ssid
    Specifies a wireless client filter based on how the SSID is specified in a WLAN. The options are: contains, exact, or not-contains
exact <WORD>
    The role is applied only when the SSID, returned by the RADIUS server, exactly matches the string specified in the role.
    • <WORD> – Specify the SSID string to match. The SSID is case sensitive and is compared against the SSID configured for the WLAN.
contains <WORD>
    The role is applied only when the SSID, returned by the RADIUS server, contains the string specified in the role.
    • <WORD> – Specify the SSID string to match. The SSID is case sensitive and is compared against the SSID configured for the WLAN.
not-contains <WORD>
    The role is applied only when the SSID, returned by the RADIUS server, does not contain the string specified in the role.
    • <WORD> – Specify the SSID string not to match. The SSID is case sensitive and is compared against the SSID configured for the WLAN.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#ssid not-contains DevUser
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  ssid not-contains DevUser
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no
    Removes the SSID configured for a user-defined role

18.1.7.2.20 state
user-role commands

Configures a user role state to match with this user-defined role

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
state [any|contains|exact|not-contains]
state [any|contains <WORD>|exact <WORD>|not-contains <WORD>]

Parameters
• state [any|contains <WORD>|exact <WORD>|not-contains <WORD>]

state
    Specifies a wireless client filter option based on how the RADIUS state matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
any
    This user role can fit any wireless client irrespective of the state (no strings to match).
contains <WORD>
    The user role is applied only when the RADIUS state contains the string specified in the role.
    • <WORD> – Specify the string to match (this is case sensitive, and is compared against the state returned by the RADIUS server). It should contain the provided expression.
exact <WORD>
    The role is applied only when the RADIUS state exactly matches the string specified in the role.
    • <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the state returned by the RADIUS server). It should be an exact match.
not-contains <WORD>
    The role is applied only when the RADIUS state does not contain the string specified in the role.
    • <WORD> – Specify the string not to match (this is case sensitive, and is compared against the state returned by the RADIUS server). It should not contain the provided expression.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#state exact active
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  ssid not-contains DevUser
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
  state exact active
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
no
    Removes the ‘state’ filter string associated with a user role

18.1.7.2.21 title
user-role commands

Configures a ‘title’ string to match

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
title [any|contains|exact|not-contains]
title [any|contains <WORD>|exact <WORD>|not-contains <WORD>]

Parameters
• title [any|contains <WORD>|exact <WORD>|not-contains <WORD>]

title
    Specifies a wireless client filter based on how the title string, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
any
    This user role can fit any wireless client irrespective of the title (no strings to match).
contains <WORD>
    The user role is applied only when the title string, returned by the RADIUS server, contains the string specified in the role.
    • <WORD> – Specify the string to match (this is case sensitive, and is compared against the title returned by the RADIUS server). It should contain the provided expression.
exact <WORD>
    The role is applied only when the title string, returned by the RADIUS server, exactly matches the string specified in the role.
    • <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the title returned by the RADIUS server). It should be an exact match.
not-contains <WORD>
    The role is applied only when the title string, returned by the RADIUS server, does not contain the string specified in the role.
    • <WORD> – Specify the string not to match (this is case sensitive, and is compared against the title returned by the RADIUS server). It should not contain the provided expression.

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#title any

Related Commands
no
    Removes the ‘title’ filter string configured with a user role
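
The match filters described in the preceding user-role sections (the string filters, mu-mac with its mask, and encryption-type eq/neq) can be checked offline before a role policy is pushed to a device. The following Python model is an added example, not code from this guide or from Extreme Networks. It assumes that every filter in a role must match, that roles are tried in ascending precedence, that the mask selects which MAC bits are compared, and that an attribute the RADIUS server did not return is compared as an empty string; the sample configuration is constructed from values used in the examples above.

```python
# Added example: offline model of WiNG user-role match filters (not vendor code).
# Modelling assumptions: every filter in a role must match, roles are tried in
# ascending precedence, and an attribute RADIUS did not return is treated as "".

STRING_OPS = {
    "any": lambda value, word: True,
    "exact": lambda value, word: value == word,            # case sensitive
    "contains": lambda value, word: word in value,
    "not-contains": lambda value, word: word not in value,
    "starts-with": lambda value, word: value.startswith(word),
    "ends-with": lambda value, word: value.endswith(word),
}
STRING_FILTERS = {
    "ap-location", "city", "company", "country", "department", "emailid",
    "employee-type", "employeeid", "group", "radius-user", "ssid", "state", "title",
}

# Constructed sample in "show context" layout (the mask value is illustrative).
SAMPLE_CONTEXT = """\
role-policy test
 user-role consultants precedence 1
  employee-type exact consultant
  radius-user ends-with 002
 user-role testing precedence 10
  encryption-type eq ccmp
  mu-mac 11-22-33-00-00-00 mask FF-FF-FF-00-00-00
  department exact TnV
  emailid not-contains guest
  use ip-access-list in test precedence 9
"""


def parse_mac(text):
    """Convert AA-BB-CC-DD-EE-FF into a 48-bit integer."""
    parts = text.split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"expected AA-BB-CC-DD-EE-FF, got {text!r}")
    return int("".join(parts), 16)


def parse_roles(show_context):
    """Return the roles found, each with modelled filters and skipped lines."""
    roles, current = [], None
    for raw in show_context.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "user-role" and len(tok) == 4 and tok[2] == "precedence":
            current = {"name": tok[1], "precedence": int(tok[3]),
                       "filters": [], "skipped": []}
            roles.append(current)
        elif current is None:
            continue                                    # e.g. "role-policy test"
        elif tok[0] in STRING_FILTERS and len(tok) >= 2 and tok[1] in STRING_OPS:
            current["filters"].append(("string", tok[0], tok[1], " ".join(tok[2:])))
        elif tok[0] == "mu-mac" and len(tok) >= 2:
            if tok[1] != "any":                         # "any" adds no constraint
                has_mask = len(tok) == 4 and tok[2] == "mask"
                mask = parse_mac(tok[3]) if has_mask else 0xFFFFFFFFFFFF
                current["filters"].append(("mac", parse_mac(tok[1]), mask))
        elif tok[0] == "encryption-type" and len(tok) >= 2:
            if tok[1] in ("eq", "neq"):                 # "any" adds no constraint
                current["filters"].append(("enc", tok[1], frozenset(tok[2:])))
        else:
            current["skipped"].append(" ".join(tok))    # use, assign, captive-portal, ...
    return roles


def filter_matches(flt, client):
    """Evaluate one parsed filter against a dict of client attributes."""
    if flt[0] == "string":
        _, attr, op, word = flt
        return STRING_OPS[op](client.get(attr, ""), word)
    if flt[0] == "mac":
        _, mac, mask = flt
        if "mu-mac" not in client:
            return False
        return (parse_mac(client["mu-mac"]) & mask) == (mac & mask)
    _, op, types = flt                                  # encryption-type eq/neq
    hit = client.get("encryption-type") in types
    return hit if op == "eq" else not hit


def select_role(roles, client):
    """Name of the first role, by ascending precedence, whose filters all match."""
    for role in sorted(roles, key=lambda r: r["precedence"]):
        if all(filter_matches(f, client) for f in role["filters"]):
            return role["name"]
    return None


if __name__ == "__main__":
    client = {"employee-type": "Consultant", "radius-user": "1005000002",
              "encryption-type": "ccmp", "mu-mac": "11-22-33-AB-CD-EF",
              "department": "TnV", "emailid": "testing@examplecompany.com"}
    # "Consultant" fails the case-sensitive exact match, so the second role applies.
    print(select_role(parse_roles(SAMPLE_CONTEXT), client))
```

Lines the model does not evaluate (use, assign, captive-portal, authentication-type, memberOf) are collected under "skipped" for each role, so the result is not mistaken for the device's full decision. Under the empty-string assumption a not-contains filter also matches a client for which the attribute is absent; confirm that behaviour on the device before relying on such a filter.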
ROLE-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 18 - 4918.1.7.2.22 useuser-role commandsConfigures an access list based firewall with this user roleA firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, firewalls are mechanisms both blocking and permitting data traffic based on inbound and outbound IP and MAC rules.IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC.A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to packet traffic.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxuse [application-policy|bonjour-gw-discovery-policy|ip-access-list|ipv6-access-list|mac-access-list|url-filter]use bonjour-gw-discovery-policy <POLICY-NAME>use [ip-access-list|ipv6-access-list] [in|out] <IP/ipv6-ACCESS-LIST-NAME> precedence <1-100>use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> precedence <1-100>use url-filter <URL-FILTER-NAME>Parameters• use application-policy|bonjour-gw-discovery-policy] <POLICY-NAME>application-policy <POLICY-NAME>Uses an existing Application policy with a user role. 
When associated, the Application policy enforces application assurance for all users using this role.• <POLICY-NAME> – Specify the Application policy name (should be existing and configured).For more information on Application policy, see application-policy.bonjour-gw-discovery-policy <POLICY-NAME>Uses an existing Bonjour GW Discovery policy with a user role. When associated, the Bonjour GW Discovery policy is applied for the Bonjour requests coming from this specific user roles.• <POLICY-NAME> – Specify the Bonjour GW Discovery policy name (should be existing and configured).For more information on Bonjour GW Discovery policy, see bonjour-gw-discovery-policy.
• use [ip-access-list|ipv6-access-list] [in|out] <IP/IPv6-ACCESS-LIST-NAME> precedence <1-100>

ip-access-list [in|out]
    Uses an IPv4 or IPv6 ACL with this user role
    • in – Applies the rule to incoming packets
    • out – Applies the rule to outgoing packets
<IPv4/IPv6-ACCESS-LIST-NAME>
    Specify the IPv4/IPv6 access list name.
precedence <1-100>
    After specifying the name of the access list, specify the precedence applied to it. Based on the packets received, a lower precedence value is evaluated first.
    • <1-100> – Sets a precedence from 1 - 100

• use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> precedence <1-100>

mac-access-list [in|out]
    Uses a MAC access list with this user role
    • in – Applies the rule to incoming packets
    • out – Applies the rule to outgoing packets
<MAC-ACCESS-LIST-NAME>
    Specify the MAC access list name.
precedence <1-100>
    After specifying the name of the access list, specify the precedence applied to it. Based on the packets received, a lower precedence value is evaluated first.
    • <1-100> – Sets a precedence from 1 - 100

• use url-filter <URL-FILTER-NAME>

use url-filter <URL-FILTER-NAME>
    Uses an existing URL filter that acts as a Web content filter firewall rule.
    • <POLICY-NAME> – Specify the URL filter name (should be existing and configured).

Example
rfs6000-37FABE(config-role-policy-test-user-role-testing)#use ip-access-list in test precedence 9

rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  ssid not-contains DevUser
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
  state exact active
  use ip-access-list in test precedence 9
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

rfs6000-37FABE(config-role-policy-bonjour_test-user-role-bonjour_user1)#use bonjour-gw-discovery-policy role2

rfs6000-37FABE(config-role-policy-bonjour_test-user-role-bonjour_user1)#show context
 user-role bonjour_user1 precedence 2
  use bonjour-gw-discovery-policy role2
rfs6000-37FABE(config-role-policy-bonjour_test-user-role-bonjour_user1)#
rfs6000-37FABE(config-role-policy-bonjour_test)#show context
role-policy bonjour_test
 user-role bonjour_user precedence 1
  mu-mac A4-D1-D2-BF-3D-19
  use bonjour-gw-discovery-policy role1
 user-role bonjour_user1 precedence 2
  mu-mac B0-65-BD-4B-BC-09
  use bonjour-gw-discovery-policy role2
................................................
rfs6000-37FABE(config-role-policy-bonjour_test)#

Related Commands
no
    Removes an IP, MAC access list, or a Bonjour GW Discovery policy from use with a user role
18.1.7.2.23 user-defined
user-role commands

Enables you to define a filter based on an attribute defined in the Active Directory or the OpenLDAP server

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
user-defined <ATTR-STRING> [any|contains|exact|not-contains]
user-defined <ATTR-STRING> [any|contains <WORD>|exact <WORD>|not-contains <WORD>]

Parameters
• user-defined <ATTR-STRING> [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

user-defined <ATTR-STRING>
    Specify a filter based on an attribute defined in the AD or OpenLDAP server.
    • <ATTR-STRING> – Specify the attribute string.
    After specifying the attribute name, specify the match type.
any
    No specific string to match. This role can be applied to any wireless client. This is the default setting.
contains <WORD>
    The role is applied only when the user-defined attribute value, returned by the RADIUS server, contains the string specified in the role.
    • <WORD> – Specify the string to match (this is case sensitive, and is compared against the value returned by the RADIUS server). It should contain the provided expression.
exact <WORD>
    The role is applied only when the user-defined attribute value, returned by the RADIUS server, exactly matches the string specified in the role.
    • <WORD> – Specify the exact string to match (this is case sensitive, and is compared against the value returned by the RADIUS server). It should be an exact match.
not-contains <WORD>
    The role is applied only when the user-defined attribute value, returned by the RADIUS server, does not contain the string specified in the role.
    • <WORD> – Specify the string not to match (this is case sensitive, and is compared against the value returned by the RADIUS server). It should not contain the provided expression.
Example
rfs4000-229D58(config-role-policy-test-user-role-user1)#user-defined office-location exact EcoSpace

rfs4000-229D58(config-role-policy-test-user-role-user1)#show context
 user-role user1 precedence 1
  employee-type exact consultant
  user-defined office-location exact EcoSpace
rfs4000-229D58(config-role-policy-test-user-role-user1)#

Related Commands
no
    Removes the user-defined filter configured with this user role
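The following Python model is an added example, not part of the WiNG guide or Extreme Networks code. It evaluates the any, contains, exact and not-contains match types against constructed RADIUS values, using the role definitions from the examples above, to show which filters a case variant or an empty attribute still satisfies. Two points are assumptions the guide does not state: that every filter in a role must match, and that an attribute the RADIUS server did not return is compared as an empty string.

```python
"""Model of the role-policy match types: any, contains, exact, not-contains.

Added illustration, not WiNG code. Assumptions the guide does not state:
every filter in a role must match, and an attribute the RADIUS server did
not return is compared as an empty string.
"""

MATCH_TYPES = ("any", "contains", "exact", "not-contains")


def parse_filters(show_context):
    """Return (attribute, match_type, word) for each filter line of a role."""
    filters = []
    for line in show_context.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("user-role", "use") or "#" in tokens[0]:
            continue                      # role header, policy binding or CLI prompt
        if tokens[0] == "user-defined":
            tokens = tokens[1:]           # user-defined <ATTR-STRING> <match> [<WORD>]
        if len(tokens) < 2 or tokens[1] not in MATCH_TYPES:
            continue                      # not a string-match filter
        word = " ".join(tokens[2:])
        if tokens[1] != "any" and not word:
            raise ValueError("match type %r needs a <WORD>: %r" % (tokens[1], line))
        filters.append((tokens[0], tokens[1], word))
    return filters


def matches(match_type, word, value):
    """Case-sensitive test of one filter against the RADIUS-returned value."""
    if match_type == "any":
        return True
    if match_type == "exact":
        return value == word
    if match_type == "contains":
        return word in value
    if match_type == "not-contains":
        return word not in value
    raise ValueError("unknown match type %r" % match_type)


def role_applies(filters, radius_attrs):
    """True when every filter matches (assumed AND; missing attribute -> '')."""
    return all(matches(m, w, radius_attrs.get(attr, "")) for attr, m, w in filters)


def permissive_filters(filters):
    """Filters that still match a client whose attribute value is empty."""
    return [f for f in filters if matches(f[1], f[2], "")]


# Role from the guide's user-defined example.
ROLE_USER1 = """\
 user-role user1 precedence 1
  employee-type exact consultant
  user-defined office-location exact EcoSpace
"""

# Subset of the guide's 'testing' role, which mixes not-contains and exact.
ROLE_TESTING = """\
 user-role testing precedence 10
  ssid not-contains DevUser
  captive-portal authentication-state pre-login
  city exact SanJose
  state exact active
  use ip-access-list in test precedence 9
"""

if __name__ == "__main__":
    user1 = parse_filters(ROLE_USER1)
    # Constructed RADIUS replies: only the first carries the exact, same-case value.
    for office in ("EcoSpace", "ecospace", "EcoSpace-Annex"):
        attrs = {"employee-type": "consultant", "office-location": office}
        print(office, "->", role_applies(user1, attrs))
    print("permissive:", permissive_filters(parse_filters(ROLE_TESTING)))
    # A case variant is not excluded by a case-sensitive not-contains filter.
    print(matches("not-contains", "DevUser", "devuser-lab"))
```

When reviewing a role policy, the filters reported by permissive_filters are the ones to check first, because they admit clients for which the directory returned nothing useful.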
19 SMART-RF-POLICY

This chapter summarizes Self Monitoring at Run Time RF (Smart RF) management policy commands in the CLI command structure.

A Smart RF management policy defines operating and recovery parameters that can be assigned to groups of access points. A Smart RF policy is designed to scan the network to identify the best channel and transmit power for each access point radio.

A Smart RF policy reduces deployment costs by scanning the RF environment to determine the best channel and transmit power configuration for each managed radio. Smart RF policies, when applied to specific RF Domains, apply site-specific deployment configurations and self-healing values to groups of devices within pre-defined physical RF coverage areas.

Smart RF centralizes the decision process and makes intelligent RF configuration decisions using information obtained from the RF environment. Smart RF helps reduce ongoing management and maintenance costs through the periodic re-calibration of the network. Re-calibration can be initiated manually or can be automatically scheduled to ensure the RF configuration is optimized to factor for RF environment changes (such as new sources of interference, or neighboring access points).

Smart RF also provides self-healing functions by monitoring the network in real-time, and provides automatic mitigation from potentially problematic events such as radio interference, coverage holes and radio failures. Smart RF employs self-healing to enable a WLAN to better maintain wireless client performance and site coverage during dynamic RF environment changes, which typically require manual re-configuration to resolve.

Smart RF is supported on any RF Domain manager. In standalone environments, an individual wireless controller manages the calibration and monitoring phases. In clustered environments, a single wireless controller is elected a Smart RF master and the remaining cluster members operate as Smart RF clients. In cluster operation, the Smart RF master co-ordinates the calibration and configuration and during the monitoring phase receives information from the Smart RF clients.

Before defining a Smart RF policy, refer to the following deployment guidelines to ensure the configuration is optimally effective:
• The Smart RF calibration process impacts associated users and should not be run during business or production hours. The calibration process should be performed during scheduled maintenance intervals or non-business hours.
• For Smart RF to provide effective recovery, RF planning must be performed to ensure overlapping coverage exists at the deployment site. Smart RF can only provide recovery when access points are deployed appropriately. Smart RF is not a solution, it's a temporary measure. Administrators need to determine the root cause of RF deterioration and fix it. Smart RF history/events can assist.

Keep in mind that if a Smart RF managed radio is operating in WLAN mode on a channel requiring DFS, it will switch channels if radar is detected.
• If Smart RF is enabled, the radio picks a channel defined in the Smart RF policy.
• If Smart RF is disabled, but a Smart RF policy is mapped, the radio picks channels specified in the Smart RF policy.
• If no Smart RF policy is mapped, the radio selects a random channel.
If the radio is a dedicated sensor, it stops termination on that channel if a neighboring access point detects radar. The access point attempts to come back to its original channel (statically configured or selected by Smart RF) after the channel evacuation period has expired.

Change this behavior using the dfs-rehome command from the controller or service platform CLI. This keeps the radio on the newly selected channel and prevents the radio from coming back to the original channel, even after the channel evacuation period.

Use the (config) instance to configure Smart RF Policy related configuration commands. To navigate to the Smart RF policy instance, use the following commands:

<DEVICE>(config)#smart-rf-policy <POLICY-NAME>

rfs6000-37FABE(config)#smart-rf-policy test
rfs6000-37FABE(config-smart-rf-policy-test)#?
Smart RF Mode commands:
  area                    Specify channel list/ power for an area
  assignable-power        Specify the assignable power during power-assignment
  avoidance-time          Time to avoid a channel once dfs/adaptivity
                          avoidance is necessary
  channel-list            Select channel list for smart-rf
  channel-width           Select channel width for smart-rf
  coverage-hole-recovery  Recover from coverage hole
  enable                  Enable this smart-rf policy
  group-by                Configure grouping parameters
  interference-recovery   Recover issues due to excessive noise and
                          interference
  neighbor-recovery       Recover issues due to faulty neighbor radios
  no                      Negate a command or set its defaults
  sensitivity             Configure smart-rf sensitivity (Modifies various
                          other smart-rf configuration items)
  smart-ocs-monitoring    Smart off channel scanning

  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal

rfs6000-37FABE(config-smart-rf-policy-test)#

NOTE: Perform RF planning to ensure overlapping coverage exists at a deployment site, for Smart RF to be a viable network performance tool. Smart RF can only provide recovery when access points are deployed appropriately. Smart RF is not a solution, it is a temporary measure. You need to determine the root cause of RF deterioration and fix it. Smart RF history/events can assist in troubleshooting.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
19.1 smart-rf-policy
SMART-RF-POLICY

The following table summarizes Smart RF policy configuration commands:

Table 19.1 Smart-RF-Policy-Config Commands

Command                 Description                                                        Reference
area                    Configures the channel list and power for a specified area         page 19-4
assignable-power        Specifies the power range during power assignment                  page 19-5
avoidance-time          Allows Smart RF-enabled radios to avoid Dynamic Frequency          page 19-5
                        Selection (DFS) and/or adaptivity regulated channels on detection
                        of interference or radar. This command configures the period for
                        which the channel is avoided.
channel-list            Assigns the channel list for the selected frequency                page 19-8
channel-width           Selects the channel width for Smart RF configuration               page 19-9
coverage-hole-recovery  Enables recovery from errors                                       page 19-11
enable                  Enables a Smart RF policy                                          page 19-13
group-by                Configures grouping parameters                                     page 19-14
interference-recovery   Recovers issues due to excessive noise and interference            page 19-15
neighbor-recovery       Enables recovery from errors due to faulty neighbor radios         page 19-17
no                      Negates a command or reverts settings to their default             page 19-19
sensitivity             Configures Smart RF sensitivity                                    page 19-21
smart-ocs-monitoring    Applies smart off-channel scanning instead of dedicated detectors  page 19-23

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
19.1.1 area
smart-rf-policy

Configures the channel list and power for a specified area

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
area <AREA-NAME/STRING-ALIAS> channel-list [2.4GHz|5GHz] <CHANNEL-LIST>

Parameters
• area <AREA-NAME/STRING-ALIAS> channel-list [2.4GHz|5GHz] <CHANNEL-LIST>

area <AREA-NAME/STRING-ALIAS>
    Specifies the area name
    • <AREA-NAME/STRING-ALIAS> – Specify the area name as clear text. Alternately, use a string-alias to specify the area name. If using a string-alias, ensure that the string-alias is existing and configured.
channel-list [2.4GHz|5GHz] <CHANNEL-LIST>
    Selects the channels for the specified area in the 2.4 GHz or 5.0 GHz band
    • 2.4GHz – Selects the channels for the specified area in the 2.4 GHz band
    • 5GHz – Selects the channels for the specified area in the 5.0 GHz band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    • <CHANNEL-LIST> – Enter a comma-separated list of channels for the selected band.

Example
rfs6000-37FABE(config-smart-rf-policy-test)#area test channel-list 2.4GHz 1,2,3

rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
rfs6000-37FABE(config-smart-rf-policy-test)#

nx9500-6C8809(config)#alias string $AREA Ecospace
nx9500-6C8809(config)#commit
nx9500-6C8809(config-smart-rf-policy-test)#exit
nx9500-6C8809(config-smart-rf-policy-Ecospace)#area $AREA channel-list 5GHz 36,44

nx9500-6C8809(config-smart-rf-policy-Ecospace)#show context
smart-rf-policy Ecospace
 area $AREA channel-list 5GHz 36,44
nx9500-6C8809(config-smart-rf-policy-Ecospace)#

Related Commands
no
    Removes channel list/power configuration for an area
19.1.2 assignable-power
smart-rf-policy

Configures the Smart RF power settings over both 2.4 GHz and 5.0 GHz radios

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
assignable-power [2.4GHz|5GHz] [max|min] <1-20>

Parameters
• assignable-power [2.4GHz|5GHz] [max|min] <1-20>

2.4GHz [max|min] <1-20>
    Assigns a power range on the 2.4 GHz band
    • max <1-20> – Sets the upper limit in the range from 1 dBm - 20 dBm (default is 17 dBm)
    • min <1-20> – Sets the lower limit in the range from 1 dBm - 20 dBm (default is 4 dBm)
5GHz [max|min] <1-20>
    Assigns a power range on the 5.0 GHz band
    • max <1-20> – Sets the upper limit in the range from 1 dBm - 20 dBm (default is 17 dBm)
    • min <1-20> – Sets the lower limit in the range from 1 dBm - 20 dBm (default is 4 dBm)

Example
rfs6000-37FABE(config-smart-rf-policy-test)#assignable-power 5GHz max 20
rfs6000-37FABE(config-smart-rf-policy-test)#assignable-power 5GHz min 8

rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
no
    Resets assignable power to its default
19.1.3 avoidance-time
smart-rf-policy

Allows Smart-RF enabled radios to avoid channels with high levels of interference and channels where radar has been detected

This command configures the interval for which a channel is avoided on detection of interference or radar, and is applicable only if the channel selection mode is set to Smart and a Smart-RF policy is applied to the access point’s RF Domain. For more information on configuring a radio’s channel of operation, see channel.

Certain 5.0 GHz channels are subject to FCC / ETSI DFS regulations that require channels transmitting critical radar signals to be free of interference from radio signals. Consequently, DFS-enabled 5.0 GHz radios scan and switch channels if radar is detected on their current channel of operation. If radar-free channels are not available, the radio stops transmitting until it identifies a radar-free channel.

Adaptivity is a new European Union (EU) stipulation that requires access points to monitor interference levels on their current channel of operation, and stop functioning on channels with interference levels exceeding ETSI-specified threshold values. When enabled, this feature ensures recovery by switching the radio to a new channel with less interference.

Once adaptivity or DFS is triggered, the radio’s channel is switched based on the channel selection mode specified. If the channel is fixed, the radio attempts to come back to its specified channel of operation after the DFS/adaptivity channel evacuation period has expired.

On the other hand, if the radio’s channel selection mode is set to Smart or ACS, once adaptivity or DFS is triggered, the channel is avoided until the avoidance-time, specified here, expires. Once the evacuation period has expired, the channel is free for use by both Smart-RF and ACS.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
avoidance-time [adaptivity|dfs] <30-3600>

NOTE: To optionally disable the radio from switching back to its original channel of operation, execute the no > dfs-rehome command in the radio interface configuration mode of the access point’s profile or device. For more information, see dfs-rehome.

NOTE: For radios with the channel selection mode set to ACS, Random, or Fixed, the adaptivity timeout can be configured in the access point’s radio interface mode. For more information, see adaptivity.
Parameters
• avoidance-time [adaptivity|dfs] <30-3600>

avoidance-time [adaptivity|dfs]
    Configures the time for which a channel is avoided after dfs or adaptivity is triggered
    • adaptivity – Sets the time, in minutes, for which a radio avoids an adaptivity-regulated channel detected with interference
    • dfs – Sets the time, in minutes, for which a radio avoids a DFS-regulated channel detected with radar
    • <30-3600> – Specify a value from 30 - 3600 minutes. The default for both parameters is 90 minutes.

Example
nx4500-5CFA2B(config-smart-rf-policy-test)#avoidance-time adaptivity 200
nx4500-5CFA2B(config-smart-rf-policy-test)#avoidance-time dfs 300

nx4500-5CFA2B(config-smart-rf-policy-test)#show context
smart-rf-policy test
 avoidance-time dfs 300
 avoidance-time adaptivity 200
nx4500-5CFA2B(config-smart-rf-policy-test)#

nx4500-5CFA2B(config-smart-rf-policy-test)#no avoidance-time adaptivity

nx4500-5CFA2B(config-smart-rf-policy-test)#show context include-factory | include avoidance-time
 avoidance-time dfs 300
 avoidance-time adaptivity 90
nx4500-5CFA2B(config-smart-rf-policy-test)#

Related Commands
no
    Reverts the DFS/adaptivity regulated channel avoidance time to default (90 minutes)
19.1.4 channel-list
smart-rf-policy

Assigns a list of channels, for the selected frequency, used in Smart RF scans

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
channel-list [2.4GHz|5GHz] <WORD>

Parameters
• channel-list [2.4GHz|5GHz] <WORD>

2.4GHz <WORD>
    Assigns a channel list for the 2.4 GHz band
    • <WORD> – Specify a comma separated list of channels
5GHz <WORD>
    Assigns a channel list for the 5.0 GHz band
    • <WORD> – Specify a comma separated list of channels

Example
rfs6000-37FABE(config-smart-rf-policy-test)#channel-list 2.4GHz 1,12

rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
no
    Removes the channel list for the selected frequency
19.1.5 channel-width
smart-rf-policy

Selects the channel width for Smart RF configuration

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
channel-width [2.4GHz|5GHz]
channel-width 2.4GHz [20MHz|40MHz|auto]
channel-width 5GHz [20MHz|40MHz|80MHz|auto]

Parameters
• channel-width 2.4GHz [20MHz|40MHz|auto]

2.4GHz [20MHz|40MHz|auto]
    Assigns the channel width for the 2.4 GHz band
    • 20MHz – Assigns the 20 MHz channel width. This is the default setting.
    • 40MHz – Assigns the 40 MHz channel width
    • auto – Assigns the best possible channel in the 20 MHz or 40 MHz channel width

• channel-width 5GHz [20MHz|40MHz|auto]

5GHz [20MHz|40MHz|80MHz|auto]
    Assigns the channel width for the 5.0 GHz band
    • 20MHz – Assigns the 20 MHz channel width
    • 40MHz – Assigns the 40 MHz channel width. This is the default setting.
    • 80MHz – Assigns the 80 MHz channel width (supported only on AP8232)
    • auto – Assigns the best possible channel in the 20 MHz, 40 MHz, or 80 MHz channel width

Usage Guidelines
The 20/40 MHz operation allows the access point to receive packets from clients using 20 MHz, and transmit using 40 MHz. This mode is supported for 802.11n users on both the 2.4 GHz and 5.0 GHz radios. If an 802.11n user selects two channels (a primary and secondary channel), the system is configured for dynamic 20/40 operation. When 20/40 is selected, clients can take advantage of wider channels. 802.11n clients experience improved throughput using 40 MHz while legacy clients (either 802.11a or 802.11b/g depending on the radio selected) can still be serviced without interruption using 20 MHz. Select auto to enable automatic assignment of channels to working radios to avoid channel overlap and avoid interference from external RF sources.

NOTE: In addition to 20 MHz and 40 MHz, AP82XX also provides support for 80 MHz channels.
Example
rfs6000-37FABE(config-smart-rf-policy-test)#channel-width 5GHz auto

rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
no
    Resets channel width for the selected frequency to its default
19.1.6 coverage-hole-recovery
smart-rf-policy

Enables recovery from coverage hole errors detected by Smart RF. Use this command to configure the coverage hole recovery settings.

When coverage hole recovery is enabled, on detection of a coverage hole, Smart RF first determines the power increase needed based on the signal-to-noise ratio (SNR) for a client as seen by the access point radio. If a client’s SNR is above the specified threshold, the transmit power is increased until the SNR falls below the threshold.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
coverage-hole-recovery {client-threshold|coverage-interval|interval|snr-threshold}
coverage-hole-recovery {client-threshold [2.4GHz|5GHz] <1-255>}
coverage-hole-recovery {coverage-interval|interval} [2.4GHz|5GHz] <1-120>
coverage-hole-recovery {snr-threshold [2.4Ghz|5Ghz] <1-75>}

NOTE: The coverage-hole-recovery parameters can be modified only if the sensitivity level is set to ‘custom’. For more information, see sensitivity.

Parameters
• coverage-hole-recovery {client-threshold [2.4GHz|5GHz] <1-255>}

client-threshold
    Optional. Specifies the minimum number of clients associated to a radio in order to trigger coverage hole recovery.
2.4GHz <1-255>
    Specifies the minimum number of clients on the 2.4 GHz band
    • <1-255> – Sets a value from 1 - 255. The default is 1.
5GHz <1-255>
    Specifies the minimum number of clients on the 5.0 GHz band
    • <1-255> – Sets a value from 1 - 255. The default is 1.

• coverage-hole-recovery {coverage-interval|interval} [2.4GHz|5GHz] <1-120>

coverage-interval
    Optional. Specifies the interval between the discovery of a coverage hole and the initiation of coverage hole recovery
interval
    Optional. Specifies the interval at which coverage hole recovery is performed even before a coverage hole is detected
2.4GHz <1-120>
    The following keywords are common to the ‘coverage-interval’ and ‘interval’ parameters:
    • 2.4GHz <1-120> – Specifies the coverage hole recovery interval on the 2.4 GHz band
    • <1-120> – Specify a value from 1 - 120 seconds.
    Note: coverage-interval – The default is 10 seconds.
    Note: interval – The default is 30 seconds.
5GHz <1-120>
    The following keywords are common to the ‘coverage-interval’ and ‘interval’ parameters:
    • 5GHz <1-120> – Specifies a coverage hole recovery interval on the 5.0 GHz band
    • <1-120> – Specify a value from 1 - 120 seconds.
    Note: coverage-interval – The default is 10 seconds.
    Note: interval – The default is 30 seconds.

• coverage-hole-recovery {snr-threshold} [2.4Ghz|5Ghz] <1-75>

snr-threshold
    Optional. Specifies the SNR threshold. This value is the SNR threshold for an associated client as seen by its associated AP radio. When the SNR threshold is exceeded, the radio increases its transmit power to increase coverage for the associated client.
2.4GHz <1-75>
    Specifies SNR threshold on the 2.4 GHz band
    • <1-75> – Sets a value from 1 dB - 75 dB. The default is 20 dB.
5GHz <1-75>
    Specifies SNR threshold on the 5.0 GHz band
    • <1-75> – Sets a value from 1 - 75. The default is 20 dB.

Example
rfs6000-37FABE(config-smart-rf-policy-test)#coverage-hole-recovery snr-threshold 5GHz 1

rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
no
    Disables recovery from coverage hole errors
19.1.7 enable
smart-rf-policy

Enables a Smart RF policy

Use this command to enable this Smart RF policy. Once enabled, the policy can be assigned to a RF Domain supporting a network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
enable

Parameters
None

Example
rfs6000-37FABE(config-smart-rf-policy-test)#enable

Related Commands
no
    Disables a Smart RF policy
19.1.8 group-by
smart-rf-policy

Enables grouping of APs on the basis of their location in a building (floor) or an area

Within a large RF Domain, grouping of APs (within an area or on the same floor in a building) facilitates statistics gathering and troubleshooting.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
group-by [area|floor]

Parameters
• group-by [area|floor]

area
    Groups radios based on their area of location
floor
    Groups radios based on their floor location
Both options are disabled by default.

Example
rfs6000-37FABE(config-smart-rf-policy-test)#group-by floor

rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
no
    Removes Smart RF group settings
19.1.9 interference-recovery
smart-rf-policy

Enables interference recovery from neighboring radios and other sources of WiFi and non-WiFi interference. Interference is the excess noise detected within the Smart RF supported radio coverage area. Smart RF provides mitigation from interfering sources by monitoring the noise levels and other RF parameters on an access point radio’s current channel. When a noise threshold is exceeded, Smart RF selects an alternative channel with less interference. To avoid channel flapping a hold timer is defined, which disables interference avoidance for a specific period of time upon detection. Interference recovery is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
interference-recovery {channel-hold-time|channel-switch-delta|client-threshold|interference|neighbor-offset|noise|noise-factor}
interference-recovery {channel-switch-delta [2.4GHz|5GHZ] <5-35>}
interference-recovery {channel-hold-time <0-86400>|client-threshold <1-255>|interference|neighbor-offset <3-10>|noise|noise-factor <1.0-3.0>}

NOTE: The interference-recovery parameters can be modified only if the sensitivity level is set to ‘custom’. For more information, see sensitivity.

Parameters
• interference-recovery {channel-switch-delta [2.4GHz|5GHZ] <5-35>}

channel-switch-delta
    Optional. Configures a threshold value for the difference between interference levels on the current channel and the prospective channel needed to trigger a channel change. If the difference in noise levels on the current channel and the prospective channel is below the configured threshold, the channel is not changed.
[2.4GHz|5GHz]
    Selects the band
    • 2.4GHz – Selects the 2.4 GHz band
    • 5GHz – Selects the 5.0 GHz band
<5-35>
    Specifies the threshold value for the difference between the current and prospective channel interference levels
    • <5-35> – Sets a value from 5 dBm - 35 dBm. The default setting is 20 dBm for both 2.4 GHz and 5.0 GHz bands.

• interference-recovery {channel-hold-time <0-86400>|client-threshold <1-255>|interference|neighbor-offset <3-10>|noise|noise-factor <1.0-3.0>}

channel-hold-time <0-86400>
    Optional. Defines the minimum time between two channel change recoveries
    • <0-86400> – Sets the time, in seconds, between channel change assignments based on interference or noise. The default is 7,200 seconds.
client-threshold <1-255>
    Optional. Specifies client thresholds needed to avoid channel change. If the specified threshold number of clients are connected to a radio, the radio avoids changing channels even if the Smart RF master determines that a channel change is required.
    • <1-255> – Sets the number of clients from 1 - 255. The default is 50.
interference
    Optional. Considers external interference values to perform interference recovery. This feature allows the Smart RF policy to scan for excess interference from supported radio devices. WLANs are susceptible to sources of interference, such as neighboring radios, cordless phones, microwave ovens and Bluetooth devices. When interference for WiFi sources is detected, Smart RF supported devices can change the channel and move to a cleaner channel. This feature is enabled by default.
neighbor-offset <3-10>
    Optional. Configures a noise factor value, which is taken into consideration when switching channels to avoid interference from neighboring access points. Smart RF enabled access points consider the difference in noise between candidate channels.
    • <3-10> – Specify a noise factor value from 3 - 10.
noise
    Optional. Considers noise values to perform interference recovery. This feature allows the Smart RF policy to scan for excess noise from WiFi devices. When detected, Smart RF supported devices can change their channel and move to a cleaner channel. This feature is enabled by default.
noise-factor <1.0-3.0>
    Optional. Configures additional noise factor (the level of network interference detected) for non WiFi interference
    • <1.0-3.0> – Specify the noise factor from 1.0 - 3.0. The default is 1.50.

Example
rfs6000-37FABE(config-smart-rf-policy-test)#interference-recovery channel-switch-delta 5GHz 5

rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 interference-recovery channel-switch-delta 5GHz 5
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
no
    Disables recovery from excessive noise and interference

19.1.10 neighbor-recovery
smart-rf-policy

Enables recovery from errors due to faulty neighboring radios. Enabling neighbor recovery ensures automatic recovery from failed radios within the radio coverage area. Smart RF instructs neighboring access points to increase their transmit power to compensate for the failed radio. Neighbor recovery is enabled by default when the sensitivity setting is medium.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

neighbor-recovery {dynamic-sampling|power-hold-time|power-threshold}
neighbor-recovery {dynamic-sampling} {retries <1-10>|threshold <1-30>}
neighbor-recovery {power-hold-time <0-3600>}
neighbor-recovery {power-threshold [2.4Ghz|5Ghz] <-85--55>}

NOTE: The neighbor-recovery parameters can be modified only if the sensitivity level is set to ‘custom’. For more information, see sensitivity.

Parameters

• neighbor-recovery {dynamic-sampling} {retries <1-10>|threshold <1-30>}

dynamic-sampling – Optional. Enables dynamic sampling on this Smart RF policy. Dynamic sampling allows you to define how Smart RF adjustments are triggered by locking the ‘retry’ and ‘threshold’ values. Dynamic sampling is disabled by default.

retries <1-10> – Optional. Specifies the number of retries before allowing a power level adjustment to compensate for a potential coverage hole.
• <1-10> – Sets the number of retries from 1 - 10. The default is 3.

threshold <1-30> – Optional. Specifies the minimum number of sample reports before which a power change requires dynamic sampling
• <1-30> – Sets the minimum number of reports from 1 - 30. The default is 5.

• neighbor-recovery {power-hold-time <0-3600>}

power-hold-time – Optional. Specifies the minimum time, in seconds, between two power changes on a radio during neighbor-recovery
• <0-3600> – Sets the time from 0 - 3600 sec. The default is 0 seconds.

• neighbor-recovery {power-threshold [2.4Ghz|5Ghz] <-85--55>}

power-threshold – Optional. Specifies the power threshold based on which recovery is performed
The 2.4 GHz/5.0 GHz radio uses the value specified here as the maximum power increase threshold if the radio is required to increase its output power to compensate for a failed radio within its coverage area.

[2.4GHz|5GHz] – Selects the band
• 2.4GHz – Selects the 2.4 GHz band
• 5GHz – Selects the 5.0 GHz band

<-85--55> – Specify the threshold value
• <-85--55> – Sets the power threshold from -85 dBm - -55 dBm. The default is -70 dBm for both the 2.4 GHz and 5.0 GHz bands.

Example

rfs6000-37FABE(config-smart-rf-policy-test)#neighbor-recovery power-threshold 2.4GHz -82
rfs6000-37FABE(config-smart-rf-policy-test)#neighbor-recovery power-threshold 5GHz -65
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 interference-recovery channel-switch-delta 5GHz 5
 neighbor-recovery power-threshold 5GHz -65
 neighbor-recovery power-threshold 2.4GHz -82
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands

no – Disables recovery from faulty neighbor radios

19.1.11 no
smart-rf-policy

Negates a command or sets its default. When used in the config Smart RF policy mode, the no command disables or resets Smart RF settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [area|assignable-power|avoidance-time|channel-list|channel-width|coverage-hole-recovery|enable|group-by|interference-recovery|neighbor-recovery|smart-ocs-monitoring]
no area <AREA-NAME> channel-list [2.4GHZ|5GHZ]
no assignable-power [2.4GHZ|5GHZ] [max|min]
no [channel-list|channel-width] [2.4GHZ|5GHZ]
no coverage-hole-recovery [client-threshold|coverage-interval|interval|snr-threshold] [2.4GHZ|5GHZ]
no avoidance-time [adaptivity|dfs]
no enable
no group-by [area|floor]
no interference-recovery {channel-hold-time|channel-switch-delta [2.4GHZ|5GHZ]|client-threshold|interference|neighbor-offset|noise|noise-factor}
no neighbor-recovery {dynamic-sampling {retries|threshold}|power-hold-time|power-threshold [2.4GHZ|5GHZ]}
no smart-rf-monitoring {awareness-override [schedule <1-3>|threshold]|client-aware [2.4GHZ|5GHZ]|extended-scan-frequency [2.4GHZ|5GHZ]|frequency [2.4GHZ|5GHZ]|off-channel-duration [2.4GHZ|5GHZ]|power-save-aware [2.4GHZ|5GHZ]|sample-count [2.4GHZ|5GHZ]|voice-aware [2.4GHZ|5GHZ]}

Parameters

• no <PARAMETERS>

no <PARAMETERS> – Negates a command or sets its default. When used in the config Smart RF policy mode, the no command disables or resets the Smart RF policy settings.

Example

The following example shows the Smart RF policy ‘test’ settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 interference-recovery channel-switch-delta 5GHz 5
 neighbor-recovery power-threshold 5GHz -65
 neighbor-recovery power-threshold 2.4GHz -82
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#

rfs6000-37FABE(config-smart-rf-policy-test)#no interference-recovery channel-switch-delta 5GHz
rfs6000-37FABE(config-smart-rf-policy-test)#no neighbor-recovery power-threshold 2.4GHz
rfs6000-37FABE(config-smart-rf-policy-test)#no neighbor-recovery power-threshold 5GHz
rfs6000-37FABE(config-smart-rf-policy-test)#no assignable-power 5GHz min
rfs6000-37FABE(config-smart-rf-policy-test)#no assignable-power 5GHz max

The following example shows the Smart RF policy ‘test’ settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#

19.1.12 sensitivity
smart-rf-policy

Configures Smart RF sensitivity level. The sensitivity level determines Smart RF scanning and sampling aggressiveness. For example, a low sensitivity level indicates a less aggressive Smart-RF policy. This translates to fewer samples taken during off-channel scanning and short off-channel durations. When the sensitivity level is set to high, Smart-RF collects more samples, and remains off-channel longer.

The Smart RF sensitivity level options include low, medium, high, and custom. Medium is the default setting. The custom option allows an administrator to adjust the parameters and thresholds for interference recovery, coverage hole recovery, and neighbor recovery. However, the low, medium, and high settings still allow utilization of these features.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

sensitivity [custom|high|low|medium]

Parameters

• sensitivity [custom|high|low|medium]

sensitivity – Configures Smart RF sensitivity levels. The options available are: custom, high, low, and medium.
custom – Enables custom interference recovery, coverage hole recovery, and neighbor recovery as additional Smart RF options
high – High sensitivity
low – Low sensitivity
medium – Medium sensitivity. This is the default setting.

Usage Guidelines

To enable the power and channel setting parameters, set sensitivity to custom or medium.
To enable the monitoring and scanning parameters, set sensitivity to custom.
To enable the neighbor recovery, interference and coverage hole recovery parameters, set sensitivity to custom.

Example

rfs6000-37FABE(config-smart-rf-policy-test)#sensitivity high
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity high
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 smart-ocs-monitoring frequency 5GHz 3
 smart-ocs-monitoring frequency 2.4GHz 3
 smart-ocs-monitoring sample-count 5GHz 3
 smart-ocs-monitoring sample-count 2.4GHz 3
--More--
rfs6000-37FABE(config-smart-rf-policy-test)#

19.1.13 smart-ocs-monitoring
smart-rf-policy

Applies smart Off Channel Scanning (OCS) instead of dedicated detectors

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

smart-ocs-monitoring {awareness-override|client-aware|extended-scan-frequency|frequency|off-channel-duration|power-save-aware|sample-count|tx-load-aware|voice-aware}
smart-ocs-monitoring {awareness-override [schedule|threshold]}
smart-ocs-monitoring {awareness-override schedule <1-3> <START-TIME> <END-TIME> <DAY>}
smart-ocs-monitoring {awareness-override threshold <10-10000>}
smart-ocs-monitoring {client-aware [2.4GHz|5GHz] <1-255>}
smart-ocs-monitoring {extended-scan-frequency [2.4GHz|5GHz] <0-50>}
smart-ocs-monitoring {frequency [2.4GHz|5GHz] <1-120>}
smart-ocs-monitoring {off-channel-duration [2.4GHz|5GHz] <20-150>}
smart-ocs-monitoring {power-save-aware [2.4GHz|5GHz] [disable|dynamic|strict]}
smart-ocs-monitoring {sample-count [2.4GHz|5GHz] <1-15>}
smart-ocs-monitoring {tx-load-aware [2.4GHz|5GHz] <1-100>}
smart-ocs-monitoring {voice-aware [2.4GHz|5GHz] [disable|dynamic|strict]}

Parameters

• smart-ocs-monitoring {awareness-override schedule <1-3> <START-TIME> <END-TIME> <DAY>}

awareness-override – Optional. Use this parameter to configure client awareness settings overrides

schedule <1-3> <START-TIME> <END-TIME> {<DAY>} – Configures a time and day schedule when awareness settings are overridden
• <1-3> – Sets the awareness override schedule index. A maximum of three overrides can be configured.
• <START-TIME> – Sets the override start time in HH:MM format
• <END-TIME> – Sets the override end time in HH:MM format
• DAY – Optional. Set the day when the override is active. Use one of the following formats:
  • all – Override is active on all days
  • sun – Override is active only on Sundays
  • mon – Override is active only on Mondays
  • tue – Override is active only on Tuesdays
  • wed – Override is active only on Wednesdays
  • thu – Override is active only on Thursdays
  • fri – Override is active only on Fridays
  • sat – Override is active only on Saturdays

• smart-ocs-monitoring {awareness-override threshold <10-10000>}

awareness-override threshold <10-10000> – Optional. Use this parameter to configure client awareness settings overrides
• threshold – Specifies the threshold after which client awareness settings are overridden. When the specified threshold is reached, awareness settings are overridden.
• <10-10000> – Specify a threshold value from 10 -10000. The default is 10.

• smart-ocs-monitoring {client-aware [2.4GHz|5GHz] <1-255>}

client-aware – Optional. Enables client aware scanning on this Smart RF policy
Use this parameter to configure a client threshold number. When the number of clients connected to a radio equals this threshold number, the radio avoids channel scanning.
This feature is disabled by default.

2.4GHz <1-255> – Enables client aware scanning on the 2.4 GHz band
Avoids radio scanning when a specified minimum number of clients are present
• <1-255> – Sets the minimum number of clients from 1 - 255. The default is 1 client.

5GHz <1-255> – Enables client aware scanning on the 5.0 GHz band
Avoids radio scanning when a specified minimum number of clients are present
• <1-255> – Sets the minimum number of clients from 1 - 255. The default is 1 client.

• smart-ocs-monitoring {extended-scan-frequency [2.4GHz|5GHz] <0-50>}

extended-scan-frequency – Optional. Enables an extended scan, as opposed to a neighbor only scan, on this Smart RF policy. This is the frequency radios use to scan for non-peer radios.

2.4GHz <0-50> – Enables extended scan on the 2.4 GHz band
• <0-50> – Sets the number of trails from 0 - 50. The default is 5.

5GHz <0-50> – Enables extended scan on the 5.0 GHz band
• <0-50> – Sets the number of trails from 0 - 50. The default is 5.

• smart-ocs-monitoring {frequency [2.4GHz|5GHz] <1-120>}

frequency – Optional. Specifies the scan frequency. This is the frequency, in seconds, in which smart-ocs-monitoring changes channels for an off channel scan.

2.4GHz <1-120> – Selects the 2.4 GHz band
• <1-120> – Sets a scan frequency from 1 - 120 sec. The default is 6 seconds.

5GHz <1-120> – Selects the 5.0 GHz band
• <1-120> – Sets a scan frequency from 1 - 120 sec. The default is 6 seconds.

• smart-ocs-monitoring {off-channel-duration [2.4GHz|5GHz] <20-150>}

off-channel-duration – Optional. Specifies the duration to scan off channel
This is the duration access point radios use to monitor devices within the network and, if necessary, perform self healing and neighbor recovery to compensate for coverage area losses within a RF Domain.

2.4GHz <20-150> – Selects the 2.4 GHz band (in milliseconds)
• <20-150> – Sets the off channel duration from 20 - 150 msec. The default is 50 milliseconds.

5GHz <20-150> – Selects the 5.0 GHz band (in milliseconds)
• <20-150> – Sets the off channel duration from 20 - 150 msec. The default is 50 milliseconds.

• smart-ocs-monitoring {power-save-aware [2.4GHz|5GHz] [disable|dynamic|strict]}

power-save-aware – Optional. Enables power save awareness scanning mode on this Smart RF policy. The options are: disable, dynamic, and strict.
This setting allows Smart RF to detect power save clients and take them into consideration when performing off channel scans.
Strict disables smart monitoring as long as a power save capable client is associated to a radio. Dynamic disables smart monitoring as long as there is data buffered for a power save client at the radio.

2.4GHz [disable|dynamic|strict] – Sets power save awareness scanning mode on the 2.4 GHz band
• disable – Disables power save awareness scanning
• dynamic – Dynamically avoids scanning based on traffic for power save (PSP) clients
• strict – Strictly avoids scanning when PSP clients are present
The default is dynamic.

5GHz [disable|dynamic|strict] – Sets power save awareness scanning mode on the 5.0 GHz band
• disable – Disables power save awareness scanning
• dynamic – Dynamically avoids scanning based on traffic for PSP clients
• strict – Strictly avoids scanning when PSP clients are present
The default is dynamic.

• smart-ocs-monitoring {sample-count [2.4GHz|5GHz] <1-15>}

sample-count – Optional. Specifies the number of samples to collect before reporting an issue to the Smart RF master

2.4GHz <1-15> – Selects the 2.4 GHz band
• <1-15> – Specifies the number of samples to collect from 1 - 15. The default is 10.

5GHz <1-15> – Selects the 5.0 GHz band
• <1-15> – Specifies the number of samples to collect from 1 - 15. The default is 5.

• smart-ocs-monitoring {tx-load-aware [2.4GHz|5GHz] <1-100>}

tx-load-aware – Optional. Specifies a transmit load percentage that serves as a threshold before scanning is avoided for an access point’s 2.4 GHz or 5.0 GHz band. This option is disabled for both 2.4 GHz and 5.0 GHz bands.

2.4GHz <1-100> – Selects the 2.4 GHz band
• <1-100> – Specify a transmit load percentage from 1 - 100%. When enabled, the default is 1%.

5GHz <1-100> – Selects the 5.0 GHz band
• <1-100> – Specify a transmit load percentage from 1 - 100%. When enabled, the default is 1%.

• smart-ocs-monitoring {voice-aware [2.4GHz|5GHz] [disable|dynamic|strict]}

voice-aware – Optional. Enables voice awareness scanning mode on this Smart RF policy. The options are: disable, dynamic, and strict.
Strict disables smart monitoring as long as a voice client is associated to a radio. Dynamic disables smart monitoring as long as there is data buffered for a voice client at the radio.

2.4GHz [disable|dynamic|strict] – Specifies the scanning mode on the 2.4 GHz band
• disable – Disables voice awareness scanning
• dynamic – Dynamically avoids scanning based on traffic for voice clients
• strict – Strictly avoids scanning when voice clients are present
Note: The default is dynamic.

5GHz [disable|dynamic|strict] – Specifies the scanning mode on the 5.0 GHz band
• disable – Disables voice awareness scanning
• dynamic – Dynamically avoids scanning based on traffic for voice clients
• strict – Strictly avoids scanning when voice clients are present.
Note: The default is dynamic.

Example

rfs6000-37FABE(config-smart-rf-policy-test)#smart-ocs-monitoring extended-scan-frequency 2.4GHz 9
rfs6000-37FABE(config-smart-rf-policy-test)#smart-ocs-monitoring sample-count 2.4GHz 3
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 smart-ocs-monitoring off-channel-duration 2.4GHz 25
 smart-ocs-monitoring frequency 5GHz 3
 smart-ocs-monitoring frequency 2.4GHz 3
 smart-ocs-monitoring sample-count 5GHz 3
 smart-ocs-monitoring sample-count 2.4GHz 3
 smart-ocs-monitoring extended-scan-frequency 5GHz 0
 smart-ocs-monitoring extended-scan-frequency 2.4GHz 9
 root-recovery root-path-metric-threshold 800
--More--
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands

no – Disables off channel monitoring

20 WIPS-POLICY

This chapter summarizes the Wireless Intrusion Protection Systems (WIPS) policy commands in the CLI command structure.

WIPS is an additional measure of security designed to continuously monitor the network for threats and intrusions. Along with wireless VPNs, encryptions, and authentication policies, WIPS enhances the security of a WLAN.

The WIPS policy enables detection of intrusions and threats that a managed network is likely to encounter. However, the WIPS policy does not include threat mitigation configurations. These intrusions and threats are available within the WIPS policy configuration mode as preconfigured, fixed events. Each event consists of a set of frames or anomalies that may be harmful to the managed network. You can enable/disable various aspects of each individual event.

Events are broadly grouped into the following three categories:
• Excessive/Thresholdable events: These events detect DoS attacks, like excessive deauths, EAP floods, etc. Threshold limits for such events can be configured for mobile units (MU) and radios. Once these threshold limits are exceeded, an event is triggered. Stations triggering an event are usually filtered. You can configure a filter ageout specifying the time for which the station triggering the event is filtered. However, the filter ageout only applies when the MU-threshold is exceeded. When the radio threshold is reached, the system raises a warning about the same and updates event history with event details.
• Station/MU anomalies: These events are triggered when a MU performs suspicious activities that can compromise the security and stability of the managed network. You can configure a filter ageout, similar to the above class of events, to filter the station triggering such events.
• AP/neighbor anomalies: These events are triggered when an AP or neighbor sends suspicious frames. The system cannot filter APs or neighbors triggering such events. However, the system warns you about such attacks, allowing you to take further actions against such APs and neighbors.

In addition to event monitoring configuration, the WIPS policy allows you to configure a list of signatures. Unlike events, signatures are not fixed. You are free to define your own signatures based on a specific set of parameters. A signature is a rule, consisting of a set of fields to match and a corresponding set of actions in case of a match. By default, whenever a signature is matched an event log is triggered. This event log is similar to the one triggered upon an event. In addition to an event log, you can also configure other actions. Signatures have all the features supported by events. In fact, most events are internally implemented as signatures.

Signature rules are of the following three types:
• ssid, ssid length rule: This signature matches a specified SSID or SSID length. It is mandatory to configure the frame type to match for this signature. When configured, the only frame types allowed are beacons, probe requests, and probe responses. Example rule: ssid : AirJack and frame type beacon : Signature for AirJack attack.
• payload rule: This signature matches a particular payload at a particular frame offset. You can restrict these matches based on frame type. Example rule: Payload : 0x00601d Offset 3 : Netstumbler
• address-match rule: This signature matches one or more address fields. The address fields supported are BSSID, source-MAC, and destination-MAC. You can also specify frame types to match. The frame types supported are assoc, auth, beacon, data, deauth, disassoc, mgmt, probe-request, and probe-response.

A WIPS policy, once configured, has to be attached to a RF Domain to take effect. Multiple WIPS policies can be configured at the same time, but only one policy can be attached to a given RF Domain at any time.

Use the (config) instance to configure WIPS policy commands. To navigate to the WIPS policy instance, use the following commands:

<DEVICE>(config)#wips-policy <POLICY-NAME>

rfs6000-37FABE(config)#wips-policy test
rfs6000-37FABE(config-wips-policy-test)#?
Wips Policy Mode commands:
  ap-detection               Rogue AP detection
  enable                     Enable this wips policy
  event                      Configure an event
  history-throttle-duration  Configure the duration for which event duplicates
                             are not stored in history
  interference-event         Specify events which will contribute to smart-rf
                             wifi interference calculations
  no                         Negate a command or set its defaults
  signature                  Signature to configure
  use                        Set setting to use

  clrscr                     Clears the display screen
  commit                     Commit all changes made in this session
  do                         Run commands from Exec mode
  end                        End current mode and change to EXEC mode
  exit                       End current mode and down to previous mode
  help                       Description of the interactive help system
  revert                     Revert changes
  service                    Service Commands
  show                       Show running system information
  write                      Write running configuration to memory or terminal

rfs6000-37FABE(config-wips-policy-test)#

NOTE: To attach a WIPS policy to a RF Domain, in the RF Domain configuration mode, execute the use > wips-policy <WIPS-POLICY-NAME> command. For more information, see use.

NOTE: With this most recent release, AP7522 and AP7532 model Access Points can provide enhanced sensor support. AP7522 and AP7532 sensors can send data from off-channel-scans while in radio-share promiscuous/inline mode, in addition to the on-channel data captured in radio-share mode. ADSP uses the off-channel-scan data (in addition to the on-channel data) to monitor for rogue intrusions and trigger alarms. OTA Termination is triggered from ADSP to the appropriate radio-share AP to initiate termination.

NOTE: AP7522 and AP7532 models also support shared part-time scanning using WIPS in WiNG (using off-channel-scans) and no ADSP. WIPS on WiNG was enhanced to add rogue detection/classification (wired side detection based on MAC Address Offset) and over-the-air (OTA) termination for AP7522 and AP7532 deployments.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
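
The three signature rule types described in this chapter's introduction (ssid/ssid length, payload, address-match) can be modelled as follows. This is an added Python example, not WiNG code and not part of the original guide. The Frame and Signature classes, the MAC addresses and the sample frames are constructed for illustration, and treating the payload offset as an index into the frame body is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Frame-type labels the guide lists for signature matching.
FRAME_TYPES = frozenset({"assoc", "auth", "beacon", "data", "deauth",
                         "disassoc", "mgmt", "probe-request", "probe-response"})
# The guide allows only these frame types on ssid / ssid-length rules.
SSID_FRAME_TYPES = frozenset({"beacon", "probe-request", "probe-response"})


@dataclass(frozen=True)
class Frame:
    """Already-decoded 802.11 frame (hypothetical model, not a WiNG structure)."""
    frame_type: str
    bssid: str
    src: str
    dst: str
    ssid: Optional[str] = None
    body: bytes = b""          # assumption: payload offsets index into this


@dataclass(frozen=True)
class Signature:
    """One rule: every field that is set must match; the action is an event log."""
    name: str
    frame_types: frozenset = frozenset()   # empty means any frame type
    ssid: Optional[str] = None
    ssid_len: Optional[int] = None
    payload: Optional[bytes] = None
    offset: int = 0
    bssid: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    def __post_init__(self):
        unknown = set(self.frame_types) - FRAME_TYPES
        if unknown:
            raise ValueError(f"{self.name}: unknown frame types {sorted(unknown)}")
        if self.ssid is not None or self.ssid_len is not None:
            # ssid rules: a frame type is mandatory and limited to three kinds.
            if not self.frame_types or not self.frame_types <= SSID_FRAME_TYPES:
                raise ValueError(f"{self.name}: ssid rules need beacon, "
                                 "probe-request or probe-response frame types")
        if self.offset < 0:
            raise ValueError(f"{self.name}: offset must not be negative")
        fields = (self.ssid, self.ssid_len, self.payload,
                  self.bssid, self.src, self.dst)
        if all(v is None for v in fields):
            raise ValueError(f"{self.name}: rule has nothing to match")

    def matches(self, frame: Frame) -> bool:
        if self.frame_types and frame.frame_type not in self.frame_types:
            return False
        if self.ssid is not None and frame.ssid != self.ssid:
            return False
        if self.ssid_len is not None:
            if frame.ssid is None or len(frame.ssid.encode()) != self.ssid_len:
                return False
        if self.payload is not None:
            # A frame too short to hold the payload at that offset never matches.
            window = frame.body[self.offset:self.offset + len(self.payload)]
            if window != self.payload:
                return False
        for want, got in ((self.bssid, frame.bssid), (self.src, frame.src),
                          (self.dst, frame.dst)):
            if want is not None and want.lower() != got.lower():
                return False
        return True


def scan(frames, signatures):
    """Return (frame index, signature name) per match, as an event log would."""
    return [(i, s.name) for i, f in enumerate(frames)
            for s in signatures if s.matches(f)]


# Constructed, locally administered MAC addresses for the sample frames.
AP, STA, BCAST = "02:00:00:aa:bb:01", "02:00:00:aa:bb:02", "ff:ff:ff:ff:ff:ff"

# The guide's two example rules plus one constructed address-match rule.
SIGNATURES = [
    Signature("airjack", frame_types=frozenset({"beacon"}), ssid="AirJack"),
    Signature("netstumbler", payload=bytes.fromhex("00601d"), offset=3),
    Signature("watch-bssid", frame_types=frozenset({"deauth", "disassoc"}),
              bssid=AP),
]

# Constructed sample frames.
FRAMES = [
    Frame("beacon", AP, AP, BCAST, ssid="AirJack"),
    Frame("probe-response", AP, AP, STA, ssid="AirJack"),      # wrong frame type
    Frame("data", AP, STA, AP, body=bytes.fromhex("aaaa0300601d0001")),
    Frame("data", AP, STA, AP, body=bytes.fromhex("00601d")),  # payload at 0, not 3
    Frame("deauth", AP.upper(), AP, STA),                      # case-insensitive MAC
    Frame("beacon", AP, AP, BCAST, ssid="corp-wlan"),
]

if __name__ == "__main__":
    for index, name in scan(FRAMES, SIGNATURES):
        print(f"frame {index}: signature '{name}' matched -> event log")
```

Frames 1 and 3 show the two restrictions that matter in practice: an ssid rule only fires on the frame type it names, and a payload rule only fires when the bytes sit at the configured offset.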

20.1 wips-policy
WIPS-POLICY

The following table summarizes WIPS policy configuration commands:

Table 20.1 WIPS-Policy-Config Commands

Command                     Description                                                                   Reference
ap-detection                Defines the WIPS AP detection configuration                                   page 20-5
enable                      Enables a WIPS policy                                                         page 20-7
event                       Configures events                                                             page 20-8
history-throttle-duration   Configures the duration event duplicates are omitted from the event history   page 20-12
interference-event          Specifies events contributing to the Smart RF WiFi interference calculations  page 20-13
no                          Negates a command or sets its default                                         page 20-14
signature                   Configures a WIPS policy signature and enters its configuration mode          page 20-16
use                         Defines a WIPS policy settings                                                page 20-33

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

20.1.1 ap-detection
wips-policy

Enables the detection of unauthorized or unsanctioned APs. Unauthorized APs are untrusted access points connected to an access point managed network. These untrusted APs accept wireless client associations. It is important to detect such rogue APs and declare them unauthorized. Rogue AP detection is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ap-detection {ageout|air-termination|interferer-threshold|recurring-event-interval|wait-time}
ap-detection {ageout <30-86400>|interferer-threshold <-100--10>|recurring-event-interval <0-10000>|wait-time <10-600>}
ap-detection air-termination {allow-channel-switch|mode [auto|manual]}

Parameters

• ap-detection {ageout <30-86400>|interferer-threshold <-100--10>|recurring-event-interval <0-10000>|wait-time <10-600>}

ap-detection – Enables detection of unauthorized or unsanctioned APs

ageout <30-86400> – Optional. Configures the unauthorized AP ageout interval. The WIPS policy uses this value to ageout unauthorized APs.
• <30-86400> – Sets an ageout interval from 30 - 86400 seconds. The default is 5 minutes (300 seconds).

recurring-event-interval <0-10000> – Configures recurring event interval help of unauthorized APs
• <0-10000> – Configures the recurring interval between 0 - 10000 seconds. The default is 300 seconds.

interferer-threshold <-100--10> – Configures RSSI threshold value to determine if an unsanctioned AP is an interferer or not
• <-100--10> – Configures the RSSI threshold between -100 - -10 dBm. The default is -75 dBm.

wait-time <10-600> – Optional. Configures the wait time before a detected AP is declared as unauthorized and potentially removed
• <10-600> – Sets a wait time from 10 - 600 seconds. The default is 1 minute (60 seconds).

• ap-detection air-termination {allow-channel-switch|mode [auto|manual]}

ap-detection – Enables detection of unauthorized or unsanctioned APs

air-termination {allow-channel-switch|mode [auto|manual]} – Enables air termination of unauthorized APs. This option is disabled by default.
• allow-channel-switch – Optional. Allows channel switch of unauthorized APs based on the channel mode. This option is disabled by default.
• mode [auto|manual] – Optional. Select the mode as auto or manual to configure. The default setting is manual.

Example

rfs6000-37FABE(config-wips-policy-test)#ap-detection wait-time 15
rfs6000-37FABE(config-wips-policy-test)#ap-detection age-out 50
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 ap-detection-age-out 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#

nx9500-6C8809(config-wips-policy-test)#ap-detection recurring-event-interval 10
nx9500-6C8809(config-wips-policy-test)#show context
wips-policy test
 ap-detection recurring-event-interval 10
nx9500-6C8809(config-wips-policy-test)#

Related Commands

no – Resets unauthorized or unsanctioned AP detection settings to default

20.1.2 enable
wips-policy

Enables this WIPS policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

enable

Parameters

None

Example

rfs6000-37FABE(config-wips-policy-test)#enable
rfs6000-37FABE(config-wips-policy-test)#

Related Commands

no – Disables a WIPS policy
20.1.3 event
wips-policy

Configures events, filters and threshold values for this WIPS policy. Events are grouped into three categories: AP anomaly, client anomaly, and excessive. WLANs are baselined for matching criteria. Any deviation from this baseline is considered an anomaly and logged as an event.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
event [ap-anomaly|client-anomaly|enable-all-events|excessive]
event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|unencrypted-wired-leakage|wireless-bridge]
event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|invalid-8021x-frames|netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>}
event enable-all-events
event excessive [80211-replay-check-failure|aggressive-scanning|auth-server-failures|decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-station] {filter-ageout <0-86400>|threshold-client <0-65535>|threshold-radio <0-65535>}

Parameters
• event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|unencrypted-wired-leakage|wireless-bridge]

NOTE: By default all event monitoring is disabled.

ap-anomaly    Enables AP anomaly event tracking
    An AP anomaly event refers to suspicious frames sent by neighboring APs. An administrator enables the filtering of each listed event and sets the thresholds for the generation of event notification and filtering.
ad-hoc-violation    Tracks ad-hoc network violations
airjack    Tracks AirJack attacks
ap-ssid-broadcast-in-beacon    Tracks AP SSID broadcasts in beacon events
asleap    Tracks ASLEAP attacks. These attacks break Lightweight Extensible Authentication Protocol (LEAP) passwords
impersonation-attack    Tracks impersonation attacks. These are also referred to as spoofing attacks, where the attacker assumes the address of an authorized device.
null-probe-response    Tracks null probe response attacks
transmitting-device-using-invalid-mac    Tracks attacks in which the transmitting device uses an invalid MAC
unencrypted-wired-leakage    Tracks unencrypted wired leakage
wireless-bridge    Tracks wireless bridge (WDS) frames

• event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|invalid-8021x-frames|netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>}

client-anomaly    Enables client anomaly event tracking
    These are suspicious events performed by wireless clients compromising the security of the network. An administrator can enable or disable filtering of each listed event and set the thresholds required for the generation of the event notification and filtering action applied.
dos-broadcast-deauth    Tracks DoS broadcast deauthentication events
fuzzing-all-zero-macs    Tracks Fuzzing: All zero MAC addresses observed
fuzzing-invalid-frame-type    Tracks Fuzzing: Invalid frame type detected
fuzzing-invalid-mgmt-frames    Tracks Fuzzing: Invalid management frame detected
fuzzing-invalid-seq-num    Tracks Fuzzing: Invalid sequence number detected
identical-src-and-dest-addr    Tracks identical source and destination addresses detection
invalid-8021x-frames    Tracks Fuzzing: Invalid 802.1x frames detected
netstumbler-generic    Tracks Netstumbler (v3.2.0, 3.2.3, 3.3.0) events
non-conforming-data    Tracks non-conforming data packets
wellenreiter    Tracks Wellenreiter events
filter-ageout <0-86400>    The following keywords are common to all of the above client anomaly events:
    • filter-ageout <0-86400> – Optional. Configures the filter expiration interval in seconds
        • <0-86400> – Sets the filter ageout interval from 0 - 86400 seconds. The default is 0 seconds.
    Note: For each violation define a filter time in seconds, which determines how long the packets (received from an attacking device) are ignored once a violation has been triggered. Ignoring frames from an attacking device minimizes the effectiveness of the attack and the impact to the site until permanent mitigation can be performed.
    The filter ageout value is applicable across the entire RF Domain using this WIPS policy. If an MU is detected performing an attack and is filtered by one of the APs, the information is passed on to all APs and controllers within the RF Domain through the domain manager. Consequently the MU is filtered, for the specified period of time, across all devices.

• event enable-all-events

enable-all-events    Enables tracking of all intrusion events (client anomaly and excessive events)
• event excessive [80211-replay-check-failure|aggressive-scanning|auth-server-failures|decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-station] {filter-ageout [<0-86400>]|threshold-client [<0-5535>]|threshold-radio <0-65535>}

excessive    Enables the tracking of excessive events. Excessive events are actions performed continuously and repetitively. These events can impact the performance of the controller managed network. DoS attacks come under this category.
80211-replay-check-failure    Tracks 802.11 replay check failure
aggressive-scanning    Tracks aggressive scanning events
auth-server-failures    Tracks failures reported by authentication servers
decryption-failures    Tracks decryption failures
dos-assoc-or-auth-flood    Tracks DoS association or authentication floods
dos-eapol-start-storm    Tracks DoS EAPOL start storms
dos-unicast-deauth-or-disassoc    Tracks DoS disassociation or deauthentication floods
eap-flood    Tracks EAP floods
eap-nak-flood    Tracks EAP NAK floods
frames-from-unassoc-station    Tracks frames from unassociated clients
filter-ageout <0-86400>    The following keywords are common to all excessive events:
    • filter-ageout <0-86400> – Optional. Configures a filter expiration interval in seconds. It sets the duration for which the client is filtered. The client is added to an ACL as a special entry and frames received from this client are dropped.
        • <0-86400> – Sets a filter ageout interval from 0 - 86400 seconds. The default is 0 seconds.
    Note: This value is applicable across the RF Domain. If a client is detected performing an attack and is filtered by one of the APs, the information is passed to the domain controller. The domain controller then propagates this information to all APs and wireless controllers in the RF Domain.
threshold-client <0-65535>    The following keywords are common to all excessive events:
    • threshold-client <0-65535> – Optional. Configures a client threshold value after which the filter is triggered and an event is recorded
        • <0-65535> – Sets a wireless client threshold value from 0 - 65535 seconds
threshold-radio <0-65535>    The following keywords are common to all excessive events:
    • threshold-radio <0-65535> – Optional. Configures a radio threshold value after which the filter is triggered and an event is recorded
        • <0-65535> – Sets a radio threshold value from 0 - 65535 seconds
Example
rfs6000-37FABE(config-wips-policy-test)#event excessive 80211-replay-check-failure filter-ageout 9 threshold-client 8 threshold-radio 99
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#

Related Commands
no    Disables WIPS policy events tracking
20.1.4 history-throttle-duration
wips-policy

Configures the duration event duplicates are omitted from the event history

The system maintains a history of all events that have occurred, on each device, within a RF Domain. Sometimes an event occurs for a prolonged period of time and tends to fill up the event history list. In such a scenario, duplicate information added to the event history list can be throttled for a specified period of time. Once this period is over, duplicate entries are once again allowed.

Event history statistics are periodically sent to the domain manager, which can be queried to ascertain the general health of the domain.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
history-throttle-duration <30-86400>

Parameters
• history-throttle-duration <30-86400>

history-throttle-duration <30-86400>    Configures the duration event duplicates are omitted from the event history
    • <30-86400> – Sets a value from 30 - 86400 seconds. The default is 120 seconds.

Example
rfs6000-37FABE(config-wips-policy-test)#history-throttle-duration 77
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 history-throttle-duration 77
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#

Related Commands
no    Resets the history throttle duration to its default (120 seconds)
20.1.5 interference-event
wips-policy

Specifies events contributing to the Smart RF WiFi interference calculations

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
interference-event [non-conforming-data|wireless-bridge]

Parameters
• interference-event [non-conforming-data|wireless-bridge]

non-conforming-data    Considers non-conforming data packets when calculating Smart RF interference
wireless-bridge    Considers Wireless Bridge (WDS) frames when calculating Smart RF interference

Example
rfs6000-37FABE(config-wips-policy-test)#interference-event non-conforming-data
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 history-throttle-duration 77
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 interference-event non-conforming-data
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#

Related Commands
no    Disables this WIPS policy signature as a Smart RF interference source
20.1.6 no
wips-policy

Negates a command or resets configured settings to their default. When used in the config WIPS policy mode, the no command negates or resets filters and thresholds.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [ap-detection|enable|event|history-throttle-duration|interference-event|signature|use]
no [enable|history-throttle-duration]
no ap-detection {ageout {<LINE-SINK>}|air-termination|interferer-threshold <-100--10>|recurring-event-interval <0-10000>wait-time {<LINE-SINK>}}
no event [ap-anomaly|client-anomaly|enable-all-events|excessive]
no event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|unencrypted-wired-leakage|wireless-bridge]
no event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|invalid-8021x-frames|netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>}
no event excessive [80211-replay-check-failure|aggressive-scanning|auth-server-failures|decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-station] {filter-ageout <0-86400>|threshold-client <0-65535>|threshold-radio <0-65535>}
no interference-event [non-conforming-data|wireless-bridge]
no signature <WIPS-SIGNATURE>
no use device-categorization

Parameters
• no <PARAMETERS>

no <PARAMETERS>    Negates a command or resets configured settings to their default. When used in the config WIPS policy mode, the no command negates or resets filters and thresholds.

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.
Example
The following example shows the WIPS Policy ‘test’ settings before the ‘no’ commands are executed:
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 history-throttle-duration 77
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 interference-event non-conforming-data
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#
rfs6000-37FABE(config-wips-policy-test)#no event client-anomaly wellenreiter filter-ageout 99
rfs6000-37FABE(config-wips-policy-test)#no interference-event non-conforming-data
rfs6000-37FABE(config-wips-policy-test)#no history-throttle-duration

The following example shows the WIPS Policy ‘test’ settings after the ‘no’ commands are executed:
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 no event client-anomaly wellenreiter filter-ageout 99
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#
20.1.7 signature
wips-policy

Attack and intrusion patterns are identified and configured as signatures in a WIPS policy. The WIPS policy compares packets in the network with preconfigured signatures to identify threats.

The following table summarizes WIPS policy signature configuration commands:

Table 20.2 WIPS-Policy-Signature-Config Commands
signature    Configures a WIPS policy signature and enters its configuration mode
signature mode commands    Summarizes WIPS signature configuration mode commands
20.1.7.1 signature
signature

Configures a WIPS policy signature. A WIPS signature is the set of parameters or patterns used by WIPS to identify and categorize particular sets of attack behaviors in order to classify them.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
signature <SIGNATURE-NAME>

Parameters
• signature <SIGNATURE-NAME>

signature <SIGNATURE-NAME>    Configures a WIPS policy signature
    • <SIGNATURE-NAME> – Enter a name for the WIPS policy signature. The name should not exceed 64 characters.

Example
rfs6000-37FABE(config-wips-policy-test)#signature test
rfs6000-37FABE(config-test-signature-test)#
rfs6000-37FABE(config-test-signature-test)#?
Wips Signature Mode commands:
  bssid               Bssid mac address
  dst-mac             Destination mac address
  filter-ageout       Configure filter ageout
  frame-type          Configure frame-type to match
  interference-event  Signature is a smart-rf interference source
  mode                Enable/Disable signature
  no                  Negate a command or set its defaults
  payload             Configure a payload
  src-mac             Source mac address
  ssid-match          Match based on ssid
  threshold-client    Configure client threshold limit
  threshold-radio     Configure radio threshold limit
  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  do                  Run commands from Exec mode
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal
rfs6000-37FABE(config-test-signature-test)#
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 no event client-anomaly wellenreiter filter-ageout 99
 signature test
  interference-event
  bssid 11-22-33-44-55-66
  dst-mac 55-66-77-88-99-00
  frame-type reassoc
  filter-ageout 8
  threshold-client 88
  payload 1 pattern test offset 1
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#

Related Commands
no    Deletes a WIPS policy signature
20.1.7.2 signature mode commands
signature

The following table summarizes WIPS policy signature configuration mode commands:

Table 20.3 WIPS-Policy-Signature-Mode Commands
Commands    Description
bssid    Configures the BSSID MAC address
dst-mac    Configures the destination MAC address
filter-ageout    Configures the filter ageout interval
frame-type    Configures the frame type used for matching
interference-event    Configures this WIPS policy signature as the Smart RF interference source
mode    Enables the signature mode
payload    Configures payload settings
src-mac    Configures the source MAC address
ssid-match    Configures a match based on SSID
threshold-client    Configures the wireless client threshold limit
threshold-radio    Configures the radio threshold limit
no    Negates a command or sets its default
20.1.7.2.1 bssid
signature mode commands

Configures a BSSID MAC address with this WIPS signature for matching

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bssid <MAC>

Parameters
• bssid <MAC>

bssid <MAC>    Configures a BSSID MAC address to match
    • <MAC> – Specify the MAC address.

Example
rfs6000-37FABE(config-test-signature-test)#bssid 11-22-33-44-55-66
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Disables a WIPS signature BSS ID
20.1.7.2.2 dst-mac
signature mode commands

Configures a destination MAC address for the packet examined for matching

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dst-mac <MAC>

Parameters
• dst-mac <MAC>

dst-mac <MAC>    Configures a destination MAC address to match
    • <MAC> – Specify the destination MAC address.

Example
rfs6000-37FABE(config-test-signature-test)#dst-mac 55-66-77-88-99-00
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  dst-mac 55-66-77-88-99-00
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Disables a WIPS signature destination MAC address
20.1.7.2.3 filter-ageout
signature mode commands

Configures the filter ageout interval in seconds. This is the duration a client, triggering a WIPS event, is excluded from RF Domain manager radio association.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
filter-ageout <1-86400>

Parameters
• filter-ageout <1-86400>

filter-ageout <1-86400>    Configures the filter ageout interval from 1 - 86400 seconds

Example
rfs6000-37FABE(config-test-signature-test)#filter-ageout 8
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  dst-mac 55-66-77-88-99-00
  filter-ageout 8
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Removes the configured filter ageout interval
20.1.7.2.4 frame-type
signature mode commands

Configures the frame type used for matching with this WIPS policy signature

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
frame-type [all|assoc|auth|beacon|data|deauth|disassoc|mgmt|probe-req|probe-resp|reassoc]

Parameters
• frame-type [all|assoc|auth|beacon|data|deauth|disassoc|mgmt|probe-req|probe-resp|reassoc]

frame-type    Configures the frame type used for matching
all    Configures all frame type matching
assoc    Configures association frame matching
auth    Configures authentication frame matching
beacon    Configures beacon frame matching
data    Configures data frame matching
deauth    Configures deauthentication frame matching
disassoc    Configures disassociation frame matching
mgmt    Configures management frame matching
probe-req    Configures probe request frame matching
probe-resp    Configures probe response frame matching
reassoc    Configures re-association frame matching

Usage Guidelines
The frame type configured determines the SSID match type configured. To configure the SSID match type as SSID, the frame type must be beacon, probe-req or probe-resp.

Example
rfs6000-37FABE(config-test-signature-test)#frame-type reassoc
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  dst-mac 55-66-77-88-99-00
  frame-type reassoc
  filter-ageout 8
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Resets a WIPS signature frame type
20.1.7.2.5 interference-event
signature mode commands

Configures this WIPS policy signature as Smart RF interference source

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
interference-event

Parameters
None

Example
rfs6000-37FABE(config-test-signature-test)#interference-event
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  interference-event
  bssid 11-22-33-44-55-66
  dst-mac 55-66-77-88-99-00
  frame-type reassoc
  filter-ageout 8
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Disables this WIPS policy signature as Smart RF interference source
20.1.7.2.6 mode
signature mode commands

Enables a WIPS policy signature

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mode enable

Parameters
• mode enable

mode enable    Enables this WIPS signature

Example
rfs6000-37FABE(config-test-signature-test)#mode enable
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Disables a WIPS signature
20.1.7.2.7 payload
signature mode commands

Configures payload settings. The payload command sets a numerical index pattern and offset for this WIPS signature.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
payload <1-3> pattern <WORD> offset <0-255>

Parameters
• payload <1-3> pattern <WORD> offset <0-255>

payload <1-3>    Configures payload settings
    • <1-3> – Sets the payload index from 1 - 3.
pattern <WORD>    Specifies the pattern to match: hex or string
    • <WORD> – Sets the pattern name
offset <0-255>    Specifies the payload offset to start the pattern match
    • <0-255> – Sets the offset value from 0 - 255

Example
rfs6000-37FABE(config-test-signature-test)#payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  dst-mac 55-66-77-88-99-00
  frame-type assoc
  filter-ageout 8
  payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Removes payload and associated settings
20.1.7.2.8 src-mac
signature mode commands

Configures a source MAC address for a packet examined for matching

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
src-mac <MAC>

Parameters
• src-mac <MAC>

src-mac <MAC>    Configures the source MAC address to match
    • <MAC> – Specify the source MAC address.

Example
rfs6000-37FABE(config-test-signature-test)#src-mac 00-1E-E5-EA-1D-60
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  src-mac 00-1E-E5-EA-1D-60
  dst-mac 55-66-77-88-99-00
  frame-type assoc
  filter-ageout 8
  payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Removes a WIPS signature source MAC address
20.1.7.2.9 ssid-match
signature mode commands

Configures the SSID (and its character length) used for matching

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ssid-match [ssid|ssid-len]
ssid-match [ssid <SSID>|ssid-len <0-32>]

Parameters
• ssid-match [ssid <SSID>|ssid-len <0-32>]

ssid <SSID>    Specifies the SSID match string
    • <SSID> – Specify the SSID string.
    Note: Specify the correct SSID to ensure proper filtering.
ssid-len <0-32>    Specifies the length of the SSID
    • <0-32> – Specify the SSID length from 0 - 32 characters.

Example
rfs6000-37FABE(config-test-signature-test)#ssid-match ssid PrinterLan
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  src-mac 00-1E-E5-EA-1D-60
  dst-mac 55-66-77-88-99-00
  frame-type beacon
  ssid-match ssid PrinterLan
  filter-ageout 8
  payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Removes the configured SSID
20.1.7.2.10 threshold-client
signature mode commands

Configures the wireless client threshold limit. When the wireless client exceeds the specified limit, an event is triggered.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
threshold-client <1-65535>

Parameters
• threshold-client <1-65535>

threshold-client <1-65535>    Configures the wireless client threshold limit
    • <1-65535> – Sets the threshold limit for a 60 second window from 1 - 65535

Example
rfs6000-37FABE(config-test-signature-test)#threshold-client 88
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  src-mac 00-1E-E5-EA-1D-60
  dst-mac 55-66-77-88-99-00
  frame-type beacon
  ssid-match ssid PrinterLan
  filter-ageout 8
  threshold-client 88
  payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Removes the wireless client threshold limit configured with a WIPS policy signature
20.1.7.2.11 threshold-radio
signature mode commands

Configures the radio’s threshold limit. When the radio exceeds the specified limit, an event is triggered.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
threshold-radio <1-65535>

Parameters
• threshold-radio <1-65535>

threshold-radio <1-65535>    Configures the radio’s threshold limit
    • <1-65535> – Specify the threshold limit for a 60 second window from 1 - 65535.

Example
rfs6000-37FABE(config-test-signature-test)#threshold-radio 88
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  src-mac 00-1E-E5-EA-1D-60
  dst-mac 55-66-77-88-99-00
  frame-type beacon
  ssid-match ssid PrinterLan
  filter-ageout 8
  threshold-client 88
  threshold-radio 88
  payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no    Removes the radio’s threshold limit configured with a WIPS policy signature
20.1.7.2.12 no
signature mode commands

Negates a command or resets settings to their default. When used in the config WIPS policy signature mode, the no command resets or removes WIPS signature settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [bssid|dst-mac|filter-ageout|frame-type|interference-event|mode|payload|src-mac|ssid-match|threshold-client|threshold-radio]
no [bssid|dst-mac|filter-ageout|frame-type|interference-event|mode enable|payload <1-3>|src-mac|ssid-match [ssid|ssid-len]|threshold-client|threshold-radio]

Parameters
• no <PARAMETERS>

no <PARAMETERS>    Negates a command or resets settings to their default

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
The following is the WIPS signature ‘test’ settings before the execution of the ‘no’ command:
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  src-mac 00-1E-E5-EA-1D-60
  dst-mac 55-66-77-88-99-00
  frame-type beacon
  ssid-match ssid PrinterLan
  filter-ageout 8
  threshold-client 88
  threshold-radio 88
  payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#
The following is the WIPS signature ‘test’ settings after the execution of the ‘no’ command:
rfs6000-37FABE(config-test-signature-test)#no mode enable
rfs6000-37FABE(config-test-signature-test)#no bssid
rfs6000-37FABE(config-test-signature-test)#no dst-mac
rfs6000-37FABE(config-test-signature-test)#no src-mac
rfs6000-37FABE(config-test-signature-test)#no filter-ageout
rfs6000-37FABE(config-test-signature-test)#no threshold-client
rfs6000-37FABE(config-test-signature-test)#no threshold-radio
rfs6000-37FABE(config-test-signature-test)#
 signature test
  no mode enable
  frame-type beacon
  payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)

20.1.8 use
wips-policy

Enables device categorization on this WIPS policy. This command uses an existing device categorization list. The list categorizes devices as authorized or unauthorized.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use device-categorization <DEVICE-CATEGORIZATION>

Parameters
• use device-categorization <DEVICE-CATEGORIZATION>
device-categorization <DEVICE-CATEGORIZATION> – Configures a device categorization list
• <DEVICE-CATEGORIZATION> – Specify the device categorization object name to associate with this profile

Example
rfs6000-37FABE(config-wips-policy-test)#use device-categorization test
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 no event client-anomaly wellenreiter filter-ageout 99
 signature test
  interference-event
  bssid 11-22-33-44-55-66
  dst-mac 55-66-77-88-99-00
  frame-type reassoc
  filter-ageout 8
  threshold-client 88
  payload 1 pattern test offset 1
 ap-detection-ageout 50
 ap-detection-wait-time 15
 use device-categorization test
rfs6000-37FABE(config-wips-policy-test)#

Related Commands
no – Disables the use of a device categorization policy with a WIPS policy

21 WLAN-QOS-POLICY

This chapter summarizes the WLAN QoS policy in the CLI command structure.

A WLAN QoS policy increases network efficiency by prioritizing data traffic. Prioritization reduces congestion. This is essential because of the lack of bandwidth for all users and applications. QoS helps ensure each WLAN on the wireless controller receives a fair share of the overall bandwidth, either equally or as per the proportion configured. Packets directed towards clients are classified into categories such as Video, Voice and Data. Packets within each category are processed based on the weights defined for each WLAN.

Each WLAN QoS policy has a set of parameters which it groups into categories, such as management, voice and data. Packets within each category are processed based on the weights defined for each WLAN.

Use the (config) instance to configure WLAN QoS policy commands. To navigate to the WLAN QoS policy instance, use the following commands:

<DEVICE>(config)#wlan-qos-policy <POLICY-NAME>

rfs6000-37FABE(config)#wlan-qos-policy test
rfs6000-37FABE(config-wlan-qos-test)#?
WLAN QoS Mode commands:
  accelerated-multicast  Configure accelerated multicast streams address and
                         forwarding QoS classification
  classification         Select how traffic on this WLAN must be classified
                         (relative prioritization on the radio)
  multicast-mask         Egress multicast mask (frames that match bypass the
                         PSPqueue. This permits intercom mode operation
                         without delay even in the presence of PSP clients)
  no                     Negate a command or set its defaults
  qos                    Quality of service
  rate-limit             Configure traffic rate-limiting parameters on a
                         per-wlan/per-client basis
  svp-prioritization     Enable spectralink voice protocol support on this wlan
  voice-prioritization   Prioritize voice client over other client (for
                         non-WMM clients)
  wmm                    Configure 802.11e/Wireless MultiMedia parameters
  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal
rfs6000-37FABE(config-wlan-qos-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

21.1 wlan-qos-policy
WLAN-QOS-POLICY

WLAN QoS configurations differ significantly from QoS policies configured for radios. WLAN QoS configurations are designed to support the data requirements of wireless clients, including the data types they support and their network permissions. Radio QoS policies are specific to the transmit and receive characteristics of the connected radios themselves, independent from the wireless clients these access point radios support.

The following table summarizes WLAN QoS policy configuration commands:

Table 21.1 WLAN-QoS-Policy-Config Commands

Command                Description                                                                          Reference
accelerated-multicast  Configures accelerated multicast stream addresses and forwards QoS classifications  page 21-3
classification         Classifies WLAN traffic based on priority                                            page 21-5
multicast-mask         Configures the egress prioritization multicast mask                                  page 21-7
no                     Negates a command or sets its default                                                page 21-8
qos                    Defines the QoS configuration                                                        page 21-9
rate-limit             Configures the WLAN traffic rate limit using a WLAN QoS policy                       page 21-10
svp-prioritization     Enables Spectralink voice protocol support on a WLAN                                 page 21-13
voice-prioritization   Prioritizes voice client over other clients                                          page 21-14
wmm                    Configures 802.11e/wireless multimedia parameters                                    page 21-15

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

21.1.1 accelerated-multicast
wlan-qos-policy

Configures the accelerated multicast stream address and forwarding QoS classification settings.

Enabling this option allows the system to automatically detect and convert multicast streams to unicast streams. When a stream is converted and queued up for transmission, there are a number of classification mechanisms that can be applied to the stream. Use the classification options to specify the traffic type to prioritize.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
accelerated-multicast [<IP>|autodetect]
accelerated-multicast [<IP>|autodetect] {classification [background|best-effort|trust|video|voice]}

Parameters
• accelerated-multicast [<IP>|autodetect] {classification [background|best-effort|trust|video|voice]}
accelerated-multicast – Configures the accelerated multicast stream address and forwarding QoS classification
<IP> – Configures a multicast IP address in the A.B.C.D format. The system can configure up to 32 IP addresses for each WLAN QoS policy.
autodetect – Allows the system to automatically detect multicast streams to be accelerated. This parameter allows the system to convert multicast streams to unicast, or to specify multicast streams converted to unicast.
classification – Optional. Configures the QoS classification (traffic class) settings. When the stream is converted and queued for transmission, specify the type of classification applied to the stream. The options are: background, best-effort, trust, voice, and video.
background – Forwards streams with background (low) priority. This parameter is common to both <IP> and autodetect.
best-effort – Forwards streams with best effort (normal) priority. This parameter is common to both <IP> and autodetect.
trust – No change to the stream's forwarding traffic class. This parameter is common to both <IP> and autodetect.
video – Forwards streams with video traffic priority. This parameter is common to both <IP> and autodetect.
voice – Forwards streams with voice traffic priority. This parameter is common to both <IP> and autodetect.

Example
rfs6000-37FABE(config-wlan-qos-test)#accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#

21.1.2 classification
wlan-qos-policy

Specifies how traffic on this WLAN is classified. This classification is based on relative prioritization on the radio.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
classification [low|non-unicast|non-wmm|normal|video|voice|wmm]
classification [low|normal|video|voice|wmm]
classification non-unicast [voice|video|normal|low|default]
classification non-wmm [voice|video|normal|low]

Parameters
• classification [low|normal|video|voice|wmm]
low – Optimized for background traffic. Implies all traffic on this WLAN is low priority on the radio
normal – Optimized for best effort traffic. Implies all traffic on this WLAN is prioritized as best effort traffic on the radio
video – Optimized for video traffic. Implies all traffic on this WLAN is prioritized as video traffic on the radio
voice – Optimized for voice traffic. Implies all traffic on this WLAN is prioritized as voice traffic on the radio
wmm – Uses WMM based classification, using DSCP or 802.1p tags, to classify traffic into different queues. Implies WiFi Multimedia QoS extensions are enabled on this radio. This allows different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic (voice, video etc). The WMM classification supports high throughput data rates required for 802.11n device support. This is the default setting.

• classification non-unicast [voice|video|normal|low|default]
non-unicast – Optimized for non-unicast traffic. Implies all traffic on this WLAN is designed for broadcast or multiple destinations
video – Optimized for non-unicast video traffic. Implies all WLAN non-unicast traffic is classified and treated as video packets
voice – Optimized for non-unicast voice traffic. Implies all WLAN non-unicast traffic is classified and treated as voice packets
normal – Optimized for non-unicast best effort traffic. Implies all WLAN non-unicast traffic is classified and treated as normal priority packets (best effort).
low – Optimized for non-unicast background traffic. Implies all WLAN non-unicast traffic is classified and treated as low priority packets (background)
default – Uses the default classification mode (same as unicast classification if WMM is disabled, normal if unicast classification is WMM). This is the default setting.

• classification non-wmm [voice|video|normal|low]
non-wmm – Specifies how traffic from non-WMM clients is classified
voice – Optimized for non-WMM voice traffic. Implies all WLAN non-WMM client traffic is classified and treated as voice packets
video – Optimized for non-WMM video traffic. Implies all WLAN non-WMM client traffic is classified and treated as video packets
normal – Optimized for non-WMM best effort traffic. Implies all WLAN non-WMM client traffic is classified and treated as normal priority packets (best effort). This is the default setting.
low – Optimized for non-WMM background traffic. Implies all WLAN non-WMM client traffic is classified and treated as low priority packets (background)

Example
rfs6000-37FABE(config-wlan-qos-test)#classification wmm
rfs6000-37FABE(config-wlan-qos-test)#classification non-wmm video
rfs6000-37FABE(config-wlan-qos-test)#classification non-unicast normal
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#

21.1.3 multicast-mask
wlan-qos-policy

Configures an egress prioritization multicast mask for this WLAN QoS policy.

Normally all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode wake to check for frames. However, for certain applications and traffic types, the administrator may want the frames transmitted immediately, without waiting for the DTIM interval. By configuring a primary or secondary prioritization multicast mask, the network administrator can indicate which packets are transmitted immediately.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
multicast-mask [primary|secondary] <MAC/MASK>

Parameters
• multicast-mask [primary|secondary] <MAC/MASK>
primary <MAC/MASK> – Configures the primary egress prioritization multicast mask
• <MAC/MASK> – Provide the MAC address and the mask in the AA-BB-CC-DD-EE-FF /XX-XX-XX-XX-XX-XX-XX format. The default value is 00-00-00-00-00-00/FF-FF-FF-FF-FF-FF.
Note: Setting masks is optional and only needed if there are traffic types requiring special handling.
secondary <MAC/MASK> – Configures the secondary egress prioritization multicast mask
• <MAC/MASK> – Provide the MAC address and the mask in the AA-BB-CC-DD-EE-FF /XX-XX-XX-XX-XX-XX-XX format. The default value is 00-00-00-00-00-00/FF-FF-FF-FF-FF-FF.

Example
rfs6000-37FABE(config-wlan-qos-test)#multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#

21.1.4 no
wlan-qos-policy

Negates a command or resets settings to their default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [accelerated-multicast|classification|multicast-mask|qos|rate-limit|svp-prioritization|voice-prioritization|wmm]
no [accelerated-multicast [<IP>|autodetect]|classification {non-unicast|non-wmm}|multicast-mask [primary|secondary]|qos trust [dscp|wmm]|svp-prioritization|voice-prioritization]
no rate-limit [client|wlan] [from-air|to-air] {max-burst-size|rate|red-threshold}
no rate-limit [client|wlan] [from-air|to-air] {max-burst-size|rate|red-threshold [background|best-effort|video|voice]}
no wmm [background|best-effort|power-save|qbss-load-element|video|voice]
no wmm [power-save|qbss-load-element]
no wmm [background|best-effort|video|voice] [aifsn|cw-max|cw-min|txop-limit]

Parameters
• no <PARAMETERS>
no <PARAMETERS> – Negates a command or resets settings to their default

Example
The following example shows the WLAN QoS Policy ‘test’ settings before the ‘no’ commands are executed:
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#

rfs6000-37FABE(config-wlan-qos-test)#no classification non-wmm
rfs6000-37FABE(config-wlan-qos-test)#no multicast-mask primary
rfs6000-37FABE(config-wlan-qos-test)#no qos trust dscp

The following example shows the WLAN QoS Policy ‘test’ settings after the ‘no’ commands are executed:
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-unicast normal
 no qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#

21.1.5 qos
wlan-qos-policy

Enables QoS on this WLAN.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
qos trust [dscp|wmm]

Parameters
• qos trust [dscp|wmm]
trust [dscp|wmm] – Trusts the QoS values of ingressing packets. Both these options are enabled by default.
• dscp – Trusts the IP DSCP values of ingressing packets
• wmm – Trusts the 802.11 WMM QoS values of ingressing packets

Example
rfs6000-37FABE(config-wlan-qos-test)#qos trust wmm
rfs6000-37FABE(config-wlan-qos-test)#qos trust dscp
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#

21.1.6 rate-limit
wlan-qos-policy

Configures the WLAN traffic rate limits using the WLAN QoS policy.

Excessive traffic causes performance issues or brings down the network entirely. Excessive traffic can be caused by numerous sources including network loops, faulty devices or malicious software such as a worm or virus that has infected one or more devices at the branch. Rate limiting limits the maximum rate sent to or received from the wireless network (and WLAN) per wireless client. It prevents any single user from overwhelming the wireless network. It can also provide differential service for service providers.

The uplink and downlink rate limits are usually configured on a RADIUS server using vendor specific attributes. Rate limits are extracted from the RADIUS server’s response. When such attributes are not present, settings defined on the controller (access point, wireless controller, or service platform) are applied. An administrator can set separate QoS rate limits for upstream (data transmitted from the managed network) and downstream (data transmitted to the managed network).

Before defining rate limit thresholds for WLAN upstream and downstream traffic, it is recommended that you define the normal number of ARP, broadcast, multicast and unknown unicast packets that typically transmit and receive from each supported WMM access category. If thresholds are defined too low, normal network traffic (required by end-user devices) is dropped, resulting in intermittent outages and performance problems.

Connected wireless clients can also have QoS rate limit settings defined in both the upstream and downstream direction.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rate-limit [client|wlan] [from-air|to-air] {max-burst-size|rate|red-threshold}
rate-limit [client|wlan] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}
rate-limit [client|wlan] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

Parameters
• rate-limit [client|wlan] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}
rate-limit – Configures traffic rate limit parameters
client – Configures traffic rate limiting parameters on a per-client basis
wlan – Configures traffic rate limiting parameters on a per-WLAN basis
from-air – Configures traffic rate limiting from a wireless client to the network
to-air – Configures the traffic rate limit from the network to a wireless client
max-burst-size <2-1024> – Optional. Sets the maximum burst size from 2 - 1024 kbytes. The chances of the upstream or downstream packet transmission getting congested for the WLAN’s client destination are reduced for smaller burst sizes. The default values are:
- WLAN ‘to-air’ and ‘from-air’: 320 kbytes
- Client ‘to-air’ and ‘from-air’: 64 kbytes
The smaller the burst, the lower the chance of upstream packet transmission resulting in congestion for the WLAN’s client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should then add a 10% margin (minimally) to allow for traffic bursts at the site.
rate <50-1000000> – Optional. Sets the traffic rate from 50 - 1000000 Kbps. This limit is the threshold value for the maximum number of packets received or transmitted over the WLAN from all access categories. Any traffic that exceeds the specified rate is dropped and a log message is generated. The default values are:
- WLAN ‘to-air’ and ‘from-air’: 5000 kbytes
- Client ‘to-air’ and ‘from-air’: 1000 kbytes

• rate-limit [client|wlan] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}
rate-limit – Configures traffic rate limit parameters
client – Configures traffic rate limiting parameters on a per-client basis
wlan – Configures traffic rate limiting parameters on a per-WLAN basis
from-air – Configures traffic rate limiting from a wireless client to the network
to-air – Configures the traffic rate limit from the network to a wireless client
red-threshold – Configures random early detection threshold values for a designated traffic class
background <0-100> – Optional. Sets the maximum burst size from 2 - 1024 kbytes. The chances of the upstream or downstream packet transmission getting congested for the WLAN’s client destination are reduced for smaller burst sizes. The default values are:
- WLAN ‘to-air’ and ‘from-air’: 320 kbytes
- Client ‘to-air’ and ‘from-air’: 64 kbytes
The smaller the burst, the lower the chance of upstream packet transmission resulting in congestion for the WLAN’s client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should then add a 10% margin (minimally) to allow for traffic bursts at the site.
best-effort <0-100> – The following is common to the ‘from-air’ and ‘to-air’ parameters: Optional. Sets a percentage value for best effort traffic in the upstream or downstream direction. Best effort traffic exceeding the defined threshold is dropped and a log message is generated. The default threshold values are:
- WLAN ‘to-air’ and ‘from-air’: 50%
- Client ‘to-air’ and ‘from-air’: 50%
video <0-100> – The following is common to the ‘from-air’ and ‘to-air’ parameters: Optional. Sets a percentage value for video traffic in the upstream or downstream direction. Video traffic exceeding the defined threshold is dropped and a log message is generated. The default threshold values are:
- WLAN ‘to-air’ and ‘from-air’: 25%
- Client ‘to-air’ and ‘from-air’: 25%
voice <0-100> – The following is common to the ‘from-air’ and ‘to-air’ parameters: Optional. Sets a percentage value for voice traffic in the upstream or downstream direction. Voice traffic exceeding the defined threshold is dropped and a log message is generated. The default threshold values are:
- WLAN ‘to-air’ and ‘from-air’: 0%
- Client ‘to-air’ and ‘from-air’: 0%
Note: A value of 0% means no early random drops.

Usage Guidelines
The following information should be taken into account when configuring rate limits:
• Background traffic consumes the least bandwidth, so this value can be set to a lower value once a general downstream rate is known by the network administrator (using a time trend analysis).
• Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis).
• Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis).
• Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis).

Example
rfs6000-37FABE(config-wlan-qos-test)#rate-limit wlan from-air max-burst-size 6
rfs6000-37FABE(config-wlan-qos-test)#rate-limit wlan from-air rate 55
rfs6000-37FABE(config-wlan-qos-test)#rate-limit wlan from-air red-threshold best-effort 10
rfs6000-37FABE(config-wlan-qos-test)#rate-limit client from-air red-threshold background 3
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 rate-limit wlan from-air rate 55
 rate-limit wlan from-air max-burst-size 6
 rate-limit wlan from-air red-threshold best-effort 10
 rate-limit client from-air red-threshold background 3
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
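
The following is an added example, not part of the Extreme Networks guide: a Python audit that parses the rate-limit lines of a `show context` listing, checks each value against the ranges given in the Syntax section, and compares a configured rate with the trended average plus the 10% margin recommended in the parameter description. The function names and the baseline samples are constructed for illustration; the context listing is the one from the rate-limit example.

```python
import re

# Value ranges documented in the rate-limit Syntax section.
RANGES = {"max-burst-size": (2, 1024), "rate": (50, 1000000), "red-threshold": (0, 100)}
TRAFFIC_CLASSES = ("background", "best-effort", "video", "voice")

RATE_LIMIT_RE = re.compile(
    r"^rate-limit (client|wlan) (from-air|to-air) "
    r"(?:(max-burst-size|rate) (\d+)|(red-threshold) (\S+) (\d+))$"
)

# The "show context" listing from the rate-limit example, used as input.
SAMPLE_CONTEXT = """\
wlan-qos-policy test
 classification non-wmm video
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 rate-limit wlan from-air rate 55
 rate-limit wlan from-air max-burst-size 6
 rate-limit wlan from-air red-threshold best-effort 10
 rate-limit client from-air red-threshold background 3
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
"""

# Constructed baseline (not from the guide): trended WLAN from-air load in Kbps.
BASELINE_KBPS = {("wlan", "from-air"): [900, 1100, 1250, 1000, 1350]}


def recommend_rate(samples_kbps, margin_pct=10):
    """Average the trend samples, add the margin, clamp to the documented range."""
    if not samples_kbps:
        raise ValueError("need at least one baseline sample")
    low, high = RANGES["rate"]
    numerator = sum(samples_kbps) * (100 + margin_pct)
    denominator = 100 * len(samples_kbps)
    target = -(-numerator // denominator)  # integer ceiling, no float rounding
    return max(low, min(high, target))


def parse_rate_limits(context):
    """Return (entries, errors) for every rate-limit line in a show context block."""
    entries, errors = [], []
    for raw in context.splitlines():
        line = raw.strip()
        if not line.startswith("rate-limit "):
            continue
        match = RATE_LIMIT_RE.match(line)
        if not match:
            errors.append(f"unparsed: {line}")
            continue
        scope, direction = match.group(1), match.group(2)
        if match.group(3):
            option, traffic_class, value = match.group(3), None, int(match.group(4))
        else:
            option, traffic_class, value = match.group(5), match.group(6), int(match.group(7))
            if traffic_class not in TRAFFIC_CLASSES:
                errors.append(f"unknown traffic class: {line}")
                continue
        low, high = RANGES[option]
        if not low <= value <= high:
            errors.append(f"out of range {low}-{high}: {line}")
            continue
        entries.append((scope, direction, option, traffic_class, value))
    return entries, errors


def audit(context, baselines):
    """Report invalid lines and rates configured below baseline plus margin."""
    entries, findings = parse_rate_limits(context)
    for scope, direction, option, _traffic_class, value in entries:
        samples = baselines.get((scope, direction))
        if option == "rate" and samples:
            needed = recommend_rate(samples)
            if value < needed:
                findings.append(
                    f"{scope} {direction} rate {value} Kbps is below "
                    f"baseline+10% ({needed} Kbps): risks dropping normal traffic"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONTEXT, BASELINE_KBPS):
        print(finding)
```

Against the constructed baseline, the `rate 55` line from the example is reported as too low, which is the failure mode the description warns about when thresholds are set below normal traffic levels.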

21.1.7 svp-prioritization
wlan-qos-policy

Enables WLAN SVP support on this WLAN QoS policy. SVP support enables the identification and prioritization of traffic from Spectralink/Polycom phones. This gives priority to voice, with voice management packets supported only on certain legacy VOIP phones. If the wireless client classification is WMM, non-WMM devices recognized as voice devices have all their traffic transmitted at voice priority. Devices are classified as voice when they emit SIP, SCCP, or H323 traffic. Thus, selecting this option has no effect on devices supporting WMM.

This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
svp-prioritization

Parameters
None

Example
rfs6000-37FABE(config-wlan-qos-test)#svp-prioritization
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 svp-prioritization
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 rate-limit wlan from-air rate 55
 rate-limit wlan from-air max-burst-size 6
 rate-limit wlan from-air red-threshold best-effort 10
 rate-limit client from-air red-threshold background 3
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#

21.1.8 voice-prioritization
wlan-qos-policy

Prioritizes voice clients over other clients (for non-WMM clients). This gives priority to voice and voice management packets and is supported only on certain legacy VOIP phones. This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
voice-prioritization

Parameters
None

Example
rfs6000-37FABE(config-wlan-qos-test)#voice-prioritization
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 svp-prioritization
 voice-prioritization
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 rate-limit wlan from-air rate 55
 rate-limit wlan from-air max-burst-size 6
 rate-limit wlan from-air red-threshold best-effort 10
 rate-limit client from-air red-threshold background 3
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
WLAN-QOS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 21 - 1521.1.9 wmmwlan-qos-policyConfigures 802.11e/Wireless Multimedia (WMM) parameters for this WLAN QoS policyWMM makes it possible for both home networks and Enterprises to decide which data streams are most important and assign them a higher traffic priority.WMM’s prioritization capabilities are based on the four access categories (background, best-effort, video, and voice). Higher the Access Category (AC) higher is the transmission probability over the controller managed WLAN. ACs correspond to the 802.1d priorities, facilitating interoperability with QoS policy management mechanisms. WMM enabled controllers coexist with legacy devices (not WMM-enabled).Packets not assigned to a specific access category are categorized as best effort by default. Applications assign each data packet to a given access category. Categorized packets are added to one of four independent transmit queues (one per access category). The client has an internal collision resolution mechanism to address collision among different queues, which selects the frames with the highest priority to transmit.The same mechanism deals with external collision, to determine which client should be granted the Opportunity to Transmit (TXOP). The collision resolution algorithm responsible for traffic prioritization is probabilistic and depends on two timing parameters that vary for each access category. These parameters are:• The minimum interframe space, or Arbitrary Inter-Frame Space Number (AIFSN)• The contention window, sometimes referred to as the random back off waitBoth values are smaller for high-priority traffic. The value of the contention window varies through time. Initially the contention window is set to a value that depends on the AC. 
As frames with the highest AC tend to have the lowest back off values, they are more likely to get a TXOP.After each collision the contention window is doubled until a maximum value (also dependent on the AC) is reached. After successful transmission, the contention window is reset to its initial, AC dependant value. The AC with the lowest back off value gets the TXOP.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxwmm [background|best-effort|power-save|qbss-load-element|video|voice]wmm [power-save|qbss-load-element]wmm [background|best-effort|video|voice] [aifsn <2-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]Parameters• wmm [power-save|qbss-load-element]wmm Configures 802.11e/wireless multimedia parameters
power-save
    Enables support for the WMM-Powersave mechanism. This mechanism, also known as Unscheduled Automatic Power Save Delivery (U-APSD), is specifically designed for WMM voice devices. This feature is enabled by default.

qbss-load-element
    Enables support for the QOS Basic Service Set (QBSS) load information element in beacons and probe response packets advertised by access points. This feature is enabled by default.

• wmm [background|best-effort|video|voice] [aifsn <2-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]

wmm
    Configures 802.11e/wireless multimedia parameters. This parameter enables the configuration of four access categories. Applications assign each data packet to one of these four access categories and queue it for transmission.

background
    Configures background access category parameters

best-effort
    Configures best effort access category parameters. Packets not assigned to any particular access category are categorized by default as having best effort priority

video
    Configures video access category parameters

voice
    Configures voice access category parameters

aifsn <2-15>
    Configures Arbitrary Inter-Frame Space Number (AIFSN) from 2 - 15. AIFSN is the wait time between data frames. This parameter is common to background, best effort, video and voice.
    The default for traffic voice categories is 2
    The default for traffic video categories is 2
    The default for traffic best effort (normal) categories is 3
    The default for traffic background (low) categories is 7
    • <2-15> – Sets a value from 2 - 15

cw-max <0-15>
    Configures the maximum contention window. Wireless clients pick a number between 0 and the minimum contention window to wait before retransmission. Wireless clients then double their wait time on a collision, until it reaches the maximum contention window. This parameter is common to background, best effort, video and voice.
    The default for traffic voice categories is 3
    The default for traffic video categories is 4
    The default for traffic best effort (normal) categories is 10
    The default for traffic background (low) categories is 10
    • <0-15> – ECW: the contention window. The actual value used is (2^ECW - 1). Set a value from 0 - 15.
cw-min <0-15>
    Configures the minimum contention window. Wireless clients pick a number between 0 and the min contention window to wait before retransmission. Wireless clients then double their wait time on a collision, until it reaches the maximum contention window. This parameter is common to background, best effort, video and voice.
    The default for traffic voice categories is 2
    The default for traffic video categories is 3
    The default for traffic best effort (normal) categories is 4
    The default for traffic background (low) categories is 4
    • <0-15> – ECW: the contention window. The actual value used is (2^ECW - 1). Set a value from 0 - 15.

txop-limit <0-65535>
    Configures the transmit-opportunity (the interval of time during which a particular client has the right to initiate transmissions). This parameter is common to background, best effort, video and voice.
    The default for traffic voice categories is 47
    The default for traffic video categories is 94
    The default for traffic best effort (normal) categories is 0
    The default for traffic background (low) categories is 0
    • <0-65535> – Set a value from 0 - 65535 to configure the transmit-opportunity in 32 microsecond units.

Example
rfs6000-37FABE(config-wlan-qos-test)#wmm video txop-limit 9
rfs6000-37FABE(config-wlan-qos-test)#wmm voice cw-min 6
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 svp-prioritization
 voice-prioritization
 wmm video txop-limit 9
 wmm voice cw-min 6
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 rate-limit wlan from-air rate 55
 rate-limit wlan from-air max-burst-size 6
 rate-limit wlan from-air red-threshold best-effort 10
 rate-limit client from-air red-threshold background 3
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
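The contention rules in this section can be worked through numerically. The following Python sketch is an added example, not part of the WiNG documentation or software: it converts the default ECW and TXOP values listed above into contention windows and microseconds, then runs a simplified slot-level model of four saturated stations, one per access category. The one-station-per-AC setup, the function names and the fixed random seed are assumptions.

```python
import random

# Defaults listed in this section for each access category (AC):
# AIFSN, ECWmin (cw-min), ECWmax (cw-max), TXOP limit in 32-microsecond units.
WMM_DEFAULTS = {
    "voice":       {"aifsn": 2, "cw_min": 2, "cw_max": 3,  "txop_limit": 47},
    "video":       {"aifsn": 2, "cw_min": 3, "cw_max": 4,  "txop_limit": 94},
    "best-effort": {"aifsn": 3, "cw_min": 4, "cw_max": 10, "txop_limit": 0},
    "background":  {"aifsn": 7, "cw_min": 4, "cw_max": 10, "txop_limit": 0},
}


def cw_from_ecw(ecw):
    """The CLI takes an exponent (ECW); the window actually used is 2^ECW - 1."""
    return (1 << ecw) - 1


def txop_microseconds(units):
    """txop-limit is configured in 32-microsecond units."""
    return units * 32


def backoff_ladder(ac, params=WMM_DEFAULTS):
    """Contention window after 0, 1, 2, ... collisions, capped at cw-max."""
    p = params[ac]
    return [cw_from_ecw(e) for e in range(p["cw_min"], p["cw_max"] + 1)]


def first_attempt_wait(ac, params=WMM_DEFAULTS):
    """(shortest, longest) wait in slots before a first transmission attempt."""
    p = params[ac]
    return p["aifsn"], p["aifsn"] + cw_from_ecw(p["cw_min"])


def simulate(rounds=20000, seed=1, params=WMM_DEFAULTS):
    """Simplified external contention: one always-busy station per AC.

    Each station waits AIFSN slots, then counts down a random backoff.
    The station that reaches zero first gets the TXOP; a tie is a collision.
    Returns (wins per AC, number of collisions).
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    ecw = {ac: p["cw_min"] for ac, p in params.items()}
    counter = {ac: rng.randint(0, cw_from_ecw(ecw[ac])) for ac in params}
    wins = dict.fromkeys(params, 0)
    collisions = 0
    for _ in range(rounds):
        wait = {ac: params[ac]["aifsn"] + counter[ac] for ac in params}
        t = min(wait.values())
        senders = [ac for ac in params if wait[ac] == t]
        # Losers keep (freeze) their backoff, minus the slots they counted
        # down after their own AIFSN had elapsed.
        for ac in params:
            if ac not in senders:
                counter[ac] -= max(0, t - params[ac]["aifsn"])
        if len(senders) == 1:
            wins[senders[0]] += 1
            ecw[senders[0]] = params[senders[0]]["cw_min"]  # reset on success
        else:
            collisions += 1
            for ac in senders:  # raising ECW by one doubles the window
                ecw[ac] = min(ecw[ac] + 1, params[ac]["cw_max"])
        for ac in senders:
            counter[ac] = rng.randint(0, cw_from_ecw(ecw[ac]))
    return wins, collisions


if __name__ == "__main__":
    for ac, p in WMM_DEFAULTS.items():
        print(ac, "CW ladder:", backoff_ladder(ac),
              "TXOP us:", txop_microseconds(p["txop_limit"]),
              "first wait (slots):", first_attempt_wait(ac))
    print(simulate())
```

With the defaults, a first voice attempt waits at most 5 slots while background waits at least 7, which is why background traffic only transmits when the higher categories have backed off after collisions.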
22 L2TPV3-POLICY

This chapter summarizes Layer 2 Tunnel Protocol Version 3 (L2TPv3) policy commands in the CLI command structure.

L2TPv3 is an IETF standard used for transporting different types of layer 2 frames over an intermediate IP network. L2TPv3 defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes. Use L2TPv3 to create tunnels for transporting layer 2 frames. L2TPv3 enables WING supported controllers and access points to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TPv3 tunnels can be defined between WING devices and other vendor devices supporting the L2TPv3 protocol.

Multiple pseudowires can be created within an L2TPv3 tunnel. WING supported devices support an Ethernet VLAN pseudowire type exclusively. A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network.

Ethernet VLAN pseudowires transport Ethernet frames to and from a specified VLAN. One or more L2TPv3 tunnels can be defined between tunnel end points. Each tunnel can have one or more L2TPv3 sessions. Each tunnel session corresponds to one pseudowire. An L2TPv3 control connection (an L2TPv3 tunnel) needs to be established between the tunneling entities before creating a session.

For optimal pseudowire operation, both the L2TPv3 session originator and responder need to know the pseudowire type and identifier. These two parameters are communicated during L2TPv3 session establishment. An L2TPv3 session created within an L2TPv3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID.

The working status of a pseudowire is reflected by the state of the L2TPv3 session. If an L2TPv3 session is down, the pseudowire associated with it must be shut down. The L2TPv3 control connection keep-alive mechanism can serve as a monitoring mechanism for the pseudowires associated with a control connection.

NOTE: If connecting an Ethernet port to another Ethernet port, the pseudowire type must be Ethernet port. If connecting an Ethernet VLAN to another Ethernet VLAN, the pseudowire type must be Ethernet VLAN.
This chapter is organized into the following sections:
• l2tpv3-policy-commands
• l2tpv3-tunnel-commands
• l2tpv3-manual-session-commands

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
22.1 l2tpv3-policy-commands

Use the (config) instance to configure L2TPv3 policy parameters. To navigate to the L2TPv3 policy instance, use the following commands:

<DEVICE>(config)#l2tpv3 policy <L2TPV3-POLICY-NAME>

rfs6000-37FABE(config)#l2tpv3 policy L2TPV3Policy1
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#?
L2tpv3 Policy Mode commands:
  cookie-size             Size of the cookie field present in each l2tpv3 data
                          message
  failover-delay          Time interval for re-establishing the tunnel after
                          the failover (RF-Domain
                          manager/VRRP-master/Cluster-master failover)
  force-l2-path-recovery  Enables force learning of servers, gateways etc.,
                          behind the l2tpv3 tunnel when the tunnel is
                          established
  hello-interval          Configure the time interval (in seconds) between
                          l2tpv3 Hello keep-alive messages exchanged in l2tpv3
                          control connection
  no                      Negate a command or set its defaults
  reconnect-attempts      Maximum number of attempts to reestablish the
                          tunnel.
  reconnect-interval      Time interval between the successive attempts to
                          reestablish the l2tpv3 tunnel
  retry-attempts          Configure the maximum number of retransmissions for
                          signaling message
  retry-interval          Time interval (in seconds) before the initiating a
                          retransmission of any l2tpv3 signaling message
  rx-window-size          Number of signaling messages that can be received
                          without sending the acknowledgment
  tx-window-size          Number of signaling messages that can be sent
                          without receiving the acknowledgment

  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

The following table summarizes L2TPv3 policy configuration commands:

Table 22.1 L2TPV3-Tunnel-Policy-Config Commands

Command                 Description
cookie-size             Configures the cookie field size for each L2TPv3 data packet
failover-delay          Configures the L2TPv3 tunnel failover delay in seconds
force-l2-path-recovery  Enables the forced detection of servers and gateways behind the L2TPv3 tunnel
hello-interval          Configures the interval, in seconds, between L2TPv3 “Hello” keep-alive messages exchanged in the L2TPv3 control connection
no                      Negates or reverts L2TPv3 tunnel commands
reconnect-attempts      Configures the maximum number of retransmissions for signalling messages
reconnect-interval      Configures the interval, in seconds, between successive attempts to re-establish a failed tunnel connection
retry-attempts          Configures the maximum number of retransmissions of signalling messages
retry-interval          Configures the interval, in seconds, before initiating a retransmission of any L2TPv3 signalling message
rx-window-size          Configures the number of signalling messages received without sending an acknowledgment
tx-window-size          Configures the number of signalling messages transmitted without receiving an acknowledgment

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
22.1.1 cookie-size

Configures the size of the cookie field present in each L2TPv3 data packet. L2TPv3 data packets contain a session cookie that identifies the session (pseudowire) corresponding to it. In a tunnel, the cookie is a 4-byte or 8-byte signature shared between the two tunnel endpoints. This signature is configured at both the source and destination routers. If the signatures at the two ends do not match, the data is dropped. All sessions within a tunnel have the same session cookie size.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cookie-size [0|4|8]

Parameters
• cookie-size [0|4|8]

cookie-size [0|4|8]
    Configures the cookie-field size for each data packet. Select one of the following options:
    • 0 – No cookie field present in each L2TPv3 data message (this is the default setting)
    • 4 – 4 byte cookie field present in each L2TPv3 data message
    • 8 – 8 byte cookie field present in each L2TPv3 data message

Example
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#cookie-size 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 cookie-size 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Resets the cookie-field size to its default (0 - no cookie field present in each L2TPv3 data packet)
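The cookie check described in this section, shown from the receiving endpoint's side. This is an added Python example, not WiNG code: it assumes the L2TPv3-over-IP data header layout from RFC 3931 (a 32-bit session ID followed by the optional 4-byte or 8-byte cookie), and the session table, cookie values and packets are constructed for illustration.

```python
import hmac
import struct
from dataclasses import dataclass

VALID_COOKIE_SIZES = (0, 4, 8)  # the values the cookie-size command accepts


@dataclass(frozen=True)
class Session:
    """Receiver-side record for one pseudowire (hypothetical structure)."""
    session_id: int
    cookie: bytes = b""  # empty when cookie-size is 0

    def __post_init__(self):
        if len(self.cookie) not in VALID_COOKIE_SIZES:
            raise ValueError("cookie must be 0, 4 or 8 bytes long")
        if not 0 < self.session_id <= 0xFFFFFFFF:
            raise ValueError("session ID must be a non-zero 32-bit value")


def build_data_packet(session, frame):
    """Sender side: session ID, then the cookie, then the tunneled frame."""
    return struct.pack("!I", session.session_id) + session.cookie + frame


def check_data_packet(packet, sessions):
    """Receiver side: return (verdict, payload); payload is empty on a drop."""
    if len(packet) < 4:
        return "drop: truncated header", b""
    (session_id,) = struct.unpack("!I", packet[:4])
    if session_id == 0:
        # Over IP, session ID 0 marks a control message, not data.
        return "drop: not a data message", b""
    session = sessions.get(session_id)
    if session is None:
        return "drop: unknown session", b""
    end = 4 + len(session.cookie)
    if len(packet) < end:
        return "drop: truncated cookie", b""
    # Constant-time comparison so timing does not reveal how many leading
    # cookie bytes matched.
    if not hmac.compare_digest(packet[4:end], session.cookie):
        return "drop: cookie mismatch", b""
    return "accept", packet[end:]


# Constructed sample data: one session with an 8-byte cookie and one left
# at the default cookie-size 0.
SESSIONS = {
    s.session_id: s
    for s in (
        Session(0x1001, bytes.fromhex("a1b2c3d4e5f60718")),
        Session(0x1002),
    )
}
FRAME = b"constructed-ethernet-frame"

if __name__ == "__main__":
    good = build_data_packet(SESSIONS[0x1001], FRAME)
    wrong_cookie = struct.pack("!I", 0x1001) + bytes(8) + FRAME
    no_cookie = struct.pack("!I", 0x1002) + FRAME
    for name, pkt in (("matching cookie", good),
                      ("wrong cookie", wrong_cookie),
                      ("cookie-size 0 session", no_cookie)):
        print(name, "->", check_data_packet(pkt, SESSIONS)[0])
```

With the default cookie-size 0 the receiver has only the 32-bit session ID to match on, which is why the second constructed session accepts any payload carrying its ID.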
22.1.2 failover-delay

Configures the L2TPv3 tunnel failover delay in seconds. This is the interval after which a failed over tunnel is re-established.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
failover-delay <5-60>

Parameters
• failover-delay <5-60>

failover-delay <5-60>
    Sets the delay interval to re-establish a failed L2TPv3 tunnel (RF-Domain manager/VRRP-master/Cluster-master failover)
    • <5-60> – Specify a failover delay from 5 - 60 seconds. The default is 5 seconds.

Example
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#failover-delay 30
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 failover-delay 30
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 rx-window-size 9
 tx-window-size 9
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Resets the failover interval to its default (5 seconds)
22.1.3 force-l2-path-recovery

Enables the forced detection of servers and gateways behind the L2TPv3 tunnel. This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
force-l2-path-recovery

Parameters
None

Example
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#force-l2-path-recovery
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 failover-delay 30
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 rx-window-size 9
 tx-window-size 9
 reconnect-interval 100
 reconnect-attempts 8
 force-l2-path-recovery
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Disables the forced detection of servers and gateways behind the L2TPv3 tunnel
22.1.4 hello-interval

Configures the interval, in seconds, between L2TPv3 “Hello” keep-alive messages exchanged in a L2TPv3 control connection.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
hello-interval <1-3600>

Parameters
• hello-interval <1-3600>

hello-interval <1-3600>
    Configures the interval for L2TPv3 “Hello” keep-alive messages
    • <1-3600> – Specify a value from 1 - 3600 seconds (default is 60 seconds).

Example
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#hello-interval 200
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 cookie-size 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Resets the “Hello” keep-alive message interval to its default of 60 seconds
22.1.5 no

Negates or reverts L2TPv3 policy settings to default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [cookie-size|failover-delay|force-l2-path-recovery|hello-interval|reconnect-attempts|reconnect-interval|retry-attempts|retry-interval|rx-window-size|tx-window-size]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Negates or reverts L2TPv3 policy settings to default

Example
The following example shows the l2tpv3 policy ‘L2TPV3Policy1’ settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 reconnect-interval 100
 reconnect-attempts 50
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no hello-interval
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no reconnect-attempts
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no reconnect-interval
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no retry-attempts
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no retry-interval
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no cookie-size

The following example shows the l2tpv3 policy ‘L2TPV3Policy1’ settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#
22.1.6 reconnect-attempts

Configures the maximum number of attempts made to re-establish a tunnel connection

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
reconnect-attempts <0-8>

Parameters
• reconnect-attempts <0-8>

reconnect-attempts <0-8>
    Configures the maximum number of attempts made to re-establish a tunnel connection
    • <0-8> – Specify a value from 0 - 8 (default is 0: configures infinite reconnect attempts).

Example
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 cookie-size 8
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Resets the maximum number of reconnect attempts to default (0: configures infinite reconnect attempts)
22.1.7 reconnect-interval

Configures the interval, in seconds, between two successive attempts to re-establish a failed tunnel connection

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
reconnect-interval <1-3600>

Parameters
• reconnect-interval <1-3600>

reconnect-interval <1-3600>
    Configures the interval between successive attempts to re-establish a failed tunnel connection
    • <1-3600> – Specify a value from 1 - 3600 seconds (default is 120 seconds).

Example
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#reconnect-interval 100
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 cookie-size 8
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Resets the interval between successive attempts to re-establish a failed tunnel connection to default (120 seconds)
22.1.8 retry-attempts

Configures the maximum number of attempts made to retransmit signalling messages. Use this command to specify how many retransmission cycles occur before determining the target tunnel peer is not reachable.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
retry-attempts <1-10>

Parameters
• retry-attempts <1-10>

retry-attempts <1-10>
    Configures the maximum number of attempts made to retransmit signalling messages
    • <1-10> – Specify a value from 1 - 10 (default is 5 attempts).

Example
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#retry-attempts 10
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 cookie-size 8
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Resets the maximum number of retransmissions of signalling messages to default (5 attempts)
22.1.9 retry-interval

Configures the interval, in seconds, between two successive attempts at retransmitting a L2TPv3 signalling message

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
retry-interval <1-250>

Parameters
• retry-interval <1-250>

retry-interval <1-250>
    Configures the interval, in seconds, between two successive retransmission attempts
    • <1-250> – Specify a value from 1 - 250 seconds (default is 5 seconds).

Example
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#retry-interval 30
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Resets the retry interval to default (5 seconds)
22.1.10 rx-window-size

Configures the number of signalling packets received without sending an acknowledgment

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rx-window-size <1-15>

Parameters
• rx-window-size <1-15>

rx-window-size <1-15>
    Configures the number of packets received without sending an acknowledgment
    • <1-15> – Specify a value from 1 - 15 (default is 10 packets).

Example
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#rx-window-size 9
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 rx-window-size 9
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Resets the number of packets received without sending an acknowledgment to default (10 packets)
22.1.11 tx-window-size

Configures the number of signalling packets transmitted without receiving an acknowledgment

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
tx-window-size <1-15>

Parameters
• tx-window-size <1-15>

tx-window-size <1-15>
    Configures the number of packets transmitted without receiving an acknowledgment
    • <1-15> – Specify a value from 1 - 15 (default is 10 packets).

Example
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#tx-window-size 9
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 rx-window-size 9
 tx-window-size 9
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Resets the number of packets transmitted without receiving an acknowledgment to default (10 packets)
22.2 l2tpv3-tunnel-commands

Use the (profile or device context) instance to configure a L2TPv3 tunnel. To navigate to the tunnel configuration mode, use the following command in the profile context:

<DEVICE>(config-profile-default-rfs7000)#l2tpv3 tunnel <TUNNEL-NAME>

rfs6000-37FABE(config-profile-default-rfs7000)#l2tpv3 tunnel Tunnel1
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#?
L2tpv3 Tunnel Mode commands:
  establishment-criteria  Set tunnel establishment criteria
  fast-failover           Configure fast failover for l2tpv3 tunnels
  hostname                Tunnel specific local hostname
  local-ip-address        Configure the IP address for tunnel. If not
                          specified, tunnel source ip address would be chosen
                          automatically based on the tunnel peer ip address
  mtu                     Configure the mtu size for the tunnel
  no                      Negate a command or set its defaults
  peer                    Configure the l2tpv3 tunnel peers. At least one peer
                          must be specified
  router-id               Tunnel specific local router ID
  session                 Create / modify the specified l2tpv3 session
  use                     Set setting to use

  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

The following table summarizes L2TPv3 tunnel configuration commands:

Table 22.2 L2TPV3-Tunnel-Config Commands

Command                 Description
establishment-criteria  Configures L2TPv3 tunnel establishment criteria
fast-failover           Configures fast-failover support on the L2TPv3 tunnel
hostname                Configures tunnel specific local hostname
local-ip-address        Configures the tunnel’s IP address
mtu                     Configures the tunnel’s Maximum Transmission Unit (MTU) size
no                      Negates or reverts L2TPv3 tunnel commands
peer                    Configures the tunnel’s peers
router-id               Configures the tunnel’s local router ID
session                 Creates/modifies specified L2TPv3 session
use                     Configures a tunnel to use a specified L2TPv3 tunnel policy
22.2.1 establishment-criteria

Configures L2TPv3 tunnel establishment criteria

A L2TPv3 tunnel is established from the current device to the NOC controller when the current device becomes the VRRP master, cluster master, or RF Domain manager. Similarly, the L2TPv3 tunnel is closed when the current device switches to standby or backup mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]

Parameters
• establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]

always
    Always establishes a L2TPv3 tunnel from the current device to the NOC controller. This is the default setting.
    The ‘always’ option indicates the device need not be a cluster-master, rf-domain-manager, or vrrp-master to establish a tunnel.

cluster-master
    Establishes a L2TPv3 tunnel from the current device to the NOC controller, only when the current device becomes the cluster master
    Note: The L2TPv3 tunnel is closed when the current device switches back to standby or backup mode.

rf-domain-manager
    Establishes a L2TPv3 tunnel from the current device to the NOC controller, only when the current device becomes the RF Domain manager
    Note: The L2TPv3 tunnel is closed when the current device switches back to standby or backup mode.

vrrp-master <1-255>
    Establishes a L2TPv3 tunnel from the current device to the NOC controller, only when the current device becomes the VRRP master
    • <1-255> – Specify the VRRP group number from 1 - 255.
    Note: The L2TPv3 tunnel is closed when the current device switches back to standby or backup mode.

Example
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands
no
    Resets to default (always)
22.2.2 fast-failover

Configures fast-failover support on the L2TPv3 tunnel. When configured, devices using this profile send tunnel requests to both peers and, in turn, establish tunnels with both peers. If not configured, tunnel establishment occurs on one peer, with failover and other functionality the same as legacy behavior. If fast failover is configured when an active tunnel with one peer already exists, the tunnel establishment process is re-initiated with both peers. Of the two tunnels established, one is marked active while the other is standby. Only the sessions and routes from the active tunnel are pushed to the dataplane, resulting in creation of data sessions. However, if the active tunnel fails, sessions and routes from the standby tunnel are pushed to the dataplane, thereby providing almost immediate failover. Both tunnels individually perform connection health checkups through hello intervals. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
fast-failover {aggressive}

Parameters
• fast-failover {aggressive}

fast-failover
    Configures fast-failover support on the L2TPv3 tunnel

aggressive
    Optional. When enabled, tunnel initiation hello requests are set to zero. For failure detections, hello attempts are not retried, regardless of the number of retry attempts configured. This option is disabled by default.
    Note: The hello-interval and retry-attempts parameters are defined in the L2TPv3 Policy context. For more information on configuring an L2TPv3 policy, see l2tpv3-policy-commands. For more information on associating an L2TPv3 policy to an L2TPv3 tunnel, see use.

Example
nx9500-6C8809(config-profile testNX9500-l2tpv3-tunnel-TestTunnel2)#show context include-factory | include fast-failover
  no fast-failover
nx9500-6C8809(config-profile testNX9500-l2tpv3-tunnel-TestTunnel2)#

nx9500-6C8809(config-profile testNX9500-l2tpv3-tunnel-TestTunnel2)#fast-failover aggressive
nx9500-6C8809(config-profile testNX9500-l2tpv3-tunnel-TestTunnel2)#show context
 l2tpv3 tunnel TestTunnel2
  fast-failover aggressive
nx9500-6C8809(config-profile testNX9500-l2tpv3-tunnel-TestTunnel2)#

Related Commands
no
    Removes fast-failover support on the L2TPv3 tunnel
22.2.3 hostname

l2tpv3-tunnel-commands

Configures the tunnel’s local hostname

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

hostname <WORD>

Parameters

• hostname <WORD>

hostname <WORD>
    Configures the tunnel’s local hostname
    • <WORD> – Specify the tunnel’s local hostname.

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#hostname TunnelHost1

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  hostname TunnelHost1
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no
    Removes the tunnel’s local hostname
22.2.4 local-ip-address

l2tpv3-tunnel-commands

Configures the tunnel’s source IP address. If no IP address is specified, the tunnel’s source IP address is automatically configured based on the tunnel’s peer IP address.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

local-ip-address <IP>

Parameters

• local-ip-address <IP>

local-ip-address <IP>
    Configures the L2TPv3 tunnel’s source IP address
    • <IP> – Specify the tunnel’s IP address. Ensure the IP address is available (or will become available - virtual IP) on an interface. Modifying a tunnel’s local IP address re-establishes the tunnel.

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#local-ip-address 172.16.10.2

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  local-ip-address 172.16.10.2
  hostname TunnelHost1
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no
    Resets the tunnel’s local IP address and re-establishes the tunnel
22.2.5 mtu

l2tpv3-tunnel-commands

Configures the MTU size for this tunnel. This value determines the packet size transmitted over this tunnel.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

mtu <128-1460>

Parameters

• mtu <128-1460>

mtu <128-1460>
    Configures the MTU size for this tunnel
    • <128-1460> – Specify a value from 128 - 1460 bytes (default is 1460 bytes).

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#mtu 1280

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  local-ip-address 172.16.10.2
  mtu 1280
  hostname TunnelHost1
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no
    Resets the MTU size for this tunnel to default (1460 bytes)
22.2.6 no

l2tpv3-tunnel-commands

Negates or reverts a L2TPv3 tunnel’s settings to default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [establishment-criteria|fast-failover|hostname|local-ip-address|mtu|peer <1-2>|router-id|session|use]

Parameters

• no <PARAMETERS>

no <PARAMETERS>
    Negates or reverts a L2TPv3 tunnel’s settings to default

Example

The tunnel settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  local-ip-address 172.16.10.2
  mtu 1280
  hostname TunnelHost1
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

The tunnel settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#no local-ip-address
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#no mtu
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#no hostname

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#
22.2.7 peer

l2tpv3-tunnel-commands

Configures the L2TPv3 tunnel’s peers. At least one peer must be specified.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

peer <1-2> {hostname|ip-address|ipsec-secure|router-id|udp}
peer <1-2> {hostname [<HOSTNAME>|any]} {ipsec-secure|router-id|udp}
peer <1-2> {ip-address <IP>} {hostname|ipsec-secure|router-id|udp}
peer <1-2> {ipsec-secure} {gw [<IP>|<WORD>]}
peer <1-2> {router-id [<IP>|<WORD>|any]} {ipsec-secure|udp}
peer <1-2> {udp} {ipsec-secure|port <1-65535>}

Parameters

• peer <1-2> {hostname [<HOSTNAME>|any]} {ipsec-secure|router-id|udp}

peer <1-2>
    Configures the tunnel’s peer ID
    • <1-2> – Specify the ID from 1 - 2. The peer ID identifies the primary (ID 1) and secondary (ID 2) peers. The L2TPv3 tunnel is established with the primary peer. The secondary peer is used for tunnel failover. If the peer is not specified, tunnel establishment does not occur.
    Note: At any time the tunnel is established with only one peer, unless fast-failover support is configured on the L2TPv3 tunnel. For more information, see fast-failover.

hostname [<HOSTNAME>|any]
    Optional. Configures the peers’ hostname. The hostname options are:
    • <HOSTNAME> – Specifies the hostname as Fully Qualified Domain Name (FQDN) or partial DN or any other name
    • any – Peer name is not specified. If the hostname is ‘any’ this tunnel is considered as responder only and will allow incoming connection from any host.

ipsec-secure {gw [<IP>|<WORD>]}
    After specifying the peer hostname, optionally specify the IPSec settings:
    • ipsec-secure – Optional. Enables auto IPSec on the L2TPv3 tunnel
        • gw – Optional. Configures the IPSec gateway. Use one of the following options to configure the IPSec gateway:
            • <IP> – Configures IPSec gateway’s IP address
            • <WORD> – Configures IPSec gateway’s hostname

router-id [<IP>|<WORD>|any]
    After specifying the peer hostname, optionally specify router ID settings:
    • router-id – Optional. Configures the peer’s router ID in one of the following formats:
        • <IP> – Peer router ID in the IP address (A.B.C.D) format
        • <WORD> – Peer router ID range (for example, 100-120)
        • any – Peer router ID is not specified. This allows incoming connection from any router ID.

udp {ipsec-secure gw|port <1-65535> {ipsec-secure}}
    After specifying the peer hostname, optionally specify UDP settings:
    The UDP option configures the encapsulation mode for this tunnel.
    • UDP – Optional. Configures UDP encapsulation (default encapsulation is IP)
        • ipsec-secure gw – Optional. Enables auto IPSec
        • port <1-65535> {ipsec-secure} – Optional. Configures the peer’s UDP port running the L2TPv3 service from 1 - 65535. After specifying the peer UDP port, optionally configure the IPSec settings.

• peer <1-2> {ip-address <IP>} {hostname|ipsec-secure|router-id|udp}

peer <1-2>
    Configures the tunnel’s peer ID from 1 - 2. At any time the tunnel is established with only one peer.

ip-address <IP>
    Optional. Configures the peer’s IP address in the A.B.C.D format
    • <IP> – Specify the peer’s IP address.

hostname [<FQDN>|any]
    After specifying the peer IP address, optionally specify the peer’s hostname:
    • hostname – Optional. Configures the peers’ hostname. The hostname options are:
        • <FQDN> – Specifies the hostname as FQDN or partial DN
        • any – Peer name is not specified. If the hostname is ‘any’ this tunnel is considered as responder only and will allow incoming connection from any host.

ipsec-secure {gw [<IP>|<WORD>]}
    After specifying the peer IP address, optionally specify the IPSec settings:
    • ipsec-secure – Optional. Enables auto IPSec
        • gw – Optional. Configures the IPSec gateway. Use one of the following options to configure the IPSec gateway:
            • <IP> – Configures IPSec gateway’s IP address
            • <WORD> – Configures IPSec gateway’s hostname

router-id [<A.B.C.D>|<WORD>|any]
    After specifying the peer IP address, optionally specify the router ID using one of the following options:
    • router-id – Optional. Configures the peer’s router-id in one of the following formats:
        • <A.B.C.D> – Peer router ID in the IP address (A.B.C.D) format
        • <WORD> – Peer router ID range (for example, 100-120)
        • any – Peer router ID is not specified. This allows incoming connection from any router ID.

udp {ipsec-secure gw|port <1-65535> {ipsec-secure}}
    After specifying the peer IP address, optionally specify the peer’s UDP port settings:
    The UDP option configures the encapsulation mode for this tunnel.
    • UDP – Optional. Configures UDP encapsulation (default encapsulation is IP)
        • ipsec-secure gw – Optional. Enables auto IPSec
        • port <1-65535> – Optional. Configures the peer’s UDP port running the L2TPv3 service from 1 - 65535. After specifying the peer UDP port, optionally configure the IPSec settings.

• peer <1-2> {ipsec-secure} {gw [<IP>|<WORD>]}

peer <1-2>
    Configures the tunnel’s peer ID from 1 - 2. At any time the tunnel is established with only one peer.

ipsec-secure {gw [<IP>|<WORD>]}
    Optional. Enables auto IPSec for this peer
    • gw – Optional. Configures the IPSec gateway. Use one of the following options to configure the IPSec gateway:
        • <IP> – Configures IPSec gateway’s IP address
        • <WORD> – Configures IPSec gateway’s hostname

• peer <1-2> {router-id [<IP>|<WORD>|any]} {ipsec-secure|udp}

peer <1-2>
    Configures the tunnel peer ID from 1 - 2. At any time the tunnel is established with only one peer.

router-id [<A.B.C.D>|<WORD>|any]
    Optional. Configures the peer’s router-id in one of the following formats:
    • <A.B.C.D> – Peer router ID in the IP address (A.B.C.D) format
    • <WORD> – Peer router ID range (for example, 100-120)
    • any – Peer router ID is not specified. This allows incoming connection from any router ID.

ipsec-secure {gw [<IP>|<WORD>]}
    After specifying the peer’s router ID, optionally specify the IPSec settings.
    • ipsec-secure – Optional. Enables auto IPSec
        • gw – Optional. Configures the IPSec gateway. Use one of the following options to configure the IPSec gateway:
            • <IP> – Configures IPSec gateway’s IP address
            • <WORD> – Configures IPSec gateway’s hostname

udp {ipsec-secure gw|port <1-65535> {ipsec-secure}}
    After specifying the peer’s router ID, optionally specify the IPSec settings.
    The UDP option configures the encapsulation mode for this tunnel.
    • UDP – Optional. Configures UDP encapsulation (default encapsulation is IP)
        • ipsec-secure gw – Optional. Enables auto IPSec
        • port <1-65535> – Optional. Configures the peer’s UDP port running the L2TPv3 service from 1 - 65535. After specifying the peer UDP port, optionally configure the IPSec settings.

• peer <1-2> {udp} {ipsec-secure|port <1-65535>}

peer <1-2>
    Configures the tunnel peer ID from 1 - 2. At any time the tunnel is established with only one peer.

udp {ipsec-secure|port <1-65535> {ipsec-secure}}
    Optional. Configures UDP encapsulation for this tunnel’s peer (default encapsulation is IP)
    • ipsec-secure – Optional. Configures IPSec gateway on this peer UDP port
    • port <1-65535> – Optional. Configures the peer’s UDP port running the L2TPv3 service from 1 - 65535. After specifying the peer UDP port, optionally configure the IPSec settings.
Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#peer 2 hostname tunnel1peer1 udp port 100

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  peer 2 hostname tunnel1peer1 udp port 100
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no
    Removes the peer configured for this tunnel
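The peer options above decide who may bring up the tunnel and whether it is protected, so they are worth checking whenever a profile is reviewed. The following is an added example, not part of the original guide or of WiNG: a small Python audit over `show context` text that flags peers using `hostname any`, `router-id any`, or no `ipsec-secure`. The Tunnel1 peers, addresses and port in the sample are constructed; the Tunnel2 peer line is the one from the example above.

```python
import re

# Constructed sample in the layout of the guide's "show context" output.
# Tunnel2 repeats the peer line from the guide's own example; the Tunnel1
# peers, the 192.0.2.10 address and port 1701 are made up for illustration.
SAMPLE_CONTEXT = """\
 l2tpv3 tunnel Tunnel1
  peer 1 ip-address 192.0.2.10 udp port 1701 ipsec-secure
  peer 2 hostname any router-id any
  establishment-criteria cluster-master
 l2tpv3 tunnel Tunnel2
  peer 2 hostname tunnel1peer1 udp port 100
  establishment-criteria cluster-master
"""

TUNNEL_RE = re.compile(r"^\s*l2tpv3 tunnel\s+(\S+)\s*$")
PEER_RE = re.compile(r"^\s*peer\s+([12])\b\s*(.*)$")

VALUE_KEYWORDS = {"hostname", "ip-address", "router-id", "port", "gw"}
FLAG_KEYWORDS = {"udp", "ipsec-secure"}

# Finding codes and what the guide says about each setting.
FINDINGS = {
    "hostname-any": "responder only; allows incoming connection from any host",
    "router-id-any": "allows incoming connection from any router ID",
    "no-ipsec": "auto IPSec (ipsec-secure) is not enabled for this peer",
}


def parse_peer(args):
    """Parse the options that follow 'peer <1-2>' into a dict."""
    peer = {"hostname": None, "ip-address": None, "router-id": None,
            "port": None, "gw": None, "udp": False, "ipsec-secure": False}
    tokens = args.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"'{tok}' is missing its value")
            peer[tok] = tokens[i + 1]
            i += 2
        elif tok in FLAG_KEYWORDS:
            peer[tok] = True
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} in peer line")
    if peer["port"] is not None:
        peer["port"] = int(peer["port"])
        if not 1 <= peer["port"] <= 65535:
            raise ValueError("port must be in the range 1 - 65535")
    return peer


def audit(context_text):
    """Return (tunnel, peer_id, finding_code) for every risky peer setting."""
    findings = []
    tunnel = None
    for line in context_text.splitlines():
        match = TUNNEL_RE.match(line)
        if match:
            tunnel = match.group(1)
            continue
        match = PEER_RE.match(line)
        if not match or tunnel is None:
            continue
        peer_id = int(match.group(1))
        peer = parse_peer(match.group(2))
        if peer["hostname"] == "any":
            findings.append((tunnel, peer_id, "hostname-any"))
        if peer["router-id"] == "any":
            findings.append((tunnel, peer_id, "router-id-any"))
        if not peer["ipsec-secure"]:
            findings.append((tunnel, peer_id, "no-ipsec"))
    return findings


def report(context_text):
    """Format the findings as one readable line each."""
    return [f"{t} peer {p}: {code} ({FINDINGS[code]})"
            for t, p, code in audit(context_text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONTEXT)))
```

A `no-ipsec` finding only means auto IPSec is not enabled on that peer line; whether the path is protected some other way has to be checked separately.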
22.2.8 router-id

l2tpv3-tunnel-commands

Configures the tunnel’s local router ID

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

router-id [<1-4294967295>|<IP>]

Parameters

• router-id [<1-4294967295>|<IP>]

router-id [<1-4294967295>|<IP>]
    Configures the tunnel’s local router ID in one of the following formats:
    • <1-4294967295> – Router ID in the number format (from 1 - 4294967295)
    • <IP> – Router ID in IP address format (A.B.C.D)

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#router-id 2000

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  peer 2 hostname tunnel1peer1 udp port 100
  router-id 2000
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no
    Removes the tunnel’s router ID
22.2.9 session

l2tpv3-tunnel-commands

Configures a session’s pseudowire ID, which describes the session’s purpose. The session established message sends this pseudowire ID to the L2TPv3 peer.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

session <L2TPV3-SESSION-NAME> [pseudowire-id|rate-limit]
session <L2TPV3-SESSION-NAME> pseudowire-id <1-4294967295> traffic-source vlan <VLAN-ID-RANGE> {native-vlan <1-4094>}
session <L2TPV3-SESSION-NAME> rate-limit [egress|ingress] rate <50-1000000> max-burst-size <2-1024>

Parameters

• session <L2TPV3-SESSION-NAME> pseudowire-id <1-4294967295> traffic-source vlan <VLAN-ID-RANGE> {native-vlan <1-4094>}

session <L2TPV3-SESSION-NAME>
    Configures this session’s name
    • <L2TPV3-SESSION-NAME> – Specify the L2TPV3 session name (should not exceed 31 characters in length). A tunnel is usable only if it has one or more session(s) (having specific session names) configured. The L2TPv3 tunnel has no idle timeout; it closes when the last tunnel session is closed.

pseudowire-id <1-4294967295>
    Configures the pseudowire ID for this session from 1 - 4294967295
    A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire is needed to encapsulate and tunnel layer 2 protocols across a layer 3 network.

traffic-source vlan <VLAN-ID-RANGE>
    Configures VLAN as the traffic source for this tunnel
    • <VLAN-ID-RANGE> – Configures VLAN range list of traffic source. Specify the VLAN IDs as a range (for example, 10-20, 25, 30-35).

native-vlan <1-4094>
    Optional – Configures the native VLAN ID for this session, which is not tagged
    • <1-4094> – Specify the native VLAN ID from 1 - 4094.

• session <L2TPV3-SESSION-NAME> rate-limit [egress|ingress] rate <50-1000000> max-burst-size <2-1024>

session <L2TPV3-SESSION-NAME>
    Configures this session’s name
    • <L2TPV3-SESSION-NAME> – Specify the L2TPV3 session name (should not exceed 31 characters in length). A tunnel is usable only if it has one or more session(s) (having specific session names) configured. The L2TPv3 tunnel has no idle timeout; it closes when the last tunnel session is closed.

rate-limit [egress|ingress]
    Configures a rate for incoming and/or outgoing traffic on this L2TPv3 tunnel. When configured, this option limits the rate at which data is sent to or received from L2TPv3 tunnel members.
    • egress – Applies the specified rate to outbound traffic, from the L2TPv3 tunnel (going out from access points, wireless controllers, and service platforms) to the network
    • ingress – Applies the specified rate to inbound traffic, from the network to the L2TPV3 tunnel (coming in to access points, wireless controllers, and service platforms)

rate <50-1000000>
    Specify the data rate, in kilobits per second, for the incoming and/or outgoing traffic
    • <50-1000000> – Specify a value from 50 - 1000000 kbps. The default is 5000 kbps.

max-burst-size <2-1024>
    Configures the maximum burst size, in kilobytes, for incoming/outgoing traffic rate limiting (depending on the direction selected) on a L2TPv3 tunnel.
    • <2-1024> – Specify the maximum burst size from 2 - 1024 kbytes. The smaller the burst size, the lower the chance that upstream packet transmission results in congestion of the L2TPv3 tunnel traffic. The default setting is 320 kbytes.

Usage Guidelines

The working status of a pseudowire is reflected by the state of the L2TPv3 session. If the corresponding session is L2TPv3 down, the pseudowire associated with it must be shut down.

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#session tunnel1peer1session1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  peer 2 hostname tunnel1peer1 udp port 100
  session tunnel1peer1session1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1
  router-id 2000
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no
    Removes a session
22.2.10 use

l2tpv3-tunnel-commands

Configures a tunnel to use a specified L2TPv3 tunnel policy and specified critical resources

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

use [critical-resource|l2tpv3-policy]
use critical-resource <CRM-NAME1> {<CRM-NAME2>} {<CRM-NAME3>} {<CRM-NAME4>}
use l2tpv3-policy <L2TPV3-POLICY-NAME>

Parameters

• use critical-resource <CRM-NAME1> {<CRM-NAME2>} {<CRM-NAME3>} {<CRM-NAME4>}

use critical-resource <CRM-NAME1> {<CRM-NAME2>} {<CRM-NAME3>} {<CRM-NAME4>}
    Specifies the critical resource(s) to use with this tunnel
    • <CRM-NAME1> – Specify the first critical resource name (should be existing).
    • <CRM-NAME2/3/4> – Optional. Specify the second/third/fourth critical resource names. Maximum of four critical resources can be monitored.
    Note: In case of tunnel initiator, L2TPv3 tunnel is established only if the critical resources identified by the <CRM-NAME1> ... <CRM-NAME4> arguments are available at the time of tunnel establishment.
    Note: In case of L2TPv3 tunnel termination, all incoming tunnel establishment requests are rejected if the critical resources specified by the <CRM-NAME1> ... <CRM-NAME4> arguments are not available.

• use l2tpv3-policy <L2TPV3-POLICY-NAME>

use l2tpv3-policy <L2TPV3-POLICY-NAME>
    Associates a specified L2TPv3 policy with this tunnel
    • <L2TPV3-POLICY-NAME> – Specify the policy name (should be existing and configured).

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#use l2tpv3-policy L2TPV3Policy1

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  peer 2 hostname tunnel1peer1 udp port 100
  use l2tpv3-policy L2TPV3Policy1
  session tunnel1peer1session1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1
  router-id 2000
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no
    Removes the L2TPv3 policy configured with a tunnel and reverts to the default tunnel policy
22.3 l2tpv3-manual-session-commands

L2TPV3-POLICY

After a successful tunnel connection and establishment, individual sessions can be created. Each session is a single data stream. After successful session establishment, data corresponding to that session (pseudowire) can be transferred. If a session is down, the pseudowire associated with it is shut down as well.

Use the (profile-context) instance to manually configure a L2TPv3 session. To navigate to the L2TPv3 manual session configuration mode, use the following command in the profile context:

<DEVICE>(config-profile-default-rfs7000)#l2tpv3 manual-session <SESSION-NAME>

rfs6000-37FABE(config-profile-default-rfs7000)#l2tpv3 manual-session test
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#?
L2tpv3 Manual Session Mode commands:
  local-cookie       The local cookie for the session
  local-ip-address   Configure the IP address for tunnel. If not specified,
                     tunnel source ip address would be chosen automatically
                     based on the tunnel peer ip address
  local-session-id   Local session id for the session
  mtu                Configure the mtu size for the tunnel
  no                 Negate a command or set its defaults
  peer               Configure L2TPv3 manual session peer
  remote-cookie      The remote cookie for the session
  remote-session-id  Remote session id for the session
  traffic-source     Traffic that is tunneled

  clrscr             Clears the display screen
  commit             Commit all changes made in this session
  end                End current mode and change to EXEC mode
  exit               End current mode and down to previous mode
  help               Description of the interactive help system
  revert             Revert changes
  service            Service Commands
  show               Show running system information
  write              Write running configuration to memory or terminal

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

The following table summarizes L2TPv3 manual session configuration commands:

Table 22.3 L2TPV3-Manual-Session-Config Commands

Command            Description                                                    Reference
local-cookie       Configures the manual session’s local cookie field size        page 22-34
local-ip-address   Configures the manual session’s local source IP address        page 22-35
local-session-id   Configures the manual session’s local session ID               page 22-36
mtu                Configures the MTU size for the manual session tunnel          page 22-37
no                 Negates or reverts L2TPv3 manual session commands to default   page 22-23
peer               Configures the manual session’s peers                          page 22-39
remote-cookie      Configures the remote cookie for the manual session            page 22-40
remote-session-id  Configures the manual session’s remote session ID              page 22-41
traffic-source     Configures the traffic source tunneled by the manual session   page 22-42
22.3.1 local-cookie

l2tpv3-manual-session-commands

Configures the local cookie field size for the manual session

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

local-cookie size [4|8] <1-4294967295> {<1-4294967295>}

Parameters

• local-cookie size [4|8] <1-4294967295> {<1-4294967295>}

local-cookie size [4|8]
    Configures the local cookie field size for this manual session. The options are:
    • 4 – 4 byte local cookie field
    • 8 – 8 byte local cookie field

<1-4294967295>
    Configures the local cookie value first word. Applies to both the 4 byte and 8 byte local cookies

<1-4294967295>
    Optional – Configures the local cookie value second word. Applicable to only 8 byte cookies. This parameter is ignored for 4 byte cookies.

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#local-cookie size 8 200 300

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-cookie size 8 200 300
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

Related Commands

no
    Removes the local cookie size configured for a manual session
22.3.2 local-ip-address

l2tpv3-manual-session-commands

Configures the manual session’s source IP address. If no IP address is specified, the tunnel’s source IP address is automatically configured based on the tunnel peer IP address. This parameter is applicable when establishing the session and responding to incoming requests.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

local-ip-address <IP>

Parameters

• local-ip-address <IP>

local-ip-address <IP>
    Configures the manual session’s source IP
    • <IP> – Specify the IP address in the A.B.C.D format.

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#local-ip-address 1.2.3.4

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-cookie size 8 200 300
  local-ip-address 1.2.3.4
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

Related Commands

no
    Resets the manual session’s local source IP address. This re-establishes the session.
22.3.3 local-session-id

l2tpv3-manual-session-commands

Configures the manual session’s local session ID

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

local-session-id <1-63>

Parameters

• local-session-id <1-63>

local-session-id <1-63>
    Configures this manual session’s local session ID
    • <1-63> – Specify the ID from 1 - 63. This is the pseudowire ID for the session. This pseudowire ID is sent in a session establishment message to the L2TP peer.

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#local-session-id 1

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-cookie size 8 200 300
  local-ip-address 1.2.3.4
  local-session-id 1
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

Related Commands

no
    Removes the manual session’s local session ID
22.3.4 mtu

l2tpv3-manual-session-commands

Configures the MTU size for the manual session tunnel. The MTU is the size (in bytes) of the largest protocol data unit the layer can pass between tunnel peers in this session. A larger MTU means processing fewer packets for the same amount of data.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

mtu <128-1460>

Parameters

• mtu <128-1460>

mtu <128-1460>
    Configures the MTU size for this manual session tunnel
    • <128-1460> – Specify a value from 128 - 1460 bytes (default is 1460 bytes).

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#mtu 200

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-cookie size 8 200 300
  local-ip-address 1.2.3.4
  mtu 200
  local-session-id 1
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

Related Commands

no
    Resets the MTU size for this manual session to default (1460 bytes)
22.3.5 no

l2tpv3-manual-session-commands

Negates or reverts L2TPv3 manual session settings to default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [local-cookie|local-ip-address|local-session-id|mtu|peer|remote-cookie|remote-session-id|traffic-source]

Parameters

• no <PARAMETERS>

no <PARAMETERS>
    Negates or reverts L2TPv3 manual session settings to default

Example

The following example shows the manual session ‘test’ settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-ip-address 1.2.3.4
  peer ip-address 5.6.7.8 udp port 150
  traffic-source vlan 50-60 native-vlan 2
  local-session-id 1
  remote-session-id 200
  remote-cookie size 8 400 700
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#no local-ip-address
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#no local-session-id
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#no remote-session-id

The following example shows the manual session ‘test’ settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  peer ip-address 5.6.7.8 udp port 150
  traffic-source vlan 50-60 native-vlan 2
  remote-cookie size 8 400 700
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#
22.3.6 peer

Configures peer(s) allowed to establish the manual session tunnel. The peers are identified by their IP addresses.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
peer ip-address <IP> {udp {port <1-65535>}}

Parameters
• peer ip-address <IP> {udp {port <1-65535>}}

peer ip-address <IP>
    Configures the tunnel’s peer IP address in the A.B.C.D format
udp {port <1-65535>}
    Optional. Configures the UDP encapsulation mode for this tunnel (default encapsulation is IP)
    • port <1-65535> – Optional. Configures the peer’s UDP port running the L2TPv3 service.
      • <1-65535> – Specify a value from 1 - 65535.

Example
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#peer ip-address 5.6.7.8 udp port 150
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-cookie size 8 200 300
  local-ip-address 1.2.3.4
  peer ip-address 5.6.7.8 udp port 150
  mtu 200
  local-session-id 1
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

Related Commands
no
    Removes the manual session’s peer
22.3.7 remote-cookie

Configures the manual session’s remote cookie field size

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
remote-cookie size [4|8] <1-4294967295> {<1-4294967295>}

Parameters
• remote-cookie size [4|8] <1-4294967295> {<1-4294967295>}

remote-cookie size [4|8]
    Configures the remote cookie field size for this manual session. The options are:
    • 4 – 4 byte remote cookie field
    • 8 – 8 byte remote cookie field
<1-4294967295>
    Configures the remote cookie value first word. Applies to both the 4 byte and 8 byte local cookies
<1-4294967295>
    Optional – Configures the remote cookie value second word. Applicable to only 8 byte cookies. This parameter is ignored for 4 byte cookies.

Example
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#remote-cookie size 8 400 700
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-ip-address 1.2.3.4
  peer ip-address 5.6.7.8 udp port 150
  mtu 200
  local-session-id 1
  remote-cookie size 8 400 700
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

Related Commands
no
    Removes the manual session’s remote cookie field size
22.3.8 remote-session-id

Configures the manual session’s remote ID. This ID is passed in the establishment of the tunnel session.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
remote-session-id <1-4294967295>

Parameters
• remote-session-id <1-4294967295>

remote-session-id <1-4294967295>
    Configures this manual session’s remote ID
    • <1-4294967295> – Specify a value from 1 - 4294967295.

Example
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#remote-session-id 200
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-ip-address 1.2.3.4
  peer ip-address 5.6.7.8 udp port 150
  local-session-id 1
  remote-session-id 200
  remote-cookie size 8 400 700
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

Related Commands
no
    Removes the manual session’s remote ID
22.3.9 traffic-source

Configures the traffic source tunneled by this session

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
traffic-source vlan <VLAN-ID-RANGE> {native-vlan <1-4094>}

Parameters
• traffic-source vlan <VLAN-ID-RANGE> {native-vlan <1-4094>}

traffic-source vlan <VLAN-ID-RANGE>
    Configures VLAN as the traffic source for this tunnel
    • <VLAN-ID-RANGE> – Configures VLAN range list of traffic source. Specify the VLAN IDs as a range (for example, 10-20, 25, 30-35)
native-vlan <1-4094>
    Optional – Configures the native VLAN ID for this session, which is not tagged
    • <1-4094> – Specify the native VLAN ID from 1 - 4094.

Example
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#traffic-source vlan 50-60 native-vlan 2
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-ip-address 1.2.3.4
  peer ip-address 5.6.7.8 udp port 150
  traffic-source vlan 50-60 native-vlan 2
  local-session-id 1
  remote-session-id 200
  remote-cookie size 8 400 700
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

Related Commands
no
    Removes the traffic source configured for a tunnel
23 ROUTER-MODE COMMANDS

This chapter summarizes Open Shortest Path First (OSPF) router mode commands in the CLI command structure. All router-mode commands are available on both device and profile modes.

OSPF is an interior gateway protocol (IGP) used within large autonomous systems to distribute routing information. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.

OSPF detects changes in the topology, like a link failure, and plots a new loop-free routing structure. It computes the shortest path for each route using a shortest path first algorithm. Link state data is maintained on each router and is periodically updated on all OSPF member routers. This enables routers to synchronize routing tables.

OSPF uses a route table managed by the link cost (external metrics) defined for each routing interface. The cost could be the distance of a router (round-trip time), link throughput or link availability.

Use the (config) instance to configure router commands. To navigate to the (config-router-mode) instance, use the following command:

<DEVICE>(config-profile-<PROFILE-NAME>)#router ospf
<DEVICE>(config-profile <PROFILE-NAME>-router-ospf)#

rfs6000-37FABE(config-profile-default-rfs7000)#router ospf
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#?
Router OSPF Mode commands:
  area                 OSPF area
  auto-cost            OSPF auto-cost
  default-information  Distribution of default information
  ip                   Internet Protocol (IP)
  network              OSPF network
  no                   Negate a command or set its defaults
  ospf                 OSPF
  passive              Make OSPF Interface as passive
  redistribute         Route types redistributed by OSPF
  route-limit          Limit for number of routes handled OSPF process
  router-id            Router ID

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal

rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
23.1 router-mode

The following table summarizes router configuration commands:

Table 23.1 OSPF-Router Config Commands

Command              Description
area                 Specifies OSPF enabled interfaces
auto-cost            Specifies the reference bandwidth in terms of Mbits per second
default-information  Controls the distribution of default information
ip                   Configures Internet Protocol (IP) default gateway priority
network              Defines OSPF network settings
ospf                 Enables OSPF
passive              Specifies the configured OSPF interface as passive interface
redistribute         Specifies the route types redistributed by OSPF
route-limit          Specifies the limit for the number of routes managed by OSPF
router-id            Specifies the router ID for OSPF
no                   Negates a command or sets its defaults

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
23.1.1 area

Configures OSPF network area (OSPF enabled interfaces) settings

The following table lists the OSPF Area configuration mode commands:

Table 23.2 OSPF Area Config Commands

Command         Description
area            Creates a new OSPF area and enters its configuration mode
OSPF-area-mode  Summarizes OSPF area configuration commands
23.1.1.1 area

Configures OSPF network areas (OSPF enabled interfaces)

An OSPF network can be subdivided into routing areas to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network by the connecting router. Areas are identified by 32-bit IDs, expressed either in decimal, or octet-based dot-decimal notation. Areas can be defined as: stub area, totally-stub, non-stub, nssa, totally nssa. Each of these area types is discussed further in the area-type section of this chapter.

At least one default area, bearing number ‘0’, should be configured for every OSPF network. In case of multiple areas, the default area 0 forms the backbone of the network. The default area 0 is used as a link to the other areas. Each area has its own link-state database.

A router running OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and list of neighbors. OSPF is savvy with layer 2 topologies. If on a point-to-point link, OSPF knows it is sufficient, and the link stays up. If on a broadcast link, the router waits for election before determining if the link is functional.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
area [<0-4294967295>|<IP>]

Parameters
• area [<0-4294967295>|<IP>]

area
    Defines an OSPF area
<0-4294967295>
    Defines an OSPF area in the form of a 32 bit integer
    • <0-4294967295> – Specify the value from 0 - 4294967295.
<IP>
    Defines an OSPF area in the form of an IP address
    • <IP> – Specify the IP address.

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#area 4 ?
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)#?
Router OSPF Area Mode commands:
  area-type       OSPF area type
  authentication  Authentication scheme for OSPF area
  no              Negate a command or set its defaults
  range           Routes matching this range are considered for summarization
                  (ABR only)

  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  do              Run commands from Exec mode
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode
  help            Description of the interactive help system
  revert          Revert changes
  service         Service Commands
  show            Show running system information
  write           Write running configuration to memory or terminal

rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)#
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)#show context
  area 0.0.0.4
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)#

Related Commands
no
    Removes area configuration settings
23.1.1.2 OSPF-area-mode

The following table summarizes OSPF area mode configuration commands:

Table 23.3 OSPF-Area-Mode Commands

Command         Description
area-type       Configures a particular OSPF area as STUB or NSSA
authentication  Specifies the authentication scheme used for the OSPF area
range           Specifies the routes matching address/mask for summarization
no              Negates a command or sets its defaults
23.1.1.2.1 area-type

Configures a particular OSPF area type as STUB, Totally STUB, NSSA or Totally NSSA

Areas can be defined as:
• stub area - Is an area that does not receive route advertisements external to the autonomous system (AS), and routing from within the area is based entirely on a default route.
• totally-stub - Is an area that does not allow summary routes and external routes. A default route is the only way to route traffic outside of the area. When there is only one route out of the area, fewer routing decisions are needed, lowering system resource utilization.
• non-stub - Is an area that imports autonomous system external routes and forwards to other areas. However, it still cannot receive external routes from other areas.
• nssa - A Not-So-Stubby Area (NSSA) is an extension of a stub that allows the injection of limited external routes into a stub area. If selecting NSSA, no external routes, except a default route, enter the area.
• totally-nssa - Is an NSSA in which type 3 and type 4 summary routes are not flooded into the area.

It is also possible to declare an area both totally stubby and not-so-stubby, which means that the area will receive only the default route from area 0.0.0.0, but can also contain an Autonomous System Boundary Router (ASBR) that accepts external routing information and injects it into the local area, and from the local area into area 0.0.0.0.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
area-type [nssa|stub]
area-type nssa {default-cost|no-summary|translate-always|translate-candidate|translate-never}
area-type nssa {default-cost <0-16777215> {no-summary}|no-summary {default-cost <0-16777215>}}
area-type nssa {translate-always|translate-candidate|translate-never} {(default-cost <0-16777215>|no-summary)}
area-type stub {default-cost <0-16777215> {no-summary}|no-summary {default-cost <0-16777215>}}

Parameters
• area-type [nssa|stub] {default-cost|no-summary|translate-always|translate-candidate|translate-never}

area-type
    Configures a particular OSPF area type as STUB, Totally STUB, NSSA or Totally NSSA
nssa
    Configures the OSPF area as NSSA
stub
    Configures the OSPF area as Stubby Area (STUB)
default-cost <0-16777215>
    Specifies the default summary cost that will be advertised, if the OSPF area is a STUB or NSSA
    • <0-16777215> – Specify the default summary cost value from 0 - 16777215.
no-summary
    Configures the OSPF area as totally STUB if the area-type is STUB or totally NSSA if the area-type is NSSA
translate-always
    Always translates type-7 Link State Advertisements (LSAs) into type-5 LSAs
translate-candidate
    Defines it as default behavior
translate-never
    Never translates type-7 LSAs into type-5 LSAs

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#area-type stub default-cost 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context
  area 0.0.0.1
   area-type stub default-cost 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#

Related Commands
no
    Removes configured area-type settings
23.1.1.2.2 authentication

Specifies an authentication scheme used for an OSPF area used with the OSPF dynamic route

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
authentication [message-digest|simple-password]

Parameters
• authentication [message-digest|simple-password]

message-digest
    Configures the message-digest (MD-5) authentication scheme
simple-password
    Configures the simple password authentication scheme

Usage Guidelines
OSPF packet authentication enables routers to use predefined passwords and participate within a routing domain. The two authentication modes are:
• MD-5 – MD-5 authentication is a cryptographic authentication mode, where every router has a key (password) and key-id configured on it. This key and key-id together form the message digest that is appended to the OSPF packet.
• Simple Password – Simple password authentication allows a password (key) to be configured per area. Routers in the same area and participating in the routing domain have to be configured with the same key.

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#authentication simple-password
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context
  area 0.0.0.1
   authentication simple-password
   area-type stub default-cost 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#

Related Commands
no
    Removes the authentication scheme
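The following script is an added example, not part of this guide or of Extreme's software: it audits a saved "show context" listing and reports, per OSPF area, which of the two authentication schemes described above is configured. Simple-password areas are flagged because that key travels unencrypted in every OSPF packet, and areas with no authentication line are flagged as missing. The function names, the constructed sample listing, the assumed indentation (settings nested one level under their area line) and the choice to count an area named only in a network statement as having no authentication are all assumptions of this example.

```python
import ipaddress

# Constructed sample, laid out like the "show context" listings in this guide.
# "area 4" is written as an integer on purpose to exercise ID normalisation.
SAMPLE_CONTEXT = """\
 router ospf
  ospf enable
  network 1.2.3.0/24 area 4.5.6.7
  area 0.0.0.0
   authentication message-digest
  area 0.0.0.1
   authentication simple-password
   range 172.16.10.0/24
   area-type stub default-cost 1
  area 4
  auto-cost reference-bandwidth 1
  passive vlan1
"""

# Verdict per scheme; None means no authentication line was found for the area.
VERDICTS = {"message-digest": "ok", "simple-password": "weak", None: "missing"}


def normalize_area_id(token):
    """Return the dotted form of an area ID given as a 32-bit integer or as IPv4 text."""
    if token.isdigit():
        return str(ipaddress.IPv4Address(int(token)))  # raises ValueError above 2**32-1
    return str(ipaddress.IPv4Address(token))


def parse_area_auth(context_text):
    """Map each area ID (dotted form) to its authentication scheme, or None."""
    areas = {}
    current = None        # area whose settings are being read
    current_indent = -1   # indentation of that area's "area <id>" line
    for raw in context_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # A line indented no deeper than the area line closes that area.
        if current is not None and indent <= current_indent:
            current = None
        if tokens[0] == "area" and len(tokens) == 2:
            current = normalize_area_id(tokens[1])
            current_indent = indent
            areas.setdefault(current, None)
        elif tokens[0] == "network" and len(tokens) == 4 and tokens[2] == "area":
            # Assumption: an area referenced only here has no scheme configured.
            areas.setdefault(normalize_area_id(tokens[3]), None)
        elif current is not None and tokens[0] == "authentication" and len(tokens) == 2:
            areas[current] = tokens[1]
    return areas


def audit_ospf_auth(context_text):
    """Return (area, scheme, verdict) tuples sorted by numeric area ID."""
    areas = parse_area_auth(context_text)
    ordered = sorted(areas, key=lambda a: int(ipaddress.IPv4Address(a)))
    return [(a, areas[a], VERDICTS.get(areas[a], "unknown")) for a in ordered]


if __name__ == "__main__":
    for area, scheme, verdict in audit_ospf_auth(SAMPLE_CONTEXT):
        print(f"area {area:<10} authentication={scheme or '-':<16} {verdict}")
```
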
23.1.1.2.3 range

Specifies a range of addresses for routes matching address/mask for OSPF summarization

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
range <IP/M>

Parameters
• range <IP/M>

<IP/M>
    Specifies the routes matching address/mask for summarization.
    Note: This command is applicable for an Area Border Router (ABR) only.

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#range 172.16.10.0/24
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context
  area 0.0.0.1
   authentication simple-password
   range 172.16.10.0/24
   area-type stub default-cost 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#

Related Commands
no
    Removes the configured network IP range
23.1.1.2.4 no

Negates a command or sets its defaults

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
no [area-type|authentication|range]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Negates a command or sets its defaults

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
The following example shows the OSPF router settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context
  area 0.0.0.1
   authentication simple-password
   range 172.16.10.0/24
   area-type stub default-cost 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#no authentication
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#no range 172.16.10.0/24

The following example shows the OSPF router settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context
  area 0.0.0.1
   area-type stub default-cost 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#
23.1.2 auto-cost

Configures the reference bandwidth in terms of megabits per second. Specifying the reference bandwidth allows you to control the default metrics for an interface, which is calculated by OSPF.

The formula used to calculate default metrics is: ref-bw divided by the bandwidth.

Use the ‘no > auto-cost > reference-bandwidth’ command to configure default metrics calculation based on interface type.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
auto-cost reference-bandwidth <1-4294967>

Parameters
• auto-cost reference-bandwidth <1-4294967>

reference-bandwidth <1-4294967>
    Defines the reference bandwidth in Mbps
    • <1-4294967> – Specify the reference bandwidth value from 1 - 4294967.

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#auto-cost reference-bandwidth 1
Ensure that the auto-cost reference-bandwidth is configured uniformly on all routers.
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
 router ospf
  area 0.0.0.4
  auto-cost reference-bandwidth 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

Related Commands
no
    Removes auto-cost reference bandwidth settings
23.1.3 default-information

Controls the distribution of default route information. Use the default-information > originate command to advertise a default route in the routing table.

This option is disabled by default. When enabled, the default route becomes a distributed route.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
default-information originate {always|metric|metric-type}
default-information originate {always|metric <0-16777214>|metric-type [1|2]} {(metric <0-16777214>|metric-type [1|2])}

Parameters
• default-information originate {always|metric <0-16777214>|metric-type [1|2]} {(metric <0-16777214>|metric-type [1|2])}

originate
    Originates default route information. Enabling this feature makes the default route a distributed route. This option is disabled by default.
always
    Optional. Always distributes default route information (will continue to advertise default route information even if that information has been removed from the routing table for some reason). This option is disabled by default.
metric <0-16777214>
    This is a recursive parameter and can be optionally configured along with the metric-type option.
    • metric <0-16777214> – Optional. Specifies OSPF metric value for redistributed routes (this value is used to generate the default route)
      • <0-16777214> – Specify a value from 0 - 16777214.
metric-type [1|2]
    This is a recursive parameter and can be optionally configured along with the metric option.
    • metric-type [1|2] – Optional. Sets OSPF exterior metric type for redistributed routes (this information is advertised with the OSPF routing domain)
      • 1 – Sets OSPF external type 1 metrics
      • 2 – Sets OSPF external type 2 metrics

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#default-information originate metric-type 2 metric 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
 router ospf
  area 0.0.0.4
  auto-cost reference-bandwidth 1
  default-information originate metric 1 metric-type 2
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

Related Commands
no
    Disables advertising of default route information available in the routing table
23.1.4 ip

Configures IP default gateway priority

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
ip default-gateway priority <1-8000>

Parameters
• ip default-gateway priority <1-8000>

default-gateway
    Configures the default gateway
priority <1-8000>
    Sets the priority for the default gateway acquired via OSPF
    • <1-8000> – Specify an integer from 1 - 8000. The default is 7000.
    Note: The lower the value, the higher the priority.

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
 router ospf
  area 0.0.0.4
  auto-cost reference-bandwidth 1
  default-information originate metric 1 metric-type 2
  ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

Related Commands
no
    Removes default gateway priority settings
23.1.5 network

Assigns networks to specified areas (defines the OSPF interfaces and their associated area IDs)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
network <IP/M> area [<0-4294967295>|<IP>]

Parameters
• network <IP/M> area [<0-4294967295>|<IP>]

<IP/M>
    Specifies an OSPF network address/mask value. Defines networks (IP addresses and mask) participating in OSPF.
area [<0-4294967295>|<IP>]
    Specifies an OSPF area, associated with the OSPF address range, in one of the following formats:
    • <0-4294967295> – Specifies a 32 bit OSPF area ID from 0 - 4294967295
    • <IP> – Defines an OSPF area ID in the form of an IPv4 address

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#network 1.2.3.0/24 area 4.5.6.7
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
 router ospf
  network 1.2.3.0/24 area 4.5.6.7
  area 0.0.0.4
  auto-cost reference-bandwidth 1
  default-information originate metric 1 metric-type 2
  ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

Related Commands
no
    Removes the OSPF network to area ID association
23.1.6 ospf

Enables OSPF routing on a profile or device

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
ospf enable

Parameters
• ospf enable

ospf enable
    Enables OSPF routing on devices using this profile. This option is disabled by default.

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#ospf enable
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
 router ospf
  ospf enable
  network 1.2.3.0/24 area 4.5.6.7
  area 0.0.0.4
  auto-cost reference-bandwidth 1
  default-information originate metric 1 metric-type 2
  ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

Related Commands
no
    Disables OSPF routing on a profile or device
23.1.7 passive

Configures specified OSPF interface as passive. This option is disabled by default.

A passive interface receives routing updates, but does not transmit them.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
passive [<WORD>|all|vlan <1-4094>]

Parameters
• passive [<WORD>|all|vlan <1-4094>]

<WORD>
    Enables the OSPF passive mode on the interface specified by the <WORD> parameter
all
    Enables the OSPF passive mode on all the L3 interfaces
vlan <1-4094>
    Enables the OSPF passive mode on the specified VLAN interface
    • <1-4094> – Specify the VLAN interface ID from 1 - 4094.

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#passive vlan 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
 router ospf
  ospf enable
  network 1.2.3.0/24 area 4.5.6.7
  area 0.0.0.4
  auto-cost reference-bandwidth 1
  default-information originate metric 1 metric-type 2
  passive vlan1
  ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

Related Commands
no
    Disables the OSPF passive mode on a specified interface
23.1.8 redistribute

Specifies the route types redistributed by OSPF

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
redistribute [bgp|connected|kernel|static] {metric <0-16777214>|metric-type [1|2]}

Parameters
• redistribute [connected|kernel|static] {metric <0-16777214>|metric-type [1|2]}

bgp
    Redistributes all BGP routes by OSPF
connected
    Redistributes all connected interface routes by OSPF
kernel
    Redistributes all routes that are neither connected, static, dynamic, nor bgp
static
    Redistributes static routes by OSPF
metric <0-16777214>
    The following keywords are common to the ‘bgp’, ‘connected’, ‘kernel’, and ‘static’ parameters:
    • metric <0-16777214> – Optional. Specifies the OSPF metric value for redistributed routes.
      • <0-16777214> – Specify a value from 0 - 16777214.
metric-type [1|2]
    The following keywords are common to the ‘connected’, ‘kernel’, and ‘static’ parameters:
    • metric-type [1|2] – Optional. Sets the OSPF exterior metric type for redistributed routes
      • 1 – Sets the OSPF external type 1 metrics
      • 2 – Sets the OSPF external type 2 metrics

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#redistribute static metric-type 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
 router ospf
  ospf enable
  network 1.2.3.0/24 area 4.5.6.7
  area 0.0.0.4
  auto-cost reference-bandwidth 1
  default-information originate metric 1 metric-type 2
  redistribute static metric-type 1
  passive vlan1
  ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

Related Commands
no
    Removes the OSPF redistribution of various route types
23.1.9 route-limit
router-mode

Limits the number of routes managed by OSPF. The maximum limit supported by the platform is the default configuration defined under the router-ospf context.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
route-limit [num-routes|reset-time|retry-count|retry-timeout]
route-limit [num-routes <DYNAMIC-ROUTE-LIMIT>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>] {(num-routes|reset-time|retry-count|retry-timeout)}

Parameters
• route-limit [num-routes <DYNAMIC-ROUTE-LIMIT>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>] {(num-routes|reset-time|retry-count|retry-timeout)}

num-routes <DYNAMIC-ROUTE-LIMIT>
    Specifies the maximum number of non self-generated LSAs this process can receive
    • <DYNAMIC-ROUTE-LIMIT> – Specify the dynamic route limit.
reset-time <1-86400>
    Specifies the time, in seconds, after which the retry-count is reset to zero
    • <1-86400> – Specify a value from 1 - 86400 seconds. The default is 360 seconds.
retry-count <1-32>
    Specifies the maximum number of times adjacencies can be suppressed. Each time OSPF gets into an ignore state, a counter increments. If the counter exceeds the value configured by the retry-count parameter, OSPF stays in the same ignore state. Manual intervention is required to get OSPF out of the ignore state.
    • <1-32> – Specify a value from 1 - 32. The default is 5.
retry-timeout <1-3600>
    Specifies the retry time in seconds. During this time, OSPF remains in ignore state and all adjacencies are suppressed.
    • <1-3600> – Specify a value from 1 - 3600 seconds. The default is 60 seconds.

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#route-limit num-routes 10 retry-count 5 retry-timeout 60 reset-time 10
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
 router ospf
  ospf enable
  network 1.2.3.0/24 area 4.5.6.7
  area 0.0.0.4
  auto-cost reference-bandwidth 1
  default-information originate metric 1 metric-type 2
  redistribute static metric-type 1
  passive vlan1
  route-limit num-routes 10 retry-count 5 retry-timeout 60 reset-time 10
  ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

Related Commands
no
    Removes the limit on the number of routes managed by OSPF

23.1.10 router-id
router-mode

Specifies the OSPF router ID

This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier. However, since the router identifier is not an IP address, it does not have to be a part of any routable subnet in the network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
router-id <IP>

Parameters
• router-id <IP>

<IP>
    Identifies the OSPF router by its IP address
    • <IP> – Specify the router ID in the IP <A.B.C.D> format

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#router-id 172.16.10.8
Reload, or execute "clear ip ospf process" command, for this to take effect
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

Related Commands
no
    Removes the configured OSPF router ID

23.1.11 no
router-mode

Negates a command or reverts settings to their default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax
no [area|auto-cost|default-information|ip|network|ospf|passive|redistribute|route-limit|router-id]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Negates a command or sets its defaults

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
The following example shows the OSPF router interface settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
 router ospf
  network 1.2.3.0/24 area 4.5.6.7
  area 0.0.0.4
  auto-cost reference-bandwidth 1
  default-information originate metric 1 metric-type 2
  redistribute static metric-type 1
  passive vlan1
  route-limit num-routes 10 reset-time 10
  ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#no area 4
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#no auto-cost reference-bandwidth
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#no network 1.2.3.0/24 area 4.5.6.7

The following example shows the OSPF router interface settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
 router ospf
  default-information originate metric 1 metric-type 2
  redistribute static metric-type 1
  passive vlan1
  route-limit num-routes 10 reset-time 10
  ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

24 ROUTING-POLICY

This chapter summarizes routing-policy commands in the CLI command structure.

Routing policies enable network administrators to control data packet routing and forwarding. Policy-based routing (PBR) always overrides protocol-based routing. Network administrators can define routing policies based on parameters, such as access lists, packet size, etc. For example, a routing policy can be configured to route packets along user-defined routes.

In addition to the above, PBR facilitates the provisioning of preferential service to specific traffic. PBR minimally provides the following:
• A means to use source address, protocol, application, and traffic class as traffic routing criteria
• A means to load balance multiple WAN uplinks
• A means to selectively mark traffic for Quality of Service (QoS) optimization

Use the (config) instance to configure routing-policy commands. To navigate to the (config-routing-policy mode) instance, use the following commands:

<DEVICE>(config)#routing-policy <ROUTING-POLICY-NAME>

rfs6000-37FABE(config)#routing-policy testpolicy
rfs6000-37FABE(config-routing-policy-testpolicy)#?
Routing Policy Mode commands:
  apply-to-local-packets  Use Policy Based Routing for packets generated by
                          the device
  logging                 Enable logging for this Route Map
  no                      Negate a command or set its defaults
  route-map               Create a Route Map
  use                     Set setting to use

  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  do                      Run commands from Exec mode
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal

rfs6000-37FABE(config-routing-policy-testpolicy)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

24.1 routing-policy-commands
ROUTING-POLICY

The following table summarizes routing policy configuration commands:

Table 24.1 Routing-Policy-Config Commands

Command                  Description
apply-to-local-packets   Enables PBR for locally generated packets
logging                  Enables logging for a specified route map
route-map                Creates a route map entry
use                      Defines default settings to use
no                       Negates a command or sets its defaults

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

24.1.1 apply-to-local-packets
routing-policy-commands

Enables PBR for locally generated packets (packets generated by the device). When enabled, this option implements the match and action clauses defined within route maps. This option is enabled by default.

To disable PBR, use the no > apply-to-local-packets command.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
apply-to-local-packets

Parameters
None

Example
rfs6000-37FABE(config-routing-policy-testpolicy)#apply-to-local-packets
rfs6000-37FABE(config-routing-policy-testpolicy)#

Related Commands
no
    Disables PBR for locally generated packets

24.1.2 logging
routing-policy-commands

Enables logging for a specified route map. When enabled, this option logs events generated by the enforcement of route-maps. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
logging

Parameters
None

Example
rfs6000-37FABE(config-routing-policy-testpolicy)#logging
rfs6000-37FABE(config-routing-policy-testpolicy)#show context
routing-policy testpolicy
 logging
rfs6000-37FABE(config-routing-policy-testpolicy)#

Related Commands
no
    Disables route map logging

24.1.3 route-map
routing-policy-commands

Creates a route map entry and enters the route map configuration mode

In policy-based routing (PBR), route maps control the flow of traffic within the network. They override route tables and direct traffic along a specific path.

Route-maps contain a set of filters that select traffic (match clauses) and associated actions (mark clauses) for routing. Every route-map entry has a precedence value. The lower the precedence value, the higher the route-map’s priority. All incoming packets are matched against these route-map entries. The route-map entry with the highest precedence (lowest numerical value) is applied first. In case of a match, action is taken based on the mark clause specified in the route-map. In case of no match, the route-map entry with the next highest precedence is applied. If the incoming packet does not match any of the route-map entries, it is subjected to typical destination-based routing. Each route-map entry can optionally enable/disable logging.

The following criteria can optionally be used as traffic selection and segregation criteria:
• IP Access List - A typical IP ACL can be used for routing traffic. The mark and log actions in ACL rules however are neglected. Route-map entries have separate logging. Only one ACL can be configured per route map entry. ACL rules configured under route map entries merge to create a single ACL. Route map precedence values determine the prioritization of the rules in this merged ACL. An IP DSCP value is also added to the ACL rules.
• IP DSCP - Packet filtering can be performed by traffic class, as determined from the IP Differentiated Services Code Point (DSCP) field. One DSCP value can be configured per route map entry. If IP ACLs on a WLAN, ports or SVI mark packets, the new/marked DSCP value is used for matching.
• Incoming WLAN - Packets can be filtered on the basis of the incoming WLAN. Depending on whether the receiving device has an onboard radio or not, the following two scenarios are possible:
  - Device with an onboard radio: If a device having an onboard radio and capable of PBR receives a packet on a local WLAN, this WLAN is used for selection.
  - Device without an onboard radio: If a device, without an onboard radio, capable of PBR receives a packet from an extended VLAN, it passes the WLAN information in the MiNT packet to the PBR router. The PBR router uses this information as match criteria.
• Client role - The client role can be used as match criteria, similar to a WLAN. Each device has to agree on a unique identifier for role definition and pass the same MINT tunneled packets.
• Incoming SVI - A source IP address qualifier in an ACL typically satisfies filter requirements. But if the source host (where the packet originates) is multiple hops away, the incoming SVI can be used as match criteria. In this context the SVI refers to the device interface performing PBR, and not to the source device.

Mark (or action) clauses determine the routing function when a packet satisfies match criteria. If no mark clauses are defined, the default is to fall back to destination-based routing for packets satisfying the match criteria. If no mark clause is configured and fallback to destination-based routing is disabled, then the packet is dropped. The mark clause defines one of the following actions:
• Next hop - The IP address of the next hop or the outgoing interface through which the packet should be routed. Up to two next hops can be specified. The outgoing interface should be a PPP, a tunnel interface or a SVI which has DHCP client configured. The first reachable hop should be used. But if all next hops are unreachable, typical destination-based route lookup is performed.
• Default next hop - If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This can be either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined. The difference between the next hop and the default next-hop is: in case of the former, PBR occurs first, then destination-based routing. In case of the latter, the order is reversed. In both cases:
  a. If a defined next hop is reachable, it is used. If fallback is configured refer to (b).
  b. Perform normal destination-based route lookup. If a next hop is found, it is used, if not refer to (c).
  c. If default next hop is configured and reachable, it is used, if not, packet is dropped.
• Fallback - Enables fallback to destination-based routing if none of the configured next hops are reachable (or not configured). This is enabled by default.
• Mark IP DSCP - Configures IP DSCP bits for QoS using an ACL. The mark action of the route maps takes precedence over the mark action of an ACL.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
route-map <1-100>

Parameters
• route-map <1-100>

route-map <1-100>
    Creates a route map entry, sets a precedence value for the route map, and enters the route map configuration mode
    • <1-100> – Specify a precedence value from 1 - 100.
    Note: The lower the sequence number, the higher the precedence.

Example
rfs6000-37FABE(config-routing-policy-testpolicy)#route-map 1
rfs6000-37FABE(config-routing-policy-testpolicy)#show context
routing-policy testpolicy
 logging
 route-map 1
rfs6000-37FABE(config-routing-policy-testpolicy)#

rfs6000-37FABE(config-routing-policy-testpolicy)#route-map 1
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#?
Route Map Mode commands:
  default-next-hop  Default next-hop configuration (aka
                    gateway-of-last-resort)
  fallback          Fallback to destination based routing if no next-hop is
                    configured or all are unreachable
  mark              Mark action for route map
  match             Match clause configuration for Route Map
  next-hop          Next-hop configuration
  no                Negate a command or set its defaults

  clrscr            Clears the display screen
  commit            Commit all changes made in this session
  do                Run commands from Exec mode
  end               End current mode and change to EXEC mode
  exit              End current mode and down to previous mode
  help              Description of the interactive help system
  revert            Revert changes
  service           Service Commands
  show              Show running system information
  write             Write running configuration to memory or terminal

rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#

Related Commands
no
    Removes a route map

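The evaluation order described in this section (precedence, next hop, fallback, default next hop, drop), modeled in Python so the forwarding outcome of a policy can be checked before it is committed. This is an added example, not code from the manual or from WiNG: the class and function names, route-map 10, the RIB and the addresses are hypothetical, and it assumes that every configured match clause must hold and that step (c) is still evaluated when fallback is disabled.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

Decision = namedtuple("Decision", "action via route_map dscp")


@dataclass
class Packet:
    dst: str
    in_if: Optional[str] = None   # incoming SVI / interface
    wlan: Optional[str] = None    # incoming WLAN
    dscp: int = 0


@dataclass
class RouteMap:
    precedence: int                       # route-map <1-100>; lowest value is applied first
    match_in_if: Optional[str] = None     # match incoming-interface
    match_wlan: Optional[str] = None      # match wlan
    match_dscp: Optional[int] = None      # match ip dscp
    next_hops: List[str] = field(default_factory=list)  # next-hop: primary, optional secondary
    default_next_hop: Optional[str] = None               # default-next-hop (only one allowed)
    fallback: bool = True                 # fallback is enabled by default
    mark_dscp: Optional[int] = None       # mark ip dscp

    def matches(self, pkt: Packet) -> bool:
        # Assumption: all configured match clauses must hold; unset clauses match anything.
        return ((self.match_in_if is None or self.match_in_if == pkt.in_if)
                and (self.match_wlan is None or self.match_wlan == pkt.wlan)
                and (self.match_dscp is None or self.match_dscp == pkt.dscp))


def rib_lookup(rib, dst):
    """Destination-based routing: longest-prefix match over {prefix: next hop}."""
    addr, best = ip_address(dst), None
    for prefix, hop in rib.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None


def decide(pkt, route_maps, reachable, rib):
    """Return the forwarding Decision for pkt; reachable is the set of live next hops."""
    for rm in sorted(route_maps, key=lambda r: r.precedence):
        if not rm.matches(pkt):
            continue                      # try the entry with the next precedence
        # Assumption: the mark action applies whenever the entry matched and forwards.
        dscp = pkt.dscp if rm.mark_dscp is None else rm.mark_dscp
        # (a) the first reachable configured next hop is used (at most two are allowed)
        for hop in rm.next_hops[:2]:
            if hop in reachable:
                return Decision("pbr-next-hop", hop, rm.precedence, dscp)
        # (b) destination-based lookup, only when fallback is enabled
        if rm.fallback:
            hop = rib_lookup(rib, pkt.dst)
            if hop is not None:
                return Decision("destination-route", hop, rm.precedence, dscp)
        # (c) default next hop if configured and reachable, otherwise the packet is dropped
        if rm.default_next_hop is not None and rm.default_next_hop in reachable:
            return Decision("pbr-default-next-hop", rm.default_next_hop, rm.precedence, dscp)
        return Decision("drop", None, rm.precedence, pkt.dscp)
    # No route-map entry matched: typical destination-based routing.
    hop = rib_lookup(rib, pkt.dst)
    return Decision("destination-route" if hop else "no-route", hop, None, pkt.dscp)


# Route-map 1 mirrors the manual's example (match incoming-interface pppoe1,
# next-hop vlan1, default-next-hop wwan1, mark ip dscp 7). Route-map 10, the RIB
# and all addresses (documentation ranges) are constructed for this illustration.
POLICY = [
    RouteMap(10, match_wlan="guest", next_hops=["203.0.113.1"], fallback=False),
    RouteMap(1, match_in_if="pppoe1", next_hops=["vlan1"],
             default_next_hop="wwan1", mark_dscp=7),
]
RIB = {"192.0.2.0/24": "198.51.100.1", "192.0.2.128/25": "198.51.100.2"}

if __name__ == "__main__":
    cases = [
        (Packet("192.0.2.9", in_if="pppoe1"), {"vlan1", "wwan1"}),
        (Packet("192.0.2.200", in_if="pppoe1"), {"wwan1"}),
        (Packet("203.0.113.50", in_if="pppoe1"), {"wwan1"}),
        (Packet("192.0.2.9", wlan="guest"), set()),
    ]
    for pkt, up in cases:
        print(pkt, sorted(up), "->", decide(pkt, POLICY, up, RIB))
```

The last case shows the failure mode worth reviewing in any policy: with fallback disabled and no reachable next hop, matching traffic is dropped even though the routing table has a route to the destination.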
24.1.4 route-map-mode
route-map

The following table summarizes route-map configuration commands:

Table 24.2 Route-Map-Config Commands

Command            Description
default-next-hop   Sets the default next hop for packets satisfying match criteria
fallback           Configures a fallback to the next destination
mark               Marks action clause for packets satisfying match criteria
match              Sets match clauses for the route map
next-hop           Sets the next hop for packets satisfying match criteria
no                 Negates a command or sets its default

24.1.4.1 default-next-hop
route-map-mode

Sets the default next hop for packets satisfying match criteria

If a packet, subjected to PBR, does not have an explicit route to the destination, the configured default next hop is used. This value is set as either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined. The difference between the next hop and the default next-hop is: in case of the former, PBR occurs first, then destination-based routing. In case of the latter, the order is reversed. Use this command to set either the default next hop IP address or define either a WWAN1, PPPoE1, or VLAN interface.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
default-next-hop [<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1]

Parameters
• default-next-hop [<IP>|<ROUTER-IF-NAME>|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|pppoe1|vlan <1-4094>|wwan1]

default-next-hop
    Sets the next hop router to which packets are sent in case the next hop is not the adjacent router
<IP>
    Specifies next hop router’s IP address
<ROUTER-IF-NAME>
    Specifies the outgoing interface name (router interface name)
pppoe1
    Specifies the PPPoE interface
serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>
    Specifies the serial interface’s slot, port, and channel group IDs
vlan <1-4094>
    Specifies a VLAN interface ID
    • <1-4094> – Specify a value from 1 - 4094.
wwan1
    Specifies the WAN interface

Example
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#default-next-hop wwan1
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
 route-map 1
  default-next-hop wwan1
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#

Related Commands
no
    Removes default next hop router settings

24.1.4.2 fallback
route-map-mode

Enables fallback to destination-based routing. This option is enabled by default. To disable fallback, use the no > fallback command.

The action taken for packets satisfying the match criteria is determined by the mark (action) clauses. If no action is defined, the default is to fall back to destination-based routing.

NOTE: If no mark clause is configured and fallback to destination-based routing is disabled, then the packet is dropped.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
fallback

Parameters
None

Example
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#fallback
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#

Related Commands
no
    Disables fallback to destination-based routing, if no next hop is configured or all are unreachable

24.1.4.3 mark
route-map-mode

Enables the marking of the DSCP field in the IP header

Use this command to set the IP DSCP bits for QoS using an ACL. The mark action of the route maps takes precedence over the mark action of an ACL.

The DSCP field in an IP header enables packet classification. Packet filtering can be done based on traffic class, determined from the IP DSCP field. One DSCP value can be configured per route map entry.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mark ip dscp <0-63>

Parameters
• mark ip dscp <0-63>

ip dscp <0-63>
    Marks the DSCP field in the IP header
    • <0-63> – Specify a DSCP value from 0 - 63.

Example
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
 route-map 1
  default-next-hop wwan1
  mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#

Related Commands
no
    Disables marking of IP packets

24.1.4.4 match
route-map-mode

Sets the match clauses

Each route map entry has a set of match clauses used to segregate and filter packets. Packets can be segregated using any one of the following criteria:
• IP Access List - A typical IP ACL can be used for routing traffic. The mark and log actions in ACL rules however are neglected. Route-map entries have separate logging. Only one ACL can be configured per route map entry. ACL rules configured under route map entries merge to create a single ACL. Route map precedence values determine the prioritization of the rules in this merged ACL. An IP DSCP value is also added to the ACL rules.
• IP DSCP - Packet filtering can be performed by traffic class, as determined from the IP Differentiated Services Code Point (DSCP) field. One DSCP value can be configured per route map entry. If IP ACLs on a WLAN, ports or SVI mark packets, the new/marked DSCP value is used for matching.
• Incoming WLAN - Packets can be filtered on the basis of the incoming WLAN. Depending on whether the receiving device has an onboard radio or not, the following two scenarios are possible:
  - Device with an onboard radio: If a device having an onboard radio and capable of PBR receives a packet on a local WLAN, this WLAN is used for selection.
  - Device without an onboard radio: If a device, without an onboard radio, capable of PBR receives a packet from an extended VLAN, it passes the WLAN information in the MiNT packet to the PBR router. The PBR router uses this information as match criteria.
• Client role - The client role can be used as match criteria, similar to a WLAN. Each device has to agree on a unique identifier for role definition and pass the same MINT tunneled packets.
• Incoming SVI - A source IP address qualifier in an ACL typically satisfies filter requirements. But if the source host (where the packet originates) is multiple hops away, the incoming SVI can be used as match criteria. In this context the SVI refers to the device interface performing PBR, and not to the source device.

The action taken for filtered packets is determined by the mark (action) clauses. If no action is defined, the default is to fall back to destination-based routing for packets satisfying the match criteria. For more information on configuring mark clauses, see mark. And for more information on fallback action, see fallback.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
match [incoming-interface|ip|ip-access-list|wireless-client-role|wlan]
match incoming-interface [<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1]
match ip dscp <0-63>
match ip-access-list <IP-ACCESS-LIST-NAME>
match wireless-client-role <ROLE-POLICY-NAME> <ROLE-NAME>
match wlan <WLAN-NAME>

Parameters
• match incoming-interface [<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1]

incoming-interface
    Sets the incoming SVI match clause. Specify an interface name.
<ROUTER-IF-NAME>
    Specifies the layer 3 interface name (route interface)
pppoe1
    Specifies the PPP over Ethernet interface
serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>
    Specifies the serial interface’s slot, port, and channel group IDs.
vlan <1-4094>
    Specifies the VLAN interface ID
    • <1-4094> – Specify a VLAN ID from 1 - 4094.
wwan1
    Specifies the WAN interface name

• match ip dscp <0-63>

ip dscp <0-63>
    Sets the DSCP match clause
    • <0-63> – Specify a value from 0 - 63. The defined DSCP value is used as a matching clause for this route map.

• match ip-access-list <IP-ACCESS-LIST-NAME>

ip-access-list <IP-ACCESS-LIST-NAME>
    Sets the match clause using a pre-configured IP access list
    • <IP-ACCESS-LIST-NAME> – Specify a pre-configured IP access list name.

• match wireless-client-role <ROLE-POLICY-NAME> <ROLE-NAME>

wireless-client-role <ROLE-POLICY-NAME> <ROLE-NAME>
    Sets the wireless client role match clause
    • <ROLE-POLICY-NAME> – Specify a pre-configured role policy.
    • <ROLE-NAME> – Specify a pre-configured role within it.

• match wlan <WLAN-NAME>

wlan <WLAN-NAME>
    Sets the incoming WLAN match clause
    • <WLAN-NAME> – Specify a WLAN name.

Example
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#match incoming-interface pppoe1
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
 route-map 1
  match incoming-interface pppoe1
  default-next-hop wwan1
  mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#

Related Commands
no
    Disables match clause settings for this route map

24.1.4.5 next-hop
route-map-mode

Sets the next hop for packets satisfying match criteria

This command allows you to configure the primary and secondary hop priority requests.

Define the primary and secondary hop settings. When defined, the primary hop resource is used with no additional considerations whenever it is available.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
next-hop [<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwlan1] {<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwlan1}

Parameters
• next-hop [<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwlan1] {<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwlan1}

next-hop
    Sets the next hop (primary and secondary) for packets satisfying match criteria
    It is not mandatory to define the secondary hop interface. The secondary hop is used in case the primary hop is unavailable.
<IP>
    Specifies the primary and secondary next hop router’s IP address
<WORD>
    Specifies the layer 3 Interface name (router interface)
pppoe1
    Specifies the PPP over Ethernet interface
serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>
    Specifies the serial interface’s slot, port, and channel group IDs.
vlan <1-4094>
    Specifies the VLAN interface ID
    • <1-4094> – Specify a VLAN ID from 1 - 4094. The VLAN interface should be a DHCP client.
wwan1
    Specifies the WAN interface

Example
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#next-hop vlan 1
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
 route-map 1
  match incoming-interface pppoe1
  next-hop vlan1
  default-next-hop wwan1
  mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#

Related Commands
no
    Disables the next hop router settings

24.1.4.6 no
route-map-mode

Negates a command or sets its defaults

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [default-next-hop|fallback|mark|match|next-hop]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Negates a command or sets its defaults

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
The following example shows the route-map ‘1’ settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
 route-map 1
  match incoming-interface pppoe1
  next-hop vlan1
  default-next-hop wwan1
  mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#

rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#no default-next-hop
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#no next-hop

The following example shows the route-map ‘1’ settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
 route-map 1
  match incoming-interface pppoe1
  mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#

24.1.5 use
routing-policy-commands

Uses Critical Resource Management (CRM) to monitor link status

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use critical-resource-monitoring

Parameters
• use critical-resource-monitoring

use critical-resource-monitoring
    Uses CRM to monitor the status of a link. Selecting this option determines the disposition of the route-map next hop via monitored critical resources. Link monitoring is the function used to determine a potential fail over to the secondary next hop. This option is enabled by default.

Example
rfs6000-37FABE(config-routing-policy-testpolicy)#use critical-resource-monitoring
rfs6000-37FABE(config-routing-policy-testpolicy)#

Related Commands
no
    Disables CRM link status monitoring

24.1.6 no
routing-policy-commands

Negates a command or sets its defaults

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [apply-to-local-packets|logging|route-map|use]

Parameters
• no <PARAMETERS>
no <PARAMETERS>    Negates a command or sets its defaults

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
The following example shows the routing policy ‘testpolicy’ settings before the ‘no’ commands are executed:
rfs6000-37FABE(config-routing-policy-testpolicy)#show context
routing-policy testpolicy
 logging
 route-map 1
  match incoming-interface pppoe1
  default-next-hop wwan1
  mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy)#
rfs6000-37FABE(config-routing-policy-testpolicy)#no logging
rfs6000-37FABE(config-routing-policy-testpolicy)#no route-map 1
rfs6000-37FABE(config-routing-policy-testpolicy)#no apply-to-local-packets
The following example shows the routing policy ‘testpolicy’ settings after the ‘no’ commands are executed:
rfs6000-37FABE(config-routing-policy-testpolicy)#show context
routing-policy testpolicy
 no apply-to-local-packets
rfs6000-37FABE(config-routing-policy-testpolicy)#
25 AAA-TACACS-POLICY

This chapter summarizes the accounting, authentication, and authorization (AAA) Terminal Access Controller Access-Control System (TACACS) policy commands in the CLI command structure.

TACACS is a network security application that provides additional network security by providing a centralized authentication, authorization, and accounting platform. TACACS implementation requires configuration of the TACACS authentication server and database.

Use the (config) instance to configure AAA-TACACS policy commands. To navigate to the config-aaa-tacacs-policy instance, use the following commands:

<DEVICE>(config)#aaa-tacacs-policy <POLICY-NAME>

rfs6000-37FABE(config)#aaa-tacacs-policy test
rfs6000-37FABE(config-aaa-tacacs-policy-test)#?
AAA TACACS Policy Mode commands:
  accounting      Configure accounting parameters
  authentication  Configure authentication parameters
  authorization   Configure authorization parameters
  no              Negate a command or set its defaults
  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  do              Run commands from Exec mode
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode
  help            Description of the interactive help system
  revert          Revert changes
  service         Service Commands
  show            Show running system information
  write           Write running configuration to memory or terminal
rfs6000-37FABE(config-aaa-tacacs-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
25.1 aaa-tacacs-policy
AAA-TACACS-POLICY

The following table summarizes AAA-TACACS policy configuration commands:

Table 25.1 AAA-TACACS-Policy-Config Commands
Command         Description                                  Reference
accounting      Configures TACACS accounting parameters      page 25-3
authentication  Configures TACACS authentication parameters  page 25-6
authorization   Configures TACACS authorization parameters   page 25-9
no              Negates a command or sets its default        page 25-12

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
25.1.1 accounting
aaa-tacacs-policy

Configures the server type and interval at which interim accounting updates are sent to the server. Up to 2 accounting servers can be configured.

This feature tracks user activities on the network, and provides information such as resources used and usage time. This information can be used for audit and billing purposes.

TACACS accounting tracks user activity and is useful for security audit purposes.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
accounting [access-method|auth-fail|commands|server|session]
accounting access-method [all|console|ssh|telnet] {(console|ssh|telnet)}
accounting [auth-fail|commands|session]
accounting server [<1-2>|preference]
accounting server preference [authenticated-server-host|authenticated-server-number|authorized-server-host|authorized-server-number|none]
accounting server <1-2> [host|retry-timeout-factor <50-200>|timeout]
accounting server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
accounting server <1-2> timeout <3-5> {attempts <1-3>}

Parameters
• accounting access-method [all|console|ssh|telnet] {(console|ssh|telnet)}
• accounting [auth-fail|commands|session]
access-method    Configures TACACS accounting access mode. The options are: console, SSH, Telnet, and all.
all    Configures TACACS accounting for all access modes
console    Configures TACACS accounting for console access only
ssh    Configures TACACS accounting for SSH access only
telnet    Configures TACACS accounting for Telnet access only
auth-fail    Enables accounting for authentication fail details. This option is disabled by default.
commands    Enables accounting of commands executed. This option is disabled by default.
session    Enables accounting for session start and stop details. This option is disabled by default.
• accounting server preference [authenticated-server-host|authenticated-server-number|authorized-server-host|authorized-server-number|none]
• accounting server <1-2> retry-timeout-factor <50-200>
• accounting server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
server    Configures a TACACS accounting server
preference    Configures the accounting server preference (specifies the method of selecting a server, from the pool, to send the request)
authenticated-server-host    Sets the authentication server as the accounting server. This is the default setting. This parameter indicates the same server is used for authentication and accounting. The server is referred to by its hostname.
authenticated-server-number    Sets the authentication server as the accounting server. This parameter indicates the same server is used for authentication and accounting. The server is referred to by its index or number.
authorized-server-host    Sets the authorization server as the accounting server. This parameter indicates the same server is used for authorization and accounting. The server is referred to by its hostname.
authorized-server-number    Sets the authorized server as the accounting server. This parameter indicates the same server is used for authorization and accounting. The server is referred to by its index number.
none    Indicates the accounting server is independent of the authentication and authorization servers
server <1-2>    Configures an accounting server. Up to 2 accounting servers can be configured
retry-timeout-factor <50-200>    Sets the scaling factor for retry timeouts
  • <50-200> – Specify a value from 50 - 200. The default is 100.
  A value of 100 indicates the time gap between two consecutive retries remains the same irrespective of the number of retries.
  A value less than 100 indicates the time gap between two consecutive retries reduces with each successive retry.
  A value greater than 100 indicates the time gap between two consecutive retries increases with each successive retry.
server <1-2>    Configures an accounting server. Up to 2 accounting servers can be configured
host <IP/HOSTNAME>    Configures the accounting server’s IP address or hostname
secret [0 <SECRET>|2 <SECRET>|<SECRET>]    Optional. Configures a common secret key used to authenticate with the accounting server
  • 0 <SECRET> – Configures a clear text secret key
  • 2 <SECRET> – Configures an encrypted secret key
  • <SECRET> – Specify the secret key. This shared secret should not exceed 127 characters.
port <1-65535>    Optional. Configures the accounting server port (the port used to connect to the accounting server)
  • <1-65535> – Specify the TCP accounting port number from 1 - 65535. The default port is 49.
• accounting server <1-2> timeout <3-5> {attempts <1-3>}
server <1-2>    Configures an accounting server. Up to 2 accounting servers can be configured
timeout <3-5>    Configures the timeout for each request sent to the TACACS accounting server. This is the time allowed to elapse before another request is sent to the TACACS accounting server. If a response is received from the server within this time, no retry is attempted.
  • <3-5> – Specify a value from 3 - 5 seconds. The default is 3 seconds.
attempts <1-3>    Optional. Specifies the number of times a transmission request is attempted. This is the maximum number of times a request is sent to the TACACS accounting server before getting discarded.
  • <1-3> – Specify a value from 1 - 3. The default is 3.

Example
rfs6000-37FABE(config-aaa-tacacs-policy-test)#accounting auth-fail
rfs6000-37FABE(config-aaa-tacacs-policy-test)#accounting commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#accounting server preference authorized-server-number
rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 accounting server preference authorized-server-number
 accounting auth-fail
 accounting commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#

Related Commands
no    Resets values or disables commands
25.1.2 authentication
aaa-tacacs-policy

Configures user authentication parameters. Users are allowed or denied access to the network based on the authentication parameters set.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
authentication [access-method|directed-request|server|service]
authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet|web)}
authentication directed-request
authentication server <1-2> [host|retry-timeout-factor|timeout]
authentication server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
authentication server <1-2> retry-timeout-factor <50-200>
authentication server <1-2> timeout <3-60> {attempts <1-10>}
authentication service <SERVICE-NAME> {protocol <AUTHENTICATION-PROTO-NAME>}

Parameters
• authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet)}
• authentication directed-request
• authentication server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
access-method    Configures access modes for TACACS authentication. The options are: console, SSH, Telnet, Web, and all.
all    Authenticates users using all access modes (console, SSH, and Telnet)
console    Authenticates users using console access only
ssh    Authenticates users using SSH access only
telnet    Authenticates users using Telnet access only
web    Authenticates users using Web interface only
directed-request    Enables user to specify TACACS server to use with ‘@server’. This option is disabled by default. The specified server should be present in the configured servers list.
server <1-2>    Configures a TACACS authentication server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server index from 1 - 2.
• authentication server <1-2> retry-timeout-factor <50-200>
• authentication server <1-2> timeout <3-60> {attempts <1-10>}
• authentication service <SERVICE-NAME> {protocol <AUTHENTICATION-PROTO-NAME>}
host <IP/HOSTNAME>    Sets the TACACS server’s IP address or hostname
secret [0 <SECRET>|2 <SECRET>|<SECRET>]    Configures the secret key used to authenticate with the TACACS server
  • 0 <SECRET> – Configures a clear text secret
  • 2 <SECRET> – Configures an encrypted secret
  • <SECRET> – Specify the secret key. The shared key should not exceed 127 characters.
port <1-65535>    Optional. Specifies the port used to connect to the TACACS server
  • <1-65535> – Specify a value for the TCP authentication port from 1 - 65535. The default port is 49.
server <1-2>    Configures a TACACS authentication server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server index from 1 - 2.
retry-timeout-factor <50-200>    Configures timeout scaling between two consecutive TACACS authentication retries
  • <50-200> – Specify the scaling factor from 50 - 200. The default is 100.
  A value of 100 indicates the interval between consecutive retries remains the same irrespective of the number of retries.
  A value less than 100 indicates the interval between consecutive retries reduces with each successive retry.
  A value greater than 100 indicates the interval between consecutive retries increases with each successive retry.
server <1-2>    Configures a TACACS authentication server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server index from 1 - 2.
timeout <3-60>    Configures the timeout, in seconds, for each request sent to the TACACS server. This is the time allowed to elapse before another request is sent to the TACACS server. If a response is received from the TACACS server within this time, no retry is attempted.
  • <3-60> – Specify a value from 3 - 60 seconds. The default is 3 seconds.
attempts <1-10>    Optional. Indicates the number of retry attempts to make before giving up
  • <1-10> – Specify a value from 1 - 10. The default is 3.
service <SERVICE-NAME>    Configures the TACACS authentication service name
protocol <AUTHENTICATION-PROTO-NAME>    Optional. Specify the authentication protocol used with this TACACS policy. A maximum of five entries is allowed.
Example
rfs6000-37FABE(config-aaa-tacacs-policy-test)#authentication directed-request
rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 authentication directed-request
 accounting server preference authorized-server-number
 accounting auth-fail
 accounting commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#

Related Commands
no    Resets values or disables commands
25.1.3 authorization
aaa-tacacs-policy

Configures authorization parameters

This feature allows network administrators to limit user accessibility and configure varying levels of accessibility for different users.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
authorization [access-method|allow-privileged-commands|server]
authorization access-method [all|console|telnet|ssh] {(console|ssh|telnet)}
authorization server [<1-2>|preference]
authorization server <1-2> [host|retry-timeout-factor|timeout]
authorization server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
authorization server <1-2> retry-timeout-factor <50-200>
authorization server <1-2> timeout <3-5> {attempts <1-3>}
authorization server preference [authenticated-server-host|authenticated-server-number|none]

Parameters
• authorization access-method [all|console|telnet|ssh] {(console|ssh|telnet)}
• authorization allow-privileged-commands
• authorization server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
access-method    Configures the access method for command authorization
all    Authorizes commands from all access methods
console    Authorizes commands from the console only
telnet    Authorizes commands from Telnet only
ssh    Authorizes commands from SSH only
{console|ssh|telnet}    Optional. Configures more than one access method for command authorization
allow-privileged-commands    Allows privileged commands execution without command authorization. This option is disabled by default.
server <1-2>    Configures a TACACS authorization server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server index from 1 - 2.
• authorization server <1-2> retry-timeout-factor <50-200>
• authorization server <1-2> timeout <3-5> {attempts <1-3>}
• authorization server preference [authenticated-server-host|authenticated-server-number|none]
host <IP/HOSTNAME>    Sets the TACACS server’s IP address or hostname
secret [0 <SECRET>|2 <SECRET>|<SECRET>]    Optional. Configures the secret used to authorize with the TACACS server
  • 0 <SECRET> – Configures a clear text secret
  • 2 <SECRET> – Configures an encrypted secret
  • <SECRET> – Specify the secret key. The shared key should not exceed 127 characters.
port <1-65535>    Optional. Specifies the port used to connect to the TACACS server
  • <1-65535> – Specify a value for the TCP authorization port from 1 - 65535. The default port is 49.
server <1-2>    Configures a TACACS authorization server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server index from 1 - 2.
retry-timeout-factor <50-200>    Configures the scaling of timeouts between consecutive TACACS authorization retries
  • <50-200> – Specify the scaling factor from 50 - 200. The default is 100.
  A value of 100 indicates the interval between consecutive retries remains the same irrespective of the number of retries.
  A value less than 100 indicates the interval between consecutive retries reduces with each successive retry.
  A value greater than 100 indicates the interval between consecutive retries increases with each successive retry.
server <1-2>    Configures a TACACS authorization server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server’s index from 1 - 2.
timeout <3-5>    Configures the timeout, in seconds, for each request sent to the TACACS server. This is the time allowed to elapse before another request is sent to the TACACS server. If a response is received from the TACACS server within this time, no retry is attempted.
  • <3-5> – Specify a value from 3 - 5 seconds. The default is 3 seconds.
attempts <1-3>    Optional. Indicates the number of retry attempts to make before giving up
  • <1-3> – Specify a value from 1 - 3. The default is 3.
preference    Configures the authorization server preference
authenticated-server-host    Sets the authentication server as the authorization server. This parameter indicates the same server is used for authentication and authorization. The server is referred to by its hostname.
authenticated-server-number    Sets the authentication server as the authorization server. This parameter indicates the same server is used for authentication and authorization. The server is referred to by its index or number.
none    Indicates the authorization server is independent of the authentication

Example
rfs6000-37FABE(config-aaa-tacacs-policy-test)#authorization allow-privileged-commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 authentication directed-request
 accounting server preference authorized-server-number
 authorization allow-privileged-commands
 accounting auth-fail
 accounting commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#

Related Commands
no    Resets values or disables commands
25.1.4 no
aaa-tacacs-policy

Negates an AAA TACACS policy command or sets its default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [accounting|authentication|authorization]

Parameters
• no <PARAMETERS>
no <PARAMETERS>    Provide the parameters needed to reset or disable the desired AAA-TACACS policy setting.

Example
The following example shows the AAA-TACACS policy ‘test’ settings before the ‘no’ commands are executed:
rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 authentication directed-request
 accounting server preference authorized-server-number
 authorization allow-privileged-commands
 accounting auth-fail
 accounting commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#
rfs6000-37FABE(config-aaa-tacacs-policy-test)#no authentication directed-request
rfs6000-37FABE(config-aaa-tacacs-policy-test)#no accounting auth-fail
rfs6000-37FABE(config-aaa-tacacs-policy-test)#no authorization allow-privileged-commands
The following example shows the AAA-TACACS policy ‘test’ settings after the ‘no’ commands are executed:
rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 accounting server preference authorized-server-number
 accounting commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#

Related Commands
accounting    Configures TACACS accounting parameters
authentication    Configures TACACS authentication parameters
authorization    Configures TACACS authorization parameters
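The following Python check is an added example, not part of the manual or of any Extreme Networks tooling. It reads saved 'show context' text and reports three states this chapter describes: 'authorization allow-privileged-commands' enabled, any of the three accounting options left at its disabled default, and a server secret stored as type 0 (clear text). The sample text, rule names, address and secrets are constructed; the server lines follow the command syntax documented above, and how a device renders them in 'show context' is an assumption.

```python
import re
from typing import NamedTuple

# Constructed sample in 'show context' layout. The first policy is the manual's
# example plus one server line; the second is a hardened variant.
# The address and both secrets are placeholders, not real values.
SAMPLE_CONTEXT = """\
aaa-tacacs-policy test
 authentication server 1 host 192.0.2.10 secret 0 ExampleSecret port 49
 authentication directed-request
 accounting server preference authorized-server-number
 authorization allow-privileged-commands
 accounting auth-fail
 accounting commands
aaa-tacacs-policy hardened
 authentication server 1 host 192.0.2.10 secret 2 EXAMPLE-ENCRYPTED port 49
 accounting auth-fail
 accounting commands
 accounting session
 no authorization allow-privileged-commands
"""

# Accounting options the manual lists as disabled by default.
ACCOUNTING_OPTIONS = ("auth-fail", "commands", "session")


class Finding(NamedTuple):
    policy: str
    rule: str      # hypothetical rule label chosen for this example
    detail: str


def parse_policies(text):
    """Return {policy name: [token list for each enabled setting]}."""
    policies, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Unindented line: a policy header, or something else (a CLI
            # prompt, another object) that ends the current policy block.
            m = re.fullmatch(r"aaa-tacacs-policy\s+(\S+)", raw.strip())
            current = policies.setdefault(m.group(1), []) if m else None
            continue
        tokens = raw.split()
        # A leading 'no' records an explicitly disabled setting; skip it.
        if current is not None and tokens[0] != "no":
            current.append(tokens)
    return policies


def audit(text):
    """Return a list of Finding tuples; secret values are never echoed."""
    findings = []
    for name, settings in parse_policies(text).items():
        enabled = {" ".join(tokens) for tokens in settings}
        if "authorization allow-privileged-commands" in enabled:
            findings.append(Finding(
                name, "PRIV-CMDS-UNAUTHORIZED",
                "privileged commands execute without command authorization"))
        for opt in ACCOUNTING_OPTIONS:
            if f"accounting {opt}" not in enabled:
                findings.append(Finding(
                    name, f"NO-ACCOUNTING-{opt.upper()}",
                    f"'accounting {opt}' is not enabled (disabled by default)"))
        for t in settings:
            # <function> server <1-2> host <IP/HOSTNAME> {secret [0|2] <SECRET>}
            if (len(t) >= 5 and t[1] == "server" and t[3] == "host"
                    and "secret" in t[5:]):
                i = t.index("secret", 5)
                if i + 2 < len(t) and t[i + 1] == "0":
                    findings.append(Finding(
                        name, "CLEARTEXT-SECRET",
                        f"{t[0]} server {t[2]} secret is type 0 (clear text)"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONTEXT):
        print(f"{f.policy}: {f.rule}: {f.detail}")
```

Text pasted straight from a terminal session also works, because prompt lines are unindented and simply end the current policy block.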
26 MESHPOINT

This chapter summarizes the Meshpoint commands in the CLI command structure.

Meshpoints are detector radios that monitor their coverage areas for potential failed peers or coverage area holes requiring transmission adjustments for coverage compensation.

This chapter is organized as follows:
• meshpoint-config-instance
• meshpoint-qos-policy-config-instance
• meshpoint-device-config-instance

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
26.1 meshpoint-config-instance
MESHPOINT

MeshConnex (MCX) is a mesh networking technology that is comparable to the 802.11s mesh networking specification. MCX meshing uses a hybrid proactive/on-demand path selection protocol, similar to Ad hoc On Demand Distance Vector (AODV) routing protocols. This allows it to form efficient paths using multiple attachment points to a distribution WAN, or form purely ad-hoc peer-to-peer mesh networks in the absence of a WAN. Each device in the MCX mesh proactively manages its own path to the distribution WAN, but can also form peer-to-peer paths on demand to improve forwarding efficiency.

MCX is not compatible with MiNT Based meshing, though the two technologies can be enabled simultaneously in certain circumstances.

MCX is designed for large-scale, high-mobility outdoor mesh deployments. MCX continually gathers data from beacons and transmission attempts to estimate the efficiency and throughput of each MP-to-MP link. MCX uses this data to dynamically form and continually maintain paths for forwarding network frames.

In MCX systems, a meshpoint (MP) is a virtual mesh networking instance on a device, similar to a WLAN AP. On each device, up to 4 MPs can be created and 2 can be created per radio. MPs can be configured to use one or both radios in the device. If the MP is configured to use both radios, the path selection protocols will continually select the best radio to reach each destination. Each MP participates in a single Mesh Network, defined by the MeshID. The MeshID is typically a descriptive network name, similar to the SSID of a WLAN. All MPs configured to use the same MeshID attempt to form a mesh and interoperate. The MeshID allows overlapping mesh networks to discriminate and disregard MPs belonging to different networks.

Use the (config) instance to configure a meshpoint. To navigate to the meshpoint configuration instance, use the following command:

<DEVICE>(config)#meshpoint <MESHPOINT-NAME>

rfs6000-37FABE(config)#meshpoint test
rfs6000-37FABE(config-meshpoint-test)#?
Mesh Point Mode commands:
  allowed-vlans  Set the allowed VLANs
  beacon-format  The beacon format of this meshpoint
  control-vlan   VLAN for meshpoint control traffic
  data-rates     Specify the 802.11 rates to be supported on this meshpoint
  description    Configure a description of the usage of this meshpoint
  force          Force suboptimal paths
  meshid         Configure the Service Set Identifier for this meshpoint
  neighbor       Configure neighbor specific parameters
  no             Negate a command or set its defaults
  root           Set this meshpoint as root
  security-mode  The security mode of this meshpoint
  shutdown       Shutdown this meshpoint
  use            Set setting to use
  wpa2           Modify ccmp wpa2 related parameters
  clrscr         Clears the display screen
  commit         Commit all changes made in this session
  do             Run commands from Exec mode
  end            End current mode and change to EXEC mode
  exit           End current mode and down to previous mode
  help           Description of the interactive help system
  revert         Revert changes
  service        Service Commands
  show           Show running system information
  write          Write running configuration to memory or terminal
rfs6000-37FABE(config-meshpoint-test)#

The following table summarizes meshpoint configuration commands:

Table 26.1 Meshpoint-Config commands
Command        Description                                                              Reference
allowed-vlans  Configures VLANs allowed on the meshpoint                                page 26-4
beacon-format  Configures the beacon format for the meshpoint AP                        page 26-5
control-vlan   Configures the VLAN where meshpoint control traffic traverses            page 26-6
data-rates     Configures the data rates supported per frequency band                   page 26-7
description    Configures a human friendly description for this meshpoint               page 26-11
force          Forces formation of sub-optimal paths through the meshpoint’s root node  page 26-12
meshid         Configures a unique ID for this meshpoint                                page 26-13
neighbor       Configures the neighbor inactivity time out for this meshpoint           page 26-14
no             Negates a command or reverts settings to their default                   page 26-15
root           Configures a meshpoint as the root meshpoint                             page 26-17
security-mode  Configures the security mode on the meshpoint                            page 26-19
service        Allows only 802.11n capable neighbors to create a mesh connection        page 26-20
shutdown       Shuts down the meshpoint                                                 page 26-21
use            Configures a QoS policy for use with this meshpoint                      page 26-22
wpa2           Configures WPA2 encryption settings                                      page 26-23

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
26.1.1 allowed-vlans
meshpoint-config-instance

Defines VLANs allowed to pass traffic on the mesh network. Use this command to add and remove VLANs from the list of allowed VLANs.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
allowed-vlans [<VLAN-ID>|add <VLAN-ID>|remove <VLAN-ID>]

Parameters
• allowed-vlans [<VLAN-ID>|add <VLAN-ID>|remove <VLAN-ID>]
allowed-vlans    Defines VLANs allowed access on the mesh network
<VLAN-ID>    The VLAN ID or the range of IDs to be managed. A single VLAN or multiple VLANs can be added to the list of allowed VLANs. When adding multiple VLANs, specify the range (for example, 10-20, 25, 30-35). Use this command to create a VLAN list on a new meshpoint.
add <VLAN-ID>    Adds a single VLAN or a range of VLANs to the list of allowed VLANs. To specify a range of VLANs, specify the first and last VLAN ID in the range separated by a hyphen (for example, 1-10).
  • <VLAN-ID> – Specify the VLAN ID or the range of IDs to add.
remove <VLAN-ID>    Removes a single VLAN or a range of VLANs from the list of allowed VLANs
  • <VLAN-ID> – Specify the VLAN ID or the range of IDs to remove.

Example
rfs6000-37FABE(config-meshpoint-test)#allowed-vlans 1
rfs6000-37FABE(config-meshpoint-test)#allowed-vlans add 10-23
rfs6000-37FABE(config-meshpoint-test)#allowed-vlans remove 17
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 security-mode none
 no root
rfs6000-37FABE(config-meshpoint-test)#

Related Commands
no    Clears the list of VLANs allowed access to the mesh network
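The range arithmetic in the example above (set 1, add 10-23, remove 17, giving 1,10-16,18-23) can be reproduced offline and used to compare a meshpoint's allowed-VLAN list with an approved baseline. The Python below is an added example, not part of the manual. Its function names and the baseline value are constructed, the 1-4094 bound is the 802.1Q range the manual also gives for control-vlan, and treating the bare 'allowed-vlans <VLAN-ID>' form as replacing the list is an assumption.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094   # 802.1Q VLAN ID range (assumed to apply here)

# Command sequence copied from the manual's example.
MANUAL_COMMANDS = [
    "allowed-vlans 1",
    "allowed-vlans add 10-23",
    "allowed-vlans remove 17",
]


def parse_vlans(spec):
    """Turn '10-20, 25, 30-35' into a set of VLAN IDs, rejecting bad input."""
    vlans = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", part.strip())
        if not m:
            raise ValueError(f"not a VLAN ID or range: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"VLAN range out of bounds or reversed: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def render_vlans(vlans):
    """Collapse a set of IDs into the compact form 'show context' prints."""
    parts, start, prev = [], None, None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            parts.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = v
    if start is not None:
        parts.append(str(start) if start == prev else f"{start}-{prev}")
    return ",".join(parts)


def apply_commands(commands, allowed=()):
    """Apply allowed-vlans commands in order and return the resulting set."""
    allowed = set(allowed)
    for cmd in commands:
        words = cmd.split()
        if len(words) < 2 or words[0] != "allowed-vlans":
            raise ValueError(f"unsupported command: {cmd!r}")
        if words[1] in ("add", "remove"):
            vlans = parse_vlans(" ".join(words[2:]))
            allowed = allowed | vlans if words[1] == "add" else allowed - vlans
        else:
            # Assumption: the bare form sets (replaces) the list.
            allowed = parse_vlans(" ".join(words[1:]))
    return allowed


def compare_to_baseline(allowed, approved):
    """Return (unexpected, missing) VLANs relative to an approved set."""
    return render_vlans(allowed - approved), render_vlans(approved - allowed)


if __name__ == "__main__":
    result = apply_commands(MANUAL_COMMANDS)
    print("allowed-vlans", render_vlans(result))
    # Constructed baseline: the VLANs a change record says the mesh may carry.
    print(compare_to_baseline(result, parse_vlans("1,10-16")))
```

Any VLAN reported as unexpected is a segment the mesh will carry that the baseline did not approve.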
26.1.2 beacon-format
meshpoint-config-instance

Configures the beacon transmission format for this meshpoint. Beacons are transmitted periodically to advertise that a wireless network is available. A beacon contains all the information a device requires to connect to the network.

The beacon format advertises how a mesh capable AP7161 acts. APs can act either as an access point or a meshpoint.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
beacon-format [access-point|mesh-point]

Parameters
• beacon-format [access-point|mesh-point]
beacon-format    Configures how a mesh capable AP71XX acts in a mesh network
access-point    Uses access point style beacons
mesh-point    Uses meshpoint style beacons (this is the default setting)

Example
rfs6000-37FABE(config-meshpoint-test)#beacon-format mesh-point
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 security-mode none
 no root
rfs6000-37FABE(config-meshpoint-test)#

Related Commands
no    Resets the beacon format for this meshpoint to its default (mesh-point)
26.1.3 control-vlan
meshpoint-config-instance

Configures a VLAN as the dedicated control VLAN

Mesh management traffic can be sent over a dedicated VLAN. This dedicated VLAN is known as the control VLAN, and should be configured in the backhaul port of all the access points configured as meshpoint roots. Once configured, the control VLAN enables communication between the meshpoint’s root APs.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters
• control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]
control-vlan    Configures a VLAN as a dedicated carrier of mesh management traffic
[<1-4094>|<VLAN-ALIAS-NAME>]    Configures the control VLAN
  • <1-4094> – Specify the control VLAN from 1 - 4094. The default is VLAN 1.
  • <VLAN-ALIAS-NAME> – Uses a vlan-alias to specify the control VLAN. If using a vlan-alias, ensure that it exists and is configured.
  If VLAN 1 is configured as the control VLAN, ensure that the VLAN is configured in the wired port of all access points belonging to the same meshpoint.
  Note: The control VLAN need not necessarily be added to the allowed VLAN list.

Example
rfs6000-37FABE(config-meshpoint-test)#control-vlan 1
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 security-mode none
 no root
rfs6000-37FABE(config-meshpoint-test)#

Related Commands
no    Resets the control VLAN for this meshpoint to its default of 1

26.1.4 data-rates

meshpoint-config-instance

Configures individual data rates for the 2.4 GHz and 5.0 GHz frequency bands. In a mesh network, a mesh point is a virtual mesh networking instance on a device, similar to a WLAN AP. On each device, up to 4 mesh points can be created and 2 can be created per radio. Each mesh point radio can have carefully administered radio rates specific to the 2.4 or 5 GHz band. Use this command to configure these radio rates.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
data-rates [2.4GHz|5GHz]
data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn]
data-rates 2.4GHz custom (1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)
data-rates 5GHz [a-only|an|default]
data-rates 5GHz custom (12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)

Parameters

NOTE: Ensure that the basic data rates configured on a meshpoint’s root and non-root access points are the same.

• data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn]

data-rates 2.4GHz – Configures preset data rates for the 2.4 GHz frequency.
b-only – Configures data rate for the meshpoint using 802.11b only rates.
bg – Configures data rate for the meshpoint using 802.11b and 802.11g rates.
default – Configures data rate for the meshpoint at a pre-configured default rate for this frequency.
g-only – Configures data rate for the meshpoint using 802.11g only rates.
gn – Configures data rate for the meshpoint using 802.11g and 802.11n rates.

• data-rates 2.4GHz custom (1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)

data-rates 2.4GHz – Configures the preset data rates for the 2.4 GHz frequency.
Define both minimum Basic and optimal Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band.
These are the rates at which wireless client traffic is supported within this mesh point. If supporting 802.11n, select a supported MCS index.
Set a Modulation and Coding Scheme (MCS) in respect to the radio's channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types.
Meshpoints can communicate as long as they support the same basic MCS (as well as non-802.11n basic rates). The selected rates apply to associated client traffic within this mesh point only.

custom (1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7) – Configures custom rates
• 1 – Configures the available rate at 1 Mbps
• 2 – Configures the available rate at 2 Mbps
• 5.5 – Configures the available rate at 5.5 Mbps
• 6 – Configures the available rate at 6 Mbps
• 9 – Configures the available rate at 9 Mbps
• 11 – Configures the available rate at 11 Mbps
• 12 – Configures the available rate at 12 Mbps
• 18 – Configures the available rate at 18 Mbps
• 24 – Configures the available rate at 24 Mbps
• 36 – Configures the available rate at 36 Mbps
• 48 – Configures the available rate at 48 Mbps
• 54 – Configures the available rate at 54 Mbps
• basic-1 – Configures the available rate at a basic rate of 1 Mbps
• basic-2 – Configures the available rate at a basic rate of 2 Mbps
• basic-5.5 – Configures the available rate at a basic rate of 5.5 Mbps
• basic-6 – Configures the available rate at a basic rate of 6 Mbps
• basic-9 – Configures the available rate at a basic rate of 9 Mbps
• basic-11 – Configures the available rate at a basic rate of 11 Mbps
• basic-12 – Configures the available rate at a basic rate of 12 Mbps
• basic-18 – Configures the available rate at a basic rate of 18 Mbps
• basic-24 – Configures the available rate at a basic rate of 24 Mbps
• basic-36 – Configures the available rate at a basic rate of 36 Mbps
• basic-48 – Configures the available rate at a basic rate of 48 Mbps
• basic-54 – Configures the available rate at a basic rate of 54 Mbps
• basic-mcs0-7 – Configures the MCS index range of 0-7 for basic rate
• mcs0-7 – Configures the MCS index range of 0-7 as the data rate
• mcs0-15 – Configures the MCS index range of 0-15 as the data rate
• mcs8-15 – Configures the MCS index range of 8-15 as the data rate
Multiple choices can be made from the above list of rates.

• data-rates 5GHz [a-only|an|default]

data-rates 5GHz – Configures the preset data rates for the 5.0 GHz frequency
a-only – Configures the data rate for the meshpoint using 802.11a only rates
an – Configures the data rate for the meshpoint using 802.11a and 802.11n rates
default – Configures the data rate for the meshpoint at a pre-configured default rate for this frequency
g-only – Configures the data rate for the meshpoint using 802.11g only rates
gn – Configures the data rate for the meshpoint using 802.11g and 802.11n rates

• data-rates 5GHz custom (12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)

data-rates 5GHz – Configures the preset data rates for the 5.0 GHz frequency
Define both minimum Basic and optimal Supported rates as required for 802.11a and 802.11n rates supported by the 5.0 GHz radio band. These are the rates at which wireless client traffic is supported within this mesh point.
If supporting 802.11n, select a supported MCS index. Set an MCS in respect to the radio's channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Mesh points can communicate as long as they support the same basic MCS (as well as non-802.11n basic rates). The selected rates apply to associated client traffic within this mesh point only.

custom (12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7) – Configures custom rates
• 6 – Configures the available rate at 6 Mbps
• 9 – Configures the available rate at 9 Mbps
• 12 – Configures the available rate at 12 Mbps
• 18 – Configures the available rate at 18 Mbps
• 24 – Configures the available rate at 24 Mbps
• 36 – Configures the available rate at 36 Mbps
• 48 – Configures the available rate at 48 Mbps
• 54 – Configures the available rate at 54 Mbps
• basic-1 – Configures the available rate at a basic rate of 1 Mbps
• basic-2 – Configures the available rate at a basic rate of 2 Mbps
• basic-5.5 – Configures the available rate at a basic rate of 5.5 Mbps
• basic-6 – Configures the available rate at a basic rate of 6 Mbps
• basic-9 – Configures the available rate at a basic rate of 9 Mbps
• basic-11 – Configures the available rate at a basic rate of 11 Mbps
• basic-12 – Configures the available rate at a basic rate of 12 Mbps
• basic-18 – Configures the available rate at a basic rate of 18 Mbps
• basic-24 – Configures the available rate at a basic rate of 24 Mbps
• basic-36 – Configures the available rate at a basic rate of 36 Mbps
• basic-48 – Configures the available rate at a basic rate of 48 Mbps
• basic-54 – Configures the available rate at a basic rate of 54 Mbps
• basic-mcs0-7 – Configures the MCS index range of 0-7 for basic rate
• mcs0-7 – Configures the MCS index range of 0-7 as the data rate
• mcs0-15 – Configures the MCS index range of 0-15 as the data rate
• mcs8-15 – Configures the MCS index range of 8-15 as the data rate
Multiple choices can be made from the above list of rates.

Example
rfs6000-37FABE(config-meshpoint-test)#data-rates 2.4GHz bgn
rfs6000-37FABE(config-meshpoint-test)#data-rates 5GHz an
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode none
 no root
rfs6000-37FABE(config-meshpoint-test)#

Related Commands
no – Resets data rates for each frequency band for this meshpoint

26.1.5 description

meshpoint-config-instance

Configures a brief description for this meshpoint. Use this command to describe this meshpoint and its features.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description <DESCRIPTION>

Parameters
• description <DESCRIPTION>

description – Configures a description for this meshpoint
<DESCRIPTION> – The text describing this meshpoint

Example
rfs6000-37FABE(config-meshpoint-test)#description "This is an example of a meshpoint description"
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid test
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode none
 no root
rfs6000-37FABE(config-meshpoint-test)#

Related Commands
no – Removes the human friendly description provided for this meshpoint

26.1.6 force

meshpoint-config-instance

Forces formation of sub-optimal paths through the meshpoint’s root node. In the legacy behavior, non-root devices under the same root communicated by forming direct paths through the network. This option allows non-root devices within the meshpoint to communicate by forming paths through the root node.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
force peer-paths-through-root

Parameters
• force peer-paths-through-root

force – Enables formation of sub-optimal paths through the meshpoint root node. This option is disabled by default.
peer-paths-through-root – Enables non-root devices to communicate by forming sub-optimal paths through the root node

Example
nx9500-6C8809(config-meshpoint-test)#force peer-paths-through-root
nx9500-6C8809(config-meshpoint-test)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 1
 security-mode none
 no root
 force peer-paths-through-root
nx9500-6C8809(config-meshpoint-test)#

Related Commands
no – Disables formation of sub-optimal paths through the meshpoint’s root node

26.1.7 meshid

meshpoint-config-instance

Configures a unique Service Set Identifier (SSID) for this meshpoint. This ID is used to uniquely identify this meshpoint.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
meshid <MESH-SSID>

Parameters
• meshid <MESH-SSID>

meshid – Configures a unique SSID for the meshpoint
<MESH-SSID> – The unique SSID configured for this meshpoint
Note: The mesh SSID is case sensitive and should not exceed 32 characters.

Example
rfs6000-37FABE(config-meshpoint-test)#meshid TestingMeshPoint
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode none
 no root
rfs6000-37FABE(config-meshpoint-test)#

Related Commands
no – Removes the SSID configured for this meshpoint

26.1.8 neighbor

meshpoint-config-instance

Configures the inactivity timeout value for neighboring devices. If a frame is not received from the neighbor device for the configured time, then client resources are removed.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
neighbor inactivity-timeout <60-86400>

Parameters
• neighbor inactivity-timeout <60-86400>

neighbor inactivity-timeout <60-86400> – Configures the neighbor inactivity timeout in seconds. This represents the allowed interval between frames received from a neighbor before its client privileges are revoked.
• <60-86400> – Specify a value from 60 - 86400 seconds. The default is 120 seconds.

Example
rfs6000-37FABE(config-meshpoint-test)#neighbor inactivity-timeout 300
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode none
 no root
rfs6000-37FABE(config-meshpoint-test)#

Related Commands
no – Removes the configured neighbor inactivity timeout value for this meshpoint

26.1.9 no

meshpoint-config-instance

Negates meshpoint commands or resets their values to default

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [allowed-vlans|beacon-format|control-vlan|description|force|meshid|root|security-mode|shutdown]
no data-rates [2.4GHz|5GHz]
no force peer-paths-through-root
no neighbor inactivity-timeout
no use [aaa-policy|meshpoint-qos-policy]
no wpa2 [eap|key-rotation|psk]
no wpa2 eap [auth-type|identity|peap-mschapv2|tls trustpoint]
no wpa2 key-rotation [broadcast|unicast]
no wpa2 psk
no service allow-ht-only

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Removes this meshpoint’s settings or reverts them to default, based on the parameters passed

Example
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 shutdown
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode psk
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
 root
rfs6000-37FABE(config-meshpoint-test)#
rfs6000-37FABE(config-meshpoint-test)#no allowed-vlans
rfs6000-37FABE(config-meshpoint-test)#no beacon-format
rfs6000-37FABE(config-meshpoint-test)#no control-vlan
rfs6000-37FABE(config-meshpoint-test)#no description
rfs6000-37FABE(config-meshpoint-test)#no meshid
rfs6000-37FABE(config-meshpoint-test)#no root
rfs6000-37FABE(config-meshpoint-test)#no security-mode
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 beacon-format mesh-point
 control-vlan 1
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode none
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
 no root
rfs6000-37FABE(config-meshpoint-test)#no data-rates 2.4GHz
rfs6000-37FABE(config-meshpoint-test)#no data-rates 5GHz
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 beacon-format mesh-point
 control-vlan 1
 neighbor inactivity-timeout 300
 security-mode none
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
 no root
rfs6000-37FABE(config-meshpoint-test)#

nx9500-6C8809(config-meshpoint-test)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 1
 security-mode none
 no root
 force peer-paths-through-root
nx9500-6C8809(config-meshpoint-test)#
nx9500-6C8809(config-meshpoint-test)#no force peer-paths-through-root
nx9500-6C8809(config-meshpoint-test)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 1
 security-mode none
 no root
nx9500-6C8809(config-meshpoint-test)#

26.1.10 root

meshpoint-config-instance

Configures this meshpoint as the root meshpoint. Root meshpoints are generally tied to an Ethernet backhaul for wired connectivity. By default this option is disabled.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
root

Parameters
None

Example
There are two ways of configuring root access points within a meshpoint.

1 First method:
• Configure two meshpoints, having the same meshid, one with the root option enabled and the other configured as no root.
• Apply the root meshpoint to the root access point and the no-root meshpoint to the non-root access points.

The following examples show the configuration of a meshpoint for the root access point:

rfs6000-37FABE(config)#meshpoint root
rfs6000-37FABE(config-meshpoint-root)#
rfs6000-37FABE(config-meshpoint-root)#meshid test
rfs6000-37FABE(config-meshpoint-root)#root
rfs6000-37FABE(config-meshpoint-root)#security-mode eap
rfs6000-37FABE(config-meshpoint-root)#commit
rfs6000-37FABE(config-meshpoint-root)#show context
meshpoint test-root
 meshid test
 beacon-format mesh-point
 control-vlan 1
 security-mode eap
 root
rfs6000-37FABE(config-meshpoint-root)#

The following examples show the configuration of a meshpoint for non-root access points:

rfs6000-37FABE(config)#meshpoint no-root
rfs6000-37FABE(config-meshpoint-no-root)#
rfs6000-37FABE(config-meshpoint-no-root)#meshid test
rfs6000-37FABE(config-meshpoint-no-root)#security-mode eap
rfs6000-37FABE(config-meshpoint-no-root)#show context
meshpoint no-root
 meshid test
 beacon-format mesh-point
 control-vlan 1
 security-mode eap
 no root
rfs6000-37FABE(config-meshpoint-no-root)#

2 Second method:
• Configure a no-root meshpoint and apply to all access points in the meshpoint.
• Log into the meshpoint-device > no-root configuration mode of the root access point and enable root.

rfs6000-37FABE(config-meshpoint-no-root)#show context
meshpoint no-root
 meshid test
 beacon-format mesh-point
 control-vlan 1
 security-mode eap
 no root
rfs6000-37FABE(config-meshpoint-no-root)#

rfs6000-37FABE(config)#ap81xx B4-C7-99-71-17-28
rfs6000-37FABE(config-device-B4-C7-99-71-17-28)#meshpoint-device no-root
rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#
rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#show context
 meshpoint no-root
 meshid test
 beacon-format mesh-point
 control-vlan 1
 security-mode eap
 no root
rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#
rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#root
rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#show context
 meshpoint no-root
 meshid test
 beacon-format mesh-point
 control-vlan 1
 security-mode eap
 root
rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#

Related Commands
no – Removes the configuration of this meshpoint as a root meshpoint

26.1.11 security-mode

meshpoint-config-instance

Configures the security mode for this meshpoint

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
security-mode [eap|none|psk]

Parameters
• security-mode [eap|none|psk]

security-mode – Configures the security mode for this meshpoint
eap – Uses 802.1X/EAP as the security mode. When using this option, use the wpa2 command to specify the EAP authentication type and related parameters.
none – No security is configured for this meshpoint
psk – Uses Pre Shared Key (PSK) as the security mode. When using this option, use the wpa2 command to enter a 64 character HEX or an 8-63 ASCII character passphrase used for authentication on the mesh point.

Example
The following example shows root meshpoint configuration with PSK authentication enabled:

rfs6000-37FABE(config-meshpoint-test)#security-mode psk
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode psk
 root
rfs6000-37FABE(config-meshpoint-test)#

The following example shows root meshpoint configuration with EAP authentication enabled:

rfs6000-37FABE(config-meshpoint-root)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 use aaa-policy test
 security-mode eap
 root
rfs6000-37FABE(config-meshpoint-test)#

Related Commands
no – Resets the security configuration for this meshpoint to “none”. This indicates that no security is configured for this meshpoint.

26.1.12 service

meshpoint-config-instance

Use this command to allow only those neighbors who are capable of 802.11n data rates to associate with this meshpoint.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
service [allow-ht-only|show cli]

Parameters
• service [allow-ht-only|show cli]

service allow-ht-only – Allows only those neighbors who are capable of high throughput data rates (802.11n data rates) to associate with the meshpoint
service show cli – Displays running system configuration

Example
rfs6000-37FABE(config-meshpoint-test)#service allow-ht-only
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 shutdown
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode psk
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
 root
 service allow-ht-only
rfs6000-37FABE(config-meshpoint-test)#

Related Commands
no – Removes the restriction that only 802.11n capable neighbor devices can associate with this meshpoint
service – Invokes service commands to troubleshoot or debug

26.1.13 shutdown

meshpoint-config-instance

Shuts down this meshpoint. Use this command to prevent an AP from participating in a mesh network.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
shutdown

Parameters
None

Example
rfs6000-37FABE(config-meshpoint-test)#shutdown
rfs6000-37FABE(config)

Related Commands
no – Enables an AP as a meshpoint

26.1.14 use

meshpoint-config-instance

Uses a Quality of Service (QoS) policy defined specifically for meshpoints. To use this QoS policy, it must be defined. To define a meshpoint QoS policy, see meshpoint-qos-policy-config-instance.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [aaa-policy <AAA-POLICY-NAME>|meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>]

Parameters
• use [aaa-policy <AAA-POLICY-NAME>|meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>]

use meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME> – Configures this meshpoint to use a predefined meshpoint QoS policy
• <MESHPOINT-QOS-POLICY-NAME> – Specify the meshpoint QoS policy name (should be existing and configured).
use aaa-policy <AAA-POLICY-NAME> – Configures this meshpoint to use a predefined aaa-policy
• <AAA-POLICY-NAME> – Specify the aaa-policy name (should be existing and configured).

Example
rfs6000-37FABE(config-meshpoint-test)#use meshpoint-qos-policy test
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 shutdown
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode psk
 root
 use meshpoint-qos-policy test
rfs6000-37FABE(config-meshpoint-test)#

Related Commands
no – Removes the meshpoint QoS policy associated with this meshpoint
meshpoint-qos-policy-config-instance – Creates and configures a meshpoint QoS policy

26.1.15 wpa2

meshpoint-config-instance

Use this command to configure the parameters of the authentication mode specified using the ‘security-mode’ keyword. This command also allows you to set a unicast and broadcast key rotation interval.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wpa2 [eap|psk|key-rotation]
wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa2 psk [0 <SECRET>|2 <SECRET>|<SECRET>]
wpa2 eap [auth-type|identity|peap-mschapv2|tls]
wpa2 eap [auth-type [peap-mschapv2|tls]|identity <WORD>]
wpa2 eap peap-mschapv2 user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] {trustpoint <TRUSTPOINT-NAME>}
wpa2 eap tls trustpoint <TRUSTPOINT-NAME>

Parameters
• wpa2 key-rotation [broadcast|unicast] <30-86400>

wpa2 key-rotation – Enables periodic rotation of encryption keys used for broadcast and unicast traffic
broadcast – Configures key rotation interval for broadcast and multicast traffic. This option is disabled by default.
When enabled, the key indices used for encrypting/decrypting broadcast traffic are alternately rotated based on the defined interval. Key rotation enhances the broadcast traffic security on the WLAN.
unicast – Configures key rotation interval for unicast traffic. This option is disabled by default.
<30-86400> – Configures key rotation interval from 30 - 86400 seconds for unicast or broadcast transmission

• wpa2 psk [0 <SECRET>|2 <SECRET>|<SECRET>]

wpa2 psk – Configures the shared key for authentication mode PSK. If the security mode is set as ‘psk’ using the ‘security-mode’ keyword, use this command to configure the pre-shared key.
secret [0 <SECRET>|2 <SECRET>|<SECRET>] – Configures the PSK used to authenticate this meshpoint with other meshpoints in the network
• 0 <SECRET> – Configures a clear text secret
• 2 <SECRET> – Configures an encrypted secret
• <SECRET> – Specify the secret key. The pre-shared key can be in ASCII (8 to 63 characters in length) or Hexadecimal (not exceeding 64 characters in length) formats.

• wpa2 eap [auth-type [peap-mschapv2|tls]|identity <WORD>]

wpa2 eap – Configures the 802.1X/EAP based authentication type for this meshpoint. If the security mode is set as ‘eap’ using the ‘security-mode’ keyword, use this command to specify the EAP type. The options are: peap-mschapv2 and tls.
auth-type [peap-mschapv2|tls] – Specifies the EAP authentication type. The options are:
• peap-mschapv2 – Configures EAP authentication type as Protected Extensible Authentication Protocol (PEAP) with default auth type MSCHAPv2. This is the default setting. If using auth-type as ‘peap-mschapv2’, use the ‘peap-mschapv2’ keyword to configure user credentials and trustpoint details.
• tls – Configures EAP authentication type as Transport Layer Security (TLS). If using auth-type as ‘tls’, use the ‘tls’ keyword to configure trustpoint details.
Note: The certificate should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the authentication server prior to forwarding credentials.
identity <WORD> – Configures the identity to be used during phase 1 authentication
• <WORD> – Enter a string up to 256 characters in length (this should not be the actual identity of the user but some anonymous/bogus username)

• wpa2 eap peap-mschapv2 user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] {trustpoint <TRUSTPOINT-NAME>}

wpa2 eap peap-mschapv2 – Configures PEAP-related user credentials and trustpoint details
user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] – Specify the user credentials used for authentication
• user <USER-NAME> – Specify the user name.
• password [0 <WORD>|2 <WORD>|<WORD>] – Specify the password associated with the specified user.
trustpoint <TRUSTPOINT-NAME> – Optional. Associates a trustpoint used for installing the CA certificate and verifying the server certificate
• <TRUSTPOINT-NAME> – Specify the trustpoint name (should be existing and configured).

• wpa2 eap tls trustpoint <TRUSTPOINT-NAME>

wpa2 eap tls – Configures TLS client related parameters
trustpoint <TRUSTPOINT-NAME> – Configures trustpoint details
• trustpoint <TRUSTPOINT-NAME> – Assigns a trustpoint to be used for installing the TLS client certificate, client private key, and CA certificate
• <TRUSTPOINT-NAME> – Specify the trustpoint name (should be existing and configured)

Example
rfs6000-37FABE(config-meshpoint-test)#wpa2 key-rotation broadcast 600
rfs6000-37FABE(config-meshpoint-test)#wpa2 key-rotation unicast 1200
rfs6000-37FABE(config-meshpoint-test)#wpa2 psk Test Company
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 shutdown
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode psk
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
 root
rfs6000-37FABE(config-meshpoint-test)#

The following example shows root meshpoint configuration with EAP authentication enabled:

rfs6000-37FABE(config-meshpoint-root)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 use aaa-policy test
 security-mode eap
 root
rfs6000-37FABE(config-meshpoint-test)#

The following example shows non-root meshpoint configuration with EAP PEAP-MSCHAPv2 authentication:

rfs6000-37FABE(config-meshpoint-testNoRoot)#show context
meshpoint testNoRoot
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 security-mode eap
 wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
 wpa2 eap identity tester123
 no root
rfs6000-37FABE(config-meshpoint-testNoRoot)#

The following example shows non-root meshpoint configuration with EAP TLS authentication:

rfs6000-37FABE(config-meshpoint-testNoRoot)#show context
meshpoint testNoRoot
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 security-mode eap
 wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
 wpa2 eap tls trustpoint mesh1
 wpa2 eap identity tester123
 no root
rfs6000-37FABE(config-meshpoint-testNoRoot)#

Related Commands
no – Resets PSK configuration and key rotation duration
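
Added example (not part of the Extreme Networks guide): a Python check that reads one meshpoint `show context` block in the format shown above and flags the security-relevant states this chapter documents, such as security-mode none, a type 0 (clear text) PSK or PEAP password, secrets left in the configuration after `no security-mode`, key rotation left disabled, PEAP without a trustpoint, and a phase 1 identity equal to the real user name. The function names and finding codes are hypothetical, and treating a missing security-mode line as none is an assumption.

```python
import re

# Sample `show context` blocks taken from the examples on this page
# (lines unrelated to security trimmed).
PSK_CONTEXT = """\
meshpoint test
 security-mode psk
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
 root
"""
STALE_CONTEXT = """\
meshpoint test
 security-mode none
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
 no root
"""
EAP_CONTEXT = """\
meshpoint testNoRoot
 security-mode eap
 wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
 wpa2 eap identity tester123
 no root
"""


def parse_meshpoint(text):
    """Return (name, settings) for one 'meshpoint <NAME>' block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("meshpoint "):
        raise ValueError("expected a block starting with 'meshpoint <NAME>'")
    return lines[0].split(None, 1)[1], lines[1:]


def _value(settings, prefix):
    """Text following the first setting that starts with prefix, else None."""
    return next((s[len(prefix):].strip() for s in settings if s.startswith(prefix)), None)


def valid_psk(secret):
    """Length rule from the wpa2 psk description: 8-63 ASCII or 64 hex characters."""
    if re.fullmatch(r"[0-9A-Fa-f]{64}", secret):
        return True
    return 8 <= len(secret) <= 63 and secret.isascii() and secret.isprintable()


def audit(text):
    """Return hypothetical finding codes (not WiNG identifiers) for one block."""
    _, settings = parse_meshpoint(text)
    found = []
    # Assumption: a block with no security-mode line is treated as 'none'.
    mode = _value(settings, "security-mode ") or "none"
    psk = _value(settings, "wpa2 psk ")
    eap = [s.split() for s in settings if s.startswith("wpa2 eap ")]
    if mode == "none":
        found.append("NO-SECURITY")            # no security is configured
        if psk is not None or eap:
            found.append("STALE-CREDENTIAL")   # secrets remain although unused
    if psk is None and mode == "psk":
        found.append("PSK-MISSING")            # psk mode without a key
    elif psk is not None:
        m = re.match(r"([02])\s+(.+)", psk)
        kind, secret = m.groups() if m else (None, psk)
        if kind == "0":
            found.append("PSK-CLEARTEXT")      # type 0 = clear text secret
        if kind != "2" and not valid_psk(secret):  # type 2 is stored encrypted
            found.append("PSK-FORMAT")
    if mode in ("psk", "eap"):
        rot = [_value(settings, f"wpa2 key-rotation {k} ") for k in ("unicast", "broadcast")]
        if None in rot:
            found.append("NO-KEY-ROTATION")    # rotation is disabled by default
        if any(r is not None and not (r.isdigit() and 30 <= int(r) <= 86400) for r in rot):
            found.append("BAD-KEY-ROTATION")   # outside <30-86400>
    user = identity = None
    for tok in eap:
        if tok[2] == "peap-mschapv2":
            if "user" in tok[3:-1]:
                user = tok[tok.index("user", 3) + 1]
            if "password" in tok[3:-1] and tok[tok.index("password", 3) + 1] == "0":
                found.append("EAP-PASSWORD-CLEARTEXT")
            if "trustpoint" not in tok:
                found.append("PEAP-NO-TRUSTPOINT")  # server certificate not verified
        elif tok[2] == "identity" and len(tok) > 3:
            identity = tok[3]
    if user is not None and user == identity:
        found.append("IDENTITY-REVEALS-USER")  # identity should be anonymous
    return found


if __name__ == "__main__":
    for block in (PSK_CONTEXT, STALE_CONTEXT, EAP_CONTEXT):
        name, _ = parse_meshpoint(block)
        print(name, audit(block) or "no findings")
```
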
26.2 meshpoint-qos-policy-config-instance

Mesh QoS provides a data traffic prioritization scheme. QoS reduces congestion from excessive traffic. If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value. QoS provides policy enforcement for mission-critical applications and/or users that have critical bandwidth requirements when bandwidth is shared by different users and applications.

Mesh QoS helps ensure each mesh point on the mesh network receives a fair share of the overall bandwidth, either equally or as per the proportion configured. Packets directed towards clients are classified into categories such as video, voice and data. Packets within each category are processed based on the weights defined for each mesh point.

To create a meshpoint, see meshpoint-config-instance. A meshpoint QoS policy is created from the (config) instance. To create a meshpoint QoS policy use the following command:

<DEVICE>(config)#meshpoint-qos-policy <POLICYNAME>

rfs6000-37FABE(config)#meshpoint-qos-policy test
rfs6000-37FABE(config-meshpoint-qos-test)#
rfs6000-37FABE(config-meshpoint-qos-test)#?
Mesh Point QoS Mode commands:
  accelerated-multicast  Configure accelerated multicast streams address and
                         forwarding QoS classification
  no                     Negate a command or set its defaults
  rate-limit             Configure traffic rate-limiting parameters on a
                         per-meshpoint/per-neighbor basis
  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal
rfs6000-37FABE(config-meshpoint-qos-test)#

The following table summarizes the meshpoint-qos-policy configuration commands:

Table 26.2 Meshpoint-QoS-Policy Config Commands

Command                 Description
accelerated-multicast   Configures accelerated multicast parameters
no                      Negates a command or reverts settings to their default
rate-limit              Configures the rate limits for this QoS policy
26.2.1 accelerated-multicast

Configures the accelerated multicast stream’s address and forwarding QoS classification

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

accelerated-multicast [<MULTICAST-IP>|autodetect] {classification [background|best-effort|trust|video|voice]}

Parameters

• accelerated-multicast [<MULTICAST-IP>|autodetect] {classification [background|best-effort|trust|video|voice]}

NOTE: For the accelerated multicast feature to work, IGMP querier must be enabled. When a user joins a multicast stream, an entry is created in the device’s (AP or wireless controller) snoop table and the entry is set to expire after a set time period. Multicast packets are forwarded to the appropriate wireless LAN or mesh until this entry is available in the snoop table. Snoop querier keeps the snoop table current by updating entries that are set to expire. It also keeps an entry for each multicast stream till there are users registered for the stream.

accelerated-multicast
Configures the accelerated multicast stream address and forwarding QoS classification

<MULTICAST-IP>
Specify a list of multicast addresses and classifications. Packets are accelerated when the destination address matches.

autodetect
Lets the system automatically detect multicast streams to be accelerated
This option allows the administrator to convert multicast packets to unicast in order to provide better overall airtime utilization and performance. The system can be configured to automatically detect multicast streams and convert them to unicast, or specify which multicast streams are to be converted to unicast. When the stream is converted and being queued up for transmission, there are a number of classification mechanisms applied to the stream and the administrator can select what type of classification they would want. Classification types are trust, voice, video, best effort, and background.

classification
Optional. Defines the QoS classification to apply to a multicast stream. The following options are available:
• background
• best effort
• trust
• video
• voice
Example

rfs6000-37FABE(config-meshpoint-qos-test)#accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#

Related Commands

no
Resets accelerated multicast configurations for this meshpoint QoS policy
26.2.2 no

Negates the commands for meshpoint QoS policy or resets their values to their default

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [accelerated-multicast|rate-limit]
no accelerated-multicast [<MULTICAST-IP>|autodetect]
no rate-limit [meshpoint|neighbor] [from-air|to-air] {max-burst-size|rate}
no rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background|best-effort|video|voice]}

Parameters

• no <PARAMETERS>

no <PARAMETERS>
Removes or reverts this meshpoint QoS policy settings to default based on the parameters passed

Example

rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 rate-limit meshpoint from-air rate 80000
 rate-limit meshpoint from-air red-threshold video 80
 rate-limit meshpoint from-air red-threshold voice 70
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#no rate-limit meshpoint from-air rate
rfs6000-37FABE(config-meshpoint-qos-test)#no rate-limit meshpoint from-air red-threshold video 80
rfs6000-37FABE(config-meshpoint-qos-test)#no rate-limit meshpoint from-air red-threshold voice 70
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#
26.2.3 rate-limit

Configures the rate limiting of traffic on a per meshpoint or per neighbor basis

Excessive traffic can cause performance issues or bring down the network entirely. Excessive traffic, bombardments and interference are caused by numerous sources, such as network loops, faulty devices, or malicious software (such as a worm or virus) that has infected one or more branch-level devices. Rate limiting limits the maximum rate sent to or received from the wireless network (and meshpoint) per neighbor. It prevents any single user from overwhelming the wireless network. It also provides differential service for service providers. An administrator can set separate QoS rate limit configurations for data transmitted from the network and data transmitted from a mesh point's neighbor.

Before defining rate limit thresholds for meshpoint transmit and receive traffic, it is recommended that you define the normal number of ARP, broadcast, multicast, and unknown unicast packets that typically transmit and receive from each supported WMM access category. If thresholds are defined too low, normal network traffic (required by end-user devices) is dropped, resulting in intermittent outages and performance problems.

A connected neighbor can also have QoS rate limit settings defined in both the transmit and receive direction.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS6000
• Service Platforms — NX6524, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

rate-limit [meshpoint|neighbor]
rate-limit [meshpoint|neighbor] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}
rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

Parameters

• rate-limit [meshpoint|neighbor] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}

meshpoint
Configures rate limit parameters for all data received from any meshpoint in the mesh network. This option is disabled by default.

neighbor
Configures rate limit parameters for neighboring meshpoint devices. Enables rate limiting for data transmitted from the client to its associated access point radio and connected controller. This option is disabled by default.

from-air
Configures rate limits for traffic from the wireless neighbor to the network.

to-air
Configures rate limits for traffic from the network to the wireless neighbor.
max-burst-size <2-1024>
Optional. Configures the maximum burst size in kilobytes.
• <2-1024> – Set a value from 2 - 1024 kbytes.
For a meshpoint: The smaller the burst, the less likely that the transmit packet transmission results in congestion for the meshpoint's client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should then add a 10% margin (minimally) to allow for traffic bursts at the site. The default burst size is 320 kbytes.
For a neighbor: The smaller the burst, the less likely the transmit packet transmission will result in congestion for the wireless client. The default burst size is 64 kbytes.

rate <50-1000000>
Optional. Defines a receive or transmit rate limit in kilobytes per second
• <50-1000000> – Set a value from 50 - 1000000 kbps.
For a meshpoint: This limit constitutes a threshold for the maximum number of packets transmitted or received over the meshpoint (from all access categories). Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps.
For a neighbor: This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic that exceeds the defined rate is dropped by the client and a log message is generated. The default rate is 1,000 kbps.

• rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

meshpoint
Configures rate limit parameters for a meshpoint

neighbor
Configures rate limit parameters for neighboring meshpoint devices

from-air
Configures rate limits for traffic from the wireless neighbor to the network

to-air
Configures rate limit value for traffic from the network to the wireless neighbor

red-threshold
Optional. Configures random early detection threshold (RED threshold) for traffic class

background <0-100>
The following keyword is applicable to the ‘from-air’ and ‘to-air’ traffics.
• background <0-100> – Configures the threshold for low priority (background) traffic
• <0-100> – Specify a value from 0 - 100.
For a meshpoint: This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped and a log message is generated. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.
For a neighbor: This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 50%.

best-effort <0-100>
The following keyword is applicable to the ‘from-air’ and ‘to-air’ traffics.
• best-effort <0-100> – Configures the threshold for best effort traffic
• <0-100> – Specify a value from 0 - 100.
For a meshpoint: This is a percentage of the maximum burst size for normal priority traffic. Best effort traffic exceeding the defined threshold is dropped and a log message is generated. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.
For a neighbor: This is a percentage of the maximum burst size for normal traffic. Best effort traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 50%.

video <0-100>
The following keyword is applicable to the ‘from-air’ and ‘to-air’ traffics.
• video <0-100> – Configures the threshold for video traffic
• <0-100> – Specify a value from 0 - 100.
For a meshpoint: This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped and a log message is generated. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 25%.
For a neighbor: This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 25%.

voice <0-100>
The following keyword is applicable to the ‘from-air’ and ‘to-air’ traffics.
• voice <0-100> – Configures the threshold for voice traffic
• <0-100> – Specify a value from 0 - 100.
For a meshpoint: This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped and a log message is generated. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default threshold is 0%.
For a neighbor: This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 0% and implies no early random drops will occur.

Example

rfs6000-37FABE(config-meshpoint-qos-test)#rate-limit meshpoint from-air max-burst-size 800
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 rate-limit meshpoint from-air max-burst-size 800
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#rate-limit meshpoint from-air rate 80000
rfs6000-37FABE(config-meshpoint-qos-test)#rate-limit meshpoint from-air red-threshold video 80
rfs6000-37FABE(config-meshpoint-qos-test)#rate-limit meshpoint from-air red-threshold voice 70
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 rate-limit meshpoint from-air rate 80000
 rate-limit meshpoint from-air max-burst-size 800
 rate-limit meshpoint from-air red-threshold video 80
 rate-limit meshpoint from-air red-threshold voice 70
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#

Related Commands

no
Resets traffic rate limit settings for this meshpoint QoS policy
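Because unset rate-limit values silently keep their defaults, it helps to resolve the effective policy before committing it. The following is an added example, not part of the Extreme Networks guide: it reads the rate-limit lines of a saved meshpoint QoS policy, validates them against the ranges in the Syntax section, fills in the defaults quoted in the parameter descriptions, converts RED thresholds from percentages of the burst size to kbytes, and checks the configured rate against a measured baseline plus the recommended 10% margin. It assumes that any rate-limit line for a scope and direction enables limiting there; the function names and baseline figures are constructed.

```python
import re

# Ranges from the Syntax section; defaults from the parameter descriptions.
RANGES = {"max-burst-size": (2, 1024), "rate": (50, 1000000)}
DEFAULTS = {
    "meshpoint": {"max-burst-size": 320, "rate": 5000},
    "neighbor": {"max-burst-size": 64, "rate": 1000},
}
RED_DEFAULTS = {"background": 50, "best-effort": 50, "video": 25, "voice": 0}

LINE_RE = re.compile(
    r"^rate-limit (meshpoint|neighbor) (from-air|to-air)"
    r"(?: (max-burst-size|rate) (\d+)"
    r"| red-threshold (background|best-effort|video|voice) (\d+))?$")

# Constructed sample: the final 'show context' output from the example above.
SAMPLE_POLICY = """\
meshpoint-qos-policy test
 rate-limit meshpoint from-air rate 80000
 rate-limit meshpoint from-air max-burst-size 800
 rate-limit meshpoint from-air red-threshold video 80
 rate-limit meshpoint from-air red-threshold voice 70
 accelerated-multicast 224.0.0.1 classification video
"""


def effective_limits(show_context):
    """Return ({(scope, direction): settings}, [errors]) for one QoS policy."""
    policy, errors = {}, []
    for raw in show_context.splitlines():
        line = raw.strip()
        if not line.startswith("rate-limit"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"unparsed: {line}")
            continue
        scope, direction, key, value, red_class, red_value = m.groups()
        # Assumption: the first line seen for a scope/direction enables limiting
        # there, with documented defaults for everything not set explicitly.
        cfg = policy.setdefault(
            (scope, direction), {**DEFAULTS[scope], "red": dict(RED_DEFAULTS)})
        if key:
            lo, hi = RANGES[key]
            if lo <= int(value) <= hi:
                cfg[key] = int(value)
            else:
                errors.append(f"{key} {value} outside {lo}-{hi}: {line}")
        elif red_class:
            if 0 <= int(red_value) <= 100:
                cfg["red"][red_class] = int(red_value)
            else:
                errors.append(f"red-threshold {red_value} outside 0-100: {line}")
    return policy, errors


def red_kbytes(cfg):
    """RED thresholds are percentages of max-burst-size; convert to kbytes."""
    return {cls: cfg["max-burst-size"] * pct / 100
            for cls, pct in cfg["red"].items()}


def headroom_ok(cfg, baseline_rate, margin_pct=10):
    """True when the configured rate covers the baseline plus the margin."""
    return cfg["rate"] * 100 >= baseline_rate * (100 + margin_pct)


if __name__ == "__main__":
    policy, errors = effective_limits(SAMPLE_POLICY)
    for (scope, direction), cfg in policy.items():
        print(scope, direction, cfg["rate"], cfg["max-burst-size"], red_kbytes(cfg))
    print("errors:", errors)
```

For the sample policy, background and best-effort traffic keep the 50% default, which at a burst size of 800 kbytes is 400 kbytes, even though only video and voice were configured.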
26.3 meshpoint-device-config-instance

The following table lists the meshpoint device configuration commands:

Table 26.3 Other meshpoint-related commands

Command                     Description
meshpoint-device            Configures an access point as a meshpoint device and enters its configuration mode
meshpoint-device-commands   Invokes the meshpoint-device configuration commands
26.3.1 meshpoint-device

This command configures an access point to use a defined meshpoint. To configure this feature use one of the following options:
• navigate to the device profile config context (used when configuring access point profile on a controller)
• navigate to the device’s config context using the self command (used when configuring a logged on access point)

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax

meshpoint-device <MESHPOINT-NAME>

Parameters

• meshpoint-device <MESHPOINT-NAME>

meshpoint-device
Configures the AP as a meshpoint device and sets its parameters

<MESHPOINT-NAME>
The meshpoint to configure the AP with (should be existing and configured)

Example

rfs6000-37FABE(config)#profile ap71xx AP71XXTestProfile
rfs6000-37FABE(config-profile-AP71XXTestProfile)#meshpoint-device test
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#?
Mesh Point Device Mode commands:
  acs          Configure auto channel selection parameters
  exclude      Exclude neighboring Mesh Devices
  hysteresis   Configure path selection SNR hysteresis values
  monitor      Event Monitoring
  no           Negate a command or set its defaults
  path-method  Path selection method used to find a root node
  preferred    Configure preferred path parameters
  root         Set this meshpoint as root
  root-select  Root selection method parameters
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#meshpoint-device test
ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#?
Mesh Point Device Mode commands:
  acs          Configure auto channel selection parameters
  exclude      Exclude neighboring Mesh Devices
  hysteresis   Configure path selection SNR hysteresis values
  monitor      Event Monitoring
  no           Negate a command or set its defaults
  path-method  Path selection method used to find a root node
  preferred    Configure preferred path parameters
  root         Set this meshpoint as root
  root-select  Root selection method parameters
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#?
26.3.2 meshpoint-device-commands

The following table lists the meshpoint-device configuration mode commands:

Table 26.4 Meshpoint-Device Config Commands

Command       Description
acs           Enables Automatic Channel Selection (ACS) on this meshpoint device (access point)
exclude       Excludes neighboring mesh devices
hysteresis    Configures path selection SNR hysteresis values on this meshpoint-device (access point)
monitor       Enables monitoring of critical resource and primary port links on a meshpoint device
path-method   Configures the method used to select the path to the root node in a mesh network
preferred     Configures the preferred path parameters for a meshpoint device
root          Configures a meshpoint device as the root meshpoint
root-select   Configures this meshpoint device as the cost root
no            Negates the commands for a meshpoint device or resets values to default
26.3.2.1 acs

Enables Automatic Channel Selection (ACS) on this meshpoint device (access point). When enabled, this feature automatically selects the best channel for a meshpoint-device radio based on the device configuration, channel conditions, and network layout.

In a wireless network deployment, it is advantageous for network devices to have the ability to operate in multiple channels and not be limited to only a single channel. Multiple channels increase the bandwidth and throughput of the wireless network. In such a scenario, each network device must have a mechanism to dynamically select a suitable channel of operation. ACS provides the required mechanism for a MCX enabled device.

Use this command to configure the ACS settings and override the default meshpoint configurations.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax

acs [channel-hold-time|channel-switch-delta|channel-width|ocs-duration|ocs-frequency|path-min|path-threshold|preferred-interface-tolerance-period|preferred-radio-interface|priority-meshpoint|sample-count|snr-delta|signal-threshold|tolerance-period]
acs channel-hold-time [2.4GHz|5GHz] <0-86400>
acs channel-switch-delta [2.4GHz|5GHz] <5-35>
acs channel-width [2.4GHz|5GHz] [20MHz|40MHz|80MHz|auto]
acs ocs-duration [2.4GHz|5GHz] <20-250>
acs ocs-frequency [2.4GHz|5GHz] <1-60>
acs path-min [2.4GHz|5GHz] <100-20000>
acs path-threshold [2.4GHz|5GHz] <800-65535>
acs preferred-interface-tolerance-period [2.4GHz|5GHz] <10-600>
acs preferred-radio-interface [2.4GHz|5GHz] <0-2>
acs priority-meshpoint [2.4GHz|5GHz] <MESHPOINT-NAME>
acs sample-count [2.4GHz|5GHz] <1-10>
acs snr-delta [2.4GHz|5GHz] <1-100>
acs signal-threshold [2.4GHz|5GHz] <-100-0>
acs tolerance-period [2.4GHz|5GHz] <10-600>

Parameters

• acs channel-hold-time [2.4GHz|5GHz] <0-86400>

acs
Configures ACS settings and overrides on the selected meshpoint-device
channel-hold-time [2.4GHz|5GHz] <0-86400>
Configures the minimum time, in seconds, before a periodic scan, to assess channel conditions for a meshpoint root, is triggered.
• 2.4GHz – Configures the channel hold interval for the 2.4GHz radio band
• 5.0GHz – Configures the channel hold interval for the 5.0GHz radio band
The following keyword is common to the ‘2.4GHz’ and ‘5.0GHz’ bands:
• <0-86400> – Specify a value from 0 - 86400 seconds. The default is 1800 seconds.
A value of ‘0’ disables periodic channel assessment.

• acs channel-switch-delta [2.4GHz|5GHz] <5-35>

acs
Configures ACS settings and overrides on the selected meshpoint-device

channel-switch-delta [2.4GHz|5GHz] <5-35>
Configures the difference in interference between the current and best channel needed to trigger a channel change. Once the difference in the current channel and the best channel interference equals the configured value, a channel change is triggered.
• 2.4GHz – Configures the channel switch delta for the 2.4GHz radio band
• 5.0GHz – Configures the channel switch delta for the 5.0GHz radio band
The following keyword is common to the ‘2.4GHz’ and ‘5.0GHz’ bands:
• <5-35> – Specify a value from 5 - 35 dBm. The default is 10 dBm.

• acs channel-width [2.4GHz|5GHz] [20MHz|40MHz|80MHz|auto]

acs
Configures ACS settings and overrides on the selected meshpoint-device

channel-width [2.4GHz|5GHz] [20MHz|40MHz|80MHz|auto]
Configures the channel width that meshpoint auto channel selection assigns to the radio
• 2.4 GHz – Configures the operating channel width for the 2.4 GHz radio band
• 5.0 GHz – Configures the operating channel width for the 5.0 GHz radio band
The following keywords are common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• 20 MHz – Assigns the 20 MHz channel width to the radio
• 40 MHz – Assigns the 40 MHz channel width to the radio
• 80 MHz – Assigns the 80 MHz channel width to the radio
• auto – Selects and assigns the best possible channel from the 20/40/80 MHz width. This is the default setting.

• acs ocs-duration [2.4GHz|5GHz] <20-250>

acs
Configures ACS settings and overrides on the selected meshpoint-device

ocs-duration [2.4GHz|5GHz] <20-250>
Configures the duration, in milliseconds, of off-channel scans (OCSs)
• 2.4 GHz – Configures the ocs-duration for the 2.4 GHz radio band
• 5.0 GHz – Configures the ocs-duration for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <20-250> – Specify a value from 20 - 250 milliseconds. The default value is 50 milliseconds.

• acs ocs-frequency [2.4GHz|5GHz] <1-60>

acs
Configures ACS settings and overrides on the selected meshpoint-device
ocs-frequency [2.4GHz|5GHz] <1-60>
Configures the interval, in seconds, at which off-channel scan is performed. An ocs-frequency of 10 seconds means that an off-channel scan will be performed once every 10 seconds.
• 2.4 GHz – Configures the ocs-frequency for the 2.4 GHz radio band
• 5.0 GHz – Configures the ocs-frequency for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <1-60> – Specify a value from 1 - 60 seconds. The default is 6 seconds.

• acs path-min [2.4GHz|5GHz] <100-20000>

acs
Configures ACS settings and overrides on the selected meshpoint-device

path-min [2.4GHz|5GHz] <100-20000>
Configures the minimum root path metric needed for auto channel selection. This is the acceptance root path metric value to consider a root as a possible candidate mesh node.
• 2.4 GHz – Configures the minimum root path metric for the 2.4 GHz radio band
• 5.0 GHz – Configures the minimum root path metric for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <100-20000> – Specify a value from 100 - 20000. The default is 1000.

• acs path-threshold [2.4GHz|5GHz] <800-65535>

acs
Configures ACS settings and overrides on the selected meshpoint-device

path-threshold [2.4GHz|5GHz] <800-65535>
Configures the root path metric threshold for auto channel selection. This is the acceptance root path metric threshold beyond which the root bound to is considered as bad.
• 2.4 GHz – Configures the root path metric threshold for the 2.4 GHz radio band
• 5.0 GHz – Configures the root path metric threshold for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <800-65535> – Specify a value from 800 - 65535. The default is 1500.

• acs preferred-interface-tolerance-period [2.4GHz|5GHz] <10-600>

acs
Configures ACS settings and overrides on the selected meshpoint-device

preferred-interface-tolerance-period [2.4GHz|5GHz] <10-600>
Configures the maximum tolerance period, in seconds, for low root metrics on the preferred interface. This is the duration to wait before triggering an automatic channel selection for the next mesh-hop on the preferred interface.
• 2.4 GHz – Configures the maximum tolerance period for the 2.4 GHz radio band
• 5.0 GHz – Configures the maximum tolerance period for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <10-600> – Specify a value from 10 - 600 seconds.

• acs preferred-radio-interface [2.4GHz|5GHz] <0-2>

acs
Configures ACS settings and overrides on the selected meshpoint-device
preferred-radio-interface [2.4GHz|5GHz] <0-2>
Configures the preferred radio interface on dual band APs
• 2.4 GHz – Configures the preferred radio interface for the 2.4 GHz radio band
• 5.0 GHz – Configures the preferred radio interface for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <0-2> – Specify a value from 0 - 2. A value of 0 (zero) indicates no preferred radio.

• acs priority-meshpoint [2.4GHz|5GHz] <MESHPOINT-NAME>

acs
Configures ACS settings and overrides on the selected meshpoint-device

priority-meshpoint [2.4GHz|5GHz] <MESHPOINT-NAME>
Configures the priority meshpoint. Configuring a priority meshpoint overrides automatic meshpoint configuration.
• 2.4 GHz – Configures the priority meshpoint for the 2.4 GHz radio band
• 5.0 GHz – Configures the priority meshpoint for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <MESHPOINT-NAME> – Specify the meshpoint name for the selected radio band.

• acs sample-count [2.4GHz|5GHz] <1-10>

acs
Configures ACS settings and overrides on the selected meshpoint-device

sample-count [2.4GHz|5GHz] <1-10>
Configures the minimum number of scan cycle samples to consider for auto channel selection
• 2.4 GHz – Configures the sample count for the 2.4 GHz radio band
• 5.0 GHz – Configures the sample count for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <1-10> – Specify a value from 1 - 10. The default is 5 samples.

• acs snr-delta [2.4GHz|5GHz] <1-100>

acs
Configures ACS settings and overrides on the selected meshpoint-device

snr-delta [2.4GHz|5GHz] <1-100>
Configures the channel SNR delta. A meshpoint on a candidate channel must have a SNR of a greater delta than the next hop on the current channel.
• 2.4 GHz – Configures the snr-delta for the 2.4 GHz radio band
• 5.0 GHz – Configures the snr-delta for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <1-100> – Specify a value from 1 - 100 dB. The default is 5 dB.

• acs signal-threshold [2.4GHz|5GHz] <-100-0>

acs
Configures ACS settings and overrides on the selected meshpoint-device

signal-threshold [2.4GHz|5GHz] <-100-0>
Configures the signal strength threshold. If the signal strength of the next hop drops below the configured signal-threshold, a scan is triggered.
• 2.4 GHz – Configures the signal-threshold for the 2.4 GHz radio band
• 5.0 GHz – Configures the signal-threshold for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <-100-0> – Specify a value from -100 - 0 dB. The default is -65 dB.
• acs tolerance-period [2.4GHz|5GHz] <10-600>

acs
Configures ACS settings and overrides on the selected meshpoint-device

tolerance-period [2.4GHz|5GHz] <10-600>
Configures the maximum tolerance period in seconds. This is the interval to wait for the root bound to recover from a bad link.
• 2.4 GHz – Configures the tolerance-period for the 2.4 GHz radio band
• 5.0 GHz – Configures the tolerance-period for the 5.0 GHz radio band
The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:
• <10-600> – Specify a value from 10 - 600 seconds. The default is 60 seconds.

Example

rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#acs channel-hold-time 2.4GHz 2500
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#acs ocs-duration 2.4GHz 30
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#acs ocs-frequency 2.4GHz 1
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#show context
 meshpoint-device test
  acs ocs-frequency 2.4GHz 1
  acs osc-duration 2.4GHz 30
  acs channel-hold-time 2.4GHz 2500
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#

Related Commands

no
Reverts the configured ACS settings to default

26.3.2.2 exclude

Enables exclusion of wired peers (devices that are wired MiNT level-1 neighbors)

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax
exclude wired-peer mint-level-1

Parameters
• exclude wired-peer mint-level-1

exclude wired-peer
  Excludes neighboring mesh devices
wired-peer mint-level-1
  Excludes neighboring wired mesh devices with MiNT level-1 link. When enabled, all neighboring wired mesh devices are excluded from mesh links.

Example
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#exclude wired-peer mint-level-1
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#show context
meshpoint-device test
  exclude wired-peer mint-level-1
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#

Related Commands
no
  Disables wired-peer exclusion on this meshpoint

26.3.2.3 hysteresis

Configures path selection SNR hysteresis values on this meshpoint-device (access point). These are settings that facilitate dynamic path selection. Configuring hysteresis prevents frequent re-ranking of the shortest path cost.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax
hysteresis [min-threshold|period|root-sel-snr-delta|snr-delta]
hysteresis [min-threshold <-100-0>|period <0-600>|root-sel-snr-delta <1-100>|snr-delta <1-100>]

Parameters
• hysteresis [min-threshold <-100-0>|period <0-600>|root-sel-snr-delta <1-100>|snr-delta <1-100>]

min-threshold <-100-0>
  Configures the minimum signal strength that a device should have to be considered a likely candidate in the mesh route (to the mesh root node) selection process.
  • <-100-0> – Specify a value from -100 - 0 dB. The default is 0 dB.
period <0-600>
  Configures the interval, in seconds, for which a likely candidate’s path method hysteresis is sustained. In other words, a device capable of sustaining the signal strength for the specified period of time is a likely candidate in the mesh route (to the mesh root node) selection process.
  • <0-600> – Specify a value from 0 - 600 seconds. The default is 1 second.
root-sel-snr-delta <1-100>
  Configures the signal strength, in dB, that a device has to sustain, within the delta range, to be considered a likely candidate in the mesh route (to the mesh root node) selection process.
  • <1-100> – Specify a value from 1 - 100 dB.
snr-delta <1-100>
  Configures the SNR delta. The device must have a SNR of a greater delta than its current neighbor to be considered a likely candidate in the mesh route (to the mesh root) selection process.
  • <1-100> – Specify a value from 1 - 100 dB. The default is 1 dB.

Example
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis period 15
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis root-sel-snr-delta 12
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis snr-delta 3
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis min-threshold -65
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#show context
meshpoint-device test
  hysteresis period 15
  hysteresis snr-delta 3
  hysteresis min-threshold -65
  hysteresis root-sel-snr-delta 12
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#

Related Commands
no
  Removes the configured path selection SNR hysteresis values

26.3.2.4 monitor

Enables monitoring of critical resource and primary port links. It also configures the action taken in case a critical resource goes down or a primary port link is lost.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax
monitor [critical-resource|primary-port-link-loss] action no-root

Parameters
• monitor [critical-resource|primary-port-link-loss] action no-root

critical-resource
  Enables critical resource down event monitoring
primary-port-link-loss
  Enables primary port link loss event monitoring
action no-root
  The following are common to all of the above:
  • action – Sets the action taken if a critical resource goes down or if a primary port link is lost
  • no-root – Changes the meshpoint to be non root (this is the action taken in case either of the two events mentioned above occurs)

Example
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#monitor critical-resource action no-root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
meshpoint-device test
  name test
  monitor critical-resource action no-root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#

Related Commands
no
  Disables monitoring of critical resource and primary port links.

26.3.2.5 path-method

Configures the path selection method used on a meshpoint device. This is the method used to select the route to the root node within a mesh network.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax
path-method [bound-pair|mobile-snr-leaf|snr-leaf|uniform]

Parameters
• path-method [bound-pair|mobile-snr-leaf|snr-leaf|uniform]

path-method
  Sets the method used to select the path to the root node in a mesh network
bound-pair
  Enables a meshpoint to form an exclusive path with only one other meshpoint. Select this option to bind one mesh point connection at a time. Once established, other mesh point connection requests are denied.
mobile-snr-leaf
  Configures the path selection method as mobile-snr-leaf. When selected, the path to the root node is selected based on the Signal-to-Noise Ratio (SNR) to a neighboring device. This option allows meshpoint devices to select a neighbor with the strongest SNR. Meshpoint devices using the mobile-snr-leaf method are non-forwarding nodes in the meshpoint traffic.
  Note: Select this option for Vehicular Mounted Modem (VMM) access points or other mobile devices.
  Note: VMM is supported only on the AP7161 model access point.
snr-leaf
  This option allows meshpoints to select a neighbor with the strongest SNR. It is similar to the mobile-snr-leaf option, but is not applicable to mobile devices, such as VMMs.
uniform
  Indicates the path selection method is uniform. When selected, two paths will be considered equivalent if the average goodput is the same for both paths. This is the default setting.
  Note: Select this option for infrastructure devices.

Example
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#path-method mobile-snr-leaf
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
meshpoint-device TEST
  name TEST
  path-method mobile-snr-leaf
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#

Related Commands
no
  Resets the path selection method on a meshpoint device

26.3.2.6 preferred

Configures the preferred path parameters for this meshpoint device

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax
preferred [neighbor <MAC>|root <MAC>|interface [2.4GHz|4.9GHz|5GHz]]

Parameters
• preferred [neighbor <MAC>|root <MAC>|interface [2.4GHz|4.9GHz|5GHz]]

preferred
  Configures the preferred path parameters
neighbor <MAC>
  Adds the MAC address of a neighbor meshpoint as a preferred neighbor
root <MAC>
  Adds the MAC address of a root meshpoint as a preferred root
interface [2.4GHz|4.9GHz|5GHz]
  Sets the preferred interface

Example
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#preferred neighbor 11-22-33-44-55-66
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#preferred root 22-33-44-55-66-77
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#preferred interface 5GHz
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
meshpoint-device test
  name test
  preferred root 22-33-44-55-66-77
  preferred neighbor 11-22-33-44-55-66
  preferred interface 5GHz
  monitor critical-resource action no-root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#

Related Commands
no
  Removes the configuration of preferred paths for this meshpoint device

26.3.2.7 root

Configures this meshpoint device as the root meshpoint

You can optionally use the select-method option to enable dynamic mesh selection. When enabled, this option overrides root or no-root configuration and uses the selection method.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax
root {select-method [auto-mint|auto-proximity]}

Parameters
• root {select-method [auto-mint|auto-proximity]}

root
  Configures this meshpoint device as the root meshpoint
select-method auto-mint
  Optional. Enables dynamic mesh selection. When enabled, this option overrides root or no-root configuration and chooses the selection method.
  • auto-mint – Enables dynamic root selection using Auto-MiNT (based on path cost)
    The Auto-Mint or Cost Method dynamically determines the root/non-root configuration of a meshpoint by:
    • Monitoring and ranking the signal strength and path cost of neighboring meshpoints.
    • Setting the configuration to:
      • non-root: If the link with the shortest path to the cost-root mesh device is a MCX meshpoint link
      • root: If the link with the shortest path to the cost-root mesh device is a non MCX meshpoint link (wired link).
      • This requires that the meshpoint device, in the brain car, be configured as the ‘cost root’ and the ‘cost root’ meshpoint-device be the l2 gateway to the controller. Use the root-select > cost-root command to configure a meshpoint-device as ‘cost-root’.
    • Using signal strength of neighboring meshpoint as the sole metric to determine the next mesh hop to the root.
    • Loop detection with both meshpoints in a car select non-root and form a mesh link with the same root
  • auto-proximity – Enables dynamic root selection using meshpoint proximity. When auto-proximity is selected, root selection is based on signal strength of candidate roots.

Example
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
meshpoint-device test
  name test
  root
  preferred root 22-33-44-55-66-77
  preferred neighbor 11-22-33-44-55-66
  preferred interface 5GHz
  monitor critical-resource action no-root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#

ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#root select-method auto-mint
ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#show context
meshpoint-device test
  root select-method auto-mint
ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#

Related Commands
no
  Removes the configuration of this meshpoint device as a root meshpoint. Also allows you to disable dynamic mesh selection (if enabled).

26.3.2.8 root-select

Configures this meshpoint device as the cost root

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax
root-select cost-root

Parameters
• root-select cost-root

root-select cost-root
  Configures this meshpoint device as the cost root. This is necessary for the dynamic root selection process. Select this option to set the meshpoint as the cost root for meshpoint root selection. This setting is disabled by default.

Example
ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#root-select cost-root
ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#show context
meshpoint-device test
  root select-method auto-mint
  root-select cost-root
ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#

Related Commands
no
  Removes this meshpoint-device as the cost-root

26.3.2.9 no

Negates the commands for a meshpoint device or resets values to default

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax
no [acs|exclude|hysteresis|monitor|path-method|preferred|root|root-select]
no acs [channel-hold-time|channel-switch-delta|channel-width|ocs-duration|ocs-frequency|path-min|path-threshold|preferred-interface-tolerance-period|preferred-radio-interface|priority-meshpoint|sample-count|snr-delta|signal-threshold|tolerance-period] [2.4GHZ|5GHz]
no exclude wired-peer mint-level-1
no hysteresis [min-threshold|period|root-sel-snr-delta|snr-delta]
no monitor [critical-resource|primary-port-link-loss]
no [path-method|root {select-method}]
no root-select cost-root
no preferred [interface|root|neighbor]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Removes this meshpoint device's settings or reverts them to default, based on the parameters passed

Example
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
meshpoint-device test
  name test
  root
  preferred root 22-33-44-55-66-77
  preferred neighbor 11-22-33-44-55-66
  preferred interface 5GHz
  monitor critical-resource action no-root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no monitor critical-resource
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no preferred neighbor
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no preferred interface
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
meshpoint-device test
  name test
  no root
  preferred root 22-33-44-55-66-77
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#

27 PASSPOINT POLICY

A passpoint policy provides an interoperable platform for streamlining Wi-Fi access to access points deployed as public hotspots. Passpoint is supported across a wide range of wireless network deployment scenarios and client devices. Passpoint makes connecting to Wi-Fi networks easier by authenticating the user with an account based on an existing relationship, such as the user's mobile carrier or broadband ISP.

To migrate to the Passpoint policy configuration mode, use the following command:

<DEVICE>(config)#passpoint-policy <POLICY-NAME>

rfs4000-229D58(config)#passpoint-policy test
rfs4000-229D58(config-passpoint-policy-test)#
rfs4000-229D58(config-passpoint-policy-test)#?
Passpoint Policy Mode commands:
  3gpp                   Configure a 3gpp plmn (public land mobile network) id
  access-network-type    Set the access network type for the hotspot
  connection-capability  Configure the connection capability for the hotspot
  domain-name            Add a domain-name for the hotspot
  hessid                 Set a homogeneous ESSID value for the hotspot
  internet               Advertise the hotspot having internet access
  ip-address-type        Configure the advertised ip-address-type
  nai-realm              Configure a NAI realm for the hotspot
  net-auth-type          Add a network authentication type to the hotspot
  no                     Negate a command or set its defaults
  operator               Add configuration related to the operator of the
                         hotspot
  osu                    Online signup
  roam-consortium        Add a roam consortium for the hotspot
  venue                  Set the venue parameters of the hotspot
  wan-metrics            Set the wan-metrics of the hotspot

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

rfs4000-229D58(config-passpoint-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

27.1 passpoint-policy

The following table summarizes passpoint policy configuration mode commands:

Table 27.1 Hotspot-Policy-Config Commands
• 3gpp – Configures a 3rd Generation Partnership Project (3gpp) Public Land Mobile Network (PLMN) ID
• access-network-type – Configures the access network type element in this hotspot
• connection-capability – Configures the connection capability element in this passpoint policy
• domain-name – Configures the RF Domains to which this hotspot is applicable
• hessid – Configures the Homogeneous Extended Service Set Identifier (HESSID) for a specified hotspot zone
• internet – Advertises the availability of Internet access in this hotspot
• ip-address-type – Advertises the IP address type used in this hotspot.
• nai-realm – Configures a Network Access Identifier (NAI) realm name and enters its configuration mode
• net-auth-type – Configures the network authentication type used in this hotspot
• no – Removes or reverts passpoint policy configuration
• operator – Configures the operator friendly name for this hotspot
• osu – Configures an online sign up (OSU) SSID/provider and enters its configuration mode
• roam-consortium – Configures the list of Roaming Consortium Organization Identifiers (OIs) supported on this hotspot
• venue – Configures the venue group and type for this passpoint policy
• wan-metrics – Configures the WAN performance metrics for this hotspot

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

27.1.1 3gpp

Configures 3rd Generation Partnership Project (3GPP) Public Land Mobile Network (PLMN) information. The 3GPP PLMN information is a combination of the Mobile Country Code (MCC) and Mobile Network Code (MNC). This MCC and MNC combination uniquely identifies a cellular operator. For example, Telstar Corporation Ltd. in Australia is identified by MCC 505 and MNC 001.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
3gpp mcc <MOBILE-COUNTRY-CODE> mnc <MOBILE-NETWORK-CODE> {description <LINE>}

Parameters
• 3gpp mcc <MOBILE-COUNTRY-CODE> mnc <MOBILE-NETWORK-CODE> {description <LINE>}

3gpp
  Configures the 3GPP PLMN information that is returned in response to an ANQP query
mcc <MOBILE-COUNTRY-CODE>
  Specifies the MCC. The MCC is a two or three digit decimal value. For example, the MCC for Australia is 505.
mnc <MOBILE-NETWORK-CODE>
  Specifies the MNC. The MNC is a two or three digit decimal value used in combination with the MCC to uniquely identify a mobile network operator. The MNC and MCC combination (also known as the MCC/MNC tuple) forms the first five or six digits of the International Mobile Subscriber’s Identity (IMSI).
  If the MCC and MNC values are not configured, the hotspot will not return the element in an ANQP capability request and ignores any ANQP query for the element.
description <LINE>
  Optional. Configures a description that uniquely identifies this PLMN. Provide a description not exceeding 64 characters in length.

Example
rfs4000-229D58(config-passpoint-policy-test)#3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#3gpp mcc 310 mnc 970
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no
  Removes the specified 3gpp PLMN information and its corresponding MCC/MNC settings

27.1.2 access-network-type

Configures the access network type for this hotspot. The beacons and probe responses communicate the type of hotspot (public, private, guest-use, emergency, etc.) to clients seeking access.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
access-network-type [chargeable-public|emergency-services|experimental|free-public|personal-device|private|private-guest|wildcard]

Parameters
• access-network-type [chargeable-public|emergency-services|experimental|free-public|personal-device|private|private-guest|wildcard]

access-network-type
  Select the access network type for this hotspot. The options are:
  • chargeable-public – The network type is a chargeable public network
  • emergency-services – The network is used to provide emergency services only
  • experimental – The network is used for test or experimental purposes only
  • free-public – The network type is a free public network
  • personal-device – The network is used for personal devices only
  • private – The network is a private network
  • private-guest – The network is a private network with guest access (default setting)
  • wildcard – Includes all access network types
  If the network type is set to chargeable-public, probe responses advertise this hotspot as a chargeable-public hotspot.

Example
rfs4000-229D58(config-passpoint-policy-test)#access-network-type chargeable-public
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no
  Reverts to the default access network type setting (private)

27.1.3 connection-capability

Configures the connection capability element in this passpoint policy. When configured, it communicates which ports are open or closed on the hotspot, in response to an ANQP query.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
connection-capability [ftp|http|icmp|ip-protocol|ipsec-vpn|pptp-vpn|sip|ssh|tls-vpn]
connection-capability [ftp|http|icmp|ipsec-vpn|pptp-vpn|sip|ssh|tls-vpn] [closed|open|unknown]
connection-capability ip-protocol <0-255> port <0-65535> [closed|open|unknown]

Parameters
• connection-capability [ftp|http|icmp|ipsec-vpn|pptp-vpn|sip|ssh|tls-vpn] [closed|open|unknown]

connection-capability
  Configures the connection capability element in this passpoint policy
ftp
  Specifies the protocol type as FTP. Configures TCP port 20.
http
  Specifies the protocol type as HTTP. Configures TCP port 80.
icmp
  Specifies the protocol type as ICMP
ipsec-vpn
  Specifies the protocol type as IPSEC VPN. Configures ESP and UDP ports 500 and 4500.
pptp-vpn
  Specifies the protocol type as PPTP VPN. Configures TCP port 1723.
sip
  Specifies the protocol type as SIP. Configures TCP port 5060 and UDP port 5060.
ssh
  Specifies the protocol type as SSH. Configures TCP port 20
tls-vpn
  Specifies the protocol type as TLS VPN. Configures TCP port 443.
port <0-65535> [closed|open|unknown]
  After specifying the protocol type, specify the port (associated with the selected protocol) and its status.
  • closed – Specifies that the port(s) is/are closed
  • open – Specifies that the port(s) is/are open
  • unknown – Specifies that the port(s) status is not known
  When the connection capability element is not configured, the hotspot does not return the element in an ANQP capability request and ignores any ANQP query for the element.

• connection-capability ip-protocol <0-255> port <0-65535> [closed|open|unknown]

connection-capability
  Configures the connection capability element in this passpoint policy
ip-protocol <0-255>
  Identifies the IP protocol by the protocol’s number. For example, for simple message protocol (SMP) specify 121.
port <0-65535> [closed|open|unknown]
  After specifying the IP protocol type, specify the port number.
  • port <0-65535> – Select a port for the IP protocol identified.
  After specifying the port number, specify the port status.
  • closed – Specifies that the port(s) is/are closed
  • open – Specifies that the port(s) is/are open
  • unknown – Specifies that the port(s) status is not known
  When the connection capability element is not configured, the hotspot does not return the element in an ANQP capability request and ignores any ANQP query for the element.

Example
rfs4000-229D58(config-passpoint-policy-test)#connection-capability 1 ip-protocol 2 port 10 closed
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 connection-capability ip-protocol 2 port 10 closed
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no
  Removes the configured connection capability element on the passpoint policy

27.1.4 domain-name

Configures the RF Domain(s) that are returned in response to an ANQP query

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
domain-name <DOMAIN-NAME>

Parameters
• domain-name <DOMAIN-NAME>

domain-name <DOMAIN-NAME>
  Specify the RF Domain name. A hotspot can be applied across multiple RF Domains.

Example
rfs4000-229D58(config-passpoint-policy-test)#domain-name TechPubs
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no
  Removes the RF Domain mapped to this passpoint policy

27.1.5 hessid

Configures the Homogeneous Extended Service Set Identifier (HESSID) for the hotspot. The HESSID uniquely identifies a hotspot provider within a zone. This is essential in zones (such as an airport or shopping mall) having multiple hotspot service providers with overlapping coverage.

An HESSID is a 6 (six) byte identifier that uniquely identifies a set of APs belonging to the same network and exhibiting the same network behavior. It is the BSSID (MAC address) of one of the devices (AP) in the zone. When not configured, the radio’s BSSID is used as the HESSID.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
hessid <MAC>

Parameters
• hessid <MAC>

hessid <MAC>
  Specify a unique 6 (six) byte identifier for this passpoint policy.

Example
rfs4000-229D58(config-passpoint-policy-test)#hessid 00-23-68-88-0D-A7
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 hessid 00-23-68-88-0D-A7
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no
  Removes the HESSID configured with this passpoint policy and reverts back to using the radio’s BSSID

27.1.6 internet

Advertises the availability of Internet access on this hotspot. The Internet bit in the hotspot’s beacon and probe responses indicates if Internet access is available or not. By default this feature is enabled.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
internet

Parameters
None

Example
rfs4000-229D58(config-passpoint-policy-test)#internet
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no
  Removes Internet access on this passpoint policy

27.1.7 ip-address-type

Advertises the IP address type used in this hotspot. This information is returned in response to ANQP queries.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
ip-address-type [ipv4|ipv6]
ip-address-type ipv4 [double-nat|not-available|port-restricted|port-restricted-double-nat|port-restricted-single-nat|public|single-nat|unknown]
ip-address-type ipv6 [available|not-available|unknown]

Parameters
• ip-address-type ipv4 [double-nat|not-available|port-restricted|port-restricted-double-nat|port-restricted-single-nat|public|single-nat|unknown]

ip-address-type ipv4
  Configures the IPv4 address type availability information
double-nat
  Specifies double NATed private IPv4 address is available
not-available
  Specifies IPv4 address is not available
port-restricted
  Specifies port-restricted IPv4 address is available
port-restricted-double-nat
  Specifies port-restricted IPv4 address and double NATed IPv4 address is available
port-restricted-single-nat
  Specifies port-restricted IPv4 address and single NATed IPv4 address is available
public
  Specifies public IPv4 address is available
single-nat
  Specifies single NATed IPv4 address is available
unknown
  Specifies no information configured regarding the IPv4 address availability

• ip-address-type ipv6 [available|not-available|unknown]

ip-address-type ipv6
  Configures the IPv6 address type availability information
available
  Specifies IPv6 address is available
not-available
  Specifies IPv6 address is not available
unknown
  Specifies no information configured regarding the IPv6 address availability

Example
rfs4000-229D58(config-passpoint-policy-test)#ip-address-type ipv6 available
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 hessid 00-23-68-88-0D-A7
 ip-address-type ipv6 available
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no
  Removes the IP address type configured for this passpoint policy
27.1.8 nai-realm

A Network Access Identifier (NAI) realm element in the passpoint policy identifies a hotspot service provider by the unique NAI realm name.

The following table lists NAI realm configuration mode commands:

Table 27.2 NAI-Realm-Config Commands
Command                          Description                                                                    Reference
nai-realm                        Creates a NAI realm name for this hotspot and enters its configuration mode   page 27-13
nai-realm-config-mode commands   Invokes the NAI realm configuration mode commands                              page 27-15
27.1.8.1 nai-realm

Configures a NAI realm name and enters its configuration mode. The NAI realm name identifies the accessible hotspot service providers. You can configure a list of NAI realm names of service providers operating within a specific hotspot zone. The configured NAI realm name list is presented in ANQP response to a NAI realm and NAI home realm query.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
nai-realm <HOTSPOT2-NAI-REALM-NAME>

Parameters
• nai-realm <HOTSPOT2-NAI-REALM-NAME>
  nai-realm <HOTSPOT2-NAI-REALM-NAME> – Configures the NAI realm name for this passpoint policy
  • <HOTSPOT2-NAI-REALM-NAME> – Specify the NAI realm name for this passpoint policy.

Example
rfs4000-229D58(config-passpoint-policy-test)#nai-realm mail.example.com
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#?
Hotspot2 NAI Realm Mode commands:
  eap-method  Set an eap method
  no          Negate a command or set its defaults
  clrscr      Clears the display screen
  commit      Commit all changes made in this session
  do          Run commands from Exec mode
  end         End current mode and change to EXEC mode
  exit        End current mode and down to previous mode
  help        Description of the interactive help system
  revert      Revert changes
  service     Service Commands
  show        Show running system information
  write       Write running configuration to memory or terminal
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#exit
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 hessid 00-23-68-88-0D-A7
 ip-address-type ipv6 available
 nai-realm mail.example.com
 nai-realm mail.testrealm.com
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no – Removes the NAI realm name configured for this passpoint policy
27.1.8.2 nai-realm-config-mode commands

The following table summarizes NAI realm configuration mode commands:

Table 27.3 NAI-Realm-Config-Mode Commands
Command      Description                                                                                                                                                           Reference
eap-method   Specifies the Extensible Authentication Protocol (EAP) authentication mechanisms supported by each of the service providers associated with this passpoint policy   page 27-16
27.1.8.2.1 eap-method

Specifies the EAP authentication mechanisms supported by each of the service providers associated with this passpoint policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
eap-method <1-10> [<1-255>|fast|gtc|identity|ikev2|ms-auth|mschapv2|otp|peap|psk|rsa-public-key|sim|tls|ttls] auth-param [credential|expanded-eap|expanded-inner-eap|inner-eap|non-eap-inner|tunn-eap-credential|vendor] [cert|hw-token|nfc-secure-elem|none|sim|soft-token|username-password|usim|vendor]

Parameters
• eap-method <1-10> [<1-255>|fast|gtc|identity|ikev2|ms-auth|mschapv2|otp|peap|psk|rsa-public-key|sim|tls|ttls] auth-param [credential|expanded-eap|expanded-inner-eap|inner-eap|non-eap-inner|tunn-eap-credential|vendor] [cert|hw-token|nfc-secure-elem|none|sim|soft-token|username-password|usim|vendor]
  eap-method <1-10> – Creates an EAP authentication method and assigns it an index number
  • <1-10> – Specify an identifier for this EAP method from 1 - 10.
  A maximum of 10 (ten) authentication methods can be specified for every NAI realm. After creating the EAP authentication method, specify the associated authentication mechanisms (method types).
  <1-255> – Identifies the EAP authentication method type from the corresponding Internet Assigned Numbers Authority (IANA) number
  • <1-255> – Specify the IANA identity number for the authentication protocol from 1 - 255.
  fast – Specifies the EAP authentication method type as Flexible Authentication via Secure Tunneling (FAST)
  gtc – Specifies the EAP authentication method type as Generic Token Card (GTC)
  identity – Specifies the EAP authentication method type as Identification
  ikev2 – Specifies the EAP authentication method type as Internet Key Exchange Protocol version 2 (IKEv2)
  ms-auth – Specifies the EAP authentication method type as Microsoft Authentication (MS-Auth)
  mschapv2 – Specifies the EAP authentication method type as Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2)
  otp – Specifies the EAP authentication method type as One Time Password (OTP)
  peap – Specifies the EAP authentication method type as Protected Extensible Authentication Protocol (PEAP)
  psk – Specifies the EAP authentication method type as Pre-shared Key (PSK)
  rsa-public-key – Specifies the EAP authentication method type as RSA public key protocol
  sim – Specifies the EAP authentication method type as GSM Subscriber Identity Module (SIM)
  tls – Specifies the EAP authentication method type as Transport Layer Security (TLS)
  ttls – Specifies the EAP authentication method type as Tunneled Transport Layer Security (TTLS)
  auth-param – After specifying the EAP authentication method type, specify the authentication parameters. These parameters depend on the EAP authentication mechanism selected.
  [cert|hw-token|nfc-secure-elem|none|sim|soft-token|username-password|usim|vendor] – The following parameters are common to all the above authentication parameters:
  • cert – Certificate
  • hw-token – Hardware token
  • nfc-secure-elem – NFC secure element
  • none – No credential
  • sim – Subscriber identity module
  • soft-token – Soft token
  • username-password – Username and password
  • usim – Universal subscriber identity module
  • vendor – Vendor specific credential

Example
The following examples show four EAP authentication methods associated with the NAI realm ‘mail.example.com’. Each method supports a different EAP authentication mechanism:

rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#eap-method 1 ttls auth-param vendor hex 00001E
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#eap-method 2 rsa-public-key auth-param credential cert
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#eap-method 4 peap auth-param credential cert
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#show context
 nai-realm mail.example.com
  eap-method 1 ttls auth-param vendor hex 00121F
  eap-method 2 rsa-public-key auth-param credential cert
  eap-method 3 otp auth-param credential username-password
  eap-method 4 peap auth-param credential cert
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#
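The nai-realm and eap-method lines of a policy can be checked against the documented ranges and keywords before the policy is committed, since every accepted line is advertised to clients in ANQP responses. The following Python linter is an added example, not part of the WiNG guide or Extreme Networks' code. Assumptions: the realm lab.example.net and its lines are constructed, the `vendor hex <value>` form is taken from the guide's example rather than its Syntax line, and a reused index within one realm is treated as an error.

```python
# Keyword sets copied from the eap-method Syntax line in this section.
import re

METHOD_TYPES = {"fast", "gtc", "identity", "ikev2", "ms-auth", "mschapv2", "otp",
                "peap", "psk", "rsa-public-key", "sim", "tls", "ttls"}
AUTH_PARAMS = {"credential", "expanded-eap", "expanded-inner-eap", "inner-eap",
               "non-eap-inner", "tunn-eap-credential", "vendor"}
CREDENTIALS = {"cert", "hw-token", "nfc-secure-elem", "none", "sim", "soft-token",
               "username-password", "usim", "vendor"}
MAX_METHODS_PER_REALM = 10

# Constructed input: the first realm repeats the guide's show context output,
# the second realm (lab.example.net) is invented to exercise the checks.
SAMPLE = """\
hotspot2-policy test
 domain-name TechPubs
 nai-realm mail.example.com
  eap-method 1 ttls auth-param vendor hex 00001E
  eap-method 2 rsa-public-key auth-param credential cert
  eap-method 3 otp auth-param credential username-password
  eap-method 4 peap auth-param credential cert
 nai-realm lab.example.net
  eap-method 11 peap auth-param credential cert
  eap-method 2 opt auth-param credential username-password
  eap-method 2 tls auth-param credential smartcard
 net-auth-type accept-terms url www.test.com
"""


def _as_int(text):
    """Return text as an int, or None when it is not a plain decimal number."""
    return int(text) if text.isascii() and text.isdigit() else None


def parse_realms(context_text):
    """Map each nai-realm name to the token lists of its eap-method lines."""
    realms, current = {}, None
    for raw in context_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "nai-realm" and len(tokens) == 2:
            current = tokens[1]
            realms.setdefault(current, [])
        elif tokens[0] == "eap-method":
            if current is not None:
                realms[current].append(tokens[1:])
        else:
            current = None  # any other keyword closes the realm block
    return realms


def check_method(tokens):
    """Return the problems found in one eap-method line (tokens after the keyword)."""
    if len(tokens) < 4 or tokens[2] != "auth-param":
        return ["expected <1-10> <type> auth-param <param> <value>"]
    index, mtype, _, param, *rest = tokens
    problems = []
    number = _as_int(index)
    if number is None or not 1 <= number <= 10:
        problems.append(f"index {index} is outside 1-10")
    iana = _as_int(mtype)
    if iana is not None:
        if not 1 <= iana <= 255:
            problems.append(f"IANA method number {mtype} is outside 1-255")
    elif mtype not in METHOD_TYPES:
        problems.append(f"unknown method type {mtype}")
    if param not in AUTH_PARAMS:
        problems.append(f"unknown auth-param {param}")
    elif param == "vendor" and rest[:1] == ["hex"]:
        # Form shown in the guide's example: auth-param vendor hex 00001E
        if len(rest) != 2 or not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", rest[1]):
            problems.append("vendor hex value is not a whole number of hex bytes")
    elif len(rest) != 1 or rest[0] not in CREDENTIALS:
        problems.append(f"unknown credential {' '.join(rest) or '(missing)'}")
    return problems


def lint_policy(context_text):
    """Return (realm, index, problem) tuples for every violation in the policy text."""
    findings = []
    for realm, methods in parse_realms(context_text).items():
        if len(methods) > MAX_METHODS_PER_REALM:
            findings.append((realm, "-", "more than 10 EAP methods in one realm"))
        seen = set()
        for tokens in methods:
            index = tokens[0] if tokens else "?"
            if index in seen:
                findings.append((realm, index, "index reused within the realm"))
            seen.add(index)
            findings.extend((realm, index, p) for p in check_method(tokens))
    return findings


if __name__ == "__main__":
    for realm, index, problem in lint_policy(SAMPLE):
        print(f"{realm}: eap-method {index}: {problem}")
```

Run against saved `show context` output, the linter also catches keyword slips such as `opt` for `otp`.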
27.1.9 net-auth-type

Configures the network authentication type used in this hotspot. The details configured are returned in response to an ANQP query.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
net-auth-type [accept-terms|dns-redirect|http-redirect|online-enroll] {url <URL>}

Parameters
• net-auth-type [accept-terms|dns-redirect|http-redirect|online-enroll] {url <URL>}
  net-auth-type – Specifies the network authentication type used with this passpoint policy. The options are: accept-terms, dns-redirect, http-redirect, and online-enroll
  accept-terms – Enables user acceptance of terms and conditions
  dns-redirect – Enables DNS redirection of user
  http-redirect – Enables HTTP redirection of user
  online-enroll – Enables online user enrolment
  url <URL> – Optional. Specify the location for each of the above network authentication types.

Example
rfs4000-229D58(config-passpoint-policy-test)#net-auth-type accept-terms url "www.test.com"
rfs4000-229D58(config-passpoint-policy-test)#
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 hessid 00-23-68-88-0D-A7
 ip-address-type ipv6 available
 nai-realm mail.example.com
  eap-method 1 ttls auth-param vendor hex 00001E
  eap-method 2 rsa-public-key auth-param credential cert
  eap-method 3 otp auth-param credential username-password
  eap-method 4 peap auth-param credential cert
 nai-realm mail.testrealm.com
 net-auth-type accept-terms url www.test.com
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no – Removes the network authentication type configured with this passpoint policy
27.1.10 no

Removes or reverts the passpoint policy settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
no [3gpp|access-network-type|connection-capability|domain-name|hessid|internet|ip-address-type|nai-realm|net-auth-type|operator|osu|roam-consortium|venue|wan-metrics]

Parameters
• no <PARAMETERS>
  no <PARAMETERS> – Removes or reverts the passpoint policy settings

Example
The following example shows the passpoint policy ‘test’ settings before the ‘no’ commands are executed:

rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 hessid 00-23-68-88-0D-A7
 ip-address-type ipv6 available
 nai-realm mail.example.com
  eap-method 1 ttls auth-param vendor hex 00001E
  eap-method 2 rsa-public-key auth-param credential cert
  eap-method 3 otp auth-param credential username-password
  eap-method 4 peap auth-param credential cert
 nai-realm mail.testrealm.com
 net-auth-type accept-terms url www.test.com
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#
rfs4000-229D58(config-passpoint-policy-test)#no access-network-type
rfs4000-229D58(config-passpoint-policy-test)#no hessid
rfs4000-229D58(config-passpoint-policy-test)#no nai-realm mail.example.com
rfs4000-229D58(config-passpoint-policy-test)#no 3gpp mcc 310 mnc 970
rfs4000-229D58(config-passpoint-policy-test)#no internet
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 no internet
 ip-address-type ipv6 available
 nai-realm mai.testrealm.com
 net-auth-type accept-terms url www.test.com
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#
27.1.11 operator

Configures the operator friendly name for this hotspot. The name can be configured in English or in any language other than English. When the name is specified in English, the system allows an ASCII input. If you are using a language other than English, first specify the ISO-639 language code, and then specify the name as a hexadecimal code.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
operator name <OPERATOR-NAME>

Parameters
• operator name <OPERATOR-NAME>
  name <OPERATOR-NAME> – Configures the operator’s name in English
  • <OPERATOR-NAME> – Specify the operator friendly name in ASCII format.

Example
rfs4000-229D58(config-passpoint-policy-test)#operator name emergencyservices
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 no internet
 ip-address-type ipv6 available
 nai-realm mai.testrealm.com
 net-auth-type accept-terms url www.test.com
 operator name emergencyservices
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no – Removes the operator friendly name configured for this passpoint policy
27.1.12 osu

The following table lists the OSU SSID/provider configuration commands:

Table 27.4 OSU-SSID/Provider Config Commands
Command                    Description                                                                           Reference
osu                        Configures an online sign up (OSU) SSID/provider and enters its configuration mode   page 27-22
osu-config-mode commands   Summarizes the OSU SSID/provider configuration mode commands                          page 27-23
27.1.12.1 osu

Adds an online sign up (OSU) SSID (WLAN)/OSU provider and enters its configuration mode

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
osu [provider <PASSPOINT-OSU-PROVIDER>|ssid <SSID>]

Parameters
• osu [provider <PASSPOINT-OSU-PROVIDER>|ssid <SSID>]
  osu – Use this command to configure an online sign up (OSU) SSID/OSU provider. In the OSU SSID/provider configuration mode, specify OSU details, such as names, descriptions, servers, methods, and icons available. This information is returned in response to a station’s Hotspot 2.0 query. When configured, this option enables a station to obtain credentials for a Hotspot 2.0 enabled SSID.
  provider <PASSPOINT-OSU-PROVIDER> – Creates an OSU provider for this passpoint and enters its configuration mode
  • <PASSPOINT-OSU-PROVIDER> – Specify an identification for this OSU passpoint provider.
  ssid <SSID> – Configures an OSU WLAN’s SSID. This is the open authentication SSID that a user can use to obtain credentials for the passpoint SSID.
  • <SSID> – Specify the SSID.

Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#?
Passpoint OSU Provider Mode commands:
  description  Configure the english description of the online signup provider
  icon         Add an icon for the online signup provider
  method       Specify the online signup method supported by provider
  nai          Configure the NAI for the online signup provider
  name         Configure the english name of the online signup provider
  no           Negate a command or set its defaults
  server-url   Configure the signup url for the online signup provider
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
no – Removes the OSU WLAN/provider configured with this passpoint policy
27.1.12.2 osu-config-mode commands

The following table summarizes OSU SSID/provider configuration mode commands:

Table 27.5 OSU-SSID/Provider-Config-Mode Commands
Command       Description                                                           Reference
description   Configures the OSU provider’s description                             page 27-24
icon          Adds the OSU provider’s icon                                          page 27-25
method        Configures the open sign up methods available on this OSU provider   page 27-26
nai           Configures the OSU provider’s NAI                                     page 27-27
name          Configures the OSU provider’s name                                    page 27-28
no            Removes the settings configured for this OSU provider                 page 27-29
server-url    Configures the OSU provider server’s URL                              page 27-30
27.1.12.2.2 description

Configures the OSU SSID/provider’s description. This value is returned in the ANQP OSU providers list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
description [<DESCRIPTION>|iso-lang <ISO-LANG-CODE>]

Parameters
• description [<DESCRIPTION>|iso-lang <ISO-LANG-CODE>]
  <DESCRIPTION> – Provides a description for the OSU provider. It should not exceed 253 characters in length.
  • <DESCRIPTION> – Specify the description in one or more languages. By default the system configures the name in English.
  iso-lang <ISO-LANG-CODE> – Identifies the language by its ISO 639 language code (for example, ‘chi-chinese’ or ‘spa-spanish’). By default the language is set to English. If specifying the description in any language other than English, specify the ISO language code.

Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#description "Provides free service for testing purposes"
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  description "Provides free service for testing purposes"
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
no – Removes this OSU provider’s description
27.1.12.2.3 icon

Adds the OSU provider’s icon. This value is returned in the ANQP OSU providers list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
icon iso-lang <ISO-LANG-CODE> width <0-65535> height <0-65535> mime-type <FILE-MIME-TYPE> file [<IMAGE-FILE-NAME/PATH>|<FILE-NAME>]

Parameters
• icon iso-lang <ISO-LANG-CODE> width <0-65535> height <0-65535> mime-type <FILE-MIME-TYPE> file [<IMAGE-FILE-NAME/PATH>|<FILE-NAME>]
  icon iso-lang <ISO-LANG-CODE> – Configures an icon representing the OSU provider
  • iso-lang <ISO-LANG-CODE> – Identifies the language by its ISO 639 language code (for example, ‘chi-chinese’ or ‘spa-spanish’). By default the language is set to English. If specifying the image file name and path in any language other than English, specify the ISO language code.
  width <0-65535> – Configures the icon’s width in pixels
  • <0-65535> – Specify a value from 0 - 65535 pixels.
  height <0-65535> – Configures the icon’s height in pixels
  • <0-65535> – Specify a value from 0 - 65535 pixels.
  mime-type <FILE-MIME-TYPE> – Configures a string describing the icon’s standard mime type. For example, image/png
  • <FILE-MIME-TYPE> – Specify the icon’s mime type.
  file [<IMAGE-FILE-NAME/PATH>|<FILE-NAME>] – Configures the location and name of the image file
  • <IMAGE-FILE-NAME/PATH> – Specify the path and filename. For example, flash:/icon.png
  • <FILE-NAME> – Use this option to specify the filename in the flash:/ directory

Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  description "Provides free service for testing purposes"
  icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
no – Removes this OSU provider’s icon
27.1.12.2.4 method

Configures the open sign up methods available on this OSU provider. This value is returned, in the specified order of precedence, in the ANQP OSU providers list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
method [oma-dm|soap-xml-spp] priority <1-2>

Parameters
• method [oma-dm|soap-xml-spp] priority <1-2>
  method [oma-dm|soap-xml-spp] priority <1-2> – Configures the online sign up methods supported by this OSU provider
  • oma-dm – Configures the OSU method used as Open Mobile Alliance (OMA) device management
  • soap-xml-spp – Configures the OSU method used as Soap-xml subscription provisioning protocol
  • priority <1-2> – Sets the priority of the specified method. Select a value from 1 - 2. The default is one (1).

Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#method soap-xml-spp priority 1
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  description "Provides free service for testing purposes"
  icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
  method soap-xml-spp priority 1
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
no – Removes the online sign up methods configured on this OSU provider
27.1.12.2.5 nai

Configures the OSU provider’s NAI. This value is returned in the ANQP OSU providers list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
nai <WORD>

Parameters
• nai <WORD>
  nai <WORD> – Configures the OSU provider’s NAI
  • <WORD> – Specify the NAI.

Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#nai wifi.org
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  description "Provides free service for testing purposes"
  icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
  method soap-xml-spp priority 1
  nai wifi.org
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
no – Removes this OSU provider’s NAI
27.1.12.2.6 name

Configures the OSU provider’s name. This value is returned in the ANQP OSU providers list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
name [<NAME>|iso-lang <ISO-LANG-CODE>]

Parameters
• name [<NAME>|iso-lang <ISO-LANG-CODE>]
  <NAME> – Configures the OSU provider’s name. It should not exceed 253 characters in length.
  • <NAME> – Specify the name in one or more languages. By default the system configures the name in English.
  iso-lang <ISO-LANG-CODE> – Identifies the language by its ISO 639 language code (for example, ‘chi-chinese’ or ‘spa-spanish’). By default the language is set to English. If specifying the name in any language other than English, specify the ISO language code.

Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#name "WIFI Alliance OSU"
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFI
  name "WIFI Alliance OSU"
  description "Provides free service for testing purposes"
  icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
  method soap-xml-spp priority 1
  nai wifi.org
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
no – Removes this OSU provider’s name
27.1.12.2.7 no

Removes the settings configured for this OSU provider. Once removed, the information is not included in the ANQP providers list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
no [description|icon|method|nai|name|server-url]
no [description|icon|name] {iso-lang <ISO-LANG-CODE>}
no [nai|server-url]
no method [oma-dm|soap-xml-spp]

Parameters
• no <PARAMETERS>
  no <PARAMETERS> – Removes the settings configured for this OSU provider

Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  name "WIFI Alliance OSU"
  description "Provides free service for testing purposes"
  icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
  method soap-xml-spp priority 1
  nai wifi.org
  server-url osu-server.wifi.org
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#no description
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#no icon iso-lang eng
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#no name
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  method soap-xml-spp priority 1
  nai wifi.org
  server-url osu-server.wifi.org
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
27.1.12.2.8 server-url

Configures the OSU provider server’s URL. This value is returned in the ANQP OSU providers list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
server-url <URL>

Parameters
• server-url <URL>
  server-url <URL> – Configures the OSU provider server’s URL
  • <URL> – Specify the server’s URL.

Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#server-url osu-server.wifi.org
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  name "WIFI Alliance OSU"
  description "Provides free service for testing purposes"
  icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
  method soap-xml-spp priority 1
  nai wifi.org
  server-url osu-server.wifi.org
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
no – Removes this OSU provider’s server’s URL
27.1.13 roam-consortium

Configures a list of Roaming Consortium (RC) Organization Identifiers (OIs) supported on this hotspot. The beacons and probe responses communicate this Roaming Consortium list to devices. This information enables a device to identify the networks available through this AP.

Each OI identifies either a group of Subscription Service Providers (SSPs) or a single SSP.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
roam-consortium hex <WORD>

Parameters
• roam-consortium hex <WORD>
  roam-consortium hex <WORD> – Adds a Roaming Consortium OI to this hotspot in hexadecimal format
  • <WORD> – Specify the Roaming Consortium OI in hexadecimal format (should not exceed 128 characters)
  hex <WORD> – Configures a hexadecimal input
  • <WORD> – Specify the Roaming Consortium OI in hexadecimal format (should not exceed 128 characters)

Example
rfs4000-229D58(config-passpoint-policy-test)#roam-consortium hex 223344
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 no internet
 ip-address-type ipv6 available
 nai-realm mai.testrealm.com
 net-auth-type accept-terms url www.test.com
 operator name emergencyservices
 roam-consortium hex 223344
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no – Removes the Roaming Consortium OIs supported on this passpoint policy
27.1.14 venue

Configures the venue where this hotspot is located. The hotspot venue configuration informs prospective clients about the hotspot’s nature of activity, such as educational, institutional, residential, etc.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
venue [group|name]
venue group [assembly|business|educational|industrial|institutional|mercantile|outdoor|residential|storage|unspecified|utility-and-misc|vehicular] type
venue name [<VENUE-NAME>|iso-lang]
venue name <VENUE-NAME>
venue name iso-lang <ISO-LANG-CODE> <VENUE-NAME>

Parameters
• venue group [assembly|business|educational|industrial|institutional|mercantile|outdoor|residential|storage|unspecified|utility-and-misc|vehicular] type

venue group – Configures the venue group associated with this hotspot

assembly type – Configures the venue group as assembly (1). This hotspot type is applicable to public assembly venues.
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • amphitheater – Specifies the venue type as amphitheater (4)
  • amusement-park – Specifies the venue type as amusement park (5)
  • arena – Specifies the venue type as arena (1)
  • bar – Specifies the venue type as bar (12)
  • coffee-shop – Specifies the venue type as a coffee shop (13)
  • convention-centre – Specifies the venue type as a convention center (7)
  • emergency-coordination-center – Specifies the venue type as an emergency coordination center (15)
  • library – Specifies the venue type as a library (8)
  • museum – Specifies the venue type as a museum (9)
  • passenger-terminal – Specifies the venue type as a passenger terminal (3)
  • place-of-worship – Specifies the venue type as a place of worship (6)
  • restaurant – Specifies the venue type as a restaurant (10)
  • stadium – Specifies the venue type as a stadium (2)
  • theater – Specifies the venue type as a theater (11)
  • unspecified – Specifies the venue type as not specified (0)
  • zoo – Specifies the venue type as a zoo (14)

business type – Configures the venue group as business (2). This hotspot type is applicable to business venues.
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • attorney – Specifies the venue type as the attorney’s office (9)
  • bank – Specifies the venue type as a bank (2)
  • doctor – Specifies the venue type as a doctor or dentist’s office (1)
  • fire-station – Specifies the venue type as a fire station (3)
  • police-station – Specifies the venue type as a police station (4)
  • post-office – Specifies the venue type as a post office (5)
  • professional-office – Specifies the venue type as a professional office (7)
  • research-and-development-facility – Specifies the venue type as a research facility (8)
  • unspecified – Specifies the venue type as not specified (0)

educational – Configures the venue group as educational (3). This hotspot type is applicable to educational institutions.
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • school-primary – Specifies the venue type as a primary school (1)
  • school-secondary – Specifies the venue type as a secondary school (2)
  • university – Specifies the venue type as a university or college (3)
  • unspecified – Specifies the venue type as not specified (0)

industrial – Configures the venue group as industrial (4). This hotspot type is applicable to industrial venues.
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • factory – Specifies the venue type as a factory (1)
  • unspecified – Specifies the venue type as not specified (0)

institutional – Configures the venue group as institutional (4). This hotspot type is applicable to public health and other institutions.
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • group-home – Specifies the venue type as a group-home (4)
  • hospital – Specifies the venue type as a hospital (1)
  • long-term-care – Specifies the venue type as a long term care facility (2)
  • prison – Specifies the venue type as a prison or jail (5)
  • rehab – Specifies the venue type as a rehabilitation facility (3)
  • unspecified – Specifies the venue type as not specified (0)

mercantile – Configures the venue group as mercantile (6). This hotspot type is applicable to public mercantile venues.
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • automotive – Specifies the venue type as an automotive service center (3)
  • gas-station – Specifies the venue type as a gas station (5)
  • grocery – Specifies the venue type as a grocery store (2)
  • mall – Specifies the venue type as a shopping mall (4)
  • retail – Specifies the venue type as a retail store (1)
  • unspecified – Specifies the venue type as not specified (0)

outdoor – Configures the venue group as outdoor (11). This hotspot type is applicable to public outdoor venues.
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • bus-stop – Specifies the venue type as a bus stop (5)
  • city-park – Specifies the venue type as a city park (2)
  • kiosk – Specifies the venue type as a kiosk (6)
  • muni-mesh – Specifies the venue type as a muni-mesh (municipal wireless Wi-Fi) (1)
  • rest-area – Specifies the venue type as a rest area (3)
  • traffic-control – Specifies the venue type as a traffic control area (4)
  • unspecified – Specifies the venue type as not specified (0)

residential – Configures the venue group as residential (7). This hotspot type is applicable to residential complexes.
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • boarding-house – Specifies the venue type as a boarding-house (4)
  • dorm – Specifies the venue type as a dormitory (3)
  • hotel – Specifies the venue type as a hotel or motel (2)
  • private – Specifies the venue type as a private residence (1)
  • unspecified – Specifies the venue type as not specified (0)

storage – Configures the venue group as storage (8). This hotspot type is applicable to storage groups.
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • unspecified – Specifies the venue type as not specified (0)

unspecified – Configures the venue group as unspecified (0)
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • unspecified – Specifies the venue type as not specified (0)

utility-and-misc – Configures the venue group as utility and miscellaneous (8)
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • unspecified – Specifies the venue type as not specified (0)

vehicular – Configures the venue group as vehicular (7). This hotspot type is applicable to mobile venues.
• type – Specifies the venue type for this group. The options are:
  • <0-255> – Specifies an unlisted venue type number from 0 - 255
  • airplane – Specifies the venue type as an airplane (2)
  • auto – Specifies the venue type as an automobile or truck (1)
  • bus – Specifies the venue type as a bus (3)
  • ferry – Specifies the venue type as a ferry (5)
  • motor-bike – Specifies the venue type as a motor bike (7)
  • ship – Specifies the venue type as a ship or boat (5)
  • train – Specifies the venue type as a train (6)
  • unspecified – Specifies the venue type as not specified (0)

• venue name <VENUE-NAME>
• venue name iso-lang <ISO-LANG-CODE> <VENUE-NAME>

name <WORD> – Configures the venue name in English
  • <WORD> – Specify the venue name in ASCII format.
name iso-lang <ISO-LANG-CODE> <VENUE-NAME> – Configures a non-English venue name
  • iso-lang <ISO-LANG-CODE> – Identifies the language by its ISO 639 language code (for example, ‘chi-chinese’ or ‘spa-spanish’).
    • <ISO-LANG-CODE> – Specify the 3 character iso-639 language code (for example, ‘chi-chinese’ or ‘spa-spanish’).
    • <VENUE-NAME> – Specifies the venue name as a hexadecimal code

Example
rfs4000-229D58(config-passpoint-policy-test)#venue name PublicSchool
rfs4000-229D58(config-passpoint-policy-test)#venue group assembly type coffee-shop
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 no internet
 ip-address-type ipv6 available
 nai-realm mai.testrealm.com
 net-auth-type accept-terms url www.test.com
 operator name emergencyservices
 roam-consortium hex 223344
 venue group assembly type coffee-shop
 venue name PublicSchool
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no – Removes the venue group and type configured with this passpoint policy
27.1.15 wan-metrics

Configures the WAN performance metrics for this hotspot. This command configures the upstream and downstream speeds associated with this hotspot. The upstream and downstream speed values (in Kbps) are estimates of the bandwidth available on the WAN. This information is returned in response to a client ANQP query, and is useful for clients having a minimum and/or large bandwidth requirement.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
wan-metrics down-speed <0-4294967295> up-speed <0-4294967295>

Parameters
• wan-metrics down-speed <0-4294967295> up-speed <0-4294967295>

wan-metrics – Specifies the WAN metrics for the up and down traffic
down-speed <0-4294967295> – Configures the downstream traffic speed
  • <0-4294967295> – Specify a value from 0 - 4294967295 Kbps.
up-speed <0-4294967295> – Configures the upstream traffic speed
  • <0-4294967295> – Specify a value from 0 - 4294967295 Kbps.

Example
rfs4000-229D58(config-passpoint-policy-test)#wan-metrics down-speed 2000 up-speed 2000
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 no internet
 ip-address-type ipv6 available
 nai-realm mai.testrealm.com
 net-auth-type accept-terms url www.test.com
 operator name emergencyservices
 roam-consortium hex 223344
 venue group assembly type coffee-shop
 venue name PublicSchool
 wan-metrics down-speed 2000 up-speed 2000
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no – Removes the WAN metrics configuration on this passpoint policy
28 BORDER GATEWAY PROTOCOL

This chapter summarizes the Border Gateway Protocol (BGP) related configuration commands in the CLI command structure.

BGP is a routing protocol, which establishes routing between ISPs. ISPs use BGP to exchange routing information between Autonomous Systems (ASs) on the Internet. The routing information shared includes details, such as ASs traversed to a particular destination, reachable ASs, best paths available, network policies and rules applied on a route, etc. These details appear as BGP attributes carried in routing update packets. BGP uses this information to make routing decisions. Therefore, the primary role of a BGP system is to exchange routing information with other BGP peers.

BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing. BGP listens on TCP port 179. The error notification mechanism used in BGP assumes that TCP supports a graceful close (all outstanding data is delivered before the connection is closed). Routing information exchanged through BGP supports only destination-based forwarding (it assumes a router forwards packets based on the destination address carried in the IP header of the packet).

An AS is a set of routers under the same administration that use Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. There are two types of BGP systems: external BGP (eBGP) and internal BGP (iBGP). iBGP represents the exchange of routing information between BGP peers within an AS. Whereas, when two BGP peers, belonging to different ASs, are connected you have an eBGP setup.

BGP peers (also referred to as neighbors) are BGP enabled devices that are directly connected through an established TCP connection. When two BGP enabled peers establish a TCP connection the first time, they exchange their BGP routing tables. All subsequent route table modifications are exchanged as route updates. BGP tracks these route updates by maintaining route table version numbers. With every update the version number changes. At any given point in time, all BGP peers should have the same route table version. The peer-to-peer TCP connections are kept alive through keepalive packets exchanged at specified intervals. Errors and special events are communicated between peers as notification packets.

This chapter is organized as follows:
• bgp-ip-prefix-list-config commands
• bgp-ip-access-list-config commands
• bgp-as-path-list-config commands
• bgp-community-list-config commands
• bgp-extcommunity-list-config commands
• bgp-route-map-config commands
• bgp-router-config commands
• bgp-neighbor-config commands

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
28.1 bgp-ip-prefix-list-config commands

IP prefix lists are a convenient way to filter prefixes (contained in route update packets) transmitted to (or received from) other BGP supported routers. IP prefix lists are similar to access lists. They contain ordered entries (deny or permit prefix rules), identified by their sequence numbers. Each rule specifies match criteria (network and subnet prefixes and prefix masks) to match. When a prefix (received or transmitted) matches the prefix specified in one of the rules, it is filtered and an action is applied depending on where the IP prefix list is used. For example, when used in the BGP neighbor context, the prefixes received from the neighbor are filtered and the filtered prefixes are either rejected or accepted depending on the rule type (deny or permit).

IP prefix lists are also used in the BGP route map context to filter prefixes. The action applied on filtered prefixes is set within the route map. Another use case for IP prefix lists is to filter prefixes before redistribution of local OSPF routes to eBGP enabled ASs.

As in access lists, these deny and permit prefix rules are processed sequentially, in ascending order of their sequence number. Once a match is made, the BGP enabled router stops processing all subsequent rules in the ip-prefix-list.

IP prefix lists are used as match criteria in the following contexts:
• BGP neighbor. For more information, see use.
• BGP route-map context. For more information, see match.

To navigate to the ip-prefix-list configuration instance, use the following command:

<DEVICE>(config)#bgp ip-prefix-list <IP-PREFIX-LIST-NAME>
<DEVICE>(config-bgp-ip-prefix-list-test)#?
BGP IP Prefix List Mode commands:
  deny     IP Prefix deny rule to specify packets to reject
  no       Negate a command or set its defaults
  permit   IP Prefix permit rule to specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
<DEVICE>(config-bgp-ip-prefix-list-test)#

The following table summarizes the BGP IP prefix list configuration commands:

Table 28.1 BGP-IP-Prefix-List-Config Commands
Command   Description
deny      Creates and configures a deny prefix-list rule
permit    Creates and configures a permit prefix-list rule
no        Removes the specified deny or permit prefix-list rule from this IP prefix list
28.1.1 deny

Creates and configures a deny prefix-list rule. The deny rule specifies match criteria based on which prefixes received from (or transmitted to) a BGP neighbor are filtered. A deny action is applied on these filtered prefixes. For example, in the BGP router neighbor context a filter is applied using an IP prefix list. The list contains a deny rule with a prefix to match as 192.168.13.0/24. All prefixes received from the neighbor matching this prefix are denied.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
deny prefix-list <1-4292967294> [<PREFIX-TO-MATCH/MASK>|any]
deny prefix-list <1-4292967294> [<PREFIX-TO-MATCH/MASK> {ge <0-32>|le <0-32>}|any]

Parameters
• deny prefix-list <1-4292967294> [<PREFIX-TO-MATCH/MASK> {ge <0-32>|le <0-32>}|any]

deny prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any] – Creates and configures a deny prefix-list rule
• <1-4294967295> – Configures a sequence number for this deny rule. Specify a value from 1 - 4294967295. Within a prefix list, rules are applied in an ascending order of their sequence number. Rules with lower sequence number are applied first.
• <PREFIX-TO-MATCH/MASK> – Specify the prefix to match. For example 10.0.0.0/8 or 192.168.13.0/24. Routes matching the specified prefix are filtered.
  • ge <0-32> – Optional. Specifies a greater than or equal to value for the IP prefix length (subnet mask)
  • le <0-32> – Optional. Specifies a less than or equal to value for the IP prefix length
  The ‘ge’ and ‘le’ options specify an IP prefix length range. Use these options to specify a more specific (granular) prefix match criteria.
• any – Sets the prefix match criteria to any. When selected, all routes are filtered, and the action applied is deny. At the backend, this option sets the match criteria to 0.0.0.0/0 le 32.

Example
nx9500-6C8809(config-bgp-ip-prefix-list-test)#deny prefix-list 1 168.192.13.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#

Related Commands
no – Removes a deny prefix-list rule from this IP prefix list
28.1.2 permit

Creates and configures a permit prefix-list rule. The permit rule specifies match criteria based on which prefixes received from (or transmitted to) a BGP neighbor are filtered. A permit action is applied on these filtered prefixes. For example, in the BGP router neighbor context a filter is applied using an IP prefix list. The list contains a permit rule with a prefix to match as 172.168.10.0/24. All prefixes received from the neighbor matching this prefix are permitted.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
permit prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]

Parameters
• permit prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]

permit prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any] – Creates and configures a permit prefix-list rule
• <1-4294967295> – Configures a sequence number for this permit rule. Specify a value from 1 - 4294967295. Within a prefix list, rules are applied in an ascending order of their sequence number. Rules with lower sequence number are applied first.
• <PREFIX-TO-MATCH/MASK> – Specify the prefix to match. For example 10.0.0.0/8 or 192.168.13.0/24. Routes matching the specified prefix are filtered.
  • ge – Optional. Specifies a greater than or equal to value for the IP prefix length (subnet mask)
  • le – Optional. Specifies a less than or equal to value for the IP prefix length
  Use the ‘ge’ and ‘le’ options to specify an IP prefix length range. Use these options to specify a more specific (granular) prefix match criteria.
• any – Sets the prefix match criteria to any. When selected, all routes are filtered, and the action applied is permit. At the backend, this option sets the match criteria to 0.0.0.0/0 le 32.

Example
nx9500-6C8809(config-bgp-ip-prefix-list-test)#permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#

Related Commands
no – Removes a permit prefix rule from this IP prefix list
28.1.3 no

Removes the specified deny or permit prefix-list rule from this IP prefix list

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
no [deny|permit]
no [deny|permit] prefix-list <1-4294967295> {<PREFIX-TO-MATCH/MASK>|any}

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Removes a deny or permit rule from this IP prefix list

Example
The following example shows the IP prefix list ‘test’ settings before the ‘no’ command is executed:

nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#

The following example shows the IP prefix list ‘test’ settings after the ‘no’ command is executed:

nx9500-6C8809(config-bgp-ip-prefix-list-test)#no deny prefix-list 1 168.192.13.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#
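The following offline evaluator is an added example, not code from the guide or from WiNG, for checking a prefix list before it is committed: it applies rules in ascending sequence order with first match wins, expands 'any' to 0.0.0.0/0 le 32 as the guide states, and flags rules that an earlier rule makes unreachable. It assumes, as is conventional for BGP prefix lists but not stated in this guide, that a rule without ge/le matches only the exact prefix length; the guide also does not say what happens when no rule matches, so that case is returned as None. AUDIT_RULES is constructed sample input.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                       # "deny" or "permit"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        """Inclusive range of prefix lengths this rule accepts."""
        base = self.network.prefixlen
        if self.ge is None and self.le is None:
            return base, base         # ASSUMPTION: bare prefix means exact length
        lo = max(base, self.ge) if self.ge is not None else base
        hi = self.le if self.le is not None else 32
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        lo, hi = self.length_range()
        return route.subnet_of(self.network) and lo <= route.prefixlen <= hi


def parse_rule(line: str) -> Rule:
    """Parse '<deny|permit> prefix-list <seq> <prefix/len|any> [ge N] [le N]'."""
    action, keyword, seq, target, *opts = line.split()
    if action not in ("deny", "permit") or keyword != "prefix-list":
        raise ValueError(f"not a prefix-list rule: {line!r}")
    if len(opts) % 2:
        raise ValueError(f"option without a value in: {line!r}")
    bounds = {"ge": None, "le": None}
    for name, value in zip(opts[::2], opts[1::2]):
        if name not in bounds or not 0 <= int(value) <= 32:
            raise ValueError(f"bad option in: {line!r}")
        bounds[name] = int(value)
    if target == "any":
        # The guide: 'any' sets the match criteria to 0.0.0.0/0 le 32.
        network, bounds["le"] = ipaddress.ip_network("0.0.0.0/0"), 32
    else:
        network = ipaddress.ip_network(target)   # raises if host bits are set
    return Rule(int(seq), action, network, bounds["ge"], bounds["le"])


def evaluate(rules: List[Rule], route_text: str) -> Optional[Tuple[str, int]]:
    """Return (action, seq) of the first matching rule, or None if none match."""
    route = ipaddress.ip_network(route_text)
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(route):
            return rule.action, rule.seq
    return None   # default behaviour is not documented on this page


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (later_seq, earlier_seq) pairs where the later rule can never match."""
    ordered = sorted(rules, key=lambda r: r.seq)
    hits = []
    for i, later in enumerate(ordered):
        l_lo, l_hi = later.length_range()
        for earlier in ordered[:i]:
            e_lo, e_hi = earlier.length_range()
            if (later.network.subnet_of(earlier.network)
                    and e_lo <= l_lo and l_hi <= e_hi):
                hits.append((later.seq, earlier.seq))
                break
    return hits


# The list exactly as shown in the guide's 'show context' output.
PAGE_RULES = [parse_rule(l) for l in (
    "deny prefix-list 1 168.192.13.0/24",
    "permit prefix-list 2 172.122.10.0/24",
)]

# Constructed list: drop anything longer than /24, allow 10.0.0.0/8, deny the rest.
AUDIT_RULES = [parse_rule(l) for l in (
    "deny prefix-list 5 0.0.0.0/0 ge 25",
    "permit prefix-list 10 10.0.0.0/8 le 24",
    "permit prefix-list 20 10.1.0.0/16 le 24",   # unreachable: covered by seq 10
    "deny prefix-list 30 any",
)]

if __name__ == "__main__":
    for route in ("168.192.13.0/24", "192.168.13.0/24", "172.122.10.0/24"):
        print(route, "->", evaluate(PAGE_RULES, route))
    print("shadowed:", shadowed(AUDIT_RULES))
```

Run against the guide's own list, 192.168.13.0/24 (the prefix named in the deny description) matches no rule, because the CLI example configures 168.192.13.0/24.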
28.2 bgp-ip-access-list-config commands

BGP peers and route maps can reference a single IP based access control list (ACL). Apply IP ACLs to both inbound and outbound route updates. When applied to a BGP enabled router, every route update is passed through the ACL. Each ACL contains deny and permit entries that are applied sequentially, in the order they appear within the list. When a route matches an entry, the decision to permit or deny the route is applied. Once a match is made the remaining entries in the ACL are not processed.

BGP IP ACLs are used as match criteria in the following contexts:
• BGP neighbor. For more information, see use.
• BGP route-map context. For more information, see match.

To navigate to the BGP IP ACL configuration instance, use the following command:

<DEVICE>(config)#bgp ip-access-list <IP-ACL-NAME>
<DEVICE>(config-bgp-ip-access-list-<IP-ACL-NAME>)#?
BGP IP Access List Mode commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
<DEVICE>(config-bgp-ip-access-list-<IP-ACL-NAME>)#

The following table summarizes the BGP IP access list configuration commands:

Table 28.2 BGP-IP-ACL-Config Commands
Command   Description
deny      Creates and configures a deny entry rule for this BGP IP ACL
permit    Creates and configures a permit entry for this BGP IP ACL
no        Removes a deny or permit entry from this BGP IP ACL
28.2.1 deny

Creates and configures a deny entry for this BGP IP ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
deny access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]

Parameters
• deny access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]

deny access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any] – Creates and configures a deny entry for this BGP IP ACL
• <PREFIX-TO-MATCH/MASK> – Specify the prefix to match.
  • exact-match – Optional. Enables an exact match of the prefix provided in the previous step. When configured, the route is denied only in case of an exact match.
• any – Specifies the prefix to match as ‘any’.

Example
nx9500-6C8809(config-bgp-ip-access-list-test)#deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#

Related Commands
no – Removes the specified deny entry in this IP BGP ACL
28.2.2 permit

Creates and configures a permit entry for this BGP IP ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
permit access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]

Parameters
• permit access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]

permit access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any] – Creates and configures a permit entry for this BGP IP ACL
• <PREFIX-TO-MATCH/MASK> – Specify the prefix to match.
  • exact-match – Optional. Enables an exact match of the prefix provided in the previous step. When configured, the route is permitted only in case of an exact match.
• any – Specifies the prefix to match as ‘any’.

Example
nx9500-6C8809(config-bgp-ip-access-list-test)#permit access-list 172.168.10.0/24
nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 permit access-list 172.168.10.0/24
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#

Related Commands
no – Removes the specified permit entry in this IP BGP ACL
28.2.3 no

Removes a deny or permit entry from this BGP IP ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
no [deny|permit]
no [deny|permit] access-list [<PREFIX-TO-MATCH/MASK>|any]

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Removes a deny or permit entry from this BGP IP ACL

Example
The following example shows the BGP IP ACL ‘test’ settings before the ‘no’ command is executed:

nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 permit access-list 172.168.10.0/24
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#

nx9500-6C8809(config-bgp-ip-access-list-test)#no permit access-list 172.168.10.0/24

The following example shows the BGP IP ACL ‘test’ settings after the ‘no’ command is executed:

nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#
28.3 bgp-as-path-list-config commands

BGP enabled devices use routing updates to exchange network routing information with each other. This information includes route details, such as the network number, path specific attributes, and the list of Autonomous System Numbers (ASNs) that a route traverses to reach a destination. This list is contained in the AS path.

An AS path access control list (ACL) filters AS paths (routes) included in routing updates. Each AS path access list consists of deny and/or permit rules that define regular expressions (match criteria). When configured and applied on inbound and outbound routing updates, the BGP AS path attributes are matched against the regular expressions specified in the AS path ACL. In case of a match, the route is filtered and an action (deny or permit) is applied. Once a match is made subsequent rules in the AS path access list are not processed.

AS path access lists also help prevent looping within an AS. Routing loops are prevented by rejecting routing updates containing local ASNs. Since local ASNs indicate that the route has already traveled through that autonomous system, by rejecting them looping is avoided.

AS path access lists are used as match criteria in the following contexts:
• BGP neighbor. For more information, see use.
• BGP route map context. For more information, see match.

To navigate to the AS path configuration instance, use the following command:

<DEVICE>(config)#bgp as-path <AS-PATH-LIST-NAME>
<DEVICE>(config-bgp-as-path-list-<AS-PATH-LIST-NAME>)#?
BGP AS Path List Mode commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
<DEVICE>(config-bgp-as-path-list-<AS-PATH-LIST-NAME>)#

The following table summarizes the BGP AS path list configuration commands:

Table 28.3 BGP-AS-Path-List-Config Commands
Command   Description
deny      Creates and configures a deny as-path-list rule
permit    Creates and configures a permit as-path-list rule
no        Removes a deny or permit rule from this AS path ACL
28.3.1 deny

Creates and configures a deny as-path-list rule. The deny rule specifies a regular expression to match. This regular expression is matched against the BGP AS paths contained in routing updates. AS paths matching the provided string are filtered and a deny action is applied.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
deny as-path <REG-EXP>

Parameters
• deny as-path <REG-EXP>

deny as-path <REG-EXP> – Configures a match criteria (regular expression).
• <REG-EXP> – Specify the regular expression to match (should not exceed 64 characters and should be unique to the AS path list rule)
  Regular expressions are treated as an ‘ASCII string’ and not as a sequence of numbers. Create a regular expression ideally suited to filter the required AS paths.

Usage Guidelines
The following table lists some of the characters used in forming regular expressions:

Character to use   Description
^                  Indicates the start of a string
$                  Indicates the end of a string
_ (underscore)     Indicates a comma, left brace, right brace, start and end of an input string, or a space. For example, “_ _”.

Example
nx9500-6C8809(config-bgp-as-path-list-test)#deny as-path ^100$
nx9500-6C8809(config-bgp-as-path-list-test)#show context
bgp as-path-list test
 deny as-path ^100$
nx9500-6C8809(config-bgp-as-path-list-test)#

Related Commands
no – Removes the specified deny as-path ACL rule
28.3.2 permit

Creates and configures a permit as-path-list rule. The permit rule specifies a regular expression to match. This regular expression is matched against the BGP AS paths contained in routing updates. AS paths matching the provided string are filtered and a permit action is applied.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
permit as-path <REG-EXP>

Parameters
• permit as-path <REG-EXP>

permit as-path <REG-EXP> – Configures a match criteria (regular expression).
• <REG-EXP> – Specify the regular expression to match (should not exceed 64 characters and should be unique to the AS path list rule)
  Regular expressions are treated as an ‘ASCII string’ and not as a sequence of numbers. Create a regular expression which is ideally suited to filter the required AS paths.

Usage Guidelines
The following table lists some of the characters used in forming regular expressions:

Character to use   Description
^                  Indicates the start of a string
$                  Indicates the end of a string
_ (underscore)     Indicates a comma, left brace, right brace, start and end of an input string, or a space. For example, “_ _”.

Example
nx9500-6C8809(config-bgp-as-path-list-test)#permit as-path _200_
nx9500-6C8809(config-bgp-as-path-list-test)#permit as-path _323_
nx9500-6C8809(config-bgp-as-path-list-test)#show context
bgp as-path-list test
 deny as-path ^100$
 permit as-path _323_
 permit as-path _200_
nx9500-6C8809(config-bgp-as-path-list-test)#

Related Commands
no – Removes the specified permit as-path ACL rule
28.3.3 no
bgp-as-path-list-config commands

Removes a deny or permit rule from this AS path ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
no as-path-list [deny|permit] <REG-EXP>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes a deny or permit rule from this AS path ACL

Example
nx9500-6C8809(config-bgp-as-path-list-test)#show context
bgp as-path-list test
 deny as-path ^100$
 permit as-path _323_
 permit as-path _200_
nx9500-6C8809(config-bgp-as-path-list-test)#

nx9500-6C8809(config-bgp-as-path-list-test)#no permit as-path _323_

nx9500-6C8809(config-bgp-as-path-list-test)#show context
bgp as-path-list test
 deny as-path ^100$
 permit as-path _200_
nx9500-6C8809(config-bgp-as-path-list-test)#
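Because an as-path expression is applied to the AS path as an ASCII string, the anchors and the underscore decide how much a rule really matches. The following Python sketch is an added example, not part of the WiNG guide or its software: it rewrites "_" as the character table in sections 28.3.1 and 28.3.2 describes and runs the guide's three expressions, plus an unanchored 100, against constructed sample paths. The function names and the sample paths are assumptions made for illustration.

```python
import re

# What the guide's table assigns to "_": a comma, left brace, right brace,
# the start or end of the input string, or a space.
UNDERSCORE = r"(?:^|$|[,{} ])"

# Constructed sample AS paths (space separated, AS sets in braces).
SAMPLE_PATHS = [
    "100",
    "100 200",
    "65001 100 323",
    "1100 64512",
    "64512 2100",
    "65001 21003 200",
    "65001 {100,300}",
    "3230 64512",
]


def to_python_regex(cli_pattern):
    """Translate a CLI as-path expression into a Python regex.

    Only "_" needs rewriting; "^" and "$" already mean start and end of
    string. Assumption: "_" is never used inside a bracket expression.
    """
    return cli_pattern.replace("_", UNDERSCORE)


def path_matches(cli_pattern, as_path):
    """True if the expression matches anywhere in the path's ASCII form."""
    return re.search(to_python_regex(cli_pattern), as_path) is not None


def matching_paths(cli_pattern, paths=SAMPLE_PATHS):
    """All sample paths the expression matches, in input order."""
    return [p for p in paths if path_matches(cli_pattern, p)]


def contains_asn(as_path, asn):
    """True if asn appears in the path as a whole AS number."""
    return str(asn) in re.split(r"[,{} ]+", as_path.strip())


def unintended_matches(cli_pattern, intended_asn, paths=SAMPLE_PATHS):
    """Paths the expression matches although intended_asn is not in them.

    A non-empty result means the expression matched digits inside a longer
    AS number, which is the risk of treating the path as plain text.
    """
    return [p for p in paths
            if path_matches(cli_pattern, p) and not contains_asn(p, intended_asn)]


if __name__ == "__main__":
    for pattern, asn in (("^100$", 100), ("_100_", 100), ("100", 100),
                         ("_323_", 323), ("_200_", 200)):
        print(pattern, "matches", matching_paths(pattern))
        print("  unintended:", unintended_matches(pattern, asn))
```

Running the same check over AS paths exported from a live routing table before committing a rule shows whether a deny or permit expression reaches further than intended.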
28.4 bgp-community-list-config commands

Creates and configures a named community list

IP BGP routes have a set of attributes, mandatory and optional. The community and extended community attributes are optional. Optional attributes are specified by network administrators to mark (color) routes received in updates containing these attributes. These marked routes are filtered and special actions applied (accepted, preferred, distributed, or advertised). For example, the NO_EXPORT community indicates that routes attached to it are local and not to be advertised to external ASs. Similarly, a set of routes using a common routing policy can be tagged to a community, and the policy applied to the community.

A BGP community is a group of routes sharing common attributes. Route updates contain community information in the form of path attributes. These attributes help identify community members.

A BGP community list is a list of deny or permit entries. It is either assigned a name (regular expressions, predefined community names) or a number. Assigning names to communities increases the number of configurable community lists. All rules applicable to numbered communities apply to named communities too. The only difference is in the number of attributes configurable for a named community list.

Since the community attribute is optional, it is shared only between devices that understand communities and are configured to handle communities. By default the community attribute is not sent to neighbors unless the send-community command option is enabled in the BGP neighbor context. For more information, see send-community.

Some of the predefined, globally used communities are:
• no-export – Routes tagged to this community are not advertised to external BGP peers
• no-advertise – Routes tagged to this community are not advertised to any BGP peers
• local-as – Routes tagged to this community are not advertised outside the local AS
• internet – Routes tagged to this community are advertised to the internet community. By default all BGP enabled devices belong to this community.

BGP community lists are used in the following context as match clauses:
• BGP route map context. For more information, see match.

To navigate to the BGP community configuration instance, use the following command:
<DEVICE>(config)#bgp community-list <COMMUNITY-LIST-NAME>

<DEVICE>(config-bgp-community-list-<COMMUNITY-LIST-NAME>)#?
BGP Community List Mode commands:
  deny     Add a BGP Community List deny rule to Specify community to reject
  no       Negate a command or set its defaults
  permit   Add a BGP Community List permit rule to Specify community to accept
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
<DEVICE>(config-bgp-community-list-<COMMUNITY-LIST-NAME>)#

The following table summarizes the BGP community list configuration commands:

Table 28.4 BGP-Community-List-Config Commands
Command    Description
deny       Creates and configures a deny community (expanded or standard) rule
permit     Creates and configures a permit community (expanded or standard) rule
no         Removes an existing deny or permit community rule from this community list
28.4.1 deny
bgp-community-list-config commands

Creates and configures a deny community (expanded or standard) rule

Standard community lists specify known communities and community numbers. Expanded community lists filter communities using a regular expression that specifies patterns to match the attributes of different communities.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
deny community [expanded|standard]
deny community expanded <LINE>
deny community standard [AA:NN|internet|local-AS|no-advertise|no-export]

Parameters
• deny community expanded <LINE>
• deny community standard [AA:NN|internet|local-AS|no-advertise|no-export]

deny community expanded <LINE>
Configures a deny expanded community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the community attributes.
• <LINE> – Provide the regular expression.

deny community standard [AA:NN|internet|local-AS|no-advertise|no-export]
Configures a deny standard community list entry and associates it with a predefined, globally used, known community or community number. The options are:
• aa:nn – Configures the community number. The first part (aa) represents the AS number. The second part (nn) represents a 2-byte number.
• internet – Advertises this route to the internet community
• local-AS – Prevents transmission of this route outside the local AS
• no-advertise – Prevents advertisement of this route to any peer (internal or external)
• no-export – Prevents advertisement of this route to external BGP peers (keeping this route within an AS)

Example
nx9500-6C8809(config-bgp-community-list-test)#deny community expanded 100
nx9500-6C8809(config-bgp-community-list-test)#show context
bgp community-list test
 deny community expanded 100
nx9500-6C8809(config-bgp-community-list-test)#

nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.0.0-029R
!
!
version 2.5
!
!
.......................................................
!
bgp ip-prefix-list PrefixList_01
 deny prefix-list 1 192.163.0.0/16 ge 17 le 17
!
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
!
bgp community-list test
 deny community expanded 100
!
--More--
nx9500-6C8809(config)#

Related Commands
no    Removes the specified deny community rule from this community list
28.4.2 permit
bgp-community-list-config commands

Creates and configures a permit community (expanded or standard) rule

Standard community lists specify known communities and community numbers. Expanded community lists filter communities using a regular expression that specifies patterns to match the attributes of different communities.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
permit community [expanded|standard]
permit community expanded <LINE>
permit community standard [AA:NN|internet|local-AS|no-advertise|no-export]

Parameters
• permit community expanded <LINE>
• permit community standard [AA:NN|internet|local-AS|no-advertise|no-export]

permit community expanded <LINE>
Configures a permit expanded community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the community attributes.
• <LINE> – Provide the regular expression.

permit community standard [AA:NN|internet|local-AS|no-advertise|no-export]
Configures a permit standard community list entry and associates it with a predefined, globally used, known community or community number. The options are:
• aa:nn – Configures the community number. The first part (aa) represents the AS number. The second part (nn) represents a 2-byte number.
• internet – Advertises this route to the internet community
• local-AS – Prevents transmission of this route outside the local AS
• no-advertise – Prevents advertisement of this route to any peer (internal or external)
• no-export – Prevents advertisement of this route to external BGP peers (keeping this route within an AS)

Example
nx9500-6C8809(config-bgp-community-list-test)#permit community expanded 300
nx9500-6C8809(config-bgp-community-list-test)# show context
bgp community-list test
 permit community expanded 300
 deny community expanded 100
nx9500-6C8809(config-bgp-community-list-test)#

nx9500-6C8809(config-bgp-community-list-test1)#permit community standard no-export
nx9500-6C8809(config-bgp-community-list-test1)#show context
bgp community-list test1
 permit community standard no-export
nx9500-6C8809(config-bgp-community-list-test1)#

nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.1.0-026R
!
version 2.5
!
!
........................................................
!
bgp ip-prefix-list PrefixList_01
 deny prefix-list 1 192.163.0.0/16 ge 17 le 17
!
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
!
bgp community-list test
 permit community expanded 300
 deny community expanded 100
!
bgp community-list test1
 permit community standard no-export
!
--More--
nx9500-6C8809(config)#

Related Commands
no    Removes the specified permit community rule from this community list
28.4.3 no
bgp-community-list-config commands

Removes a deny or permit community rule from this community list

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
no [deny|permit] community expanded <LINE>
no [deny|permit] community standard [AA:NN|internet|local-AS|no-advertise|no-export]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes a deny or permit expanded community rule from this community list
• <LINE> – Specify the regular expression associated with the rule.

Example
The following example shows the settings of the community list ‘test’ before the ‘no’ command is executed:
nx9500-6C8809(config-bgp-community-list-test)#show context
bgp community-list test
 permit community expanded 300
 deny community expanded 100
nx9500-6C8809(config-bgp-community-list-test)#

nx9500-6C8809(config-bgp-community-list-test)#no deny community expanded 100

The following example shows the settings of the community list ‘test’ after the ‘no’ command is executed:
nx9500-6C8809(config-bgp-community-list-test)#show context
bgp community-list test
 permit community expanded 300
nx9500-6C8809(config-bgp-community-list-test)#
28.5 bgp-extcommunity-list-config commands

Creates and configures a named extended community list

A BGP extended community is a group of routes sharing a common attribute, regardless of their network or physical boundary. By using a BGP extended community attribute, routing policies can implement inbound or outbound route filters based on the extended community tag, rather than a long list of individual permit or deny rules. A BGP extended community list is used to create groups of communities to use in a match clause of a route map. An extended community list is used to control which routes are accepted, preferred, distributed, or advertised.

The BGP extended community and standard community attributes are identical in function and structure, except that the former is an eight octet and the latter is a four octet attribute.

BGP extended community lists are used as match clauses in the following context:
• BGP route map context. For more information, see match.

To navigate to the extended community configuration instance, use the following command:
<DEVICE>(config)#bgp extcommunity-list <EXTCOMMUNITY-LIST-NAME>

<DEVICE>(config-bgp-extcommunity-list-<EXTCOMMUNITY-LIST-NAME>)#?
BGP Extcommunity List Mode commands:
  deny     Add a BGP Community List deny rule to specify extcommunity to reject
  no       Negate a command or set its defaults
  permit   Add a BGP Community List permit rule to specify extcommunity to accept
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
<DEVICE>(config-bgp-excommunity-list-<EXTCOMMUNITY-LIST-NAME>)#

The following table summarizes the BGP extended community list configuration commands:

Table 28.5 BGP-Extcommunity-List-Config Commands
Command    Description
deny       Creates and configures a deny extended community (expanded or standard) rule
permit     Creates and configures a permit extended community (expanded or standard) rule
no         Removes an existing deny or permit extended community rule from this extcommunity list
28.5.1 deny
bgp-extcommunity-list-config commands

Creates and configures a deny extended community (expanded or standard) rule

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
deny extcommunity [expanded|standard]
deny extcommunity expanded <LINE>
deny extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

Parameters
• deny extcommunity expanded <LINE>
• deny extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

deny extcommunity expanded <LINE>
Configures a deny expanded named extended community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the extended community attributes.
• <LINE> – Provide the regular expression.

deny extcommunity standard [rt|soo] <COMMUNITY-NUMBER>
Configures a deny standard named extended community list entry and associates it with the target or origin community attributes.
• rt – Configures the route target (RT) extended community attribute
• soo – Configures the site-of-origin (SOO) extended community attribute
• <COMMUNITY-NUMBER> – Specify the community number in one of the following formats: AA:NN or A.B.C.D:NN

Example
nx9500-6C8809(config-bgp-extcommunity-list-test)#deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#

nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.1.0-026R
!
!
version 2.5
!
......................................................
!
bgp community-list test1
 permit community standard no-export
!
bgp extcommunity-list test
 deny extcommunity standard rt 200:12
!
--More--
nx9500-6C8809(config)#

Related Commands
no    Removes the specified deny extended community rule from this extcommunity list
28.5.2 permit
bgp-extcommunity-list-config commands

Creates and configures a permit extended community (expanded or standard) rule

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
permit extcommunity [expanded|standard]
permit extcommunity expanded <LINE>
permit extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

Parameters
• permit extcommunity expanded <LINE>
• permit extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

permit extcommunity expanded <LINE>
Configures a permit expanded named extended community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the extended community attributes.
• <LINE> – Provide the regular expression.

permit extcommunity standard [rt|soo] <COMMUNITY-NUMBER>
Configures a permit standard named extended community list entry and associates it with the target or origin community attributes.
• rt – Configures the RT extended community attribute
• soo – Configures the SOO extended community attribute
• <COMMUNITY-NUMBER> – Specify the community number in one of the following formats: AA:NN or A.B.C.D:NN

Example
nx9500-6C8809(config-bgp-extcommunity-list-test)#permit extcommunity standard rt 192.168.13.13:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 permit extcommunity standard rt 192.168.13.13:12
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#

nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.1.0-026R
!
!
version 2.5
!
......................................................
!
bgp community-list test1
 permit community standard no-export
!
bgp extcommunity-list test
 permit extcommunity standard rt 192.168.13.13:12
 deny extcommunity standard rt 200:12
!
--More--
nx9500-6C8809(config)#

Related Commands
no    Removes the specified permit extended community rule from this extcommunity list
28.5.3 no
bgp-extcommunity-list-config commands

Removes an existing deny or permit extended community rule from this extcommunity list

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
no [deny|permit] extcommunity expanded <LINE>
no [deny|permit] extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes a deny or permit expanded extended community rule from this community list

Example
The following example shows the extended community ‘test’ settings before the ‘no’ command is executed:
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 permit extcommunity standard rt 192.168.13.13:12
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#

nx9500-6C8809(config-bgp-extcommunity-list-test)#no permit extcommunity standard rt 192.168.13.13:12

The following example shows the extended community ‘test’ settings after the ‘no’ command is executed:
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#
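The four-octet and eight-octet layouts mentioned in section 28.5 can be compared with a packet capture by encoding the configured values by hand. The following Python sketch is an added example, not code from the guide or from WiNG: it encodes AA:NN standard communities and rt/soo extended communities using the RFC 1997 and RFC 4360 layouts. The function names are hypothetical, the mapping of the CLI keywords to the well-known values is the conventional one and is an assumption for WiNG, and extended communities carrying a 4-octet AS number are out of scope.

```python
import ipaddress
import struct

# Well-known standard communities from RFC 1997. Mapping the CLI keyword
# local-AS to NO_EXPORT_SUBCONFED is the conventional choice (assumption).
WELL_KNOWN = {
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-as": 0xFFFFFF03,
}

# RFC 4360 sub-types: route target and route origin (site of origin).
SUBTYPE = {"rt": 0x02, "soo": 0x03}


def _bounded(text, limit, what):
    """Parse a decimal field and reject values that do not fit on the wire."""
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{what} must be a decimal number: {text!r}")
    value = int(text)
    if value > limit:
        raise ValueError(f"{what} {value} exceeds {limit}")
    return value


def encode_standard(value):
    """Four-octet standard community: a well-known keyword or AA:NN."""
    key = value.lower()
    if key in WELL_KNOWN:
        return struct.pack("!I", WELL_KNOWN[key])
    aa, sep, nn = value.partition(":")
    if not sep:
        raise ValueError(f"expected AA:NN, got {value!r}")
    return struct.pack("!HH",
                       _bounded(aa, 0xFFFF, "AS number"),
                       _bounded(nn, 0xFFFF, "community number"))


def encode_extended(kind, value):
    """Eight-octet extended community for rt or soo.

    AA:NN      -> type 0x00, 2-octet AS, 4-octet local value
    A.B.C.D:NN -> type 0x01, IPv4 address, 2-octet local value
    """
    if kind.lower() not in SUBTYPE:
        raise ValueError(f"kind must be rt or soo, got {kind!r}")
    subtype = SUBTYPE[kind.lower()]
    admin, sep, local = value.rpartition(":")
    if not sep:
        raise ValueError(f"expected AA:NN or A.B.C.D:NN, got {value!r}")
    if "." in admin:
        address = ipaddress.IPv4Address(admin)  # raises ValueError if malformed
        return struct.pack("!BB4sH", 0x01, subtype, address.packed,
                           _bounded(local, 0xFFFF, "local value"))
    return struct.pack("!BBHI", 0x00, subtype,
                       _bounded(admin, 0xFFFF, "AS number"),
                       _bounded(local, 0xFFFFFFFF, "local value"))


if __name__ == "__main__":
    # Values taken from the guide's examples.
    print(encode_standard("no-export").hex())
    print(encode_extended("rt", "200:12").hex())
    print(encode_extended("rt", "192.168.13.13:12").hex())
```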
28.6 bgp-route-map-config commands

BGP route maps are used to control and modify routing information. A BGP route map is a collection of deny and/or permit route rules that define and control redistribution of routes between routers and routing processes. Each rule consists of match criteria and set lines. If a route matches a criterion, the corresponding set line is applied, and the route is passed to the BGP table or to the neighbor, depending on whether the route map is set for incoming or outgoing route updates.

Use the (config) instance to configure BGP route map related parameters.

To navigate to this instance, use the following command:
<DEVICE>(config)#route-map <ROUTE-MAP-NAME>

<DEVICE>(config)#route-map test
<DEVICE>(config-dr-route-map-test)#?
Route Map Mode commands:
  deny     Add a deny route map rule to deny set operations
  no       Negate a command or set its defaults
  permit   Add a permit route map rule to permit set operations
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
<DEVICE>(config-dr-route-map-test)#

In the route-map configuration mode, use the following commands to create and configure a deny or permit route map rule:
<DEVICE>(config-dr-route-map-test)#deny route-map <1-65535>
<DEVICE>(config-dr-route-map-test)#permit route-map <1-65535>

For example:
<DEVICE>(config-dr-route-map-test)#permit route-map 1
<DEVICE>(config-dr-route-map-test)#deny route-map 2
<DEVICE>(config-dr-route-map-test)#show context
route-map test
 permit route-map 1
 deny route-map 2
<DEVICE>(config-dr-route-map-test)#

<DEVICE>(config-dr-route-map-test-dr-route-map-rule-1)#?
Route Map Rule Mode commands:
  description  Configure comment for this route map
  match        Match values from routing table
  no           Negate a command or set its defaults
  set          Set values in destination routing protocol
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
<DEVICE>(config-dr-route-map-test-dr-route-map-rule-1)#

The following table summarizes BGP deny/permit route map rules configuration mode commands:

Table 28.6 BGP-Route-Map-Config-Mode Commands
Command        Description
description    Configures a description for this route-map rule (deny or permit) that uniquely distinguishes it from others with similar access permissions
match          Configures the match criteria associated with this deny or permit BGP route map
no             Removes or reverts the settings defined for a deny or permit route-map rule
set            Configures the values attributed to a route matching the match criteria specified in the BGP deny or permit route-map rules
28.6.1 description
bgp-route-map-config commands

Configures a description for this route map rule (deny or permit) that uniquely distinguishes it from others with similar access permissions

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
description <LINE>

Parameters
• description <LINE>

description <LINE>
Provide a description for the route map rule (should not exceed 64 characters in length)

Example
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#description "This is a deny route map rule"
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context
 deny route-map 1
  description "This is a deny route map rule"
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#

Related Commands
no    Removes this deny/permit route-map rule’s description
28.6.2 match
bgp-route-map-config commands

Configures the match criteria associated with this deny or permit BGP route map

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
match [as-path|community|extcommunity|ip-address|ip-next-hop|ip-route-source|metric|origin|tag]
match [as-path <AS-PATH-LIST-NAME>|community <COMMUNITY-LIST-NAME> {exact-match}|extcommunity <EXTCOMMUNITY-LIST-NAME>]
match [ip-address|ip-next-hop|ip-route-source] [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]
match metric <0-4294967295>
match origin [egp|igp|incomplete]
match tag <0-65535>

Parameters
• match [as-path <AS-PATH-LIST-NAME>|community <COMMUNITY-LIST-NAME> {exact-match}|extcommunity <EXTCOMMUNITY-LIST-NAME>]
• match [ip-address|ip-next-hop|ip-route-source] [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]

match
Configures match criteria used to filter BGP routes when forwarding packets

as-path <AS-PATH-LIST-NAME>
Configures a BGP AS path list to match
An AS path is a list of ASs a packet traverses to reach its destination.
• <AS-PATH-LIST-NAME> – Specify the AS path list name (should be existing and configured)

community <COMMUNITY-LIST-NAME> {exact-match}
Configures the AS community list string to match
• <COMMUNITY-LIST-NAME> – Specify the AS community list name (should be existing and configured).
• exact-match – Optional. Does an exact match when matching the specified AS community string. This option is disabled by default.

extcommunity <EXTCOMMUNITY-LIST-NAME>
Configures the external community list string to match
• <EXTCOMMUNITY-LIST-NAME> – Specify the external community list name (should be existing and configured).

ip-address [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]
Configures a string of IP addresses, in the route, to match
The IP Address is a list of IP addresses in the route used to filter the route. Use one of the following options to provide a list of IP addresses:
• BGP-IP-ACCESS-LIST <BGP-ACL-NAME> – Associates an existing BGP ACL with this BGP route map. Specify the BGP ACL name (should be existing and configured).
• prefix-list <PREFIX-LIST-NAME> – Associates an existing IP address prefix list with this BGP route map. The IP Address Prefix List is a list of prefixes in the route used to filter the route. Specify the prefix list name (should be existing and configured).

ip-next-hop [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]
Configures the next-hop’s IP address to match
The IP Next Hop is a list of IP addresses used to filter routes based on the IP address of the next-hop in the route. Use one of the following options to provide next-hop’s IP addresses:
• BGP-IP-ACCESS-LIST <BGP-ACL-NAME> – Associates an existing BGP ACL with this BGP route map. Specify the BGP ACL name (should be existing and configured).
• prefix-list <PREFIX-LIST-NAME> – Associates an existing IP next-hop prefix list with this BGP route map. The IP Next Hop Prefix List is a list of prefixes for the route’s next-hop determining how the route is filtered. Specify the prefix list name (should be existing and configured).

ip-route-source [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]
Configures the advertised route source IP address to match
The IP Route Source is a list of IP addresses used to filter routes based on the advertised IP address of the source. Use one of the following options to provide route-source IP addresses:
• BGP-IP-ACCESS-LIST <BGP-ACL-NAME> – Associates an existing BGP ACL with this BGP route map. Specify the BGP ACL name (should be existing and configured).
• prefix-list <PREFIX-LIST-NAME> – Associates an existing IP route source prefix list with this BGP route map. The IP Route Source Prefix List is a list of prefixes used to filter routes based on the prefix list used for the source. Specify the prefix list name (should be existing and configured).

• match metric <0-4294967295>
• match origin [egp|igp|incomplete]
• match tag <0-65535>

match metric <0-4294967295>
Defines the exterior metric, used for route map distribution, to match
BGP uses a route table managed by the external metric defined. Setting a metric provides a dynamic way to load balance between routes of equal cost.
• <0-4294967295> – Specify the external metric value from 0 - 4294967295.

match origin [egp|igp|incomplete]
Configures the source of the BGP route to match. Options include:
• egp – Matches if the origin of the route is from the exterior gateway protocol (eBGP). eBGP exchanges routing table information between hosts outside an autonomous system.
• igp – Matches if the origin of the route is from the interior gateway protocol (iBGP). iBGP exchanges routing table information between routers within an autonomous system.
• incomplete – Matches if the origin of the route is not identifiable

match tag <0-65535>
Configures the BGP route tag to match
The Tag is a way to preserve a route’s AS path information for routers in iBGP. This option is disabled by default.
• <0-65535> – Specify the iBGP route’s tag from 0 - 65535.

Example
The following examples show the configuration of match criteria for the deny route-map rule 1:
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#match as-path FilterList_01
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#match ip-route-source prefix-list PrefixList_01
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context
 deny route-map 1
  description "This is a deny route map rule"
  match as-path FilterList_01
  match ip-route-source prefix-list PrefixList_01
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#

A permit route-map rule 2 is added to the BGP route-map “test”.
nx9500-6C8809(config-dr-route-map-test)#permit route-map 2

A match criteria is added for the permit route-map rule 2.
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-2)#match ip-next-hop DL_01
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-2)#show context
 permit route-map 2
  match ip-next-hop DL_01
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-2)#

The following example displays the BGP route-map “test” settings:
nx9500-6C8809(config-dr-route-map-test)#show context
route-map test
 deny route-map 1
  description "This is a deny route map rule"
  match as-path FilterList_01
  match ip-route-source prefix-list PrefixList_01
 permit route-map 2
  match ip-next-hop DL_01
nx9500-6C8809(config-dr-route-map-test)#

Related Commands
no    Removes match criteria associated with a deny or permit route-map rule
28.6.3 no
bgp-route-map-config commands

Removes or reverts the settings defined for a deny or permit route-map rule

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
no [description|match <PARAMETERS>|set <PARAMETERS>]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes the description configured for a deny or permit route-map rule

Example
The following example shows the ‘deny route-map rule-1’ settings before the ‘no’ commands are executed:
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context
 deny route-map 1
  description "This is a deny route map rule"
  match as-path FilterList_01
  match ip-route-source prefix-list PrefixList_01
  set aggregator-as 1 192.168.13.7
  set as-path exclude 20
  set ip next-hop peer-address
  set metric 300
  set local-preference 30
  set community internet
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#

nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#no match as-path
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#no set aggregator-as
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#no set metric

The following example shows the ‘deny route-map rule-1’ settings after the ‘no’ commands are executed:
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context
 deny route-map 1
  description "This is a deny route map rule"
  match ip-route-source prefix-list PrefixList_01
  set as-path exclude 20
  set ip next-hop peer-address
  set local-preference 30
  set community internet
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#

The following example shows the route-map ‘test’ settings:
nx9500-6C8809(config-dr-route-map-test)#show context
route-map test
 deny route-map 1
  description "This is a deny route map rule"
  match ip-route-source prefix-list PrefixList_01
  set as-path exclude 20
  set ip next-hop peer-address
  set local-preference 30
  set community internet
 permit route-map 2
  match ip-next-hop DL_01
nx9500-6C8809(config-dr-route-map-test)#
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 35

28.6.4 set
bgp-route-map-config commands

Configures the values attributed to a route matching the match criteria specified in the BGP deny or permit route-map rules. These attributes are applied before the route is sent out.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
set [aggregator-as|as-path|atomic-aggregate|comm-list|community|extcommunity|ip|local-preference|metric|origin|originator-id|source-ip|tag|weight]
set aggregator-as <1-4294967295> <IP>
set as-path [exclude|prepend] <1-4294967295> {<1-4294967295>}
set atomic-aggregate
set comm-list delete <COMMUNITY-LIST-NAME>
set community [<COMMUNITY-NUMBER>|none]
set extcommunity [rt|soo] <EXTCOMMUNITY-NUMBER>
set ip next-hop [<IP>|peer-address]
set local-preference <0-4294967295>
set metric <0-4294967295>
set origin [egp|igp|incomplete]
set originatorid <IP>
set source-ip <IP>
set tag <0-65535>
set weight <0-4294967295>

Parameters
• set aggregator-as <1-4294967295> <IP>

set aggregator-as <1-4294967295> <IP>
  Configures the BGP aggregator’s ASN and IP address. Aggregates minimize the size of routing tables. Aggregation combines the characteristics of multiple routes and advertises them as a single route. The configured BGP aggregator settings are applied to filtered routes.
  • <1-4294967295> – Specify the route aggregator’s ASN from 1 - 4294967295. This option is disabled by default.
  • <IP> – Specify the route aggregator’s IP address. BGP allows the aggregation of specific routes into one route using an aggregate IP address.
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 36

• set as-path [exclude|prepend] <1-4294967295> {<1-4294967295>}

set as-path [exclude|prepend] <1-4294967295> {<1-4294967295>}
  Configures the BGP transform AS path attribute to be applied to filtered routes
  • exclude – Configures a single AS, or a list of ASs, excluded from the AS path
  • prepend – Configures a single AS, or a list of ASs, prepended to the AS path
    • <1-4294967295> – This keyword is common to the ‘exclude’ and ‘prepend’ parameters. Use it to specify the AS number. The ASs identified here are excluded or prepended depending on the option selected.
  You can configure multiple ASNs.

• set atomic-aggregate

set atomic-aggregate
  Enables BGP atomic aggregate attributes
  When a BGP enabled wireless controller or service platform receives a set of overlapping routes from a peer, or if the set of routes selects a less specific route, then the local device must set this value when propagating the route to its neighbors. This option is disabled by default.

• set comm-list delete <COMMUNITY-LIST-NAME>

set comm-list delete <COMMUNITY-LIST-NAME>
  Deletes specified BGP communities. All communities matching the community list name string are deleted from the route.
  A BGP community is a group of routes sharing a common attribute.
  • <COMMUNITY-LIST-NAME> – Specify the community list name.

• set community [<COMMUNITY-NUMBER>|none]

set community [<COMMUNITY-NUMBER>|none]
  Configures a community attribute for this route
  • <COMMUNITY-NUMBER> – Specify a community attribute. Use one of the following formats:
    • internet - Advertises this route to the Internet. This is a global community.
    • local-AS - Prevents the transmission of packets outside the local AS
    • no-advertise - Prevents advertisement of this route to any peer, either internal or external
    • no-export - Prevents advertisement of this route to BGP peers, keeping this route within an AS.
    • aa:nn - Configures the first part (aa) representing the AS number. The second part (nn) represents a 2-byte number.
  • none – Specifies community attribute as none

• set extcommunity [rt|soo] <EXTCOMMUNITY-NUMBER>

set extcommunity [rt|soo] <EXTCOMMUNITY-NUMBER>
  Configures an extended community attribute for this route
  • rt – Identifies the route target (rt) extended community
  • soo – Identifies the site-of-origin (soo) community. This is the origin community associated with the route reflector.
    • <EXTCOMMUNITY-NUMBER> – This keyword is common to the ‘rt’ and ‘soo’ parameters. Use it to specify the extended community number.
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 37

• set ip next-hop [<IP>|peer-address]

set ip next-hop [<IP>|peer-address]
  Configures the next hop for this route. Use one of the following options to identify the next hop:
  • <IP> – Specify the next hop’s IP address
  • peer-address – Enables the identification of the next-hop address for peer devices. This option is disabled by default.

• set local-preference <0-4294967295>

set local-preference <0-4294967295>
  Configures the BGP local preference path attribute for this route map. When configured, enables the communication of preferred routes out of the AS between peers. This option is disabled by default.
  • <0-4294967295> – Specify the preference value from 0 - 4294967295.

• set metric <0-4294967295>

set metric <0-4294967295>
  Configures a metric for the route
  BGP uses a route table managed by the external metric defined. Setting a metric provides a dynamic way to load balance between routes of equal cost.
  • <0-4294967295> – Specify the metric from 0 - 4294967295.

• set origin [egp|igp|incomplete]

set origin [egp|igp|incomplete]
  Configures the origin code for this BGP route map
  • egp - Sets the origin of the route to eBGP
  • igp - Sets the origin of the route to iBGP
  • incomplete - Sets the origin of the route as not identifiable. Use this option if the route is from a source other than eBGP or iBGP.

• set originatorid <IP>

set originatorid <IP>
  Configures this route map’s originator IP address

• set source-ip <IP>

set source-ip <IP>
  Configures this route map’s source IP address
  • <IP> – Specify the IP address in the A.B.C.D format.

• set tag <0-65535>

set tag <0-65535>
  Configures this route map’s tag value
  The Tag is a way to preserve a route’s AS path information for routers in iBGP.
  • <0-65535> – Specify a tag value from 0 - 65535.

• set weight <0-4294967295>

set weight <0-4294967295>
  Enables assignment of a weighted priority to the aggregate route
  • <0-4294967295> – Specify a value from 0 - 4294967295.
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 38

Example
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set aggregator-as 1 192.168.13.7
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set as-path exclude 20
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set community internet
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set ip next-hop peer-address
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set local-preference 30
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set metric 300
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context
 deny route-map 1
  description "This is a deny route map rule"
  match as-path FilterList_01
  match ip-route-source prefix-list PrefixList_01
  set aggregator-as 1 192.168.13.7
  set as-path exclude 20
  set ip next-hop peer-address
  set metric 300
  set local-preference 30
  set community internet
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#

Related Commands
no
  Removes the attributes configured for this route map
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 39

28.7 bgp-router-config commands
BORDER GATEWAY PROTOCOL

Use the (device-config) or (profile-config) instance to configure BGP router related parameters.

To navigate to the BGP router configuration instance, in the device-config mode, use the following commands:

<DEVICE>(config)#self
<DEVICE>(config-device-<MAC>)#router bgp
<DEVICE>(config-device <MAC>-router-bgp)#

<DEVICE>(config-device <MAC>-router-bgp)#?
Router BGP Mode commands:
  aggregate-address   Configure aggregate address
  asn                 Configure local Autonomous System Number
  bgp                 Border Gateway Protocol
  bgp-route-limit     Limit for number of routes handled by BGP process
  distance            Configure administrative distance
  ip                  Internet Protocol (IP)
  network             Configure a local network
  no                  Negate a command or set its defaults
  route-redistribute  Redistribute information from another routing protocol
  timers              Adjust routing timers
  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  do                  Run commands from Exec mode
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal
<DEVICE>(config-device <MAC>-router-bgp)#

When configured as a profile, the router settings are applied to all devices using the profile. To navigate to the BGP router configuration instance, in the profile-config mode, use the following commands:

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#router bgp
<DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#

<DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#?
Router BGP Mode commands:
  aggregate-address   Configure aggregate address
  asn                 Configure local Autonomous System Number
  bgp                 Border Gateway Protocol
  bgp-route-limit     Limit for number of routes handled by BGP process
  distance            Configure administrative distance
  ip                  Internet Protocol (IP)
  network             Configure a local network
  no                  Negate a command or set its defaults
  route-redistribute  Redistribute information from another routing protocol
  timers              Adjust routing timers
  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  do                  Run commands from Exec mode
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal
<DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#

BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 40

The following table summarizes BGP router configuration mode commands:

Table 28.7 BGP-Router-Config-Mode Commands

Command             Description                                                                     Reference
aggregate-address   Creates and configures an aggregate address entry in the BGP database          page 28-41
asn                 Configures this BGP router’s ASN                                                page 28-42
bgp                 Configures BGP router parameters                                                page 28-43
bgp-route-limit     Configures the BGP route limit parameters                                       page 28-48
distance            Configures administrative distance parameters                                   page 28-49
ip                  Configures the BGP default gateway’s priority                                   page 28-50
network             Configures the local network IP addresses and masks                             page 28-51
no                  Removes the BGP router settings                                                 page 28-52
route-redistribute  Enables redistribution of routes learnt from other routing protocols into BGP   page 28-53
timers              Enables adjustment of keepalive and holdtime intervals                          page 28-55
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 41

28.7.1 aggregate-address
bgp-router-config commands

Creates and configures an aggregate address entry in the BGP database

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
aggregate-address <IP/M> {as-set {summary-only}|summary-only}

Parameters
• aggregate-address <IP/M> {as-set {summary-only}|summary-only}

aggregate-address <IP/M>
  Specify the aggregate IP address and mask
as-set {summary-only}
  Optional. Summarizes the AS_PATH attributes of the individual routes aggregated
  • summary-only – Optional. Filters more specific routes from updates

Example
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#aggregate-address 192.168.13.10/32 as-set summary-only
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  aggregate-address 192.168.13.10/32 as-set summary-only
  bgp neighbor 192.168.13.199
   remote-as 1
   use route-map UnSupMap_01 in
  bgp neighbor 192.168.13.99
   remote-as 199
   timers connect 10
   timers 20 40
   maximum-prefix 9999 80 restart 50
  bgp neighbor 1.1.1.1
   remote-as 2
   timers connect 10
   timers 20 40
   maximum-prefix 1000000
  bgp-route-limit num-routes 10 reset-time 360
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#

Related Commands
no
  Removes the aggregate address entry
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 42

28.7.2 asn
bgp-router-config commands

Configures the ASN. The ASN represents a group of routers under the same administration and using IGP and common metrics to define how to route packets. In short, the ASN represents all routers within an AS.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
asn <1-4294967295>

Parameters
• asn <1-4294967295>

asn <1-4294967295>
  Specify the ASN from 1 - 4294967295.

Example
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#asn 1
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#show context
 router bgp
  asn 1
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 43

28.7.3 bgp
bgp-router-config commands

Configures BGP router parameters

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
bgp [always-compare-med|bestpath|client-to-client|cluster-id|confederation|dampening|default|deterministic-med|enable|enforce-first-as|fast-external-failover|graceful-restart|log-neighbor-changes|neighbor|network|router-id|scan-time]
bgp [always-compare-med|deterministic-med|enable|enforce-first-as|fast-external-failover|log-neighbor-changes]
bgp best-path [as-path [confed|ignore]|compare-router-id|med {confed {missing-as-worst}|missing-as-worst}]
bgp client-to-client reflection
bgp cluster <IP>
bgp confederation [identifier|peers] <1-4294967295>
bgp dampening {<1-45>} {<1-20000>} <1-20000> <1-255>
bgp default [ipv4-unicast|local-preference <0-4294967295>]
bgp graceful-restart {stalepath-time <1-3600>}
bgp neighbor <IP>
bgp network import-check
bgp router-id <IP>
bgp scan-time <5-60>

Parameters
• bgp [always-compare-med|deterministic-med|enable|enforce-first-as|fast-external-failover|log-neighbor-changes]

always-compare-med
  Enables comparison of Multi-exit Discriminators (MEDs) received from neighbors. This option is disabled by default.
  MED is a value used by BGP peers to select the best route among multiple routes. When enabled, the MED value encoded in the route is always compared when selecting the best route to the host network. A route with a lower MED value is preferred over a route with a higher MED value. BGP does not discriminate between iBGP and eBGP when using MED for route selection. This option is mutually exclusive to the deterministic-med option.
deterministic-med
  Enables selection of the best MED path from amongst all paths advertised by neighboring ASs. This option is disabled by default.
  MED is used by BGP peers to select the best route among multiple routes. When enabled, MED route values (from the same AS) are compared to select the best route. This best route is then compared with other routes in the BGP route table to select the best overall route. This option is mutually exclusive to the always-compare-med option.
enable
  Starts the BGP daemon on the device (wireless controller or service platform). BGP is disabled by default.
enforce-first-as
  Enforces the first AS for all BGP routes. This option is disabled by default.
  When enforced, devices deny updates received from an external neighbor that does not have the neighbor’s configured AS at the beginning of the received AS path parameter. This enhances security by not allowing traffic from an unauthorized AS.
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 44

fast-external-failover
  Enables immediate resetting of BGP session on the interface once the BGP connection goes down. This option is enabled by default.
  When enabled, a session is reset as soon as the direct link to an external peer goes down. Normally, when a BGP connection goes down, the device waits for the expiry of the duration specified in holdtime parameter before bringing down the interface.
  To configure the ‘holdtime’, use the timers > bgp > <keepalive-time> > <holdtime> command in this (BGP router) configuration mode.
log-neighbor-changes
  Enables logging of a BGP neighbor’s status change (active or not active) events. It also enables the logging of the reason for such change in status.

• bgp best-path [as-path [confed|ignore]|compare-router-id|med {confed {missing-as-worst}|missing-as-worst}]

best-path
  Modifies the bestpath selection algorithm. The route selection algorithm uses the following criteria when selecting the preferred route: as-path, router-id, and med.
as-path [confed|ignore]
  Enables an AS path from being considered as a criterion for selecting the preferred route
  • confed – Enables comparison of path lengths (including confederation sets and sequences) when selecting a route (EXPERIMENTAL). This option is disabled by default.
  • ignore – Disables an AS path length from being considered as a criterion for selecting a preferred route. When disabled, the AS path length is ignored. This option is disabled by default.
compare-router-id
  Enables the use of router ID as a selection criterion when selecting the preferred route. When enabled, the router ID is used to select the best path between two identical BGP routes. The route with the lower router ID is selected over a route with a higher router ID. This option is disabled by default.
med {confed {missing-as-worst}|missing-as-worst}
  Enables comparison of AS path MED value when selecting the preferred route
  MED is a value used by BGP peers to select the best route among multiple routes. When enabled, the MED value encoded in the route is always compared to determine the best route to the host network. A route with a lower MED value is preferred over a route with a higher MED value.
  • confed – Optional. Enables comparison of MED value among confederation paths (EXPERIMENTAL). When enabled, you can optionally enable the treatment of AS paths without the MED value as the least preferable route. This option is disabled by default.
  • missing-as-worst – Optional. Enables the treatment of AS paths without the MED value as the least preferable route. This option is disabled by default.

• bgp client-to-client reflection

client-to-client reflection
  Enables client-to-client route reflection (EXPERIMENTAL)
  Route reflectors are used when all iBGP speakers are not fully meshed. If the clients are fully meshed, the route-reflectors are not required. This option is enabled by default.
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 45

• bgp cluster <IP>

cluster <IP>
  Enables and sets a cluster ID, in case the BGP cluster has more than one route-reflector
  A cluster generally consists of a single route-reflector and its clients. The cluster is usually identified by the router ID of this single route-reflector. Sometimes, to increase redundancy, a cluster might have more than one route-reflector configured. In this case, all route-reflectors in the cluster are identified by the cluster ID (configured in the IP format).

• bgp confederation [identifier|peers] <1-4294967295>

confederation [identifier|peers] <1-4294967295>
  Configures AS confederation (group of ASs) parameters (identifier and peers)
  • identifier – Enables and sets a BGP confederation identifier to allow an AS to be divided into several ASs. In other words, an AS is divided into multiple ASs, and together they form a confederation. This confederation is visible to external routers as a single AS. The ASN is usually the confederation ID. Specify a value from 1 - 4294967295.
    Forming AS confederation reduces iBGP mesh inside an AS.
  • peers – Configures the maximum number of the ASs constituting this BGP confederation. Specify the AS number from 1 - 4294967295. Multiple ASs can be added to the list of confederation members.

• bgp dampening {<1-45>} {<1-20000>} <1-20000> <1-255>

bgp dampening {<1-45>} {<1-20000>} <1-20000> <1-255>
  Enables dampening and configures dampening parameters. This option is disabled by default.
  Dampening minimizes the instability caused by route flapping. A penalty is added for every flap in the flapping route. As soon as the total penalty reaches the specified Route Suppress Limit value, the advertisement of this route is suppressed. This penalty is decayed when the time specified in Half Lifetime occurs. Once the penalty becomes lower than the value specified in Start Route Reuse, the advertisement of the route is un-suppressed.
  • <1-45> – Optional. Configures the half lifetime (in minutes). A penalty is imposed on a route that flaps. This is the time for the penalty to decrease to half its current value. Specify a value from 1 - 45 minutes. The default is 1 minute.
  • <1-20000> – Optional. Configures the route reuse value. When the penalty for a suppressed route decays below the value specified here, the route is un-suppressed (reused). Specify a value from 1 - 20000.
  • <1-20000> – Configures the route suppress value. When a route flaps, a penalty is added to the route. When the penalty reaches or exceeds the value specified as the ‘maximum duration to suppress a stable route’. Specify a value from 1 - 20000.
    The maximum duration to suppress a stable route is the next set of values configured in this command, from 1 - 255.
  • <1-255> – Configures the maximum duration, in minutes, a suppressed route is suppressed. This is the maximum duration for which a route remains suppressed before it is reused. Specify a value from 1 - 255 minutes.

• bgp default [ipv4-unicast|local-preference <0-4294967295>]

default
  Configures the following defaults for BGP neighbor-related parameters: IPv4 unicast and local preference
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 46

default
  ipv4-unicast
    Enables IPv4 unicast traffic for neighbors. This option is enabled by default.
  local-preference <0-4294967295>
    Configures a local preference for the neighbor. The higher the value, the higher the preference.
    • <0-4294967295> – Specify a value from 10 - 4294967295.

• bgp graceful-restart {stalepath-time <1-3600>}

graceful-restart {stalepath-time <1-3600>}
  Enables graceful restart on this BGP router. This option is disabled by default.
  • stalepath-time <1-3600> – Optional. Configures the maximum time, in seconds, to retain stale paths from restarting neighbor. This is the time the paths from a restarting neighbor are preserved. All stale paths, unless reinstated by the neighbor after re-establishment, are deleted at the expiry of the time specified here.
    • <1-3600> – Specify a value from 1 - 3600 seconds.

• bgp neighbor <IP>

neighbor <IP>
  Configures the BGP neighbor’s IP address and enters its configuration mode. Use this command to configure a BGP neighbor’s parameters.
  • <IP> – Specify the IP address in the A.B.C.D format.
  For BGP neighbor configuration parameters, see bgp-neighbor-config commands.

• bgp network import-check

network import-check
  Enables checking of the existence of BGP network route in IGP before importing

• bgp router-id <IP>

router <IP>
  Enables the device (BGP supported wireless controller or service platform) identified by the <IP> parameter as a router. The router’s IP address is configured as its ID, and uniquely identifies it. When not specified, the IP address of the interface is configured as the router ID. This option is disabled by default.

• bgp scan-time <5-60>

scan-time <5-60>
  Configures the scanning interval, in seconds, for updating BGP routes. This is the interval between two consecutive scans the BGP device performs in order to validate routes in its routing table. To disable scanning, set the value to Zero (0).
  • <5-60> – Specify a value from 5 - 60 seconds. The default is 60 seconds.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp)#bgp router-id 192.168.13.13
nx9500-6C8809(config-profile testNX9000-router-bgp)#aggregate-address 116.117.118.0/24 as-set summary-only
nx9500-6C8809(config-profile testNX9000-router-bgp)#bgp neighbor 192.168.13.99
nx9500-6C8809(config-profile testNX9000-router-bgpp)#show context
 router bgp
  aggregate-address 116.117.118.0/24 as-set summary-only
  bgp router-id 192.168.13.13
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
nx9500-6C8809(config-profile testNX9000-router-bgp)#
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 47

Related Commands
no
  Removes the BGP router parameters. The no > bgp > enable command disables BGP.
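The dampening behaviour described for bgp dampening {<1-45>} {<1-20000>} <1-20000> <1-255> can be modelled to see how long a flapping route stays suppressed for a given set of values. The following is an added example, not code from this guide or from WiNG. It assumes a per-flap penalty of 1000 and the RFC 2439 style penalty ceiling to honour the maximum suppress duration; neither is stated in this guide, and all names are hypothetical.

```python
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000.0  # assumption: per-flap penalty, not stated in this guide


@dataclass
class DampenedRoute:
    """One route under `bgp dampening <half-life> <reuse> <suppress> <max-suppress>`."""
    half_life: float     # minutes, <1-45>
    reuse: float         # route reuse value, <1-20000>
    suppress: float      # route suppress value, <1-20000>
    max_suppress: float  # minutes, <1-255>
    penalty: float = 0.0
    suppressed: bool = False
    clock: float = 0.0   # minute of the last update

    def __post_init__(self):
        if self.reuse >= self.suppress:
            raise ValueError("reuse value must be below the suppress value")
        # Assumption (RFC 2439 approach): cap the penalty so that decaying from
        # the cap down to the reuse value takes exactly max_suppress minutes.
        self.ceiling = self.reuse * 2 ** (self.max_suppress / self.half_life)
        if self.ceiling < self.suppress:
            raise ValueError("max-suppress too short: suppress value is unreachable")

    def advance(self, t):
        """Decay the penalty to minute t; release the route once it is below reuse."""
        if t < self.clock:
            raise ValueError("time must not go backwards")
        self.penalty *= 0.5 ** ((t - self.clock) / self.half_life)
        self.clock = t
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return self.suppressed

    def flap(self, t):
        """Record one flap at minute t; returns True if the route is now suppressed."""
        self.advance(t)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.ceiling)
        if self.penalty >= self.suppress:
            self.suppressed = True
        return self.suppressed

    def minutes_until_reuse(self):
        """Minutes without flaps needed before a suppressed route is advertised again."""
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def simulate(flap_minutes, check_minutes, **settings):
    """Replay flaps, then report the suppression state at each later check time."""
    route = DampenedRoute(**settings)
    for t in flap_minutes:
        route.flap(t)
    return [(t, route.advance(t)) for t in check_minutes]


# Constructed settings, chosen inside the ranges the command accepts.
SETTINGS = dict(half_life=15, reuse=750, suppress=2000, max_suppress=60)

if __name__ == "__main__":
    for minute, state in simulate([0, 1, 2], [10, 30, 32], **SETTINGS):
        print(f"minute {minute:>3}: {'suppressed' if state else 'advertised'}")
```

With these values, three flaps one minute apart suppress the route for roughly 29 minutes, and no amount of flapping keeps it suppressed for more than 60 minutes after the last flap.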
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 48

28.7.4 bgp-route-limit
bgp-router-config commands

Configures the BGP route limit parameters

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
bgp-route-limit [num-routes <VALUE>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>]

Parameters
• bgp-route-limit [num-routes <VALUE>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>]

num-routes <VALUE>
  Configures the number of routes that can be stored on this BGP router. Set this value based on the available memory on this BGP router (wireless controller or service platform).
  • <VALUE> – Specify a value from 1 - 4,294,967,295. The default is 9216 routes.
reset-time <1-86400>
  Configures the reset time in seconds. This is the time after which the retry count value is set to Zero (0).
  • <1-86400> – Specify a value from 1 - 86,400 seconds. The default is 360 seconds.
retry-count <1-32>
  Configures the maximum number of times the BGP process is reset before being permanently shut down. Once shut down, the BGP process has to be started manually. The BGP process is reset if it is flooded with route entries that exceed the maximum number of routes configured for this device.
  • <1-32> – Specify a value from 1 - 32. The default is 5 routes.
retry-timeout <1-3600>
  Configures the duration, in seconds, the BGP process is temporarily shut down, before a reset of the process is attempted.
  • <1-3600> – Specify a value from 1 - 3600 seconds. The default is 60 seconds.

Example
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#bgp-route-limit num-routes 10
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  aggregate-address 116.117.118.0/24 as-set summary-only
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
  bgp-route-limit num-routes 10
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#

Related Commands
no
  Removes BGP route limitations configured. Use the no command to revert back to default.
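Because the BGP process is reset, and eventually shut down, when received routes exceed num-routes, it is worth checking a router bgp context for neighbors that are allowed to send more prefixes than the route limit, alongside the enforce-first-as setting described under bgp. The following audit script is an added example, not part of this guide or of WiNG. It assumes the show context layout used in this guide's examples, that maximum-prefix and use route-map ... in behave as their names suggest (they are documented under the neighbor commands, not here), and that enabled flags appear as "bgp <flag>" lines; both sample contexts are constructed, and the route-map name in the second is hypothetical.

```python
DEFAULT_NUM_ROUTES = 9216  # default for bgp-route-limit num-routes, per this guide

# Constructed sample, modelled on the aggregate-address example in this guide.
WEAK = """
router bgp
 bgp enable
 asn 1
 bgp neighbor 192.168.13.199
  remote-as 1
  use route-map UnSupMap_01 in
 bgp neighbor 192.168.13.99
  remote-as 199
  maximum-prefix 9999 80 restart 50
 bgp neighbor 1.1.1.1
  remote-as 2
  maximum-prefix 1000000
 bgp-route-limit num-routes 10 reset-time 360
"""

# Constructed corrected form; InboundFilter_01 is a hypothetical route-map name.
HARDENED = """
router bgp
 bgp enable
 bgp enforce-first-as
 asn 1
 bgp neighbor 192.168.13.99
  remote-as 199
  use route-map InboundFilter_01 in
  maximum-prefix 9000 80 restart 50
 bgp-route-limit num-routes 9216
"""


def parse_router_bgp(text):
    """Parse an indented `router bgp` context into a dict of settings and neighbors."""
    cfg = {"asn": None, "num_routes": DEFAULT_NUM_ROUTES, "flags": set(), "neighbors": {}}
    current, neighbor_indent = None, 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        words = raw.split()
        if current is not None and indent > neighbor_indent:
            # Deeper-indented lines belong to the most recent `bgp neighbor`.
            if words[0] == "remote-as":
                current["remote_as"] = int(words[1])
            elif words[0] == "maximum-prefix":
                current["max_prefix"] = int(words[1])
            elif words[:2] == ["use", "route-map"] and words[-1] == "in":
                current["in_map"] = words[2]
            continue
        current = None
        if words[:2] == ["bgp", "neighbor"]:
            current = {"remote_as": None, "max_prefix": None, "in_map": None}
            cfg["neighbors"][words[2]] = current
            neighbor_indent = indent
        elif words[0] == "asn":
            cfg["asn"] = int(words[1])
        elif words[0] == "bgp-route-limit" and "num-routes" in words:
            cfg["num_routes"] = int(words[words.index("num-routes") + 1])
        elif words[0] == "bgp" and len(words) == 2:
            cfg["flags"].add(words[1])  # e.g. enable, enforce-first-as
    return cfg


def audit(cfg):
    """Return (scope, finding) tuples for settings that weaken route-intake control."""
    findings = []
    external = [ip for ip, n in cfg["neighbors"].items() if n["remote_as"] != cfg["asn"]]
    if external and "enforce-first-as" not in cfg["flags"]:
        findings.append(("router", "enforce-first-as-disabled"))
    for ip, n in cfg["neighbors"].items():
        if ip in external and n["in_map"] is None:
            findings.append((ip, "no-inbound-route-map"))
        if n["max_prefix"] is None:
            findings.append((ip, "no-maximum-prefix"))
        elif n["max_prefix"] > cfg["num_routes"]:
            # One neighbor alone could push the device past num-routes.
            findings.append((ip, "maximum-prefix-exceeds-route-limit"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(parse_router_bgp(text)))
```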
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 49

28.7.5 distance
bgp-router-config commands

Configures administrative distance parameters. The distance parameter is a rating of the trustworthiness of a route. The higher the distance, the lower the trust rating. The distance can be set for each type of route indicating its trust rating.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
distance [<IP/M> <1-255> <BGP-ACL-NAME>|bgp <1-255> <1-255> <1-255>]

Parameters
• distance [<IP/M> <1-255> <BGP-ACL-NAME>|bgp <1-255> <1-255> <1-255>]

distance <IP/M> <1-255> <BGP-ACL-NAME>
  Configures the default administrative distance, specified by the <1-255> parameter, when the route’s source IP address matches the specified IP prefix
  • <IP/M> – Specify the IP source prefix and prefix length.
  • <1-255> – Specify the distance from 1 - 255.
  • <BGP-ACL-NAME> – Optional. Specify the BGP access list name.
bgp <1-255> <1-255> <1-255>
  Configures the default administrative distance for different route types
  • <1-255> – Configures the default administrative distance for routes external to this AS. Specify a value from 1 - 255.
  • <1-255> – Configures the default administrative distance for routes internal to this AS. Specify a value from 1 - 255.
  • <1-255> – Configures the default administrative distance for local routes. Specify a value from 1 - 255.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp)#distance bgp 200 100 200
nx9500-6C8809(config-profile testNX9000-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  aggregate-address 116.117.118.0/24 as-set summary-only
  distance bgp 200 100 200
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
  bgp-route-limit num-routes 10
nx9500-6C8809(config-profile testNX9000-router-bgp)#

Related Commands
no
  Removes the administrative distance related configurations
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 50

28.7.6 ip
bgp-router-config commands

Configures the BGP default gateway’s priority

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
ip default-gateway priority <1-8000>

Parameters
• ip default-gateway priority <1-8000>

default-gateway priority <1-8000>
  Configures the default gateway’s (acquired through BGP) priority
  • <1-8000> – Specify a value from 1 - 8000. The default is 7500.
  The lower the value, the higher the priority.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp)#ip default-gateway priority 1
nx9500-6C8809(config-profile testNX9000-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  ip default-gateway priority 1
  bgp-route-limit num-routes 10
nx9500-6C8809(config-profile testNX9000-router-bgpp)#

Related Commands
no
  Removes the BGP default gateway configuration
BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 51

28.7.7 network
bgp-router-config commands

Configures the local network IP addresses and masks. These network addresses are broadcast to neighboring BGP peers. You can configure a single IP address or a range of IP addresses in the A.B.C.D/M notation.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
network <IP/M> {backdoor|pathlimit|route-map}
network <IP/M> {backdoor pathlimit <1-255>}
network <IP/M> {pathlimit <1-255>}
network <IP/M> {route-map <ROUTE-MAP-NAME>}

Parameters
• network <IP/M> {backdoor pathlimit <1-255>|pathlimit <1-255>|route-map <ROUTE-MAP-NAME>}

network <IP/M>
  Configures the local network’s address in the A.B.C.D/M format
  • <IP/M> – Specify the network address.
backdoor pathlimit <1-255>
  Optional. Configures a BGP backdoor route. After configuring the backdoor route, you can optionally configure the as-path hop count limit attribute for this backdoor route.
  • pathlimit <1-255> – Specify the hop count limit from 1 - 255.
pathlimit <1-255>
  Optional. Configures the maximum path limit for this AS
  • <1-255> – Specify the hop count limit from 1 - 255.
route-map <ROUTE-MAP-NAME>
  Optional. Associates a BGP route map with this local network. When applied, the route-map values take precedence
  • <ROUTE-MAP-NAME> – Specify the route map name.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp)#network 192.168.13.0/24 backdoor pathlimit 200
nx9500-6C8809(config-profile testNX9000-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  aggregate-address 116.117.118.0/24 as-set summary-only
  distance bgp 200 100 200
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
  network 1.2.3.0/24
  network 192.168.13.0/24 backdoor pathlimit 200
  bgp-route-limit num-routes 10
nx9500-6C8809(config-profile testNX9000-router-bgp)#

Related Commands
no
  Removes the list of local networks configured

28.7.8 no

bgp-router-config commands

Removes the BGP router settings

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
no [aggregate-address|bgp|bgp-route-limit|distance|ip|network|route-redistribute|timers]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes the BGP router settings

Example
The following example shows the BGP router settings before the ‘no’ commands have been executed:
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  aggregate-address 116.117.118.0/24 as-set summary-only
  bgp neighbor 192.168.13.199
   remote-as 1
   use route-map UnSupMap_01 in
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
  bgp-route-limit num-routes 10 reset-time 360
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#no bgp neighbor 192.168.13.99
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#no aggregate-address 116.117.118.0/24
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#no bgp-route-limit

The following example shows the BGP router settings after the ‘no’ commands have been executed:
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  bgp neighbor 192.168.13.199
   remote-as 1
   use route-map UnSupMap_01 in
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#

28.7.9 route-redistribute

bgp-router-config commands

Enables redistribution of routes learnt from other routing protocols into BGP

Large ISP networks using multiple routing protocols need to enable redistribution of routes across routing protocols. Routing protocols differ in their basic characteristics, such as metrics, administrative distance, classful and classless capabilities, etc. When enabling redistribution, these differences have to be taken into consideration.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
route-redistribute [connected|kernel|ospf|static] {metric <0-4294967295>|route-map <ROUTE-MAP-NAME>}

Parameters
• route-redistribute [connected|kernel|ospf|static] {metric <0-4294967295>|route-map <ROUTE-MAP-NAME>}

route-redistribute
    Redistributes routes learnt from other protocols
connected
    Redistributes directly connected routes
    • metric <0-4294967295> – Optional. Specify the metric for the redistributed routes.
    • route-map <ROUTE-MAP-NAME> – Optional. Specifies the route map name. The route map defines the match criteria based on which routes are filtered before redistribution. For more information on route maps, see match.
kernel
    Redistributes kernel routes. These are routes that are neither connected, nor static, nor dynamic.
    • metric <0-4294967295> – Optional. Specify the metric for the redistributed routes.
    • route-map <ROUTE-MAP-NAME> – Optional. Specifies the route map name. The route map defines the match criteria based on which routes are filtered before redistribution. For more information on route maps, see match.
ospf
    Redistributes OSPF routes
    • metric <0-4294967295> – Optional. Specify the metric for the redistributed routes.
    • route-map <ROUTE-MAP-NAME> – Optional. Specifies the route map name. The route map defines the match criteria based on which routes are filtered before redistribution. For more information on route maps, see match.
static
    Redistributes static routes
    • metric <0-4294967295> – Optional. Specify the metric for the redistributed routes.
    • route-map <ROUTE-MAP-NAME> – Optional. Specifies the route map name. The route map defines the match criteria based on which routes are filtered before redistribution. For more information on route maps, see match.

Example
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#route-redistribute connected metric 200
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  aggregate-address 116.117.118.0/24 as-set summary-only
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
  bgp neighbor 192.168.13.199
   remote-as 1
   use route-map UnSupMap_01 in
  route-redistribute connected metric 200
  bgp-route-limit num-routes 10 reset-time 360
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#

Related Commands
no
    Disables redistribution of routes learnt from other routing protocols into BGP

28.7.10 timers

bgp-router-config commands

Enables adjustment of keepalive and holdtime intervals

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
timers bgp <0-65535> <0-65535>

Parameters
• timers bgp <0-65535> <0-65535>

timers bgp <0-65535> <0-65535>
    Configures the keepalive and holdtime interval in seconds
    • <0-65535> – Specify a keepalive interval from 0 - 65535 seconds. It is the interval, in seconds, between two successive keepalive packets exchanged with this router and its neighbor to keep the TCP connection alive.
    • <0-65535> – Specify a holdtime value from 0 - 65535 seconds. This is the time this router will wait without receiving a keepalive packet from its neighbor before declaring it dead. If the time since the last keepalive packet received (from its neighbor) exceeds the value set here, the neighbor is declared dead.

Example
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#timers bgp 100 100
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  aggregate-address 116.117.118.0/24 as-set summary-only
  bgp neighbor 192.168.13.199
   remote-as 1
   use route-map UnSupMap_01 in
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
  timers bgp 100 100
  bgp-route-limit num-routes 10 reset-time 360
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#

Related Commands
no
    Reverts BGP timers to default

28.8 bgp-neighbor-config commands

BORDER GATEWAY PROTOCOL

BGP enabled devices connected through an established TCP connection are referred to as BGP peers or neighbors. To establish a TCP connection, BGP routers exchange open messages containing the following information: AS number, BGP version running, BGP router ID, and timer values (keepalive and holdtime). Once these values are accepted by both devices, the connection is established and the routers become neighbors. With the TCP connection established, the BGP neighbors begin sharing routing information and updates. A failure in the establishment of the TCP connection indicates that the routers are not neighbors and cannot exchange routing information.

Use the (profile/device-config) instance to configure BGP neighbors.

To navigate to the BGP neighbor configuration instance, use the following commands:

<DEVICE>(config)#profile <PROFILE-NAME>
<DEVICE>(config-profile <PROFILE-NAME>)#router bgp
<DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#?
<DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#bgp neighbor ?
  A.B.C.D  IP address of the bgp neighbor
<DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#
<DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#bgp neighbor <IP>
<DEVICE>(config-profile <PROFILE-NAME>-router--bgp-neighbor-<IP>)#?
Router BGP Neighbor Mode commands:
  activate                   Enable the Address Family for this Neighbor
                             (EXPERIMENTAL)
  advertisement-interval     Minimum interval between BGP routing updates
  allowas-in                 Accept as-path with my AS present in it
                             (EXPERIMENTAL)
  attribute-unchanged        BGP attribute is propagated unchanged to this
                             neighbor (EXPERIMENTAL)
  capability                 Advertise capability to the peer
  default-originate          Originate default route to this neighbor
  description                Neighbor specific description
  disable-connected-check    One-hop away EBGP peer using loopback address
                             (EXPERIMENTAL)
  dont-capability-negotiate  Do not perform capability negotiation
                             (EXPERIMENTAL)
  ebgp-multihop              Allow EBGP neighbors not on directly connected
                             networks
  enforce-multihop           Enforce EBGP neighbors perform multihop
                             (EXPERIMENTAL)
  local-as                   Specify a local-as number (EXPERIMENTAL)
  maximum-prefix             Maximum number of prefix accept from this peer
  next-hop-self              Disable the next hop calculation for this
                             neighbor
  no                         Negate a command or set its defaults
  override-capability        Override capability negotiation result
  passive                    Don't send open messages to this neighbor
  password                   Set a password
  peer-group                 Set peer-group for this neighbor (EXPERIMENTAL)
  port                       Neighbor's BGP port (EXPERIMENTAL)
  remote-as                  Specify a BGP neighbor
  remove-private-as          Remove private AS number from outbound updates
                             (EXPERIMENTAL)
  route-server-client        Configure a neighbor as Route Server client
                             (EXPERIMENTAL)
  send-community             Send Community attribute to this neighbor
  shutdown                   Administratively shut down this neighbor
  soft-reconfiguration       Per neighbor soft reconfiguration
  strict-capability-match    Strict capability negotiation match
                             (EXPERIMENTAL)
  timers                     BGP per neighbor timers
  unsuppress-map             Route-map to selectively unsuppress suppressed
                             routes
  update-source              Source of routing updates
  use                        Set setting to use
  weight                     Set default weight for routes from this neighbor

  clrscr                     Clears the display screen
  commit                     Commit all changes made in this session
  do                         Run commands from Exec mode
  end                        End current mode and change to EXEC mode
  exit                       End current mode and down to previous mode
  help                       Description of the interactive help system
  revert                     Revert changes
  service                    Service Commands
  show                       Show running system information
  write                      Write running configuration to memory or terminal
<DEVICE>(config-profile <PROFILE-NAME>-router--bgp-neighbor-<IP>)#

The following table summarizes BGP neighbor configuration mode commands:

Table 28.8 BGP-Neighbor-Config-Mode Commands

Command | Description | Reference
activate | Enables an address family for this neighbor (EXPERIMENTAL) | page 28-59
advertisement-interval | Configures the minimum interval between two consecutive BGP router updates | page 28-60
allowas-in | Enables re-advertisement of all prefixes containing duplicate ASNs (EXPERIMENTAL) | page 28-61
attribute-unchanged | Enables the propagation of BGP attribute values unchanged to this neighbor BGP device (EXPERIMENTAL) | page 28-62
capability | Enables the advertisement of capability (dynamic and ORF) to BGP peers | page 28-63
default-originate | Enables the sending of the default route to BGP neighbors. It also allows the configuration of the default route. | page 28-64
description | Configures a description for a BGP neighbor device | page 28-65
disable-connected-check | Enables one-hop away EBGP peer using loop back address (EXPERIMENTAL) | page 28-66
dont-capability-negotiate | Disables capability negotiation with BGP neighbors (EXPERIMENTAL) | page 28-67
ebgp-multihop | Enables eBGP Multihop on this BGP neighbor, and configures the maximum number of hops that can be between eBGP neighbors not directly connected to each other. | page 28-68
enforce-multihop | Forces EBGP neighbors to perform multi-hop checks (EXPERIMENTAL) | page 28-69
local-as | Configures this neighbor’s local AS number. Also enables the prepending of this AS number in route updates. (EXPERIMENTAL) | page 28-70
maximum-prefix | Configures the maximum number of prefixes that can be received from a BGP neighbor | page 28-71
next-hop-self | Enables next-hop calculation for this neighbor | page 28-72
no | Removes this BGP neighbor’s settings, or reverts them back to default | page 28-73
override-capability | Enables the overriding of capability negotiation results | page 28-74
passive | Enables this BGP neighbor device (or devices using this profile) as passive | page 28-75
password | Sets a password for this BGP neighbor device (or devices using this profile) | page 28-76
peer-group | Sets the peer group for this BGP neighbor device (or devices using this profile) (EXPERIMENTAL) | page 28-77
port | Configures a non-standard BGP port for this BGP neighbor (EXPERIMENTAL) | page 28-78
remote-as | Configures the ASN for this neighbor BGP device (or devices using this profile) | page 28-79
remove-private-as | Removes the private ASN from outbound updates (EXPERIMENTAL) | page 28-80
route-server-client | Enables this BGP neighbor device (or devices using this profile) to act as a route server client (EXPERIMENTAL) | page 28-81
send-community | Enables sending of the community attribute to the BGP neighbor | page 28-82
shutdown | Shuts down this BGP neighbor device (or devices using this profile) | page 28-83
soft-reconfiguration | Enables storing of updates for inbound soft reconfiguration | page 28-84
strict-capability-match | Enables a strict capability match before allowing a neighbor BGP peer to open a connection (EXPERIMENTAL) | page 28-85
timers | Configures this BGP neighbor’s keepalive and holdtime durations | page 28-86
unsuppress-map | Uses a route-map that selectively unsuppresses routes that have been suppressed using the aggregate-address command | page 28-88
update-source | Allows BGP sessions to use any operational interface to establish the TCP connection with this neighbor | page 28-89
use | Configures filters for this neighbor. These filters are BGP IP ACL, IP prefix list, AS path list, and route map. Based on the filters used, updates received from this neighbor are filtered. | page 28-90
weight | Configures a weight for all routes learned from this BGP neighbor | page 28-91

28.8.1 activate

bgp-neighbor-config commands

Enables an address family for this neighbor. This option is enabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
activate

Parameters
None

Example
nx9500-6C8809(config-profile testNX9500-router-bgp-neighbor-192.168.13.99)#activate

28.8.2 advertisement-interval

bgp-neighbor-config commands

Configures the minimum interval, in seconds, between two consecutive BGP router updates

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
advertisement-interval <0-600>

Parameters
• advertisement-interval <0-600>

advertisement-interval <0-600>
    Configures the minimum interval, in seconds, between two consecutive BGP router updates. Sending too many router updates creates flapping of routes leading to possible disruptions. Specify a minimum interval so that the BGP routing updates are sent after the set interval.
    • <0-600> – Specify a value from 0 - 600 seconds. The default is 5 seconds.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#advertisement-interval 100
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Reverts the advertisement interval to default (5 seconds)

28.8.3 allowas-in

bgp-neighbor-config commands

Enables re-advertisement of all prefixes containing duplicate ASNs. Use this command to configure the maximum number of times an ASN is advertised. This option is disabled by default.

When enabled, Provider Edge (PE) routers can re-advertise all prefixes containing duplicate ASNs. This creates a pair of VPN Routing/Forwarding (VRF) instances on each PE router to receive and re-advertise prefixes. The PE router receives prefixes with ASNs from all PE routers and advertises to its neighbor PE routers on one VRF. The other VRF receives prefixes with ASNs from the Customer Edge (CE) routers and re-advertises them to all PE routers in the configuration.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
allowas-in <1-10>

Parameters
• allowas-in <1-10>

allowas-in <1-10>
    Enables and configures the maximum number of times an ASN is advertised.
    • <1-10> – Specify a value from 1 - 10.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#allowas-in 10
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Disables re-advertisement of all prefixes containing duplicate ASNs

28.8.4 attribute-unchanged

bgp-neighbor-config commands

Enables propagation of BGP attribute values unchanged to this neighbor BGP device. The BGP attributes are: as-path, med, and next-hop.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
attribute-unchanged {(as-path|med|next-hop)}

Parameters
• attribute-unchanged {(as-path|med|next-hop)}

attribute-unchanged
    Enables the propagation of the following BGP attribute values unchanged:
    • as-path – Optional. Enables propagation of AS path BGP attribute unchanged to this neighbor BGP device. This option is disabled by default.
    • med – Optional. Enables propagation of MED BGP attribute unchanged to this neighbor BGP device. This option is disabled by default.
    • next-hop – Optional. Enables propagation of the next-hop BGP attribute value unchanged to this neighbor BGP device. This option is disabled by default.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#attribute-unchanged as-path
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Disables propagation of BGP attribute values unchanged to this neighbor BGP device

28.8.5 capability

bgp-neighbor-config commands

Enables the advertisement of capability (dynamic and ORF) to BGP peers

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
capability [dynamic|orf]
capability dynamic
capability orf prefix-list [both|receive|send]

Parameters
• capability dynamic

capability dynamic
    Enables the advertisement of dynamic capability
    Enable this option to show a neighbor device’s capability to advertise or withdraw an address capability to other peers in a non-disruptive manner. This option is disabled by default.

• capability orf prefix-list [both|receive|send]

capability orf prefix-list [both|receive|send]
    Enables the advertisement of Outbound Route Filtering (ORF) capability. This option is disabled by default.
    Enable this option to enable ORF, and advertise this capability to peer devices. ORFs send and receive capabilities to lessen the number of updates exchanged between BGP peers. By filtering updates, ORF minimizes update generation and exchange overhead.
    The local BGP device advertises ORF in the send mode. The peer BGP device receives the ORF capability in the receive mode. The two devices exchange updates to maintain the ORF for each router. Only a peer group or an individual BGP router can be configured to be in receive or send mode. A peer group member cannot be configured.
    • both – Advertises the capability to send and receive the ORF to/from this neighbor
    • receive – Advertises the capability to receive the ORF from this neighbor
    • send – Advertises the capability to send the ORF to this neighbor

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#capability orf prefix-list both
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Disables advertisement of capability (dynamic and ORF) to BGP peers

28.8.6 default-originate

bgp-neighbor-config commands

Enables the sending of the default route to BGP neighbors. It also allows the configuration of the default route. When enabled and configured, local BGP routers send the default route 0.0.0.0 (or a route map specified route) to their neighbor for use as the default route.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
default-originate {route-map <BGP-ROUTE-MAP-NAME>}

Parameters
• default-originate {route-map <BGP-ROUTE-MAP-NAME>}

default-originate {route-map <BGP-ROUTE-MAP-NAME>}
    Enables default originate on this BGP neighbor. This option is disabled by default.
    • route-map <BGP-ROUTE-MAP-NAME> – Optional. Use this keyword to specify a route map to use as the default originate route.
    If no route-map is specified, the default route 0.0.0.0 is sent.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#default-originate
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Disables the sending of the default route to BGP neighbors

28.8.7 description

bgp-neighbor-config commands

Configures a description for this BGP neighbor device

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
description neighbor <LINE>

Parameters
• description neighbor <LINE>

neighbor <LINE>
    Specify a description for this BGP neighbor device (should not exceed 80 characters).

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#description neighbor "This neighbor is an external AS neighbor"
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Removes this BGP neighbor’s description

28.8.8 disable-connected-check

bgp-neighbor-config commands

Enables one-hop away eBGP peer using loop back address. This option is disabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
disable-connected-check

Parameters
None

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#disable-connected-check
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Disables one-hop away eBGP peer using loop back address

28.8.9 dont-capability-negotiate

bgp-neighbor-config commands

Disables capability negotiation with BGP neighbors. This is to allow compatibility with older BGP versions that have no capability parameters used in the open messages between peers. Capability negotiation is enabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
dont-capability-negotiate

Parameters
None

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#dont-capability-negotiate
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Enables capability negotiation with BGP neighbors

28.8.10 ebgp-multihop

bgp-neighbor-config commands

Enables eBGP Multihop on this BGP neighbor. When enabled, allows neighbor connection to be established between two eBGP neighbors that are not directly connected to each other. Use this command to configure the maximum number of hops possible between two such eBGP neighbors. This option is disabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
ebgp-multihop <1-255>

Parameters
• ebgp-multihop <1-255>

ebgp-multihop <1-255>
    Configures the maximum number of hops that can be between eBGP neighbors not directly connected to each other.
    • <1-255> – Specify a value from 1 - 255. The default is 255.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#ebgp-multihop 20
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Disables eBGP Multihop on this BGP neighbor

28.8.11 enforce-multihop

bgp-neighbor-config commands

Forces eBGP neighbors to perform multi-hop checks

A multihop route is a route to external peers on indirectly connected networks. When enforced, eBGP neighbors perform a multi-hop check. This option is disabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
enforce-multihop

Parameters
None

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#enforce-multihop
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Disables enforcement of multihop route checks

28.8.12 local-as

bgp-neighbor-config commands

Configures this neighbor’s local AS number

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
local-as <1-4294967295> {no-prepend}

Parameters
• local-as <1-4294967295> {no-prepend}

local-as <1-4294967295> {no-prepend}
    Configures the local AS number
    • <1-4294967295> – Specify a value from 1 - 4294967295.
    • no-prepend – Optional. Select to enable. When enabled, the local AS number is not prepended to route updates from eBGP peers. AS numbers are prepended to route updates by default.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#local-as 20 no-prepend
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Removes the local AS number and reverts prepending of AS numbers to default (allows prepending).

28.8.13 maximum-prefix

bgp-neighbor-config commands

Configures the maximum number of prefixes that can be received from a BGP neighbor. This option is disabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
maximum-prefix <1-4294967295> {(<1-100>|restart <1-65535>|warning-only)}

Parameters
• maximum-prefix <1-4294967295> {(<1-100>|restart <1-65535>|warning-only)}

maximum-prefix <1-4294967295>
    Configures the maximum number of prefixes that can be received from a BGP neighbor
    • <1-4294967295> – Specify a value from 1 - 4294967295.
    • <1-100> – Optional. Sets the threshold limit for generating a log message. This value represents a percentage of the maximum-prefix configured in the preceding step. When this value is reached, a log entry is generated. For example, if the maximum-prefix is set to 100 and threshold limit is set to 65, then after receiving 65 prefixes, a log entry is generated. This option is disabled by default.
    • restart <1-65535> – Optional. Restarts BGP peer connection once the maximum-prefix limit specified is exceeded. For example, if the value specified is 10, then after receiving 10 prefixes from the neighbor, the system restarts the connection with that neighbor. Specify a value from 1 - 65535. This option is disabled by default.
    • warning-only – Configure to enable. When the maximum-prefix limit is exceeded, the connection is restarted. However, when this option is enabled, the connection is not restarted and an event is generated instead. This option is disabled by default.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#maximum-prefix 400 50 warning-only
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show con
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no
    Removes the maximum prefix settings configured for this neighbor

28.8.14 next-hop-self

bgp-neighbor-config commands

Enables next-hop calculation for this neighbor. This option is disabled by default.

When enabled, this device (or devices using this profile) are configured as the next hop for the BGP speaking neighbor or peer group. This allows the BGP device to change the next hop information that is sent to iBGP peers. The next hop address is set to the IP address of the interface used to communicate with the eBGP neighbor.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
next-hop-self

Parameters
None

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#next-hop-self
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Disables next-hop calculation for this neighbor (this is the default)

28.8.15 no

bgp-neighbor-config commands

Removes this BGP neighbor’s settings, or reverts them back to default

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
no <PARAMETER>

Parameters
• no <PARAMETER>

no <PARAMETER>
  Specify the parameter details to remove or revert to default

Example
The following example shows the neighbor 192.168.13.99 settings before the ‘no’ commands are executed:

nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#no advertisement-interval
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#no disable-connected-check
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#no default-originate
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#no local-as
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   description neighbor "This neighbor is an external AS neighbor"
   dont-capability-negotiate
   ebgp-multihop 20
   maximum-prefix 400 50 warning-only
   next-hop-self
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

28.8.16 override-capability

bgp-neighbor-config commands

Enables the overriding of capability negotiation results. This option is disabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
override-capability

Parameters
None

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#override-capability
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Disables the overriding of capability negotiation results

28.8.17 passive

bgp-neighbor-config commands

Enables this BGP neighbor device (or devices using this profile) as passive. When enabled, local devices do not attempt to open a connection to passive BGP neighbors. This option is disabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
passive

Parameters
None

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#passive
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Disables this BGP neighbor device (or devices using this profile) as passive

28.8.18 password

bgp-neighbor-config commands

Sets a password for this BGP neighbor device (or devices using this profile). When configured, this password is used for Message Digest 5 (MD5) authentication between two BGP peers connected over TCP. To enable MD5 authentication between two BGP peers, configure both with the same password.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
password neighbor <LINE>

Parameters
• password neighbor <LINE>

password neighbor <LINE>
  Specify the password.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#password neighbor eBGPneighbor@300
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)# show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
   password neighbor eBGPneighbor@300
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Removes the password configured for this neighbor

28.8.19 peer-group

bgp-neighbor-config commands

Sets the peer group for this BGP neighbor device (or devices using this profile). Peer groups are a set of BGP neighbors with the same update policies. This facilitates the updates of various policies, such as distribute lists and filter lists.

The peer group can be configured as a single entity. Any changes made to the peer group are propagated to all members.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
peer-group <PEER-GROUP-NAME>

Parameters
• peer-group <PEER-GROUP-NAME>

peer-group <PEER-GROUP-NAME>
  Specify the peer group name. Once specified, this neighbor device becomes a member of the peer group identified by the <PEER-GROUP-NAME> keyword.
  • <PEER-GROUP-NAME> – Specify the peer group name.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#peer-group eBGPPeerGrp1
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   peer-group eBGPPeerGrp1
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
   password neighbor eBGPneighbor@300
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Removes the peer group configuration. This neighbor peer group setting is removed.

28.8.20 port

bgp-neighbor-config commands

Configures a non-standard BGP port for this BGP neighbor

By default BGP uses port 179. Use this command to set a non-standard port for this BGP neighbor.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
port <0-65535>

Parameters
• port <0-65535>

port <0-65535>
  Specify a value from 0 - 65535.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#port 21
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   peer-group eBGPPeerGrp1
   port 21
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
   password neighbor eBGPneighbor@300
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Removes the non-standard port configured for this neighbor

28.8.21 remote-as

bgp-neighbor-config commands

Configures the ASN for this neighbor BGP device (or devices using this profile). ASN is a set of routers under the same administration that use Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
remote-as <1-4294967295>

Parameters
• remote-as <1-4294967295>

remote-as <1-4294967295>
  Specify the remote ASN from 1 - 4294967295.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#remote-as 100
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   remote-as 100
   advertisement-interval 100
   peer-group eBGPPeerGrp1
   port 21
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
   password neighbor eBGPneighbor@300
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

28.8.22 remove-private-as

bgp-neighbor-config commands

Removes the private ASN from outbound updates. By default private ASNs are included in outbound updates.

Private AS numbers are not advertised to the Internet. This option is used with external BGP (eBGP) peers only. The router removes the AS numbers only if the update includes private AS numbers. If the update includes both private and public AS numbers, the system treats it as an error.

This option is disabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
remove-private-as

Parameters
None

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#remove-private-as
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   remote-as 100
   advertisement-interval 100
   peer-group eBGPPeerGrp1
   port 21
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
   password neighbor eBGPneighbor@300
   remove-private-as
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Includes private ASNs in outbound updates (this is the default setting)

28.8.23 route-server-client

bgp-neighbor-config commands

Enables this BGP neighbor device (or devices using this profile) to act as a route server client. This option is disabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
route-server-client

Parameters
None

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#route-server-client
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   remote-as 100
   advertisement-interval 100
   peer-group eBGPPeerGrp1
   port 21
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
   password neighbor eBGPneighbor@300
   remove-private-as
   route-server-client
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Disables this BGP neighbor device (or devices using this profile) from acting as a route server client

28.8.24 send-community

bgp-neighbor-config commands

Enables sending of the community attribute to the BGP neighbor. The community attribute groups destinations in a certain community and applies routing decisions based on the community. On receiving the community attribute, the BGP router announces it to the neighbor.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
send-community [both|extended|standard]

Parameters
• send-community [both|extended|standard]

send-community [both|extended|standard]
  Enables sending of the community attributes to the BGP neighbor
  • both – Sends extended and standard community attributes
  • extended – Sends extended community attributes only
  • standard – Sends standard community attributes only

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#send-community both
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   remote-as 100
   advertisement-interval 100
   peer-group eBGPPeerGrp1
   port 21
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
   password neighbor eBGPneighbor@300
   remove-private-as
   route-server-client
   send-community both
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Disables sending of the community attribute to the BGP neighbor

28.8.25 shutdown

bgp-neighbor-config commands

Shuts down this BGP neighbor device (or devices using this profile). When configured, this neighbor is administratively shut down. This option is disabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
shutdown

Parameters
None

Example
nx9500-6C8809(config-profile testNX500-router-bgp-neighbor-192.168.13.99)#shutdown
nx9500-6C8809(config-profile testNX500-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   remove-private-as
   route-server-client
   shutdown
nx9500-6C8809(config-profile testNX500-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Removes the administrative shut down of this neighbor

28.8.26 soft-reconfiguration

bgp-neighbor-config commands

Enables storing of updates for inbound soft reconfiguration. This option is disabled by default.

Soft-reconfiguration can be used in lieu of BGP route refresh capability. Enabling this option enables local storage of all received routes and their attributes. This requires additional memory on the BGP device.

When a soft reset (inbound) is performed on the neighbor device, the locally stored routes are reprocessed according to the inbound policy. The BGP neighbor connection is not affected.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
soft-reconfiguration inbound

Parameters
• soft-reconfiguration inbound

soft-reconfiguration inbound
  Performs a soft reconfiguration (inbound) on the BGP neighbor device

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#soft-reconfiguration inbound

Related Commands
no  Disables soft reconfiguration

28.8.27 strict-capability-match

bgp-neighbor-config commands

Enforces a strict capability match before allowing a TCP connection with this neighbor. In case capabilities do not match, the BGP connection is not established. This option is disabled by default.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
strict-capability-match

Parameters
None

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#strict-capability-match

Related Commands
no  Disables a strict capability match before allowing a connection with this neighbor

28.8.28 timers

bgp-neighbor-config commands

Configures this BGP neighbor’s keepalive and holdtime durations

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
timers [<0-65535> <0-65535>|connect <0-65535>]

Parameters
• timers [<0-65535> <0-65535>|connect <0-65535>]

timers <0-65535> <0-65535>
  Sets the keepalive and holdtime intervals
  • <0-65535> – Specifies the keepalive interval from 0 - 65535 seconds. It is the interval, in seconds, between two successive keepalive packets exchanged with this neighbor to keep the TCP connection alive.
  • <0-65535> – Specifies the holdtime interval from 0 - 65535. This is the time this neighbor will wait without receiving a keepalive packet from its neighbor before declaring it dead. If the time since the last keepalive packet received (from its neighbor) exceeds the value set here, the neighbor is declared dead.

timers connect <0-65535>
  Sets the BGP connect time. This is the interval, in seconds, after which BGP tries to connect to a dead peer.
  • <0-65535> – Specify a value from 1 - 65535 seconds.

NOTE: The keepalive and holdtime settings configured at the neighbor level override those configured on the BGP router.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#timers 20 40
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#timers connect 20
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   remote-as 100
   advertisement-interval 100
   peer-group eBGPPeerGrp1
   port 21
   strict-capability-match
   timers connect 20
   timers 20 40
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
   password neighbor eBGPneighbor@300
   remove-private-as
   route-server-client
   send-community both
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Removes the holdtime value set for this neighbor

28.8.29 unsuppress-map

bgp-neighbor-config commands

Unsuppresses map to selectively advertise routes that have been suppressed using the aggregate-address command

The aggregate-address command creates a route map with an IP/mask address that consolidates subnets under it. This reduces the number of route maps on the BGP device to one consolidated entry. Use unsuppress-map to selectively allow/deny a subnet or a set of subnets from this consolidated entry.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
unsuppress-map <ROUTE-MAP-NAME>

Parameters
• unsuppress-map <ROUTE-MAP-NAME>

unsuppress-map <ROUTE-MAP-NAME>
  Unsuppresses the specified route map
  • <ROUTE-MAP-NAME> – Specify the route map name.

Example
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99# unsuppress-map test
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99#show context
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
   unsuppress-map test
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99#

Related Commands
no  Removes the unsuppress flag applied on the specified route map

28.8.30 update-source

bgp-neighbor-config commands

Allows BGP sessions to use any operational interface to establish the TCP connection with this neighbor

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
update-source <IPv4>

Parameters
• update-source <IPv4>

update-source <IPv4>
  Specify the BGP enabled neighbor’s IPv4 address.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#update-source 192.168.13.1
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   remote-as 100
   advertisement-interval 100
   peer-group eBGPPeerGrp1
   port 21
   strict-capability-match
   timers connect 20
   timers 20 40
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
   password neighbor eBGPneighbor@300
   remove-private-as
   route-server-client
   send-community both
   update-source 192.168.13.1
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Removes the source of routing updates

28.8.31 use

bgp-neighbor-config commands

Configures filters for this neighbor. These filters are BGP IP ACL, IP prefix list, AS path list, and route map. Based on the filters used, updates received from this neighbor are filtered.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
use [distribute-list <BGP-IP-ACL-NAME>|filter-list <AS-PATH-LIST-NAME>|prefix-list <IP-PREFIX-LIST-NAME>|route-map <BGP-ROUTE-MAP-NAME>]

Parameters
• use [distribute-list <BGP-IP-ACL-NAME>|filter-list <AS-PATH-LIST-NAME>|prefix-list <IP-PREFIX-LIST-NAME>|route-map <BGP-ROUTE-MAP-NAME>]

use [distribute-list <BGP-IP-ACL-NAME>|filter-list <AS-PATH-LIST-NAME>|prefix-list <IP-PREFIX-LIST-NAME>|route-map <BGP-ROUTE-MAP-NAME>]
  Uses predefined and configured filters with this neighbor
  • distribute-list <BGP-IP-ACL-NAME> – Uses a BGP IP ACL
    • <BGP-IP-ACL-NAME> – Specify the BGP IP ACL name.
  • filter-list <AS-PATH-LIST-NAME> – Uses an AS path list
    • <AS-PATH-LIST-NAME> – Specify the AS path list name.
  • prefix-list <IP-PREFIX-LIST-NAME> – Uses an IP prefix list
    • <IP-PREFIX-LIST-NAME> – Specify the IP prefix list name.
  • route-map <BGP-ROUTE-MAP-NAME> – Uses a route map
    • <BGP-ROUTE-MAP-NAME> – Specify the route map name.

Example
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#use filter-list FilterList_01 in
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#use route-map testBGPRouteMap out
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   remote-as 199
   use filter-list FilterList_01 in
   maximum-prefix 9999 80 restart 50
   use route-map testBGPRouteMap out
   unsuppress-map test
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Removes the filters used to filter updates received from this neighbor
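
The following script is an added example, not part of the WiNG guide or any Extreme Networks code. It audits "show context" neighbor blocks against the defaults described for maximum-prefix (28.8.13), password (28.8.18) and use (28.8.31), and redacts neighbor passwords before a captured config is shared. The sample config, the finding names and the rounding down of the log threshold are assumptions made for illustration.

```python
import re

# Constructed sample in the "show context" layout shown on this page.
# Addresses, names and the password value are made up for illustration.
SAMPLE = """\
  bgp neighbor 192.168.13.99
   remote-as 100
   maximum-prefix 400 50 warning-only
   password neighbor EXAMPLE-SECRET
   use route-map testBGPRouteMap out
  bgp neighbor 192.168.13.100
   remote-as 199
   use filter-list FilterList_01 in
   maximum-prefix 9999 80 restart 50
  bgp neighbor 192.168.13.101
   remote-as 300
"""

# maximum-prefix <limit> [<threshold %>] [restart <n> | warning-only]
MAXPFX = re.compile(
    r"maximum-prefix (\d+)(?: (\d+))?(?: restart (\d+)| (warning-only))?$")
# A filter applied in the inbound direction, as in "use filter-list X in".
INBOUND = re.compile(
    r"use (distribute-list|filter-list|prefix-list|route-map) \S+ in$")


def parse_neighbors(text):
    """Return {neighbor_address: [setting lines]} from show-context text."""
    neighbors, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"bgp neighbor (\S+)$", line)
        if m:
            current = neighbors.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return neighbors


def max_prefix(settings):
    """Return (limit, threshold_pct, warning_only), or None if not set."""
    for s in settings:
        m = MAXPFX.match(s)
        if m:
            pct = int(m.group(2)) if m.group(2) else None
            return int(m.group(1)), pct, m.group(4) is not None
    return None


def log_threshold(settings):
    """Prefix count at which the threshold log entry fires.

    The guide defines the threshold as a percentage of maximum-prefix;
    rounding down is an assumption of this example.
    """
    mp = max_prefix(settings)
    if mp is None or mp[1] is None:
        return None
    return mp[0] * mp[1] // 100


def audit_neighbor(settings):
    """Return finding names (constructed labels) for one neighbor block."""
    findings = []
    mp = max_prefix(settings)
    if mp is None:
        # maximum-prefix is disabled by default: no limit on received prefixes.
        findings.append("no-maximum-prefix")
    elif mp[2]:
        # warning-only: an event is generated, the session is not restarted.
        findings.append("maximum-prefix-warning-only")
    if not any(s.startswith("password neighbor ") for s in settings):
        # Without a password there is no MD5 authentication with this peer.
        findings.append("no-md5-password")
    if not any(INBOUND.match(s) for s in settings):
        # No filter on updates received from this neighbor.
        findings.append("no-inbound-filter")
    return findings


def audit(text):
    """Audit every neighbor block found in the text."""
    return {ip: audit_neighbor(s) for ip, s in parse_neighbors(text).items()}


def redact(text):
    """Mask neighbor passwords, which show context prints in the clear."""
    return re.sub(r"(password neighbor )\S.*", r"\1<redacted>", text)


if __name__ == "__main__":
    for ip, findings in audit(SAMPLE).items():
        print(ip, findings or "ok")
    print(redact(SAMPLE))
```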

28.8.32 weight

bgp-neighbor-config commands

Configures a weight for all routes learned from this BGP neighbor. Weight is used to decide the preferred route when the same route is learned from multiple neighbors. The highest weight is always chosen.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax
weight <0-65535>

Parameters
• weight <0-65535>

weight <0-65535>
  Specifies a relative weight for all routes learned from this neighbor
  • <0-65535> – Specify a value from 0 - 65535.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#weight 10
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   remote-as 100
   advertisement-interval 100
   peer-group eBGPPeerGrp1
   port 21
   strict-capability-match
   timers connect 20
   timers 20 40
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
   maximum-prefix 400 50 warning-only
   next-hop-self
   override-capability
   passive
   password neighbor eBGPneighbor@300
   remove-private-as
   route-server-client
   send-community both
   update-source 192.168.13.1
   weight 10
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no  Reverts to default value

Access Point, Wireless Controller and Service Platform CLI Reference Guide  29 - 1

29 CRYPTO-CMP-POLICY

This chapter summarizes the crypto certificate management protocol (CMP) policy commands in the CLI command structure.

CMP is an Internet protocol designed to enable devices (access point, wireless controller, or service platform) to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network. A Certificate Authority (CA) issues the certificates using the defined CMP.

WiNG CMP implementation allows you to configure a crypto CMP policy that enables auto installation and auto management of device certificates. When configured and implemented on a device, the crypto CMP policy allows the device to automatically trigger a certification request to a configured, CMP supported CA server. Once the certificate is validated and confirmed from the CA server it is saved on the device and becomes part of the trustpoint. During the creation of the CMP policy the trustpoint is assigned a name and client information. You can use a manually created trustpoint for one service (like HTTPS) and use the CMP generated trustpoint for RADIUS EAP certificate based authentication.

Use the (config) instance to configure a crypto CMP policy. To navigate to the crypto CMP policy configuration instance, use the following commands:

<DEVICE>(config)#crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>

ap6522-D8273A(config)#crypto-cmp-policy CMP
ap6522-D8273A(config-cmp-policy-CMP)#
ap6522-D8273A(config-cmp-policy-CMP)#?
CMP Policy Mode commands:
  ca-server              CMP CA Server configuration commands
  cert-key-size          Set key size for certificate request
  cert-renewal-timeout   Trigger a cert renewal request on timeout
  cross-cert-validate    Validate cross-cert using factory-cert
  no                     Negate a command or set its defaults
  subjectAltName         Configure subjectAltName value
  trustpoint             Trustpoint for CMP
  use                    Set setting to use

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

ap6522-D8273A(config-cmp-policy-CMP)#

This chapter is organized as follows:
• crypto-cmp-policy-instance
• other-cmp-related-commands

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

29.1 crypto-cmp-policy-instance

CRYPTO-CMP-POLICY

The following table summarizes crypto CMP policy configuration commands:

Table 29.1 Crypto-CMP-Policy Commands

Command | Description | Reference
ca-server | Configures the CA server details | page 29-3
cert-key-size | Configures the size of the key associated with a certificate request | page 29-5
cert-renewal-timeout | Configures a certificate renewal timeout in days | page 29-6
cross-cert-validate | Enables validation of the cross certificate with the factory certificate | page 29-7
subjectAltName | Configures an alternate subject name for this CMP policy | page 29-8
trustpoint | Configures a trustpoint and its associated information, such as the subject name, the sender’s (device requesting certification) details, and the recipient's (CA) details | page 29-9
use | Associates a device’s autogen-uniqueid with this crypto CMP policy | page 29-11
no | Removes the crypto CMP policy settings | page 29-12

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
29.1.1 ca-server

crypto-cmp-policy-instance

Configures the primary and secondary CMP CA server details.

The CA is an external network authority (usually a trusted third-party server) that generates and issues digital certificates in response to requests received from network devices. Use this command to configure the primary and secondary CA server details, such as name of the device hosting the CA server, the port used to access the CA server, and the path where the certificate is stored. Once defined, devices using this CMP policy automatically send requests to the specified primary CA server, and retrieve the certificate from the specified location. If the primary CA server is not reachable, the requests are sent to the secondary CA server.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ca-server [primary|secondary] host <IP> port <1-65535> path <PATH>

Parameters
• ca-server [primary|secondary] host <IP> port <1-65535> path <PATH>

ca-server [primary|secondary]
  Configures the primary and secondary CMP CA server details (IPv4 address, port, and path)
  • primary – Configures the primary CMP CA server’s details
  • secondary – Configures the secondary CMP CA server’s details
  The secondary CMP CA is used in case the primary CA server is not reachable. CA server settings are required to complete CMP requests.

host <IP>
  Configures IPv4 address of the device hosting the primary/secondary CA server
  • <IP/HOSTNAME> – Specify the server’s IPv4 address.

port <1-65535>
  Configures the port on which the primary/secondary CA server can be reached
  • <1-65535> – Specify the port number from 1 - 65535.

path <PATH>
  Configures the path or filename of the primary/secondary CMP CA certificate. Enter the complete relative path to the file on the server.
  • <PATH> – Specify the path. Once specified, the certificate is downloaded from this location and installed on the device.
Example
ap6522-D8273A(config-cmp-policy-CMP)#ca-server primary host 192.168.8.74 port 8 path cmp
ap6522-D8273A(config-cmp-policy-CMP)#show context
crypto-cmp-policy CMP
 ca-server primary host 192.168.8.74 port 80 path cmp
ap6522-D8273A(config-cmp-policy-CMP)#

Related Commands
no
  Removes the configured primary/secondary CA server details
29.1.2 cert-key-size

crypto-cmp-policy-instance

Configures the size of the key associated with a certificate request

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cert-key-size [2048|3072|4096]

Parameters
• cert-key-size [2048|3072|4096]

cert-key-size [2048|3072|4096]
  Configures the certificate request key size. The options are:
  • 2048 – Sets the key size to 2048 bits. This is the default setting.
  • 3072 – Sets the key size to 3072 bits
  • 4096 – Sets the key size to 4096 bits

Example
nx9500-6C8809(config-cmp-policy-test)#cert-key-size 3072
nx9500-6C8809(config-cmp-policy-test)#show context
crypto-cmp-policy test
 cert-key-size 3072
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 2 osr2bwjR+0L+G64ny3wfuAAAAAtTFjeFnvOIixTHLDfgt7Bu reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
nx9500-6C8809(config-cmp-policy-test)#

Related Commands
no
  Reverts the certificate request key size to default (2048 bits)
29.1.3 cert-renewal-timeout

crypto-cmp-policy-instance

Configures a certificate renewal timeout in days. This is the number of days, before the expiration of the device’s certificate, that a certificate renewal is triggered.

The expiration of device’s certificate is checked once a day. When a certificate is about to expire a certificate renewal is initiated with the dedicated CMP CA server resource through an existing IPSec tunnel. If the tunnel is not established, the CMP renewal request is not sent. If a renewal succeeds the newly obtained certificate overwrites an existing certificate. If the renewal fails, an error is logged.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cert-renewal-timeout <1-60>

Parameters
• cert-renewal-timeout <1-60>

cert-renewal-timeout <1-60>
  Configures the certificate renewal timeout in days. This is the number of days, before the expiration of the device’s certificate, that a certificate renewal is triggered. Once the configured time is completed, the device triggers a certificate renewal request.
  • <1-60> – Specify a value from 1 - 60 days. The default is fourteen (14) days. Therefore, by default a device triggers certificate renewal request 14 days before its certificate expires.

Example
ap6522-D8273A(config-cmp-policy-CMP)#cert-renewal-timeout 60
ap6522-D8273A(config-cmp-policy-CMP)#show context
crypto-cmp-policy CMP
 cert-renewal-timeout 60
 ca-server primary host 192.168.8.74 port 8 path cmp
ap6522-D8273A(config-cmp-policy-CMP)#

Related Commands
no
  Reverts the certificate renewal timeout to default (14 days)
29.1.4 cross-cert-validate

crypto-cmp-policy-instance

Enables validation of the cross certificate using the factory certificate. When enabled, the obtained cross-certificate is validated against the operator’s certificate configured using the trustpoint > cmp-auth-operator command. An error message is displayed in case the cross-certificate is not obtained or if the cross-certificate is found to be invalid. This option is disabled by default.

NOTE: To configure the operator certificate, in the device configuration mode execute the trustpoint > cmp-auth-operator command. For more information, see trustpoint (device-config-mode).

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cross-cert-validate

Parameters
None

Example
nx9500-6C8809(config-cmp-policy-test)#cross-cert-validate
nx9500-6C8809(config-cmp-policy-test)#show context
crypto-cmp-policy test
 cert-key-size 3072
 cross-cert-validate
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 2 9piulK/GqvD+G64ny3wfuAAAAAuqCi8WJkNJwryMD9IAPk4T reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
nx9500-6C8809(config-cmp-policy-test)#

Related Commands
no
  Disables validation of the cross certificate with the factory certificate
29.1.5 subjectAltName

crypto-cmp-policy-instance

Configures the subjectAltName identity for this CMP policy

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
subjectAltName [address <IP>|dn <DISTINGUISHED-NAME>|email <EMAIL-ID>|fqdn <FQDN>|string <USER-DEFINED-STRING>]

Parameters
• subjectAltName [address <IP>|dn <DISTINGUISHED-NAME>|email <EMAIL-ID>|fqdn <FQDN>|string <USER-DEFINED-STRING>]

subjectAltName [address <IP>|dn <DISTINGUISHED-NAME>|email <EMAIL-ID>|fqdn <FQDN>|string <USER-DEFINED-STRING>]
  Configures the subjectAltName identity using one of the following options:
  • address <IP> – Uses IP address as identity
    • <IP> – Specify the IP address.
  • dn <DISTINGUISHED-NAME> – Uses distinguished name as identity
    • <DISTINGUISHED-NAME> – Specify the DISTINGUISHED-NAME.
  • email <EMAIL-ID> – Uses e-mail address as identity
    • <EMAIL-ID> – Specify the e-mail address.
  • fqdn <FQDN> – Uses FQDN as identity
    • <FQDN> – Specify the FQDN.
  • string <USER-DEFINED-STRING> – Uses a user specified name as identity
    • <USER-DEFINED-STRING> – Specify the string to use as identity.

Example
ap6522-D8273A(config-cmp-policy-CMP)#subjectAltName dn TechPubsCA
ap6522-D8273A(config-cmp-policy-CMP)#show context
crypto-cmp-policy CMP
 cert-update
 cert-renewal-timeout 60
 ca-server primary host 192.168.8.74 port 8 path cmp
 subjectAltName dn TechPubsCA
ap6522-D8273A(config-cmp-policy-CMP)#

Related Commands
no
  Removes the subjectAltName identity configured with this CMP policy
29.1.6 trustpoint

crypto-cmp-policy-instance

Configures a trustpoint and its associated information, such as the subject name, the sender’s (device requesting certification) details, and the recipient's (CA) details. This information is needed to obtain the certificate from the CA server using CMP.

Each certificate is digitally signed by a trustpoint and contains device-specific information, such as device name, IP address, serial number. It helps to uniquely identify a device.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
trustpoint <TRUSTPOINT-NAME> subject-name <WORD> secret [0 <WORD>|2 <WORD>] reference-id <WORD> sender-name <WORD> [recipient-name <WORD>|ca-psk <CERT-PATH>]

Parameters
• trustpoint <TRUSTPOINT-NAME> subject-name <WORD> secret [0 <WORD>|2 <WORD>] reference-id <WORD> sender-name <WORD> [recipient-name <WORD>|ca-psk <CERT-PATH>]

trustpoint <TRUSTPOINT-NAME>
  Configures a trustpoint name (should not exceed 32 characters)
  • <TRUSTPOINT-NAME> – Specify the trustpoint’s name.

subject-name <WORD>
  Configures a subject name for this trustpoint. The subject name should uniquely identify the certificate and should not exceed 512 characters in length.

secret [0 <WORD>|2 <WORD>]
  Configures the secret used to encrypt the trustpoint. The secret should not exceed 128 characters in length.
  • 0 <WORD> – Configures a clear text password
  • 2 <WORD> – Configures an encrypted password

reference-id <WORD>
  Configures the reference ID. The CA server uses this information to identify the shared secret key used.
  • <WORD> – Specify the reference ID.

sender-name <WORD>
  Configures the sender’s name. The CA server uses this information to identify the shared secret key used. The sender’s name should not exceed 512 characters in length.
  • <WORD> – Specify the sender name.

recipient-name
  Configures the recipient’s name. The CA server uses this information to validate the request. The recipient's name should not exceed 256 characters in length.

ca-psk <CERT-PATH>
  Configures the certificate path for the server certificate
  • <CERT-PATH> – Specify the certificate path.
Example
ap6522-D8273A(config-cmp-policy-CMP)#trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
ap6522-D8273A(config-cmp-policy-CMP)#
ap6522-D8273A(config-cmp-policy-CMP)#show context
crypto-cmp-policy CMP
 cert-update
 cert-renewal-timeout 60
 ca-server primary host 192.168.8.74 port 8 path cmp
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
 subjectAltName dn TechPubsCA
ap6522-D8273A(config-cmp-policy-CMP)#

Related Commands
no
  Removes the trustpoint associated with this crypto CMP policy
29.1.7 use

crypto-cmp-policy-instance

Associates a device’s autogen-uniqueid with this crypto CMP policy

A device’s autogen-uniqueid is a combination of a user-defined string (prefix or suffix) and a substitution token. The WiNG software implementation provides two built-in substitution tokens: $SN and $MiNT-ID that represent the device’s serial number and MiNT ID respectively. These substitution tokens are internally retrieved and combined with the user-defined string to auto generate a unique identity for a device.

To auto generate the device’s unique ID, in the device configuration mode execute the following command:

autogen-uniqueid <WORD>

For more information on the autogen-uniqueid command, see autogen-uniqueid.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use autogen-uniqueid

Parameters
• use autogen-uniqueid

use autogen-uniqueid
  Associates a device’s autogen-uniqueid with this crypto CMP policy. The device’s autogen-uniqueid must already exist and be configured.

Example
ap6522-D8273A(config-cmp-policy-CMP)#use autogen-uniqueid
ap6522-D8273A(config-cmp-policy-CMP)#show context
crypto-cmp-policy CMP
 cert-update
 cert-renewal-timeout 60
 use autogen-uniqueid
 ca-server primary host 192.168.8.74 port 8 path cmp
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
 subjectAltName dn TechPubsCA
ap6522-D8273A(config-cmp-policy-CMP)#

Related Commands
no
  Removes the device’s autogen-uniqueid associated with this crypto CMP policy
29.1.8 no

crypto-cmp-policy-instance

Removes or reverts this crypto CMP policy’s settings

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [ca-server <SERVER-NAME>|cert-key-size|cert-renewal-timeout|cross-cert-validate|subjectAltName|trustpoint <TRUSTPOINT-NAME>|use autogen-uniqueid]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Removes or reverts this crypto CMP policy’s settings

Example
ap6522-D8273A(config-cmp-policy-CMP)#show context
 cert-update
 cert-renewal-timeout 60
 use autogen-uniqueid
 ca-server primary host 192.168.8.74 port 8 path cmp
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
 subjectAltName dn TechPubsCA
ap6522-D8273A(config-cmp-policy-CMP)#
ap6522-D8273A(config-cmp-policy-CMP)#no cert-renewal-timeout
ap6522-D8273A(config-cmp-policy-CMP)#no subjectAltName
ap6522-D8273A(config-cmp-policy-CMP)#show context
 cert-update
 use autogen-uniqueid
 ca-server primary host 192.168.8.74 port 8 path cmp
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
ap6522-D8273A(config-cmp-policy-CMP)#
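The defaults documented in this section (2048-bit keys, cross-cert-validate disabled, an optional secondary CA server, and the secret type 0 clear-text form) can be checked against a saved show context listing. The following Python script is an added example, not part of the WiNG software or this guide; the sample listings are constructed from the examples above, and the 3072-bit site minimum, the secondary host address and the type 2 placeholder value are assumptions.

```python
import shlex

# Constructed input, modelled on the "show context" output printed in this chapter.
WEAK_CONTEXT = '''
crypto-cmp-policy CMP
 cert-renewal-timeout 60
 ca-server primary host 192.168.8.74 port 8 path cmp
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
 subjectAltName dn TechPubsCA
'''

# Constructed hardened variant; the secondary host and the type 2 value are placeholders.
HARDENED_CONTEXT = '''
crypto-cmp-policy CMP
 cert-key-size 3072
 cross-cert-validate
 ca-server primary host 192.168.8.74 port 8 path cmp
 ca-server secondary host 192.168.8.75 port 8 path cmp
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 2 ENCRYPTED-PLACEHOLDER reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
'''

# Keywords that may follow "trustpoint <NAME>" according to the syntax in 29.1.6.
TRUSTPOINT_FIELDS = {"subject-name", "secret", "reference-id",
                     "sender-name", "recipient-name", "ca-psk"}


def parse_policy(text):
    """Parse one crypto-cmp-policy block, starting from the documented defaults."""
    tokens = shlex.split(text)  # keeps quoted distinguished names as single tokens
    policy = {"name": None, "key_size": 2048, "renewal_days": 14,
              "cross_cert_validate": False, "ca_servers": {}, "trustpoints": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "crypto-cmp-policy":
            policy["name"] = tokens[i + 1]
            i += 2
        elif tok == "cert-key-size":
            policy["key_size"] = int(tokens[i + 1])
            i += 2
        elif tok == "cert-renewal-timeout":
            policy["renewal_days"] = int(tokens[i + 1])
            i += 2
        elif tok == "cross-cert-validate":
            policy["cross_cert_validate"] = True
            i += 1
        elif tok == "ca-server":
            # ca-server <role> host <IP> port <N> path <PATH>
            role = tokens[i + 1]
            policy["ca_servers"][role] = dict(zip(tokens[i + 2:i + 8:2],
                                                  tokens[i + 3:i + 8:2]))
            i += 8
        elif tok == "trustpoint":
            tp = {"name": tokens[i + 1]}
            i += 2
            while i + 1 < len(tokens) and tokens[i] in TRUSTPOINT_FIELDS:
                if tokens[i] == "secret":
                    # Record only the type (0 or 2); the secret itself is not kept.
                    tp["secret_type"] = tokens[i + 1]
                    i += 3
                else:
                    tp[tokens[i]] = tokens[i + 1]
                    i += 2
            policy["trustpoints"].append(tp)
        else:
            i += 1  # statements this audit does not evaluate
    return policy


def audit(policy, min_key_size=3072):
    """Return (code, message) findings. min_key_size is a hypothetical site policy."""
    findings = []
    if policy["key_size"] < min_key_size:
        findings.append(("KEY_SIZE", "cert-key-size %d is below the site minimum %d"
                         % (policy["key_size"], min_key_size)))
    if not policy["cross_cert_validate"]:
        findings.append(("CROSS_CERT", "cross-cert-validate is disabled (the default)"))
    if "primary" not in policy["ca_servers"]:
        findings.append(("NO_PRIMARY_CA", "no primary ca-server; CMP requests cannot complete"))
    if "secondary" not in policy["ca_servers"]:
        findings.append(("NO_SECONDARY_CA", "no secondary ca-server to fall back to"))
    for tp in policy["trustpoints"]:
        if tp.get("secret_type") == "0":
            findings.append(("CLEARTEXT_SECRET",
                             "trustpoint %s stores its secret as type 0 (clear text)" % tp["name"]))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(label, [code for code, _ in audit(parse_policy(text))])
```
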
29.2 other-cmp-related-commands

CRYPTO-CMP-POLICY

The following table summarizes other commands associated with the implementation of the crypto CMP policy:

Table 29.2 Other-CMP-Related Commands

Command   Description
use       Associates a crypto CMP policy with a device
show      Displays current status of CMP requests in progress. This command also displays trustpoint details (CMP and non-CMP trustpoints).
29.2.1 use

other-cmp-related-commands

Applies a crypto CMP policy to a device. Once CMP is enabled, the device automatically requests a certificate from the CA server and installs it. After applying the CMP policy, commit and write the change to memory. This is needed for the configuration to persist across reboots.

To apply a CMP policy on a device, navigate to the device’s config-device mode and execute the use > crypto-cmp-policy > <CRYPTO-CMP-POLICY-NAME> command.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>

Parameters
• use crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>

use crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>
  Applies an existing crypto CMP policy on this device. When associated with a profile, the crypto CMP policy is applied to all devices using the profile.
  • <CRYPTO-CMP-POLICY-NAME> – Specify the crypto CMP policy name. The policy must already exist and be configured.

Example
ap6522-D8273A(config-device-00-11-3F-D8-27-3A)#use crypto-cmp-policy CMP
ap6522-D8273A(config-device-00-11-3F-D8-27-3A)#commit
29.2.2 show

other-cmp-related-commands

Displays current status of CMP requests in progress. This command also displays trustpoint details (CMP and non-CMP trustpoints).

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show crypto [cmp|pki]
show crypto cmp request status {on <DEVICE-NAME>}
show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {on <DEVICE-NAME>}

Parameters
• show crypto cmp request status {on <DEVICE-NAME>}
• show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {on <DEVICE-NAME>}

show crypto cmp request {on <DEVICE-NAME>}
  Displays the current status of all on-going CMP requests
  • on <DEVICE-NAME> – Optional. Specify the name of the AP, wireless controller, or service platform to view CMP request status on a specified device.

show pki trustpoints {<TRUSTPOINT-NAME>|all} on <DEVICE-NAME>
  Displays all trustpoints including CMP generated trustpoints
  • <TRUSTPOINT-NAME> – Optional. Specify a trustpoint name. Displays details of the trustpoint identified by the <TRUSTPOINT-NAME> parameter.
  • all – Optional. Displays details of all configured trustpoints
  • on <DEVICE-NAME> – Optional. Specify the name of the AP, wireless controller, or service platform to view trustpoints configured on a specified device.

Example
ap6522-D8273A#show crypto pki trustpoints
---------------------------------------------------------------------------------------
  TRUSTPOINT            KEY NAME            VALID UNTIL
---------------------------------------------------------------------------------------
  cmp-test              cmp-test-key        Fri May  9 09:44:22 2014 GMT
  default-trustpoint    default_rsa_key     Fri Dec 30 00:00:40 2022 GMT
---------------------------------------------------------------------------------------
ap6522-D8273A#
ap6522-D8273A(config)#show crypto cmp request status
CMP Request Status:   cmp-complete
ap6522-D8273A#
30 ROAMING ASSIST POLICY

This chapter summarizes the Roaming Assist policy commands in the CLI command structure.

When a group of access points constantly monitors a client's packets and its received signal strength indicator (RSSI), a decision can be made on the optimal access point to which the client needs to roam. The client is then forcefully directed to that access point. The threshold intervals are configurable and can be adjusted based on the client load.

Use the (config) instance to configure a Roaming Assist policy. To navigate to the Roaming Assist policy configuration instance, use the following commands:

<DEVICE>(config)#roaming-assist-policy <ROAMING-ASSIST-POLICY-NAME>

nx9500-6C8809(config)#roaming-assist-policy test
nx9500-6C8809(config-roaming-assist-policy-test)#?
Roaming Assist Mode commands:
  action               Configure action - action is deauth / log /
                       assisted-roam
  aggressiveness       Configure the roaming aggressiveness for a wireless
                       client
  detection-threshold  Configure the detection threshold - when exceeded,
                       client monitoring starts
  disassoc-time        Configure the disassociation time - time after which a
                       disassociation is sent
  handoff-count        Configure the handoff count - number of times client
                       can exceed handoff threshold
  handoff-threshold    Configure the handoff threshold - when exceeds an
                       action is taken.
  monitoring-interval  Configure the monitoring interval - interval at which
                       client monitoring occurs
  no                   Negate a command or set its defaults
  sampling-interval    Configure the sampling interval - interval at which
                       client rssi values are checked
  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal
nx9500-6C8809(config-roaming-assist-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
30.1 roaming-assist-policy-instance

ROAMING ASSIST POLICY

The following table summarizes roaming assist policy configuration mode commands:

Table 30.1 Crypto-CMP-Policy Commands

Command               Description
action                Specifies the action to be invoked on the client
aggressiveness        Configures a roaming aggressiveness value for wireless clients
detection-threshold   Configures the detection-threshold value
disassoc-time         Configures the disassociation interval
handoff-count         Configures the handoff-count value
handoff-threshold     Configures the handoff-threshold value
monitoring-interval   Configures the client monitoring interval
sampling-interval     Configures the interval at which clients are sampled to determine their RSSI value
no                    Removes or reverts this roaming assist policy settings based on the parameters passed

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
30.1.1 action

roaming-assist-policy-instance

Specifies the action invoked on the client once it reaches a specified threshold value. The threshold values are configured based on the client load.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
action [assisted-roam|deauth|log]

Parameters
• action [assisted-roam|deauth|log]

action [assisted-roam|deauth|log]
  Configures the action invoked on the client once it reaches the specified threshold value. The options are:
  • assisted-roam – Provides 802.11v assisted roaming facility to the client
  • deauth – De-authenticates the client. This is the default setting.
  • log – Generates a log
  In all three cases an event is generated. However, the message generated differs and is based on the action specified.

Example
rfs6000-81742D(config-roaming-assist-policy-test)#action log
rfs6000-81742D(config-roaming-assist-policy-test)#

Related Commands
no
  Removes the configured action details
30.1.2 aggressiveness

roaming-assist-policy-instance

Configures a roaming aggressiveness value for wireless clients. Configuring this value increases the client’s roaming capabilities in scenarios where the client’s location is likely to change drastically and suddenly. For example, when a client hops on to a train that speeds up quickly. In such a scenario, the access point receives a maximum of 2 (two) messages, from the client, having relatively low RSSI value. This results in a decaying-average, which is above the specified handover-threshold value. Consequently, the client is unable to roam.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
aggressiveness [highest|lowest|medium|medium-high|medium-low]

Parameters
• aggressiveness [highest|lowest|medium|medium-high|medium-low]

aggressiveness [highest|lowest|medium|medium-high|medium-low]
  Configures a roaming aggressiveness value for wireless clients. The options are:
  • highest – De-authenticates client in case of any degradation in the client’s link quality. When selected, the access point considers only the RSSI value of the last message received from the client.
  • lowest – De-authenticates client only in case of significant degradation in the client’s link quality. When selected, the access point uses a weighted average [80% of decaying average + 20% of last seen RSSI] as the final reported RSSI value. This is the default setting.
  • medium – This is an intermediate setting between not roaming and performance
  • medium-high – Allows roaming even if performance goes down. When selected, the access point calculates the client’s signal strength based on average received signal as well as last received signal level, weighted towards the last received value.
  • medium-low – Allows roaming even if performance goes average. When selected, the access point calculates the client’s signal strength based on average received signal as well as last received signal level, weighted towards the average value.

Example
nx9500-6C8809(config-roaming-assist-policy-test)#aggressiveness medium
nx9500-6C8809(config-roaming-assist-policy-test)#show context
roaming-assist-policy test
 aggressiveness medium
nx9500-6C8809(config-roaming-assist-policy-test)#

Related Commands
no
  Reverts the aggressiveness value to default (lowest)
30.1.3 detection-threshold

roaming-assist-policy-instance

Specifies the detection-threshold determining when a client is monitored

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
detection-threshold <-100--40>

Parameters
• detection-threshold <-100--40>

detection-threshold <-100--40>
  Configures the detection threshold value determining when a client is monitored. The clients with bad RSSI values are monitored more frequently.
  • <-100--40> – Specify the RSSI value from -100 dBm to -40 dBm. The default is -75 dBm.

Example
rfs6000-81742D(config-roaming-assist-policy-test)#detection-threshold -90
rfs6000-81742D(config-roaming-assist-policy-test)#

Related Commands
no
  Removes the configured detection threshold details
30.1.4 disassoc-time

roaming-assist-policy-instance

Configures the disassociation time. This is the time period after which a disassociation message is sent.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
disassoc-time <1-10>

Parameters
• disassoc-time <1-10>

disassoc-time <1-10>
  Configures the disassociation time in seconds
  • <1-10> – Specify a value from 1 - 10 seconds. The default is 5 seconds.

Example
nx9500-6C8809(config-roaming-assist-policy-test)#disassoc-time 7
nx9500-6C8809(config-roaming-assist-policy-test)#show context
roaming-assist-policy test
 disassoc-time 7
nx9500-6C8809(config-roaming-assist-policy-test)#

Related Commands
no
  Removes the configured disassociation time
30.1.5 handoff-count

roaming-assist-policy-instance

Specifies the number of times a client can exceed the specified handoff-threshold value before an action is invoked

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
handoff-count <1-10>

Parameters
• handoff-count <1-10>

handoff-count <1-10>
  Specifies the number of times a client can exceed the specified handoff-threshold value before an action is invoked
  • <1-10> – Specify a value from 1 - 10. The default is 3.
  If the client’s RSSI increases beyond the set handoff-threshold, it is removed from the queue for monitoring and action invocation.

Example
rfs6000-81742D(config-roaming-assist-policy-test)#handoff-count 1
rfs6000-81742D(config-roaming-assist-policy-test)#

Related Commands
no
  Removes the configured handoff-count details
30.1.6 handoff-threshold

roaming-assist-policy-instance

Configures the handoff-threshold, which specifies client status for handoff-action. Once exceeded an action is invoked.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
handoff-threshold <-100--40>

Parameters
• handoff-threshold <-100--40>

handoff-threshold <-100--40>
  Configures the handoff-threshold, which specifies client status for handoff-action. Once exceeded an action is invoked.
  • <-100--40> – Specify the RSSI value from -100 dBm to -40 dBm. The default is -80 dBm.
  If the client’s RSSI increases beyond the set handoff-threshold, it is removed from the queue for monitoring and action invocation.

Example
rfs6000-81742D(config-roaming-assist-policy-test)#handoff-threshold -78
rfs6000-81742D(config-roaming-assist-policy-test)#

Related Commands
no
  Removes the configured handoff-threshold details
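The train scenario described under aggressiveness can be worked through numerically with the handoff-threshold and handoff-count settings. The following Python model is an added example, not WiNG code: the decaying-average update (the DECAY factor), the starting average of -60 dBm and the rule that the action fires on the handoff-count-th consecutive breach are assumptions; only the 80%/20% weighting for lowest and the last-RSSI rule for highest come from this guide.

```python
# Assumed smoothing factor: share of the previous decaying average that is kept
# when a new sample arrives. The guide does not document this value.
DECAY = 0.75


def reported_rssi(aggressiveness, decaying_avg, last_rssi):
    """RSSI value the access point compares against handoff-threshold."""
    if aggressiveness == "highest":
        # Guide: only the RSSI of the last received message is considered.
        return last_rssi
    if aggressiveness == "lowest":
        # Guide: 80% of decaying average + 20% of last seen RSSI.
        return 0.8 * decaying_avg + 0.2 * last_rssi
    # The guide gives no numeric weights for the medium settings.
    raise ValueError("no documented weights for %r" % aggressiveness)


def simulate(samples, aggressiveness, start_avg,
             handoff_threshold=-80, handoff_count=3):
    """Feed RSSI samples (dBm) through the model.

    Returns (n, trace) where n is the 1-based sample at which the configured
    action would be invoked, or None if it never is. Each trace entry is
    (sample number, reported RSSI, consecutive breaches so far).
    """
    avg = start_avg
    breaches = 0
    trace = []
    for n, rssi in enumerate(samples, 1):
        avg = DECAY * avg + (1 - DECAY) * rssi      # assumed decaying average
        rep = reported_rssi(aggressiveness, avg, rssi)
        if rep < handoff_threshold:
            breaches += 1
        else:
            # Guide: a client whose RSSI rises above the threshold leaves the
            # monitoring queue, so the count starts again.
            breaches = 0
        trace.append((n, round(rep, 2), breaches))
        if breaches >= handoff_count:               # assumed firing rule
            return n, trace
    return None, trace


if __name__ == "__main__":
    # Constructed scenario: a client at a healthy -60 dBm moves away quickly
    # and the access point hears only two weak frames at -90 dBm.
    train = [-90, -90]
    for mode in ("lowest", "highest"):
        fired_at, trace = simulate(train, mode, start_avg=-60, handoff_count=2)
        print(mode, "action at sample:", fired_at, trace)
```

With these inputs the lowest setting reports -72 and -76.5 dBm, which never fall below the default -80 dBm threshold, while highest reports -90 dBm twice and reaches a handoff-count of 2.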

30.1.7 monitoring-interval
roaming-assist-policy-instance

Configures the interval, in seconds, at which clients are monitored to determine if their RSSI value is below the specified handoff-threshold value.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
monitoring-interval <1-60>

Parameters
• monitoring-interval <1-60>

monitoring-interval <1-60>
Specifies the interval, in seconds, at which clients are monitored to determine if their RSSI is below the specified handoff-threshold
• <1-60> – Specify the duration from 1 - 60 seconds. The default is 5 seconds.

Example
rfs6000-81742D(config-roaming-assist-policy-test)#monitoring-interval 10
rfs6000-81742D(config-roaming-assist-policy-test)#

Related Commands
no – Removes the configured monitoring interval details
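
The following Python sketch is an added illustration, not code from the guide or from WiNG firmware, of how handoff-threshold, handoff-count and monitoring-interval interact as described in 30.1.5 to 30.1.7. It assumes one RSSI reading per monitoring interval, that the action fires when the count of consecutive below-threshold readings reaches handoff-count, and that the counter is cleared after an action; the class, function and client names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoamingAssistPolicy:
    """Policy values with the ranges and defaults stated in the guide."""
    handoff_threshold: int = -80    # dBm; range -100..-40, default -80
    handoff_count: int = 3          # range 1..10, default 3
    monitoring_interval: int = 5    # seconds; range 1..60, default 5

    def __post_init__(self):
        limits = {
            "handoff_threshold": (-100, -40),
            "handoff_count": (1, 10),
            "monitoring_interval": (1, 60),
        }
        for name, (low, high) in limits.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} outside {low}..{high}")


def simulate(policy, rssi_by_client):
    """Replay per-client RSSI readings, one reading per monitoring interval.

    Returns (seconds, client, event) tuples where event is "queued" (first
    reading below the threshold), "cleared" (RSSI rose back to or above the
    threshold, so the client leaves the queue) or "action".
    Assumption: the action fires once the consecutive below-threshold count
    reaches handoff_count, and the client's counter is then reset.
    """
    strikes = {}    # client -> consecutive readings below the threshold
    events = []
    rounds = max((len(r) for r in rssi_by_client.values()), default=0)
    for i in range(rounds):
        now = (i + 1) * policy.monitoring_interval
        for client in sorted(rssi_by_client):
            readings = rssi_by_client[client]
            if i >= len(readings):
                continue            # no more samples for this client
            if readings[i] < policy.handoff_threshold:
                strikes[client] = strikes.get(client, 0) + 1
                if strikes[client] == 1:
                    events.append((now, client, "queued"))
                if strikes[client] >= policy.handoff_count:
                    events.append((now, client, "action"))
                    del strikes[client]
            elif client in strikes:
                del strikes[client]
                events.append((now, client, "cleared"))
    return events


def actions(events):
    """Keep only the (seconds, client) pairs where an action was invoked."""
    return [(t, c) for t, c, kind in events if kind == "action"]


# Constructed sample readings in dBm (not measurements from a real network).
SAMPLE_RSSI = {
    "client-a": [-70, -82, -85, -79, -83, -84, -86],  # brief dip, then a fade
    "client-b": [-90, -91, -92, -60],                 # weak, then recovers
}

if __name__ == "__main__":
    defaults = RoamingAssistPolicy()
    # Values from the guide's Example lines: -78 dBm, count 1, 10 seconds.
    page_example = RoamingAssistPolicy(-78, 1, 10)
    for label, policy in (("defaults", defaults), ("page example", page_example)):
        print(label, actions(simulate(policy, SAMPLE_RSSI)))
```

With the defaults, client-a's two-reading dip is cleared without an action, while handoff-count 1 turns every below-threshold reading into an action.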

30.1.8 sampling-interval
roaming-assist-policy-instance

Configures the interval, in seconds, at which clients are sampled to determine their RSSI value.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
sampling-interval <5-60>

Parameters
• sampling-interval <5-60>

sampling-interval <5-60>
Configures the interval, in seconds, between two successive client samplings
• <5-60> – Specify a value from 5 - 60 seconds. The default value is 15 seconds.
The higher the RSSI value, the stronger the signal.

Example
rfs6000-81742D(config-roaming-assist-policy-test)#sampling-interval 20
rfs6000-81742D(config-roaming-assist-policy-test)#

Related Commands
no – Removes the configured sampling interval details

30.1.9 no
roaming-assist-policy-instance

Removes or reverts this roaming assist policy’s settings based on the parameters passed.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [action|aggressiveness|detection-threshold|disassoc-time|handoff-count|handoff-threshold|monitoring-interval|sampling-interval]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes or reverts this roaming assist policy’s settings to default based on the parameters passed

Example
rfs6000-81742D(config-roaming-assist-policy-test)#no action
rfs6000-81742D(config-roaming-assist-policy-test)#no detection-threshold
rfs6000-81742D(config-roaming-assist-policy-test)#no handoff-threshold
rfs6000-81742D(config-roaming-assist-policy-test)#show context
roaming-assist-policy test
 sampling-interval 20
 monitoring-interval 10
rfs6000-81742D(config-roaming-assist-policy-test)#

A CONTROLLER MANAGED WLAN USE CASE

This section describes the activities required to configure a WLAN. Instructions are provided using the wireless controller CLI.
• Creating a First Controller Managed WLAN
  - Assumptions
  - Design
  - Using the Command Line Interface to Configure the WLAN

A.1 Creating a First Controller Managed WLAN

This section describes the process of creating a managed WLAN on an RFS4000 wireless controller.
Upon completion, you will have created a WLAN on an RFS4000 model wireless controller using a DHCP server to allocate IP addresses to associated wireless clients.

A.1.1 Assumptions

Verify the following conditions have been satisfied before attempting the WLAN configuration activities described in this section:
• It is assumed the RFS4000 wireless controller has the latest firmware version available.
• It is assumed the AP7161 access point also has the latest firmware version available.
• It is assumed there are no previous configurations on the wireless controller or access point and default factory configurations are running on the devices.
• It is assumed you have administrative access to the wireless controller and access point CLI.
• It is assumed the individual administering the network is a professional network installer.

A.1.2 Design

This section defines the network design being implemented.

Figure A-1 Network Design

This is a simple deployment scenario, with the access points connected directly to the wireless controller. One wireless controller port is connected to an external network.
On the RFS4000 wireless controller, the GE1 interface is connected to an external network. Interfaces GE3 and GE4 are used by the access points.
On the external network, the wireless controller is assigned an IP address of 192.168.10.188. The wireless controller acts as a DHCP server for the wireless clients connecting to it, and assigns IP addresses in the range of 172.16.11.11 to 172.16.11.200. The rest of the IP addresses in the range are reserved for devices requiring static IP addresses.

A.1.3 Using the Command Line Interface to Configure the WLAN

These instructions are for configuring your first WLAN using the wireless controller CLI.
Use a serial console cable when connecting to the wireless controller for the first time. Set the following configuration when using the serial connection:
• Bits per second: 19200
• Data Bit: 8
• Parity: None
• Stop Bit: 1
• Flow Control: None

The steps involved in creating a WLAN on a wireless controller are:
1 Logging Into the Controller for the First Time
2 Creating a RF Domain
3 Creating a Wireless Controller Profile
4 Creating an AP Profile
5 Creating a DHCP Server Policy
6 Completing and Testing the Configuration

A.1.3.1 Logging Into the Controller for the First Time

When powering on the wireless controller for the first time, you are prompted to replace the existing administrative password. The credentials for logging into the wireless controller for the first time are:
• User Name: admin
• Password: admin123
Ensure the new password created is strong enough to provide adequate security for the wireless controller managed network.

A.1.3.2 Creating a RF Domain

A RF Domain is a collection of configuration settings specific to devices located at the same physical deployment, such as a building or a floor. Create a RF Domain and assign the country code where the devices are deployed. This is a mandatory step, and the devices will not function as intended if this step is omitted.
The instructions in this section must be performed from the Global Configuration mode of the wireless controller. To navigate to this mode:
rfs4000>enable
rfs4000#
rfs4000#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
rfs4000(config)#

1 Create the RF Domain using the following commands:
rfs4000(config)#rf-domain RFDOMAIN_UseCase1
rfs4000(config-rf-domain-RFDOMAIN_UseCase1)#
This command creates a profile with the name RFDOMAIN_UseCase1.

2 Set the country code for the RF Domain.
rfs4000(config-rf-domain-RFDOMAIN_UseCase1)#country-code us
This sets the country code for this RF Domain.
Save this change and exit the RF Domain profile context.
rfs4000(config-rf-domain-RFDOMAIN_UseCase1)#commit write
rfs4000(config-rf-domain-RFDOMAIN_UseCase1)#exit
rfs4000(config)#

3 To define the wireless controller’s physical location, use the same RF Domain configuration.
rfs4000(config)#self
rfs4000(config-device-03-14-28-57-14-28)#
rfs4000(config-device-03-14-28-57-14-28)#use rf-domain RFDOMAIN_UseCase1

4 Commit the changes and write to the running configuration. Exit this context.
rfs4000(config-device-03-14-28-57-14-28)#commit write
rfs4000(config-device-03-14-28-57-14-28)#exit
rfs4000(config)#

A.1.3.3 Creating a Wireless Controller Profile

1 The first step in creating a WLAN is to configure a profile defining the parameters applied to a wireless controller. To create a profile:
rfs4000(config)#profile rfs4000 RFS4000_UseCase1
rfs4000(config-profile-RFS4000_UseCase1)#
This creates a profile with the name RFS4000_UseCase1 and moves the cursor into its context. Any configuration made under this profile is available when it is applied to a device.

Configure a VLAN

2 Create the VLAN to use with the WLAN configuration. This can be done using the following commands:
rfs4000(config-profile-RFS4000_UseCase1)#interface vlan 2
rfs4000(config-profile-RFS4000_UseCase1-if-vlan2)#ip address 172.16.11.1/24
The above command assigns the IP address 172.16.11.1 with the mask of 255.255.255.0 to VLAN 2. Exit the VLAN 2 context.
rfs4000(config-profile-RFS4000_UseCase1-if-vlan2)#exit
rfs4000(config-profile-RFS4000_UseCase1)#

3 The next step is to assign this newly created VLAN to a physical interface. In this case, VLAN 2 is mapped to GE3 and GE4 to support two access points, an AP6521 and an AP7161. The AP6521 is connected to the gigabit interface GE3 and the AP7161 to the GE4 interface.
rfs4000(config-profile-RFS4000_UseCase1)#interface ge 3
rfs4000(config-profile-RFS4000_UseCase1-if-ge3)#

4 Map VLAN 2 to this interface.
This assigns the IP address to the selected physical interface.
rfs4000(config-profile-RFS4000_UseCase1-if-ge3)#switchport access vlan 2
rfs4000(config-profile-RFS4000_UseCase1-if-ge3)#exit
rfs4000(config-profile-RFS4000_UseCase1)#

5 Similarly, map the defined VLAN 2 to the GE4 interface.
rfs4000(config-profile-RFS4000_UseCase1)#interface ge 4
rfs4000(config-profile-RFS4000_UseCase1-if-ge4)#switchport access vlan 2
rfs4000(config-profile-RFS4000_UseCase1-if-ge4)#exit
rfs4000(config-profile-RFS4000_UseCase1)#

6 Exit the profile and save it.
rfs4000(config-profile-RFS4000_UseCase1)#exit
rfs4000(config)#commit write

Configure the Wireless Controller to use the Profile

7 Before the wireless controller can be further configured, the profile must be applied to the wireless controller.
rfs4000(config)#self
rfs4000(config-device-03-14-28-57-14-28)#
rfs4000(config-device-03-14-28-57-14-28)#use profile RFS4000_UseCase1
rfs4000(config-device-03-14-28-57-14-28)#exit
rfs4000(config)#commit write

Create a WLAN

8 Use the following commands to create a WLAN:
rfs4000(config)#wlan 1
rfs4000(config-wlan-1)#

9 Configure the SSID for the WLAN. This is the value that identifies and helps differentiate this WLAN.
rfs4000(config-wlan-1)#ssid WLAN_USECASE_01

10 Enable the SSID to be broadcast so wireless clients can find it and associate.
rfs4000(config-wlan-1)#broadcast-ssid

11 Associate VLAN 2 to the WLAN and exit.
rfs4000(config-wlan-1)#vlan 2
rfs4000(config-wlan-1)#exit

12 Commit the Changes
Once these changes have been made, they have to be committed before proceeding.
rfs4000(config)#commit write

A.1.3.4 Creating an AP Profile

An AP profile provides a method of applying common settings to access points of the same model. The profile significantly reduces the time required to configure access points within a large deployment. For more information, see:
• Creating an AP6521 Profile
• Creating an AP7161 Profile

A.1.3.4.1 Creating an AP6521 Profile

An AP6521’s firmware is updated directly by its associated wireless controller. The process is automatic, and no intervention is required. To create a profile for use with an AP6521:
rfs4000(config)#profile ap6521 AP6521_UseCase1
rfs4000(config-profile-AP6521_UseCase1)#

1 Assign the access point to be a member of the same VLAN defined in Creating an AP Profile on page A-5. In this section, the VLAN was defined as VLAN 2. Configure the access point to be a member of VLAN 2.
rfs4000(config-profile-AP6521_UseCase1)#interface vlan 2
rfs4000(config-profile-AP6521_UseCase1-if-vlan2)#

2 Configure this VLAN to use DHCP, so any device that is associated using this access point is automatically assigned a unique IP address. Once completed, exit this context.
rfs4000(config-profile-AP6521_UseCase1-if-vlan2)#ip address dhcp
rfs4000(config-profile-AP6521_UseCase1-if-vlan2)#exit

3 The VLAN has to be mapped to a physical interface on the access point.
Since the only available physical interface on the AP6521 is GE1, this VLAN is mapped to it.
rfs4000(config-profile-AP6521_UseCase1)#interface ge 1
rfs4000(config-profile-AP6521_UseCase1-if-ge1)#switchport access vlan 2
rfs4000(config-profile-AP6521_UseCase1-if-ge1)#exit

4 Before a WLAN can be implemented, it has to be mapped to a radio on the access point. An AP6521 has 2 radios; in this scenario, both radios are utilized.
rfs4000(config-profile-AP6521_UseCase1)#interface radio 1
rfs4000(config-profile-AP6521_UseCase1-if-radio1)#wlan 1
rfs4000(config-profile-AP6521_UseCase1-if-radio1)#exit
rfs4000(config-profile-AP6521_UseCase1)#interface radio 2
rfs4000(config-profile-AP6521_UseCase1-if-radio2)#wlan 1
rfs4000(config-profile-AP6521_UseCase1-if-radio2)#exit
rfs4000(config-profile-AP6521_UseCase1)#

5 Commit the changes made to this profile and exit.
rfs4000(config-profile-AP6521_UseCase1)#commit write
rfs4000(config-profile-AP6521_UseCase1)#exit
rfs4000(config)#

6 Apply this Profile to the discovered AP6521.

7 Access the discovered access point using the following command. The discovered device’s MAC address is used to access its context.
rfs4000(config)#ap6521 00-A0-F8-00-00-01
rfs4000(config-device-00-A0-F8-00-00-01)#

8 Assign the AP profile to this AP6521 access point.
rfs4000(config-device-00-A0-F8-00-00-01)#use profile AP6521_UseCase1
rfs4000(config-device-00-A0-F8-00-00-01)#commit write

9 Apply the RF Domain profile to the AP.

10 Apply the previously created RF Domain to enable a country code to be assigned to the discovered access point. A discovered access point only works properly if its country code is the country code of its associated wireless controller.
rfs4000(config-device-00-A0-F8-00-00-01)#use rf-domain RFDOMAIN_UseCase1
rfs4000(config-device-00-A0-F8-00-00-01)#commit write
rfs4000(config-device-00-A0-F8-00-00-01)#exit
rfs4000(config)#

A.1.3.4.2 Creating an AP7161 Profile

To create a profile for use with an AP7161:
rfs4000(config)#profile ap7161 AP7161_UseCase1
rfs4000(config-profile-AP7161_UseCase1)#

1 Set the access point to be a member of the same VLAN defined in Creating an AP Profile on page A-5. In this section, the VLAN was defined as VLAN 2. Configure the access point to be a member of VLAN 2.
rfs4000(config-profile-AP7161_UseCase1)#interface vlan 2
rfs4000(config-profile-AP7161_UseCase1-if-vlan2)#

2 Configure this VLAN to use DHCP, so any device associated using this access point is automatically assigned a unique IP address. Once completed, exit this context.
rfs4000(config-profile-AP7161_UseCase1-if-vlan2)#ip address dhcp
rfs4000(config-profile-AP7161_UseCase1-if-vlan2)#exit

3 The configured VLAN has to be mapped to a physical interface on the access point. Map VLAN 2 to the GE1 and GE2 interfaces on the AP7161.
To configure the GE1 interface:
rfs4000(config-profile-AP7161_UseCase1)#interface ge 1
rfs4000(config-profile-AP7161_UseCase1-if-ge1)#switchport access vlan 2
rfs4000(config-profile-AP7161_UseCase1-if-ge1)#exit

4 Similarly, configure the GE2 interface.
rfs4000(config-profile-AP7161_UseCase1)#interface ge 2
rfs4000(config-profile-AP7161_UseCase1-if-ge2)#switchport access vlan 2
rfs4000(config-profile-AP7161_UseCase1-if-ge2)#exit

5 Before the WLAN can be implemented, it has to be mapped to the physical radio on the access point. An AP7161 has 3 radios (on certain models), two of which can be configured for WLAN support. In this scenario, two radios are used.
rfs4000(config-profile-AP7161_UseCase1)#interface radio 1
rfs4000(config-profile-AP7161_UseCase1-if-radio1)#wlan 1
rfs4000(config-profile-AP7161_UseCase1-if-radio1)#exit
rfs4000(config-profile-AP7161_UseCase1)#interface radio 2
rfs4000(config-profile-AP7161_UseCase1-if-radio2)#wlan 1
rfs4000(config-profile-AP7161_UseCase1-if-radio2)#exit
rfs4000(config-profile-AP7161_UseCase1)#

6 Commit the changes made to the profile and exit this context.
rfs4000(config-profile-AP7161_UseCase1)#commit write
rfs4000(config-profile-AP7161_UseCase1)#exit
rfs4000(config)#

7 Apply this Profile to the Discovered AP7161.

8 Access the discovered access point using the following command. The discovered device’s MAC address is used to access its context.
rfs4000(config)#ap7161 00-23-68-16-C6-C4
rfs4000(config-device-00-23-68-16-C6-C4)#

9 Assign the AP profile to this access point.
rfs4000(config-device-00-23-68-16-C6-C4)#use profile AP7161_UseCase1
rfs4000(config-device-00-23-68-16-C6-C4)#commit write

10 Apply the RF Domain profile to the AP.

11 Apply the previously created RF Domain to enable a country code to be assigned to the discovered access point. A discovered access point only works properly if its country code is the same as its associated wireless controller.
rfs4000(config-device-00-23-68-16-C6-C4)#use rf-domain RFDOMAIN_UseCase1
rfs4000(config-device-00-23-68-16-C6-C4)#commit write
rfs4000(config-device-00-23-68-16-C6-C4)#exit
rfs4000(config)#

A.1.3.5 Creating a DHCP Server Policy

The DHCP server policy defines the parameters required to run a DHCP server on the wireless controller and assign IP addresses automatically to devices that associate. Configuring DHCP enables the reuse of a limited set of IP addresses.
To create a DHCP server policy:
rfs4000-37FABE(config)#dhcp-server-policy DHCP_POLICY_UseCase1
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1)#

The following table displays how IP addresses are used.
In the table, the IP address range of 172.16.11.11 to 172.16.11.200 is available using the DHCP server.

Table A.1 IP Address Usage
IP Range | Usage
172.16.11.1 till 172.16.11.10 | Reserved for devices that require a static IP address
172.16.11.11 till 172.16.11.200 | Range of IP addresses that can be assigned using the DHCP server.
172.16.11.201 till 172.16.11.254 | Reserved for devices that require a static IP address

To configure the DHCP server:
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1)#dhcp-pool DHCP_POOL_USECASE1_01
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE1_01)#

1 Configure the address range as follows:
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE1_01)#address range 172.16.11.11 172.16.11.200
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE1_01)#

2 Configure the IP pool used with a network segment. This starts the DHCP server on the specified interface.
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE1_01)#network 172.16.11.0/24
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE1_01)#exit
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1)#exit
rfs4000-37FABE(config)#commit write

Configure the RFS4000 to use the DHCP Policy

3 For DHCP to work properly, the new DHCP Server Policy must be applied to the wireless controller. To apply the DHCP Server Policy to the wireless controller:
rfs4000-37FABE(config)#self
rfs4000-37FABE(config-device-03-14-28-57-14-28)#use dhcp-server-policy DHCP_POLICY_UseCase1
rfs4000-37FABE(config-device-03-14-28-57-14-28)#commit write
rfs4000-37FABE(config-device-03-14-28-57-14-28)#exit
rfs4000-37FABE(config)#

A.1.3.6 Completing and Testing the Configuration

A wireless client must be configured to associate with the wireless controller managed WLAN. The following information must be defined:
• SSID: WLAN_USECASE_01
• Country: Same as the country configured in Creating a RF Domain on page A-3. In this scenario, the country code is set to US.
• Mode: Infrastructure
With the WLAN set to beacon, use the wireless client’s discovery client to discover the configured WLAN and associate.
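
The address plan in Table A.1 and the pool configured in A.1.3.5 can be checked mechanically before the commands are committed. The Python sketch below is an added example, not part of the guide or of WiNG: it verifies that the DHCP pool stays inside the VLAN 2 subnet, does not lease out the VLAN interface address, does not overlap the static ranges, and leaves no unaccounted gap. The function names and the two misconfigured variants are constructed for illustration.

```python
import ipaddress


def _span(first, last):
    """Return an inclusive address range as a pair of integers."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return int(lo), int(hi)


def _fmt(lo, hi):
    return f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}"


def check_plan(interface_cidr, pool, reserved):
    """Return a list of findings; an empty list means the plan is consistent.

    interface_cidr: VLAN interface address, e.g. "172.16.11.1/24"
    pool:           (first, last) of the DHCP "address range"
    reserved:       list of (first, last) ranges kept for static addresses
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    usable_lo = int(net.network_address) + 1
    usable_hi = int(net.broadcast_address) - 1

    spans = [("DHCP pool", *_span(*pool))]
    spans += [(f"reserved {a}-{b}", *_span(a, b)) for a, b in reserved]

    findings = []
    for label, lo, hi in spans:
        if lo < usable_lo or hi > usable_hi:
            findings.append(f"{label} extends outside the usable hosts of {net}")

    _, pool_lo, pool_hi = spans[0]
    if pool_lo <= int(iface.ip) <= pool_hi:
        findings.append(f"interface address {iface.ip} is inside the DHCP pool")

    # Walk the ranges in address order, reporting overlaps and gaps.
    cursor, covering = usable_lo, None   # next unaccounted address, its owner
    for label, lo, hi in sorted(spans, key=lambda s: (s[1], s[2])):
        if covering is not None and lo < cursor:
            findings.append(f"{label} overlaps {covering}")
        elif lo > cursor:
            findings.append(f"unassigned gap {_fmt(cursor, lo - 1)}")
        if hi + 1 > cursor:
            cursor, covering = hi + 1, label
    if cursor <= usable_hi:
        findings.append(f"unassigned gap {_fmt(cursor, usable_hi)}")
    return findings


# Values taken from the use case: VLAN 2 interface, DHCP pool and Table A.1.
INTERFACE = "172.16.11.1/24"
POOL = ("172.16.11.11", "172.16.11.200")
RESERVED = [("172.16.11.1", "172.16.11.10"), ("172.16.11.201", "172.16.11.254")]

# Constructed misconfigurations, not from the guide.
POOL_TOO_WIDE = ("172.16.11.1", "172.16.11.200")
POOL_TOO_SHORT = ("172.16.11.11", "172.16.11.150")

if __name__ == "__main__":
    for name, pool in (("guide", POOL), ("too wide", POOL_TOO_WIDE),
                       ("too short", POOL_TOO_SHORT)):
        print(name, check_plan(INTERFACE, pool, RESERVED) or "consistent")
```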

Access Point, Wireless Controller, and Service Platform System Reference Guide

B PUBLICLY AVAILABLE SOFTWARE

B.1 General Information

This document contains information regarding licenses, acknowledgments and required copyright notices for open source packages used in the following products:

Access Points
• AP6521, AP6522, AP6522M, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8122, AP8132, AP8163, AP8232, AP8432 and AP8533.

Wireless Controllers and Service Platforms
• Wireless Controllers – RFS4000, RFS6000
• Service Platforms – NX5500, NX5500E, NX7500, NX75XX, NX7510E, NX9500, NX9510, NX9600, NX9610, VX9000, VX9000E

B.2 Open Source Software Used

The Support site, located at www.extremenetworks.com/support, provides information and online assistance including developer tools, software downloads, product manuals, support contact information and online repair requests.

Name | Version | URL | License
Apache Web Server | 1.3.41 | http://www.apache.org/ | Apache License, Version 2.0
Asterisk | 1.2.24 | http://www.asterisk.org/ | GNU General Public License 2.0
accepts | 1.2.10 | http://registry.npmjs.org/accepts/-/accepts-1.2.10.tgz | MIT License
advas | 0.2.3 | http://advas.sourceforge.net/ | GNU General Public License, version 2
alivepdf | 0.1.4.9 | https://code.google.com/p/alivepdf/ | MIT License
apscheduler | 3.0.1 | https://pypi.python.org/pypi/APScheduler/ | MIT License
async | 1.3.0 | http://registry.npmjs.org/async/-/async-1.3.0.tgz | MIT License
autoconf | 2.69 | http://www.gnu.org/software/autoconf/ | GNU General Public License, version 2
automake | 1.11.6 | http://www.gnu.org/software/automake/ | GNU General Public License, version 2
bash | 4.2 | http://www.gnu.org/software/bash/ | GNU General Public License, version 2
binutils | 2.23 | http://www.gnu.org/software/binutils/ | GNU General Public License, version 2
bison | 2.3 | http://www.gnu.org/software/bison/ | GNU General Public License, version 2
bluez | 5.7 | http://www.bluez.org/ | GNU General Public License, version 2
body-parser | 1.13.2 | http://registry.npmjs.org/body-parser/-/body-parser-1.13.2.tgz | MIT License
bridge | 1.0.4 | http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge/ | GNU General Public License, version 2
bridge-utils | 1.0.4 | http://sourceforge.net/projects/bridge/ | GNU General Public License, version 2
buffer-crc32 | 0.2.5 | http://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.5.tgz | MIT License
busybox | 1.14.4 | http://www.busybox.net/ | GNU General Public License, version 2
bytes | 2.1.0 | http://registry.npmjs.org/bytes/-/bytes-2.1.0.tgz | MIT License
colors | 1.1.2 | http://registry.npmjs.org/colors/-/colors-1.1.2.tgz | MIT License
compression | 1.5.1 | http://registry.npmjs.org/compression/-/compression-1.5.1.tgz | MIT License
connect-mongo | 0.8.2 | http://registry.npmjs.org/connect-mongo/-/connect-mongo-0.8.2.tgz | MIT License
cookie | 0.1.3 | http://registry.npmjs.org/cookie/-/cookie-0.1.3.tgz | MIT License
cookie-parser | 1.3.5 | http://registry.npmjs.org/cookie-parser/-/cookie-parser-1.3.5.tgz | MIT License
cookie-signature | 1.0.6 | http://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz | MIT License
cuint | 0.2.0 | http://registry.npmjs.org/cuint/-/cuint-0.2.0.tgz | MIT License
cycle | 1.0.3 | https://registry.npmjs.org/cycle/-/cycle-1.0.3.tgz | MIT License
czjson | 1.0.8 | https://pypi.python.org/pypi/czjson/1.0.8 | GNU Lesser General Public License 2.1
dash | 0.5.7 | http://gondor.apana.org.au/~herbert/dash/ | The BSD License
debug | 2.2.0 | https://registry.npmjs.org/debug/-/debug-2.2.0.tgz | MIT License
depd | 1.0.1 | http://registry.npmjs.org/depd/-/depd-1.0.1.tgz | MIT License
dfu-util | 0.8 | http://dfu-util.gnumonks.org/ | GNU General Public License, version 2
dhcp | 3.0.3 | http://www.isc.org/software/dhcp | ISC License
diffutils | 2.8.1 | http://www.gnu.org/software/diffutils/ | GNU General Public License, version 2
dmalloc | 5.5.2 | http://dmalloc.com/ | None
dmidecode | 2.11 | http://savannah.nongnu.org/projects/dmidecode/ | GNU General Public License, version 2
dnsmasq | 2.47 | http://www.thekelleys.org.uk/dnsmasq/doc.html | GNU General Public License, version 2
dosfstools | 2.11 | http://www.daniel-baumann.ch/software/dosfstools/ | GNU General Public License, version 2
dropbear | 0.55 | http://matt.ucc.asn.au/dropbear/dropbear.html | DropBear License
e2fsprogs | 1.41.13 | http://e2fsprogs.sourceforge.net/ | GNU General Public License, version 2
ejs | 2.3.3 | http://registry.npmjs.org/ejs/-/ejs-2.3.3.tgz | Apache License, Version 2.0
engine.io | 1.5.2 | http://registry.npmjs.org/engine.io/-/engine.io-1.5.2.tgz | MIT License
escape-html | 1.0.2 | http://registry.npmjs.org/escape-html/-/escape-html-1.0.2.tgz | MIT License
ethtool | 2.6.35 | http://www.kernel.org/pub/software/network/ethtool/ | GNU General Public License, version 2
event-loop-lag | 1.1.0 | http://registry.npmjs.org/event-loop-lag/-/event-loop-lag-1.1.0.tgz | MIT License
express | 4.13.1 | http://registry.npmjs.org/express/-/express-4.13.1.tgz | MIT License
express-session | 1.11.3 | http://registry.npmjs.org/express-session/-/express-session-1.11.3.tgz | MIT License
eyes | 0.1.8 | http://github.com/cloudhead/eyes.js | MIT License
finalhandler | 0.4.0 | http://registry.npmjs.org/finalhandler/-/finalhandler-0.4.0.tgz | MIT License
flashrom | 0.9.4 | http://flashrom.org/Flashrom | GNU General Public License, version 2
flex | 4.5.1.21328 | http://flex.sourceforge.net/ | The BSD License
fluks | 0.2 | https://github.com/markuspeloquin/fluks | MIT License
freedos | 4.5.1.21328 | http://www.freedos.org/download/ | GNU General Public License, version 2
freeipmi | 1.1 | http://www.gnu.org/software/freeipmi/ | GNU General Public License, version 3
fresh | 0.3.0 | http://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz | MIT License
futures | 2.2.0 | https://github.com/agronholm/pythonfutures | The BSD License
gcc | 4.1.2 | http://gcc.gnu.org/ | GNU General Public License, version 2
gdb | 7.2 | http://www.gnu.org/software/gdb/ | GNU General Public License, version 3
gdbm | 1.8.3 | http://www.gnu.org/s/gdbm/ | GNU General Public License, version 2
genext2fs | 1.4.1 | http://genext2fs.sourceforge.net/ | GNU General Public License, version 2
glib2 | 2.30.2 | http://www.gtk.org/ | GNU Lesser General Public License 2.1
glibc | 2.7 | http://www.gnu.org/software/libc/ | GNU General Public License, version 2
has-binary-data | 0.1.5 | http://registry.npmjs.org/has-binary-data/-/has-binary-data-0.1.5.tgz | MIT License
hdparm | 9.38 | http://sourceforge.net/projects/hdparm/ | GNU General Public License, version 2
hooks | 0.3.2 | http://registry.npmjs.org/hooks/-/hooks-0.3.2.tgz | MIT License
hostapd | 0.6.9 | http://hostap.epitest.fi/hostapd/ | GNU General Public License, version 2
hotplug | 1.3 | http://sourceforge.net/projects/linux-hotplug/ | GNU General Public License, version 2
hotplug2 | 0.9 | http://isteve.bofh.cz/~isteve/hotplug2/ | GNU General Public License, version 2
i2ctools | 3.0.3 | http://www.lm-sensors.org/wiki/I2CTools | GNU General Public License, version 2
iconv-lite | 0.4.11 | http://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.11.tgz | MIT License
igb | 5.2.9.4 | http://sourceforge.net/projects/e1000/ | GNU General Public License, version 2
ipaddr | 2.1.0 | http://code.google.com/p/ipaddr-py/ | Apache License, Version 2.0
ipkg-utils | 1.7 | http://www.handhelds.org/sources.html | GNU General Public License, version 2
ipmitool | 1.8.11 | http://ipmitool.sourceforge.net/ | The BSD License
iproute2 | 050816 | http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 | GNU General Public License, version 2
iptables | 1.4.3 | http://www.netfilter.org/projects/iptables/index.html | GNU General Public License, version 2
ipxe | 1.0.0 | http://ipxe.org/ | GNU General Public License, version 2
isstream | 0.1.2 | https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz | MIT License
js-yaml | 3.3.1 | http://registry.npmjs.org/js-yaml/-/js-yaml-3.3.1.tgz | MIT License
kerberos | None | http://web.mit.edu/Kerberos/ | GNU General Public License, version 2
kexec-tools | 2.0.3 | http://kernel.org/pub/linux/utils/kernel/kexec/ | GNU General Public License, version 2
libbson | 1.1.0 | http://github.com/mongodb/libbson | Apache License, Version 2.0
libcares | 1.7.1 | http://c-ares.haxx.se/ | The BSD License
libcurl | 7.30.0 | http://curl.haxx.se/libcurl/ | The BSD License
libdevmapper | 2.02.66 | ftp://sources.redhat.com/pub/lvm2/old | GNU Lesser General Public License 2.1
libexpat | 2.0.0 | http://expat.sourceforge.net/ | MIT License
libffi | 3.0.7 | http://sourceware.org/libffi/ | MIT License
libgcrypt | 1.4.5 | ftp://ftp.gnupg.org/GnuPG/libgcrypt/ | GNU Lesser General Public License 2.1
libgmp | 4.2.2 | http://gmplib.org/ | GNU Lesser General Public License, version 3.0
libgnutls | 3.2.12 | ftp://ftp.gnupg.org/GnuPG/gnutls/v3.0/ | GNU Lesser General Public License, version 3.0
libgpg-error | 1.6 | ftp://ftp.gnupg.org/GnuPG/libgpg-error/ | GNU Lesser General Public License 2.1
libharu | 2.1.0 | http://libharu.org/ | MIT License
libhttp-parser | None | None | MIT License
libiconv | 1.14 | http://savannah.gnu.org/projects/libiconv/ | GNU General Public License 2.0
libjson | 0.10 | http://sourceforge.net/projects/libjson/ | The BSD License
libkerberos | 0.1 | http://web.mit.edu/kerberos/dist/ | The BSD License
libncurses | 5.4 | http://www.gnu.org/software/ncurses/ | MIT License
libnettle | 2.7 | http://www.lysator.liu.se/~nisse/nettle/ | GNU Lesser General Public License 2.1
libnuma | 2.0.10 | https://github.com/numactl/numactl/ | GNU Lesser General Public License, version 2.0
libpam | 1.1.1 | http://www.kernel.org/pub/linux/libs/pam/ | The BSD License
libpcap | 1.0.0 | http://www.tcpdump.org/ | The BSD License
libpcre | 8.21 | ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ | The BSD License
libpopt | 1.14 | http://freecode.com/projects/popt | MIT License
libraryopt | 1.01 | http://sourceforge.net/projects/libraryopt/ | GNU General Public License, version 2
libreadline | 4.3 | http://cnswww.cns.cwru.edu/php/chet/readline/rltop.html | GNU General Public License, version 2
libtool | 2.4.2 | http://www.gnu.org/software/libtool/ | GNU General Public License, version 2
libusb | 0.1.12 | http://www.libusb.org/ | GNU Lesser General Public License, version 2.0
libusb | 1.0.18 | http://www.libusb.org/ | GNU Lesser General Public License, version 2.0
libvirt | 0.9.11 | http://libvirt.org/sources/ | GNU Lesser General Public License 2.1
libxml2 | 2.8.0 | http://xmlsoft.org/ | MIT License
libxslt | 1.1.26 | http://xmlsoft.org/xslt/ | MIT License
lighttpd | 1.4.37 | http://www.lighttpd.net/ | MIT License
lilo | 22.6 | http://lilo.alioth.debian.org/ | The BSD License
linux | 2.6.28.9 | http://www.kernel.org/ | GNU General Public License, version 2
linux | 2.6.35.9 | http://www.kernel.org/ | GNU General Public License, version 2
lodash | 3.10.0 | http://registry.npmjs.org/lodash/-/lodash-3.10.0.tgz | MIT License
log-timestamp | 0.1.2 | http://registry.npmjs.org/log-timestamp/-/log-timestamp-0.1.2.tgz | MIT License
ltp | 20130904 | https://github.com/linux-test-project/ltp | GNU General Public License, version 2
lxml | 2.3beta1 | http://lxml.de/ | The BSD License
lzma | 4.32 | http://www.7-zip.org/sdk.html | GNU Lesser General Public License, version 2.0
lzma | 4.57 | http://www.7-zip.org/sdk.html | GNU Lesser General Public License, version 2.0
lzo | 2.03 | http://www.oberhumer.com/opensource/lzo/ | GNU General Public License, version 2
M2Crypto | 0.21.1 | http://chandlerproject.org/bin/view/Projects/MeTooCrypto | The BSD License
m4 | 1.4.16 | http://www.gnu.org/software/m4/ | GNU General Public License, version 2
madwifi | trunk-r3314 | http://madwifi-project.org/ | The BSD License
mdadm | 3.2.2 | http://neil.brown.name/blog/mdadm | GNU General Public License, version 2
media-typer | 0.3.0 | http://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz | MIT License
memtester | 4.0.8 | http://pyropus.ca/software/memtester/ | GNU General Public License, version 2
merge-descriptors | 1.0.0 | http://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.0.tgz | MIT License
method-override | 2.3.4 | http://registry.npmjs.org/method-override/-/method-override-2.3.4.tgz | MIT License
methods | 1.1.1 | http://registry.npmjs.org/methods/-/methods-1.1.1.tgz | MIT License
mii-diag | 2.09 | http://freecode.com/projects/mii-diag | GNU General Public License, version 2
mkyaffs | None | http://www.yaffs.net/ | GNU General Public License, version 2
mod_ssl | 2.8.3.1-1.3.41 | http://www.modssl.org/ | The BSD License
mongo-c-driver | 1.1.0 | http://github.com/mongodb/mongo-c-driver | Apache License, Version 2.0
mongo-python-driver | 2.7.1 | http://github.com/mongodb/mongo-python-driver | Apache License, Version 2.0
mongodb | 3.0.5 | http://www.mongodb.org/ | GNU Lesser General Public License, version 3.0
mongoose | 4.0.7 | http://registry.npmjs.org/mongoose/-/mongoose-4.0.7.tgz | MIT License
mpath | 0.2.1 | http://registry.npmjs.org/mpath/-/mpath-0.2.1.tgz | MIT License
mpromise | 0.5.5 | http://registry.npmjs.org/mpromise/-/mpromise-0.5.5.tgz | MIT License
mquery | 1.6.2 | http://registry.npmjs.org/mquery/-/mquery-1.6.2.tgz | MIT License
ms | 0.7.1 | http://registry.npmjs.org/ms/-/ms-0.7.1.tgz | MIT License
mtd | 2009-05-05 | http://www.linux-mtd.infradead.org/ | GNU General Public License, version 2
mtd-utils | 1.4.4 | http://www.linux-mtd.infradead.org/ | GNU General Public License, version 2
mtd-utils | 2009-05-05 | http://www.linux-mtd.infradead.org/ | GNU General Public License, version 2
muri | 1.1.0 | http://registry.npmjs.org/muri/-/muri-1.1.0.tgz | MIT License
nano | 1.2.4 | http://www.nano-editor.org/ | GNU General Public License, version 2
net-snmp | 5.3.0.1 | http://net-snmp.sourceforge.net/ | The BSD License
no-vnc | None | http://kanaka.github.io/noVNC/ | Mozilla Public License, version 2
node-mongodb-native | 1.4.35 | http://github.com/mongodb/node-mongodb-native | Apache License, Version 2.0
node.js | 0.12.7 | http://nodejs.org/ | MIT License
ntp | 4.2.6p4 | http://www.ntp.org/index.html | The BSD License
numactl | 2.0.10 | https://github.com/numactl/numactl/ | GNU General Public License, version 2
Open Scales | 2.2 | http://openscales.org/ | GNU Lesser General Public License, version 3.0
OpenStreetMap | | http://www.openstreetmap.org/ | Creative Commons Attribution-ShareAlike License, version 3.0
on-headers | 1.0.0 | http://registry.npmjs.org/on-headers/-/on-headers-1.0.0.tgz | MIT License
openldap | 2.4.40 | http://www.openldap.org/foundation/ | The Open LDAP Public License
openllpd | 0.0.3alpha | http://openlldp.sourceforge.net/ | GNU General Public License, version 2
openssh | 6.6p1 | http://www.openssh.com/ | The BSD License
openssl | 0.9.8zg | http://www.openssl.org/ | OpenSSL License
openssl | 1.0.0i | http://www.openssl.org/ | OpenSSL License
openssl | 1.0.1g | http://www.openssl.org/ | OpenSSL License
openssl-fips | 1.2.3 | http://www.openssl.org/ | OpenSSL License
openwrt | trunk-r15025 | http://www.openwrt.org/ | GNU General Public License, version 2
opkg | trunk-r4564 | http://code.google.com/p/opkg/ | GNU General Public License, version 2
oprofile | 0.9.2 | http://oprofile.sourceforge.net/news/ | GNU Lesser General Public License 2.1
ProGuard | 4.8 | http://proguard.sourceforge.net/ | GNU General Public License, version 2
PyPDF2 | 1.23 | http://mstamy2.github.com/PyPDF2 | The BSD License
parseurl | 1.3.0 | http://registry.npmjs.org/parseurl/-/parseurl-1.3.0.tgz | MIT License
path-to-regexp | 1.2.0 | http://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.2.0.tgz | MIT License
pciutils | 3.1.8 | http://mj.ucw.cz/sw/pciutils/ | GNU General Public License, version 2
pdnsd | 1.2.5 | http://members.home.nl/p.a.rombouts/pdnsd/ | GNU General Public License, version 2
picocom | 1.6 | http://code.google.com/p/picocom/ | GNU General Public License, version 2
pillow | 2.8.1 | http://python-pillow.github.io/ | MIT License
ping | 1.0 | None | The BSD License
pkg-config | 0.22 | http://pkg-config.freedesktop.org/wiki/ | GNU General Public License, version 2
portmap | 6.0 | http://neil.brown.name/portmap/ | The BSD License
posix | 2.0.1 | http://registry.npmjs.org/posix/-/posix-2.0.1.tgz | MIT License
ppp | 2.4.5 | http://ppp.samba.org/ppp/ | The BSD License
ppp | 2.4.3 | http://ppp.samba.org/ppp/ | The BSD License
preppy | 2.3.1 | https://bitbucket.org/rptlab/preppy | The BSD License
procname | 0.2 | http://code.google.com/p/procname/ | GNU Lesser General Public License, version 2.0
procps | 3.2.8 | http://procps.sourceforge.net/ | GNU General Public License, version 2
proxy-addr | 1.0.8 | http://registry.npmjs.org/proxy-addr/-/proxy-addr-1.0.8.tgz | MIT License
psmisc | 22.8 | http://sourceforge.net/projects/psmisc/ | GNU General Public License, version 2
pure-ftpd | 1.0.22 | http://www.pureftpd.org/project/pure-ftpd | The BSD License
pychecker | 0.8.18 | http://pychecker.sourceforge.net/ | The BSD License
pyparsing | 1.5.1 | http://sourceforge.net/projects/pyparsing/ | The BSD License
pytz | 2014.10 | http://pythonhosted.org/pytz | MIT License
pyxapi | 0.1 | http://www.pps.jussieu.fr/%7Eylg/PyXAPI/ | GNU General Public License, version 2
pyyaml | 3.11 | http://pyyaml.org/ | MIT License
qdbm | 1.8.77 | http://qdbm.sourceforge.net/ | GNU General Public License, version 2
qs | 4.0.0 | http://registry.npmjs.org/qs/-/qs-4.0.0.tgz | The BSD License
quagga | 0.99.16 | http://www.quagga.net | GNU General Public License, version 2
quilt | 0.47 | http://savannah.nongnu.org/projects/quilt/ | GNU General Public License, version 2
radius | 2.2.3 | http://freeradius.org/ | GNU General Public License, version 2
range-parser | 1.0.2 | http://registry.npmjs.org/range-parser/-/range-parser-1.0.2.tgz | MIT License
raw-body | 2.1.2 | http://registry.npmjs.org/raw-body/-/raw-body-2.1.2.tgz | MIT License
redis | 3.0.3 | http://redis.io/ | The BSD License
redis | 0.12.1 | http://registry.npmjs.org/redis/-/redis-0.12.1.tgz | MIT License
regexp-clone | 0.0.1 | http://registry.npmjs.org/regexp-clone/-/regexp-clone-0.0.1.tgz | MIT License
report-lab | 3.1.44 | http://www.reportlab.com | The BSD License
rp-pppoe | 3.1.0 | http://www.roaringpenguin.com/products/pppoe | GNU General Public License, version 2
rsync | 3.0.6 | http://rsync.samba.org/ | GNU General Public License, version 3
safestr | 1.0.3 | http://www.zork.org/ | The BSD License
samba | 3.5.1 | http://www.samba.org | GNU General Public License, version 3
sed | 4.1.2 | http://www.gnu.org/software/sed/ | GNU General Public License, version 2
semaphore | 1.0.3 | http://registry.npmjs.org/semaphore/-/semaphore-1.0.3.tgz | MIT License
send | 0.13.0 | http://registry.npmjs.org/send/-/send-0.13.0.tgz | MIT License
serve-static | 1.10.0 | http://registry.npmjs.org/serve-static/-/serve-static-1.10.0.tgz | MIT License
setproctitle | 1.1.8 | http://code.google.com/p/py-setproctitle | The BSD License
setuptools | 11.3.1 | https://bitbucket.org/pypa/setuptools | Python License, Version 2 (Python-2.0)
sliced | 1.0.1 | http://registry.npmjs.org/sliced/-/sliced-1.0.1.tgz | MIT License
smarttools | 6.2 | http://smartmontools.sourceforge.net | GNU General Public License, version 2
snmpagent | 5.0.9 | http://sourceforge.net/ | The BSD License
socket.io | 1.3.6 | http://registry.npmjs.org/socket.io/-/socket.io-1.3.6.tgz | MIT License
socket.io-adapter | 0.3.1 | http://registry.npmjs.org/socket.io-adapter/-/socket.io-adapter-0.3.1.tgz | MIT License
socket.io-adapter-mongo | 0.1.4 | http://registry.npmjs.org/socket.io-adapter-mongo/-/socket.io-adapter-mongo-0.1.4.tgz | MIT License
socket.io-client | 1.3.6 | http://registry.npmjs.org/socket.io-client/-/socket.io-client-1.3.6.tgz | MIT License
socket.io-parser | 2.2.4 | http://registry.npmjs.org/socket.io-parser/-/socket.io-parser-2.2.4.tgz | MIT License
sqlite3 | 3070900 | http://www.sqlite.org/ | None
squashfs | 3.0 | http://squashfs.sourceforge.net/ | GNU General Public License, version 2
squid | 2.7.STABLE9 | http://www.squid-cache.org/ | GNU General Public License, version 2
stack-trace | 0.0.9 | https://registry.npmjs.org/stack-trace/-/stack-trace-0.0.9.tgz | MIT License
stackless python | 2.7.5 | http://www.stackless.com/ | GNU General Public License, version 2
sticky-session | 0.1.0 | http://registry.npmjs.org/sticky-session/-/sticky-session-0.1.0.tgz | MIT License
strace | 4.5.20 | http://sourceforge.net/projects/strace/ | The BSD License
stress | 1.0.4 | http://people.seas.harvard.edu/~apw/stress/ | GNU General Public License, version 2
strongswan | 4.4.0 | http://www.strongswan.org | GNU General Public License, version 2
stunnel | 4.31 | http://www.stunnel.org/ | GNU General Public License, version 2
svg2rlg | 0.3 | http://code.google.com/p/svg2rlg/ | The BSD License
sysstat | 9.0.5 | http://sebastien.godard.pagesperso-orange.fr/ | GNU General Public License, version 2
tar | 1.17 | http://www.gnu.org/software/tar/ | GNU General Public License, version 2
tcpdump | 4.0.0 | http://www.tcpdump.org/ | The BSD License
tinyproxy | 1.8.3 | https://banu.com/tinyproxy/ | GNU General Public License, version 2
type-is | 1.6.4 | http://registry.npmjs.org/type-is/-/type-is-1.6.4.tgz | MIT License
tz | 2014b | http://www.iana.org/time-zones/repository/releases/ | GNU General Public License, version 2
u-boot | trunk-2010-03-30 | http://www.denx.de/wiki/U-Boot/ | GNU General Public License, version 2
u-boot | trunk-2010-05-10 | http://www.denx.de/wiki/U-Boot/ | GNU General Public License, version 2
uClibc | 0.9.29 | http://www.uclibc.org/ | GNU General Public License, version 2
uClibc | 0.9.30.2 | http://www.uclibc.org/ | GNU General Public License, version 2
uci | 0.7.5 | http://www.openwrt.org/ | GNU General Public License, version 2
udev | 147 | https://launchpad.net/udev | GNU General Public License, version 2
udev | r147 | http://www.kernel.org/pub/linux/utils/kernel/hotplug/ | GNU General Public License, version 2
usbutils | 0.73 | http://www.linux-usb.org/ | GNU General Public License, version 2
util-linux | 2.20 | http://www.kernel.org/pub/linux/utils/util-linux/ | GNU General Public License, version 2
utils-merge | 1.0.0 | http://registry.npmjs.org/utils-merge/-/utils-merge-1.0.0.tgz | MIT License
valgrind | 3.5.0 | http://valgrind.org/ | GNU General Public License, version 2
validator | 3.41.2 | http://registry.npmjs.org/validator/-/validator-3.41.2.tgz | MIT License
vary | 1.0.1 | http://registry.npmjs.org/vary/-/vary-1.0.1.tgz | MIT License
wanpipe | 3.5.18 | http://wiki.sangoma.com/wanpipe-linux-drivers | GNU General Public License, version 2
websocket | 2.4 | https://github.com/nori0428/mod_websocket | MIT License
wget | 1.14 | http://www.gnu.org/software/wget/ | GNU General Public License, version 3
winston | 1.0.1 | http://registry.npmjs.org/winston/-/winston-1.0.1.tgz | MIT License
wireless_tools | r29 | http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html | GNU General Public License, version 2
wpa_supplicant | 2.0 | http://hostap.epitest.fi/wpa_supplicant/ | The BSD License
ws | 0.7.2 | http://registry.npmjs.org/ws/-/ws-0.7.2.tgz | MIT License
wuftpd | 1.0.21 | http://wu-ftpd.therockgarden.ca/ | WU-FTPD Software License
XenAPI | None | http://docs.vmd.citrix.com/XenServer/4.0.1/api/client-examples/python/index.html | GNU General Public License, version 2
xen | 4.1.5 | http://www.xen.org/ | GNU General Public License, version 2
xen-crashdump-analyser | 20130505 | http://xenbits.xen.org/people/andrewcoop/ | GNU General Public License, version 2
xen-tools | 4.2.1 | http://xen-tools.org/software/xen-tools/ | GNU General Public License, version 2
xxhashjs | 0.1.1 | http://registry.npmjs.org/xxhashjs/-/xxhashjs-0.1.1.tgz | MIT License
z3c-rml | 2.7.2 | http://pypi.python.org/pypi/z3c.rml | Zope Public License (ZPL) Version 2.0
zlib | 1.2.8 | http://www.zlib.net/ | zlib License
zope-event | 4.0.3 | http://pypi.python.org/pypi/zope.event | Zope Public License (ZPL) Version 2.0
zope-interface | 4.1.1 | http://pypi.python.org/pypi/zope.interface | Zope Public License (ZPL) Version 2.1
zope-schema | 4.4.2 | http://pypi.python.org/pypi/zope.schema | Zope Public License (ZPL) Version 2.0
zwave | 0.1 | http://code.google.com/p/open-zwave/ | GNU Lesser General Public License, version 2.1
B.3 OSS Licenses

B.3.1 Apache License, Version 2.0

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

You must give any other recipients of the Work or Derivative Works a copy of this License; and

You must cause any modified files to carry prominent notices stating that You changed the files; and

You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

B.3.2 The BSD License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

B.3.3 Creative Commons Attribution-ShareAlike License, version 3.0

Creative Commons
Attribution-ShareAlike 3.0 Unported

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM ITS USE.

License

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED.

BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.

Definitions

1. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.

2. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined below) for the purposes of this License.

3. "Creative Commons Compatible License" means a license that is listed at http://creativecommons.org/compatiblelicenses that has been approved by Creative Commons as being essentially equivalent to this License, including, at a minimum, because that license: (i) contains terms that have the same purpose, meaning and effect as the License Elements of this License; and, (ii) explicitly permits the relicensing of adaptations of works made available under that license under this License or a Creative Commons jurisdiction license with the same License Elements as this License.
4. "Distribute" means to make available to the public the original and copies of the Work or Adaptation, as appropriate, through sale or other transfer of ownership.

5. "License Elements" means the following high-level license attributes as selected by Licensor and indicated in the title of this License: Attribution, ShareAlike.

6. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.

7. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.

8. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.

9. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.

10. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.

11. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.

12. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.
PUBLICLY AVAILABLE SOFTWAREAccess Point, Wireless Controller, and Service Platform System Reference Guide  B - 2013. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:a. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections;b. to create and Reproduce Adaptations provided that any such Adaptation, including any translation in any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were made to the original Work. For example, a translation could be marked "The original work was translated from English to Spanish," or a modification could indicate "The original work has been modified.";c. to Distribute and Publicly Perform the Work including as incorporated in Collections; and,d. to Distribute and Publicly Perform AdaptationsFor the avoidance of doubt:1. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;2. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; and,3. Voluntary License Schemes. 
The Licensor waives the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License.
The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby reserved.
4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
a. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License.
If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the extent practicable, remove from the Adaptation any credit as required by Section 4(c), as requested.
b. You may Distribute or Publicly Perform an Adaptation only under the terms of: (i) this License; (ii) a later version of this License with the same License Elements as this License; (iii) a Creative Commons jurisdiction
license (either this or a later license version) that contains the same License Elements as this License (e.g., Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons Compatible License. If you license the Adaptation under one of the licenses mentioned in (iv), you must comply with the terms of that license. If you license the Adaptation under the terms of any of the licenses mentioned in (i), (ii) or (iii) (the "Applicable License"), you must comply with the terms of the Applicable License generally and the following provisions: (I) You must include a copy of, or the URI for, the Applicable License with every copy of each Adaptation You Distribute or Publicly Perform; (II) You may not offer or impose any terms on the Adaptation that restrict the terms of the Applicable License or the ability of the recipient of the Adaptation to exercise the rights granted to that recipient under the terms of the Applicable License; (III) You must keep intact all notices that refer to the Applicable License and to the disclaimer of warranties with every copy of the Work as included in the Adaptation You Distribute or Publicly Perform; (IV) when You Distribute or Publicly Perform the Adaptation, You may not impose any effective technological measures on the Adaptation that restrict the ability of a recipient of the Adaptation from You to exercise the rights granted to that recipient under the terms of the Applicable License. This Section 4(b) applies to the Adaptation as incorporated in a Collection, but this does not require the Collection apart from the Adaptation itself to be made subject to the terms of the Applicable License.
c.
If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Section 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. 
For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
d. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b) of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation, modification or other derogatory action prejudicial to the Original Author's honor and reputation, the Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this License (right to make Adaptations) but not otherwise.
5. Representations, Warranties and Disclaimer.
UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. Termination.
This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Adaptations or Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work).
Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
8. Miscellaneous.
Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License.
If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You.
This License may not be modified without the mutual written agreement of the Licensor and You.
The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO
Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.
Creative Commons Notice
Creative Commons is not a party to this License, and makes no warranty whatsoever in connection with the Work. Creative Commons will not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. Notwithstanding the foregoing two (2) sentences, if Creative Commons has expressly identified itself as the Licensor hereunder, it shall have all rights and obligations of Licensor.
Except for the limited purpose of indicating to the public that the Work is licensed under the CCPL, Creative Commons does not authorize the use by either party of the trademark "Creative Commons" or any related trademark or logo of Creative Commons without the prior written consent of Creative Commons. Any permitted use will be in compliance with Creative Commons' then-current trademark usage guidelines, as may be published on its website or otherwise made available upon request from time to time.
For the avoidance of doubt, this trademark restriction does not form part of the License.
Creative Commons may be contacted at http://creativecommons.org/.
B.3.4 DropBear License
Dropbear contains a number of components from different sources, hence there are a few licenses and authors involved. All licenses are fairly non-restrictive.
The majority of code is written by Matt Johnston, under the license below. Portions of the client-mode work are (c) 2004 Mihnea Stoenescu, under the same license:
Copyright (c) 2002-2004 Matt Johnston
Portions copyright (c) 2004 Mihnea Stoenescu
All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
LibTomCrypt and LibTomMath are written by Tom St Denis, and are .
=====
sshpty.c is taken from OpenSSH 3.5p1,
Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
All rights reserved
"As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell". "
=====
loginrec.c
loginrec.h
atomicio.h
atomicio.c
and strlcat() (included in util.c) are from OpenSSH 3.6.1p2, and are licensed under the 2 point license.
loginrec is written primarily by Andre Lucas, atomicio.c by Theo de Raadt.
strlcat() is (c) Todd C. Miller
=====
Import code in keyimport.c is modified from PuTTY's import.c, licensed as follows:
PuTTY is copyright 1997-2003 Simon Tatham.
Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, and CORE SDI S.A.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-------------------------------------------------------------------------------
B.3.5 GNU General Public License, version 2
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price.
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program
proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
B.3.6 GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
The modified work must itself be a software library.
You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.)
Do not make any other change in these notices.
Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.
This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.
If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not.
Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.
If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted,
regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.
As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library.
(It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.
Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system.
Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.
You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided
that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.
Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with this License.

If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices.
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only
in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU.
SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

B.3.7 GNU Lesser General Public License 2.1

GNU LESSER GENERAL PUBLIC LICENSE
Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code.
If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.

In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library".
The former contains code derived from the library, whereas the latter must be combined with the library in order to run.

Creative Commons Legal Code CC0 1.0 Universal CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.

This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".

A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

The modified work must itself be a software library.

You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.

You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.

If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility
still operates, and performs whatever part of its purpose remains meaningful.

(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.

In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library".
Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.

When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License.
You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)

Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.

Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.

If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.

Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it.
However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:

Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.

Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works.
These actions are prohibited by law if
you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.

If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all.
For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time.
Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

B.3.8 CC0 1.0 Universal

Creative Commons Legal Code

CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS.
CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;

moral rights retained by the original author(s) and/or performer(s);

publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;

rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;

rights protecting the extraction, dissemination, use and reuse of data in a Work;

database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and

other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver").
Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

Limitations and Disclaimers.
• No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
• Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
• Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
• Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

B.3.9 GNU General Public License, version 3

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for software and other kinds of works.

The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users.
We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.

To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.

For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.

Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.

Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS

Definitions.

"This License" refers to version 3 of the GNU General Public License.

"Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.

"The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you".
"Licensees" and "recipients" may be individuals or organizations.

To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work.

A "covered work" means either the unmodified Program or a work based on the Program.

To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.

To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.

An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.

1. Source Code.

The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work.

A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.

The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.

The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work.
For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.

The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.

The Corresponding Source for a work in source code form is that same work.

2. Basic Permissions.

All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.

You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.

Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.

3. Protecting Users' Legal Rights From Anti-Circumvention Law.

No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.

When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.

4. Conveying Verbatim Copies.

You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.

You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.

5. Conveying Modified Source Versions.

You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:

a) The work must carry prominent notices stating that you modified it, and giving a relevant date.

b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7.
This requirement modifies the requirement in section 4 to "keep intact all notices".

c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.

d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.

A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.

6. Conveying Non-Source Forms.

You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:

a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.

b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.

c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.

d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code.
If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.

e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.

A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.

A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.

"Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source.
The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.

If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).

The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.

Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.

7. Additional Terms.

"Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law.
If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.

When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.

Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:

a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or

b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or

c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or

d) Limiting the use for publicity purposes of names of licensors or authors of the material; or

e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or

f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.

All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.

If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.

Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.

8. Termination.

You may not propagate or modify a covered work except as expressly provided under this License.
Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.

9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.

An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives
whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.

You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.

11. Patents.

A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version".

A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version.
For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.

Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.

In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.

If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients.
"Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.

If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.

A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any
of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.

Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.

13. Use with the GNU Affero General Public License.

Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.

If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.

Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
B.3.10 ISC License
Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
B.3.11 GNU Lesser General Public License, version 3.0
GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below.
Additional Definitions.
As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License.
"The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below.
An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library.
A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version".
The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version.
The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work.
1. Exception to Section 3 of the GNU GPL.
You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL.
2. Conveying Modified Versions.
If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version:
a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or
b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy.
3. Object Code Incorporating Material from Library Header Files.
The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following:
a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License.
b) Accompany the object code with a copy of the GNU GPL and this license document.
4. Combined Works.
You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following:
a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License.
b) Accompany the Combined Work with a copy of the GNU GPL and this license document.
c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document.
d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.
1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version.
e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version.
(If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.)
5. Combined Libraries.
You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License.
b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
6. Revised Versions of the GNU Lesser General Public License.
The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you
have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation.
If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library.
B.3.12 GNU General Public License 2.0
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too.
When we speak of free software, we are referring to freedom, not price.
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, thus in effect making the program proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license.
The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such.
Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better.
However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves.
This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries.
The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library.
Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library which contains notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you".
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it.
For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.
1 You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2 You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
The modified work must itself be a software library.
You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such
function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3 You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer
version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.
Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.
This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
4 You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.
If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
5 A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.
If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.
6 As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License.
Also, you must do one of these things:
Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library.
(It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system.
Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.
7 You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
8 You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
9 You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License.
Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.
10 Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.
11 If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who
receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
12 If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
13 The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time.
Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

14 If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU.
SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY
TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

B.3.13 GNU Lesser General Public License, version 2.0

GNU LIBRARY GENERAL PUBLIC LICENSE

Version 2, June 1991

Copyright (C) 1991 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

[This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.]

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the library.

Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library. If the library is modified by someone else and passed on, we want its recipients to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license.

The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such.

Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better.

However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves.
This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library.

Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you".

A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

* a) The modified work must itself be a software library.
* b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
* c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
* d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.

When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6. As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

* a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
* b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
* c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
* d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it.
However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:

* a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
* b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

9. You are not required to accept this License, since you have not signed it.
However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by
law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all.
For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

13. The Free Software Foundation may publish revised and/or new versions of the Library General Public License from time to time.
Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY

15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

B.3.14 GNU Lesser General Public License, version 2.1

GNU LESSER GENERAL PUBLIC LICENSE

Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.

Preamble

The licenses for most software are designed to take away your freedom to share and change it.
By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.
To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License.
This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.

In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.
Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.

B.3.15 GNU LESSER GENERAL PUBLIC LICENSE

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".

A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for making modifications to it.
For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

1 You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2 You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a. The modified work must itself be a software library.
b. You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
c. You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
d. If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.
But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.

In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3 You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.)
Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4 You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5 A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6 As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

a. Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
b. Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.
c. Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
d. If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
e. Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it.
However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

7 You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:

a. Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
b. Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

8 You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

9 You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License.
Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10 Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.

11 If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all.
For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
12 If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

13 The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

14 If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

B.3.16 MIT License

Permission is hereby granted, without written agreement and without license or royalty fees, to use, copy, modify, and distribute this software and its documentation for any purpose, provided that the above copyright notice and the following two paragraphs appear in all copies of this software.

IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.

B.3.17 Mozilla Public License, version 2

Version 2.0

1. Definitions

1.1. Contributor means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software.

1.2. Contributor Version means the combination of the Contributions of others (if any) used by a Contributor and that particular Contribution.

1.3. Contribution means Covered Software of a particular Contributor.

1.4. Covered Software means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof.

1.5. Incompatible With Secondary Licenses means
1. that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or
2. that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License.

1.6. Executable Form means any form of the work other than Source Code Form.

1.7. Larger Work means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software.

1.8. License means this document.

1.9. Licensable means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License.

1.10. Modifications means any of the following:
1. any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or
2. any new file in Source Code Form that contains any Covered Software.

1.11. Patent Claims of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version.

1.12. Secondary License means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses.

1.13. Source Code Form means the form of the work preferred for making modifications.

1.14. You (or Your) means an individual or a legal entity exercising rights under this License. For legal entities, You includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, control means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.
2. License Grants and Conditions

2.1. Grants

Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:
1. under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and
2. under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version.

2.2. Effective Date

The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution.

2.3. Limitations on Grant Scope

The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:
1. for any code that a Contributor has removed from Covered Software; or
2. for infringements caused by: (i) Your and any other third party’s modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or
3. under Patent Claims infringed by Covered Software in the absence of its Contributions.

This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4).

2.4. Subsequent Licenses

No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3).

2.5. Representation

Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License.

2.6. Fair Use

This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents.

2.7. Conditions

Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1.

3. Responsibilities

3.1. Distribution of Source Form

All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients’ rights in the Source Code Form.

3.2. Distribution of Executable Form

If You distribute Covered Software in Executable Form then:
1. such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and
2. You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients’ rights in the Source Code Form under this License.

3.3. Distribution of a Larger Work

You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s).

3.4. Notices

You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies.

3.5. Application of Additional Terms

You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor.
You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction.

4. Inability to Comply Due to Statute or Regulation

If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.

5. Termination

5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice.
5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate.

5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.

6. Disclaimer of Warranty

Covered Software is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.

7. Limitation of Liability

Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party’s negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.

8. Litigation

Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party’s ability to bring cross-claims or counter-claims.

9. Miscellaneous

This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.

10. Versions of the License

10.1. New Versions

Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License.
Each version will be given a distinguishing version number.

10.2. Effect of New Versions

You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.

10.3. Modified Versions

If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).

10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses

If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached.

Exhibit A - Source Code Form License Notice

This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

You may add additional accurate notices of copyright ownership.

Exhibit B - Incompatible With Secondary Licenses Notice

This Source Code Form is Incompatible With Secondary Licenses, as defined by the Mozilla Public License, v. 2.0.

B.3.18 The Open LDAP Public License

The OpenLDAP Public License
Version 2.8, 17 August 2003

Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:

1. Redistributions in source form must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.

The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number.
You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.

B.3.19 OpenSSL License

OpenSSL License

Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org)
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6.
Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

B.3.20 WU-FTPD Software License

WU-FTPD SOFTWARE LICENSE

Use, modification, or redistribution (including distribution of any modified or derived work) in any form, or on any medium, is permitted only if all the following conditions are met:

1. Redistributions qualify as "freeware" or "Open Source Software" under the following terms:

a. Redistributions are made at no charge beyond the reasonable cost of materials and delivery. Where redistribution of this software is as part of a larger package or combined work, this restriction applies only to the costs of materials and delivery of this software, not to any other costs associated with the larger package or combined work.

b. Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to provide a copy of the Source Code for up to three years at the cost of materials and delivery. Such redistributions must allow further use, modification, and redistribution of the Source Code under substantially the same terms as this license. For the purposes of redistribution "Source Code" means all files included in the original distribution, including all modifications or additions, on a medium and in a form allowing fully working executable programs to be produced.

2. Redistributions of Source Code must retain the copyright notices as they appear in each Source Code file and the COPYRIGHT file, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below.

3. Redistributions in binary form must reproduce the Copyright Notice, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below, in the documentation and/or other materials provided with the distribution.
For the purposes of binary distribution the "Copyright Notice" refers to the following language:

Copyright (c) 1999,2000,2001 WU-FTPD Development Group.
All rights reserved.
Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 The Regents of the University of California.
Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
Portions Copyright (c) 1998 Sendmail, Inc.
Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman.
Portions Copyright (c) 1989 Massachusetts Institute of Technology.
Portions Copyright (c) 1997 Stan Barber.
Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 Free Software Foundation, Inc.
Portions Copyright (c) 1997 Kent Landfield.

Use and distribution of this software and its source code are governed by the terms and conditions of the WU-FTPD Software License ("LICENSE").

If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/license.html

4. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by the WU-FTPD Development Group, the Washington University at Saint Louis, Berkeley Software Design, Inc., and their contributors."

5. Neither the name of the WU-FTPD Development Group, nor the names of any copyright holders, nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission. The names "wuftpd" and "wu-ftpd" are trademarks of the WU-FTPD Development Group and the Washington University at Saint Louis.

6. Disclaimer/Limitation of Liability:

THIS SOFTWARE IS PROVIDED BY THE WU-FTPD DEVELOPMENT GROUP, THE COPYRIGHT HOLDERS, AND CONTRIBUTORS, "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE WU-FTPD DEVELOPMENT GROUP, THE COPYRIGHT HOLDERS, OR CONTRIBUTORS, BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7.
USE, MODIFICATION, OR REDISTRIBUTION, OF THIS SOFTWARE IMPLIES ACCEPTANCE OF ALL TERMS AND CONDITIONS OF THIS LICENSE.

B.3.21 zlib License

Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly Mark Adler
jloup@gzip.org, madler@alumni.caltech.edu

B.3.22 Python License, Version 2 (Python-2.0)

PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2
--------------------------------------------

This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation.

Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee.

In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python.

PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED.
BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.

PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

This License Agreement will automatically terminate upon a material breach of its terms and conditions.

Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.

By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement.

B.3.23 BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0
--------------------------------------------------

BEOPEN PYTHON OPEN SOURCE LICENSE AGREEMENT VERSION 1

This LICENSE AGREEMENT is between BeOpen.com ("BeOpen"), having an office at 160 Saratoga Avenue, Santa Clara, CA 95051, and the Individual or Organization ("Licensee") accessing and otherwise using this software in source or binary form and its associated documentation ("the Software").

Subject to the terms and conditions of this BeOpen Python License Agreement, BeOpen hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use the Software alone or in any derivative version, provided, however, that the BeOpen Python License is retained in the Software, alone or in any derivative version prepared by Licensee.

BeOpen is making the Software available to Licensee on an "AS IS" basis. BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.

BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

This License Agreement will automatically terminate upon a material breach of its terms and conditions.

This License Agreement shall be governed by and interpreted in all respects by the law of the State of California, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between BeOpen and Licensee. This License Agreement does not grant permission to use BeOpen trademarks or trade names in a trademark sense to endorse or promote products or services of Licensee, or any third party.
As an exception, the "BeOpen Python" logos available at http://www.pythonlabs.com/logos.html may be used according to the permissions granted on that web page.

By copying, installing or otherwise using the software, Licensee agrees to be bound by the terms and conditions of this License Agreement.

B.3.24 CNRI OPEN SOURCE LICENSE AGREEMENT (for Python 1.6b1)
------------------------------------------------------------

IMPORTANT: PLEASE READ THE FOLLOWING AGREEMENT CAREFULLY.

BY CLICKING ON "ACCEPT" WHERE INDICATED BELOW, OR BY COPYING, INSTALLING OR OTHERWISE USING PYTHON 1.6, beta 1 SOFTWARE, YOU ARE DEEMED TO HAVE AGREED TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.

This LICENSE AGREEMENT is between the Corporation for National Research Initiatives, having an office at 1895 Preston White Drive, Reston, VA 20191 ("CNRI"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 1.6, beta 1 software in source or binary form and its associated documentation, as released at the www.python.org Internet site on August 4, 2000 ("Python 1.6b1").

Subject to the terms and conditions of this License Agreement, CNRI hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python 1.6b1 alone or in any derivative version, provided, however, that CNRI's License Agreement is retained in Python 1.6b1, alone or in any derivative version prepared by Licensee.

Alternately, in lieu of CNRI's License Agreement, Licensee may substitute the following text (omitting the quotes): "Python 1.6, beta 1, is made available subject to the terms and conditions in CNRI's License Agreement. This Agreement may be located on the Internet using the following unique, persistent identifier (known as a handle): 1895.22/1011. This Agreement may also be obtained from a proxy server on the Internet using the URL: http://hdl.handle.net/1895.22/1011".

In the event Licensee prepares a derivative work that is based on or incorporates Python 1.6b1 or any part thereof, and wants to make the derivative work available to the public as provided herein, then Licensee hereby agrees to indicate in any such work the nature of the modifications made to Python 1.6b1.

CNRI is making Python 1.6b1 available to Licensee on an "AS IS" basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6b1 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.

CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING PYTHON 1.6b1, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

This License Agreement will automatically terminate upon a material breach of its terms and conditions.

This License Agreement shall be governed by and interpreted in all respects by the law of the State of Virginia, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between CNRI and Licensee.
This License Agreement does not grant permission to use CNRI trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.

By clicking on the "ACCEPT" button where indicated, or by copying, installing or otherwise using Python 1.6b1, Licensee agrees to be bound by the terms and conditions of this License Agreement.

ACCEPT

B.3.25 CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2
---------------------------------------------------------

Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam, The Netherlands. All rights reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stichting Mathematisch Centrum or CWI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.

STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA
OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

B.3.26 Zope Public License (ZPL) Version 2.0

Zope Public License (ZPL) Version 2.0
-------------------------------------

This software is Copyright (c) Zope Corporation (tm) and Contributors. All rights reserved.

This license has been certified as open source. It has also been designated as GPL compatible by the Free Software Foundation (FSF).

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions in source code must retain the above copyright notice, this list of conditions, and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

The name Zope Corporation (tm) must not be used to endorse or promote products derived from this software without prior written permission from Zope Corporation.

The right to distribute this software or to use it for any purpose does not give you the right to use Servicemarks (sm) or Trademarks (tm) of Zope Corporation. Use of them is covered in a separate agreement (see http://www.zope.com/Marks).

If any files are modified, you must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

Disclaimer

THIS SOFTWARE IS PROVIDED BY ZOPE CORPORATION ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL ZOPE CORPORATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of contributions made by Zope Corporation and many individuals on behalf of Zope Corporation. Specific attributions are listed in the accompanying credits file.

B.3.27 Zope Public License (ZPL) Version 2.1

Zope Public License (ZPL) Version 2.1
-------------------------------------

A copyright notice accompanies this license document that identifies the copyright holders.

This license has been certified as open source. It has also been designated as GPL compatible by the Free Software Foundation (FSF).

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions in source code must retain the above copyright notice, this list of conditions, and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.

The name Zope Corporation (tm) must not be used to endorse or promote products derived from this software without prior written permission from Zope Corporation.

The right to distribute this software or to use it for any purpose does not give you the right to use Servicemarks (sm) or Trademarks (tm) of Zope Corporation. Use of them is covered in a separate agreement (see http://www.zope.com/Marks).

If any files are modified, you must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

Disclaimer

THIS SOFTWARE IS PROVIDED BY ZOPE CORPORATION ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL ZOPE CORPORATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
