Extreme Networks AP3917E Wireless 802.11 a/ac+b/g/n Access Point User Manual WiNG 5 9 1 WC CLI
Extreme Networks, Inc. Wireless 802.11 a/ac+b/g/n Access Point WiNG 5 9 1 WC CLI
WiNG 5.9.1 CLI Reference Guide Part 2



PROFILES

Access Point, Wireless Controller and Service Platform CLI Reference Guide

7.1.36.3.5 ip

interface-config-vlan-instance

Configures the VLAN interface’s IP settings

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ip [address|dhcp|helper-address|nat|ospf]
ip helper-address <IP>
ip address [<IP/M>|<NETWORK-ALIAS-NAME>|dhcp|zeroconf]
ip address [<IP/M>|<NETWORK-ALIAS-NAME>|zeroconf] {secondary}
ip address dhcp
ip dhcp client request options all
ip nat [inside|outside]
ip ospf [authentication|authentication-key|bandwidth|cost|message-digest-key|priority]
ip ospf authentication [message-digest|null|simple-password]
ip ospf authentication-key simple-password [0 <WORD>|2 <WORD>]
ip ospf [bandwidth <1-10000000>|cost <1-65535>|priority <0-255>]
ip ospf message-digest-key key-id <1-255> md5 [0 <WORD>|2 <WORD>]
```

Parameters

`ip helper-address <IP>`

- `helper-address <IP>` – Enables DHCP and BOOTP requests forwarding for a set of clients. Configure a helper address on the VLAN interface connected to the client. The helper address should specify the address of the BOOTP or DHCP servers to receive the requests. If you have multiple servers, configure one helper address for each server.
  - `<IP>` – Specify the IP address of the DHCP or BOOTP server.

`ip address [<IP/M>|<NETWORK-ALIAS-NAME>|zeroconf] {secondary}`

- `address` – Sets the VLAN interface’s IP address
- `<IP/M>` – Specifies the interface IP address in the A.B.C.D/M format
  - `secondary` – Optional. Sets the specified IP address as a secondary address
- `<NETWORK-ALIAS-NAME>` – Uses a pre-defined network alias to provide this VLAN interface’s IP address. Specify the network alias name.
  - `secondary` – Optional. Sets the network-alias provided IP address as the secondary address
- `zeroconf {secondary}` – Uses Zero Configuration Networking (zeroconf) to generate an IP address for this interface. Zero configuration can be a means of providing a primary or secondary IP address for the virtual interface. Zero configuration (or zero config) is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect based on a user's preferences and various default settings. Zero config can be used instead of a wireless network utility from the manufacturer of a computer's wireless networking device.
  - `secondary` – Optional. Sets the generated IP address as a secondary address

`ip address dhcp`

- `address` – Sets the VLAN interface’s IP address
- `dhcp` – Uses a DHCP client to obtain an IP address for this VLAN interface

`ip dhcp client request options all`

- `dhcp` – Uses a DHCP client to configure a request on this VLAN interface
- `client` – Configures a DHCP client
- `request` – Configures DHCP client request
- `options` – Configures DHCP client request options
- `all` – Configures all DHCP client request options

`ip nat [inside|outside]`

- `nat [inside|outside]` – Defines NAT settings for the VLAN interface. NAT is disabled by default.
  - `inside` – Enables NAT on the inside interface. The inside network is transmitting data over the network to the intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.
  - `outside` – Enables NAT on the outside interface. Packets passing through the NAT on the way back to the managed LAN are searched against the records kept by the NAT engine. There, the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the network.

`ip ospf authentication [message-digest|null|simple-password]`

- `ospf authentication` – Configures OSPF authentication scheme. Options are message-digest, null, and simple-password.
- `message-digest` – Configures md5 based authentication
- `null` – No authentication required
- `simple-password` – Configures simple password based authentication

`ip ospf authentication-key simple-password [0 <WORD>|2 <WORD>]`

- `ospf authentication-key` – Configures an OSPF authentication key
- `simple-password [0 <WORD>|2 <WORD>]` – Configures a simple password OSPF authentication key
  - `0 <WORD>` – Configures clear text key
  - `2 <WORD>` – Configures encrypted key

`ip ospf [bandwidth <1-10000000>|cost <1-65535>|priority <0-255>]`

- `bandwidth <1-10000000>` – Configures bandwidth for the physical port mapped to this layer 3 interface
  - `<1-10000000>` – Specify the bandwidth from 1 - 10000000.
- `cost <1-65535>` – Configures OSPF cost
  - `<1-65535>` – Specify OSPF cost value from 1 - 65535.
- `priority <0-255>` – Configures OSPF priority
  - `<0-255>` – Specify OSPF priority value from 0 - 255.

`ip ospf message-digest-key key-id <1-255> md5 [0 <WORD>|2 <WORD>]`

- `ospf message-digest` – Configures message digest authentication parameters
- `key-id <1-255>` – Configures message digest authentication key ID from 0 - 255
- `md5 [0 <WORD>|2 <WORD>]` – Configures md5 key
  - `0 <WORD>` – Configures clear text key
  - `2 <WORD>` – Configures encrypted key

Example

```
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip address 10.0.0.1/8
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip nat inside
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip helper-address 172.16.10.3
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip dhcp client request options all
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
interface vlan8
 description "This VLAN interface is configured for the Sales Team"
 ip address 10.0.0.1/8
 ip dhcp client request options all
 ip helper-address 172.16.10.3
 ip nat inside
 crypto map map1
 dhcp-relay-incoming
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#
```

Related Commands

- `no` – Removes or resets IP settings on this interface
7.1.36.3.6 ipv6

interface-config-vlan-instance

Configures the VLAN interface’s IPv6 settings

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ipv6 [accept|address|dhcp|enable|enforce-dad|mtu|redirects|request-dhcpv6-options|router-advertisements]
ipv6 accept ra {(no-default-router|no-hop-limit|no-mtu)}
ipv6 address [<IPv6/M>|autoconfig|eui-64|link-local|prefix-from-provider]
ipv6 address [<IPv6/M>|autoconfig]
ipv6 address eui-64 [<IPv6/M>|prefix-from-provider <WORD> <IPv6-PREFIX/PREFIX-LENGTH>]
ipv6 address prefix-from-provider <WORD> <HOST-PORTION/LENGTH>
ipv6 address link-local <LINK-LOCAL-ADD>
ipv6 dhcp [client [information|prefix-from-provider <WORD>]|relay destination <DEST-IPv6-ADD>]
ipv6 [enable|enforce-dad|mtu <1280-1500>|redirects|request-dhcpv6-options]
ipv6 router-advertisements [prefix <IPv6-PREFIX>|prefix-from-provider <WORD>] {no-autoconfig|off-link|site-prefix|valid-lifetime}
```

Parameters

`ipv6 accept ra {(no-default-router|no-hop-limit|no-mtu)}`

- `ipv6 accept ra` – Enables processing of router advertisements (RAs) on this VLAN interface. This option is enabled by default. When enabled, IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to the request with a router advertisement packet containing Internet layer configuration parameters.
- `no-default-router` – Optional. Disables inclusion of routers on this interface in the default router selection process. This option is disabled by default.
- `no-hop-limit` – Optional. Disables the use of RA advertised hop-count value on this interface. This option is disabled by default.
- `no-mtu` – Optional. Disables the use of RA advertised MTU value on this interface. This option is disabled by default.
`ipv6 address [<IPv6/M>|autoconfig]`

- `ipv6 address [<IPv6/M>|autoconfig]` – Configures IPv6 address related settings on this VLAN interface
  - `<IPv6>` – Specify the non-link local static IPv6 address and prefix length of the interface in the X:X::X:X/M format.
  - `autoconfig` – Enables stateless auto-configuration of IPv6 address, based on the prefixes received from RAs (with auto-config flag set). These prefixes are used to auto-configure the IPv6 address. This option is enabled by default. Use the no > ipv6 > address > autoconfig command to negate the use of prefixes received in RAs.

`ipv6 address eui-64 [<IPv6/M>|prefix-from-provider <WORD> <IPv6-PREFIX/PREFIX-LENGTH>]`

- `ipv6 address eui-64` – Configures the IPv6 prefix and prefix length. This prefix is used to auto-generate the static IPv6 address (for this interface) in the modified Extended Unique Identifier (EUI)-64 format. Implementing the IEEE's 64-bit EUI64 format enables a host to automatically assign itself a unique 64-bit IPv6 interface identifier, without manual configuration or DHCP. This is accomplished on a virtual interface by referencing the already unique 48-bit MAC address, and reformatting it to match the EUI-64 specification. In the EUI-64 IPv6 address the prefix and host portions are each 64 bits in length.
- `<IPv6/M>` – Specify the IPv6 prefix and prefix length. This configured value is used as the prefix portion of the auto-generated IPv6 address, and the host portion is derived from the MAC address of the interface. Any bits of the configured value exceeding the prefix-length “M” are ignored and replaced by the host portion derived from the MAC address. For example:
  - Prefix portion provided using this command: ipv6 > address > eui-64 > 2004:b055:15:dead::1111/64.
  - Host portion derived using the interface’s MAC address (00-15-70-37-FB-5E): 215:70ff:fe37:fb5e
  - Auto-configured IPv6 address using the above prefix and host portions: 2004:b055:15:dead:215:70ff:fe37:fb5e/64
  - In this example, the host part “::1111” is ignored and replaced with the modified eui-64 formatted host address.
- `prefix-from-provider <WORD> <IPv6-PREFIX/PREFIX-LENGTH>` – Configures the “prefix-from-provider” named object and the associated IPv6 prefix and prefix length. This configured value is used as the prefix portion of the auto-generated IPv6 address, and the host portion is derived from the MAC address of the interface.
  - `<WORD>` – Specify the IPv6 “prefix-from-provider” object’s name. This is the IPv6 general prefix (32 character maximum) name provided by the Internet service provider.
  - `<IPv6-PREFIX/PREFIX-LENGTH>` – Specify the IPv6 address subnet and host parts along with prefix length (site-renumbering). For example:
    - Prefix portion provided using this command: ipv6 > address > eui-64 > prefix-from-provider > ISP1-prefix > 2002::/64
    - Host portion derived using the interface’s MAC address (00-15-70-37-FB-5E): 215:70ff:fe37:fb5e
    - Auto-configured IPv6 address using the above prefix and host portions: 2002::215:70ff:fe37:fb5e/64

`ipv6 address prefix-from-provider <WORD> <HOST-PORTION/LENGTH>`

- `ipv6 address` – Configures the IPv6 address related settings on this VLAN interface
- `prefix-from-provider <WORD> <HOST-PORTION/LENGTH>` – Configures the “prefix-from-provider” named object and the host portion of the IPv6 interface address. The prefix derived from the specified “prefix-from-provider” and the host portion (second parameter) are combined together (using the prefix-length of the specified “prefix-from-provider”) to generate the interface’s IPv6 address.
  - `<WORD>` – Provide the “prefix-from-provider” object’s name. This is the IPv6 general prefix (32 character maximum) name provided by the service provider.
  - `<HOST-PORTION/LENGTH>` – Provide the subnet number, host portion, and prefix length used to form the actual address along with the prefix derived from the “prefix-from-provider” object identified by the `<WORD>` keyword.

`ipv6 address link-local <LINK-LOCAL-ADD>`

- `ipv6 address` – Configures the IPv6 address related settings on this VLAN interface
- `link-local <LINK-LOCAL-ADD>` – Configures IPv6 link-local address on this interface. The configured value overrides the default link-local address derived from the interface’s MAC address. Use the no > ipv6 > link-local command to restore the default link-local address derived from MAC address. It is mandatory for an IPv6 interface to always have a link-local address.

`ipv6 dhcp [client [information|prefix-from-provider <WORD>]|relay destination <DEST-IPv6-ADD>]`

- `ipv6 dhcp client [information|prefix-from-provider <WORD>]` – Configures DHCPv6 client-related settings on this VLAN interface
  - `information` – Configures stateless DHCPv6 client on this interface. When enabled, the device can request configuration information from the DHCPv6 server using stateless DHCPv6. This option is disabled by default.
  - `prefix-from-provider` – Configures prefix-delegation client on this interface. Enter the IPv6 general prefix (32 character maximum) name provided by the service provider. This option is disabled by default.
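The EUI-64 derivation described for `ipv6 address eui-64`, as an added Python example (not code from the guide or from WiNG). It rebuilds both worked addresses from the MAC and prefix the guide uses and also shows the reverse step, recovering the MAC from an address, which is why EUI-64 addresses identify the hardware behind them. The function names are made up for this sketch.

```python
import ipaddress
import re


def mac_to_modified_eui64(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a MAC."""
    octets = bytes(int(part, 16) for part in re.split(r"[-:]", mac.strip()))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the OUI and the device-specific half.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Combine a configured prefix with the MAC-derived host portion.

    Bits of `prefix` beyond its prefix length are discarded, matching the
    guide's note that the "::1111" host part is ignored.
    """
    configured = ipaddress.IPv6Interface(prefix)
    plen = configured.network.prefixlen
    if plen > 64:
        raise ValueError("EUI-64 addressing needs a prefix of 64 bits or less")
    network_bits = int(configured.network.network_address)
    return ipaddress.IPv6Interface(
        (network_bits | mac_to_modified_eui64(mac), plen)
    )


def mac_from_eui64(address: str):
    """Recover the MAC embedded in an EUI-64 address, or None if absent."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None  # not a MAC-derived interface identifier
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:]
    return "-".join(f"{b:02X}" for b in mac)


if __name__ == "__main__":
    mac = "00-15-70-37-FB-5E"  # MAC used in the guide's examples
    for configured in ("2004:b055:15:dead::1111/64", "2002::/64"):
        result = eui64_address(configured, mac)
        print(f"{configured:<30} -> {result}")
        print(f"{'embedded MAC':<30} -> {mac_from_eui64(str(result.ip))}")
```
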
`ipv6 dhcp [client [information|prefix-from-provider <WORD>]|relay destination <DEST-IPv6-ADD>]` (continued)

- `relay destination <DEST-IPv6-ADD>` – Enables DHCPv6 packet forwarding on this VLAN interface
  - `destination` – Forwards DHCPv6 packets to a specified DHCPv6 relay
  - `<DEST-IPv6-ADD>` – Specify the destination DHCPv6 relay’s address.

  DHCPv6 relay enhances an extended DHCP relay agent by providing support in IPv6. DHCP relays exchange messages between a DHCPv6 server and client. A client and relay agent exist on the same link. When a DHCP request is received from the client, the relay agent creates a relay forward message and sends it to a specified server address. If no addresses are specified, the relay agent forwards the message to all DHCP server relay multicast addresses. The server creates a relay reply and sends it back to the relay agent. The relay agent then sends back the response to the client.

`ipv6 [enable|enforce-dad|mtu <1280-1500>|redirects|request-dhcp-options]`

- `ipv6` – Configures IPv6 settings on this VLAN interface
- `enable` – Enables IPv6 on this interface. This option is disabled by default.
- `enforce-dad` – Enforces Duplicate Address Detection (DAD) on wired ports. This option is enabled by default.
- `mtu <1280-1500>` – Configures the Maximum Transmission Unit (MTU) for IPv6 packets on this interface
  - `<1280-1500>` – Specify a value from 1280 - 1500. The default is 1500.
- `redirects` – Enables ICMPv6 redirect messages sending on this interface. This option is enabled by default.
- `request-dhcp-options` – Requests options from DHCPv6 server on this interface. This option is disabled by default.

`ipv6 router-advertisements [prefix <IPv6-PREFIX>|prefix-from-provider <WORD>] {no-autoconfig|off-link|site-prefix <SITE-PREFIX>|valid-lifetime}`

- `ipv6 router-advertisements` – Configures IPv6 RA related settings on this VLAN interface
- `prefix <IPv6-PREFIX>` – Configures a static prefix and its related parameters. The configured value is advertised on RAs.
  - `<IPv6-PREFIX>` – Specify the IPv6 prefix.
- `prefix-from-provider <WORD>` – Configures a static “prefix-from-provider” named object and its related parameters on this VLAN interface. The configured value is advertised on RAs.
  - `<WORD>` – Specify the “prefix-from-provider” named object’s name
- `no-autoconfig` – This parameter is common to the “general-prefix”, “prefix”, and “prefix-from-provider” keywords.
  - `no-autoconfig` – Optional. Disables the setting of the auto configuration flag in the prefix. When configured, the configured prefixes are not used for IPv6 address generation. The autoconfiguration option is enabled by default. Using no-autoconfig disables it.
- `off-link` – This parameter is common to the “general-prefix”, “prefix”, and “prefix-from-provider” keywords.
  - `off-link` – Optional. Disables the setting of the on-link flag in the prefix. The on-link option is enabled by default. Using off-link disables it.
- `site-prefix <SITE-PREFIX>` – This parameter is common to the “general-prefix”, “prefix”, and “prefix-from-provider” keywords.
  - `site-prefix <SITE-PREFIX>` – Configures subnet (site) prefix
- `valid-lifetime [<30-4294967294>|at|infinite] (preferred-lifetime)` – This parameter is common to the “general-prefix”, “prefix”, and “prefix-from-provider” keywords.
  - `valid-lifetime` – Configures the valid lifetime for the prefix
  - `preferred-lifetime` – Configures preferred lifetime for the prefix
  - `<30-4294967294>` – Configures the valid/preferred lifetime in seconds
  - `at` – Configures expiry time and date of the valid/preferred lifetime
  - `infinite` – Configures the valid/preferred lifetime as infinite

Example

```
rfs6000-81742D(config-profile-test-if-vlan4)#ipv6 enable
rfs6000-81742D(config-profile-test-if-vlan4)#ipv6 accept ra no-mtu
rfs6000-81742D(config-profile-test-if-vlan4)#ipv6 address eui-64 prefix-from-provider ISP1-prefix 2002::/64
rfs6000-81742D(config-profile-test-if-vlan4)#show context
interface vlan4
 ipv6 enable
 ipv6 address eui-64 prefix-from-provider ISP1-prefix 2002::/64
 ipv6 accept ra no-mtu
rfs6000-81742D(config-profile-test-if-vlan4)#
```

Related Commands

- `no` – Removes or resets IPv6 settings on this VLAN interface
7.1.36.3.7 no

interface-config-vlan-instance

Negates a command or reverts to defaults. The no command, when used in the Config Interface VLAN mode, negates VLAN interface settings or reverts them to their default.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [crypto|description|dhcp|dhcp-relay-incoming|ip|ipv6|shutdown|use]
no dhcp client include client-identifier
no [crypto map|description|dhcp-relay-incoming|shutdown]
no ip [address|dhcp|helper-address|nat|ospf]
no ip [helper-address <IP>|nat]
no ip address {<IP/M> {secondary}|<NETWORK-ALIAS-NAME> {secondary}|dhcp|zeroconf {secondary}}
no ip dhcp client request options all
no ip ospf [authentication|authentication-key|bandwidth|cost|message-digest-key|priority]
no ipv6 [accept|address|dhcp|enable|enforce-dad|mtu|redirects|request-dhcpv6-options|router-advertisement]
no ipv6 [accept ra|enable|enforce-dad|mtu|redirects|request-dhcpv6-options]
no ipv6 address [<IPv6/M>|autoconfig|eui-64|link-local|prefix-from-provider]
no ipv6 dhcp [client|relay]
no ipv6 router-advertisement [prefix <WORD>|prefix-from-provider <WORD>]
no use [bonjour-gw-discovery-policy|ip-access-list in|ipv6-access-list in|ipv6-router-advertisement-policy|url-filter]
```

Parameters

`no <PARAMETERS>`

- `no <PARAMETERS>` – Removes or reverts this VLAN interface’s settings based on the parameters passed

Example

The following example shows the VLAN interface settings before the ‘no’ commands are executed:

```
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
interface vlan8
 description "This VLAN interface is configured for the Sales Team"
 ip address 10.0.0.1/8
 ip dhcp client request options all
 ip helper-address 172.16.10.3
 ip nat inside
 crypto map map1
 dhcp-relay-incoming
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no crypto map
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no description
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no dhcp-relay-incoming
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no ip dhcp client request options all
```


7.1.36.3.9 use

interface-config-vlan-instance

Associates an IP (IPv4 and IPv6) access list, bonjour-gw-discovery policy, and an IPv6-router-advertisement policy with this VLAN interface

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
use [bonjour-gw-discovery-policy <POLICY-NAME>|ip-access-list in <IP-ACL-NAME>|ipv6-access-list in <IPv6-ACL-NAME>|ipv6-router-advertisement-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>]
```

Parameters

`use [bonjour-gw-discovery-policy <POLICY-NAME>|ip-access-list in <IP-ACL-NAME>|ipv6-access-list in <IPv6-ACL-NAME>|ipv6-router-advertisement-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>]`

- `bonjour-gw-discovery-policy <POLICY-NAME>` – Uses an existing Bonjour GW Discovery policy with this VLAN interface. When associated, the Bonjour GW Discovery policy is applied for the Bonjour requests coming over the VLAN interface.
  - `<POLICY-NAME>` – Specify the Bonjour GW Discovery policy name (should be existing and configured).

  For more information on Bonjour GW Discovery policy, see bonjour-gw-discovery-policy.
- `ip-access-list in <IP-ACCESS-LIST-NAME>` – Uses a specified IPv4 access list with this interface
  - `in` – Applies IPv4 ACL to incoming packets
  - `<IP-ACCESS-LIST-NAME>` – Specify the IPv4 access list name.
- `ipv6-access-list in <IPv6-ACCESS-LIST-NAME>` – Uses a specified IPv6 access list with this interface
  - `in` – Applies IPv6 ACL to incoming packets
  - `<IPv6-ACCESS-LIST-NAME>` – Specify the IPv6 access list name.
- `ipv6-router-advertisement-policy <POLICY-NAME>` – Uses an existing IPv6 router advertisement policy with this VLAN interface.
  - `<POLICY-NAME>` – Specify the IPv6 router advertisement policy name (should be existing and configured).
- `url-filter <URL-FILTER-NAME>` – Enforces URL filtering on this VLAN interface by associating a URL filter
  - `<URL-FILTER-NAME>` – Specify the URL filter name (should be existing and configured).



7.1.36.4.2 duplex

interface-config-port-channel-instance

Configures the duplex-mode (that is the data transmission mode) for this port channel interface

Supported in the following platforms:

- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
duplex [auto|half|full]
```

Parameters

`duplex [auto|half|full]`

- `duplex [auto|half|full]` – Configures the mode of data transmission as auto, full, or half
  - `auto` – Select this option to enable the controller, service platform, or access point to dynamically duplex as port channel performance needs dictate. This is the default setting.
  - `full` – Select this option to simultaneously transmit data to and from the port channel.
  - `half` – Select this option to send data over the port channel, then immediately receive data from the same direction in which the data was transmitted.

Example

```
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#duplex full
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
 description "This port-channel is for enabling dynamic LACP."
 duplex full
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
```

Related Commands

- `no` – Reverts the duplex-mode to the default value (auto)
7.1.36.4.3 ip

interface-config-port-channel-instance

Configures ARP and DHCP related security parameters on this port-channel interface

Supported in the following platforms:

- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ip [arp|dhcp]
ip arp [header-mismatch-validation|trust]
ip dhcp trust
```

Parameters

`ip arp [header-mismatch-validation|trust]`

- `ip arp [header-mismatch-validation|trust]` – Configures ARP related parameters on this port-channel interface
  - `header-mismatch-validation` – Enables a source MAC mismatch check in both the ARP and ethernet headers. This option is enabled by default.
  - `trust` – Enables ARP trust on this port channel. If enabled, ARP packets received on this port are considered trusted, and information from these packets is used to identify rogue devices. This option is disabled by default.

`ip dhcp trust`

- `ip dhcp trust` – Enables DHCP trust. If enabled, only DHCP responses are trusted and forwarded on this port channel, and a DHCP server can be connected only to a DHCP trusted port. This option is enabled by default.

Example

```
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
 description "This port-channel is for enabling dynamic LACP."
 duplex full
 ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
```

Related Commands

- `no` – Removes or reverts to default the ARP and DHCP security parameters configured
7.1.36.4.4 ipv6

interface-config-port-channel-instance

Configures IPv6 related parameters on this port-channel interface

Supported in the following platforms:

- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ipv6 [dhcpv6|nd]
ipv6 dhcpv6 trust
ipv6 nd [header-mismatch-validation|raguard|trust]
```

Parameters

`ipv6 dhcpv6 trust`

- `ipv6 dhcpv6 trust` – Enables DHCPv6 trust. If enabled, only DHCPv6 responses are trusted and forwarded on this port channel, and a DHCPv6 server can be connected only to a trusted port. This option is enabled by default.

`ipv6 nd [header-mismatch-validation|raguard|trust]`

- `ipv6 nd [header-mismatch-validation|raguard|trust]` – Configures IPv6 neighbor discovery (ND) parameters
  - `header-mismatch-validation` – Enables a mismatch check for the source MAC in both the ND header and link layer options. This option is disabled by default.
- `raguard` – Enables router advertisements or IPv6 redirects from this port. Router advertisements are periodically sent to hosts or are sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This option is enabled by default.
- `trust` – Enables DHCPv6 trust. If enabled, only DHCPv6 responses are trusted and forwarded on this port channel, and a DHCPv6 server can be connected only to a trusted port. This option is enabled by default.

Example

```
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ipv6 nd header-mismatch-validation
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ipv6 nd trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
 description "This port-channel is for enabling dynamic LACP."
 duplex full
 ipv6 nd trust
 ipv6 nd header-mismatch-validation
 ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
```

Related Commands

- `no` – Removes or reverts to default the IPv6 related parameters on this port-channel interface
7.1.36.4.5 port-channel

interface-config-port-channel-instance

Configures client load balancing parameters on this port-channel interface

Supported in the following platforms:

- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
port-channel load-balance [src-dst-ip|src-dst-mac]
```

Parameters

`port-channel load-balance [src-dst-ip|src-dst-mac]`

- `port-channel load-balance [src-dst-ip|src-dst-mac]` – Specifies whether port channel load balancing is conducted using a source/destination IP or a source/destination MAC.
  - `src-dst-ip` – Uses a source/destination IP to conduct client load balancing. This is the default setting.
  - `src-dst-mac` – Uses a source/destination MAC to conduct client load balancing

Example

```
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
interface port-channel1
 description "This port-channel is for enabling dynamic LACP."
 duplex full
 ipv6 nd trust
 ipv6 nd header-mismatch-validation
 ip arp trust
 port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
```

Related Commands

- `no` – Removes or reverts to default the client load balancing parameters on this port-channel interface
7.1.36.4.6 qos

interface-config-port-channel-instance

Configures Quality of Service (QoS) related parameters on this port-channel interface

Supported in the following platforms:

- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
qos trust [802.1p|dscp]
```

Parameters

`qos trust [802.1p|dscp]`

- `qos trust [802.1p|dscp]` – Configures the following QoS related parameters:
  - `802.1p` – Trusts 802.1p class of service (COS) values ingressing on this port channel. This option is enabled by default.
  - `dscp` – Trusts IP DSCP QOS values ingressing on this port channel. This option is enabled by default.

Example

```
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#qos trust dscp
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
```

Related Commands

- `no` – Removes the QoS related parameters configured on this port-channel interface
![CLI Reference Guide page 7-242](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-24.png)

7.1.36.4.7 no

interface-config-port-channel-instance

Removes or reverts to default this port-channel interface’s settings

Supported in the following platforms:

- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no beacon [description|duplex|ip|ipv6|port-channel|qos|shutdown|spanning-tree|speed|switchport|use]
```

Parameters

- no <PARAMETERS> – Removes or reverts to default this port-channel interface’s settings based on the parameters passed
  - <PARAMETERS> – Specify the parameters.

Example

The following example shows the port-channel interface’s settings before the ‘no’ commands are executed:

```
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 description "This port-channel is for enabling dynamic LACP."
 speed 100
 duplex full
 switchport mode trunk
 switchport trunk native vlan 1
 no switchport trunk native tagged
 switchport trunk allowed vlan 1
 use ip-access-list in BROADCAST-MULTICAST-CONTROL
 ipv6 nd trust
 ipv6 nd header-mismatch-validation
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
 spanning-tree mst 1 port-priority 1
 spanning-tree mst 1 cost 20000
 ip arp trust
 port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no duplex
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no ip arp trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no ipv6 nd trust
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no port-channel load-balance
```


![CLI Reference Guide page 7-245](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-27.png)
![CLI Reference Guide page 7-246](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-28.png)

7.1.36.4.9 spanning-tree

interface-config-port-channel-instance

Configures spanning-tree related parameters on this port-channel interface

Supported in the following platforms:

- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|port-cisco-interoperability|portfast]
spanning-tree [bpdufilter|bpduguard] [default|disable|enable]
spanning-tree [force-version <0-3>|guard root|portfast|port-cisco-interoperability [disable|enable]]
spanning-tree link-type [point-to-point|shared]
spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]
```

Parameters

- spanning-tree [bpdufilter|bpduguard] [default|disable|enable] – Configures the following BPDU related parameters for this port channel:
  - bpdufilter – Configures the BPDU filtering options. The options are:
    - default – When selected, makes the bridge BPDU filter value take effect. This is the default setting.
    - disable – Disables BPDU filtering
    - enable – Enables BPDU filtering. Enabling the BPDU filter feature ensures this port channel does not transmit or receive any BPDUs.
  - bpduguard – Configures the BPDU guard options. The options are:
    - default – When selected, makes the bridge BPDU guard value take effect. This is the default setting.
    - disable – Disables guarding this port from receiving BPDUs
    - enable – Enables BPDU guarding. Enabling the BPDU guard feature means this port will shut down on receiving a BPDU. Thus, no BPDUs are processed.

  Execute the portfast command to ensure that fast transitions are enabled on this port channel before configuring BPDU filtering and guarding.

- spanning-tree [force-version <0-3>|guard root|portfast|port-cisco-interoperability [disable|enable]] – Configures the following MSTP related parameters for this port channel:
  - force-version <0-3> – Sets the protocol version to either STP(0), Not Supported(1), RSTP(2) or MSTP(3). MSTP is the default setting.
  - guard root – Enforces root bridge placement. Setting the guard to Root ensures the port is a designated port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together. If the bridge receives superior BPDUs on a guard root-enabled port, the guard root moves the port to a root-inconsistent STP state. This state is equivalent to a listening state. No data is forwarded across the port. Thus, the guard root enforces the root bridge position.
  - portfast – Enables fast transitions on this port channel. When enabled, BPDU filtering and guarding can be enforced on this port. Enable the portfast option and then use the ‘bpdufilter’ and ‘bpduguard’ options to configure BPDU filtering and guarding parameters. This option is disabled by default.
  - port-cisco-interoperability [disable|enable] – Enables or disables interoperability with Cisco's version of MSTP, which is incompatible with standard MSTP. This option is disabled by default.

- spanning-tree link-type [point-to-point|shared] – Configures the link type applicable on this port channel. The options are:
  - point-to-point – Configures a point-to-point link, which indicates the port should be treated as connected to a point-to-point link. Note, a port connected to the wireless device is a point-to-point link. This is the default setting.
  - shared – Configures a shared link, which indicates this port should be treated as having a shared connection. Note, a port connected to a hub is on a shared link.

- spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>] – Configures the following Multiple Spanning Tree (MST) parameters on this port:
  - mst <0-15> – Select the MST instance from 0 - 15.
  - cost <1-200000000> – Configures the port cost from 1 - 200000000. The default path cost depends on the user defined port speed. The cost helps determine the role of the port channel in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost.
  - port-priority <0-240> – Configures the port priority from 0 - 240. The lower the priority, the greater the likelihood of the port becoming a designated port.

Example

```
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree portfast
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree bpdufilter enable
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree bpduguard enable
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree force-version 3
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree mst 1 cost 20000
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree mst 1 port-priority 1
```

![CLI Reference Guide page 7-248](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-30.png)

7.1.36.4.10 speed

interface-config-port-channel-instance

Configures the speed at which this port-channel interface receives and transmits data

Supported in the following platforms:

- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
speed [10|100|1000|auto]
```

Parameters

- speed [10|100|1000|auto] – Configures the data receive-transmit speed for this port channel. The options are:
  - 10 – 10 Mbps
  - 100 – 100 Mbps
  - 1000 – 1000 Mbps
  - auto – Enables the system to auto select the speed. This is the default setting.

  Select one of these options to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port. The auto option enables the port-channel to automatically exchange information about data transmission speed and duplex capabilities. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis.

Example

```
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#speed 100
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  speed 100
  duplex full
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  spanning-tree portfast
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
  spanning-tree mst 1 port-priority 1
  spanning-tree mst 1 cost 20000
  ip arp trust
  port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
```

Related Commands

- no – Removes or reverts to default the speed at which this port-channel interface receives and transmits data
![CLI Reference Guide page 7-249](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-31.png)
![CLI Reference Guide page 7-250](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-32.png)

7.1.36.4.11 switchport

interface-config-port-channel-instance

Configures the VLAN switching parameters for this port-channel interface

Supported in the following platforms:

- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
switchport [access|mode|trunk]
switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
switchport mode [access|trunk]
switchport trunk [allowed|native]
switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]
```

Parameters

- switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
  - access vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the VLAN to which this port-channel interface is mapped when the switching mode is set to access.
    - <1-4094> – Specify the SVI VLAN ID from 1 - 4094.
    - <VLAN-ALIAS-NAME> – Specify the VLAN alias name (should be existing and configured).

- switchport mode [access|trunk]
  - mode [access|trunk] – Configures the VLAN switching mode over the port channel
    - access – If selected, the port channel accepts packets only from the native VLANs. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN. This is the default setting.
    - trunk – If selected, the port channel allows packets from a list of VLANs you add to the trunk. A port channel configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN which can be tagged or untagged.

- switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
  - trunk allowed – If configuring the VLAN switching mode as trunk, use this option to configure the VLANs allowed on this port channel. Add VLANs that exclusively send packets over the port channel.
  - vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>] – Use this keyword to add/remove the allowed VLANs
    - <VLAN-ID> – Allows a group of VLAN IDs. Specify the VLAN IDs, can be either a range (55-60) or a comma-separated list (35, 41, etc.)
    - none – Allows no VLANs to transmit or receive through the layer 2 interface
    - add <VLAN-ID> – Adds VLANs to the current list
      - <VLAN-ID> – Specify the VLAN IDs. Can be either a range of VLANs (55-60) or a list of comma-separated IDs (35, 41, etc.)
    - remove <VLAN-ID> – Removes VLANs from the current list
      - <VLAN-ID> – Specify the VLAN IDs. Can be either a range of VLANs (55-60) or a list of comma-separated IDs (35, 41, etc.)

    Allowed VLANs are configured only when the switching mode is set to “trunk”.

- switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]
  - trunk – If configuring the VLAN switching mode as trunk, use this option to configure the native VLAN on this port channel.
  - native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]] – Configures the native VLAN ID for the trunk-mode port. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
    - tagged – Tags the native VLAN. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header enabling upstream Ethernet devices to know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame.
    - vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Sets the native VLAN for classifying untagged traffic when the interface is in trunking mode.
      - <1-4094> – Specify a value from 1 - 4094.
      - <VLAN-ALIAS-NAME> – Specify the VLAN alias name used to identify the VLANs. The VLAN alias should be existing and configured.

Example

```
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#switchport mode trunk
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  speed 100
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  spanning-tree portfast
  spanning-tree bpduguard enable
  spanning-tree bpdufilter enable
  spanning-tree mst 1 port-priority 1
  spanning-tree mst 1 cost 20000
  ip arp trust
  port-channel load-balance src-dst-mac
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
```

Related Commands

- no – Removes the packet switching parameters configured on this port-channel interface
![CLI Reference Guide page 7-251](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-33.png)

7.1.36.4.12 use

interface-config-port-channel-instance

Configures access controls on this port-channel interface

Supported in the following platforms:

- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
use [ip-access-list|ipv6-access-list|mac-access-list] in <IP/IPv6/MAC-ACCESS-LIST-NAME>
```

Parameters

- use [ip-access-list|ipv6-access-list|mac-access-list] in <IP/IPv6/MAC-ACCESS-LIST-NAME> – Associates an access list controlling the inbound traffic on this port channel.
  - ip-access-list – Specify the IPv4 specific firewall rules to apply to this profile’s port channel configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.
  - ipv6-access-list – Specify the IPv6 specific firewall rules to apply to this profile’s port channel configuration. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
  - mac-access-list – Specify the MAC specific firewall rules to apply to this profile’s port channel configuration.
  - <IP/IPv6/MAC-ACCESS-LIST-NAME> – Provide the IPv4, IPv6, or MAC access list name based on the option selected. The access list specified should be existing and configured.

Example

```
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#use ip-access-list in BROADCAST-MULTICAST-CONTROL
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
 interface port-channel1
  description "This port-channel is for enabling dynamic LACP."
  speed 100
  duplex full
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1
  use ip-access-list in BROADCAST-MULTICAST-CONTROL
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  spanning-tree portfast
--More--
nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
```

Related Commands

- no – Removes the access controls configured on this port-channel interface
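The following is an added example, not code from the guide or from Extreme Networks. It reads a port-channel `show context` block and checks it against constraints stated in the spanning-tree, switchport and use sections: portfast before BPDU filter/guard, allowed VLANs applying only in trunk mode, VLAN IDs within 1 - 4094, and an inbound access list attached with `use`. The function names, finding codes and second sample are constructed; the filter-plus-guard finding is a reading of the two option descriptions, not a documented precedence rule.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # VLAN ID range stated in the guide


def expand_vlans(spec):
    """Expand an allowed-VLAN list such as '35, 41, 55-60' into sorted IDs."""
    ids = set()
    for token in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError(f"unparseable VLAN token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN out of range 1-4094: {token!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def parse_context(text):
    """Collect the audited settings; unknown lines and 'no ...' lines are ignored."""
    cfg = {"mode": "access",  # the guide gives access as the default mode
           "allowed": None, "portfast": False,
           "bpduguard": "default", "bpdufilter": "default", "acls": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.fullmatch(r"switchport mode (access|trunk)", line)):
            cfg["mode"] = m.group(1)
        elif (m := re.fullmatch(r"switchport trunk allowed vlan (.+)", line)):
            cfg["allowed"] = [] if m.group(1) == "none" else expand_vlans(m.group(1))
        elif line == "spanning-tree portfast":
            cfg["portfast"] = True
        elif (m := re.fullmatch(
                r"spanning-tree (bpduguard|bpdufilter) (default|disable|enable)", line)):
            cfg[m.group(1)] = m.group(2)
        elif (m := re.fullmatch(r"use (ip|ipv6|mac)-access-list in (\S+)", line)):
            cfg["acls"].append((m.group(1), m.group(2)))
    return cfg


def audit(text):
    """Return (code, message) findings for one port-channel context block."""
    cfg = parse_context(text)
    guard = cfg["bpduguard"] == "enable"
    bfilter = cfg["bpdufilter"] == "enable"
    findings = []
    if (guard or bfilter) and not cfg["portfast"]:
        findings.append(("STP-PORTFAST",
                         "BPDU filter/guard set without 'spanning-tree portfast'"))
    if guard and bfilter:
        findings.append(("STP-FILTER-GUARD",
                         "bpdufilter stops the port receiving BPDUs; "
                         "review whether bpduguard can still trigger"))
    if cfg["allowed"] is not None and cfg["mode"] != "trunk":
        findings.append(("TRUNK-ALLOWED-UNUSED",
                         "allowed VLANs only apply when mode is trunk"))
    if not cfg["acls"]:
        findings.append(("NO-INBOUND-ACL",
                         "no access list attached with 'use ... in'"))
    return findings


# Settings as shown in the guide's example output for port-channel1.
GUIDE_SAMPLE = """\
interface port-channel1
 description "This port-channel is for enabling dynamic LACP."
 speed 100
 duplex full
 switchport mode trunk
 switchport trunk native vlan 1
 no switchport trunk native tagged
 switchport trunk allowed vlan 1
 use ip-access-list in BROADCAST-MULTICAST-CONTROL
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
 port-channel load-balance src-dst-mac
"""

# Constructed sample: trunk VLAN list left on an access-mode port, no portfast, no ACL.
CONSTRUCTED_SAMPLE = """\
interface port-channel2
 switchport trunk allowed vlan 35,41,55-60
 spanning-tree bpduguard enable
"""

if __name__ == "__main__":
    for name, sample in (("guide", GUIDE_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        for code, message in audit(sample):
            print(f"{name}: {code}: {message}")
```
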




![CLI Reference Guide page 7-256](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-38.png)

7.1.36.5.1 adaptivity

interface-config-radio-instance

Configures an interval, in minutes, for avoiding channels detected with high levels of interference

As per the European Telecommunications Standards Institute’s (ETSI) EN 300 328 V1.8.1/ ETSI EN 301 893 V1.7.1 requirements, access points have to monitor interference levels on operating channels, and stop functioning on channels with interference levels exceeding ETSI-specified threshold values.

This command configures the interval for which a channel is avoided on detection of interference, and is applicable only if the channel selection mode is set to ACS, Random, or Fixed.

When configured, this feature ensures recovery by switching the radio to a new operating channel. Once adaptivity is triggered, the evacuated channel becomes inaccessible and is available again only after the adaptivity timeout, specified here, expires. In case of fixed channel, the radio switches back to the original channel of operation after the adaptivity timeout expires. On the other hand, ACS-enabled radios continue operating on the new channel even after the adaptivity timeout period expires.

NOTE: If the channel selection mode is set to Smart, in the Smart-RF policy mode, use the avoidance-time > [adaptivity|dfs] > <30-3600> command to specify the interval for which a channel is avoided on detection of high levels of interference or radar. For more information, see avoidance-time.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
adaptivity [recovery|timeout <30-3600>]
```

Parameters

- adaptivity [recovery|timeout <30-3600>]
  - adaptivity – Configures adaptivity parameters on the radio. These parameters are: recovery and timeout.
  - recovery – Enables switching of channels when an access point’s radio is in the adaptivity mode. In the adaptivity mode, an access point monitors interference on its set channel and stops functioning when the radio’s defined interference tolerance level is exceeded. When the defined adaptivity timeout is exceeded, the radio resumes functionality on a different channel. This option is enabled by default.
  - timeout <30-3600> – Configures an adaptivity timeout
    - <30-3600> – Specify a value from 30 - 3600 minutes. The default is 90 minutes.

Example

```
nx4500-5CFA2B(config-profile-testAP7532-if-radio1)#adaptivity timeout 200
nx4500-5CFA2B(config-profile-testAP7532-if-radio1)#show context
 interface radio1
  adaptivity timeout 200
nx4500-5CFA2B(config-profile-testAP7532-if-radio1)#
```

Related Commands

- no – Removes the configured adaptivity timeout value and disables adaptivity recovery
![CLI Reference Guide page 7-257](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-39.png)

7.1.36.5.2 aeroscout

interface-config-radio-instance

Enables Aeroscout multicast packet forwarding. This feature is disabled by default.

Supported in the following platforms:

- Access Points — AP6532, AP7502, AP7522

Syntax

```
aeroscout [forward ip <IP> port <0-65535>|mac <MAC>]
```

Parameters

- aeroscout [forward ip <IP> port <0-65535>|mac <MAC>]
  - aeroscout – Enables Aeroscout packet forwarding and configures the packet forwarding parameters
  - forward ip <IP> port <0-65535> – Configures the following Aeroscout locationing engine details:
    - ip – Configures Aeroscout engine’s IP address
      - <IP> – Specify the Aeroscout engine’s IP address. When specified, the AP forwards Aeroscout beacons directly to the Aeroscout locationing engine without proxying through the controller or RF Domain manager.
    - port – Configures the port on which the Aeroscout engine is reachable
      - <0-65535> – Specify the port number from 0 - 65535.
  - mac <MAC> – Configures the multicast MAC address to forward the Aeroscout packets
    - <MAC> – Specify the MAC address in the AA-BB-CC-DD-EE-FF format. The default value is 01-0C-CC-00-00-00.

Example

```
nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#aeroscout forward ip 10.233.84.206 port 22
nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#show context
 interface radio2
  aeroscout forward ip 10.233.84.206 port 22
nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#
```

Related Commands

- no – Disables Aeroscout packet forwarding
![CLI Reference Guide page 7-258](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-40.png)
![CLI Reference Guide page 7-259](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-41.png)

7.1.36.5.3 aggregation

interface-config-radio-instance

Configures 802.11n frame aggregation parameters. Frame aggregation increases throughput by sending two or more data frames in a single transmission. There are two types of frame aggregation: MAC Service Data Unit (MSDU) aggregation and MAC Protocol Data Unit (MPDU) aggregation. Both modes group several data frames into one large data frame.

Supported in the following platforms:

- Access Points — AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
aggregation [ampdu|amsdu]
aggregation ampdu [rx-only|tx-only|tx-rx|none|max-aggr-size|min-spacing]
aggregation ampdu [rx-only|tx-only|tx-rx|none]
aggregation ampdu max-aggr-size [rx|tx]
aggregation ampdu max-aggr-size rx [8191|16383|32767|65535]
aggregation ampdu max-aggr-size tx <2000-65535>
aggregation ampdu min-spacing [0|1|2|4|8|16]
aggregation amsdu [rx-only|tx-rx]
```

Parameters

- aggregation ampdu [rx-only|tx-only|tx-rx|none]
  - aggregation – Configures 802.11n frame aggregation parameters
  - ampdu – Configures Aggregate MAC Protocol Data Unit (AMPDU) frame aggregation parameters. AMPDU aggregation collects Ethernet frames addressed to a single destination. It wraps each frame in an 802.11n MAC header. This aggregation mode is less efficient, but more reliable in environments with high error rates. It enables the acknowledgement and retransmission of each aggregated data frame individually.
  - tx-only – Supports the transmission of AMPDU aggregated frames only
  - rx-only – Supports the receipt of AMPDU aggregated frames only
  - tx-rx – Supports the transmission and receipt of AMPDU aggregated frames (default setting)
  - none – Disables support for AMPDU aggregation

- aggregation ampdu max-aggr-size rx [8191|16383|32767|65535]
  - aggregation – Configures 802.11n frame aggregation parameters
  - ampdu – Configures AMPDU frame aggregation parameters
  - max-aggr-size – Configures AMPDU packet size limits. Configure the packet size limit on packets both transmitted and received.
  - rx [8191|16383|32767|65535] – Configures the maximum limit (in bytes) advertised for received frames
    - 8191 – Advertises a maximum of 8191 bytes
    - 16383 – Advertises a maximum of 16383 bytes
    - 32767 – Advertises a maximum of 32767 bytes
    - 65535 – Advertises a maximum of 65535 bytes (default setting)

- aggregation ampdu max-aggr-size tx <2000-65535>
  - aggregation – Configures 802.11n frame aggregation parameters
  - ampdu – Configures AMPDU frame aggregation parameters
  - max-aggr-size – Configures AMPDU packet size limits. Configure the packet size limit on packets both transmitted and received.
  - tx <2000-65535> – Configures the maximum size (in bytes) for AMPDU aggregated transmitted frames
    - <2000-65535> – Sets the limit from 2000 - 65535 bytes. The default is 65535 bytes.

- aggregation ampdu min-spacing [0|1|2|4|8|16|auto]
  - aggregation – Configures 802.11n frame aggregation parameters
  - ampdu – Configures AMPDU frame aggregation parameters
  - min-spacing [0|1|2|4|8|16] – Configures the minimum gap, in microseconds, between AMPDU frames
    - 0 – Configures the minimum gap as 0 microseconds
    - 1 – Configures the minimum gap as 1 microsecond
    - 2 – Configures the minimum gap as 2 microseconds
    - 4 – Configures the minimum gap as 4 microseconds
    - 8 – Configures the minimum gap as 8 microseconds
    - 16 – Configures the minimum gap as 16 microseconds
    - auto – Auto configures the minimum gap depending on the platform and radio type (default setting)

- aggregation amsdu [rx-only|tx-rx]
  - aggregation – Configures 802.11n frame aggregation parameters
  - amsdu – Configures Aggregated MAC Service Data Unit (AMSDU) frame aggregation parameters. AMSDU aggregation collects Ethernet frames addressed to a single destination. But, unlike AMPDU, it wraps all frames in a single 802.11n frame.
  - rx-only – Supports the receipt of AMSDU aggregated frames only (default setting)
  - tx-rx – Supports the transmission and receipt of AMSDU aggregated frames







![CLI Reference Guide page 7-267](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-49.png)

7.1.36.5.9 antenna-mode

interface-config-radio-instance

Configures the antenna mode (the number of transmit and receive antennas) on the access point

This command sets the number of transmit and receive antennas on the access point. The 1x1 mode is used for transmissions over just the single -A- antenna, 1xALL is used for transmissions over the -A- antenna and all three antennas for receiving. The 2x2 mode is used for transmissions and receipts over two antennas for dual antenna models. 3x3x3 is used for transmissions and receipts over three antennas for AP81XX models. The default setting is dynamic based on the access point model deployed and its transmit power settings.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
antenna-mode [1*1|1*ALL|2*2|3*3|default]
```

Parameters

- antenna-mode [1*1|1*ALL|2*2|default]
  - antenna-mode – Configures the antenna mode
  - 1*1 – Uses only antenna A to receive and transmit
  - 1*ALL – Uses antenna A to transmit and receives on all antennas
  - 2*2 – Uses antennas A and C for both transmit and receive
  - 3*3 – Uses antenna A, B, and C for both transmit and receive
  - default – Uses default antenna settings. This is the default setting.

Usage Guidelines

To support STBC feature on AP7161 profile, the antenna-mode should not be configured to 1*1.

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-mode 2x2
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  antenna-mode 2x2
  antenna-diversity
  airtime-fairness prefer-ht weight 6
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
```

Related Commands

- no – Resets the radio antenna mode (the number of transmit and receive antennas) to its default
![CLI Reference Guide page 7-268](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-50.png)

7.1.36.5.10 assoc-response

interface-config-radio-instance

Configures the parameters determining whether the access point ignores or responds to an association/authorization request

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
assoc-response [deny-threshold <1-12>|rssi-threshold <-128--40>]
```

Parameters

- assoc-response [deny-threshold <1-12>|rssi-threshold <-128--40>]
  - assoc-response – Configures the following thresholds, based on which the AP ignores or responds to an association/authorization request: deny-threshold and rssi-threshold. Both these options are disabled by default.
  - deny-threshold <1-12> – Configures the number of times the AP ignores association/authorization requests, if the RSSI is below the configured RSSI threshold value
    - <1-12> – Specify a value from 1 - 12.

    Note: The AP always ignores association/authorization requests when deny-threshold is not specified and rssi-threshold is specified.
  - rssi-threshold <-128--40> – Configures the RSSI threshold. If the RSSI is lower than the threshold configured here, the AP ignores the association/authorization request.
    - <-128--40> – Specify the RSSI threshold from -128 - -40 dBi.

Example

```
rfs6000-37FABE(config-profile-71XXTestProfile-if-radio1)#assoc-response rssi-threshold -128
rfs6000-37FABE(config-profile-71XXTestProfile-if-radio1)#show context
 interface radio1
  assoc-response rssi-threshold -128
rfs6000-37FABE(config-profile-71XXTestProfile-if-radio1)#
```

Related Commands

- no – Removes the RSSI threshold, based on which an association/authorization request is either ignored or responded to.

![CLI Reference Guide page 7-270](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-52.png)

7.1.36.5.12 beacon

interface-config-radio-instance

Configures radio beacon parameters

A beacon is a packet broadcasted by adopted radios to keep the network synchronized. Included in a beacon is information, such as the WLAN service area, the radio address, the broadcast destination addresses, a time stamp, and indicators about traffic and delivery such as a Delivery Traffic Indication Message (DTIM). Increase the DTIM/beacon settings (lengthening the time) to let nodes sleep longer and preserve battery life. Decrease these settings (shortening the time) to support streaming-multicast audio and video applications that are jitter sensitive.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
beacon [dtim-period|period]
beacon dtim-period [<1-50>|bss]
beacon dtim-period [<1-50>|bss <1-16> <1-50>]
beacon period [50|100|200]
```

Parameters

- beacon dtim-period [<1-50>|bss <1-8> <1-50>]
- beacon period [50|100|200]
  - beacon – Configures radio beacon parameters
  - dtim-period – Configures the radio DTIM interval. A DTIM is a message that informs wireless clients about the presence of buffered multicast or broadcast data. These are simple data frames that require no acknowledgement, so nodes sometimes miss them. Increase the DTIM/beacon settings (lengthening the time) to let nodes sleep longer and preserve their battery life. Decrease these settings (shortening the time) to support streaming multicast audio and video applications that are jitter-sensitive.
  - <1-50> – Configures a single value to use on the radio. Specify a value between 1 and 50.
  - bss <1-16> <1-50> – Configures a separate DTIM for a Basic Service Set (BSS) on this radio interface
    - <1-16> – Sets the BSS number from 1 - 16
    - <1-50> – Sets the BSS DTIM from 1 - 50. The default is 2.
  - period [50|100|200] – Configures the beacon period (the interval between consecutive radio beacons)
    - 50 – Configures 50 K-uSec interval between beacons
    - 100 – Configures 100 K-uSec interval between beacons (default)
    - 200 – Configures 200 K-uSec interval between beacons

7.1.36.5.13 bridge

interface-config-radio-instance

Configures the client-bridge parameters for radios with rf-mode set to bridge. When configured as a client bridge, the radio can authenticate and associate to the Wireless LAN (WLAN) hosted on the infrastructure access point. After successfully associating with the infrastructure WLAN, the client-bridge access point switches frames between its bridge radio and wired/wireless client(s) connected either to its GE port(s) or to the other radio, thereby providing the clients access to the infrastructure WLAN resources.

Supported in the following platforms:
- Access Points — AP6522, AP6562, AP7522, AP7532, AP7562, AP7602, AP7622

Syntax

```
bridge [authentication-type [eap|none]|channel-dwell-time <50-2000>|channel-list [2.4GHz|5GHz] <LIST>|connect-through-bridges|eap [password <PASSWORD>|type [peap-mschapv2|tls]|username <USERNAME>]|encryption-type [ccmp|none|tkip]|inactivity-timeout <0-864000>|keepalive [frame-type [null-data|wnmp]|interval <0-36000>]|max-clients <1-64>|on-link-loss shutdown-other-radio <1-1800>|on-link-up refresh-vlan-interface|roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>]|ssid <SSID>|wpa-wpa2 psk [0|2|<LINE>]]
```

NOTE: The radio interface configured to form the client-bridge will not be able to service wireless clients as its RF mode is set to bridge and not 2.5 GHz or 5.0 GHz.

Parameters
- bridge [authentication-type [eap|none]|channel-dwell-time <50-2000>|channel-list [2.4GHz|5GHz] <LIST>|connect-through-bridges|eap [password <PASSWORD>|type [peap-mschapv2|tls]|username <USERNAME>]|encryption-type [ccmp|none|tkip]|inactivity-timeout <0-864000>|keepalive [frame-type [null-data|wnmp]|interval <0-36000>]|max-clients <1-64>|on-link-loss shutdown-other-radio <1-1800>|on-link-up refresh-vlan-interface|roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>]|ssid <SSID>|wpa-wpa2 psk [0|2|<LINE>]]

bridge – Configures client-bridge related parameters on the selected radio. Prior to configuring the client-bridge parameters, set the radio’s rf-mode to bridge.

authentication-type [eap|none] – Configures the authentication method used to authenticate with the infrastructure WLAN. The authentication mode specified here should be the same as that configured on the infrastructure WLAN. The options are:
- eap – Uses EAP authentication (802.1X). If using EAP, use the ‘eap’ keyword to configure EAP related parameters.
- none – Uses no authentication. This is the default setting.

channel-dwell-time <50-2000> – Configures the channel-dwell time in milliseconds. This is the time the client-bridge radio dwells on each channel (configured in the channel-list) when scanning for an infrastructure WLAN.
- <50-2000> – Specify a value from 50 - 2000 milliseconds. The default is 150 milliseconds.

channel-list [2.4GHz|5GHz] <LIST> – Configures the list of channels the radio scans when scanning for an infrastructure WLAN access point to associate with
- 2.4GHz <LIST> – Configures a list of channels for scanning across all the channels in the 2.4GHz radio band
- 5GHz <LIST> – Configures a list of channels for scanning across all the channels in the 5.0 GHz radio band

The following parameter is common to both of the 2.5 GHz and 5.0 GHz bands:
- <LIST> – Provide the list of channels separated by commas.

connect-through-bridges – Enables the client-bridge access point radio to connect to an infrastructure WLAN, which already has other client-bridge radios associated with it. The client-bridge access points, in this scenario, are said to be daisy chained together.

eap [password [<PASSWORD>]|type [peap-mschapv2|tls]|username <USERNAME>] – Configures EAP authentication parameters if the authentication mode is set as EAP
- password [0|2|<PASSWORD>] – Configures the EAP authentication password to use with the infrastructure WLAN. The password type depends on the EAP authentication type configured.
  - PEAP-MSCHAPv2 – PEAP password
  - TLS – PKCS #12 certificate secret
  - Use of EAP-TLS authentication is recommended since it is stronger than PEAP-MSCHAPv2.
  - <PASSWORD> – Enter the password.
- type [peap-mschapv2|tls] – Configures the EAP authentication type as:
  - PEAP-MSCHAPv2 – Configures the EAP authentication type as PEAP-MSCHAPv2. This is the default setting.
  - TLS – Configures the EAP authentication type as TLS
- username <USERNAME> – Configures the EAP authentication user name to use with the infrastructure WLAN.
  - <USERNAME> – Specify the EAP username.
  - PEAP-MSCHAPv2 – PEAP username (example client-bridge)
  - TLS – Username in the CN field of the installed PKCS #12 client certificate (example client-bridge@example.com)

encryption-type [ccmp|none|tkip] – Configures the encryption mode. The encryption mode specified here should be the same as that configured on the infrastructure WLAN. The options are:
- ccmp – Uses WPA/WPA2 CCMP encryption
- none – Uses no encryption method. This is the default setting.
- tkip – Uses WPA/WPA2 TKIP encryption

If using CCMP or TKIP, use the ‘wpa-wpa2’ keyword to configure the pre-shared key (PSK).

inactivity-timeout <0-864000> – Configures the inactivity timeout for each bridge MAC address. This is the time for which the client-bridge access point waits before deleting a MAC address from which a frame has not been received for more than the time specified here. For example, if the inactivity time is set at 120 seconds, and if no frames are received from a MAC address for 120 seconds, it is deleted. The default value is 600 seconds.
- <0-864000> – Specify a value from 0 - 864000 seconds. The default is 600 seconds.

keepalive [frame-type [null-data|wnmp]|interval <0-36000>] – Configures the keep-alive frame type and interval
- frame-type – Configures the keepalive frame type exchanged between the client-bridge access point and the infrastructure access point/controller. The options are:
  - null-data – Transmits 802.11 NULL data frames. This is the default setting.
  - wnmp – Transmits Wireless Network Management Protocol (WNMP) multicast packet
- interval <0-36000> – Configures the interval, in seconds, between two successive keep-alive frame transmissions.
  - <0-36000> – Specify a value from 0 - 36000 seconds. The default is 300 seconds.

max-clients <1-64> – Configures the maximum number of clients that the client-bridge AP can support
- <1-64> – Specify a value from 1 - 64. The default is 64.

on-link-loss shutdown-other-radio <1-1800> – Configures the radio-link behaviour when the link between the client-bridge and infrastructure access points is lost.
- shutdown-other-radio – Enables shutting down of the non-client bridge radio (this is the radio to which wireless-clients associate) when the link between the client-bridge and infrastructure access points is lost. When enabled, clients associated with the non-client bridge radio are pushed to search for and associate with other access points having backhaul connectivity. This option is disabled by default.
  - <1-1800> – If enabling this option, use this parameter to configure the time, in seconds, for which the non-client bridge radio is shut down. Specify a value from 1 - 1800 seconds.

on-link-up refresh-vlan-interface – Configures the radio-link behaviour when the link between the client-bridge and infrastructure access points comes up.
- refresh-vlan-interface – Enables the SVI to refresh on re-establishing the client bridge link to the infrastructure Access Point. If using a DHCP assigned IP address, this also causes a DHCP renew. This option is enabled by default.

roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>] – Configures the following roaming criteria parameters
- missed-beacons <1-60> – Configures the missed beacon interval from 0 - 60 seconds. This is the time for which the client-bridge Access Point waits after missing a beacon from the associated infrastructure Access Point, before roaming to another infrastructure Access Point. For example, if the missed-beacon time is set to 30 seconds, and if more than 30 seconds have passed since the last received beacon from the associated infrastructure Access Point, the client-bridge Access Point resumes scanning for another infrastructure Access Point. The default value is 20 seconds.
  - <1-60> – Specify a value from 1 - 60 seconds. The default is 20 seconds.
- rssi-threshold <-128--40> – Configures the minimum signal strength, received from target AP, for the bridge connection to be maintained before roaming
  - <-128--40> – Specify a value from -128 - -40 dBm. If the RSSI value of signals received from the infrastructure access point falls below the specified value, the client-bridge access point resumes scanning for another infrastructure access point. The default is -75 dBm.

ssid <SSID> – Configures the infrastructure WLAN SSID the client bridge connects to
- <SSID> – Specify the SSID.

wpa-wpa2 psk [0|2|<LINE>] – Configures the encryption pre-shared key (PSK) to use with the infrastructure WLAN
- 0 – Configures clear text psk
- 2 – Configures encrypted psk
- <LINE> – Enter the key

Note: Pre-shared keys are valid only when the authentication-type is set to none and the encryption-type is set to tkip or ccmp.

Note: The PSK should be 8 - 32 characters in length.

Usage Guidelines EAP Authentication

Use the following commands to view client-bridge configuration:

1. show > wireless > bridge > config
   Shows the current client bridge configuration.
2. show > wireless > bridge > candidate-ap
   Shows the available infrastructure WLAN candidates that are found during the last scan.
3. show > wireless > bridge > host
   Shows the wired/wireless clients that are being bridged.
4. show > wireless > bridge > statistics > rf
   Shows the client bridge RF statistics.
5. show > wireless > bridge > statistics > traffic
   Shows the client bridge traffic statistics.
6. show > wireless > bridge > certificate > status
   Shows the client bridge authentication certificate status.

Example

The following examples show the basic parameters that need to be configured on the Infrastructure and the client-bridge APs in order to enable the client-bridge AP to associate with the Infrastructure WLAN. Note, in this example, the authentication mode is set to ‘none’ and the encryption-type is set to ‘ccmp’. The authentication and encryption modes used will vary as per requirement.

1 Configuring the Infrastructure WLAN:

```
InfrastrNOC(config)#wlan cb-psk
InfrastrNOC(config-wlan-cb-psk)#ssid cb-psk
InfrastrNOC(config-wlan-cb-psk)#encryption-type ccmp
InfrastrNOC(config-wlan-cb-psk)#wpa-wpa2 psk extreme@123
InfrastrNOC(config-wlan-cb-psk)#authentication-type none
InfrastrNOC(config)#show running-config wlan cb-psk
wlan cb-psk
 ssid cb-psk
 bridging-mode local
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 extreme@123
InfrastrNOC(config)#
```

2 Associating the ‘cb-psk’ WLAN to the Infrastructure AP’s radio.

```
Infra7131-5F5078(config-device-B4-C7-99-5F-50-78-if-radio2)#wlan cb-psk
```


7.1.36.5.14 channel

interface-config-radio-instance

Configures a radio’s channel of operation

Only a trained installation professional should define the radio channel. Select Smart for the radio to scan non-overlapping channels listening for beacons from other access points. After the channels are scanned, the radio selects the channel with the fewest access points. In case of multiple access points on the same channel, it selects the channel with the lowest average power level.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
channel [smart|acs|random|1|2|3|4|-------]
```

NOTE: Channels with a “w” appended to them are unique to the 40 MHz band. Channels with a “ww” appended to them are 802.11ac specific, and appear only when using an AP8232, and are unique to the 80 MHz band.

Parameters
- channel [smart|acs|random|1|2|3|4|-------]

channel – Configures a radio’s channel of operation

[smart|acs|random|1|2|3|4|-------] – Configures a radio’s channel of operation. The options are:
- smart – Uses Smart RF to assign a channel (uses uniform spectrum spreading if Smart RF is not enabled). This is the default setting.
- acs – Uses automatic channel selection (ACS) to assign a channel
- random – Randomly assigns a channel
- 1 – Channel 1 in 20 MHz mode
- 2 – Channel 2 in 20 MHz mode

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#channel 1
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  channel 1
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  ........
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  antenna-mode 2x2
  antenna-diversity
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
```

7.1.36.5.15 data-rates

interface-config-radio-instance

Configures the 802.11 data rates on this radio

This command sets the rate options depending on the 802.11 protocol and the radio band selected. If 2.4 GHz is selected as the radio band, select separate 802.11b, 802.11g and 802.11n rates and define how they are used in combination. If 5.0 GHz is selected as the radio band, select separate 802.11a and 802.11n rates then define how they are used together.

If dedicating the radio to either 2.4 or 5.0 GHz support, use the custom keyword to set a 802.11n modulation and coding scheme (MCS) in respect to the radio’s channel width and guard interval. A MCS defines (based on RF channel conditions) an optimal combination of rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Clients can associate as long as they support basic MCS (as well as non-11n basic rates).

Data rates are fixed and not user configurable for radios functioning as sensors.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default|custom|mcs]
data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default]
data-rates custom [1|2|5.5|6|9|11|12|18|24|36|48|54|mcs-1s|mcs-2s|mcs-3s|basic-1|basic-2|basic-5.5|basic-6|basic-9|basic-11|basic-12|basic-18|basic-24|basic-36|basic-48|basic-54|basic-mcs-1s]
data-rates mcs qam-only
```

NOTE: Use the rf-mode command to configure a radio’s mode of operation.

NOTE: The MCS-1s and MCS-2s options are available for each supported access point. However, the MCS-3s option is only available to the AP8232 model access point, and its ability to provide 3x3x3 MIMO support.

Parameters
- data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default]

data-rates – Configures the 802.11 data rates on this radio

b-only – Supports operation in the 802.11b mode only (applicable for 2.4 and 4.9 GHz bands)

g-only – Uses rates that support operation in the 802.11g mode only (applicable for 2.4 and 4.9 GHz bands)

a-only – Uses rates that support operation in the 802.11a mode only (applicable for 5.0 GHz band only)

bg – Uses rates that support 802.11b and 802.11g wireless clients (applicable for 2.4 and 4.9 GHz bands)

bgn – Uses rates that support 802.11b, 802.11g, and 802.11n wireless clients (applicable for 2.4 and 4.9 GHz bands)

gn – Uses rates that support 802.11g and 802.11n wireless clients (applicable for 2.4 and 4.9 GHz bands)

an – Uses rates that support 802.11a and 802.11n wireless clients (applicable for 5.0 GHz band only)

default – Enables the default data rates according to the radio’s band of operation

Parameters
- data-rates custom [1|2|5.5|6|9|11|12|18|24|36|48|54|mcs-1s|mcs-2s|mcs-3s|basic-1|basic-2|basic-5.5|basic-6|basic-9|basic-11|basic-12|basic-18|basic-24|basic-36|basic-48|basic-54|basic-mcs-1s]

data-rates – Configures the 802.11 data rates on this radio

custom – Configures a list of data rates by specifying each rate individually. Use 'basic-' prefix before a rate to indicate it’s used as a basic rate (For example, 'data-rates custom basic-1 basic-2 5.5 11')
- 1 – 1-Mbps
- 2 – 2-Mbps
- 5.5 – 5.5-Mbps
- 6 – 6-Mbps
- 9 – 9-Mbps
- 11 – 11-Mbps
- 12 – 12-Mbps
- 18 – 18-Mbps
- 24 – 24-Mbps
- 36 – 36-Mbps
- 48 – 48-Mbps
- 54 – 54-Mbps
- mcs-1s – Applicable to 1-spatial stream data rates
- mcs-2s – Applicable to 2-spatial stream data rates
- mcs-3s – Applicable to 3-spatial stream data rates (supported only on AP8232 for the MIMO feature)
- basic-1 – Basic 1-Mbps
- basic-2 – Basic 2-Mbps
- basic-5.5 – Basic 5.5-Mbps
- basic-6 – Basic 6-Mbps
- basic-9 – Basic 9-Mbps
- basic-11 – Basic 11-Mbps
- basic-12 – Basic 12-Mbps
- basic-18 – Basic 18-Mbps
- basic-24 – Basic 24-Mbps
- basic-36 – Basic 36-Mbps

Contd..





7.1.36.5.19 ekahau

interface-config-radio-instance

Enables Ekahau multicast packet forwarding. When enabled, Ekahau small, battery powered Wi-Fi tags are attached to tracked assets or assets carried by people. Ekahau processes locations, rules, messages, and environmental data and turns the information into locationing maps, alerts and reports.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
ekahau [forward ip <IP> port <0-65535>|mac <MAC>]
```

Parameters
- ekahau [forward ip <IP> port <0-65535>|mac <MAC>]

ekahau – Enables Ekahau multicast packet forwarding on this radio

forward ip <IP> port <0-65535> – Enables multicast packet forwarding to the Ekahau engine
- ip <IP> – Configures the IP address of the Ekahau engine in the A.B.C.D format
- port <0-65535> – Specifies the TaZman Sniffer Protocol (TZSP) port on Ekahau engine from 0 - 65535

TZSP is an encapsulation protocol, which is generally used to wrap 802.11 wireless packets.

mac <MAC> – Configures the multicast MAC address to forward the Ekahau multicast packets
- <MAC> – Specify the MAC address in the AA-BB-CC-DD-EE-FF format.

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#ekahau forward ip 172.16.10.1 port 3
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  ........
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
```

Related Commands

no – Uses default Ekahau multicast MAC address

7.1.36.5.21 fallback-channel

interface-config-radio-instance

Configures the channel to which the radio switches in case of radar detection on the current channel

NOTE: Functionality is supported only in the US regulatory domain and only a non-dfs channel can be configured as a fallback channel

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
fallback-channel [100|100w|100ww|104|104w|104ww|108|108w...............]
```

Parameters
- fallback-channel [100|100w|100ww|104|104w|104ww|108|108w...............]

fallback-channel [100|100w|...........] – Configures the fallback channel. This is the channel the radio switches to in case a radar is detected on the radio’s current operating channel.
- [100|100w|100ww|...] – Select the fallback channel from the available options.

Note: Channels with a “w” appended to them are unique to the 40 MHz band. Channels with a “ww” appended to them are 802.11ac specific, and appear only when using an AP8232, and are unique to the 80 MHz band.

Example

```
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#fallback-channel 104
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#show context
 interface radio2
  fallback-channel 104
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#
```

Related Commands

no – Removes the fallback-channel configuration
7.1.36.5.22 guard-interval

interface-config-radio-instance

Configures the 802.11n guard interval. A guard interval ensures distinct transmissions do not interfere with one another. It provides immunity to propagation delays, echoes and reflection of radio signals.

The guard interval is the space between transmitted characters. The guard interval eliminates inter symbol interference (ISI). ISI occurs when echoes or reflections from one symbol interfere with another. Adding time between transmissions allows echoes and reflections to settle before the next symbol is transmitted. A shorter guard interval results in shorter symbol times, which reduces overhead and increases data rates by up to 10%.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
guard-interval [any|long]
```

Parameters
- guard-interval [any|long]

guard-interval – Configures the 802.11n guard interval

any – Enables the radio to use any short (400nSec) or long (800nSec) guard interval

long – Enables the use of long guard interval (800nSec). This is the default setting.

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#guard-interval long
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  guard-interval long
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
```

Related Commands

no – Resets the 802.11n guard interval to default (long: 800nSec)



7.1.36.5.26 mesh

interface-config-radio-instance

Use this command to configure radio mesh parameters. A Wireless Mesh Network (WMN) is a network of radio nodes organized in a mesh topology. It consists of mesh clients, mesh routers, and gateways.

Each radio setting can have a unique mesh mode and link configuration. This provides a customizable set of connections to other mesh supported radios within the same radio coverage area.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533

Syntax

```
mesh [client|links|portal|preferred-peer|psk]
mesh [client|links <1-6>|portal|preferred-peer <1-6> <MAC>|psk [0 <LINE>|2 <LINE>|<LINE>]]
```

Parameters
- mesh [client|links <1-6>|portal|preferred-peer <1-6> <MAC>|psk [0 <LINE>|2 <LINE>|<LINE>]]

mesh – Configures radio mesh parameters, such as maximum number of mesh links, preferred peer device, client operations, etc.

client – Enables operation as a client. Setting the mesh mode to ‘client’ enables the radio to operate as a mesh client that scans for and connects to mesh portals or nodes that are connected to portals.

links <1-6> – Configures the maximum number of mesh links a radio attempts to create
- <1-6> – Sets the maximum number of mesh links from 1 - 6. The default is 6.

portal – Enables operation as a portal. Setting the mesh mode to ‘portal’ turns the radio into a mesh portal. The radio starts beaconing immediately and accepts connections from other mesh nodes, typically the node with a connection to the wired network.

preferred-peer <1-6> <MAC> – Configures a preferred peer device
- <1-6> – Configures the priority at which the peer node will be added. When connecting to the mesh infrastructure, nodes with lower priority are given precedence over nodes with higher priority.
- <MAC> – Sets the MAC address of the preferred peer device (Ethernet MAC of either an AP, wireless controller, or service platform with onboard radios)

psk [0 <LINE>|2 <LINE>|<LINE>] – Configures the pre-shared key. Ensure this key is configured on the access point when staged for mesh, and added to the mesh client and to the portal access point’s configuration on the controller or service platform.
- 0 <LINE> – Enter a clear text key
- 2 <LINE> – Enter an encrypted key
- <LINE> – Enter the pre-shared key

Pre-shared keys should be 8 - 64 characters in length.






7.1.36.5.30 non-unicast

interface-config-radio-instance

Configures support for forwarding of non-unicast (multicast and broadcast) frames on this radio

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
non-unicast [forwarding|queue|tx-rate]
non-unicast forwarding [follow-dtim|power-save-aware]
non-unicast queue [<1-200>|bss]
non-unicast queue [<1-200>|bss <1-16> <1-200>]
non-unicast tx-rate [bss <1-16>|dynamic-all|dynamic-basic|highest-basic|lowest-basic]
non-unicast tx-rate bss <1-16> [dynamic-all|dynamic-basic|highest-basic|lowest-basic]
```

Parameters
- non-unicast forwarding [follow-dtim|power-save-aware]

non-unicast forwarding – Enables non-unicast frame forwarding on this radio. Once enabled, select one of the available options to specify whether these frames should always follow DTIM, or only follow DTIM when using power save aware mode.

follow-dtim – Specifies frames always wait for the DTIM interval to time out. The DTIM interval is configured using the beacon command. This is the default setting.

power-save-aware – Enables immediate forwarding of frames only if all associated wireless clients are in the power save mode

Parameters
- non-unicast queue [<1-200>|bss <1-16> <1-200>]

non-unicast queue – Enables non-unicast frame forwarding on this radio. Once enabled, specify the number of broadcast packets queued per BSS on this radio. This option is enabled by default. This command also enables you to override the default on a specific BSS.

<1-200> – Specify a number from 1 - 200. This value applies to all BSSs. The default is 50 frames per BSS.

bss <1-16> <1-200> – Overrides the default on a specified BSS
- <1-16> – Select the BSS number from 1 - 16.
- <1-200> – Specify the number of broadcast packets queued for the selected BSS from 1 - 200.

Parameters
- non-unicast tx-rate [bss <1-16>|dynamic-all|dynamic-basic|highest-basic|lowest-basic]

non-unicast tx-rate – Enables non-unicast frame forwarding on this radio. Once enabled, use one of the available options to configure the rate at which these frames are transmitted.

bss <1-16> – Overrides the default on a specified BSS
- <1-16> – Select the BSS number from 1 - 16. The transmit rate selected is applied only to the BSS specified here. The tx-rate options are: dynamic-all, dynamic-basic, highest-basic, lowest-basic.

7.1.36.5.31 off-channel-scan

interface-config-radio-instance

Enables off channel scanning on this radio. This option is disabled by default.

Channel scanning uses the access point’s resources and is time consuming. Therefore, enable this option only if the radio has the bandwidth to support channel scan without negatively impacting client support.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
off-channel-scan {channel-list|max-multicast|scan-interval|sniffer-redirect}
off-channel-scan {channel-list [2.4Ghz|5Ghz]} {<CHANNEL-LIST>}
off-channel-scan {max-multicast <0-100>|scan-interval <2-100>}
off-channel-scan {sniffer-redirect tzsp <IP>}
```

Parameters
- off-channel-scan {channel-list [2.4Ghz|5Ghz]} {<CHANNEL-LIST>}

off-channel-scan – Enables off-channel scanning and configures related parameters. These parameters are optional, and the system configures default settings if no values are specified.

channel-list [2.4GHz|5GHz] – Optional. Selects the 2.4GHz or 5GHz access point radio band. Restricting off channel scans to specific channels frees bandwidth otherwise utilized for scanning across all channels.
- 2.4GHz – Selects the 2.4 GHz band
- 5GHz – Selects the 5.0 GHz band

<CHANNEL-LIST> – Optional. Specifies a list of 20 MHz, 40 MHz, or 80 MHz channels for the selected band (the channels are separated by commas or hyphens)

Parameters
- off-channel-scan {max-multicast <0-100>|scan-interval <2-100>}

off-channel-scan – Enables off-channel scanning and configures related parameters. These parameters are optional, and the system configures default settings if no values are specified.

max-multicast <0-100> – Optional. Configures the maximum multicast/broadcast messages used to perform OCS
- <0-100> – Specify a value from 0 - 100. The default is 4.

scan-interval <2-100> – Optional. Configures the scan interval in dtims
- <2-100> – Specify a value from 2 - 100. The default is 20 dtims.

Parameters
- off-channel-scan {sniffer-redirect tzsp <IP>}

off-channel-scan – Enables off-channel scanning and configures related parameters. These parameters are optional, and the system configures default settings if no values are specified.

sniffer-redirect tzsp <IP> – Optional. Captures and redirects packets to a host running a packet capture/analysis tool. Use this command to configure the IP address of the host.
- tzsp – Encapsulates captured packets in TZSP before redirecting to the specified host
- <IP> – Specify the destination device IP address.
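
The bridge, mesh, ekahau and off-channel-scan entries above document clear-text (type 0) pre-shared keys, encryption-type none and tkip, PEAP-MSCHAPv2 versus TLS, and frame forwarding to an external host. The Python auditor below is an added example, not part of the Extreme Networks guide; it checks a saved configuration for those settings, and the sample configuration, rule names, severity labels and the `approved_collectors` parameter are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, written in the style of the guide's "show running-config"
# and "show context" output. SSIDs, keys and addresses are illustrative only.
SAMPLE_CONFIG = """\
wlan cb-psk
 ssid cb-psk
 bridging-mode local
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 ExampleKey-123
interface radio1
 mesh client
 mesh psk 0 short
 ekahau forward ip 172.16.10.1 port 3
 off-channel-scan sniffer-redirect tzsp 192.0.2.50
interface radio2
 rf-mode bridge
 bridge ssid cb-psk
 bridge authentication-type eap
 bridge eap type peap-mschapv2
 bridge encryption-type tkip
interface radio3
 rf-mode bridge
 bridge ssid cb-open
"""

# PSK length ranges as stated in the guide for each command family.
PSK_LENGTH = {"wpa-wpa2": (8, 32), "mesh": (8, 64)}
PSK_RE = re.compile(r"(wpa-wpa2|mesh) psk (?:([02]) )?(.+)$")
FORWARD_RE = re.compile(
    r"(?:ekahau forward ip|off-channel-scan sniffer-redirect tzsp) (\S+)")


def statements(text):
    """Yield (context, line_number, words); context is the chain of less-indented parents."""
    stack = []  # (indent, statement) for each open parent
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield " / ".join(s for _, s in stack) or "(global)", lineno, raw.split()
        stack.append((indent, raw.strip()))


def audit(text, approved_collectors=frozenset()):
    """Return findings as (severity, context, line_number, rule, message) tuples."""
    findings = []
    bridge_seen = defaultdict(dict)  # context -> {bridge keyword: first line seen}

    for ctx, lineno, words in statements(text):
        # Client-bridge settings carry a "bridge" prefix in the radio context.
        if words[0] == "bridge" and len(words) > 1:
            bridge_seen[ctx].setdefault(words[1], lineno)
            words = words[1:]
        stmt = " ".join(words)

        if stmt == "encryption-type none":
            findings.append(("HIGH", ctx, lineno, "no-encryption",
                             "encryption-type none: frames are not encrypted"))
        elif stmt == "encryption-type tkip":
            findings.append(("MEDIUM", ctx, lineno, "tkip",
                             "TKIP is deprecated; use ccmp on both ends"))
        elif stmt == "eap type peap-mschapv2":
            findings.append(("LOW", ctx, lineno, "eap-peap-mschapv2",
                             "the guide recommends EAP-TLS over PEAP-MSCHAPv2"))

        psk = PSK_RE.match(stmt)
        if psk and psk.group(2) != "2":  # type 2 keys are stored encrypted
            family, _, key = psk.groups()
            low, high = PSK_LENGTH[family]
            findings.append(("MEDIUM", ctx, lineno, "psk-cleartext",
                             "pre-shared key is stored in clear text; value redacted"))
            if not low <= len(key) <= high:
                findings.append(("MEDIUM", ctx, lineno, "psk-length",
                                 f"key is {len(key)} characters; the guide specifies {low}-{high}"))

        fwd = FORWARD_RE.match(stmt)
        if fwd and fwd.group(1) not in approved_collectors:
            findings.append(("INFO", ctx, lineno, "frame-forwarding",
                             f"frames are forwarded to {fwd.group(1)}, which is not an approved collector"))

    # The guide gives "none" as the default bridge encryption-type. Assuming the
    # saved configuration omits defaults, a bridge SSID with no encryption-type
    # statement means the bridge link runs unencrypted.
    for ctx, seen in bridge_seen.items():
        if "ssid" in seen and "encryption-type" not in seen:
            findings.append(("HIGH", ctx, seen["ssid"], "bridge-default-encryption",
                             "bridge SSID set without encryption-type; the default is none"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, approved_collectors={"172.16.10.1"}):
        print("%-6s %-18s line %-3d %-26s %s" % finding)
```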

7.1.36.5.32 placement

interface-config-radio-instance

Defines the radio’s location (whether the radio is deployed indoors or outdoors). The radio’s placement should depend on the country of operation selected and its regulatory domain requirements for radio emissions.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
placement [indoor|outdoor]
```

Parameters

`placement [indoor|outdoor]`

- `placement`: Defines the radio’s location
  - `indoor` – Radio is deployed indoors (uses indoor regulatory rules). This is the default setting.
  - `outdoor` – Radio is deployed outdoors (uses outdoor regulatory rules)

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#placement outdoor
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
  non-unicast tx-rate bss 8 highest-basic
  non-unicast tx-rate bss 9 highest-basic
  non-unicast tx-rate bss 10 highest-basic
  non-unicast tx-rate bss 11 highest-basic
  non-unicast tx-rate bss 12 highest-basic
  non-unicast tx-rate bss 13 highest-basic
  non-unicast tx-rate bss 14 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
```

Related Commands

- `no`: Resets a radio’s deployment location

7.1.36.5.33 power

interface-config-radio-instance

Configures the radio’s transmit power setting

The transmit power control (TPC) mechanism automatically reduces the used transmission output power when other networks are within range. Reduced power results in reduced interference issues and increased battery capacity.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
power [<1-30>|smart]
```

Parameters

`power [<1-30>|smart]`

- `power`: Configures a radio’s transmit power
  - `<1-30>` – Configures the transmit power from 1 - 30 dBm (actual power could be lower based on regulatory restrictions). For APs with dual or three radios, each radio should be configured with a unique transmit power in respect to its intended client support function.
  - `smart` – Enables Smart RF to determine the optimum transmit power needed. By default APs use Smart RF to determine transmit power.

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#power 12
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  power 12
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
 --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
```

Related Commands

- `no`: Resets a radio’s transmit power

7.1.36.5.35 probe-response

interface-config-radio-instance

Configures transmission parameters for probe response frames

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
probe-response [rate|retry|rssi-threshold]
probe-response retry
probe-response rate [follow-probe-request|highest-basic|lowest-basic]
probe-response rssi-threshold <-128--40>
```

Parameters

`probe-response retry`

- `probe-response retry`: Enables retransmission of probe-response frames if no acknowledgement is received from the client. This option is enabled by default.

`probe-response rate [follow-probe-request|highest-basic|lowest-basic]`

- `probe-response rate`: Configures the rates used for transmission of probe response frames. The tx-rate options available for transmitting probe response frames are: follow-probe-request, highest-basic, lowest-basic.
  - `follow-probe-request` – Transmits probe responses at the same rate as the received request (default setting)
  - `highest-basic` – Uses the highest configured basic rate
  - `lowest-basic` – Uses the lowest configured basic rate

`probe-response rssi-threshold <-128--40>`

- `probe-response rssi-threshold <-128--40>`: Ignores probe request from client if the received signal strength is less than the RSSI threshold specified here
  - `<-128--40>` – Specify a value from -128 - -40.

Example

```
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response rate highest-basic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response retry
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response rssi-threshold -60
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
 interface radio1
  probe-response rate highest-basic
  probe-response rssi-threshold -60
nx9500-6C8809(config-profile-testAP7161-if-radio1)#
```

Related Commands

- `no`: Resets transmission parameters for probe response frames

7.1.36.5.36 radio-resource-measurement

interface-config-radio-instance

Enables 802.11k radio resource measurement. When enabled, the radio station sends channel and neighbor reports.

The IEEE 802.11 Task Group k defined a set of specifications regarding radio resource measurements. These specifications specify the radio resources to be measured and the mechanism used to communicate measurement requests and results.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
radio-resource-measurement [attenuation-threshold <1-199>|max-entries <1-12>]
```

Parameters

`radio-resource-measurement [attenuation-threshold <1-199>|max-entries <1-12>]`

- `radio-resource-measurement`: Enables 802.11k radio resource measurement on the radio
- `attenuation-threshold <1-199>`: Configures the neighbor attenuation threshold, considered when generating channel and neighbor reports
  - `<1-199>` – Specify the attenuation threshold from 1 - 199. The default is 90.
- `max-entries <1-12>`: Configures the maximum number of entries to include in channel and neighbor reports
  - `<1-12>` – Specify a value from 1 - 12. The default is 6.

Example

```
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#radio-resource-measurement attenuation-threshold 20
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#radio-resource-measurement max-entries 10
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#show context
 interface radio1
  radio-resource-measurement max-entries 10
  radio-resource-measurement attenuation-threshold 20
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#
```

Related Commands

- `no`: Disables 802.11k radio resource measurement support

7.1.36.5.37 radio-share-mode

interface-config-radio-instance

Configures the radio’s mode of operation as radio share. A radio operating in the radio share mode services clients and also performs sensor functions (defined by the radio’s AirDefense Services Platform (ADSP) licenses and profiles).

NOTE: The sensor capabilities of the radio are restricted to the channel and WLANs defined on the radio.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533

Syntax

```
radio-share-mode [inline|off|promiscuous]
```

Parameters

`radio-share-mode [inline|off|promiscuous]`

- `radio-share-mode`: Enables sharing of packets, switched by this radio, with the WIPS sensor module. There are two radio-share modes: inline and promiscuous.
  - `inline` – Enables sharing of all WLAN packets (matching the BSSID of the radio) serviced by the radio with the WIPS sensor module.
  - `off` – Disables radio share (no packets shared with the WIPS sensor module)
  - `promiscuous` – Enables the promiscuous radio share mode. In this mode the radio is configured to receive all packets on the channel irrespective of whether the destination address is the radio or not, and shares these packets with the WIPS sensor module for analysis (i.e. without filtering based on BSSID).

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#radio-share-mode promiscuous
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  power 12
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  preamble-short
  guard-interval long
.........................................................
  non-unicast queue bss 16 50
  antenna-diversity
  max-clients 100
  radio-share-mode promiscuous
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
```

Related Commands

- `no`: Resets the radio share mode for this radio to its default

7.1.36.5.38 rate-selection

interface-config-radio-instance

Sets the data-rate selection mode to standard or opportunistic

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
rate-selection [opportunistic|standard]
```

Parameters

`rate-selection [opportunistic|standard]`

- `rate-selection`: Sets the rate selection mode to standard or opportunistic
  - `standard` – Configures the monotonic rate selection mode. This is the default setting.
  - `opportunistic` – Configures the opportunistic radio link adaptation (ORLA) rate selection mode. The ORLA algorithm is designed to select data rates that provide best throughput. Instead of using local conditions to decide whether a data rate is acceptable or not, ORLA pro-actively probes other rates to determine if greater throughput is available. If these other rates do provide improved throughput, ORLA intelligently adjusts its selection tables to favour higher performance. ORLA provides improvements both on the client side of a mesh network as well as in the backhaul capabilities. Note: The ORLA rate selection mode is supported only on the AP7161 and AP8163 model access points.

Example

```
nx9500-6C8809(config-profile-testAP7161-if-radio1)#rate-selection opportunistic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
 interface radio1
  rate-selection opportunistic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#
```

Related Commands

- `no`: Resets the rate selection mode to standard (monotonic)

7.1.36.5.39 rf-mode

interface-config-radio-instance

Configures the radio’s RF mode of operation

This command sets the mode to either 2.4 GHz WLAN or 5.0 GHz WLAN support depending on the radio’s intended client support. If you are currently licensed to use 4.9 GHz, configure the 4.9 GHz-WLAN option. Set the mode to sensor if using the radio for rogue device detection. The radio cannot support rogue detection when one of the other radios is functioning as a WIPS sensor. To set a radio as a detector, disable sensor support on the other access point radios.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
rf-mode [2.4GHz-wlan|4.9GHz-wlan|5GHz-wlan|bridge|scan-ahead|sensor]
```

Parameters

`rf-mode [2.4GHz-wlan|4.9GHz-wlan|5GHz-wlan|bridge|scan-ahead|sensor]`

- `rf-mode`: Configures the radio’s RF mode of operation
  - `2.4GHz-wlan` – Provides WLAN service in the 2.4 GHz bandwidth
  - `4.9GHz-wlan` – Provides WLAN service in the 4.9 GHz bandwidth
  - `5GHz-wlan` – Provides WLAN service in the 5.0 GHz bandwidth
  - `bridge` – Enables this radio to operate as client bridge that can authenticate and associate to a defined infrastructure Wireless LAN (WLAN) access point. Note: This option is applicable only on the AP6522, AP6562, AP7522, AP7532, and AP7562 model access points. Enable this option only if the access point is to provide client-bridge support. Once enabled, configure the client-bridge parameters. For more information, see bridge.
  - `scan-ahead` – Enables this radio to operate as a scan-ahead radio. A radio functioning in the scan-ahead mode is used for forward scanning only. The radio does not support WLAN or mesh services.

The scan ahead feature is used in Dynamic Frequency Selection (DFS) aware countries for infrastructure devices, static, and vehicular mounted modems (VMMs). It enables a secondary radio to scan ahead for an active channel for backhaul transmission, in the event of a radar trigger on the primary radio. The device then switches radios allowing transmission to continue. This is required in environments where handoff is required and DFS triggers are common.

With a secondary radio dedicated for forward scanning, the primary radio, in case of radar hit, hands over the channel availability check (CAC) function to the secondary radio. This avoids a break in data communication, which would have resulted if the primary radio was to do CAC itself.

The secondary radio periodically does a scan of the configured channel list, searching for the other available meshpoint roots. When configured on the root meshpoint, the scan-ahead feature also scans for cleaner channels.

7.1.36.5.40 rifs

interface-config-radio-instance

Configures Reduced Interframe Spacing (RIFS) parameters on this radio

This value determines whether interframe spacing is applied to access point transmitted or received packets, both, or none. Inter-frame spacing is the interval between two consecutive Ethernet frames that enable a brief recovery between packets and allow target devices to prepare for the reception of the next packet.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
rifs [none|rx-only|tx-only|tx-rx]
```

Parameters

`rifs [none|rx-only|tx-only|tx-rx]`

- `rifs`: Configures RIFS parameters
  - `none` – Disables support for RIFS. Consider setting the value to None for high-priority traffic to reduce packet delay.
  - `rx-only` – Supports RIFS possession only
  - `tx-only` – Supports RIFS transmission only
  - `tx-rx` – Supports both RIFS transmission and possession (default setting)

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#rifs tx-only
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  rifs tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
```

Related Commands

- `no`: Disables radio’s RIFS parameters

7.1.36.5.42 service

interface-config-radio-instance

Enables dynamic control function. This dynamic function controls performance of the radio receiver's low noise amplifiers (LNAs).

When enabled, the control function, in the presence of very strong received signals, improves the receiver’s performance on radio 1. Strong signals are caused if the distance between the WiFi client and the AP is within two (2) meters. When disabled, the control function is a useful debug tool in case the uplink throughput is less than expected and the AP-to-client separation is greater than two (2) meters. Disabling the control function does not affect the receive sensitivity of the radio.

Supported in the following platforms:

- Access Points — AP6522, AP6562

Syntax

```
service radio-lna [agc|ms]
```

Parameters

`service radio-lna [agc|ms]`

- `service radio-lna [agc|ms]`: Enables dynamic control function
  - `agc` – Enables dynamic LNA control function. This is the default setting.
  - `ms` – Disables dynamic LNA control function

Example

```
nx9500-6C8809(config-profile-testAP6522-if-radio1)#service radio-lna ms
nx9500-6C8809(config-profile-testAP6522-if-radio1)#show context
 interface radio1
  service radio-lna ms
nx9500-6C8809(config-profile-testAP6522-if-radio1)#
```

Related Commands

- `no`: Reverts radio-lna mode to default (agc)

7.1.36.5.44 smart-rf

interface-config-radio-instance

Overrides Smart RF channel width setting on this radio. When configured, the radio overrides the Smart RF selected channel setting and operates in the channel configured using this command.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
smart-rf preferred-channel-width [20MHz|40MHz|80MHz]
```

Parameters

`smart-rf preferred-channel-width [20MHz|40MHz|80MHz]`

- `smart-rf preferred-channel-width [20MHz|40MHz|80MHz]`: Configures the preferred channel width. The options are:
  - `20MHz` – Sets 20 MHz as the preferred channel of operation
  - `40MHz` – Sets 40MHz as the preferred channel of operation
  - `80MHz` – Sets 80MHz as the preferred channel of operation (default setting)

Example

```
nx9500-6C8809(config-profile-testAP7161-if-radio1)#smart-rf preferred-channel-width 40MHz
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
 interface radio1
  smart-rf preferred-channel-width 40MHz
  rate-selection opportunistic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#
```

Related Commands

- `no`: Enables use of Smart RF selected channel of operation

7.1.36.5.45 sniffer-redirect

interface-config-radio-instance

Captures and redirects packets to an IP address running a packet capture/analysis tool

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
sniffer-redirect [omnipeek|tzsp] <IP> channel [1|10|100|100w --------] {snap <1-65535> (append descriptor)}
```

Parameters

`sniffer-redirect [omnipeek|tzsp] <IP> channel [1|10|100|100w ---------] {snap <1-65535> (append descriptor)}`

- `sniffer-redirect`: Captures and redirects packets to an IP address running a packet capture/analysis tool
- `omnipeek`: Encapsulates captured packets in proprietary header (used with OmniPeek and plug-in)
- `tzsp`: Encapsulates captured packets in TZSP (used with WireShark and other tools)
- `<IP>`: Specify the IP address of the device running the capture/analysis tool (the host to which captured off channel scan packets are redirected)
- `[1|10|100|100w ----------]`: Specify the channel to capture packets
  - `1` – Channel 1 in 20 MHz mode (default setting)
  - `10` – Channel 10 in 20 MHz mode
  - `100` – Channel 100 in 20 MHz mode
  - `100w` – Channels 100w in 40 MHz mode (channels 100*,104)
- `snap <1-65535>`: Optional. Allows truncating of large captured frames at a specified length (in bytes). This option is useful when capturing traffic with large frames. Use this option when only headers are needed for analysis, since it reduces the bandwidth needed for sniffing, and (for typical values) eliminates any fragmentation of the outer packet.
  - `<1-65535>` – Specify the maximum truncated byte length of captured packets.
- `append descriptor`: Optional – Enables appending of the radio's receive descriptor to the captured packet

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#sniffer-redirect omnipeek 172.16.10.1 channel 1
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  rts-threshold 100
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  rifs tx-only
  sniffer-redirect omnipeek 172.16.10.1 channel 1
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
```
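
On the analysis host named in `sniffer-redirect tzsp <IP>`, the redirected frames arrive wrapped in TZSP. The decoder below is an added example, not code from this guide or from Extreme Networks: it follows the publicly documented TZSP layout (4-byte header, tagged fields, then the captured frame) and reports whether a frame was shortened by `snap`. The UDP port 37008, the tag names and the sample datagram are assumptions or constructed values, since the guide does not list them.

```python
import socket
import struct

TZSP_PORT = 37008  # assumption: conventional TZSP UDP port, not stated in the guide
PACKET_TYPES = {0: "received", 1: "transmit", 3: "config", 4: "keepalive", 5: "port-opener"}
ENCAPSULATIONS = {0x01: "ethernet", 0x12: "ieee802.11", 0x77: "prism", 0x7F: "wlan-avs"}
TAG_PADDING, TAG_END = 0x00, 0x01
TAG_NAMES = {0x0A: "raw_rssi", 0x0B: "snr", 0x0C: "data_rate", 0x0D: "timestamp",
             0x12: "rx_channel", 0x28: "packet_count", 0x29: "rx_frame_length"}
SIGNED_TAGS = {0x0A, 0x0B}

# Constructed sample: version 1, type 0, 802.11 encapsulation, three tags,
# one padding byte, TAG_END, then a 24-byte probe request header.
SAMPLE = bytes.fromhex(
    "01000012" "0a01c4" "120101" "29020080" "00" "01"
    "40000000" "ffffffffffff" "020000000001" "ffffffffffff" "0000"
)


class TZSPError(ValueError):
    """Raised for datagrams that are not well-formed TZSP."""


def parse_tzsp(datagram: bytes) -> dict:
    """Split a TZSP datagram into packet type, encapsulation, tags and inner frame."""
    if len(datagram) < 4:
        raise TZSPError("shorter than the 4-byte TZSP header")
    version, ptype, encap = struct.unpack_from("!BBH", datagram)
    if version != 1:
        raise TZSPError(f"unsupported TZSP version {version}")
    tags, off = {}, 4
    while True:
        if off >= len(datagram):
            raise TZSPError("tag list is not terminated by TAG_END")
        tag = datagram[off]
        off += 1
        if tag == TAG_PADDING:      # padding carries no length byte
            continue
        if tag == TAG_END:          # the captured frame starts right after this
            break
        if off >= len(datagram):
            raise TZSPError("tag is missing its length byte")
        length = datagram[off]
        value = datagram[off + 1:off + 1 + length]
        if len(value) != length:
            raise TZSPError("tag value runs past the end of the datagram")
        off += 1 + length
        name = TAG_NAMES.get(tag, f"tag_0x{tag:02x}")
        if length in (1, 2, 4):
            tags[name] = int.from_bytes(value, "big", signed=tag in SIGNED_TAGS)
        else:
            tags[name] = value
    return {"type": PACKET_TYPES.get(ptype, ptype),
            "encap": ENCAPSULATIONS.get(encap, encap),
            "tags": tags, "frame": datagram[off:]}


def summarize_capture(parsed: dict) -> dict:
    """Describe the inner 802.11 frame and flag frames shortened by `snap`."""
    frame = parsed["frame"]
    if parsed["encap"] != "ieee802.11" or len(frame) < 10:
        raise TZSPError("no 802.11 header to summarise")
    frame_control = frame[0]
    on_air = parsed["tags"].get("rx_frame_length", len(frame))
    return {
        "type": (frame_control >> 2) & 0x3,      # 0 mgmt, 1 control, 2 data
        "subtype": (frame_control >> 4) & 0xF,   # 4 = probe request for mgmt
        "receiver": frame[4:10].hex(":"),
        "transmitter": frame[10:16].hex(":") if len(frame) >= 16 else None,
        "truncated": on_air > len(frame),
    }


def listen(bind_ip: str, port: int = TZSP_PORT) -> None:
    """Print one summary per datagram; bind only to the capture interface's address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                print(src, summarize_capture(parse_tzsp(data)))
            except TZSPError as exc:
                print(src, "rejected:", exc)


if __name__ == "__main__":
    print(summarize_capture(parse_tzsp(SAMPLE)))
```

The redirected stream is plain UDP carrying client traffic, so the receiving host belongs on a management network that only the access points can reach.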

7.1.36.5.46 stbc

interface-config-radio-instance

Configures the radio’s Space Time Block Coding (STBC) mode. STBC is a pre-transmission encoding scheme providing an improved SNR ratio (even at a single RF receiver). STBC transmits multiple data stream copies across multiple antennas. The receiver combines the copies into one to retrieve data from the signal. These transmitted data versions provide redundancy to increase the odds of receiving data streams with a good data decode (especially in noisy environments).

NOTE: STBC requires the radio has at least two antennas with the capability to transmit two streams. If the antenna mode is configured to 1x1 (or falls back to 1x1 for some reason), STBC support is automatically disabled.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
stbc [auto|none|tx-only]
```

Parameters

`stbc [auto|none|tx-only]`

- `stbc`: Configures the radio’s STBC mode
  - `auto` – Autoselects STBC settings based on the platform type and other radio interface settings. This is the default setting.
  - `none` – Disables STBC support
  - `tx-only` – Configures the AP radio to format and broadcast the special stream (enables STBC support for transmit only)

Example

```
rfs6000-37FABE(config-profile-81xxTestProfile-if-radio1)#stbc tx-only
rfs6000-37FABE(config-profile-81xxTestProfile-if-radio1)#show context
 interface radio1
  stbc tx-only
rfs6000-37FABE(config-profile-81xxTestProfile-if-radio1)#
```

Related Commands

- `no`: Disables STBC support

7.1.36.5.48 use

interface-config-radio-instance

Applies an association ACL policy and a radio QoS policy on this radio interface

An association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a controller managed access point radio. An ACL is a sequential collection of permit and deny conditions that apply to controller packets. When a packet is received on an interface, the controller compares the fields in the packet against any applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. If a packet does not meet any of the criteria specified in the ACL, the packet is dropped.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
use [association-acl-policy|radio-qos-policy]
use [association-acl-policy <ASSOC-ACL-POLICY-NAME>|radio-qos-policy <RADIO-QOS-POLICY-NAME>]
```

Parameters

`use [association-acl-policy <ASSOC-ACL-POLICY-NAME>|radio-qos-policy <RADIO-QOS-POLICY-NAME>]`

- `use`: Applies an association ACL policy and a radio QoS policy on this radio interface
- `association-acl-policy`: Uses a specified association ACL policy with this radio interface
  - `<ASSOC-ACL-POLICY-NAME>` – Specify the association ACL policy name (should be existing and fully configured).
- `radio-qos-policy`: Uses a specified radio QoS policy with this radio interface
  - `<RADIO-QoS-POLICY-NAME>` – Specify the radio QoS policy name (should be existing and fully configured).

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#use association-acl-policy test
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  rts-threshold 100
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  rifs tx-only
  use association-acl-policy test
  sniffer-redirect omnipeek 172.16.10.1 channel 1
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
 --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
```

Related Commands

- `no`: Dissociates the specified association ACL policy and radio QoS policy

7.1.36.5.50 wireless-client

interface-config-radio-instance

Configures wireless client parameters on this radio

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax

```
wireless-client tx-power [<0-20>|mode]
wireless-client <0-20>
wireless-client tx-power mode [802.11d {wing-ie}|wing-ie {802.11d}]
```

Parameters

`wireless-client tx-power <0-20>`

- `wireless-client`: Configures wireless client parameters
- `tx-power <0-20>`: Configures the transmit power indicated to wireless clients. If using a dual or three radio model access point, each radio should be configured with a unique transmit power in respect to its intended client support function. A setting of 0 defines the radio as using Smart RF to determine its output power. 20 dBm is the default value.
  - `<0-20>` – Specify transmit power from 0 - 20 dBm.

`wireless-client tx-power mode [802.11d {wing-ie}|wing-ie {802.11d}]`

- `wireless-client`: Configures wireless client parameters
- `tx-power [802.11d|wing-ie]`: Configures the transmit power indicated to wireless clients
  - `802.11d` – Advertises in the IEEE 802.11d country information element
    - `wing-ie` – Optional. Advertises in the WiNG information element (173)
  - `wing-ie` – Advertises in the WiNG information element (173). This is the default setting.
    - `802.11d` – Optional. Advertises in the IEEE 802.11d country information element

Example

```
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#wireless-client tx-power 20
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  rts-threshold 100
  wireless-client tx-power 20
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
 --More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
```

Related Commands

- `no`: Resets the transmit power indicated to wireless clients



7.1.36.6.2 auth-type

interface-config-wwan-instance

Configures the authentication type used by the cellular data provider

Supported in the following platforms:

- Access Point — AP7161, AP81XX, AP8232
- Wireless Controllers — RFS4000, RFS6000

Syntax

```
auth-type [chap|mschap|mschap-v2|pap]
```

Parameters

`auth-type [chap|mschap|mschap-v2|pap]`

- `auth-type`: Configures the authentication protocol used on this interface. The options are: PAP, CHAP, MSCHAP, and MSCHAP-v2
  - `chap` – Configures Challenge-Handshake Authentication Protocol (CHAP). This is the default value.
  - `mschap` – Configures Microsoft Challenge-Handshake Authentication Protocol (MSCHAP)
  - `mschapv2` – Configures Microsoft Challenge-Handshake Authentication Protocol (MSCHAP) version 2
  - `pap` – Configures Password Authentication Protocol (PAP)

Example

```
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#auth-type mschap-v2
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  apn AT&T
  auth-type mschap-v2
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
```

Related Commands

- `no`: Removes the authentication protocol configured on this interface

7.1.36.6.4 ip

interface-config-wwan-instance

Configures IP related settings on this interface

Supported in the following platforms:

- Access Point — AP7161, AP81XX, AP8232
- Wireless Controllers — RFS4000, RFS6000

Syntax

```
ip [default-gateway|nat]
ip default-gateway priority <1-8000>
ip nat [inside|outside]
```

Parameters

`ip default-gateway priority <1-8000>`

- `ip`: Configures IP related settings on this interface
- `default-gateway priority <1-8000>`: Configures the default-gateway’s (learned by the wireless WAN) priority.
  - `<1-8000>` – Specify a value from 1 - 8000. The default is 3000.

`ip nat [inside|outside]`

- `ip`: Configures IP related settings on this interface
- `nat [inside|outside]`: Configures the NAT settings. This option is disabled by default.
  - `inside` – Marks this WWAN interface as NAT inside. The inside network is transmitting data over the network to its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.
  - `outside` – Marks this WWAN interface as NAT outside. Packets passing through the NAT on the way back to the controller or service platform managed LAN are matched against the records kept by the NAT engine. There, the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the network.

Example

```
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#ip nat inside
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  apn AT&T
  auth-type mschap-v2
  crypto map test
  ip nat inside
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
```

Related Commands

- `no`: Removes IP related settings on this interface

7.1.36.6.5 no

interface-config-wwan-instance

Removes or reverts the WWAN interface settings

Supported in the following platforms:

- Access Point — AP7161, AP81XX, AP8232
- Wireless Controllers — RFS4000, RFS6000

Syntax

```
no [all|apn|auth-type|crypto|description|ip|password|shutdown|use|username]
no [all|apn|auth-type|description|password|shutdown|username]
no crypto map
no ip [default-gateway priority|nat]
no use ip-access-list in
```

Parameters

`no <PARAMETERS>`

- `no <PARAMETERS>`: Removes or reverts this WWAN interface’s settings based on the parameters passed

Usage Guidelines

The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example

The following example displays the WWAN interface settings before the ‘no’ commands are executed:

```
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  apn AT&T
  auth-type mschap-v2
  crypto map test
  ip nat inside
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#no apn
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#no auth-type
```

The following example displays the WWAN interface settings after the ‘no’ commands are executed:

```
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  crypto map test
  ip nat inside
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
```
7.1.36.6.6 password

interface-config-wwan-instance

Configures a password for this WWAN interface. The configured value is used for authentication support by the cellular data carrier.

Supported in the following platforms:

- Access Point — AP7161, AP81XX, AP8232
- Wireless Controllers — RFS4000, RFS6000

Syntax

```
password [2 <WORD>|<WORD>]
```

Parameters

- password [2 <WORD>|<WORD>]
  - password – Configures a password for this WWAN interface
  - 2 <WORD> – Configures an encrypted password. Use this option when copy pasting the password from another device.
  - <WORD> – Enter the password string (should not exceed 32 characters in length).

Example

```
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#password 2 TechPubsTesting@123
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  password TechPubsTesting@123
  crypto map test
  ip nat inside
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
```

Related Commands

- no – Removes the configured password
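In the example above, `show context` prints the WWAN password string as part of the interface configuration, so saved or shared configuration captures can carry the carrier credential. The following is an added example, not code from the manual or from Extreme Networks: it scans a capture for `password` lines, reports which form each uses, and returns a redacted copy. The sample capture is constructed from the manual's example; the profile names, the encrypted value and the one-space-per-level indentation are assumptions.

```python
import re

# Constructed sample: the manual's wwan1 context plus a second, invented
# profile that uses the encrypted "2 <WORD>" form.
SAMPLE_CONTEXT = """\
profile rfs6000 testRFS6000
 interface wwan1
  password TechPubsTesting@123
  crypto map test
  ip nat inside
  ip default-gateway priority 1
profile rfs6000 constructed-site-b
 interface wwan1
  password 2 Q29uc3RydWN0ZWRCbG9i
"""

# "password <WORD>" is the plain form, "password 2 <WORD>" the encrypted form.
PASSWORD_RE = re.compile(r"^(\s*password\s+)(2\s+)?(\S+)\s*$")
MAX_PASSWORD_CHARS = 32  # limit stated in the manual for <WORD>


def audit_passwords(capture):
    """Return (findings, redacted_text) for a `show context` capture."""
    findings, redacted = [], []
    profile = interface = None
    for lineno, line in enumerate(capture.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("profile "):
            profile, interface = stripped, None
        elif stripped.startswith("interface "):
            interface = stripped
        match = PASSWORD_RE.match(line)
        if match:
            prefix, marker, secret = match.groups()
            findings.append({
                "line": lineno,
                "profile": profile,
                "interface": interface,
                "form": "encrypted" if marker else "clear-text",
                "within_length_limit": bool(marker) or len(secret) <= MAX_PASSWORD_CHARS,
            })
            # Keep the keyword and the form marker, drop the secret itself.
            line = f"{prefix}{marker or ''}<redacted>"
        redacted.append(line)
    return findings, "\n".join(redacted)


if __name__ == "__main__":
    found, safe_copy = audit_passwords(SAMPLE_CONTEXT)
    for item in found:
        print(item)
    print(safe_copy)
```
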





7.1.36.7.1 beacon

interface-config-bluetooth-instance

Configures the Bluetooth radio’s beacon’s emitted transmission pattern for Bluetooth radios functioning in the low energy beacon (le-beacon) mode. This option is applicable only if the Bluetooth radio’s operational mode is set to le-beacon.

Supported in the following platforms:

- Access Points – AP8432, AP8533

Syntax

```
beacon [pattern|period]
beacon pattern [eddystone-url1|eddystone-url2|ibeacon]
beacon period <100-10000>
```

Parameters

- beacon pattern [eddystone-url1|eddystone-url2|ibeacon]
  - beacon pattern [eddystone-url1|eddystone-url2|ibeacon] – When the beacon mode is set to ‘le-beacon’, use this command to configure the Bluetooth radio’s beacon’s emitted transmission pattern. Select one of the following beacon patterns:
    - eddystone-url1 – Transmits an Eddystone-URL beacon using URL 1. This is the default setting.
    - eddystone-url2 – Transmits an Eddystone-URL beacon using URL 2.
      An Eddystone-URL frame broadcasts a URL using a compressed encoding scheme to better fit within a limited advertisement packet. Once decoded, the URL can be used by a client for Internet access. If an Eddystone-URL beacon broadcasts https:anysite, clients receiving the packet can access that URL. If setting the transmission pattern as ‘eddystone-url1’ or ‘eddystone-url2’, use the ‘eddystone’ keyword to configure Eddystone beacon payload parameters. For more information, see eddystone.
    - ibeacon – Transmits an ibeacon beacon. iBeacon was created by Apple for use in iPhone OS (iOS) devices (beginning with iOS version 7.0). There are three data fields Apple has made available to iOS applications, a Universally Unique IDentifier (UUID) for device identification, a Major value for device class and a Minor value for more refined information like product category.
      If setting the transmission pattern as ‘ibeacon’, use the ‘ibeacon’ keyword to configure ibeacon beacon payload parameters. For more information, see ibeacon.
    For more information on configuring the Bluetooth radio’s operational mode, see mode.
- beacon period <100-10000>
  - beacon period <100-10000> – Configures the Bluetooth radio’s beacon transmission period, in milliseconds, from 100 - 10000. As the defined period increases, so does the CPU processing time and the number of packets incrementally transmitted (typically one per minute).
    - <100-10000> – Specify a value from 100 - 10000 milliseconds. The default value is 1000 milliseconds.


7.1.36.7.3 eddystone

interface-config-bluetooth-instance

Configures Eddystone beacon payload parameters. Configure these parameters only if the Bluetooth radio interface’s operational mode is set to ‘le-beacon’, and the beacon’s emitted transmission pattern is set to either ‘eddystone-url1’ or ‘eddystone-url2’.

Supported in the following platforms:

- Access Points – AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax

```
eddystone [calibration-rssi <-127-127>|url [1|2] <WORD>]
```

Parameters

- eddystone [calibration-rssi|url [1|2] <WORD>]
  - eddystone [calibration-rssi <-127-127>|url [1|2] <WORD>] – If the Beacon transmission pattern has been set to either ‘eddystone-url1’ or ‘eddystone-url2’, configure the following Eddystone parameters:
    - calibration-rssi – Configures the Eddystone beacon measured calibration signal strength, from -127 to 127 dBm, at 0 meters. Mobile devices can approximate their distance to beacons based on received signal strength. However, distance readings can fluctuate since they depend on several external factors. The closer you are to a beacon, the more accurate the reported distance. This setting is the projected calibration signal strength at 0 meters.
      - <-127-127> – Specify a value from -127 - 127 dBm. The default value is -19 dBm.
    - url [1|2] <WORD> – Configures the Eddystone URL as URL1 OR URL2
      - 1 – Selects the Eddystone URL number 1
      - 2 – Selects the Eddystone URL number 2

      The following keyword is common to the ‘eddystone-url1’ and ‘eddystone-url2’ keywords:
      - <WORD> – Enter a 64 character maximum eddystone-URL1/eddystone-URL2.
        The URL must be 18 characters or less once auto-encoding is applied. URL encoding is used when placing text in a query string to avoid confusion with the URL itself. It is typically used when a browser sends data to a Web server.

Example

```
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#eddystone calibration-rssi -120
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  description AP8432-BLE-Radio1
  mode le-beacon
  beacon pattern eddystone-url2
  beacon period 900
  eddystone calibration-rssi -120
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
```

Related Commands

- no – Removes or reverts to default this Bluetooth radio’s Eddystone beacon payload configurations
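The 64-character input limit and the 18-character limit after encoding are easier to reason about with the compression written out. The following is an added example, not WiNG code: it applies the scheme-prefix and domain-expansion codes from the public Eddystone-URL specification and checks a candidate URL before it is configured. Treating the manual's 18 as the scheme byte plus the encoded remainder, and the HTTPS-only check, are assumptions of this sketch; the URLs are constructed.

```python
# Codes from the public Eddystone-URL specification.
SCHEME_PREFIXES = [
    ("http://www.", 0x00),
    ("https://www.", 0x01),
    ("http://", 0x02),
    ("https://", 0x03),
]
# Forms with a trailing slash come first so they win over the shorter form.
EXPANSIONS = [
    (".com/", 0x00), (".org/", 0x01), (".edu/", 0x02), (".net/", 0x03),
    (".info/", 0x04), (".biz/", 0x05), (".gov/", 0x06),
    (".com", 0x07), (".org", 0x08), (".edu", 0x09), (".net", 0x0A),
    (".info", 0x0B), (".biz", 0x0C), (".gov", 0x0D),
]
MAX_CLI_CHARS = 64      # input limit stated in the manual
MAX_ENCODED_BYTES = 18  # manual's limit after encoding (assumed to include the scheme byte)


def encode_eddystone_url(url):
    """Compress a URL into Eddystone-URL bytes (scheme byte + encoded rest)."""
    for prefix, code in SCHEME_PREFIXES:
        if url.startswith(prefix):
            out, rest = bytearray([code]), url[len(prefix):]
            break
    else:
        raise ValueError("URL must start with http:// or https://")
    if not rest:
        raise ValueError("URL has nothing after the scheme")
    i = 0
    while i < len(rest):
        for text, code in EXPANSIONS:
            if rest.startswith(text, i):
                out.append(code)
                i += len(text)
                break
        else:
            if not 0x21 <= ord(rest[i]) <= 0x7E:
                raise ValueError(f"character {rest[i]!r} cannot be carried in the frame")
            out.append(ord(rest[i]))
            i += 1
    return bytes(out)


def decode_eddystone_url(data):
    """Expand Eddystone-URL bytes back into the URL a client would open."""
    schemes = {code: prefix for prefix, code in SCHEME_PREFIXES}
    expansions = {code: text for text, code in EXPANSIONS}
    if not data or data[0] not in schemes:
        raise ValueError("unknown scheme byte")
    parts = [schemes[data[0]]]
    for byte in data[1:]:
        if byte in expansions:
            parts.append(expansions[byte])
        elif 0x21 <= byte <= 0x7E:
            parts.append(chr(byte))
        else:
            raise ValueError(f"reserved byte 0x{byte:02x}")
    return "".join(parts)


def audit_beacon_url(url):
    """Return a list of reasons the URL should not be configured as-is."""
    issues = []
    if len(url) > MAX_CLI_CHARS:
        issues.append(f"{len(url)} characters, CLI accepts at most {MAX_CLI_CHARS}")
    try:
        encoded = encode_eddystone_url(url)
    except ValueError as exc:
        return issues + [str(exc)]
    if len(encoded) > MAX_ENCODED_BYTES:
        issues.append(f"encodes to {len(encoded)} bytes, limit is {MAX_ENCODED_BYTES}")
    if not url.startswith("https://"):
        # Local policy assumed here: the URL is broadcast to every nearby client.
        issues.append("not HTTPS")
    return issues


if __name__ == "__main__":
    for candidate in ("https://example.org/ap1",
                      "https://portal.example.com/guest/welcome"):
        print(candidate, audit_beacon_url(candidate))
```

A URL well under 64 characters can still exceed the encoded limit, which is why deployments that need long landing pages usually broadcast a short redirect URL they control.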
7.1.36.7.4 ibeacon

interface-config-bluetooth-instance

Configures iBeacon beacon payload parameters. Configure these parameters only if the Bluetooth radio interface’s operational mode is set to ‘le-beacon’, and the beacon’s emitted transmission pattern is set to ‘ibeacon’.

Supported in the following platforms:

- Access Points – AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax

```
ibeacon [calibration-rssi <-127-127>|major <0-65535>|minor <0-65535>|uuid <WORD>]
ibeacon [calibration-rssi <-127-127>|uuid <WORD>]
ibeacon [major|minor] <0-65535>
```

Parameters

- ibeacon [calibration-rssi <-127-127>|major <0-65535>|minor <0-65535>|uuid <WORD>]
  - ibeacon – Configures following iBeacon beacon payload parameters: calibration-rssi, major, minor, and uuid
  - calibration-rssi <-127-127> – Configures the ibeacon measured calibration signal strength, from -127 to 127 dBm, at 1 meter. Mobile devices can approximate their distance to beacons based on received signal strength. However, distance readings can fluctuate since they depend on several external factors. The closer you are to a beacon, the more accurate the reported distance. This setting is the projected calibration signal strength at 1 meter.
    - <-127-127> – Specify a value from -127 - 127 dBm. The default value is -60 dBm.
  - major <0-65535> – Configures the iBeacon Major value from 0 - 65535. Major values identify and distinguish groups. For example, each beacon on a specific floor in a building could be assigned a unique major value.
    - <0-65535> – Specify a value from 0 - 65535. The default value is 1111.
  - minor <0-65535> – Configures the iBeacon Minor value from 0 - 65535. Minor values identify and distinguish individual beacons. Minor values help identify individual beacons within a group of beacons assigned a major value. The default setting is 2,222.
    - <0-65535> – Specify a value from 0 - 65535. The default value is 2222.
  - uuid <WORD> – Configures a 32 hex character maximum UUID. The UUID classification contains 32 hexadecimal digits, split into 5 groups, separated by dashes. For example, f2468da65fa82e841134bc5b71e0893e. The UUID distinguishes iBeacons in the network from all other beacons in networks outside of your direct administration.
    - <WORD> – Specify the UUID (should not exceed 32 hexadecimal characters). The default value is 01F101F101F101F101F101F101F101F1.

Example

```
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon calibration-rssi -70
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon major 1110
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon minor 2210
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon uuid f2468da65fa82e841134bc5b71e0893e
```
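Because the UUID is what separates your beacons from everyone else's, it helps to see how the four `ibeacon` settings land in the advertisement and how a survey tool can sort observed frames. The following is an added example, not WiNG code: it builds and parses the manufacturer-specific data of an iBeacon frame using the publicly documented layout (Apple company ID, type 0x02, length 0x15, 16-byte UUID, big-endian major and minor, signed calibration byte). Requiring exactly 32 hex digits and the category names are assumptions of this sketch.

```python
import struct

APPLE_COMPANY_ID = 0x004C               # company identifier carried by iBeacon frames
IBEACON_TYPE, IBEACON_LENGTH = 0x02, 0x15
WING_DEFAULT_UUID = "01F101F101F101F101F101F101F101F1"  # default stated in the manual


def build_ibeacon(uuid_hex, major, minor, calibration_rssi):
    """Return the manufacturer-specific data for the given `ibeacon` settings."""
    uuid_hex = uuid_hex.replace("-", "")
    if len(uuid_hex) != 32:
        raise ValueError("UUID must be 32 hexadecimal digits")
    uuid_bytes = bytes.fromhex(uuid_hex)  # raises ValueError on non-hex input
    for name, value in (("major", major), ("minor", minor)):
        if not 0 <= value <= 65535:
            raise ValueError(f"{name} must be in 0-65535")
    if not -127 <= calibration_rssi <= 127:
        raise ValueError("calibration-rssi must be in -127-127")
    header = struct.pack("<HBB", APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LENGTH)
    return header + uuid_bytes + struct.pack(">HHb", major, minor, calibration_rssi)


def parse_ibeacon(data):
    """Return the decoded fields, or None if the data is not an iBeacon frame."""
    if len(data) != 25:
        return None
    if struct.unpack_from("<HBB", data, 0) != (APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LENGTH):
        return None
    major, minor, rssi = struct.unpack_from(">HHb", data, 20)
    return {"uuid": data[4:20].hex(), "major": major, "minor": minor,
            "calibration_rssi": rssi}


def classify(data, site_uuid_hex):
    """Sort an observed frame: 'site', 'default-uuid', 'foreign' or 'not-ibeacon'."""
    beacon = parse_ibeacon(data)
    if beacon is None:
        return "not-ibeacon"
    if beacon["uuid"] == WING_DEFAULT_UUID.lower():
        # A radio left on the default UUID cannot be told apart from any
        # other deployment that also kept the default.
        return "default-uuid"
    if beacon["uuid"] == site_uuid_hex.replace("-", "").lower():
        return "site"
    return "foreign"


if __name__ == "__main__":
    # Values from the manual's example commands.
    frame = build_ibeacon("f2468da65fa82e841134bc5b71e0893e", 1110, 2210, -70)
    print(frame.hex())
    print(parse_ibeacon(frame))
    print(classify(frame, "f2468da65fa82e841134bc5b71e0893e"))
```
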

7.1.36.7.5 mode

interface-config-bluetooth-instance

Configures the Bluetooth radio interface’s mode of operation as bt-sensor or le-beacon

Supported in the following platforms:

- Access Points – AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax

```
mode [bt-sensor|le-beacon|le-tracking]
```

Parameters

- mode [bt-sensor|le-beacon|le-tracking]
  - mode – Configures the Bluetooth radio interface’s mode of operation. The options are:
    - bt-sensor – Select this option to provide Bluetooth support for legacy devices. bt-sensors are Bluetooth classic sensors providing robust wireless connections for legacy devices. Typically these connections are not ideally suited for the newer Bluetooth low energy (BLE) technology supported devices. This is the default setting.
    - le-beacon – Select this option to provide Bluetooth support for newer BLE technology supported devices. le-beacons are newer Bluetooth low energy beacons ideal for applications requiring intermittent or periodic transfers of small amounts of data. le-beacons are not designed as replacements for classic beacon sensors. If selecting this option, use the beacon keyword to configure the Beacon transmission period and Beacon transmission pattern.
    - le-tracking – Select this option to provide Bluetooth support for BLE asset tracking. When enabled, it uses the AP’s Bluetooth radio to detect BLE ‘asset tags’ within the managed network. This information is reported to a back-end server (NSight server).

Example

```
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#mode le-beacon
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
```

Related Commands

- no – Reverts this Bluetooth radio’s mode of operation to le-beacon

7.1.36.7.7 no

interface-config-bluetooth-instance

Removes or reverts to default this AP8432/AP8533 Bluetooth radio interface’s settings

Supported in the following platforms:

- Access Points – AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax

```
no [beacon|description|eddystone|ibeacon|mode|shutdown]
no beacon [pattern|period]
no description
no eddystone [calibration-rssi|url [1|2]]
no ibeacon [calibration-rssi|major|minor|uuid]
no mode
no shutdown
```

Parameters

- no <PARAMETERS>
  - no <PARAMETERS> – Removes or reverts to default this Bluetooth radio interface’s settings based on the parameters passed
    - <PARAMETERS> – Specify the parameters.

Example

The following example shows the AP8432 default profile’s Bluetooth radio interface settings:

```
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no shutdown
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no ibeacon minor
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no ibeacon calibration-rssi
```

The following example shows the AP8432 default profile’s Bluetooth radio interface settings after the ‘no’ commands are executed:

```
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  no shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon major 1110
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
```

7.1.37.1 ip

ip

Configures IPv4 routing components, such as default gateway, DHCP, DNS server forwarding, name server, domain name, routing standards, etc.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

```
ip [default-gateway|dhcp|dns-server-forward|domain-lookup|domain-name|igmp|name-server|nat|route|routing]
ip default-gateway [<IP>|<HOST-ALIAS-NAME>|failover|priority [dhcp-client <1-1800>|static-route <1-1800>]]
ip [dns-server-forward|domain-lookup|domain-name <DOMAIN-NAME>|name-server <IP>|routing]
ip dhcp client [hostname|persistent-lease]
ip igmp snooping {fast-leave|forward-unknown-multicast|querier}
ip igmp snooping {fast-leave|forward-unknown-multicast}
ip igmp snooping {querier} {max-response-time <1-25>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-3>}
ip nat [crypto|inside|outside|pool]
ip nat [crypto source pool|pool] <NAT-POOL-NAME>
ip nat [inside|outside] [destination|source]
ip nat [inside|outside] destination static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]
ip nat [inside|outside] source [list|static]
ip nat [inside|outside] source static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]
ip nat [inside|outside] source list <IP-ACCESS-LIST-NAME> interface [<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address <IP>|interface <L3-IF-NAME>|overload|pool <NAT-POOL-NAME>)]
ip route <IP/M> [<IP>|<HOST-ALIAS-NAME>]
```

NOTE: The command ‘ip igmp snooping’ can be configured under bridge VLAN context also. For example:

```
rfs7000-37FABE(config-device 00-15-70-37-FA-BE-bridge-vlan-1)#ip igmp snooping forward-unknown-multicast
```

Parameters

- ip default-gateway [<IP>|<HOST-ALIAS-NAME>|failover|priority [dhcp-client <1-1800>|static-route <1-1800>]]
  - ip – Configures IPv4 routing components
- default-gateway – Configures default gateway (next-hop router) parameters
- <IP> – Configures default gateway’s IP address
  - <IP> – Specify the default gateway’s IP address.
- failover – Configures failover to the gateway (with next higher priority) when the current default gateway is unreachable (In case of multiple default gateways). This option is enabled by default.
- <HOST-ALIAS-NAME> – Configures the host alias mapped to the required default gateway
  - <HOST-ALIAS-NAME> – Specify the host alias name (should be existing and configured). Host alias names begin with a ‘$’.
- priority [dhcp-client <1-1800>|static-route <1-1800>] – Configures default gateway priority
  - dhcp-client <1-1800> – Defines a priority for the default gateway acquired by the DHCP client on the VLAN interface. The default setting is 1000.
  - static-route <1-1800> – Defines the weight (priority) assigned to this static route versus others that have been defined to avoid potential congestion. The default setting is 100.

  The following keyword is common to ‘dhcp-client’ and ‘static-route’ parameters:
  - <1-1800> – Specify the priority from 1 - 18000 (lower the value higher is the priority).

- ip [dns-server-forward|domain-lookup|domain-name <DOMAIN-NAME>|name-server <IP>|routing]
  - ip – Configures IPv4 routing components
  - dns-server-forward – Enables DNS forwarding. This command enables the forwarding of DNS queries to DNS servers outside of the network. This option is disabled by default.
  - domain-lookup – Enables domain lookup. When enabled, human friendly domain names are converted into numerical IP destination addresses. The option is enabled by default.
  - domain-name <DOMAIN-NAME> – Configures a default domain name
    - <DOMAIN-NAME> – Specify a name for the DNS (should not exceed 64 characters in length).
  - name-server <IP> – Configures the name server’s IP address
    - <IP> – Specify the IP address of the name server.
  - routing – Enables IP routing of logically addressed packets from their source to their destination. IPv4 routing is enabled by default.
- ip dhcp client [hostname|persistent-lease]
  - ip – Configures IPv4 routing components
  - dhcp – Configures the DHCP client and host
  - client [hostname|persistent-lease] – Sets the DHCP client
    - hostname – Includes the hostname in the DHCP lease for the requesting client. This option is enabled by default.
    - persistent-lease – Retains the last lease across reboots if the DHCP server is unreachable. A persistent DHCP lease assigns the same IP address and other network information to the device each time it renews its DHCP lease. This option is disabled by default.
- ip igmp snooping {fast-leave|forward-unknown-multicast}
  - ip – Configures IPv4 routing components
  - fast-leave – Optional. Enables fast leave processing. When enabled, leave messages are processed quickly, preventing the host from receiving further traffic. Should be configured for one (wired) host network only. This option is disabled by default.
    This feature is supported only on the AP7502, AP8232, AP8533 model access points.
  - igmp snooping forward-unknown-multicast – Optional. Enables unknown multicast data packets to be flooded in the specified VLAN. This option is disabled by default.
- ip igmp snooping {querier} {max-response-time <1-25>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-3>}
  - ip – Configures IPv4 routing components
  - igmp snooping querier – Optional. Enables the IGMP querier functionality for the specified VLAN. By default IGMP snooping querier is disabled.
  - max-response-time <1-25> – Configures the IGMP maximum query response interval used in IGMP V2/V3 queries for the given VLAN. The default is 10 seconds.
  - query-interval <1-18000> – Configures the IGMP querier query interval in seconds. Specify a value from 1 - 18000 seconds. The default is 60 seconds.
  - robustness-variable <1-7> – Configures the IGMP robustness variable from 1 - 7. The default is 2.
  - timer expiry <60-300> – Configures the other querier time out value for the given VLAN. The default is 60 seconds.
  - version <1-3> – Configures the IGMP query version for the given VLAN. The default is 3.
- ip nat [crypto source pool|pool <NAT-POOL-NAME>]
  - ip – Configures IPv4 routing components
  - nat – Configures the NAT parameters
  - crypto source pool <NAT-POOL-NAME> – Configures the NAT source address translation settings for IPSec tunnels
    - <NAT-POOL-NAME> – Specify a NAT pool name.
  - pool <NAT-POOL-NAME> – Configures a pool of IP addresses for NAT
    - <NAT-POOL-NAME> – Specify a name for the NAT pool.
- ip nat [inside|outside] destination static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]
  - ip – Configures IPv4 routing components
  - nat – Configures the NAT parameters
  - [inside|outside] – Configures inside and outside address translation for the destination
    - inside – Configures inside address translation
    - outside – Configures outside address translation
  - destination static <ACTUAL-IP> – The following keywords are common to the ‘inside’ and ‘outside’ parameters:
    - destination – Specifies destination address translation parameters
    - static – Specifies static NAT local to global mapping
    - <ACTUAL-IP> – Specify the actual outside IP address to map.
- <1-65535> [tcp|udp]
  - <1-65535> – Configures the actual outside port. Specify a value from 1 - 65535.
  - tcp – Configures Transmission Control Protocol (TCP) port
  - udp – Configures User Datagram Protocol (UDP) port
- <NATTED-IP> <1-65535> – Enables configuration of the outside natted IP address
  - <NATTED-IP> – Specify the outside natted IP address.
  - <1-65535> – Optional. Configures the outside natted port. Specify a value from 1 - 65535.

- ip nat [inside|outside] source static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]
  - ip – Configures IPv4 routing components
  - nat – Configures the NAT parameters
  - [inside|outside] – Configures inside and outside address translation for the source
    - inside – Configures inside address translation
    - outside – Configures outside address translation
  - source static <ACTUAL-IP> – The following keywords are common to the ‘inside’ and ‘outside’ parameters:
    - source – Specifies source address translation parameters
    - static – Specifies static NAT local to global mapping
    - <ACTUAL-IP> – Specify the actual inside IP address to map.
  - <1-65535> [tcp|udp]
    - <1-65535> – Configures the actual outside port. Specify a value from 1 - 65535.
    - tcp – Configures Transmission Control Protocol (TCP) port
    - udp – Configures User Datagram Protocol (UDP) port
  - <NATTED-IP> <1-65535> – Enables configuration of the outside natted IP address
    - <NATTED-IP> – Specify the outside natted IP address.
    - <1-65535> – Optional. Configures the outside natted port. Specify a value from 1 - 65535.
- ip nat [inside|outside] source list <IP-ACCESS-LIST-NAME> interface [<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address <IP>|interface <L3-IF-NAME>|overload|pool <NAT-POOL-NAME>)]
  - ip – Configures IPv4 routing components
  - nat – Configures the NAT parameters
  - [inside|outside] – Configures inside and outside IP access list
  - source list <IP-ACCESS-LIST-NAME> – Configures an access list describing local addresses
    - <IP-ACCESS-LIST-NAME> – Specify a name for the IP access list.
  - interface [<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] – Selects an interface to configure. Select a layer 3 router interface or a VLAN interface.
    - <INTERFACE-NAME> – Selects a layer 3 interface. Specify the layer 3 router interface name.
    - vlan – Selects a VLAN interface
      - <1-4094> – Set the SVI VLAN ID of the interface.
    - pppoe1 – Selects PPP over Ethernet interface
    - wwan1 – Selects Wireless WAN interface
  - address <IP> – The following keyword is recursive and common to all interface types:
    - address <IP> – Configures the interface IP address used with NAT
- interface <L3-IF-NAME> – The following keyword is recursive and common to all interface types:
  - interface <L3-IF-NAME> – Configures a wireless controller or service platform’s VLAN interface
    - <L3IFNAME> – Specify the SVI VLAN ID of the interface.
- overload – The following keyword is recursive and common to all interface types:
  - overload – Enables use of global address for many local addresses
- pool <NAT-POOL-NAME> – The following keyword is recursive and common to all interface types:
  - pool <NAT-POOL-NAME> – Specifies the NAT pool
    - <NAT-POOL-NAME> – Specify the NAT pool name.

- ip route <IP/M> [<IP>|<HOST-ALIAS-NAME>]
  - ip – Configures IPv4 routing components
  - route – Configures the static routes
  - <IP/M> – Specify the IP destination prefix in the A.B.C.D/M format.
  - <IP> – Specify the IP address of the gateway.
  - <HOST-ALIAS-NAME> – Configures the host alias mapped to the required default gateway
    - <HOST-ALIAS-NAME> – Specify the host alias name (should be existing and configured). Host alias names begin with a ‘$’.

Example

```
rfs6000-37FABE(config-profile-default-rfs6000)#ip default-gateway 172.16.10.4
rfs6000-37FABE(config-profile-default-rfs6000)#ip dns-server-forward
rfs6000-37FABE(config-profile-default-rfs6000)#ip nat inside source list test interface vlan 1 pool pool1 overload
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 ip default-gateway 172.16.10.4
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
........................................................
  qos trust 802.1p
 interface ge3
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 ip dns-server-forward
 ip nat inside source list test interface vlan1 pool pool1 overload
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#
```


7.1.37.2.1 address

nat-pool-config-instance

Configures NAT pool of IP addresses

Define a range of IP addresses hidden from the public Internet. NAT modifies network address information in the defined IP range while in transit across a traffic routing device. NAT only provides IP address translation and does not provide a firewall. A branch deployment with NAT by itself will not block traffic from being potentially routed through a NAT device. Consequently, NAT should be deployed with a stateful firewall.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

```
address [<IP>|range <START-IP> <END-IP>]
```

Parameters

- address [<IP>|range <START-IP> <END-IP>]
  - address <IP> – Adds a single IP address to the NAT pool
  - range <START-IP> <END-IP> – Adds a range of IP addresses to the NAT pool
    - <START-IP> – Specify the starting IP address of the range.
    - <END-IP> – Specify the ending IP address of the range.

Example

```
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#show context
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#
```

Related Commands

- no – Removes address(es) configured with this NAT pool
7.1.37.2.2 no

nat-pool-config-instance

Removes address(es) configured with this NAT pool

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

```
no address [<IP>|range <START-IP> <END-IP>]
```

Parameters

- no address [<IP>|range <START-IP> <END-IP>]
  - no address [<IP>|range <START-IP> <END-IP>] – Removes a single IP address or a range of IP addresses from this NAT pool

Usage Guidelines

The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example

```
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#show context
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#no address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#show context
 ip nat pool pool1
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#
```

Related Commands

- address – Configures NAT pool IP address(es)
7.1.38 ipv6

Profile Config Commands

Configures IPv6 routing components, such as default gateway, DNS server forwarding, name server, routing standards, etc. These IPv6 settings are applied to all devices using this profile.

You can also configure IPv6 settings on a device, using the device’s configuration mode.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax

```
ipv6 [default-gateway|dns-server-forward|hop-limit|mld|name-server|nd-reachable-time|neighbor|ns-interval|ra-convert|route|ula-reject-route|unicast-routing]
ipv6 [default-gateway <IPv6> {vlan <VLAN-ID>}|dns-server-forward|hop-limit <1-255>|name-server <IPv6>|nd-reachable-time <5000-3600000>|ns-interval <1000-3600000>|ula-reject-route|unicast-routing]
ipv6 ra-convert {throttle interval <3-1800> max-RAs <1-256>}
ipv6 mld snooping {forward-unknown-multicast|querier}
ipv6 mld snooping {forward-unknown-multicast}
ipv6 mld snooping {querier} {max-response-time <1-25000>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-2>}
ipv6 neighbor [<IPv6>|timeout]
ipv6 neighbor <IPv6> <MAC> [<INTF-NAME>|pppoe1|vlan <1-4094>|wwan1] {dhcp-server|router}
ipv6 neighbor timeout <15-86400>
ipv6 route <DEST-IPv6-PREFIX/PREFIX-LENGTH> <IPv6-GATEWAY-ADDRESS> {vlan <VLAN-ID>}
```

NOTE: The IPv6 settings configured at the profile/device level are global configuration settings and not interface-specific.

Parameters

- ipv6 [default-gateway <IPv6> {vlan <VLAN-ID>}|dns-server-forward|hop-limit <1-255>|name-server <IPv6>|nd-reachable-time <5000-3600000>|ns-interval <1000-3600000>|ula-reject-route|unicast-routing]
  - ipv6 – Configures IPv6 routing components
  - default-gateway <IPv6> {vlan <VLAN-ID>} – Configures IPv6 default gateway’s address in the ::/0 format
    - vlan <VLAN-ID> – Optional. Specify the VLAN interface’s ID through which the default gateway is accessible.
  - dns-server-forward – Enables DNS server forwarding. This command enables the forwarding of DNS queries to DNS servers outside of the network. This feature is disabled by default.

- forward-unknown-multicast – Optional. Enables unknown multicast forwarding. This feature is enabled by default.

- ipv6 mld snooping {querier} {max-response-time <1-25000>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-2>}
  - ipv6 – Configures IPv6 routing components
  - mld snooping querier – Enables MLD protocol snooping
    - querier – Optional. Enables the on-board MLD querier. When enabled, IPv6 devices send query messages to discover which network devices are members of a given multicast group. This option is disabled by default.
  - max-response-time <1-25000> – Configures the MLD querier’s maximum query response time. This is the time for which the querier waits before sending a responding report. Queriers use MLD reports to join and leave multicast groups and receive group traffic.
    - <1-25000> – Specify a value from 1 - 25000 milliseconds. The default is 10 milliseconds.
  - query-interval <1-18000> – Configures the interval, in seconds, between two consecutive MLD querier’s queries. The robustness variable is an indication of how susceptible the subnet is to lost packets. MLD can recover from robustness variable minus 1 lost MLD packets.
    - <1-18000> – Specify a value from 1 - 18000 seconds. The default is 60 seconds.
  - robustness-variable <1-7> – Configures the MLD IGMP robustness variable. This value is used by the sender of a query.
    - <1-7> – Select a value from 1 - 7. The default is 2.
  - timer expiry <60-300> – Configures the MLD other querier (any external querier) timeout
    - <60-300> – Specify a value from 60 - 300 seconds. The default is 60 seconds.
  - version <1-2> – Configures the MLD querier’s version. MLD version 1 is based on IGMP version 2 for IPv4. MLD version 2 is based on IGMP version 3 for IPv4 and is fully backward compatible. IPv6 multicast uses MLD version 2.
    - <1-2> – Select the MLD version from 1 - 2. The default is 2.
- ipv6 neighbor <IPv6> <MAC> [<INTF-NAME>|pppoe1|vlan <1-4094>|wwan1] {dhcp-server|router}
  - ipv6 – Configures IPv6 routing components
  - neighbor – Configures static IPv6 neighbor entries
  - <IPv6> – Specify the IPv6 address for which a static neighbor entry is created.
  - <MAC> – Specify the MAC address associated with the specified IPv6 address.
  - [<INTF-NAME>|pppoe1|vlan <1-4094>|wwan1] – Specify the following interface settings:
    - <INTF-NAME> – Selects the layer 3 router interface. Specify the interface name.
    - pppoe1 – Selects the PPP over Ethernet interface
    - vlan <1-4094> – Selects the VLAN interface. Specify the VLAN interface index.
    - wwan1 – Selects the wireless WAN interface
  - {dhcp-server|router} – After specifying interface type, you can optionally specify the device type for this neighbor solicitation.
    - dhcp-server – Optional. States this neighbor entry is for a DHCP server
    - router – Optional. States this neighbor entry is for a router

![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 362 7.1.39 l2tpv3 Profile Config Commands Defines the L2TPv3 settings for tunneling layer 2 payloads using VPNs. L2TPv3 is an IETF standard that defines the control and encapsulation protocol settings for tunneling layer 2 frames in an IP network (and access point profile) between two IP nodes. Use L2TPv3 to create tunnels for transporting layer 2 frames. L2TPv3 enables WiNG supported controllers and access points to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TPv3 tunnels can be defined between WiNG devices and other vendor devices supporting the L2TPv3 protocol. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600 Syntax l2tpv3 [hostname <HOSTNAME>|inter-tunnel-bridging|logging|manual-session|router-id [<1-4294967295>|<IP>]|tunnel|udp-listen-port <1024-65535>] l2tpv3 logging ip-address [<IP>|any] hostname [<HOSTNAME>|any] router-id [<IP>|<WORD>|any] Parameters • l2tpv3 [hostname <HOSTNAME>|inter-tunnel-bridging|manual-session|router-id [<1-4294967295>|<IP>]|tunnel|udp-listen-port <1024-65535>] • l2tpv3 logging ip-address [<IP>|any] hostname [<HOSTNAME>|any] router-id [<IP>|<WORD>|any] l2tpv3 Configures the L2TPv3 protocol settings for a profile. hostname <HOSTNAME> Configures the host name sent in the L2TPv3 signalling messages. Tunnel establishment involves exchanging 3 message types (SCCRQ, SCCRP and SCCN) with the peer. Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host. • <HOSTNAME> – Specify the L2TPv3 specific host name. inter-tunnel-bridging Enables inter tunnel bridging of packets. 
This feature is disabled by default. manual-session Creates/modifies L2TPv3 manual sessions. For more information, see l2tpv3-manual-session-commands. router-id [<1-4294967295>|<IP>] Configures the router ID sent in the L2TPv3 signaling messages. These signaling (AVP) messages help to identify tunneled peers. • <1-4294967295> – Configures the router ID in decimal format from 1 - 4294967295 • <IP> – Configures the router ID in the IP address (A.B.C.D) format. tunnel Creates/modifies a L2TPv3 tunnel. For more information, see l2tpv3-tunnel-commands. udp-listen-port <1024-65535> Configures the UDP port used to listen for incoming traffic • <1024-65535> – Specify the UDP port from 1024 - 65535 (default is 1701). l2tpv3 Configures L2TPv3 protocol settings for a profile](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-144.png)
![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 363 Example rfs6000-37FABE(config-profile-default-rfs6000)#l2tpv3 hostname l2tpv3Host1 rfs6000-37FABE(config-profile-default-rfs6000)#l2tpv3 inter-tunnel-bridging rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 bridge vlan 1 bridging-mode isolated-tunnel ip igmp snooping ip igmp snooping querier ................................................. l2tpv3 hostname l2tpv3Host1 l2tpv3 inter-tunnel-bridging rfs6000-37FABE(config-profile-default-rfs6000)# Related Commands logging Enables L2TPv3 tunnel event logging and debugging. When enabled, all events relating to Ethernet frames to and from bridge VLANs and physical ports on a specified IP address, host or router ID are logged. This option is disabled by default. ip-address [<IP>|any] Configures the L2TPv3 peer tunnel IP address for which event logging is enabled. The options are: • <IP> – Specify the peer’s IP address. L2TPv3 events are captured and logged for the specified peer. • any – Peer’s IP address is not specified. Enables event logging for all incoming connections from any IP address. hostname [<HOSTNAME>|any] Configures the L2TPv3 peer tunnel hostname for which event logging is enabled. The options are: • <HOSTNAME> – Specify the peer’s host name. L2TPv3 events are captured and logged for the specified host. • any – Peer’s hostname is not specified. Enables debugging for all incoming connections from any host. router-id [<IP>|<WORD>|any] Configures the L2TPv3 tunnel router ID for which event logging is enabled. The options are: • <IP> – Specify the router ID in the IP address format. • <WORD> – Specify the router ID in the form of an integer or range. For example 100-200. • any – Router ID is not specified. 
Enables debugging for all incoming connections from any L2TPv3 router. no Negates the L2TPv3 tunnel settings on this profile](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-145.png)
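The hostname and router ID configured above travel as AVPs in the tunnel-establishment messages, so a capture on the UDP listen port shows which peer is asking for a tunnel. The parser below is an added example (not part of the WiNG guide or of Extreme's code): it decodes an L2TPv3-over-UDP control message using the RFC 3931 header layout and AVP numbers, then applies a match modelled on the `l2tpv3 logging ip-address … hostname … router-id …` selectors. The match semantics and the sample packet are assumptions constructed for illustration.

```python
import ipaddress
import struct

# RFC 3931 control message types exchanged while a tunnel comes up.
# The manual page abbreviates the third one as SCCN.
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN"}
AVP_MESSAGE_TYPE, AVP_HOST_NAME, AVP_ROUTER_ID = 0, 7, 60


def build_avp(attr_type, value):
    """Encode one mandatory IETF AVP (vendor ID 0); used to construct the sample."""
    return struct.pack("!HHH", 0x8000 | (6 + len(value)), 0, attr_type) + value


def build_control_message(conn_id, ns, nr, avps):
    """Encode an L2TPv3-over-UDP control message; used to construct the sample."""
    body = b"".join(avps)
    # 0xC803 = T (control), L (length present), S (sequence present), Ver 3
    return struct.pack("!HHIHH", 0xC803, 12 + len(body), conn_id, ns, nr) + body


def parse_control_message(payload):
    """Return peer identity fields from one UDP payload, or raise ValueError."""
    if len(payload) < 12:
        raise ValueError("truncated control header")
    flags_ver, length, conn_id, ns, nr = struct.unpack("!HHIHH", payload[:12])
    if not (flags_ver & 0x8000):
        raise ValueError("T bit clear: data message, not a control message")
    if (flags_ver & 0x000F) != 3:
        raise ValueError("not L2TP version 3")
    if not 12 <= length <= len(payload):
        raise ValueError("Length field disagrees with datagram size")
    msg = {"control_connection_id": conn_id, "message_type": None,
           "hostname": None, "router_id": None}
    offset = 12
    while offset < length:
        if length - offset < 6:
            raise ValueError("truncated AVP header")
        first, vendor, attr = struct.unpack("!HHH", payload[offset:offset + 6])
        avp_len = first & 0x03FF            # low 10 bits carry the AVP length
        if avp_len < 6 or offset + avp_len > length:
            raise ValueError("AVP length out of bounds")
        value = payload[offset + 6:offset + avp_len]
        hidden = bool(first & 0x4000)       # hidden AVP values are encrypted
        if vendor == 0 and not hidden:
            if attr == AVP_MESSAGE_TYPE and len(value) == 2:
                code = struct.unpack("!H", value)[0]
                msg["message_type"] = MESSAGE_TYPES.get(code, "type-%d" % code)
            elif attr == AVP_HOST_NAME:
                msg["hostname"] = value.decode("ascii", "replace")
            elif attr == AVP_ROUTER_ID and len(value) == 4:
                msg["router_id"] = struct.unpack("!I", value)[0]
        offset += avp_len
    return msg


def router_id_matches(router_id, spec):
    """Match against <IP>, an integer, a range such as 100-200, or 'any'."""
    if spec == "any":
        return True
    if router_id is None:
        return False
    if "." in spec:
        return int(ipaddress.IPv4Address(spec)) == router_id
    low, _, high = spec.partition("-")
    return int(low) <= router_id <= int(high or low)


def matches_logging_filter(msg, peer_ip, ip_address="any", hostname="any",
                           router_id="any"):
    """Assumed semantics: every selector that is not 'any' must match."""
    ip_ok = (ip_address == "any" or
             ipaddress.ip_address(peer_ip) == ipaddress.ip_address(ip_address))
    host_ok = hostname == "any" or msg["hostname"] == hostname
    return ip_ok and host_ok and router_id_matches(msg["router_id"], router_id)


# Constructed sample: the SCCRQ a peer configured with
# "l2tpv3 hostname l2tpv3Host1" and router ID 150 would send.
SAMPLE_SCCRQ = build_control_message(0, 0, 0, [
    build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", 1)),
    build_avp(AVP_HOST_NAME, b"l2tpv3Host1"),
    build_avp(AVP_ROUTER_ID, struct.pack("!I", 150)),
])

if __name__ == "__main__":
    parsed = parse_control_message(SAMPLE_SCCRQ)
    print(parsed)
    print(matches_logging_filter(parsed, "192.0.2.10", router_id="100-200"))
```

Hostname and router ID are sent by the peer itself, so they identify a peer for logging and triage but do not authenticate it.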


![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 3667.1.42 led-timeoutProfile Config CommandsConfigures the LED-timeout timer in the device or profile configuration modeSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600Syntaxled-timeout [<15-1440>|shutdown]Parameters• led-timeout [<15-1440>|shutdown]Examplenx9500-6C8809(config-device-B4-C7-99-6C-88-09)#led-timeout 25nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show contextnx9000 B4-C7-99-6C-88-09 use profile default-nx9000 use rf-domain default hostname nx9500-6C8809 license AAP 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1 license HTANLT 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497 no autogen-uniqueid ip default-gateway 192.168.13.2 led-timeout 25 --More--nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#led-timeout shutdownnx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show contextnx9000 B4-C7-99-6C-88-09 use profile default-nx9000 use rf-domain default hostname nx9500-6C8809 license AAP 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1 license HTANLT 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497 no autogen-uniqueid ip default-gateway 192.168.13.2 led-timeout shutdown crypto ikev2 peer IKEv2Peer1--More--nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#led-time [<15-1440>|shutdown]Sets the LED-timeout timer. The value provided here determines the interval (time to lapse) for which a device’s LEDs are turned off after the last radio state change. 
For example, if set at 15 minutes, the LEDs are turned off for 15 minutes after the last radio state change.• <15-1440> – Specify a value from 15 - 1400 minutes. The default is 30 minutes.• shutdown – Shuts down the LED-timeout timer. The device LEDs are not turned off.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-148.png)


![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 369 7.1.44 legacy-auto-update Profile Config Commands Auto updates an AP7161 legacy access point firmware. Supported in the following platforms: • Access Points — AP7161 Syntax legacy-auto-update ap71xx image <FILE> Parameters • legacy-auto-update ap71xx image <FILE> Example rfs6000-37FABE(config-profile-default-rfs6000)#legacy-auto-update ap71xx image flash:/ap47d.img Related Commands legacy-auto-update Updates a legacy AP7161 access point firmware. ap71xx image <FILE> Auto updates legacy AP7161 firmware • image – Sets the path to the firmware image • <FILE> – Specify the path and filename in the flash:/ap.img format. no Disables automatic legacy firmware upgrade](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-151.png)
![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 370 7.1.45 lldp Profile Config Commands Enables LLDP on this profile and configures LLDP settings. LLDP or IEEE 802.1AB is a vendor-neutral Data Link Layer protocol used by network devices for advertising of (announcing) identity, capabilities, and interconnections on an IEEE 802 LAN network. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery. Both LLDP snooping and the ability to generate and transmit LLDP packets are provided. Information obtained via CDP and LLDP snooping is available in the UI. Information obtained using LLDP is provided during the adoption process, so the layer 2 device detected by the access point can be used as a criterion in the provisioning policy. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax lldp [holdtime|med-tlv-select|run|timer] lldp [holdtime <10-1800>|run|timer <5-900>] lldp med-tlv-select [inventory-management|power-management {auto}] Parameters • lldp [holdtime <10-1800>|run|timer <5-900>] • lldp med-tlv-select [inventory-management|power-management {auto}] lldp Enables LLDP on this profile and configures LLDP settings. holdtime <10-1800> Sets the holdtime for transmitted LLDP PDUs. This command specifies the time a receiving device holds information before discarding. • <10-1800> – Specify a holdtime from 10 - 1800 seconds. The default is 180 seconds. run Enables LLDP on this profile. timer <5-900> Sets the transmit interval. This command specifies the transmission frequency of LLDP updates in seconds. • <5-900> – Specify transmit interval from 5 - 900 seconds. 
The default is 60 seconds. lldp Enables LLDP on this profile and configures LLDP settings. med-tlv-select [inventory-management|power-management {auto}] Provides additional media endpoint device TLVs to enable inventory and power management discovery. Specifies the LLDP MED TLVs to send or receive. • inventory-management – Enables inventory management discovery. Allows an endpoint to convey detailed inventory information about itself. This information includes details, such as manufacturer, model, and software version, etc. This option is enabled by default. Contd..](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-152.png)

![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 372 7.1.46 load-balancing Profile Config Commands Configures load balancing parameters. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax load-balancing [advanced-params|balance-ap-loads|balance-band-loads|balance-channel-loads|band-control-strategy|band-ratio|group-id|neighbor-selection-strategy] load-balancing advanced-params [2.4GHz-load|5GHz-load|ap-load|equality-margin|hiwater-threshold|max-neighbors|max-preferred-band-load|min-common-clients|min-neighbor-rssi|min-probe-rssi] load-balancing advanced-params [2.4GHz-load|5GHz-load|ap-load] [client-weightage|throughput-weightage] <0-100> load-balancing advanced-params equality-margin [2.4GHz|5GHz|ap|band] <0-100> load-balancing advanced-params hiwater-threshold [ap|channel-2.4GHz|channel-5GHz] <0-100> load-balancing advanced-params max-preferred-band-load [2.4GHz|5GHz] <0-100> load-balancing advanced-params [max-neighbors <0-16>|min-common-clients <0-256>|min-neighbor-rssi <-100-30>|min-probe-rssi <-100-30>] load-balancing [balance-ap-loads|balance-band-loads|balance-channel-loads [2.4GHz|5GHz]] load-balancing band-control-strategy [distribute-by-ratio|prefer-2.4GHz|prefer-5GHz] load-balancing band-ratio [2.4GHz|5GHz] [0|<1-10>] load-balancing group-id <GROUP-ID> load-balancing neighbor-selection-strategy [use-common-clients|use-roam-notification|use-smart-rf] Parameters • load-balancing advanced-params [2.4GHz-load|5GHz-load|ap-load] [client-weightage|throughput-weightage] <0-100> load-balancing advanced-params Configures advanced load balancing parameters. 2.4GHz-load [client-weightage|throughput-weightage] <0-100> Configures 2.4 GHz load calculation weightages • 
client-weightage – Specifies weightage assigned to the client-count when calculating the 2.4 GHz load. Contd..](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-154.png)
![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 373 • load-balancing advanced-params equality-margin [2.4GHz|5GHz|ap|band] <0-100> • throughput-weightage – Specifies weightage assigned to throughput, when calculating the 2.4 GHz load. The following keyword is common to the ‘client-weightage’ and ‘throughput-weightage’ parameters: • <0-100> – Sets the margin as a load percentage from 1 - 100. The default client-weightage is 90%. The default throughput-weightage is 10%. 5GHz-load [client-weightage|throughput-weightage] <0-100> Configures 5.0 GHz load calculation weightages • client-weightage – Specifies weightage assigned to the client-count when calculating the 5.0 GHz load • throughput-weightage – Specifies weightage assigned to throughput, when calculating the 5.0 GHz load. The following keyword is common to the ‘client-weightage’ and ‘throughput-weightage’ parameters: • <0-100> – Sets the margin as a load percentage from 1 - 100. The default client-weightage is 90%. The default throughput-weightage is 10%. ap-load [client-weightage|throughput-weightage] <0-100> Configures AP load calculation weightages • client-weightage – Specifies weightage assigned to the client-count, when calculating the AP load • throughput-weightage – Specifies weightage assigned to throughput, when calculating the AP load. The following keyword is common to the ‘client-weightage’ and ‘throughput-weightage’ parameters: • <0-100> – Sets the margin as a load percentage from 1 - 100. The default client-weightage is 90%. The default throughput-weightage is 10%. load-balancing advanced-params Configures advanced load balancing parameters. equality-margin [2.4GHz|5GHz|ap|band] <0-100> Configures the maximum load difference considered equal. 
The load is compared for different 2.4 GHz channels, 5.0 GHz channels, APs, or bands. • 2.4GHz – Configures the maximum load difference considered equal when comparing loads on different 2.4 GHz channels • 5GHz – Configures the maximum load difference considered equal when comparing loads on different 5.0 GHz channels • ap – Configures the maximum load difference considered equal when comparing loads on different APs • band – Configures the maximum load difference considered equal when comparing loads on different bands. The following keyword is common to 2.4 GHz channels, 5.0 GHz channels, APs, and bands: • <0-100> – Sets the margin as a load percentage from 1 - 100. The default equality-margin for 2.5 GHz, 5.0 GHz, ap, and band loads is 1%.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-155.png)
![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 374 • load-balancing advanced-params hiwater-threshold [ap|channel-2.4GHz|channel-5GHz] <0-100> • load-balancing advanced-params max-preferred-band-load [2.4GHz|5GHz] <0-100> • load-balancing advanced-params [max-neighbors <0-16>|min-common-clients <0-256>|min-neighbor-rssi <-100-30>|min-probe-rssi <-100-30>] load-balancing advanced-params Configures advanced load balancing parameters. hiwater-threshold Configures the load beyond which load balancing is invoked. [ap|channel-2.4GHz|channel-5GHz] <0-100> Select one of the following options: • ap – Configures the AP load beyond which load balancing begins • channel-2.4GHz – Configures the AP load beyond which load balancing begins (for APs on 2.4 GHz channel) • channel-5GHz – Configures the AP load beyond which load balancing begins (for APs on 5.0 GHz channel). The following keyword is common for the ‘AP’, ‘channel-2.4GHz’, and ‘channel-5GHz’ parameters: • <0-100> – Sets the load threshold as a number from 1 - 100. The default hiwater-threshold for channel-2.5GHz, channel-5GHz, and ap loads is 5. load-balancing advanced-params Configures advanced load balancing parameters. max-preferred-band-load Configures the maximum load on the preferred band, beyond which the other band is equally preferred. [2.4GHz|5GHz] <0-100> Select one of the following options: • 2.4GHz – Configures the maximum load on 2.4 GHz, when it is the preferred band • 5GHz – Configures the maximum load on 5.0 GHz, when it is the preferred band. The following keyword is common to the 2.4 GHz and 5.0 GHz bands: • <0-100> – Configures the maximum load as a percentage from 0 - 100. The default value for 2.4GHz and 5GHz is 75%. load-balancing advanced-params Configures advanced load balancing parameters. max-neighbors <0-16> Configures the maximum number of confirmed neighbors to balance • <0-16> – Specify a value from 0 - 16. 
Optionally configure a minimum of 0 neighbors and a maximum of 16 neighbors. The default is 16. min-common-clients <0-256> Configures the minimum number of common clients that can be shared with the neighbor for load balancing • <0-256> – Specify a value from 0 - 256. Optionally configure a minimum of 0 clients and a maximum of 256 clients. The default is 0. min-neighbor-rssi <-100-30> Configures the minimum signal strength (RSSI) of a neighbor detected • <-100-30> – Sets the signal strength in dBm. Specify a value from -100 - 30 dBm. The default is -65 dBm.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-156.png)
![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 375 • load-balancing [balance-ap-loads|balance-band-loads|balance-channel-loads [2.4GHz|5GHz]] • load-balancing band-control-strategy [distribute-by-ratio|prefer-2.4GHz|prefer-5GHz] • load-balancing band-ratio [2.4GHz|5GHz] [0|<1-10>] min-probe-rssi <-100-30> Configures the minimum received probe signal strength required to qualify the sender as a common client • <-100-30> – Sets the signal strength in dBm. Specify a value from -100 - 30 dBm. The default is -100 dBm. load-balancing Configures the following load balancing parameters: ap-loads, band-loads, and channel-loads. balance-ap-loads Enables neighbor AP load balancing. This option distributes the access point’s radio load amongst other controller managed access point radios. This option is disabled by default. balance-band-loads Enables balancing of the total band load amongst neighbors. This option balances the access point’s radio load by assigning a ratio to both the 2.4 GHz and 5.0 GHz bands. Balancing radio load by band ratio allows an administrator to assign a greater weight to radio traffic on either the 2.4 GHz or 5.0 GHz band. This option is disabled by default. balance-channel-loads [2.4GHz|5GHz] Enables the following: • 2.4GHz – Channel load balancing on 2.4 GHz band. This option is disabled by default. Balances the access point’s 2.4 GHz radio load across channels supported within the country of deployment. This can prevent congestion on the 2.4 GHz radio if a channel is overutilized. • 5GHz – Channel load balancing on 5.0 GHz band. This option is disabled by default. Balances the access point’s 5.0 GHz radio load across channels supported within the country of deployment. This can prevent congestion on the 5.0 GHz radio if a channel is overutilized. load-balancing band-control-strategy Configures a band control strategy. By default, this option steers 5.0 GHz-capable clients to the 5.0 GHz band. 
When an access point hears a request from a client to associate on both the 2.4 GHz and 5.0 GHz bands, it knows the client is capable of operation in 5.0 GHz. Band steering steers the client by responding only to the 5.0 GHz association request and not the 2.4 GHz request. Consequently, the client only associates in the 5.0 GHz band. distribute-by-ratio Distributes clients to either band according to the band-ratio. prefer-2.4GHz Nudges all dual-band clients to 2.4 GHz band. prefer-5GHz Nudges all dual-band clients to 5.0 GHz band. This is the default setting. load-balancing band-ratio Configures the relative loading of 2.4 GHz band and 5.0 GHz band. This allows an administrator to weight client traffic load if wishing to prioritize client traffic load on the 2.4 GHz or the 5.0 GHz radio band. The higher the value set, the greater the weight assigned to radio traffic load on the 2.4 GHz or 5.0 GHz radio band. 2.4GHz [0|<1-10>] Configures the relative loading of 2.4 GHz band • 0 – Selecting ‘0’ steers all dual-band clients preferentially to the other band • <0-10> – Configures a relative load as a number from 0 - 10. The default is 0.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-157.png)
![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 376• load-balancing group-id <GROUP-ID>• load-balancing neighbor-selection-strategy [use-common-clients|use-roam-notification|use-smart-rf]Examplerfs6000-37FABE(config-profile-default-rfs6000)#load-balancing advanced-params 2.4ghz-load throughput-weightage 90rfs6000-37FABE(config-profile-default-rfs6000)#load-balancing advanced-params hiwater-threshold ap 90rfs6000-37FABE(config-profile-default-rfs6000)#load-balancing balance-ap-loadsrfs7000-37FABE(config-profile-default-rfs6000)#show contextprofile rfs6000 default-rfs6000 bridge vlan 1 bridging-mode isolated-tunnel ip igmp snooping ip igmp snooping querier ip default-gateway 172.16.10.4 autoinstall configuration autoinstall firmware load-balancing advanced-params 2.4ghz-load throughput-weightage 90 load-balancing advanced-params hiwater-threshold ap 90 load-balancing balance-ap-loads--More--rfs6000-37FABE(config-profile-default-rfs6000)#Related Commands5ghz [0|<1-10>] Configures the relative loading of 5.0 GHz band• 0 – Selecting ‘0’ steers all dual-band clients preferentially to the other band• <0-10> – Configures a relative load as a number from 0 - 10. The default is 1.load-balancing group-id <GROUP-ID>Configures group ID to facilitate load balancing• <GROUP-ID> – Specify the group ID. This option is enabled only when a group ID is configured.load-balancing neighbor-selection-strategyConfigures a neighbor selection strategy. The options are: use-common-clients, use-roam-notification, and use-smart-rfuse-common-clients Selects neighbors based on probes from clients common to neighbors. This option is enabled by default.use-roam-notification Selects neighbors based on roam notifications from roamed clients. This option is enabled by default.use-smart-rf Selects neighbors detected by Smart RF. 
This option is enabled by default.no Disables load balancing on this profile](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-158.png)
![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 377 7.1.47 logging Profile Config Commands Enables message logging and configures logging settings. When enabled, the profile logs individual system events to a user-defined log file or a syslog server. Message logging is disabled by default. Enabling message logging is recommended, because system event logs can be analyzed to determine an overall pattern that may be negatively impacting performance. This command can also be executed in the device configuration mode. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax logging [aggregation-time|buffered|console|facility|forward|host|on|syslog] logging [aggregation-time <1-60>|host [<IPv4>|<IPv6>] {port <1-65535>}|on] logging [buffered|console|syslog|forward] [<0-7>|emergencies|alerts|critical|errors|warnings|notifications|informational|debugging] logging facility [local0|local1|local2|local3|local4|local5|local6|local7] Parameters • logging [aggregation-time <1-60>|host [<IPv4>|<IPv6>] {port <1-65535>}|on] • logging [buffered|console|syslog|forward] [<0-7>|emergencies|alerts|critical|errors|warnings|notifications|informational|debugging] logging Enables message logging and configures logging settings. aggregation-time <1-60> Sets the number of seconds for aggregating repeated messages. This is the interval at which system events are logged on behalf of this profile. The shorter the interval, the sooner the event is logged. • <1-60> – Specify a value from 1 - 60 seconds. The default value is 0. host [<IPv4>|<IPv6>] {port <1-65535>} Configures a remote host to receive log messages. 
Defines numerical (non DNS) IPv4 or IPv6 addresses for external resources where logged system events can be sent on behalf of the profile (or device). A maximum of four entries can be made. • <IPv4> – Specify the IPv4 address of the remote host. • <IPv6> – Specify the IPv6 address of the remote host. • port <1-65535> – Optional. Configures the syslog port • <1-65535> – Specify the syslog port from 1 - 65535. The default port is 514. on Enables the logging of system messages. logging Enables message logging and configures logging settings. buffered Sets the buffered logging level. console Sets the console logging level. syslog Sets the syslog server’s logging level](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-159.png)
![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 378 • logging facility [local0|local1|local2|local3|local4|local5|local6|local7] Example rfs6000-37FABE(config-profile-default-rfs6000)#logging facility local4 rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 bridge vlan 1 ................................................... ip dns-server-forward logging facility local4 ip nat pool pool1 address range 172.16.10.2 172.16.10.8 ip nat inside source list test interface vlan1 pool pool1 overload lldp timer 20 service pm sys-restart router ospf l2tpv3 hostname l2tpv3Host1 l2tpv3 inter-tunnel-bridging rfs6000-37FABE(config-profile-default-rfs6000)# Related Commands forward Forwards system debug messages to the wireless controller or service platform. [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings] The following keywords are common to the buffered, console, syslog, and forward parameters. All incoming messages have different severity levels based on their importance. 
The severity level is fixed on a scale of 0 - 7. • <0-7> – Sets the message logging severity level on a scale of 0 - 7 • emergencies – Severity level 0: System is unusable • alerts – Severity level 1: Requires immediate action • critical – Severity level 2: Critical conditions • errors – Severity level 3: Error conditions • warnings – Severity level 4: Warning conditions (default) • notifications – Severity level 5: Normal but significant conditions • informational – Severity level 6: Informational messages • debugging – Severity level 7: Debugging messages. logging Enables message logging and configures logging settings. facility [local0|local1|local2|local3|local4|local5|local6|local7] Enables the syslog to decide where to send the incoming message. There are 8 logging facilities, from local0 to local7. • local0 – Syslog facility local0 • local1 – Syslog facility local1 • local2 – Syslog facility local2 • local3 – Syslog facility local3 • local4 – Syslog facility local4 • local5 – Syslog facility local5 • local6 – Syslog facility local6 • local7 – Syslog facility local7. no Disables logging on this profile](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-160.png)
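Because message logging is disabled by default and the facility and severity settings decide what a collector actually receives, it is worth checking both the profile and the messages arriving at the syslog server. The script below is an added example (not part of the WiNG guide): it reads `logging` lines from a profile context, flags profiles that never enable logging or never name a remote host, and decodes the standard syslog `<PRI>` value (facility × 8 + severity, with local0 = 16) to confirm received messages match the configured facility and threshold. It assumes that `logging on` and `logging host` appear in `show context` once configured, that the level sets the least severe message sent, and that messages carry a `<PRI>` prefix; the hardened profile and the received messages are constructed samples.

```python
import re

# Severity keywords in the order the page lists them (index = level 0 - 7).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
LOCAL0_CODE = 16     # standard syslog facility codes: local0 = 16 ... local7 = 23
DEFAULT_LEVEL = 4    # the page marks "warnings" as the default
MAX_HOSTS = 4        # "A maximum of four entries can be made."
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_level(word):
    """Accept either <0-7> or one of the severity keywords."""
    if word.isdigit() and 0 <= int(word) <= 7:
        return int(word)
    if word in SEVERITIES:
        return SEVERITIES.index(word)
    raise ValueError("unknown severity: %r" % word)


def parse_logging_config(lines):
    """Collect the logging settings found in profile or device context lines."""
    cfg = {"enabled": False, "hosts": [], "facility": None,
           "syslog_level": DEFAULT_LEVEL}
    for raw in lines:
        words = raw.split()
        if len(words) < 2 or words[0] != "logging":
            continue
        if words[1] == "on":
            cfg["enabled"] = True
        elif words[1] == "host" and len(words) >= 3:
            has_port = words[3:4] == ["port"] and len(words) >= 5
            cfg["hosts"].append((words[2], int(words[4]) if has_port else 514))
        elif words[1] == "facility" and len(words) >= 3:
            cfg["facility"] = words[2]
        elif words[1] == "syslog" and len(words) >= 3:
            cfg["syslog_level"] = parse_level(words[2])
    return cfg


def audit_config(cfg):
    """Return findings that leave the device without off-box event records."""
    findings = []
    if not cfg["enabled"]:
        findings.append("message logging is not enabled (disabled by default)")
    if not cfg["hosts"]:
        findings.append("no remote logging host: events stay on the device")
    if len(cfg["hosts"]) > MAX_HOSTS:
        findings.append("more than four logging hosts configured")
    return findings


def decode_pri(message):
    """Split the <PRI> prefix into (facility code, severity level)."""
    match = PRI_RE.match(message)
    if not match or int(match.group(1)) > 191:
        raise ValueError("missing or invalid <PRI> field")
    return divmod(int(match.group(1)), 8)


def check_message(cfg, message):
    """Compare one received message with what the profile should emit."""
    facility, severity = decode_pri(message)
    problems = []
    if cfg["facility"] is not None:
        expected = LOCAL0_CODE + int(cfg["facility"][len("local"):])
        if facility != expected:
            problems.append("facility %d, expected %s" % (facility, cfg["facility"]))
    if severity > cfg["syslog_level"]:
        problems.append("severity %s is below the configured threshold"
                        % SEVERITIES[severity])
    return problems


# Lines taken from the page's own "show context" example.
PAGE_CONTEXT = ["ip dns-server-forward", "logging facility local4",
                "lldp timer 20", "l2tpv3 hostname l2tpv3Host1"]
# Constructed profile that uses only commands documented on the page.
HARDENED_PROFILE = ["logging on", "logging host 192.0.2.50 port 514",
                    "logging syslog warnings", "logging facility local4"]
# Constructed received messages: local4/warning, local4/informational, local0/warning.
RECEIVED = ["<164>sample warning event", "<166>sample informational event",
            "<132>sample event from another facility"]

if __name__ == "__main__":
    print(audit_config(parse_logging_config(PAGE_CONTEXT)))
    hardened = parse_logging_config(HARDENED_PROFILE)
    for line in RECEIVED:
        print(line, check_message(hardened, line))
```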
![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 379 7.1.48 mac-address-table Profile Config Commands Configures the MAC address table. Use this command to create MAC address table entries by assigning a static address to the MAC address table. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mac-address-table [aging-time|detect-gateways|static] mac-address-table aging-time [0|<10-1000000>] mac-address-table detect-gateways mac-address-table static <MAC> vlan <1-4094> interface [<L2-INTERFACE>|ge <1-4>|port-channel <1-2>] Parameters • mac-address-table aging-time [0|<10-1000000>] • mac-address-table detect-gateways • mac-address-table static <MAC> vlan <1-4094> interface [<L2-INTERFACE>|ge <1-4>|port-channel <1-2>] mac-address-table aging-time [0|<10-1000000>] Sets the duration a learned MAC address persists after the last update • 0 – Entering the value ‘0’ disables the aging time • <10-1000000> – Sets the aging time from 10 - 100000 seconds. The default is 300 seconds. mac-address-table detect-gateways Enables automatic detection of gateways. Detected gateways are remembered in the MAC address table. mac-address-table static <MAC> Creates a static MAC address table entry • <MAC> – Specifies the static address to add to the MAC address table. Specify the MAC address in the AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF, or AABB.CCDD.EEFF format. vlan <1-4094> Assigns a static MAC address to a specified VLAN port • <1-4094> – Specify the VLAN index from 1 - 4094. interface [<L2-INTERFACE>|ge <1-4>|port-channel <1-2>] Specifies the interface type. 
The options are: layer 2 Interface, GigabitEthernet interface, and a port channel interface • <L2-INTERFACE> – Specify the layer 2 interface name. • ge – Specifies a GigabitEthernet interface • <1-4> – Specify the GigabitEthernet interface index from 1 - 4. • port-channel – Specifies a port channel interface • <1-2> – Specify the port channel interface index from 1 - 2.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-161.png)

![PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 381 7.1.49 mac-auth Profile Config Commands Enables authentication of a client’s MAC address on wired ports. When configured, MAC authentication will be enabled on devices using this profile. To enable MAC address authentication on a device, enter the device’s configuration mode and execute the mac-auth command. When enabled, the source MAC address of a device, connected to the specified wired port, is authenticated with the RADIUS server. Once authenticated the device is permitted access to the managed network and packets from the authenticated source are processed. If not authenticated the device is either denied access or provided guest access through the guest VLAN (provided guest VLAN access is configured on the port). Enabling MAC authentication requires you to first configure a AAA policy specifying the RADIUS server. Configure the client’s MAC address on the specified RADIUS server. Attach this AAA policy to a profile or a device. Finally, enable MAC authentication on the desired wired port of the device or device-profile. Only one MAC address is supported for every wired port. Consequently, when one source MAC address is authenticated, packets from all other sources are dropped. To enable client MAC authentication on a wired port: 1. Configure the user on the RADIUS server. The following examples create a RADIUS server user entry. a. <DEVICE>(config)#radius-group <RAD-GROUP-NAME> <DEVICE>(config-radius-group-<RAD-GROUP-NAME>)#policy vlan <VLAN-ID> b. <DEVICE>(config)#radius-user-pool-policy <RAD-USER-POOL-NAME> <DEVICE>(config-radius-user-pool-<RAD-USER-POOL-NAME>)#user <USER-NAME> password <PASSWORD> group <RAD-GROUP-OF-STEP-A> Note: The <USER-NAME> and <PASSWORD> should be the client’s MAC address. 
This address will be matched against the MAC address of incoming traffic at the specified wired port. c. <DEVICE>(config)#radius-server-policy <RAD-SERVER-POL-NAME> <DEVICE>(config-radius-server-policy-<RAD-SERVER-POL-NAME>)#use radius-user-pool-policy <RAD-USER-POOL-OF-STEP-B> 2. Configure a AAA policy exclusively for wired MAC authentication and specify the authentication (RADIUS) server settings. The following example creates a AAA policy ‘macauth’ and enters its configuration mode: <DEVICE-A>(config)#aaa-policy macauth <DEVICE-A>(config-aaa-policy-macauth)#... a. Specify the RADIUS server details. <DEVICE-A>(config)#aaa-policy macauth <DEVICE-A>(config-aaa-policy-macauth)#authentication server <1-6> [host <IP>|onboard] 3. Attach the AAA policy to the device or profile. When attached to a profile, the AAA policy is applied to all devices using this profile. <DEVICE>(config-device-aa-bb-cc-dd-ee)#mac-auth use aaa-policy macauth <DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#mac-auth use aaa-policy macauth](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-163.png)



![7.1.51 memory-profile
Profile Config Commands
Configures memory profile used on the device
Supported in the following platforms:
• Access Points — AP6511, AP6521
Syntax
memory-profile [adopted|standalone]
Parameters
• memory-profile [adopted|standalone]
memory-profile – Configures memory profile used on the device
adopted – Configures adopted mode (no GUI and higher MiNT routes, firewall flows)
standalone – Configures standalone mode (GUI and fewer MiNT routes, firewall flows)
Example
nx9500-6C8809(config-profile-testAP6511)#memory-profile adopted
Note: memory-profile change will take effect after device reboot
nx9500-6C8809(config-profile-testAP6511)#
Related Commands
no – Resets device's memory profile configuration](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-167.png)




![7.1.55 mint
Profile Config Commands
Configures MiNT protocol parameters required for MiNT creation and adoption
MiNT links are required for adoption of a device (APs, wireless controller, and service platform) to a controller. The MiNT link is created on both the adoptee and the adopter. WiNG provides several commands to configure MiNT links and establish adoption for both IPv4 and IPv6 addresses.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
mint [dis|inter-tunnel-bridging|level|link|mlcp|rate-limit|spf-latency|tunnel-across-extended-vlan|tunnel-controller-load-balancing]
mint dis [priority-adjustment <-255-255>|strict-evis-reachability]
mint inter-tunnel-bridging
mint level 1 area-id [<1-16777215>|<NUMBER-ALIAS-NAME>]
mint link [force|ip|listen|vlan]
mint link force ip [<IPv4>|<IPv6>] [<1-65535> level 2|level 2] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-secure {gw [<IP>|<HOST-NAME>]}}
mint link [listen ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>]|vlan <1-4094>] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-security {gw [<IP>|<HOST-NAME>]}|level [1|2]}
mint link ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>] {<1-65535>|adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-security {gw [<IP>|<HOST-NAME>]}|level [1|2]}
mint mlcp [ip|ipv6|vlan]
mint rate-limit level2 [link|mlcp]
mint rate-limit level2 [link [ip [<IPv4>|<IPv6>] <1-65535>|vlan <1-4094>]|mlcp [ip|ipv6|vlan]] rate <50-1000000> max-burst-size <2-1024> {red-threshold [background|best-effort|video|voice] <0-100>}
mint spf-latency <0-60>
mint tunnel-across-extended-vlan
mint tunnel-controller-load-balancing level1
Parameters
• mint dis [priority-adjustment <-255-255>|strict-evis-reachability]
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-172.png)
![dis priority-adjustment <-255-255> – Sets the relative priority for the router to become DIS (designated router)
  • priority-adjustment – Sets priority adjustment added to base priority
  The Designated IS (DIS) priority adjustment is the value added to the base level DIS priority to influence the DIS election. A value of +1 or greater increases DISiness.
  • <-255-255> – Specify a value from -255 - 255. The default is 0.
  Higher numbers result in higher priorities
strict-evis-reachability – Enables reaching Ethernet Virtualization Interconnect (EVIS) election winners through MiNT. This option is enabled by default.
• mint inter-tunnel-bridging
mint – Configures MiNT protocol parameters required for MiNT link creation, adoption and communication
inter-tunnel-bridging – Enables forwarding of broadcast multicast (BCMC) packets between devices communicating via Level 2 MiNT links. When enabled, MiNT tunnels across Level 2, adopted access points are bridged. One of the advantages of inter-tunnel bridging is the enabling of roaming between these access points. This option is disabled by default.
  If enabling this option, use ACLs to filter unwanted BCMC traffic.
• mint level 1 area-id [<1-16777215>|<NUMBER-ALIAS-NAME>]
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
level 1 – Configures local MiNT routing settings
  • 1 – Configures local MiNT routing level
area-id [<1-16777215>|<NUMBER-ALIAS-NAME>] – Specifies the level 1 routing area identifier. Use one of the following options to specify the area ID:
  • <1-16777215> – Specify a value from 1 - 16777215.
  • <NUMBER-ALIAS-NAME> – Specify a number alias (should be existing and configured). Aliases are configuration items that can be defined once and used in different configuration contexts. For more information on creating a number alias, see alias.
• mint link force ip [<IPv4>|<IPv6>] [<1-65535> level 2|level 2] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-security {gw [<IP>|<HOST-NAME>]}}
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
link force – Creates a MiNT routing link as a forced link
  • force – Forces a MiNT routing link to be created even if not necessary
ip [<IPv4>|<IPv6>] – Creates a MiNT tunnel over UDP/IPv4 or IPv6
  Use this keyword to specify the IP address (IPv4 or IPv6) used by peers for inter-operation when supporting the MINT protocol.
  • <IPv4> – Specify the MiNT tunnel peer’s IPv4 address.
  • <IPv6> – Specify the MiNT tunnel peer’s IPv6 address.
  After specifying the MiNT peer’s address, configure the following MiNT link parameters: UDP port, adjacency-hold-time, cost, hello-interval, IPSec security gateway, and routing level.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-173.png)
![<1-65535> level 2 – Optional. Specifies a custom UDP port for MiNT links. Specify the port from 1 - 65535.
  • level – Specifies the routing level
  • 2 – Configures level 2 inter-site MiNT routing
adjacency-hold-time <2-600> – Optional. Specifies the adjacency lifetime after hello packets cease
  • <2-600> – Specify a value from 2 - 600 seconds. The default is 46 seconds.
cost <1-100000> – Optional. Specifies the link cost in arbitrary units
  • <1-100000> – Specify a value from 1 - 100000. The default is 100.
hello-interval <1-120> – Optional. Specifies the interval, in seconds, between successive hello packets
  • <1-120> – Specify a value from 1 - 120 seconds. The default is 15 seconds.
ipsec-security {gw [<IP>|<HOST-NAME>]} – Optional. Enables IPSec secure peer authentication on the MiNT link connection (link). This option is disabled by default.
  • gw [<IP>|<HOSTNAME>] – Optional. Configures the IPSec secure gateway. When enabling IPSec, you can optionally specify the IPSec secure gateway’s numerical IP address or administrator defined hostname.
• mint link [listen ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>]|vlan <1-4094>] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|level [1|2]|ipsec-security {gw [<IP>|<HOST-NAME>]}}
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
link listen ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>] – Creates a MiNT routing link
  • listen – Creates a MiNT listening link
  • ip – Creates a MiNT listening link over UDP/IP or IPv6
  • <IPv4> – Specify the IPv4 address of the listening UDP/IP link.
  • <IPv6> – Specify the IPv6 address of the listening UDP/IP link.
  • <HOST-ALIAS-NAME> – Specify the host alias identifying the MiNT link address. The host alias should exist and be configured.
  UDP/IP links can be created by configuring a matching pair of links, one on each end point. However, that is error prone and does not scale. So UDP/IP links can also listen (in the TCP sense), and dynamically create connected UDP/IP links when contacted. The typical configuration is to have a listening UDP/IP link on the IP address S.S.S.S, and for all the APs to have a regular UDP/IP link to S.S.S.S.
link vlan <1-4094> – Enables MiNT routing on VLAN
  • vlan – Defines a VLAN ID used by peers for inter-operation when supporting the MINT protocol.
  • <1-4094> – Select VLAN ID from 1 - 4094.
adjacency-hold-time <2-600> – This parameter is common to the ‘listen’ and ‘vlan’ parameters:
  • adjacency-hold-time <2-600> – Optional. Specifies the adjacency lifetime after hello packets cease
  • <2-600> – Specify a value from 2 - 600 seconds. The default is 46 seconds.
  For MiNT VLAN routing, the default is 13 seconds.
cost <1-100000> – This parameter is common to the ‘listen’ and ‘vlan’ parameters:
  • cost <1-100000> – Optional. Specifies the link cost in arbitrary units
  • <1-100000> – Specify a value from 1 - 100000. The default is 100. For MiNT VLAN routing, the default is 10.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-174.png)
![hello-interval <1-120> – This parameter is common to the ‘listen’ and ‘vlan’ parameters:
  • hello-interval <1-120> – Optional. Specifies the interval, in seconds, between successive hello packets
  • <1-120> – Specify a value from 1 - 120. The default is 15 seconds.
  For MiNT VLAN routing the default is 4 seconds.
level [1|2] – This parameter is common to the ‘listen’ and ‘vlan’ parameters:
  Optional. Specifies the routing levels for this routing link. The options are:
  • 1 – Configures local routing
  • 2 – Configures inter-site routing
ipsec-security {gw [<IP>|<HOST-NAME>]} – This parameter is common to the ‘listen’ and ‘vlan’ parameters:
  • ipsec-security – Optional. Enables IPSec secure peer authentication on the MiNT connection (link). This option is disabled by default.
  • gw [<IP>|<HOSTNAME>] – Optional. Configures the IPSec secure gateway. When enabling IPSec, you can optionally specify the IPSec secure gateway’s numerical IP address or administrator defined hostname.
• mint link ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>] {<1-65535>|adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|level [1|2]|ipsec-security {gw [<IP>|<HOST-NAME>]}}
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
link ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>] – Creates a MiNT routing link
  • ip – Creates a MiNT tunnel over UDP/IP or IPv6
  Use this keyword to specify the IP address (IPv4 or IPv6) used by peers for inter-operation when supporting the MINT protocol.
  • <IPv4> – Specify the IPv4 address used by peers.
  • <IPv6> – Specify the IPv6 address used by peers.
  • <HOST-ALIAS-NAME> – Specify the host alias identifying the MiNT tunnel peer’s address. The host alias should exist and be configured.
<1-65535> – Select the peer UDP port from 1 - 65535.
adjacency-hold-time <2-600> – Optional. Specifies the adjacency lifetime after hello packets cease
  • <2-600> – Specify a value from 2 - 600 seconds. The default is 46 seconds.
cost <1-100000> – Optional. Specifies the link cost in arbitrary units
  • <1-100000> – Specify a value from 1 - 100000. The default is 100.
hello-interval <1-120> – Optional. Specifies the interval, in seconds, between successive hello packets
  • <1-120> – Specify a value from 1 - 120. The default is 15 seconds.
level [1|2] – Optional. Specifies the routing levels for this routing link. The options are:
  • 1 – Configures local routing
  • 2 – Configures inter-site routing
ipsec-security {gw [<IP>|<HOST-NAME>]} – Optional. Enables IPSec secure peer authentication on the MiNT connection (link). This option is disabled by default.
  • gw [<IP>|<HOSTNAME>] – Optional. Configures the IPSec secure gateway. When enabling IPSec, you can optionally specify the IPSec secure gateway’s numerical IP address or administrator defined hostname.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-175.png)
![• mint mlcp [ip|ipv6|vlan]
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
mlcp [ip|ipv6|vlan] – Configures the MLCP using the IP address or VLAN. MLCP is used to create a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a wireless controller or service platform, it can be another access point with a path to the wireless controller or service platform.
  • vlan – Enables MLCP over layer 2 (VLAN) links
  • ip – Enables MLCP over layer 3 (UDP/IP) links. When enabled, allows adoption over IPv4 address.
  • ipv6 – Enables MLCP over layer 3 (UDP/IPv6) links. When enabled, allows adoption over IPv6 address.
• mint rate-limit level2 [link [ip [<IPv4>|<IPv6>] <1-65535>|vlan <1-4094>]|mlcp [ip|ipv6|vlan]] rate <50-1000000> max-burst-size <2-1024> {red-threshold [background|best-effort|video|voice] <0-100>}
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
mint rate-limit level2 – Applies rate limits on extended VLAN traffic
  Excessive traffic can cause performance issues on an extended VLAN. Excessive traffic can be caused by numerous sources including network loops, faulty devices, or malicious software.
  Rate limiting reduces the maximum rate sent or received per wireless client. It prevents any single user from overwhelming the wireless network, and also provides differential service for service providers. Uplink and downlink rate limits are usually configured on a RADIUS server using vendor specific attributes. Rate limits are extracted from the RADIUS server’s response. When such attributes are not present, the settings defined on the controller, service platform or access point are applied. You can set separate QoS rate limit configurations for data types transmitted from the network (upstream) and data transmitted from wireless clients back to associated radios (downstream).
link [ip <IPv4/IPv6> <1-65535>|vlan <1-4094>] – Configures rate limit parameters applicable for all statically configured MiNT links on level2. Select the link-type as ‘IP’ or ‘VLAN’.
  • ip <IPv4/IPv6> – Configures rate limits for MiNT link traffic over UDP/IP
  • <IPv4/IPv6> – Specify the MiNT peer’s IPv4 or IPv6 address in the A.B.C.D and X:X::X:X formats respectively.
  • <1-65535> – Configures the virtual port used for rate limiting traffic. Specify the UDP port from 1 - 65535.
  • vlan <1-4094> – Configures rate limits for MiNT link traffic on specified VLAN
  • <1-4094> – Specify the VLAN ID from 1 - 4094.
mlcp [ip|ipv6|vlan] – Configures rate limit parameters applicable for MLCP
  MLCP creates a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a controller or service platform, it can be an access point with a path to the controller or service platform.
  • ip – Configures rate-limits for MLCP over UDP/IPv4 links
  • ipv6 – Configures rate-limits for MLCP over UDP/IPv6 links
  • vlan – Configures rate-limits for MLCP over VLAN links](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-176.png)
![rate <50-1000000> – Configures the rate limit from 50 - 1000000 Kbps
  This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic exceeding the defined rate is dropped and a log message is generated. The default setting is 5000 Kbps.
max-burst-size <2-1024> – Configures the maximum burst size from 0 - 1024 Kbytes
  The smaller the burst size, the lower the probability of the upstream packet transmission resulting in congestion for the WLAN’s client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, add a 10% margin (minimally) to allow for traffic bursts. The default burst size is 320 Kbytes.
red-threshold [background|best-effort|video|voice] <0-100> – Optional. Configures the random early detection (RED) threshold (as a percentage) for the following traffic types:
  • background – Configures the RED threshold for low priority background traffic. Background packets are dropped and a log message generated if the rate exceeds the set value. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%.
  • best-effort – Configures the RED threshold for low priority best-effort traffic. Best-effort packets are dropped and a log message generated if the rate exceeds the set value. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%.
  • video – Configures the RED threshold for high priority video traffic. Video packets are dropped and a log message generated if the rate exceeds the set value. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 25%.
  • voice – Configures the RED threshold for high priority voice traffic. Voice packets are dropped and a log message generated if the rate exceeds the set value. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 0%.
  • <0-100> – After selecting the traffic type, specify the RED threshold from 0 - 100%.
• mint spf-latency <0-60>
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
spf-latency <0-60> – Specifies the latency of SPF routing recalculation
  This option allows you to set the latency of routing recalculation option (within the Shortest Path First (SPF) field). This option is disabled by default.
  • <0-60> – Specify the latency from 0 - 60 seconds.
• mint tunnel-across-extended-vlan
mint – Configures MiNT protocol parameters required for MiNT link creation and adoption
tunnel-across-extended-vlan – Enables tunneling of MiNT protocol packets across an extended VLAN. This setting is disabled by default.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-177.png)

![7.1.56 misconfiguration-recovery-time
Profile Config Commands
Verifies connectivity after a configuration is received
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
misconfiguration-recovery-time [0|<60-300>]
Parameters
• misconfiguration-recovery-time [0|<60-300>]
<60-300> – Sets the recovery time from 60 - 300 seconds (default is 180 seconds)
0 – Disables recovery from misconfiguration
Example
rfs6000-37FABE(config-profile-default-rfs6000)#misconfiguration-recovery-time 65
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
 .................................................
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 misconfiguration-recovery-time 65
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
no – Reverts to default (180 seconds)](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-179.png)


![7.1.59 no
Profile Config Commands
Negates a command or resets values to their default
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [adopter-auto-provisioning-policy-lookup|adoption|alias|application-policy|area|arp|auto-learn|autogen-uniqueid|autoinstall|bluetooth-detection|bridge|cdp|cluster|configuration-persistence|controller|critical-resource|crypto|database-backup|device-upgrade|diag|dot1x|dpi|dscp-mapping|eguest-server|email-notification|environmental-sensor|events|export|file-sync|floor|gre|http-analyze|interface|ip|ipv6|lacp|l2tpv3|l3e-lite-table|led|led-timeout|legacy-auto-downgrade|legacy-auto-update|lldp|load-balancing|logging|mac-address-table|mac-auth|management-server|memory-profile|meshpoint-device|meshpoint-monitor-interval|min-misconfiguration-recovery-time|mint|misconfiguration-recovery-time|noc|ntp|otls|offline-duration|power-config|preferred-controller-group|preferred-tunnel-controller|radius|raid|rf-domain-manager|router|spanning-tree|traffic-class-mapping|traffic-shape|trustpoint|tunnel-controller|use|virtual-controller|vrrp|vrrp-state-check|zone|wep-shared-key-auth|service]
Parameters
• no <PARAMETERS>
no <PARAMETERS> – Removes or reverts this profile’s settings based on the parameters passed
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.
Example
rfs6000-81742D(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface me1
 interface up1
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface ge6
 interface ge7](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-182.png)

![7.1.60 noc
Profile Config Commands
Configures Network Operations Center (NOC) statistics update interval. This is the interval at which statistical updates are sent by the RF Domain manager to its adopting controller (the NOC controller).
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
noc update-interval [<5-3600>|auto]
Parameters
• noc update-interval [<5-3600>|auto]
noc update-interval [<5-3600>|auto] – Configures NOC statistics update interval
  • <5-3600> – Specify the update interval from 5 - 3600 seconds.
  • auto – The NOC statistics update interval is automatically adjusted by the wireless controller or service platform based on load. This option is enabled by default.
Example
rfs6000-37FABE(config-profile-default-rfs6000)#noc update-interval 25
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 ...................................................
 interface pppoe1
 use firewall-policy default
 misconfiguration-recovery-time 65
 noc update-interval 25
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
no – Resets NOC related parameters](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-184.png)
![7.1.61 nsight
Profile Config Commands
Configures NSight database related parameters. Use this command to configure the data-update periodicity, number of applications posted to the NSight server for a wireless client, and the duration for which data is stored in the NSight database’s buckets. These parameters impact the amount of data stored in the NSight DB and interval at which data is aggregated and expired within the NSight DB. For more information on data aggregation and expiration, see (Data Aggregation and Expiration).
Configure these parameters in the NSight server’s profile configuration mode. These parameters are also configurable on the NSight server’s device configuration mode.
Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000
Syntax
nsight database [statistics|summary]
nsight database statistics [avc-update-interval|max-apps-per-client|max-http-usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-metadata|update-interval|wireless-clients-update-interval]
nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]
nsight database statistics max-apps-per-client <1-1000>
nsight database statistics [max-http-usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-metadata] <1-1000>
nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>
Parameters
• nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]
nsight database statistics – Configures NSight database statistics related parameters
avc-update-interval – Configures the interval, in seconds, at which Application Visibility and Control (AVC) statistics are updated to the NSight database. This interval represents the rate at which AVC-related data is inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see (Data Aggregation and Expiration).
  When configured, RF Domain managers posting AVC-related data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the ‘next update time’ based on the avc-update-interval configured here.
update-interval – Configures the interval, in seconds, at which data is updated to the NSight server. This interval represents the rate at which data (excluding AVC and wireless-clients related statistics) is inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see (Data Aggregation and Expiration).
Contd...](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-185.png)
![Contd. When configured, RF Domain managers posting data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the ‘next update time’ based on the update-interval configured here.
  Note: Use the ‘avc-update-interval’ and ‘wireless-clients-update-interval’ keywords to configure update interval for AVC-related and wireless-clients related information respectively.
wireless-clients-update-interval – Configures the interval, in seconds, at which wireless-client statistics are updated to the NSight server. This interval represents the rate at which wireless-clients related statistics are inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see (Data Aggregation and Expiration).
  When configured, RF Domain managers posting wireless-client related data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the ‘next update time’ based on the wireless-clients-update-interval configured here.
[120|30|300|60|600] – The following keywords are common to all of the above parameters:
  • 120 – Sets the data-update periodicity as 120 seconds (2 minutes)
  • 30 – Sets the data-update periodicity as 30 seconds
  • 300 – Sets the data-update periodicity as 300 seconds (5 minutes). This is the default setting for the ‘avc-update-interval’ and ‘wireless-clients-update-interval’ parameters.
  • 60 – Sets the data-update periodicity as 60 seconds (1 minute). This is the default setting for the ‘update-interval’ parameter.
  • 600 – Sets the data-update periodicity as 600 seconds (10 minutes)
• nsight database statistics max-apps-per-client <1-1000>
nsight database statistics – Configures NSight database statistics related parameters
max-apps-per-client – Configures the maximum number of applications per wireless-client to be posted to the NSight server within the configured data-update interval. This information is included in the AVC statistics posted by RF Domain managers to the NSight server.
<1-1000> – Specify the number of applications posted from 1 - 1000. The default is 10 applications per wireless client.
• nsight database statistics [max-http-usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-metadata] <1-1000>
nsight database statistics – Configures NSight database statistics related parameters
[max-http-usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-metadata] – Configures the number of HTTP and/or SSL metadata posted within an update interval
  • max-http-usage-metadata – Configures the NSight database maximum http-metadata by usage (rx+tx) to be posted in an update-interval
  • max-http-visits-metadata – Configures the NSight database’s maximum http-metadata by the number of visits to be posted within an update-interval
  • max-ssl-usage-metadata – Configures the NSight database maximum ssl-metadata by usage (rx+tx) to be posted in an update-interval
Contd...](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-186.png)



![7.1.62 ntp. Profile Config Commands. Configures the Network Time Protocol (NTP) server settings. NTP manages time and/or network clock synchronization within the network. NTP is a client/server implementation. Controllers, service platforms, and access points (NTP clients) periodically synchronize their clock with a master clock (an NTP server). For example, a controller resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000. Syntax: ntp server <PEER-IP/HOSTNAME> {autokey|key|maxpoll|minpoll|prefer|version}; ntp server <PEER-IP/HOSTNAME> {autokey}; ntp server <PEER-IP/HOSTNAME> {maxpoll [1024|2048|4096|8192]}; ntp server <PEER-IP/HOSTNAME> {minpoll [1024|128|256|512|64]}; ntp server <PEER-IP> {key <1-65534> md5 [0 <WORD>|2 <WORD>|<WORD>]}; ntp server <PEER-IP/HOSTNAME> {prefer version <1-4>|version <1-4> prefer}. Parameters: • ntp server <PEER-IP/HOSTNAME> {autokey} {prefer version <1-4>|version <1-4>} • ntp server <PEER-IP/HOSTNAME> {maxpoll [1024|2048|4096|8192]}. ntp server <PEER-IP/HOSTNAME>: Configures NTP server resources that are used to obtain system time • <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the NTP server’s IP address or hostname. autokey: Optional. Enables automatic configuration of authentication key for the specified NTP server. This option is disabled by default. 
If not enabled, use the ‘key’ option to configure an authentication key for the NTP server. ntp server <PEER-IP/HOSTNAME>: Configures NTP server resources that are used to obtain system time • <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the NTP server’s IP address or hostname. maxpoll [1024|2048|4096|8192]: Optional. Configures the maximum polling interval. Once set, the specified NTP server is polled no later than the defined interval. Select one of the following options: • 1024 – Configures the maximum polling interval as 1024 seconds. This is the default setting. • 2048 – Configures the maximum polling interval as 2048 seconds • 4096 – Configures the maximum polling interval as 4096 seconds • 8192 – Configures the maximum polling interval as 8192 seconds](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-190.png)
![• ntp server <PEER-IP/HOSTNAME> {minpoll [1024|128|256|512|64]} • ntp server <PEER-IP/HOSTNAME> {key <1-65534> md5 [0 <WORD>|2 <WORD>|<WORD>]} • ntp server <PEER-IP/HOSTNAME> {prefer version <1-4>|version <1-4> prefer}. ntp server <PEER-IP/HOSTNAME>: Configures NTP server resources that are used to obtain system time • <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the NTP server’s IP address or hostname. minpoll [1024|128|256|512|64]: Optional. Configures the minimum polling interval. Once set, the specified NTP server is polled no sooner than the defined interval. Select one of the following options: • 1024 – Configures the minimum polling interval as 1024 seconds • 128 – Configures the minimum polling interval as 128 seconds • 256 – Configures the minimum polling interval as 256 seconds • 512 – Configures the minimum polling interval as 512 seconds • 64 – Configures the minimum polling interval as 64 seconds. This is the default setting. ntp server <PEER-IP/HOSTNAME>: Configures NTP server resources that are used to obtain system time • <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the NTP server’s IP address or hostname. key <1-65534> md5 [0 <WORD>|2 <WORD>|<WORD>]: Optional. Defines the authentication key for the specified NTP server. This option is used to configure the key when ‘autokey’ configuration is not enabled. • <1-65534> – Specify the peer key number. Should not exceed 64 characters in length. • md5 – Sets MD5 authentication • 0 <WORD> – Configures a clear text password • 2 <WORD> – Configures an encrypted password • <WORD> – Sets an authentication key. ntp server <PEER-IP/HOSTNAME>: Configures NTP server resources that are used to obtain system time • <PEER-IP/HOSTNAME> – Identifies the NTP server resource by its IP address or hostname. Specify the NTP server’s IP address or hostname. 
prefer version <1-4>: Optional. Designates the specified NTP server as a preferred NTP resource. This setting is disabled by default. • version – Optional. Configures the NTP version • <1-4> – Select the NTP version from 1 - 4. If not specified, the default value of ‘0’ is applied, which implies that the NTP server’s version is ignored. version <1-4> prefer: Optional. Configures the version number used by the specified NTP server resource • <1-4> – Select the NTP version from 1 - 4. The default setting is 0. A value of ‘0’ implies that the NTP server’s version is ignored. • prefer – Optional. Designates the specified NTP server as a preferred NTP resource. This setting is disabled by default. The NTP version number specified using the ‘version <1-4>’ keyword is applied to this preferred NTP resource.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-191.png)
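
On an 'ntp server' entry, 'autokey' and 'key' are the only authentication options, and the '0 <WORD>' form stores the key as clear text. The following is an added example, not part of the WiNG guide: it audits configuration lines written in the syntax above for servers with no authentication, clear-text keys, and key-id or poll values outside the listed ranges. The sample lines, addresses and finding names are constructed for illustration.

```python
"""Audit 'ntp server' lines of a WiNG-style profile for authentication gaps."""

MAXPOLL = {1024, 2048, 4096, 8192}    # maxpoll values listed in the guide
MINPOLL = {64, 128, 256, 512, 1024}   # minpoll values listed in the guide


def parse_ntp_line(line):
    """Return a dict for an 'ntp server ...' line, or None for any other line."""
    tok = line.split()
    if tok[:2] != ["ntp", "server"] or len(tok) < 3:
        return None
    entry = {"server": tok[2], "autokey": False, "prefer": False,
             "key_id": None, "key_format": None,
             "minpoll": None, "maxpoll": None, "version": 0}
    i = 3
    while i < len(tok):
        word = tok[i]
        if word in ("autokey", "prefer"):
            entry[word] = True
        elif word in ("minpoll", "maxpoll", "version"):
            entry[word] = int(tok[i + 1])
            i += 1
        elif word == "key":
            # key <1-65534> md5 [0 <WORD> | 2 <WORD> | <WORD>]
            entry["key_id"] = int(tok[i + 1])
            if tok[i + 2] != "md5":
                raise ValueError("expected 'md5' after the key id")
            marker = tok[i + 3]
            if marker in ("0", "2") and i + 4 < len(tok):
                entry["key_format"] = "clear" if marker == "0" else "encrypted"
                i += 4
            else:
                entry["key_format"] = "unmarked"   # bare <WORD> form
                i += 3
        else:
            raise ValueError("unknown option: " + word)
        i += 1
    return entry


def audit(config_text):
    """Return (line_number, finding, subject) tuples; key material is never echoed."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        try:
            e = parse_ntp_line(line)
        except (ValueError, IndexError):
            findings.append((n, "malformed", line))
            continue
        if e is None:
            continue
        srv = e["server"]
        if not e["autokey"] and e["key_id"] is None:
            findings.append((n, "no-authentication", srv))
        if e["key_format"] == "clear":
            findings.append((n, "clear-text-key", srv))
        if e["key_id"] is not None and not 1 <= e["key_id"] <= 65534:
            findings.append((n, "key-id-out-of-range", srv))
        if e["minpoll"] is not None and e["minpoll"] not in MINPOLL:
            findings.append((n, "invalid-minpoll", srv))
        if e["maxpoll"] is not None and e["maxpoll"] not in MAXPOLL:
            findings.append((n, "invalid-maxpoll", srv))
    return findings


# Constructed sample: documentation addresses and placeholder key values.
SAMPLE = """\
profile rfs6000 default-rfs6000
 ntp server 192.0.2.10 prefer version 4
 ntp server 192.0.2.11 key 5 md5 0 ExampleSecret
 ntp server 192.0.2.12 key 6 md5 2 EXAMPLE-ENCRYPTED-VALUE
 ntp server ntp.example.net autokey
 ntp server 192.0.2.13 minpoll 32 maxpoll 2048
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
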

![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 4117.1.63 otlsProfile Config CommandsEnables support for OmniTrail Location Server (OTLS) beacon identificationOmniTrail (offered by OmniTrail technologies) is a Wi-Fi based locationing protocol used in positioning and tracking location solutions. Access points supporting OTLS beacon identification lock their radios to scan channels for beacons with OTLS tags. Beacons received by the access point are matched for the OTLS signature, and in case of a match, the beacons are forwarded to the OTLS server as UDP payload.Use this command to configure OTLS server details on the AP and enable OTLS data forwarding. Alternately, OTLS parameters can be configured in the AP’s profile on the controller or service platform, and pushed to adopted access points. When configured, APs establish connection with the OTLS server and forward OTLS locationing feeds to the server.Supported in the following platforms:• Access Points — AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533Syntaxotls [apid|control-port|data-port|forward|server-ip]otls apid <WORD>otls control-port <0-65535>otls data-port [2.4GHz|5GHz] <0-65535>otls forward [2.4GHz|5GHz] [disable|enable]otls server-ip <OTLS-SERVER-IP>Parameters• otls apid <WORD>• otls control-port <0-65535>otls apid <WORD> Configures a unique identification for the OTLS-enabled access point. 
The access point identifier (APID) enables the OTLS server to identify the AP forwarding the OTLS tag. • <WORD> – Specify an ID for the AP. To ensure that OTLS-enabled APs have unique OTLS ID, it is recommended that the APID is configured in the device context of each AP. otls control-port <0-65535>: Configures the port used by the AP to establish and maintain connection with the OTLS server • <0-65535> – Specify the control port from 0 - 65535.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-193.png)
![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 412• otls data-port [2.4GHz|5GHz] <0-65535>• otls forward [2.4GHz|5GHz] [disable|enable]• otls server-ip <OTLS-SERVER-IP>Exampleap8533-84A224(config-device-84-24-8D-84-A2-24)#otls apid 112233ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls forward 2.4GHz enableap8533-84A224(config-device-84-24-8D-84-A2-24)#otls forward 5GHz enableap8533-84A224(config-device-84-24-8D-84-A2-24)#otls control-port 8890ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls data-port 2.4GHz 8888ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls data-port 5GHz 8889ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls server-ip 192.168.13.10ap8533-84A224(config-device-84-24-8D-84-A2-24)#show context include-factory | include otls otls forward 5GHz enable otls forward 2.4GHz enable otls server-ip 192.168.13.10 otls control-port 8890 otls data-port 2.4GHz 8888 otls data-port 5GHz 8889 otls apid 112233ap8533-84A224(config-device-84-24-8D-84-A2-24)otls data-port [2.4GHz|5GHz] <0-65535>Configures the port used by the AP to forward OTLS beacons to the OTLS server. However, OTLS data forwarding has to be enabled on the APs. Use the otls > forward > [2.4GHz|5GHz] > [disable|enable] command to enable data forwarding.• 2.4GHz – Configures the port used to forward OTLS beacons received on the 2.4 GHz band• 5.0GHz – Configures the port used to forward OTLS beacons received on the 5.0 GHz bandThe following keyword is common to the above parameters:• <0-65535> – Specify a data-forwarding port from 0 - 65535. otls forward [2.4GHz|5GHz] [disable|enable]Enables or disables OTLS tag forwarding• 2.4GHz – Enables or disables forwarding of OTLS beacons received on the 2.4 GHz band• 5GHz – Enables or disables forwarding of OTLS beacons received on the 5.0 GHz bandThe following keywords are common to the above parameters:• disable – Disables OTLS tag forwarding. 
By default OTLS beacon forwarding is disabled for both 2.4 GHz and 5.0 GHz bands. • enable – Enables OTLS tag forwarding. otls server-ip <OTLS-SERVER-IP>: Configures the OTLS server’s IP address • <OTLS-SERVER-IP> – Specify the OTLS server’s IP address.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-194.png)


![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 4157.1.65 power-configProfile Config CommandsConfigures the power option mode. Use this command in the profile configuration mode to configure the transmit output power of access point radios. This command is also available in the device-config mode.Single radio model access points always operate using a full power configuration. The power management configurations described in this section do not apply to single radio models. When an access point is powered on for the first time, the system determines the power budget available to the access point. If 802.3af is selected, the access point assumes 12.95 watts is available. If the mode is changed, the access point requires a reset to implement the change. If 802.3at is selected, the access point assumes 23 - 26 watts is available.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxpower-config [af-option|at-option|mode]power-config [af-option|at-option] [range|throughput]power-config mode [auto|3af]Parameters• power-config [af-option|at-option] [range|throughput]NOTE: Single radio model access points (AP6511 and AP6521) always operate using a full power configuration. The power management configurations described in this section do not apply to single radio models.The access point has to be restarted for power management changes to take effect.power-config Configures the power option modeaf-option [range|throughput]Configures the 802.3.af power mode option. The options are:• range – Configures the af power range mode. 
This mode provides higher power but fewer transmission (tx) chains.Select range when range is preferred over performance for broadcast/multicast (group) traffic. The data rates used for range are the lowest defined basic rates.• throughput – Configures the af power throughput mode. This mode provides lower power but has more tx chains. This is the default setting.Select throughput to transmit packets at the radio’s highest defined basic rate (based on the radio’s current basic rate settings). This option is optimal in environments where transmission range is secondary to broadcast/multicast transmission performance.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-197.png)
![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 416• power-config mode [auto|3af]Examplenx9500-6C8809(config-profile-testAP7161)#power-config mode 3afnx9500-6C8809(config-profile-testAP7161)#power-config af-option rangenx9500-6C8809(config-profile-testAP7161)#show contextprofile ap71xx testAP7161 no autoinstall configuration no autoinstall firmware power-config mode 3af power-config af-option range crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac --More--nx9500-6C8809(config-profile-testAP7161)#Related Commandsat-option [range|throughput]Configures the 802.3 at power mode option. The options are:• range – Configures the at power range mode. This mode provides higher power but fewer tx chains.Select range when range is preferred over performance for broadcast/multicast (group) traffic. The data rates used for range are the lowest defined basic rates.• throughput – Configures the at power throughput mode. This mode provides lower power but has more tx chains. This is the default setting.Select throughput to transmit packets at the radio’s highest defined basic rate (based on the radio’s current basic rate settings). 
This option is optimal in environments where transmission range is secondary to broadcast/multicast transmission performance.power-config Configures the power option modemode [auto|3af] Configures the AP power mode• 3af – Forces an AP to power up in the 802.3af power mode• auto – Sets the detection auto mode (default setting)The automatic power-config mode enables an access point to automatically determine the best power configuration based on the available power budget.no Reverts the power mode setting on this profile to default](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-198.png)


![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 4197.1.68 radiusProfile Config CommandsConfigures device level RADIUS authentication parametersSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxradius [nas-identifier|nas-port-id] <WORD>Parameters• radius [nas-identifier|nas-port-id] <WORD>Examplerfs6000-37FABE(config-profile-default-rfs6000)#radius nas-port-id 1rfs6000-37FABE(config-profile-default-rfs6000)#radius nas-identifier testrfs6000-37FABE(config-profile-default-rfs6000)#show contextprofile rfs6000 default-rfs6000 mint link ip 1.2.3.4 mint level 1 area-id 88 bridge vlan 1 bridging-mode isolated-tunnel ip igmp snooping ip igmp snooping querier radius nas-identifier test radius nas-port-id 1 neighbor-info-interval 6 neighbor-inactivity-timeout 500--More--rfs6000-37FABE(config-profile-default-rfs6000)#Related Commandsradius Configures RADIUS authentication parametersnas-identifier <WORD>Specifies the RADIUS Network Access Server (NAS) identifier attribute used by this device• <WORD> – Specifies the NAS identifiernas-port-id <WORD> Specifies the RADIUS NAS port ID attribute used by this device• <WORD> – Specifies the NAS port IDno Disables or reverts settings to their default](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-201.png)
![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 4207.1.69 rf-domain-managerProfile Config CommandsConfigures the RF Domain manager election criteriaSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxrf-domain-manager [capable|priority <1-255>]Parameters• rf-domain-manager [capable|priority <1-255>]Examplerfs6000-37FABE(config-profile-default-rfs6000)#rf-domain-manager priority 9rfs6000-37FABE(config-profile-default-rfs6000)#show contextprofile rfs6000 default-rfs6000 mint link ip 1.2.3.4 mint level 1 area-id 88 .............................................. rf-domain-manager priority 9 preferred-controller-group testGroup misconfiguration-recovery-time 65 noc update-interval 25 service pm sys-restart preferred-tunnel-controller testtunnel router ospfrfs6000-37FABE(config-profile-default-rfs6000)#Related Commandsrf-domain-manager Configures the RF Domain manager election criteriacapable Enables devices using this profile capable of being elected as the RF Domain manager. The RF Domain manager stores and provisions configuration and firmware images for other members of the RF Domain. It also updates state changes, if any, to RF Domain members. This option is enabled by default.priority <1-255> Assigns a priority value for devices using this profile in the RF Domain manager election process. The higher the number set, higher is the device’s priority in the RF Domain manager election process.• <1-255> – Select a priority value from 1 - 255.no Disables or reverts settings to their default](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-202.png)
![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 4217.1.70 routerProfile Config CommandsEnables dynamic routing (BGP and/or OSPF) and enters the routing protocol configuration modeSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxrouter [bgp|ospf]Parameters• router [bgp|ospf]NOTE: BGP is supported only on RFS4000, RFS6000, NX75XX, and NX9500 model controllers and service platforms.The NX9500 and NX9510 service platforms do not support OSPF routing.The access points only support OSPF routing.router Enables dynamic routing and enters the routing protocol configuration modebgp Enables BGP dynamic routing and configures relevant settingsBGP is an inter-ISP routing protocol, which establishes routing between ISPs. ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP uses TCP as its transport protocol, eliminating the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing.Routing information exchanged through BGP supports destination based forwarding only. It assumes a router forwards packets based on the destination address carried in the IP header of the packet.An AS is a set of routers under the same administration that use Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS.For more information on dynamic BGP routing configurations, see BORDER GATEWAY PROTOCOL.ospf Enables OSPF dynamic routing and configures relevant settings. Changes configuration mode to router modeOSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. 
OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.For more information on dynamic OSPF routing configurations, see ROUTER-MODE COMMANDS.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-203.png)

![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 4237.1.71 spanning-treeProfile Config CommandsEnables spanning tree commands. Use these commands to configure the errdisable, multiple spanning tree and portfast settings.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxspanning-tree [errdisable|mst|portfast]spanning-tree errdisable recovery [cause bpduguard|interval <10-1000000>]spanning-tree mst [<0-15>|cisco-interoperability|enable|forward-time|hello-time|instance|max-age|max-hops|region|revision]spanning-tree mst [<0-15> priority <0-61440>|cisco-interoperability [enable|disable]|enable|forward-time <4-30>|hello-time <1-10>|instance <1-15>|max-age <6-40>|max-hops <7-127>|region <LINE>|revision <0-255>]spanning-tree portfast [bpdufilter|bpduguard] defaultParameters• spanning-tree errdisable recovery [cause bpduguard|interval <10-1000000>]• spanning-tree mst [<0-15> priority <0-61440>|cisco-interoperability [enable|disable]|enable|forward-time <4-30>|hello-time <1-10>|instance <1-15>|max-age <6-40>|max-hops <7-127>|region <LINE>|revision <0-255>]spanning-tree Configures spanning-tree related parameterserrdisable Disables or shuts down ports where traffic is looping, or ports with traffic in one directionrecovery Enables the timeout mechanism for a port to be recovered. This option is disabled by default.cause bpduguard Specifies the reason for errdisable• bpduguard – Recovers from errdisable due to bpduguardinterval <10-1000000>Specifies the interval after which a port is enabled• <10-1000000> – Specify a value from 10 - 1000000 seconds. 
The default is 300 seconds.spanning-tree Configures spanning-tree related parametersmst Configures Multiple Spanning Tree (MST) commandsThe MSTP provides an extension to STP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-205.png)
![• spanning-tree portfast [bpdufilter|bpduguard] default. <0-15> priority <0-61440>: Specifies the number of instances required to configure MST. Select a value from 0 - 15. • priority – Sets the bridge priority to the specified value. This value is used to determine the root bridge. Use the no parameter with this command to restore the default bridge priority value. • <0-61440> – Sets the bridge priority in increments (Lower priority indicates greater likelihood of becoming root). cisco-interoperability [enable|disable]: Enables CISCO interoperability. Enables interoperability with CISCO’s version of MSTP, which is incompatible with standard MSTP. This setting is disabled by default. enable: Enables MST protocol. forward-time <4-30>: Specifies the forwarding delay time in seconds • <4-30> – Specify a value from 4 - 30 seconds. The default is 15 seconds. hello-time <1-10>: Specifies the hello BPDU interval in seconds • <1-10> – Specify a value from 1 - 10 seconds. The default is 2 seconds. instance <1-15>: Defines the instance ID to which the VLAN is associated • <1-15> – Specify an instance ID from 1 - 10. max-age <6-40>: Defines the maximum time to listen for the root bridge • <6-40> – Specify a value from 4 - 60 seconds. The default is 20 seconds. max-hops <7-127>: Defines the maximum hops when BPDU is valid • <7-127> – Specify a value from 7 - 127. The default is 20. region <LINE>: Specifies the MST region • <LINE> – Specify the region name. revision <0-255>: Sets the MST bridge revision number. This enables the retrieval of configuration information. • <0-255> – Specify a value from 0 - 255. The default is 0. spanning-tree: Configures spanning-tree related parameters. portfast [bpdufilter|bpduguard] default: Enables PortFast on a bridge • bpdufilter default – Sets the BPDU filter for the port. The BPDU filter is disabled by default. The spanning tree protocol sends BPDUs from all ports. 
Enabling the BPDU filter ensures that PortFast enabled ports do not transmit or receive BPDUs. • bpduguard default – Guards PortFast ports against BPDU receive. The BPDU guard is disabled by default. Enabling the BPDU guard means this port will shut down on receiving a BPDU. • default – Enables the BPDU filter and/or BPDU guard on PortFast enabled ports by default](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-206.png)



![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 4287.1.73 traffic-shapeProfile Config CommandsEnables traffic shaping and configures traffic shaping parameters. This command is applicable to both the profile and device configuration modes.Traffic shaping is a means of regulating data transfers and ensuring a specific level of performance within a network. Traffic shaping does the following:• Controls flow of packets based on their priority value. Prioritized traffic streams are given priority over less important traffic.• Controls traffic on an interface to match its flow to the speed of a remote target’s interface and ensure traffic conforms to applied policies• Shapes traffic to meet downstream requirements and eliminate network congestion when data rates are in conflict.Use this option to apply traffic shaping to specific applications or application categories. Note, in scenarios where a traffic class is matched against an application, application-category, and ACL rule, the application rule will be applied first, followed by the application-category, and finally the ACL. Further, using traffic shaping, an application takes precedence over an application category.To enable traffic shaping, configure QoS values on the basis of which priority of service is provided to some packets over others. For example, VoIP packets get higher priority than data packets to provide a better quality of service for high priority voice traffic. For configuring IPv6 traffic class mappings, see traffic-class-mapping. 
And for configuring DSCP traffic class mappings, see dscp-mapping.Supported in the following platforms:• Access Points — AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530Syntaxtraffic-shape [activation-criteria|app-category|application|class|enable|priority-map|total-bandwidth]traffic-shape activation-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]traffic-shape app-category <APP-CATEGORY-NAME> class <1-4>traffic-shape application <APPLICATION-NAME> class <1-4>traffic-shape class <1-4> [max-buffers|max-latency|rate]traffic-shape class <1-4> max-buffers <1-400> {red-level <1-400>|red-percent <1-100>}traffic-shape class <1-4> max-latency <1-1000000> [msec|usec]traffic-shape class <1-4> rate [<1-250000> [Kbps|Mbps]|total-bandwidth-percent <1-100>]](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-210.png)
![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 429traffic-shape priority-map <0-7>traffic-shape total-bandwidth <1-1000000> [Kbps|Mbps]traffic-shape enableParameters• traffic-shape activation-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]• traffic-shape app-category <APP-CATEGORY-NAME> class <1-4>NOTE: The available range for the ‘rate’ field will vary depending on the unit selected. It is 250 - 250000 for Kbps and 1 - 250 for Mbps.NOTE: The available range for the ‘total-bandwidth’ field will vary depending on the unit selected. It is 250 - 1000000 for Kbps and 1 - 1000 for Mbps.traffic-shape activation-criteriaConfigures traffic-shape activation criteria that determines when the device invokes traffic shapingalways Always invokes traffic shaping. This is the default setting.cluster-master Invokes traffic shaping when the device is the cluster master. The solitary cluster master (elected using a priority assignment scheme) is a cluster member that provides management configuration and Smart RF data to other members within the cluster. Cluster requests go through the elected master before dissemination to other cluster members.rf-domain-manager Invokes traffic shaping when the device is the RF Domain manager. The RF Domain manager is the elected member capable of storing and provisioning configuration and firmware images for other members of the RF Domain.vrrp-master <1-255> Invokes traffic shaping when the device is the VRRP master. 
As the VRRP master, the device responds to ARP requests, forwards packets with a destination link MAC layer address equal to the virtual router MAC layer address, rejects packets addressed to the IP associated with the virtual router and accepts packets addressed to the IP associated with the virtual router.• <1-255> – Specify the VRRP group ID from 1 - 255.traffic-shape app-category <APP-CATEGORY-NAME> class <1-4>Configures an application category to traffic-class mapping. Use this option to apply an application category to traffic-shaper class mapping. Naming and categorizing applications that do not fall into existing groups is an additional means of filtering and potentially limiting network airtime to consumptive non required applications negatively impacting network performance.Note: app-category <APP-CATEGORY-NAME> – Specify the application category name. To list the available application categories, press [TAB] after entering app-category. Select the required category from the displayed list.Contd..](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-211.png)
![• traffic-shape application <APPLICATION-NAME> class <1-4> • traffic-shape class <1-4> max-buffers <1-400> {red-level <1-400>|red-percent <1-100>}. • class <1-4> – Map the specified application category to a traffic-shaper class from 1 - 4. Before configuring an application category to class mapping, ensure that the specified classes have been configured. Use the ‘class > [max-buffers|max-latency|rate]’ option available with this command to configure a traffic shaper class. For more information, see following parameter tables. traffic-shape application <APPLICATION-NAME> class <1-4>: Configures an application to traffic-class mapping. Use this option to apply an application to traffic-shaper class mapping. • application <APPLICATION-NAME> – Specify the application name. • class <1-4> – Map the specified application to a traffic-shaper class from 1 - 4. Note: Before configuring an application to class mapping, ensure that the specified classes have been configured. Use the ‘class > [max-buffers|max-latency|rate]’ option available with this command to configure a traffic shaper class. For more information, see following tables. traffic-shape class <1-4> max-buffers <1-400>: Configures the queue length limit for different traffic-shaper class • class <1-4> – Specify the traffic-shaper class from 1 - 4. • max-buffers <1-400> – Configures the maximum queue lengths for packets of different priority queues, after which the queue starts to drop packets. • <1-400> – Configure the queue length limit from 1 - 400 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7. Note: For access points the upper queue length limit is 400. red-level <1-400>: Optional. 
Performs Random Early Drop (RED) when a specified queue length in packets is reached • <1-400> – Configure the queue length limit from 1 - 400 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7. The RED algorithm is a queuing technique for congestion avoidance. RED monitors the average queue size and drops or marks packets. If the buffer is near empty, all incoming packets are accepted. When the queue grows, the probability for dropping an incoming packet also grows. When the buffer is full, the probability has reached 1 and all incoming packets are dropped. Note: For more information on default values, see the Usage Guidelines section in this topic. red-percent <1-100>: Optional. Performs RED when a specified value, which is a percentage of the max-buffers configured, is reached • <1-100> – Configure the percentage of the max-buffers from 1 - 100 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-212.png)
- `traffic-shape class <1-4> max-latency <1-1000000> [msec|usec]`

`traffic-shape class <1-4> max-latency <1-1000000> [msec|usec]`: Configures the max-latency for different traffic-shaper classes. Max latency specifies the time limit after which packets start dropping (maximum packet delay in the queue). The maximum number of entries is 8.
- `class <1-4>` – Specify the traffic-shaper class from 1 - 4.
- `max-latency <1-1000000>` – Configures the max-latency for packets of different priority queues, after which the queue starts to drop packets.
  - `<1-1000000>` – Configure the max-latency from 1 - 100000 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7.
  - `[msec|usec]` – Configures the unit for measuring latency as milliseconds (msec) or microseconds (usec). The default setting is msec.

- `traffic-shape class <1-4> rate [<1-250000> [Kbps|Mbps]|total-bandwidth-percent <1-100>]`

`traffic-shape class <1-4> rate`: Configures the traffic rate, in either Kbps, Mbps or percentage, for the different traffic shaper classes. Specify rates for different traffic shaper classes to control the maximum traffic rate sent or received on an interface. Consider this form of rate limiting on interfaces at the edge of a network to limit traffic into or out of the network. Traffic within the set limit is sent and traffic exceeding the set limit is dropped or sent with a different priority.
- `class <1-4>` – Specify the traffic-shaper class from 1 - 4.

`<1-250000> [Kbps|Mbps]`: Configures the traffic rate, in Kbps or Mbps, for the class specified in the previous step.
- `<1-250000>` – Specify the rate from 1 - 250000.
- `[Kbps|Mbps]` – Configures the unit for measuring bandwidth as Kbps or Mbps. The default setting is Kbps.

Note: The range varies depending on the unit selected. It is 1 - 250 Mbps, or 250 - 250000 Kbps.

`total-bandwidth-percent <1-100>`: Configures the traffic rate, as a percentage of the total available bandwidth, for the class specified in the previous step.
- `<1-100>` – Specify the traffic rate from 1 - 100% of the total bandwidth.

- `traffic-shape priority-map <0-7>`

`traffic-shape priority-map <0-7>`: Configures the traffic-shaper queues, within a class, having different priority values (0, 1, 2, 3, 4, 5, 6, and 7). There are 8 queues (0 - 7), and traffic is queued in each based on the incoming packet’s 802.1p 3-bit priority markings.
- `priority-map <0-7>` – Specify the priority from 0 - 7 for priority levels 0, 1, 2, 3, 4, 5, 6, and 7.

The IEEE 802.1p standard sets a 3-bit value in the MAC header to indicate prioritization. This 3-bit value provides priority levels ranging from 0 to 7 (i.e., a total of 8 levels), with level 7 representing the highest priority. This permits packets to cluster and form different traffic classes. In case of network congestion, packets with higher priority receive preferential treatment while low priority packets are kept on hold.
- `traffic-shape total-bandwidth <1-1000000> [Kbps|Mbps]`

`traffic-shape total-bandwidth <1-1000000> [Kbps|Mbps]`: Configures the total-bandwidth for traffic shaping.
- `<1-1000000>` – Specify the value from 1 - 1000000 Kbps/Mbps. The default value is 10 Mbps.
- `[Kbps|Mbps]` – Configures the unit for measuring bandwidth as Kbps or Mbps. The default setting is Mbps.

Note: The range varies depending on the unit selected. It is 1 - 1000 Mbps, or 250 - 1000000 Kbps.

- `traffic-shape enable`

`traffic-shape enable`: Enables traffic shaping using the defined bandwidth, rate and class mappings configured using this command.

Note: Traffic shaping is disabled by default.

Usage Guidelines

Following are the default max-buffers set for the traffic shaper classes:

```
traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 3 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 4 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
```

Following is the default priority-map setting:

```
traffic-shape priority-map 2 0 1 3 4 5 6 7
```

Example

```
nx9500-6C8809(config-profile-ProfileNX5500)#show context include-factory | include traffic-shape
 traffic-shape priority-map 2 0 1 3 4 5 6 7
 traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape class 3 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape class 4 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
 traffic-shape activation-criteria always
 traffic-shape total-bandwidth 10 Mbps
 no traffic-shape enable
nx9500-6C8809(config-profile-ProfileNX5500)#

nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape enable
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape class 1 rate 250 Mbps
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape application Bing class 1
nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape total-bandwidth 200 Mbps
```
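The following Python sketch is an added example, not part of the WiNG guide or Extreme Networks code: it lints `traffic-shape` lines from `show context` output against the ranges documented above and reports how far each queue's RED threshold sits below its hard limit. The function names, the `Example-App` application and the deliberately bad class 2 and class 3 lines in the sample are constructed for illustration.

```python
# Ranges copied from the parameter descriptions on this page.
RANGES = {
    "rate": {"Mbps": (1, 250), "Kbps": (250, 250000), "%": (1, 100)},
    "total": {"Mbps": (1, 1000), "Kbps": (250, 1000000)},
}

# Constructed sample: lines from the page's example, plus a made-up class 2
# line (red-level 40 > max-buffers 35) and a mapping to unconfigured class 3.
SAMPLE = """\
traffic-shape priority-map 2 0 1 3 4 5 6 7
traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 40 27 27 23 25 20 15 10
traffic-shape class 1 rate 250 Mbps
traffic-shape application Bing class 1
traffic-shape application Example-App class 3
traffic-shape total-bandwidth 200 Mbps
traffic-shape enable
"""


def parse(text):
    """Collect traffic-shape settings from 'show context' style text."""
    cfg = {"buffers": {}, "red": {}, "rate": {}, "maps": [],
           "priority_map": None, "total": None, "enabled": False}
    for line in text.splitlines():
        tok = line.split()
        negated = tok[:1] == ["no"]
        tok = tok[1:] if negated else tok
        if len(tok) < 2 or tok[0] != "traffic-shape":
            continue
        kind, args = tok[1], tok[2:]
        if kind == "enable":
            cfg["enabled"] = not negated
        elif kind == "priority-map":
            cfg["priority_map"] = [int(v) for v in args]
        elif kind == "total-bandwidth":   # unit defaults to Mbps per the page
            cfg["total"] = (int(args[0]), args[1] if len(args) > 1 else "Mbps")
        elif kind in ("application", "app-category"):
            cfg["maps"].append((args[0], int(args[2])))
        elif kind == "class" and len(args) >= 3:
            cls, sub, vals = int(args[0]), args[1], args[2:]
            if sub == "rate" and vals[0] == "total-bandwidth-percent":
                cfg["rate"][cls] = (int(vals[1]), "%")
            elif sub == "rate":           # unit defaults to Kbps per the page
                cfg["rate"][cls] = (int(vals[0]), vals[1] if len(vals) > 1 else "Kbps")
            elif sub == "max-buffers":
                cut = next((i for i, v in enumerate(vals) if v.startswith("red-")), len(vals))
                cfg["buffers"][cls] = [int(v) for v in vals[:cut]]
                if vals[cut:cut + 1] == ["red-level"]:
                    cfg["red"][cls] = [int(v) for v in vals[cut + 1:]]
    return cfg


def audit(text):
    """Return findings for values outside the documented ranges or inconsistent."""
    cfg, out = parse(text), []
    configured = set(cfg["buffers"]) | set(cfg["rate"])
    out += [f"class {c}: class id outside 1-4" for c in sorted(configured) if not 1 <= c <= 4]
    for name in ("buffers", "red"):
        for cls, vals in sorted(cfg[name].items()):
            if len(vals) != 8 or not all(1 <= v <= 400 for v in vals):
                out.append(f"class {cls}: {name} needs 8 values in 1-400")
    for cls, red in sorted(cfg["red"].items()):
        for q, (r, b) in enumerate(zip(red, cfg["buffers"][cls])):
            if r > b:   # RED threshold is beyond the point where the queue drops anyway
                out.append(f"class {cls} queue {q}: red-level {r} > max-buffers {b}")
    for cls, (value, unit) in sorted(cfg["rate"].items()):
        lo, hi = RANGES["rate"].get(unit, (0, -1))
        if not lo <= value <= hi:
            out.append(f"class {cls}: rate {value} {unit} outside documented range")
    if cfg["total"]:
        lo, hi = RANGES["total"].get(cfg["total"][1], (0, -1))
        if not lo <= cfg["total"][0] <= hi:
            out.append(f"total-bandwidth {cfg['total'][0]} {cfg['total'][1]} outside documented range")
    pm = cfg["priority_map"]
    if pm is not None and (len(pm) != 8 or not all(0 <= v <= 7 for v in pm)):
        out.append("priority-map needs 8 values in 0-7")
    for app, cls in cfg["maps"]:
        if cls not in configured:
            out.append(f"{app}: mapped to class {cls}, which has no class settings")
    return out


def red_headroom(text, cls):
    """Packets between the RED threshold and the hard queue limit, per priority queue."""
    cfg = parse(text)
    return [b - r for b, r in zip(cfg["buffers"][cls], cfg["red"][cls])]


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
    print("class 1 RED headroom per queue:", red_headroom(SAMPLE, 1))
```

Feed it the output of `show context include-factory | include traffic-shape` so that factory-default class settings are visible to the mapping check. With the default values, queues 4 to 7 have a red-level equal to max-buffers, so there is no RED range below the hard queue limit for those queues.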

7.1.74 trustpoint (profile-config-mode)

Configures the trustpoint assigned for validating a CMP auth Operator

A certificate links identity information with a public key enclosed in the certificate.

A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain the CA certificate in its Trusted Root Library so it can trust certificates signed by the CA's private key.

Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.

Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
trustpoint [cmp-auth-operator|https|radius-ca|radius-server] <TRUSTPOINT-NAME>
```

Parameters

- `trustpoint [cmp-auth-operator|https|radius-ca|radius-server] <TRUSTPOINT-NAME>`

NOTE: Certificates/trustpoints used in this command should be verifiable as existing on the device.

NOTE: For information on configuring trustpoints on a device, see trustpoint (device-config-mode).

`trustpoint`: Assigns an existing trustpoint to validate CMP auth operator, client certificates, and RADIUS server certificate

`https`: Assigns an existing trustpoint to validate HTTPS requests


7.1.76 use

Associates existing policies with this profile. This command is also applicable to the device configuration mode.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax Profiles Mode

```
use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|dhcp-server-policy|dhcpv6-server-policy|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|management-policy|radius-server-policy|role-policy|routing-policy|web-filter-policy] <POLICY-NAME>
use ip/ipv6-access-list <IP/IPv6-ACL-NAME> traffic-shape class <1-4>
```

Syntax Device Mode

```
use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|database-policy|dhcp-server-policy|dhcpv6-server-policy|enterprise-ui|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|license|management-policy|nsight-policy|profile|radius-server-policy|rf-domain|role-policy|routing-policy|rtl-server-policy|sensor-policy|web-filter-policy|wips-policy] <POLICY-NAME>
```

Parameters Profiles Mode

- `use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|dhcp-server-policy|dhcpv6-server-policy|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|management-policy|radius-server-policy|role-policy|routing-policy|web-filter-policy] <POLICY-NAME>`

NOTE: The following tables contain the ‘use’ command parameters for the Profile and Device configuration modes.

`use`: Associates the specified policies with this profile. The specified policies should be existing and configured.

`auto-provisioning-policy <POLICY-NAME>`: Associates an auto provisioning policy
- `<POLICY-NAME>` – Specify the auto provisioning policy name.

`ip/ipv6-access-list <IP/IPv6-ACL-NAME> traffic-shape class <1-4>`: Associates an IP and/or IPv6 ACL with this profile and applies it as a firewall for the selected traffic-shape class
- `<IP/IPv6-ACL-NAME>` – Specify the IP/IPv6 ACL name (should be existing and configured)
- `traffic-shape class <1-4>` – Selects the traffic-shape class to apply the above specified IP/IPv6 ACL
  - `<1-4>` – Select the traffic-shape class from 1 - 4.

`management-policy <MNGT-POLICY>`: Associates a management policy
- `<MNGT-POLICY>` – Specify the management policy name.

`radius-server-policy <RADIUS-POLICY>`: Associates a device onboard RADIUS policy
- `<RADIUS-POLICY>` – Specify the RADIUS policy name.

`role-policy <ROLE-POLICY>`: Associates a role policy
- `<ROLE-POLICY>` – Specify the role policy name.

`routing-policy <ROUTING-POLICY>`: Associates a routing policy
- `<ROUTING-POLICY>` – Specify the routing policy name.

`web-filter-policy <POLICY-NAME>`: Associates an existing Web Filter policy with a profile or device
- `<POLICY-NAME>` – Specify the policy name.

Parameters Device Mode

- `use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|database-policy|dhcp-server-policy|dhcpv6-server-policy|enterprise-ui|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|license|management-policy|nsight-policy|profile|radius-server-policy|rf-domain|role-policy|routing-policy|rtl-server-policy|sensor-policy|wips-policy|smart-rf-policy|web-filter-policy] <POLICY-NAME>`

`use`: Associates the following policies with this device:

`auto-provisioning-policy <POLICY-NAME>`: Associates an auto provisioning policy
- `<POLICY-NAME>` – Specify the auto provisioning policy name.

`bonjour-gw-forwarding-policy <POLICY-NAME>`: Uses an existing Bonjour GW Forwarding policy with a profile or device
- `<POLICY-NAME>` – Specify the Bonjour GW Forwarding policy name (should be existing and configured).

For more information on Bonjour GW Forwarding policy, see bonjour-gw-forwarding-policy.

`bonjour-gw-query-forwarding-policy <POLICY-NAME>`: Uses an existing Bonjour GW Query Forwarding policy with a profile or device
- `<POLICY-NAME>` – Specify the Bonjour GW Query Forwarding policy name (should be existing and configured).

`captive-portal server <CAPTIVE-PORTAL>`: Configures access to a specified captive portal
- `<CAPTIVE-PORTAL>` – Specify the captive portal name.



7.1.77 vrrp

Configures VRRP group settings

A default gateway is a critical resource for connectivity. However, it is prone to a single point of failure. Thus, redundancy for the default gateway is required. If WAN backhaul is available, and a router failure occurs, then the controller should act as a router and forward traffic on to its WAN link.

Define an external VRRP configuration when router redundancy is required in a network requiring high availability.

Central to VRRP configuration is the election of a VRRP master. A VRRP master (once elected) performs the following functions:
- Responds to ARP requests
- Forwards packets with a destination link layer MAC address equal to the virtual router’s MAC address
- Rejects packets addressed to the IP address associated with the virtual router, if it is not the IP address owner
- Accepts packets addressed to the IP address associated with the virtual router, if it is the IP address owner or accept mode is true.

The nodes that lose the election process enter a backup state. In the backup state they monitor the master for any failures, and in case of a failure one of the backups, in turn, becomes the master and assumes the management of the designated virtual IPs. A backup does not respond to an ARP request, and discards packets destined for a virtual IP resource.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
vrrp [<1-255>|version]
vrrp <1-255> [delta-priority|description|interface|ip|monitor|preempt|priority|sync-group|timers]
vrrp <1-255> [delta-priority <1-253>|description <LINE>|ip <IP> {<IP>}|preempt {delay <1-65535>}|priority <1-254>|sync-group]
vrrp <1-255> interface vlan <1-4094>
vrrp <1-255> monitor [<IF-NAME>|critical-resource|pppoe1|vlan|wwan1]
vrrp <1-255> monitor [<IF-NAME>|pppoe1|vlan <1-4094>|wwan1] {(<IF-NAME>|critical-resource|pppoe1|vlan|wwan1)}
vrrp <1-255> monitor critical-resource <CRM-NAME1> <CRM-NAME2> <CRM-NAME3> <CRM-NAME4> (action [decrement-priority|increment-priority] {<IF-NAME>|pppoe1|vlan|wwan1})
vrrp <1-255> timers advertise [<1-255>|centiseconds <25-4095>|msec <250-999>]
```
```
vrrp version [2|3]
```

Parameters

- `vrrp <1-255> [delta-priority <1-253>|description <LINE>|vrrp ip <IP> {<IP>}|preempt {delay <1-65535>}|priority <1-254>|sync-group]`

`vrrp <1-255>`: Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.

`delta-priority <1-253>`: Configures the priority to decrement (local link monitoring and critical resource monitoring) or increment (critical resource monitoring). When the monitored interface is down, the configured priority decrements by a value defined by the delta-priority option. When monitoring critical resources, the value increments by the delta-priority option.
- `<1-253>` – Specify the delta priority level from 1 - 253.

`description <LINE>`: Configures a text description for the virtual router to further distinguish it from other routers with similar configuration
- `<LINE>` – Provide a description (a string from 1 - 64 characters in length)

`ip <IP-ADDRESSES>`: Identifies the IP address(es) backed by the virtual router. These are IP addresses of Ethernet switches, routers, and security appliances defined as virtual router resources.
- `<IP-ADDRESSES>` – Specify the IP address(es) in the A.B.C.D format.

This configuration triggers VRRP operation.

`preempt {delay <1-65535>}`: Controls whether a high priority backup router preempts a lower priority master. This field determines if a node with higher priority can takeover all virtual IPs from a node with lower priority. This feature is disabled by default.
- `delay` – Optional. Configures the pre-emption delay timer from 1 - 65535 seconds (default is 0 seconds). This option can be used to delay sending out the master advertisement or, in case of monitored link coming up, adjusting the VRRP priority by priority delta.

`priority <1-254>`: Configures the priority level of the router within a VRRP group. This value determines which node is elected as the Master. Higher values imply higher priority, value 254 has the highest precedence (default is 100).

`sync-group`: Adds this VRRP group to a synchronized group. To trigger VRRP failover, it is essential all individual groups within a synchronized group have failover. VRRP failover is triggered if an advertisement is not received from the virtual masters that are part of this VRRP sync group. This feature is disabled by default.

- `vrrp <1-255> interface vlan <1-4094>`

`vrrp <1-255>`: Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.

`interface vlan <1-4094>`: Enables VRRP on the specified switch VLAN interface (SVI)
- `vlan <1-4094>` – Specify the VLAN interface ID from 1 - 4094.

- `vrrp <1-255> monitor critical-resource <CRM-NAME1> <CRM-NAME2> <CRM-NAME3> <CRM-NAME4> (action [decrement-priority|increment-priority] {<IF-NAME>|pppoe1|vlan|wwan1})`

`vrrp <1-255>`: Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.

`monitor`: Enables link monitoring or Critical Resource Monitoring (CRM)
`critical-resource <CRM-NAME1>`: Specifies the name of the critical resource to monitor. VRRP can be configured to monitor a maximum of four critical resources. Use the `<CRM-NAME2>`, `<CRM-NAME3>`, and `<CRM-NAME4>` to provide names of the remaining three critical resources.

By default VRRP is configured to monitor all critical resources on the device.

`action [decrement-priority|increment-priority]`: Sets the action on critical resource down event. It is a recursive parameter that sets the action for each of the four critical resources being monitored.
- `decrement-priority` – Decrements the priority of virtual router on critical resource down event
- `increment-priority` – Increments the priority of virtual router on critical resource down event

`<IF-NAME>`: Optional. Enables interface monitoring
- `<IF-NAME>` – Specify the interface name to monitor

`pppoe1`: Optional. Enables Point-to-Point Protocol (PPP) over Ethernet interface monitoring

`vlan <1-4094>`: Optional. Enables VLAN (switched virtual interface) interface monitoring
- `<1-4094>` – Specify the VLAN interface ID from 1 - 4094.

`wwan1`: Optional. Enables Wireless WAN interface monitoring

- `vrrp <1-255> timers advertise [<1-255>|centiseconds <25-4095>|msec <250-999>]`

`vrrp <1-255>`: Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.

`timers`: Configures the timer that runs every interval

`advertise [<1-255>|centiseconds <25-4095>|msec <250-999>]`: Configures the VRRP advertisements time interval. This is the interval at which a master sends out advertisements on each of its configured VLANs.
- `<1-255>` – Configures the timer interval from 1 - 255 seconds. (applicable for VRRP version 2 only)
- `centiseconds <25-4095>` – Configures the timer interval in centiseconds (1/100th of a second). Specify a value between 25 - 4095 centiseconds (applicable for VRRP version 3 only).
- `msec <250-999>` – Configures the timer interval in milliseconds (1/1000th of a second). Specify a value between 250 - 999 msec (applicable for VRRP version 2 only).

Default is 1 second.

- `vrrp version [2|3]`

`vrrp version [2|3]`: Configures one of the following VRRP versions:
- `2` – VRRP version 2 (RFC 3768). This is the default setting.
- `3` – VRRP version 3 (RFC 5798 only IPV4)

The VRRP version determines the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and support services over virtual IP.
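The following Python model is an added example, not WiNG code: it shows how `priority`, `delta-priority` and `preempt` interact during master election, including the case where a monitored link fails but no failover happens because the backup has preemption disabled. The class and function names and the 10.1.1.x addresses are constructed; the preemption and tie-break rules follow RFC 3768/5798, and flooring the decremented priority at 1 is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    ip: str                    # primary IP on the VRRP VLAN, used only to break ties
    priority: int = 100        # page: 1-254, default 100, higher value wins
    delta_priority: int = 0    # page: 1-253, subtracted while the monitored link is down
    preempt: bool = False      # page: disabled by default
    alive: bool = True         # False models a node that stopped sending advertisements
    link_up: bool = True       # state of the monitored interface

    def effective(self):
        """Priority advertised right now, after link monitoring is applied."""
        dropped = self.priority - (0 if self.link_up else self.delta_priority)
        return max(dropped, 1)  # assumption: floor at the lowest configurable priority


def rank(router):
    # RFC 3768/5798: equal priorities are decided by the higher primary IP address.
    return (router.effective(), int(ipaddress.ip_address(router.ip)))


def elect(routers, master=None):
    """Return the name of the master after one election round.

    `master` is the name of the current master, or None when there is none.
    """
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    current = next((r for r in alive if r.name == master), None)
    if current is None:
        # No advertisements from a master: the best remaining node takes over.
        return max(alive, key=rank).name
    # A live master is replaced only by a backup that has preempt enabled
    # and a strictly higher effective priority.
    challengers = [r for r in alive
                   if r.preempt and r.effective() > current.effective()]
    return max(challengers, key=rank).name if challengers else current.name


def run_scenario():
    """Walk two routers through link failure, preemption and node failure."""
    a = Router("A", "10.1.1.2", priority=200, delta_priority=120, preempt=True)
    b = Router("B", "10.1.1.3")              # defaults: priority 100, no preempt
    group, log = [a, b], []

    master = elect(group)                    # initial election: A (200 > 100)
    log.append(master)

    a.link_up = False                        # A drops to 80, but B cannot preempt
    master = elect(group, master)
    log.append(master)

    b.preempt = True                         # now B (100) takes over from A (80)
    master = elect(group, master)
    log.append(master)

    a.link_up = True                         # A is back at 200 and preempts B
    master = elect(group, master)
    log.append(master)

    a.alive = False                          # A fails outright: B becomes master
    master = elect(group, master)
    log.append(master)
    return log


if __name__ == "__main__":
    print(run_scenario())
```

The second step is the one to check in a real deployment: link monitoring with `delta-priority` lowers the master's priority, but the virtual IP only moves if the backup that should take over has `preempt` enabled.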


7.1.79 virtual-controller

Enables an access point as a virtual-controller (VC) or a dynamic virtual controller (DVC)

When configured without the ‘auto’ option, this command manually enables an AP as a VC. The ‘auto’ option allows dynamic enabling of APs as VCs. When DVC is enabled on an AP’s device or profile context, the AP is dynamically enabled as the VC on being elected as the RF-Domain manager.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
virtual-controller {auto|management-interface}
virtual-controller auto
virtual-controller {management-interface [ip address <IP/M>|vlan <1-4094>]}
```

Parameters

- `virtual-controller auto`

NOTE: The DVC feature is supported only on the AP7522, AP7532, AP7562, AP8432, and AP8533 model access points.

`virtual-controller auto`: Enables an AP as a virtual-controller
- `auto` – Enables AP as a DVC. When enabled, the AP on being elected as the RF Domain manager takes on the role of the virtual controller. In an RF-Domain, DVC can be enabled on multiple access points. However, only the current RF-Domain manager AP has a running instance of the DVC. This option is applicable only if enabling DVC.

Note: MLCP discovery does not function on APs enabled as VC or DVCs. Do an explicit “mint link vlan X” on the AP’s device/profile context, or “control-vlan X” in the AP’s RF-Domain context, to establish MiNT links between the VC and its adopted APs.
- `virtual-controller {management-interface [ip address <IP/M>|vlan <1-4094>]}`

`virtual-controller {management-interface [ip address <IP/M>|vlan <1-4094>]}`: Enables an AP as a virtual-controller. If enabling DVC, use this option to configure management interface details.
- `management-interface` – Configures the management interface for the DVC. Configuring the management interface ensures failover in case the RF Domain manager is unreachable.
  - `ip address <IP/M>` – Specify the management interface IP address. Due to the random nature of DVC, specifying an explicit management interface IP address makes it easier to manage VCs. In case of fail over, this IP address is installed as the secondary IP address on the new VC.
  - `vlan <1-4094>` – Optional. Specifies the VLAN from 1 - 4094 on which the management interface IP address is configured.

Note: For DVC, configuring management-interface ip address is mandatory. However, VLAN configuration is optional. If you configure the ip address without specifying the VLAN, the system configures the specified ip address as secondary ip on VLAN 1.

Example

```
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller auto
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller management-interface ip address 110.110.110.120/24
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller management-interface vlan 100
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#show context | include virtual-controller
virtual-controller auto
virtual-controller management-interface ip address 110.110.110.120/24
virtual-controller management-interface vlan 100
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#
```

The following example shows the management interface VLAN IP address being configured as the secondary IP address.

```
ap8533-9A1529(config-device-74-67-F7-9A-15-29)#show ip interface brief
-------------------------------------------------------------------------------
INTERFACE      IP-ADDRESS/MASK       TYPE        STATUS   PROTOCOL
-------------------------------------------------------------------------------
vlan1          10.1.1.11/24          primary     UP       up
vlan100        110.110.110.110/24    primary     UP       up
vlan100        110.110.110.120/24    secondary   UP       up
-------------------------------------------------------------------------------
```

7.1.81 service

Service commands are used to view and manage configurations. The service commands and their corresponding parameters vary from mode to mode.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
service [captive-portal-server|cluster|critical-resource|fast-switching|enable|global-association-list|lldp|memory|meshpoint|pm|power-config|radius|remote-config|rss-timeout|watchdog|wireless|show]
service captive-portal-server connections-per-ip <3-64>
service cluster master-election immediate
service critical-resource port-mode-source-ip <IP>
service enable [l2tpv3|pppoe|radiusd]
service global-association-list blacklist-interval <1-65535>
service lldp loop-detection
service memory kernel decrease
service meshpoint loop-prevention-port [<L2-INTERFACE-NAME>|ge <1-5>|port-channel <1-2>|up1]
service pm sys-restart
service power-config [3af-out|force-3at]
service radius dynamic-authorization additional-port <1-65535>
service remote-config apply-delay <0-600>
service rss-timeout <0-86400>
service watchdog
service wireless [anqp-frag-always|anqp-frag-size|ap650|client|cred-cache-sync|inter-ap-key|noise-immunity|reconfig-on-tx-stall|test|wispe-controller-port]
service wireless anqp-frag-always
service wireless anqp-frag-size <100-1500>
service wireless ap650 legacy-auto-update-image <FILE>
service wireless client tx-deauth on-radar-detect
service wireless cred-cache-sync [full|interval <30-864000>|never|partial]
service wireless test [max-rate|max-retries|min-rate]
service wireless test [max-rate|min-rate] [1,2,5.5,6,11,12,18,24,36,48,54,mcs0,mcs1,............mcs23]
service wireless inter-ap-key [0 <WORD>|2 <WORD>|<WORD>]
service wireless noise-immunity
service wireless reconfig-on-rx-stall
service wireless test max-retries <0-15>
service wireless wispe-controller-port <1-65535>
```
```
service show cli
```

Parameters

- `service captive-portal-server connections-per-ip <3-64>`
- `service cluster master-election immediate`
- `service critical-resource port-mode-source-ip <IP>`
- `service enable [l2tpv3|pppoe|radiusd]`
- `service global-association-list blacklist-interval <1-65535>`
- `service lldp loop-detection`

`captive-portal-server connections-per-ip <3-64>`: Configures the maximum number of simultaneous captive portal connections allowed per IP address
- `<3-64>` – Specify the maximum number of connections per IP address from 3 - 64. The default is 3.

Note: This command is applicable only to the NX9XXX and NX9600 service platform profiles.

`cluster master-election immediate`: Initiates and completes cluster master election as soon as just one cluster member comes on and is active. This option is disabled by default.

`critical-resource port-mode-source-ip <IP>`: Hard codes a source IP for critical resource management. The default is 0.0.0.0.

Use this option to define the IP address used as the source address in ARP packets used to detect a critical resource on a layer 2 interface. By default, the source address used in ARP packets to detect critical resources is 0.0.0.0. However, some devices do not support the above IP address and drop the ARP packets. Use this field to provide an IP address specifically used for this purpose. The IP address used for port-mode-source-ip monitoring must be different from the IP address configured on the device.

`service enable l2tpv3`: Enables L2TPv3 on this profile

The L2TPV3 enable/disable option is not supported on AP6522, AP6532, AP6562, AP7161, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, and NX95XX model devices. It is supported only on AP6521.

`service enable pppoe`: Enables PPPoE features. When executed on a device, enables PPPoE on the logged device. When executed on a profile, enables PPPoE on all devices using that profile.

`service enable radiusd`: Enables RADIUSD features. When executed on a device, enables RADIUSD on the logged device. When executed on a profile, enables RADIUSD on all devices using that profile.

`service global-association-list`: Configures global association list related parameters

`blacklist-interval <1-65535>`: Configures the period for which a client is blacklisted. A client is considered blacklisted after being denied access by the server.
- `<1-65535>` – Specify a value from 1 - 65535 seconds. The default is 60 seconds.

`lldp loop-detection`: Enables network loop detection via LLDP. This option is disabled by default.
- `service memory kernel decrease`
- `service meshpoint loop-prevention-port [<L2-INTERFACE-NAME>|ge <1-4>|port-channel <1-2>]`
- `service pm sys-restart`
- `service power-config [3af-out|force-3at]`
- `service radius dynamic-authorization additional-port <1-65535>`
- `service remote-config apply-delay <0-600>`
- `service rss-timeout <0-86400>`

`service memory kernel decrease`: Enables reduction in kernel memory usage. When enabled, firewall flows are reduced by 75% resulting in reduced kernel memory usage. A reboot is required for the option to take effect. This option is disabled by default.

`meshpoint loop-prevention-port`: Limits meshpoint loop prevention to a single port

`<L2-INTERFACE-NAME>`: Limits meshpoint loop prevention on a specified Ethernet interface
- `<L2-INTERFACE-NAME>` – Specify the layer 2 Ethernet interface name.

`ge <1-4>`: Limits meshpoint loop prevention on a specified GigabitEthernet interface
- `ge <1-4>` – Specify the GigabitEthernet interface index from 1 - 4.

`port-channel <1-2>`: Limits meshpoint loop prevention on a specified port-channel interface
- `port-channel <1-2>` – Specify the port-channel interface index from 1 - 2.

`pm sys-restart`: Enables the process monitor (PM) to restart the system when a process fails. This option is enabled by default.

`power-config 3af-out`: Enables LLDP power negotiation, but uses 3af power. This option is disabled by default.

`power-config force-3at`: Disables LLDP negotiation and forces 802.3at power configuration. This option is disabled by default.

`radius dynamic-authorization additional-port <1-65535>`: Configures an additional UDP port used by the device to listen for dynamic authorization messages
- `<1-65535>` – Specify a value from 1 - 65535. The default is 3799.

The Cisco Identity Services Engine (ISE) server uses port 1700.

`remote-config apply-delay <0-600>`: Delays configuration of a remote device (after it becomes active) by the specified time period
- `<0-600>` – Specify a value from 0 - 600 seconds. The default is 0 seconds.

`rss-timeout <0-86400>`: Configures the duration, in seconds, for which an adopted access point will continue to provide wireless functions even after losing controller adoption.
- `<0-86400>` – Specify a value from 0 - 86400 seconds. The default is 300 seconds.
![• service watchdog
• service wireless anqp-frag-always
• service wireless anqp-frag-size <100-1500>
• service wireless client tx-deauth on-radar-detection
• service wireless cred-cache-sync [full|interval <30-864000>|never|partial]
• service wireless inter-ap-key [0 <WORD>|2 <WORD>|<WORD>]
• service wireless noise-immunity
• service wireless reconfig-on-rx-stall
watchdog – Enables the watchdog. This feature is enabled by default.
Enabling the watchdog option implements heartbeat messages to ensure other associated devices are up and running and capable of effectively inter-operating with the controller.
wireless anqp-frag-always – Enables fragmentation of all ANQP packets. This option is disabled by default.
wireless anqp-frag-size <100-1500> – Configures the ANQP packet fragment size
• <100-1500> – Specify a value from 100 - 1500. The default is 1200.
wireless client – Configures wireless client and stations related settings
tx-deauth on-radar-detection – Enables access points to transmit deauth to clients when changing channels on radar detection. This option is enabled by default.
wireless cred-cache-sync – Configures the credential cache’s synchronization parameters. The parameters are: full, interval, never, and partial.
full – Enables synchronization of all credential cache entries
interval <30-864000> – Sets the interval, in seconds, at which the credential cache is synchronized
• <30-864000> – Specify a value from 30 - 864000 seconds. The default is 1200 seconds.
never – Disables credential cache entry synchronization for all associated clients other than roaming clients. This is the default setting.
partial – Enables partial synchronization of parameters for associated clients, with credential cache close to aging out
wireless inter-ap-key – Configures the encryption key used for securing inter-ap messages. This option is disabled by default.
[0 <WORD>|2 <WORD>|<WORD>] – Specify a clear text or encrypted key.
wireless noise-immunity – Polls for status and reconfigures radio in case of receive stall. This option is enabled by default.
wireless reconfig-on-rx-stall – Enables noise immunity on the radio](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-236.png)
![• service wireless test [max-rate|min-rate] [1,2,5.5,6,11,12,18,24,36,48,54,mcs0,mcs1,............mcs23]
• service wireless test max-retries <0-15>
• service wireless wispe-controller-port <1-65535>
• service show cli
wireless test – Configures the serviceability parameters used for testing
[max-rate|min-rate] – Configures the maximum and minimum data rates for clients using rate-scaling. The ‘max-rate’ and ‘min-rate’ options are disabled by default.
[1,2,5.5,....mcs23] – Select the maximum and minimum data rates applicable.
wireless test – Configures the serviceability parameters used for testing
max-retries <0-15> – Configures the maximum number of retries per packet from 0 - 15. The default is 0.
wispe-controller-port <1-65535> – Resets the Wireless Switch Protocol Enhanced (WISPe) controller port. This is the UDP port used to listen for WISPe.
• <1-65535> – Specify a value from 1 - 65535. The default is 24756.
show cli – Displays running system configuration details
• cli – Displays the CLI tree of the current mode
Example
rfs6000-37FABE(config-profile-testrfs6000)#service radius dynamic-authorization additional-port 1700
rfs6000-37FABE(config-profile-testrfs6000)#show context
profile rfs6000 testrfs6000
 service radius dynamic-authorization additional-port 1700
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
--More--
rfs6000-37FABE(config-profile-testrfs6000)#
Related Commands
no – Removes or resets service command parameters](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-237.png)










![7.2.3 channel-list
Device Config Commands
Configures the channel list advertised to wireless clients
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
channel-list [2.4GHz|5GHz|dynamic]
channel-list [2.4GHz <CHANNEL-LIST>|5GHz <CHANNEL-LIST>|dynamic]
Parameters
• channel-list [2.4GHz <CHANNEL-LIST>|5GHz <CHANNEL-LIST>|dynamic]
channel-list – Configures the channel list advertised to wireless clients
2.4GHz <CHANNEL-LIST> – Configures the channel list advertised by radios operating in 2.4 GHz
• <CHANNEL-LIST> – Specify a list of channels separated by commas or hyphens.
5GHz <CHANNEL-LIST> – Configures the channel list advertised by radios operating in 5.0 GHz
• <CHANNEL-LIST> – Specify a list of channels separated by commas or hyphens.
dynamic – Enables dynamic (neighboring access point based) update of configured channel list
Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
Related Commands
no – Resets the channel list configuration](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-248.png)












![7.2.14 no
Device Config Commands
Negates a command or resets values to their default
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [adopter-auto-provisioning-policy-lookup|adoption-site|alias|application-policy|area|arp|auto-learn-staging-config|autoinstall|bridge|captive-portal|cdp|channel-list|cluster|configuration-persistence|contact|controller|country-code|critical-resource|crypto|database-backup|device-upgrade|dot1x|dpi|dscp-mapping|email-notification|environmental-sensor|events|export|file-sync|floor|geo-coordinates|gre|hostname|http-analyze|interface|ip|ipv6|l2tpv3|l3-lite-table|lacp|layout-coordinates|led|led-timeout|legacy-auto-downgrade|legacy-auto-update|license|lldp|load-balancing|location|logging|mac-address-table|mac-auth|mac-name|management-server|memory-profile|meshpoint-device|meshpoint-monitor-interval|min-misconfiguration-recovery-time|mint|mirror|misconfiguration-recovery-time|mpact-server|noc|nsight|ntp|offline-duration|override-wlan|power-config|preferred-controller-group|preferred-tunnel-controller|radius|raid|rf-domain-manager|router|rsa-key|sensor-server|slot|spanning-tree|timezone|traffic-class-mapping|traffic-shape|trustpoint|tunnel-controller|use|vrrp|vrrp-state-check|wep-shared-key-auth|service]
Parameters
• no <PARAMETERS>
no <PARAMETERS> – Removes or resets the logged device’s settings based on the parameters passed
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.
Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#no area
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#no contact](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-261.png)
![7.2.15 nsight
Device Config Commands
Configures NSight database related parameters. Use this command to configure the data-update periodicity, number of applications posted to the NSight server for a wireless client, and the duration for which data is stored in the NSight database’s buckets. These parameters impact the amount of data stored in the NSight DB and interval at which data is aggregated and expired within the NSight DB. For more information on data aggregation and expiration, see (Data Aggregation and Expiration).
Configure these parameters in the NSight server’s device configuration mode.
Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000
Syntax
nsight database [statistics|summary]
nsight database statistics [avc-update-interval|max-apps-per-client|update-interval|wireless-clients-update-interval]
nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]
nsight database statistics max-apps-per-client <1-1000>
nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>
Parameters
• nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]
nsight database statistics – Configures NSight database statistics related parameters
avc-update-interval – Configures the interval, in seconds, at which Application Visibility and Control (AVC) statistics are updated to the NSight database. This interval represents the rate at which AVC-related data is inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see (Data Aggregation and Expiration).
When configured, RF Domain managers posting AVC-related data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the ‘next update time’ based on the avc-update-interval configured here.
update-interval – Configures the interval, in seconds, at which data is updated to the NSight server. This interval represents the rate at which data (excluding AVC and wireless-clients related statistics) is inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see (Data Aggregation and Expiration).
When configured, RF Domain managers posting data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the ‘next update time’ based on the update-interval configured here.
Note: Use the ‘avc-update-interval’ and ‘wireless-clients-update-interval’ keywords to configure update interval for AVC-related and wireless-clients related information respectively.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-262.png)
![wireless-clients-update-interval – Configures the interval, in seconds, at which wireless-client statistics are updated to the NSight server. This interval represents the rate at which wireless-clients related statistics are inserted in the NSight database’s first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see (Data Aggregation and Expiration).
When configured, RF Domain managers posting wireless-client related data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the ‘next update time’ based on the wireless-clients-update-interval configured here.
[120|30|300|60|600] – The following keywords are common to all of the above parameters:
• 120 – Sets the data-update periodicity as 120 seconds (2 minutes)
• 30 – Sets the data-update periodicity as 30 seconds
• 300 – Sets the data-update periodicity as 300 seconds (5 minutes). This is the default setting for the ‘avc-update-interval’ and ‘wireless-clients-update-interval’ parameters.
• 60 – Sets the data-update periodicity as 60 seconds (1 minute). This is the default setting for the ‘update-interval’ parameter.
• 600 – Sets the data-update periodicity as 600 seconds (10 minutes)
• nsight database statistics max-apps-per-client <1-1000>
nsight database statistics – Configures NSight database statistics related parameters
max-apps-per-client – Configures the maximum number of applications per wireless-client to be posted to the NSight server within the configured data-update interval. This information is included in the AVC statistics posted by RF Domain managers to the NSight server.
<1-1000> – Specify the number of applications posted from 1 - 1000. The default is 10 applications per wireless client.
• nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>
nsight database summary – Configures the NSight database’s per-bucket data storage duration
duration <1-24> <1-168> <1-2160> <24-26280> – Configures the duration for which data is stored on a per-bucket basis
• <1-24> – Specify the bucket 1 duration from 1 - 24 hours (i.e. 1 hour to 1 day). The default is 8 hours.
• <1-168> – Specify the bucket 2 duration from 1 - 168 hours (i.e. 1 hour to 7 days). The default is 24 hours.
• <1-2160> – Specify the bucket 3 duration from 1 - 2160 hours (i.e. 1 hour to 90 days). The default is 7 days (168 hours).
• <24-26280> – Specify the bucket 4 duration from 24 - 26280 hours (i.e. 1 day to 3 years). The default is 365 days (1 year).
Note: A bucket is a database collection that holds statistical data for each RF Domain within the network. (Note, only those RF Domains that are using an NSight policy with the NSight server host configured will post data to the NSight server. For more information, see use in the RF Domain configuration mode.) NSight database has four (4) buckets. The data from each bucket is aggregated and pushed to the next bucket once the data storage duration specified for the bucket has been exceeded. For more information on data aggregation, see (Data Aggregation and Expiration).](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-263.png)


![7.2.16 override-wlan
Device Config Commands
Configures WLAN’s RF Domain level overrides
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
override-wlan <WLAN> [shutdown|ssid|vlan-pool|wep128|wpa-wpa2-psk]
override-wlan <WLAN> [shutdown|ssid <SSID>|vlan-pool <1-4094> {limit <0-8192>}|wpa-wpa2-psk <WORD>]
override-wlan <WLAN> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]
Parameters
• override-wlan <WLAN> [shutdown|ssid <SSID>|vlan-pool <1-4094> {limit <0-8192>}|wpa-wpa2-psk <WORD>]
<WLAN> – Specify the WLAN name.
Configure the following WLAN parameters: SSID, VLAN pool, and WPA-WPA2 key.
shutdown – Shuts down the WLAN’s (identified by the <WLAN> keyword) operations on all mapped radios
ssid <SSID> – Configures the WLAN’s Service Set Identifier (SSID)
• <SSID> – Specify an SSID ID.
vlan-pool <1-4094> {limit <0-8192>} – Configures a pool of VLANs for the selected WLAN
• <1-4094> – Specifies a VLAN pool ID from 1 - 4094.
• limit – Optional. Limits the number of users on this VLAN pool
• <0-8192> – Specify the user limit from 0 - 8192.
Note: The VLAN pool configuration overrides the VLAN configuration.
wpa-wpa2-psk <WORD> – Configures the WLAN WPA-WPA2 key or passphrase for the selected WLAN
• <WORD> – Specify a WPA-WPA2 key or passphrase.
• override-wlan <WLAN> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]
<WLAN> – Specify the WLAN name.
wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>] – Configures the WEP128 key for this WLAN, and also enables key transmission
Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP 128 uses a 104 bit key, which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. This results in a level of security and privacy comparable to that of a wired LAN.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-266.png)
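
The `service` parameters (`radius dynamic-authorization additional-port`, `wireless inter-ap-key`) and the `override-wlan ... wep128` override described above all leave recognizable lines in a saved `show context` dump, so they can be reviewed offline. The Python audit below is an added example, not part of the Extreme Networks guide: the rule names and the sample dump are constructed, and it assumes that a leading 0 marks a clear-text key, a leading 2 an encrypted one, and that the dump prints keys with that marker.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int  # 1-based line number in the dump
    rule: str     # rule identifier (names invented for this example)
    line: str     # matching config line with key material redacted
    why: str      # reason the line deserves review


# Constructed sample, shaped like the 'show context' output shown in this guide.
SAMPLE_DUMP = """\
profile rfs6000 testrfs6000
 service radius dynamic-authorization additional-port 1700
 service wireless inter-ap-key 0 ExampleKey123
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 override-wlan test wep128 key 1 hex 0 00112233445566778899AABBCC
 override-wlan test vlan-pool 8
 sensor-server 1 ip 172.16.10.7
"""

# A key follows 'inter-ap-key' or 'hex', optionally preceded by a type marker.
# Assumption: marker 0 = clear text, marker 2 = encrypted, no marker = as typed.
_KEY = re.compile(r"\b(inter-ap-key|hex)\s+(?:([02])\s+)?(\S+)")

# (rule id, pattern applied to the stripped line, explanation)
RULES = [
    ("WEP128-OVERRIDE",
     re.compile(r"^override-wlan\s+\S+\s+wep128\b"),
     "WLAN override selects WEP128 (RC4 keyed with a 24-bit IV); "
     "WEP is deprecated in IEEE 802.11"),
    ("CLEARTEXT-KEY",
     # Anything after the keyword that is not the '2 <WORD>' encrypted form.
     re.compile(r"\b(?:inter-ap-key|hex)\s+(?!2\s)\S+"),
     "key is not stored in the type 2 (encrypted) form"),
    ("COA-EXTRA-PORT",
     re.compile(r"^service\s+radius\s+dynamic-authorization\s+additional-port\s+\d+$"),
     "additional UDP listener for RADIUS dynamic authorization; "
     "confirm only the RADIUS server can reach it"),
    ("IKE-DH-GROUP2",
     re.compile(r"^isakmp-proposal\s+\S+\s.*\bgroup\s+2\b"),
     "IKE proposal uses Diffie-Hellman group 2 (1024-bit MODP)"),
]


def redact(line: str) -> str:
    """Replace key material so an audit report never echoes a secret."""
    def _sub(match: "re.Match[str]") -> str:
        marker = f" {match.group(2)}" if match.group(2) else ""
        return f"{match.group(1)}{marker} <redacted>"
    return _KEY.sub(_sub, line)


def audit(dump: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, in file order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(dump.splitlines(), start=1):
        line = raw.strip()  # nesting depth is irrelevant to these rules
        if not line:
            continue
        for rule, pattern, why in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, redact(line), why))
    return findings


def lines_by_rule(findings: List[Finding]) -> Dict[str, List[int]]:
    """Group finding line numbers by rule for a summary view."""
    grouped: Dict[str, List[int]] = {}
    for finding in findings:
        grouped.setdefault(finding.rule, []).append(finding.line_no)
    return grouped


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f"line {f.line_no:>2}  {f.rule:<16} {f.line}")
        print(f"         {f.why}")
```

A WEP128 line that carries a type 0 key is reported under both rules, because replacing the key form alone does not change the cipher.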




![7.2.19 sensor-server
Device Config Commands
Configures an AirDefense sensor server resource for client terminations and WIPS event logging. This is the server that supports WIPS events on behalf of the controller or service platform.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}
Parameters
• sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}
sensor-server <1-3> – Sets a numerical index to differentiate this AirDefense sensor server from other servers. A maximum of 3 (three) sensor server resources can be defined.
ip <IP/HOSTNAME> – Configures the AirDefense sensor server’s IP address or hostname
• <IP/HOSTNAME> – Specify the IP address.
port [443|<1-65535>] – Optional. Configures the port. The options are:
• 443 – The default port used by the AirDefense server. This is the default setting.
• <1-65535> – Manually sets the port number of the AirDefense server from 1 - 65535
Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#sensor-server 1 ip 172.16.10.7
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicenseley@1234 aplicensekey@123
 rsa-key ssh rsa-key1
 location SanJose
 no contact
 country-code us
 sensor-server 1 ip 172.16.10.7
 channel-list 2.4GHz 1,2
 override-wlan test vlan-pool 8
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
Related Commands
no – Removes configured sensor server settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-271.png)

![7.2.21 trustpoint (device-config-mode)
Device Config Commands
Assigns trustpoints to validate various services, such as HTTPS, RADIUS CA, RADIUS server, external LDAP server, etc.
For more information on digital certificates and certificate authorities, see trustpoint (profile-config-mode).
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
trustpoint [cloud-client|cmp-auth-operator|https|radius-ca|radius-ca-ldaps|radius-server|radius-server-ldaps] <TRUSTPOINT-NAME>
Parameters
• trustpoint [cloud-client|cmp-auth-operator|https|radius-ca|radius-ca-ldaps|radius-server|radius-server-ldaps] <TRUSTPOINT-NAME>
NOTE: Certificates/trustpoints used in this command should be verifiable as existing on the device.
trustpoint – Assigns trustpoints to validate various services. The assigned trustpoint is used as the CA for validating the services.
cloud-client – Assigns trustpoint to validate cloud client. The trustpoint should be existing and installed on the device.
Use this option on cloud-enabled and cloud-adopted access points to secure the communication between the cloud AP and cloud client. The trustpoint should be existing and installed on the AP. The cloud-enabled access points are AP7502, AP7522, AP7532, and AP7562. For local-controller adopted APs, this configuration is not required.
cmp-auth-operator – Assigns an existing trustpoint to validate CMP auth operator. Once validated, CMP is used to obtain and manage digital certificates in a PKI network. Digital certificates link identity information with a public key enclosed within the certificate, and are issued by the CA.
Use this command to specify the CMP-assigned trustpoint. When specified, devices send a certificate request to the CMP supported CA server, and download the certificate directly from the CA server. CMP supports multiple request options for devices communicating with a CMP supported CA server. The device can initiate a request for getting the certificates from the server. It can also auto update the certificates which are about to expire.
Note: When configured, this cmp-auth-operator trustpoint setting overrides the profile-level configuration.
https – Assigns an existing trustpoint to validate HTTPS
radius-ca – Assigns an existing trustpoint to validate client certificates in EAP](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-273.png)



![7.3.1 cpe
T5 Profile Config Commands
Configures T5 CPE related settings. This command is available both in the T5 profile and T5 device contexts.
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510
Syntax (T5 Profile & T5 Device Context)
cpe [address|led]
cpe address vlan <1-4094> <START-IP> <END-IP>
cpe led cpe <cpe1-24>
The following commands are specific to the T5 device context:
cpe [boot|reload|upgrade]
cpe boot system <cpe1-24> <primary|secondary>
cpe reload <cpe1-24>
cpe <cpe1-24> upgrade <IMAGE-LOCATION>
Parameters
• cpe address vlan <1-4094> <START-IP> <END-IP>
cpe address – Configures the range of addresses that can be assigned to adopted CPEs
vlan <1-4094> – Configures the VLAN assigned to the CPEs managed by this T5 controller
<START-IP> <END-IP> – Configures the range of IP addresses that can be assigned to the CPEs managed by this T5 controller
• <START-IP> – Specify the first IP address in the range.
• <END-IP> – Specify the last IP address in the range.
• cpe led cpe <cpe1-24>
cpe led – Enables flashing of LEDs on specified CPEs
cpe <cpe1-24> – Identifies the CPE(s) on which the operation is performed
• <cpe1-24> – Configures the CPE’s ID from cpe1 - cpe24. To enable led flashing on all adopted CPEs, enter cpe1-X, where X is the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4, & 5 are adopted and ready, then enter this value as cpe1-5.
• cpe boot system <cpe1-24> <primary|secondary>
cpe boot system – Changes the image used by a CPE to boot. When reloading, the CPE uses the specified image.
<cpe1-24> – Identifies the CPE(s) on which the operation is performed
• <cpe1-24> – Configures the CPE’s ID from cpe1 - cpe24. To enable led flashing on all adopted CPEs, enter cpe1-X, where X is the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4, & 5 are adopted and ready, then enter this value as cpe1-5.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-277.png)

![7.3.2 interface
T5 Profile Config Commands
Configures the T5 controller’s interfaces
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510
Syntax
interface [<WORD>|dsl|fe|ge|radio|vlan]
interface [<WORD>|dsl <1-24>|fe <1-24> <1-2>|ge <1-2>|radio <1-24> <1-2>|vlan <1-4094>]
Parameters
• interface [<WORD>|dsl <1-24>|fe <1-24> <1-2>|ge <1-2>|radio <1-24> <1-2>|vlan <1-4094>]
<WORD> – Configures the interface identified by the <WORD> keyword
dsl <1-24> – Configures the specified DSL interface. A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use DSL as their high speed Internet access mechanism using the CPE’s physical wallplate connection and phone jack.
• <1-24> – Specify the DSL port index from 1 - 24.
fe <1-24> <1-2> – Configures the specified FastEthernet interface. The T5 controller has the following FastEthernet port designations: fe1-fe2 (fe1-fe2 are for up to 24 CPE devices managed by a T5 controller).
• <1-24> – Specify the DSL port index from 1 - 24.
• <1-2> – Specify the FastEthernet interface to configure.
In the FastEthernet interface configuration mode, specify the interface settings.
ge <1-2> – Configures the specified GigabitEthernet interface.
T5 controllers have two Ethernet port designations. These are ge1 and ge2. The GE ports can be RJ-45 or fiber ports supporting 10/100/1000Mbps.
• <1-2> – Specify the interface index from 1 - 2.
In the GigabitEthernet interface configuration mode, specify the interface settings.
radio <1-24> <1-2> – Configures the specified radio interface. T5 controller managed CPE device radios can have their radio configurations overridden once their radios have successfully associated and have been provisioned by the adopting controller, service platform, or peer model AP controller access point.
• <1-24> – Specify the radio interface index from 1 - 24.
• <1-2> – Allows the second radio to be specified as a radio interface. For example, this is “interface radio X Y” where ‘X’ is the DSL line number and ‘Y’ is the radio interface (number).](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-279.png)


![7.3.4 no
T5 Profile Config Commands
Removes or reverts this T5 controller profile settings
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510
Syntax
no [cpe|interface|ntp|override-wlan|t5-logging|use]
no cpe led cpe <1-24>
no interface vlan <2-4094>
no ntp server <IP>
no override-wlan <WLAN-NAME> vlan
no t5-logging host <IP>
no use management-policy
Parameters
• no <PARAMETERS>
no <PARAMETERS> – Removes or reverts to default the selected T5 profile’s or device’s settings
Example
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
 ip default-gateway 192.168.13.7
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
....................................................
 use firewall-policy default
 ntp server 192.168.13.2
 service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#
nx9500-6C8809(config-profile-t5Profile)#no ntp server 192.168.13.2
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
 ip default-gateway 192.168.13.7
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
....................................................
 use firewall-policy default
 service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-282.png)



![7.3.8 t5-logging
T5 Profile Config Commands
Configures a maximum of 5 (five) remote hosts capable of receiving syslog messages from this selected T5 controller
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510
Syntax
t5-logging host <IP> severity [error|info|notice|trace|warning] facility [local0|local1|local2|local3|local4|local5|local6|local7]
Parameters
• t5-logging host <IP> severity [error|info|notice|trace|warning] facility [local0|local1|local2|local3|local4|local5|local6|local7]
t5-logging host <IP> – Configures syslog message logging settings
• host <IP> – Configures the external syslog remote host resource’s IP address. This is the host dedicated to receive T5 syslog messages.
severity [error|info|notice|trace|warning] – Configures the syslog message filtering severity level. The options are:
• error – Only forwards error and above syslog event messages.
• info – Only forwards informational and above syslog event messages.
• notice – Only forwards syslog notices relating to general device operational events. These are events that are of more interest than the “info” events.
• trace – Only forwards trace routing event messages
• warning – Only forwards warnings and above syslog event messages
facility [local0|local1|local2|local3|local4|local5|local6|local7] – Configures the facility level for log messages sent to the syslog server. The facility level specifies the type of program logging the message. Specifying the facility level allows the configuration file to specify that message handling will vary with varying facility type. The options are: local0, local1, local2, local3, local4, local5, local6, local7. The default value is local7.
Example
nx9500-6C8809(config-profile-T5TestProfile)#t5-logging host 192.168.13.10 severity warning facility local6
nx9500-6C8809(config-profile-T5TestProfile)#show context
profile t5 T5TestProfile
 t5-logging host 192.168.13.10 severity warning facility local6
 no autoinstall configuration
.............................................................................
 no autoinstall firmware
 t5 country-code US
 cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#
Related Commands
no – Modifies message logging severity level and facilities](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-286.png)



![7.4.1.1 interface
Selects the EX35XX interface type and enters the selected interface’s configuration mode
Supported in the following platforms:
• Switches — EX3524, EX3548
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
interface [ge 1 <1-48>|vlan <1-4094>]
Parameters
• interface [ge 1 <1-48>|vlan <1-4094>]
interface – Selects the EX35XX interface type and enters its configuration mode. The interface options available are: GE and VLAN
ge 1 <1-48> – Selects a GE interface to configure
• 1 – Configures the GE interface unit identifier as 1
• <1-48> – Configures the physical port number from 1 - 24/48
Note: For the EX3524 model switch the GE port range is 1-24, and for the EX3548 it is 1-48.
vlan <1-4094> – Selects a VLAN interface to configure
• <1-4094> – Specify the VLAN interface ID from 1 - 4094.
Example
nx4500-5CFA8E(config-profile-testEX35XX)#interface vlan 1
nx4500-5CFA8E(config-profile-testEX35XX-if-vlan1)#?
 commands:
  ip  Internet Protocol (IP)
  no  Negate a command or set its defaults
  clrscr  Clears the display screen
  commit  Commit all changes made in this session
  do  Run commands from Exec mode
  end  End current mode and change to EXEC mode
  exit  End current mode and down to previous mode
  help  Description of the interactive help system
  revert  Revert changes
  service  Service Commands
  show  Show running system information
  write  Write running configuration to memory or terminal
nx4500-5CFA8E(config-profile-testEX35XX-if-vlan1)#
nx4500-5CFA8E(config-profile-testEX35XX)#interface ge 1 1
nx4500-5CFA8E(config-profile-testEX35XX-if-ge1-1)#?
 commands:
  access-group  Access group to bind a port to an ACL name
  no  Negate a command or set its defaults
  port  Configures the characteristics of the port
  power  EX3500 Power over Ethernet Command
  shutdown  Shutdown the selected interface
  speed-duplex  Configures speed and duplex operation
  switchport  Configures switch mode characteristics
  use  Set setting to use](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-290.png)


![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5117.4.1.2.1 access-groupinterface-ge-config commandsBinds an EX3500 ACL to the selected portWhen applied to the port, the ACL takes effect. Only one ACL can be bound to a port at a time. In case you bind a new ACL to a port with an existing ACL binding, the old binding is replaced with the new one.Supported in the following platforms:• Switches — EX3524, EX3548• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600Syntaxaccess-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in {time-range <TIME-RANGE-NAME>}Parameters• access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in {time-range <TIME-RANGE-NAME>}Examplenx9500-6C8809(config-profile-testEX3524-if-ge1-20)#access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context interface ge 1 20 access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#Related Commandsaccess-group Binds a EX3500 ACL with this GE port. Select ACL type and specify the ACL name. The ACL should be existing and configured.ex3500-ext-access-list <ACL-NAME>Binds an existing and configured EX3500 extended ACL• <ACL-NAME> – Specify the ACL name.ex3500-std-access-list <ACL-NAME>Binds an existing and configured EX3500 standard ACL• <ACL-NAME> – Specify the ACL name.mac-access-list <ACL-NAME>Binds an existing and configured EX3500 MAC ACL• <ACL-NAME> – Specify the MAC ACL name.in Applies the specified ACL to all incoming packetstime-range <TIME-RANGE-NAME>Optional. Associates a EX3500 absolute or periodic time range with this access group. 
The specified ACL is bound to the port during the time period specified by the associated time range.• <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured).no Removes the GE port EX3500 ACL binding](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-293.png)
![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5127.4.1.2.2 port interface-ge-config commandsEnables port monitoring on the selected port. This allows the port to monitor specified ports and/or MAC address(es). When enabled, the switch sends a copy of the network packets seen on the specified switch port (or VLAN interface) to the monitoring switch port. These packets are analyzed and debugged to provide vital information, such as network performance, intrusion alerts, etc.Supported in the following platforms:• Switches — EX3524, EX3548• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600Syntaxport monitor [ethernet|ex3500-ext-access-list|ex3500-std-access-list|mac-access-list|mac-address|vlan]port monitor ethernet 1 <1-52> {both|rx|tx}port monitor [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME>port monitor mac-address <MAC>port monitor vlan <1-4094>Parameters• port monitor ethernet 1 <1-52> {both|rx|tx}• port monitor [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list]<ACL-NAME>• port monitor mac-address <MAC>port monitor ethernet 1 <1-52>Configures the characteristics of this GE port• monitor – Enables monitoring of another port• ethernet 1 – Selects Ethernet interface and configures the port identifier as 1• <1-52> – Configures the Ethernet unit number from 1 - 52{both|rx|tx} After specifying the port, optionally configure the following:• both – Optional. Monitors both incoming and outgoing traffic• rx – Optional. Monitors only incoming traffic• tx – Optional. 
Monitors only outgoing trafficport monitor Configures the characteristics of this GE port• monitor – Enables monitoring of another port[ex3500-ext-access-list|ex3500-std-access-list|mac-access-list]<ACL-NAME>After specifying the port, apply one of the following ACLs:• ex3500-ext-access-list – Applies a EX3500 extended ACL• ex3500-std-access-list – Applies a EX3500 standard ACL• mac-access-list – Applies a MAC ACL with EX3500 deny or permit rules• <ACL-NAME> – Specify the ACL name (should be existing and configured).port monitor Configures the characteristics of this GE port• monitor – Enables monitoring of another port](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-294.png)

![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5147.4.1.2.3 power interface-ge-config commandsEnables power allocation to the selected port. When enabled, the power is allocated to this port. Use the command to configure the power allocation settings, such as maximum power allocated, priority level of this port in connection with power allocation, and the time range within which these power settings are applied.This option is enabled by default.Supported in the following platforms:• Switches — EX3524, EX3548• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600Syntaxpower inline {maximum|priority|time-range}power inline {maximum allocation milliwatts <3000-34200>}power inline {priority [critical|high|low]}power inline {time-range <TIME-RANGE-NAME>}Parameters• power inline {maximum allocation milliwatts <3000-34200>}• power inline {priority [critical|high|low]}• power inline {time-range <TIME-RANGE-NAME>}power inline Turns power on or off for the selected port. This option is enabled by default.maximum allocation milliwatts <3000-34200>Optional. Configures the maximum power allocation, in milliwatts, for this port• <3000-34200> – Specify a value from 3000 - 34200 milliwatts. The default is 34200 milliwatts.power inline Turns power on or off for the selected port. This option is enabled by default.priority [critical|high|low]Optional. Configures the PoE power priority as:• critical – Configures the PoE power priority as critical• high – Configures the PoE power priority as high• low - Configures the PoE power priority as low (this is the default setting)power inline Turns power on or off for the selected port. This option is enabled by default.time-range <TIME-RANGE-NAME>Optional. 
Binds a EX3500 time range to this port• <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured).](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-296.png)


![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5177.4.1.2.5 speed-duplexinterface-ge-config commandsConfigures the speed and duplex mode of the selected port when auto-negotiation is disabled. Auto-negotiation is enabled by default.This option is disabled by default.Supported in the following platforms:• Switches — EX3524, EX3548• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600Syntaxspeed-duplex [100full|100half|10full|10half]Parameters• speed-duplex [100full|100half|10full|10half]Examplenx9500-6C8809(config-profile-testEX3524-if-ge1-20)#speed-duplex 100halfnx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context interface ge 1 20 shutdown speed-duplex 100half power inline maximum allocation milliwatts 30000 power inline priority critical power inline time-range EX3500_TimeRange_01 access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01 port monitor vlan 20nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#Related Commandsspeed-duplex [100full|100half|10full|10half]Configures the speed and duplex mode of the selected port to one of the following modes:• 100full – Forces 100 Mbps full-duplex operation• 100half – Forces 100 Mbps half-duplex operation• 10full – Force 10 Mbps full-duplex operation• 10half – Force 10 Mbps half-duplex operationWhen configured, forces the switch to operate at the specified speed and mode.no Removes the speed and duplex settings configured for this EX35XX profile](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-299.png)
![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5187.4.1.2.6 switchport interface-ge-config commandsConfigures the switch mode characteristics of the selected portSupported in the following platforms:• Switches — EX3524, EX3548• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600Syntaxswitchport [allowed|l2protocol-tunnel|mode|native]switchport allowed [add <VLAN-ID>|none|remove <VLAN-ID>]switchport l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]switchport mode [access|hybrid|trunk]switchport native Parameters• switchport allowed [add <VLAN-ID>|none|remove <VLAN-ID>]• switchport l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]• switchport mode [access|hybrid|trunk]switchport allowed [add <VLAN-ID>|none|remove <VLAN-ID>]Configures VLAN groups on the selected interface.• add <VLAN-ID> – Configures the list of VLAN identifiers to add. When the add option is used, the interface is assigned to the specified VLANs, and membership in all previous VLANs is retained.• <VLAN-ID> – Specify the list of VLANs to add.• none – Removes all VLANs from the current list• remove <VLAN-ID> – Configures the list of VLAN identifiers to remove. When the remove option is used, the specified VLANs are removed from the current list.• <VLAN-ID> – Specify the list of VLANs to remove.switchport l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]Enables layer 2 protocol tunneling (L2PT) for the specified protocol. Specify the protocol:• cdp – Cisco Discovery Protocol• lldp – Link Layer Discovery Protocol• pvst+ – Cisco Per VLAN Spanning Tree Plus• spanning-tree – Spanning Tree (STP, RSTP, MSTP)• vtp – Cisco VLAN Trunking ProtocolL2PT is disabled for all of the above specified protocols by default.switchport mode [access|hybrid|trunk]Configures the VLAN membership mode for this port• access – The port is configured as an access VLAN interface. 
It transmits and receives untagged frames on a single VLAN. Contd..](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-300.png)


![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5217.4.1.2.8 no interface-ge-config commandsRemoves or reverts the selected port’s settingsSupported in the following platforms:• Switches — EX3524, EX3548Syntaxno [access-group|port|power|shutdown|speed-duplex|switchport|use]no access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> inno port monitor [ethernet|ex3500-ext-access-list|ex3500-std-access-list|mac-access-list|mac-address|vlan]no port monitor ethernet 1 <1-52>no port monitor [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME>no port monitor mac-address <MAC>no port monitor vlan <1-4094>no power inline {maximum allocation|priority|time-range}no shutdownno speed-duplexno switchport [l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]|native vlan]no use ex3500-policy-map inParameters• no <PARAMETERS>ExampleThe following example shows the EX3524 profile’s GE port 20’s settings before the ‘no’ commands are executed:nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context interface ge 1 20 shutdown speed-duplex 100half switchport mode access use ex3500-policy-map in test power inline maximum allocation milliwatts 30000 power inline priority critical power inline time-range EX3500_TimeRange_01 access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01 port monitor vlan 20nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no shutdownnx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no power inline maximum allocationnx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no use ex3500-policy-map inno <PARAMETERS> Removes or reverts the selected port’s settings based on the parameters passed](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-303.png)


![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5247.4.1.3.1 ipinterface-vlan-config commandsConfigures IP related settings for this VLAN interfaceSupported in the following platforms:• Switches — EX3524, EX3548• Wireless Controllers – RFS4000, RFS6000• Service Platforms – NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600Syntaxip address [<IP/M>|bootp|dhcp]ip address <IP/M> {default-gateway <IP>|secondary <IP>}ip address [bootp|dhcp]Parameters• ip address <IP/M> {default-gateway <IP>|secondary <IP>}• ip address [bootp|dhcp]ip address <IP/M> {default-gateway <IP>|secondary <IP>}Manually configures the selected VLAN interface’s primary and secondary IPv4 addresses. It also optionally allows configuring the default gateway.• <IP/M> – Manually configures this VLAN interface’s IP address in the A.B.C.D/M format. Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets. The network mask can be either in the traditional format xxx.xxx.xxx.xxx or use classless format with the range /5 to /32. For example the subnet 255.255.224.0 would be /19.• default-gateway <IP> – Optional. Configures the default gateway’s IP address. This is the gateway through which this switch can reach other subnets not found in the local routing table. Before specifying the default gateway, ensure that the network interface directly connecting to the gateway is configured on the route. By default no gateway is specified.• <IP> – Specify the IP address in the A.B.C.D address.• secondary <IP> – Optional. 
Configures this VLAN interface’s secondary IP address• <IP> – Specify the secondary IP address in the A.B.C.D addressip address [bootp|dhcp]Enables a DHCP or Bootp server to provide the primary IPv4 address for the selected VLAN interface• bootp – Enables the VLAN interface to get its IP address from a Bootp server• dhcp – Enables the VLAN interface to get its IP address from a DHCP serverIf selecting DHCP/Bootp, ensure that a server on the network has been configured to provide the necessary configuration to the switch. Using DHCP or Bootp results in frequent connectivity loss between the browser interface and the switch. Further, DHCP and Bootp cannot configure secondary IP addresses needed for multinetting.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-306.png)

![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5267.4.1.3.2 nointerface-vlan-config commandsRemoves the IP related settings configured for this VLAN interfaceSupported in the following platforms:• Switches — EX3524, EX3548• Wireless Controllers – RFS4000, RFS6000• Service Platforms – NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600Syntaxno ip address [<IP/M>|bootp|dhcp]Parameters• no <PARAMETERS>ExampleThe following example shows the interface VLAN 20 setting before the ‘no’ command is executed:nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context interface vlan 20 ip address 192.168.13.28/24 default-gateway 192.168.13.13nx9500-6C8809(config-profile-testEX3524-if-vlan20)#nx9500-6C8809(config-profile-testEX3524-if-vlan20)#no ip address 192.168.13.28/24The following example shows the interface VLAN 20 setting after the ‘no’ command is executed:nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context interface vlan 20nx9500-6C8809(config-profile-testEX3524-if-vlan20)#no <PARAMETERS> Removes this EX3500’s selected VLAN’s settings based on the parameters passed](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-308.png)


![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5297.4.4 upgradeEX3524 & EX3548 Profile/Device Config CommandsConfigures adopted EX35XX switch upgrade settingsFor a EX35XX switch to adopt to and be managed by a WiNG controller, you need to upload two images on the switch. An operation code (opcode) image and an adopted image. The opcode image functions as an operating system that enables the WiNG controller to communicate with the EX35XX switch. This command allows you to configure the EX35XX’s opcode image upgrade settings.Supported in the following platforms:• Switches — EX3524, EX3548• Wireless Controllers — RFS4000, RFS6000, RFS7000• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600Syntaxupgrade opcode [auto|path <LINE>|reload]Parameters• upgrade opcode [auto|path <LINE>|reload]Example<EX35XX-DEVICE>#show versionsUnit 1Serial Number : 14136520900352Hardware Version : R01EPLD Version : 0.00Number of Ports : 28Main Power Status : UpRole : MasterLoader Version : 5.0.0.1-01ALinux Kernel Version : 2.6.22.18Boot ROM Version : 0.0.0.1Operation Code Version : 5.0.0.0-03DAdoptd Version : 5.8.3.0-024D<EX35XX-DEVICE>#nx9500-6C8809(config-profile-testEX3524)#upgrade autonx9500-6C8809(config-profile-testEX3524)#upgrade reloadnx9500-6C8809(config-profile-testEX3524)#upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.imgnx9500-6C8809(config-profile-testEX3524)#show contextprofile ex3524 testEX3524 ip default-gateway 192.168.13.13 power inline compatible............................................. 
use firewall-policy default service pm sys-restart upgrade opcode auto upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img upgrade opcode reloadnx9500-6C8809(config-profile-testEX3524)#upgrade opcode Configures the opcode image upgrade settingsauto Enables automatic upgradepath <LINE> Configures the location of the opcode imagereload Enables automatic reload after successful loading of the opcode image](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-311.png)

![PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5317.4.6 noEX3524 & EX3548 Profile/Device Config CommandsRemoves or reverts this EX3500 profile’s settingsSupported in the following platforms:• Switches — EX3524, EX3548• Wireless Controllers — RFS4000, RFS6000, RFS7000• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600Syntaxno [interface vlan <1-4094>|default-gateway {<IP>}|power inline compatible|upgrade opcode [auto|path|reload]|use ex3500-management-policy]Parameters• no <PARAMETERS>Examplenx9500-6C8809(config-profile-testEX3524)#show contextprofile ex3524 testEX3524 ip default-gateway 192.168.13.13 power inline compatible no autoinstall configuration no autoinstall firmware interface ge 1 17 interface ge 1 16 interface ge 1 15 interface ge 1 14 interface ge 1 13 interface ge 1 12 interface ge 1 11 interface ge 1 10 interface ge 1 24 interface ge 1 22 interface vlan 20 interface ge 1 23--More-- use ex3500-management-policy test use firewall-policy default service pm sys-restart upgrade opcode auto upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img upgrade opcode reloadnx9500-6C8809(config-profile-testEX3524)#nx9500-6C8809(config-profile-testEX3524)#no use ex3500-management-policynx9500-6C8809(config-profile-testEX3524)#no upgrade opcode reloadnx9500-6C8809(config-profile-testEX3524)#no interface vlan 20nx9500-6C8809(config-profile-testEX3524)#show contextprofile ex3524 testEX3524 ip default-gateway 192.168.13.13 power inline compatible no autoinstall configuration--More-- use firewall-policy default service pm sys-restart upgrade opcode auto upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.imgnx9500-6C8809(config-profile-testEX3524)#no <PARAMETERS> Removes or reverts this EX3500 profile settings based on the parameters passed](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-313.png)



![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 48.1.1 accountingaaa-policyConfigures the server type and interval at which interim accounting updates are sent to the server. A maximum of 6 accounting servers can be configured.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxaccounting [interim|server|type]accounting interim interval <60-3600>accounting server [<1-6>|preference]accounting server preference [auth-server-host|auth-server-number|none]accounting server <1-6> [dscp|host|nai-routing|onboard|proxy-mode|retry-timeout-factor|timeout]accounting server <1-6> [dscp <0-63>|retry-timeout-factor <50-200>]accounting server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}accounting server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-TEXT> {strip}accounting server <1-6> onboard [centralized-controller|self|controller]accounting server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]accounting server <1-6> timeout <1-60> {attempts <1-10>}accounting type [start-interim-stop|start-stop|stop-only]Parameters• accounting interim interval <60-3600>• accounting server preference [auth-server-host|auth-server-number|none]interim Configures the interim accounting interval. This is the interval at which interim accounting updates are posted to the accounting server.interval <60-3000> Specify the interim interval from 60 - 3600 seconds. The default is 1800 seconds.server Configures a RADIUS accounting server’s settingspreference Configures the accounting server’s preference mode. 
Authentication requests are forwarded to an accounting server, from the pool, based on the preference mode selected.auth-server-host Sets the authentication server as the accounting server. This is the default setting.This parameter indicates the same server is used for authentication and accounting. The server is identified by its hostname.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-317.png)
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 5• accounting server <1-6> [dscp <0-63>|retry-timeout-factor <50-200>]• accounting server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}• accounting server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-TEXT> {strip}auth-server-number Sets the authentication server as the accounting serverThis parameter indicates the same server is used for authentication and accounting. The server is identified by its index or number.none Indicates the accounting server is independent of the authentication serverserver <1-6> Configures an accounting server. Up to 6 accounting servers can be configured.dscp <0-63> Sets the Differentiated Services Code Point (DSCP) value for Quality of Service (QOS) monitoring. This value is used in generated RADIUS packets.• <0-63> – Sets the DSCP value from 0 - 63. The default value is 34.retry-timeout-factor <50-200>Sets the scaling factor for retransmission timeouts. The timeout at each attempt is a function of this retry-timeout factor and the attempt number.• <50-200> – Specify a value from 50 - 200. The default is 100.If the scaling factor is 100, the interval between two consecutive retries remains the same, irrespective of the number of retries.If the scaling factor is less than 100, the interval between two consecutive retries reduces with subsequent retries.If this scaling factor is greater than 100, the interval between two consecutive retries increases with subsequent retries.server <1-6> Configures an accounting server. 
Up to 6 accounting servers can be configured.host <IP/HOSTNAME/HOST-ALIAS>Configures the accounting server’s hostname, IP address, or host-alias. The host alias should be existing and configured.secret [0 <SECRET>|2 <SECRET>|<SECRET>]Configures a common secret key used to authenticate with the accounting server• 0 <SECRET> – Configures a clear text secret key• 2 <SECRET> – Configures an encrypted secret key• <SECRET> – Specify the secret key. This shared secret should not exceed 127 characters.port <1-65535> Optional. Configures the accounting server’s UDP port (the port used to connect to the accounting server)• <1-65535> – Sets the port number from 1 - 65535 (default port is 1813)server <1-6> Configures an accounting server. Up to 6 accounting servers can be configured.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-318.png)
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 6• accounting server <1-6> onboard [centralized-controller|self|controller]• accounting server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]nai-routing Enables Network Access Identifier (NAI) routing. This option is disabled by default.The NAI is a character string in the format of an e-mail address as either user or user@realm but it need not be a valid e-mail address or a fully qualified domain name. AAA servers identify clients using the NAI. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. Using the generic form allows all users to be configured on a single command line, irrespective of whether the users are within a realm or not. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dial up ISPs. With NAI, an ISP does not have the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers as need be.realm-type Specifies whether the prefix or suffix of the username is used as the match criteria. For example, if the option selected is prefix, the username’s prefix is matched to the realm.[prefix|suffix] Select one of the following options:• prefix – Matches the prefix of the username (For example, username is of type DOMAIN/user1, DOMAIN/user2). This is the default setting.• suffix – Matches the suffix of the username (For example, user1@DOMAIN, user2@DOMAIN)realm <REALM-TEXT>Configures the text matched against the username. Enter the realm name (should not exceed 50 characters). 
When the RADIUS accounting server receives a request for a user name, the server references a table of user names. If the user name is known, the server proxies the request to the RADIUS server.• <REALM-TEXT> – Specifies the matching text including the delimiter (a delimiter is typically '' or '@')strip Optional. When enabled, strips the realm from the username before forwarding the request to the RADIUS server. This option is disabled by default.server <1-6> Configures an accounting server. Up to 6 accounting servers can be configured.onboard Selects an onboard server instead of an external hostcentralized-controllerConfigures the server on the centralized controller managing the networkself Configures the onboard server on a AP, wireless controller, or service platform (where the client is associated)controller Configures local RADIUS server settingsserver <1-6> Configures an accounting server. Up to 6 accounting servers can be configured.proxy-mode Select the mode used to proxy requests. The options are: none, through-controller, and through-rf-domain-manager.none No proxy required. Sends the request directly using the IP address of the device. This is the default setting.through-centralized-controllerProxy requests through the centralized controller that is configuring and managing the network](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-319.png)
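The realm-type, realm and strip options described above, worked through as an added Python sketch (not WiNG code and not taken from the guide). The `RealmRule` model, first-match-wins ordering and case-sensitive comparison are assumptions; the usernames are constructed. It also shows why the realm text should include its delimiter, as the guide specifies.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class RealmRule:
    """Hypothetical model of one 'accounting server <1-6> nai-routing' line."""
    server: int          # accounting server index, 1-6
    realm_type: str      # "prefix" or "suffix"
    realm: str           # matching text, including the delimiter
    strip: bool = False  # remove the realm before forwarding

    def __post_init__(self) -> None:
        if not 1 <= self.server <= 6:
            raise ValueError("server index must be 1-6")
        if self.realm_type not in ("prefix", "suffix"):
            raise ValueError("realm-type must be prefix or suffix")
        if not 1 <= len(self.realm) <= 50:
            raise ValueError("realm text must be 1-50 characters")


def forwarded_name(rule: RealmRule, username: str) -> Optional[str]:
    """Return the username that would be forwarded, or None if no match.

    Assumption: the comparison is exact and case-sensitive.
    """
    if rule.realm_type == "prefix":
        if not username.startswith(rule.realm):
            return None
        user = username[len(rule.realm):]
    else:
        if not username.endswith(rule.realm):
            return None
        user = username[:-len(rule.realm)]
    if not user:
        # Realm only, no user portion: the specific NAI form needs a user.
        return None
    return user if rule.strip else username


def route(rules: Iterable[RealmRule], username: str) -> Optional[Tuple[int, str]]:
    """Pick the first matching rule (assumed order) -> (server, forwarded name)."""
    for rule in rules:
        name = forwarded_name(rule, username)
        if name is not None:
            return rule.server, name
    return None


def realm_has_delimiter(rule: RealmRule) -> bool:
    """Lint: realm text should carry its delimiter on the user-facing edge.

    Without it, a suffix rule for 'guest.example' also matches
    'eve@notguest.example', sending that request to the wrong server.
    """
    edge = rule.realm[-1] if rule.realm_type == "prefix" else rule.realm[0]
    return not edge.isalnum()


# Constructed rules for illustration.
RULES = [
    RealmRule(server=1, realm_type="prefix", realm="CORP/", strip=True),
    RealmRule(server=2, realm_type="suffix", realm="@guest.example"),
]

if __name__ == "__main__":
    for name in ("CORP/alice", "bob@guest.example", "carol", "eve@notguest.example"):
        print(f"{name!r:28} -> {route(RULES, name)}")
```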
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 7• accounting server <1-6> timeout <1-60> {attempts <1-10>}• accounting type [start-interim-stop|start-stop|stop-only]Examplerfs6000-37FABE(config-aaa-policy-test)#accounting interim interval 65rfs6000-37FABE(config-aaa-policy-test)#accounting server 2 host 172.16.10.10 secret test1 port 1rfs6000-37FABE(config-aaa-policy-test)#accounting server 2 timeout 2 attempts 2rfs6000-37FABE(config-aaa-policy-test)#accounting type start-stoprfs6000-37FABE(config-aaa-policy-test)#accounting server preference auth-server-numberrfs6000-37FABE(config-aaa-policy-test)#show contextaaa-policy test accounting server 2 host 172.16.10.10 secret 0 test1 port 1 accounting server 2 timeout 2 attempts 2 accounting interim interval 65 accounting server preference auth-server-numberrfs6000-37FABE(config-aaa-policy-test)#Related Commandsthrough-controller Proxies requests through the controller (access point, wireless controller, or service platform) configuring the devicethrough-mint-host <HOSTNAME/MINT-ID>Proxies requests through a neighboring MiNT device. Provide the device’s MiNT ID or hostname.through-rf-domain-managerProxies requests through the local RF Domain Managerserver <1-6> Configures an accounting server. Up to 6 accounting servers can be configured.timeout <1-60> Configures the timeout for each request sent to the RADIUS server• <1-60> – Specify a value from 1 - 60 seconds. The default is 5 seconds.attempts <1-10> Optional. Specifies the number of times a transmission request is attempted• <1-10> – Specify a value from 1 - 10. The default is 3.type Configures the type of RADIUS accounting packets sent. The options are: start-interim-stop, start-stop, and stop-only.start-interim-stop Sends accounting-start and accounting-stop messages when the session starts and stops. 
This parameter also sends interim accounting updates.start-stop Sends accounting-start and accounting-stop messages when the session starts and stops. This is the default setting.stop-only Sends an accounting-stop message when the session endsno Removes or resets accounting server parameters](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-320.png)
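The `show context` output above stores the RADIUS secret as `secret 0 test1` (clear text), and the EX35XX profile examples carry `ftp://anonymous:anonymous@...` in `upgrade opcode path` and a `port monitor` session. The following added Python audit sketch (not part of the guide or of WiNG) flags those three settings in a saved configuration. The rule names are hypothetical, and the sample is constructed from the guide's examples with indentation assumed, since the flattened output lost it.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit

# Transports that carry data and credentials unencrypted.
CLEARTEXT_SCHEMES = {"ftp", "tftp", "http"}


class Finding(NamedTuple):
    line: int      # 1-based line number in the saved configuration
    rule: str      # hypothetical rule identifier
    context: str   # enclosing configuration blocks
    detail: str    # never contains the secret or password itself


# Constructed sample; indentation is an assumption.
SAMPLE = """\
aaa-policy test
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 accounting interim interval 65
profile ex3524 testEX3524
 interface ge 1 20
  port monitor vlan 20
 upgrade opcode auto
 upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
"""

SECRET_CLEAR = re.compile(r"\bsecret\s+0\s+\S+")
URL = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    stack = []  # (indent, text) of the enclosing blocks
    for lineno, raw in enumerate(config.splitlines(), 1):
        text = raw.strip()
        if not text:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        context = " > ".join(t for _, t in stack)
        stack.append((indent, text))

        # 'secret 0 <SECRET>' is the clear-text form; 'secret 2' is encrypted.
        if SECRET_CLEAR.search(text):
            findings.append(Finding(lineno, "CLEARTEXT_SECRET", context,
                                    "shared secret stored as type 0 (clear text)"))

        # A mirror session copies traffic to another port: confirm it is intended.
        if text.startswith("port monitor "):
            findings.append(Finding(lineno, "PORT_MONITOR", context, text))

        m = URL.search(text)
        if m:
            try:
                parts = urlsplit(m.group(0))
            except ValueError:
                continue
            scheme = parts.scheme.lower()
            if parts.password is not None:
                redacted = f"{scheme}://{parts.username}:***@{parts.hostname}{parts.path}"
                findings.append(Finding(lineno, "URL_CREDENTIALS", context, redacted))
            if scheme in CLEARTEXT_SCHEMES:
                findings.append(Finding(lineno, "CLEARTEXT_TRANSFER", context,
                                        f"image fetched over unencrypted {scheme}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line}: {f.rule} [{f.context}] {f.detail}")
```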
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 88.1.2 attributeaaa-policyConfigures RADIUS Framed-MTU attribute used in access and accounting requests. The Framed-MTU attribute reduces the Extensible Authentication Protocol (EAP) packet size of the RADIUS server. This command is useful in networks where routers and firewalls do not perform fragmentation.To ensure network security, some firewall software drop UDP fragments from RADIUS server EAP packets. Consequently, the packets are large. Using Framed MTU reduces the packet size. EAP authentication uses Framed MTU to notify the RADIUS server about the Maximum Transmission Unit (MTU) negotiation with the client. The RADIUS server communications with the client do not include EAP messages that cannot be delivered over the network.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxattribute [acct-delay-time|acct-multi-session-id|chargeable-user-identity|cisco-vsa|framed-ip-address|framed-mtu|location-information|nas-ip-address|nas-ipv6-address|operator-name|service-type]attribute acct-delay-timeattribute acct-multi-session-idattribute chargeable-user-identityattribute cisco-vsa audit-session-idattribute framed-ip-addressattribute framed-mtu <100-1500>attribute location-information [include-always|none|server-requested]attribute nas-ip-address <WORD>attribute nas-ipv6-addressattribute operator-name <OPERATOR-NAME>attribute service-type [framed|login]Parameters• attribute acct-delay-time• attribute acct-multi-session-idacct-delay-time Enables support for accounting-delay-time attribute in accounting requests. 
When enabled, this attribute indicates the number of seconds the client has been trying to send a request to the accounting server. By subtracting this value from the time the packet is received by the server, the system is able to calculate the time of a request-generating event. Note, the network transit time is ignored. This option is disabled by default.Including the acct-delay-time attribute in accounting requests updates the acct-delay-time value whenever the packet is retransmitted. This changes the content of the attributes field, requiring a new identifier and request authenticator.acct-multi-session-id Enables support for accounting-multi-session-id attribute. When enabled, it allows linking of multiple related sessions of a roaming client. This option is useful in scenarios where a client roaming between access points sends multiple RADIUS accounting requests to different access points. This option is disabled by default.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-321.png)
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 9• attribute chargeable-user-identity• attribute cisco-vsa audit-session-id• attribute framed-ip-address• attribute framed-mtu <100-1500>• attribute location-information [include-always|none|server-requested]• attribute nas-ip-address <WORD>chargeable-user-identityEnables support for chargeable-user-identity attribute. This option is disabled by default.cisco-vsa audit-session-idConfigures the CISCO Vendor Specific Attribute (VSA) attribute included in access requests. This feature is disabled by default.This VSA allows CISCO’s Identity Services Engine (ISE) to validate a requesting client’s network compliance, such as the validity of virus definition files (anti virus software or definition files for an anti-spyware software application).• audit-session-id – Includes the audit session ID attribute in access requestsThe audit session ID is included in access requests when Cisco ISE is configured as an authentication server.Note: If the Cisco VSA attribute is enabled, configure an additional UDP port to listen for dynamic authorization messages from the Cisco ISE server. For more information, see service.framed-ip-address Enables inclusion of framed IP address attribute in access requests. This option is disabled by default.framed-mtu <100-1500>Configures Framed-MTU attribute used in access requests• <100-1500> – Specify the Framed-MTU attribute from 100 - 1500. The default value is 1400.location-information [include-always|none|server-requested]Enables support for RFC5580 location information attribute, based on the option selected. The various options are:• include-always – Always includes location information in RADIUS authentication and accounting messages• none – Disables sending of location information in RADIUS authentication and accounting messages. 
This is the default setting.• server-requested – Includes location information in RADIUS authentication and accounting messages only when requested by the serverWhen enabled, location information is exchanged in authentication and accounting messages.nas-ip-address <WORD>Enables configuration of an IP address, which is used as the RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets. If you are using a cluster of small network access servers (NASs) to simulate a large NAS, use this option to improve scalability. The IP address configured using this option allows the NASs to behave as a single RADIUS client from the perspective of the RADIUS server.• <WORD> – Provide the IPv4 address.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-322.png)
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 10• attribute nas-ipv6-address• attribute operator-name <OPERATOR-NAME>• attribute service-type [framed|login]Examplerfs6000-37FABE(config-aaa-policy-test)#attribute framed-mtu 110rfs6000-37FABE(config-aaa-policy-test)#show contextaaa-policy test accounting server 2 host 172.16.10.10 secret 0 test1 port 1 accounting server 2 timeout 2 attempts 2 accounting interim interval 65 accounting server preference auth-server-number attribute framed-mtu 110rfs6000-37FABE(config-aaa-policy-test)#rfs6000-37FABE(config-aaa-policy-test1)#attribute cisco-vsa audit-session-idrfs6000-37FABE(config-aaa-policy-test1)#show contextaaa-policy test attribute cisco-vsa audit-session-idrfs6000-37FABE(config-aaa-policy-test)#Related Commandsnas-ipv6-address Enables support for NAS IPv6 address. This option is disabled by default.When enabled, IPv6 addresses are assigned to hosts. The length of IPv4 and IPv6 addresses is 32-bit and 128-bit respectively. Consequently, an IPv6 address requires a larger address space.operator-name <OPERATOR-NAME>Enables support for RFC5580 operator name attribute. When enabled, the network operator’s name is included in all RADIUS authentication and accounting messages and uniquely identifies the access network owner. This option is disabled by default.• <OPERATOR-NAME> – Specify the network operator’s name (should not exceed 63 characters in length). service-type [framed|login]Configures the service-type (6) attribute value. This attribute identifies the following: the type of service requested and the type of service to be provided.• framed – Sets service-type to framed (2) in the authentication packets. When enabled, a framed protocol, Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP), is started for the client. This is the default setting.• login – Sets service-type to login (1) in the authentication packets. 
When enabled, the client is connected to the host.no Resets values or disables commands](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-323.png)
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 118.1.3 authenticationaaa-policyConfigures user authentication parametersSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxauthentication [eap|protocol|server]authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout <10-5000>|identity-request-timeout <1-60>|retry-timeout-factor <50-200>|timeout <1-60>]authentication protocol [chap|mschap|mschapv2|pap]authentication server <1-6> [dscp|host|nac|nai-routing|onboard|proxy-mode|retry-timeout-factor|timeout]authentication server <1-6> dscp <0-63>authentication server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}authentication server <1-6> nacauthentication server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-NAME>{strip}authentication server <1-6> onboard [centralized-controller|controller|self]authentication server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]authentication server <1-6> retry-timeout-factor <50-200>authentication server <1-6> timeout <1-60> {attempts <1-10>}Parameters• authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout <10-5000>|identity-request-timeout <1-60>|retry-timeout-factor <50-200>|timeout <1-60>]eap Configures EAP authentication parameterswireless-client Configures wireless client’s EAP parametersattempts <1-10> Configures the maximum number of attempts allowed to authenticate a wireless client• <1-10> – Specify a value from 1 - 10. 
The default is 3.identity-request-retry-timeout <10-5000>Configures the interval, in milliseconds, after which an EAP-identity request to the wireless client is retried• <10-5000> – Specify a value from 10 - 5000 milliseconds. The default is 1000 milliseconds.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-324.png)
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 12• authentication protocol [chap|mschap|mschapv2|pap]• authentication server <1-6> dscp <0-63>• authentication server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}identity-request-timeout <1-60>Configures the timeout, in seconds, after the last EAP-identity request message retry attempt (to allow time to manually enter user credentials)• <1-60> – Specify a value from 1 - 60 seconds. The default is 30 seconds.retry-timeout-factor <50-200>Configures the spacing between successive EAP retries• <50-200> – Specify a value from 50 - 200. The default is 100.A value of 100 indicates the interval between two consecutive retries remains the same irrespective of the number of retries.A value less than 100 indicates the interval between two consecutive retries reduces with each successive retry.A value greater than 100 indicates the interval between two consecutive retries increases with each successive retry.timeout <1-60> Configures the interval, in seconds, between successive EAP-identity requests sent to a wireless client• <1-60> – Specify a value from 1 - 60 seconds. The default is 3 seconds.protocol [chap|mschap|mschapv2|pap]Configures one of the following protocols for non-EAP authentication:• chap – Uses Challenge Handshake Authentication Protocol (CHAP)• mschap – Uses Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)• mschapv2 – Uses MS-CHAP version 2• pap – Uses Password Authentication Protocol (PAP) (default authentication protocol used)server <1-6> Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.• <1-6> – Specify the RADIUS server index from 1 - 6.dscp <0-63> Configures the Differentiated Service Code Point (DSCP) quality of service parameter generated in RADIUS packets. 
The DSCP value specifies the class of service provided to a packet, and is represented by a 6-bit parameter in the header of every IP packet.• <0-63> – Specify the value from 0 - 63. The default is 46.server <1-6> Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.• <1-6> – Specify the RADIUS server index from 1 - 6.host <IP/HOSTNAME/HOST-ALIAS>Sets the RADIUS authentication server’s IP address, hostname, or host-aliasThe host alias should be existing and configured.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-325.png)
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 13• authentication server <1-6> nac• accounting server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-NAME> {strip}secret [0 <SECRET>|2 <SECRET>|<SECRET>]Configures the RADIUS authentication server’s secret. This key is used to authenticate with the RADIUS server.• 0 <SECRET> – Configures a clear text secret• 2 <SECRET> – Configures an encrypted secret• <SECRET> – Specify the secret key. The shared key should not exceed 127 characters in length.port <1-65535> Optional. Specifies the RADIUS authentication server’s UDP port (this port is used to connect to the RADIUS server)• <1-65535> – Specify a value from 1 - 65535. The default port is 1812.server <1-6> Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.• <1-6> – Specify the RADIUS server index from 1 - 6.nac Enables Network Access Control (NAC) on the RADIUS authentication server identified by the <1-6> parameter.Using NAC, the controller hardware and software grant access to specific network resources. NAC performs a user and client authorization check for resources that do not have a NAC agent. NAC verifies the client’s compliance with the controller’s security policy. The controller supports only the EAP/802.1x type of NAC. However, the controller also provides a means to bypass NAC authentication for clients that do not have NAC 802.1x support (printers, phones, PDAs, etc.).server <1-6> Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured. • <1-6> – Specifies the RADIUS server index from 1 - 6.nai-routing Enables NAI routing. When enabled, AAA servers identify clients using NAI. This option is disabled by default.The NAI is a character string in the format of an e-mail address as either user or user@realm but it need not be a valid e-mail address or a fully qualified domain name. AAA servers identify clients using the NAI. 
The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. Using the generic form allows all users to be configured on a single command line, irrespective of whether the users are within a realm or not. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dial up ISPs. With NAI, an ISP does not have the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers as need be.realm-type [prefix|suffix]Configures the realm-type used for NAI authentication• prefix – Sets the realm prefix. For example, in the realm name ‘AC\JohnTalbot’, the prefix is ‘AC’ and the user name ‘JohnTalbot’.• suffix – Sets the realm suffix. For example, in the realm name ‘JohnTalbot@AC.org’ the suffix is ‘AC.org’ and the user name is ‘JohnTalbot’.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-326.png)
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 14• authentication server <1-6> onboard [centralized-controller|controller|self]• authentication server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]realm <REALM-NAME>Sets the realm information used for RADIUS authentication. The realm name should not exceed 64 characters in length. When the wireless controller or access point’s RADIUS server receives a request for a user name the server references a table of usernames. If the user name is known, the server proxies the request to the RADIUS server.• <REALM-NAME> – Sets the realm used for authentication. This value is matched against the user name provided for RADIUS authentication. Example:Prefix - AC\JohnTalbotSuffix - JohnTalbot@AC.orgstrip Optional. Indicates the realm name must be stripped from the user name before sending it to the RADIUS server for authentication. For example, if the complete username is ‘AC\JohnTalbot’, then with the strip parameter enabled, only the ‘JohnTalbot’ part of the complete username is sent for authentication. This option is disabled by default.server <1-6> Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.• <1-6> – Specify the RADIUS server index from 1 - 6.onboard [centralized-controller|controller|self]Selects the onboard RADIUS server for authentication instead of an external host• centralized-controller – Configures the server on the centralized controller managing the network• controller – Configures the wireless controller, to which the AP is adopted, as the onboard wireless controller• self – Configures the onboard server on the device (AP or wireless controller) where the client is associated as the onboard wireless controllerserver <1-6> Configures a RADIUS authentication server. 
Up to 6 RADIUS servers can be configured.• <1-6> – Specify the RADIUS server index from 1 - 6.proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]Configures the mode for proxying a request• none – Proxying is not done. The packets are sent directly using the IP address of the device. This is the default setting.• through-centralized-controller – The traffic is proxied through the centralized controller that is configuring and managing the network.• through-controller – The traffic is proxied through the wireless controller configuring this device.• through-mint-host <HOSTNAME/MINT-ID> – The traffic is proxied through a neighboring MiNT device. Provide the device’s hostname or MiNT ID.• through-rf-domain-manager – The traffic is proxied through the local RF Domain manager.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-327.png)
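
How realm-type, realm and strip combine for a given user name, as an added Python example that is not part of the WiNG guide or software. `split_nai`, `select_server` and the server list are hypothetical; trying servers in index order and comparing realms case-insensitively are assumptions, not documented behaviour.

```python
def split_nai(username, realm_type):
    """Split a user name into (realm, user) for the given realm-type.

    prefix: REALM\\user   (for example AC\\JohnTalbot)
    suffix: user@REALM    (for example JohnTalbot@AC.org)
    Returns (None, username) when the name carries no realm of that type.
    """
    if realm_type == "prefix":
        realm, sep, user = username.partition("\\")
    elif realm_type == "suffix":
        user, sep, realm = username.rpartition("@")
    else:
        raise ValueError("realm-type must be 'prefix' or 'suffix'")
    if not sep or not realm or not user:
        return None, username
    return realm, user


def select_server(username, servers):
    """Return (server index, user name sent to that server), or None.

    Each server entry mirrors one
    'authentication server <1-6> nai-routing realm-type ... realm ... {strip}' line.
    Assumption: servers are tried in ascending index order and the realm is
    compared case-insensitively.
    """
    for srv in sorted(servers, key=lambda s: s["index"]):
        if len(srv["realm"]) > 64:
            raise ValueError("realm name should not exceed 64 characters")
        realm, user = split_nai(username, srv["realm_type"])
        if realm is not None and realm.lower() == srv["realm"].lower():
            # With strip, only the user part is forwarded for authentication.
            return srv["index"], (user if srv["strip"] else username)
    return None


# Constructed server list using the realm names from the guide's examples.
SERVERS = [
    {"index": 1, "realm_type": "prefix", "realm": "AC", "strip": True},
    {"index": 2, "realm_type": "suffix", "realm": "AC.org", "strip": False},
]

if __name__ == "__main__":
    for name in ("AC\\JohnTalbot", "JohnTalbot@AC.org",
                 "AC\\JohnTalbot@AC.org", "JohnTalbot"):
        print(repr(name), "->", select_server(name, SERVERS))
```

A name that carries both a prefix and a suffix realm is claimed by the first matching rule, and strip removes only that rule's realm, so the other realm still reaches the RADIUS server.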


![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 178.1.5 mac-address-formataaa-policyConfigures the format in which MAC addresses are filled in RADIUS request framesSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxmac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot]mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper] attributes [all|username-password]Parameters• mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper] attributes [all|username-password]Examplerfs6000-37FABE(config-aaa-policy-test)#mac-address-format quad-dot case upper attributes username-passwordrfs6000-37FABE(config-aaa-policy-test)#show contextaaa-policy test authentication server 5 host 172.16.10.10 secret 0 test1 port 1 authentication server 5 timeout 10 accounting server 2 host 172.16.10.10 secret 0 test1 port 1 accounting server 2 timeout 2 attempts 2 mac-address-format quad-dot case upper attributes username-password authentication protocol chap --More--rfs6000-37FABE(config-aaa-policy-test)#middle-hyphen Configures the MAC address format as AABBCC-DDEEFFno-delim Configures the MAC address format as AABBCCDDEEFF (without delimiters)pair-colon Configures the MAC address format as AA:BB:CC:DD:EE:FFpair-hyphen Configures the MAC address display format as AA-BB-CC-DD-EE-FF (default setting)quad-dot Configures the MAC address display format as AABB.CCDD.EEFFcase [lower|upper] Indicates the case in which the MAC address is formatted• lower – Indicates MAC address is in lower case. For example, aa:bb:cc:dd:ee:ff• upper – Indicates MAC address is in upper case. 
For example, AA:BB:CC:DD:EE:FF (default setting)attributes [all|username-password]Configures RADIUS attributes to which this MAC format is applicable• all – Applies to all attributes with MAC addresses such as username, password, calling-station-id, and called-station-id• username-password – Applies only to the username and password fields (default setting)](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-330.png)
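
The five layouts and the case option can be checked against a RADIUS server's MAC-authentication entries before the policy is changed. The Python below is an added example, not part of the WiNG guide or software; `render`, `identify`, `mismatched_entries` and the sample entries are constructed for illustration, and it assumes the server compares the user name as an exact string.

```python
import re

# keyword -> (hex digits per group, delimiter), from the parameter table above
FORMATS = {
    "middle-hyphen": (6, "-"),   # AABBCC-DDEEFF
    "no-delim": (12, ""),        # AABBCCDDEEFF
    "pair-colon": (2, ":"),      # AA:BB:CC:DD:EE:FF
    "pair-hyphen": (2, "-"),     # AA-BB-CC-DD-EE-FF (default)
    "quad-dot": (4, "."),        # AABB.CCDD.EEFF
}


def render(mac_hex, fmt="pair-hyphen", case="upper"):
    """Render 12 hex digits the way 'mac-address-format <fmt> case <case>' describes."""
    if fmt not in FORMATS:
        raise ValueError("unknown format keyword: %r" % fmt)
    if case not in ("lower", "upper"):
        raise ValueError("case must be 'lower' or 'upper'")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", mac_hex):
        raise ValueError("expected 12 hex digits")
    group, delim = FORMATS[fmt]
    digits = mac_hex.upper() if case == "upper" else mac_hex.lower()
    return delim.join(digits[i:i + group] for i in range(0, 12, group))


def identify(text):
    """Return (hex digits, format keyword, case) for a string in one of the
    five layouts, or None. case is None for digit-only addresses and
    'mixed' when upper and lower case letters are combined."""
    for fmt, (group, delim) in FORMATS.items():
        parts = text.split(delim) if delim else [text]
        if len(parts) != 12 // group:
            continue
        if not all(re.fullmatch(r"[0-9A-Fa-f]{%d}" % group, p) for p in parts):
            continue
        digits = "".join(parts)
        if digits == digits.upper() and digits == digits.lower():
            case = None
        elif digits == digits.upper():
            case = "upper"
        elif digits == digits.lower():
            case = "lower"
        else:
            case = "mixed"
        return digits.lower(), fmt, case
    return None


def mismatched_entries(stored_usernames, fmt, case):
    """List (stored, expected) for entries that would not equal the user name
    sent under the given policy setting. expected is None when the stored
    value is not a MAC address in any of the five layouts."""
    problems = []
    for stored in stored_usernames:
        parsed = identify(stored)
        if parsed is None:
            problems.append((stored, None))
            continue
        expected = render(parsed[0], fmt, case)
        if stored != expected:
            problems.append((stored, expected))
    return problems


# Constructed sample of user names as they might be stored on a RADIUS server.
SAMPLE_ENTRIES = [
    "AABB.CCDD.EEFF",
    "aa:bb:cc:dd:ee:ff",
    "00-11-22-33-44-55",
    "0011.2233.4455",
    "printer-lobby",
]

if __name__ == "__main__":
    # Policy from the guide's example: quad-dot case upper
    for stored, expected in mismatched_entries(SAMPLE_ENTRIES, "quad-dot", "upper"):
        print(stored, "->", expected)
```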

![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 198.1.6 noaaa-policyNegates a AAA policy command or sets its defaultSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxno [accounting|attribute|authentication|health-check|mac-address-format|proxy-attribute|server-pooling-mode|use]no accounting interim intervalno accounting server preferenceno accounting server <1-6> {dscp|nai-routing|proxy-mode|retry-timeout-factor|timeout}no accounting typeno attribute [acct-delay-time|acct-multi-session-id|chargeable-user-identity|cisco-vsa audit-session-id|framed-ip-address|framed-mtu|location-information|nas-ipv6-address|operator-name|service-type]no authentication [eap|protocol|server]no authentication eap wireless-client [attempts|identity-request-retry-timeout|identity-request-timeout|retry-timeout-factor|timeout]no authentication protocolno authentication server <1-6> {dscp|nac|nai-routing|proxy-mode|retry-timeout-factor|timeout}no health-check intervalno mac-address-formatno proxy-attribute [nas-identifier|nas-ip-address]no server-pooling-modeno use nac-listParameters• no <PARAMETERS>no <PARAMETERS> Negates a AAA policy command or sets its default](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-332.png)

![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 218.1.7 proxy-attributeaaa-policyConfigures RADIUS server’s attribute behavior when proxying through a wireless controller or a RF Domain managerSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxproxy-attribute [nas-identifier|nas-ip-address]proxy-attribute [nas-identifier [originator|proxier]|nas-ip-address [none|proxier]]Parameters• proxy-attribute [nas-identifier [originator|proxier]|nas-ip-address [none|proxier]]Examplerfs6000-37FABE(config-aaa-policy-test)#proxy-attribute nas-ip-address proxierrfs6000-37FABE(config-aaa-policy-test)#proxy-attribute nas-identifier originatorRelated Commandsnas-identifier[originator|proxier]Uses NAS identifier• originator – Configures the NAS identifier as the originator of the RADIUS request. The originator could be an AP, or a wireless controller with radio. This is the default setting.• proxier – Configures the proxying device as the NAS identifier. The device could be a controller or a RF Domain manager.nas-ip-address[none|proxier]Uses NAS IP address• none – NAS IP address attribute is not filled• proxier – NAS IP address is filled by the proxying device.The device could be a controller or a RF Domain manager. This is the default setting.no Resets RADIUS server’s proxying attributes](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-334.png)
![AAA-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 228.1.8 server-pooling-modeConfigures the server selection method from a pool of AAA servers. The available methods are failover and load-balance.In the failover scenario, when a configured AAA server goes down, the server with the next higher index takes over for the failed server.In the load-balance scenario, when a configured AAA server goes down, the remaining servers distribute the load amongst themselves.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxserver-pooling-mode [failover|load-balance]Parameters• server-pooling-mode [failover|load-balance]Examplerfs6000-37FABE(config-aaa-policy-test)#server-pooling-mode load-balancerfs6000-37FABE(config-aaa-policy-test)#show contextaaa-policy test authentication server 5 host 172.16.10.10 secret 0 test2 port 1 authentication server 5 timeout 10 accounting server 2 host 172.16.10.10 secret 0 test1 port 1 server-pooling-mode load-balance mac-address-format quad-dot case upper attributes username-password accounting server preference auth-server-number health-check interval 4000rfs6000-37FABE(config-aaa-policy-test)#Related Commandsfailover Sets the pooling mode to failover. 
This is the default setting.When a configured AAA server fails, the server with the next higher index takes over the failed server’s load.load-balance Sets the pooling mode to load balancingWhen a configured AAA server fails, all servers in the pool share the failed server’s load transmitting requests in a round-robin fashion.no Resets the method of selecting a server, from the pool of configured AAA servers](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-335.png)
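
The show context output in the examples above stores both server secrets with `secret 0`, the clear-text form. The Python below is an added example (not part of the WiNG guide or software) that lints a saved aaa-policy block for clear-text secrets and for values outside the ranges this chapter documents; the function name and the sample text, which extends the guide's example with constructed lines, are assumptions.

```python
import re

# One 'server ... host ... secret ...' line as it appears in show context.
SERVER_RE = re.compile(
    r"^(authentication|accounting) server (\d+) host (\S+) "
    r"secret (?:([02]) )?(\S+)(?: port (\d+))?$"
)
MTU_RE = re.compile(r"^attribute framed-mtu (\d+)$")

CLEAR_TEXT = "secret is stored as clear text (secret 0)"
NO_TYPE = "secret has no 0/2 type prefix"
TOO_LONG = "secret exceeds 127 characters"
BAD_INDEX = "server index outside 1-6"


def audit_aaa_policy(text):
    """Return a list of (location, finding) tuples for an aaa-policy dump.

    Findings never echo the secret itself, so the report can be shared.
    """
    findings = []
    policy = "(no policy)"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("aaa-policy "):
            policy = line.split(None, 1)[1]
            continue
        m = SERVER_RE.match(line)
        if m:
            kind, idx, _host, enc, secret, port = m.groups()
            where = "%s: %s server %s" % (policy, kind, idx)
            if not 1 <= int(idx) <= 6:
                findings.append((where, BAD_INDEX))
            if enc == "0":
                findings.append((where, CLEAR_TEXT))
            elif enc is None:
                findings.append((where, NO_TYPE))
            if len(secret) > 127:
                findings.append((where, TOO_LONG))
            if port is not None:
                if not 1 <= int(port) <= 65535:
                    findings.append((where, "port %s outside 1-65535" % port))
                elif kind == "authentication" and int(port) != 1812:
                    findings.append(
                        (where, "port %s differs from the default 1812" % port))
            continue
        m = MTU_RE.match(line)
        if m and not 100 <= int(m.group(1)) <= 1500:
            findings.append(
                (policy, "framed-mtu %s outside 100-1500" % m.group(1)))
    return findings


# Policy 'test' follows the guide's example output; 'branch-template' and the
# placeholder encrypted value are constructed for this example.
SAMPLE = """\
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test2 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 server-pooling-mode load-balance
 attribute framed-mtu 110
aaa-policy branch-template
 authentication server 7 host radius1.example.com secret 2 CONSTRUCTED-ENCRYPTED-VALUE
 attribute framed-mtu 1600
"""

if __name__ == "__main__":
    for where, finding in audit_aaa_policy(SAMPLE):
        print("%-45s %s" % (where, finding))
```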





![AUTO-PROVISIONING-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 9 - 59.1.1 adoptauto-provisioning-policyAdds device adoption rulesSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxadopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [profile|rf-domain]adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] [any|area|cdp-match|dhcp-option|floor|fqdn|ip|ipv6|lldp-match|mac|model-number|rf-domain|serial-number|vlan]adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] anyadopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] [area <AREA-NAME>|cdp-match 
<LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|floor <FLOOR-NAME>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|rf-domain <RF-DOMAIN-NAME>|vlan <VLAN-ID>]Parameters• adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] anyadopt Adds an adopt device rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX7500, NX7510, NX7520, NX7530, NX95XX, VX9000, and NX9600.Note: ‘anyap’ is used in auto provisioning policies to create rules that are applicable to any AP regardless of the model type.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-341.png)
![AUTO-PROVISIONING-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 9 - 6• adopt[anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] [area <AREA-NAME>|cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|floor <FLOOR-NAME>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|rf-domain <RF-DOMAIN-NAME>|vlan <VLAN-ID>]precedence <1-10000>Sets the rule precedence from 1 - 10000. A rule with a lower value has a higher precedence.profile <DEVICE-PROFILE-NAME>Sets the device profile for this provisioning policy. The selected device profile must be appropriate for the device being provisioned. For example, use an AP7502 device profile for an AP7502. Using an inappropriate device profile can result in unpredictable results. Provide a device profile name.Provide a device profile name (should be existing and configured). Or a template with appropriate substitution tokens, such as 'campus-$MODEL[1:6]', 'FQDN[1:4]-indoor'.Please see the Usage Guidelines section Built-in Tokens & Alias for the different types of built in tokens available in the system.rf-domain <RF-DOMAIN-NAME>Sets the RF Domain for this auto provisioning policy. The provisioning policy is only applicable to devices that try to become a part of the specified RF Domain. Provide the full RF Domain name OR use a string alias to identify the RF Domain.Provide the full RF Domain name or an alias (should be existing and configured). 
Or a template with appropriate substitution tokens, such as '$CDP[1:7]', '$DNS-SUFFIX[1:5]'Please see the Usage Guidelines section Built-in Tokens & Alias for the different types of built in tokens available in the system.Note: Use the built-in string alias or a user-defined string alias. String aliases allow you to configure APs in the same RF Domain as the adopting controller. A string alias maps a name to an arbitrary string value, for example, ‘alias string $DOMAIN test.example_company.com’. In this example, the string-alias $DOMAIN is mapped to the string: test.example_company.com. For more information, see alias.any Indicates any device. Any device seeking adoption is adopted.adopt Adds an adopt device rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7502, AP7522, AP7532, AP7562, AP7161, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX7500, NX7510, NX7520, NX7530, NX95XX, VX9000, and NX9600.Note: ‘anyap’ is used in auto provisioning policies to create rules that are applicable to any AP regardless of the model type.precedence <1-10000>Sets the rule precedence. A rule with a lower value has a higher precedence.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-342.png)
![AUTO-PROVISIONING-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 9 - 7profile <DEVICE-PROFILE-NAME>Sets the device profile for this provisioning policy. The selected device profile must be appropriate for the device being provisioned. For example, use an AP7502 device profile for an AP7502. Using an inappropriate device profile can result in unpredictable results.Provide a device profile name (should be existing and configured). Or a template with appropriate substitution tokens, such as 'campus-$MODEL[1:6]', 'FQDN[1:4]-indoor'Please see the Usage Guidelines section Built-in Tokens & Alias for the different types of built in tokens available in the system.rf-domain <RF-DOMAIN-NAME>Sets the RF Domain for this auto provisioning policy. The provisioning policy is only applicable to devices that try to become a part of the specified RF Domain.Provide the full RF Domain name or an alias (should be existing and configured). Or a template with appropriate substitution tokens, such as '$CDP[1:7]', '$DNS-SUFFIX[1:5]'.Please see the Usage Guidelines section Built-in Tokens & Alias for the different types of built in tokens available in the system.Note: Use the built-in string alias or a user-defined string alias. String aliases allow you to configure APs in the same RF Domain as the adopting controller. A string alias maps a name to an arbitrary string value, for example, ‘alias string $DOMAIN test.example_company.com’. In this example, the string-alias $DOMAIN is mapped to the string: test.example_company.com. For more information, see alias.area <AREA-NAME> Matches the area of deployment. This option is not applicable to the ‘rf-domain’ parameter.• <AREA-NAME> – Enter a 64 character maximum deployment area name assigned to this policy. Devices with matching area names are adopted.cdp-match <LOCATION-SUBSTRING>Matches a substring in a list of CDP snoop strings (case insensitive). 
For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com, and controller3.example.com, 'controller1', ‘example’, 'example.com', are examples of the substrings that will match.• <LOCATION-SUBSTRING> – Specify the value to match. Devices matching the specified value are adopted.dhcp-option <DHCP-OPTION>Matches the value found in DHCP vendor option 191 (case insensitive). DHCP vendor option 191 can be setup to communicate various configuration parameters to an AP. The value of the option in a string in the form of tag=value separated by a semicolon, for example 'tag1=value1;tag2=value2;tag3=value3'. The access point includes the value of tag 'rf-domain', if present.• <DHCP-OPTION> – Specify the DHCP option. Devices matching the specified value are adopted.floor <FLOOR-NAME>Matches the floor name. This option is not applicable to the ‘rf-domain’ parameter.• <FLOOR-NAME> – Enter a 32 character maximum deployment floor name assigned to this policy. Devices with matching floor names are adopted. fqdn <FQDN> Matches a substring to the Fully Qualified Domain Name (FQDN) of a device (case insensitive)FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain. This parameter allows a device to adopt based on its FQDN value.• <FQDN> – Specify the FQDN. Devices matching the specified value are adopted.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-343.png)
`ip [<START-IP> <END-IP>|<IP/MASK>]`
Adopts a device if its IP address matches the specified IPv4 address or is within the specified IP address range, or if the device is a part of the specified subnet.
• `<START-IP>` – Specify the first IPv4 address in the range.
• `<END-IP>` – Specify the last IPv4 address in the range.
• `<IP/MASK>` – Specify the IPv4 subnet and mask to match against the device’s IP address.

`ipv6 [<START-IP> <END-IP>|<IP/MASK>]`
Adopts a device if its IPv6 address matches the specified IPv6 address or is within the specified IP address range, or if the device is a part of the specified subnet.
• `<START-IP>` – Specify the first IPv6 address in the range.
• `<END-IP>` – Specify the last IPv6 address in the range.
• `<IP/MASK>` – Specify the IPv6 subnet and mask to match against the device’s IPv6 address.

`lldp-match <LLDP-STRING>`
Matches a substring in a list of Link Layer Discovery Protocol (LLDP) snoop strings (case insensitive). For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com, and controller3.example.com, 'controller1', 'example', 'example.com', are examples of the substrings that will match.
LLDP is a vendor neutral link layer protocol that advertises a network device’s identity, capabilities, and neighbors on a local area network.
• `<LLDP-STRING>` – Specify the LLDP string. Devices matching the specified value are adopted.

`mac <START-MAC> {<END-MAC>}`
Adopts a device if its MAC address matches the specified MAC address or is within the specified MAC address range.
• `<START-MAC>` – Specify the first MAC address in the range. Provide this MAC address if you want to match for a single device.
• `<END-MAC>` – Optional. Specify the last MAC address in the range.

`model-number <MODEL-NUMBER>`
Adopts a device if its model number matches `<MODEL-NUMBER>`.
• `<MODEL-NUMBER>` – Specify the model number.

`rf-domain <RF-DOMAIN-NAME>`
Adopts a device if its RF Domain matches `<RF-DOMAIN-NAME>`.
• `<RF-DOMAIN-NAME>` – Specify the RF Domain name. You can use a string alias to specify a RF Domain.
Provide the full RF Domain name or an alias (should be existing and configured), or a template with appropriate substitution tokens, such as '$CDP[1:7]', '$DNS-SUFFIX[1:5]'. Please see the Usage Guidelines section Built-in Tokens & Alias for the different types of built-in tokens available in the system.
Note: Use the built-in string alias or a user-defined string alias. String aliases allow you to configure APs in the same RF Domain as the adopting controller. A string alias maps a name to an arbitrary string value, for example, ‘alias string $DOMAIN test.example_company.com’. In this example, the string-alias $DOMAIN is mapped to the string: test.example_company.com. For more information, see alias.

`serial-number <SERIAL-NUMBER>`
Adopts a device if its serial number matches `<SERIAL-NUMBER>`.
• `<SERIAL-NUMBER>` – Specify the serial number.

`vlan <VLAN-ID>`
Adopts a device if its VLAN matches `<VLAN-ID>`.
• `<VLAN-ID>` – Specify the VLAN ID.

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 8](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-344.png)

9.1.2 auto-create-rfd-template
auto-provisioning-policy

Enables auto creation of an RF Domain:
• when tokens are used to select the RF Domain to apply to devices matching the adoption criteria, and
• the token-specified RF Domain does not exist.

During device adoption, if the token-specified RF Domain (configured using the ‘adopt’ rule) is not found, the system auto creates a new RF Domain based on an existing RF Domain template specified using this command. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
auto-create-rfd-template <RF-DOMAIN-NAME>
```

Parameters
• `auto-create-rfd-template <RF-DOMAIN-NAME>`

`auto-create-rfd-template <RF-DOMAIN-NAME>`
Auto creates a new RF Domain based on an existing RF Domain template.
• `<RF-DOMAIN-NAME>` – Specify the RF Domain name (should be existing and configured). The new RF Domain created is saved with the token name specified in the ‘adopt’ command.
Note: For more information on configuring tokens, see adopt.

Example

The following example configures an adopt rule for adopting any AP7532 and applying an RF Domain matching the token “$MODEL[1:5]” to the adopted AP:

```
nx9500-6C8809(config-auto-provisioning-policy-test)#adopt ap7532 precedence 20 rf-domain $MODEL[1:5] any
nx9500-6C8809(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap7532 precedence 20 rf-domain $MODEL[1:5] any
nx9500-6C8809(config-auto-provisioning-policy-test)#
```

The following example enables auto creation of the following RF Domain using an existing RF Domain ‘rfd-AP’ as template:
• RF Domain name “AP-75”: Applicable to any AP7532

```
nx9500-6C8809(config-auto-provisioning-policy-test)#auto-create-rfd-template rfd-AP
nx9500-6C8809(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap7532 precedence 20 rf-domain $MODEL[1:5] any
 auto-create-rfd-template rfd-AP
nx9500-6C8809(config-auto-provisioning-policy-test)#
```

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 10](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-346.png)
As per the above configurations, when an AP7532 comes up for first-time adoption, the system:
• Checks for an RF Domain matching the options provided in the ‘adopt’ rule, and if not found
• auto creates the RF Domain only if:
  - A token is specified in the ‘adopt’ rule. For example, $MODEL[1:5], and
  - the ‘auto-create-rfd-template’ option is configured
• Uses the ‘RF Domain’ specified in the auto-create-rfd-template command as a template. Therefore, the specified RF Domain should be existing and configured.
• Applies the new RF Domain to the AP.

Related Commands

`no`
Disables auto creation of an RF Domain

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 11](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-347.png)
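
The adoption-time steps listed above, as an added sketch that is not code from the WiNG documentation or product. It assumes `[start:end]` selects 1-based, inclusive character positions (inferred from the page's own example, where `$MODEL[1:5]` yields the RF Domain "AP-75" for an AP7532); the function names, the `rf_domains` dictionary and the sample model string are hypothetical.

```python
import re

# $TOKEN or $TOKEN[start:end]; token names as they appear on this page ($MODEL, $CDP, $DNS-SUFFIX).
TOKEN_RE = re.compile(r"\$([A-Z]+(?:-[A-Z]+)*)(?:\[(\d+):(\d+)\])?")


def expand_tokens(template, attrs):
    """Expand tokens in an rf-domain or profile template.

    ASSUMPTION: [start:end] is 1-based and inclusive, inferred from the
    page's example ($MODEL[1:5] -> "AP-75"); not taken from a token spec.
    """
    def _sub(match):
        name, start, end = match.groups()
        value = attrs[name]                  # KeyError if the device did not report it
        return value if start is None else value[int(start) - 1:int(end)]
    return TOKEN_RE.sub(_sub, template)


def resolve_rf_domain(rule_rf_domain, attrs, rf_domains, auto_create_template=None):
    """Return (rf_domain_name, outcome) following the steps listed above.

    rf_domains is a dict (name -> settings) standing in for the RF Domains
    configured on the controller; it is updated when a domain is auto-created.
    """
    uses_token = TOKEN_RE.search(rule_rf_domain) is not None
    name = expand_tokens(rule_rf_domain, attrs)
    if name in rf_domains:
        return name, "existing"
    if not uses_token or auto_create_template is None:
        return None, "not-found"             # no token, or auto-create-rfd-template not configured
    if auto_create_template not in rf_domains:
        return None, "template-missing"      # the template RF Domain must exist and be configured
    # Clone the template under the token-derived name, then apply it to the AP.
    rf_domains[name] = dict(rf_domains[auto_create_template])
    return name, "auto-created"


if __name__ == "__main__":
    domains = {"rfd-AP": {"note": "constructed template settings"}}
    device = {"MODEL": "AP-7532-67030-US"}   # constructed model string
    print(resolve_rf_domain("$MODEL[1:5]", device, domains, "rfd-AP"))
    print(sorted(domains))
```

Because the new RF Domain's name is cut from a device-reported string, comparing the set of RF Domains before and after an adoption run shows which names were created this way.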

9.1.4 deny
auto-provisioning-policy

Defines a deny device adoption rule

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [any|cdp-match|dhcp-option|fqdn|ip|ipv6|lldp-match|mac|model-number|serial-number|vlan]

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> any

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]
```

Parameters
• `deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> any`

`deny`
Adds a deny adoption rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.
The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600 series.
Note: ‘anyap’ is used in auto provisioning policies to create rules that are applicable to any AP regardless of the model type.

`precedence <1-10000>`
Sets the rule precedence. A rule with a lower value has a higher precedence.

`any`
Indicates any device. Any device seeking adoption is denied adoption.

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 13](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-349.png)
• `deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-1000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]`

`deny`
Adds a deny adoption rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.
The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600.

`precedence <1-10000>`
Sets the rule precedence. A rule with a lower value has a higher precedence.
After specifying the rule precedence, specify the match criteria. Devices matching the specified criteria are denied adoption.

`cdp-match <LOCATION-SUBSTRING>`
Matches a substring in a list of CDP snoop strings (case insensitive). For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com and controller3.example.com, 'controller1', 'example', 'example.com', are examples of the substrings that will match.
• `<LOCATION-SUBSTRING>` – Specify the value to match. Devices matching the specified value are denied adoption.

`dhcp-option <DHCP-OPTION>`
Matches the value found in DHCP vendor option 191 (case insensitive). DHCP vendor option 191 can be set up to communicate various configuration parameters to an AP. The value of the option is a string in the form of tag=value separated by a semicolon, for example 'tag1=value1;tag2=value2;tag3=value3'. The access point includes the value of tag 'rf-domain', if present.
• `<DHCP-OPTION>` – Specify the DHCP option value to match. Devices matching the specified value are denied adoption.

`fqdn <FQDN>`
Matches a substring to the FQDN of a device (case insensitive).
FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain.
• `<FQDN>` – Specify the FQDN. Devices matching the specified value are denied adoption.

`ip [<START-IP> <END-IP>|<IP/MASK>]`
Denies adoption if a device's IP address matches the specified IPv4 address or is within the specified IP address range.
• `<START-IP>` – Specify the first IPv4 address in the range.
• `<END-IP>` – Specify the last IPv4 address in the range.
• `<IP/MASK>` – Specify the IPv4 subnet and mask to match against the device’s IP address.

`ipv6 [<START-IP> <END-IP>|<IP/MASK>]`
Denies adoption if a device's IPv6 address matches the specified IP address or is within the specified IP address range.
• `<START-IP>` – Specify the first IPv6 address in the range.
• `<END-IP>` – Specify the last IPv6 address in the range.
• `<IP/MASK>` – Specify the IPv6 subnet and mask to match against the device’s IP address.

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 14](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-350.png)


9.1.6 redirect
auto-provisioning-policy

Adds a rule redirecting device adoption to another controller within the system. Devices seeking adoption are redirected to a specified controller based on the redirection parameters specified.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>] [any|cdp-match|dhcp-option|fqdn|ip|ipv6|level|lldp-match|mac|model-number|pool|serial-number|vlan]

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] any

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|level [1|2]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|pool <1-2>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>] {upgrade}
```

Parameters
• `redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] any`

`redirect`
Adds a redirect adoption rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule.
The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, AP7632, AP7662, NX9600 series.
Note: ‘anyap’ is used in auto provisioning policies to create rules that are applicable to any AP regardless of the model type.
Note: An adoptee controller, such as RFS4000 and RFS6000, can be redirected to another controller (configured to adopt controllers) with a capacity equal to or higher than its own. For more information, see controller.

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 17](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-353.png)
`precedence <1-10000>`
Sets the rule precedence. Rules with lower values get precedence over rules with higher values.

`controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6]`
Configures the controller to which the adopting devices are redirected. Specify the controller’s IP address or hostname.
• `<CONTROLLER-IP>` – Specifies the controller’s IP address
• `<CONTROLLER-HOSTNAME>` – Specifies the controller’s hostname
• `ipv6` – Specify the controller’s IPv6 address

`any`
Indicates any device. Any device seeking adoption is redirected.

• `redirect [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-1000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|pool <1-2>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>] {upgrade}`

`redirect`
Adds a redirect adoption rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule.
The different device type options are: anyap, AP6521, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600.
Note: An adoptee controller, such as RFS4000, RFS6000, and RFS7000, can be redirected to another controller (configured to adopt controllers) with a capacity equal to or higher than its own. For more information, see controller.

`precedence <1-10000>`
Sets the rule precedence. Rules with lower values get precedence over rules with higher values.

`controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6]`
Configures the controller to which the adopting devices are redirected. Specify the controller’s IP address or hostname.
• `<CONTROLLER-IP>` – Specifies the controller’s IP address
• `<CONTROLLER-HOSTNAME>` – Specifies the controller’s hostname
• `ipv6` – Specify the controller’s IPv6 address.
After specifying the rule precedence and the controller, specify the match criteria.

`cdp-match <LOCATION-SUBSTRING>`
Configures the device location to match, based on CDP snoop strings.
• `<LOCATION-SUBSTRING>` – Specify the location. Devices matching the specified string are redirected.

`dhcp-option <DHCP-OPTION>`
Configures the DHCP options to match.
DHCP options identify the vendor and DHCP client functionalities. This information is used by the client to convey to the DHCP server that the client requires extra information in a DHCP response.
• `<DHCP-OPTION>` – Specify the DHCP option value. Devices matching the specified value are redirected.

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 18](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-354.png)
`fqdn <FQDN>`
Configures the FQDN to match.
FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain.
• `<FQDN>` – Specify the FQDN. Devices matching the specified value are redirected.

`ip [<START-IP> <END-IP>|<IP/MASK>]`
Configures a range of IP addresses and subnet address. Devices having IPv4 addresses within the specified range or are part of the specified subnet are redirected.
• `<START-IP>` – Specify the first IPv4 address in the range.
• `<END-IP>` – Specify the last IPv4 address in the range.
• `<IP/MASK>` – Specify the IPv4 subnet and mask to match against the device’s IP address.

`level [1|2]`
Configures the routing level.
• level1 – Specifies level 1 as local routing
• level2 – Specifies level 2 as inter-site routing

`ipv6 [<START-IP> <END-IP>|<IP/MASK>]`
Redirects if a device's IPv6 address matches the specified IP address or is within the specified IP address range.
• `<START-IP>` – Specify the first IPv6 address in the range.
• `<END-IP>` – Specify the last IPv6 address in the range.
• `<IP/MASK>` – Specify the IPv6 subnet and mask to match against the device’s IP address.

`lldp-match <LLDP-STRING>`
Configures the device location to match, based on LLDP snoop strings.
LLDP is a vendor neutral link layer protocol used to advertise a network device’s identity, capabilities, and neighbors on a local area network.
• `<LLDP-STRING>` – Specify the location. Devices matching the specified string are redirected.

`mac <START-MAC> {<END-MAC>}`
Configures a single or a range of MAC addresses. Devices matching the specified values are redirected.
• `<START-MAC>` – Specify the first MAC address in the range. Provide only this MAC address to filter a single device.
• `<END-MAC>` – Optional. Specify the last MAC address in the range.

`model-number <MODEL-NUMBER>`
Configures the device model number.
• `<MODEL-NUMBER>` – Specify the model number. Devices matching the specified model number are redirected.

`pool <1-2>`
Configures the controller pool.
• `<1-2>` – Configures the pool to which the specified controller belongs. The default pool value is 1.

`serial-number <SERIAL-NUMBER>`
Configures the device’s serial number.
• `<SERIAL-NUMBER>` – Specify the serial number. Devices matching the specified serial number are redirected.

`vlan <VLAN-ID>`
Configures the VLAN ID.
• `<VLAN-ID>` – Specify the VLAN ID. Devices assigned to the specified VLAN are redirected.

`upgrade`
Optional. Upgrades APs before redirecting the device for adoption within the system.

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 19](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-355.png)

9.1.7 upgrade
auto-provisioning-policy

Adds a device upgrade rule to this auto provisioning policy. When applied to a controller, the upgrade rule ensures adopted devices, of the specified type, are upgraded automatically.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]

upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [any|cdp-match|dhcp-option|fqdn|ip|ipv6|lldp-match|mac|model-number|serial-number|vlan]

upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> any

upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]
```

Parameters
• `upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> any`

`upgrade`
Adds a device upgrade rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule.
The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600 series.

`precedence <1-10000>`
Sets the rule precedence. Rules with lower values get precedence over rules with higher values.

`any`
Indicates any device. Any device, of the selected type, is upgraded.

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 21](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-357.png)
• `upgrade [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]`

`upgrade`
Adds a device upgrade rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule.
The different device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600 series.
Note: ‘anyap’ is used in auto provisioning policies to create rules that are applicable to any AP regardless of the model type.

`precedence <1-10000>`
Sets the rule precedence. Rules with lower values get precedence over rules with higher values.

`cdp-match <LOCATION-SUBSTRING>`
Configures the device location to match, based on CDP snoop strings.
• `<LOCATION-SUBSTRING>` – Specify the location. Devices matching the specified string are upgraded.

`dhcp-option <DHCP-OPTION>`
Configures the DHCP options to match.
DHCP options identify the vendor and DHCP client functionalities. This information is used by the client to convey to the DHCP server that the client requires extra information in a DHCP response.
• `<DHCP-OPTION>` – Specify the DHCP option value. Devices matching the specified value are upgraded.

`fqdn <FQDN>`
Configures the FQDN to match.
FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain.
• `<FQDN>` – Specify the FQDN. Devices matching the specified value are upgraded.

`ip [<START-IP> <END-IP>|<IP/MASK>]`
Configures a range of IP addresses and subnet address. Devices having IPv4 addresses within the specified range or are part of the specified subnet are upgraded.
• `<START-IP>` – Specify the first IPv4 address in the range.
• `<END-IP>` – Specify the last IPv4 address in the range.
• `<IP/MASK>` – Specify the IPv4 subnet and mask to match against the device’s IP address.

`ipv6 [<START-IP> <END-IP>|<IP/MASK>]`
Upgrades if a device's IPv6 address matches the specified IP address or is within the specified IP address range.
• `<START-IP>` – Specify the first IPv6 address in the range.
• `<END-IP>` – Specify the last IPv6 address in the range.
• `<IP/MASK>` – Specify the IPv6 subnet and mask to match against the device’s IP address.

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 22](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-358.png)

9.1.8 no
auto-provisioning-policy

Removes a deny, permit, or redirect rule from the specified auto provisioning policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [adopt|auto-create-rfd-template|default-adoption|deny|evaluate-always|redirect|upgrade]
no adopt precedence <1-10000>
no auto-create-rfd-template
no deny precedence <1-10000>
no evaluate-always
no default-adoption
no redirect precedence <1-10000>
no upgrade precedence <1-10000>
```

Parameters
• `no <PARAMETERS>`

`no <PARAMETERS>`
Removes a deny, permit, or redirect rule from the specified auto provisioning policy

Example

The following example shows the auto-provisioning-policy ‘test’ settings before the ‘no’ commands are executed:

```
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 default-adoption
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
 deny ap71xx precedence 2 model-number AP7131N
 deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23
 redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
 redirect ap81xx precedence 5 controller 192.168.13.10 model-number AP-8132-66040-US
rfs4000-229D58(config-auto-provisioning-policy-test)#
```

```
rfs4000-229D58(config-auto-provisioning-policy-test)#no default-adoption
rfs4000-229D58(config-auto-provisioning-policy-test)#no deny precedence 2
rfs4000-229D58(config-auto-provisioning-policy-test)#no deny precedence 3
rfs4000-229D58(config-auto-provisioning-policy-test)#no deny precedence 5
```

The following example shows the auto-provisioning-policy ‘test’ settings after the ‘no’ commands are executed:

```
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap81xx precedence 1 rf-domain TechPubs vlan 1
 redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
rfs4000-229D58(config-auto-provisioning-policy-test)#
```

![AUTO-PROVISIONING-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 9 - 24](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-360.png)
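
An added example (not from the WiNG documentation or product code) that parses the ‘test’ policy shown before the ‘no’ commands and reports which rule decides a device's adoption, plus which rules sit behind an earlier catch-all `any` rule. It assumes rules are tried in ascending precedence and the first match decides (the page only states that a lower value has higher precedence); the device-record keys are hypothetical, and `upgrade` rules, `default-adoption`, `evaluate-always` and the `dhcp-option`, `area`, `floor` and `rf-domain` criteria are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# The policy from the 'show context' output above (state before the 'no' commands).
SAMPLE_CONTEXT = """\
auto-provisioning-policy test
 default-adoption
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
 deny ap71xx precedence 2 model-number AP7131N
 deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23
 redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
 redirect ap81xx precedence 5 controller 192.168.13.10 model-number AP-8132-66040-US
"""
# Constructed policy for the audit check: a catch-all adopt rule ahead of a deny rule.
AUDIT_CONTEXT = """\
auto-provisioning-policy lab
 adopt anyap precedence 10 rf-domain $MODEL[1:5] any
 deny ap7532 precedence 20 mac 00-11-22-33-44-00 00-11-22-33-44-FF
 deny rfs4000 precedence 30 any
"""
ACTIONS = {"adopt", "deny", "redirect"}             # 'upgrade' rules are not modelled here
SETTINGS = {"profile", "rf-domain", "controller"}   # values a rule assigns, not match criteria


@dataclass
class Rule:
    action: str
    device_type: str
    precedence: int
    settings: dict
    criterion: str
    args: list


def parse_policy(text):
    """Parse the rule lines of a 'show context' block, sorted by precedence."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] not in ACTIONS or tok[2] != "precedence":
            continue                                 # policy name, default-adoption, etc.
        settings, i = {}, 4
        while i + 1 < len(tok) and tok[i] in SETTINGS:
            settings[tok[i]] = tok[i + 1]
            i += 2
        if i >= len(tok):
            continue                                 # no match criterion on the line
        args = tok[i + 1:]
        if args and args[-1] == "upgrade":           # optional trailing {upgrade} on redirect
            settings["upgrade"], args = True, args[:-1]
        rules.append(Rule(tok[0], tok[1].lower(), int(tok[3]), settings, tok[i], args))
    return sorted(rules, key=lambda r: r.precedence)


def _mac(text):
    return int(text.replace("-", "").replace(":", ""), 16)


def _ip_in(addr, args):
    ip = ipaddress.ip_address(addr)
    if len(args) == 2:                               # <START-IP> <END-IP>
        return ipaddress.ip_address(args[0]) <= ip <= ipaddress.ip_address(args[1])
    return ip in ipaddress.ip_network(args[0], strict=False)   # <IP/MASK>


def criterion_matches(rule, dev):
    c, a = rule.criterion, rule.args
    if c == "any":
        return True
    if c in ("cdp-match", "lldp-match"):             # case-insensitive substring of any snoop string
        return any(a[0].lower() in s.lower() for s in dev.get(c.split("-")[0], []))
    if c == "fqdn":
        return a[0].lower() in dev.get("fqdn", "").lower()
    if c in ("ip", "ipv6"):
        return c in dev and _ip_in(dev[c], a)
    if c == "mac":                                   # single MAC or START..END range
        return "mac" in dev and _mac(a[0]) <= _mac(dev["mac"]) <= _mac(a[-1])
    if c in ("model-number", "serial-number"):
        return dev.get(c, "").lower() == a[0].lower()
    if c == "vlan":
        return dev.get("vlan") == int(a[0])
    raise ValueError(f"criterion not modelled: {c}")


def _type_covers(rule_type, dev_type):
    return rule_type == dev_type or (rule_type == "anyap" and dev_type.startswith("ap"))


def evaluate(rules, dev):
    """Return the first rule (lowest precedence value) matching the device, or None."""
    for rule in rules:
        if _type_covers(rule.device_type, dev["type"].lower()) and criterion_matches(rule, dev):
            return rule
    return None


def shadowed_rules(rules):
    """Pairs (rule, earlier_rule) where an earlier 'any' rule already covers the rule's device type."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.criterion == "any" and _type_covers(earlier.device_type, rule.device_type):
                found.append((rule, earlier))
                break
    return found
```

Under the first-match assumption, the constructed ‘lab’ policy adopts every AP at precedence 10, so its MAC-range deny at precedence 20 is reported as shadowed.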



10.1.1 deny
association-acl-policy

Creates a list of devices denied access to the managed network. Devices are identified by their MAC address. A single MAC address or a range of MAC addresses can be denied access. This command also sets the precedence on how deny rules are applied. Up to a thousand (1000) deny rules can be defined for every association ACL policy. Each rule has a unique sequential precedence value assigned, and is applied to packets on the basis of the precedence value. The lower the precedence value, the higher the priority. This results in the rule with the lowest precedence being applied first. No two rules can have the same precedence. The default precedence is 1; prioritize ACLs accordingly as they are added.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
deny <STARTING-MAC> [<ENDING-MAC>|precedence]
deny <STARTING-MAC> precedence <1-1000>
deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
```

Parameters
• `deny <STARTING-MAC> precedence <1-1000>`

`deny`
Adds a single device or a set of devices to the deny list.

`<STARTING-MAC>`
To add a single device, enter its MAC address in the `<STARTING-MAC>` parameter.

`precedence <1-1000>`
Sets a precedence rule. Rules are applied in an increasing order of precedence.
• `<1-1000>` – Specify a precedence value from 1 - 1000.

• `deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>`

`deny`
Adds a single device or a set of devices to the deny list.
To add a set of devices, provide the range of MAC addresses.

`<STARTING-MAC>`
Specify the first MAC address in the range.

`<ENDING-MAC>`
Specify the last MAC address in the range.

`precedence <1-1000>`
Sets a precedence rule. Rules are applied in an increasing order of precedence.
• `<1-1000>` – Specify a value from 1 - 1000.

Usage Guidelines

Every rule has a unique sequential precedence value. You cannot add two rules with the same precedence. Rules are applied in an increasing order of precedence. That means the rule with precedence 1 is applied first, then the rule with precedence 2 and so on.

![ASSOCIATION-ACL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 10 - 3](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-364.png)

![10.1.2 no
association-acl-policy
Removes a deny or permit rule from this association ACL policy
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [deny|permit]
no deny <STARTING-MAC> precedence <1-1000>
no deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
no permit <STARTING-MAC> precedence <1-1000>
no permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
Parameters
• no <PARAMETERS>
no <PARAMETERS> – Removes a deny or permit rule from this association ACL policy
Example
The following example shows the association ACL policy ‘test’ settings before the ‘no’ command is executed:
rfs6000-37FABE(config-assoc-acl-test)#show context
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
 deny 11-22-33-44-56-01 11-22-33-44-56-01 precedence 160
rfs6000-37FABE(config-assoc-acl-test)#
rfs6000-37FABE(config-assoc-acl-test)#no deny 11-22-33-44-56-01 11-22-33-44-56-FF precedence 160
The following example shows the association ACL policy ‘test’ settings after the ‘no’ command is executed:
rfs6000-37FABE(config-assoc-acl-test)#show context
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
rfs6000-37FABE(config-assoc-acl-test)#](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-366.png)
![10.1.3 permit
association-acl-policy
Creates a list of devices allowed access to the managed network. Devices are permitted access based on their MAC address. A single MAC address or a range of MAC addresses can be specified. This command also sets the precedence on how permit list rules are applied. Up to a thousand (1000) permit rules can be defined for every association ACL policy. Each rule has a unique sequential precedence value assigned, and is applied to packets on the basis of this precedence value. The lower the precedence of a rule, the higher its priority. This results in the rule with the lowest precedence being applied first. No two rules can have the same precedence. The default precedence is 1, so be careful to prioritize ACLs accordingly as they are added.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
permit <STARTING-MAC> [<ENDING-MAC>|precedence]
permit <STARTING-MAC> precedence <1-1000>
permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
Parameters
• permit <STARTING-MAC> precedence <1-1000>
permit – Adds a single device or a set of devices to the permit list
<STARTING-MAC> – To add a single device, enter its MAC address in the <STARTING-MAC> parameter.
precedence <1-1000> – Specifies a rule precedence. Rules are applied in an increasing order of precedence.
  • <1-1000> – Specify a value from 1 - 1000.
• permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
permit – Adds a single device or a set of devices to the permit list. To add a set of devices, provide the MAC address range.
<STARTING-MAC> – Specify the first MAC address of the range.
<ENDING-MAC> – Specify the last MAC address of the range.
precedence <1-1000> – Specifies a rule precedence. Rules are applied in an increasing order of precedence.
  • <1-1000> – Specify a value from 1 - 1000.
Usage Guidelines
Every rule has a unique sequential precedence value. You cannot add two rules with the same precedence. Rules are applied to packets in an increasing order of precedence. That means the rule with precedence 1 is applied first, then the rule with precedence 2 and so on.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-367.png)
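
The precedence behaviour described for the association ACL `deny` and `permit` commands above, as an added example (not code from the manual or from Extreme Networks): a Python audit of a policy in the `show context` layout shown on this page, which validates precedence values and reports rules that can never take effect because lower-precedence rules already cover their whole MAC range. It assumes the first matching rule in increasing precedence decides, and takes the no-match action as a caller-supplied parameter because the page does not state it; the sample policy is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample, laid out like the 'show context' output on this page.
SAMPLE_CONTEXT = """\
association-acl-policy test
 permit 11-22-33-44-55-10 precedence 100
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
 permit 11-22-33-44-55-80 11-22-33-44-55-8F precedence 155
 deny 11-22-33-44-56-01 11-22-33-44-56-01 precedence 160
"""

MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
RULE_RE = re.compile(
    rf"^(deny|permit)\s+({MAC})(?:\s+({MAC}))?\s+precedence\s+(\d+)$")


@dataclass(frozen=True)
class Rule:
    action: str       # 'deny' or 'permit'
    start: int        # first MAC in the range, as a 48-bit integer
    end: int          # last MAC in the range (equals start for one device)
    precedence: int   # 1-1000, unique within the policy


def mac_to_int(mac):
    """Convert AA-BB-CC-DD-EE-FF to an integer so ranges can be compared."""
    return int(mac.replace("-", ""), 16)


def parse_policy(text):
    """Return (rules sorted by precedence, list of validation errors)."""
    rules, errors, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("association-acl-policy"):
            continue
        m = RULE_RE.match(line)
        if not m:
            errors.append(f"unrecognised line: {line}")
            continue
        action, first, last, prec = m[1], m[2], m[3], int(m[4])
        start = mac_to_int(first)
        end = mac_to_int(last) if last else start
        if not 1 <= prec <= 1000:
            errors.append(f"precedence {prec} outside 1-1000: {line}")
        elif prec in seen:
            errors.append(f"duplicate precedence {prec}: {line}")
        elif end < start:
            errors.append(f"ending MAC below starting MAC: {line}")
        else:
            seen.add(prec)
            rules.append(Rule(action, start, end, prec))
    return sorted(rules, key=lambda r: r.precedence), errors


def evaluate(rules, mac, default_action):
    """Return (action, precedence) of the first matching rule.

    Assumption: the first match in increasing precedence decides.
    default_action is the caller's assumption for a MAC no rule matches.
    """
    value = mac_to_int(mac)
    for rule in rules:  # already sorted by precedence
        if rule.start <= value <= rule.end:
            return rule.action, rule.precedence
    return default_action, None


def shadowed_rules(rules):
    """Rules whose whole MAC range is covered by lower-precedence rules."""
    findings = []
    for i, rule in enumerate(rules):
        cursor = rule.start  # lowest MAC of this rule not yet covered
        for prev in sorted(rules[:i], key=lambda r: r.start):
            if prev.start > cursor:
                break  # gap: a client at 'cursor' reaches this rule first
            cursor = max(cursor, prev.end + 1)
            if cursor > rule.end:
                break
        if cursor > rule.end:
            findings.append(rule)
    return findings


if __name__ == "__main__":
    parsed, problems = parse_policy(SAMPLE_CONTEXT)
    for problem in problems:
        print("ERROR:", problem)
    for dead in shadowed_rules(parsed):
        print(f"precedence {dead.precedence} ({dead.action}) is never reached")
    for client in ("11-22-33-44-55-10", "11-22-33-44-55-85"):
        print(client, evaluate(parsed, client, "permit"))
```

In the sample, the permit rule at precedence 155 is reported as unreachable: the deny range at precedence 150 already covers every address it names, so moving it below 150 is the fix.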





![ACCESS-LIST
Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 5
11.1.1 deny
ip-access-list
Creates a deny rule that rejects packets from a specified source IP and/or to a specified destination IP. You can also use this command to modify an existing deny rule.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
deny [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]
deny <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}
deny dns-name [contains|exact|suffix]
deny dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for IP ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-373.png)
![Parameters
• deny <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}
<NETWORK-SERVICE-ALIAS-NAME> – Applies this deny rule to packets based on service protocols and ports specified in the network-service alias
  • <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service alias name (should be existing and configured).
  A network-service alias defines service protocols and ports to match. When used with an ACL, the network-service alias defines the service-specific components of the ACL deny rule.
  Note: For more information on configuring network-service alias, see alias.
<SOURCE-IP/MASK> – Specifies the source IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified network are dropped.
<NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the source IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, received from the addresses identified by the network-group alias are dropped.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
  A network-group alias defines a single or a range of addresses of devices, hosts, and networks. When used with an ACL, the network-group alias defines the network-specific component of the ACL rule (permit/deny).
any – Specifies the source as any source IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from any source are dropped.
from-vlan <VLAN-ID> – Specifies a single VLAN or a range of VLANs as the match criteria. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified VLAN(s) are dropped.
  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP> – Identifies a specific host (as the source to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are dropped.
  • <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK> – Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified network are dropped.
any – Specifies the destination as any destination IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to any destination are dropped.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-374.png)
![host <DEST-HOST-IP> – Identifies a specific host (as the destination to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified host are dropped.
  • <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
<NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the destination IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, destined for the addresses identified by the network-group alias are dropped.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
log – Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. if any specified type of packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
mark [8021p <0-7>|dscp <0-63>] – Specifies packets to mark
  • 8021p <0-7> – Marks packets by modifying 802.1p VLAN user priority
  • dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this deny rule
    • <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
• deny dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
dns-name – Applies this deny rule to packets based on dns-names specified in the network-service
contains – Matches any hostname which has this DNS label. (for example, *.test.*)
exact – Matches an exact hostname as specified in the network-service
suffix – Matches any hostname as suffix (for example, *.test)
<WORD> – Identifies a specific host (as the source to match) by its domain name. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are dropped.
log – Logs all deny events matching this dns entry. If a dns-name is matched an event is logged.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-375.png)
![rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this deny rule
    • <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
• deny icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
icmp – Applies this deny rule to Internet Control Message Protocol (ICMP) packets only
<SOURCE-IP/MASK> – Specifies the source IP address and mask (A.B.C.D/M) to match. ICMP packets received from the specified sources are dropped.
<NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the source IP addresses. ICMP packets received from the addresses identified by the network-group alias are dropped.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
any – Specifies the source as any IP address. ICMP packets received from any source are dropped.
from-vlan <VLAN-ID> – Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs identified here are dropped.
  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP> – Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified host are dropped.
  • <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK> – Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to specified destinations are dropped.
<NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses identified by the network-group alias are dropped.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
any – Specifies the destination as any IP address. ICMP packets addressed to any destination are dropped.
host <DEST-HOST-IP> – Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the specified host are dropped.
  • <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-376.png)
![<ICMP-TYPE> – Defines the ICMP packet type
  For example, an ICMP type 0 indicates it is an ECHO REPLY, and type 8 indicates it is an ECHO.
<ICMP-CODE> – Defines the ICMP message type
  For example, an ICMP code 3 indicates “Destination Unreachable”, code 1 indicates “Host Unreachable”, and code 3 indicates “Port Unreachable.”
  Note: After specifying the source and destination IP address(es), the ICMP message type, and the ICMP code, specify the action taken in case of a match.
log – Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this deny rule
    • <1-5000> – Specify a value from 1 - 5000.
  • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
• deny ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
ip – Applies this deny rule to IP packets only
<SOURCE-IP/MASK> – Specifies the source IP address and mask (A.B.C.D/M) to match. IP packets received from the specified networks are dropped.
<NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the source IP addresses. IP packets received from the addresses identified by the network-group alias are dropped.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
any – Specifies the source as any IP address. IP packets received from any source are dropped.
from-vlan <VLAN-ID> – Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified VLANs are dropped.
  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP> – Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified host are dropped.
  • <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK> – Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified networks are dropped.
any – Specifies the destination as any IP address. IP packets addressed to any destination are dropped.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-377.png)
![host <DEST-HOST-IP> – Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified host are dropped.
  • <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
<NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the source IP addresses. IP packets destined for addresses identified by the network-group alias are dropped.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
log – Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an IP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this deny rule
    • <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
• deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
proto – Configures the ACL for additional protocols
  Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter
<PROTOCOL-NUMBER> – Filters protocols using their Internet Assigned Numbers Authority (IANA) protocol number
  • <PROTOCOL-NUMBER> – Specify the protocol number.
<PROTOCOL-NAME> – Filters protocols using their IANA protocol name
  • <PROTOCOL-NAME> – Specify the protocol name.
eigrp – Identifies the Enhanced Internet Gateway Routing Protocol (EIGRP) protocol (number 88)
  EIGRP enables routers to maintain copies of neighbors’ routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.
gre – Identifies the General Routing Encapsulation (GRE) protocol (number 47)
  GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DEC net, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-378.png)

![any – Specifies the destination as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are dropped.
host <DEST-HOST-IP> – Identifies a specific host (as the destination to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are dropped.
  • <SOURCE-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
<NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the destination IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the destinations identified in the network-group alias are dropped.
  • <NETWORK-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
  Note: After specifying the source and destination IP address(es), specify the action taken in case of a match.
log – Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. a packet (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this deny rule
    • <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
• deny [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
tcp – Applies this deny rule to TCP packets only
udp – Applies this deny rule to UDP packets only
<SOURCE-IP/MASK> – This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Specifies the source IP address and mask (A.B.C.D/M) to match. TCP/UDP packets received from the specified sources are dropped.
<NETWORK-GROUP-ALIAS-NAME> – This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Applies a network-group alias to identify the source IP addresses. TCP/UDP packets received from the VLANs identified here are dropped.
  • <NETWORK-ALIAS-GROUP-NAME> – Specify the network-group alias name (should be existing and configured).
  After specifying the source and destination IP address(es), specify the action taken in case of a match.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-380.png)

![eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www] – Identifies a specific destination or protocol port to match
  • <1-65535> – The destination port is designated by its number
  • <SERVICE-NAME> – Specifies the service name
  • bgp – The designated Border Gateway Protocol (BGP) protocol port (179)
  • dns – The designated Domain Name System (DNS) protocol port (53)
  • ftp – The designated File Transfer Protocol (FTP) protocol port (21)
  • ftp-data – The designated FTP data port (20)
  • gopher – The designated GOPHER protocol port (70)
  • https – The designated HTTPS protocol port (443)
  • ldap – The designated Lightweight Directory Access Protocol (LDAP) protocol port (389)
  • nntp – The designated Network News Transfer Protocol (NNTP) protocol port (119)
  • ntp – The designated Network Time Protocol (NTP) protocol port (123)
  • pop3 – The designated POP3 protocol port (110)
  • sip – The designated Session Initiation Protocol (SIP) protocol port (5060)
  • smtp – The designated Simple Mail Transfer Protocol (SMTP) protocol port (25)
  • ssh – The designated Secure Shell (SSH) protocol port (22)
  • telnet – The designated Telnet protocol port (23)
  • tftp – The designated Trivial File Transfer Protocol (TFTP) protocol port (69)
  • www – The designated www protocol port (80)
range <START-PORT> <END-PORT> – Specifies a range of destination ports
  • <START-PORT> – Specify the first port in the range.
  • <END-PORT> – Specify the last port in the range.
log – Logs all deny events matching this entry. If a source and/or destination IP address or port is matched (i.e. a TCP/UDP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above:
  • rule-precedence – Assigns a precedence for this deny rule
    • <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
Usage Guidelines
Use this command to deny traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocols are supported:
• IP
• ICMP
• TCP
• UDP
• PROTO (any Internet protocol other than TCP, UDP, and ICMP)](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-382.png)


![11.1.2 disable
ip-access-list
Disables an existing deny or permit rule without removing it from the ACL. A disabled rule is inactive and is not used to filter packets.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
disable [deny|insert|permit]
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]
disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence)
Parameters
• disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence)
disable [deny|insert [deny|permit]|permit] – Disables a deny or permit access rule without removing it from the ACL
  This command also enables the insertion of a disable deny or permit rule without overwriting an existing rule in the IP ACL.
  Note: To disable an existing deny/permit rule, provide the exact values used to configure the deny or permit rule.
<NETWORK-SERVICE-ALIAS-NAME> – Specifies the network-service alias, identified by the <NETWORK-SERVICE-ALIAS-NAME> keyword, associated with the deny/permit rule
dns-name [contains|exact|suffix] – Specifies the packets to reject based on the dns-name match. Applies this deny rule to packets based on dns-names specified in the network-service
icmp – Disables a rule applicable to ICMP packets only
ip – Disables a rule applicable to IP packets only
proto <PROTOCOL-OPTIONS> – Disables a rule applicable to any Internet protocol other than TCP, UDP, or ICMP packets
  • <PROTOCOL-OPTIONS> – Identify the Internet protocol using the options available.
tcp – Disables a rule applicable to TCP packets only](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-385.png)
![udp – Disables a rule applicable to UDP packets only
  Note: After specifying the packet type, specify the source and destination devices and network address(es) to match.
<SOURCE-IP/MASK> – Specify the source IP address and mask in the A.B.C.D/M format.
<NETWORK-GROUP-ALIAS-NAME> – Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule
any – Select ‘any’ if the rule is applicable to any source IP address.
from-vlan <VLAN-ID> – Specify the VLAN IDs.
host <SOURCE-HOST-IP> – Specify the source host’s exact IP address.
<DEST-IP/MASK> – Specify the destination IP address and mask in the A.B.C.D/M format.
<NETWORK-GROUP-ALIAS-NAME> – Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule
any – Select ‘any’ if the rule is applicable to any destination IP address.
host <DEST-HOST-IP> – Specify the destination host’s exact IP address.
log – Select log, if the rule has been configured to log records in case of a match.
mark [8021p <0-7>|dscp <0-63>] – Specifies packets to mark
  • 8021p <0-7> – Marks packets by modifying 802.1p VLAN user priority
  • dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
rule-precedence <1-5000> – Specify the rule precedence. The deny or permit rule with the specified precedence is disabled.
  Note: To enable a disabled rule, enter the rule again without the ‘disable’ keyword.
  Note: The no > disable command removes a disabled rule from the ACL.
Example
The following example shows the ‘auto-tunnel-acl’ settings before the disable command is executed:
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
 permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
 permit ip host 200.200.200.99 any rule-precedence 3
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#disable permit ip host 200.200.200.99 any rule-precedence 3
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#
The following example shows the ‘auto-tunnel-acl’ settings after the disable command is executed:
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
 permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-386.png)

11.1.3 insert

ip-access-list

Enables the insertion of a rule in an IP ACL without overwriting or replacing an existing rule having the same precedence

The insert option allows a new rule to be inserted within an IP access list. Consider an IP ACL consisting of rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4, without overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the existing one. The existing precedence 4 rule’s precedence changes to 5, and the change cascades down the list of rules within the ACL. That means rule 5 becomes rule 6, and rule 6 becomes rule 7.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
insert [deny|permit] <PARAMETERS> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}
```

Parameters

```
insert [deny|permit] <PARAMETERS> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}
```

NOTE: NOT using insert when creating a new rule having the same precedence as an existing rule, overwrites the existing rule.

- [deny|permit] – Inserts a deny or a permit rule within an IP ACL
- <PARAMETERS> – Provide the match criteria for this deny/permit rule. Packets will be filtered based on the criteria set here.
  For more information on the deny rule, see deny.
  For more information on the permit rule, see permit.
- log – After specifying the match criteria, specify the action taken for filtered packets.
  Logs all deny/permit events matching this entry. If a source and/or destination IP address is matched an event is logged.
- mark [8021p <0-7>|dscp <0-63>] – Specifies packets to mark
  - 8021p <0-7> – Marks packets by modifying 802.1.p VLAN user priority
  - dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
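The overwrite-versus-insert behaviour described above, modelled in Python as an added example (not code from the guide or from WiNG). The class and function names, the six sample rules and the probe addresses are constructed; the model assumes the cascade stops at the first free precedence and reports a no-match as undecided, neither of which the page specifies.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

MAX_PRECEDENCE = 5000  # rule-precedence <1-5000>, from the syntax on this page


@dataclass(frozen=True)
class Rule:
    precedence: int
    action: str           # "permit" or "deny"
    src: str              # "any", "host A.B.C.D" or "A.B.C.D/M"
    dst: str
    disabled: bool = False


def addr_matches(spec, addr):
    """Match one address against an 'any' / 'host' / network spec."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


class IpAcl:
    """Hypothetical model of one 'ip access-list'; not WiNG code."""

    def __init__(self, rules=()):
        self.rules = {r.precedence: r for r in rules}

    def add(self, rule):
        """Plain permit/deny: a rule already at that precedence is overwritten.
        Returns the overwritten rule (or None) so a caller can flag it."""
        old = self.rules.get(rule.precedence)
        self.rules[rule.precedence] = rule
        return old

    def insert(self, rule):
        """'insert': keep the existing rule and cascade it down by one.
        Assumption: the cascade stops at the first free precedence."""
        end = rule.precedence
        while end in self.rules:
            end += 1
        if end > MAX_PRECEDENCE:
            raise ValueError("cascade would pass rule-precedence 5000")
        for p in range(end, rule.precedence, -1):
            self.rules[p] = replace(self.rules[p - 1], precedence=p)
        self.rules[rule.precedence] = rule

    def disable(self, precedence):
        """'disable': the rule stays in the ACL but no longer filters."""
        self.rules[precedence] = replace(self.rules[precedence], disabled=True)

    def remove(self, precedence):
        """'no': the rule is identified by its rule-precedence and deleted."""
        del self.rules[precedence]

    def decide(self, src, dst):
        """First enabled match in ascending precedence -> (action, precedence).
        Returns None when nothing matches; the page does not say what the
        device does in that case."""
        for p in sorted(self.rules):
            r = self.rules[p]
            if not r.disabled and addr_matches(r.src, src) and addr_matches(r.dst, dst):
                return r.action, p
        return None


def sample_acl():
    """Constructed six-rule ACL with precedences 1-6, as in the text above."""
    return IpAcl([
        Rule(1, "permit", "host 200.200.200.99", "30.30.30.1/24"),
        Rule(2, "permit", "host 200.200.200.99", "any"),
        Rule(3, "deny", "10.1.0.0/16", "any"),
        Rule(4, "deny", "10.2.0.0/16", "any"),
        Rule(5, "permit", "10.0.0.0/8", "30.30.30.1/24"),
        Rule(6, "deny", "any", "any"),
    ])


NEW_RULE = Rule(4, "permit", "host 10.2.0.50", "30.30.30.1/24")  # constructed


def compare():
    """Add NEW_RULE at precedence 4 both ways and test a host in 10.2.0.0/16."""
    overwritten, inserted = sample_acl(), sample_acl()
    lost = overwritten.add(NEW_RULE)
    inserted.insert(NEW_RULE)
    probe = ("10.2.0.77", "30.30.30.5")
    return {
        "lost_rule": lost,
        "overwrite_decision": overwritten.decide(*probe),
        "insert_decision": inserted.decide(*probe),
        "insert_precedences": sorted(inserted.rules),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

In the overwrite case the deny for 10.2.0.0/16 is gone, so the probe host falls through to the broader permit; diffing `show context` before and after a change catches this.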

11.1.4 no

ip-access-list

Removes a deny, permit, or disable rule

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [deny|disable|permit]
no [deny|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp] <RULE-PARAMETERS>
no disable [deny|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp] <RULE-PARAMETERS>
```

Parameters

```
no <PARAMETERS>
```

- no <PARAMETERS> – Removes a deny, permit, or disable rule

Usage Guidelines

Removes an access list control entry. Provide the rule-precedence value when using the no command.

Example

The following example shows the ACL ‘test’ settings before the ‘no’ commands are executed:

```
rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
 deny proto vrrp any any log rule-precedence 600
 deny proto ospf any any log rule-precedence 650
rfs6000-37FABE(config-ip-acl-test)#
rfs6000-37FABE(config-ip-acl-test)#no deny proto vrrp any any rule-precedence 600
rfs6000-37FABE(config-ip-acl-test)#no deny proto ospf any any rule-precedence 650
```

The following example shows the ACL ‘test’ settings after the ‘no’ commands are executed:

```
rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
rfs6000-37FABE(config-ip-acl-test)#
```
11.1.5 permit

ip-access-list

Creates a permit rule that marks packets (from a specified source IP and/or to a specified destination IP) for forwarding. You can also use this command to modify an existing permit rule.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
permit [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]

permit <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

permit dns-name [contains|exact|suffix]
permit dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit dns-name exact <WORD> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

permit icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

permit ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

permit [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for IP ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.
Parameters

```
permit <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}
```

- <NETWORK-SERVICE-ALIAS-NAME> – Applies this permit rule to packets based on service protocols and ports specified in the network-service alias
  - <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service alias name (should be existing and configured).
  A network-service alias defines service protocols and ports to match. When used with an ACL, the network-service alias defines the service-specific components of the ACL permit rule.
  Note: For more information on configuring network-service alias, see alias.
- <SOURCE-IP/MASK> – Specifies the source IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified network are permitted.
- <NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the source IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, received from the addresses identified by the network-group alias are permitted.
  - <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
  A network-group alias defines a single or a range of addresses of devices, hosts, and networks. When used with an ACL, the network-group alias defines the network-specific component of the ACL rule (permit/deny).
- any – Specifies the source as any source IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from any source are permitted.
- from-vlan <VLAN-ID> – Specifies a single VLAN or a range of VLANs as the match criteria. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified VLAN(s) are permitted.
  - <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
- host <SOURCE-HOST-IP> – Identifies a specific host (as the source to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are permitted.
  - <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
- <DEST-IP/MASK> – Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified network are permitted.
- any – Specifies the destination as any destination IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to any destination are permitted.
- host <DEST-HOST-IP> – Identifies a specific host (as the destination to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified host are permitted.
  - <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
- <NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the destination IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, destined for the addresses identified by the network-group alias are permitted.
  - <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
- log – Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. if any specified type of packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
- mark [8021p <0-7>|dscp <0-63>] – Specifies packets to mark
  - 8021p <0-7> – Marks packets by modifying 802.1.p VLAN user priority
  - dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
- rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  - rule-precedence – Assigns a precedence for this permit rule
    - <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  - rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

```
permit dns-name [contains|exact (mark)|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

- dns-name – Applies this permit rule to packets based on dns-names specified in the network-service
- contains – Matches any hostname which has this DNS label. (for example, *.test.*)
- exact – Matches an exact hostname as specified in the network-service
- suffix – Matches any hostname as suffix (for example, *.test)
- <WORD> – Identifies a specific host (as the source to match) by its domain name. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are forwarded.
- log – Logs all permit events matching this dns entry. If a dns-name is matched an event is logged.
- mark [8021p <0-7>|dscp <0-63>] – Specifies packets to mark
  - 8021p <0-7> – Marks packets by modifying 802.1.p VLAN user priority
  - dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header
- rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  - rule-precedence – Assigns a precedence for this deny rule
    - <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  - rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

```
permit icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

- icmp – Applies this permit rule to ICMP packets only
- <SOURCE-IP/MASK> – Specifies the source IP address and mask (A.B.C.D/M) to match. ICMP packets received from the specified sources are permitted.
- <NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the source IP addresses. ICMP packets received from the addresses identified by the network-group alias are permitted.
  - <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
- any – Specifies the source as any source IP address. ICMP packets received from any source are permitted.
- from-vlan <VLAN-ID> – Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs identified here are permitted.
  - <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
- host <SOURCE-HOST-IP> – Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified host are permitted.
  - <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
- <DEST-IP/MASK> – Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to specified destinations are permitted.
- <NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses identified by the network-group alias are permitted.
  - <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
- any – Specifies the destination as any destination IP address. ICMP packets addressed to any destination are permitted.
- host <DEST-HOST-IP> – Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the specified host are permitted.
  - <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
- <ICMP-TYPE> – Defines the ICMP packet type
  For example, an ICMP type 0 indicates it is an ECHO REPLY, and type 8 indicates it is an ECHO.
- <ICMP-CODE> – Defines the ICMP message type
  For example, an ICMP code 3 indicates “Destination Unreachable”, code 1 indicates “Host Unreachable”, and code 3 indicates “Port Unreachable.”
  Note: After specifying the source and destination IP address(es), the ICMP message type, and the ICMP code, specify the action taken in case of a match.
- log – Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
- rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  - rule-precedence – Assigns a precedence for this permit rule
    - <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  - rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

```
permit ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

- ip – Applies this permit rule to IP packets only
- <SOURCE-IP/MASK> – Specifies the source IP address and mask (A.B.C.D/M) to match. IP packets received from the specified networks are permitted.
- <NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the source IP addresses. IP packets received from the addresses identified by the network-group alias are permitted.
  - <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
- any – Specifies the source as any source IP address. IP packets received from any source are permitted.
- from-vlan <VLAN-ID> – Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified VLANs are permitted.
  - <VLAN-ID> – Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
- host <SOURCE-HOST-IP> – Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified host are permitted.
  - <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
- <DEST-IP/MASK> – Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified networks are permitted.
- any – Specifies the destination as any destination IP address. IP packets addressed to any destination are permitted.
- host <DEST-HOST-IP> – Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified host are permitted.
  - <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
- <NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the source IP addresses. IP packets destined for addresses identified by the network-group alias are permitted.
  - <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
- log – Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. an IP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
- rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  - rule-precedence – Assigns a precedence for this permit rule
    - <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  - rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

```
permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

- proto – Configures the ACL for additional protocols
  Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.
- <PROTOCOL-NUMBER> – Filters protocols using their IANA protocol number
  - <PROTOCOL-NUMBER> – Specify the protocol number.
- <PROTOCOL-NAME> – Filters protocols using their IANA protocol name
  - <PROTOCOL-NAME> – Specify the protocol name.
- eigrp – Identifies the EIGRP protocol (number 88)
  EIGRP enables routers to maintain copies of neighbors’ routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.
- gre – Identifies the GRE protocol (number 47)
  GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DEC net, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.

- any – Specifies the destination as any destination IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are permitted.
- host <DEST-HOST-IP> – Identifies a specific host (as the destination to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are permitted.
  - <SOURCE-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
- <NETWORK-GROUP-ALIAS-NAME> – Applies a network-group alias to identify the destination IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the destinations identified in the network-group alias are permitted.
  - <NETWORK-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).
  Note: After specifying the source and destination IP address(es), specify the action taken in case of a match.
- log – Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. a packet (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
- rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  - rule-precedence – Assigns a precedence for this permit rule
    - <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  - rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

```
permit [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

- tcp – Applies this permit rule to TCP packets only
- udp – Applies this deny rule to UDP packets only
- <SOURCE-IP/MASK> – This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Specifies the source IP address and mask (A.B.C.D/M) to match. TCP/UDP packets received from the specified sources are permitted.
- <NETWORK-GROUP-ALIAS-NAME> – This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Applies a network-group alias to identify the source IP addresses. TCP/UDP packets received from the VLANs identified here are permitted.
  - <NETWORK-ALIAS-GROUP-NAME> – Specify the network-group alias name (should be existing and configured).
  After specifying the source and destination IP address(es), specify the action taken in case of a match.
- any – This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Specifies the source as any source IP address. TCP/UDP packets received from any source are permitted.
- from-vlan <VLAN-ID> – This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Specifies a single VLAN or a range of VLANs as the match criteria. TCP/UDP packets received from the VLANs identified here are permitted.
  - <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.
- host <SOURCE-HOST-IP> – Identifies a specific host (as the source to match) by its IP address. TCP/UDP packets received from the specified host are permitted.
  - <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
- <DEST-IP/MASK> – This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Sets the destination IP address and mask (A.B.C.D/M) to match. TCP/UDP packets addressed to the specified destinations are permitted.
- any – This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Specifies the destination as any destination IP address. TCP/UDP packets received from any destination are permitted.
- eq <SOURCE-PORT> – Identifies a specific source port
  - <SOURCE-PORT> – Specify the exact source port.
- host <DEST-HOST-IP> – Identifies a specific host (as the destination to match) by its IP address. TCP/UDP packets addressed to the specified host are permitted.
  - <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
- <NETWORK-GROUP-ALIAS-NAME> – This keyword is common to the ‘tcp’ and ‘udp’ parameters.
  Applies a network-group alias to identify the destination IP addresses. TCP/UDP packets destined to the addresses identified in the network-group alias are permitted.
  - <NETWORK-ALIAS-GROUP-NAME> – Specify the network-group alias name (should be existing and configured).
- range <START-PORT> <END-PORT> – Specifies a range of source ports
  - <START-PORT> – Specify the first port in the range.
  - <END-PORT> – Specify the last port in the range.
- eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www] – Identifies a specific destination or protocol port to match
  - <1-65535> – The destination port is designated by its number
  - <SERVICE-NAME> – Specifies the service name
  - bgp – The designated Border Gateway Protocol (BGP) protocol port (179)
  - dns – The designated Domain Name System (DNS) protocol port (53)
  - ftp – The designated File Transfer Protocol (FTP) protocol port (21)
  Contd..



11.2.1 deny

mac-access-list

Creates a deny rule that marks packets (from a specified source MAC and/or to a specified destination MAC) for rejection. You can also use this command to modify an existing deny rule.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for MAC ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.

Parameters

```
deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

- <SOURCE-MAC> <SOURCE-MAC-MASK> – Configures the source MAC address and mask to match
  - <SOURCE-MAC> – Specify the source MAC address to match.
  - <SOURCE-MAC-MASK> – Specify the source MAC address mask.
  Packets received from the specified MAC addresses are dropped.
- any – Identifies all devices as the source to deny access. Packets received from any source are dropped.
- host <SOURCE-HOST-MAC> – Identifies a specific host as the source to deny access
  - <SOURCE-HOST-MAC> – Specify the source host’s exact MAC address to match. Packets received from the specified host are dropped.
- <DEST-MAC> <DEST-MAC-MASK> – Configures the destination MAC address and mask to match
  - <DEST-MAC> – Specify the destination MAC address to match.
  - <DEST-MAC-MASK> – Specify the destination MAC address mask to match.
  Packets addressed to the specified MAC addresses are dropped.
- any – Identifies all devices as the destination to deny access. Packets addressed to any destination are dropped.
- host <DEST-HOST-MAC> – Identifies a specific host as the destination to deny access
  - <DEST-HOST-MAC> – Specify the destination host’s exact MAC address to match. Packets addressed to the specified host are dropped.
- dot1p <0-7> – Configures the 802.1p priority value. Sets the service classes for traffic handling
  - <0-7> – Specify 802.1p priority from 0 - 7.
- type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp] – Configures the EtherType value
  An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:
  - 8021q – Indicates a 802.1q payload (0x8100)
  - <1-65535> – Indicates the EtherType protocol number
  - aarp – Indicates the Appletalk Address Resolution Protocol (ARP) payload (0x80F3)
  - appletalk – Indicates the Appletalk Protocol payload (0x809B)
  - arp – Indicates the ARP payload (0x0806)
  - ip – Indicates the Internet Protocol, Version 4 (IPv4) payload (0x0800)
  - ipv6 – Indicates the Internet Protocol, Version 6 (IPv6) payload (0x86DD)
  - ipx – Indicates the Novell’s IPX payload (0x8137)
  - mint – Indicates the MiNT protocol payload (0x8783)
  - rarp – Indicates the reverse Address Resolution Protocol (ARP) payload (0x8035)
  - wisp – Indicates the Wireless Internet Service Provider (WISP) payload (0x8783)
- vlan <1-4095> – Configures the VLAN where the traffic is received
  - <1-4095> – Specify the VLAN ID from 1 - 4095.
- log – Logs all deny events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is received from a specified MAC address or is destined for a specified MAC address), an event is logged.
- rule-precedence <1-5000> rule-description <LINE> – The following keywords are recursive and common to all of the above parameters:
  - rule-precedence – Assigns a precedence for this deny rule
    - <1-5000> – Specify a value from 1 - 5000.
    Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  - rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines

The deny command disallows traffic based on layer 2 (data-link layer) data. The MAC access list denies traffic from a particular source MAC address or any MAC address. It can also disallow traffic from a list of MAC addresses based on the source mask.

The MAC access list can disallow traffic based on the VLAN and EtherType.
- ARP
- WISP
- IP
- 802.1q

NOTE: MAC ACLs always take precedence over IP based ACLs.

11.2.2 disable
mac-access-list
Disables a MAC deny or permit rule without removing it from the ACL. A disabled rule is inactive and is not used to filter packets.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
```
disable [deny|insert|permit]
disable [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}
disable insert [deny|permit]
```

Parameters
• disable [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}

disable [deny|insert|permit]
Disables a deny, insert or permit access rule without removing it from the MAC ACL
Note: Provide the exact values used to configure the deny or permit rule that is to be disabled.

<SOURCE-MAC> <SOURCE-MAC-MASK>
Specifies the source MAC address and mask to match
• <SOURCE-MAC> – Specify the source MAC address to match.
• <SOURCE-MAC-MASK> – Specify the source MAC address mask.

any
Select ‘any’ if the rule is applicable to any source MAC address

host <SOURCE-HOST-MAC>
Specify the source host’s exact MAC address

<DEST-MAC> <DEST-MAC-MASK>
Specifies the destination MAC address and mask to match
• <DEST-MAC> – Specify the destination MAC address.
• <DEST-MAC-MASK> – Specify the destination MAC address mask.

any
Select ‘any’ if the rule is applicable to any destination MAC address

host <DEST-HOST-MAC>
Specify the destination host’s exact MAC address

log
The following keyword defines the action taken when a packet matches any or all of the above specified criteria
• log – Logs a record when a packet matches the specified criteria
dot1p <0-7>
Specify the 802.1p priority from 0 - 7.

mark [8021p <0-7>|dscp <0-63>]
Marks/modifies packets that match the criteria specified here
• 8021p <0-7> – Modifies 802.1p VLAN user priority from 0 - 7
• dscp <0-63> – Modifies DSCP TOS bits in the IP header from 0 - 63
Note: This option is applicable only to the disable > permit MAC ACL rule.

type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]
Use the available options to specify the EtherType value.

vlan <1-4095>
Specify the VLAN ID(s)

log
Select log, if the rule has been configured to log records in case of a match.

rule-precedence <1-5000> {(rule-description <LINE>)}
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Provide the precedence assigned to this deny or permit rule.
  • <1-5000> – Specify a value from 1 - 5000. The rule with the specified precedence is removed from the MAC ACL.
• rule-description <LINE> – Optional. Enter the description configured for this deny or permit rule.

Example
The following example shows the MAC access list ‘test’ settings before the ‘disable’ command is executed:
```
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#
rfs4000-229D58(config-mac-acl-test)#disable deny host 00-01-AE-00-22-11 any rule-precedence 2
```
The following example shows the MAC access list ‘test’ settings after the ‘disable’ command is executed:
```
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 disable deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#
```

Related Commands
no
Enables a disabled deny or permit rule

deny
Creates a new deny access rule or modifies an existing rule

permit
Creates a new permit access rule or modifies an existing rule
11.2.3 ex3500
mac-access-list
Creates a MAC ACL deny and/or permit rule, applicable only to the EX3500 switch.
Each deny or permit rule consists of a set of match criteria and an associated action, which is deny access for the deny rule and allow access for the permit rule. When applied to layer 2 traffic (between an EX3500 switch and the WiNG managed service platform or a WiNG VM interface), every packet is matched against the configured match criteria and, in case of a match, the packet is dropped or forwarded depending on the rule type.
EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-based management agent that provides both in-band and out-of-band management access. The EX3500 switch utilizes an embedded HTTP Web agent and command line interface (CLI), which, in spite of being different from that of the WiNG operating system, provides WiNG controllers PoE and port management resources.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
```
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2]
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range <TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]
```

Parameters
• ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range <TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]

NOTE: To implement the EX3500 MAC ACL rule, apply the MAC ACL directly to an EX3500 device, or to an EX35XX profile. For more information, see access-group.

[deny|permit]
Creates a deny or permit MAC ACL rule and configures the rule parameters
Every EX3500 MAC ACL rule provides a set of match criteria against which incoming and outgoing packets (to and from an EX3500 device) are matched. In case of a match, the packet is dropped or forwarded depending on the rule type. The packet is dropped in case of a deny rule, and forwarded for a permit rule.
[all|tagged-eth2|untagged-eth2]
Specifies the packet type
• all – Applies this deny/permit rule to all packets
• tagged-eth2 – Applies this deny/permit rule only to tagged Ethernet-2 packets
• untagged-eth2 – Applies this deny/permit rule only to untagged Ethernet-2 packets
After specifying the packet type, configure the source and/or EX3500 MAC addresses to match.

[any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>]
Enter the Source MAC addresses
• any – Identifies all EX3500 devices as a source to match
• host <SOURCE-MAC> – Identifies a specific EX3500 host as the source to match
  • <SOURCE-MAC> – Specify the source host’s exact MAC address
• network <SOURCE-MAC> <SOURCE-MAC-MASK> – Configures a range of MAC addresses as the source to match. Packets received from any of these MAC addresses are dropped.
  • <SOURCE-MAC> – Specify the source MAC address to match.
  • <SOURCE-MAC-MASK> – Specify the source MAC bit mask.
For a deny rule, packets received from EX3500 device(s) matching the specified MAC address(es) are dropped.
For a permit rule, packets received from EX3500 device(s) matching the specified MAC address(es) are forwarded.

[any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>]
Enter the Destination MAC addresses
• any – Identifies all EX3500 devices as a destination to match
• host <SOURCE-MAC> – Identifies a specific EX3500 host as the destination to match
  • <SOURCE-MAC> – Specify the destination host’s exact MAC address
• network <SOURCE-MAC> <SOURCE-MAC-MASK> – Configures a range of MAC addresses as the destination to match. Packets addressed to any of these MAC addresses are dropped.
  • <SOURCE-MAC> – Specify the destination MAC address to match.
  • <SOURCE-MAC-MASK> – Specify the destination MAC bit mask.
For a deny rule, packets addressed to EX3500 device(s) matching the specified MAC address(es) are dropped.
For a permit rule, packets addressed to EX3500 device(s) matching the specified MAC address(es) are forwarded.

ethertype <0-65535>
Configures the Ethertype protocol number. The ether type is a two-octet field within an Ethernet frame. It indicates the protocol encapsulated in the payload of an Ethernet frame.
• <0-65535> – Specify the value from 0 - 65535. The default value is 1.

ethertype-mask <0-65535>
Configures the Ethertype mask
• <0-65535> – Specify the value from 0 - 65535. The default value is 1.

11.2.4 insert
mac-access-list
Enables the insertion of a rule in a MAC ACL without overwriting or replacing an existing rule having the same precedence.
The insert option allows a new rule to be inserted within a MAC ACL. Consider a MAC ACL consisting of rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4, without overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the existing one. The existing precedence 4 rule’s precedence changes to 5, and the change cascades down the list of rules within the ACL. That means rule 5 becomes rule 6, and rule 6 becomes rule 7.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
```
insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

Parameters
• insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

NOTE: Creating a new rule without insert, with the same precedence as an existing rule, overwrites the existing rule.

insert [deny|permit]
Inserts a deny or permit rule within a MAC ACL

<PARAMETERS>
Provide the match criteria for this deny/permit rule. Packets will be filtered based on the criteria set here.
For more information on the deny rule, see deny.
For more information on the permit rule, see permit.

dot1p <0-7>
Configures the 802.1p priority value. Sets the service classes for traffic handling
• <0-7> – Specify 802.1p priority from 0 - 7.

mark [8021p <0-7>|dscp <0-63>]
Marks/modifies packets that match the criteria specified here
• 8021p <0-7> – Modifies 802.1p VLAN user priority from 0 - 7
• dscp <0-63> – Modifies DSCP TOS bits in the IP header from 0 - 63
Note: This option is applicable only to the insert > permit MAC ACL rule.
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]
Configures the EtherType value
An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:
• 8021q – Indicates a 802.1q payload (0x8100)
• <1-65535> – Indicates the EtherType protocol number
• aarp – Indicates the Appletalk ARP payload (0x80F3)
• appletalk – Indicates the Appletalk Protocol payload (0x809B)
• arp – Indicates the ARP payload (0x0806)
• ip – Indicates the IPv4 payload (0x0800)
• ipv6 – Indicates the IPv6 payload (0x86DD)
• ipx – Indicates the Novell’s IPX payload (0x8137)
• mint – Indicates the MiNT protocol payload (0x8783)
• rarp – Indicates the reverse ARP payload (0x8035)
• wisp – Indicates the WISP payload (0x8783)

vlan <1-4095>
Configures the VLAN where the traffic is received
• <1-4095> – Specify the VLAN ID from 1 - 4095.

log
Logs all deny/permit events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is received from a specified MAC address or is destined for a specified MAC address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Example
```
rfs4000-229D58(config-mac-acl-test1)#deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
rfs4000-229D58(config-mac-acl-test1)#deny host B4-C7-99-6D-CD-9B any rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#show context
mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 deny host B4-C7-99-6D-CD-9B any rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#
```
In the following example a new rule is inserted between the rules having precedences 1 and 2. The precedence of the existing precedence ‘2’ rule changes to precedence 3.
```
rfs4000-229D58(config-mac-acl-test1)#insert permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#show context
mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
 deny host B4-C7-99-6D-CD-9B any rule-precedence 3
rfs4000-229D58(config-mac-acl-test1)#
```
11.2.5 no
mac-access-list
Negates a command or sets its default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
```
no [deny|disable|permit]
no [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}
no disable [deny|permit] <RULE-PARAMETERS>
```

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes a deny or permit rule from the MAC ACL

Example
```
rfs6000-37FABE(config-mac-acl-test)#show context
mac access-list test
 permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
 deny any host 33-44-55-66-77-88 log rule-precedence 700
rfs6000-37FABE(config-mac-acl-test)#no deny any host 33-44-55-66-77-88 log rule-precedence 700
rfs6000-37FABE(config-mac-acl-test)#show context
mac access-list test
 permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
```
11.2.6 permit
mac-access-list
Creates a permit rule that marks packets (from a specified source MAC and/or to a specified destination MAC) for forwarding. You can also use this command to modify an existing permit rule.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
```
permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>,dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}
```

Parameters
• permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>,dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}

NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for MAC ACLs provide the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.

<SOURCE-MAC> <SOURCE-MAC-MASK>
Configures the source MAC address and mask to match
• <SOURCE-MAC> – Specify the source MAC address to match.
• <SOURCE-MAC-MASK> – Specify the source MAC address mask.
Packets addressed to the specified MAC addresses are forwarded.

any
Identifies all devices as the source to permit access. Packets addressed from any source are forwarded.

host <SOURCE-HOST-MAC>
Identifies a specific host as the source to permit access
• <SOURCE-HOST-MAC> – Specify the source host’s exact MAC address to match. Packets addressed to the specified host are forwarded.

<DEST-MAC> <DEST-MAC-MASK>
Configures the destination MAC address and mask to match
• <DEST-MAC> – Specify the destination MAC address to match.
• <DEST-MAC-MASK> – Specify the destination MAC address mask to match.
Packets addressed to the specified MAC addresses are forwarded.

DEST-MAC-MASK
Specifies the destination MAC address mask to match

any
Identifies all devices as the destination to permit access. Packets addressed to any destination are forwarded.
host <DEST-HOST-MAC>
Identifies a specific host as the destination to permit access
• <DEST-HOST-MAC> – Specify the destination host’s exact MAC address to match. Packets addressed to the specified host are forwarded.

dot1p <0-7>
Configures the 802.1p priority value. Sets the service classes for traffic handling
• <0-7> – Specify 802.1p priority from 0 - 7.

mark [8021p <0-7>,dscp <0-63>]
Marks/modifies packets that match the criteria specified here
• 8021p <0-7> – Modifies 802.1p VLAN user priority from 0 - 7
• dscp <0-63> – Modifies DSCP TOS bits in the IP header from 0 - 63
Note: This option is applicable only to the MAC ACL permit rule.

type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]
Configures the EtherType value
An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:
• 8021q – Indicates a 802.1q payload (0x8100)
• <1-65535> – Indicates the EtherType protocol number
• aarp – Indicates the Appletalk Address Resolution Protocol (ARP) payload (0x80F3)
• appletalk – Indicates the Appletalk Protocol payload (0x809B)
• arp – Indicates the ARP payload (0x0806)
• ip – Indicates the Internet Protocol, Version 4 (IPv4) payload (0x0800)
• ipv6 – Indicates the Internet Protocol, Version 6 (IPv6) payload (0x86DD)
• ipx – Indicates the Novell’s IPX payload (0x8137)
• mint – Indicates the MiNT protocol payload (0x8783)
• rarp – Indicates the reverse Address Resolution Protocol (ARP) payload (0x8035)
• wisp – Indicates the Wireless Internet Service Provider (WISP) payload (0x8783)

vlan <1-4095>
Configures the VLAN ID
• <1-4095> – Specify the VLAN ID from 1 - 4095.

log
Logs all permit events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is addressed to a specified MAC address or is destined for a specified MAC address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this permit rule
  • <1-5000> – Specify a value from 1 - 5000.
  Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
• rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
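The precedence, insert, disable and no behaviour described in the MAC ACL commands above can be checked offline before a change reaches a device. The Python model below is an added example, not code from this guide or from Extreme Networks; `MacAcl`, `Rule` and `parse_rule` are hypothetical names, and it assumes that a 1 bit in a MAC mask means the bit is compared, that insert shifts only the contiguous run of occupied precedences, and that evaluation stops at the first enabled match.

```python
import dataclasses

# EtherType keywords with the values listed in the reference text above.
ETHERTYPES = {"8021q": 0x8100, "aarp": 0x80F3, "appletalk": 0x809B, "arp": 0x0806, "ip": 0x0800,
              "ipv6": 0x86DD, "ipx": 0x8137, "mint": 0x8783, "rarp": 0x8035, "wisp": 0x8783}

def mac_to_int(mac):
    """Convert 'AA-BB-CC-DD-EE-FF' to a 48-bit integer."""
    octets = mac.split("-")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets), 16)

@dataclasses.dataclass
class Rule:
    action: str        # 'deny' or 'permit'
    addrs: tuple       # ((src, src_mask), (dst, dst_mask)); mask 0 stands for 'any'
    fields: dict       # optional vlan / type / dot1p match criteria
    precedence: int
    disabled: bool = dataclasses.field(default=False, compare=False)

    def matches(self, src, dst, frame):
        # ASSUMPTION: a 1 bit in the mask means "this bit must be equal".
        for (addr, mask), mac in zip(self.addrs, (src, dst)):
            if (mac_to_int(mac) ^ addr) & mask:
                return False
        return all(frame.get(k) == v for k, v in self.fields.items())

def _address_spec(tokens):
    head = tokens.pop(0)
    if head == "any":
        return (0, 0)
    if head == "host":
        return (mac_to_int(tokens.pop(0)), (1 << 48) - 1)
    return (mac_to_int(head), mac_to_int(tokens.pop(0)))

def parse_rule(text):
    """Parse one deny/permit rule in the form printed by 'show context'."""
    # The free-text description and 'log' do not affect matching, so drop them.
    tokens = [t for t in text.split(" rule-description ")[0].split() if t != "log"]
    action = tokens.pop(0)
    if action not in ("deny", "permit"):
        raise ValueError(f"expected deny or permit, got {action!r}")
    addrs = (_address_spec(tokens), _address_spec(tokens))
    fields = {}
    while tokens:
        key, value = tokens.pop(0), tokens.pop(0)
        if key == "mark":                  # 'mark 8021p N' rewrites, it does not match
            tokens.pop(0)
        elif key == "type":
            fields[key] = ETHERTYPES[value] if value in ETHERTYPES else int(value)
        elif key in ("vlan", "dot1p", "rule-precedence"):
            fields[key] = int(value)
        else:
            raise ValueError(f"unsupported keyword {key!r}")
    if "rule-precedence" not in fields:
        raise ValueError("rule-precedence is required")
    return Rule(action, addrs, fields, fields.pop("rule-precedence"))

class MacAcl:
    def __init__(self, commands=()):
        self.rules = {}                    # precedence -> Rule
        for command in commands:
            self.apply(command)

    def apply(self, command):
        verb, _, rest = command.strip().partition(" ")
        if verb in ("disable", "no"):
            enable = verb == "no" and rest.startswith("disable ")
            target = parse_rule(rest[len("disable "):] if enable else rest)
            if self.rules.get(target.precedence) != target:
                raise LookupError("no rule configured with exactly these values")
            if verb == "no" and not enable:
                del self.rules[target.precedence]   # 'no deny|permit ...' removes the rule
            else:
                self.rules[target.precedence].disabled = verb == "disable"
            return
        new = parse_rule(rest if verb == "insert" else command)
        if verb == "insert":
            # ASSUMPTION: only the contiguous run of occupied precedences shifts down.
            end = new.precedence
            while end in self.rules:
                end += 1
            for p in range(end, new.precedence, -1):
                self.rules[p] = dataclasses.replace(self.rules.pop(p - 1), precedence=p)
        self.rules[new.precedence] = new   # without 'insert' this overwrites in place

    def evaluate(self, src, dst, **frame):
        """Return (action, precedence) of the first enabled match, or None if no rule matches."""
        for precedence, rule in sorted(self.rules.items()):
            if not rule.disabled and rule.matches(src, dst, frame):
                return rule.action, precedence

TEST1 = MacAcl([   # the 'test1' session from the insert example above, in order
    "deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1",
    "deny host B4-C7-99-6D-CD-9B any rule-precedence 2",
    "insert permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2",
])
```

`TEST1.evaluate("B4-C7-99-6D-CD-9B", "00-01-AE-00-22-11")` returns `("deny", 3)`, the original precedence 2 rule after the shift. `evaluate` returns `None` when nothing matches because the text above does not state a default action.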


11.3.1 deny
ipv6-access-list
Creates a deny rule that rejects packets from a specified IPv6 source and/or to a specified IPv6 destination. You can also use this command to modify an existing deny rule.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
```
deny [icmpv6|ipv6|proto|tcp|udp]
deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

Parameters
• deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

icmpv6
Applies this deny rule to ICMPv6 packets only

<SOURCE-IPv6/MASK>
Specifies a range of IPv6 source address (network) to match. ICMPv6 packets received from any source in the specified network are dropped.

any
Specifies the source as any IPv6 address. ICMPv6 packets received from any source are dropped.

host <SOURCE-HOST-IPv6>
Identifies a specific host (as the source to match) by its IPv6 address. ICMPv6 packets received from the specified host are dropped.
• <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.

<DEST-IPv6/MASK>
Specifies a range of IPv6 destination address (network) to match. ICMPv6 packets addressed to any destination within the specified network are dropped.

any
Specifies the destination as any IPv6 address. ICMPv6 packets addressed to any destination are dropped.
host <DEST-HOST-IPv6>
Identifies a specific host (as the destination to match) by its IPv6 address. ICMPv6 packets addressed to the specified host are dropped.
• <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.

<ICMPv6-TYPE> [eq|range]
Defines the ICMPv6 type field filter
• eq – Configures a specific ICMPv6 type. Specify the ICMPv6 type value.
• range – Configures a range of ICMPv6 types. Specify the starting and ending ICMPv6 type values.
Note: ICMPv6 packets with type field value matching the values specified here are dropped.

<ICMPv6-CODE>
Defines the ICMPv6 code field filter
• eq – Configures a specific ICMPv6 code. Specify the ICMPv6 code value.
• range – Configures a range of ICMPv6 code. Specify the starting and ending ICMPv6 code values.
Note: ICMPv6 packets with code field value matching the values specified here are dropped.

log
Logs all deny events matching this entry

rule-precedence <1-5000>
Assigns a precedence for this deny rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.

rule-description <LINE>
Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

ipv6
Applies this deny rule to IPv6 packets only

<SOURCE-IPv6/MASK>
Specifies a range of IPv6 source address (network) to match. IPv6 packets received from any source in the specified network are dropped.

any
Specifies the source as any IPv6 address. IPv6 packets received from any source are dropped.

host <SOURCE-HOST-IPv6>
Identifies a specific host (as the source to match) by its IPv6 address. IPv6 packets received from the specified host are dropped.
• <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.

<DEST-IPv6/MASK>
Specifies a range of IPv6 destination address (network) to match. IPv6 packets addressed to any destination within the specified network are dropped.

any
Specifies the destination as any IPv6 address. IPv6 packets addressed to any destination are dropped.

host <DEST-HOST-IPv6>
Identifies a specific host (as the destination to match) by its IPv6 address. IPv6 packets addressed to the specified host are dropped.
• <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.
log
Logs all deny events matching this entry

rule-precedence <1-5000>
Assigns a precedence for this deny rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.

rule-description <LINE>
Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

proto
Configures the ACL for additional protocols
Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.

<PROTOCOL-NUMBER>
Filters protocols using their Internet Assigned Numbers Authority (IANA) protocol number
• <PROTOCOL-NUMBER> – Specify the protocol number.

<PROTOCOL-NAME>
Filters protocols using their IANA protocol name
• <PROTOCOL-NAME> – Specify the protocol name.

eigrp
Identifies the EIGRP protocol (number 88)
EIGRP enables routers to maintain copies of neighbors’ routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.

gre
Identifies the GRE protocol (number 47)
GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DEC net, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.

igp
Identifies any private internal gateway (primarily used by CISCO for their IGRP) (number 9)
IGP enables exchange of information between hosts and routers within a managed network. The most commonly used IGP protocols are: RIP and OSPF.

ospf
Identifies the OSPF protocol (number 89)
OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.
vrrp
Identifies the VRRP protocol (number 112)
VRRP allows a pool of routers to be advertized as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.

<SOURCE-IPv6/MASK>
Specifies a range of IPv6 source address (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source in the specified network are dropped.

any
Specifies the source as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are dropped.

host <SOURCE-HOST-IPv6>
Identifies a specific host (as the source to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IPv6 address.

<DEST-IPv6/MASK>
Specifies a range of IPv6 destination address (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination within the specified network are dropped.

any
Specifies the destination as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are dropped.

host <DEST-HOST-IPv6>
Identifies a specific host (as the destination to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are dropped.
• <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.

log
Logs all deny events matching this entry

rule-precedence <1-5000>
Assigns a precedence for this deny rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.

rule-description <LINE>
Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

tcp
Applies this deny rule to TCP packets only

udp
Applies this deny rule to UDP packets only

<SOURCE-IPv6/MASK>
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies a range of IPv6 source address (network) to match. TCP/UDP packets received from any source in the specified network are dropped.

any
This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies the source as any IPv6 address. TCP/UDP packets received from any source are dropped.
![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 54](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-422.png)

host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. TCP/UDP packets received from the specified host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IPv6 address.

<DEST-IPv6/MASK> – This keyword is common to the ‘tcp’ and ‘udp’ parameters. Specifies a range of IPv6 destination address (network) to match. TCP/UDP packets addressed to any destination within the specified network are dropped.

any – This keyword is common to the ‘tcp’ and ‘udp’ parameters. Specifies the destination as any destination IPv6 address. TCP/UDP packets addressed to any destination are dropped.

eq <SOURCE-PORT> – Identifies a specific source port
• <SOURCE-PORT> – Specify the exact source port.

host <DEST-HOST-IP> – Identifies a specific host (as the destination to match) by its IPv6 address. TCP/UDP packets addressed to the specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address.

range <START-PORT> <END-PORT> – Specifies a range of source ports
• <START-PORT> – Specify the first port in the range.
• <END-PORT> – Specify the last port in the range.

eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www] – Identifies a specific destination or protocol port to match
• <1-65535> – The destination port is designated by its number
• <SERVICE-NAME> – Specifies the service name
• bgp – The designated BGP protocol port (179)
• dns – The designated DNS protocol port (53)
• ftp – The designated FTP protocol port (21)
• ftp-data – The designated FTP data port (20)
• gopher – The designated Gopher protocol port (70)
• https – The designated HTTPS protocol port (443)
• ldap – The designated LDAP protocol port (389)
• nntp – The designated NNTP protocol port (119)
• ntp – The designated NTP protocol port (123)
• pop3 – The designated POP3 protocol port (110)
• sip – The designated SIP protocol port (5060)
• smtp – The designated SMTP protocol port (25)
• ssh – The designated SSH protocol port (22)
• telnet – The designated Telnet protocol port (23)
• tftp – The designated TFTP protocol port (69)
• www – The designated www protocol port (80)

range <START-PORT> <END-PORT> – Specifies a range of destination ports
• <START-PORT> – Specify the first port in the range.
• <END-PORT> – Specify the last port in the range.

log – Logs all deny events matching this entry

![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 56](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-424.png)

11.3.2 no

ipv6-access-list

Removes a deny or permit rule

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [deny|permit]
no [deny|permit] [icmpv6|ipv6|proto|tcp|udp] <RULE-PARAMETERS> {(rule-description <LINE>)}
```

Parameters

• no <PARAMETERS>

no <PARAMETERS> – Removes a deny or permit rule from the selected IPv6 access list

Example

The following example shows the ACL ‘test’ settings before the ‘no’ commands are executed:

```
rfs6000-81742D(config-ipv6-acl-test)#show context
ipv6 access-list test
 deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
 permit proto gre any any log rule-precedence 2
rfs6000-81742D(config-ipv6-acl-test)#
rfs6000-81742D(config-ipv6-acl-test)#no deny icmpv6 any any type eq 1 log rule-precedence 1
rfs6000-81742D(config-ipv6-acl-test)#show context
ipv6 access-list test
 permit proto gre any any log rule-precedence 2
rfs6000-81742D(config-ipv6-acl-test)#
```
![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 57](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-425.png)

11.3.3 permit

ipv6-access-list

Creates a permit rule that accepts packets from a specified IPv6 source and/or to a specified IPv6 destination. You can also use this command to modify an existing permit rule.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
permit [icmpv6|ipv6|proto|tcp|udp]
permit icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
```

Parameters

• permit icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

icmpv6 – Applies this permit rule to ICMPv6 packets only

<SOURCE-IPv6/MASK> – Specifies a range of IPv6 source address (network) to match. ICMPv6 packets received from any source in the specified network are accepted.

any – Specifies the source as any IPv6 address. ICMPv6 packets received from any source are accepted.

host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. ICMPv6 packets received from the specified host are accepted.
• <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.

<DEST-IPv6/MASK> – Specifies a range of IPv6 destination address (network) to match. ICMPv6 packets addressed to any destination within the specified network are accepted.

any – Specifies the destination as any IPv6 address. ICMPv6 packets addressed to any destination are accepted.
![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 58](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-426.png)

host <DEST-HOST-IPv6> – Identifies a specific host (as the destination to match) by its IPv6 address. ICMPv6 packets addressed to the specified host are accepted.
• <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.

<ICMPv6-TYPE> [eq|range] – Defines the ICMPv6 type field filter
• eq – Configures a specific ICMPv6 type. Specify the ICMPv6 type value.
• range – Configures a range of ICMPv6 types. Specify the starting and ending ICMPv6 type values.
Note: ICMPv6 packets with type field value matching the values specified here are forwarded.

<ICMPv6-CODE> – Defines the ICMPv6 code field filter
• eq – Configures a specific ICMPv6 code. Specify the ICMPv6 code value.
• range – Configures a range of ICMPv6 code. Specify the starting and ending ICMPv6 code values.
Note: ICMPv6 packets with code field value matching the values specified here are forwarded.

log – Logs all permit events matching this entry

rule-precedence <1-5000> – Assigns a precedence for this permit rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.

rule-description <LINE> – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

ipv6 – Applies this permit rule to IPv6 packets only

<SOURCE-IPv6/MASK> – Specifies a range of IPv6 source address (network) to match. IPv6 packets received from any source in the specified network are forwarded.

any – Specifies the source as any IPv6 address. IPv6 packets received from any source are forwarded.

host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. IPv6 packets received from the specified host are forwarded.
• <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.

<DEST-IPv6/MASK> – Specifies a range of IPv6 destination address (network) to match. IPv6 packets addressed to any destination within the specified network are forwarded.

any – Specifies the destination as any IPv6 address. IPv6 packets addressed to any destination are forwarded.

host <DEST-HOST-IPv6> – Identifies a specific host (as the destination to match) by its IPv6 address. IPv6 packets addressed to the specified host are forwarded.
• <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.
![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 59](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-427.png)

log – Logs all permit events matching this entry

rule-precedence <1-5000> – Assigns a precedence for this permit rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.

rule-description <LINE> – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

proto – Configures the ACL for additional protocols. Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.

<PROTOCOL-NUMBER> – Filters protocols using their Internet Assigned Numbers Authority (IANA) protocol number
• <PROTOCOL-NUMBER> – Specify the protocol number.

<PROTOCOL-NAME> – Filters protocols using their IANA protocol name
• <PROTOCOL-NAME> – Specify the protocol name.

eigrp – Identifies the EIGRP protocol (number 88). EIGRP enables routers to maintain copies of neighbors’ routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.

gre – Identifies the GRE protocol (number 47). GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DECnet, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.

igp – Identifies any private internal gateway (primarily used by CISCO for their IGRP) (number 9). IGP enables exchange of information between hosts and routers within a managed network. The most commonly used IGP protocols are: RIP and OSPF.

ospf – Identifies the OSPF protocol (number 89). OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.
![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 60](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-428.png)

vrrp – Identifies the VRRP protocol (number 112). VRRP allows a pool of routers to be advertised as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router from this pool and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.

<SOURCE-IPv6/MASK> – Specifies a range of IPv6 source address (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source in the specified network are forwarded.

any – Specifies the source as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are forwarded.

host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are forwarded.
• <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.

<DEST-IPv6/MASK> – Specifies a range of IPv6 destination address (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination within the specified network are forwarded.

any – Specifies the destination as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are forwarded.

host <DEST-HOST-IPv6> – Identifies a specific host (as the destination to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are forwarded.
• <DEST-HOST-IPv6> – Specify the destination host’s exact IPv6 address.

log – Logs all permit events matching this entry

rule-precedence <1-5000> – Assigns a precedence for this permit rule
• <1-5000> – Specify a value from 1 - 5000.
Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.

rule-description <LINE> – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

• permit [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

tcp – Applies this permit rule to TCP packets only

udp – Applies this permit rule to UDP packets only

<SOURCE-IPv6/MASK> – This keyword is common to the ‘tcp’ and ‘udp’ parameters. Specifies a range of IPv6 source address (network) to match. TCP/UDP packets received from any source in the specified network are forwarded.

any – This keyword is common to the ‘tcp’ and ‘udp’ parameters. Specifies the source as any IPv6 address. TCP/UDP packets received from any source are forwarded.
![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 61](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-429.png)

host <SOURCE-HOST-IPv6> – Identifies a specific host (as the source to match) by its IPv6 address. TCP/UDP packets received from the specified host are forwarded.
• <SOURCE-HOST-IPv6> – Specify the source host’s exact IPv6 address.

<DEST-IPv6/MASK> – This keyword is common to the ‘tcp’ and ‘udp’ parameters. Specifies a range of IPv6 destination address (network) to match. TCP/UDP packets addressed to any destination within the specified network are forwarded.

any – This keyword is common to the ‘tcp’ and ‘udp’ parameters. Specifies the destination as any destination IPv6 address. TCP/UDP packets addressed to any destination are forwarded.

eq <SOURCE-PORT> – Identifies a specific source port
• <SOURCE-PORT> – Specify the exact source port.

host <DEST-HOST-IPv6> – Identifies a specific host (as the destination to match) by its IPv6 address. TCP/UDP packets addressed to the specified host are forwarded.
• <DEST-HOST-IPv6> – Specify the destination host’s exact IP address.

range <START-PORT> <END-PORT> – Specifies a range of source ports
• <START-PORT> – Specify the first port in the range.
• <END-PORT> – Specify the last port in the range.

eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www] – Identifies a specific destination or protocol port to match
• <1-65535> – The destination port is designated by its number
• <SERVICE-NAME> – Specifies the service name
• bgp – The designated BGP protocol port (179)
• dns – The designated DNS protocol port (53)
• ftp – The designated FTP protocol port (21)
• ftp-data – The designated FTP data port (20)
• gopher – The designated Gopher protocol port (70)
• https – The designated HTTPS protocol port (443)
• ldap – The designated LDAP protocol port (389)
• nntp – The designated NNTP protocol port (119)
• ntp – The designated NTP protocol port (123)
• pop3 – The designated POP3 protocol port (110)
• sip – The designated SIP protocol port (5060)
• smtp – The designated SMTP protocol port (25)
• ssh – The designated SSH protocol port (22)
• telnet – The designated Telnet protocol port (23)
• tftp – The designated TFTP protocol port (69)
• www – The designated www protocol port (80)

range <START-PORT> <END-PORT> – Specifies a range of destination ports
• <START-PORT> – Specify the first port in the range.
• <END-PORT> – Specify the last port in the range.

log – Logs all permit events matching this entry
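The precedence note in the deny and permit tables matters most when a narrow exception and a broad rule overlap. The following Python audit sketch is an added example, not part of the WiNG reference or Extreme Networks code: it parses a subset of the IPv6 ACL grammar shown above (`ipv6`, `tcp` and `udp` rules with an optional `eq` destination port) and reports rules that can never match because a rule with a lower precedence value already covers them. It assumes rules are evaluated first-match in ascending `rule-precedence` order and that an `ipv6` rule also matches TCP and UDP packets; the sample ACLs and all function names are constructed for illustration.

```python
import ipaddress

# Service keywords and ports as listed in the tcp/udp parameter tables above.
SERVICES = {"bgp": 179, "dns": 53, "ftp": 21, "ftp-data": 20, "gopher": 70,
            "https": 443, "ldap": 389, "nntp": 119, "ntp": 123, "pop3": 110,
            "sip": 5060, "smtp": 25, "ssh": 22, "telnet": 23, "tftp": 69,
            "www": 80}

# Constructed sample: the management-subnet exception sits at precedence 20,
# behind the broad SSH deny at precedence 10.
SAMPLE_ACL = """
 deny tcp any any eq ssh log rule-precedence 10
 permit tcp 2001:db8:10::/64 any eq ssh log rule-precedence 20
 deny tcp any any eq telnet log rule-precedence 30
 permit ipv6 any any log rule-precedence 100
"""

# Constructed fix: the exception now carries the lower precedence value.
FIXED_ACL = SAMPLE_ACL.replace("rule-precedence 20", "rule-precedence 5")


def _take_addr(tokens):
    """Consume one address spec: any | host <ADDR> | <PREFIX/LEN>."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.IPv6Network("::/0")
    if word == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(word, strict=False)


def parse_rule(line):
    """Parse one rule from the subset handled here (ipv6/tcp/udp, 'eq' port)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto not in ("ipv6", "tcp", "udp"):
        raise ValueError(f"unsupported rule: {line.strip()}")
    rule = {"text": line.strip(), "action": action, "proto": proto,
            "src": _take_addr(tokens), "dst": _take_addr(tokens), "port": None}
    if proto != "ipv6" and tokens and tokens[0] == "eq":
        name = tokens[1]
        rule["port"] = SERVICES[name] if name in SERVICES else int(name)
    prec = int(tokens[tokens.index("rule-precedence") + 1])
    if not 1 <= prec <= 5000:
        raise ValueError(f"rule-precedence out of range: {prec}")
    rule["prec"] = prec
    return rule


def parse_acl(text):
    """Return the rules sorted by rule-precedence (lowest value first)."""
    rules = [parse_rule(line) for line in text.splitlines() if line.strip()]
    return sorted(rules, key=lambda r: r["prec"])


def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return ((a["proto"] == "ipv6" or a["proto"] == b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["port"] is None or a["port"] == b["port"]))


def find_shadowed(rules):
    """List (shadowed, covering) rule texts for rules that can never match."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule["text"], earlier["text"]))
                break
    return findings


def evaluate(rules, proto, src, dst, port=None):
    """Return the action of the first matching rule, or None if none matches."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for rule in rules:
        if (rule["proto"] in ("ipv6", proto) and src in rule["src"]
                and dst in rule["dst"] and rule["port"] in (None, port)):
            return rule["action"]
    return None


if __name__ == "__main__":
    for shadowed, by in find_shadowed(parse_acl(SAMPLE_ACL)):
        print(f"never matches: {shadowed}\n  covered by:  {by}")
```

In the constructed sample the SSH permit for 2001:db8:10::/64 is reported as shadowed; giving it a precedence value below 10 makes the exception take effect and clears the finding.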


![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 64](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-432.png)

11.4.1 deny

ip-snmp-access-list

Creates a deny SNMP MIB object traffic rule. Use this command to specify the match criteria based on which SNMP traffic is denied.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
deny [<IP/M>|any|host <IP>]
```

Parameters

• deny [<IP/M>|any|host <IP>]

deny [<IP/M>|any|host <IP>] – Configures the match criteria for this deny rule
• <IP/M> – Specifies a network address and mask in the A.B.C.D/M format. Packets received from or destined for this network are dropped
• any – Specifies the match criteria as any. Packets received from or destined for any address are dropped
• host <IP> – Identifies a host by its IP address. Packets received from or destined for this host are dropped

Example

```
rfs6000-81742D(config-ip-snmp-acl-test)#deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#
```

Related Commands

no – Removes this deny rule from the IP SNMP ACL
![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 65](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-433.png)

11.4.2 permit

ip-snmp-access-list

Creates a permit SNMP MIB object traffic rule. Use this command to specify the match criteria based on which SNMP traffic is permitted.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
permit [<IP/M>|any|host <IP>]
```

Parameters

• permit [<IP/M>|any|host <IP>]

permit [<IP/M>|any|host <IP>] – Configures the match criteria for this permit rule
• <IP/M> – Specifies a network address and mask in the A.B.C.D/M format. Packets received from or destined for this network are forwarded
• any – Specifies the match criteria as any. Packets received from or destined for any address are forwarded
• host <IP> – Identifies a host by its IP address. Packets received from or destined for this host are forwarded

Example

```
rfs6000-81742D(config-ip-snmp-acl-test)#permit host 192.168.13.13
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 permit host 192.168.13.13
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#
```

Related Commands

no – Removes this permit rule from the IP SNMP ACL
![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 66](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-434.png)

11.4.3 no

ip-snmp-access-list

Removes a deny or permit rule from the IP SNMP ACL. Use this command to remove IP SNMP ACL rules as they become obsolete for filtering network access permissions.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [deny|permit] [<IP/M>|any|host <IP>]
```

Parameters

• no <PARAMETERS>

no <PARAMETERS> – Removes deny and/or permit access rule from this IP SNMP ACL

Example

```
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 permit host 192.168.13.13
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#
rfs6000-81742D(config-ip-snmp-acl-test)#no permit host 192.168.13.13
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#
```

![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 68](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-436.png)

11.5.1 deny

ex3500-ext-access-list

Creates a deny ACL rule that filters packets based on the source and/or destination IPv4 address, and other specified criteria. You can also use this command to modify an existing deny rule.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax

```
deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]
```

Parameters

• deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

deny [<0-255>|tcp|udp] – Creates a deny rule and identifies the protocol type. This deny rule is applied only to packets matching the protocol specified here.
• <0-255> – Identifies the protocol from its number. Specify the protocol number from 0 - 255.
• tcp – Configures the protocol as TCP
• udp – Configures the protocol as UDP

[<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] – Specifies the source IP address as any, host, or network
• <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
• host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
• any – Specifies that the source can be any device

[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] – Specifies the destination IP address as any, host, or network.
• <DEST-NETWORK-IP/MASK> – Configures a network as the destination. Provide the network’s IPv4 address along with the mask
• host <DEST-HOST-IP> – Configures a single device as the destination. Provide the host device’s IPv4 address
• any – Specifies that the destination can be any device

control-flag <0-63> – Configures the decimal number (representing a bit string) that specifies the control flag bits in byte 14 of the TCP header
• <0-63> – Specify a value from 0 - 63.
Note: Control flags can be used only in ACLs designed to filter TCP traffic.

Contd..


![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 71](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-439.png)

11.5.2 permit

ex3500-ext-access-list

Creates a permit ACL rule that filters packets based on the source and/or destination IPv4 address, and other specified criteria. You can also use this command to modify an existing permit rule.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax

```
permit [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]
```

Parameters

• permit [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

permit [<0-255>|tcp|udp] – Creates a permit rule and identifies the protocol type. This permit rule is applied only to packets matching the protocol specified here.
• <0-255> – Identifies the protocol from its number. Specify the protocol number from 0 - 255.
• tcp – Configures the protocol as TCP
• udp – Configures the protocol as UDP

[<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] – Specifies the source IP address as any, host, or network.
• <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
• host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
• any – Specifies that the source can be any device

[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] – Specifies the destination IP address as any, host, or network.
• <DEST-NETWORK-IP/MASK> – Configures a network as the destination. Provide the network’s IPv4 address along with the mask.
• host <DEST-HOST-IP> – Configures a single device as the destination. Provide the host device’s IPv4 address.
• any – Specifies that the destination can be any device


![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 74](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-442.png)

11.5.3 no

ex3500-ext-access-list

Removes a deny or permit access rule from this IPv4 EX3500 extended ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax

```
no [deny|permit] [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]
```

Parameters

• no <PARAMETERS>

no <PARAMETERS> – Removes a deny or permit access rule based on the parameters passed

Usage Guidelines

The keyword ‘control-flag <0-63>’ is only applicable to ACL rules filtering TCP traffic.

Example

The following example shows the IPv4 EX3500 extended ACL ‘test’ settings before the ‘no’ commands are executed:

```
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
 permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#no permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
```

The following example shows the IPv4 EX3500 extended ACL ‘test’ settings after the ‘no’ commands are executed:

```
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
```

![ACCESS-LIST, Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 76](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-444.png)

11.6.1 deny

ex3500-std-access-list

Creates a deny rule that rejects packets from a specified source or sources. The source can be a single device or a range of devices within a specified network. Use this command to also edit an existing deny rule.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax

```
deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}
```

Parameters

• deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}

deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] – Creates a deny rule that rejects packets from a specified source or a network. Use one of the following options to specify the source: any, host, or network.
• <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.
• host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.
• any – Specifies that the source can be any device

ex3500-time-range <TIME-RANGE-NAME> – Optional. Applies a periodic or absolute time range to this deny rule
• <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured). The ACL is triggered during the time period configured in the specified EX3500 time range. For information on configuring EX3500 time-range, see ex3500.

Example

```
nx9500-6C8809(config-ip-ex3500-std-acl-test)#deny 192.168.14.0/24
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
 deny 192.168.13.0/24
nx9500-6C8809(config-ip-ex3500-std-acl-test)#
```

Related Commands

no – Removes a specified deny access rule from this IPv4 EX3500 standard ACL
![ACCESS-LISTAccess Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 7711.6.2 permitex3500-std-access-listCreates a permit rule that allows packets from a specified source or sources. The source can be a single device or a range of devices within a specified network. Use this command to also edit an existing permit rule.Supported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510Syntaxpermit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}Parameters• permit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}Examplenx9500-6C8809(config-ip-ex3500-std-acl-test)#permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01nx9500-6C8809(config-ip-ex3500-std-acl-test)#show contextip ex3500-std-access-list test deny 192.168.14.0/24 permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01nx9500-6C8809(config-ip-ex3500-std-acl-test)#Related Commandspermit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]Creates a permit rule that allows packets from a specified source or a network. Use one of the following options to specify the source: any, host, or network.• <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the network’s IPv4 address along with the mask.• host <SOURCE-HOST-IP> – Configures a single device as the source. Provide the host device’s IPv4 address.• any – Specifies that the source can be any deviceex3500-time-range <TIME-RANGE-NAME>Optional. Applies a periodic or absolute time range to this deny rule• <TIME-RANGE-NAME> – Specify the time range name (should be existing and configured). The ACL is triggered during the time period configured in the specified EX3500 time range. 
For information on configuring EX3500 time-range, see ex3500.no Removes a specified permit access rule from this IPv4 EX3500 standard ACL](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-445.png)
![ACCESS-LISTAccess Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 7811.6.3 noex3500-std-access-listRemoves a deny or permit access rule from this IPv4 EX3500 standard ACLSupported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510Syntaxno [deny|permit] [<SOURCE-IP/MASK>|any|host <IP>] {ex3500-time-range <TIME-RANGE-NAME>}Parameters• no <PARAMETERS>ExampleThe following example shows the IPv4 EX3500 standard ACL ‘test’ settings before the ‘no’ commands are executed:nx9500-6C8809(config-ip-ex3500-std-acl-test)#show contextip ex3500-std-access-list test deny 192.168.14.0/24 permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01nx9500-6C8809(config-ip-ex3500-std-acl-test)#nx9500-6C8809(config-ip-ex3500-std-acl-test)#no deny 192.168.14.0/24The following example shows the IPv4 EX3500 standard ACL ‘test’ settings after the ‘no’ commands are executed:nx9500-6C8809(config-ip-ex3500-std-acl-test)#show contextip ex3500-std-access-list test permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01nx9500-6C8809(config-ip-ex3500-std-acl-test)#no <PARAMETERS> Removes a deny or permit access rule based on the parameters passed](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-446.png)








![DHCP-SERVER-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 912.1.2.2.2 nodhcp-class-mode commandsRemoves this DHCP user class policy’s settingsSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxno [multiple-user-class|option]no option user-class <VALUE>Parameters• no <PARAMETERS>ExampleThe following example shows the DHCP class settings before the ‘no’ commands are executed:rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#show context dhcp-class dhcpclass1 option user-class hex multiple-user-classrfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#rfs6000-37FABE(config-dhcp-policy-test-class-class1)#no multiple-user-classrfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#no option user-class hexThe following example shows the DHCP class settings after the ‘no’ commands are executed:rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#show context dhcp-class dhcpclass1rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#no <PARAMETERS> Disables multiple user class options on this DHCP user class policy](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-455.png)





12.1.3.2.1 address

dhcp-pool-mode commands

Adds IP addresses to the DHCP address pool. These IP addresses are assigned to each device joining the network.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
address [<IP>|<HOST-ALIAS-NAME>|range]
address [<IP>|<HOST-ALIAS-NAME>|range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]] {class <DHCP-CLASS-NAME>}
```

Parameters

- `address [<IP>|<HOST-ALIAS-NAME>|range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]] {class <DHCP-CLASS-NAME>}`

`<IP>` – Adds a single IP address to the DHCP address pool

`<HOST-ALIAS-NAME>` – Adds a single host mapped to the specified host alias. The host alias should be existing and configured. A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

`range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]` – Adds a range of IP addresses to the DHCP address pool. Use one of the following options to provide the first IP address in the range:

- `<START-IP>` – Specifies the first IP address in the range
- `<START-HOST-ALIAS-NAME>` – Specifies a host alias, mapped to the first IP address in the range

Use one of the following options to provide the last IP address in the range:

- `<END-IP>` – Specifies the last IP address in the range
- `<END-HOST-ALIAS-NAME>` – Specifies a host alias, mapped to the last IP address in the range

The host aliases should be existing and configured.

`class <DHCP-CLASS-NAME>` – Optional. Applies additional DHCP options, or a modified set of options to those available to wireless clients. For more information, see dhcp-class.

- `<DHCP-CLASS-NAME>` – Sets the DHCP class.


![DHCP-SERVER-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 1812.1.3.2.3 ddnsdhcp-pool-mode commandsConfigures Dynamic Domain Name Service (DDNS) parameters. Dynamic DNS provides a way to access an individual device in a DHCP serviced network using a static device name.Depending on the DHCP server’s configuration, the IP address of a device changes periodically. To ensure continuous accessibility to a device (having a dynamic IP address), the device’s current IP address is published to a DDNS server that resolves the static device name (used to access the device) with a changing IP address.The DDNS server must be accessible from outside the network and must be configured as an address resolver.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxddns [domainname|multiple-user-class|server|ttl]ddns domainname <DDNS-DOMAIN-NAME>ddns multiple-user-classddns server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}ddns ttl <1-864000>Parameters• ddns domainname <DDNS-DOMAIN-NAME>• ddns multiple-user-class• ddns server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}domainname <DDNS-DOMAIN-NAME>Sets the domain name used for DNS updatesThe controller uses DNS to convert human readable host names into IP addresses. Host names are not case sensitive and can contain alphabetic or numeric letters or a hyphen. A Fully Qualified Domain Name (FQDN) consists of a host name plus a domain name. For example, computername.domain.com.multiple-user-class Enables the multiple user class options with this DDNS domainserver Configures the DDNS server used by this DHCP profile[<IP>|<HOST-ALIAS-NAME>]Configures the primary DDNS server. 
This is the default server.Use one of the following options to specify the primary DDNS server:• <IP> – Specifies the primary DDNS server’s IP address• <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary DDNS server’s IP address. The host alias should be existing and configured.A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-464.png)

12.1.3.2.4 default-router

dhcp-pool-mode commands

Configures a default router or gateway IP address for a network pool

After a DHCP client has booted, the client begins sending packets to its default router. Set the IP address of one or a group of routers the controller uses to map host names into IP addresses available to DHCP supported clients. Up to 8 default router IP addresses are supported.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
```

Parameters

- `default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}`

`[<IP>|<HOST-ALIAS-NAME>]` – Configures the primary default router, using one of the following options:

- `<IP>` – Specifies the primary default router’s IP address
- `<HOST-ALIAS-NAME>` – Specifies a host alias, mapped to the primary default router’s IP address

`{<IP1>|<HOST-ALIAS-NAME1>}` – Optional. Configures the secondary default router, using one of the following options:

- `<IP1>` – Specifies the secondary default router’s IP address
- `<HOST-ALIAS-NAME1>` – Specifies a host alias, mapped to the secondary default router’s IP address. If the primary default router is unavailable, the secondary router is used.

A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

A maximum of 8 default routers can be configured.

Usage Guidelines

The IP address of the router should be on the same subnet as the client subnet.

Example

```
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#default-router 192.168.13.8 192.168.13.9
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
```

12.1.3.2.5 dns-server

dhcp-pool-mode commands

Configures a network’s DNS server. The DNS server supports all clients connected to networks supported by the DHCP server.

For DHCP clients, the DNS server’s IP address maps the hostname to an IP address. DHCP clients use the DNS server’s IP address based on the order (sequence) configured.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
```

Parameters

- `dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}`

`[<IP>|<HOST-ALIAS-NAME>]` – Configures the primary DNS server, using one of the following options:

- `<IP>` – Specifies the primary DNS server’s IP address
- `<HOST-ALIAS-NAME>` – Specifies a host alias, mapped to the primary DNS server’s IP address

A maximum of 8 DNS servers can be configured.

To redirect DNS queries to OpenDNS, the DNS server IP addresses provided here must point to the OpenDNS resolver (208.67.220.220 or 208.67.222.222). OpenDNS is a proxy DNS server that provides additional functionality, such as Web filtering, reporting, and performance enhancements in addition to DNS services. When configured on a WLAN, DNS queries from wireless clients are redirected to OpenDNS. The following example illustrates the configuration:

```
dhcp-server-policy dhcppolicy
 dhcp-pool dhcppool
  network 192.168.1.0/24
  address range 192.168.1.160 192.168.1.200
  default-router 192.168.1.105
  dns-server 208.67.220.220
```

Note, the above example shows the OpenDNS server as being 208.67.220.220. The alternative IP address 208.67.222.222 can also be used.

For more information on the entire configuration needed to integrate WiNG access points, controllers, and service platforms with OpenDNS, see opendns.


12.1.3.2.7 excluded-address

dhcp-pool-mode commands

Identifies a single IP address or a range of IP addresses, included in the DHCP address pool, that cannot be assigned to clients by the DHCP server

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
excluded-address [<IP>|<HOST-ALIAS-NAME>|range]
excluded-address <IP>
excluded-address <HOST-ALIAS-NAME>
excluded-address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
```

Parameters

- `excluded-address <IP>`
- `excluded-address <HOST-ALIAS-NAME>`
- `excluded-address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]`

`<IP>` – Adds a single IP address to the excluded address list

`<HOST-ALIAS-NAME>` – Adds a host alias. The host alias is mapped to a host’s IP address. The host identified by the host alias is added to the excluded address list. The host alias should be existing and configured. A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.

`range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]` – Adds a range of IP addresses to the excluded address list. Use one of the following options to provide the first IP address in the range:

- `<START-IP>` – Specifies the first IP address in the range
- `<START-HOST-ALIAS-NAME>` – Specifies a host alias, mapped to the first IP address in the range

Use one of the following options to provide the last IP address in the range:

- `<END-IP>` – Specifies the last IP address in the range
- `<END-HOST-ALIAS-NAME>` – Specifies a host alias, mapped to the last IP address in the range

The host aliases should be existing and configured.

12.1.3.2.8 lease

dhcp-pool-mode commands

A lease is the duration a DHCP issued IP address is valid. Once a lease expires, and if the lease is not renewed, the IP address is revoked and is available for reuse. Generally, before an IP lease expires, the client tries to get the same IP address issued for the next lease period. This feature is enabled by default, with a lease period of 24 hours (1 day).

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
lease [<0-365>|infinite]
lease infinite
lease <0-365> {0-23} {0-59} {0-59}
```

Parameters

- `lease infinite`
- `lease <0-365> {<0-23>} {<0-59>} {<0-59>}`

`infinite` – The lease never expires (equal to a static IP address assignment)

`<0-365>` – Configures the lease duration in days. Note: Days may be 0 only when hours and/or minutes are greater than 0.

`<0-23>` – Optional. Sets the lease duration in hours

`<0-59>` – Optional. Sets the lease duration in minutes

`<0-59>` – Optional. Sets the lease duration in seconds

Usage Guidelines

If lease parameter is not configured on the DHCP pool, the default is used. The default is 24 hours.

Example

```
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#lease 100 23 59 59
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  lease 100 23 59 59
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  domain-name documentation
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
```

![DHCP-SERVER-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 2912.1.3.2.9 netbios-name-serverdhcp-pool-mode commandsConfigures the NetBIOS (WINS) name server’s IP address. This server is used to resolve NetBIOS host names.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxnetbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}Parameters• netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}Examplerfs4000-229D58(config-dhcp-policy-test-pool-testPool)#netbios-name-server 192.168.13.25rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context dhcp-pool testPool network 192.168.13.0/24 address 192.168.13.4 class dhcpclass1 lease 100 23 59 59 ddns server 192.168.13.9 ddns domainname WID ddns multiple-user-class excluded-address range 192.168.13.25 192.168.13.28 domain-name documentation bootfile test.txt default-router 192.168.13.8 192.168.13.9 dns-server 192.168.13.19 netbios-name-server 192.168.13.25rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#Related Commands[<IP>|<HOST-ALIAS-NAME>]Configures the primary NetBIOS name server, using one of the following options:• <IP> – Specifies the primary NetBIOS name server’s IP address• <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary NetBIOS name server’s IP address{<IP1>|<HOST-ALIAS-NAME1>}Optional. Configures the secondary NetBIOS name server, using one of the following options:• <IP1> – Specifies the secondary NetBIOS name server’s IP address• <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary NetBIOS name server’s IP address. 
If the primary NetBIOS name server is unavailable, the secondary server is used.A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.no Removes the NetBIOS name server settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-475.png)
![DHCP-SERVER-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 3012.1.3.2.10 netbios-node-typedhcp-pool-mode commandsDefines the predefined NetBIOS node type. The NetBIOS node type resolves NetBIOS names to IP addresses.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxnetbios-node-type [b-node|h-node|m-node|p-node]Parameters• netbios-node-type [b-node|h-node|m-node|p-node]Examplerfs4000-229D58(config-dhcp-policy-test-pool-testPool)#netbios-node-type b-noderfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context dhcp-pool testPool network 192.168.13.0/24 address 192.168.13.4 class dhcpclass1 lease 100 23 59 59 ddns server 192.168.13.9 ddns domainname WID ddns multiple-user-class excluded-address range 192.168.13.25 192.168.13.28 domain-name documentation netbios-node-type b-node bootfile test.txt default-router 192.168.13.8 192.168.13.9 dns-server 192.168.13.19 netbios-name-server 192.168.13.25rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#Related Commands[b-node|h-node|m-node|p-node]Defines the netbios node type• b-node – Sets the node type as broadcast. Uses broadcasts to query nodes on the network for the owner of a NetBIOS name.• h-node – Sets the node type as hybrid. Uses a combination of two or more nodes.• m-node – Sets the node type as mixed. A mixed node uses broadcast queries to find a node, and failing that, queries a known p-node name server for the address.• p-node – Sets the node type as peer-to-peer. 
Uses directed calls to communicate with a known NetBIOS name server (such as a WINS server), for the IP address of a NetBIOS machine.no Removes the NetBIOS node type settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-476.png)
12.1.3.2.11 network

dhcp-pool-mode commands

Configures the DHCP server’s network settings

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
network [<IP/M>|<NETWORK-ALIAS-NAME>]
```

Parameters

- `network [<IP/M>|<NETWORK-ALIAS-NAME>]`

`<IP/M>` – Configures the network number and mask (for example, 192.168.13.0/24)

`<NETWORK-ALIAS-NAME>` – Configures a network alias to identify the network number and mask

- `<NETWORK-ALIAS-NAME>` – Specify the network alias name. It should be existing and configured.

A network alias defines a single network address. For example, ‘alias network $NET 1.1.1.0/24’. In this example, the network alias name is: $NET and the network it is mapped to is: 1.1.1.0/24. For more information, see alias.

Example

```
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#network 192.168.13.0/24
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  lease 100 23 59 59
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  domain-name documentation
  netbios-node-type b-node
  bootfile test.txt
  default-router 192.168.13.8 192.168.13.9
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
```

Related Commands

`no` – Removes the network number and mask configured for this DHCP pool
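The pool constraints stated in the sections above (default router on the client subnet, at most 8 default routers and DNS servers, lease value ranges) can be checked offline against `show context` output before a pool goes live. The Python below is an added example, not part of the Extreme Networks guide; `lint_pool`, the `guestPool` sample, and the extra check that a default router cannot be leased out of the pool are assumptions of this example.

```python
import ipaddress

MAX_SERVERS = 8  # the guide allows at most 8 default routers and 8 DNS servers

# Taken from the guide's own 'show context' output for pool testPool.
GUIDE_POOL = """\
dhcp-pool testPool
 network 192.168.13.0/24
 address 192.168.13.4 class dhcpclass1
 lease 100 23 59 59
 excluded-address range 192.168.13.25 192.168.13.28
 default-router 192.168.13.8 192.168.13.9
 dns-server 192.168.13.19
"""

# Constructed for this example: contains three deliberate mistakes.
BAD_POOL = """\
dhcp-pool guestPool
 network 10.20.0.0/24
 address range 10.20.0.10 10.20.0.200
 excluded-address 10.20.0.50
 default-router 10.20.0.20 10.20.1.1
 dns-server $DNS1
 lease 0 0 0 30
"""


def _span(tokens):
    """Turn '<IP>' or 'range <START> <END>' into (first, last).

    Returns None for host aliases ($NAME), which cannot be resolved offline.
    """
    if not tokens:
        return None
    vals = tokens[1:3] if tokens[0] == "range" else tokens[:1] * 2
    if len(vals) != 2 or any(v.startswith("$") for v in vals):
        return None
    return tuple(ipaddress.IPv4Address(v) for v in vals)


def _lint_lease(args):
    """Check 'lease <0-365> {0-23} {0-59} {0-59}' against the guide's ranges."""
    if not args or args == ["infinite"]:
        return []  # an unset lease means the 24-hour default
    try:
        vals = [int(a) for a in args]
    except ValueError:
        return [f"lease {' '.join(args)}: not numeric"]
    limits = (365, 23, 59, 59)
    if len(vals) > 4 or any(not 0 <= v <= m for v, m in zip(vals, limits)):
        return [f"lease {' '.join(args)}: out of range"]
    days, hours, minutes, _ = vals + [0] * (4 - len(vals))
    if days == 0 and hours == 0 and minutes == 0:
        return ["lease: days may be 0 only when hours and/or minutes are greater than 0"]
    return []


def lint_pool(text):
    """Return a list of findings for one dhcp-pool block."""
    net, lease = None, None
    pool, excluded, routers, dns = [], [], [], []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        key, args = tok[0], tok[1:]
        if key == "network" and args and not args[0].startswith("$"):
            net = ipaddress.IPv4Network(args[0], strict=False)
        elif key == "address":
            pool.append(_span(args))
        elif key == "excluded-address":
            excluded.append(_span(args))
        elif key == "default-router":
            routers = args
        elif key == "dns-server":
            dns = args
        elif key == "lease":
            lease = args

    findings = []
    for name, servers in (("default-router", routers), ("dns-server", dns)):
        if len(servers) > MAX_SERVERS:
            findings.append(f"{name}: {len(servers)} entries, maximum is {MAX_SERVERS}")
    spans = [s for s in pool if s]
    excl = [s for s in excluded if s]
    for first, last in spans + excl:
        if first > last:
            findings.append(f"range {first} {last}: start is after end")
        if net and (first not in net or last not in net):
            findings.append(f"{first}-{last}: outside network {net}")
    for r in routers:
        if r.startswith("$"):
            continue  # host alias, skipped
        ip = ipaddress.IPv4Address(r)
        if net and ip not in net:
            findings.append(f"default-router {ip}: not on client subnet {net}")
        # Added hygiene check (assumption of this example, not stated in the guide):
        # a gateway address inside the pool and not excluded could be leased to a client.
        if any(a <= ip <= b for a, b in spans) and not any(a <= ip <= b for a, b in excl):
            findings.append(f"default-router {ip}: inside the pool and not excluded")
    return findings + _lint_lease(lease)


if __name__ == "__main__":
    for label, cfg in (("testPool", GUIDE_POOL), ("guestPool", BAD_POOL)):
        print(label, lint_pool(cfg) or "OK")
```

Host aliases such as `$DNS1` are skipped rather than resolved, so pools that rely on aliases still need the alias definitions reviewed separately.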
![DHCP-SERVER-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 3212.1.3.2.12 next-serverdhcp-pool-mode commandsConfigures the next server in the boot processSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxnext-server [<IP>|<HOST-ALIAS-NAME>]Parameters• next-server [<IP>|<HOST-ALIAS-NAME>]Examplerfs4000-229D58(config-dhcp-policy-test-pool-testPool)#next-server 192.168.13.26rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context dhcp-pool testPool network 192.168.13.0/24 address 192.168.13.4 class dhcpclass1 lease 100 23 59 59 ddns server 192.168.13.9 ddns domainname WID ddns multiple-user-class excluded-address range 192.168.13.25 192.168.13.28 domain-name documentation netbios-node-type b-node bootfile test.txt default-router 192.168.13.8 192.168.13.9 dns-server 192.168.13.19 netbios-name-server 192.168.13.25 next-server 192.168.13.26rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#Related Commands<IP> Configures the next server’s (the first server in the boot process) IP address<HOST-ALIAS-NAME> Configures a host alias, mapped to the next server’s IP address• <HOST-ALIAS-NAME> – Specify the host alias name. It should be existing and configured.A host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias.no Removes the next server configuration settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-478.png)
12.1.3.2.13 no

dhcp-pool-mode commands

Removes or resets this DHCP user pool’s settings

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [address|bootfile|ddns|default-router|dns-server|domain-name|excluded-address|lease|netbios-name-server|netbios-node-type|network|next-server|option|respond-via-unicast|static-binding|static-route|update]
no [bootfile|default-router|dns-server|domain-name|lease|netbios-name-server|netbios-node-type|next-server|network|respond-via-unicast]
no address [<IP>|<HOST-ALIAS-NAME>|all]
no address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
no ddns [domainname|multiple-user-class|server|ttl]
no excluded-address [<IP>|<HOST-ALIAS-NAME>]
no excluded-address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
no option <OPTION-NAME>
no static-binding client-identifier <CLIENT-IDENTIFIER>
no static-binding hardware-address <MAC>
no static-route <IP/MASK> <GATEWAY-IP>
no update dns {override}
```

Parameters

- `no <PARAMETERS>`

`no <PARAMETERS>` – Removes or resets this DHCP user pool’s settings

Example

The following example shows the DHCP pool settings before the ‘no’ commands are executed:

```
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  network 192.168.13.0/24
  address 192.168.13.4 class dhcpclass1
  lease 100 23 59 59
  ddns server 192.168.13.9
  ddns domainname WID
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  domain-name documentation
  netbios-node-type b-node
  bootfile test.txt
```

12.1.3.2.14 option

dhcp-pool-mode commands

Configures raw DHCP options. The DHCP option must be configured under the DHCP server policy. The options configured under the DHCP pool/DHCP server policy can also be used in static-bindings.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>]
```

Parameters

- `option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>]`

`<OPTION-NAME>` – Sets the name of the DHCP option

`<DHCP-OPTION-IP>` – Sets DHCP option as an IP address

`<DHCP-OPTION-ASCII>` – Sets DHCP option as an ASCII string

NOTE: An option name in ASCII format accepts backslash (\) as an input but is not displayed in the output (Use show running config to view the output). Use a double backslash to represent a single backslash.

Example

```
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#option option1 157.235.208.80
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
 dhcp-pool testPool
  address 192.168.13.4 class dhcpclass1
  ddns server 192.168.13.9
  ddns multiple-user-class
  excluded-address range 192.168.13.25 192.168.13.28
  netbios-node-type b-node
  dns-server 192.168.13.19
  netbios-name-server 192.168.13.25
  option option1 157.235.208.80
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
```

Related Commands

`no` – Resets values or disables the DHCP pool option settings




![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 40 12.1.3.3.1 static-binding static-binding Configures static address bindings. A static address binding is a collection of configuration parameters, including an IP address, associated with, or bound to, a DHCP client. Bindings are managed by DHCP servers. DHCP bindings automatically map a device MAC address to an IP address using a pool of DHCP supplied addresses. Static bindings assign IP addresses without creating numerous host pools with manual bindings. Static host bindings use a text file the DHCP server reads. It eliminates the need for a lengthy configuration file and reduces the space required to maintain address pools. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax static-binding [client-identifier <CLIENT>|hardware-address <MAC>] Parameters • static-binding [client-identifier <CLIENT>|hardware-address <MAC>] Example rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#static-binding client-identifier test rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context dhcp-pool testPool address 192.168.13.4 class dhcpclass1 update dns override ddns server 192.168.13.9 ddns multiple-user-class excluded-address range 192.168.13.25 192.168.13.28 netbios-node-type b-node dns-server 192.168.13.19 netbios-name-server 192.168.13.25 option option1 157.235.208.80 respond-via-unicast static-route 192.168.13.0/24 192.168.13.7 static-binding client-identifier test rfs4000-229D58(config-dhcp-policy-test-pool-testPool)# client-identifier <CLIENT> Enables a static binding configuration for a client based on its client identifier (as provided by DHCP option 61 and its key value) • <CLIENT> – Specify the client identifier (DHCP option 61). hardware-address <MAC> Enables a static binding configuration for a client based on its MAC address • <MAC> – Specify the MAC address of the client.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-486.png)




![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 45 12.1.3.3.5 default-router static-binding-mode commands Configures a default router or gateway IP address for the static binding configuration Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>} Parameters • default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>} Usage Guidelines The IP address of the router should be on the same subnet as the client subnet. Example rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#default-router 172.16.10.8 172.16.10.9 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context static-binding client-identifier test client-name RFID bootfile test.txt default-router 172.16.10.8 172.16.10.9 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)# Related Commands [<IP>|<HOST-ALIAS-NAME>] Configures the primary default router, using one of the following options: • <IP> – Specifies the primary default router’s IP address • <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary default router’s IP address {<IP1>|<HOST-ALIAS-NAME1>} Optional. Configures the secondary default router, using one of the following options: • <IP1> – Specifies the secondary default router’s IP address • <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary default router’s IP address. If the primary default router is unavailable, the secondary router is used. A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias. no Resets values or disables DHCP pool static binding settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-491.png)
![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 46 12.1.3.3.6 dns-server static-binding-mode commands Configures the DNS server for this static binding configuration. This DNS server supports the client for which the static binding has been configured. For this client, the DNS server’s IP address maps the host name to an IP address. DHCP clients use the DNS server’s IP address based on the order (sequence) configured. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>} Parameters • dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>} Example rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#dns-server 172.16.10.7 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context static-binding client-identifier test client-name RFID bootfile test.txt default-router 172.16.10.8 172.16.10.9 dns-server 172.16.10.7 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)# Related Commands [<IP>|<HOST-ALIAS-NAME>] Configures the primary DNS server, using one of the following options: • <IP> – Specifies the primary DNS server’s IP address • <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary DNS server’s IP address {<IP1>|<HOST-ALIAS-NAME1>} Optional. Configures the secondary DNS server, using one of the following options: • <IP1> – Specifies the secondary DNS server’s IP address • <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary DNS server’s IP address. If the primary DNS server is unavailable, the secondary DNS server is used. A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias. no Resets values or disables DHCP pool static binding settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-492.png)

![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 48 12.1.3.3.8 ip-address static-binding-mode commands Configures a fixed IP address for a host Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ip-address [<IP>|<HOST-ALIAS-NAME>] Parameters • ip-address [<IP>|<HOST-ALIAS-NAME>] Example rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#ip-address 172.16.10.9 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context static-binding client-identifier test ip-address 172.16.10.9 client-name RFID domain-name documentation bootfile test.txt default-router 172.16.10.8 172.16.10.9 dns-server 172.16.10.7 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)# Related Commands <IP> Configures a fixed IP address (in dotted decimal format) of the client using this host pool <HOST-ALIAS-NAME> Configures a host alias identifying the fixed IP address of the client using this host pool A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias. no Resets values or disables DHCP pool static binding settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-494.png)
![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 49 12.1.3.3.9 netbios-name-server static-binding-mode commands Configures the NetBIOS (WINS) name server’s IP address. This server is used to resolve NetBIOS host names. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>} Parameters • netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>} Example rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#netbios-name-server 172.16.10.23 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context static-binding client-identifier test ip-address 172.16.10.9 client-name RFID domain-name documentation bootfile test.txt default-router 172.16.10.8 172.16.10.9 dns-server 172.16.10.7 netbios-name-server 172.16.10.23 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)# Related Commands [<IP>|<HOST-ALIAS-NAME>] Configures the primary NetBIOS server, using one of the following options: • <IP> – Specifies the primary NetBIOS name server’s IP address • <HOST-ALIAS-NAME> – Specifies a host alias, mapped to the primary NetBIOS name server’s IP address {<IP1>|<HOST-ALIAS-NAME1>} Optional. Configures the secondary NetBIOS name server, using one of the following options: • <IP1> – Specifies the secondary NetBIOS name server’s IP address • <HOST-ALIAS-NAME1> – Specifies a host alias, mapped to the secondary NetBIOS name server’s IP address. If the primary NetBIOS name server is unavailable, the secondary server is used. A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias. no Resets values or disables DHCP pool static binding settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-495.png)
![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 50 12.1.3.3.10 netbios-node-type static-binding-mode commands Configures different predefined NetBIOS node types. The NetBIOS node defines the way a device resolves NetBIOS names to IP addresses. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax netbios-node-type [b-node|h-node|m-node|p-node] Parameters • netbios-node-type [b-node|h-node|m-node|p-node] Example rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#netbios-node-type b-node rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context static-binding client-identifier test ip-address 172.16.10.9 client-name RFID domain-name documentation netbios-node-type b-node bootfile test.txt default-router 172.16.10.8 172.16.10.9 dns-server 172.16.10.7 netbios-name-server 172.16.10.23 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)# Related Commands [b-node|h-node|m-node|p-node] Defines the NetBIOS node type • b-node – Sets the node type as broadcast. Uses broadcasts to query nodes on the network for the owner of a NetBIOS name. • h-node – Sets the node type as hybrid. Uses a combination of two or more nodes. • m-node – Sets the node type as mixed. A mixed node uses broadcast queries to find a node, and failing that, queries a known p-node name server for the address. • p-node – Sets the node type as peer-to-peer. Uses directed calls to communicate with a known NetBIOS name server (such as a WINS server), for the IP address of a NetBIOS machine. no Resets values or disables DHCP pool static binding settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-496.png)
![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 51 12.1.3.3.11 next-server static-binding-mode commands Configures the next server utilized in the boot process Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax next-server [<IP>|<HOST-ALIAS-NAME>] Parameters • next-server [<IP>|<HOST-ALIAS-NAME>] Example rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#next-server 172.16.10.24 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context static-binding client-identifier test ip-address 172.16.10.9 client-name RFID domain-name documentation netbios-node-type b-node bootfile test.txt default-router 172.16.10.8 172.16.10.9 dns-server 172.16.10.7 netbios-name-server 172.16.10.23 next-server 172.16.10.24 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)# Related Commands <IP> Configures the next server’s (the first server in the boot process) IP address <HOST-ALIAS-NAME> Configures a host alias, mapped to the next server’s IP address • <HOST-ALIAS-NAME> – Specify the host alias name. It should be existing and configured. A network host alias maps a name to a single network host. For example, ‘alias host $HOST 1.1.1.100’. In this example the host alias is ‘$HOST’ and it maps to a single host ‘1.1.1.100’. For more information, see alias. no Resets values or disables DHCP pool static binding settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-497.png)
![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 52 12.1.3.3.12 no static-binding-mode commands Negates or reverts static binding settings for the selected DHCP server policy Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [bootfile|client-name|default-router|dns-server|domain-name|ip-address|netbios-name-server|netbios-node-type|next-server|option|respond-via-unicast|static-route] no option <OPTION-NAME> no static-route <IP/MASK> <GATEWAY-IP> Parameters • no <PARAMETERS> Example The following example shows the DHCP pool static binding settings before the ‘no’ commands are executed: rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context static-binding client-identifier test ip-address 172.16.10.9 client-name RFID domain-name documentation netbios-node-type b-node bootfile test.txt default-router 172.16.10.8 172.16.10.9 dns-server 172.16.10.7 netbios-name-server 172.16.10.23 next-server 172.16.10.24 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)# rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no bootfile rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no ip-address rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no default-router rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no dns-server The following example shows the DHCP pool static binding settings after the ‘no’ commands are executed: rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context static-binding client-identifier test client-name RFID domain-name documentation netbios-node-type b-node netbios-name-server 172.16.10.23 next-server 172.16.10.24 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)# no <PARAMETERS> Negates or reverts static binding settings for the selected DHCP server policy](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-498.png)
![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 53 12.1.3.3.13 option static-binding-mode commands Configures the raw DHCP options in the DHCP policy. The DHCP options can be used only in static bindings. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>] Parameters • option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>] Usage Guidelines Defines non standard DHCP option codes (0-254) Example rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#option option1 172.16.10.10 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context static-binding client-identifier test client-name RFID domain-name documentation netbios-node-type b-node netbios-name-server 172.16.10.23 next-server 172.16.10.24 option option1 172.16.10.10 rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)# <OPTION-NAME> Sets the DHCP option name <DHCP-OPTION-IP> Sets the DHCP option as an IP address <DHCP-OPTION-ASCII> Sets the DHCP option as an ASCII string NOTE: An option name in ASCII format accepts a backslash (\) as an input, but is not displayed in the output (Use show running config to view the output). Use a double backslash to represent a single backslash.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-499.png)
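
The default-router usage guideline above (the router should be on the same subnet as the client) can be checked mechanically against a static binding's `show context` output, since a wrong gateway in a binding decides where that client sends its traffic. The Python below is an added example, not part of the WiNG guide or of Extreme's tooling; the function names, the one-setting-per-line layout of the sample, and the 172.16.10.0/24 client subnet are assumptions, because the page shows the output flattened and never states pool1's network.

```python
import ipaddress

# Constructed sample: the guide's static-binding example, one setting per line
# (the line breaks are an assumption; the page shows this output flattened).
SAMPLE_CONTEXT = """\
static-binding client-identifier test
 ip-address 172.16.10.9
 client-name RFID
 domain-name documentation
 netbios-node-type b-node
 bootfile test.txt
 default-router 172.16.10.8 172.16.10.9
 dns-server 172.16.10.7
 netbios-name-server 172.16.10.23
 next-server 172.16.10.24
"""


def parse_binding(text):
    """Return {setting: [values]} for one static-binding block (hypothetical helper)."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split()
        # Skip blanks, the block header and any CLI prompt lines ("...)#show context").
        if not parts or parts[0] == "static-binding" or "#" in parts[0]:
            continue
        settings[parts[0]] = parts[1:]
    return settings


def _as_ip(value):
    """Return an IPv4Address, or None when the value is a host alias such as $HOST."""
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return None


def audit_binding(text, client_subnet):
    """Return a list of (setting, value, problem); an empty list means no findings."""
    net = ipaddress.ip_network(client_subnet)
    settings = parse_binding(text)
    findings = []

    # The fixed address handed to the client must be a usable host in its subnet.
    fixed = None
    for value in settings.get("ip-address", []):
        fixed = _as_ip(value)
        if fixed is None:
            findings.append(("ip-address", value, "host alias, resolve before review"))
        elif fixed not in net:
            findings.append(("ip-address", value, "outside client subnet"))
        elif fixed in (net.network_address, net.broadcast_address):
            findings.append(("ip-address", value, "network or broadcast address"))

    # Primary and optional secondary router: same subnet as the client, distinct
    # from each other, and never the client's own fixed address.
    seen = set()
    for value in settings.get("default-router", []):
        addr = _as_ip(value)
        if addr is None:
            findings.append(("default-router", value, "host alias, resolve before review"))
            continue
        if addr not in net:
            findings.append(("default-router", value, "outside client subnet"))
        if fixed is not None and addr == fixed:
            findings.append(("default-router", value, "same as the client's fixed address"))
        if addr in seen:
            findings.append(("default-router", value, "primary and secondary are identical"))
        seen.add(addr)
    return findings


if __name__ == "__main__":
    for finding in audit_binding(SAMPLE_CONTEXT, "172.16.10.0/24"):
        print(finding)
```

Run against the guide's own example values, the check reports that the secondary default router 172.16.10.9 is also the binding's fixed ip-address.
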


![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 56 12.1.4 dhcp-server dhcp-server-policy Configures the activation-criteria (run-criteria) that triggers dynamic activation of DHCP service running on a redundancy device. In a managed wireless network, when the primary, active DHCP server fails (is unreachable), network clients are unable to access DHCP services, such as new IP address leasing and renewal of existing IP address leases. In such a scenario, the activation-criteria, when configured, triggers dynamic activation of the secondary DHCP server, allowing network clients to continue accessing DHCP services. The WiNG implementation provides activation-criteria options specific to an RF Domain, cluster setup, and a Virtual Router Redundancy Protocol (VRRP) master/client setup. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dhcp-server activation-criteria [cluster-master|rf-domain-manager|vrrp-master] Parameters • dhcp-server activation-criteria [cluster-master|rf-domain-manager|vrrp-master] dhcp-server Enables dynamic activation of the DHCP server, running on a redundancy device, based on the activation criteria specified activation-criteria [cluster-master|rf-domain-manager|vrrp-master] Configures the activation criteria. Specify one of the following options as the activation criteria: • cluster-master – Configures the cluster-master criteria in a cluster setup. Within a cluster, DHCP service is enabled on the cluster master, while it remains disabled on the other cluster members. In case of the cluster master failing, the cluster-master activation criteria, when configured, triggers dynamic activation of DHCP service on the new cluster master. • rf-domain-manager – Configures the rf-domain-manager criteria on an RF Domain. Within an RF Domain, DHCP service is enabled on the RF Domain manager, while it remains disabled on the other devices within the RF Domain. In case of the RF Domain manager failing, the rf-domain-manager activation criteria, when configured, triggers dynamic activation of DHCP service on the new RF Domain manager. • vrrp-master – Configures the vrrp-master criteria within a VRRP master/client setup. In such a setup, the DHCP service is enabled on the VRRP master, while it remains disabled on the other members. In case of the VRRP master failing, the vrrp-master activation criteria, when configured, triggers dynamic activation of DHCP service on the new VRRP master.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-502.png)

![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 58 12.1.5 no dhcp-server-policy Negates a command or sets its default. When used in the DHCP server configuration context, the ‘no’ command resets or reverts the DHCP server policy settings. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [bootp|dhcp-class|dhcp-pool|dhcp-server|option|ping] no bootp ignore no dhcp-class <DHCP-CLASS-NAME> no dhcp-pool <DHCP-POOL-NAME> no dhcp-server activation-criteria no option <DHCP-OPTION> no ping timeout Parameters • no <PARAMETERS> Example The following example shows the DHCP policy ‘test’ settings before the ‘no’ commands are executed: rfs6000-37FABE(config-dhcp-policy-test)#show context dhcp-server-policy test bootp ignore dhcp-class dhcpclass1 dhcp-pool pool1 address 1.2.3.4 class dhcpclass1 update dns override --More-- rfs6000-37FABE(config-dhcp-policy-test)# rfs6000-37FABE(config-dhcp-policy-test)#no bootp ignore rfs6000-37FABE(config-dhcp-policy-test)#no dhcp-class dhcpclass1 rfs6000-37FABE(config-dhcp-policy-test)#no dhcp-pool pool1 The following example shows the DHCP policy ‘test’ settings after the ‘no’ commands are executed: rfs6000-37FABE(config-dhcp-policy-test)#show context dhcp-server-policy test rfs6000-37FABE(config-dhcp-policy-test)# no <PARAMETERS> Negates a command or sets its default. When used in the DHCP server configuration context, the ‘no’ command resets or reverts the DHCP server policy settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-504.png)
![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 59 12.1.6 option dhcp-server-policy Configures raw DHCP options. The DHCP option has to be configured in the DHCP server policy. The options configured in the DHCP pool/DHCP server policy can also be used in static bindings. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax option <OPTION-NAME> <0-254> [ascii|hexstring|ip] Parameters • option <OPTION-NAME> <0-254> [ascii|hexstring|ip] Usage Guidelines Defines non standard DHCP option codes (0-254) Example rfs6000-37FABE(config-dhcp-policy-test)#option option1 200 ascii rfs6000-37FABE(config-dhcp-policy-test)#show context dhcp-server-policy test option option1 200 ascii rfs6000-37FABE(config-dhcp-policy-test)# Related Commands <OPTION-NAME> Configures the option name <0-254> Configures the DHCP option code from 0 - 254 ascii Configures the DHCP option as an ASCII string hexstring Configures the DHCP option as a hexadecimal string ip Configures the DHCP option as an IP address NOTE: An option name in ASCII format accepts a backslash (\) as an input, but is not displayed in the output (Use show running config to view the output). Use a double backslash to represent a single backslash. no Removes DHCP server options](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-505.png)








![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 68 12.2.1.2.3 network dhcpv6-pool-mode commands Configures this DHCPv6 pool’s network. Use this command to configure the address of the network on which this DHCP server is deployed. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax network [<IPv6/M>|<NETWORK-ALIAS-NAME>] Parameters • network [<IPv6/M>|<NETWORK-ALIAS-NAME>] Example rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#network 2002::0/64 rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context dhcpv6-pool DHCPv6Pool1 network 2002::/64 domain-name TechPubs dns-server 2002::1 rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)# Related Commands <IPv6/M> Specify this DHCPv6 pool network’s IPv6 address and mask (for example, 1:2::1:0/96) <NETWORK-ALIAS-NAME> Specify this DHCPv6 pool network’s alias name no Removes the network IPv6 address and mask configured for this DHCPv6 pool](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-514.png)
![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 69 12.2.1.2.4 no dhcpv6-pool-mode commands Negates a command or sets its default. When used in the DHCPv6 pool configuration context, the ‘no’ command resets or reverts the DHCPv6 pool’s settings. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [dns-server|domain-name|network|option|refresh-time|sip] Parameters • no <PARAMETERS> Example rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context dhcpv6-pool DHCPv6Pool1 network 2002::/64 refresh-time 1000 domain-name TechPubs sip domain-name TechPubsSIP dns-server 2002::1 option DHCPv6Pool1Option 60 rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)# rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#no option DHCPv6Pool1Option rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#no refresh-time rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context dhcpv6-pool DHCPv6Pool1 network 2002::/64 domain-name TechPubs sip domain-name TechPubsSIP dns-server 2002::1 rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)# no <PARAMETERS> Negates a command or sets its default. When used in the DHCPv6 pool configuration context, the ‘no’ command resets or reverts the DHCPv6 pool’s settings.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-515.png)
![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 70 12.2.1.2.5 option dhcpv6-pool-mode commands Configures this DHCPv6 pool’s raw DHCPv6 options. This is the vendor-specific option used in this DHCPv6 pool. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax option <OPTION-NAME> [<DHCPv6-OPTION-IP>|<DHCPv6-OPTION-ASCII>] Parameters • option <OPTION-NAME> [<DHCPv6-OPTION-IP>|<DHCPv6-OPTION-ASCII>] Example rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#option DHCPv6Pool1Option 60 rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context dhcpv6-pool DHCPv6Pool1 network 2002::/64 domain-name TechPubs dns-server 2002::1 option DHCPv6Pool1Option 60 rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)# Related Commands <OPTION-NAME> Sets the name of the DHCPv6 option <DHCPv6-OPTION-IP> Sets DHCPv6 option as an IPv6 address <DHCPv6-OPTION-ASCII> Sets DHCPv6 option as an ASCII string NOTE: An option name in ASCII format accepts backslash (\) as an input but is not displayed in the output (Use show running config to view the output). Use a double backslash to represent a single backslash. no Removes this DHCPv6 pool’s DHCP option settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-516.png)

![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 72 12.2.1.2.7 sip dhcpv6-pool-mode commands Configures this DHCPv6 pool’s Session Initiation Protocol (SIP) server setting. Configures the domain name or domain names associated with the SIP servers. The SIP server is used to prioritize voice and video traffic on the network. SIP is an application-layer control protocol that can establish, modify and terminate multimedia sessions or calls. A SIP system has several components (user agents, proxy servers, redirect servers, and registrars). User agents can contain SIP clients; proxy servers always contain SIP clients. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax sip [address <IPv6>|domain-name <DOMAIN-NAME>] Parameters • sip [address <IPv6>|domain-name <DOMAIN-NAME>] Example rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#sip domain-name TechPubsSIP rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context dhcpv6-pool DHCPv6Pool1 network 2002::/64 refresh-time 1000 domain-name TechPubs sip domain-name TechPubsSIP dns-server 2002::1 option DHCPv6Pool1Option 60 rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)# Related Commands sip [address <IPv6>|domain-name <DOMAIN-NAME>] Configures the SIP server’s setting, such as address and/or domain name no Removes this DHCPv6 pool’s SIP server setting](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-518.png)
![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 73 12.2.2 option dhcpv6-server-policy Configures this DHCPv6 server policy’s DHCP option settings, such as enterprise (vendor) ID. DHCPv6 services are available for specific IP interfaces. A pool (or range) of IPv6 network addresses and DHCPv6 options can be created for each IPv6 interface defined. This range of addresses can be made available to DHCPv6 enabled devices on either a permanent or leased basis. DHCPv6 options are provided to each client with a DHCPv6 response and provide DHCPv6 clients information required to access network resources (default gateway, domain name, DNS server and WINS server configuration). An option exists to identify the vendor and functionality of a DHCPv6 client. The information is a variable-length string of characters (or octets) with a meaning specified by the vendor of the DHCPv6 client. Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax option <OPTION-NAME> <0-254> [ascii|hexstring|ipv6] <1-4294967295> Parameters • option <OPTION-NAME> <0-254> [ascii|hexstring|ipv6] <1-4294967295> option <OPTION-NAME> Specify a unique name for this DHCP option. The name should describe the option's function. <0-254> Specify a DHCP option code for this option. • <0-254> – Specify a value from 0 - 254. The system allows only one code, of the same value, for each DHCP option used in each DHCPv6 server policy. ascii Specifies the option type as ASCII (sends an ASCII compliant string to the client) hexstring Specifies the option type as a string of hexadecimal characters (sends a hexadecimal string to the client) ipv6 Specifies the option type as IPv6 address (sends an IPv6 compatible address to the client) <1-4294967295> This parameter is common to all option types. • <1-4294967295> – Specifies the enterprise (vendor) ID. Specify a value from 1 - 4294967295. The option code (1) is reserved for subnet-mask and cannot be used. Each vendor should have a unique vendor ID used by the DHCP server to issue vendor-specific DHCP options.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-519.png)



![DHCP-SERVER-POLICY Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 77 12.2.5 no dhcpv6-server-policy Negates or reverts this DHCPv6 server policy’s settings Supported in the following platforms: • Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 • Wireless Controllers — RFS4000, RFS6000 • Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [dhcpv6-pool|option|restrict-vendor-options|server-preference] Parameters • no <PARAMETERS> Example rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context dhcpv6-server-policy test option DHCPServerOption1 10 ascii 50 dhcpv6-pool DHCPv6Pool1 network 2002::/64 domain-name TechPubs sip domain-name TechPubsSIP dns-server 2002::1 server-preference 1 restrict-vendor-options rfs6000-37FABE(config-dhcpv6-server-policy-test)# rfs6000-37FABE(config-dhcpv6-server-policy-test)#no restrict-vendor-options rfs6000-37FABE(config-dhcpv6-server-policy-test)#no server-preference rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context dhcpv6-server-policy test option DHCPServerOption1 10 ascii 50 dhcpv6-pool DHCPv6Pool1 network 2002::/64 domain-name TechPubs sip domain-name TechPubsSIP dns-server 2002::1 rfs6000-37FABE(config-dhcpv6-server-policy-test)# no <PARAMETERS> Negates or reverts this DHCPv6 server policy’s settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-523.png)




13.1.2 alg (firewall-policy)

Enables traffic filtering at the application layer using the Application Layer Gateway (ALG) feature

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
alg [dns|facetime|ftp|pptp|sccp|sip|tftp]
```

Parameters

- `alg [dns|facetime|ftp|pptp|sccp|sip|tftp]`
  - `alg` – Enables traffic filtering at the application layer. The ALG provides filters for the following common protocols: DNS, FaceTime, FTP, PPTP, SCCP, SIP, and TFTP.
  - `dns` – Allows Domain Name System (DNS) traffic through the firewall using its default ports. This option is enabled by default. When enabled, you can easily permit or deny traffic based on a packet’s DNS name, instead of the IP address. Use this option when configuring ACLs allowing or denying traffic for Web sites that have a single domain name resolving to any one of multiple IP addresses.
  - `facetime` – Allows Apple’s FaceTime video calling traffic through the firewall using its default ports. This option is disabled by default.
  - `ftp` – Allows File Transfer Protocol (FTP) traffic through the firewall using its default ports. This option is enabled by default.
  - `pptp` – Allows Point-to-Point Tunneling Protocol (PPTP) traffic through the firewall using its default ports. PPTP, a network protocol, enables secure transfer of data from a remote client to an enterprise server by encapsulating PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks. This option is enabled by default.
  - `sccp` – Allows Signalling Connection Control Part (SCCP) traffic through the firewall using its default ports. This option is disabled by default. SCCP is a network protocol that provides routing, flow control and error correction in telecommunication networks.
  - `sip` – Allows Session Initiation Protocol (SIP) traffic through the firewall using its default ports. This option is enabled by default.
  - `tftp` – Enables the Trivial File Transfer Protocol (TFTP) algorithm. When enabled, allows TFTP traffic through the firewall using its default ports. This option is enabled by default.

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-5](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-528.png)





13.1.7 flow (firewall-policy)

Defines the session flow timeout interval for different packet types

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
flow [dhcp|timeout]
flow dhcp stateful
flow timeout [icmp|other|tcp|udp]
flow timeout [icmp|other] <1-32400>
flow timeout udp <15-32400>
flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|stateless-general] <1-32400>
flow timeout tcp established <15-32400>
```

Parameters

- `flow dhcp stateful`
  - `dhcp` – Configures DHCP packet flow
  - `stateful` – Performs a stateful check on DHCP packets. This feature is enabled by default.
- `flow timeout [icmp|other] <1-32400>`
  - `timeout` – Configures a packet timeout
  - `icmp` – Configures the timeout for ICMP packets. The default is 30 seconds.
  - `other` – Configures the timeout for packets other than ICMP, TCP, or UDP. The default is 30 seconds.
  - `<1-32400>` – Configures the timeout from 1 - 32400 seconds
- `flow timeout udp <15-32400>`
  - `timeout` – Configures a packet timeout
  - `udp` – Configures the timeout for UDP packets. The default is 30 seconds.
  - `<15-32400>` – Configures the timeout from 15 - 32400 seconds
- `flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|stateless-general] <1-32400>`
  - `timeout` – Configures a packet timeout
  - `tcp` – Configures the timeout for TCP packets
  - `close-wait` – Configures the closed TCP flow timeout. The default is 10 seconds.
  - `reset` – Configures the reset TCP flow timeout. The default is 10 seconds.

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-11](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-534.png)

13.1.8 ip (firewall-policy)

Configures Internet Protocol (IP) components

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ip [dos|tcp]
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-max-incomplete|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke}
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-scan|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-scan|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [drop-only]
ip dos tcp-max-incomplete [high|low] <1-1000>
ip tcp [adjust-mss|optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
ip tcp adjust-mss <472-1460>
ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
```

Parameters

- `ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-scan|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]`
  - `dos` – Identifies IP events as DoS events
  - `ascend` – Optional. Detects ASCEND DoS attacks. Ascend DoS attacks target known vulnerabilities in various versions of Ascend routers. Ascend routers listen on UDP port 9 for packets from Ascend's Java Configurator. Sending a formatted packet to this port can cause an Ascend router to crash.

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-13](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-536.png)



- `udp-short-hdr` – Optional. Enables the identification of truncated UDP headers and UDP header length fields
- `winnuke` – Optional. This DoS attack is specific to Windows™ 95 and Windows™ NT. The WINNUKE DoS attack sends a large amount of data to UDP port 137 to crash the NETBIOS service on Windows and results in high CPU utilization on the target machine.
- `log-and-drop` – Logs the event and drops the packet
- `log-only` – Logs the event only, the packet is not dropped
- `log-level` – Configures the log level
- `<0-7>` – Sets the numeric logging level
- `emergencies` – Numerical severity 0. System is unusable
- `alerts` – Numerical severity 1. Indicates a condition where immediate action is required
- `critical` – Numerical severity 2. Indicates a critical condition
- `errors` – Numerical severity 3. Indicates an error condition
- `warnings` – Numerical severity 4. Indicates a warning condition
- `notification` – Numerical severity 5. Indicates a normal but significant condition
- `informational` – Numerical severity 6. Indicates an informational condition
- `debugging` – Numerical severity 7. Debugging messages

- `ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-scan|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [drop-only]`
  - `dos` – Identifies IP events as DoS events
  - `ascend` – Optional. Enables an ASCEND DoS check. Ascend routers listen on UDP port 9 for packets from Ascend's Java Configurator. Sending a formatted packet to this port can cause an Ascend router to crash.
  - `broadcast-multicast-icmp` – Optional. Detects broadcast or multicast ICMP packets as an attack
  - `chargen` – Optional. The Character Generation Protocol (chargen) is an IP suite service primarily used for testing and debugging networks. It is also used as a source of generic payload for bandwidth and QoS measurements.
  - `fraggle` – Optional. A Fraggle DoS attack checks for UDP packets to or from port 7 or 19
  - `ftp-bounce` – Optional. A FTP bounce attack is a MIM attack that enables an attacker to open a port on a different machine using FTP. FTP requires that when a connection is requested by a client on the FTP port (21), another connection must open between the server and the client. To confirm, the PORT command has the client specify an arbitrary destination machine and port for the data connection. This is exploited by the attacker to gain access to a device that may not be the originating client.
  - `invalid-protocol` – Optional. Enables a check for invalid protocol number
  - `ip-ttl-zero` – Optional. Enables a check for the TCP/IP TTL field having a value of zero (0)
  - `ipsproof` – Optional. Enables a check for IP spoofing DoS attack

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-17](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-540.png)

- `land` – Optional. A Local Area Network Denial (LAND) is a DoS attack where IP packets are spoofed and sent to a device where the source IP and destination IP of the packet are the target device’s IP, and similarly, the source port and destination port are open ports on the same device. This causes the attacked device to reply to itself continuously.
- `option-route` – Optional. Enables an IP Option Record Route DoS check
- `router-advt` – Optional. This is an attack, where a default route entry is added remotely to a device. This route entry is given preference, and thereby exposes an attack vector.
- `router-solicit` – Optional. Router solicitation messages are sent to locate routers as a form of network scanning. This information can then be used to attack a device.
- `smurf` – Optional. In this attack, a large number of ICMP echo packets are sent with a spoofed source address. This causes the device with the spoofed source address to be flooded with a large number of replies.
- `snork` – Optional. This attack causes a remote Windows™ NT to consume 100% of the CPU’s resources. This attack uses a UDP packet with a destination port of 135 and a source port of 7, 9, or 135. This attack can also be exploited as a bandwidth consuming attack.
- `tcp-bad-sequence` – Optional. A DoS attack that uses a specially crafted TCP packet to cause the targeted device to drop all subsequent network traffic for a specific TCP connection
- `tcp-fin-scan` – Optional. A FIN scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports.
- `tcp-intercept` – Optional. Prevents TCP intercept attacks by using TCP SYN cookies
- `tcp-null-scan` – Optional. A TCP null scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports
- `tcp-post-syn` – Optional. Enables a TCP post SYN DoS attack
- `tcp-sequence-past-window` – Optional. Enables a TCP SEQUENCE PAST WINDOW DoS attack check. Disable this check to work around a bug in Windows XP's TCP stack which sends data past the window when conducting a selective ACK.
- `tcp-xmas-scan` – Optional. A TCP XMAS scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports.
- `tcphdrfrag` – Optional. A DoS attack where the TCP header spans IP fragments
- `twinge` – Optional. A twinge attack is a flood of false ICMP packets to try and slow down a system
- `udp-short-hdr` – Optional. Enables the identification of truncated UDP headers and UDP header length fields
- `winnuke` – Optional. This DoS attack is specific to Windows™ 95 and Windows™ NT, causing devices to crash with a blue screen
- `drop-only` – Optional. Drops a packet without logging

- `ip dos tcp-max-incomplete [high|low] <1-1000>`
  - `dos` – Identifies IP events as DoS events
  - `tcp-max-incomplete` – Sets the limits for the maximum number of incomplete TCP connections
  - `high` – Sets the upper limit for the maximum number of incomplete TCP connections
  - `low` – Sets the lower limit for the maximum number of incomplete TCP connections
  - `<1-1000>` – Sets the range limit from 1 - 1000 connections

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-18](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-541.png)

- `ip tcp adjust-mss <472-1460>`
  - `tcp` – Identifies and configures TCP events and configuration items
  - `adjust-mss` – Adjusts the TCP Maximum Segment Size (MSS). Use this option to adjust the MSS for TCP segments on the router.
  - `<472-1460>` – Sets the TCP MSS value from 472 - 1460 bytes. The default is 472 bytes.
- `ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]`
  - `tcp` – Identifies and configures TCP events and configuration items
  - `optimize-unnecessary-resends` – Enables the validation of unnecessary TCP packets
  - `recreate-flow-on-out-of-state-sync` – Allows a TCP SYN packet to delete an old flow in TCP_FIN_FIN_STATE, and TCP_CLOSED_STATE states and create a new flow
  - `validate-icmp-unreachable` – Enables the validation of the sequence number in ICMP unreachable error packets, which abort an established TCP flow
  - `validate-rst-ack-number` – Enables the validation of the acknowledgment number in RST packets, which abort a TCP flow
  - `validate-rst-seq-number` – Enables the validation of the sequence number in RST packets, which abort an established TCP flow

Example

```
rfs6000-37FABE(config-rw-policy-test)#ip dos fraggle drop-only
rfs6000-37FABE(config-rw-policy-test)#ip dos tcp-max-incomplete high 600
rfs6000-37FABE(config-rw-policy-test)#ip dos tcp-max-incomplete low 60
rfs6000-37FABE(config-fw-policy-test)#ip dos tcp-sequence-past-window drop-only
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#
```

Related Commands

- `no` – Resets firewall policy IP components

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-19](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-542.png)

13.1.9 ip-mac (firewall-policy)

Defines an action based on the device IP MAC table, and also detects conflicts between IP addresses and MAC addresses

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ip-mac [conflict|routing]
ip-mac conflict drop-only
ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]
ip-mac routing conflict drop-only
ip-mac routing [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]
```

Parameters

- `ip-mac conflict drop-only`
  - `conflict` – Action performed when a conflict exists between the IP address and MAC address. This option is enabled by default.
  - `drop-only` – Drops a packet without logging
- `ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]`
  - `conflict` – Action performed when a conflict exists between the IP address and MAC address. This option is enabled by default.
  - `log-and-drop` – Logs the event and drops the packet. This is the default setting.
  - `log-only` – Logs the event only, the packet is not dropped
  - `log-level` – Configures the log level
  - `<0-7>` – Sets the numeric logging level
  - `alerts` – Numerical severity 1. Indicates a condition where immediate action is required
  - `critical` – Numerical severity 2. Indicates a critical condition
  - `debugging` – Numerical severity 7. Debugging messages
  - `emergencies` – Numerical severity 0. System is unusable
  - `errors` – Numerical severity 3. Indicates an error condition
  - `informational` – Numerical severity 6. Indicates an informational condition
  - `notification` – Numerical severity 5. Indicates a normal but significant condition
  - `warnings` – Numerical severity 4. Indicates a warning condition. This is the default setting

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-20](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-543.png)

- `ip-mac routing conflict drop-only`
  - `routing` – Enables IPMAC routing conflict detection. This is also known as a Hole-196 attack in the network. This feature helps to detect if the client is sending routed packets to the correct router-mac-address.
  - `conflict` – Defines the action performed when a routing table conflict is detected. This option is enabled by default.
  - `drop-only` – Drops a packet without logging
- `ip-mac routing [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]`
  - `routing` – Defines a routing table based action
  - `conflict` – Action performed when a conflict exists in the routing table. This option is enabled by default.
  - `log-and-drop` – Logs the event and drops the packet. This is the default setting.
  - `log-only` – Logs the event only, the packet is not dropped
  - `log-level` – Configures the log level to log this event under
  - `<0-7>` – Sets the numeric logging level
  - `alerts` – Numerical severity 1. Indicates a condition where immediate action is required
  - `critical` – Numerical severity 2. Indicates a critical condition
  - `debugging` – Numerical severity 7. Debugging messages
  - `emergencies` – Numerical severity 0. System is unusable
  - `errors` – Numerical severity 3. Indicates an error condition
  - `informational` – Numerical severity 6. Indicates an informational condition
  - `notification` – Numerical severity 5. Indicates a normal but significant condition
  - `warnings` – Numerical severity 4. Indicates a warning condition. This is the default setting.

Example

```
rfs6000-37FABE(config-rw-policy-test)#ip-mac conflict drop-only
rfs6000-37FABE(config-rw-policy-test)#ip-mac routing conflict log-and-drop log-level notifications
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 ip-mac conflict drop-only
 ip-mac routing conflict log-only log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#
```

Related Commands

- `no` – Disables actions based on device IP MAC table, IP address, and MAC address conflict detection

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-21](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-544.png)
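
A `show context` listing like the one in the ip-mac example can be reviewed offline for settings that reduce visibility or protection. The Python sketch below is an added example, not part of the Extreme Networks guide: it flags checks set to `drop-only` (dropped, nothing logged), `log-only` (logged, nothing dropped) or negated with `no`, and flow timeouts far above the defaults stated in the flow section. The sample text is constructed from that example plus one constructed `no ip dos smurf` line; the finding codes and the 10x threshold are assumptions.

```python
"""Audit a WiNG firewall-policy `show context` listing (added example)."""

ACTIONS = {"drop-only", "log-and-drop", "log-only"}

# Defaults stated in the flow section of this guide, in seconds.
FLOW_DEFAULTS = {"icmp": 30, "other": 30, "udp": 30,
                 "tcp close-wait": 10, "tcp reset": 10}
TIMEOUT_FACTOR = 10  # assumption: flag timeouts above 10x the documented default

# Constructed sample: the guide's example output, one statement per line,
# plus one constructed negated check (`no ip dos smurf`).
SAMPLE = """\
firewall-policy test
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 no ip dos smurf
 ip-mac conflict drop-only
 ip-mac routing conflict log-only log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
"""


def statements(text):
    """Yield (negated, tokens) for each statement under the policy header."""
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "firewall-policy":
            continue
        negated = tokens[0] == "no"
        if negated:
            tokens = tokens[1:]
        if tokens:
            yield negated, tokens


def split_check(tokens):
    """Return (check_name, remaining_tokens) for a DoS or conflict check, else None."""
    if tokens[:2] in (["ip", "dos"], ["ipv6", "dos"]) and len(tokens) >= 3:
        return " ".join(tokens[:3]), tokens[3:]
    if tokens[0] in ("ip-mac", "ipv6-mac") and "conflict" in tokens:
        end = tokens.index("conflict") + 1
        return " ".join(tokens[:end]), tokens[end:]
    return None


def audit(text):
    """Return a list of (finding_code, subject) tuples for the listing."""
    findings = []
    for negated, tokens in statements(text):
        # Flow timeouts: compare with the defaults this guide documents.
        if tokens[:2] == ["flow", "timeout"] and tokens[-1].isdigit():
            key = " ".join(tokens[2:-1])
            default = FLOW_DEFAULTS.get(key)
            if default is not None and int(tokens[-1]) > default * TIMEOUT_FACTOR:
                findings.append(("LONG_TIMEOUT", "flow timeout " + key))
            continue
        check = split_check(tokens)
        if check is None:
            continue
        name, rest = check
        if name.endswith("tcp-max-incomplete"):
            continue  # connection thresholds, no action keyword to review
        action = next((t for t in rest if t in ACTIONS), None)
        if negated:
            findings.append(("DISABLED", name))      # check turned off
        elif action == "drop-only":
            findings.append(("NO_LOG", name))        # dropped, no event logged
        elif action == "log-only":
            findings.append(("NOT_DROPPED", name))   # event logged, packet passes
    return findings


if __name__ == "__main__":
    for code, subject in audit(SAMPLE):
        print(f"{code:13} {subject}")
```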

13.1.10 ipv6 (firewall-policy)

Configures IPv6 components on this firewall policy

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ipv6 [dos|duplicate-options|firewall|option|rewrite-flow-label|routing-type|strict-ext-hdr-check|unknown-options]
ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility} [drop-only|log-and-drop|log-only]
ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options] [drop-only|log-and-drop|log-only]
ipv6 option {endpoint-identification|network-service-access-point|router-alert|strict-hao-opt-alert|strict-padding} [drop-only|log-and-drop|log-only]
ipv6 [firewall enable|rewrite-flow-label]
```

Parameters

- `ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility} [drop-only|log-and-drop|log-only]`
  - `dos` – Identifies IPv6 events as DoS events
  - `hop-limit-zero` – Optional. Enables checking of the IPv6 hop limit field. If the IPv6 hop limit field is ZERO (0), it is considered an attack. This option is enabled by default.
  - `multicast-icmpv6` – Optional. Enables detection of multicast ICMPv6 traffic as an attack. This option is applicable only to ICMPv6 Echo request or reply packets. This option is enabled by default.
  - `tcp-intercept-mobility` – Optional. Enables detection of IPv6 TCP packets with mobility option "HAO(Home-Address-Option)" or "RH(Routing Header) type two". When enabled, this option also detects the “don't generate TCP syn cookies” for such packets. This option is enabled by default.
  - `drop-only` – This parameter is common to all of the above keywords. Drops all packets. Drops the specified packet type (hop-limit-zero, multicast-icmpv6, and tcp-intercept-mobility).
  - `log-and-drop` – Logs the event and drops the packet. Drops the specified packet type (hop-limit-zero, multicast-icmpv6, and tcp-intercept-mobility) and logs an event.
  - `log-only` – Logs the event only, the packet is not dropped. Does not drop the specified packet type (hop-limit-zero, multicast-icmpv6, and tcp-intercept-mobility). But, an event is logged.

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-22](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-545.png)

- `log-level` – If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are:
  - `<0-7>` – Sets the numeric logging level
  - `alerts` – Numerical severity 1. Indicates a condition where immediate action is required
  - `critical` – Numerical severity 2. Indicates a critical condition
  - `debugging` – Numerical severity 7. Debugging messages
  - `emergencies` – Numerical severity 0. System is unusable
  - `errors` – Numerical severity 3. Indicates an error condition
  - `informational` – Numerical severity 6. Indicates an informational condition
  - `notifications` – Numerical severity 5. Indicates a normal but significant condition
  - `warnings` – Numerical severity 4. Indicates a warning condition. This is the default setting.

- `ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options] [drop-only|log-and-drop|log-only]`
  - `duplicate-options` – Enables handling of duplicate options in hop-by-hop and destination option extension headers. This configuration excludes HAO handling. This option is enabled by default.
  - `routing-type [one|two]` – Enables checking of the following IPv6 routing types:
    - `one` – Routing Type 1 (Nimrod routing). This option is disabled by default.
    - `two` – Routing Type 2 (Mobile IP). This option is disabled by default.
  - `strict-ext-hdr-check` – Enables strict checking for out of order and number of occurrences of extension header. This option is enabled by default.
  - `unknown-options` – Enables handling unknown options in hop-by-hop and destination option extension headers. This option is enabled by default.
  - `drop-only` – This parameter is common to all of the above keywords. Drops all packets. Drops the packet if matching any of the above specified types.
  - `log-and-drop` – Logs the event and drops the packet. Drops the packet, if matching any of the above specified types, and logs an event.
  - `log-only` – Logs the event only, the packet is not dropped. Does not drop the packet, if matching any of the above specified types. But an event is logged.
  - `log-level` – If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are:
    - `<0-7>` – Sets the numeric logging level
    - `alerts` – Numerical severity 1. Indicates a condition where immediate action is required
    - `critical` – Numerical severity 2. Indicates a critical condition
    - `debugging` – Numerical severity 7. Debugging messages
    - `emergencies` – Numerical severity 0. System is unusable
    - `errors` – Numerical severity 3. Indicates an error condition
    - `informational` – Numerical severity 6. Indicates an informational condition
    - `notifications` – Numerical severity 5. Indicates a normal but significant condition
    - `warnings` – Numerical severity 4. Indicates a warning condition. This is the default setting.

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-23](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-546.png)

- `ipv6 option {endpoint-identification|network-service-access-point|router-alert|strict-hao-opt-alert|strict-padding} [drop-only|log-and-drop|log-only]`
  - `option` – Enables checking for the following IPv6 extension header options:
    - End point identification option (disabled by default)
    - Network service access point address option (disabled by default)
    - Router alert option (disabled by default)
    - Home address option in destination option extension header (enabled by default)
    - Pad1 and PadN options validating (enabled by default)

    All of these are optional parameters. If no option is specified, the system enables checks as per the default values.
  - `drop-only` – This parameter is common to all of the above keywords. Drops all packets. Drops the packet if matching any of the above specified “option” types.
  - `log-and-drop` – Logs the event and drops the packet. Drops the packet, if matching any of the above specified “option” types, and logs an event.
  - `log-only` – Logs the event only, the packet is not dropped. Does not drop the packet, if matching any of the above specified “option” types. But an event is logged.
  - `log-level` – If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are:
    - `<0-7>` – Sets the numeric logging level
    - `alerts` – Numerical severity 1. Indicates a condition where immediate action is required
    - `critical` – Numerical severity 2. Indicates a critical condition
    - `debugging` – Numerical severity 7. Debugging messages
    - `emergencies` – Numerical severity 0. System is unusable
    - `errors` – Numerical severity 3. Indicates an error condition
    - `informational` – Numerical severity 6. Indicates an informational condition
    - `notifications` – Numerical severity 5. Indicates a normal but significant condition
    - `warnings` – Numerical severity 4. Indicates a warning condition. This is the default setting.
- `ipv6 [firewall enable|rewrite-flow-label]`
  - `firewall enable` – Enables IPv6 firewall. This option is enabled by default.
  - `rewrite-flow-label` – Rewrites the IPv6 flow label field of every packet. This option is disabled by default.

Example

```
nx4500-5CFA2B(config-fw-policy-test)#ipv6 dos hop-limit-zero drop-only
nx4500-5CFA2B(config-fw-policy-test)#ipv6 routing-type two log-and-drop log-level warnings
nx4500-5CFA2B(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 ipv6 routing-type two log-and-drop log-level warnings
 ipv6 dos hop-limit-zero drop-only
nx4500-5CFA2B(config-fw-policy-test)#
```

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-24](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-547.png)

13.1.11 ipv6-mac (firewall-policy)

Defines an action based on conflicts detected in a device’s IPv6 and MAC addresses

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ipv6-mac [conflict|routing]
ipv6-mac conflict [drop-only|log-and-drop|log-only]
ipv6-mac routing conflict [drop-only|log-and-drop|log-only]
```

Parameters

- `ipv6-mac conflict [drop-only|log-and-drop|log-only]`
  - `conflict` – Enables detection of conflict between a device’s IPv6 and MAC addresses. This option is enabled by default. This command also specifies the action to be performed when such a conflict is detected. The options are: drop-only, log-and-drop, and log-only
  - `drop-only` – Drops a packet (with conflicting IPv6 and MAC address) without logging
  - `log-and-drop` – Logs the event and drops the packet. This is the default setting.
  - `log-only` – Logs the event only, the packet is not dropped
  - `log-level` – If selecting the “log-and-drop” and “log-only” action type, specify the log level. The options are:
    - `<0-7>` – Sets the numeric logging level
    - `alerts` – Numerical severity 1. Indicates a condition where immediate action is required
    - `critical` – Numerical severity 2. Indicates a critical condition
    - `debugging` – Numerical severity 7. Debugging messages
    - `emergencies` – Numerical severity 0. System is unusable
    - `errors` – Numerical severity 3. Indicates an error condition
    - `informational` – Numerical severity 6. Indicates an informational condition
    - `notifications` – Numerical severity 5. Indicates a normal but significant condition
    - `warnings` – Numerical severity 4. Indicates a warning condition. This is the default setting.
- `ipv6-mac routing conflict [drop-only|log-and-drop|log-only]`
  - `routing conflict` – Enables detection of conflict between the next-hop’s IPv6 and MAC addresses. This option is enabled by default. This command also specifies the action to be performed when such a conflict is detected. The options are: drop-only, log-and-drop, and log-only

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-26](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-549.png)

13.1.12 logging (firewall-policy)

Configures enhanced firewall logging

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
logging [icmp-all|icmp-packet-drop|malformed-packet-drop|verbose]
logging icmp-all
logging verbose
logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited]
```

Parameters

- `logging icmp-all`
  - `logging` – Configures enhanced firewall logging parameters
  - `icmp-all` – Enables logging of all ICMPv4/v6 packets allowed by the firewall. This option is disabled by default.
- `logging verbose`
  - `logging` – Configures enhanced firewall logging parameters. This option is disabled by default.
  - `verbose` – Enables verbose logging
- `logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited]`
  - `logging` – Configures enhanced firewall logging parameters
  - `icmp-packet-drop` – Drops ICMP (ICMPv4 and ICMPv6) packets that do not pass sanity checks. The default is none.
  - `malformed-packet-drop` – Drops raw IP (IPv4 and IPv6) packets that do not pass sanity checks. The default is none.
  - `all` – Logs all messages
  - `rate-limited` – Enables rate-limited logging. This option sets the rate limit for log messages to one message every 20 seconds.

![FIREWALL-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 13-28](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-551.png)

### 13.1.13 no (firewall-policy)

Negates a command or sets the default for firewall policy commands

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

**Syntax**

```
no [acl-logging|alg|clamp|dhcp-offer-convert|dns-snoop|firewall|flow|ip|ip-mac|ipv6|ipv6-mac|logging|proxy-arp|proxy-nd|stateful-packet-inspection-l2|storm-control|virtual-defragmentation]
no [acl-logging|dhcp-offer-convert|proxy-arp|proxy-nd|stateful-packet-inspection-l2]
no alg [dns|facetime|ftp|pptp|sccp|sip|tftp]
no clamp tcp-mss
no dns-snoop entry-timeout
no firewall enable
no flow dhcp stateful
no flow timeout [icmp|other|udp]
no flow timeout tcp [closed-wait|established|reset|setup|stateless-fin-or-reset|stateless-general]
no ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke}
no ip tcp [adjust-mss|optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
no ip-mac conflict
no ip-mac routing conflict
no ipv6 [dos|duplicate-options|firewall|option|rewrite-flow-label|routing-type|strict-ext-hdr-check|unknown-options]
no ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility}
no ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options]
no ipv6 option {endpoint-identification|network-service-access-point|router-alert|strict-hao-opt-alert|strict-padding}
no ipv6 [firewall enable|rewrite-flow-label]
no logging [icmp-all|icmp-packet-drop|verbose|malformed-packet-drop]
no storm-control [arp|broadcast|multicast|unicast] {fe <1-4>|ge <1-8>|log|port-channel <1-8>|up1|wlan <WLAN-NAME>}
no virtual-defragmentation {maximum-fragments-per-datagram|minimum-first-fragment-length|maximum-defragmentation-per-host|timeout}
```

**Parameters**

`no <PARAMETERS>`

- `no <PARAMETERS>` – Negates a command or sets the default for firewall policy commands.

**Example**

```
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 storm-control broadcast level 20000 ge 4
 storm-control arp log warnings
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 logging icmp-packet-drop rate-limited
 logging malformed-packet-drop all
 logging verbose
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#
rfs6000-37FABE(config-fw-policy-test)#no ip dos fraggle
rfs6000-37FABE(config-fw-policy-test)#no storm-control arp log
rfs6000-37FABE(config-fw-policy-test)#no dhcp-offer-convert
rfs6000-37FABE(config-fw-policy-test)#no logging malformed-packet-drop
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 no ip dos fraggle
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 storm-control broadcast level 20000 ge 4
 storm-control arp log none
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 logging icmp-packet-drop rate-limited
 logging verbose
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#
```

![User guide page 553](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-553.png)
![User guide page 554](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-554.png)



### 13.1.17 storm-control (firewall-policy)

Enables storm control on the firewall policy

Storms are packet bombardments that exceed the high threshold value configured for an interface. During a storm, packets are throttled until the rate falls below the configured rate, severely impacting performance for the RF Domain manager interface.

Storm control limits multicast, unicast and broadcast frames accepted and forwarded by a device. Messages are logged based on their severity level.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

**Syntax**

```
storm-control [arp|broadcast|multicast|unicast]
storm-control [arp|broadcast|multicast|unicast] [level|log]
storm-control [arp|broadcast|multicast|unicast] level <1-1000000> [fe <1-4>|ge <1-8>|port-channel <1-8>|up1|wlan <WLAN-NAME>]
storm-control [arp|broadcast|multicast|unicast] log [<0-7>|alerts|critical|debugging|emergencies|errors|informational|none|notifications|warnings]
```

**Parameters**

`storm-control [arp|broadcast|multicast|unicast] level <1-1000000> [fe <1-4>|ge <1-8>|port-channel <1-8>|up1|wlan <WLAN-NAME>]`

- `arp` – Configures storm control for ARP packets
- `broadcast` – Configures storm control for broadcast packets
- `multicast` – Configures storm control for multicast packets
- `unicast` – Configures storm control for unicast packets
- `level <1-1000000>` – Configures the allowed number of packets received per second before storm control begins
  - `<1-1000000>` – Sets the number of packets received per second
- `fe <1-4>` – Sets the FastEthernet port for storm control from 1 - 4
- `ge <1-8>` – Sets the GigabitEthernet port for storm control from 1 - 8
- `port-channel <1-8>` – Sets the port channel for storm control from 1 - 8
- `up1` – Sets the uplink interface
- `wlan <WLAN-NAME>` – Configures the WLAN
  - `<WLAN-NAME>` – Sets the WLAN ID for the storm control configuration

`storm-control [arp|broadcast|multicast|unicast] log [<0-7>|alerts|critical|debugging|emergencies|errors|informational|none|notifications|warnings]`

- `arp` – Configures storm control for ARP packets
- `broadcast` – Configures storm control for broadcast packets
- `multicast` – Configures storm control for multicast packets
- `unicast` – Configures storm control for unicast packets
- `log` – Configures the storm control log level for storm control events
- `<0-7>` – Sets the numeric logging level from 0 - 7
- `alerts` – Numerical severity 1. Indicates a condition where immediate action is required
- `critical` – Numerical severity 2. Indicates a critical condition
- `debugging` – Numerical severity 7. Debugging messages
- `emergencies` – Numerical severity 0. System is unusable
- `errors` – Numerical severity 3. Indicates an error condition
- `informational` – Numerical severity 6. Indicates an informational condition
- `none` – Disables storm control logging
- `notifications` – Numerical severity 5. Indicates a normal but significant condition
- `warnings` – Numerical severity 4. Indicates a warning condition. This is the default setting.

**Example**

```
rfs6000-37FABE(config-fw-policy-test)#storm-control arp log warning
rfs6000-37FABE(config-fw-policy-test)#storm-control broadcast level 20000 ge 4
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 storm-control broadcast level 20000 ge 4
 storm-control arp log warnings
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 logging icmp-packet-drop rate-limited
 logging malformed-packet-drop all
 logging verbose
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#
```

**Related Commands**

- `no` – Disables storm control limits on multicast, unicast, and broadcast frames accepted and forwarded by a device

![User guide page 558](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-558.png)
![User guide page 559](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-559.png)








### 14.1.6 no (mint-policy)

Negates a command or reverts values to their default. When used in the config MiNT policy mode, the no command resets or reverts the following global MiNT policy parameters: routing level, MTU, router packet priority, and UDP or IP encapsulation settings.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

**Syntax**

```
no [level|lsp|mtu|router|udp]
no level 2 area-id
no lsp checksum
no mtu
no router packet priority
no udp port <LINE-SINK>
```

**Parameters**

`no <PARAMETERS>`

- `no <PARAMETERS>` – The no command resets or reverts the following global MiNT policy parameters: routing level, MTU, router packet priority, and UDP or IP encapsulation settings.

**Example**

The following example shows the global Mint Policy parameters before the ‘no’ commands are executed:

```
rfs6000-37FABE(config-mint-policy-global-default)#show context
mint-policy global-default
 udp port 1024
 mtu 996
 level 2 area-id 2000
 sign-unknown-device
 security-level control-and-data
 rejoin-timeout 1000
rfs6000-37FABE(config-mint-policy-global-default)#
rfs6000-37FABE(config-mint-policy-global-default)#no level 2 area-id
rfs6000-37FABE(config-mint-policy-global-default)#no mtu
rfs6000-37FABE(config-mint-policy-global-default)#no udp port
```

The following example shows the global Mint Policy parameters after the ‘no’ commands are executed:

```
rfs6000-37FABE(config-mint-policy-global-default)#show context
mint-policy global-default
 sign-unknown-device
 security-level control-and-data
 rejoin-timeout 1000
rfs6000-37FABE(config-mint-policy-global-default)#
```

![User guide page 568](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-568.png)




### 15.1.1 aaa-login (management-policy)

Configures Authentication, Authorization and Accounting (AAA) authentication mode used with this management policy. The different modes are: local authentication and external RADIUS server authentication.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

**Syntax**

```
aaa-login [local|radius|tacacs]
aaa-login local
aaa-login radius [external|fallback|policy]
aaa-login radius [external|fallback|policy <AAA-POLICY-NAME>]
aaa-login tacacs [accounting|authentication|authorization|fallback|policy]
aaa-login tacacs [accounting|authentication|authorization|fallback|policy <AAA-TACACS-POLICY-NAME>]
```

**Parameters**

`aaa-login local`
`aaa-login radius [external|fallback|policy <AAA-POLICY-NAME>]`

- `local` – Sets local as the preferred authentication mode. Local authentication uses the local username database to authenticate a user.
  Note: The AP6511 and AP6521 platforms do not support local RADIUS resource.
- `radius` – Configures the RADIUS server parameters
  Note: If local authentication is disabled, use this command to specify if the RADIUS server used is external, fallback, or specified by a AAA policy.
- `external` – Configures external RADIUS server as the preferred authentication mode
- `fallback` – Configures RADIUS server authentication as the primary authentication mode. When RADIUS server authentication fails, the system uses local authentication. This command configures local authentication as a backup mode.
- `policy <AAA-POLICY-NAME>` – Associates a specified AAA policy with this management policy. The AAA policy determines if a client is granted access to the network.
  - `<AAA-POLICY-NAME>` – Specify the AAA policy name (should be existing and configured).
  Note: For more information on configuring AAA policy, see AAA-POLICY.

`aaa-login tacacs [accounting|authentication|authorization|fallback|policy <AAA-TACACS-POLICY-NAME>]`

- `tacacs` – Configures Terminal Access Control Access-Control System (TACACS) server parameters
- `accounting` – Configures TACACS accounting
- `authentication` – Configures TACACS authentication
- `authorization` – Configures TACACS authorization
- `fallback` – Configures TACACS as the primary authentication mode. When TACACS authentication fails, the system uses local authentication. This command configures local authentication as a backup mode.
- `policy <AAA-TACACS-POLICY-NAME>` – Associates a specified AAA TACACS policy with this management policy. TACACS policies control user access to devices and network resources while providing separate accounting, authentication, and authorization services.
  - `<AAA-TACACS-POLICY-NAME>` – Specify the TACACS policy name (should be existing and configured).
  Note: For more information on configuring AAA TACACS policy, see AAA-TACACS-POLICY.

**Usage Guidelines**

Use AAA login to determine whether management user authentication must be performed against a local user database or an external RADIUS server.

**Example**

```
rfs6000-37FABE(config-management-policy-test)#aaa-login radius external
rfs6000-37FABE(config-management-policy-test)#aaa-login radius policy test
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 aaa-login radius external
 aaa-login radius policy test
rfs6000-37FABE(config-management-policy-test)#
```

**Related Commands**

- `no` – Removes the TACACS server settings

![User guide page 573](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-573.png)
![User guide page 574](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-574.png)
### 15.1.2 allowed-locations (management-policy)

Configures a user-role based access control to RF Domains and locations with respect to the NSight user interface (UI). When configured, this access control is enforced only on the NSight UI.

The WiNG and NSight applications may have the same users with different permissions defined in each application. Various user roles are supported in WiNG (superuser, system-admin, network-admin, security-admin, device-provisioning-admin, helpdesk and monitor). With NSight, a user logging into the NSight UI should also have an access control restriction based on the role they’re assigned. For example, a WiNG user with helpdesk privileges should have access to only the site (RF Domain) in which the helpdesk is situated, and the location tree should contain only one RF Domain. Similarly, when a user responsible for a set of sites logs in to NSight, their location tree needs to contain the RF Domains for which they’re responsible.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

**Syntax**

```
allowed-locations <WORD> locations [NONE|ALL|<LIST-OF-LOCATIONS>]
```

**Parameters**

`allowed-locations <WORD> locations [NONE|ALL|<LIST-OF-LOCATIONS>]`

NOTE: For more information on NSight-policy configuration, see nsight-policy.

- `allowed-locations <WORD>` – Configures a location tag and associates a list of locations with the tag
  - `<WORD>` – Provide a location tag not exceeding 32 characters in length.
- `locations [NONE|ALL|<LIST-OF-LOCATIONS>]` – Associates locations with the above created location tag
  - `NONE` – When specified, states that none of the locations are to be allowed access.
  - `ALL` – When specified, states that all the locations are to be allowed access.
  - `<LIST-OF-LOCATIONS>` – Specifies a list of locations or individual RF Domains. When specified, states that the specified list of locations or RF Domains is allowed access.

![User guide page 575](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-575.png)


### 15.1.4 ftp (management-policy)

Enables File Transfer Protocol (FTP) on this management policy. FTP is the standard protocol for transferring files over a TCP/IP network. FTP requires administrators enter a valid username and password authenticated locally. FTP access is disabled by default.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

**Syntax**

```
ftp {password|rootdir|username}
ftp {password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>]}
ftp {rootdir <DIR>}
ftp {username <USERNAME> password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>] rootdir <DIR>}
```

**Parameters**

`ftp {password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>]}`
`ftp {rootdir <DIR>}`
`ftp {username <USERNAME> password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>] rootdir <DIR>}`

- `ftp password` – Optional. Configures the FTP server password
- `1 <ENCRYPTED-PASSWORD>` – Configures an encrypted password. Use this option when copy pasting the password from another device.
  - `<ENCRYPTED-PASSWORD>` – Specify the password. The password should not exceed 63 characters in length.
- `<PASSWORD>` – Configures a clear text password
- `ftp rootdir <DIR>` – Optional. Configures the root directory for FTP logins
  - `<DIR>` – Specify the root directory path. By default the root directory is set to flash:/
- `ftp username <USERNAME>` – Optional. Configures a new user account on the FTP server. The FTP user file lists users with FTP server access.
  - `<USERNAME>` – Specify the username. The username should not exceed 32 characters in length.
- `password 1 [<ENCRYPTED-PASSWORD>|<PASSWORD>]` – Configures an encrypted password
  - `<ENCRYPTED-PASSWORD>` – Specifies an encrypted password (use this option if copy pasting from another device). The password should not exceed 63 characters in length.
  - `<PASSWORD>` – Configures a clear text password
- `rootdir <DIR>` – After specifying the password, configure the FTP root directory.
  - `rootdir <DIR>` – Configures the root directory for FTP logins. Specify the root directory path.

**Usage Guidelines**

The string size of an encrypted password (option 1, password is encrypted with a SHA1 algorithm) must be exactly 40 characters.

**Example**

```
rfs6000-37FABE(config-management-policy-test)#ftp username superuser password test@123 rootdir dir
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#
```

**Related Commands**

- `no` – Disables FTP and its settings, such as the server password, root directory, and users

![User guide page 578](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-578.png)
![User guide page 579](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-579.png)

### 15.1.6 https (management-policy)

Enables Hyper Text Transport Protocol Secure (HTTPS) on this management policy

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

**Syntax**

```
https [server|sslv3|use-secure-ciphers-only]
```

**Parameters**

`https [server|sslv3|use-secure-ciphers-only]`

- `https` – Configures secure HTTP related parameters on this management policy
- `server` – Enables HTTPS on this management policy. HTTPS provides both authentication and data encryption as opposed to just authentication. This option is enabled by default.
- `sslv3` – Enables the use of SSLv3 protocol to connect to a Web page. When enabled, SSLv2 Web authentication is disabled, and enforces the use of Web browsers supporting SSLv3, which is a more secure protocol. This option is disabled by default.
- `use-secure-ciphers-only` – Enables the use of TLS v1.2 ciphers to secure client-server network communications. When enabled, for HTTPS connections the TLS v1.2 protocol is used, instead of the less secure TLS v1.0 or TLS v1.1 protocols. This option is enabled by default.

NOTE: If a RADIUS server is not reachable, HTTPS management access to the controller or access point may be denied. RADIUS support is available locally on controllers and access points, with the exception of AP6511 and AP6522 models, which require an external RADIUS resource.

**Example**

```
rfs6000-37FABE(config-management-policy-test)#https server
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#
```

![User guide page 581](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-581.png)


### 15.1.8 ipv6 (management-policy)

Restricts management access to specified hosts and/or subnets based on their IPv6 addresses and prefixes respectively

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

**Syntax**

```
ipv6 restrict-access [host|ipv6-access-list|subnet]
ipv6 restrict-access host <IPv6> {log|subnet}
ipv6 restrict-access host <IPv6> {log [all|denied-only]}
ipv6 restrict-access host <IPv6> {subnet <IPv6-PREFIX> {log [all|denied-only]}}
ipv6 restrict-access ipv6-access-list <IPv6-ACCESS-LIST-NAME>
ipv6 restrict-access subnet <IPv6-PREFIX> {host|log}
ipv6 restrict-access subnet <IPv6-PREFIX> {log [all|denied-only]}
ipv6 restrict-access subnet <IPv6-PREFIX> {host <IPv6> {log [all|denied-only]}}
```

**Parameters**

`ipv6 restrict-access host <IPv6> {log [all|denied-only]}`

- `host <IPv6>` – Restricts management access to a specified host, based on the host’s IPv6 address
  - `<IPv6>` – Specify the host’s IPv6 address.
- `log [all|denied-only]` – Optional. Configures a logging policy for access requests
  - `all` – Logs all access requests, both denied and permitted
  - `denied-only` – Logs only denied access events (when a host is denied access)

`ipv6 restrict-access host <IPv6> {subnet <IPv6-PREFIX> {log [all|denied-only]}}`

- `host <IPv6>` – Restricts management access to a specified host, based on the host’s IPv6 address.
  - `<IPv6>` – Specify the host’s IPv6 address.
- `subnet <IPv6-PREFIX>` – Optional. Restricts access to the host on a specified IPv6 subnet
  - `<IPv6-PREFIX>` – Specify the subnet’s IPv6 prefix in the X:X::X:X/M format.
- `log [all|denied-only]` – Optional. Configures a logging policy for access requests
  - `all` – Logs all access requests, both denied and permitted
  - `denied-only` – Logs only denied access events (when a host/subnet is denied access)

`ipv6 restrict-access ipv6-access-list <IPv6-ACCESS-LIST-NAME>`

- `ipv6-access-list <IPv6-ACCESS-LIST-NAME>` – Uses an IPv6 Access Control List (ACL) to filter access requests. IPv6 ACLs filter/mark packets based on the IPv6 address from which they arrive. IPv6 hosts configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. An existing IPv6 ACL can be created and used in the management policy context to permit or deny access to specific hosts and/or subnets.
  - `<IPv6-ACCESS-LIST-NAME>` – Specify the IPv6 ACL name.

`ipv6 restrict-access subnet <IPv6-PREFIX> {log [all|denied-only]}`

- `subnet <IPv6-PREFIX>` – Restricts management access to a specified IPv6 subnet
  - `<IPv6-PREFIX>` – Specify the subnet’s IPv6 prefix in the X:X::X:X/M format.
- `log [all|denied-only]` – Optional. Configures a logging policy for access requests
  - `all` – Logs all access requests, both denied and permitted
  - `denied-only` – Logs only denied access events (when a host/subnet is denied access)

`ipv6 restrict-access subnet <IPv6-PREFIX> {host <IPv6> {log [all|denied-only]}}`

- `subnet <IPv6-PREFIX>` – Restricts management access to a specified IPv6 subnet
  - `<IPv6-PREFIX>` – Specify the subnet’s IPv6 prefix in the X:X::X:X/M format.
- `host <IPv6>` – Optional. Restricts management access to a specific host within the specified subnet
  - `<IPv6>` – Specify the host’s IPv6 address.
- `log [all|denied-only]` – Optional. Configures a logging policy for access requests
  - `all` – Logs all access requests, both denied and permitted
  - `denied-only` – Logs only denied access events (when a host/subnet is denied access)

**Example**

```
rfs6000-37FABE(config-management-policy-test)#ipv6 restrict-access host 2001:fdbc:06cf:0011::13 subnet 2001:fdbc:06cf:0011::0/64 log all
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 ipv6 restrict-access host 2001:fdbc:06cf:0011::13 subnet 2001:fdbc:06cf:0011::0/64 log all
rfs6000-37FABE(config-management-policy-test)#
```

**Related Commands**

- `no` – Removes management access restriction settings

![User guide page 584](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-584.png)
![User guide page 585](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-585.png)
### 15.1.9 no (management-policy)

Negates a command or reverts values to their default. When used in the config management policy mode, the no command negates or reverts management policy settings.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

**Syntax**

```
no [aaa-login|allowed-locations|banner|ftp|http|https|idle-session-timeout|ipv6|passwd-entry|privilege-mode-password|rest-server|restrict-access|snmp-server|ssh|t5|telnet|user|service]
no aaa-login tacacs [accounting|authentication|authorization|fallback|policy]
no allowed-location <LOCATION-TAG>
no banner motd
no ftp {password|rootdir}
no http server
no https [server|sslv3|use-secure-ciphers-only]
no passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin]
no [idle-session-timeout|privilege-mode-password|rest-server|restrict-access]
no ipv6 restrict-access
no snmp-server [community|display-vlan-info-per-radio|enable|host|manager|max-pending-requests|request-timeout|suppress-security-configuration-level|throttle|user]
no snmp-server [community <WORD>|display-vlan-info-per-radio|enable traps|host <IP> {<1-65535>}|manager [all|v1|v2|v3]|max-pending-requests|request-timeout|suppress-security-configuration-level|throttle|user [snmpmanager|snmpoperator|snmptrap]]
no ssh {login-grace-time|port|use-key}
no t5 snmp-server [community|enable|host]
no [telnet|user <USERNAME>]
no service prompt crash-info
```

**Parameters**

`no <PARAMETERS>`

- `no <PARAMETERS>` – Removes or reverts this management policy’s settings based on the parameters passed

![User guide page 586](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-586.png)

### 15.1.10 passwd-entry (management-policy)

Configures user-account lockout and unlock parameters. Use this option to configure the maximum number of consecutive, failed login attempts allowed before an account is locked out, and the duration of lockout.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

**Syntax**

```
passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin] max-fail <1-100> lockout-time <0-600>
```

**Parameters**

`passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin] max-fail <1-100> lockout-time <0-600>`

- `passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin] max-fail <1-100> lockout-time <0-600>` – Configures user-role based account lockout criteria
  - `role` – Select the user-role. The options are:
    - device-provisioning-admin
    - helpdesk
    - monitor
    - network-admin
    - security-admin
    - system-admin
    - vendor-admin
    - web-user-admin
  - `max-fail <1-100>` – Specify the maximum number of consecutive, failed attempts allowed before an account is locked. Specify a value from 1 - 100.
  - `lockout-time <0-600>` – Specify the maximum time, in minutes, for which an account remains locked. The value ‘0’ indicates that the account is permanently locked. Specify a value from 0 - 600 minutes.

When configured, the lockout is individually applied to each account within the specified role/roles. For example, consider the ‘monitor’ role having two users: ‘user1’ and ‘user2’. The max-fail and lockout-time are set at ‘5’ attempts and ‘10’ minutes respectively. In this scenario, user2 makes 5 consecutive, failed login attempts, and the user2 account is locked out for 10 minutes. However, during this lockout time the user1 account remains active.

Note: In the event-system-policy context, enable ‘login-lockout’ and ‘login-unlocked’ event notification to trigger e-mail or syslog notification to users on occurrence of the login-lockout and login-unlock events. For more information, see event.

![User guide page 588](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-588.png)


Follow the steps below to configure a hashed-string alias and use it as a privilege mode password:

1. In the global-configuration context, create a hashed-string alias.

```
nx9500-6C8809(config)#alias hashed-string $PriMode Test12345
nx9500-6C8809(config)#show context | include alias
alias vlan $BLR-01 1
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
nx9500-6C8809(config)#
```

2. In the management-policy context, configure the hashed-string alias created in step 1 as the privilege mode password.

```
nx9500-6C8809(config-management-policy-test)#privilege-mode-password $PriMode
nx9500-6C8809(config-management-policy-default)#show context
management-policy default
 https server
 rest-server
 ssh
 user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
 snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
 privilege-mode-password $PriMode
nx9500-6C8809(config-management-policy-default)#
```

3. Confirm that the privilege mode is password protected.

```
nx9500-6C8809 login: admin
Password:
Feb 07 14:40:47 2017: %AUTH-6-INFO: login[28768]: user 'admin' on 'ttyS0' from 'Console' logged in
Feb 07 14:40:47 2017: nx9500-6C8809 : %SYSTEM-5-LOGIN: Successfully logged in user 'admin' with privilege 'superuser' from 'ttyS0'
nx9500-6C8809>en
Password:
```

**Related Commands**

- `no` – Removes the configured CLI privilege mode access password

![User guide page 591](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-591.png)

![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 2515.1.13 restrict-accessmanagement-policyRestricts management access to a set of hosts or subnetsRestricting remote access to a controller or service platform ensures only trusted hosts can communicate with enabled management services. This ensures only trusted hosts can perform management tasks and provide protection from brute force attacks from hosts attempting to break into the controller or service platform managed network.Administrators can permit management connections to be established on any IP interface on the controller or service platform (including IP interfaces used to provide captive portal guest access). Administrators can restrict management access by limiting access to a specific host (IP address), subnet, or ACL on the controller or service platform.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxrestrict-access [host|ip-access-list|subnet]restrict-access host <IP> {log|subnet}restrict-access host <IP> {log [all|denied-only]}restrict-access host <IP> {subnet <IP/M> {log [all|denied-only]}}restrict-access ip-access-list <IP-ACCESS-LIST-NAME>restrict-access subnet <IP/M> {host|log}restrict-access subnet <IP/M> {log [all|denied-only]}restrict-access subnet <IP/M> {host <IP> {log [all|denied-only]}}Parameters• restrict-access host <IP> {log [all|denied-only]}• restrict-access host <IP> {subnet <IP/M> {log [all|denied-only]}}host <IP> Restricts management access to a specified host, based on the host’s IPv4 address• <IP> – Specify the host’s IPv4 address.log [all|denied-only] Optional. 
Configures a logging policy for access requests• all – Logs all access requests, both denied and permitted• denied-only – Logs only denied access (when an access request is received from a host denied access, a record is logged)host <IP> Restricts management access to a specified host, based on the host’s IPv4 address• <IP> – Specify the host’s IPv4 address.subnet <IP/M> Optional. Restricts access to the host on a specified subnet• <IP/M> – Specify the subnet’s IPv4 address and mask in the A.B.C.D/M format.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-593.png)
![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 26• restrict-access ip-access-list <IP-ACCESS-LIST-NAME>• restrict-access subnet <IP/M> {log [all|denied-only]}• restrict-access subnet <IP/M> {host <IP> {log [all|denied-only]}}log [all|denied-only] Optional. Configures a logging policy for access requests.• all – Logs all access requests, both denied and permitted• denied-only – Logs only denied access events (when access request received from a host is denied)ip-access-list Uses an IPv4 ACL to filter access requestsIPv4 ACLs filter/mark packets based on the IPv4 address from which they arrive. IP and non-IP traffic, on the same layer 2 interface, can be filtered by applying an IPv4 ACL. Each IPv4 ACL contains a set of deny and/or permit rules. Each rule is specific to source and destination IPv4 addresses and the unique rules and precedence definitions assigned. When the network traffic matches the criteria specified in one of these rules, the action defined in that rule is used to determine whether the traffic is allowed or denied.<IP-ACCESS-LIST-NAME>Specify the IPv4 ACL name.subnet <IP/M> Restricts management access to a specified subnet• <IP/M> – Specify the subnet’s IPv4 address and mask in the A.B.C.D/M format.log [all|denied-only] Optional. Configures a logging policy for access requests. Sets the log type generated for access requests• all – Logs all access requests, both denied and permitted• denied-only – Logs only denied access events (when access request received from a subnet is denied)subnet <IP/M> Restricts management access to a specified subnet• <IP/M> – Specify the subnet’s IPv4 address and mask in the A.B.C.D/M formathost <IP> Optional. Uses the host IP address as a second filter• <IP> – Specify the host’s IPv4 address.log [all|denied-only] Optional. Configures a logging policy for access requests. 
Sets the log type generated for access requests• all – Logs all access requests, both denied and permitted• denied-only – Logs only denied access events (when access request received from a host within the specified subnet is denied)](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-594.png)

![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 2815.1.14 snmp-servermanagement-policyConfigures the Simple Network Management Protocol (SNMP) engine settings. SNMP is an application layer protocol that facilitates the exchange of management information between the controller and a managed device. SNMP enabled devices listen on port 162 (by default) for SNMP packets from the controller’s management server. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices. The read-only community string gathers statistics and configuration parameters from a supported wireless device. The read-write community string is used by a management server to set device parameters. SNMP is generally used to monitor a system’s performance and other parameters.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxsnmp-server [community|enable|display-vlan-info-per-radio|host|manager|max-pending-requests|request-timeout|suppress-security-configuration-level|throttle|user]snmp-server community [0 <WORD>|2 <WORD>|<WORD>] [ro|rw] {ip-snmp-access-list <IP-SNMP-ACL-NAME>}snmp-server enable trapssnmp-server host <IP> [v1|v2c|v3] {<1-65535>}snmp-server manager [all|v1|v2|v3]snmp-server [max-pending-requests {<64-1024>}|request-timeout {<2-720>}]snmp-server [display-vlan-info-per-radio|throttle <1-100>|suppress-security-configuration-level [0|1]]snmp-server user [snmpmanager|snmpoperator|snmptrap]snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 [auth|encrypted]snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 auth md5 [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]snmp-server user 
[snmpmanager|snmpoperator|snmptrap] v3 encrypted [auth md5|des auth md5] [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-596.png)
![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 29Parameters• snmp-server community [0 <WORD>|2 <WORD>|<WORD>] [ro|rw] {ip-snmp-access-list <IP-SNMP-ACL-NAME>}• snmp-server enable traps• snmp-server host <IP> [v1|v2c|v3] {<1-65535>}community [0 <WORD>|2 <WORD>|<WORD>]Sets the community string and associated access privileges. Define a public or private community designation. By default, SNMPv2 community strings on most devices are set to public for the read-only community string, and private for the read-write community string.• 0 <WORD> – Sets a clear text SNMP community string• 2 <WORD> – Sets an encrypted SNMP community string• <WORD> – Sets the SNMP community string[ro|rw] After configuring the SNMP community string, set the access permission for each community string used by devices to retrieve or modify information. Available options include• ro – Assigns read-only access to the specified SNMP community (allows a remote device to retrieve information)• rw – Assigns read and write access to the specified SNMP community (allows a remote device to modify settings)ip-snmp-access-list <IP-SNMP-ACL-NAME>Optional. Associates an IP SNMP access list (should be existing and configured). The IP SNMP ACL sets the SNMP management station’s IP address. SNMP trap information is received at this address.enable traps Enables trap generation (using the trap receiver configuration defined). This feature is disabled by default. Enabling this feature ensures the dispatch of SNMP notifications to all hosts.In a managed network, the controller uses SNMP trap receivers to notify faults. SNMP traps are unsolicited notifications triggered by thresholds (or actions) on devices and are therefore an important fault management tool.A SNMP trap receiver is the destination of SNMP messages (external to the controller). A trap is like a Syslog message, just over another protocol (SNMP). 
A trap is generated when a device consolidates event information and transmits the information to an external repository. The trap contains several standard items, such as the SNMP version, community, etc.SNMP trap notifications exist for most controller operations, but not all are necessary for day-to-day operation.host <IP> Configures a host’s IP address. This is the external server resource dedicated to receiving SNMP traps on behalf of the controller.[v1|v2c|v3] Configures the SNMP version used to send the traps• v1 – Uses SNMP version 1. This option is disabled by default.• v2c – Uses SNMP version 2c. This option is disabled by default.• v3 – Uses SNMP version 3. This option is enabled by default.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-597.png)
![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 30• snmp-server manager [all|v1|v2|v3]• snmp-server [max-pending-requests {<64-1024>}|request-timeout {<2-720>}]• snmp-server [display-vlan-info-per-radio|throttle <1-100>|suppress-security-configuration-level [0|1]]<1-65535> Optional. Configures the virtual port of the server resource dedicated to receiving SNMP traps• <1-65535> – Optional. Specify a value from 1 - 65535. The default port is 162.manager [all|v2|v3] Enables SNMP manager and specifies the SNMP version• all – Enables SNMP manager version v2 and v3• v1 – Enables SNMP manager version v1 only. SNMPv1 uses a simple password (“community string”). Data is unencrypted (clear text). Consequently it provides limited security, and should be used only inside LANs behind firewalls, not in WANs.• v2 – Enables SNMP manager version v2 only. SNMPv2 provides device management using a hierarchical set of variables. SNMPv2 uses Get, GetNext, and Set operations for data management. SNMPv2 is enabled by default.• v3 – Enables SNMP manager version v3 only. SNMPv3 adds security and remote configuration capabilities to previous versions. The SNMPv3 architecture introduces the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access control. The architecture supports the concurrent use of different security, access control and message processing techniques. SNMPv3 is enabled by default.max-pending-requests {<64-1024>}Sets the maximum number of requests that can be pending at any given time• <64-1024> – Optional. Specify a value from 64 - 1024. The default is 128.request-timeout{<2-720>}Sets the interval, in seconds, after which an error message is returned for a pending request• <2-720> – Optional. Specify a value from 2 - 720 seconds. 
The default is 240 seconds.display-vlan-info-per-radioEnables the display of the VLAN ID along with the radio interface IDthrottle <1-100> Sets CPU usage for SNMP activities. Use this command to set the CPU usage from 1 - 100.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-598.png)
![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 31• snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 auth md5 [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]• snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 encrypted [auth md5|des auth md5] [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]suppress-security-configuration-level [0|1]Sets the level of suppression of SNMP security configuration information• 0 – If this option is selected, an empty string is returned for the SNMP request for security configuration information. Security configuration information consists of:•Passwords•Keys• Shared secretsThe default setting is 0.• 1 – Suppresses the display of the policy, IP ACL, passwords, keys and shared secrets. If this option is selected, in addition to suppression from ‘Level 0’, an empty string is returned for a SNMP request on following items:• Management policies•IP ACL• Tables containing user names and community stringsuser [snmpmanager|snmpoperator|snmptrap]Defines user access to the SNMP engine• snmpmanager – Sets user as a SNMP manager• snmpoperator – Sets user as a SNMP operator• snmptrap – Sets user as a SNMP trap userv3 auth md5 Uses SNMP version 3 as the security model• auth – Uses an authentication protocol• md5 – Uses HMAC-MD5 algorithm for authentication[0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]Configures password using one of the following options:• 0 <PASSWORD> – Configures clear text password• 2 <ENCRYPTED - PASSWORD> – Configures encrypted password• <PASSWORD> – Specifies a password for authentication and privacy protocolsuser [snmpmanager|snmpoperator|snmptrap]Defines user access to the SNMP engine• snmpmanager – Sets user as a SNMP manager• snmpoperator – Sets user as a SNMP operator• snmptrap – Sets user as a SNMP trap userv3 encrypted Uses SNMP version 3 as the security model• encrypted – Uses encrypted privacy protocolauth md5 Uses authentication protocol• auth – Sets 
authentication parameters• md5 – Uses HMAC-MD5 algorithm for authenticationdes auth md5 Uses privacy protocol for user privacy• des – Uses CBC-DES for privacyAfter specifying the privacy protocol, specify the authentication mode.• auth – Sets user authentication parameters• md5 – Uses HMAC-MD5 algorithm for authentication](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-599.png)
![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 32Examplerfs6000-37FABE(config-management-policy-test)#snmp-server community snmp1 rorfs6000-37FABE(config-management-policy-test)#snmp-server host 172.16.10.23 v3 162rfs6000-37FABE(config-management-policy-test)#commitrfs6000-37FABE(config-management-policy-test)#snmp-server user snmpmanager v3 auth md5 test@123rfs6000-37FABE(config-management-policy-test)#show contextmanagement-policy test no http server https server ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir no ssh snmp-server community snmp1 ro snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123 snmp-server host 172.16.10.23 v3 162 aaa-login radius external aaa-login radius policy test idle-session-timeout 0 restrict-access host 172.16.10.2 log allrfs6000-37FABE(config-management-policy-test)#Related Commands[0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]The following are common to both the auth and des parameters:Configures password using one of the following options:• 0 <PASSWORD> – Configures a clear text password• 2 <ENCRYPTED - PASSWORD> – Configures an encrypted password• <PASSWORD> – Specifies a password for authentication and privacy protocolsno Disables or resets the SNMP server settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-600.png)

![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 3415.1.16 t5management-policyConfigures SNMP server settings for T5 devices on this management policyA T5 controller is an external device that can be adopted and managed by a WiNG controller. When enabled as a supported external device, a T5 controller can provide data to WiNG to assist in its management within a WiNG supported subnet.This command enables SNMP to communicate with T5 devices within the network. SNMP facilitates the exchange of management information between the controller or service platform and the T5 device. For more information, see snmp-server.Supported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX9500, NX9510Syntaxt5 snmp-server [community|contact|enable|host|location]t5 snmp-server community <COMMUNITY-NAME> [ro|rw] <SNMP-STATION-IP>t5 snmp-server contact <LINE>t5 snmp-server enable [server|traps]t5 snmp-server host <IP>t5 snmp-server location <LINE>Parameters• t5 snmp-server community <COMMUNITY-NAME> [ro|rw] <SNMP-STATION-IP>• t5 snmp-server contact <LINE>community <COMMUNITY-NAME> [ro|rw]Defines a public or private community designation. 
By default, SNMPv2 community strings on most devices are set to public, for the read-only community string, and private for the read-write community string.• <COMMUNITY-NAME> – Specify the SNMP community name, and configure the access permission for this community string (used by devices to retrieve or modify information).• ro – Allows a remote device to retrieve information only• rw – Allows a remote device to retrieve information and modify settings<SNMP-STATION-IP> Specify the SNMP management station IP address for receiving trap informationcontact <LINE> Configures the administrator of SNMP trap events for the T5 controller.• <LINE> – Specify the administrator’s name (should not exceed 64 characters).](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-602.png)
![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 35• t5 snmp-server enable [server|traps]• t5 snmp-server host <IP>• t5 snmp-server location <LINE>Examplenx9500-6C8809(config-management-policy-test)#t5 snmp-server community lab rw 192.168.13.7nx9500-6C8809(config-management-policy-test)#show contextmanagement-policy test http server no ssh t5 snmp-server community lab rw 192.168.13.7nx9500-6C8809(config-management-policy-test)#Related Commandsenable [server|traps] Enables the following:• server – Enables the SNMP server. When enabled, the system accepts SNMP management data. This is enabled by default.• traps – Enables SNMP traps. When enabled, the system generates SNMP traps. This is enabled by default.host <IP> Configures the T5 SNMP host’s IP address. The SNMP host receives the SNMP notifications.• <IP> – Specify the SNMP host’s IP address.location <LINE> Configures the system location for SNMP traps.• <LINE> – Specify the SNMP trap location (should not exceed 64 characters).no Removes or reverts SNMP server configuration for T5 devices](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-603.png)

![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 3715.1.18 usermanagement-policyAdds new user account. Use this option to add a new user, and define the role, access type, and allowed locations assigned to the user.Management services like Telnet, SSHv2, HTTP, HTTPs and FTP require users (administrators) enter a valid username and password, which is authenticated locally or centrally on a RADIUS server. SNMPv3 also requires a valid username and password, which is authenticated by the SNMPv3 module. For CLI users, the controller or service platform also requires user role information to know what permissions to assign.• If local authentication is used, associated role information is defined on the controller or service platform when the user account is created.• If RADIUS is used, role information is supplied by RADIUS using vendor-specific return attributes. If no role information is supplied by RADIUS, the controller or service platform applies default read-only permissions.Administrators can limit users to specific management interfaces. During authentication, the controller or service platform looks at the user’s access assignment to determine if the user has permissions to access an interface:• If local authentication is used, role information is defined on the controller or service platform when the user account is created.• If RADIUS is used, role information is supplied by RADIUS using vendor-specific return attributes.The controller or service platform authenticates users using the integrated local database. When user credentials are presented the controller or service platform validates the username and password against the local database and assigns permissions based on the associated roles assigned. 
The controller or service platform can also deny the authentication request if the user is attempting to access a management interface not specified in the account’s access mode list.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxuser <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin]user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin] access [all|console|ssh|telnet|web] ({allowed-locations <ALLOWED-LOCATIONS>})user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role vendor-admin group <VENDOR-GROUP-NAME>](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-605.png)
![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 38Parameters• user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin] access [all|console|ssh|telnet|web] ({allowed-locations <ALLOWED-LOCATIONS>})user <USERNAME> Adds a new user account to this management policy• <USERNAME> – Sets the username. This is a mandatory field and cannot exceed 32 characters. Assign a name representative of the user and the intended role.password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>]Configures a password• 0 <PASSWORD> – Sets a clear text password• 1 <SHA1-PASSWORD> – Sets the SHA1 hash of the password• <PASSWORD> – Sets the passwordrole Configures the user role. The options are:• device-provisioning-admin – Device provisioning administrator. Has privileges to update (provision) device configuration files or firmware. Such updates run the risk of overwriting and losing a device’s existing configuration unless the configuration is properly archived.• helpdesk – Helpdesk administrator. Performs troubleshooting tasks, such as run troubleshooting utilities (like a sniffer), view/retrieve logs, clear statistics, reboot, create and copy technical support dumps. The helpdesk administrator can also create a guest user account and password for registration. However, the helpdesk admin cannot execute controller or service platform reloads.• monitor – Monitor. Has read-only access to the system. Can view configuration and statistics except for secret information.• network-admin – Network administrator. Manages layer 2, layer 3, Wireless, RADIUS server, DHCP server, and Smart RF• security-admin – Security administrator. Modifies WLAN keys and passphrases• superuser – Superuser. Has full access, including halt and delete startup-config• system-admin – System administrator. 
Upgrades image, boot partition, time, and manages admin access• web-user-admin – Web user administrator. This role is used to create guest users and credentials. The Web user admin can access only the custom GUI screen and does not have access to the normal CLI and GUI.access [all|console|ssh|telnet|web]Configures the access type• all – Allows all types of access: console, SSH, Telnet, and Web• console – Allows console access only• ssh – Allows SSH access only• telnet – Allows Telnet access only• web – Allows Web access onlyallowed-locations <ALLOWED-LOCATIONS>Optional. This keyword is recursive and optional. It configures a list of locations (either as a path or a RF Domain) to which this user is allowed access.• <ALLOWED-LOCATIONS> – Specify the allowed locations.Note: Use this option to configure a list of RF Domains or its tree nodes to which this user is allowed access with respect to the Nsight policy.Note: This option is not applicable to the user role ‘web-user-admin’.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-606.png)
![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 39• user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role vendor-admin group <VENDOR-GROUP-NAME>Examplerfs6000-37FABE(config-management-policy-test)#user TESTER password test123 role superuser access allrfs6000-37FABE(config-management-policy-test)#show contextmanagement-policy test telnet port 200 no http server https server ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir ssh port 162 user TESTER password 1 b6b37c51405f4e93c67fe8af82d450c9fd6af69324cd56a55055cefe695b6a14 role superuser access all snmp-server community snmp1 ro snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123 snmp-server host 172.16.10.23 v3 162user <USERNAME> Adds a new user account to this management policy• <USERNAME> – Sets the username. This is a mandatory field and cannot exceed 32 characters. Assign a name representative of the user and the intended role.password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>]Configures a password• 0 <PASSWORD> – Sets a clear text password• 1 <SHA1-PASSWORD> – Sets the SHA1 hash of the password• <PASSWORD> – Sets the passwordrole vendor-admin Configures this user’s role as vendor-admin. Once created, the vendor-admin can access the online device-registration portal to add devices to the RADIUS vendor group to which he/she belongs. Vendor-admins have only Web access to the device registration portal.The WiNG software allows multiple vendors to securely on-board their devices through a single SSID. Each vendor has a ‘vendor-admin’ user who is assigned a unique, username/password credential for RADIUS server validation. Successfully validated vendor-admins can on-board their devices, which are, on completion of the on-boarding process, immediately placed on the vendor-allowed VLAN. 
On subsequent associations with this SSID, registered devices are dynamically placed into the vendor-allowed VLAN.If assigning the vendor-admin role, provide the vendor's group name for RADIUS authentication. The vendor's group takes precedence over the statically configured group for device registration.Note: Use the service > show > wireless > credential-cache command to view on-boarded device’s VLAN assignment.Note: Ensure that the REST server is enabled, to allow vendor users access to the online device registration portal. Note, by default the REST server is enabled. For more information, see rest-server.group <VENDOR-GROUP-NAME>Associates this vendor-admin user with a vendor group, required for RADIUS authentication. The vendor group should be existing and configured in the RADIUS group policy. For more information on configuring RADIUS groups, see radius-group.• <VENDOR-GROUP-NAME> – Provide the vendor group name. In case of multiple allowed groups, provide a list of comma-separated group names.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-607.png)
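An audit of the settings covered in the restrict-access, snmp-server and user sections above, as an added example (not code from this guide or from the vendor). It scans `show context` output for Telnet or HTTP being enabled, type-0 clear text secrets, default or unrestricted read-write SNMP communities, SNMPv1/v2c trap hosts, superuser accounts with `access all`, and missing or overly broad `restrict-access`. The finding codes, the `audit` function and the /16 threshold are assumptions of this example; the sample input is constructed from the guide's own example output.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample: lines taken from the `show context` examples in this guide,
# plus one constructed line (`snmp-server community 0 private rw`).
SAMPLE_CONTEXT = """\
management-policy test
 telnet port 200
 no http server
 https server
 ssh port 162
 user TESTER password 1 b6b37c51405f4e93c67fe8af82d450c9fd6af69324cd56a55055cefe695b6a14 role superuser access all
 snmp-server community snmp1 ro
 snmp-server community 0 private rw
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 restrict-access host 172.16.10.2 log all
"""


class Finding(NamedTuple):
    code: str  # hypothetical finding identifier used by this example only
    line: str  # offending config line, with type-0 secrets redacted


# `0 <WORD>` marks a clear text value in the syntax tables (1 = hash, 2 = encrypted).
TYPE0_RE = re.compile(r"\b(password|community|md5) 0 \S+")
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?:[02] )?(?P<name>\S+) (?P<perm>ro|rw)"
    r"(?: ip-snmp-access-list (?P<acl>\S+))?$"
)
TRAP_HOST_RE = re.compile(r"^snmp-server host \S+ (v1|v2c)\b")
USER_RE = re.compile(
    r"^user \S+ password .* role (?P<role>\S+)(?: access (?P<access>.+))?$"
)
SUBNET_RE = re.compile(r"\bsubnet (\S+)")
DEFAULT_COMMUNITIES = {"public", "private"}


def audit(context: str, min_prefix: int = 16) -> List[Finding]:
    """Return findings for one management-policy block of `show context` output.

    min_prefix is an assumed local threshold: restrict-access subnets wider
    than this prefix length are reported as too broad.
    """
    findings: List[Finding] = []
    restricted = False
    for raw in context.splitlines():
        line = raw.strip()
        if not line:
            continue
        safe = TYPE0_RE.sub(r"\1 0 <redacted>", line)  # never echo secrets

        if line == "telnet" or line.startswith("telnet "):
            findings.append(Finding("TELNET-ENABLED", safe))
        if line == "http server":
            findings.append(Finding("HTTP-ENABLED", safe))
        if safe != line:
            findings.append(Finding("CLEAR-TEXT-SECRET", safe))

        m = COMMUNITY_RE.match(line)
        if m:
            if m.group("name").lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("DEFAULT-COMMUNITY", safe))
            if m.group("perm") == "rw" and not m.group("acl"):
                findings.append(Finding("RW-COMMUNITY-NO-ACL", safe))
        if TRAP_HOST_RE.match(line):
            findings.append(Finding("TRAPS-V1-V2C", safe))

        m = USER_RE.match(line)
        if m and m.group("role") == "superuser" \
                and "all" in (m.group("access") or "").split():
            findings.append(Finding("SUPERUSER-ALL-ACCESS", safe))

        if line.startswith("restrict-access "):
            restricted = True
            for cidr in SUBNET_RE.findall(line):
                try:
                    net = ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    findings.append(Finding("BAD-SUBNET", safe))
                    continue
                if net.prefixlen < min_prefix:
                    findings.append(Finding("BROAD-RESTRICT-ACCESS", safe))
    if not restricted:
        findings.append(Finding("NO-RESTRICT-ACCESS", "(no restrict-access line)"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONTEXT):
        print(f"{f.code:24} {f.line}")
```

On the guide's own example, the SNMPv3 user is reported because `show context` stores its password as a type-0 value, while the `user TESTER` password is stored as a type-1 hash and is not.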

![MANAGEMENT-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 4115.1.19 servicemanagement-policyInvokes service commandsSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxservice [prompt|show]service [prompt crash-info|show cli]Parameters• service [prompt crash-info|show cli]Examplerfs6000-37FABE(config-management-policy-test)#service show cliManagement Mode mode:+-help [help] +-search +-WORD [help search WORD (|detailed|only-show|skip-show|skip-no)] +-detailed [help search WORD (|detailed|only-show|skip-show|skip-no)] +-only-show [help search WORD (|detailed|only-show|skip-show|skip-no)] +-skip-show [help search WORD (|detailed|only-show|skip-show|skip-no)] +-skip-no [help search WORD (|detailed|only-show|skip-show|skip-no)]+-show +-commands [show commands] +-simulate +-stats [show simulate stats] +-eval +-WORD [show eval WORD] +-debugging [show debugging (|(on DEVICE-OR-DOMAIN-NAME))] +-cfgd [show debugging cfgd] +-on +-DEVICE-OR-DOMAIN-NAME [show debugging (|(on DEVICE-OR-DOMAIN-NAME))] +-fib [show debugging fib(|(on DEVICE-NAME))] +-on +-DEVICE-NAME [show debugging fib(|(on DEVICE-NAME))] +-wireless [show debugging wireless (|(on DEVICE-OR-DOMAIN-NAME))] +-on--More--Related Commandsservice promptcrash-infoUpdates CLI prompt settings• crash-info – Includes an asterisk at the end of the prompt if the device has crash files in the flash:/crashinfo folderservice show cli Displays running system information• cli – Displays the current mode’s CLI treeno Disables the inclusion of an asterisk indicator notifying the presence of crash 
files](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-609.png)




![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 516.1.2 policyradius-groupSets a RADIUS group’s authorization settings, such as access day/time, WLANs, etc.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxpolicy [access|day|inactivity-timeout|role|session-time|ssid|time|vlan]policy vlan <1-4094>policy access [all|console|ssh|telnet|web]policy access [all|console|ssh|telnet|web] {(all|console|ssh|telnet|web)}policy day [all|fr|mo|sa|su|th|tu|we|weekdays] {(fr|mo|sa|su|th|tu|we|weekdays)}policy inactivity-timeout <60-86400>policy role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin]policy session-time <5-144000>policy ssid <SSID>policy time start <HH:MM> end <HH:MM>Parameters• policy vlan <1-4094>NOTE: A user-based VLAN is effective only if dynamic VLAN authorization is enabled for the WLAN.NOTE: Access and role settings are applicable only to a management group. They cannot be configured for a RADIUS non-management group.vlan <1-4094> Sets the guest RADIUS group’s VLAN ID from 1 - 4094. The VLAN ID is representative of the shared SSID each group member (user) employs to interoperate within the network (once authenticated by the local RADIUS server).This option is applicable to a guest user group, which has guest access and temporary permissions to the local RADIUS server. The terms of the guest access can be set uniquely for each group. 
Guest user groups cannot be made management groups with unique access and role permissions.Enable dynamic VLAN assignment for the WLAN for the VLAN assignment to take effect.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-614.png)
![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 6• policy access [all|console|ssh|telnet|web] {(all|console|ssh|telnet|web)}• policy role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin]• policy inactivity-timeout <60-86400>access Configures access type for a management group. Management groups can be assigned unique access and role permissions.• all – Allows all access. Wireless client access to the console, ssh, telnet, and/or Web• console – Allows console access only• ssh – Allows SSH access only• telnet – Allows Telnet access only• web – Allows Web access onlyThese parameters are recursive, and you can provide access to more than one component.role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin]Configures the role assigned to a management RADIUS group. If a group is listed as a management group, it may also have a unique role assigned. Available roles include:• device-provisioning-admin – Device provisioning administrator. Has privileges to update (provision) device configuration files or firmware. Such updates run the risk of overwriting and losing a device's existing configuration unless the configuration is properly archived.• helpdesk – Helpdesk administrator. Performs troubleshooting tasks, such as clear statistics, reboot, create and copy tech support dumps. The helpdesk administrator can also create a guest user account and password for registration. These details can be e-mailed or sent as SMS to a mobile phone.• monitor – Monitor. Has read-only access to the network. Can view configuration and statistics except for secret information• network-admin – Network administrator. Has wired and wireless access to the network. Manages layer 2, layer 3, Wireless, RADIUS server, DHCP server, and Smart RF• security-admin – Security administrator. Has full read/write access to the network. 
Modifies WLAN keys and passphrases• superuser – Superuser. Has full access, including halt and delete startup config• system-admin – System administrator. Upgrades image, boot partition, time, and manages admin access• web-user-admin – Web user administrator. This role is used to create guest users and credentials. The web-user-admin can access only the custom GUI screen and does not have access to the normal CLI and GUI.inactivity-timeout <60-86400>Configures the inactivity time for this RADIUS group users. If a frame is not received from a client for the specified period, then the client’s session is removed. When defined, this value is used instead of the captive-portal inactivity timeout. If the inactivity timeout is not configured in the radius-group context or the captive-portal context, the default timeout (60 seconds) is applied.• <60-86400> – Specify a value from 60 - 86400 seconds. This option is disabled by default.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-615.png)
![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 7• policy session-time <5-144000>• policy ssid <SSID>• policy day [all|fr|mo|sa|su|th|tu|we|weekdays] {(fr|mo|sa|su|th|tu|we|weekdays)}• policy time start <HH:MM> end <HH:MM>Usage GuidelinesA management group access policy provides:• access details• user roles• policy’s start and end timeThe SSID, day, and VLAN settings are not applicable to a management user group.session-time <5-144000>Configures the session duration for clients belonging to a specific vendor group. Once configured, this is the duration for which over-the-air, on-boarded, successfully authenticated devices, belonging to a vendor group, get online access. The session is removed on completion of this duration. The vendor’s RADIUS group takes precedence over statically configured group for device registration.• <5-144000> – Specify a value from 5 - 144000 minutes. This option is disabled by default.For more information, see configuring device registration with dynamic VLAN assignment.ssid <SSID> Sets the Service Set Identifier (SSID) for this guest RADIUS group. Use this command to assign SSIDs that users within this RADIUS group are allowed to associate. Assign SSIDs of those WLANs only that the guest users need to access. This option is not available for a management group.• <SSID> – Specify a case-sensitive alphanumeric SSID, not exceeding 32 characters.day [all|fr|mo|sa|su|th|tu|we|weekdays]Configures the days on which this guest RADIUS group members can access the local RADIUS resources. 
The options are recursive, and you can provide access on multiple days.• fr – Allows access on Friday only• mo – Allows access on Mondays only• sa – Allows access on Saturdays only• su – Allows access on Sundays only• th – Allows access on Thursdays only• tu – Allows access on Tuesdays only• we – Allows access on Wednesdays only• weekdays – Allows access on weekdays only (Monday to Friday)time start <HH:MM> end <HH:MM>Configures the time when this RADIUS group can access the network• start <HH:MM> – Sets the start time in the HH:MM format (for example, 13:30 means the user can login only after 1:30 PM). Specifies the time users, within each listed group, can access the local RADIUS resources.• end <HH:MM> – Sets the end time in the HH:MM format (for example, 17:30 means the user is allowed to remain logged in until 5:30 PM). Specifies the time users, within each listed group, lose access to the local RADIUS resources.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-616.png)

![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 916.1.3 rate-limitradius-groupSets the rate limit for the guest RADIUS server groupSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxrate-limit [from-air|to-air] <100-1000000>Parameters• rate-limit [from-air|to-air] <100-1000000>Examplerfs6000-37FABE(config-radius-group-test)#rate-limit to-air 200rfs6000-37FABE(config-radius-group-test)#show contextradius-group test guest policy vlan 1 policy ssid test policy day mo policy day tu policy day we policy day th policy day fr policy day sa policy day su rate-limit to-air 200 policy time start 13:30 end 17:30rfs6000-37FABE(config-radius-group-test)#Related CommandsNOTE: The rate-limit setting is not applicable to a management group.to-air <100-1000000> Sets the rate limit in the downlink direction, from the network to the wireless client• <100-1000000> – Specify the rate from 100 - 1000000 Kbps.from-air <100-1000000>Sets the rate limit in the uplink direction, from the wireless client to the network• <100-1000000> – Specify the rate from 100 - 1000000 Kbps.no Removes the RADIUS guest group’s rate limits](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-618.png)
![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 1016.1.4 noradius-groupNegates a command or sets its default. Removes or modifies the RADIUS group policy settings. When used in the config RADIUS group mode, the no command removes or modifies the following settings: access type, access days, role type, VLAN ID, and SSID.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxno [guest|policy|rate-limit]no policy [access|day|inactivity-timeout|role|session-time|ssid|time|vlan]no policy access [all|console|ssh|telnet|web]no policy day [all|fr|mo|sa|su|th|tu|we|weekdays]no policy session-timeno policy ssid [<SSID>|all]no policy [inactivity-timeout|role|time|vlan]no rate-limit [from-air|to-air]Parameters• no <PARAMETERS>ExampleThe following example shows the RADIUS guest group ‘test’ settings before the ‘no’ commands are executed:rfs6000-37FABE(config-radius-group-test)#show contextradius-group test guest policy vlan 1 policy ssid test policy day mo policy day tu policy day we policy day th policy day fr policy day sa policy day su rate-limit to-air 200 policy time start 13:30 end 17:30rfs6000-37FABE(config-radius-group-test)#rfs6000-37FABE(config-radius-group-test)#no guestrfs6000-37FABE(config-radius-group-test)#no rate-limit to-airrfs6000-37FABE(config-radius-group-test)#no policy day allno <PARAMETERS> Negates a command or sets its default. Removes or modifies the RADIUS group policy settings. 
When used in the config RADIUS group mode, the no command removes or modifies the following settings: access type, access days, role type, VLAN ID, and SSID.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-619.png)



![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 1416.2.1 authenticationradius-server-policySpecifies the RADIUS datasource used for user authentication. Options include local for the local user database or LDAP for a remote LDAP resource.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxauthentication [data-source|eap-auth-type]authentication data-source [ldap|local]authentication data-source [ldap {fallback}|local] {(ssid <SSID> precedence <1-5000>)}authentication eap-auth-type [all|peap-gtc|peap-mschapv2|tls|ttls-md5|ttls-mschapv2|ttls-pap]Parameters• authentication data-source [ldap {fallback}|local] {(ssid <SSID> precedence <1-5000>)}data-source The RADIUS server can either use the local database or an external LDAP server to authenticate a user. It is necessary to specify the data source. The options are: LDAP and local.ldap fallback Uses a remote LDAP server as the data source• fallback – Optional. Enables fallback to local authentication. This feature ensures that if the designated external LDAP resource were to fail or become unavailable, the client is authenticated against the local RADIUS resource. This option is disabled by default.When using LDAP as the authentication external source, PEAP-MSCHAPv2 authentication type can be used only if the LDAP server returns the password as plain-text. PEAP-MSCHAPv2 authentication is not supported if the LDAP server returns encrypted passwords. This restriction does not apply for Microsoft's Active Directory server.local Uses the local user database to authenticate a user. 
This is the default setting.ssid <SSID> precedence <1-5000>The following keywords are recursive and common to both ‘ldap’ and ‘local’ parameters:• ssid – Optional. Associates the data source, selected in the previous step, with a SSID• <SSID> – Specify the SSID for this authentication data source. The SSID is case sensitive and should not exceed 32 characters in length. Do not use any of the following characters (< > | " & \ ? ,).Contd..](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-623.png)
![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 15• authentication eap-auth-type [all|peap-gtc|peap-mschapv2|tls|ttls-md5|ttls-mschapv2|ttls-pap]Examplerfs6000-37FABE(config-radius-server-policy-test)#authentication eap-auth-type tlsrfs6000-37FABE(config-radius-server-policy-test)#show contextradius-server-policy test authentication eap-auth-type tlsrfs6000-37FABE(config-radius-server-policy-test)#Related Commands• precedence <SSID> – Sets the precedence for this authentication rule. The precedence value allows systematic evaluation and application of rules. Rules with the lowest precedence receive the highest priority.• <1-5000> – Specify a precedence from 1 - 5000.Specifying the SSID allows the RADIUS server to use the SSID attribute in access requests to determine the data source to use. This option is applicable to onboard RADIUS servers only.eap-auth-type Uses Extensible Authentication Protocol (EAP), with this RADIUS server policy, for user authenticationThe EAP authentication types supported by the local RADIUS server are: all, peap-gtc, peap-mschapv2, tls, ttls-md5, ttls-mschapv2, ttls-pap.all Enables both TTLS and PEAP authentication. This is the default setting.peap-gtc Enables PEAP with default authentication using GTCpeap-mschapv2 Enables PEAP with default authentication using MSCHAPv2When using LDAP as the authentication external source, PEAP-MSCHAPv2 authentication type can be used only if the LDAP server returns the password as plain-text. PEAP-MSCHAPv2 authentication is not supported if the LDAP server returns encrypted passwords. 
This restriction does not apply for Microsoft's Active Directory server.tls Enables TLS as the EAP typettls-md5 Enables TTLS with default authentication using md5ttls-mschapv2 Enables TTLS with default authentication using MSCHAPv2ttls-pap Enables TTLS with default authentication using PAPno Removes the RADIUS authentication settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-624.png)
![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 1616.2.2 bypassradius-server-policyEnables bypassing a CRL check. When enabled, this feature bypasses checks for missing and expired CRLs. This option is enabled by default.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxbypass [crl-check|expired-crl]Parameters• bypass [crl-check|expired-crl]Examplenx9500-6C8809(config-radius-server-policy-test)#bypass crl-checknx9500-6C8809(config-radius-server-policy-test)#no bypass crl-checknx9500-6C8809(config-radius-server-policy-test)#show contextradius-server-policy test no bypass crl-checknx9500-6C8809(config-radius-server-policy-test)#Related Commandsbypass [crl-check|expired-crl]Bypasses CRL check based on the parameters passed• crl-check – Bypasses CRL check of missing CRLs• expired-crl – Bypasses CRL check of expired CRLsNote: A CRL is a list of certificates that have been revoked or are no longer valid.no Disables bypassing of checking for missing CRLs or expired CRLs](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-625.png)


![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 1916.2.5 ldap-agentradius-server-policyConfigures the LDAP agent’s settings in the RADIUS server policy contextWhen a user's credentials are stored on an external LDAP server, the local RADIUS server cannot successfully conduct PEAP-MSCHAPv2 authentication, since it is not aware of the user's credentials maintained on the external LDAP server resource. Therefore, up to two LDAP agents can be provided locally so remote LDAP authentication can be successfully accomplished on the remote LDAP resource (using credentials maintained locally).This feature is available to all controller, service platforms and access point models, with the exception of AP6511 and AP6521 models running in standalone AP or virtual controller AP mode. However, this feature is supported by dependent mode AP6511 and AP6521 model access points when adopted and managed by a controller or service platform.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxldap-agent [join|join-retry-timeout|primary|secondary]ldap-agent [join {on <DEVICE-NAME>}|join-retry-timeout <60-300>]ldap-agent [primary|secondary] domain-name <LDAP-DOMAIN-NAME> domain-admin-user <ADMIN-USER-NAME> domain-admin-password [0 <WORD>|2 <WORD>]Parameters• ldap-agent [join {on <DEVICE-NAME>}|join-retry-timeout <60-300>]ldap-agent Configures the LDAP agent’s settingsjoin {on <DEVICE-NAME>}Initiates the join process, which binds the RADIUS server with the LDAP server’s (Windows) domain. When successful, the hostname (name of the AP, wireless controller, or service platform) is added to the LDAP server’s Active Directory.• on <DEVICE-NAME> – Optional. 
Specifies the device name• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.To confirm the join status of a controller, use the show > ldap-agent > join-status command.join-retry-timeout <60-300>If the join process fails (i.e. the RADIUS server fails to join the LDAP server’s domain), the process is retried after a specified interval. This command configures the interval (in seconds) between two successive join attempts.• <60-300> – Set the timeout value from 60 - 300 seconds. The default is 60 seconds.A retry timer is initiated as soon as the join process starts, which tracks the time lapse in case of a failure.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-628.png)
![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 20• ldap-agent [primary|secondary] domain-name <LDAP-DOMAIN-NAME> domain-admin-user <ADMIN-USER-NAME> domain-admin-password [0 <WORD>|2 <WORD>]Examplerfs4000-229D58(config-radius-server-policy-test)#ldap-agent primary domain-name test domain-admin-user Administrator domain-admin-password 0 test@123rfs4000-229D58(config-radius-server-policy-test)#rfs4000-229D58(config-radius-server-policy-test)#show contextradius-server-policy test ldap-agent primary domain-name test domain-admin-user Administrator domain-admin-password 0 test@123rfs4000-229D58(config-radius-server-policy-test)#Related Commandsldap-agent Configures the LDAP agent’s settingsprimary Configures the primary LDAP server details, such as domain name, user name, and password. The RADIUS server uses these credentials to bind with the primary LDAP server.secondary Configures the secondary LDAP server details, such as domain name, user name, and password. 
The RADIUS server uses these credentials to bind with the secondary LDAP server.domain-name <LDAP-DOMAIN-NAME>This keyword is common to both the ‘primary’ and ‘secondary’ parameters.• domain-name – Configures the primary or secondary LDAP server’s domain name• <LDAP-DOMAIN-NAME> – Specify the domain name.domain-admin-user <ADMIN-USER-NAME>This keyword is common to both the ‘primary’ and ‘secondary’ parameters.• domain-admin-user – Configures the primary or secondary LDAP server’s admin user name• <ADMIN-USER-NAME> – Specify the admin user’s name.domain-admin-password [0 <WORD>|2 <WORD>]This keyword is common to both the ‘primary’ and ‘secondary’ parameters.• domain-admin-password – Configures the primary or secondary LDAP server’s admin user password• 0 <WORD> – Specifies the password in the unencrypted format• 2 <WORD> – Specifies the password in the encrypted formatno Removes LDAP agent settings from this RADIUS server policy](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-629.png)

![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 2216.2.7 ldap-serverradius-server-policyConfigures the LDAP server’s settings. Configuring LDAP server allows users to login and authenticate from anywhere on the network.Administrators have the option of using the local RADIUS server to authenticate users against an external LDAP server resource. Using an external LDAP user database allows the centralization of user information and reduces administrative user management overhead making RADIUS authorization more secure and efficient.RADIUS is not just a database. It is a protocol for asking intelligent questions to a user database (like LDAP). LDAP however is just a database of user credentials used optionally with the local RADIUS server to free up resources and manage user credentials from a secure remote location. It is the local RADIUS resources that provide the tools to perform user authentication and authorize users based on complex checks and logic. 
An LDAP user database alone cannot perform such complex authorization checks.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxldap-server [dead-period|primary|secondary]ldap-server dead-period <0-600>ldap-server [primary|secondary] host <IP> port <1-65535> login <LOGIN-NAME> bind-dn <BIND-DN> base-dn <BASE-DN> passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] passwd-attr <ATTR> group-attr <ATTR> group-filter <FILTER> group-membership <WORD> {net-timeout <1-10>|start-tls net-timeout <1-10>|tls-mode net-timeout <1-10>}Parameters• ldap-server dead-period <0-600>• ldap-server [primary|secondary] host <IP> port <1-65535> login <LOGIN-NAME> bind-dn <BIND-DN> base-dn <BASE-DN> passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] passwd-attr <ATTR> group-attr <ATTR> group-filter <FILTER> group-membership <WORD> {net-timeout <1-10>|start-tls net-timeout <1-10>|tls-mode net-timeout <1-10>}dead-period <0-600> Sets an interval, in seconds, during which the local server will not contact its LDAP server resource once it has been defined as unavailable. A dead period is only implemented when additional LDAP servers are configured and available.• <0-600> – Specify a value from 0 - 600 seconds. The default is 300 seconds.ldap primary Configures the primary LDAP server settingsldap secondary Configures the secondary LDAP server settingshost <IP> Specifies the LDAP host’s IP address• <IP> – Specify the LDAP server’s IP address.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-631.png)
![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 23port <1-65535> Configures the LDAP server port• <1-65535> – Specify a port between 1 - 65535.login <LOGIN-NAME> Configures the login name of a user to access the LDAP server• <LOGIN-NAME> – Specify a login ID (should not exceed 127 characters).bind-dn <BIND-DN> Configures a distinguished bind name. This is the distinguished name (DN) used to bind with the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute value pairs, separated by commas.• <BIND-DN> – Specify a bind name (should not exceed 127 characters).base-dn <BASE-DN> Configures a distinguished base name. This is the DN that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching. LDAP DNs begin with a specific attribute (usually some sort of name), and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is referred to as the Relative Distinguished Name (RDN). It identifies an entry distinctly from any other entries that have the same parent• <BASE-DN> – Specify a base name (should not exceed 127 characters).passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]Sets a valid password for the LDAP server.• 0 <PASSWORD> – Sets an UNENCRYPTED password• 2 <ENCRYPTED-PASSWORD> – Sets an ENCRYPTED password• <PASSWORD> – Sets the LDAP server bind password, specified UNENCRYPTED, with a maximum size of 31 characterspasswd-attr <ATTR> Specify the LDAP server password attribute (should not exceed 63 characters).group-attr <ATTR> Specify a name to configure group attributes (should not exceed 31 characters).LDAP systems have the facility to poll dynamic groups. In an LDAP dynamic group an administrator can specify search criteria. All users matching the search criteria are considered a member of this dynamic group. 
Specify a group attribute used by the LDAP server. An attribute could be a group name, group ID, password or group membership name.group-filter <FILTER> Specify a name for the group filter attribute (should not exceed 255 characters).This filter is typically used for security role-to-group assignments and specifies the property to look up groups in the directory service.group-membership <WORD>Specify a name for the group membership attribute (should not exceed 63 characters).This attribute is sent to the LDAP server when authenticating users.net-timeout <1-10> Optional. Select a value from 1 - 10 to configure the network timeout (number of seconds to wait for a response from the target primary or secondary LDAP server). The default is 10 seconds.start-tls net-timeout <1-10>Optional. Select a value from 1 - 10 to configure the network timeout for secure communication using start_tls support on the external LDAP server.tls-mode net-timeout <1-10>Optional. Select a value from 1 - 10 to configure the network timeout for secure communication using tls_mode support on the external LDAP server.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-632.png)


![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 2616.2.9 nasradius-server-policyConfigures the key sent to a RADIUS clientA RADIUS client is a mechanism to communicate with a central server to authenticate users and authorize access to the controller, service platform or Access Point managed network.The client and server share a secret (a password). That shared secret followed by the request authenticator is put through a MD5 hash algorithm to create a 16 octet value which is XORed with the password entered by the user. If the user password is greater than 16 octets, additional MD5 calculations are performed, using the previous ciphertext instead of the request authenticator. The server receives a RADIUS access request packet and verifies the server possesses a shared secret for the client. If the server does not possess a shared secret for the client, the request is dropped. If the client received a verified access accept packet, the username and password are considered correct, and the user is authenticated. 
If the client receives a verified access reject message, the username and password are considered to be incorrect, and the user is not authenticated.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxnas <IP/M> secret [0|2|<LINE>]nas <IP/M> secret [0 <LINE>|2 <LINE>|<LINE>]Parameters• nas <IP/M> secret [0 <LINE>|2<LINE>]Examplerfs6000-37FABE(config-radius-server-policy-test)#nas 172.16.10.10/24 secret 0 wirelesswellrfs6000-37FABE(config-radius-server-policy-test)#show contextradius-server-policy test authentication eap-auth-type tls crl-check nas 172.16.10.10/24 secret 0 wirelesswell local realm realm1 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "base-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2 ldap-server dead-period 100rfs6000-37FABE(config-radius-server-policy-test)#<IP/M> Sets the RADIUS client’s IP address• <IP/M> – Sets the RADIUS client’s IP address in the A.B.C.D/M formatsecret [0 <LINE>|2 <LINE>|<LINE>]Sets the RADIUS client’s shared secret. Use one of the following options:• 0 <LINE> – Sets an UNENCRYPTED secret• 2 <LINE> – Sets an ENCRYPTED secret• <LINE> – Defines the secret (client shared secret) up to 64 characters](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-635.png)

![RADIUS-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 16 - 2816.2.10 noradius-server-policyNegates a command or reverts back to default settings. When used within the config RADIUS server policy mode, the no command removes settings, such as crl-check, LDAP group verification, RADIUS client, etc.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxno [authentication|bypass|chase-referral|clr-check|ldap-agent|ldap-group-verification|ldap-server|local|nas|proxy|session-resumption|termination|use]no bypass [crl-check|expired-crl]no authentication [data-source|eap]no authentication [data-source {ldap {fallback}|local|ssid}|eap configuration]no [chase-referral|clr-check|ldap-group-verification|nas <IP/M>|session-resumption]no ldap-agent [join-retry-timeout|primary|secondary]no local realm [<REALM-NAME>|all]no proxy [realm <REALM-NAME>|retry-count|retry-delay]no ldap-server [dead-period|primary|secondary]no terminationno use [radius-group [<RAD-GROUP-NAME>|all]|radius-user-pool-policy [<RAD-USER-POOL-NAME>|all]]Parameters• no <PARAMETERS>ExampleThe following example shows the RADIUS server policy ‘test’ settings before the ‘no’ commands are executed:rfs6000-37FABE(config-radius-server-policy-test)#show contextradius-server-policy test authentication eap-auth-type tls crl-check nas 172.16.10.10/24 secret 0 wirelesswell local realm realm1 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2 ldap-server dead-period 100no <PARAMETERS> Negates a command or reverts back to default settings. 
When used within the config RADIUS server policy mode, the no command removes settings, such as crl-check, LDAP group verification, RADIUS client, etc.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-637.png)

![RADIUS-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 16 - 30](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-639.png)

16.2.11 proxy

radius-server-policy

Configures a proxy RADIUS server based on the realm/suffix. The realm identifies where the RADIUS server forwards AAA requests for processing.

A user’s access request is sent to a proxy RADIUS server if it cannot be authenticated by the local RADIUS resources. The proxy server checks the information in the user access request and either accepts or rejects the request. If the proxy server accepts the request, it returns configuration information specifying the type of connection service required to authenticate the user.

To the NAS, the RADIUS proxy appears to act as a RADIUS server; to the RADIUS server, the proxy appears to act as a RADIUS client.

When the proxy server receives a request for a user name with a realm, the server references a table of realms. If the realm is known, the server proxies the request to the RADIUS server.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
proxy [realm|retry-count|retry-delay]
proxy realm <REALM-NAME> server <IP> port <1024-65535> secret [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
proxy retry-count <3-6>
proxy retry-delay <5-10>
```

Parameters

- `proxy realm <REALM-NAME> server <IP> port <1024-65535> secret [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]`
  - `proxy realm <REALM-NAME>`: Configures the realm name
    - `<REALM-NAME>` – Specify the realm name. The name should not exceed 50 characters.
  - `server <IP>`: Configures the proxy server’s IP address. This is the address of the server checking the information in the user access request and either accepting or rejecting the request on behalf of the local RADIUS server.
    - `<IP>` – Sets the proxy server’s IP address
  - `port <1024-65535>`: Configures the proxy server’s port. This is the TCP/IP port number for the server that acts as a data source for the proxy server.
    - `<1024-65535>` – Sets the proxy server’s port from 1024 - 65535 (default port is 1812)
  - `secret [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]`: Sets the proxy server secret string. The options are:
    - `0 <PASSWORD>` – Sets an UNENCRYPTED password
    - `2 <ENCRYPTED-PASSWORD>` – Sets an ENCRYPTED password
    - `<PASSWORD>` – Sets the proxy server shared secret value



![RADIUS-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 16 - 34](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-643.png)

16.2.14 use

radius-server-policy

Defines settings used with the RADIUS server policy

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
use [radius-group <RAD-GROUP-NAME1> {RAD-GROUP-NAME2}|radius-user-pool-policy <RAD-USER-POOL-NAME>]
```

Parameters

- `use [radius-group <RAD-GROUP-NAME1> {RAD-GROUP-NAME2}|radius-user-pool-policy <RAD-USER-POOL-NAME>]`
  - `radius-group <RAD-GROUP-NAME1> {RAD-GROUP-NAME2}`: Associates a specified RADIUS group (for LDAP users) with this RADIUS server policy. You can optionally associate two RADIUS groups with one RADIUS server policy.
  - `radius-user-pool-policy <RAD-USER-POOL-NAME>`: Associates a specified RADIUS user pool with this RADIUS server policy. Specify a user pool name.

Example

```
rfs6000-37FABE(config-radius-server-policy-test)#use radius-group test
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 proxy retry-delay 8
 proxy retry-count 4
 proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 use radius-group test
 session-resumption lifetime 10 max-entries 11
rfs6000-37FABE(config-radius-server-policy-test)#
```

Related Commands

- `no`: Disassociates a RADIUS group or a RADIUS user pool policy from this RADIUS server policy


![RADIUS-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 16 - 37](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-646.png)

16.3.2 user

radius-user-pool-policy

Configures RADIUS user parameters

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
user <USERNAME> password [0 <UNECRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest}
user <USERNAME> password [0 <UNECRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest expiry-time <HH:MM> expiry-date <MM/DD/YYYY> {access-duration <0-525600>|data-limit|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM/DD/YYY>|telephone <TELEPHONE-NUMBER>}}
user <USERNAME> password [0 <UNECRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest expiry-time <HH:MM> expiry-date <MM/DD/YYYY> {access-duration <0-525600>|data-limit <1-102400> committed-downlink <100-1000000> committed-uplink <100-1000000> reduced-downlink <100-1000000> reduced-uplink <100-1000000>|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM/DD/YYY>|telephone <TELEPHONE-NUMBER>}}
```

Parameters

- `user <USERNAME> password [0 <UNECRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest expiry-time <HH:MM> expiry-date <MM:DD:YYY> {access-duration <0-525600>|data-limit <1-102400> committed-downlink <100-1000000> committed-uplink <100-1000000> reduced-downlink <100-1000000> reduced-uplink <100-1000000>|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM/DD/YYY>|telephone <TELEPHONE-NUMBER>}}`
  - `user <USERNAME>`: Adds a new RADIUS user to the RADIUS user pool
    - `<USERNAME>` – Specify the name of the user. The username should not exceed 64 characters.
    - Note: The username is a unique alphanumeric string identifying this user, and cannot be modified with the rest of the configuration.
  - `passwd [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]`: Configures the user password (provide a password unique to this user)
    - `0 <UNENCRYPTED-PASSWORD>` – Sets an unencrypted password
    - `2 <ENCRYPTED-PASSWORD>` – Sets an encrypted password
    - `<PASSWORD>` – Sets a password (specified unencrypted) up to 21 characters
  - `group <RAD-GROUP-NAME>`: Optional. Configures the RADIUS server group of which this user is a member
    - `<RAD-GROUP-NAME>` – Specify the group name in the local database.
    - If the user is a guest, assign the user a group with temporary access privileges.
  - `guest`: Optional. Specifies that this user is a guest user. Guest users have restricted access. After enabling a guest user account, specify the expiry time and date for this account. A guest user can be assigned only to a guest user group.







![RADIO-QOS-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 17 - 5](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-654.png)

17.1.1 accelerated-multicast

radio-qos-policy

Configures multicast streams for acceleration. Multicasting allows group transmission of data streams.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
accelerated-multicast [client-timeout|max-client-streams|max-streams|overflow-policy|stream-threshold]
accelerated-multicast [client-timeout <5-6000>|max-client-streams <1-4>|max-streams <0-256>|overflow-policy [reject|revert]|stream-threshold <1-500>]
```

Parameters

- `accelerated-multicast [client-timeout <5-6000>|max-client-streams <1-4>|max-streams <0-256>|overflow-policy [reject|revert]|stream-threshold <1-500>]`
  - `client-timeout <5-6000>`: Configures a timeout period in seconds for wireless clients
    - `<5-6000>` – Specify a value from 5 - 6000 seconds. The default is 60 seconds.
  - `max-client-streams <1-4>`: Configures the maximum number of accelerated multicast streams per client
    - `<1-4>` – Specify a value from 1 - 4. The default is 2.
  - `max-streams <0-256>`: Configures the maximum number of accelerated multicast streams per radio
    - `<0-256>` – Specify a value from 0 - 256. The default is 25.
  - `overflow-policy [reject|revert]`: Specifies the policy in case too many clients register simultaneously. The radio QOS policy can be configured to follow one of the following courses of action:
    - `reject` – Rejects new clients. The default overflow policy is reject.
    - `revert` – Reverts to regular multicast delivery
    - When the number of wireless clients using accelerated multicast exceeds the configured value (max-streams), the radio can either reject new wireless clients or revert existing clients to a non-accelerated state.
  - `stream-threshold <1-500>`: Configures the number of multicast packets per second threshold value. Once this threshold is crossed, the system triggers streams to accelerate.
    - `<1-500>` – Specify a value from 1 - 500. The default is 25 packets per second.

Example

```
rfs6000-37FABE(config-radio-qos-test)#accelerated-multicast client-timeout 500
rfs6000-37FABE(config-radio-qos-test)#accelerated-multicast stream-threshold 15
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 accelerated-multicast stream-threshold 15
 accelerated-multicast client-timeout 500
rfs6000-37FABE(config-radio-qos-test)#
```

Related Commands

- `no`: Reverts accelerated multicasting settings to their default

![RADIO-QOS-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 17 - 6](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-655.png)

17.1.2 admission-control

radio-qos-policy

Enables admission control across all radios for one or more access categories. Enabling admission control for an access category ensures clients associate to an access point and complete WMM admission control before using that access category.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
admission-control [background|best-effort|firewall-detected-traffic|implicit-tspec|video|voice]
admission-control [firewall-detected-traffic|implicit-tspec]
admission-control [background|best-effort|video|voice] {max-airtime-percent|max-clients|max-roamed-clients|reserved-for-roam-percent}
admission-control [background|best-effort|video|voice] {max-airtime-percent <0-150>|max-clients <0-256>|max-roamed-clients <0-256>|reserved-for-roam-percent <0-150>}
```

Parameters

- `admission-control [firewall-detected-traffic|implicit-tspec]`
- `admission-control [background|best-effort|video|voice] {max-airtime-percent <0-150>|max-clients <0-256>|max-roamed-clients <0-256>|reserved-for-roam-percent <0-150>}`
  - `admission-control firewall-detected-traffic`: Enforces admission control for traffic whose access category is detected by the firewall ALG. For example, SIP voice calls. This feature is enabled by default. When enabled, the firewall simulates reception of frames for voice traffic when the voice traffic was originated via SIP or SCCP control traffic. If a client exceeds configured values, the call is stopped and/or received voice frames are forwarded at the next non admission controlled traffic class priority. This applies only to clients that do not send TSPEC frames.
  - `admission-control implicit-tspec`: Enables implicit traffic specifiers for clients that do not support WMM TSPEC, but are accessing admission-controlled access categories. This feature is enabled by default. This feature requires wireless clients to send their traffic specifications to an access point before they can transmit or receive data. If enabled, this setting applies to this radio QoS policy. When enabled, the access point simulates the reception of frames for any traffic class by looking at the amount of traffic the client is receiving and sending. If the client sends more traffic than has been configured for an admission controlled traffic class, the traffic is forwarded at the priority of the next non admission controlled traffic class. This applies only to clients that do not send TSPEC frames.
  - `admission-control background`: Configures background access category admission control parameters



![RADIO-QOS-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 17 - 10](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-659.png)

17.1.3 no

radio-qos-policy

Negates a command or resets configured settings to their default. When used in the radio QOS policy mode, the no command enables the resetting of accelerated multicast parameters, admission control parameters, and MultiMedia parameters.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [accelerated-multicast|admission-control|smart-aggregation|wmm|service]
no accelerated-multicast [client-timeout|max-client-streams|max-streams|overflow-policy|stream-threshold]
no admission-control [firewall-detected-traffic|implicit-tspec|background|best-effort|video|voice]
no admission-control [firewall-detected-traffic|implicit-tspec]
no admission-control [background|best-effort|video|voice] {max-airtime-percent|max-clients|max-roamed-clients|reserved-for-roam-percent}
no smart-aggregation {delay|max-mesh-hops|min-aggregation-limit}
no smart-aggregation {delay [background|best-effort|streaming-video|video-conferencing|voice]|max-mesh-hops|min-aggregation-limit}
no wmm [background|best-effort|video|voice] [aifsn|cw-max|cw-min|txop-limit]
no service admission-control across-reassoc
```

Parameters

- `no <PARAMETERS>`: Negates a command or resets configured settings to their default. When used in the radio QOS policy mode, the no command enables the resetting of accelerated multicast parameters, admission control parameters, and MultiMedia parameters.

Example

The following example shows the Radio-qos-policy ‘test’ settings before the ‘no’ commands are executed:

```
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 admission-control voice max-airtime-percent 9
 admission-control voice reserved-for-roam-percent 8
 admission-control best-effort max-clients 200
 accelerated-multicast stream-threshold 15
 accelerated-multicast client-timeout 500
rfs6000-37FABE(config-radio-qos-test)#
rfs6000-37FABE(config-radio-qos-test)#no admission-control best-effort max-clients
rfs6000-37FABE(config-radio-qos-test)#no accelerated-multicast client-timeout
```

![RADIO-QOS-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 17 - 12](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-661.png)

17.1.4 smart-aggregation

radio-qos-policy

Configures smart aggregation parameters on this Radio QoS policy. Smart aggregation is disabled by default.

Smart aggregation enhances frame aggregation by dynamically selecting the time when the aggregated frame is transmitted. In a frame’s typical aggregation, an aggregated frame is sent when:

- A pre-configured number of aggregated frames is reached
- An administrator-defined interval has elapsed since the first frame (of a set of frames to be aggregated) was received
- An administrator-defined interval has elapsed since the last frame (not necessarily the final frame) of a set of frames to be aggregated was received

With this enhancement, an aggregation delay is set uniquely for each traffic class. For example, voice traffic might not be aggregated, but sent immediately, whereas background data traffic is given a delay for aggregating frames, after which the aggregated frames are sent.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
smart-aggregation {delay|max-mesh-hops|min-aggregation-limit}
smart-aggregation {delay [background|best-effort|streaming-video|video-conferencing|voice] <0-1000>}
smart-aggregation {max-mesh-hops <1-10>}
smart-aggregation {min-aggregation-limit <0-64>}
```

Parameters

- `smart-aggregation {delay [background|best-effort|streaming-video|video-conferencing|voice] <0-1000>}`
  - `delay`: Optional. Configures the maximum delay parameter for each traffic type. This is the maximum delay, in milliseconds, in the transmission of the first frame received.
  - `background`: Configures the maximum delay parameter, in milliseconds, for background traffic (250 msec)
  - `best-effort`: Configures the maximum delay parameter, in milliseconds, for best effort traffic (150 msec)
  - `streaming-video`: Configures the maximum delay parameter, in milliseconds, for streaming video traffic (150 msec)
  - `video-conferencing`: Configures the maximum delay parameter, in milliseconds, for video conference traffic (40 msec)

![RADIO-QOS-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 17 - 14](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-663.png)

17.1.5 service

radio-qos-policy

Invokes service commands in the radio QoS configuration mode

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
service [admission-control|show]
service admission-control across-reassoc
service show cli
```

Parameters

- `service admission-control across-reassoc`
  - `service`: Invokes service commands
  - `admission-control across-reassoc`: Retains previously negotiated TSPEC parameters across re-associations on the radio. For more information on admission-control parameters, see admission-control.
- `service show cli`
  - `service show cli`: Displays running system information
    - `cli` – Displays the Radio QoS mode’s CLI tree

Example

```
rfs4000-229D58(config-radio-qos-test)#service admission-control across-reassoc
rfs4000-229D58(config-radio-qos-test)#show context
radio-qos-policy test
 service admission-control across-reassoc
rfs4000-229D58(config-radio-qos-test)#
rfs4000-229D58(config-radio-qos-test)#service show cli
Radio QoS Mode mode:
+-help [help]
 +-search
 +-WORD [help search WORD (|detailed|only-show|skip-show|skip-no)]
 +-detailed [help search WORD (|detailed|only-show|skip-show|skip-no)]
 +-only-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
 +-skip-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
 +-skip-no [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-show
 +-commands [show commands]
 +-adoption
 +-log
--More--
```

![RADIO-QOS-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 17 - 16](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-665.png)

17.1.6 wmm

radio-qos-policy

Configures 802.11e wireless multimedia (wmm) parameters

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
wmm [background|best-effort|video|voice]
wmm [background|best-effort|video|voice] [aifsn <1-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]
```

Parameters

- `wmm [background|best-effort|video|voice] [aifsn <1-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]`
  - `wmm background`: Configures background access category wireless multimedia settings
  - `wmm best-effort`: Configures best effort access category wireless multimedia settings
  - `wmm video`: Configures video access category wireless multimedia settings
  - `wmm voice`: Configures voice access category wireless multimedia settings
  - `aifsn <1-15>`: Configures Arbitrary Inter-Frame Space Number (AIFSN) as the wait time between data frames derived from the AIFSN and slot time
    - `background` – Sets the current AIFSN for low (background) traffic. The default is 7.
    - `best-effort` – Sets the current AIFSN for normal (best-effort) traffic. The default is 3.
    - `video` – Sets the current AIFSN for video traffic. Higher-priority traffic video categories should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before attempting access. The default is 1.
    - `voice` – Sets the current AIFSN for voice traffic. Higher-priority traffic voice categories should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before attempting access. The default is 1.
    - The following keyword is common to all of the above traffic types:
    - `<1-15>` – Sets a value from 1 - 15
  - `cw-max <0-15>`: Clients pick a number between 0 and the min contention window to wait before retransmission. Clients then double their wait time on a collision, until it reaches the maximum contention window.
    - `background` – Sets CW Max for low (background) traffic. The default is 10.
    - `best-effort` – Sets CW Max for normal (best effort) traffic. The default is 6.

Contd..




![ROLE-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 3](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-670.png)

18.1.1 default-role

role-policy

Assigns a default role to a wireless client that fails to match any of the user-defined roles

When a wireless client accesses a network, the client’s details, retrieved from the LDAP server, are matched against all user-defined roles within the role policy. If the client fails to match any of these user-defined role filters, the client is assigned the default role. The action taken (permit or deny access) is determined by the IP and/or MAC ACL associated with the default role.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
default-role use [ip-access-list|ipv6-access-list|mac-access-list]
default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>
```

Parameters

- `default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>`
  - `default-role use`: Enables default role configuration. This role is applied to a wireless client not matching any of the user-defined roles.
    - `use` – Associates an IP, IPv6, or MAC access list with the default role
  - `[ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME>`: Associates an IP access list, IPv6 access list, or a MAC access list with this default role
    - `in` – Applies the rule (IP, IPv6, or MAC) to incoming packets
    - `out` – Applies the rule (IP, IPv6, or MAC) to outgoing packets
    - IP and MAC access control lists (ACLs) act as firewalls by blocking and/or permitting data traffic in both directions (inbound and outbound) within a managed network. IP ACLs use IP addresses for matching operations, whereas MAC ACLs use MAC addresses. In case of a match (i.e. if a packet is received from or is destined for a specified IP or MAC address), an action is taken. This action is a typical allow, deny or mark designation to controller packet traffic. For more information on ACLs, see AAA-POLICY.
    - `<IP/IPv6/MAC-ACCESS-LIST-NAME>` – Specify the access list name. The ACL applied determines the action applied to a client assigned the default role.
  - `precedence <1-100>`: The following keyword is common to all of the above parameters:
    - `precedence` – Assigns a precedence value to the ACL identified in the previous step.
    - `<1-100>` – Specify a precedence from 1 - 100.
    - ACLs are applied in increasing order of their precedence. Rules with lower precedence are given priority.


![ROLE-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 6](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-673.png)

18.1.3 ldap-query

role-policy

Enables LDAP service and specifies the LDAP server query mode

Configuring the LDAP server query mode automatically enables LDAP service on this role policy. By default LDAP service is disabled.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ldap-query [self|through-controller]
```

Parameters

- `ldap-query [self|through-controller]`
  - `self`: Configures LDAP query mode as self. The AP directly queries the LDAP server for user information. Select ‘self’ to use local LDAP server resources configured using the ldap-server command.
  - `through-controller`: Configures LDAP query mode as through-controller. The AP queries the LDAP server, for user information, through the controller. Use this option when the AP is layer 2 adopted to the controller.

Example

```
rfs6000-37FABE(config-role-policy-test)#ldap-query self
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-deadperiod 100
rfs6000-37FABE(config-role-policy-test)#
```

Related Commands

- `no`: Disables LDAP service on this role policy

![ROLE-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 7](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-674.png)

18.1.4 ldap-server

role-policy

Associates a specified LDAP server with this role policy. Use this command to configure the credentials needed to bind with the LDAP server.

When enabled, LDAP service allows the AP or controller to bind with the LDAP server and retrieve user details. This information is matched with the user-defined roles within the role policy. If a match is made, the user is assigned the role and allowed or denied access to the controller managed network.

You can associate two LDAP servers with a role policy, allowing failover in case the primary server is unreachable.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ldap-server <1-2> host [<IP>|<FQDN>] bind-dn <BIND-DN> base-dn <BASE-DN> bind-password <PASSWORD> {port <1-65535>} {(server-type [active-directory|openldap])}
```

Parameters

- `ldap-server <1-2> host [<IP>|<HOSTNAME>] bind-dn <BIND-DN> base-dn <BASE-DN> bind-password <PASSWORD> {port <1-65535>} {(server-type [active-directory|openldap])}`
  - `ldap-server <1-2>`: Specify the LDAP server ID from 1 - 2. The primary LDAP server (ID 1) is used to bind and query. The secondary LDAP server (ID 2) is for failover.
  - `host [<IP>|<FQDN>]`: Specify the LDAP server’s IP address or Fully Qualified Domain Name (FQDN).
  - `bind-dn <BIND-DN>`: Specify the bind distinguished name (used for binding with the server).
  - `base-dn <BASE-DN>`: Specify the base distinguished name (used for searching). This should not exceed 127 characters.
  - `bind-password <PASSWORD>`: Specify the LDAP server password associated with the bind DN.
  - `port <1-65535>`: Optional. Specify the LDAP server port from 1 - 65535 (default is 389).
  - `server-type [active-directory|openldap]`: The following keywords are common to the ‘port’ parameter:
    - `server-type` – Optional. Specifies the LDAP server type
    - `active-directory` – Enables support for active directory attribute search. This is the default setting.
    - `openldap` – Enables support for openLDAP attribute search

Usage Guidelines

Use the ldap-query command to enable LDAP service on a role policy.

Use the show > role > ldap-stats command to view LDAP server status and state.


![ROLE-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 10](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-677.png)

18.1.6 no

role-policy

Negates a command or resets settings to their default. When used in the config role policy mode, the no command removes or resets the role policy settings.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [default-role|ldap-deadperiod|ldap-query|ldap-server <1-2>|ldap-timeout|user-role]
no [ldap-deadperiod|ldap-query|ldap-server <1-2>|ldap-timeout]
no default-role use [ip-access-list|ipv6-access-list|mac-access-list]
no default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>
no user-role <ROLE-NAME>
```

Parameters

- `no <PARAMETERS>`: Negates a command or resets settings to their default. When used in the config role policy mode, the no command removes or resets the role policy settings.

Example

The following example shows the role policy ‘test’ setting before the ‘no’ commands are executed:

```
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-timeout 1
 ldap-deadperiod 100
 ldap-server 1 host 192.168.13.7 bind-dn CN=Adminstrator,CN=Users,DC=TechPub,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 superuser port 2
rfs6000-37FABE(config-role-policy-test)#
rfs6000-37FABE(config-role-policy-test)#no ldap-deadperiod
rfs6000-37FABE(config-role-policy-test)#no ldap-timeout
rfs6000-37FABE(config-role-policy-test)#no ldap-server 1
```

The following example shows the role policy ‘test’ setting after the ‘no’ commands are executed:

```
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
rfs6000-37FABE(config-role-policy-test)#
```
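The `show context` outputs in this guide print secrets entered with the `0` keyword in readable form (`secret 0 test1123`, `passwd 0 test@123`, `bind-password 0 superuser`). The following Python script is an added example, not part of the Extreme Networks guide: it scans a saved configuration for such entries and produces a redacted copy that is safe to paste into a ticket. The line layout of the sample, the `pool1`/`guest1` entry and its placeholder value are constructed for illustration.

```python
"""Audit a saved WiNG 'show context' dump for stored secrets (added example)."""
import re
from typing import List, NamedTuple

# Keywords this guide shows in front of a secret: 'secret' (proxy realm),
# 'passwd' (RADIUS ldap-server), 'password' (user pool), 'bind-password'
# (role-policy ldap-server). The look-behind and the mandatory blank after the
# keyword keep 'passwd-attr' and the tail of 'bind-password' from matching.
SECRET_RE = re.compile(
    r'(?<![\w-])(?P<kw>bind-password|password|passwd|secret)[ \t]+'
    r'(?:(?P<type>[02])[ \t]+)?(?P<val>"[^"]*"|\S+)'
)

# Type digit as documented in the guide: 0 = unencrypted, 2 = encrypted.
# A value with no type digit is the bare <PASSWORD> form; reporting it
# separately as "untyped" is a choice made for this example.
STORAGE = {"0": "cleartext", "2": "encrypted", None: "untyped"}


class Finding(NamedTuple):
    line_no: int   # 1-based line number in the dump
    section: str   # enclosing top-level block, e.g. "role-policy test"
    keyword: str   # which keyword introduced the secret
    storage: str   # cleartext / encrypted / untyped


def find_secrets(config_text: str) -> List[Finding]:
    """Return one Finding per secret-bearing keyword, without the value."""
    findings, section = [], ""
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line and not line[0].isspace():
            section = line.strip()          # unindented line opens a new block
        for m in SECRET_RE.finditer(line):  # a line may carry several secrets
            findings.append(
                Finding(line_no, section, m["kw"], STORAGE[m["type"]]))
    return findings


def redact(config_text: str) -> str:
    """Replace every secret value, whatever its type, with <REDACTED>."""
    def _mask(m):
        type_part = f"{m['type']} " if m["type"] else ""
        return f"{m['kw']} {type_part}<REDACTED>"
    return "\n".join(SECRET_RE.sub(_mask, line)
                     for line in config_text.splitlines())


# Constructed sample: the first two blocks reuse the guide's example values,
# the last block (pool1 / guest1 / placeholder value) is invented.
SAMPLE_CONFIG = """\
radius-server-policy test
 proxy retry-delay 8
 proxy retry-count 4
 proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 net-timeout 2
 use radius-group test
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-server 1 host 192.168.13.7 bind-dn CN=Adminstrator,CN=Users,DC=TechPub,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 superuser port 2
radius-user-pool-policy pool1
 user guest1 password 2 CONSTRUCTED-ENCRYPTED-VALUE group guests
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_CONFIG):
        flag = "OK  " if f.storage == "encrypted" else "WARN"
        print(f"{flag} line {f.line_no:>2} [{f.section}] "
              f"{f.keyword}: stored as {f.storage}")
    print()
    print(redact(SAMPLE_CONFIG))
```

Entries reported as cleartext or untyped are the ones worth re-entering in the encrypted form and rotating if the dump has already been shared.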




![ROLE-POLICY, Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 15](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-682.png)

18.1.7.2.1 ap-location

user-role commands

Configures an AP’s deployment location based filter for this user-defined role

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ap-location [any|contains|exact|not-contains]
ap-location any
ap-location [contains|exact|not-contains] <WORD>
```

Parameters

- `ap-location any`
  - `ap-location any`: Specifies the AP location to match (in a RF Domain) or the AP’s resident configuration
    - `any` – Defines an AP’s location as any
- `ap-location [contains|exact|not-contains] <WORD>`
  - `ap-location`: Specifies the AP location to match (in a RF Domain) or the AP’s resident configuration. Select one of the following filter options: contains, exact, or not-contains.
  - `contains <WORD>`: Applies role if the associating AP’s location contains the location string specified in the role.
    - `<WORD>` – Specify the location string to match.
  - `exact <WORD>`: Applies role if the associating AP’s location exactly matches the string specified in the role.
    - `<WORD>` – Specify the exact location string to match.
  - `not-contains <WORD>`: Applies role if the associating AP’s location does not contain the location string specified in the role.
    - `<WORD>` – Specify the location string not to match.

Example

```
rfs6000-37FABE(config-role-policy-test-user-role-testing)#ap-location contains office
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  ap-location contains office
rfs6000-37FABE(config-role-policy-test-user-role-testing)#
```

Related Commands

- `no`: Removes an AP’s deployment location string from this user-defined role


![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 16](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-683.png)

18.1.7.2.2 assign (user-role commands)

Configures upstream/downstream rate limits and VLAN ID. Clients matching this user-defined role’s filters are associated with the specified VLAN, and assigned the specified data rates.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
assign [rate-limit|VLAN]
assign rate-limit [from-client|to-client] <1-65536>
assign vlan <1-4094>
```

Parameters

- `assign rate-limit [from-client|to-client] <1-65536>`
  - `assign rate-limit [from-client|to-client] <1-65536>` – Assigns an upstream and downstream traffic rate limit
    - `from-client` – Assigns a rate limit, in Kbps, for the upstream (from client) traffic
    - `to-client` – Assigns a rate limit, in Kbps, for the downstream (to client) traffic
    - `<1-65536>` – Specify upstream and/or downstream rate limits from 1 - 65536 Kbps.

    Wireless clients matching this user-defined role are assigned the configured rate limits.
- `assign vlan <1-4094>`
  - `assign vlan <1-4094>` – Assigns a VLAN (identified by VLAN’s ID). Clients matching this user-defined role are associated with the specified VLAN. The VLAN ID represents the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). This feature is disabled by default.
    - `<1-4094>` – Specify the VLAN ID from 1 - 4094.

    A wireless client that fails to match any user-defined role is assigned to the default role (configured as a role policy setting) and is mapped to the default VLAN under the WLAN.

Usage Guidelines

ACLs can only be used with tunnel or isolated-tunnel modes. They do not work with the local and automatic modes.

In case of bridge VLAN, the default bridging mode is ‘auto’. Change the bridging mode to ‘tunnel’. This extends the controller’s existing VLAN onto the AP and ensures that wireless clients are served IP addresses.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 18](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-685.png)

18.1.7.2.3 authentication-type (user-role commands)

Configures the authentication type based filter for this user-defined role

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
authentication-type [any|eq|neq]
authentication-type any
authentication-type [eq|neq] [eap|kerberos|mac-auth|none] {(eap|kerberos|mac-auth|none)}
```

Parameters

- `authentication-type any`
  - `any` – The authentication type is any (eq or neq). This is the default setting.
- `authentication-type [eq|neq] [eap|kerberos|mac-auth|none] {(eap|kerberos|mac-auth|none)}`
  - `eq [eap|kerberos|mac-auth|none]` – The role is applied only when the authentication type matches (equals) one or more of the following types:
    - `eap` – Extensible authentication protocol
    - `kerberos` – Kerberos authentication
    - `mac-auth` – MAC authentication protocol
    - `none` – no authentication used

    These parameters are recursive, and you can configure more than one unique authentication type for this user-defined role.
  - `neq [eap|kerberos|mac-auth|none]` – The role is applied only when the authentication type does not match (not equals) any of the following types:
    - `eap` – Extensible authentication protocol
    - `kerberos` – Kerberos authentication
    - `mac-auth` – MAC authentication protocol
    - `none` – no authentication used

    These parameters are recursive, and you can configure more than one unique ‘not equal to’ authentication type for this user-defined role.

Example

```
rfs6000-37FABE(config-role-policy-test-user-role-testing)#authentication-type eq kerberos
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
rfs6000-37FABE(config-role-policy-test-user-role-testing)#
```

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 20](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-687.png)

18.1.7.2.4 captive-portal (user-role commands)

Configures a captive portal based filter for this user-defined role. A captive portal is a guest access policy that provides temporary and restrictive access to the wireless network. When applied to a WLAN, a captive portal policy ensures secure guest access.

This command defines user-defined role filters based on a wireless client’s state of authentication.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
captive-portal authentication-state [any|post-login|pre-login]
```

Parameters

- `captive-portal authentication-state [any|post-login|pre-login]`
  - `authentication-state` – Defines the authentication state of a client connecting to a captive portal
  - `any` – Specifies any authentication state (authenticated and pending authentication). This is the default setting. This option makes no distinction on whether authentication is conducted before or after the wireless client has logged in.
  - `post-login` – Specifies authentication is completed successfully. This option requires the wireless client to share authentication credentials after logging into the managed network.
  - `pre-login` – Specifies authentication is pending. This option enables captive portal client authentication before the client is logged into the controller.

Example

```
rfs6000-37FABE(config-role-policy-test-user-role-testing)#captive-portal authentication-state pre-login
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
rfs6000-37FABE(config-role-policy-test-user-role-testing)#
```

Related Commands

- `no` – Removes the captive portal based role filter settings

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 21](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-688.png)

18.1.7.2.5 city (user-role commands)

Configures a wireless client filter based on the city name

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
city [any|contains|exact|not-contains]
city [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
```

Parameters

- `city [any|exact <WORD>|contains <WORD>|not-contains <WORD>]`
  - `city` – Specifies a wireless client filter based on how the ‘city’ name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
  - `any` – No specific city associated with this user-defined role. This role can be applied to any wireless client from any city.
  - `contains <WORD>` – The role is applied only when the city name, returned by the RADIUS server, contains the string specified in the role.
    - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the city name returned by the RADIUS server). It should contain the provided expression.
  - `exact <WORD>` – The role is applied only when the city name, returned by the RADIUS server, exactly matches the string specified in the role.
    - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the city name returned by the RADIUS server). It should be an exact match.
  - `not-contains <WORD>` – The role is applied only when the city name, returned by the RADIUS server, does not contain the string specified in the role.
    - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the city name returned by the RADIUS server). It should not contain the provided expression.

Example

```
rfs6000-37FABE(config-role-policy-test-user-role-testing)#city exact SanJose
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
rfs6000-37FABE(config-role-policy-test-user-role-testing)#
```

Related Commands

- `no` – Removes the city name configured with this user-defined role

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 23](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-690.png)

18.1.7.2.7 company (user-role commands)

Configures a wireless client filter based on the company name

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
company [any|contains|exact|not-contains]
company [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
```

Parameters

- `company [any|exact <WORD>|contains <WORD>|not-contains <WORD>]`
  - `company` – Specifies a wireless client filter based on how the ‘company’ name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains
  - `any` – No specific company associated with this user-defined role. This role is applied to any wireless client from any company (no strings to match). This is the default setting.
  - `contains <WORD>` – The role is applied only when the company name, returned by the RADIUS server, contains the string specified in the role.
    - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the company name returned by the RADIUS server). It should contain the provided expression.
  - `exact <WORD>` – The role is applied only when the company name, returned by the RADIUS server, exactly matches the string specified in the role.
    - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the company name returned by the RADIUS server). It should be an exact match.
  - `not-contains <WORD>` – The role is applied only when the company name, returned by the RADIUS server, does not contain the string specified in the role.
    - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the company name returned by the RADIUS server). It should not contain the provided expression.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 25](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-692.png)

18.1.7.2.8 country (user-role commands)

Configures a wireless client filter based on the country name

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
country [any|contains|exact|not-contains]
country [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
```

Parameters

- `country [any|exact <WORD>|contains <WORD>|not-contains <WORD>]`
  - `country` – Specifies a wireless client filter based on how the ‘country’ name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains
  - `any` – No specific country associated with this user-defined role. This role is applied to any wireless client from any country (no strings to match). This is the default setting.
  - `contains <WORD>` – The role is applied only when the country name, returned by the RADIUS server, contains the string specified in the role.
    - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the country name returned by the RADIUS server). It should contain the provided expression.
  - `exact <WORD>` – The role is applied only when the country name, returned by the RADIUS server, exactly matches the string specified in the role.
    - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the country name returned by the RADIUS server). It should be an exact match.
  - `not-contains <WORD>` – The role is applied only when the country name, returned by the RADIUS server, does not contain the string specified in the role.
    - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the country name returned by the RADIUS server). It should not contain the provided expression.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 27](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-694.png)

18.1.7.2.9 department (user-role commands)

Configures a wireless client filter based on the department name

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
department [any|contains|exact|not-contains]
department [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
```

Parameters

- `department [any|exact <WORD>|contains <WORD>|not-contains <WORD>]`
  - `department` – Specifies a wireless client filter based on how the ‘department’ name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains
  - `any` – No specific department associated with this user-defined role. This role can be applied to any wireless client from any department (no strings to match). This is the default setting.
  - `contains <WORD>` – The role is applied only when the department name, returned by the RADIUS server, contains the string specified in the role.
    - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the department name returned by the RADIUS server). It should contain the provided expression.
  - `exact <WORD>` – The role is applied only when the department name, returned by the RADIUS server, exactly matches the string specified in the role.
    - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the department name returned by the RADIUS server). It should be an exact match.
  - `not-contains <WORD>` – The role is applied only when the department name, returned by the RADIUS server, does not contain the string specified in the role.
    - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the department name returned by the RADIUS server). It should not contain the provided expression.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 29](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-696.png)

18.1.7.2.10 emailid (user-role commands)

Configures a wireless client filter based on the e-mail ID

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
emailid [any|contains|exact|not-contains]
emailid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
```

Parameters

- `emailid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]`
  - `emailid` – Specifies a wireless client filter based on how the ‘e-mail ID’, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains
  - `any` – No specific e-mail ID associated with this user-defined role. This role can be applied to any wireless client having any e-mail ID (no strings to match). This is the default setting.
  - `contains <WORD>` – The role is applied only when the e-mail ID, returned by the RADIUS server, contains the string specified in the role.
    - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the e-mail ID returned by the RADIUS server). It should contain the provided expression.
  - `exact <WORD>` – The role is applied only when the e-mail ID, returned by the RADIUS server, exactly matches the string specified in the role.
    - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the e-mail ID returned by the RADIUS server). It should be an exact match.
  - `not-contains <WORD>` – The role is applied only when the e-mail ID, returned by the RADIUS server, does not contain the string specified in the role.
    - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the e-mail ID returned by the RADIUS server). It should not contain the provided expression.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 31](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-698.png)

18.1.7.2.11 employee-type (user-role commands)

Configures a wireless client filter based on the employee type

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
employee-type [any|contains|exact|not-contains]
employee-type [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
```

Parameters

- `employee-type [any|exact <WORD>|contains <WORD>|not-contains <WORD>]`
  - `employee-type` – Specifies a wireless client filter based on how the ‘employee type’, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
  - `any` – No specific employee type associated with this user-defined role. This role can be applied to any wireless client having any employee type (no strings to match). This is the default setting.
  - `contains <WORD>` – The role is applied only when the employee type, returned by the RADIUS server, contains the string specified in the role.
    - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the employee type returned by the RADIUS server). It should contain the provided expression.
  - `exact <WORD>` – The role is applied only when the employee type, returned by the RADIUS server, exactly matches the string specified in the role.
    - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the employee type returned by the RADIUS server). It should be an exact match.
  - `not-contains <WORD>` – The role is applied only when the employee type, returned by the RADIUS server, does not contain the string specified in the role.
    - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the employee type returned by the RADIUS server). It should not contain the provided expression.

Example

```
rfs4000-229D58(config-role-policy-test-user-role-test1)#employee-type exact consultant
rfs4000-229D58(config-role-policy-test-user-role-user1)#show context
 user-role user1 precedence 1
  employee-type exact consultant
rfs4000-229D58(config-role-policy-test-user-role-user1)#
```

Related Commands

- `no` – Removes the employee type filter configured with this user-defined role

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 32](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-699.png)

18.1.7.2.12 employeeid (user-role commands)

Configures a wireless client filter based on the employee ID

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
employeeid [any|contains|exact|not-contains]
employeeid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
```

Parameters

- `employeeid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]`
  - `employeeid` – Specifies a wireless client filter based on how the ‘employee ID’, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
  - `any` – No specific employee ID associated with this user-defined role. This role can be applied to any wireless client having any employee ID (no strings to match). This is the default setting.
  - `contains <WORD>` – The role is applied only when the employee ID, returned by the RADIUS server, contains the string specified in the role.
    - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the employee ID returned by the RADIUS server). It should contain the provided expression.
  - `exact <WORD>` – The role is applied only when the employee ID, returned by the RADIUS server, exactly matches the string specified in the role.
    - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the employee ID returned by the RADIUS server). It should be an exact match.
  - `not-contains <WORD>` – The role is applied only when the employee ID, returned by the RADIUS server, does not contain the string specified in the role.
    - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the employee ID returned by the RADIUS server). It should not contain the provided expression.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 34](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-701.png)

18.1.7.2.13 encryption-type (user-role commands)

Selects the encryption type for this user-defined role. Encryption ensures privacy between access points and wireless clients. There are various modes of encrypting communication on a WLAN, such as Counter Mode CBC-MAC Protocol (CCMP), Wired Equivalent Privacy (WEP), keyguard, Temporal Key Integrity Protocol (TKIP), etc.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
encryption-type [any|eq|neq]
encryption-type any
encryption-type [eq|neq] [ccmp|keyguard|none|tkip|wep128|wep64] {(ccmp|keyguard|none|tkip|tkip-ccmp|wep128|wep64)}
```

Parameters

- `encryption-type any`
  - `any` – The encryption type can be any one of the listed options (ccmp|keyguard|tkip|wep128|wep64). This is the default setting.
- `encryption-type [eq|neq] [ccmp|keyguard|none|tkip|wep128|wep64] {(ccmp|keyguard|none|tkip|tkip-ccmp|wep128|wep64)}`
  - `eq [ccmp|keyguard|none|tkip|wep128|wep64]` – The role is applied only if the encryption type equals one of the following options:
    - `ccmp` – Encryption mode is CCMP
    - `keyguard` – Encryption mode is keyguard. Keyguard encryption shields the master encryption keys from being discovered.
    - `none` – No encryption mode specified
    - `tkip` – Encryption mode is TKIP
    - `wep128` – Encryption mode is WEP128
    - `wep64` – Encryption mode is WEP64

    These parameters are recursive, and you can configure more than one encryption type for this user-defined role.
  - `neq [ccmp|keyguard|none|tkip|wep128|wep64]` – The role is applied only if encryption type is not equal to any of the following options:
    - `ccmp` – Encryption mode is not equal to CCMP
    - `keyguard` – Encryption mode is not equal to keyguard
    - `none` – Encryption mode is not equal to none
    - `tkip` – Encryption mode is not equal to TKIP

    Contd..

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 36](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-703.png)

18.1.7.2.14 group (user-role commands)

Configures a wireless client filter based on the RADIUS group name

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
group [any|contains|exact|not-contains]
group [any|contains <WORD>|exact <WORD>|not-contains <WORD>]
```

Parameters

- `group [any|contains <WORD>|exact <WORD>|not-contains <WORD>]`
  - `group` – Specifies a wireless client filter based on how the RADIUS group name matches the provided expression. Select one of the following options: any, contains, exact, or not-contains
  - `any` – This user-defined role can fit into any group (no strings to match). This is the default setting.
  - `contains <WORD>` – The role is applied only when the RADIUS group name contains the string specified in the role.
    - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the group name returned by the RADIUS server). It should contain the provided expression.
  - `exact <WORD>` – The role is applied only when the RADIUS group name exactly matches the string specified in the role.
    - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the group name returned by the RADIUS server). It should be an exact match.
  - `not-contains <WORD>` – The role is applied only when the RADIUS group name does not contain the string specified in the role.
    - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the group name returned by the RADIUS server). It should not contain the provided expression.


![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 39](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-706.png)

18.1.7.2.16 mu-mac (user-role commands)

Configures a MAC address and mask based filter for this role policy

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
mu-mac [<MAC>|any]
mu-mac any
mu-mac <MAC> {mask <MAC>}
```

Parameters

- `mu-mac any`
  - `any` – Applies role to any wireless client (no MAC address to match). This is the default setting.
- `mu-mac <MAC> {mask <MAC>}`
  - `<MAC>` – Applies role to the wireless client having specified MAC address
    - `<MAC>` – Sets the MAC address in the AA-BB-CC-DD-EE-FF format
  - `mask <MAC>` – Optional. After specifying the client’s MAC address, specify the mask in the AA-BB-CC-DD-EE-FF format. The role is applied to the wireless client exactly matching the specified MAC address and MAC mask.

Example

```
rfs6000-37FABE(config-role-policy-test-user-role-testing)#mu-mac 11-22-33-44-55-66
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  encryption-type eq wep128
  ap-location contains office
  mu-mac 11-22-33-44-55-66
  group contains testgroup
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
  employeeid contains TnVTest1
rfs6000-37FABE(config-role-policy-test-user-role-testing)#
```

Related Commands

- `no` – Removes the MAC address and mask for this user-defined role

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 40](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-707.png)

18.1.7.2.17 no (user-role commands)

Negates a command or resets configured settings to their default. When used in the config role policy user-defined role mode, the no command removes or resets settings, such as AP location, authentication type, encryption type, captive portal, etc.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [ap-location|assign|authentication-type|captive-portal|city|client-identity|company|country|department|emailid|employee-type|employeeid|encryption-type|group|memberOf|mu-mac|radius-user|ssid|state|title|use|user-defined]
no [ap-location|assign|authentication-type|city|client-identity|company|country|department|emailid|employee-type|employeeid|encryption-type|group|mu-mac|memberOf|ssid|radius-user|state|title|user-defined]
no captive-portal authentication-state
no use [application-policy|bonjour-gw-discovery-policy|ip-access-list|ipv6-access-list|mac-access-list|url-filter]
no use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>
no use [application-policy|bonjour-gw-discovery-policy|url-filter]
```

Parameters

- `no <PARAMETERS>`
  - `no <PARAMETERS>` – Negates a command or resets configured settings to their default. When used in the config role policy user-defined role mode, the no command removes or resets settings, such as AP location, authentication type, encryption type, captive portal, etc.

Usage Guidelines

The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

18.1.7.2.18 radius-user

user-role commands

Configures a wireless client filter based on the RADIUS user name

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
radius-user [any|contains|ends-with|exact|not-contains|starts-with]
```

Parameters

`radius-user [any|contains|ends-with|exact|not-contains|starts-with]`

- `radius-user`: Specifies a wireless client filter based on how the ‘radius-user’ name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
- `any`: No specific RADIUS user name associated with this user-defined role. This role can be applied to any wireless client (no strings to match). This is the default setting.
- `contains <WORD>`: The role is applied only when the ‘radius-user’ name, returned by the RADIUS server, contains the string specified in the role.
  - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the ‘radius-user’ name returned by the RADIUS server). It should contain the provided expression.

  You can use the realm or any sub-string of the user name.
- `ends-with <WORD>`: Enables role assignment on the basis of the wireless client’s “department” and/or “group”.
  - `<WORD>` – Specify the string (could be department/group code). For example: 1005000002. Here, the last three digits represent the department/group code. The remaining digits represent the user’s badge number.

  The role is applied only when the ‘radius-user’ name, returned by the RADIUS server, ends with the string specified here.
- `exact <WORD>`: The role is applied only when the ‘radius-user’ name, returned by the RADIUS server, exactly matches the string specified in the role.
  - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the ‘radius-user’ name returned by the RADIUS server). It should be an exact match.

  Provide the complete user name along with the realm.
- `not-contains <WORD>`: The role is applied only when the ‘radius-user’ name, returned by the RADIUS server, does not contain the string specified in the role.
  - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the ‘radius-user’ name returned by the RADIUS server). It should not contain the provided expression.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 42](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-709.png)
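The radius-user match types are plain, case-sensitive string tests, so a candidate filter can be checked against a list of known user names before the role is deployed. The sketch below is an added example, not code from the guide or from WiNG; the user names are constructed sample data, and `starts-with` (listed in the syntax but not described) is assumed to be the prefix counterpart of `ends-with`.

```python
# Added example: models the radius-user match types from the reference text.
# The user names below are constructed sample data, not values from the guide.

MATCHERS = {
    "any": lambda name, word: True,
    "exact": lambda name, word: name == word,
    "contains": lambda name, word: word in name,
    "not-contains": lambda name, word: word not in name,
    "ends-with": lambda name, word: name.endswith(word),
    # Assumption: starts-with is the prefix counterpart of ends-with.
    "starts-with": lambda name, word: name.startswith(word),
}


def parse_filter(line):
    """Split 'radius-user <match-type> [<WORD>]' into (match_type, word)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "radius-user":
        raise ValueError(f"not a radius-user filter: {line!r}")
    match_type = tokens[1]
    if match_type not in MATCHERS:
        raise ValueError(f"unknown match type: {match_type!r}")
    if match_type == "any":
        if len(tokens) != 2:
            raise ValueError("'any' takes no <WORD>")
        return match_type, ""
    if len(tokens) != 3:
        raise ValueError(f"{match_type!r} needs exactly one <WORD>")
    return match_type, tokens[2]


def matches(line, radius_user):
    """True if the filter accepts this RADIUS user name (case sensitive)."""
    match_type, word = parse_filter(line)
    return MATCHERS[match_type](radius_user, word)


def audit(line, intended, directory):
    """Compare what a filter accepts against the names it was meant for.

    Returns (unintended, missed): names the filter accepts that are not in
    `intended`, and intended names that the filter rejects.
    """
    accepted = {name for name in directory if matches(line, name)}
    wanted = set(intended)
    return sorted(accepted - wanted), sorted(wanted - accepted)


# Constructed directory: badge-style names (last three digits = department
# code, as in the guide's 1005000002 example) and realm-style names.
DIRECTORY = [
    "1005000002",                   # department 002
    "1007310002",                   # department 002
    "1005000012",                   # department 012
    "kiosk-9002",                   # shared account, not a badge number
    "alice@corp.example",
    "Alice@Corp.Example",           # same user, different case from the server
    "bob@corp.example.guest.test",  # a different realm with the same substring
]

CHECKS = [
    ("radius-user ends-with 002", ["1005000002", "1007310002"]),
    ("radius-user contains corp.example",
     ["alice@corp.example", "Alice@Corp.Example"]),
    ("radius-user exact alice@corp.example", ["alice@corp.example"]),
]

if __name__ == "__main__":
    for line, intended in CHECKS:
        unintended, missed = audit(line, intended, DIRECTORY)
        print(line)
        print("  accepted but not intended:", unintended)
        print("  intended but rejected:   ", missed)
```

A non-empty first list means the role, and whatever ACLs are attached to it, would also apply to accounts it was not written for; a non-empty second list usually points to a case or realm mismatch.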

18.1.7.2.19 ssid

user-role commands

Configures an SSID-based filter

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ssid [any|exact|contains|not-contains]
ssid any
ssid [exact|contains|not-contains] <WORD>
```

Parameters

`ssid any`

- `ssid any`: Specifies a wireless client filter based on how the SSID is specified in a WLAN
  - `any` – The role is applied to any SSID location. This is the default setting.

`ssid [exact|contains|not-contains] <WORD>`

- `ssid`: Specifies a wireless client filter based on how the SSID is specified in a WLAN. The options are: contains, exact, or not-contains
- `exact <WORD>`: The role is applied only when the SSID, returned by the RADIUS server, exactly matches the string specified in the role.
  - `<WORD>` – Specify the SSID string to match. The SSID is case sensitive and is compared against the SSID configured for the WLAN.
- `contains <WORD>`: The role is applied only when the SSID, returned by the RADIUS server, contains the string specified in the role.
  - `<WORD>` – Specify the SSID string to match. The SSID is case sensitive and is compared against the SSID configured for the WLAN.
- `not-contains <WORD>`: The role is applied only when the SSID, returned by the RADIUS server, does not contain the string specified in the role.
  - `<WORD>` – Specify the SSID string not to match. The SSID is case sensitive and is compared against the SSID configured for the WLAN.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 44](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-711.png)
Example

```
rfs6000-37FABE(config-role-policy-test-user-role-testing)#ssid not-contains DevUser
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  ssid not-contains DevUser
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
rfs6000-37FABE(config-role-policy-test-user-role-testing)#
```

Related Commands

- `no`: Removes the SSID configured for a user-defined role

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 45](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-712.png)
18.1.7.2.20 state

user-role commands

Configures a user role state to match with this user-defined role

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
state [any|contains|exact|not-contains]
state [any|contains <WORD>|exact <WORD>|not-contains <WORD>]
```

Parameters

`state [any|contains <WORD>|exact <WORD>|not-contains <WORD>]`

- `state`: Specifies a wireless client filter option based on how the RADIUS state matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
- `any`: This user role can fit any wireless client irrespective of the state (no strings to match).
- `contains <WORD>`: The user role is applied only when the RADIUS state contains the string specified in the role.
  - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the state returned by the RADIUS server). It should contain the provided expression.
- `exact <WORD>`: The role is applied only when the RADIUS state exactly matches the string specified in the role.
  - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the state returned by the RADIUS server). It should be an exact match.
- `not-contains <WORD>`: The role is applied only when the RADIUS state does not contain the string specified in the role.
  - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the state returned by the RADIUS server). It should not contain the provided expression.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 46](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-713.png)

18.1.7.2.21 title

user-role commands

Configures a ‘title’ string to match

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
title [any|contains|exact|not-contains]
title [any|contains <WORD>|exact <WORD>|not-contains <WORD>]
```

Parameters

`title [any|contains <WORD>|exact <WORD>|not-contains <WORD>]`

- `title`: Specifies a wireless client filter based on how the title string, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
- `any`: This user role can fit any wireless client irrespective of the title (no strings to match).
- `contains <WORD>`: The user role is applied only when the title string, returned by the RADIUS server, contains the string specified in the role.
  - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the title returned by the RADIUS server). It should contain the provided expression.
- `exact <WORD>`: The role is applied only when the title string, returned by the RADIUS server, exactly matches the string specified in the role.
  - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the title returned by the RADIUS server). It should be an exact match.
- `not-contains <WORD>`: The role is applied only when the title string, returned by the RADIUS server, does not contain the string specified in the role.
  - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the title returned by the RADIUS server). It should not contain the provided expression.

Example

```
rfs6000-37FABE(config-role-policy-test-user-role-testing)#title any
```

Related Commands

- `no`: Removes the ‘title’ filter string configured with a user role

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 48](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-715.png)
18.1.7.2.22 use

user-role commands

Configures an access list based firewall with this user role

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, firewalls are mechanisms both blocking and permitting data traffic based on inbound and outbound IP and MAC rules.

IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC.

A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to packet traffic.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
use [application-policy|bonjour-gw-discovery-policy|ip-access-list|ipv6-access-list|mac-access-list|url-filter]
use bonjour-gw-discovery-policy <POLICY-NAME>
use [ip-access-list|ipv6-access-list] [in|out] <IP/ipv6-ACCESS-LIST-NAME> precedence <1-100>
use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> precedence <1-100>
use url-filter <URL-FILTER-NAME>
```

Parameters

`use [application-policy|bonjour-gw-discovery-policy] <POLICY-NAME>`

- `application-policy <POLICY-NAME>`: Uses an existing Application policy with a user role. When associated, the Application policy enforces application assurance for all users using this role.
  - `<POLICY-NAME>` – Specify the Application policy name (should be existing and configured).

  For more information on Application policy, see application-policy.
- `bonjour-gw-discovery-policy <POLICY-NAME>`: Uses an existing Bonjour GW Discovery policy with a user role. When associated, the Bonjour GW Discovery policy is applied to the Bonjour requests coming from this specific user role.
  - `<POLICY-NAME>` – Specify the Bonjour GW Discovery policy name (should be existing and configured).

  For more information on Bonjour GW Discovery policy, see bonjour-gw-discovery-policy.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 49](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-716.png)
`use [ip-access-list|ipv6-access-list] [in|out] <IP/IPv6-ACCESS-LIST-NAME> precedence <1-100>`

- `ip-access-list [in|out]`: Uses an IPv4 or IPv6 ACL with this user role
  - `in` – Applies the rule to incoming packets
  - `out` – Applies the rule to outgoing packets
- `<IPv4/IPv6-ACCESS-LIST-NAME>`: Specify the IPv4/IPv6 access list name.
- `precedence <1-100>`: After specifying the name of the access list, specify the precedence applied to it. Based on the packets received, a lower precedence value is evaluated first.
  - `<1-100>` – Sets a precedence from 1 - 100

`use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> precedence <1-100>`

- `mac-access-list [in|out]`: Uses a MAC access list with this user role
  - `in` – Applies the rule to incoming packets
  - `out` – Applies the rule to outgoing packets
- `<MAC-ACCESS-LIST-NAME>`: Specify the MAC access list name.
- `precedence <1-100>`: After specifying the name of the access list, specify the precedence applied to it. Based on the packets received, a lower precedence value is evaluated first.
  - `<1-100>` – Sets a precedence from 1 - 100

`use url-filter <URL-FILTER-NAME>`

- `use url-filter <URL-FILTER-NAME>`: Uses an existing URL filter that acts as a Web content filter firewall rule.
  - `<POLICY-NAME>` – Specify the URL filter name (should be existing and configured).

Example

```
rfs6000-37FABE(config-role-policy-test-user-role-testing)#use ip-access-list in test precedence 9
rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  ssid not-contains DevUser
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
  state exact active
  use ip-access-list in test precedence 9
rfs6000-37FABE(config-role-policy-test-user-role-testing)#

rfs6000-37FABE(config-role-policy-bonjour_test-user-role-bonjour_user1)#use bonjour-gw-discovery-policy role2
rfs6000-37FABE(config-role-policy-bonjour_test-user-role-bonjour_user1)#show context
 user-role bonjour_user1 precedence 2
  use bonjour-gw-discovery-policy role2
rfs6000-37FABE(config-role-policy-bonjour_test-user-role-bonjour_user1)#
```

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 50](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-717.png)

18.1.7.2.23 user-defined

user-role commands

Enables you to define a filter based on an attribute defined in the Active Directory or the OpenLDAP server

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
user-defined <ATTR-STRING> [any|contains|exact|not-contains]
user-defined <ATTR-STRING> [any|contains <WORD>|exact <WORD>|not-contains <WORD>]
```

Parameters

`user-defined <ATTR-STRING> [any|exact <WORD>|contains <WORD>|not-contains <WORD>]`

- `user-defined <ATTR-STRING>`: Specify a filter based on an attribute defined in the AD or OpenLDAP server.
  - `<ATTR-NAME>` – Specify the attribute string.

  After specifying the attribute name, specify the match type.
- `any`: No specific string to match. This role can be applied to any wireless client. This is the default setting.
- `contains <WORD>`: The role is applied only when the user-defined attribute value, returned by the RADIUS server, contains the string specified in the role.
  - `<WORD>` – Specify the string to match (this is case sensitive, and is compared against the value returned by the RADIUS server). It should contain the provided expression.
- `exact <WORD>`: The role is applied only when the user-defined attribute value, returned by the RADIUS server, exactly matches the string specified in the role.
  - `<WORD>` – Specify the exact string to match (this is case sensitive, and is compared against the value returned by the RADIUS server). It should be an exact match.
- `not-contains <WORD>`: The role is applied only when the user-defined attribute value, returned by the RADIUS server, does not contain the string specified in the role.
  - `<WORD>` – Specify the string not to match (this is case sensitive, and is compared against the value returned by the RADIUS server). It should not contain the provided expression.

![ROLE-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 18 - 52](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-719.png)




19.1.1 area

smart-rf-policy

Configures the channel list and power for a specified area

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
area <AREA-NAME/STRING-ALIAS> channel-list [2.4GHz|5GHz] <CHANNEL-LIST>
```

Parameters

`area <AREA-NAME/STRING-ALIAS> channel-list [2.4GHz|5GHz] <CHANNEL-LIST>`

- `area <AREA-NAME/STRING-ALIAS>`: Specifies the area name
  - `<AREA-NAME/STRING-ALIAS>` – Specify the area name as clear text. Alternately, use a string-alias to specify the area name. If using a string-alias, ensure that the string-alias exists and is configured.
- `channel-list [2.4GHz|5GHz] <CHANNEL-LIST>`: Selects the channels for the specified area in the 2.4 GHz or 5.0 GHz band
  - `2.4GHz` – Selects the channels for the specified area in the 2.4 GHz band
  - `5GHz` – Selects the channels for the specified area in the 5.0 GHz band

  The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
  - `<CHANNEL-LIST>` – Enter a comma-separated list of channels for the selected band.

Example

```
rfs6000-37FABE(config-smart-rf-policy-test)#area test channel-list 2.4GHz 1,2,3
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
rfs6000-37FABE(config-smart-rf-policy-test)#

nx9500-6C8809(config)#alias string $AREA Ecospace
nx9500-6C8809(config)#commit
nx9500-6C8809(config-smart-rf-policy-test)#exit
nx9500-6C8809(config-smart-rf-policy-Ecospace)#area $AREA channel-list 5GHz 36,44
nx9500-6C8809(config-smart-rf-policy-Ecospace)#show context
smart-rf-policy Ecospace
 area $AREA channel-list 5GHz 36,44
nx9500-6C8809(config-smart-rf-policy-Ecospace)#
```

Related Commands

- `no`: Removes channel list/power configuration for an area

![SMART-RF-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 19 - 4](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-724.png)
19.1.2 assignable-power

smart-rf-policy

Configures the Smart RF power settings over both 2.4 GHz and 5.0 GHz radios

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
assignable-power [2.4GHz|5GHz] [max|min] <1-20>
```

Parameters

`assignable-power [2.4GHz|5GHz] [max|min] <1-20>`

- `2.4GHz [max|min] <1-20>`: Assigns a power range on the 2.4 GHz band
  - `max <1-20>` – Sets the upper limit in the range from 1 dBm - 20 dBm (default is 17 dBm)
  - `min <1-20>` – Sets the lower limit in the range from 1 dBm - 20 dBm (default is 4 dBm)
- `5GHz [max|min] <1-20>`: Assigns a power range on the 5.0 GHz band
  - `max <1-20>` – Sets the upper limit in the range from 1 dBm - 20 dBm (default is 17 dBm)
  - `min <1-20>` – Sets the lower limit in the range from 1 dBm - 20 dBm (default is 4 dBm)

Example

```
rfs6000-37FABE(config-smart-rf-policy-test)#assignable-power 5GHz max 20
rfs6000-37FABE(config-smart-rf-policy-test)#assignable-power 5GHz min 8
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
rfs6000-37FABE(config-smart-rf-policy-test)#
```

Related Commands

- `no`: Resets assignable power to its default

![SMART-RF-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 19 - 5](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-725.png)
19.1.3 avoidance-time

smart-rf-policy

Allows Smart-RF enabled radios to avoid channels with high levels of interference and channels where radar has been detected

This command configures the interval for which a channel is avoided on detection of interference or radar, and is applicable only if the channel selection mode is set to Smart and a Smart-RF policy is applied to the access point’s RF Domain. For more information on configuring a radio’s channel of operation, see channel.

Certain 5.0 GHz channels are subject to FCC / ETSI DFS regulations that require channels transmitting critical radar signals to be free of interference from radio signals. Consequently, DFS-enabled 5.0 GHz radios scan and switch channels if radar is detected on their current channel of operation. If radar-free channels are not available, the radio stops transmitting until it identifies a radar-free channel.

Adaptivity is a new European Union (EU) stipulation that requires access points to monitor interference levels on their current channel of operation, and stop functioning on channels with interference levels exceeding ETSI-specified threshold values. When enabled, this feature ensures recovery by switching the radio to a new channel with less interference.

Once adaptivity or DFS is triggered, the radio’s channel is switched based on the channel selection mode specified. If the channel is fixed, the radio attempts to come back to its specified channel of operation after the DFS/adaptivity channel evacuation period has expired.

On the other hand, if the radio’s channel selection mode is set to Smart or ACS, once adaptivity or DFS is triggered, the channel is avoided until the avoidance-time, specified here, expires. Once the evacuation period has expired, the channel is free for use by both Smart-RF and ACS.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
avoidance-time [adaptivity|dfs] <30-3600>
```

NOTE: To optionally disable the radio from switching back to its original channel of operation, execute the no > dfs-rehome command in the radio interface configuration mode of the access point’s profile or device. For more information, see dfs-rehome.

NOTE: For radios with the channel selection mode set to ACS, Random, or Fixed, the adaptivity timeout can be configured in the access point’s radio interface mode. For more information, see adaptivity.

![SMART-RF-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 19 - 6](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-726.png)
Parameters

`avoidance-time [adaptivity|dfs] <30-3600>`

- `avoidance-time [adaptivity|dfs]`: Configures the time for which a channel is avoided after dfs or adaptivity is triggered
  - `adaptivity` – Sets the time, in minutes, for which a radio avoids an adaptivity-regulated channel detected with interference
  - `dfs` – Sets the time, in minutes, for which a radio avoids a DFS-regulated channel detected with radar
  - `<30-3600>` – Specify a value from 30 - 3600 minutes. The default for both parameters is 90 minutes.

Example

```
nx4500-5CFA2B(config-smart-rf-policy-test)#avoidance-time adaptivity 200
nx4500-5CFA2B(config-smart-rf-policy-test)#avoidance-time dfs 300
nx4500-5CFA2B(config-smart-rf-policy-test)#show context
smart-rf-policy test
 avoidance-time dfs 300
 avoidance-time adaptivity 200
nx4500-5CFA2B(config-smart-rf-policy-test)#

nx4500-5CFA2B(config-smart-rf-policy-test)#no avoidance-time adaptivity
nx4500-5CFA2B(config-smart-rf-policy-test)#show context include-factory | include avoidance-time
 avoidance-time dfs 300
 avoidance-time adaptivity 90
nx4500-5CFA2B(config-smart-rf-policy-test)#
```

Related Commands

- `no`: Reverts the DFS/adaptivity regulated channel avoidance time to default (90 minutes)

![SMART-RF-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 19 - 7](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-727.png)
19.1.4 channel-list

smart-rf-policy

Assigns a list of channels, for the selected frequency, used in Smart RF scans

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
channel-list [2.4GHz|5GHz] <WORD>
```

Parameters

`channel-list [2.4GHz|5GHz] <WORD>`

- `2.4GHz <WORD>`: Assigns a channel list for the 2.4 GHz band
  - `<WORD>` – Specify a comma separated list of channels
- `5GHz <WORD>`: Assigns a channel list for the 5.0 GHz band
  - `<WORD>` – Specify a comma separated list of channels

Example

```
rfs6000-37FABE(config-smart-rf-policy-test)#channel-list 2.4GHz 1,12
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
rfs6000-37FABE(config-smart-rf-policy-test)#
```

Related Commands

- `no`: Removes the channel list for the selected frequency

![SMART-RF-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 19 - 8](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-728.png)
19.1.5 channel-width

smart-rf-policy

Selects the channel width for Smart RF configuration

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
channel-width [2.4GHz|5GHz]
channel-width 2.4GHz [20MHz|40MHz|auto]
channel-width 5GHz [20MHz|40MHz|80MHz|auto]
```

Parameters

`channel-width 2.4GHz [20MHz|40MHz|auto]`

- `2.4GHz [20MHz|40MHz|auto]`: Assigns the channel width for the 2.4 GHz band
  - `20MHz` – Assigns the 20 MHz channel width. This is the default setting.
  - `40MHz` – Assigns the 40 MHz channel width
  - `auto` – Assigns the best possible channel in the 20 MHz or 40 MHz channel width

`channel-width 5GHz [20MHz|40MHz|auto]`

- `5GHz [20MHz|40MHz|80MHz|auto]`: Assigns the channel width for the 5.0 GHz band
  - `20MHz` – Assigns the 20 MHz channel width
  - `40MHz` – Assigns the 40 MHz channel width. This is the default setting.
  - `80MHz` – Assigns the 80 MHz channel width (supported only on AP8232)
  - `auto` – Assigns the best possible channel in the 20 MHz, 40 MHz, or 80 MHz channel width

NOTE: In addition to 20 MHz and 40 MHz, AP82XX also provides support for 80 MHz channels.

Usage Guidelines

The 20/40 MHz operation allows the access point to receive packets from clients using 20 MHz, and transmit using 40 MHz. This mode is supported for 802.11n users on both the 2.4 GHz and 5.0 GHz radios. If an 802.11n user selects two channels (a primary and secondary channel), the system is configured for dynamic 20/40 operation. When 20/40 is selected, clients can take advantage of wider channels. 802.11n clients experience improved throughput using 40 MHz while legacy clients (either 802.11a or 802.11b/g depending on the radio selected) can still be serviced without interruption using 20 MHz. Select auto to enable automatic assignment of channels to working radios to avoid channel overlap and avoid interference from external RF sources.

![SMART-RF-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 19 - 9](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-729.png)

19.1.6 coverage-hole-recovery

smart-rf-policy

Enables recovery from coverage hole errors detected by Smart RF. Use this command to configure the coverage hole recovery settings.

When coverage hole recovery is enabled, on detection of a coverage hole, Smart RF first determines the power increase needed based on the signal-to-noise ratio (SNR) for a client as seen by the access point radio. If a client’s SNR is above the specified threshold, the transmit power is increased until the SNR falls below the threshold.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
coverage-hole-recovery {client-threshold|coverage-interval|interval|snr-threshold}
coverage-hole-recovery {client-threshold [2.4GHz|5GHz] <1-255>}
coverage-hole-recovery {coverage-interval|interval} [2.4GHz|5GHz] <1-120>
coverage-hole-recovery {snr-threshold [2.4Ghz|5Ghz] <1-75>}
```

NOTE: The coverage-hole-recovery parameters can be modified only if the sensitivity level is set to ‘custom’. For more information, see sensitivity.

Parameters

`coverage-hole-recovery {client-threshold [2.4GHz|5GHz] <1-255>}`

- `client-threshold`: Optional. Specifies the minimum number of clients associated to a radio in order to trigger coverage hole recovery.
- `2.4GHz <1-255>`: Specifies the minimum number of clients on the 2.4 GHz band
  - `<1-255>` – Sets a value from 1 - 255. The default is 1.
- `5GHz <1-255>`: Specifies the minimum number of clients on the 5.0 GHz band
  - `<1-255>` – Sets a value from 1 - 255. The default is 1.

`coverage-hole-recovery {coverage-interval|interval} [2.4GHz|5GHz] <1-120>`

- `coverage-interval`: Optional. Specifies the interval between the discovery of a coverage hole and the initiation of coverage hole recovery
- `interval`: Optional. Specifies the interval at which coverage hole recovery is performed even before a coverage hole is detected

![SMART-RF-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 19 - 11](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-731.png)
- `2.4GHz <1-120>`: The following keywords are common to the ‘coverage-interval’ and ‘interval’ parameters:
  - `2.4GHz <1-120>` – Specifies the coverage hole recovery interval on the 2.4 GHz band
  - `<1-120>` – Specify a value from 1 - 120 seconds.

  Note: coverage-interval – The default is 10 seconds.

  Note: interval – The default is 30 seconds.
- `5GHz <1-120>`: The following keywords are common to the ‘coverage-interval’ and ‘interval’ parameters:
  - `5GHz <1-120>` – Specifies a coverage hole recovery interval on the 5.0 GHz band
  - `<1-120>` – Specify a value from 1 - 120 seconds.

  Note: coverage-interval – The default is 10 seconds.

  Note: interval – The default is 30 seconds.

`coverage-hole-recovery {snr-threshold} [2.4Ghz|5Ghz] <1-75>`

- `snr-threshold`: Optional. Specifies the SNR threshold. This value is the SNR threshold for an associated client as seen by its associated AP radio. When the SNR threshold is exceeded, the radio increases its transmit power to increase coverage for the associated client.
- `2.4GHz <1-75>`: Specifies SNR threshold on the 2.4 GHz band
  - `<1-75>` – Sets a value from 1 dB - 75 dB. The default is 20 dB.
- `5GHz <1-75>`: Specifies SNR threshold on the 5.0 GHz band
  - `<1-75>` – Sets a value from 1 - 75. The default is 20 dB.

Example

```
rfs6000-37FABE(config-smart-rf-policy-test)#coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#
```

Related Commands

- `no`: Disables recovery from coverage hole errors

![SMART-RF-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 19 - 12](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-732.png)

19.1.8 group-by

smart-rf-policy

Enables grouping of APs on the basis of their location in a building (floor) or an area

Within a large RF Domain, grouping of APs (within an area or on the same floor in a building) facilitates statistics gathering and troubleshooting.

Supported in the following platforms:
- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
group-by [area|floor]
```

Parameters

`group-by [area|floor]`

- `area`: Groups radios based on their area of location
- `floor`: Groups radios based on their floor location

Both options are disabled by default.

Example

```
rfs6000-37FABE(config-smart-rf-policy-test)#group-by floor
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#
```

Related Commands

- `no`: Removes Smart RF group settings

![SMART-RF-POLICY: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 19 - 14](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-734.png)
![SMART-RF-POLICY, CLI Reference Guide 19 - 15](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-735.png)

19.1.9 interference-recovery

smart-rf-policy

Enables interference recovery from neighboring radios and other sources of WiFi and non-WiFi interference. Interference is the excess noise detected within the Smart RF supported radio coverage area. Smart RF provides mitigation from interfering sources by monitoring the noise levels and other RF parameters on an access point radio’s current channel. When a noise threshold is exceeded, Smart RF selects an alternative channel with less interference. To avoid channel flapping a hold timer is defined, which disables interference avoidance for a specific period of time upon detection. Interference recovery is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
interference-recovery {channel-hold-time|channel-switch-delta|client-threshold|interference|neighbor-offset|noise|noise-factor}
interference-recovery {channel-switch-delta [2.4GHz|5GHZ] <5-35>}
interference-recovery {channel-hold-time <0-86400>|client-threshold <1-255>|interference|neighbor-offset <3-10>|noise|noise-factor <1.0-3.0>}
```

NOTE: The interference-recovery parameters can be modified only if the sensitivity level is set to ‘custom’. For more information, see sensitivity.

Parameters

• interference-recovery {channel-switch-delta [2.4GHz|5GHZ] <5-35>}

channel-switch-delta – Optional. Configures a threshold value for the difference between interference levels on the current channel and the prospective channel needed to trigger a channel change. If the difference in noise levels on the current channel and the prospective channel is below the configured threshold, the channel is not changed.

[2.4GHz|5GHz] – Selects the band
• 2.4GHz – Selects the 2.4 GHz band
• 5GHz – Selects the 5.0 GHz band

<5-35> – Specifies the threshold value for the difference between the current and prospective channel interference levels
• <5-35> – Sets a value from 5 dBm - 35 dBm. The default setting is 20 dBm for both 2.4 GHz and 5.0 GHz bands.

• interference-recovery {channel-hold-time <0-86400>|client-threshold <1-255>|interference|neighbor-offset <3-10>|noise|noise-factor <1.0-3.0>}

channel-hold-time <0-86400> – Optional. Defines the minimum time between two channel change recoveries
• <0-86400> – Sets the time, in seconds, between channel change assignments based on interference or noise. The default is 7,200 seconds.

![SMART-RF-POLICY, CLI Reference Guide 19 - 17](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-737.png)

19.1.10 neighbor-recovery

smart-rf-policy

Enables recovery from errors due to faulty neighboring radios. Enabling neighbor recovery ensures automatic recovery from failed radios within the radio coverage area. Smart RF instructs neighboring access points to increase their transmit power to compensate for the failed radio. Neighbor recovery is enabled by default when the sensitivity setting is medium.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
neighbor-recovery {dynamic-sampling|power-hold-time|power-threshold}
neighbor-recovery {dynamic-sampling} {retries <1-10>|threshold <1-30>}
neighbor-recovery {power-hold-time <0-3600>}
neighbor-recovery {power-threshold [2.4Ghz|5Ghz] <-85--55>}
```

NOTE: The neighbor-recovery parameters can be modified only if the sensitivity level is set to ‘custom’. For more information, see sensitivity.

Parameters

• neighbor-recovery {dynamic-sampling} {retries <1-10>|threshold <1-30>}

dynamic-sampling – Optional. Enables dynamic sampling on this Smart RF policy. Dynamic sampling allows you to define how Smart RF adjustments are triggered by locking the ‘retry’ and ‘threshold’ values. Dynamic sampling is disabled by default.

retries <1-10> – Optional. Specifies the number of retries before allowing a power level adjustment to compensate for a potential coverage hole.
• <1-10> – Sets the number of retries from 1 - 10. The default is 3.

threshold <1-30> – Optional. Specifies the minimum number of sample reports before which a power change requires dynamic sampling
• <1-30> – Sets the minimum number of reports from 1 - 30. The default is 5.

• neighbor-recovery {power-hold-time <0-3600>}

power-hold-time – Optional. Specifies the minimum time, in seconds, between two power changes on a radio during neighbor-recovery

<0-3600> – Sets the time from 0 - 3600 sec. The default is 0 seconds.
![SMART-RF-POLICY, CLI Reference Guide 19 - 18](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-738.png)

• neighbor-recovery {power-threshold [2.4Ghz|5Ghz] <-85--55>}

power-threshold – Optional. Specifies the power threshold based on which recovery is performed
The 2.4 GHz/5.0 GHz radio uses the value specified here as the maximum power increase threshold if the radio is required to increase its output power to compensate for a failed radio within its coverage area.

[2.4GHz|5GHz] – Selects the band
• 2.4GHz – Selects the 2.4 GHz band
• 5GHz – Selects the 5.0 GHz band

<-85--55> – Specify the threshold value
• <-85--55> – Sets the power threshold from -85 dBm - -55 dBm. The default is -70 dBm for both the 2.4 GHz and 5.0 GHz bands.

Example

```
rfs6000-37FABE(config-smart-rf-policy-test)#neighbor-recovery power-threshold 2.4GHz -82
rfs6000-37FABE(config-smart-rf-policy-test)#neighbor-recovery power-threshold 5GHz -65
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 interference-recovery channel-switch-delta 5GHz 5
 neighbor-recovery power-threshold 5GHz -65
 neighbor-recovery power-threshold 2.4GHz -82
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#
```

Related Commands

no – Disables recovery from faulty neighbor radios
![SMART-RF-POLICY, CLI Reference Guide 19 - 19](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-739.png)

19.1.11 no

smart-rf-policy

Negates a command or sets its default. When used in the config Smart RF policy mode, the no command disables or resets Smart RF settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [area|assignable-power|avoidance-time|channel-list|channel-width|coverage-hole-recovery|enable|group-by|interference-recovery|neighbor-recovery|smart-ocs-monitoring]
no area <AREA-NAME> channel-list [2.4GHZ|5GHZ]
no assignable-power [2.4GHZ|5GHZ] [max|min]
no [channel-list|channel-width] [2.4GHZ|5GHZ]
no coverage-hole-recovery [client-threshold|coverage-interval|interval|snr-threshold] [2.4GHZ|5GHZ]
no avoidance-time [adaptivity|dfs]
no enable
no group-by [area|floor]
no interference-recovery {channel-hold-time|channel-switch-delta [2.4GHZ|5GHZ]|client-threshold|interference|neighbor-offset|noise|noise-factor}
no neighbor-recovery {dynamic-sampling {retries|threshold}|power-hold-time|power-threshold [2.4GHZ|5GHZ]}
no smart-rf-monitoring {awareness-override [schedule <1-3>|threshold]|client-aware [2.4GHZ|5GHZ]|extended-scan-frequency [2.4GHZ|5GHZ]|frequency [2.4GHZ|5GHZ]|off-channel-duration [2.4GHZ|5GHZ]|power-save-aware [2.4GHZ|5GHZ]|sample-count [2.4GHZ|5GHZ]|voice-aware [2.4GHZ|5GHZ]}
```

Parameters

• no <PARAMETERS>

no <PARAMETERS> – Negates a command or sets its default. When used in the config Smart RF policy mode, the no command disables or resets the Smart RF policy settings.

![SMART-RF-POLICY, CLI Reference Guide 19 - 21](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-741.png)

19.1.12 sensitivity

smart-rf-policy

Configures Smart RF sensitivity level. The sensitivity level determines Smart RF scanning and sampling aggressiveness. For example, a low sensitivity level indicates a less aggressive Smart-RF policy. This translates to fewer samples taken during off-channel scanning and short off-channel durations. When the sensitivity level is set to high, Smart-RF collects more samples, and remains off-channel longer.

The Smart RF sensitivity level options include low, medium, high, and custom. Medium is the default setting. The custom option allows an administrator to adjust the parameters and thresholds for interference recovery, coverage hole recovery, and neighbor recovery. However, the low, medium, and high settings still allow utilization of these features.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
sensitivity [custom|high|low|medium]
```

Parameters

• sensitivity [custom|high|low|medium]

sensitivity – Configures Smart RF sensitivity levels. The options available are: custom, high, low, and medium.
custom – Enables custom interference recovery, coverage hole recovery, and neighbor recovery as additional Smart RF options
high – High sensitivity
low – Low sensitivity
medium – Medium sensitivity. This is the default setting.

Usage Guidelines

To enable the power and channel setting parameters, set sensitivity to custom or medium.
To enable the monitoring and scanning parameters, set sensitivity to custom.
To enable the neighbor recovery, interference and coverage hole recovery parameters, set sensitivity to custom.

![SMART-RF-POLICY, CLI Reference Guide 19 - 23](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-743.png)

19.1.13 smart-ocs-monitoring

smart-rf-policy

Applies smart Off Channel Scanning (OCS) instead of dedicated detectors

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
smart-ocs-monitoring {awareness-override|client-aware|extended-scan-frequency|frequency|off-channel-duration|power-save-aware|sample-count|tx-load-aware|voice-aware}
smart-ocs-monitoring {awareness-override [schedule|threshold]}
smart-ocs-monitoring {awareness-override schedule <1-3> <START-TIME> <END-TIME> <DAY>}
smart-ocs-monitoring {awareness-override threshold <10-10000>}
smart-ocs-monitoring {client-aware [2.4GHz|5GHz] <1-255>}
smart-ocs-monitoring {extended-scan-frequency [2.4GHz|5GHz] <0-50>}
smart-ocs-monitoring {frequency [2.4GHz|5GHz] <1-120>}
smart-ocs-monitoring {off-channel-duration [2.4GHz|5GHz] <20-150>}
smart-ocs-monitoring {power-save-aware [2.4GHz|5GHz] [disable|dynamic|strict]}
smart-ocs-monitoring {sample-count [2.4GHz|5GHz] <1-15>}
smart-ocs-monitoring {tx-load-aware [2.4GHz|5GHz] <1-100>}
smart-ocs-monitoring {voice-aware [2.4GHz|5GHz] [disable|dynamic|strict]}
```

Parameters

• smart-ocs-monitoring {awareness-override schedule <1-3> <START-TIME> <END-TIME> <DAY>}

awareness-override – Optional. Use this parameter to configure client awareness settings overrides

schedule <1-3> <START-TIME> <END-TIME> {<DAY>} – Configures a time and day schedule when awareness settings are overridden
• <1-3> – Sets the awareness override schedule index. A maximum of three overrides can be configured.
• <START-TIME> – Sets the override start time in HH:MM format
• <END-TIME> – Sets the override end time in HH:MM format
• DAY – Optional. Set the day when the override is active. Use one of the following formats:
  • all – Override is active on all days
  • sun – Override is active only on Sundays
  • mon – Override is active only on Mondays

Contd..
![SMART-RF-POLICY, CLI Reference Guide 19 - 24](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-744.png)

  • tue – Override is active only on Tuesdays
  • wed – Override is active only on Wednesdays
  • thu – Override is active only on Thursdays
  • fri – Override is active only on Fridays
  • sat – Override is active only on Saturdays

• smart-ocs-monitoring {awareness-override threshold <10-10000>}

awareness-override threshold <10-10000> – Optional. Use this parameter to configure client awareness settings overrides
• threshold – Specifies the threshold after which client awareness settings are overridden. When the specified threshold is reached, awareness settings are overridden.
  • <10-10000> – Specify a threshold value from 10 - 10000. The default is 10.

• smart-ocs-monitoring {client-aware [2.4GHz|5GHz] <1-255>}

client-aware – Optional. Enables client aware scanning on this Smart RF policy
Use this parameter to configure a client threshold number. When the number of clients connected to a radio equals this threshold number, the radio avoids channel scanning.
This feature is disabled by default.

2.4GHz <1-255> – Enables client aware scanning on the 2.4 GHz band
Avoids radio scanning when a specified minimum number of clients are present
• <1-255> – Sets the minimum number of clients from 1 - 255. The default is 1 client.

5GHz <1-255> – Enables client aware scanning on the 5.0 GHz band
Avoids radio scanning when a specified minimum number of clients are present
• <1-255> – Sets the minimum number of clients from 1 - 255. The default is 1 client.

• smart-ocs-monitoring {extended-scan-frequency [2.4GHz|5GHz] <0-50>}

extended-scan-frequency – Optional. Enables an extended scan, as opposed to a neighbor only scan, on this Smart RF policy. This is the frequency radios use to scan for non-peer radios.

2.4GHz <0-50> – Enables extended scan on the 2.4 GHz band
• <0-50> – Sets the number of trials from 0 - 50. The default is 5.

5GHz <0-50> – Enables extended scan on the 5.0 GHz band
• <0-50> – Sets the number of trials from 0 - 50. The default is 5.

• smart-ocs-monitoring {frequency [2.4GHz|5GHz] <1-120>}

frequency – Optional. Specifies the scan frequency. This is the frequency, in seconds, in which smart-ocs-monitoring changes channels for an off channel scan.

2.4GHz <1-120> – Selects the 2.4 GHz band
• <1-120> – Sets a scan frequency from 1 - 120 sec. The default is 6 seconds.

5GHz <1-120> – Selects the 5.0 GHz band
• <1-120> – Sets a scan frequency from 1 - 120 sec. The default is 6 seconds.
![SMART-RF-POLICY, CLI Reference Guide 19 - 25](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-745.png)

• smart-ocs-monitoring {off-channel-duration [2.4GHz|5GHz] <20-150>}

off-channel-duration – Optional. Specifies the duration to scan off channel
This is the duration access point radios use to monitor devices within the network and, if necessary, perform self healing and neighbor recovery to compensate for coverage area losses within an RF Domain.

2.4GHz <20-150> – Selects the 2.4 GHz band (in milliseconds)
• <20-150> – Sets the off channel duration from 20 - 150 msec. The default is 50 milliseconds.

5GHz <20-150> – Selects the 5.0 GHz band (in milliseconds)
• <20-150> – Sets the off channel duration from 20 - 150 msec. The default is 50 milliseconds.

• smart-ocs-monitoring {power-save-aware [2.4GHz|5GHz] [disable|dynamic|strict]}

power-save-aware – Optional. Enables power save awareness scanning mode on this Smart RF policy. The options are: disable, dynamic, and strict.
This setting allows Smart RF to detect power save clients and take them into consideration when performing off channel scans.
Strict disables smart monitoring as long as a power save capable client is associated to a radio. Dynamic disables smart monitoring as long as there is data buffered for a power save client at the radio.

2.4GHz [disable|dynamic|strict] – Sets power save awareness scanning mode on the 2.4 GHz band
• disable – Disables power save awareness scanning
• dynamic – Dynamically avoids scanning based on traffic for power save (PSP) clients
• strict – Strictly avoids scanning when PSP clients are present
The default is dynamic.

5GHz [disable|dynamic|strict] – Sets power save awareness scanning mode on the 5.0 GHz band
• disable – Disables power save awareness scanning
• dynamic – Dynamically avoids scanning based on traffic for PSP clients
• strict – Strictly avoids scanning when PSP clients are present
The default is dynamic.

• smart-ocs-monitoring {sample-count [2.4GHz|5GHz] <1-15>}

sample-count – Optional. Specifies the number of samples to collect before reporting an issue to the Smart RF master

2.4GHz <1-15> – Selects the 2.4 GHz band
• <1-15> – Specifies the number of samples to collect from 1 - 15. The default is 10.

5GHz <1-15> – Selects the 5.0 GHz band
• <1-15> – Specifies the number of samples to collect from 1 - 15. The default is 5.

• smart-ocs-monitoring {tx-load-aware [2.4GHz|5GHz] <1-100>}

tx-load-aware – Optional. Specifies a transmit load percentage that serves as a threshold before scanning is avoided for an access point’s 2.4 GHz or 5.0 GHz band. This option is disabled for both 2.4 GHz and 5.0 GHz bands.
![SMART-RF-POLICY, CLI Reference Guide 19 - 26](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-746.png)

2.4GHz <1-100> – Selects the 2.4 GHz band
• <1-100> – Specify a transmit load percentage from 1 - 100%. When enabled, the default is 1%.

5GHz <1-100> – Selects the 5.0 GHz band
• <1-100> – Specify a transmit load percentage from 1 - 100%. When enabled, the default is 1%.

• smart-ocs-monitoring {voice-aware [2.4GHz|5GHz] [disable|dynamic|strict]}

voice-aware – Optional. Enables voice awareness scanning mode on this Smart RF policy. The options are: disable, dynamic, and strict.
Strict disables smart monitoring as long as a voice client is associated to a radio. Dynamic disables smart monitoring as long as there is data buffered for a voice client at the radio.

2.4GHz [disable|dynamic|strict] – Specifies the scanning mode on the 2.4 GHz band
• disable – Disables voice awareness scanning
• dynamic – Dynamically avoids scanning based on traffic for voice clients
• strict – Strictly avoids scanning when voice clients are present
Note: The default is dynamic.

5GHz [disable|dynamic|strict] – Specifies the scanning mode on the 5.0 GHz band
• disable – Disables voice awareness scanning
• dynamic – Dynamically avoids scanning based on traffic for voice clients
• strict – Strictly avoids scanning when voice clients are present.
Note: The default is dynamic.

Example

```
rfs6000-37FABE(config-smart-rf-policy-test)#smart-ocs-monitoring extended-scan-frequency 2.4GHz 9
rfs6000-37FABE(config-smart-rf-policy-test)#smart-ocs-monitoring sample-count 2.4GHz 3
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 smart-ocs-monitoring off-channel-duration 2.4GHz 25
 smart-ocs-monitoring frequency 5GHz 3
 smart-ocs-monitoring frequency 2.4GHz 3
 smart-ocs-monitoring sample-count 5GHz 3
 smart-ocs-monitoring sample-count 2.4GHz 3
 smart-ocs-monitoring extended-scan-frequency 5GHz 0
 smart-ocs-monitoring extended-scan-frequency 2.4GHz 9
 root-recovery root-path-metric-threshold 800
--More--
rfs6000-37FABE(config-smart-rf-policy-test)#
```

Related Commands

no – Disables off channel monitoring




![WIPS-POLICY, CLI Reference Guide 20 - 5](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-751.png)

20.1.1 ap-detection

wips-policy

Enables the detection of unauthorized or unsanctioned APs. Unauthorized APs are untrusted access points connected to an access point managed network. These untrusted APs accept wireless client associations. It is important to detect such rogue APs and declare them unauthorized. Rogue AP detection is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ap-detection {ageout|air-termination|interferer-threshold|recurring-event-interval|wait-time}
ap-detection {ageout <30-86400>|interferer-threshold <-100--10>|recurring-event-interval <0-10000>|wait-time <10-600>}
ap-detection air-termination {allow-channel-switch|mode [auto|manual]}
```

Parameters

• ap-detection {ageout <30-86400>|interferer-threshold <-100--10>|recurring-event-interval <0-10000>|wait-time <10-600>}

ap-detection – Enables detection of unauthorized or unsanctioned APs

ageout <30-86400> – Optional. Configures the unauthorized AP ageout interval. The WIPS policy uses this value to ageout unauthorized APs.
• <30-86400> – Sets an ageout interval from 30 - 86400 seconds. The default is 5 minutes (300 seconds).

recurring-event-interval <0-10000> – Configures recurring event interval help of unauthorized APs
• <0-10000> – Configures the recurring interval between 0 - 10000 seconds. The default is 300 seconds.

interferer-threshold <-100--10> – Configures the RSSI threshold value to determine if an unsanctioned AP is an interferer or not
• <-100--10> – Configures the RSSI threshold between -100 - -10 dBm. The default is -75 dBm.

wait-time <10-600> – Optional. Configures the wait time before a detected AP is declared as unauthorized and potentially removed
• <10-600> – Sets a wait time from 10 - 600 seconds. The default is 1 minute (60 seconds).
![WIPS-POLICY, CLI Reference Guide 20 - 6](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-752.png)

• ap-detection air-termination {allow-channel-switch|mode [auto|manual]}

ap-detection – Enables detection of unauthorized or unsanctioned APs

air-termination {allow-channel-switch|mode [auto|manual]} – Enables air termination of unauthorized APs. This option is disabled by default.
• allow-channel-switch – Optional. Allows channel switch of unauthorized APs based on the channel mode. This option is disabled by default.
• mode [auto|manual] – Optional. Select the mode as auto or manual to configure. The default setting is manual.

Example

```
rfs6000-37FABE(config-wips-policy-test)#ap-detection wait-time 15
rfs6000-37FABE(config-wips-policy-test)#ap-detection age-out 50
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 ap-detection-age-out 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#

nx9500-6C8809(config-wips-policy-test)#ap-detection recurring-event-interval 10
nx9500-6C8809(config-wips-policy-test)#show context
wips-policy test
 ap-detection recurring-event-interval 10
nx9500-6C8809(config-wips-policy-test)#
```

Related Commands

no – Resets unauthorized or unsanctioned AP detection settings to default

![WIPS-POLICY, CLI Reference Guide 20 - 8](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-754.png)

20.1.3 event

wips-policy

Configures events, filters and threshold values for this WIPS policy. Events are grouped into three categories, AP anomaly, client anomaly, and excessive. WLANs are baselined for matching criteria. Any deviation from this baseline is considered an anomaly and logged as an event.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
event [ap-anomaly|client-anomaly|enable-all-events|excessive]
event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|unencrypted-wired-leakage|wireless-bridge]
event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|invalid-8021x-frames|netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>}
event enable-all-events
event excessive [80211-replay-check-failure|aggressive-scanning|auth-server-failures|decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-station] {filter-ageout <0-86400>|threshold-client <0-65535>|threshold-radio <0-65535>}
```

NOTE: By default all event monitoring is disabled.

Parameters

• event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|unencrypted-wired-leakage|wireless-bridge]

ap-anomaly – Enables AP anomaly event tracking
An AP anomaly event refers to suspicious frames sent by neighboring APs. An administrator enables the filtering of each listed event and sets the thresholds for the generation of event notification and filtering.

ad-hoc-violation – Tracks ad-hoc network violations
airjack – Tracks AirJack attacks
ap-ssid-broadcast-in-beacon – Tracks AP SSID broadcasts in beacon events
asleap – Tracks ASLEAP attacks. These attacks break Lightweight Extensible Authentication Protocol (LEAP) passwords
impersonation-attack – Tracks impersonation attacks. These are also referred to as spoofing attacks, where the attacker assumes the address of an authorized device.
![WIPS-POLICY, CLI Reference Guide 20 - 9](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-755.png)

null-probe-response – Tracks null probe response attacks
transmitting-device-using-invalid-mac – Tracks the transmitting device using an invalid MAC attacks
unencrypted-wired-leakage – Tracks unencrypted wired leakage
wireless-bridge – Tracks wireless bridge (WDS) frames

• event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|invalid-8021x-frames|netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>}

client-anomaly – Enables client anomaly event tracking
These are suspicious events performed by wireless clients compromising the security of the network. An administrator can enable or disable filtering of each listed event and set the thresholds required for the generation of the event notification and filtering action applied.

dos-broadcast-deauth – Tracks DoS broadcast deauthentication events
fuzzing-all-zero-macs – Tracks Fuzzing: All zero MAC addresses observed
fuzzing-invalid-frame-type – Tracks Fuzzing: Invalid frame type detected
fuzzing-invalid-mgmt-frames – Tracks Fuzzing: Invalid management frame detected
fuzzing-invalid-seq-num – Tracks Fuzzing: Invalid sequence number detected
identical-src-and-dest-addr – Tracks identical source and destination addresses detection
invalid-8021x-frames – Tracks Fuzzing: Invalid 802.1x frames detected
netstumbler-generic – Tracks Netstumbler (v3.2.0, 3.2.3, 3.3.0) events
non-conforming-data – Tracks non conforming data packets
wellenreiter – Tracks Wellenreiter events

filter-ageout <0-86400> – The following keywords are common to all of the above client anomaly events:
• filter-ageout <0-86400> – Optional. Configures the filter expiration interval in seconds
  • <0-86400> – Sets the filter ageout interval from 0 - 86400 seconds. The default is 0 seconds.
Note: For each violation define a filter time in seconds, which determines how long the packets (received from an attacking device) are ignored once a violation has been triggered. Ignoring frames from an attacking device minimizes the effectiveness of the attack and the impact to the site until permanent mitigation can be performed.
The filter ageout value is applicable across the entire RF Domain using this WIPS policy. If an MU is detected performing an attack and is filtered by one of the APs, the information is passed on to all APs and controllers within the RF Domain through the domain manager. Consequently the MU is filtered, for the specified period of time, across all devices.

• event enable-all-events

enable-all-events – Enables tracking of all intrusion events (client anomaly and excessive events)
![WIPS-POLICY, CLI Reference Guide 20 - 10](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-756.png)

• event excessive [80211-replay-check-failure|aggressive-scanning|auth-server-failures|decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-station] {filter-ageout [<0-86400>]|threshold-client [<0-5535>]|threshold-radio <0-65535>}

excessive – Enables the tracking of excessive events. Excessive events are actions performed continuously and repetitively. These events can impact the performance of the controller managed network. DoS attacks come under this category.

80211-replay-check-failure – Tracks 802.11 replay check failure
aggressive-scanning – Tracks aggressive scanning events
auth-server-failures – Tracks failures reported by authentication servers
decryption-failures – Tracks decryption failures
dos-assoc-or-auth-flood – Tracks DoS association or authentication floods
dos-eapol-start-storm – Tracks DoS EAPOL start storms
dos-unicast-deauth-or-disassoc – Tracks DoS dissociation or deauthentication floods
eap-flood – Tracks EAP floods
eap-nak-flood – Tracks EAP NAK floods
frames-from-unassoc-station – Tracks frames from unassociated clients

filter-ageout <0-86400> – The following keywords are common to all excessive events:
• filter-ageout <0-86400> – Optional. Configures a filter expiration interval in seconds. It sets the duration for which the client is filtered. The client is added to an ACL as a special entry and frames received from this client are dropped.
  • <0-86400> – Sets a filter ageout interval from 0 - 86400 seconds. The default is 0 seconds.
Note: This value is applicable across the RF Domain. If a client is detected performing an attack and is filtered by one of the APs, the information is passed to the domain controller. The domain controller then propagates this information to all APs and wireless controllers in the RF Domain.

threshold-client <0-65535> – The following keywords are common to all excessive events:
• threshold-client <0-65535> – Optional. Configures a client threshold value after which the filter is triggered and an event is recorded
  • <0-65535> – Sets a wireless client threshold value from 0 - 65535 seconds

threshold-radio <0-65535> – The following keywords are common to all excessive events:
• threshold-radio <0-65535> – Optional. Configures a radio threshold value after which the filter is triggered and an event is recorded
  • <0-65535> – Sets a radio threshold value from 0 - 65535 seconds
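The event syntax above is enough to audit a saved WIPS policy. This added example (not code from the guide or from Extreme Networks) checks the `event` lines of a `show context` dump against the documented names and ranges, and lists the events left at their disabled default. The function name `audit_wips_context` and the `SAMPLE` text are constructed for illustration, and it assumes a `filter-ageout` of 0 leaves the offending client unfiltered.

```python
"""Audit the 'event' lines of a WiNG WIPS policy 'show context' dump."""

# Event names and option ranges copied from the 'event' syntax on this page.
EVENTS = {
    "ap-anomaly": (
        "ad-hoc-violation airjack ap-ssid-broadcast-in-beacon asleap "
        "impersonation-attack null-probe-response "
        "transmitting-device-using-invalid-mac unencrypted-wired-leakage "
        "wireless-bridge"
    ).split(),
    "client-anomaly": (
        "dos-broadcast-deauth fuzzing-all-zero-macs fuzzing-invalid-frame-type "
        "fuzzing-invalid-mgmt-frames fuzzing-invalid-seq-num "
        "identical-src-and-dest-addr invalid-8021x-frames netstumbler-generic "
        "non-conforming-data wellenreiter"
    ).split(),
    "excessive": (
        "80211-replay-check-failure aggressive-scanning auth-server-failures "
        "decryption-failures dos-assoc-or-auth-flood dos-eapol-start-storm "
        "dos-unicast-deauth-or-disassoc eap-flood eap-nak-flood "
        "frames-from-unassoc-station"
    ).split(),
}
AGEOUT = {"filter-ageout": (0, 86400)}
OPTIONS = {
    "ap-anomaly": {},  # the syntax lists no options for AP anomaly events
    "client-anomaly": AGEOUT,
    "excessive": {**AGEOUT, "threshold-client": (0, 65535),
                  "threshold-radio": (0, 65535)},
}


def audit_wips_context(text):
    """Return findings for configured events plus the events never enabled."""
    findings, enabled = [], set()
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "event":
            continue  # only 'event ...' lines are audited here
        if tokens[1:] == ["enable-all-events"]:
            # Per the page: covers client anomaly and excessive events.
            for cat in ("client-anomaly", "excessive"):
                enabled.update((cat, name) for name in EVENTS[cat])
            continue
        if (len(tokens) < 3 or tokens[1] not in EVENTS
                or tokens[2] not in EVENTS[tokens[1]]):
            findings.append(("unknown-event", " ".join(tokens[1:3])))
            continue
        cat, name, rest = tokens[1], tokens[2], tokens[3:]
        label = f"{cat} {name}"
        enabled.add((cat, name))
        if len(rest) % 2:
            findings.append(("malformed-options", label))
            continue
        opts = dict(zip(rest[0::2], rest[1::2]))
        for key, value in opts.items():
            if key not in OPTIONS[cat]:
                findings.append(("unsupported-option", f"{label} {key}"))
                continue
            low, high = OPTIONS[cat][key]
            if not value.isdigit() or not low <= int(value) <= high:
                findings.append(("out-of-range", f"{label} {key}={value}"))
        # Assumption: the default of 0 seconds means the client is not filtered.
        ageout = opts.get("filter-ageout", "0")
        if ("filter-ageout" in OPTIONS[cat] and ageout.isdigit()
                and int(ageout) == 0):
            findings.append(("no-filter", label))
    not_enabled = sorted(f"{cat} {name}" for cat, names in EVENTS.items()
                         for name in names if (cat, name) not in enabled)
    return {"findings": findings, "not_enabled": not_enabled}


# Constructed sample, laid out like the 'show context' examples on this page.
SAMPLE = """\
wips-policy test
 history-throttle-duration 77
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 event excessive eap-flood threshold-client 70000
 event client-anomaly dos-broadcast-deauth
 event ap-anomaly airjack filter-ageout 30
 interference-event non-conforming-data
"""

if __name__ == "__main__":
    report = audit_wips_context(SAMPLE)
    for kind, detail in report["findings"]:
        print(f"{kind:20} {detail}")
    print(f"{len(report['not_enabled'])} documented events are not enabled")
```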


![WIPS-POLICY, CLI Reference Guide page 20 - 13](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-759.png)

20.1.5 interference-event
wips-policy

Specifies events contributing to the Smart RF WiFi interference calculations

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
interference-event [non-conforming-data|wireless-bridge]
```

Parameters

• interference-event [non-conforming-data|wireless-bridge]

- non-conforming-data – Considers non conforming data packets when calculating Smart RF interference
- wireless-bridge – Considers Wireless Bridge (WDS) frames when calculating Smart RF interference

Example

```
rfs6000-37FABE(config-wips-policy-test)#interference-event non-conforming-data
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 history-throttle-duration 77
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 interference-event non-conforming-data
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#
```

Related Commands

- no – Disables this WIPS policy signature as a Smart RF interference source
![WIPS-POLICY, CLI Reference Guide page 20 - 14](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-760.png)

20.1.6 no
wips-policy

Negates a command or resets configured settings to their default. When used in the config WIPS policy mode, the no command negates or resets filters and thresholds.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [ap-detection|enable|event|history-throttle-duration|interference-event|signature|use]
no [enable|history-throttle-duration]
no ap-detection {ageout {<LINE-SINK>}|air-termination|interferer-threshold <-100--10>|recurring-event-interval <0-10000>|wait-time {<LINE-SINK>}}
no event [ap-anomaly|client-anomaly|enable-all-events|excessive]
no event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|unencrypted-wired-leakage|wireless-bridge]
no event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|invalid-8021x-frames|netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>}
no event excessive [80211-replay-check-failure|aggressive-scanning|auth-server-failures|decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-station] {filter-ageout <0-86400>|threshold-client <0-65535>|threshold-radio <0-65535>}
no interference-event [non-conforming-data|wireless-bridge]
no signature <WIPS-SIGNATURE>
no use device-categorization
```

Parameters

• no <PARAMETERS>

- no <PARAMETERS> – Negates a command or resets configured settings to their default. When used in the config WIPS policy mode, the no command negates or resets filters and thresholds.

Usage Guidelines

The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.








![WIPS-POLICY, CLI Reference Guide page 20 - 23](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-769.png)

20.1.7.2.4 frame-type
signature mode commands

Configures the frame type used for matching with this WIPS policy signature

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
frame-type [all|assoc|auth|beacon|data|deauth|disassoc|mgmt|probe-req|probe-resp|reassoc]
```

Parameters

• frame-type [all|assoc|auth|beacon|data|deauth|disassoc|mgmt|probe-req|probe-resp|reassoc]

- frame-type – Configures the frame type used for matching
- all – Configures all frame type matching
- assoc – Configures association frame matching
- auth – Configures authentication frame matching
- beacon – Configures beacon frame matching
- data – Configures data frame matching
- deauth – Configures deauthentication frame matching
- disassoc – Configures disassociation frame matching
- mgmt – Configures management frame matching
- probe-req – Configures probe request frame matching
- probe-resp – Configures probe response frame matching
- reassoc – Configures re-association frame matching

Usage Guidelines

The frame type configured determines the SSID match type configured. To configure the SSID match type as SSID, the frame type must be beacon, probe-req or probe-resp.

Example

```
rfs6000-37FABE(config-test-signature-test)#frame-type reassoc
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  dst-mac 55-66-77-88-99-00
  frame-type reassoc
  filter-ageout 8
rfs6000-37FABE(config-test-signature-test)#
```

Related Commands

- no – Resets a WIPS signature frame type




![WIPS-POLICY, CLI Reference Guide page 20 - 28](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-774.png)

20.1.7.2.9 ssid-match
signature mode commands

Configures the SSID (and its character length) used for matching

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
ssid-match [ssid|ssid-len]
ssid-match [ssid <SSID>|ssid-len <0-32>]
```

Parameters

• ssid-match [ssid <SSID>|ssid-len <0-32>]

- ssid <SSID> – Specifies the SSID match string
  • <SSID> – Specify the SSID string.
  Note: Specify the correct SSID to ensure proper filtering.
- ssid-len <0-32> – Specifies the length of the SSID
  • <0-32> – Specify the SSID length from 0 - 32 characters.

Example

```
rfs6000-37FABE(config-test-signature-test)#ssid-match ssid PrinterLan
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  src-mac 00-1E-E5-EA-1D-60
  dst-mac 55-66-77-88-99-00
  frame-type beacon
  ssid-match ssid PrinterLan
  filter-ageout 8
  payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#
```

Related Commands

- no – Removes the configured SSID


![WIPS-POLICY, CLI Reference Guide page 20 - 31](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-777.png)

20.1.7.2.12 no
signature mode commands

Negates a command or resets settings to their default. When used in the config WIPS policy signature mode, the no command resets or removes WIPS signature settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [bssid|dst-mac|filter-ageout|frame-type|interference-event|mode|payload|src-mac|ssid-match|threshold-client|threshold-radio]
no [bssid|dst-mac|filter-ageout|frame-type|interference-event|mode enable|payload <1-3>|src-mac|ssid-match [ssid|ssid-len]|threshold-client|threshold-radio]
```

Parameters

• no <PARAMETERS>

- no <PARAMETERS> – Negates a command or resets settings to their default

Usage Guidelines

The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example

The following are the WIPS signature ‘test’ settings before the execution of the ‘no’ command:

```
rfs6000-37FABE(config-test-signature-test)#show context
 signature test
  bssid 11-22-33-44-55-66
  src-mac 00-1E-E5-EA-1D-60
  dst-mac 55-66-77-88-99-00
  frame-type beacon
  ssid-match ssid PrinterLan
  filter-ageout 8
  threshold-client 88
  threshold-radio 88
  payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#
```




![WLAN-QOS-POLICY, CLI Reference Guide page 21 - 3](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-782.png)

21.1.1 accelerated-multicast
wlan-qos-policy

Configures the accelerated multicast stream address and forwarding QoS classification settings

Enabling this option allows the system to automatically detect and convert multicast streams to unicast streams. When a stream is converted and queued up for transmission, there are a number of classification mechanisms that can be applied to the stream. Use the classification options to specify the traffic type to prioritize.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
accelerated-multicast [<IP>|autodetect]
accelerated-multicast [<IP>|autodetect] {classification [background|best-effort|trust|video|voice]}
```

Parameters

• accelerated-multicast [<IP>|autodetect] {classification [background|best-effort|trust|video|voice]}

- accelerated-multicast – Configures the accelerated multicast stream address and forwarding QoS classification
- <IP> – Configures a multicast IP address in the A.B.C.D format. The system can configure up to 32 IP addresses for each WLAN QoS policy
- autodetect – Allows the system to automatically detect multicast streams to be accelerated. This parameter allows the system to convert multicast streams to unicast, or to specify multicast streams converted to unicast.
- classification – Optional. Configures the QoS classification (traffic class) settings. When the stream is converted and queued for transmission, specify the type of classification applied to the stream. The options are: background, best-effort, trust, voice, and video.
- background – Forwards streams with background (low) priority. This parameter is common to both <IP> and autodetect.
- best-effort – Forwards streams with best effort (normal) priority. This parameter is common to both <IP> and autodetect.
- trust – No change to the stream's forwarding traffic class. This parameter is common to both <IP> and autodetect.
- video – Forwards streams with video traffic priority. This parameter is common to both <IP> and autodetect.
- voice – Forwards streams with voice traffic priority. This parameter is common to both <IP> and autodetect.

![WLAN-QOS-POLICY, CLI Reference Guide page 21 - 5](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-784.png)

21.1.2 classification
wlan-qos-policy

Specifies how traffic on this WLAN is classified. This classification is based on relative prioritization on the radio.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
classification [low|non-unicast|non-wmm|normal|video|voice|wmm]
classification [low|normal|video|voice|wmm]
classification non-unicast [voice|video|normal|low|default]
classification non-wmm [voice|video|normal|low]
```

Parameters

• classification [low|normal|video|voice|wmm]

- low – Optimized for background traffic. Implies all traffic on this WLAN is low priority on the radio
- normal – Optimized for best effort traffic. Implies all traffic on this WLAN is prioritized as best effort traffic on the radio
- video – Optimized for video traffic. Implies all traffic on this WLAN is prioritized as video traffic on the radio
- voice – Optimized for voice traffic. Implies all traffic on this WLAN is prioritized as voice traffic on the radio
- wmm – Uses WMM based classification, using DSCP or 802.1p tags, to classify traffic into different queues
  Implies WiFi Multimedia QoS extensions are enabled on this radio. This allows different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic (voice, video etc). The WMM classification supports high throughput data rates required for 802.11n device support. This is the default setting.

• classification non-unicast [voice|video|normal|low|default]

- non-unicast – Optimized for non-unicast traffic. Implies all traffic on this WLAN is designed for broadcast or multiple destinations
- video – Optimized for non-unicast video traffic. Implies all WLAN non-unicast traffic is classified and treated as video packets
- voice – Optimized for non-unicast voice traffic. Implies all WLAN non-unicast traffic is classified and treated as voice packets
- normal – Optimized for non-unicast best effort traffic. Implies all WLAN non-unicast traffic is classified and treated as normal priority packets (best effort).
![WLAN-QOS-POLICY, CLI Reference Guide page 21 - 6](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-785.png)

- low – Optimized for non-unicast background traffic. Implies all WLAN non-unicast traffic is classified and treated as low priority packets (background)
- default – Uses the default classification mode (same as unicast classification if WMM is disabled, normal if unicast classification is WMM). This is the default setting.

• classification non-wmm [voice|video|normal|low]

- non-wmm – Specifies how traffic from non-WMM clients is classified
- voice – Optimized for non-WMM voice traffic. Implies all WLAN non-WMM client traffic is classified and treated as voice packets
- video – Optimized for non-WMM video traffic. Implies all WLAN non-WMM client traffic is classified and treated as video packets
- normal – Optimized for non-WMM best effort traffic. Implies all WLAN non-WMM client traffic is classified and treated as normal priority packets (best effort). This is the default setting.
- low – Optimized for non-WMM background traffic. Implies all WLAN non-WMM client traffic is classified and treated as low priority packets (background)

Example

```
rfs6000-37FABE(config-wlan-qos-test)#classification wmm
rfs6000-37FABE(config-wlan-qos-test)#classification non-wmm video
rfs6000-37FABE(config-wlan-qos-test)#classification non-unicast normal
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
```
![WLAN-QOS-POLICY, CLI Reference Guide page 21 - 7](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-786.png)

21.1.3 multicast-mask
wlan-qos-policy

Configures an egress prioritization multicast mask for this WLAN QoS policy

Normally all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode wake to check for frames. However, for certain applications and traffic types, the administrator may want the frames transmitted immediately, without waiting for the DTIM interval. By configuring a primary or secondary prioritization multicast mask, the network administrator can indicate which packets are transmitted immediately.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
multicast-mask [primary|secondary] <MAC/MASK>
```

Parameters

• multicast-mask [primary|secondary] <MAC/MASK>

- primary <MAC/MASK> – Configures the primary egress prioritization multicast mask
  • <MAC/MASK> – Provide the MAC address and the mask in the AA-BB-CC-DD-EE-FF/XX-XX-XX-XX-XX-XX format. The default value is 00-00-00-00-00-00/FF-FF-FF-FF-FF-FF.
  Note: Setting masks is optional and only needed if there are traffic types requiring special handling.
- secondary <MAC/MASK> – Configures the secondary egress prioritization multicast mask
  • <MAC/MASK> – Provide the MAC address and the mask in the AA-BB-CC-DD-EE-FF/XX-XX-XX-XX-XX-XX format. The default value is 00-00-00-00-00-00/FF-FF-FF-FF-FF-FF.

Example

```
rfs6000-37FABE(config-wlan-qos-test)#multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
```
![WLAN-QOS-POLICY, CLI Reference Guide page 21 - 8](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-787.png)

21.1.4 no
wlan-qos-policy

Negates a command or resets settings to their default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [accelerated-multicast|classification|multicast-mask|qos|rate-limit|svp-prioritization|voice-prioritization|wmm]
no [accelerated-multicast [<IP>|autodetect]|classification {non-unicast|non-wmm}|multicast-mask [primary|secondary]|qos trust [dscp|wmm]|svp-prioritization|voice-prioritization]
no rate-limit [client|wlan] [from-air|to-air] {max-burst-size|rate|red-threshold}
no rate-limit [client|wlan] [from-air|to-air] {max-burst-size|rate|red-threshold [background|best-effort|video|voice]}
no wmm [background|best-effort|power-save|qbss-load-element|video|voice]
no wmm [power-save|qbss-load-element]
no wmm [background|best-effort|video|voice] [aifsn|cw-max|cw-min|txop-limit]
```

Parameters

• no <PARAMETERS>

- no <PARAMETERS> – Negates a command or resets settings to their default

Example

The following example shows the WLAN QoS Policy ‘test’ settings before the ‘no’ commands are executed:

```
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
rfs6000-37FABE(config-wlan-qos-test)#no classification non-wmm
rfs6000-37FABE(config-wlan-qos-test)#no multicast-mask primary
rfs6000-37FABE(config-wlan-qos-test)#no qos trust dscp
```

The following example shows the WLAN QoS Policy ‘test’ settings after the ‘no’ commands are executed:

```
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-unicast normal
 no qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
```
![WLAN-QOS-POLICY, CLI Reference Guide page 21 - 9](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-788.png)

21.1.5 qos
wlan-qos-policy

Enables QoS on this WLAN

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
qos trust [dscp|wmm]
```

Parameters

• qos trust [dscp|wmm]

- trust [dscp|wmm] – Trusts the QoS values of ingressing packets. Both these options are enabled by default.
  • dscp – Trusts the IP DSCP values of ingressing packets
  • wmm – Trusts the 802.11 WMM QoS values of ingressing packets

Example

```
rfs6000-37FABE(config-wlan-qos-test)#qos trust wmm
rfs6000-37FABE(config-wlan-qos-test)#qos trust dscp
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
```
![WLAN-QOS-POLICY, CLI Reference Guide page 21 - 10](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-789.png)

21.1.6 rate-limit
wlan-qos-policy

Configures the WLAN traffic rate limits using the WLAN QoS policy

Excessive traffic can cause performance issues or bring down the network entirely. Excessive traffic can be caused by numerous sources including network loops, faulty devices or malicious software such as a worm or virus that has infected one or more devices at the branch. Rate limiting limits the maximum rate sent to or received from the wireless network (and WLAN) per wireless client. It prevents any single user from overwhelming the wireless network. It can also provide differential service for service providers.

The uplink and downlink rate limits are usually configured on a RADIUS server using vendor specific attributes. Rate limits are extracted from the RADIUS server’s response. When such attributes are not present, settings defined on the controller (access point, wireless controller, or service platform) are applied. An administrator can set separate QoS rate limits for upstream (data transmitted from the managed network) and downstream (data transmitted to the managed network).

Before defining rate limit thresholds for WLAN upstream and downstream traffic, it is recommended that you define the normal number of ARP, broadcast, multicast and unknown unicast packets that typically transmit and receive from each supported WMM access category. If thresholds are defined too low, normal network traffic (required by end-user devices) is dropped, resulting in intermittent outages and performance problems.

Connected wireless clients can also have QoS rate limit settings defined in both the upstream and downstream direction.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
rate-limit [client|wlan] [from-air|to-air] {max-burst-size|rate|red-threshold}
rate-limit [client|wlan] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}
rate-limit [client|wlan] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}
```

Parameters

• rate-limit [client|wlan] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}

- rate-limit – Configures traffic rate limit parameters
- client – Configures traffic rate limiting parameters on a per-client basis
- wlan – Configures traffic rate limiting parameters on a per-WLAN basis
- from-air – Configures traffic rate limiting from a wireless client to the network
- to-air – Configures the traffic rate limit from the network to a wireless client
![WLAN-QOS-POLICY, CLI Reference Guide page 21 - 11](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-790.png)

- max-burst-size <2-1024> – Optional. Sets the maximum burst size from 2 - 1024 kbytes. The chances of the upstream or downstream packet transmission getting congested for the WLAN’s client destination are reduced for smaller burst sizes. The default values are:
  - WLAN ‘to-air’ and ‘from-air’: 320 kbytes
  - Client ‘to-air’ and ‘from-air’: 64 kbytes
  The smaller the burst, the lower the chance of upstream packet transmission resulting in congestion for the WLAN’s client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should then add a 10% margin (minimally) to allow for traffic bursts at the site.
- rate <50-1000000> – Optional. Sets the traffic rate from 50 - 1000000 Kbps. This limit is the threshold value for the maximum number of packets received or transmitted over the WLAN from all access categories. Any traffic that exceeds the specified rate is dropped and a log message is generated. The default values are:
  - WLAN ‘to-air’ and ‘from-air’: 5000 kbytes
  - Client ‘to-air’ and ‘from-air’: 1000 kbytes

• rate-limit [client|wlan] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

- rate-limit – Configures traffic rate limit parameters
- client – Configures traffic rate limiting parameters on a per-client basis
- wlan – Configures traffic rate limiting parameters on a per-WLAN basis
- from-air – Configures traffic rate limiting from a wireless client to the network
- to-air – Configures the traffic rate limit from the network to a wireless client
- red-threshold – Configures random early detection threshold values for a designated traffic class
- background <0-100> – Optional. Sets the maximum burst size from 2 - 1024 kbytes. The chances of the upstream or downstream packet transmission getting congested for the WLAN’s client destination are reduced for smaller burst sizes. The default values are:
  - WLAN ‘to-air’ and ‘from-air’: 320 kbytes
  - Client ‘to-air’ and ‘from-air’: 64 kbytes
  The smaller the burst, the lower the chance of upstream packet transmission resulting in congestion for the WLAN’s client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should then add a 10% margin (minimally) to allow for traffic bursts at the site.
- best-effort <0-100> – The following is common to the ‘from-air’ and ‘to-air’ parameters: Optional. Sets a percentage value for best effort traffic in the upstream or downstream direction. Best effort traffic exceeding the defined threshold is dropped and a log message is generated. The default threshold values are:
  - WLAN ‘to-air’ and ‘from-air’: 50%
  - Client ‘to-air’ and ‘from-air’: 50%



![WLAN-QOS-POLICY, CLI Reference Guide page 21 - 15](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-794.png)

21.1.9 wmm
wlan-qos-policy

Configures 802.11e/Wireless Multimedia (WMM) parameters for this WLAN QoS policy

WMM makes it possible for both home networks and enterprises to decide which data streams are most important and assign them a higher traffic priority.

WMM’s prioritization capabilities are based on the four access categories (background, best-effort, video, and voice). The higher the Access Category (AC), the higher the transmission probability over the controller managed WLAN. ACs correspond to the 802.1d priorities, facilitating interoperability with QoS policy management mechanisms. WMM enabled controllers coexist with legacy devices (not WMM-enabled).

Packets not assigned to a specific access category are categorized as best effort by default. Applications assign each data packet to a given access category. Categorized packets are added to one of four independent transmit queues (one per access category). The client has an internal collision resolution mechanism to address collision among different queues, which selects the frames with the highest priority to transmit.

The same mechanism deals with external collision, to determine which client should be granted the Opportunity to Transmit (TXOP). The collision resolution algorithm responsible for traffic prioritization is probabilistic and depends on two timing parameters that vary for each access category. These parameters are:
• The minimum interframe space, or Arbitrary Inter-Frame Space Number (AIFSN)
• The contention window, sometimes referred to as the random back off wait

Both values are smaller for high-priority traffic. The value of the contention window varies through time. Initially the contention window is set to a value that depends on the AC. As frames with the highest AC tend to have the lowest back off values, they are more likely to get a TXOP.

After each collision the contention window is doubled until a maximum value (also dependent on the AC) is reached. After successful transmission, the contention window is reset to its initial, AC-dependent value. The AC with the lowest back off value gets the TXOP.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
wmm [background|best-effort|power-save|qbss-load-element|video|voice]
wmm [power-save|qbss-load-element]
wmm [background|best-effort|video|voice] [aifsn <2-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]
```

Parameters

• wmm [power-save|qbss-load-element]

- wmm – Configures 802.11e/wireless multimedia parameters
![WLAN-QOS-POLICY, CLI Reference Guide page 21 - 16](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-795.png)

- power-save – Enables support for the WMM-Powersave mechanism. This mechanism, also known as Unscheduled Automatic Power Save Delivery (U-APSD), is specifically designed for WMM voice devices. This feature is enabled by default.
- qbss-load-element – Enables support for the QOS Basic Service Set (QBSS) load information element in beacons and probe response packets advertised by access points. This feature is enabled by default.

• wmm [background|best-effort|video|voice] [aifsn <2-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]

- wmm – Configures 802.11e/wireless multimedia parameters. This parameter enables the configuration of four access categories. Applications assign each data packet to one of these four access categories and queue them for transmission.
- background – Configures background access category parameters
- best-effort – Configures best effort access category parameters. Packets not assigned to any particular access category are categorized by default as having best effort priority
- video – Configures video access category parameters
- voice – Configures voice access category parameters
- aifsn <2-15> – Configures Arbitrary Inter-Frame Space Number (AIFSN) from 2 - 15. AIFSN is the wait time between data frames. This parameter is common to background, best effort, video and voice.
  The default for traffic voice categories is 2
  The default for traffic video categories is 2
  The default for traffic best effort (normal) categories is 3
  The default for traffic background (low) categories is 7
  • <2-15> – Sets a value from 2 - 15
- cw-max <0-15> – Configures the maximum contention window. Wireless clients pick a number between 0 and the minimum contention window to wait before retransmission. Wireless clients then double their wait time on a collision, until it reaches the maximum contention window. This parameter is common to background, best effort, video and voice.
  The default for traffic voice categories is 3
  The default for traffic video categories is 4
  The default for traffic best effort (normal) categories is 10
  The default for traffic background (low) categories is 10
  • <0-15> – ECW: the contention window. The actual value used is (2^ECW - 1). Set a value from 0 - 15.





![L2TPV3-POLICY, CLI Reference Guide page 22 - 5](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-801.png)

22.1.1 cookie-size

l2tpv3-policy-commands

Configures the size of the cookie field present in each L2TPv3 data packet. L2TPv3 data packets contain a session cookie that identifies the session (pseudowire) corresponding to it. In a tunnel, the cookie is a 4-byte or 8-byte signature shared between the two tunnel endpoints. This signature is configured at both the source and destination routers. If the signatures at both ends do not match, the data is dropped. All sessions within a tunnel have the same session cookie size.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

cookie-size [0|4|8]

Parameters

• cookie-size [0|4|8]

cookie-size [0|4|8] – Configures the cookie-field size for each data packet. Select one of the following options:
  • 0 – No cookie field present in each L2TPv3 data message (this is the default setting)
  • 4 – 4 byte cookie field present in each L2TPv3 data message
  • 8 – 8 byte cookie field present in each L2TPv3 data message

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#cookie-size 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 cookie-size 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no – Resets the cookie-field size to its default (0 - no cookie field present in each L2TPv3 data packet)



![L2TPV3-POLICY, CLI Reference Guide page 22 - 9](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-805.png)

22.1.5 no

l2tpv3-policy-commands

Negates or reverts L2TPv3 policy settings to default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [cookie-size|failover-delay|force-l2-path-recovery|hello-interval|reconnect-attempts|reconnect-interval|retry-attempts|retry-interval|rx-window-size|tx-window-size]

Parameters

• no <PARAMETERS>

no <PARAMETERS> – Negates or reverts L2TPv3 policy settings to default

Example

The following example shows the l2tpv3 policy ‘L2TPV3Policy1’ settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 reconnect-interval 100
 reconnect-attempts 50
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no hello-interval
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no reconnect-attempts
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no reconnect-interval
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no retry-attempts
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no retry-interval
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no cookie-size

The following example shows the l2tpv3 policy ‘L2TPV3Policy1’ settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#







![L2TPV3-POLICY, CLI Reference Guide page 22 - 17](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-813.png)

22.2.1 establishment-criteria

l2tpv3-tunnel-commands

Configures L2TPv3 tunnel establishment criteria

A L2TPv3 tunnel is established from the current device to the NOC controller when the current device becomes the VRRP master, cluster master, or RF Domain manager. Similarly, the L2TPv3 tunnel is closed when the current device switches to standby or backup mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]

Parameters

• establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]

always – Always establishes a L2TPv3 tunnel from the current device to the NOC controller. This is the default setting.
  The ‘always’ option indicates the device need not be a cluster-master, rf-domain-manager, or vrrp-master to establish a tunnel.

cluster-master – Establishes a L2TPv3 tunnel from the current device to the NOC controller, only when the current device becomes the cluster master
  Note: The L2TPv3 tunnel is closed when the current device switches back to the standby or backup mode.

rf-domain-manager – Establishes a L2TPv3 tunnel from the current device to the NOC controller, only when the current device becomes the RF Domain manager
  Note: The L2TPv3 tunnel is closed when the current device switches back to the standby or backup mode.

vrrp-master <1-255> – Establishes a L2TPv3 tunnel from the current device to the NOC controller, only when the current device becomes the VRRP master
  • <1-255> – Specify the VRRP group number from 1 - 255.
  Note: The L2TPv3 tunnel is closed when the current device switches back to the standby or backup mode.





![L2TPV3-POLICY, CLI Reference Guide page 22 - 23](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-819.png)

22.2.6 no

l2tpv3-tunnel-commands

Negates or reverts a L2TPv3 tunnel’s settings to default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [establishment-criteria|fast-failover|hostname|local-ip-address|mtu|peer <1-2>|router-id|session|use]

Parameters

• no <PARAMETERS>

no <PARAMETERS> – Negates or reverts a L2TPv3 tunnel’s settings to default

Example

The tunnel settings before the ‘no’ command is executed:

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  local-ip-address 172.16.10.2
  mtu 1280
  hostname TunnelHost1
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

The tunnel settings after the ‘no’ command is executed:

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#no local-ip-address
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#no mtu
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#no hostname
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#
![L2TPV3-POLICY, CLI Reference Guide page 22 - 24](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-820.png)

22.2.7 peer

l2tpv3-tunnel-commands

Configures the L2TPv3 tunnel’s peers. At least one peer must be specified.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

peer <1-2> {hostname|ip-address|ipsec-secure|router-id|udp}
peer <1-2> {hostname [<HOSTNAME>|any]} {ipsec-secure|router-id|udp}
peer <1-2> {ip-address <IP>} {hostname|ipsec-secure|router-id|udp}
peer <1-2> {ipsec-secure} {gw [<IP>|<WORD>]}
peer <1-2> {router-id [<IP>|<WORD>|any]} {ipsec-secure|udp}
peer <1-2> {udp} {ipsec-secure|port <1-65535>}

Parameters

• peer <1-2> {hostname [<HOSTNAME>|any]} {ipsec-secure|router-id|udp}

peer <1-2> – Configures the tunnel’s peer ID
  • <1-2> – Specify the ID from 1 - 2. The peer ID identifies the primary (ID 1) and secondary (ID 2) peers. The L2TPv3 tunnel is established with the primary peer. The secondary peer is used for tunnel failover. If the peer is not specified, tunnel establishment does not occur.
  Note: At any time the tunnel is established with only one peer, unless fast-failover support is configured on the L2TPv3 tunnel. For more information, see fast-failover.

hostname [<HOSTNAME>|any] – Optional. Configures the peers’ hostname. The hostname options are:
  • <HOSTNAME> – Specifies the hostname as Fully Qualified Domain Name (FQDN) or partial DN or any other name
  • any – Peer name is not specified. If the hostname is ‘any’ this tunnel is considered as responder only and will allow incoming connection from any host.

ipsec-secure {gw [<IP>|<WORD>]} – After specifying the peer hostname, optionally specify the IPSec settings:
  • ipsec-secure – Optional. Enables auto IPSec on the L2TPv3 tunnel
  • gw – Optional. Configures the IPSec gateway. Use one of the following options to configure the IPSec gateway:
    • <IP> – Configures IPSec gateway’s IP address
    • <WORD> – Configures IPSec gateway’s hostname

router-id [<IP>|<WORD>|any] – After specifying the peer hostname, optionally specify router ID settings:
  • router-id – Optional. Configures the peer’s router ID in one of the following formats:
    • <IP> – Peer router ID in the IP address (A.B.C.D) format
    • <WORD> – Peer router ID range (for example, 100-120)
    • any – Peer router ID is not specified. This allows incoming connection from any router ID.
![L2TPV3-POLICY, CLI Reference Guide page 22 - 25](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-821.png)

udp {ipsec-secure gw|port <1-65535> {ipsec-secure}} – After specifying the peer hostname, optionally specify UDP settings:
  The UDP option configures the encapsulation mode for this tunnel.
  • UDP – Optional. Configures UDP encapsulation (default encapsulation is IP)
  • ipsec-secure gw – Optional. Enables auto IPSec
  • port <1-65535> {ipsec-secure} – Optional. Configures the peer’s UDP port running the L2TPv3 service from 1 - 65535. After specifying the peer UDP port, optionally configure the IPSec settings.

• peer <1-2> {ip-address <IP>} {hostname|ipsec-secure|router-id|udp}

peer <1-2> – Configures the tunnel’s peer ID from 1 - 2. At any time the tunnel is established with only one peer.

ip-address <IP> – Optional. Configures the peer’s IP address in the A.B.C.D format
  • <IP> – Specify the peer’s IP address.

hostname [<FQDN>|any] – After specifying the peer IP address, optionally specify the peer’s hostname:
  • hostname – Optional. Configures the peers’ hostname. The hostname options are:
    • <FQDN> – Specifies the hostname as FQDN or partial DN
    • any – Peer name is not specified. If the hostname is ‘any’ this tunnel is considered as responder only and will allow incoming connection from any host.

ipsec-secure {gw [<IP>|<WORD>]} – After specifying the peer IP address, optionally specify the IPSec settings:
  • ipsec-secure – Optional. Enables auto IPSec
  • gw – Optional. Configures the IPSec gateway. Use one of the following options to configure the IPSec gateway:
    • <IP> – Configures IPSec gateway’s IP address
    • <WORD> – Configures IPSec gateway’s hostname

router-id [<A.B.C.D>|<WORD>|any] – After specifying the peer IP address, optionally specify the router ID using one of the following options:
  • router-id – Optional. Configures the peer’s router-id in one of the following formats:
    • <A.B.C.D> – Peer router ID in the IP address (A.B.C.D) format
    • <WORD> – Peer router ID range (for example, 100-120)
    • any – Peer router ID is not specified. This allows incoming connection from any router ID.

udp {ipsec-secure gw|port <1-65535> {ipsec-secure}} – After specifying the peer IP address, optionally specify the peer’s UDP port settings:
  The UDP option configures the encapsulation mode for this tunnel.
  • UDP – Optional. Configures UDP encapsulation (default encapsulation is IP)
  • ipsec-secure gw – Optional. Enables auto IPSec
  • port <1-65535> – Optional. Configures the peer’s UDP port running the L2TPv3 service from 1 - 65535. After specifying the peer UDP port, optionally configure the IPSec settings.

• peer <1-2> {ipsec-secure} {gw [<IP>|<WORD>]}

peer <1-2> – Configures the tunnel’s peer ID from 1 - 2. At any time the tunnel is established with only one peer.
![L2TPV3-POLICY, CLI Reference Guide page 22 - 26](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-822.png)

ipsec-secure {gw [<IP>|<WORD>]} – Optional. Enables auto IPSec for this peer
  • gw – Optional. Configures the IPSec gateway. Use one of the following options to configure the IPSec gateway:
    • <IP> – Configures IPSec gateway’s IP address
    • <WORD> – Configures IPSec gateway’s hostname

• peer <1-2> {router-id [<IP>|<WORD>|any]} {ipsec-secure|udp}

peer <1-2> – Configures the tunnel peer ID from 1 - 2. At any time the tunnel is established with only one peer.

router-id [<A.B.C.D>|<WORD>|any] – Optional. Configures the peer’s router-id in one of the following formats:
  • <A.B.C.D> – Peer router ID in the IP address (A.B.C.D) format
  • <WORD> – Peer router ID range (for example, 100-120)
  • any – Peer router ID is not specified. This allows incoming connection from any router ID.

ipsec-secure {gw [<IP>|<WORD>]} – After specifying the peer’s router ID, optionally specify the IPSec settings.
  • ipsec-secure – Optional. Enables auto IPSec
  • gw – Optional. Configures the IPSec gateway. Use one of the following options to configure the IPSec gateway:
    • <IP> – Configures IPSec gateway’s IP address
    • <WORD> – Configures IPSec gateway’s hostname

udp {ipsec-secure gw|port <1-65535> {ipsec-secure}} – After specifying the peer’s router ID, optionally specify the IPSec settings.
  The UDP option configures the encapsulation mode for this tunnel.
  • UDP – Optional. Configures UDP encapsulation (default encapsulation is IP)
  • ipsec-secure gw – Optional. Enables auto IPSec
  • port <1-65535> – Optional. Configures the peer’s UDP port running the L2TPv3 service from 1 - 65535. After specifying the peer UDP port, optionally configure the IPSec settings.

• peer <1-2> {udp} {ipsec-secure|port <1-65535>}

peer <1-2> – Configures the tunnel peer ID from 1 - 2. At any time the tunnel is established with only one peer.

udp {ipsec-secure|port <1-65535> {ipsec-secure}} – Optional. Configures UDP encapsulation for this tunnel’s peer (default encapsulation is IP)
  • ipsec-secure – Optional. Configures IPSec gateway on this peer UDP port
  • port <1-65535> – Optional. Configures the peer’s UDP port running the L2TPv3 service from 1 - 65535. After specifying the peer UDP port, optionally configure the IPSec settings.
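The peer options above decide which hosts may bring up a tunnel and whether it is protected by IPSec, so they are worth checking in exported configuration. The following Python script is an added example, not part of the Extreme Networks guide: it scans `show context`-style text for peers set to `hostname any` or `router-id any`, peers without `ipsec-secure`, and tunnels whose policy leaves `cookie-size` at 0. The sample configuration is constructed, and the one-statement-per-line layout, function names and finding names are assumptions.

```python
import re

# Constructed sample modeled on the `show context` output in this guide.
# One statement per indented line is an assumption about the CLI's layout.
SAMPLE_CONTEXT = """\
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
l2tpv3 policy L2TPV3Policy2
 cookie-size 8
l2tpv3 tunnel Tunnel1
 peer 1 hostname any udp port 100
 peer 2 ip-address 192.0.2.10 router-id any ipsec-secure
 use l2tpv3-policy L2TPV3Policy1
 session s1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1
l2tpv3 tunnel Tunnel2
 peer 1 ip-address 192.0.2.20 hostname noc1.example.com ipsec-secure gw 192.0.2.1
 use l2tpv3-policy L2TPV3Policy2
 session s2 pseudowire-id 5001 traffic-source vlan 30
"""

HEADER = re.compile(r"l2tpv3 (policy|tunnel) (\S+)$")


def parse_context(text):
    """Split the text into {policy: statements} and {tunnel: statements}."""
    policies, tunnels = {}, {}
    current, header_indent = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        header = HEADER.match(line)
        if header:
            kind, name = header.groups()
            store = policies if kind == "policy" else tunnels
            current, header_indent = store.setdefault(name, []), indent
        elif current is not None and indent > header_indent:
            current.append(line.split())
        else:
            current = None  # left the l2tpv3 block
    return policies, tunnels


def cookie_size(policy_statements):
    """Cookie size set by a policy; 0 (no cookie field) is the guide's default."""
    for words in policy_statements:
        if words[0] == "cookie-size" and len(words) == 2:
            return int(words[1])
    return 0


def option_value(opts, key):
    """Return the word that follows `key` in a peer statement, or None."""
    if key in opts:
        i = opts.index(key)
        if i + 1 < len(opts):
            return opts[i + 1]
    return None


def audit(text):
    """Return (tunnel, scope, finding) tuples for settings worth reviewing."""
    policies, tunnels = parse_context(text)
    findings = []
    for tunnel, statements in tunnels.items():
        policy = None
        for words in statements:
            if words[:2] == ["use", "l2tpv3-policy"] and len(words) == 3:
                policy = words[2]
        # Assumption: a tunnel with no visible policy gets the default cookie-size 0.
        if cookie_size(policies.get(policy, [])) == 0:
            findings.append((tunnel, "policy", "cookie-size-0"))
        for words in statements:
            if words[0] != "peer" or len(words) < 2:
                continue
            peer, opts = "peer " + words[1], words[2:]
            if option_value(opts, "hostname") == "any":
                findings.append((tunnel, peer, "hostname-any"))  # any host may connect
            if option_value(opts, "router-id") == "any":
                findings.append((tunnel, peer, "router-id-any"))  # any router ID accepted
            if "ipsec-secure" not in opts:
                findings.append((tunnel, peer, "no-ipsec-secure"))  # auto IPSec not enabled
    return findings


if __name__ == "__main__":
    for tunnel, scope, finding in audit(SAMPLE_CONTEXT):
        print(f"{tunnel}: {scope}: {finding}")
```
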

![L2TPV3-POLICY, CLI Reference Guide page 22 - 28](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-824.png)

22.2.8 router-id

l2tpv3-tunnel-commands

Configures the tunnel’s local router ID

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

router-id [<1-4294967295>|<IP>]

Parameters

• router-id [<1-4294967295>|<IP>]

router-id [<1-4294967295>|<IP>] – Configures the tunnel’s local router ID in one of the following formats:
  • <1-4294967295> – Router ID in the number format (from 1 - 4294967295)
  • <IP> – Router ID in IP address format (A.B.C.D)

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#router-id 2000
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  peer 2 hostname tunnel1peer1 udp port 100
  router-id 2000
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no – Removes the tunnel’s router ID
![L2TPV3-POLICY, CLI Reference Guide page 22 - 29](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-825.png)

22.2.9 session

l2tpv3-tunnel-commands

Configures a session’s pseudowire ID, which describes the session’s purpose. The session established message sends this pseudowire ID to the L2TPv3 peer.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

session <L2TPV3-SESSION-NAME> [pseudowire-id|rate-limit]
session <L2TPV3-SESSION-NAME> pseudowire-id <1-4294967295> traffic-source vlan <VLAN-ID-RANGE> {native-vlan <1-4094>}
session <L2TPV3-SESSION-NAME> rate-limit [egress|ingress] rate <50-1000000> max-burst-size <2-1024>

Parameters

• session <L2TPV3-SESSION-NAME> pseudowire-id <1-4294967295> traffic-source vlan <VLAN-ID-RANGE> {native-vlan <1-4094>}

session <L2TPV3-SESSION-NAME> – Configures this session’s name
  • <L2TPV3-SESSION-NAME> – Specify the L2TPV3 session name (should not exceed 31 characters in length). A tunnel is usable only if it has one or more session(s) (having specific session names) configured. The L2TPv3 tunnel has no idle timeout, it closes when the last tunnel session is closed.

pseudowire-id <1-4294967295> – Configures the pseudowire ID for this session from 1 - 4204067295
  A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire is needed to encapsulate and tunnel layer 2 protocols across a layer 3 network.

traffic-source vlan <VLAN-ID-RANGE> – Configures VLAN as the traffic source for this tunnel
  • <VLAN-ID-RANGE> – Configures VLAN range list of traffic source. Specify the VLAN IDs as a range (for example, 10-20, 25, 30-35).

native-vlan <1-4094> – Optional – Configures the native VLAN ID for this session, which is not tagged
  • <1-4094> – Specify the native VLAN ID from 1 - 4094.

• session <L2TPV3-SESSION-NAME> rate-limit [egress|ingress] rate <50-1000000> max-burst-size <2-1024>

session <L2TPV3-SESSION-NAME> – Configures this session’s name
  • <L2TPV3-SESSION-NAME> – Specify the L2TPV3 session name (should not exceed 31 characters in length). A tunnel is usable only if it has one or more session(s) (having specific session names) configured. The L2TPv3 tunnel has no idle timeout, it closes when the last tunnel session is closed.
![L2TPV3-POLICY, CLI Reference Guide page 22 - 30](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-826.png)

rate-limit [egress|ingress] – Configures a rate for incoming and/or outgoing traffic on this L2TPv3 tunnel. When configured, this option limits the rate at which data is sent to or received from L2TPv3 tunnel members.
  • egress – Applies the specified rate to outbound traffic, from the L2TPv3 tunnel (going out from access points, wireless controllers, and service platforms) to the network
  • ingress – Applies the specified rate to inbound traffic, from the network to the L2TPV3 tunnel (coming in to access points, wireless controllers, and service platforms)

rate <50-1000000> – Specify the data rate, in kilobits per second, for the incoming and/or outgoing traffic
  • <50-1000000> – Specify a value from 50 - 1000000 kbps. The default is 5000 Kbps.

max-burst-size <2-1024> – Configures the maximum burst size, in kilobytes, for incoming/outgoing traffic rate limiting (depending on the direction selected) on a L2TPv3 tunnel.
  • <2-1024> – Specify the maximum burst size from 2 - 1024 kbytes. The smaller the burst size, the lower the chances of the upstream packet transmission resulting in congestion of the L2TPv3 tunnel traffic. The default setting is 320 kbytes.

Usage Guidelines

The working status of a pseudowire is reflected by the state of the L2TPv3 session. If the corresponding session is L2TPv3 down, the pseudowire associated with it must be shut down.

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#session tunnel1peer1session1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  peer 2 hostname tunnel1peer1 udp port 100
  session tunnel1peer1session1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1
  router-id 2000
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no – Removes a session
![L2TPV3-POLICY, CLI Reference Guide page 22 - 31](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-827.png)

22.2.10 use

l2tpv3-tunnel-commands

Configures a tunnel to use a specified L2TPv3 tunnel policy and specified critical resources

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

use [critical-resource|l2tpv3-policy]
use critical-resource <CRM-NAME1> {<CRM-NAME2>} {<CRM-NAME3>} {<CRM-NAME4>}
use l2tpv3-policy <L2TPV3-POLICY-NAME>

Parameters

• use critical-resource <CRM-NAME1> {<CRM-NAME2>} {<CRM-NAME3>} {<CRM-NAME4>}

use critical-resource <CRM-NAME1> {<CRM-NAME2>} {<CRM-NAME3>} {<CRM-NAME4>} – Specifies the critical resource(s) to use with this tunnel
  • <CRM-NAME1> – Specify the first critical resource name (should be existing).
  • <CRM-NAME2/3/4> – Optional. Specify the second/third/fourth critical resource names. Maximum of four critical resources can be monitored.
  Note: In case of tunnel initiator, L2TPv3 tunnel is established only if the critical resources identified by the <CRM-NAME1> ... <CRM-NAME4> arguments are available at the time of tunnel establishment.
  Note: In case of L2TPv3 tunnel termination, all incoming tunnel establishment requests are rejected if the critical resources specified by the <CRM-NAME1> ... <CRM-NAME4> arguments are not available.

• use l2tpv3-policy <L2TPV3-POLICY-NAME>

use l2tpv3-policy <L2TPV3-POLICY-NAME> – Associates a specified L2TPv3 policy with this tunnel
  • <L2TPV3-POLICY-NAME> – Specify the policy name (should be existing and configured).

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#use l2tpv3-policy L2TPV3Policy1
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
 l2tpv3 tunnel Tunnel1
  peer 2 hostname tunnel1peer1 udp port 100
  use l2tpv3-policy L2TPV3Policy1
  session tunnel1peer1session1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1
  router-id 2000
  establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no – Removes the L2TPv3 policy configured with a tunnel and reverts to the default tunnel policy


![L2TPV3-POLICY, CLI Reference Guide page 22 - 34](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-830.png)

22.3.1 local-cookie

l2tpv3-manual-session-commands

Configures the local cookie field size for the manual session

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

local-cookie size [4|8] <1-4294967295> {<1-4294967295>}

Parameters

• local-cookie size [4|8] <1-4294967295> {<1-4294967295>}

local-cookie size [4|8] – Configures the local cookie field size for this manual session. The options are:
  • 4 – 4 byte local cookie field
  • 8 – 8 byte local cookie field

<1-4294967295> – Configures the local cookie value first word. Applies to both the 4 byte and 8 byte local cookies

<1-4294967295> – Optional – Configures the local cookie value second word. Applicable to only 8 byte cookies. This parameter is ignored for 4 byte cookies.

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#local-cookie size 8 200 300
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-cookie size 8 200 300
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

Related Commands

no – Removes the local cookie size configured for a manual session



![L2TPV3-POLICY, CLI Reference Guide page 22 - 38](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-834.png)

22.3.5 no

l2tpv3-manual-session-commands

Negates or reverts L2TPv3 manual session settings to default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [local-cookie|local-ip-address|local-session-id|mtu|peer|remote-cookie|remote-session-id|traffic-source]

Parameters

• no <PARAMETERS>

no <PARAMETERS> – Negates or reverts L2TPv3 manual session settings to default

Example

The following example shows the manual session ‘test’ settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-ip-address 1.2.3.4
  peer ip-address 5.6.7.8 udp port 150
  traffic-source vlan 50-60 native-vlan 2
  local-session-id 1
  remote-session-id 200
  remote-cookie size 8 400 700
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#no local-ip-address
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#no local-session-id
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#no remote-session-id

The following example shows the manual session ‘test’ settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  peer ip-address 5.6.7.8 udp port 150
  traffic-source vlan 50-60 native-vlan 2
  remote-cookie size 8 400 700
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

![L2TPV3-POLICY, CLI Reference Guide page 22 - 40](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-836.png)

22.3.7 remote-cookie

l2tpv3-manual-session-commands

Configures the manual session’s remote cookie field size

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

remote-cookie size [4|8] <1-4294967295> {<1-4294967295>}

Parameters

• remote-cookie size [4|8] <1-4294967295> {<1-4294967295>}

remote-cookie size [4|8] – Configures the remote cookie field size for this manual session. The options are:
  • 4 – 4 byte remote cookie field
  • 8 – 8 byte remote cookie field

<1-4294967295> – Configures the remote cookie value first word. Applies to both the 4 byte and 8 byte local cookies

<1-4294967295> – Optional – Configures the remote cookie value second word. Applicable to only 8 byte cookies. This parameter is ignored for 4 byte cookies.

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#remote-cookie size 8 400 700
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
 l2tpv3 manual-session test
  local-ip-address 1.2.3.4
  peer ip-address 5.6.7.8 udp port 150
  mtu 200
  local-session-id 1
  remote-cookie size 8 400 700
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

Related Commands

no – Removes the manual session’s remote cookie field size
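How the cookie check described under cookie-size, local-cookie and remote-cookie behaves on receive, as an added Python example that is not code from the guide or from WiNG. It assumes the RFC 3931 L2TPv3-over-IP data header (a 32-bit session ID followed by the cookie) and assumes the two configured words are packed big-endian, first word first; the function names are hypothetical, and the guide does not say which of the two cookies a device checks on receive.

```python
import hmac
import struct

WORD_MAX = 4294967295  # upper bound of each cookie word in the CLI syntax


def cookie_bytes(size, first_word, second_word=None):
    """Build the cookie set by `local-cookie size` / `remote-cookie size`.

    Assumption: words are packed big-endian, first word first. As in the
    guide, the second word is ignored for a 4 byte cookie; this example
    requires it for an 8 byte cookie.
    """
    if size not in (4, 8):
        raise ValueError("cookie size must be 4 or 8")
    words = [first_word] if size == 4 else [first_word, second_word]
    for word in words:
        if not isinstance(word, int) or not 1 <= word <= WORD_MAX:
            raise ValueError("cookie words must be integers from 1 to 4294967295")
    return struct.pack("!%dI" % len(words), *words)


def build_data_packet(session_id, cookie, frame):
    """Sender side: session ID, then the cookie, then the tunnelled frame."""
    return struct.pack("!I", session_id) + cookie + frame


def accept_data_packet(packet, sessions):
    """Receiver side: return the tunnelled frame, or None when the packet is dropped.

    `sessions` maps a session ID to the cookie expected for that session;
    b"" models cookie-size 0, where no cookie field is present.
    """
    if len(packet) < 4:
        return None
    (session_id,) = struct.unpack("!I", packet[:4])
    expected = sessions.get(session_id)
    if session_id == 0 or expected is None:
        return None  # ID 0 is reserved for control messages; unknown IDs are dropped
    end = 4 + len(expected)
    if len(packet) < end:
        return None  # too short to hold the expected cookie
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(packet[4:end], expected):
        return None  # cookie mismatch: the data is dropped
    return packet[end:]


def demo():
    """Run four constructed packets through the receive check."""
    # Sample values reuse the guide's manual-session example:
    # remote-session-id 200, remote-cookie size 8 400 700.
    cookie = cookie_bytes(8, 400, 700)
    sessions = {200: cookie, 1: b""}  # session 1 models cookie-size 0
    frame = b"constructed-layer-2-frame"

    def outcome(packet):
        return "accepted" if accept_data_packet(packet, sessions) == frame else "dropped"

    matching = build_data_packet(200, cookie, frame)
    return {
        "matching cookie": outcome(matching),
        "wrong cookie": outcome(build_data_packet(200, cookie_bytes(8, 400, 701), frame)),
        "truncated": outcome(matching[:9]),
        "cookie-size 0": outcome(build_data_packet(1, b"", frame)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With cookie-size 0 the only check left is the 32-bit session ID, and a cookie travels unencrypted in every data packet, so it complements `ipsec-secure` rather than replacing it.
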





![ROUTER-MODE COMMANDS, CLI Reference Guide page 23 - 4](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-842.png)

23.1.1.1 area

area

Configures OSPF network areas (OSPF enables interfaces)

An OSPF network can be subdivided into routing areas to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network by the connecting router. Areas are identified by 32-bit IDs, expressed either in decimal, or octet-based dot-decimal notation. Areas can be defined as: stub area, totally-stub, non-stub, nssa, totally nssa. Each of these area types is discussed further in the area-type section of this chapter.

At least one default area, bearing number ‘0’, should be configured for every OSPF network. In case of multiple areas, the default area 0 forms the backbone of the network. The default area 0 is used as a link to the other areas. Each area has its own link-state database.

A router running OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and list of neighbors. OSPF is savvy with layer 2 topologies. If on a point-to-point link, OSPF knows it is sufficient, and the link stays up. If on a broadcast link, the router waits for election before determining if the link is functional.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000

Syntax

area [<0-4294967295>|<IP>]

Parameters

• area [<0-4294967295>|<IP>]

area – Defines an OSPF area

<0-4294967295> – Defines an OSPF area in the form of a 32 bit integer
  • <0-4294967295> – Specify the value from 0 - 4294967295.

<IP> – Defines an OSPF area in the form of an IP address
  • <IP> – Specify the IP address.

Example

rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#area 4 ?
rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)#?
Router OSPF Area Mode commands:
  area-type       OSPF area type
  authentication  Authentication scheme for OSPF area
  no              Negate a command or set its defaults
  range           Routes matching this range are considered for summarization (ABR only)
  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  do              Run commands from Exec mode
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode


![ROUTER-MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 23 - 723.1.1.2.1 area-typeOSPF-area-modeConfigures a particular OSPF area type as STUB, Totally STUB, NSSA or Totally NSSA Areas can be defined as:• stub area - Is an area that does not receive route advertisements external to the autonomous system (AS), and routing from within the area is based entirely on a default route.• totally-stub - Is an area that does not allow summary routes and external routes. A default route is the only way to route traffic outside of the area. When there is only one route out of the area, fewer routing decisions are needed, lowering system resource utilization.• non-stub - Is an area that imports autonomous system external routes and forwards them to other areas. However, it still cannot receive external routes from other areas.• nssa - A Not-So-Stubby Area (NSSA) is an extension of a stub that allows the injection of limited external routes into a stub area. If selecting NSSA, no external routes, except a default route, enter the area.• totally-nssa - Is an NSSA into which type 3 and 4 summary routes are not flooded. 
It is also possible to declare an area both totally stubby and not-so-stubby, which means that the area will receive only the default route from area 0.0.0.0, but can also contain an Autonomous System Boundary Router (ASBR) that accepts external routing information and injects it into the local area, and from the local area into area 0.0.0.0.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000Syntaxarea-type [nssa|stub]area-type nssa {default-cost|no-summary|translate-always|translate-candidate|translate-never}area-type nssa {default-cost <0-16777215> {no-summary}|no-summary {default-cost <0-16777215>}}area-type nssa {translate-always|translate-candidate|translate-never} {(default-cost <0-16777215>|no-summary)}area-type stub {default-cost <0-16777215> {no-summary}|no-summary {default-cost <0-16777215>}}Parameters• area-type [nssa|stub]{default-cost|no-summary|translate-always|translate-candidate|translate-never}area-type Configures a particular OSPF area type as STUB, Totally STUB, NSSA or Totally NSSAnssa Configures the OSPF area as NSSAstub Configures the OSPF area as Stubby Area (STUB)default-cost <0-16777215>Specifies the default summary cost that will be advertised, if the OSPF area is a STUB or NSSA• <0-16777215> – Specify the default summary cost value from 0 - 16777215.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-845.png)

![ROUTER-MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 23 - 923.1.1.2.2 authenticationOSPF-area-modeSpecifies an authentication scheme used for an OSPF area used with the OSPF dynamic routeSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000Syntaxauthentication [message-digest|simple-password]Parameters• authentication [message-digest|simple-password]Usage GuidelinesOSPF packet authentication enables routers to use predefined passwords and participate within a routing domain. The two authentication modes are:• MD-5 – MD-5 authentication is a cryptographic authentication mode, where every router has a key (password) and key-id configured on it. This key and key-id together form the message digest that is appended to the OSPF packet.• Simple Password – Simple password authentication allows a password (key) to be configured per area. Routers in the same area and participating in the routing domain have to be configured with the same key.Examplerfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#authentication simple-passwordrfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context area 0.0.0.1 authentication simple-password area-type stub default-cost 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#Related Commandsmessage-digest Configures the message-digest (MD-5) authentication schemesimple-password Configures the simple password authentication schemeno Removes the authentication scheme](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-847.png)
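The area-level authentication schemes above can be checked offline from saved `show context` output. The following auditor is an added example, not code from the WiNG guide or from Extreme Networks. The sample text is constructed, its indentation is an assumption (the guide's own copy is flattened), and interface-level `ip ospf authentication` settings are not examined.

```python
import ipaddress

# Constructed sample shaped like the guide's "show context" output. The
# indentation is an assumption; the guide's own copy is flattened onto one line.
SAMPLE_CONTEXT = """\
router ospf
 ospf enable
 network 1.2.3.0/24 area 4.5.6.7
 network 172.16.10.0/24 area 1
 area 0.0.0.1
  authentication simple-password
  area-type stub default-cost 1
 area 0.0.0.4
  authentication message-digest
 passive vlan1
"""


def normalize_area(area_id):
    """Dotted form of an area ID given as <0-4294967295> or <IP> (4 -> 0.0.0.4)."""
    if area_id.isdigit():
        return str(ipaddress.IPv4Address(int(area_id)))
    return str(ipaddress.IPv4Address(area_id))


def parse_ospf_context(text):
    """Return (networks, areas): [(prefix, area)] and {area: scheme or None}."""
    networks, areas = [], {}
    current, area_indent = None, 0
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if words[0] == "area" and len(words) == 2:
            # Start of an area block; remember its indent to find its children.
            current, area_indent = normalize_area(words[1]), indent
            areas.setdefault(current, None)
        elif current is not None and indent > area_indent:
            if words[0] == "authentication" and len(words) == 2:
                areas[current] = words[1]
        else:
            current = None
            if len(words) == 4 and words[0] == "network" and words[2] == "area":
                networks.append((words[1], normalize_area(words[3])))
    return networks, areas


def audit_area_authentication(text):
    """List (area, finding, detail) for areas without message-digest at area level."""
    networks, areas = parse_ospf_context(text)
    findings = []
    for area in sorted(areas, key=ipaddress.IPv4Address):
        scheme = areas[area]
        if scheme == "simple-password":
            findings.append((area, "simple-password",
                             "shared key is carried unencrypted in every OSPF packet"))
        elif scheme != "message-digest":
            findings.append((area, "no-area-authentication",
                             "area block has no authentication line"))
    for prefix, area in networks:
        if area not in areas:
            findings.append((area, "no-area-authentication",
                             "network %s points at an area with no area block" % prefix))
    return findings


if __name__ == "__main__":
    for area, finding, detail in audit_area_authentication(SAMPLE_CONTEXT):
        print("area %-10s %-24s %s" % (area, finding, detail))
```

Area IDs are normalized first because the CLI accepts `area 4` and stores it as `0.0.0.4`, so a string comparison between a `network ... area 1` line and an `area 0.0.0.1` block would otherwise miss the match.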

![ROUTER-MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 23 - 1123.1.1.2.4 noOSPF-area-modeNegates a command or set its defaultsSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000Syntaxno [area-type|authentication|range]Parameters• no <PARAMETERS>Usage GuidelinesThe no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated. ExampleThe following example shows the OSPF router settings before the ‘no’ commands are executed:rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context area 0.0.0.1 authentication simple-password range 172.16.10.0/24 area-type stub default-cost 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#no authenticationrfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#no range 172.16.10.0/24The following example shows the OSPF router settings after the ‘no’ commands are executed:rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context area 0.0.0.1 area-type stub default-cost 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#no <PARAMETERS> Negates a command or set its defaults](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-849.png)

![ROUTER-MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 23 - 1323.1.3 default-informationrouter-modeControls the distribution of default route information. Use the default-information > originate command to advertise a default route in the routing table.This option is disabled by default. When enabled, the default route becomes a distributed route.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000Syntaxdefault-information originate {always|metric|metric-type}default-information originate {always|metric <0-16777214>|metric-type [1|2]} {(metric <0-16777214>|metric-type [1|2])}Parameters• default-information originate {always|metric <0-16777214>|metric-type [1|2]} {(metric <0-16777214>|metric-type [1|2])}Examplerfs6000-37FABE(config-profile default-rfs7000-router-ospf)#default-information originate metric-type 2 metric 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context router ospf area 0.0.0.4 auto-cost reference-bandwidth 1 default-information originate metric 1 metric-type 2rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#Related Commandsoriginate Originates default route information. Enabling this feature makes the default route a distributed route. This option is disabled by default.always Optional. Always distributes default route information (will continue to advertise default route information even if that information has been removed from the routing table for some reason). This option is disabled by default.metric <0-16777214> This is a recursive parameter and can be optionally configured along with the metric-type option.• metric <0-16777214> – Optional. 
Specifies OSPF metric value for redistributed routes (this value is used to generate the default route)• <0-16777214> – Specify a value from 0 - 16777214.metric-type [1|2] This is a recursive parameter and can be optionally configured along with the metric option.• metric-type [1|2] – Optional. Sets OSPF exterior metric type for redistributed routes (this information is advertised with the OSPF routing domain)• 1 – Sets OSPF external type 1 metrics• 2 – Sets OSPF external type 2 metricsno Disables advertising of default route information available in the routing table](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-851.png)

![ROUTER-MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 23 - 1523.1.5 networkrouter-modeAssigns networks to specified areas (defines the OSPF interfaces and their associated area IDs)Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000Syntaxnetwork <IP/M> area [<0-4294967295>|<IP>]Parameters• network <IP/M> area [<0-4294967295>|<IP>]Examplerfs6000-37FABE(config-profile default-rfs7000-router-ospf)#network 1.2.3.0/24 area 4.5.6.7rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context router ospf network 1.2.3.0/24 area 4.5.6.7 area 0.0.0.4 auto-cost reference-bandwidth 1 default-information originate metric 1 metric-type 2 ip default-gateway priority 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#Related Commands<IP/M> Specifies an OSPF network address/mask value. Defines networks (IP addresses and mask) participating in OSPF.area [<0-4294967295>|<IP>]Specifies an OSPF area, associated with the OSPF address range, in one of the following formats:• <0-4294967295> – Specifies a 32 bit OSPF area ID from 0 - 4294967295• <IP> – Defines an OSPF area ID in the form of an IPv4 addressno Removes the OSPF network to area ID association](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-853.png)

![ROUTER-MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 23 - 1723.1.7 passiverouter-modeConfigures specified OSPF interface as passive. This option is disabled by default.A passive interface receives routing updates, but does not transmit them.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000Syntaxpassive [<WORD>|all|vlan <1-4094>]Parameters• passive [<WORD>|all|vlan <1-4094>]Examplerfs6000-37FABE(config-profile default-rfs7000-router-ospf)#passive vlan 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context router ospf ospf enable network 1.2.3.0/24 area 4.5.6.7 area 0.0.0.4 auto-cost reference-bandwidth 1 default-information originate metric 1 metric-type 2 passive vlan1 ip default-gateway priority 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#Related Commands<WORD> Enables the OSPF passive mode on the interface specified by the <WORD> parameterall Enables the OSPF passive mode on all the L3 interfacesvlan <1-4094> Enables the OSPF passive mode on the specified VLAN interface• <1-4094> – Specify the VLAN interface ID from 1 - 4094.no Disables the OSPF passive mode on a specified interface](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-855.png)
![ROUTER-MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 23 - 1823.1.8 redistributerouter-modeSpecifies the route types redistributed by OSPFSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000Syntaxredistribute [bgp|connected|kernel|static] {metric <0-16777214>|metric-type [1|2]}Parameters• redistribute [connected|kernel|static] {metric <0-16777214>|metric-type [1|2]}Examplerfs6000-37FABE(config-profile default-rfs7000-router-ospf)#redistribute static metric-type 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context router ospf ospf enable network 1.2.3.0/24 area 4.5.6.7 area 0.0.0.4 auto-cost reference-bandwidth 1 default-information originate metric 1 metric-type 2 redistribute static metric-type 1 passive vlan1 ip default-gateway priority 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#Related Commandsbgp Redistributes all BGP routes by OSPFconnected Redistributes all connected interface routes by OSPFkernel Redistributes all routes that are neither connected, static, dynamic, nor bgpstatic Redistributes static routes by OSPFmetric <0-16777214> The following keywords are common to the ‘bgp’, ‘connected’, ‘kernel’, and ‘static’ parameters:• metric <0-16777214> – Optional. Specifies the OSPF metric value for redistributed routes. • <0-16777214> – Specify a value from 0 - 16777214.metric-type [1|2] The following keywords are common to the ‘connected’, ‘kernel’, and ‘static’ parameters:• metric-type [1|2] – Optional. Sets the OSPF exterior metric type for redistributed routes• 1 – Sets the OSPF external type 1 metrics• 2 – Sets the OSPF external type 2 metricsno Removes the OSPF redistribution of various route types](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-856.png)
![ROUTER-MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 23 - 1923.1.9 route-limitrouter-modeLimits the number of routes managed by OSPF. The maximum limit supported by the platform is the default configuration defined under the router-ospf context.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000Syntaxroute-limit [num-routes|reset-time|retry-count|retry-timeout]route-limit [num-routes <DYNAMIC-ROUTE-LIMIT>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>] {(num-routes|reset-time|retry-count|retry-timeout)}Parameters• route-limit [num-routes <DYNAMIC-ROUTE-LIMIT>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>] {(num-routes|reset-time|retry-count|retry-timeout)}Examplerfs6000-37FABE(config-profile default-rfs7000-router-ospf)#route-limit num-routes 10 retry-count 5 retry-timeout 60 reset-time 10rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context router ospf ospf enable network 1.2.3.0/24 area 4.5.6.7 area 0.0.0.4 auto-cost reference-bandwidth 1 default-information originate metric 1 metric-type 2 redistribute static metric-type 1 passive vlan1 route-limit num-routes 10 retry-count 5 retry-timeout 60 reset-time 10 ip default-gateway priority 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#num-routes <DYNAMIC-ROUTE-LIMIT>Specifies the maximum number of non self-generated LSAs this process can receive• <DYNAMIC-ROUTE-LIMIT> – Specify the dynamic route limit.reset-time <1-86400> Specifies the time, in seconds, after which the retry-count is reset to zero<1-86400> – Specify a value from 1 - 86400 seconds. The default is 360 seconds.retry-count <1-32> Specifies the maximum number of times adjacencies can be suppressed. Each time OSPF gets into an ignore state, a counter increments. 
If the counter exceeds the value configured by the retry-count parameter, OSPF stays in the same ignore state. Manual intervention is required to get OSPF out of the ignore state. • <1-32> – Specify a value from 1 - 32. The default is 5.retry-timeout <1-3600> Specifies the retry time in seconds. During this time, OSPF remains in ignore state and all adjacencies are suppressed.• <1-3600> – Specify a value from 1 - 3600 seconds. The default is 60 seconds.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-857.png)


![ROUTER-MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 23 - 2223.1.11 norouter-modeNegates a command or reverts settings to their defaultSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000Syntaxno [area|auto-cost|default-information|ip|network|ospf|passive|redistribute|route-limit|router-id]Parameters• no <PARAMETERS>Usage GuidelinesThe no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.ExampleThe following example shows the OSPF router interface settings before the ‘no’ commands are executed:rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context router ospf network 1.2.3.0/24 area 4.5.6.7 area 0.0.0.4 auto-cost reference-bandwidth 1 default-information originate metric 1 metric-type 2 redistribute static metric-type 1 passive vlan1 route-limit num-routes 10 reset-time 10 ip default-gateway priority 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#no area 4rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#no auto-cost reference-bandwidthrfs6000-37FABE(config-profile default-rfs7000-router-ospf)#no network 1.2.3.0/24 area 4.5.6.7The following example shows the OSPF router interface settings after the ‘no’ commands are executed:rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context router ospf default-information originate metric 1 metric-type 2 redistribute static metric-type 1 passive vlan1 route-limit num-routes 10 reset-time 10 ip default-gateway priority 1rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#no <PARAMETERS> Negates a command or set its 
defaults](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-860.png)








![ROUTING-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 24 - 924.1.4.1 default-next-hoproute-map-modeSets the default next hop for packets satisfying match criteria If a packet, subjected to PBR, does not have an explicit route to the destination, the configured default next hop is used. This value is set as either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined. The difference between the next hop and the default next-hop is: in case of the former, PBR occurs first, then destination-based routing. In case of the latter, the order is reversed. Use this command to set either the default next hop IP address or define either a WWAN1, PPPoE1, or VLAN interface.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxdefault-next-hop [<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1]Parameters• default-next-hop [<IP>|<ROUTER-IF-NAME>|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|pppoe1|vlan <1-4094>|wwan1]Examplerfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#default-next-hop wwan1rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context route-map 1 default-next-hop wwan1rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#Related Commandsdefault-next-hop Sets the next hop router to which packets are sent in case the next hop is not the adjacent router<IP> Specifies next hop router’s IP address<ROUTER-IF-NAME> Specifies the outgoing interface name (router interface)pppoe1 Specifies the PPPoE interfaceserial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>Specifies the serial interface’s slot, port, and channel group IDsvlan <1-4094> 
Specifies a VLAN interface ID • <1-4094> – Specify a value from 1 - 4094.wwan1 Specifies the WAN interfaceno Removes default next hop router settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-869.png)


![ROUTING-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 24 - 1224.1.4.4 matchroute-map-modeSets the match clausesEach route map entry has a set of match clauses used to segregate and filter packets. Packets can be segregated using any one of the following criteria:•IP Access List - A typical IP ACL can be used for routing traffic. The mark and log actions in ACL rules however are neglected. Route-map entries have separate logging. Only one ACL can be configured per route map entry.ACL rules configured under route map entries merge to create a single ACL. Route map precedence values determine the prioritization of the rules in this merged ACL. An IP DSCP value is also added to the ACL rules.-IP DSCP - Packet filtering can be performed by traffic class, as determined from the IP Differentiated Services Code Point (DSCP) field. One DSCP value can be configured per route map entry. If IP ACLs on a WLAN, ports or SVI mark packets, the new/marked DSCP value is used for matching.-Incoming WLAN - Packets can be filtered on the basis of the incoming WLAN. Depending on whether the receiving device has an onboard radio or not, the following two scenarios are possible:•Device with an onboard radio: If a device having an onboard radio and capable of PBR receives a packet on a local WLAN, this WLAN is used for selection.•Device without an onboard radio: If a device, without an onboard radio, capable of PBR receives a packet from an extended VLAN, it passes the WLAN information in the MiNT packet to the PBR router. The PBR router uses this information as match criteria.-Client role - The client role can be used as match criteria, similar to a WLAN. Each device has to agree on a unique identifier for role definition and pass the same MINT tunneled packets.-Incoming SVI - A source IP address qualifier in an ACL typically satisfies filter requirements. 
But if the source host (where the packet originates) is multiple hops away, the incoming SVI can be used as match criteria. In this context the SVI refers to the device interface performing PBR, and not to the source device.The action taken for filtered packets is determined by the mark (action) clauses. If no action is defined, the default is to fallback to destination-based routing for packets satisfying the match criteria. For more information on configuring mark clauses, see mark. And for more information on fallback action, see fallback.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxmatch [incoming-interface|ip|ip-access-list|wireless-client-role|wlan]match incoming-interface [<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1]match ip dscp <0-63>](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-872.png)
![ROUTING-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 24 - 13match ip-access-list <IP-ACCESS-LIST-NAME>match wireless-client-role <ROLE-POLICY-NAME> <ROLE-NAME>match wlan <WLAN-NAME>Parameters• match incoming-interface [<ROUTER-IF-NAME>|pppoe1|serial<SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1]• match ip dscp <0-63>• match ip-access-list <IP-ACCESS-LIST-NAME>• match wireless-client-role <ROLE-POLICY-NAME> <ROLE-NAME>• match wlan <WLAN-NAME>incoming-interface Sets the incoming SVI match clause. Specify an interface name.<ROUTER-IF-NAME> Specifies the layer 3 interface name (route interface)pppoe1 Specifies the PPP over Ethernet interfaceserial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>Specifies the serial interface’s slot, port, and channel group IDs.vlan <1-4094> Specifies the VLAN interface ID• <1-4094> – Specify a VLAN ID from 1 - 4094.wwan1 Specifies the WAN interface nameip dscp <0-63> Sets the DSCP match clause• <0-63> – Specify a value from 0 - 63. The defined DSCP value is used as a matching clause for this route map.ip-access-list <IP-ACCESS-LIST-NAME>Sets the match clause using a pre-configured IP access list• <IP-ACCESS-LIST-NAME> – Specify a pre-configured IP access list name.wireless-client-role <ROLE-POLICY-NAME> <ROLE-NAME>Sets the wireless client role match clause• <ROLE-POLICY-NAME> – Specify a pre-configured role policy.• <ROLE-NAME> – Specify a pre-configured role within it.wlan <WLAN-NAME> Sets the incoming WLAN match clause• <WLAN-NAME> – Specify a WLAN name.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-873.png)

![ROUTING-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 24 - 1524.1.4.5 next-hoproute-map-modeSets the next hop for packets satisfying match criteria This command allows you to configure the primary and secondary hop priority requests. Define the primary and secondary hop settings. When defined, the primary hop resource is used with no additional considerations whenever it is available.Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxnext-hop [<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwlan1] {<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwlan1}Parameters• next-hop [<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwlan1] {<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwlan1}next-hop Sets the next hop (primary and secondary) for packets satisfying match criteria It is not mandatory to define the secondary hop interface. The secondary hop is used in case the primary hop is unavailable.<IP> Specifies the primary and secondary next hop router’s IP address<WORD> Specifies the layer 3 Interface name (router interface)pppoe1 Specifies the PPP over Ethernet interfaceserial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>Specifies the serial interface’s slot, port, and channel group IDs.vlan <1-4094> Specifies the VLAN interface ID• <1-4094> – Specify a VLAN ID from 1 - 4094. The VLAN interface should be a DHCP client.wwan1 Specifies the WAN interface](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-875.png)
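The ordering difference between `next-hop` and `default-next-hop` decides which link a matched packet leaves on, so it is worth modelling before a policy is reviewed. The model below is an added example, not WiNG code. It assumes that "explicit route" means any route other than 0.0.0.0/0 and that fallback to destination-based routing is permitted; the routing table, the reachability set and the dict layout are constructed, with the route map mirroring the guide's route-map 1.

```python
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")

# Constructed inputs. ROUTE_MAP_1 mirrors the guide's route-map 1
# (next-hop vlan1, default-next-hop wwan1); the dict layout is hypothetical.
ROUTE_MAP_1 = {"next_hop": ["vlan1"], "default_next_hop": "wwan1"}
ROUTING_TABLE = {"10.1.0.0/16": "vlan20", "0.0.0.0/0": "pppoe1"}


def explicit_route(dst, table):
    """Longest-prefix match that ignores the default route; egress or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in table.items():
        net = ipaddress.ip_network(prefix)
        if net == DEFAULT_ROUTE or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, egress)
    return best[1] if best else None


def select_egress(dst, route_map, table, reachable):
    """Return (reason, egress) for a packet that matched the route map."""
    # 1. next-hop: PBR is applied first. The primary hop is used whenever it
    #    is available, the secondary only when the primary is not.
    for hop in route_map.get("next_hop", []):
        if hop in reachable:
            return ("next-hop", hop)
    # 2. Destination-based routing on an explicit (non-default) route.
    egress = explicit_route(dst, table)
    if egress is not None:
        return ("destination-route", egress)
    # 3. default-next-hop: consulted only after the routing table had no
    #    explicit route, which is the reversed order the guide describes.
    hop = route_map.get("default_next_hop")
    if hop is not None and hop in reachable:
        return ("default-next-hop", hop)
    # 4. Nothing in the route map applied: use the table's default route.
    if "0.0.0.0/0" in table:
        return ("default-route", table["0.0.0.0/0"])
    return ("no-route", None)


if __name__ == "__main__":
    cases = [
        ("10.1.2.3", ROUTE_MAP_1, {"vlan1", "wwan1"}),
        ("10.1.2.3", ROUTE_MAP_1, {"wwan1"}),
        ("203.0.113.9", ROUTE_MAP_1, {"wwan1"}),
        ("203.0.113.9", {}, {"wwan1"}),  # after 'no next-hop' and 'no default-next-hop'
    ]
    for dst, rmap, up in cases:
        print(dst, sorted(up), select_egress(dst, rmap, ROUTING_TABLE, up))
```

The third case is the one to look for in a review: with `vlan1` down and no explicit route, matched traffic leaves on `wwan1` rather than on the routing table's default route.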

![ROUTING-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 24 - 1724.1.4.6 noroute-map-modeNegates a command or sets its defaultsSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxno [default-next-hop|fallback|mark|match|next-hop]Parameters• no <PARAMETERS>Usage GuidelinesThe no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.ExampleThe following example shows the route-map ‘1’ settings before the ‘no’ commands are executed:rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context route-map 1 match incoming-interface pppoe1 next-hop vlan1 default-next-hop wwan1 mark ip dscp 7rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#no default-next-hoprfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#no next-hopThe following example shows the route-map ‘1’ settings after the ‘no’ commands are executed:rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context route-map 1 match incoming-interface pppoe1 mark ip dscp 7rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#no <PARAMETERS> Negates a command or set its defaults](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-877.png)

![ROUTING-POLICYAccess Point, Wireless Controller and Service Platform CLI Reference Guide 24 - 1924.1.6 norouting-policy-commandsNegates a command or sets its defaultsSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxno [apply-to-local-packets|logging|route-map|use]Parameters• no <PARAMETERS>Usage GuidelinesThe no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated. ExampleThe following example shows the routing policy ‘testpolicy’ settings before the ‘no’ commands are executed:rfs6000-37FABE(config-routing-policy-testpolicy)#show contextrouting-policy testpolicy logging route-map 1 match incoming-interface pppoe1 default-next-hop wwan1 mark ip dscp 7rfs6000-37FABE(config-routing-policy-testpolicy)#rfs6000-37FABE(config-routing-policy-testpolicy)#no loggingrfs6000-37FABE(config-routing-policy-testpolicy)#no route-map 1rfs6000-37FABE(config-routing-policy-testpolicy)#no apply-to-local-packetsThe following example shows the routing policy ‘testpolicy’ settings after the ‘no’ commands are executed:rfs6000-37FABE(config-routing-policy-testpolicy)#show contextrouting-policy testpolicy no apply-to-local-packetsrfs6000-37FABE(config-routing-policy-testpolicy)#no <PARAMETERS> Negates a command or set its defaults](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-879.png)


![AAA-TACACS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 25 - 3](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-882.png)

25.1.1 accounting

aaa-tacacs-policy

Configures the server type and interval at which interim accounting updates are sent to the server. Up to 2 accounting servers can be configured.

This feature tracks user activities on the network, and provides information such as resources used and usage time. This information can be used for audit and billing purposes.

TACACS accounting tracks user activity and is useful for security audit purposes.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
accounting [access-method|auth-fail|commands|server|session]
accounting access-method [all|console|ssh|telnet] {(console|ssh|telnet)}
accounting [auth-fail|commands|session]
accounting server [<1-2>|preference]
accounting server preference [authenticated-server-host|authenticated-server-number|authorized-server-host|authorized-server-number|none]
accounting server <1-2> [host|retry-timeout-factor <50-200>|timeout]
accounting server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
accounting server <1-2> timeout <3-5> {attempts <1-3>}
```

Parameters

- `accounting access-method [all|console|ssh|telnet] {(console|ssh|telnet)}`
  - `access-method` – Configures TACACS accounting access mode. The options are: console, SSH, Telnet, and all.
  - `all` – Configures TACACS accounting for all access modes
  - `console` – Configures TACACS accounting for console access only
  - `ssh` – Configures TACACS accounting for SSH access only
  - `telnet` – Configures TACACS accounting for Telnet access only
- `accounting [auth-fail|commands|session]`
  - `auth-fail` – Enables accounting for authentication fail details. This option is disabled by default.
  - `commands` – Enables accounting of commands executed. This option is disabled by default.
  - `session` – Enables accounting for session start and stop details. This option is disabled by default.

![AAA-TACACS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 25 - 4](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-883.png)

- `accounting server preference [authenticated-server-host|authenticated-server-number|authorized-server-host|authorized-server-number|none]`
  - `server` – Configures a TACACS accounting server
  - `preference` – Configures the accounting server preference (specifies the method of selecting a server, from the pool, to send the request)
  - `authenticated-server-host` – Sets the authentication server as the accounting server. This is the default setting. This parameter indicates the same server is used for authentication and accounting. The server is referred to by its hostname.
  - `authenticated-server-number` – Sets the authentication server as the accounting server. This parameter indicates the same server is used for authentication and accounting. The server is referred to by its index or number.
  - `authorized-server-host` – Sets the authorization server as the accounting server. This parameter indicates the same server is used for authorization and accounting. The server is referred to by its hostname.
  - `authorized-server-number` – Sets the authorized server as the accounting server. This parameter indicates the same server is used for authorization and accounting. The server is referred to by its index number.
  - `none` – Indicates the accounting server is independent of the authentication and authorization servers
- `accounting server <1-2> retry-timeout-factor <50-200>`
  - `server <1-2>` – Configures an accounting server. Up to 2 accounting servers can be configured
  - `retry-timeout-factor <50-200>` – Sets the scaling factor for retry timeouts
    - `<50-200>` – Specify a value from 50 - 200. The default is 100. A value of 100 indicates the time gap between two consecutive retries remains the same irrespective of the number of retries. A value less than 100 indicates the time gap between two consecutive retries reduces with each successive retry. A value greater than 100 indicates the time gap between two consecutive retries increases with each successive retry.
- `accounting server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}`
  - `server <1-2>` – Configures an accounting server. Up to 2 accounting servers can be configured
  - `host <IP/HOSTNAME>` – Configures the accounting server’s IP address or hostname
  - `secret [0 <SECRET>|2 <SECRET>|<SECRET>]` – Optional. Configures a common secret key used to authenticate with the accounting server
    - `0 <SECRET>` – Configures a clear text secret key
    - `2 <SECRET>` – Configures an encrypted secret key
    - `<SECRET>` – Specify the secret key. This shared secret should not exceed 127 characters.
  - `port <1-65535>` – Optional. Configures the accounting server port (the port used to connect to the accounting server)
    - `<1-65535>` – Specify the TCP accounting port number from 1 - 65535. The default port is 49.

![AAA-TACACS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 25 - 6](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-885.png)

25.1.2 authentication

aaa-tacacs-policy

Configures user authentication parameters. Users are allowed or denied access to the network based on the authentication parameters set.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
authentication [access-method|directed-request|server|service]
authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet|web)}
authentication directed-request
authentication server <1-2> [host|retry-timeout-factor|timeout]
authentication server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
authentication server <1-2> retry-timeout-factor <50-200>
authentication server <1-2> timeout <3-60> {attempts <1-10>}
authentication service <SERVICE-NAME> {protocol <AUTHENTICATION-PROTO-NAME>}
```

Parameters

- `authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet)}`
  - `access-method` – Configures access modes for TACACS authentication. The options are: console, SSH, Telnet, Web, and all.
  - `all` – Authenticates users using all access modes (console, SSH, and Telnet)
  - `console` – Authenticates users using console access only
  - `ssh` – Authenticates users using SSH access only
  - `telnet` – Authenticates users using Telnet access only
  - `web` – Authenticates users using Web interface only
- `authentication directed-request`
  - `directed-request` – Enables user to specify TACACS server to use with `@server`. This option is disabled by default. The specified server should be present in the configured servers list.
- `authentication server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}`
  - `server <1-2>` – Configures a TACACS authentication server. Up to 2 TACACS servers can be configured
    - `<1-2>` – Specify the TACACS server index from 1 - 2.

![AAA-TACACS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 25 - 7](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-886.png)

  - `host <IP/HOSTNAME>` – Sets the TACACS server’s IP address or hostname
  - `secret [0 <SECRET>|2 <SECRET>|<SECRET>]` – Configures the secret key used to authenticate with the TACACS server
    - `0 <SECRET>` – Configures a clear text secret
    - `2 <SECRET>` – Configures an encrypted secret
    - `<SECRET>` – Specify the secret key. The shared key should not exceed 127 characters.
  - `port <1-65535>` – Optional. Specifies the port used to connect to the TACACS server
    - `<1-65535>` – Specify a value for the TCP authentication port from 1 - 65535. The default port is 49.
- `authentication server <1-2> retry-timeout-factor <50-200>`
  - `server <1-2>` – Configures a TACACS authentication server. Up to 2 TACACS servers can be configured
    - `<1-2>` – Specify the TACACS server index from 1 - 2.
  - `retry-timeout-factor <50-200>` – Configures timeout scaling between two consecutive TACACS authentication retries
    - `<50-200>` – Specify the scaling factor from 50 - 200. The default is 100. A value of 100 indicates the interval between consecutive retries remains the same irrespective of the number of retries. A value less than 100 indicates the interval between consecutive retries reduces with each successive retry. A value greater than 100 indicates the interval between consecutive retries increases with each successive retry.
- `authentication server <1-2> timeout <3-60> {attempts <1-10>}`
  - `server <1-2>` – Configures a TACACS authentication server. Up to 2 TACACS servers can be configured
    - `<1-2>` – Specify the TACACS server index from 1 - 2.
  - `timeout <3-60>` – Configures the timeout, in seconds, for each request sent to the TACACS server. This is the time allowed to elapse before another request is sent to the TACACS server. If a response is received from the TACACS server within this time, no retry is attempted.
    - `<3-60>` – Specify a value from 3 - 60 seconds. The default is 3 seconds.
  - `attempts <1-10>` – Optional. Indicates the number of retry attempts to make before giving up
    - `<1-10>` – Specify a value from 1 - 10. The default is 3.
- `authentication service <SERVICE-NAME> {protocol <AUTHENTICATION-PROTO-NAME>}`
  - `service <SERVICE-NAME>` – Configures the TACACS authentication service name
  - `protocol <AUTHENTICATION-PROTO-NAME>` – Optional. Specify the authentication protocol used with this TACACS policy. A maximum of five entries is allowed.

![AAA-TACACS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 25 - 9](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-888.png)

25.1.3 authorization

aaa-tacacs-policy

Configures authorization parameters

This feature allows network administrators to limit user accessibility and configure varying levels of accessibility for different users.

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
authorization [access-method|allow-privileged-commands|server]
authorization access-method [all|console|telnet|ssh] {(console|ssh|telnet)}
authorization server [<1-2>|preference]
authorization server <1-2> [host|retry-timeout-factor|timeout]
authorization server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
authorization server <1-2> retry-timeout-factor <50-200>
authorization server <1-2> timeout <3-5> {attempts <1-3>}
authorization server preference [authenticated-server-host|authenticated-server-number|none]
```

Parameters

- `authorization access-method [all|console|telnet|ssh] {(console|ssh|telnet)}`
  - `access-method` – Configures the access method for command authorization
  - `all` – Authorizes commands from all access methods
  - `console` – Authorizes commands from the console only
  - `telnet` – Authorizes commands from Telnet only
  - `ssh` – Authorizes commands from SSH only
  - `{console|ssh|telnet}` – Optional. Configures more than one access method for command authorization
- `authorization allow-privileged-commands`
  - `allow-privileged-commands` – Allows privileged commands execution without command authorization. This option is disabled by default.
- `authorization server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}`
  - `server <1-2>` – Configures a TACACS authorization server. Up to 2 TACACS servers can be configured
    - `<1-2>` – Specify the TACACS server index from 1 - 2.

![AAA-TACACS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 25 - 10](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-889.png)

  - `host <IP/HOSTNAME>` – Sets the TACACS server’s IP address or hostname
  - `secret [0 <SECRET>|2 <SECRET>|<SECRET>]` – Optional. Configures the secret used to authorize with the TACACS server
    - `0 <SECRET>` – Configures a clear text secret
    - `2 <SECRET>` – Configures an encrypted secret
    - `<SECRET>` – Specify the secret key. The shared key should not exceed 127 characters.
  - `port <1-65535>` – Optional. Specifies the port used to connect to the TACACS server
    - `<1-65535>` – Specify a value for the TCP authorization port from 1 - 65535. The default port is 49.
- `authorization server <1-2> retry-timeout-factor <50-200>`
  - `server <1-2>` – Configures a TACACS authorization server. Up to 2 TACACS servers can be configured
    - `<1-2>` – Specify the TACACS server index from 1 - 2.
  - `retry-timeout-factor <50-200>` – Configures the scaling of timeouts between consecutive TACACS authorization retries
    - `<50-200>` – Specify the scaling factor from 50 - 200. The default is 100. A value of 100 indicates the interval between consecutive retries remains the same irrespective of the number of retries. A value less than 100 indicates the interval between consecutive retries reduces with each successive retry. A value greater than 100 indicates the interval between consecutive retries increases with each successive retry.
- `authorization server <1-2> timeout <3-5> {attempts <1-3>}`
  - `server <1-2>` – Configures a TACACS authorization server. Up to 2 TACACS servers can be configured
    - `<1-2>` – Specify the TACACS server’s index from 1 - 2.
  - `timeout <3-5>` – Configures the timeout, in seconds, for each request sent to the TACACS server. This is the time allowed to elapse before another request is sent to the TACACS server. If a response is received from the TACACS server within this time, no retry is attempted.
    - `<3-5>` – Specify a value from 3 - 5 seconds. The default is 3 seconds.
  - `attempts <1-3>` – Optional. Indicates the number of retry attempts to make before giving up
    - `<1-3>` – Specify a value from 1 - 3. The default is 3.
- `authorization server preference [authenticated-server-host|authenticated-server-number|none]`
  - `preference` – Configures the authorization server preference
  - `authenticated-server-host` – Sets the authentication server as the authorization server. This parameter indicates the same server is used for authentication and authorization. The server is referred to by its hostname.

![AAA-TACACS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 25 - 12](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-891.png)

25.1.4 no

aaa-tacacs-policy

Negates a AAA TACACS policy command or sets its default

Supported in the following platforms:

- Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers — RFS4000, RFS6000
- Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [accounting|authentication|authorization]
```

Parameters

- `no <PARAMETERS>` – Provide the parameters needed to reset or disable the desired AAA-TACACS policy setting.

Example

The following example shows the AAA-TACACS policy ‘test’ settings before the ‘no’ commands are executed:

```
rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 authentication directed-request
 accounting server preference authorized-server-number
 authorization allow-privileged-commands
 accounting auth-fail
 accounting commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#
rfs6000-37FABE(config-aaa-tacacs-policy-test)#no authentication directed-request
rfs6000-37FABE(config-aaa-tacacs-policy-test)#no accounting auth-fail
rfs6000-37FABE(config-aaa-tacacs-policy-test)#no authorization allow-privileged-commands
```

The following example shows the AAA-TACACS policy ‘test’ settings after the ‘no’ commands are executed:

```
rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 accounting server preference authorized-server-number
 accounting commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#
```

Related Commands

- `accounting` – Configures TACACS accounting parameters
- `authentication` – Configures TACACS authentication parameters
- `authorization` – Configures TACACS authorization parameters
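
The settings documented in sections 25.1.1 to 25.1.4 can be reviewed mechanically from `show context` output. The following is an added example, not part of the reference guide or the WiNG software: the function names and finding labels are hypothetical, the first two inputs are the two `show context` outputs from the example above, and the third is a constructed sample that follows the `server <1-2> host` syntax on the page.

```python
import re

# Device prompt lines such as "rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context".
PROMPT = re.compile(r"^\S+\(config[^)]*\)#")
# "<role> server <1-2> host <IP/HOSTNAME> secret <0|2> ..." per the syntax on the page.
SERVER_SECRET = re.compile(
    r"^(accounting|authentication|authorization) server ([12]) host \S+ secret ([02]) "
)
# Accounting options the page documents as disabled by default.
ACCOUNTING_OPTIONS = ("auth-fail", "commands", "session")


def policy_settings(show_context):
    """Return the setting lines of one aaa-tacacs-policy, without prompts or header."""
    settings = []
    for raw in show_context.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line) or line.startswith("aaa-tacacs-policy "):
            continue
        settings.append(line)
    return settings


def audit_tacacs_policy(show_context):
    """Return (finding_id, explanation) pairs for settings a reviewer should look at."""
    settings = policy_settings(show_context)
    findings = []
    if "authorization allow-privileged-commands" in settings:
        findings.append(("allow-privileged-commands",
                         "privileged commands execute without command authorization"))
    if "authentication directed-request" in settings:
        findings.append(("directed-request",
                         "users can choose the TACACS server with @server"))
    for option in ACCOUNTING_OPTIONS:
        if "accounting " + option not in settings:
            findings.append(("accounting-%s-off" % option,
                             "no '%s' accounting records are sent" % option))
    for line in settings:
        match = SERVER_SECRET.match(line)
        if match and match.group(3) == "0":
            findings.append(("clear-text-secret",
                             "%s server %s keeps its shared secret in form 0 (clear text)"
                             % (match.group(1), match.group(2))))
    return findings


def finding_ids(show_context):
    """Finding labels only, in the order they were raised."""
    return [finding_id for finding_id, _ in audit_tacacs_policy(show_context)]


# 'show context' before the 'no' commands, as printed on the page.
BEFORE = """\
rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 authentication directed-request
 accounting server preference authorized-server-number
 authorization allow-privileged-commands
 accounting auth-fail
 accounting commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#
"""

# 'show context' after the 'no' commands, as printed on the page.
AFTER = """\
rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 accounting server preference authorized-server-number
 accounting commands
rfs6000-37FABE(config-aaa-tacacs-policy-test)#
"""

# Constructed sample (not from the page): full accounting, but a form-0 server secret.
CONSTRUCTED = """\
aaa-tacacs-policy example
 authentication server 1 host 192.0.2.10 secret 0 constructed-secret port 49
 accounting auth-fail
 accounting commands
 accounting session
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("constructed", CONSTRUCTED)):
        print(name)
        for finding_id, why in audit_tacacs_policy(text):
            print("  %-28s %s" % (finding_id, why))
```

Because `show context` lists only settings that differ from their defaults, an absent `accounting` line is read here as that option being off.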



![MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 4](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-895.png)

26.1.1 allowed-vlans

meshpoint-config-instance

Defines VLANs allowed to pass traffic on the mesh network. Use this command to add and remove VLANs from the list of allowed VLANs.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
allowed-vlans [<VLAN-ID>|add <VLAN-ID>|remove <VLAN-ID>]
```

Parameters

- `allowed-vlans [<VLAN-ID>|add <VLAN-ID>|remove <VLAN-ID>]`
  - `allowed-vlans` – Defines VLANs allowed access on the mesh network
  - `<VLAN-ID>` – The VLAN ID or the range of IDs to be managed. A single VLAN or multiple VLANs can be added to the list of allowed VLANs. When adding multiple VLANs, specify the range (for example, 10-20, 25, 30-35). Use this command to create a VLAN list on a new meshpoint.
  - `add <VLAN-ID>` – Adds a single VLAN or a range of VLANs to the list of allowed VLANs. To specify a range of VLANs, specify the first and last VLAN ID in the range separated by a hyphen (for example, 1-10).
    - `<VLAN-ID>` – Specify the VLAN ID or the range of IDs to add.
  - `remove <VLAN-ID>` – Removes a single VLAN or a range of VLANs from the list of allowed VLANs
    - `<VLAN-ID>` – Specify the VLAN ID or the range of IDs to remove.

Example

```
rfs6000-37FABE(config-meshpoint-test)#allowed-vlans 1
rfs6000-37FABE(config-meshpoint-test)#allowed-vlans add 10-23
rfs6000-37FABE(config-meshpoint-test)#allowed-vlans remove 17
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 security-mode none
 no root
rfs6000-37FABE(config-meshpoint-test)#
```

Related Commands

- `no` – Clears the list of VLANs allowed access to the mesh network

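
The list arithmetic in the example above (`allowed-vlans 1`, `add 10-23`, `remove 17` giving `1,10-16,18-23`) can be replayed offline to check which VLANs a change set will let onto the mesh. This is an added example, not code from the guide or the device: the function names are hypothetical, the 1 - 4094 bound is borrowed from the `control-vlan` range as an assumption, and treating the bare `allowed-vlans <VLAN-ID>` form as replacing the list is also an assumption.

```python
def parse_vlan_list(spec):
    """Expand a list such as '1,10-16,18-23' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        low, dash, high = part.partition("-")
        if dash and not high:
            raise ValueError("incomplete VLAN range: %r" % part)
        first, last = int(low), int(high or low)
        # Assumption: same 1 - 4094 bound the page gives for control-vlan.
        if not 1 <= first <= last <= 4094:
            raise ValueError("VLAN range out of bounds: %r" % part)
        vlans.update(range(first, last + 1))
    return vlans


def format_vlan_list(vlans):
    """Collapse a set of VLAN IDs into the compact form shown by 'show context'."""
    ordered = sorted(vlans)
    parts = []
    start = 0
    while start < len(ordered):
        end = start
        while end + 1 < len(ordered) and ordered[end + 1] == ordered[end] + 1:
            end += 1
        if start == end:
            parts.append(str(ordered[start]))
        else:
            parts.append("%d-%d" % (ordered[start], ordered[end]))
        start = end + 1
    return ",".join(parts)


def apply_allowed_vlans(current, command):
    """Return the allowed-VLAN set after one meshpoint command is applied."""
    words = command.split()
    if words == ["no", "allowed-vlans"]:
        return set()  # the page: 'no' clears the list
    if len(words) < 2 or words[0] != "allowed-vlans":
        raise ValueError("not an allowed-vlans command: %r" % command)
    if words[1] == "add":
        return current | parse_vlan_list("".join(words[2:]))
    if words[1] == "remove":
        return current - parse_vlan_list("".join(words[2:]))
    # Assumption: the bare form creates (replaces) the list.
    return parse_vlan_list("".join(words[1:]))


def replay(commands):
    """Apply commands in order and return the resulting list in compact form."""
    allowed = set()
    for command in commands:
        allowed = apply_allowed_vlans(allowed, command)
    return format_vlan_list(allowed)


def vlans_outside_policy(allowed, approved_spec):
    """VLANs that are allowed on the mesh but missing from an approved list."""
    return format_vlan_list(allowed - parse_vlan_list(approved_spec))


# The three commands from the page's example.
PAGE_COMMANDS = [
    "allowed-vlans 1",
    "allowed-vlans add 10-23",
    "allowed-vlans remove 17",
]

if __name__ == "__main__":
    result = replay(PAGE_COMMANDS)
    print("allowed-vlans", result)
    # Constructed approved list, for illustration only.
    print("not approved:", vlans_outside_policy(parse_vlan_list(result), "1,10-16"))
```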
![MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 5](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-896.png)

26.1.2 beacon-format

meshpoint-config-instance

Configures the beacon transmission format for this meshpoint. Beacons are transmitted periodically to advertise that a wireless network is available. A beacon contains all the required information for a device to connect to the network.

The beacon format advertises how a mesh capable AP7161 acts. APs can act either as an access point or a meshpoint.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
beacon-format [access-point|mesh-point]
```

Parameters

- `beacon-format [access-point|mesh-point]`
  - `beacon-format` – Configures how a mesh capable AP71XX acts in a mesh network
  - `access-point` – Uses access point style beacons
  - `mesh-point` – Uses meshpoint style beacons (this is the default setting)

Example

```
rfs6000-37FABE(config-meshpoint-test)#beacon-format mesh-point
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 security-mode none
 no root
rfs6000-37FABE(config-meshpoint-test)#
```

Related Commands

- `no` – Resets the beacon format for this meshpoint to its default (mesh-point)

![MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 6](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-897.png)

26.1.3 control-vlan

meshpoint-config-instance

Configures a VLAN as the dedicated control VLAN

Mesh management traffic can be sent over a dedicated VLAN. This dedicated VLAN is known as the control VLAN, and should be configured in the backhaul port of all the access points configured as meshpoint roots. Once configured, the control VLAN enables communication between the meshpoint’s root APs.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]
```

Parameters

- `control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]`
  - `control-vlan` – Configures a VLAN as a dedicated carrier of mesh management traffic
  - `[<1-4094>|<VLAN-ALIAS-NAME>]` – Configures the control VLAN
    - `<1-4094>` – Specify the control VLAN from 1 - 4094. The default is VLAN 1.
    - `<VLAN-ALIAS-NAME>` – Uses a vlan-alias to specify the control VLAN. If using a vlan-alias, ensure that it exists and is configured.

    If VLAN 1 is configured as the control VLAN, ensure that the VLAN is configured in the wired port of all access points belonging to the same meshpoint.

    Note: The control VLAN need not necessarily be added to the allowed VLAN list.

Example

```
rfs6000-37FABE(config-meshpoint-test)#control-vlan 1
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 security-mode none
 no root
rfs6000-37FABE(config-meshpoint-test)#
```

Related Commands

- `no` – Resets the control VLAN for this meshpoint to its default of 1

![MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 7](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-898.png)

26.1.4 data-rates

meshpoint-config-instance

Configures individual data rates for the 2.4 GHz and 5.0 GHz frequency bands. In a mesh network, a mesh point is a virtual mesh networking instance on a device, similar to a WLAN AP. On each device, up to 4 mesh points can be created and 2 can be created per radio. Each mesh point radio can have carefully administered radio rates specific to the 2.4 or 5 GHz band. Use this command to configure these radio rates.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
data-rates [2.4GHz|5GHz]
data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn]
data-rates 2.4GHz custom (1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)
data-rates 5GHz [a-only|an|default]
data-rates 5GHz custom (12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)
```

Parameters

NOTE: Ensure that the basic data rates configured on a meshpoint’s root and non-root access points are the same.

- `data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn]`
  - `data-rates 2.4GHz` – Configures preset data rates for the 2.4 GHz frequency.
  - `b-only` – Configures data rate for the meshpoint using 802.11b only rates.
  - `bg` – Configures data rate for the meshpoint using 802.11b and 802.11g rates.
  - `default` – Configures data rate for the meshpoint at a pre-configured default rate for this frequency.
  - `g-only` – Configures data rate for the meshpoint using 802.11g only rates.
  - `gn` – Configures data rate for the meshpoint using 802.11g and 802.11n rates.
- `data-rates 2.4GHz custom (1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)`
  - `data-rates 2.4GHz` – Configures the preset data rates for the 2.4 GHz frequency. Define both minimum Basic and optimal Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band. Contd..

![MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 8](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-899.png)

These are the rates at which wireless client traffic is supported within this mesh point. If supporting 802.11n, select a supported MCS index.

Set a Modulation and Coding Scheme (MCS) in respect to the radio's channel width and guard interval. A MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types.

Meshpoints can communicate as long as they support the same basic MCS (as well as non-802.11n basic rates). The selected rates apply to associated client traffic within this mesh point only.

- `custom (1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)` – Configures custom rates
  - `1` – Configures the available rate at 1 Mbps
  - `2` – Configures the available rate at 2 Mbps
  - `5.5` – Configures the available rate at 5.5 Mbps
  - `6` – Configures the available rate at 6 Mbps
  - `9` – Configures the available rate at 9 Mbps
  - `11` – Configures the available rate at 11 Mbps
  - `12` – Configures the available rate at 12 Mbps
  - `18` – Configures the available rate at 18 Mbps
  - `24` – Configures the available rate at 24 Mbps
  - `36` – Configures the available rate at 36 Mbps
  - `48` – Configures the available rate at 48 Mbps
  - `54` – Configures the available rate at 54 Mbps
  - `basic-1` – Configures the available rate at a basic rate of 1 Mbps
  - `basic-2` – Configures the available rate at a basic rate of 2 Mbps
  - `basic-5.5` – Configures the available rate at a basic rate of 5.5 Mbps
  - `basic-6` – Configures the available rate at a basic rate of 6 Mbps
  - `basic-9` – Configures the available rate at a basic rate of 9 Mbps
  - `basic-11` – Configures the available rate at a basic rate of 11 Mbps
  - `basic-12` – Configures the available rate at a basic rate of 12 Mbps
  - `basic-18` – Configures the available rate at a basic rate of 18 Mbps
  - `basic-24` – Configures the available rate at a basic rate of 24 Mbps
  - `basic-36` – Configures the available rate at a basic rate of 36 Mbps
  - `basic-48` – Configures the available rate at a basic rate of 48 Mbps
  - `basic-54` – Configures the available rate at a basic rate of 54 Mbps
  - `basic-mcs0-7` – Configures the MCS index range of 0 - 7 for basic rate
  - `mcs0-7` – Configures the MCS index range of 0-7 as the data rate
  - `mcs0-15` – Configures the MCS index range of 0-15 as the data rate
  - `mcs8-15` – Configures the MCS index range of 8-15 as the data rate

  Multiple choices can be made from the above list of rates.

- `data-rates 5GHz [a-only|an|default]`
  - `data-rates 5GHz` – Configures the preset data rates for the 5.0 GHz frequency
  - `a-only` – Configures the data rate for the meshpoint using 802.11a only rates
  - `an` – Configures the data rate for the meshpoint using 802.11a and 802.11n rates






![MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 15](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-906.png)

26.1.9 no

meshpoint-config-instance

Negates meshpoint commands or resets their values to default

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [allowed-vlans|beacon-format|control-vlan|description|force|meshid|root|security-mode|shutdown]
no data-rates [2.4GHz|5GHz]
no force peer-paths-through-root
no neighbor inactivity-timeout
no use [aaa-policy|meshpoint-qos-policy]
no wpa2 [eap|key-rotation|psk]
no wpa2 eap [auth-type|identity|peap-mschapv2|tls trustpoint]
no wpa2 key-rotation [broadcast|unicast]
no wpa2 psk
no service allow-ht-only
```

Parameters

- `no <PARAMETERS>` – Removes or reverts this meshpoint's settings to default based on the parameters passed

Example

```
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 shutdown
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode psk
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
 root
rfs6000-37FABE(config-meshpoint-test)#
rfs6000-37FABE(config-meshpoint-test)#no allowed-vlans
rfs6000-37FABE(config-meshpoint-test)#no beacon-format
rfs6000-37FABE(config-meshpoint-test)#no control-vlan
rfs6000-37FABE(config-meshpoint-test)#no description
rfs6000-37FABE(config-meshpoint-test)#no meshid
rfs6000-37FABE(config-meshpoint-test)#no root
rfs6000-37FABE(config-meshpoint-test)#no security-mode
```



![MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 19](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-910.png)

26.1.11 security-mode

meshpoint-config-instance

Configures the security mode for this meshpoint

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
security-mode [eap|none|psk]
```

Parameters

- `security-mode [eap|none|psk]`
  - `security-mode` – Configures the security mode for this meshpoint
  - `eap` – Uses 802.1X/EAP as the security mode. When using this option, use the wpa2 command to specify the EAP authentication type and related parameters.
  - `none` – No security is configured for this meshpoint
  - `psk` – Uses Pre Shared Key (PSK) as the security mode. When using this option, use the wpa2 command to enter a 64 character HEX or an 8-63 ASCII character passphrase used for authentication on the mesh point.

Example

The following example shows root meshpoint configuration with PSK authentication enabled:

```
rfs6000-37FABE(config-meshpoint-test)#security-mode psk
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode psk
 root
rfs6000-37FABE(config-meshpoint-test)#
```

The following example shows root meshpoint configuration with EAP authentication enabled:

```
rfs6000-37FABE(config-meshpoint-root)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 use aaa-policy test
 security-mode eap
 root
rfs6000-37FABE(config-meshpoint-test)#
```

Related Commands

- `no` – Resets the security configuration for this meshpoint to “none”. This indicates that no security is configured for this meshpoint.

![MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 20](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-911.png)

26.1.12 service

meshpoint-config-instance

Use this command to allow only those neighbors who are capable of 802.11n data rates to associate with this meshpoint.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
service [allow-ht-only|show cli]
```

Parameters

- `service [allow-ht-only|show cli]`
  - `service allow-ht-only` – Allows only those neighbors who are capable of high throughput data rates (802.11n data rates) to associate with the meshpoint
  - `service show cli` – Displays running system configuration

Example

```
rfs6000-37FABE(config-meshpoint-test)#service allow-ht-only
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 shutdown
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode psk
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 wpa2 key-rotation broadcast 600
 root
 service allow-ht-only
rfs6000-37FABE(config-meshpoint-test)#
```

Related Commands

- `no` – Removes the restriction that only 802.11n capable neighbor devices can associate with this meshpoint
- `service` – Invokes service commands to troubleshoot or debug

![MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 22](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-913.png)

26.1.14 use

meshpoint-config-instance

Uses a Quality of Service (QoS) policy defined specifically for meshpoints. To use this QoS policy, it must be defined. To define a meshpoint QoS policy, see meshpoint-qos-policy-config-instance.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
use [aaa-policy <AAA-POLICY-NAME>|meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>]
```

Parameters

- `use [aaa-policy <AAA-POLICY-NAME>|meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>]`
  - `use meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>` – Configures this meshpoint to use a predefined meshpoint QoS policy
    - `<MESHPOINT-QOS-POLICY-NAME>` – Specify the meshpoint QoS policy name (it must already exist and be configured).
  - `use aaa-policy <AAA-POLICY-NAME>` – Configures this meshpoint to use a predefined aaa-policy
    - `<AAA-POLICY-NAME>` – Specify the aaa-policy name (it must already exist and be configured).

Example

```
rfs6000-37FABE(config-meshpoint-test)#use meshpoint-qos-policy test
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
 shutdown
 beacon-format mesh-point
 control-vlan 1
 allowed-vlans 1,10-16,18-23
 neighbor inactivity-timeout 300
 data-rates 2.4GHz bgn
 data-rates 5GHz an
 security-mode psk
 root
 use meshpoint-qos-policy test
rfs6000-37FABE(config-meshpoint-test)#
```

Related Commands

- `no` – Removes the meshpoint QoS policy associated with this meshpoint
- `meshpoint-qos-policy-config-instance` – Creates and configures a meshpoint QoS policy

![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 23](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-914.png)

26.1.15 wpa2

meshpoint-config-instance

Use this command to configure the parameters of the authentication mode specified using the ‘security-mode’ keyword. This command also allows you to set a unicast and broadcast key rotation interval.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
wpa2 [eap|psk|key-rotation]
wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa2 psk [0 <SECRET>|2 <SECRET>|<SECRET>]
wpa2 eap [auth-type|identity|peap-mschapv2|tls]
wpa2 eap [auth-type [peap-mschapv2|tls]|identity <WORD>]
wpa2 eap peap-mschapv2 user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] {trustpoint <TRUSTPOINT-NAME>}
wpa2 eap tls trustpoint <TRUSTPOINT-NAME>
```

Parameters

- wpa2 key-rotation [broadcast|unicast] <30-86400>
- wpa2 psk [0 <SECRET>|2 <SECRET>|<SECRET>]

wpa2 key-rotation – Enables periodic rotation of encryption keys used for broadcast and unicast traffic

broadcast – Configures key rotation interval for broadcast and multicast traffic. This option is disabled by default. When enabled, the key indices used for encrypting/decrypting broadcast traffic are alternately rotated based on the defined interval. Key rotation enhances the broadcast traffic security on the WLAN.

unicast – Configures key rotation interval for unicast traffic. This option is disabled by default.

<30-86400> – Configures key rotation interval from 30 - 86400 seconds for unicast or broadcast transmission

wpa2 psk – Configures the shared key for authentication mode PSK. If the security mode is set as ‘psk’ using the ‘security-mode’ keyword, use this command to configure the pre-shared key.

secret [0 <SECRET>|2 <SECRET>|<SECRET>] – Configures the PSK used to authenticate this meshpoint with other meshpoints in the network

- 0 <SECRET> – Configures a clear text secret
- 2 <SECRET> – Configures an encrypted secret
- <SECRET> – Specify the secret key. The pre-shared key can be in ASCII (8 to 63 characters in length) or Hexadecimal (not exceeding 64 characters in length) formats.
![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 24](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-915.png)

- wpa2 eap [auth-type [peap-mschapv2|tls]|identity <WORD>]
- wpa2 eap peap-mschapv2 user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] {trustpoint <TRUSTPOINT-NAME>}
- wpa2 eap tls trustpoint <TRUSTPOINT-NAME>

wpa2 eap – Configures the 802.1X/EAP based authentication type for this meshpoint. If the security mode is set as ‘eap’ using the ‘security-mode’ keyword, use this command to specify the EAP type. The options are: peap-mschapv2 and tls.

auth-type [peap-mschapv2|tls] – Specifies the EAP authentication type. The options are:

- peap-mschapv2 – Configures EAP authentication type as Protected Extensible Authentication Protocol (PEAP) with default auth type MSCHAPv2. This is the default setting. If using auth-type as ‘peap-mschapv2’, use the ‘peap-mschapv2’ keyword to configure user credentials and trustpoint details.
- tls – Configures EAP authentication type as Transport Layer Security (TLS). If using auth-type as ‘tls’, use the ‘tls’ keyword to configure trustpoint details.

Note: The certificate should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the authentication server prior to forwarding credentials.

identity <WORD> – Configures identity to be used during phase1 authentication

- <WORD> – Enter a string up to 256 characters in length (this should not be the actual identity of the user but some anonymous/bogus username)

wpa2 eap peap-mschapv2 – Configures PEAP-related user credentials and trustpoint details

user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>] – Specify the user credentials used for authentication

- user <USER-NAME> – Specify the user name.
- password [0 <WORD>|2 <WORD>|<WORD>] – Specify the password associated with the specified user.

trustpoint <TRUSTPOINT-NAME> – Optional. Associates a trustpoint used for installing CA certificate and verifying server certificate

- <TRUSTPOINT-NAME> – Specify the trustpoint name (should be existing and configured).

wpa2 eap tls – Configures TLS client related parameters

trustpoint <TRUSTPOINT-NAME> – Configures trustpoint details

- trustpoint <TRUSTPOINT-NAME> – Assigns a trustpoint to be used for installing TLS client certificate, client private key, and CA certificate
  - <TRUSTPOINT-NAME> – Specify the trustpoint name (should be existing and configured)

Example

```
rfs6000-37FABE(config-meshpoint-test)#wpa2 key-rotation broadcast 600
rfs6000-37FABE(config-meshpoint-test)#wpa2 key-rotation unicast 1200
rfs6000-37FABE(config-meshpoint-test)#wpa2 psk Test Company
rfs6000-37FABE(config-meshpoint-test)#show context
meshpoint test
 description "This is an example of a meshpoint description"
 meshid TestingMeshPoint
```
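The wpa2 parameters above can be checked mechanically in a saved `show context` dump. The following is an added example, not code from the guide or from Extreme Networks: it applies the documented secret types (0 clear text, 2 encrypted), the PSK format rule, the 30 - 86400 second rotation range and the anonymous-identity advice. The sample configurations are constructed, and the finding names and function names are hypothetical.

```python
import re
import string

# Constructed samples in the layout of the guide's "show context" output.
SAMPLE_PSK = """\
meshpoint test
 meshid TestingMeshPoint
 security-mode psk
 wpa2 psk 0 Test Company
 wpa2 key-rotation unicast 1200
 root
"""
SAMPLE_EAP = """\
meshpoint backhaul
 meshid Backhaul
 security-mode eap
 wpa2 eap auth-type peap-mschapv2
 wpa2 eap identity meshuser
 wpa2 eap peap-mschapv2 user meshuser password 0 Winter2018
"""

PEAP = re.compile(r"wpa2 eap peap-mschapv2 user (\S+) password (.+?)(?: trustpoint (\S+))?$")
ROTATION = re.compile(r"wpa2 key-rotation (broadcast|unicast) (\d+)$")


def split_secret(text):
    """Split '[0|2] <SECRET>' into (type, secret). An untyped secret is clear text,
    as in the guide's example where 'wpa2 psk Test Company' is stored as type 0."""
    m = re.match(r"([02])\s+(.+)", text)
    return (m.group(1), m.group(2)) if m else ("0", text)


def psk_format_ok(secret):
    """Format rule stated in the guide: ASCII 8-63 characters, or hexadecimal
    not exceeding 64 characters."""
    if secret.isascii() and 8 <= len(secret) <= 63:
        return True
    return 0 < len(secret) <= 64 and set(secret) <= set(string.hexdigits)


def first(lines, prefix):
    """Return the remainder of the first line starting with prefix, else None."""
    return next((ln[len(prefix):] for ln in lines if ln.startswith(prefix)), None)


def audit_meshpoint(context):
    """Return a list of finding ids (hypothetical names) for one meshpoint block."""
    lines = [ln.strip() for ln in context.splitlines() if ln.strip()]
    findings = []
    mode = first(lines, "security-mode ")
    if mode not in ("psk", "eap"):
        return ["security-mode-not-psk-or-eap"]

    # Key rotation is disabled by default; valid intervals are 30-86400 seconds.
    rotation = {m.group(1): int(m.group(2)) for m in map(ROTATION.match, lines) if m}
    for kind in ("unicast", "broadcast"):
        if kind not in rotation:
            findings.append(f"{kind}-rotation-disabled")
        elif not 30 <= rotation[kind] <= 86400:
            findings.append(f"{kind}-rotation-out-of-range")

    if mode == "psk":
        psk = first(lines, "wpa2 psk ")
        if psk is None:
            findings.append("psk-missing")
        else:
            kind, secret = split_secret(psk)
            if kind == "0":  # type 2 secrets are encrypted and cannot be inspected
                findings.append("psk-clear-text")
                if not psk_format_ok(secret):
                    findings.append("psk-bad-format")
    else:
        # peap-mschapv2 is the default auth-type when none is configured.
        auth = first(lines, "wpa2 eap auth-type ") or "peap-mschapv2"
        if auth == "tls":
            if first(lines, "wpa2 eap tls trustpoint ") is None:
                findings.append("eap-tls-no-trustpoint")
        else:
            peap = next((m for m in map(PEAP.match, lines) if m), None)
            if peap is None:
                findings.append("eap-peap-credentials-missing")
            else:
                user, password, trustpoint = peap.groups()
                if split_secret(password)[0] == "0":
                    findings.append("eap-password-clear-text")
                if trustpoint is None:  # no trustpoint to verify the server certificate
                    findings.append("eap-no-trustpoint")
                if first(lines, "wpa2 eap identity ") == user:
                    findings.append("eap-identity-exposes-user")
    return findings


if __name__ == "__main__":
    for name, sample in (("psk", SAMPLE_PSK), ("eap", SAMPLE_EAP)):
        print(name, audit_meshpoint(sample))
```

A type 2 secret is reported as neither clear text nor malformed, because its encrypted form says nothing about the underlying passphrase.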


![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 27](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-918.png)

26.2.1 accelerated-multicast

meshpoint-qos-policy-config-instance

Configures the accelerated multicast stream’s address and forwarding QoS classification

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
accelerated-multicast [<MULTICAST-IP>|autodetect] {classification [background|best-effort|trust|video|voice]}
```

Parameters

- accelerated-multicast [<MULTICAST-IP>|autodetect] {classification [background|best-effort|trust|video|voice]}

NOTE: For the accelerated multicast feature to work, IGMP querier must be enabled. When a user joins a multicast stream, an entry is created in the device’s (AP or wireless controller) snoop table and the entry is set to expire after a set time period. Multicast packets are forwarded to the appropriate wireless LAN or mesh until this entry is available in the snoop table. Snoop querier keeps the snoop table current by updating entries that are set to expire. It also keeps an entry for each multicast stream till there are users registered for the stream.

accelerated-multicast – Configures the accelerated multicast stream address and forwarding QoS classification

<MULTICAST-IP> – Specify a list of multicast addresses and classifications. Packets are accelerated when the destination address matches.

autodetect – Lets the system automatically detect multicast streams to be accelerated. This option allows the administrator to convert multicast packets to unicast in order to provide better overall airtime utilization and performance. The system can be configured to automatically detect multicast streams and convert them to unicast, or specify which multicast streams are to be converted to unicast. When the stream is converted and being queued up for transmission, there are a number of classification mechanisms applied to the stream and the administrator can select what type of classification they would want. Classification types are trust, voice, video, best effort, and background.

classification – Optional. Defines the QoS classification to apply to a multicast stream. The following options are available:

- background
- best effort
- trust
- video
- voice

![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 29](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-920.png)

26.2.2 no

meshpoint-qos-policy-config-instance

Negates the commands for meshpoint QoS policy or resets their values to their default

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
no [accelerated-multicast|rate-limit]
no accelerated-multicast [<MULTICAST-IP>|autodetect]
no rate-limit [meshpoint|neighbor] [from-air|to-air] {max-burst-size|rate}
no rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background|best-effort|video|voice]}
```

Parameters

- no <PARAMETERS>

no <PARAMETERS> – Removes or reverts this meshpoint QoS policy settings to default based on the parameters passed

Example

```
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 rate-limit meshpoint from-air rate 80000
 rate-limit meshpoint from-air red-threshold video 80
 rate-limit meshpoint from-air red-threshold voice 70
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#no rate-limit meshpoint from-air rate
rfs6000-37FABE(config-meshpoint-qos-test)#no rate-limit meshpoint from-air red-threshold video 80
rfs6000-37FABE(config-meshpoint-qos-test)#no rate-limit meshpoint from-air red-threshold voice 70
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#
```
![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 30](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-921.png)

26.2.3 rate-limit

meshpoint-qos-policy-config-instance

Configures the rate limiting of traffic on a per meshpoint or per neighbor basis

Excessive traffic can cause performance issues or bring down the network entirely. Excessive traffic, bombardments and interference are caused by numerous sources, such as network loops, faulty devices, or malicious software (such as a worm or virus) that has infected one or more branch-level devices. Rate limiting limits the maximum rate sent to or received from the wireless network (and meshpoint) per neighbor. It prevents any single user from overwhelming the wireless network. It also provides differential service for service providers. An administrator can set separate QoS rate limit configurations for data transmitted from the network and data transmitted from a mesh point's neighbor.

Before defining rate limit thresholds for meshpoint transmit and receive traffic, it is recommended that you define the normal number of ARP, broadcast, multicast, and unknown unicast packets that typically transmit and receive from each supported WMM access category. If thresholds are defined too low, normal network traffic (required by end-user devices) is dropped, resulting in intermittent outages and performance problems.

A connected neighbor can also have QoS rate limit settings defined in both the transmit and receive direction.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
- Wireless Controllers — RFS6000
- Service Platforms — NX6524, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

```
rate-limit [meshpoint|neighbor]
rate-limit [meshpoint|neighbor] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}
rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}
```

Parameters

- rate-limit [meshpoint|neighbor] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}

meshpoint – Configures rate limit parameters for all data received from any meshpoint in the mesh network. This option is disabled by default.

neighbor – Configures rate limit parameters for neighboring meshpoint devices. Enables rate limiting for data transmitted from the client to its associated access point radio and connected controller. This option is disabled by default.

from-air – Configures rate limits for traffic from the wireless neighbor to the network.

to-air – Configures rate limits for traffic from the network to the wireless neighbor.
![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 31](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-922.png)

max-burst-size <2-1024> – Optional. Configures the maximum burst size in kilobytes.

- <2-1024> – Set a value from 2 - 1024 kbytes.

For a meshpoint: The smaller the burst, the less likely that the transmit packet transmission results in congestion for the meshpoint's client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should then add a 10% margin (minimally) to allow for traffic bursts at the site. The default burst size is 320 kbytes.

For a neighbor: The smaller the burst, the less likely the transmit packet transmission will result in congestion for the wireless client. The default burst size is 64 kbytes.

rate <50-1000000> – Optional. Defines a receive or transmit rate limit in kilobytes per second

- <50-1000000> – Set a value from 50 - 1000000 kbps.

For a meshpoint: This limit constitutes a threshold for the maximum number of packets transmitted or received over the meshpoint (from all access categories). Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps.

For a neighbor: This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic that exceeds the defined rate is dropped by the client and a log message is generated. The default rate is 1,000 kbps.

- rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

meshpoint – Configures rate limit parameters for a meshpoint

neighbor – Configures rate limit parameters for neighboring meshpoint devices

from-air – Configures rate limits for traffic from the wireless neighbor to the network

to-air – Configures rate limit value for traffic from the network to the wireless neighbor

red-threshold – Optional. Configures random early detection threshold (RED threshold) for traffic class

background <0-100> – The following keyword is applicable to the ‘from-air’ and ‘to-air’ traffic.

- background <0-100> – Configures the threshold for low priority (background) traffic
  - <0-100> – Specify a value from 0 - 100.

For a meshpoint: This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped and a log message is generated. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.

For a neighbor: This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 50%.
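To see what a rate-limit policy enforces, the following added example (not code from the guide) parses the `rate-limit` lines of a meshpoint-qos-policy `show context` dump, rejects values outside the documented ranges, and converts each RED threshold from a percentage into kbytes of the burst size. The defaults are the ones stated above; applying the percentage-of-burst rule to the video and voice classes, and falling back to the defaults when a line is absent, are assumptions. The first three sample lines come from the guide's `no` example and the out-of-range line is constructed.

```python
import re

# Defaults stated in the guide: max-burst-size in kbytes, rate in kbps.
DEFAULT_BURST = {"meshpoint": 320, "neighbor": 64}
DEFAULT_RATE = {"meshpoint": 5000, "neighbor": 1000}
# Documented value ranges for each keyword.
RANGES = {"max-burst-size": (2, 1024), "rate": (50, 1000000), "red-threshold": (0, 100)}

LINE = re.compile(
    r"rate-limit (meshpoint|neighbor) (from-air|to-air) "
    r"(?:(max-burst-size|rate) (\d+)"
    r"|red-threshold (background|best-effort|video|voice) (\d+))$"
)

# Sample policy: the neighbor line is constructed and deliberately out of range.
SAMPLE = """\
meshpoint-qos-policy test
 rate-limit meshpoint from-air rate 80000
 rate-limit meshpoint from-air red-threshold video 80
 rate-limit meshpoint from-air red-threshold voice 70
 rate-limit neighbor to-air max-burst-size 2048
 accelerated-multicast 224.0.0.1 classification video
"""


def parse_rate_limits(context):
    """Return ({(scope, direction): settings}, [errors]) for a show context dump."""
    limits, errors = {}, []
    for raw in context.splitlines():
        line = raw.strip()
        if not line.startswith("rate-limit "):
            continue
        m = LINE.match(line)
        if not m:
            errors.append(f"unparsed: {line}")
            continue
        scope, direction, key, value, red_class, red_value = m.groups()
        entry = limits.setdefault((scope, direction), {"red": {}})
        name, number = (key, int(value)) if key else ("red-threshold", int(red_value))
        low, high = RANGES[name]
        if not low <= number <= high:
            errors.append(f"out of range {low}-{high}: {line}")
            continue  # rejected value: the default stays in effect
        if key:
            entry[key] = number
        else:
            entry["red"][red_class] = number
    return limits, errors


def effective_limits(limits):
    """Resolve defaults and express each RED threshold in kbytes of burst."""
    out = {}
    for (scope, direction), entry in limits.items():
        burst = entry.get("max-burst-size", DEFAULT_BURST[scope])
        out[(scope, direction)] = {
            "rate_kbps": entry.get("rate", DEFAULT_RATE[scope]),
            "burst_kbytes": burst,
            "red_kbytes": {c: burst * p / 100 for c, p in entry["red"].items()},
        }
    return out


if __name__ == "__main__":
    parsed, problems = parse_rate_limits(SAMPLE)
    for scope_dir, values in effective_limits(parsed).items():
        print(scope_dir, values)
    for problem in problems:
        print("ERROR", problem)
```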






![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 38](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-929.png)

26.3.2.1 acs

meshpoint-device-commands

Enables Automatic Channel Selection (ACS) on this meshpoint device (access point). When enabled, this feature automatically selects the best channel for a meshpoint-device radio based on the device configuration, channel conditions, and network layout.

In a wireless network deployment, it is advantageous for network devices to have the ability to operate in multiple channels and not be limited to only a single channel. Multiple channels increase the bandwidth and throughput of the wireless network. In such a scenario, each network device must have a mechanism to dynamically select a suitable channel of operation. ACS provides the required mechanism for an MCX enabled device.

Use this command to configure the ACS settings and override the default meshpoint configurations.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax

```
acs [channel-hold-time|channel-switch-delta|channel-width|ocs-duration|ocs-frequency|path-min|path-threshold|preferred-interface-tolerance-period|preferred-radio-interface|priority-meshpoint|sample-count|snr-delta|signal-threshold|tolerance-period]
acs channel-hold-time [2.4GHz|5GHz] <0-86400>
acs channel-switch-delta [2.4GHz|5GHz] <5-35>
acs channel-width [2.4GHz|5GHz] [20MHz|40MHz|80MHz|auto]
acs ocs-duration [2.4GHz|5GHz] <20-250>
acs ocs-frequency [2.4GHz|5GHz] <1-60>
acs path-min [2.4GHz|5GHz] <100-20000>
acs path-threshold [2.4GHz|5GHz] <800-65535>
acs preferred-interface-tolerance-period [2.4GHz|5GHz] <10-600>
acs preferred-radio-interface [2.4GHz|5GHz] <0-2>
acs priority-meshpoint [2.4GHz|5GHz] <MESHPOINT-NAME>
acs sample-count [2.4GHz|5GHz] <1-10>
acs snr-delta [2.4GHz|5GHz] <1-100>
acs signal-threshold [2.4GHz|5GHz] <-100-0>
acs tolerance-period [2.4GHz|5GHz] <10-600>
```

Parameters

- acs channel-hold-time [2.4GHz|5GHz] <0-86400>

acs – Configures ACS settings and overrides on the selected meshpoint-device
![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 39](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-930.png)

channel-hold-time [2.4GHz|5GHz] <0-86400> – Configures the minimum time, in seconds, before a periodic scan, to assess channel conditions for a meshpoint root, is triggered.

- 2.4GHz – Configures the channel hold interval for the 2.4GHz radio band
- 5.0GHz – Configures the channel hold interval for the 5.0GHz radio band

The following keyword is common to the ‘2.4GHz’ and ‘5.0GHz’ bands:

- <0-86400> – Specify a value from 0 - 86400 seconds. The default is 1800 seconds. A value of ‘0’ disables periodic channel assessment.

- acs channel-switch-delta [2.4GHz|5GHz] <5-35>

acs – Configures ACS settings and overrides on the selected meshpoint-device

channel-switch-delta [2.4GHz|5GHz] <5-35> – Configures the difference in interference between the current and best channel needed to trigger a channel change. Once the difference in the current channel and the best channel interference equals the configured value, a channel change is triggered.

- 2.4GHz – Configures the channel switch delta for the 2.4GHz radio band
- 5.0GHz – Configures the channel switch delta for the 5.0GHz radio band

The following keyword is common to the ‘2.4GHz’ and ‘5.0GHz’ bands:

- <5-35> – Specify a value from 5 - 35 dBm. The default is 10 dBm.

- acs channel-width [2.4GHz|5GHz] [20MHz|40MHz|80MHz|auto]

acs – Configures ACS settings and overrides on the selected meshpoint-device

channel-width [2.4GHz|5GHz] [20MHz|40MHz|80MHz|auto] – Configures the channel width that meshpoint auto channel selection assigns to the radio

- 2.4 GHz – Configures the operating channel width for the 2.4 GHz radio band
- 5.0 GHz – Configures the operating channel width for the 5.0 GHz radio band

The following keywords are common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- 20 MHz – Assigns the 20 MHz channel width to the radio
- 40 MHz – Assigns the 40 MHz channel width to the radio
- 80 MHz – Assigns the 80 MHz channel width to the radio
- auto – Selects and assigns the best possible channel from the 20/40/80 MHz width. This is the default setting.

- acs ocs-duration [2.4GHz|5GHz] <20-250>

acs – Configures ACS settings and overrides on the selected meshpoint-device

ocs-duration [2.4GHz|5GHz] <20-250> – Configures the duration, in milliseconds, of off-channel scans (OCSs)

- 2.4 GHz – Configures the ocs-duration for the 2.4 GHz radio band
- 5.0 GHz – Configures the ocs-duration for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <20-250> – Specify a value from 20 - 250 milliseconds. The default value is 50 milliseconds.

- acs ocs-frequency [2.4GHz|5GHz] <1-60>

acs – Configures ACS settings and overrides on the selected meshpoint-device
![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 40](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-931.png)

ocs-frequency [2.4GHz|5GHz] <1-60> – Configures the interval, in seconds, at which off-channel scan is performed. An ocs-frequency of 10 seconds means that an off-channel scan will be performed once every 10 seconds.

- 2.4 GHz – Configures the ocs-frequency for the 2.4 GHz radio band
- 5.0 GHz – Configures the ocs-frequency for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <1-60> – Specify a value from 1 - 60 seconds. The default is 6 seconds.

- acs path-min [2.4GHz|5GHz] <100-20000>

acs – Configures ACS settings and overrides on the selected meshpoint-device

path-min [2.4GHz|5GHz] <100-20000> – Configures the minimum root path metric needed for auto channel selection. This is the acceptance root path metric value to consider a root as a possible candidate mesh node.

- 2.4 GHz – Configures the minimum root path metric for the 2.4 GHz radio band
- 5.0 GHz – Configures the minimum root path metric for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <100-20000> – Specify a value from 100 - 20000. The default is 1000.

- acs path-threshold [2.4GHz|5GHz] <800-65535>

acs – Configures ACS settings and overrides on the selected meshpoint-device

path-threshold [2.4GHz|5GHz] <800-65535> – Configures the root path metric threshold for auto channel selection. This is the acceptance root path metric threshold beyond which the root bound to is considered as bad.

- 2.4 GHz – Configures the root path metric threshold for the 2.4 GHz radio band
- 5.0 GHz – Configures the root path metric threshold for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <800-65535> – Specify a value from 800 - 65535. The default is 1500.

- acs preferred-interface-tolerance-period [2.4GHz|5GHz] <10-600>

acs – Configures ACS settings and overrides on the selected meshpoint-device

preferred-interface-tolerance-period [2.4GHz|5GHz] <10-600> – Configures the maximum tolerance period, in seconds, for low root metrics on the preferred interface. This is the duration to wait before triggering an automatic channel selection for the next mesh-hop on the preferred interface.

- 2.4 GHz – Configures the maximum tolerance period for the 2.4 GHz radio band
- 5.0 GHz – Configures the maximum tolerance period for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <10-600> – Specify a value from 10 - 600 seconds.

- acs preferred-radio-interface [2.4GHz|5GHz] <0-2>

acs – Configures ACS settings and overrides on the selected meshpoint-device
![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 41](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-932.png)

preferred-radio-interface [2.4GHz|5GHz] <0-2> – Configures the preferred radio interface on dual band APs

- 2.4 GHz – Configures the preferred radio interface for the 2.4 GHz radio band
- 5.0 GHz – Configures the preferred radio interface for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <0-2> – Specify a value from 0 - 2. A value of 0 (zero) indicates no preferred radio.

- acs priority-meshpoint [2.4GHz|5GHz] <MESHPOINT-NAME>

acs – Configures ACS settings and overrides on the selected meshpoint-device

priority-meshpoint [2.4GHz|5GHz] <MESHPOINT-NAME> – Configures the priority meshpoint. Configuring a priority meshpoint overrides automatic meshpoint configuration.

- 2.4 GHz – Configures the priority meshpoint for the 2.4 GHz radio band
- 5.0 GHz – Configures the priority meshpoint for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <MESHPOINT-NAME> – Specify the meshpoint name for the selected radio band.

- acs sample-count [2.4GHz|5GHz] <1-10>

acs – Configures ACS settings and overrides on the selected meshpoint-device

sample-count [2.4GHz|5GHz] <1-10> – Configures the minimum number of scan cycle samples to consider for auto channel selection

- 2.4 GHz – Configures the sample count for the 2.4 GHz radio band
- 5.0 GHz – Configures the sample count for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <1-10> – Specify a value from 1 - 10. The default is 5 samples.

- acs snr-delta [2.4GHz|5GHz] <1-100>

acs – Configures ACS settings and overrides on the selected meshpoint-device

snr-delta [2.4GHz|5GHz] <1-100> – Configures the channel SNR delta. A meshpoint on a candidate channel must have a SNR of a greater delta than the next hop on the current channel.

- 2.4 GHz – Configures the snr-delta for the 2.4 GHz radio band
- 5.0 GHz – Configures the snr-delta for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <1-100> – Specify a value from 1 - 100 dB. The default is 5 dB.

- acs signal-threshold [2.4GHz|5GHz] <-100-0>

acs – Configures ACS settings and overrides on the selected meshpoint-device

signal-threshold [2.4GHz|5GHz] <-100-0> – Configures the signal strength threshold. If the signal strength of the next hop drops below the configured signal-threshold, a scan is triggered.

- 2.4 GHz – Configures the signal-threshold for the 2.4 GHz radio band
- 5.0 GHz – Configures the signal-threshold for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <-100-0> – Specify a value from -100 - 0 dB. The default is -65 dB.
![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 42](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-933.png)

- acs tolerance-period [2.4GHz|5GHz] <10-600>

acs – Configures ACS settings and overrides on the selected meshpoint-device

tolerance-period [2.4GHz|5GHz] <10-600> – Configures the maximum tolerance period in seconds. This is the interval to wait for the root bound to recover from a bad link.

- 2.4 GHz – Configures the tolerance-period for the 2.4 GHz radio band
- 5.0 GHz – Configures the tolerance-period for the 5.0 GHz radio band

The following keyword is common to the ‘2.4 GHz’ and ‘5.0 GHz’ bands:

- <10-600> – Specify a value from 10 - 600 seconds. The default is 60 seconds.

Example

```
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#acs channel-hold-time 2.4GHz 2500
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#acs ocs-duration 2.4GHz 30
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#acs ocs-frequency 2.4GHz 1
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#show context
 meshpoint-device test
  acs ocs-frequency 2.4GHz 1
  acs osc-duration 2.4GHz 30
  acs channel-hold-time 2.4GHz 2500
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#
```

Related Commands

no – Reverts the configured ACS settings to default

![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 44](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-935.png)

26.3.2.3 hysteresis

meshpoint-device-commands

Configures path selection SNR hysteresis values on this meshpoint-device (access point). These are settings that facilitate dynamic path selection. Configuring hysteresis prevents frequent re-ranking of the shortest path cost.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax

```
hysteresis [min-threshold|period|root-sel-snr-delta|snr-delta]
hysteresis [min-threshold <-100-0>|period <0-600>|root-sel-snr-delta <1-100>|snr-delta <1-100>]
```

Parameters

- hysteresis [min-threshold <-100-0>|period <0-600>|root-sel-snr-delta <1-100>|snr-delta <1-100>]

min-threshold <-100-0> – Configures the minimum signal strength that a device should have to be considered a likely candidate in the mesh route (to the mesh root node) selection process.

- <-100-0> – Specify a value from -100 - 0 dB. The default is 0 dB.

period <0-600> – Configures the interval, in seconds, for which a likely candidate’s path method hysteresis is sustained. In other words, a device capable of sustaining the signal strength for the specified period of time is a likely candidate in the mesh route (to the mesh root node) selection process.

- <0-600> – Specify a value from 0 - 600 seconds. The default is 1 second.

root-sel-snr-delta <1-100> – Configures the signal strength, in dB, that a device has to sustain, within the delta range, to be considered a likely candidate in the mesh route (to the mesh root node) selection process.

- <1-100> – Specify a value from 1 - 100 dB.

snr-delta <1-100> – Configures the SNR delta. The device must have a SNR of a greater delta than its current neighbor to be considered a likely candidate in the mesh route (to the mesh root) selection process.

- <1-100> – Specify a value from 1 - 100 dB. The default is 1 dB.

Example

```
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis period 15
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis root-sel-snr-delta 12
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis snr-delta 3
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis min-threshold -65
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#show context
 meshpoint-device test
  hysteresis period 15
  hysteresis snr-delta 3
  hysteresis min-threshold -65
  hysteresis root-sel-snr-delta 12
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#
```

![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 46](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-937.png)

26.3.2.4 monitor

meshpoint-device-commands

Enables monitoring of critical resource and primary port links. It also configures the action taken in case a critical resource goes down or a primary port link is lost.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax

```
monitor [critical-resource|primary-port-link-loss] action no-root
```

Parameters

- monitor [critical-resource|primary-port-link-loss] action no-root

critical-resource – Enables critical resource down event monitoring

primary-port-link-loss – Enables primary port link loss event monitoring

action no-root – The following are common to all of the above:

- action – Sets the action taken if a critical resource goes down or if a primary port link is lost
  - no-root – Changes the meshpoint to be non root (this is the action taken in case any of the above mentioned two events occur)

Example

```
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#monitor critical-resource action no-root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
 meshpoint-device test
  name test
  monitor critical-resource action no-root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
```

Related Commands

no – Disables monitoring of critical resource and primary port links.
![MESHPOINT: Access Point, Wireless Controller and Service Platform CLI Reference Guide, page 26 - 47](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-938.png)

26.3.2.5 path-method

meshpoint-device-commands

Configures the path selection method used on a meshpoint device. This is the method used to select the route to the root node within a mesh network.

Supported in the following platforms:

- Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax

```
path-method [bound-pair|mobile-snr-leaf|snr-leaf|uniform]
```

Parameters

- path-method [bound-pair|mobile-snr-leaf|snr-leaf|uniform]

path-method – Sets the method used to select the path to the root node in a mesh network

bound-pair – Enables a meshpoint to form an exclusive path with only one other meshpoint. Select this option to bind one mesh point connection at a time. Once established, other mesh point connection requests are denied.

mobile-snr-leaf – Configures the path selection method as mobile-snr-leaf. When selected, the path to the root node is selected based on the Signal-to-Noise Ratio (SNR) to a neighboring device. This option allows meshpoint devices to select a neighbor with the strongest SNR. Meshpoint devices using the mobile-snr-leaf method are non-forwarding nodes in the meshpoint traffic.

Note: Select this option for Vehicular Mounted Modem (VMM) access points or other mobile devices.

Note: VMM is supported only on the AP7161 model access point.

snr-leaf – This option allows meshpoints to select a neighbor with the strongest SNR. It is similar to the mobile-snr-leaf option, but is not applicable to mobile devices, such as VMMs.

uniform – Indicates the path selection method is uniform. When selected, two paths will be considered equivalent if the average goodput is the same for both paths. This is the default setting.

Note: Select this option for infrastructure devices.

Example

```
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#path-method mobile-snr-leaf
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
 meshpoint-device TEST
  name TEST
  path-method mobile-snr-leaf
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
```

Related Commands

no – Resets the path selection method on a meshpoint device
![26.3.2.6 preferred
meshpoint-device-commands
Configures the preferred path parameters for this meshpoint device
Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
preferred [neighbor <MAC>|root <MAC>|interface [2.4GHz|4.9GHz|5GHz]]
Parameters
• preferred [neighbor <MAC>|root <MAC>|interface [2.4GHz|4.9GHz|5GHz]]
preferred – Configures the preferred path parameters
neighbor <MAC> – Adds the MAC address of a neighbor meshpoint as a preferred neighbor
root <MAC> – Adds the MAC address of a root meshpoint as a preferred root
interface [2.4GHz|4.9GHz|5GHz] – Sets the preferred interface
Example
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#preferred neighbor 11-22-33-44-55-66
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#preferred root 22-33-44-55-66-77
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#preferred interface 5GHz
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
 meshpoint-device test
  name test
  preferred root 22-33-44-55-66-77
  preferred neighbor 11-22-33-44-55-66
  preferred interface 5GHz
  monitor critical-resource action no-root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
Related Commands
no – Removes the configuration of preferred paths for this meshpoint device](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-939.png)
![26.3.2.7 root
meshpoint-device-commands
Configures this meshpoint device as the root meshpoint
You can optionally use the select-method option to enable dynamic mesh selection. When enabled, this option overrides root or no-root configuration and uses the selection method.
Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
root {select-method [auto-mint|auto-proximity]}
Parameters
• root {select-method [auto-mint|auto-proximity]}
root – Configures this meshpoint device as the root meshpoint
select-method auto-mint – Optional. Enables dynamic mesh selection. When enabled, this option overrides root or no-root configuration and chooses the selection method.
• auto-mint – Enables dynamic root selection using Auto-MiNT (based on path cost)
The Auto-Mint or Cost Method dynamically determines the root/non-root configuration of a meshpoint by:
• Monitoring and ranking the signal strength and path cost of neighboring meshpoints.
• Setting the configuration to:
 • non-root: If the link with the shortest path to the cost-root mesh device is a MCX meshpoint link
 • root: If the link with the shortest path to the cost-root mesh device is a non MCX meshpoint link (wired link).
• This requires that the meshpoint device, in the brain car, be configured as the ‘cost root’ and the ‘cost root’ meshpoint-device be the l2 gateway to the controller. Use the root-select > cost-root command to configure a meshpoint-device as ‘cost-root’.
• Using signal strength of neighboring meshpoint as the sole metric to determine the next mesh hop to the root.
• Loop detection with both meshpoints in a car select non-root and form a mesh link with the same root
• auto-proximity – Enables dynamic root selection using meshpoint proximity. When auto-proximity is selected, root selection is based on signal strength of candidate roots.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-940.png)


![26.3.2.9 no
meshpoint-device-commands
Negates the commands for a meshpoint device or resets values to default
Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
no [acs|exclude|hysteresis|monitor|path-method|preferred|root|root-select]
no acs [channel-hold-time|channel-switch-delta|channel-width|ocs-duration|ocs-frequency|path-min|path-threshold|preferred-interface-tolerance-period|preferred-radio-interface|priority-meshpoint|sample-count|snr-delta|signal-threshold|tolerance-period] [2.4GHZ|5GHz]
no exclude wired-peer mint-level-1
no hysteresis [min-threshold|period|root-sel-snr-delta|snr-delta]
no monitor [critical-resource|primary-port-link-loss]
no [path-method|root {select-method}]
no root-select cost-root
no preferred [interface|root|neighbor]
Parameters
• no <PARAMETERS>
no <PARAMETERS> – Removes or reverts this meshpoint device settings to default based on the parameters passed
Example
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
 meshpoint-device test
  name test
  root
  preferred root 22-33-44-55-66-77
  preferred neighbor 11-22-33-44-55-66
  preferred interface 5GHz
  monitor critical-resource action no-root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no monitor critical-resource
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no preferred neighbor
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no root
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no preferred interface
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
 meshpoint-device test
  name test
  no root
  preferred root 22-33-44-55-66-77
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-943.png)



![PASSPOINT POLICY
27.1.2 access-network-type
passpoint-policy
Configures the access network type for this hotspot. The beacons and probe responses communicate the type of hotspot (public, private, guest-use, emergency, etc.) to clients seeking access.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
access-network-type [chargeable-public|emergency-services|experimental|free-public|personal-device|private|private-guest|wildcard]
Parameters
• access-network-type [chargeable-public|emergency-services|experimental|free-public|personal-device|private|private-guest|wildcard]
access-network-type – Select the access network type for this hotspot. The options are:
 • chargeable-public – The network type is a chargeable public network
 • emergency-services – The network is used to provide emergency services only
 • experimental – The network is used for test or experimental purposes only
 • free-public – The network type is a free public network
 • personal-device – The network is used for personal devices only
 • private – The network is a private network
 • private-guest – The network is a private network with guest access (default setting)
 • wildcard – Includes all access network types
 If the network type is set to chargeable-public, probe responses advertise this hotspot as a chargeable-public hotspot.
Example
rfs4000-229D58(config-passpoint-policy-test)#access-network-type chargeable-public
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
no – Reverts to the default access network type setting (private)](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-947.png)
![27.1.3 connection-capability
passpoint-policy
Configures the connection capability element in this passpoint policy. When configured, it communicates which ports are open or closed on the Hotspot, in response to an ANQP query.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
connection-capability [ftp|http|icmp|ip-protocol|ipsec-vpn|pptp-vpn|sip|ssh|tls-vpn]
connection-capability [ftp|http|icmp|ipsec-vpn|pptp-vpn|sip|ssh|tls-vpn] [closed|open|unknown]
connection-capability ip-protocol <0-255> port <0-65535> [closed|open|unknown]
Parameters
• connection-capability [ftp|http|icmp|ipsec-vpn|pptp-vpn|sip|ssh|tls-vpn] [closed|open|unknown]
• connection-capability ip-protocol <0-255> port <0-65535> [closed|open|unknown]
connection-capability – Configures the connection capability element in this passpoint policy
ftp – Specifies the protocol type as FTP. Configures TCP port 20.
http – Specifies the protocol type as HTTP. Configures TCP port 80.
icmp – Specifies the protocol type as ICMP
ipsec-vpn – Specifies the protocol type as IPSEC VPN. Configures ESP and UDP ports 500 and 4500.
pptp-vpn – Specifies the protocol type as PPTP VPN. Configures TCP port 1723.
sip – Specifies the protocol type as SIP. Configures TCP port 5060 and UDP port 5060.
ssh – Specifies the protocol type as SSH. Configures TCP port 20
tls-vpn – Specifies the protocol type as TLS VPN. Configures TCP port 443.
port <0-65535> [closed|open|unknown] – After specifying the protocol type, specify the port (associated with the selected protocol) and its status.
 • closed – Specifies that the port(s) is/are closed
 • open – Specifies that the port(s) is/are open
 • unknown – Specifies that the port(s) status is not known
 When the connection capability element is not configured, the hotspot does not return the element in an ANQP capability request and ignores any ANQP query for the element.
connection-capability – Configures the connection capability element in this passpoint policy
ip-protocol <0-255> – Identifies the IP protocol by the protocol’s number. For example, for simple message protocol (SMP) specify 121.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-948.png)




![27.1.7 ip-address-type
passpoint-policy
Advertises the IP address type used in this hotspot. This information is returned in response to ANQP queries.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
ip-address-type [ipv4|ipv6]
ip-address-type ipv4 [double-nat|not-available|port-restricted|port-restricted-double-nat|port-restricted-single-nat|public|single-nat|unknown]
ip-address-type ipv6 [available|not-available|unknown]
Parameters
• ip-address-type ipv4 [double-nat|not-available|port-restricted|port-restricted-double-nat|port-restricted-single-nat|public|single-nat|unknown]
• ip-address-type ipv6 [available|not-available|unknown]
ip-address-type ipv4 – Configures the IPv4 address type availability information
double-nat – Specifies double NATed private IPv4 address is available
not-available – Specifies IPv4 address is not available
port-restricted – Specifies port-restricted IPv4 address is available
port-restricted-double-nat – Specifies port-restricted IPv4 address and double NATed IPv4 address is available
port-restricted-single-nat – Specifies port-restricted IPv4 address and single NATed IPv4 address is available
public – Specifies public IPv4 address is available
single-nat – Specifies single NATed IPv4 address is available
unknown – Specifies no information configured regarding the IPv4 address availability
ip-address-type ipv6 – Configures the IPv6 address type availability information
available – Specifies IPv6 address is available
not-available – Specifies IPv6 address is not available
unknown – Specifies no information configured regarding the IPv6 address availability](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-953.png)





![27.1.8.2.1 eap-method
nai-realm-config-mode commands
Specifies the EAP authentication mechanisms supported by each of the service providers associated with this passpoint policy
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
eap-method <1-10> [<1-255>|fast|gtc|identity|ikev2|ms-auth|mschapv2|otp|peap|psk|rsa-public-key|sim|tls|ttls] auth-param [credential|expanded-eap|expanded-inner-eap|inner-eap|non-eap-inner|tunn-eap-credential|vendor] [cert|hw-token|nfc-secure-elem|none|sim|soft-token|username-password|usim|vendor]
Parameters
• eap-method <1-10> [<1-255>|fast|gtc|identity|ikev2|ms-auth|mschapv2|otp|peap|psk|rsa-public-key|sim|tls|ttls] auth-param [credential|expanded-eap|expanded-inner-eap|inner-eap|non-eap-inner|tunn-eap-credential|vendor] [cert|hw-token|nfc-secure-elem|none|sim|soft-token|username-password|usim|vendor]
eap-method <1-10> – Creates an EAP authentication method and assigns it an index number
 • <1-10> – Specify an identifier for this EAP method from 1 - 10.
 A maximum of 10 (ten) authentication methods can be specified for every NAI realm. After creating the EAP authentication method, specify the associated authentication mechanisms (method types).
<1-255> – Identifies the EAP authentication method type from the corresponding Internet Assigned Numbers Authority (IANA) number
 • <1-255> – Specify the IANA identity number for the authentication protocol from 1 - 255.
fast – Specifies the EAP authentication method type as Flexible Authentication via Secure Tunneling (FAST)
gtc – Specifies the EAP authentication method type as Generic Token Card (GTC)
identity – Specifies the EAP authentication method type as Identification
ikev2 – Specifies the EAP authentication method type as Internet Key Exchange Protocol version 2 (IKEv2)
ms-auth – Specifies the EAP authentication method type as Microsoft Authentication (MS-Auth)
mschapv2 – Specifies the EAP authentication method type as Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2)
otp – Specifies the EAP authentication method type as One Time Password (OTP)
peap – Specifies the EAP authentication method type as Protected Extensible Authentication Protocol (PEAP)
psk – Specifies the EAP authentication method type as Pre-shared Key (PSK)
rsa-public-key – Specifies the EAP authentication method type as RSA public key protocol
sim – Specifies the EAP authentication method type as GSM Subscriber Identity Module (SIM)](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-959.png)
![tls – Specifies the EAP authentication method type as Transport Layer Security (TLS)
ttls – Specifies the EAP authentication method type as Tunneled Transport Layer Security (TTLS)
auth-param – After specifying the EAP authentication method type, specify the authentication parameters. These parameters depend on the EAP authentication mechanism selected.
[cert|hw-token|nfc-secure-elem|none|sim|soft-token|username-password|usim|vendor] – The following parameters are common to all the above authentication parameters:
 • cert – Certificate
 • hw-token – Hardware token
 • nfc-secure-elem – NFC secure element
 • none – No credential
 • sim – Subscriber identity module
 • soft-token – Soft token
 • username-password – Username and password
 • usim – Universal subscriber identity module
 • vendor – Vendor specific credential
Example
The following examples show four EAP authentication methods associated with the NAI realm ‘mail.example.com’. Each method supports a different EAP authentication mechanism:
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#eap-method 1 ttls auth-param vendor hex 00001E
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#eap-method 2 rsa-public-key auth-param credential cert
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#eap-method 4 peap auth-param credential cert
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#show context
 nai-realm mail.example.com
  eap-method 1 ttls auth-param vendor hex 00121F
  eap-method 2 rsa-public-key auth-param credential cert
  eap-method 3 otp auth-param credential username-password
  eap-method 4 peap auth-param credential cert
rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-960.png)
![27.1.9 net-auth-type
passpoint-policy
Configures the network authentication type used in this hotspot. The details configured are returned in response to an ANQP query.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
net-auth-type [accept-terms|dns-redirect|http-redirect|online-enroll] {url <URL>}
Parameters
• net-auth-type [accept-terms|dns-redirect|http-redirect|online-enroll] {url <URL>}
net-auth-type – Specifies the network authentication type used with this passpoint policy. The options are: accept-terms, dns-redirect, http-redirect, and online-enroll
accept-terms – Enables user acceptance of terms and conditions
dns-redirect – Enables DNS redirection of user
http-redirect – Enables HTTP redirection of user
online-enroll – Enables online user enrolment
url <URL> – Optional. Specify the location for each of the above network authentication types.
Example
rfs4000-229D58(config-passpoint-policy-test)#net-auth-type accept-terms url "www.test.com"
rfs4000-229D58(config-passpoint-policy-test)#
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 hessid 00-23-68-88-0D-A7
 ip-address-type ipv6 available
 nai-realm mail.example.com
  eap-method 1 ttls auth-param vendor hex 00001E
  eap-method 2 rsa-public-key auth-param credential cert
  eap-method 3 otp auth-param credential username-password
  eap-method 4 peap auth-param credential cert
 nai-realm mail.testrealm.com
 net-auth-type accept-terms url www.test.com
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
no – Removes the network authentication type configured with this passpoint policy](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-961.png)
![27.1.10 no
passpoint-policy
Removes or reverts the passpoint policy settings
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
no [3gpp|access-network-type|connection-capability|domain-name|hessid|internet|ip-address-type|nai-realm|net-auth-type|operator|osu|roam-consortium|venue|wan-metrics]
Parameters
• no <PARAMETERS>
no <PARAMETERS> – Removes or reverts the passpoint policy settings
Example
The following example shows the passpoint policy ‘test’ settings before the ‘no’ commands are executed:
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 access-network-type chargeable-public
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 hessid 00-23-68-88-0D-A7
 ip-address-type ipv6 available
 nai-realm mail.example.com
  eap-method 1 ttls auth-param vendor hex 00001E
  eap-method 2 rsa-public-key auth-param credential cert
  eap-method 3 otp auth-param credential username-password
  eap-method 4 peap auth-param credential cert
 nai-realm mail.testrealm.com
 net-auth-type accept-terms url www.test.com
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#
rfs4000-229D58(config-passpoint-policy-test)#no access-network-type
rfs4000-229D58(config-passpoint-policy-test)#no hessid
rfs4000-229D58(config-passpoint-policy-test)#no nai-realm mail.example.com
rfs4000-229D58(config-passpoint-policy-test)#no 3gpp mcc 310 mnc 970
rfs4000-229D58(config-passpoint-policy-test)#no internet
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 no internet
 ip-address-type ipv6 available
 nai-realm mai.testrealm.com
 net-auth-type accept-terms url www.test.com
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-962.png)
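The following is an added example, not part of the WiNG guide or any Extreme Networks code: a Python check that parses a passpoint (hotspot2) policy `show context` dump, validates its `connection-capability` and `eap-method` lines against the syntax documented in 27.1.3 and 27.1.8.2.1, and lists what the policy advertises as open in ANQP responses. The function names, the second (constructed) sample, and the treatment of `auth-param vendor` values as opaque data (based on the page's `vendor hex 00001E` example) are assumptions.

```python
import re

# Keyword sets copied from the syntax lines documented on this page.
EAP_TYPES = set("fast gtc identity ikev2 ms-auth mschapv2 otp peap psk "
                "rsa-public-key sim tls ttls".split())
AUTH_PARAMS = set("credential expanded-eap expanded-inner-eap inner-eap "
                  "non-eap-inner tunn-eap-credential vendor".split())
CREDENTIALS = set("cert hw-token nfc-secure-elem none sim soft-token "
                  "username-password usim vendor".split())
NAMED_PROTOCOLS = set("ftp http icmp ipsec-vpn pptp-vpn sip ssh tls-vpn".split())
PORT_STATES = {"closed", "open", "unknown"}
MAX_EAP_PER_REALM = 10  # the page allows at most 10 methods per NAI realm

EAP_RE = re.compile(r"^eap-method (\d+) (\S+) auth-param (\S+)(?: (.+))?$")
CAP_IP_RE = re.compile(r"^connection-capability ip-protocol (\d+) port (\d+) (\S+)$")
CAP_NAMED_RE = re.compile(r"^connection-capability (\S+) (\S+)$")

# Policy text from the page's net-auth-type example. The indentation is
# reconstructed here; the parser does not rely on it.
PAGE_SAMPLE = """\
hotspot2-policy test
 access-network-type chargeable-public
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 hessid 00-23-68-88-0D-A7
 ip-address-type ipv6 available
 nai-realm mail.example.com
  eap-method 1 ttls auth-param vendor hex 00001E
  eap-method 2 rsa-public-key auth-param credential cert
  eap-method 3 otp auth-param credential username-password
  eap-method 4 peap auth-param credential cert
 nai-realm mail.testrealm.com
 net-auth-type accept-terms url www.test.com
 3gpp mcc 310 mnc 970
 3gpp mcc 505 mnc 14
"""

# Constructed input (not from the page) that exercises the checks.
CONSTRUCTED_SAMPLE = """\
hotspot2-policy lab
 connection-capability ssh open
 connection-capability ip-protocol 6 port 70000 open
 nai-realm corp.example.net
  eap-method 1 tls auth-param credential cert
  eap-method 11 md5 auth-param credential password
"""


def parse_policy(text):
    """Collect NAI realms with their EAP methods and the connection-capability entries."""
    policy = {"realms": {}, "caps": [], "unparsed": []}
    realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nai-realm "):
            realm = line.split(None, 1)[1]
            policy["realms"].setdefault(realm, [])
        elif line.startswith("eap-method "):
            m = EAP_RE.match(line)
            if m and realm is not None:
                policy["realms"][realm].append((int(m[1]), m[2], m[3], m[4] or ""))
            else:
                policy["unparsed"].append(line)
        else:
            realm = None  # any other line ends the nai-realm sub-context
            ip = CAP_IP_RE.match(line)
            named = CAP_NAMED_RE.match(line)
            if ip:
                policy["caps"].append((int(ip[1]), int(ip[2]), ip[3]))
            elif named:
                policy["caps"].append((named[1], None, named[2]))
            elif line.startswith("connection-capability"):
                policy["unparsed"].append(line)
    return policy


def audit(policy):
    """Return review findings: syntax violations and entries advertised as open."""
    findings = [f"unparsed line: {line}" for line in policy["unparsed"]]
    for realm, methods in policy["realms"].items():
        if not methods:
            findings.append(f"{realm}: realm advertises no EAP method")
        for index, etype, param, value in methods:
            where = f"{realm} eap-method {index}"
            if not 1 <= index <= MAX_EAP_PER_REALM:
                findings.append(f"{where}: index outside 1-{MAX_EAP_PER_REALM}")
            # A bare number is allowed when it is an IANA EAP type in 1-255.
            if etype not in EAP_TYPES and not (etype.isdigit() and 1 <= int(etype) <= 255):
                findings.append(f"{where}: undocumented EAP type '{etype}'")
            if param not in AUTH_PARAMS:
                findings.append(f"{where}: undocumented auth-param '{param}'")
            elif param != "vendor" and value not in CREDENTIALS:
                # Assumption: vendor values (e.g. "hex 00001E") are opaque data.
                findings.append(f"{where}: undocumented credential '{value}'")
    for proto, port, state in policy["caps"]:
        if port is None:
            label, valid = f"connection-capability {proto}", proto in NAMED_PROTOCOLS
        else:
            label = f"connection-capability ip-protocol {proto} port {port}"
            valid = 0 <= proto <= 255 and 0 <= port <= 65535
        if not valid:
            findings.append(f"{label}: outside the documented syntax")
        if state not in PORT_STATES:
            findings.append(f"{label}: undocumented state '{state}'")
        elif state == "open":
            findings.append(f"{label}: advertised as open in ANQP responses")
    return findings
```

Run `audit(parse_policy(...))` over a saved `show context` dump; an empty list means every parsed line matches the documented syntax and nothing is advertised as open.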


![27.1.12.1 osu
osu
Adds an online sign up (OSU) SSID (WLAN)/OSU provider and enters its configuration mode
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
osu [provider <PASSPOINT-OSU-PROVIDER>|ssid <SSID>]
Parameters
• osu [provider <PASSPOINT-OSU-PROVIDER>|ssid <SSID>]
osu – Use this command to configure an online sign up (OSU) SSID/OSU provider. In the OSU SSID/provider configuration mode, specify OSU details, such as names, descriptions, servers, methods, and icons available. This information is returned in response to a station’s Hotspot 2.0 query. When configured, this option enables a station to obtain credentials for a Hotspot 2.0 enabled SSID.
provider <PASSPOINT-OSU-PROVIDER> – Creates an OSU provider for this passpoint and enters its configuration mode
 • <PASSPOINT-OSU-PROVIDER> – Specify an identification for this OSU passpoint provider.
ssid <SSID> – Configures an OSU WLAN’s SSID. This is the open authentication SSID that a user can use to obtain credentials for the passpoint SSID.
 • <SSID> – Specify the SSID.
Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#?
Passpoint OSU Provider Mode commands:
  description  Configure the english description of the online signup provider
  icon         Add an icon for the online signup provider
  method       Specify the online signup method supported by provider
  nai          Configure the NAI for the online signup provider
  name         Configure the english name of the online signup provider
  no           Negate a command or set its defaults
  server-url   Configure the signup url for the online signup provider
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
Related Commands
no – Removes the OSU WLAN/provider configured with this passpoint policy](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-965.png)

![27.1.12.2.2 description
osu-config-mode commands
Configures the OSU SSID/provider’s description. This value is returned in the ANQP OSU providers list.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
description [<DESCRIPTION>|iso-lang <ISO-LANG-CODE>]
Parameters
• description [<DESCRIPTION>|iso-lang <ISO-LANG-CODE>]
<DESCRIPTION> – Provides a description for the OSU provider. It should not exceed 253 characters in length.
 • <DESCRIPTION> – Specify the description in one or more languages. By default the system configures the name in English.
iso-lang <ISO-LANG-CODE> – Identifies the language by its ISO 639 language code (for example, ‘chi-chinese’ or ‘spa-spanish’). By default the language is set to English. If specifying the description in any language other than English, specify the ISO language code.
Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#description "Provides free service for testing purposes"
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  description "Provides free service for testing purposes"
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
Related Commands
no – Removes this OSU provider’s description](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-967.png)
![27.1.12.2.3 icon
osu-config-mode commands
Adds the OSU provider’s icon. This value is returned in the ANQP OSU providers list.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
icon iso-lang <ISO-LANG-CODE> width <0-65535> height <0-65535> mime-type <FILE-MIME-TYPE> file [<IMAGE-FILE-NAME/PATH>|<FILE-NAME>]
Parameters
• icon iso-lang <ISO-LANG-CODE> width <0-65535> height <0-65535> mime-type <FILE-MIME-TYPE> file [<IMAGE-FILE-NAME/PATH>|<FILE-NAME>]
icon iso-lang <ISO-LANG-CODE> – Configures an icon representing the OSU provider
 • iso-lang <ISO-LANG-CODE> – Identifies the language by its ISO 639 language code (for example, ‘chi-chinese’ or ‘spa-spanish’). By default the language is set to English. If specifying the image file name and path in any language other than English, specify the ISO language code.
width <0-65535> – Configures the icon’s width in pixels
 • <0-65535> – Specify a value from 0 - 65535 pixels.
height <0-65535> – Configures the icon’s height in pixels
 • <0-65535> – Specify a value from 0 - 65535 pixels.
mime-type <FILE-MIME-TYPE> – Configures a string describing the icon’s standard mime type. For example, image/png
 • <FILE-MIME-TYPE> – Specify the icon’s mime type.
file [<IMAGE-FILE-NAME/PATH>|<FILE-NAME>] – Configures the location and name of the image file
 • <IMAGE-FILE-NAME/PATH> – Specify the path and filename. For example, flash:/icon.png
 • <FILE-NAME> – Use this option to specify the filename in the flash:/ directory
Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  description "Provides free service for testing purposes"
  icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
Related Commands
no – Removes this OSU provider’s icon](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-968.png)
![27.1.12.2.4 method
osu-config-mode commands
Configures the open sign up methods available on this OSU provider. This value is returned, in the specified order of precedence, in the ANQP OSU providers list.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
method [oma-dm|soap-xml-spp] priority <1-2>
Parameters
• method [oma-dm|soap-xml-spp] priority <1-2>
method [oma-dm|soap-xml-spp] priority <1-2> – Configures the online sign up methods supported by this OSU provider
 • oma-dm – Configures the OSU method used as Open Mobile Alliance (OMA) device management
 • soap-xml-spp – Configures the OSU method used as Soap-xml subscription provisioning protocol
 • priority <1-2> – Sets the priority of the specified method. Select a value from 1 - 2. The default is one (1).
Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#method soap-xml-spp priority 1
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  description "Provides free service for testing purposes"
  icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
  method soap-xml-spp priority 1
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
Related Commands
no – Removes the online sign up methods configured on this OSU provider](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-969.png)

![27.1.12.2.6 name
osu-config-mode commands
Configures the OSU provider’s name. This value is returned in the ANQP OSU providers list.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
name [<NAME>|iso-lang <ISO-LANG-CODE>]
Parameters
• name [<NAME>|iso-lang <ISO-LANG-CODE>]
<NAME> – Configures the OSU provider’s name. It should not exceed 253 characters in length.
 • <NAME> – Specify the name in one or more languages. By default the system configures the name in English.
iso-lang <ISO-LANG-CODE> – Identifies the language by its ISO 639 language code (for example, ‘chi-chinese’ or ‘spa-spanish’). By default the language is set to English. If specifying the name in any language other than English, specify the ISO language code.
Example
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#name "WIFI Alliance OSU"
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFI
  name "WIFI Alliance OSU"
  description "Provides free service for testing purposes"
  icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
  method soap-xml-spp priority 1
  nai wifi.org
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
Related Commands
no – Removes this OSU provider’s name](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-971.png)
27.1.12.2.7 no

osu-config-mode commands

Removes the settings configured for this OSU provider. Once removed the information is not included in the ANQP providers list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax

```
no [description|icon|method|nai|name|server-url]
no [description|icon|name] {iso-lang <ISO-LANG-CODE>}
no [nai|server-url]
no method [oma-dm|soap-xml-spp]
```

Parameters
• no <PARAMETERS>

no <PARAMETERS>: Removes the settings configured for this OSU provider

Example

```
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  name "WIFI Alliance OSU"
  description "Provides free service for testing purposes"
  icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
  method soap-xml-spp priority 1
  nai wifi.org
  server-url osu-server.wifi.org
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#no description
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#no icon iso-lang eng
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#no name
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
 osu provider WiFi
  method soap-xml-spp priority 1
  nai wifi.org
  server-url osu-server.wifi.org
nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
```


27.1.14 venue

passpoint-policy

Configures the venue where this hotspot is located. The hotspot venue configuration informs prospective clients about the hotspot’s nature of activity, such as educational, institutional, residential, etc.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax

```
venue [group|name]
venue group [assembly|business|educational|industrial|institutional|mercantile|outdoor|residential|storage|unspecified|utility-and-misc|vehicular] type
venue name [<VENUE-NAME>|iso-lang]
venue name <VENUE-NAME>
venue name iso-lang <ISO-LANG-CODE> <VENUE-NAME>
```

Parameters
• venue group [assembly|business|educational|industrial|institutional|mercantile|outdoor|residential|storage|unspecified|utility-and-misc|vehicular] type

venue group: Configures the venue group associated with this hotspot

assembly type: Configures the venue group as assembly (1). This hotspot type is applicable to public assembly venues.
  • type – Specifies the venue type for this group. The options are:
    • <0-255> – Specifies an unlisted venue type number from 0 - 255
    • amphitheater – Specifies the venue type as amphitheater (4)
    • amusement-park – Specifies the venue type as amusement park (5)
    • arena – Specifies the venue type as arena (1)
    • bar – Specifies the venue type as bar (12)
    • coffee-shop – Specifies the venue type as a coffee shop (13)
    • convention-centre – Specifies the venue type as a convention center (7)
    • emergency-coordination-center – Specifies the venue type as an emergency coordination center (15)
    • library – Specifies the venue type as a library (8)
    • museum – Specifies the venue type as a museum (9)
    • passenger-terminal – Specifies the venue type as a passenger terminal (3)
    • place-of-worship – Specifies the venue type as a place of worship (6)
    • restaurant – Specifies the venue type as a restaurant (10)
    • stadium – Specifies the venue type as a stadium (2)
    • theater – Specifies the venue type as a theater (11)
    • unspecified – Specifies the venue type as not specified (0)
    • zoo – Specifies the venue type as a zoo (14)







BORDER GATEWAY PROTOCOL

28.1.1 deny

bgp-ip-prefix-list-config commands

Creates and configures a deny prefix-list rule. The deny rule specifies match criteria based on which prefixes received from (or transmitted to) a BGP neighbor are filtered. A deny action is applied on these filtered prefixes. For example, in the BGP router neighbor context a filter is applied using an IP prefix list. The list contains a deny rule with a prefix to match as 192.168.13.0/24. All prefixes received from the neighbor matching this prefix are denied.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
deny prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]
deny prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK> {ge <0-32>|le <0-32>}|any]
```

Parameters
• deny prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK> {ge <0-32>|le <0-32>}|any]

deny prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]: Creates and configures a deny prefix-list rule
  • <1-4294967295> – Configures a sequence number for this deny rule. Specify a value from 1 - 4294967295. Within a prefix list, rules are applied in an ascending order of their sequence number. Rules with lower sequence number are applied first.
  • <PREFIX-TO-MATCH/MASK> – Specify the prefix to match. For example 10.0.0.0/8 or 192.168.13.0/24. Routes matching the specified prefix are filtered.
    • ge <0-32> – Optional. Specifies a greater than or equal to value for the IP prefix length (subnet mask)
    • le <0-32> – Optional. Specifies a less than or equal to value for the IP prefix length
    The ‘ge’ and ‘le’ options specify an IP prefix length range. Use these options to specify a more specific (granular) prefix match criteria.
  • any – Sets the prefix match criteria to any. When selected, all routes are filtered, and the action applied is deny. At the backend, this option sets the match criteria to 0.0.0.0/0 le 32.

Example

```
nx9500-6C8809(config-bgp-ip-prefix-list-test)#deny prefix-list 1 168.192.13.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#
```

Related Commands

no: Removes a deny prefix-list rule from this IP prefix list
28.1.2 permit

bgp-ip-prefix-list-config commands

Creates and configures a permit prefix-list rule. The permit rule specifies match criteria based on which prefixes received from (or transmitted to) a BGP neighbor are filtered. A permit action is applied on these filtered prefixes. For example, in the BGP router neighbor context a filter is applied using an IP prefix list. The list contains a permit rule with a prefix to match as 172.168.10.0/24. All prefixes received from the neighbor matching this prefix are permitted.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
permit prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]
```

Parameters
• permit prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]

permit prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]: Creates and configures a permit prefix-list rule
  • <1-4294967295> – Configures a sequence number for this permit rule. Specify a value from 1 - 4294967295. Within a prefix list, rules are applied in an ascending order of their sequence number. Rules with lower sequence number are applied first.
  • <PREFIX-TO-MATCH/MASK> – Specify the prefix to match. For example 10.0.0.0/8 or 192.168.13.0/24. Routes matching the specified prefix are filtered.
    • ge – Optional. Specifies a greater than or equal to value for the IP prefix length (subnet mask)
    • le – Optional. Specifies a less than or equal to value for the IP prefix length
    Use the ‘ge’ and ‘le’ options to specify an IP prefix length range. Use these options to specify a more specific (granular) prefix match criteria.
  • any – Sets the prefix match criteria to any. When selected, all routes are filtered, and the action applied is permit. At the backend, this option sets the match criteria to 0.0.0.0/0 le 32.

Example

```
nx9500-6C8809(config-bgp-ip-prefix-list-test)#permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#
```

Related Commands

no: Removes a permit prefix rule from this IP prefix list
28.1.3 no

bgp-ip-prefix-list-config commands

Removes the specified deny or permit prefix-list rule from this IP prefix list

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
no [deny|permit]
no [deny|permit] prefix-list <1-4294967295> {<PREFIX-TO-MATCH/MASK>|any}
```

Parameters
• no <PARAMETERS>

no <PARAMETERS>: Removes a deny or permit rule from this IP prefix list

Example

The following example shows the IP prefix list ‘test’ settings before the ‘no’ command is executed:

```
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#
```

The following example shows the IP prefix list ‘test’ settings after the ‘no’ command is executed:

```
nx9500-6C8809(config-bgp-ip-prefix-list-test)#no deny prefix-list 1 168.192.13.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#
```
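The rule ordering, the ‘ge’/‘le’ length range and the ‘any’ shorthand described in 28.1.1 and 28.1.2 can be checked offline before a prefix list is attached to a BGP neighbor. The Python below is an added example, not WiNG or Extreme Networks code; the names `parse_rule`, `load`, `evaluate` and `CONSTRUCTED_LIST` are illustrative. It assumes conventional prefix-list semantics that the guide does not spell out: a rule without ‘ge’/‘le’ matches only its exact prefix length, ‘ge’ alone extends the range up to /32, and a route that matches no rule is denied.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

MAX_SEQ = 4294967295  # upper bound of the sequence-number range given in the guide

RULE_RE = re.compile(
    r"^(deny|permit)\s+prefix-list\s+(\d+)\s+(any|\S+)"
    r"(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?$"
)


class Rule(NamedTuple):
    seq: int
    action: str
    net: ipaddress.IPv4Network
    lo: int  # shortest prefix length the rule accepts
    hi: int  # longest prefix length the rule accepts


def parse_rule(line: str) -> Rule:
    """Parse one 'deny|permit prefix-list <seq> <prefix/mask> [ge N] [le N]' line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a prefix-list rule: {line!r}")
    action, seq_s, prefix, ge, le = m.groups()
    seq = int(seq_s)
    if not 1 <= seq <= MAX_SEQ:
        raise ValueError(f"sequence number out of range: {seq}")
    if prefix == "any":
        if ge or le:
            raise ValueError("'any' takes no ge/le option")
        # The guide states that 'any' is stored as 0.0.0.0/0 le 32.
        prefix, le = "0.0.0.0/0", "32"
    if "/" not in prefix:
        raise ValueError(f"prefix needs a mask: {prefix!r}")
    # strict=True rejects host bits (e.g. 192.168.13.5/24); this is a choice
    # made by this checker, not documented device behaviour.
    net = ipaddress.IPv4Network(prefix, strict=True)
    # Assumption: exact length without ge/le; ge alone runs up to /32.
    lo = int(ge) if ge else net.prefixlen
    hi = int(le) if le else (32 if ge else net.prefixlen)
    if not net.prefixlen <= lo <= hi <= 32:
        raise ValueError(f"invalid ge/le range in: {line!r}")
    return Rule(seq, action, net, lo, hi)


def load(lines: List[str]) -> List[Rule]:
    """Parse rules and order them by ascending sequence number, as the guide describes."""
    return sorted((parse_rule(l) for l in lines), key=lambda r: r.seq)


def evaluate(rules: List[Rule], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the matching rule) for a route."""
    r = ipaddress.IPv4Network(route, strict=True)
    for rule in rules:
        if r.subnet_of(rule.net) and rule.lo <= r.prefixlen <= rule.hi:
            return rule.action, rule.seq
    return "deny", None  # assumption: implicit deny when nothing matches


# The list shown in the guide's own 'show context' output.
PAGE_LIST = load([
    "deny prefix-list 1 168.192.13.0/24",
    "permit prefix-list 2 172.122.10.0/24",
])

# Constructed list (not from the guide), entered out of order on purpose.
CONSTRUCTED_LIST = load([
    "permit prefix-list 30 any",
    "deny prefix-list 10 192.168.13.0/24 le 32",
    "permit prefix-list 20 10.0.0.0/8 ge 16 le 24",
])

if __name__ == "__main__":
    for name, rules, routes in (
        ("page", PAGE_LIST, ["168.192.13.0/24", "192.168.13.0/24",
                             "172.122.10.0/24", "172.122.10.128/25"]),
        ("constructed", CONSTRUCTED_LIST, ["192.168.13.64/26", "10.1.0.0/16",
                                           "10.0.0.0/8", "10.1.2.128/25"]),
    ):
        for route in routes:
            print(name, route, evaluate(rules, route))
```

Run against the guide's example list, the check reports that 192.168.13.0/24, the prefix named in the 28.1.1 description, is not matched by rule 1, because the example command configures 168.192.13.0/24.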

28.2.1 deny

bgp-ip-access-list-config commands

Creates and configures a deny entry for this BGP IP ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
deny access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]
```

Parameters
• deny access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]

deny access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]: Creates and configures a deny entry for this BGP IP ACL
  • <PREFIX-TO-MATCH/MASK> – Specify the prefix to match.
    • exact-match – Optional. Enables an exact match of the prefix provided in the previous step. When configured, the route is denied only in case of an exact match.
  • any – Specifies the prefix to match as ‘any’.

Example

```
nx9500-6C8809(config-bgp-ip-access-list-test)#deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#
```

Related Commands

no: Removes the specified deny entry in this IP BGP ACL
28.2.2 permit

bgp-ip-access-list-config commands

Creates and configures a permit entry for this BGP IP ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
permit access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]
```

Parameters
• permit access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]

permit access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]: Creates and configures a permit entry for this BGP IP ACL
  • <PREFIX-TO-MATCH/MASK> – Specify the prefix to match.
    • exact-match – Optional. Enables an exact match of the prefix provided in the previous step. When configured, the route is permitted only in case of an exact match.
  • any – Specifies the prefix to match as ‘any’.

Example

```
nx9500-6C8809(config-bgp-ip-access-list-test)#permit access-list 172.168.10.0/24
nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 permit access-list 172.168.10.0/24
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#
```

Related Commands

no: Removes the specified permit entry in this IP BGP ACL
28.2.3 no

bgp-ip-access-list-config commands

Removes a deny or permit entry from this BGP IP ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
no [deny|permit]
no [deny|permit] access-list [<PREFIX-TO-MATCH/MASK>|any]
```

Parameters
• no <PARAMETERS>

no <PARAMETERS>: Removes a deny or permit entry from this BGP IP ACL

Example

The following example shows the BGP IP ACL ‘test’ settings before the ‘no’ command is executed:

```
nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 permit access-list 172.168.10.0/24
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#
nx9500-6C8809(config-bgp-ip-access-list-test)#no permit access-list 172.168.10.0/24
```

The following example shows the BGP IP ACL ‘test’ settings after the ‘no’ command is executed:

```
nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#
```



28.3.3 no

bgp-as-path-list-config commands

Removes a deny or permit rule from this AS path ACL

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
no as-path-list [deny|permit] <REG-EXP>
```

Parameters
• no <PARAMETERS>

no <PARAMETERS>: Removes a deny or permit rule from this AS path ACL

Example

```
nx9500-6C8809(config-bgp-as-path-list-test)#show context
bgp as-path-list test
 deny as-path ^100$
 permit as-path _323_
 permit as-path _200_
nx9500-6C8809(config-bgp-as-path-list-test)#
nx9500-6C8809(config-bgp-as-path-list-test)#no permit as-path _323_
nx9500-6C8809(config-bgp-as-path-list-test)#show context
bgp as-path-list test
 deny as-path ^100$
 permit as-path _200_
nx9500-6C8809(config-bgp-as-path-list-test)#
```


28.4.1 deny

bgp-community-list-config commands

Creates and configures a deny community (expanded or standard) rule

Standard community lists specify known communities and community numbers. Expanded community lists filter communities using a regular expression that specifies patterns to match the attributes of different communities.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
deny community [expanded|standard]
deny community expanded <LINE>
deny community standard [AA:NN|internet|local-AS|no-advertise|no-export]
```

Parameters
• deny community expanded <LINE>

deny community expanded <LINE>: Configures a deny expanded community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the community attributes.
  • <LINE> – Provide the regular expression.

• deny community standard [AA:NN|internet|local-AS|no-advertise|no-export]

deny community standard [AA:NN|internet|local-AS|no-advertise|no-export]: Configures a deny standard community list entry and associates it with a predefined, globally used, known community or community number. The options are:
  • aa:nn – Configures the community number. The first part (aa) represents the AS number. The second part (nn) represents a 2-byte number.
  • internet – Advertises this route to the internet community
  • local-AS – Prevents transmission of this route outside the local AS
  • no-advertise – Prevents advertisement of this route to any peer (internal or external)
  • no-export – Prevents advertisement of this route to external BGP peers (keeping this route within an AS)

28.4.2 permit

bgp-community-list-config commands

Creates and configures a permit community (expanded or standard) rule

Standard community lists specify known communities and community numbers. Expanded community lists filter communities using a regular expression that specifies patterns to match the attributes of different communities.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
permit community [expanded|standard]
permit community expanded <LINE>
permit community standard [AA:NN|internet|local-AS|no-advertise|no-export]
```

Parameters
• permit community expanded <LINE>

permit community expanded <LINE>: Configures a permit expanded community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the community attributes.
  • <LINE> – Provide the regular expression.

• permit community standard [AA:NN|internet|local-AS|no-advertise|no-export]

permit community standard [AA:NN|internet|local-AS|no-advertise|no-export]: Configures a permit standard community list entry and associates it with a predefined, globally used, known community or community number. The options are:
  • aa:nn – Configures the community number. The first part (aa) represents the AS number. The second part (nn) represents a 2-byte number.
  • internet – Advertises this route to the internet community
  • local-AS – Prevents transmission of this route outside the local AS
  • no-advertise – Prevents advertisement of this route to any peer (internal or external)
  • no-export – Prevents advertisement of this route to external BGP peers (keeping this route within an AS)

Example

```
nx9500-6C8809(config-bgp-community-list-test)#permit community expanded 300
nx9500-6C8809(config-bgp-community-list-test)# show context
bgp community-list test
 permit community expanded 300
 deny community expanded 100
nx9500-6C8809(config-bgp-community-list-test)#
nx9500-6C8809(config-bgp-community-list-test1)#permit community standard no-export
nx9500-6C8809(config-bgp-community-list-test1)#show context
bgp community-list test1
 permit community standard no-export
nx9500-6C8809(config-bgp-community-list-test1)#
```

28.4.3 no

bgp-community-list-config commands

Removes a deny or permit community rule from this community list

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
no [deny|permit] community expanded <LINE>
no [deny|permit] community standard [AA:NN|internet|local-AS|no-advertise|no-export]
```

Parameters
• no <PARAMETERS>

no <PARAMETERS>: Removes a deny or permit expanded community rule from this community list
  • <LINE> – Specify the regular expression associated with the rule.

Example

The following example shows the settings of the community list ‘test’ before the ‘no’ command is executed:

```
nx9500-6C8809(config-bgp-community-list-test)#show context
bgp community-list test
 permit community expanded 300
 deny community expanded 100
nx9500-6C8809(config-bgp-community-list-test)#
nx9500-6C8809(config-bgp-community-list-test)#no deny community expanded 100
```

The following example shows the settings of the community list ‘test’ after the ‘no’ command is executed:

```
nx9500-6C8809(config-bgp-community-list-test)#show context
bgp community-list test
 permit community expanded 300
nx9500-6C8809(config-bgp-community-list-test)#
```

28.5.1 deny

bgp-extcommunity-list-config commands

Creates and configures a deny extended community (expanded or standard) rule

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
deny extcommunity [expanded|standard]
deny extcommunity expanded <LINE>
deny extcommunity standard [rt|soo] <COMMUNITY-NUMBER>
```

Parameters
• deny extcommunity expanded <LINE>

deny extcommunity expanded <LINE>: Configures a deny expanded named extended community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the extended community attributes.
  • <LINE> – Provide the regular expression.

• deny extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

deny extcommunity standard [rt|soo] <COMMUNITY-NUMBER>: Configures a deny standard named extended community list entry and associates it with the target or origin community attributes.
  • rt – Configures the route target (RT) extended community attribute
  • soo – Configures the site-of-origin (SOO) extended community attribute
  • <COMMUNITY-NUMBER> – Specify the community number in one of the following formats: AA:NN or A.B.C.D:NN

Example

```
nx9500-6C8809(config-bgp-extcommunity-list-test)#deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#
nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.1.0-026R
!
!
version 2.5
!
......................................................
!
bgp community-list test1
 permit community standard no-export
!
bgp extcommunity-list test
 deny extcommunity standard rt 200:12
!
--More--
nx9500-6C8809(config)#
```

28.5.2 permit

bgp-extcommunity-list-config commands

Creates and configures a permit extended community (expanded or standard) rule

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
permit extcommunity [expanded|standard]
permit extcommunity expanded <LINE>
permit extcommunity standard [rt|soo] <COMMUNITY-NUMBER>
```

Parameters
• permit extcommunity expanded <LINE>

permit extcommunity expanded <LINE>: Configures a permit expanded named extended community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the extended community attributes.
  • <LINE> – Provide the regular expression.

• permit extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

permit extcommunity standard [rt|soo] <COMMUNITY-NUMBER>: Configures a permit standard named extended community list entry and associates it with the target or origin community attributes.
  • rt – Configures the RT extended community attribute
  • soo – Configures the SOO extended community attribute
  • <COMMUNITY-NUMBER> – Specify the community number in one of the following formats: AA:NN or A.B.C.D:NN

Example

```
nx9500-6C8809(config-bgp-extcommunity-list-test)#permit extcommunity standard rt 192.168.13.13:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 permit extcommunity standard rt 192.168.13.13:12
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#
nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.1.0-026R
!
!
version 2.5
!
......................................................
!
bgp community-list test1
 permit community standard no-export
!
bgp extcommunity-list test
 permit extcommunity standard rt 192.168.13.13:12
 deny extcommunity standard rt 200:12
!
```

28.5.3 no

bgp-extcommunity-list-config commands

Removes an existing deny or permit extended community rule from this extcommunity list

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
no [deny|permit] extcommunity expanded <LINE>
no [deny|permit] extcommunity standard [rt|soo] <COMMUNITY-NUMBER>
```

Parameters
• no <PARAMETERS>

no <PARAMETERS>: Removes a deny or permit expanded extended community rule from this community list

Example

The following example shows the extended community ‘test’ settings before the ‘no’ command is executed:

```
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 permit extcommunity standard rt 192.168.13.13:12
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#
nx9500-6C8809(config-bgp-extcommunity-list-test)#no permit extcommunity standard 192.168.13.13:12
```

The following example shows the extended community ‘test’ settings after the ‘no’ command is executed:

```
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#
```



28.6.2 match

bgp-route-map-config commands

Configures the match criteria associated with this deny or permit BGP route map

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600

Syntax

```
match [as-path|community|extcommunity|ip-address|ip-next-hop|ip-route-source|metric|origin|tag]
match [as-path <AS-PATH-LIST-NAME>|community <COMMUNITY-LIST-NAME> {exact-match}|extcommunity <EXTCOMMUNITY-LIST-NAME>]
match [ip-address|ip-next-hop|ip-route-source] [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]
match metric <0-4294967295>
match origin [egp|igp|incomplete]
match tag <0-65535>
```

Parameters
• match [as-path <AS-PATH-LIST-NAME>|community <COMMUNITY-LIST-NAME> {exact-match}|extcommunity <EXTCOMMUNITY-LIST-NAME>]

as-path <AS-PATH-LIST-NAME>: Configures a BGP AS path list to match
An AS path is a list of ASs a packet traverses to reach its destination.
  • <AS-PATH-LIST-NAME> – Specify the AS path list name (should be existing and configured)

community <COMMUNITY-LIST-NAME> {exact-match}: Configures the AS community list string to match
  • <COMMUNITY-LIST-NAME> – Specify the AS community list name (should be existing and configured).
    • exact-match – Optional. Does an exact match when matching the specified AS community string. This option is disabled by default.

extcommunity <EXTCOMMUNITY-LIST-NAME>: Configures the external community list string to match
  • <EXTCOMMUNITY-LIST-NAME> – Specify the external community list name (should be existing and configured).

• match [ip-address|ip-next-hop|ip-route-source] [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]

match: Configures match criteria used to filter BGP routes when forwarding packets

ip-address [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]: Configures a string of IP addresses, in the route, to match
The IP Address is a list of IP addresses in the route used to filter the route. Use one of the following options to provide a list of IP addresses:
  • BGP-IP-ACCESS-LIST <BGP-ACL-NAME> – Associates an existing BGP ACL with this BGP route map. Specify the BGP ACL name (should be existing and configured).
  • prefix-list <PREFIX-LIST-NAME> – Associates an existing IP address prefix list with this BGP route map. The IP Address Prefix List is a list of prefixes in the route used to filter route. Specify the prefix list name (should be existing and configured).
ip-next-hop [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]: Configures the next-hop’s IP address to match
The IP Next Hop is a list of IP addresses used to filter routes based on the IP address of the next-hop in the route. Use one of the following options to provide next-hop’s IP addresses:
  • BGP-IP-ACCESS-LIST <BGP-ACL-NAME> – Associates an existing BGP ACL with this BGP route map. Specify the BGP ACL name (should be existing and configured).
  • prefix-list <PREFIX-LIST-NAME> – Associates an existing IP next-hop prefix list with this BGP route map. The IP Next Hop Prefix List is a list of prefixes for the route’s next-hop determining how the route is filtered. Specify the prefix list name (should be existing and configured).

ip-route-source [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]: Configures the advertised route source IP address to match
The IP Route Source is a list of IP addresses used to filter routes based on the advertised IP address of the source. Use one of the following options to provide route-source IP addresses:
  • BGP-IP-ACCESS-LIST <BGP-ACL-NAME> – Associates an existing BGP ACL with this BGP route map. Specify the BGP ACL name (should be existing and configured).
  • prefix-list <PREFIX-LIST-NAME> – Associates an existing IP route source prefix list with this BGP route map. The IP Route Source Prefix List is a list of prefixes used to filter routes based on the prefix list used for the source. Specify the prefix list name (should be existing and configured).

• match metric <0-4294967295>

match metric <0-4294967295>: Defines the exterior metric, used for route map distribution, to match
BGP uses a route table managed by the external metric defined. Setting a metric provides a dynamic way to load balance between routes of equal cost.
  • <0-4294967295> – Specify the external metric value from 0 - 4294967295.

• match origin [egp|igp|incomplete]

match origin [egp|igp|incomplete]: Configures the source of the BGP route to match. Options include:
  • egp – Matches if the origin of the route is from the exterior gateway protocol (eBGP). eBGP exchanges routing table information between hosts outside an autonomous system.
  • igp – Matches if the origin of the route is from the interior gateway protocol (iBGP). iBGP exchanges routing table information between routers within an autonomous system.
  • incomplete – Matches if the origin of the route is not identifiable

• match tag <0-65535>

match tag <0-65535>: Configures the BGP route tag to match
The Tag is a way to preserve a route’s AS path information for routers in iBGP. This option is disabled by default.
  • <0-65535> – Specify the iBGP route’s tag from 0 - 65535.

![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 3428.6.3 nobgp-route-map-config commandsRemoves or reverts the settings defined for a deny or permit route-map ruleSupported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX9500, NX9510, NX9600Syntaxno [description|match <PARAMETERS>|set <PARAMETERS>]Parameters• no <PARAMETERS>ExampleThe following example shows the ‘deny route-map rule-1’ settings before the ‘no’ commands are executed:nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context deny route-map 1 description "This is a deny route map rule" match as-path FilterList_01 match ip-route-source prefix-list PrefixList_01 set aggregator-as 1 192.168.13.7 set as-path exclude 20 set ip next-hop peer-address set metric 300 set local-preference 30 set community internetnx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#no match as-pathnx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#no set aggregator-asnx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#no set metricThe following example shows the ‘deny route-map rule-1’ settings after the ‘no’ commands are executed:nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context deny route-map 1 description "This is a deny route map rule" match ip-route-source prefix-list PrefixList_01 set as-path exclude 20 set ip next-hop peer-address set local-preference 30 set community internetnx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#The following example shows the route-map ‘test’ settings:nx9500-6C8809(config-dr-route-map-test)#show contextroute-map test deny route-map 1 description "This is a deny route map rule" match ip-route-source prefix-list PrefixList_01 set as-path exclude 20 set ip next-hop peer-address set local-preference 30 set community internet permit route-map 2 match ip-next-hop 
DL_01nx9500-6C8809(config-dr-route-map-test)#no <PARAMETERS> Removes the description configured for a deny or permit route-map rule](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1013.png)
![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 3528.6.4 setbgp-route-map-config commandsConfigures the values attributed to a route matching the match criteria specified in the BGP deny or permit route-map rules. These attributes are applied before the route is sent out.Supported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX9500, NX9510, NX9600Syntaxset [aggregator-as|as-path|atomic-aggregate|comm-list|community|extcommunity|ip|local-preference|metric|origin|originator-id|source-ip|tag|weight]set aggregator-as <1-4294967295> <IP>set as-path [exclude|prepend] <1-4294967295> {<1-4294967295>}set atomic-aggregateset comm-list delete <COMMUNITY-LIST-NAME>set community [<COMMUNITY-NUMBER>|none]set extcommunity [rt|soo] <EXTCOMMUNITY-NUMBER>set ip next-hop [<IP>|peer-address]set local-preference <0-4294967295>set metric <0-4294967295>set origin [egp|igp|incomplete]set originatorid <IP>set source-ip <IP>set tag <0-65535>set weight <0-4294967295>Parameters• set aggregator-as <1-4294967295> <IP>set aggregator-as <1-4294967295> <IP>Configures the BGP aggregator’s ASN and IP address. Aggregates minimize the size of routing tables. Aggregation combines the characteristics of multiple routes and advertises them as a single route. The configured BGP aggregator settings are applied to filtered routes.• <1-4294967295> – Specify the route aggregator’s ASN from 1- 4294967295. This option is disabled by default.• <IP> – Specify the route aggregator’s IP address. BGP allows the aggregation ofspecific routes into one route using an aggregate IP address.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1014.png)
![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 36• set as-path [exclude|prepend] <1-4294967295> {<1-4294967295>}• set atomic-aggregate• set comm-list delete <COMMUNITY-LIST-NAME>• set community [<COMMUNITY-NUMBER>|none]• set extcommunity [rt|soo] <EXTCOMMUNITY-NUMBER>set as-path [exclude|prepend] <1-4294967295> {<1-4294967295>}Configures the BGP transform AS path attribute to be applied to filtered routes• exclude – Configures a single AS, or a list of ASs, excluded from the AS path• prepend – Configures a single AS, or a list of ASs, prepended to the AS path• <1-4294967295> – This keyword is common to the ‘exclude’ and ‘prepend’ parameters. Use it to specify the AS number. The ASs identified here are excluded or prepended depending on the option selected.You can configure multiple ASNs.set atomic-aggregate Enables BGP atomic aggregate attributesWhen a BGP enabled wireless controller or service platform receives a set of overlapping routes from a peer, or if the set of routes selects a less specific route, then the local device must set this value when propagating the route to its neighbors. This option is disabled by default.set comm-list delete <COMMUNITY-LIST-NAME>Deletes specified BGP communities. All communities matching the community list name string are deleted from the route.A BGP community is a group of routes sharing a common attribute.• <COMMUNITY-LIST-NAME> – Specify the community list name.set community [<COMMUNITY-NUMBER>|none]Configures a community attribute for this route• <COMMUNITY-NUMBER> – Specify a community attribute. Use one of the following formats:• internet - Advertises this route to the Internet. 
This is a global community.• local-AS - Prevents the transmission of packets outside the local AS• no-advertise - Prevents advertisement of this route to any peer, either internal or external• no-export - Prevents advertisement of this route to BGP peers, keeping this route within an AS.• aa:nn - Configures the first part (aa) representing the AS number. The second part (nn) represents a 2-byte number.• none – Specifies community attribute as none set extcommunity [rt|soo] <EXTCOMMUNITY-NUMBER>Configures an extended community attribute for this route• rt – Identifies the route target (rt) extended community• soo – Identifies the site-of-origin (soo) community. This is the origin community associated with the route reflector.• <EXTCOMMUNITY-NUMBER> – This keyword is common to the ‘rt’ and ‘soo’ parameters. Use it to specify the extended community number.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1015.png)
![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 37• set ip next-hop [<IP>|peer-address]• set local-preference <0-4294967295>• set metric <0-4294967295>• set origin [egp|igp|incomplete]• set originatorid <IP>• set source-ip <IP>• set tag <0-65535>• set weight <0-4294967295>set ip next-hop [<IP>|peer-address]Configures the next hop for this route. Use one of the following options to identify the next hop:• <IP> – Specify the next hop’s IP address• peer-address – Enables the identification of the next-hop address for peer devices. This option is disabled by default set local-preference <0-4294967295>Configures the BGP local preference path attribute for this route map. When configured, enables the communication of preferred routes out of the AS between peers. This option is disabled by default• <0-4294967295> – Specify the preference value from 0 - 4294967295.set metric <0-4294967295>Configures a metric for the routeBGP uses a route table managed by the external metric defined. Setting a metric provides a dynamic way to load balance between routes of equal cost.• <0-4294967295> – Specify the metric from 0 - 4294967295.set origin [egp|igp|incomplete]Configures the origin code for this BGP route map• egp - Sets the origin of the route to eBGP• igp - Sets the origin of the route to iBGP• incomplete - Sets the origin of the route as not identifiable. Use this option if the route is from a source other than eBGP or iBGP.set originatorid <IP> Configures this route map’s originator IP addressset source-ip <IP> Configures this route map’s source IP address• <IP> – Specify the IP address in the A.B.C.D format.set tag <0-65535> Configures this route map’s tag valueThe Tag is a way to preserve a route’s AS path information for routers in iBGP. 
• <0-65535> – Specify a tag value from 0 - 65535.set weight <0-4294967295>Enables assignment of a weighted priority to the aggregate route• <0-4294967295> – Specify a value from 0 - 4294967295.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1016.png)





![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 4328.7.3 bgpbgp-router-config commandsConfigures BGP router parametersSupported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX9500, NX9510, NX9600Syntaxbgp [always-compare-med|bestpath|client-to-client|cluster-id|confederation|dampening|default|deterministic-med|enable|enforce-first-as|fast-external-failover|graceful-restart|log-neighbor-changes|neighbor|network|router-id|scan-time]bgp [always-compare-med|deterministic-med|enable|enforce-first-as|fast-external-failover|log-neighbor-changes]bgp best-path [as-path [confed|ignore]|compare-router-id|med {confed {missing-as-worst}|missing-as-worst}]bgp client-to-client reflectionbgp cluster <IP>bgp confederation [identifier|peers] <1-4294967295>bgp dampening {<1-45>} {<1-20000>} <1-20000> <1-255>bgp default [ipv4-unicast|local-preference <0-4294967295>]bgp graceful-restart {stalepath-time <1-3600>}bgp neighbor <IP>bgp network import-checkbgp router-id <IP>bgp scan-time <5-60>Parameters• bgp [always-compare-med|deterministic-med|enable|enforce-first-as|fast-external-failover|log-neighbor-changes]always-compare-med Enables comparison of Multi-exit Discriminators (MEDs) received from neighbors. This option is disabled by default.MED is a value used by BGP peers to select the best route among multiple routes. When enabled, the MED value encoded in the route is always compared when selecting the best route to the host network. A route with a lower MED value is preferred over a route with a higher MED value. BGP does not discriminate between iBGP and eBGP when using MED for route selection. This option is mutually exclusive to the deterministic-med option.deterministic-med Enables selection of the best MED path from amongst all paths advertised by neighboring ASs. This option is disabled by default.MED is used by BGP peers to select the best route among multiple routes. 
When enabled, MED route values (from the same AS) are compared to select the best route. This best route is then compared with other routes in the BGP route table to select the best overall route. This option is mutually exclusive to the always-compare-med option.enable Starts the BGP daemon on the device (wireless controller or service platform). BGP is disabled by default.enforce-first-as Enforces the first AS for all BGP routes. This option is disabled by default.When enforced, devices deny updates received from an external neighbor that does not have the neighbor’s configured AS at the beginning of the received AS path parameter. This enhances security by not allowing traffic from an unauthorized AS.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1022.png)
![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 44• bgp best-path [as-path [confed|ignore]|compare-router-id|med {confed {missing-as-worst}|missing-as-worst}]• bgp client-to-client reflectionfast-external-failover Enables immediate resetting of BGP session on the interface once the BGP connection goes down. This option is enabled by default.When enabled, a session is reset as soon as the direct link to an external peer goes down. Normally, when a BGP connection goes down, the device waits for the expiry of the duration specified in holdtime parameter before bringing down the interface.To configure the ‘holdtime’, use the timers > bgp > <keepalive-time> > <holdtime> command in this (BGP router) configuration mode.log-neighbor-changes Enables logging of a BGP neighbor’s status change (active or not active) events. It also enables the logging of the reason for such change in status.best-path Modifies the bestpath selection algorithm. The route selection algorithm uses the following criteria when selecting the preferred route: as-path, router-id, and med.as-path [confed|ignore]Enables an AS path from being considered as a criteria for selecting the preferred route• confed – Enables comparison of path lengths (including confederation sets and sequences) when selecting a route (EXPERIMENTAL). This option is disabled by default.• ignore – Disables an AS path length from being considered as a criteria for selecting a preferred route. When disabled, the AS path length is ignored. This option is disabled by default.compare-router-id Enables the use of router ID as a selection criteria when selecting the preferred route. When enabled, the router ID is used to select the best path between two identical BGP routes. The route with the lower router ID is selected over a route with a higher router ID. 
This option is disabled by default.med {confed {missing-as-worst}|missing-as-worst}Enables comparison of AS path MED value when selecting the preferred routeMED is a value used by BGP peers to select the best route among multiple routes. When enabled, the MED value encoded in the route is always compared to determine the best route to the host network. A route with a lower MED value is preferred over a route with a higher MED value.• confed – Optional. Enables comparison of MED value among confederation paths (EXPERIMENTAL). When enabled, you can optionally enable the treatment of AS paths without the MED value as the least preferable route. This option is disabled by default.• missing-as-worst – Optional. Enables the treatment of AS paths without the MED value as the least preferable route. This option is disabled by default.client-to-client reflectionEnables client-to-client route reflection (EXPERIMENTAL)Route reflectors are used when all iBGP speakers are not fully meshed. If the clients are fully meshed, the route-reflectors are not required. This option is enabled by default.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1023.png)
![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 45• bgp cluster <IP>• bgp confederation [identifier|peers] <1-4294967295>• bgp dampening {<1-45>} {<1-20000>} <1-20000> <1-255>• bgp default [ipv4-unicast|local-preference <0-4294967295>]cluster <IP> Enables and sets a cluster ID, in case the BGP cluster has more than one route-reflectorA cluster generally consists of a single route-reflector and its clients. The cluster is usually identified by the router ID of this single route-reflector. Sometimes, to increase redundancy, a cluster might have more than one route-reflector configured. In this case, all route-reflectors in the cluster are identified by the cluster ID (configured in the IP format).confederation [identifier|peers] <1-4294967295>Configures AS confederation (group of ASs) parameters (identifier and peers)• identifier – Enables and sets a BGP confederation identifier to allow an AS to be divided into several ASs. In other words an AS is divided into multiple ASs, and together they form a confederation. This confederation is visible to external routers as a single AS. The ASN is usually the confederation ID. Specify a value from 1 - 4294967295.Forming AS confederation reduces iBGP mesh inside an AS.• peers – Configures the maximum number of the ASs constituting this BGP confederation. Specify the AS number from 1 - 4294967295. Multiple ASs can be added to the list of confederation members.bgp dampening {<1-45>} {<1-20000>} <1-20000> <1-255>Enables dampening and configures dampening parameters. This option is disabled by default.Dampening minimizes the instability caused by route flapping. A penalty is added for every flap in the flapping route. As soon as the total penalty reaches the specified Route Suppress Limit value, the advertisement of this route is suppressed. This penalty is delayed when the time specified in Half Lifetime occurs. 
Once the penalty becomes lower than the value specified in Start Route Reuse, the advertisement of the route is un-suppressed.• <1-45> – Optional. Configures the half lifetime (in minutes). A penalty is imposed on a route that flaps. This is the time for the penalty to decrease to half its current value. Specify a value from 1 - 45 minutes. The default is 1 minute.• <1-20000> – Optional. Configures the route reuse value. When the penalty for a suppressed route decays below the value specified here, the route is un-suppressed (reused). Specify a value from 1 - 20000.• <1-20000> – Configures the route suppress value. When a route flaps, a penalty is added to the route. When the penalty reaches or exceeds the value specified as the ‘maximum duration to suppress a stable route’. Specify a value from 1 - 20000.The maximum duration to suppress a stable route, is the next set of value configured in this command from 1 - 255.• <1-255> – Configures the maximum duration, in minutes, a suppressed route is suppressed. This is the maximum duration for which a route remains suppressed before it is reused. Specify a value from 1 - 255 minutes.default Configures the following defaults for BGP neighbor-related parameters: IPv4 unicast and local preference](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1024.png)
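The decay arithmetic behind `bgp dampening`, as an added example (not code from the guide or from WiNG): it models the four arguments described above to show how long a flapping route stays suppressed. The per-flap penalty of 1000 and the RFC 2439 style penalty ceiling derived from the maximum suppress time are assumptions; the guide states neither.

```python
from collections import Counter
from dataclasses import dataclass

# Assumption: the guide does not state the penalty added per flap. 1000 is a
# commonly used value in BGP implementations and is a tunable constant here.
PENALTY_PER_FLAP = 1000.0


@dataclass(frozen=True)
class Dampening:
    """Arguments of `bgp dampening`, in the order the command takes them."""
    half_life: int      # minutes, <1-45>
    reuse: int          # route reuse value, <1-20000>
    suppress: int       # route suppress value, <1-20000>
    max_suppress: int   # minutes, <1-255>

    def __post_init__(self):
        limits = {"half_life": (1, 45), "reuse": (1, 20000),
                  "suppress": (1, 20000), "max_suppress": (1, 255)}
        for name, (lo, hi) in limits.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}-{hi}")
        # Sanity check of this model, not a documented CLI rule: a route that
        # is suppressed at `suppress` must have room to decay down to `reuse`.
        if self.reuse >= self.suppress:
            raise ValueError("reuse must be lower than suppress")

    @property
    def ceiling(self) -> float:
        """Assumed penalty cap (RFC 2439 style): decaying from the cap to
        `reuse` takes exactly `max_suppress` minutes, so suppression after
        the last flap can never last longer than that."""
        return self.reuse * 2 ** (self.max_suppress / self.half_life)


def suppressed_windows(cfg, flap_minutes, horizon):
    """Step one minute at a time and return [(start, end)] intervals during
    which the route is suppressed; `end` is None if the route is still
    suppressed at `horizon`."""
    flaps = Counter(flap_minutes)
    decay = 0.5 ** (1.0 / cfg.half_life)   # per-minute decay factor
    penalty, start, windows = 0.0, None, []
    for t in range(horizon + 1):
        if t:
            penalty *= decay
        penalty = min(penalty + PENALTY_PER_FLAP * flaps[t], cfg.ceiling)
        if start is None and penalty >= cfg.suppress:
            start = t                      # penalty reached the suppress value
        elif start is not None and penalty < cfg.reuse:
            windows.append((start, t))     # penalty fell below the reuse value
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


if __name__ == "__main__":
    # Constructed scenario: three flaps one minute apart.
    burst = Dampening(half_life=15, reuse=800, suppress=2000, max_suppress=60)
    print("burst of 3 flaps:", suppressed_windows(burst, [0, 1, 2], 120))
    # Constructed scenario: one flap per minute for an hour, 30-minute cap.
    capped = Dampening(half_life=15, reuse=800, suppress=2000, max_suppress=30)
    print("ceiling:", capped.ceiling)
    print("sustained flapping:", suppressed_windows(capped, range(60), 200))
```

If the ceiling works out lower than the suppress value (a short maximum suppress time with a long half-life), the modelled route is never suppressed at all, which is worth checking before committing a set of values.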


![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 4828.7.4 bgp-route-limitbgp-router-config commandsConfigures the BGP route limit parametersSupported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX9500, NX9510, NX9600Syntaxbgp-route-limit [num-routes <VALUE>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>]Parameters• bgp-route-limit [num-routes <VALUE>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>]Examplenx9500-6C8809(config-profile NX9500Profile-router-bgp)#bgp-route-limit num-routes 10nx9500-6C8809(config-profile NX9500Profile-router-bgp)#show context router bgp bgp enable asn 1 aggregate-address 116.117.118.0/24 as-set summary-only bgp neighbor 192.168.13.99 remote-as 199 maximum-prefix 9999 80 restart 50 bgp-route-limit num-routes 10nx9500-6C8809(config-profile NX9500Profile-router-bgp)#Related Commandsnum-routes <VALUE> Configures the number of routes that can be stored on this BGP router. Set this value based on the available memory on this BGP router (wireless controller or service platform).• <VALUE> – Specify a value from 1 - 4,294,967,295. The default is 9216 routes.reset-time <1-86400> Configures the reset time in seconds. This is the time after which the retry count value is set to Zero (0). • <1-86400> – Specify a value from 1- 86,400 seconds. The default is 360 seconds.retry-count <1-32> Configures the maximum number of times the BGP process is reset before being permanently shut down. Once shut down, the BGP process has to be started manually. The BGP process is reset if it is flooded with route entries that exceed the maximum number of routes configured for this device.• <1-32> – Specify a value from 1 - 32. 
The default is 5 routes.retry-timeout <1-3600>Configures the duration, in seconds, the BGP process is temporarily shut down, before a reset of the process is attempted.• <1-3600> – Specify a value from 1 - 3600 seconds. The default is 60 seconds.no Removes BGP route limitations configured. Use the no command to revert back to default.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1027.png)
![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 4928.7.5 distancebgp-router-config commandsConfigures administrative distance parameters. The distance parameter is a rating of the trustworthiness of a route. The higher the distance, lower is the trust rating. The distance can be set for each type of route indicating its trust rating.Supported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX9500, NX9510, NX9600Syntaxdistance [<IP/M> <1-255> <BGP-ACL-NAME>|bgp <1-255> <1-255> <1-255>]Parameters• distance [<IP/M> <1-255> <BGP-ACL-NAME>|bgp <1-255> <1-255> <1-255>]Examplenx9500-6C8809(config-profile testNX9000-router-bgp)#distance bgp 200 100 200nx9500-6C8809(config-profile testNX9000-router-bgp)#show context router bgp bgp enable asn 1 aggregate-address 116.117.118.0/24 as-set summary-only distance bgp 200 100 200 bgp neighbor 192.168.13.99 remote-as 199 maximum-prefix 9999 80 restart 50 bgp-route-limit num-routes 10nx9500-6C8809(config-profile testNX9000-router-bgp)#Related Commandsdistance <IP/M> <1-255> <BGP-ACL-NAME>Configures the default administrative distance, specified by the <1-255> parameter, when the route’s source IP address matches the specified IP prefix • <IP/M> – Specify the IP source prefix and prefix length.• <1-255> – Specify the distance from 1 - 255.• <BGP-ACL-NAME> – Optional. Specify the BGP access list name.bgp <1-255> <1-255> <1-255>Configures the default administrative distance for different route types• <1-255> – Configures the default administrative distance for routes external to this AS. Specify a value from 1 - 255.• <1-255> – Configures the default administrative distance for routes internal to thisAS. Specify a value from 1 - 255.• <1-255> – Configures the default administrative distance for local routes. 
Specify a value from 1 - 255. no Removes the administrative distance related configurations](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1028.png)


![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 5228.7.8 nobgp-router-config commandsRemoves the BGP router settingsSupported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX9500, NX9510, NX9600Syntaxno [aggregate-address|bgp|bgp-route-limit|distance|ip|network|route-redistribute|timers]Parameters• no <PARAMETERS>ExampleThe following example shows the BGP router settings before the ‘no’ commands have been executed:nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context router bgp bgp enable asn 1 aggregate-address 116.117.118.0/24 as-set summary-only bgp neighbor 192.168.13.199 remote-as 1 use route-map UnSupMap_01 in bgp neighbor 192.168.13.99 remote-as 199 maximum-prefix 9999 80 restart 50 bgp-route-limit num-routes 10 reset-time 360nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#no bgp neighbor 192.168.13.99nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#no aggregate-address 116.117.118.0/24nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#no bgp-route-limit The following example shows the BGP router settings after the ‘no’ commands have been executed:nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context router bgp bgp enable asn 1 bgp neighbor 192.168.13.199 remote-as 1 use route-map UnSupMap_01 innx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#no <PARAMETERS> Removes the BGP router settings](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1031.png)
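
An added example, not part of the guide: a small audit over `show context router bgp` text such as the output above, flagging external neighbors that have no inbound `use ... in` filter or no `maximum-prefix`, and a router context without `bgp enforce-first-as`. The one-space indentation of the sample and the finding names are assumptions made for this example.

```python
import re

# Constructed sample modelled on the `show context` output in the guide.
# Assumption: sub-commands are indented one space deeper than their parent.
SAMPLE = """\
router bgp
 bgp enable
 asn 1
 bgp neighbor 192.168.13.199
  remote-as 1
  use route-map UnSupMap_01 in
 bgp neighbor 192.168.13.99
  remote-as 199
  maximum-prefix 9999 80 restart 50
 bgp-route-limit num-routes 10 reset-time 360
"""

NEIGHBOR = re.compile(r"bgp neighbor (\S+)$")
# Any of the four filter types from the `use` command, applied inbound.
INBOUND = re.compile(
    r"use (distribute-list|filter-list|prefix-list|route-map) \S+ in$")


def parse(text):
    """Split the context into router-level lines and per-neighbor lines."""
    global_lines, neighbors = [], {}
    current, current_indent = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        if current is not None and indent > current_indent:
            neighbors[current].append(line)   # sub-command of open neighbor
            continue
        current = None                        # neighbor block has ended
        match = NEIGHBOR.match(line)
        if match:
            current, current_indent = match.group(1), indent
            neighbors[current] = []
        else:
            global_lines.append(line)
    return global_lines, neighbors


def audit(text):
    """Return a list of (scope, finding) tuples; empty means nothing flagged."""
    global_lines, neighbors = parse(text)
    findings = []
    local_as = next(
        (l.split()[1] for l in global_lines if l.startswith("asn ")), None)
    # enforce-first-as is disabled by default, so absence means disabled.
    if "bgp enforce-first-as" not in global_lines:
        findings.append(("global", "enforce-first-as-disabled"))
    for ip, cmds in neighbors.items():
        remote_as = next(
            (c.split()[1] for c in cmds if c.startswith("remote-as ")), None)
        # Choice made for this example: skip neighbors in the local AS (iBGP)
        # and audit everything else, including neighbors with no remote-as.
        if remote_as is not None and remote_as == local_as:
            continue
        if not any(INBOUND.match(c) for c in cmds):
            findings.append((ip, "no-inbound-filter"))
        if not any(c.startswith("maximum-prefix ") for c in cmds):
            findings.append((ip, "no-maximum-prefix"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```
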
![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 5328.7.9 route-redistributebgp-router-config commandsEnables redistribution of routes learnt from other routing protocols into BGPLarge ISP networks using multiple routing protocols, need to enable redistribution of routes across routing protocols. Routing protocols differ in their basic characteristics, such as metrics, administrative distance, classful and classless capabilities, etc. When enabling redistribution, these differences have to be taken into consideration.Supported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX9500, NX9510, NX9600Syntaxroute-redistribute [connected|kernel|ospf|static] {metric <0-4294967295>|route-map <ROUTE-MAP-NAME>}Parameters• route-redistribute [connected|kernel|ospf|static] {metric <0-4294967295>|route-map <ROUTE-MAP-NAME>}route-redistribute Redistributes routes learnt from other protocolsconnected Redistributes directly connected routes• metric <0-4294967295> – Optional. Specify the metric for the redistributed routes.• route-map <ROUTE-MAP-NAME> – Optional. Specifies the route map name. The route map defines the match criteria based on which routes are filtered before redistribution. For more information on route maps, see match.kernel Redistributes kernel routes. These are routes that are neither connected, nor static, nor dynamic.• metric <0-4294967295> – Optional. Specify the metric for the redistributed routes.• route-map <ROUTE-MAP-NAME> – Optional. Specifies the route map name. The route map defines the match criteria based on which routes are filtered before redistribution. For more information on route maps, see match.ospf Redistributes OSPF routes• metric <0-4294967295> – Optional. Specify the metric for the redistributed routes.• route-map <ROUTE-MAP-NAME> – Optional. Specifies the route map name. 
The route map defines the match criteria based on which routes are filtered before redistribution. For more information on route maps, see match.static Redistributes static routes• metric <0-4294967295> – Optional. Specify the metric for the redistributed routes.• route-map <ROUTE-MAP-NAME> – Optional. Specifies the route map name. The route map defines the match criteria based on which routes are filtered before redistribution. For more information on route maps, see match.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1032.png)









![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 6328.8.5 capabilitybgp-neighbor-config commandsEnables the advertisement of capability (dynamic and ORF) to BGP peersSupported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX9500, NX9510, NX9600Syntaxcapability [dynamic|orf]capability dynamiccapability orf prefix-list [both|receive|send]Parameters• capability dynamic• capability orf prefix-list [both|receive|send]Examplenx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#capability orf prefix-list bothnx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context bgp neighbor 192.168.13.99 advertisement-interval 100 allowas-in 10 attribute-unchanged as-path capability orf prefix-list bothnx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#Related Commandscapability dynamic Enables the advertisement of dynamic capabilityEnable this option to show a neighbor device’s capability to advertise or withdraw and address capability to other peers in a non-disruptive manner. This option is disabled by default.capability orf prefix-list [both|receive|send]Enables the advertisement of Outbound Router Filtering (ORF) capability. This option is disabled by default.Enable this option to enable ORF, and advertise this capability to peer devices. ORFs send and receive capabilities to lessen the number of updates exchanged between BGP peers. By filtering updates, ORF minimizes update generation and exchange overhead.The local BGP device advertises ORF in the send mode. The peer BGP device receives the ORF capability in the receive mode. The two devices exchange updates to maintain the ORF for each router. Only a peer group or an individual BGP router can be configured to be in receive or send mode. 
A peer group member cannot be configured.• both – Advertises the capability to send and receive the ORF to/from this neighbor• receive – Advertises the capability to receive the ORF from this neighbor• send – Advertises the capability to send the ORF to this neighbor no Disables advertisement of capability (dynamic and ORF) to BGP peers](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1042.png)


















![BORDER GATEWAY PROTOCOLAccess Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 8228.8.24 send-communitybgp-neighbor-config commandsEnables sending of the community attribute to the BGP neighbor. The community attribute groups destinations in a certain community and applies routing decisions based on the community. On receiving community attribute, the BGP router announces it to the neighbor.Supported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX9500, NX9510, NX9600Syntaxsend-community [both|extended|standard]Parameters• send-community [both|extended|standard]Examplenx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#send-community bothnx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context bgp neighbor 192.168.13.99 remote-as 100 advertisement-interval 100 peer-group eBGPPeerGrp1 port 21 allowas-in 10 attribute-unchanged as-path capability orf prefix-list both default-originate description neighbor "This neighbor is an external AS neighbor" disable-connected-check dont-capability-negotiate ebgp-multihop 20 enforce-multihop local-as 20 no-prepend maximum-prefix 400 50 warning-only next-hop-self override-capability passive password neighbor eBGPneighbor@300 remove-private-as route-server-client send-community bothnx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#Related Commandssend-community [both|extended|standard]Enables sending of the community attributes to the BGP neighbor• both – Sends extended and standard community attributes• extended – Sends extended community attributes only• standard – Sends standard community attributes onlyno Disables sending of the community attribute to the BGP neighbor](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1061.png)



![BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 86
28.8.28 timers
bgp-neighbor-config commands
Configures this BGP neighbor’s keepalive and holdtime durations
NOTE: The keepalive and holdtime settings configured at the neighbor level override those configured on the BGP router.
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600
Syntax
timers [<0-65535> <0-65535>|connect <0-65535>]
Parameters
• timers [<0-65535> <0-65535>|connect <0-65535>]
timers <0-65535> <0-65535>
Sets the keepalive and holdtime intervals
• <0-65535> – Specifies the keepalive interval from 0 - 65535 seconds. It is the interval, in seconds, between two successive keepalive packets exchanged with this neighbor to keep the TCP connection alive.
• <0-65535> – Specifies the holdtime interval from 0 - 65535. This is the time this neighbor will wait without receiving a keepalive packet from its neighbor before declaring it dead. If the time since the last keepalive packet received (from its neighbor) exceeds the value set here, the neighbor is declared dead.
timers connect <0-65535>
Sets the BGP connect time. This is the interval, in seconds, after which BGP tries to connect to a dead peer.
• <0-65535> – Specify a value from 1 - 65535 seconds.
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#timers 20 40
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#timers connect 20
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
 bgp neighbor 192.168.13.99
  remote-as 100
  advertisement-interval 100
  peer-group eBGPPeerGrp1
  port 21
  strict-capability-match
  timers connect 20
  timers 20 40
  allowas-in 10
  attribute-unchanged as-path
  capability orf prefix-list both
  default-originate
  description neighbor "This neighbor is an external AS neighbor"
  disable-connected-check
  dont-capability-negotiate
  ebgp-multihop 20
  enforce-multihop](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1065.png)



![BORDER GATEWAY PROTOCOL
Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 90
28.8.31 use
bgp-neighbor-config commands
Configures filters for this neighbor. These filters are BGP IP ACL, IP prefix list, AS path list, and route map. Based on the filters used, updates received from this neighbor are filtered.
Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510, NX9600
Syntax
use [distribute-list <BGP-IP-ACL-NAME>|filter-list <AS-PATH-LIST-NAME>|prefix-list <IP-PREFIX-LIST-NAME>|route-map <BGP-ROUTE-MAP-NAME>]
Parameters
• use [distribute-list <BGP-IP-ACL-NAME>|filter-list <AS-PATH-LIST-NAME>|prefix-list <IP-PREFIX-LIST-NAME>|route-map <BGP-ROUTE-MAP-NAME>]
use [distribute-list <BGP-IP-ACL-NAME>|filter-list <AS-PATH-LIST-NAME>|prefix-list <IP-PREFIX-LIST-NAME>|route-map <BGP-ROUTE-MAP-NAME>]
Uses predefined and configured filters with this neighbor
• distribute-list <BGP-IP-ACL-NAME> – Uses a BGP IP ACL
  • <BGP-IP-ACL-NAME> – Specify the BGP IP ACL name.
• filter-list <AS-PATH-LIST-NAME> – Uses an AS path list
  • <AS-PATH-LIST-NAME> – Specify the AS path list name.
• prefix-list <IP-PREFIX-LIST-NAME> – Uses an IP prefix list
  • <IP-PREFIX-LIST-NAME> – Specify the IP prefix list name.
• route-map <BGP-ROUTE-MAP-NAME> – Uses a route map
  • <BGP-ROUTE-MAP-NAME> – Specify the route map name.
Example
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#use filter-list FilterList_01 in
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#use route-map testBGPRouteMap out
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#show context
 bgp neighbor 192.168.13.99
  remote-as 199
  use filter-list FilterList_01 in
  maximum-prefix 9999 80 restart 50
  use route-map testBGPRouteMap out
  unsuppress-map test
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#
Related Commands
no – Removes the filters used to filter updates received from this neighbor](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1069.png)



![CRYPTO-CMP-POLICY
Access Point, Wireless Controller and Service Platform CLI Reference Guide 29 - 3
29.1.1 ca-server
crypto-cmp-policy-instance
Configures the primary and secondary CMP CA server details.
The CA is an external network authority (usually a trusted third-party server) that generates and issues digital certificates in response to requests received from network devices. Use this command to configure the primary and secondary CA server details, such as name of the device hosting the CA server, the port used to access the CA server, and the path where the certificate is stored. Once defined, devices using this CMP policy automatically send requests to the specified primary CA server, and retrieve the certificate from the specified location. If the primary CA server is not reachable, the requests are sent to the secondary CA server.
Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ca-server [primary|secondary] host <IP> port <1-65535> path <PATH>
Parameters
• ca-server [primary|secondary] host <IP> port <1-65535> path <PATH>
ca-server [primary|secondary]
Configures the primary and secondary CMP CA server details (IPv4 address, port, and path)
• primary – Configures the primary CMP CA server’s details
• secondary – Configures the secondary CMP CA server’s details
The secondary CMP CA is used in case the primary CA server is not reachable. CA server settings are required to complete CMP requests.
host <IP>
Configures IPv4 address of the device hosting the primary/secondary CA server
• <IP/HOSTNAME> – Specify the server’s IPv4 address.
port <1-65535>
Configures the port on which the primary/secondary CA server can be reached
• <1-65535> – Specify the port number from 1 - 65535.
path <PATH>
Configures the path or filename of the primary/secondary CMP CA certificate. Enter the complete relative path to the file on the server.
• <PATH> – Specify the path. Once specified, the certificate is downloaded from this location and installed on the device.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1073.png)

![CRYPTO-CMP-POLICY
Access Point, Wireless Controller and Service Platform CLI Reference Guide 29 - 5
29.1.2 cert-key-size
crypto-cmp-policy-instance
Configures the size of the key associated with a certificate request
Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
cert-key-size [2048|3072|4096]
Parameters
• cert-key-size [2048|3072|4096]
cert-key-size [2048|3072|4096]
Configures the certificate request key size. The options are:
• 2048 – Sets the key size to 2048 bits. This is the default setting.
• 3072 – Sets the key size to 3072 bits
• 4096 – Sets the key size to 4096 bits
Example
nx9500-6C8809(config-cmp-policy-test)#cert-key-size 3072
nx9500-6C8809(config-cmp-policy-test)#show context
crypto-cmp-policy test
 cert-key-size 3072
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 2 osr2bwjR+0L+G64ny3wfuAAAAAtTFjeFnvOIixTHLDfgt7Bu reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
nx9500-6C8809(config-cmp-policy-test)#
Related Commands
no – Reverts the certificate request key size to default (2048 bits)](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1075.png)


![CRYPTO-CMP-POLICY
Access Point, Wireless Controller and Service Platform CLI Reference Guide 29 - 8
29.1.5 subjectAltName
crypto-cmp-policy-instance
Configures the subjectAltName identity for this CMP policy
Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
subjectAltName [address <IP>|dn <DISTINGUISHED-NAME>|email <EMAIL-ID>|fqdn <FQDN>|string <USER-DEFINED-STRING>]
Parameters
• subjectAltName [address <IP>|dn <DISTINGUISHED-NAME>|email <EMAIL-ID>|fqdn <FQDN>|string <USER-DEFINED-STRING>]
subjectAltName [address <IP>|dn <DISTINGUISHED-NAME>|email <EMAIL-ID>|fqdn <FQDN>|string <USER-DEFINED-STRING>]
Configures the subjectAltName identity using one of the following options:
• address <IP> – Uses IP address as identity
  • <IP> – Specify the IP address.
• dn <DISTINGUISHED-NAME> – Uses distinguished name as identity
  • <DISTINGUISHED-NAME> – Specify the DISTINGUISHED-NAME.
• email <EMAIL-ID> – Uses e-mail address as identity
  • <EMAIL-ID> – Specify the e-mail address.
• fqdn <FQDN> – Uses FQDN as identity
  • <FQDN> – Specify the FQDN.
• string <USER-DEFINED-STRING> – Uses a user specified name as identity
  • <USER-DEFINED-STRING> – Specify the string to use as identity.
Example
ap6522-D8273A(config-cmp-policy-CMP)#subjectAltName dn TechPubsCA
ap6522-D8273A(config-cmp-policy-CMP)#show context
crypto-cmp-policy CMP
 cert-update cert-renewal-timeout 60
 ca-server primary host 192.168.8.74 port 8 path cmp
 subjectAltName dn TechPubsCA
ap6522-D8273A(config-cmp-policy-CMP)#
Related Commands
no – Removes the subjectAltName identity configured with this CMP policy](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1078.png)
![CRYPTO-CMP-POLICY
Access Point, Wireless Controller and Service Platform CLI Reference Guide 29 - 9
29.1.6 trustpoint
crypto-cmp-policy-instance
Configures a trustpoint and its associated information, such as the subject name, the sender’s (device requesting certification) details, and the recipient's (CA) details. This information is needed to obtain the certificate from the CA server using CMP.
Each certificate is digitally signed by a trustpoint and contains device-specific information, such as device name, IP address, serial number. It helps to uniquely identify a device.
Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
trustpoint <TRUSTPOINT-NAME> subject-name <WORD> secret [0 <WORD>|2 <WORD>] reference-id <WORD> sender-name <WORD> [recipient-name <WORD>|ca-psk <CERT-PATH>]
Parameters
• trustpoint <TRUSTPOINT-NAME> subject-name <WORD> secret [0 <WORD>|2 <WORD>] reference-id <WORD> sender-name <WORD> [recipient-name <WORD>|ca-psk <CERT-PATH>]
trustpoint <TRUSTPOINT-NAME>
Configures a trustpoint name (should not exceed 32 characters)
• <TRUSTPOINT-NAME> – Specify the trustpoint’s name.
subject-name <WORD>
Configures a subject name for this trustpoint. The subject name should uniquely identify the certificate and should not exceed 512 characters in length.
secret [0 <WORD>|2 <WORD>]
Configures the secret used to encrypt the trustpoint. The secret should not exceed 128 characters in length.
• 0 <WORD> – Configures a clear text password
• 2 <WORD> – Configures an encrypted password
reference-id <WORD>
Configures the reference ID. The CA server uses this information to identify the shared secret key used.
• <WORD> – Specify the reference ID.
sender-name <WORD>
Configures the sender’s name. The CA server uses this information to identify the shared secret key used. The sender’s name should not exceed 512 characters in length.
• <WORD> – Specify the sender name.
recipient-name
Configures the recipient’s name. The CA server uses this information to validate the request. The recipient's name should not exceed 256 characters in length.
ca-psk <CERT-PATH>
Configures the certificate path for the server certificate
• <CERT-PATH> – Specify the certificate path.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1079.png)


![CRYPTO-CMP-POLICY
Access Point, Wireless Controller and Service Platform CLI Reference Guide 29 - 12
29.1.8 no
crypto-cmp-policy-instance
Removes or reverts this crypto CMP policy’s settings
Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [ca-server <SERVER-NAME>|cert-key-size|cert-renewal-timeout|cross-cert-validate|subjectAltName|trustpoint <TRUSTPOINT-NAME>|use autogen-uniqueid]
Parameters
• no <PARAMETERS>
no <PARAMETERS>
Removes or reverts this crypto CMP policy’s settings
Example
ap6522-D8273A(config-cmp-policy-CMP)#show context
 cert-update cert-renewal-timeout 60
 use autogen-uniqueid
 ca-server primary host 192.168.8.74 port 8 path cmp
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
 subjectAltName dn TechPubsCA
ap6522-D8273A(config-cmp-policy-CMP)#
ap6522-D8273A(config-cmp-policy-CMP)#no cert-renewal-timeout
ap6522-D8273A(config-cmp-policy-CMP)#no subjectAltName
ap6522-D8273A(config-cmp-policy-CMP)#show context
 cert-update
 use autogen-uniqueid
 ca-server primary host 192.168.8.74 port 8 path cmp
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
ap6522-D8273A(config-cmp-policy-CMP)#](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1082.png)
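The CMP policy pages above document a clear-text (`secret 0`) and an encrypted (`secret 2`) trustpoint secret, a 2048-bit default key size, a primary/secondary CA server fallback, and length limits on trustpoint fields. The following is an added example, not code from the guide or from Extreme Networks: a Python check that reads a saved `show context` dump of a crypto-cmp-policy and reports those settings. The function names, finding codes and the `min_key_size` policy knob are assumptions of this example; the sample dump is constructed from the guide's placeholder values.

```python
"""Audit a saved WiNG crypto-cmp-policy 'show context' dump (added example)."""
import shlex

# Constructed sample, modelled on the guide's 'show context' examples.
# All values are the documentation's placeholders, not a real device.
SAMPLE_CONTEXT = '''\
crypto-cmp-policy CMP
 ca-server primary host 192.168.8.74 port 8 path cmp
 trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
 subjectAltName dn TechPubsCA
'''

DEFAULT_KEY_SIZE = 2048  # documented default when cert-key-size is absent
# Maximum lengths the trustpoint command documents for its arguments.
LENGTH_LIMITS = {"trustpoint": 32, "subject-name": 512, "secret": 128,
                 "sender-name": 512, "recipient-name": 256}


def _parse_trustpoint(args):
    """Turn 'NAME key value ... secret <0|2> <WORD> ...' into a dict."""
    tp = {"trustpoint": args[0]}
    i = 1
    while i < len(args):
        key = args[i]
        if key == "secret" and i + 2 < len(args):  # secret takes type + value
            tp["secret_type"], tp["secret"] = args[i + 1], args[i + 2]
            i += 3
        elif i + 1 < len(args):
            tp[key] = args[i + 1]
            i += 2
        else:
            i += 1  # dangling keyword without a value
    return tp


def parse_cmp_policy(text):
    """Parse the lines of one crypto-cmp-policy context."""
    policy = {"name": None, "key_size": DEFAULT_KEY_SIZE,
              "ca_servers": {}, "trustpoints": [], "unparsed": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)  # keeps quoted DNs as one token
        except ValueError:  # unbalanced quote inside a value
            policy["unparsed"] += 1
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "crypto-cmp-policy" and args:
            policy["name"] = args[0]
        elif cmd == "cert-key-size" and args and args[0].isdigit():
            policy["key_size"] = int(args[0])
        elif cmd == "ca-server" and args:
            # ca-server <primary|secondary> host <IP> port <N> path <PATH>
            policy["ca_servers"][args[0]] = dict(zip(args[1::2], args[2::2]))
        elif cmd == "trustpoint" and args:
            policy["trustpoints"].append(_parse_trustpoint(args))
    return policy


def audit(policy, min_key_size=DEFAULT_KEY_SIZE):
    """Return (code, message) findings; messages never echo the secret."""
    findings = []
    if policy["key_size"] < min_key_size:
        findings.append(("key-size", f"cert-key-size {policy['key_size']} "
                         f"is below the required {min_key_size}"))
    if "primary" not in policy["ca_servers"]:
        findings.append(("ca-server", "no primary CA server configured"))
    elif "secondary" not in policy["ca_servers"]:
        findings.append(("ca-server", "no secondary CA server: no fallback "
                         "if the primary is unreachable"))
    for tp in policy["trustpoints"]:
        name = tp["trustpoint"]
        if tp.get("secret_type") == "0":
            findings.append(("clear-text-secret", f"trustpoint {name}: "
                             "secret is stored as type 0 (clear text)"))
        for field, limit in LENGTH_LIMITS.items():
            if len(tp.get(field, "")) > limit:
                findings.append(("length", f"trustpoint {name}: {field} "
                                 f"exceeds {limit} characters"))
    if policy["unparsed"]:
        findings.append(("unparsed", f"{policy['unparsed']} line(s) with "
                         "unbalanced quotes skipped; review manually"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_cmp_policy(SAMPLE_CONTEXT), 3072):
        print(f"[{code}] {message}")
```

Run against the constructed sample with a 3072-bit requirement, it reports the default key size, the missing secondary CA server and the type 0 secret.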


![CRYPTO-CMP-POLICY
Access Point, Wireless Controller and Service Platform CLI Reference Guide 29 - 15
29.2.2 show
other-cmp-related-commands
Displays current status of CMP requests in progress. This command also displays trustpoint details (CMP and non-CMP trustpoints).
Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show crypto [cmp|pki]
show crypto cmp request status {on <DEVICE-NAME>}
show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {on <DEVICE-NAME>}
Parameters
• show crypto cmp request status {on <DEVICE-NAME>}
show crypto cmp request {on <DEVICE-NAME>}
Displays the current status of all on-going CMP requests
• on <DEVICE-NAME> – Optional. Optionally specify the name of the AP, wireless controller, or service platform to view CMP request status on a specified device.
• show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {on <DEVICE-NAME>}
show pki trustpoints {<TRUSTPOINT-NAME>|all} on <DEVICE-NAME>
Displays all trustpoints including CMP generated trustpoints
• <TRUSTPOINT-NAME> – Optional. Specify a trustpoint name. Displays details of the trustpoint identified by the <TRUSTPOINT-NAME> parameter.
• all – Optional. Displays details of all configured trustpoints
• on <DEVICE-NAME> – Optional. Optionally specify the name of the AP, wireless controller, or service platform to view trustpoints configured on a specified device.
Example
ap6522-D8273A#show crypto pki trustpoints
    ---------------------------------------------------------------------------------------
    TRUSTPOINT            KEY NAME            VALID UNTIL
    ---------------------------------------------------------------------------------------
    cmp-test              cmp-test-key        Fri May 9 09:44:22 2014 GMT
    default-trustpoint    default_rsa_key     Fri Dec 30 00:00:40 2022 GMT
    ---------------------------------------------------------------------------------------
ap6522-D8273A#
ap6522-D8273A(config)#show crypto cmp request status
CMP Request Status: cmp-complete
ap6522-D8273A#](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1085.png)


![ROAMING ASSIST POLICY
Access Point, Wireless Controller and Service Platform CLI Reference Guide 30 - 3
30.1.1 action
roaming-assist-policy-instance
Specifies the action invoked on the client once it reaches a specified threshold value. The threshold values are configured based on the client load.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
action [assisted-roam|deauth|log]
Parameters
• action [assisted-roam|deauth|log]
action [assisted-roam|deauth|log]
Configures the action invoked on the client once it reaches the specified threshold value. The options are:
• assisted-roam – Provides 802.11v assisted roaming facility to the client
• deauth – De-authenticates the client. This is the default setting.
• log – Generates a log
In all three cases an event is generated. However, the message generated differs and is based on the action specified.
Example
rfs6000-81742D(config-roaming-assist-policy-test)#action log
rfs6000-81742D(config-roaming-assist-policy-test)#
Related Commands
no – Removes the configured action details](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1088.png)
![ROAMING ASSIST POLICY
Access Point, Wireless Controller and Service Platform CLI Reference Guide 30 - 4
30.1.2 aggressiveness
roaming-assist-policy-instance
Configures a roaming aggressiveness value for wireless clients. Configuring this value increases the client’s roaming capabilities in scenarios where the client’s location is likely to change drastically and suddenly. For example, when a client hops on to a train that speeds up quickly. In such a scenario, the access point receives a maximum of 2 (two) messages, from the client, having relatively low RSSI value. This results in a decaying-average, which is above the specified handover-threshold value. Consequently, the client is unable to roam.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
aggressiveness [highest|lowest|medium|medium-high|medium-low]
Parameters
• aggressiveness [highest|lowest|medium|medium-high|medium-low]
aggressiveness [highest|lowest|medium|medium-high|medium-low]
Configures a roaming aggressiveness value for wireless clients. The options are:
• highest – De-authenticates client in case of any degradation in the client’s link quality. When selected, the access point considers only the RSSI value of the last message received from the client.
• lowest – De-authenticates client only in case of significant degradation in the client’s link quality. When selected, the access point uses a weighted average [80% of decaying average + 20% of last seen RSSI] as the final reported RSSI value. This is the default setting.
• medium – This is an intermediate setting between not roaming and performance
• medium-high – Allows roaming even if performance goes down. When selected, the access point calculates the client’s signal strength based on average received signal as well as last received signal level, weighted towards the last received value.
• medium-low – Allows roaming even if performance goes average. When selected, the access point calculates the client’s signal strength based on average received signal as well as last received signal level, weighted towards the average value.
Example
nx9500-6C8809(config-roaming-assist-policy-test)#aggressiveness medium
nx9500-6C8809(config-roaming-assist-policy-test)#show context
roaming-assist-policy test
 aggressiveness medium
nx9500-6C8809(config-roaming-assist-policy-test)#
Related Commands
no – Reverts the aggressiveness value to default (lowest)](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1089.png)
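The aggressiveness page above explains that with only two low-RSSI messages the decaying average can stay above the handover threshold, so the client never roams. The following added example (not code from the guide) works that case through for the two settings whose weighting the page states, `highest` and `lowest`. The decay factor `ALPHA`, the sample RSSI values and the threshold are assumptions of this example, since the guide does not give them.

```python
"""Reported RSSI under the 'highest' and 'lowest' aggressiveness settings (added example)."""

ALPHA = 0.25  # assumption: weight of each new sample in the decaying average

# From the guide: 'highest' considers only the last received RSSI;
# 'lowest' reports 80% decaying average + 20% last seen RSSI.
LAST_WEIGHT = {"highest": 1.0, "lowest": 0.2}

# Constructed scenario (dBm): six strong readings, then two weak ones as the
# client moves away quickly. The threshold value is also constructed.
TRAIN = [-55.0] * 6 + [-85.0, -88.0]
THRESHOLD = -75.0


def reported_rssi_series(samples, aggressiveness, alpha=ALPHA):
    """Return the RSSI value reported after each received message."""
    if not samples:
        return []
    w_last = LAST_WEIGHT[aggressiveness]
    avg = samples[0]  # seed the decaying average with the first reading
    reported = []
    for rssi in samples:
        avg = (1 - alpha) * avg + alpha * rssi
        reported.append((1 - w_last) * avg + w_last * rssi)
    return reported


def first_trigger(samples, aggressiveness, threshold=THRESHOLD):
    """Index of the first message whose reported RSSI is below threshold, else None."""
    for index, value in enumerate(reported_rssi_series(samples, aggressiveness)):
        if value < threshold:
            return index
    return None


if __name__ == "__main__":
    for setting in ("highest", "lowest"):
        series = reported_rssi_series(TRAIN, setting)
        print(setting, [round(v, 3) for v in series[-2:]],
              "trigger at message", first_trigger(TRAIN, setting))
```

With these assumed values, `highest` acts on the first weak message, while `lowest` still reports a value above the threshold after both weak messages and would only cross it if a third arrived.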






![ROAMING ASSIST POLICY
Access Point, Wireless Controller and Service Platform CLI Reference Guide 30 - 11
30.1.9 no
roaming-assist-policy-instance
Removes or reverts this roaming assist policy’s settings based on the parameters passed
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [action|aggressiveness|detection-threshold|disassoc-time|handoff-count|handoff-threshold|monitoring-interval|sampling-interval]
Parameters
• no <PARAMETERS>
no <PARAMETERS>
Removes or reverts this roaming assist policy’s settings to default based on the parameters passed
Example
rfs6000-81742D(config-roaming-assist-policy-test)#no action
rfs6000-81742D(config-roaming-assist-policy-test)#no detection-threshold
rfs6000-81742D(config-roaming-assist-policy-test)#no handoff-threshold
rfs6000-81742D(config-roaming-assist-policy-test)#show context
roaming-assist-policy test
 sampling-interval 20
 monitoring-interval 10
rfs6000-81742D(config-roaming-assist-policy-test)#](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1096.png)






































![PUBLICLY AVAILABLE SOFTWAREAccess Point, Wireless Controller, and Service Platform System Reference Guide B - 31[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]PreambleThe licenses for most software are designed to take away yourfreedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. 
If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. 
The Lesser General Public License permits more lax criteria for linking other code with the library.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1135.png)

























![PUBLICLY AVAILABLE SOFTWAREAccess Point, Wireless Controller, and Service Platform System Reference Guide B - 57TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS B.3.13 GNU Lesser General Public License, version 2.0GNU LIBRARY GENERAL PUBLIC LICENSEVersion 2, June 1991Copyright (C) 1991 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USAEveryone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.[This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.]PreambleThe licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too.When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. 
These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it.For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights.Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the library.Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library. If the library is modified by someone else and passed on, we want its recipients to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations.](https://usermanual.wiki/Extreme-Networks/AP3917E.WiNG-5-9-1-CLI-Reference-Guide-Part-2/User-Guide-3831162-Page-1161.png)
























