3Com WX4400 3CRWX440095A User Manual
- View the manual online or download it
- 728 pages
- 6.24 MB
Similar user manuals
- Switch: 3Com SuperStack II 3300 FX (26 pages, 0.25 MB)
- Switch: 3Com 2924-PWR (248 pages, 5.84 MB)
- Switch: 3Com 3C16951 (60 pages, 1.53 MB)
- Switch: 3Com 3CRWX120695A (190 pages, 3.88 MB)
- Switch: 3Com SuperStack 4 3C16465B (8 pages, 1.58 MB)
- Switch: 3Com 3900 (36 pages, 5.34 MB)
- Switch: 3Com WX1200 (646 pages, 4.48 MB)
- Switch: 3Com OfficeConnect 3C1670500C (18 pages, 2.49 MB)
The correct user manual
The regulations oblige the seller to hand over the user manual for the 3Com WX4400 3CRWX440095A to the purchaser together with the goods. A missing manual or incorrect information given to the consumer is grounds for a complaint on the basis of non-conformity of the device with the contract. It is legally permitted to supply the user manual in a form other than paper, which has recently become very common, by including a graphic or electronic manual for the 3Com WX4400 3CRWX440095A as well as instructional videos for users. The condition is that its form is legible and comprehensible.
What is a user manual?
The word comes from the Latin "instructio", i.e. to arrange. Accordingly, the manual for the 3Com WX4400 3CRWX440095A contains a description of the stages of the procedures. The purpose of the manual is to instruct, to simplify starting and using the device, or to simplify performing certain tasks. The manual is a collection of information about an object or a service, a guide.
Unfortunately, not many users devote their time to the user manual for the 3Com WX4400 3CRWX440095A. A good user manual not only lets you get to know a range of additional functions of the purchased device, but also helps you avoid many mistakes.
So what should an ideal user manual contain?
The user manual for the 3Com WX4400 3CRWX440095A should above all contain the following:
- Information about the technical specifications of the 3Com WX4400 3CRWX440095A device
- The name of the manufacturer and the year of manufacture of the 3Com WX4400 3CRWX440095A device
- Principles of operating, adjusting and maintaining the 3Com WX4400 3CRWX440095A device
- Safety marks and certificates confirming compliance with the relevant standards
Why don't we read user manuals?
The reason is the lack of time and the confidence in the specific functions of the purchased devices. Unfortunately, simply connecting and starting the 3Com WX4400 3CRWX440095A is not enough. A manual contains a number of instructions concerning specific functions, safety principles, methods of maintenance (even which products to use), possible faults of the 3Com WX4400 3CRWX440095A and ways of solving problems that may occur during use. Finally, the user manual contains the contact number for 3Com service if the suggested solutions are not effective. Currently, manuals in the form of interesting animations or video guides are gaining popularity, as they appeal to the user more than a brochure. This type of manual guarantees that the user watches the whole video without skipping the specific and complicated technical descriptions of the 3Com WX4400 3CRWX440095A, as happens with the paper form.
Why should you read user manuals?
In the user manual we find above all the answers about the construction and capabilities of the 3Com WX4400 3CRWX440095A device, about the use of certain accessories, and a range of information that allows you to use all of its functions and conveniences.
After the successful purchase of the device, you should devote some time to getting to know each part of the 3Com WX4400 3CRWX440095A manual. Nowadays they are carefully prepared or translated so that they are not only comprehensible to users but also fulfil their basic help-and-information function.
Contents of the user manual
- Page 1: http://www.3Com.com/ Part No. 10015909 Published June 2007 Wireless LAN Mobility System Wireless LAN Switch and Controller Configuration Guide WX4400 3CRWX440095A WX2200 3CRWX220095A WX1200 3CRWX120695A WXR100 3CRWXR10095A[...]
- Page 2: 3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3C[...]
- Page 3: CONTENTS ABOUT THIS GUIDE Conventions 23 Documentation 24 Documentation Comments 25 1 USING THE COMMAND-LINE INTERFACE Overview 27 CLI Conventions 27 Command Prompts 28 Syntax Notation 28 Text Entry Conventions and Allowed Characters 28 User Globs, MAC Address Globs, and VLAN Globs 30 Port Lists 32 Virtual LAN Identification 33 Command-L[...]
- Page 4: Web Quick Start Parameters 40 Web Quick Start Requirements 41 Accessing the Web Quick Start 41 CLI quickstart Command 44 Quickstart Example 46 Remote WX Configuration 49 Opening the QuickStart Network Plan in 3Com Wireless Switch Manager 49 3 CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS Overview 51 Before You Start 54 About Administra[...]
- Page 5: Setting the Maximum Number of Login Attempts 67 Specifying Minimum Password Length 68 Configuring Password Expiration Time 69 Restoring Access to a Locked-Out User 70 Displaying Password Information 70 5 CONFIGURING AND MANAGING PORTS AND VLANS Configuring and Managing Ports 71 Setting the Port Type 71 Configuring a Port Name 77 Configuri[...]
- Page 6: Configuring the System IP Address 108 Designating the System IP Address 108 Displaying the System IP Address 108 Clearing the System IP Address 108 Configuring and Managing IP Routes 108 Displaying IP Routes 110 Adding a Static Route 111 Removing a Static Route 112 Managing the Management Services 113 Managing SSH 113 Managing Telnet 116 Managi[...]
- Page 7: Adding an ARP Entry 131 Changing the Aging Timeout 131 Pinging Another Device 132 Logging In to a Remote Device 132 Tracing a Route 133 IP Interfaces and Services Configuration Scenario 135 7 CONFIGURING SNMP Overview 139 Configuring SNMP 139 Setting the System Location and Contact Strings 140 Enabling SNMP Versions 140 Configuring Community[...]
- Page 8: Configuring WX-WX Security 158 Monitoring the VLANs and Tunnels in a Mobility Domain 159 Displaying Roaming Stations 159 Displaying Roaming VLANs and Their Affinities 160 Displaying Tunnel Information 160 Understanding the Sessions of Roaming Users 161 Requirements for Roaming to Succeed 161 Effects of Timers on Roaming 162 Monitoring Roam[...]
- Page 9: Configuring MAPs 213 Specifying the Country of Operation 213 Configuring an Auto-AP Profile for Automatic MAP Configuration 218 Configuring MAP Port Parameters 224 Configuring MAP-WX Security 229 Configuring a Service Profile 233 Configuring a Radio Profile 240 Configuring Radio-Specific Parameters 246 Mapping the Radio Profile to Service Pro[...]
- Page 10: Setting Strictness for RF Load Balancing 270 Exempting an SSID from RF Load Balancing 271 Displaying RF Load Balancing Information 271 12 CONFIGURING WLAN MESH SERVICES WLAN Mesh Services Overview 273 Configuring WLAN Mesh Services 274 Configuring the Mesh AP 275 Configuring the Service Profile for Mesh Services 276 Configuring Security 276 [...]
- Page 11: Enabling Dynamic WEP in a WPA Network 304 Configuring Encryption for MAC Clients 306 14 CONFIGURING RF AUTO-TUNING Overview 311 Initial Channel and Power Assignment 311 Channel and Power Tuning 312 RF Auto-Tuning Parameters 314 Changing RF Auto-Tuning Settings 316 Selecting Available Channels on the 802.11a Radio 316 Changing Channel Tu[...]
- Page 12: Enabling U-APSD Support 342 Configuring Call Admission Control 343 Configuring Static CoS 343 Changing CoS Mappings 344 Using the Client's DSCP Value to Classify QoS Level 344 Enabling Broadcast Control 345 Displaying QoS Information 345 Displaying a Radio Profile's QoS Settings 345 Displaying a Service Profile's QoS Settings 346 Displa[...]
- Page 13: 18 CONFIGURING AND MANAGING IGMP SNOOPING Overview 369 Disabling or Reenabling IGMP Snooping 369 Disabling or Reenabling Proxy Reporting 370 Enabling the Pseudo-Querier 370 Changing IGMP Timers 370 Changing the Query Interval 371 Changing the Other-Querier-Present Interval 371 Changing the Query Response Interval 371 Changing the Last Memb[...]
- Page 14: Mapping Security ACLs 390 Mapping User-Based Security ACLs 390 Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed MAPs 392 Modifying a Security ACL 394 Adding Another ACE to a Security ACL 394 Placing One ACE before Another 395 Modifying an Existing Security ACL 396 Clearing Security ACLs from the Edit Buffer 397 Using ACLs to[...]
- Page 15: Key and Certificate Configuration Scenarios 427 Creating Self-Signed Certificates 427 Installing CA-Signed Certificates from PKCS #12 Object Files 429 Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File 431 21 CONFIGURING AAA FOR NETWORK USERS About AAA for Network Users 433 Authentication 433 Authori[...]
- Page 16: Configuring Last-Resort Access for Wired Authentication Ports 481 Configuring AAA for Users of Third-Party APs 482 Authentication Process for Users of a Third-Party AP 482 Requirements 483 Configuring Authentication for 802.1X Users of a Third-Party AP with Tagged SSIDs 484 Configuring Authentication for Non-802.1X Users of a Third-Party[...]
- Page 17: 22 CONFIGURING COMMUNICATION WITH RADIUS RADIUS Overview 519 Before You Begin 521 Configuring RADIUS Servers 521 Configuring Global RADIUS Defaults 522 Setting the System IP Address as the Source Address 523 Configuring Individual RADIUS Servers 523 Deleting RADIUS Servers 524 Configuring RADIUS Server Groups 524 Creating Server Groups 52[...]
- Page 18: 24 CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH About SODA Endpoint Security 543 SODA Endpoint Security Support on WX Switches 544 How SODA Functionality Works on WX Switches 545 Configuring SODA Functionality 546 Configuring Web Portal WebAAA for the Service Profile 547 Creating the SODA Agent with SODA Manager 547 Copying the SODA [...]
- Page 19: 26 ROGUE DETECTION AND COUNTERMEASURES Overview 567 About Rogues and RF Detection 567 Rogue Access Points and Clients 567 RF Detection Scans 571 Countermeasures 572 Mobility Domain Requirement 572 Summary of Rogue Detection Features 573 Configuring Rogue Detection Lists 574 Configuring a Permitted Vendor List 574 Configuring a Permitted SSI[...]
- Page 20: 27 MANAGING SYSTEM FILES About System Files 599 Displaying Software Version Information 599 Displaying Boot Information 601 Working with Files 602 Displaying a List of Files 602 Copying a File 604 Using an Image File's MD5 Checksum To Verify Its Integrity 606 Deleting a File 607 Creating a Subdirectory 608 Removing a Subdirectory 608 M[...]
- Page 21: Displaying a Trace 632 Stopping a Trace 632 About Trace Results 633 Displaying Trace Results 633 Copying Trace Results to a Server 634 Clearing the Trace Log 634 List of Trace Areas 634 Using display Commands 635 Viewing VLAN Interfaces 635 Viewing AAA Session Statistics 635 Viewing FDB Information 636 Viewing ARP Information 636 Port Mirror[...]
- Page 22: C SUPPORTED RADIUS ATTRIBUTES Attributes 651 Supported Standard and Extended Attributes 652 3Com Vendor-Specific Attributes 659 D TRAFFIC PORTS USED BY MSS E DHCP SERVER How the MSS DHCP Server Works 664 Configuring the DHCP Server 665 Displaying DHCP Server Information 666 F OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS Register Your P[...]
- Page 23: ABOUT THIS GUIDE This guide describes the configuration commands for the 3Com Wireless LAN Switch WXR100, WX1200, or 3Com Wireless LAN Controller WX4400, WX2200. This guide is intended for System integrators who are configuring the WXR100, WX1200, WX4400, or WX2200. If release notes are shipped with your product and the information there [...]
- Page 24: 24 ABOUT THIS GUIDE This manual uses the following text and syntax conventions: Documentation The MSS documentation set includes the following documents. Wireless Switch Manager (3WXM) Release Notes These notes provide information about the 3WXM software release, including new features and bug fixes. Wireless LAN Switch and Contro[...]
- Page 25: Documentation Comments 25 Wireless Switch Manager Reference Manual This manual shows you how to plan, configure, deploy, and manage a Mobility System wireless LAN (WLAN) using the 3Com Wireless Switch Manager (3WXM). Wireless Switch Manager User's Guide This manual shows you how to plan, configure, deploy, and manage the entire WLA[...]
- Page 26: 26 ABOUT THIS GUIDE Please note that we can only respond to comments and questions about 3Com product documentation at this e-mail address. Questions related to technical support or sales should be directed in the first instance to your network supplier.[...]
- Page 27: 1 USING THE COMMAND-LINE INTERFACE Mobility System Software (MSS) operates a 3Com Mobility System wireless LAN (WLAN) consisting of 3Com Wireless Switch Manager software, Wireless LAN Switches (WX1200 or WXR100), Wireless LAN Controllers (WX4400 or WX2200), and Managed Access Points (MAPs). MSS has a command-line interface (CLI) on a WX sw[...]
- Page 28: 28 CHAPTER 1: USING THE COMMAND-LINE INTERFACE Command Prompts By default, the MSS CLI provides the following prompt for restricted users. The mmmm portion shows the WX model number (for example, 1200) and the nnnnnn portion shows the last 6 digits of the WX media access control (MAC) address. WXmmmm> After you become enabled as an adm[...]
- Page 29: CLI Conventions 29 The CLI has specific notation requirements for MAC addresses, IP addresses, and masks, and allows you to group usernames, MAC addresses, virtual LAN (VLAN) names, and ports in a single command. 3Com recommends that you do not use the same name with different capitalizations for VLANs or access control lists (ACLs). For examp[...]
- Page 30: 30 CHAPTER 1: USING THE COMMAND-LINE INTERFACE Wildcard Masks Security access control lists (ACLs) use source and destination IP addresses and wildcard masks to determine whether the WX filters or forwards IP packets. Matching packets are either permitted or denied network access. The ACL checks the bits in IP addresses that correspond t[...]
- Page 31: CLI Conventions 31 MAC Address Globs A media access control (MAC) address glob is a similar method for matching some authentication, authorization, and accounting (AAA) and forwarding database (FDB) commands to one or more 6-byte MAC addresses. In a MAC address glob, you can use a single asterisk (*) as a wildcard to match all MAC addresses, or [...]
- Page 32: 32 CHAPTER 1: USING THE COMMAND-LINE INTERFACE To match all VLANs, use the double-asterisk (**) wildcard characters with no delimiters. To match any number of characters up to, but not including, a delimiter character in the glob, use the single-asterisk (*) wildcard. Valid VLAN glob delimiter characters are the at (@) sign and the [...]
- Page 33: Command-Line Editing 33 Virtual LAN Identification The names of virtual LANs (VLANs), which are used in Mobility Domain™ communications, are set by you and can be changed. In contrast, VLAN ID numbers, which the WX switch uses locally, are determined when the VLAN is first configured and cannot be changed. Unless otherwise indicated, you can[...]
- Page 34: 34 CHAPTER 1: USING THE COMMAND-LINE INTERFACE History Buffer The history buffer stores the last 63 commands you entered during a terminal session. You can use the Up Arrow and Down Arrow keys to select a command that you want to repeat from the history buffer. Tabs The MSS CLI uses the Tab key for command completion. You can t[...]
- Page 35: Using CLI Help 35 rollback Remove changes to the edited ACL table save Save the running configuration to persistent storage set Set, use 'set help' for more information telnet telnet IP address [server port] traceroute Print the route packets take to network host For more information on help, see the help command description in the Wi[...]
- Page 36: 36 CHAPTER 1: USING THE COMMAND-LINE INTERFACE Understanding Command Descriptions Each command description in the Wireless LAN Switch and Controller Command Reference contains the following elements: A command name, which shows the keywords but not the variables. For example, the following command name appears at the top of a command desc[...]
- Page 37: 2 WX SETUP METHODS This chapter describes the methods you can use to configure a WX switch, and refers you to information for each method. Depending on your configuration needs, you can use one or a combination of these methods. For easy installation, use one of the quick-start methods described in this chapter instead of using the CLI instruc[...]
- Page 38: 38 CHAPTER 2: WX SETUP METHODS 3Com Wireless Switch Manager You can use 3Com Wireless Switch Manager to remotely configure a switch using one of the following techniques: Drop ship—On model WXR100 only, you can press the factory reset switch during power on until the right LED above port 1 flashes for 3 seconds. Activating the [...]
- Page 39: How a WX Switch Gets its Configuration 39 How a WX Switch Gets its Configuration Figure 1 shows how a WX switch gets a configuration when you power it on. Figure 1 WX Switch Startup Algorithm (flowchart; decision nodes: Does switch have a configuration? Is auto-config ...? Model WXR100? Was factory reset pressed during ...?)[...]
- Page 40: Web Quick Start (WXR100, WX1200 and WX2200 Only) 40 Web Quick Start (WXR100, WX1200 and WX2200 Only) You can use the Web Quick Start to configure the switch to provide wireless access to up to ten network users. To access the Web Quick Start, attach a PC directly to port 1 or port 2 on the switch and use a web browser on the PC to access IP ad[...]
- Page 41: Web Quick Start (WXR100, WX1200 and WX2200 Only) 41 Web Quick Start Requirements To use the Web Quick Start, you need the following: AC power source for the switch PC with an Ethernet port that you can connect directly to the switch Category 5 (Cat 5) or higher Ethernet cable If the PC is connected to the network, power down the PC[...]
- Page 42: 42 CHAPTER 2: WX SETUP METHODS This is a temporary, well-known address assigned to the unconfigured switch when you power it on. The Web Quick Start enables you to change this address. The first page of the Quick Start Wizard appears. 6 Click Start to begin. The wizard screens guide you through the configuration steps. CAUTION: Use the wiz[...]
- Page 43: Web Quick Start (WXR100, WX1200 and WX2200 Only) 43 Here is an example: 8 Review the configuration settings, then click Finish to save the changes or click Back to change settings. If you want to quit for now and start over later, click Cancel. If you click Finish, the wizard saves the configuration settings into the switch's configuration[...]
- Page 44: 44 CHAPTER 2: WX SETUP METHODS CLI quickstart Command The quickstart command runs a script that interactively helps you configure the following items: System name Country code (regulatory domain) System IP address Default route 802.1Q tagging for ports in the default VLAN Administrative users and passwords Enable pas[...]
- Page 45: CLI quickstart Command 45 The command automatically places all ports that are not used for directly connected MAPs into the default VLAN (VLAN 1). The quickstart command prompts you for an administrative username and password for managing the switch over the network. The command automatically configures the same password as the switch's en[...]
- Page 46: 46 CHAPTER 2: WX SETUP METHODS Quickstart Example This example configures the following parameters: System name: WX1200-Corp Country code (regulatory domain): US System IP address: 172.16.0.21, on IP interface 172.16.0.21 255.255.255.0 The quickstart script asks for an IP address and subnet mask for the system IP address, and conv[...]
- Page 47: CLI quickstart Command 47 If you configure time and date parameters, you will be required to enter a name for the timezone, and then enter the value of the timezone (the offset from UTC) separately. You can use a string of up to 32 alphabetic characters as the timezone name. Figure 2 shows an example. Users bob and alice can access encryp[...]
- Page 48: 48 CHAPTER 2: WX SETUP METHODS Specify the port number that needs to be tagged [1-2, <CR> ends config]: Admin username [admin]: wxadmin Admin password [optional]: letmein Enable password [optional]: enable Do you wish to set the time? [y]: y Enter the date (dd/mm/yy) []: 31/03/07 Is daylight saving time (DST) in effect [n]: n Enter the t[...]
- Page 49: Remote WX Configuration 49 8 Save the configuration changes. WXR100-aabbcc# save config Remote WX Configuration You can use 3Com Wireless Switch Manager Services running in your corporate network to configure WX switches in remote offices. The following remote configuration scenarios are supported: Drop ship—3Com Wireless Switch Manager S[...]
- Page 50: 50 CHAPTER 2: WX SETUP METHODS To open the network plan: 1 Install 3WXM, if not already installed. (See the "Getting Started" chapter of the Wireless Switch Manager User's Guide or the "Installing 3WXM" chapter of the Wireless Switch Manager Reference Manual.) 2 Start 3WXM by doing one of the following: On Windows systems, se[...]
-
Seite 51
3 C ONFIGURING AAA FOR A DMINISTRATIVE AND L OCAL A CCESS 3Com Mobility System Softwa re (MSS) supports authentication, authorization, and accounting (AAA) for secure network connections. As administra tor , you must establish ad ministrative access for your self and optionally other local users before you can configure the WX for operation. Overvi[...]
-
Seite 52
52 C HAPTER 3: C ONFIGURING AAA FOR A DMINISTRATIVE AND L OCAL A CCESS 5 Customized authentication. Y ou can requir e authentication for all users or for only a subset of users. User name globbing (see “User Globs, MAC Address Globs, and VLAN Globs” on page 30) allows dif fer ent users or classes of user to be give n differ ent authentication t[...]
-
Seite 53
Overview 53 Figure 3 T ypical 3Com Mobility System WX switch Core router Layer 2 switches WX switches B uilding 1 D a t a ce n t e r F loo r 3 F loo r 2 Layer 2 or Layer 3 switches RADIUS or AAA Servers F loo r 1 WX switches MAP MAP MAP MAP MAP MAP[...]
-
Seite 54
54 C HAPTER 3: C ONFIGURING AAA FOR A DMINISTRATIVE AND L OCAL A CCESS Before Y ou Start Before r eading more of this chapter , read the W ireless LAN Switch and Controller Quick Start Guide to set up a WX switch and the attached MAPs for basic service. About Administrative Access The authentication, author ization, and accounting (AAA) framework h[...]
-
Seite 55
First-Time Configurati on via the Console 55 First-Time Configuration via the Console Administrators must initially configur e the WX switch with a computer or terminal connected to the WX co nsole port thr ough a serial cable. T elnet access is not init ially enabled. T o configure a previously unconfigured WX switch via the console, yo u must com[...]
-
Seite 56
56 C HAPTER 3: C ONFIGURING AAA FOR A DMINISTRATIVE AND L OCAL A CCESS Setting the WX Switch Enable Password There is one enable passwor d for the entire WX switch. Y ou can optionally change the enable password fr om the default. 3Com recommends that you change the enable password from the default (no password) to prevent unauthorized users from e[...]
-
Seite 57
First-Time Configurati on via the Console 57 3WXM Enable Password If you use 3WXM to continue config uring the switch, you will need to enter the switch’ s enable pas swor d when you upload the switch’ s configuration into 3WXM. (For 3WXM information, see the Wireless Switch Manager Reference Manual .) Authenticating at the Console Y ou can con[...]
-
Seite 58
58 C HAPTER 3: C ONFIGURING AAA FOR A DMINISTRATIVE AND L OCAL A CCESS The authentication method none you can specify for administrative access is different from the fallthru authentication type None, which applies only to network access. The authentication method none allows access to the WX switch by an administrator . The fallthru authentication[...]
-
Seite 59
Configuring Accounti ng for Administrative Users 59 Although MSS allows you to configure a user passw ord for the special “last-resort” guest user , the password has no effect. Last-resort users can never access a WX in administrative mode and never require a password. Adding and Clearing Local Users for Administrative Access Usernames and pass[...]
-
Seite 60
60 C HAPTER 3: C ONFIGURING AAA FOR A DMINISTRATIVE AND L OCAL A CCESS Y ou can select either start-stop or stop-only accounting modes. The stop-only mode sends only stop records, wher eas start-stop sends both start and stop recor ds, ef fectively doubling the number of accounting recor ds. In most cases, stop-only is entir ely adequate for admini[...]
-
Seite 61
Displaying the AAA Configuration 61 Displaying the AAA Configuration T o display your AAA configuration, type the following command: WX1200# display aaa Default Values authport=1812 acctport=1813 timeout= 5 acct-timeout=5 retrans=3 deadtime=0 key=(null) auth or-pass=(null) Radius Servers Server Addr Ports T/o Tries Dead State ----------------------[...]
-
Seite 62
62 C HAPTER 3: C ONFIGURING AAA FOR A DMINISTRATIVE AND L OCAL A CCESS Administrative AAA Configuration Scenarios The following scenario s illustrate typica l configurations for administrative and local authent ication. For all scen arios, the administ rator is Natasha with the password m@Jor . (For RADIUS server configuratio n details, see Chapter[...]
-
Seite 63
Administrative AAA Configuration Scenarios 63 Natasha also adds the RADIUS server ( r1 ) to the RADIUS server group sg1 , and configures T elnet administrative users for authenticati on thr ough the group. She types the following commands in this order: WX1200# set server group sg1 members r1 success: change accepted. WX1200# set user admin attr se[...]
-
Seite 64
64 C HAPTER 3: C ONFIGURING AAA FOR A DMINISTRATIVE AND L OCAL A CCESS Local Override and Backup Local Authentication This scenario illustrates how to enable local ove rride authentication for console users. Local override mean s that MSS attempts authentication first via the local d atabase. If it find s no match for the user in the local database[...]
-
Seite 65
4 M ANAGING U SER P ASSWOR DS This chapter describes how to manage user passwords, configure user passwords, and how to display password information. Overview 3COM r ecommends that all users create passwords that are memorable to themselves, difficul t for others to guess, and not subject to a dictionary attack. By default, user passwords ar e auto[...]
-
Seite 66
66 C HAPTER 4: M ANAGING U SER P ASSWOR DS Only one unsuccessful login a ttempt is allowed in a 10-second period for a user or session. All administrative logins, logouts, logouts due to idle timeout, and disconnects are logged. The audit log file on the WX switch ( command_audit.cur ) cannot be deleted, and attempts to delete log files[...]
-
Seite 67
Configuring Passwords 67 Enabling Password Restrictions T o activate password restrictions for network and administrative users, use the following command: set authentication password-restrict { enable | disabl e } When this command is enabled, the following password restrictions take effect: Passwords must be a minimum of 1 0 characters in len[...]
-
Seite 68
68 C HAPTER 4: M ANAGING U SER P ASSWOR DS Y ou can specify a number between 0 – 2147483647. Specifying 0 causes the number of allowable login attempts to reset to the default values. If a user is locked out of the system , you can r estore the user’ s access with the clear user lockout co mmand. (See “Restoring Access to a Locked-Out User”[...]
-
Seite 69
Configuring Passwords 69 Configuring Password Expiration Time T o specify how long a user’ s passwor d is valid be fore it must be r eset, use the following command: set user username expire-password-in time T o specify how lo ng the passwor ds are valid for users in a user group, use the following command: set usergroup group-name expire-passwor[...]
-
Seite 70
70 C HAPTER 4: M ANAGING U SER P ASSWOR DS Restoring Access to a Locked-Out Us er If a user’ s password has expired, or the user is unable to log in within the configured limit for logi n attempts, then the user is locked out of the system, and cannot gain access without the intervention of an administrator . T o restor e access to a user who had[...]
-
Seite 71
5 C ONFIGURING AND M ANAGING P ORTS AND VLAN S This chapter describes how to conf igure and manage ports and VLANs. Configuring and Managing Ports Y ou can configure and display information for the following port parameters: Port type Name Speed and autoneg otiation Port state Power over Eth ernet (PoE) state Load sharing Se[...]
-
Seite 72
72 C HAPTER 5: C ONFIGURING AND M ANAGING P ORTS AND VLAN S All WX switch ports are network ports by default. Y ou must set th e port type for ports directly connected to MAP access ports and to wired user stations that must be authenticate d to access the network. When you change port type, MSS applies default sett ings appropriate for the port ty[...]
-
Seite 73
Configuring and Managing Ports 73 Setting a Port for a Directly Connected MAP Before configuring a port as a MAP access port, you must use the set system countrycode command to set the IEEE 802.11 country-specific regulations on the WX switch. (See “Specifying the Country of Operation” on page 213.) Some MSS features that work with directly [...]
Page 74
74 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS You cannot configure any gigabit Ethernet port, or port 7 or 8 on a WX1200 switch, or port 1 on a WXR100, as a MAP port. To manage a MAP on a switch model that does not have 10/100 Ethernet ports, configure a Distributed MAP connection on the switch. (See “Configuring a MAP Connection[...]
Page 75
Configuring and Managing Ports 75 For the serial-id parameter, specify the serial ID of the MAP. The serial ID is listed on the MAP case. To display the serial ID using the CLI, use the display version details command. The model and radiotype parameters have the same options as they do with the set port type ap command. Because the WX does not[...]
Page 76
76 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS This command configures port 7 as a wired authentication port supporting one interface and one simultaneous user session. For 802.1X clients, wired authentication works only if the clients are directly attached to the wired authentication port, or are attached through a hub that does not[...]
Page 77
Configuring and Managing Ports 77 A cleared port is not placed in any VLANs, not even the default VLAN (VLAN 1). To clear a port, use the following command: clear port type port-list For example, to clear the port-related settings from port 5 and reset the port as a network port, type the following command: WX1200# clear port type 5 This may d[...]
Page 78
78 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS Configuring Interface Preference on a Dual-Interface Gigabit Ethernet Port (WX4400 only) The gigabit Ethernet ports on a WX4400 have two physical interfaces: a 1000BASE-TX copper interface and a 1000BASE-SX or 1000BASE-LX fiber interface. The copper interface is provided by a built-in[...]
Page 79
Configuring and Managing Ports 79 Configuring Port Operating Parameters Autonegotiation is enabled by default on a WX switch’s 10/100 Ethernet ports and gigabit Ethernet ports. You can configure the following port operating parameters: Speed Autonegotiation Port state PoE state All ports on the WX4400 switches support full-du[...]
Page 80
80 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS To set the port speed on ports 1 and 3 through 5 to 10 Mbps, type the following command: WX1200# set port speed 1,3-5 10 Gigabit Ports — Autonegotiation and Flow Control WX gigabit ports use autonegotiation by default to determine capabilities for 802.3z flow control parameters. The [...]
Page 81
Configuring and Managing Ports 81 Resetting a Port You can reset a port by toggling its link state and PoE state. MSS disables the port’s link and PoE (if applicable) for at least one second, then reenables them. This feature is useful for forcing a MAP that is connected to two WX switches to reboot using the port connected to the other swi[...]
Page 82
82 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS Displaying PoE State To display the PoE state of a port, use the following command: display port poe [port-list] To display PoE information for ports 1 and 3, type the following command: WX1200# display port poe 1,3 Link Port PoE PoE Port Name Status Type config Draw ================[...]
Page 83
Configuring and Managing Ports 83 Clearing Statistics Counters To clear all port statistics counters, use the following command: clear port counters The counters begin incrementing again, starting from 0. Monitoring Port Statistics You can display port statistics in a format that continually updates the counters. When you enable monitoring of po[...]
Page 84
84 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS Use the keys listed in Table 8 to control the monitor display. To monitor port statistics beginning with octet statistics (the default), type the following command: WX1200# monitor port counters As soon as you press Enter, MSS clears the window and displays statistics at the top of [...]
Page 85
Configuring and Managing Ports 85 Configuring Load-Sharing Port Groups A port group is a set of physical ports that function together as a single link and provide load sharing and link redundancy. Only network ports can participate in a port group. You can configure up to 8 ports in a port group, in any combination of ports. The port numbers d[...]
Page 86
86 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS To configure a port group named server1 containing ports 1 through 5 and enable the link, type the following command: WX1200# set port-group name server1 1-5 mode on success: change accepted. After you configure a port group, you can use the port group name with commands that change L[...]
Page 87
Configuring and Managing VLANs 87 Displaying Port Group Information To display port group information, use the following command: display port-group [name group-name] To display the configuration and status of port group server2, type the following command: WX1200# display port-group name server2 Port group: server2 is up Ports: 2, 5 Intero[...]
Page 88
88 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS VLANs are not configured on MAP access ports or wired authentication ports, because the VLAN membership of these types of ports is determined dynamically through the authentication and authorization process. Users who require authentication connect through WX switch ports that are config[...]
Page 89
Configuring and Managing VLANs 89 You assign a user to a VLAN by setting one of the following attributes on the RADIUS servers or in the local user database: Tunnel-Private-Group-ID — This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support. VLAN-Name — This attribute is a 3Com vendor-specific att[...]
Page 90
90 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS Because the default VLAN (VLAN 1) might not be in the same subnet on each switch, 3Com recommends that you do not rename the default VLAN or use it for user traffic. Instead, configure other VLANs for user traffic. Traffic Forwarding A WX switch switches traffic at Layer 2 among port[...]
Page 91
Configuring and Managing VLANs 91 If the WX switch that is not in the user’s VLAN has a choice of more than one other WX switch through which to tunnel the user’s traffic, the switch selects the other switch based on an affinity value. This is a numeric value that each WX switch within a Mobility Domain advertises, for each of its VLANs, t[...]
Page 92
92 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS You must assign a name to a VLAN before you can add ports to the VLAN. You can configure the name and add ports with a single set vlan command or separate set vlan commands. Once you assign a VLAN number to a VLAN, you cannot change the number. However, you can change a VLAN’s n[...]
Page 93
Configuring and Managing VLANs 93 Removing an Entire VLAN or a VLAN Port To remove an entire VLAN or a specific port and tag value from a VLAN, use the following command: clear vlan vlan-id [port port-list [tag tag-value]] CAUTION: When you remove a VLAN, MSS completely removes the VLAN from the configuration and also removes all configurat[...]
Page 94
94 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS Restricting Layer 2 Forwarding Among Clients By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN[...]
Page 95
Configuring and Managing VLANs 95 The following commands restrict Layer 2 forwarding of client data in VLAN abc_air to the default routers with MAC address aa:bb:cc:dd:ee:ff and 11:22:33:44:55:66, and display restriction information and statistics: WX1200# set security l2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff 11:22:33:[...]
Page 96
96 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS Managing the Layer 2 Forwarding Database A WX switch uses a Layer 2 forwarding database (FDB) to forward traffic within a VLAN. The entries in the forwarding database map MAC addresses to the physical or virtual ports connected to those MAC addresses within a particular VLAN. To forward[...]
Page 97
Managing the Layer 2 Forwarding Database 97 Displaying Forwarding Database Information You can display the forwarding database size and the entries contained in the database. Displaying the Size of the Forwarding Database To display the number of entries contained in the forwarding database, use the following command: display fdb count {perm |[...]
Page 98
98 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS To display all entries that begin with 00, type the following command: WX1200# display fdb 00:* * = Static Entry. + = Permanent Entry. # = System Entry. VLAN TAG Dest MAC/Route Des [CoS] Destination Ports [Protocol Type] ---- ---- ------------------ ----- ------------------------------[...]
Page 99
Managing the Layer 2 Forwarding Database 99 Configuring the Aging Timeout Period The aging timeout period specifies how long a dynamic entry can remain unused before the software removes the entry from the database. You can change the aging timeout period on an individual VLAN basis. You can change the timeout period to a value from 0 thro[...]
Page 100
100 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS Port and VLAN Configuration Scenario This scenario assigns names to ports, and configures MAP access ports, wired authentication ports, a load-sharing port group, and VLANs. 1 Assign names to ports to identify their functions, and verify the configuration change. Type the following [...]
Page 101
Port and VLAN Configuration Scenario 101 ==================================== ================================ =========== Boot Time: 2000-03-18 22:59:19 Uptime: 0 days 00:13:45 ==================================== ================================ =========== Fan status: fan1 OK fan2 OK fan3 OK Temperature: temp1 ok temp2 ok temp3 ok PSU Status: [...]
Page 102
102 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS 4 Configure ports 5 and 6 as wired authentication ports and verify the configuration change. Type the following commands: WX1200# set port type wired-auth 5,6 success: change accepted WX1200# display port status Port Name Admin Oper Config Actual Type Media =============================[...]
Page 103
6 CONFIGURING AND MANAGING IP INTERFACES AND SERVICES This chapter describes how to configure IP interfaces and services. MTU Support Mobility System Software (MSS) supports standard maximum transmission units (MTUs) of 1514 bytes for standard Ethernet packets and 1518 bytes for Ethernet packets with an 802.1Q tag. MSS does not support cha[...]
Page 104
104 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES Configuring and Managing IP Interfaces Many features, including the following, require an IP interface on the WX switch: Management access through Telnet Access by 3Com Wireless Switch Manager Exchanging information and user data with other WX switches in a Mobili[...]
Page 105
Configuring and Managing IP Interfaces 105 The DHCP client is enabled by default on an unconfigured WXR100 when the factory reset switch is pressed and held during power on. The DHCP client is disabled by default on all other switch models, and is disabled on a WXR100 if the switch is already configured or the factory reset switch is not pressed [...]
Page 106
106 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES If the switch is powered down or restarted, MSS does not retain the values received from the DHCP server. However, if the IP interface goes down but MSS is still running, MSS attempts to reuse the address when the interface comes back up. Configuring the DHCP Client To co[...]
Page 107
Configuring and Managing IP Interfaces 107 Displaying DHCP Client Information To display DHCP client information, type the following command: WX1200# display dhcp-client Interface: corpvlan(4) Configuration Status: Enabled DHCP State: IF_UP Lease Allocation: 65535 seconds Lease Remaining: 65532 seconds IP Address: 10.3.1.110 Subnet Mask: 255.255.[...]
Page 108
108 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES Configuring the System IP Address You can designate one of the IP addresses configured on a WX switch to be the system IP address of the switch. The system IP address determines the interface or source IP address MSS uses for system tasks, including the following: Mo[...]
Page 109
Configuring and Managing IP Routes 109 A destination can be a subnet or network. If two static routes specify a destination, the more specific route is always chosen (longest prefix match). For example, if you have a static route with a destination of 10.10.1.0/24, and another static route with a destination of 10.10.0.0/16, the first [...]
Page 110
110 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES Displaying IP Routes To display IP routes, use the following command: display ip route [destination] The destination parameter specifies a destination IP address. To display the IP route table, type the following command: WX1200# display ip route Router table for IPv4 Dest[...]
Page 111
Configuring and Managing IP Routes 111 If a VLAN is administratively disabled or all of the links in the VLAN go down or are disabled, MSS removes the VLAN’s routes from the route table. If the direct route required by a static route goes down, MSS changes the static route state to Down. If the route table contains other static routes to the[...]
Page 112
112 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES To add two default routes and configure MSS to always use the route through 10.2.4.69 when the WX interface to that default router is up, type the following commands: WX1200# set ip route default 10.2.4.69 1 success: change accepted. WX1200# set ip route default 10.2.4.17 2[...]
Page 113
Managing the Management Services 113 Managing the Management Services MSS provides the following services for managing a WX switch over the network: Secure Shell (SSH) — SSH provides a secure connection to the CLI through TCP port 22. Telnet — Telnet provides a nonsecure connection to the CLI through TCP port 23. HTTPS — HTT[...]
Page 114
114 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES SSH requires an SSH authentication key. You can generate one or allow MSS to generate one. The first time an SSH client attempts to access the SSH server on a WX switch, the switch automatically generates a 1024-byte SSH key. If you want to use a 2048-byte key instead, [...]
Page 115
Managing the Management Services 115 To add administrative user wxadmin with password letmein, and use RADIUS server group sg1 to authenticate the user, type the following commands: WX1200# set user wxadmin password letmein success: User wxadmin created WX1200# set authentication admin wxadmin sg1 success: change accepted (For more informatio[...]
Page 116
116 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES To clear all SSH server sessions, type the following command: WX1200# clear sessions admin ssh This will terminate manager sessions, do you wish to continue? (y|n) [n] y Cleared ssh session on tty3 (To manage Telnet client sessions, see “Logging In to a Remote Device?[...]
Page 117
Managing the Management Services 117 Displaying Telnet Status To display the status of the Telnet server, use the following command: display ip telnet To display the Telnet server status and the TCP port number on which a WX switch listens for Telnet traffic, type the following command: WX1200> display ip telnet Server Status Port -----[...]
Page 118
118 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES To display the Telnet server sessions on a WX switch, type the following command: WX1200# display sessions admin Tty Username Time (s) Type ------- -------------------- -------- ---- tty0 3644 Console tty2 tech 6 Telnet tty3 sshadmin 381 SSH 3 admin sessions To clear all Te[...]
Page 119
Managing the Management Services 119 The command lists the TCP port number on which the switch listens for HTTPS connections. The command also lists the last 10 devices to establish HTTPS connections with the switch and when the connections were established. If a browser connects to a WX switch from behind a proxy, then only the proxy IP addr[...]
Page 120
120 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES Setting a Message of the Day (MOTD) Banner You can configure the WX switch to display a Message of the Day (MOTD) banner, which is a string of text that is displayed before the beginning of the login prompt for a user’s CLI session. The MOTD banner can be a message to use[...]
Page 121
Configuring and Managing DNS 121 After these commands are entered, when the user logs on, the MOTD banner is displayed, followed by the text Do you agree? If the user enters y, then the login proceeds; if not, then the user is disconnected. Configuring and Managing DNS You can configure a WX switch to use a Domain Name Service (DNS) server to re[...]
Page 122
122 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES Configuring a Default Domain Name You can configure a single default domain name for DNS queries. The WX switch appends the default domain name to hostnames you enter in commands. For example, you can configure the WX switch to automatically append the domain name example.c[...]
Page 123
Configuring and Managing Aliases 123 Configuring and Managing Aliases An alias is a string that represents an IP address. You can use aliases as shortcuts in CLI commands. For example, you can configure alias pubs1 for IP address 10.10.10.20, and enter ping pubs1 as a shortcut for ping 10.10.10.20. Aliases take precedence over DNS. When you e[...]
Page 124
124 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES Configuring and Managing Time Parameters You can configure the system time and date statically or by using Network Time Protocol (NTP) servers. In each case, you can specify the offset from Coordinated Universal Time (UTC) by setting the time zone. You also can configure M[...]
Page 125
Configuring and Managing Time Parameters 125 Setting the Time Zone The time zone parameter adjusts the system date, and optionally the time, by applying an offset to UTC. To set the time zone, use the following command: set timezone zone-name {-hours [minutes]} The zone name can be up to 32 alphanumeric characters long, with no spaces. The h[...]
Page 126
126 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES The summer-name can be up to 32 alphanumeric characters long, with no spaces. The start and end dates and times are optional. If you do not specify a start and end time, MSS implements the time change starting at 2:00 a.m. on the first Sunday in April and ending at 2:00 a.m[...]
Page 127
Configuring and Managing Time Parameters 127 Statically Configuring the System Time and Date To statically configure the system time and date, use the following command: set timedate {date mmm dd yyyy [time hh:mm:ss]} The day of week is automatically calculated from the day you set. To set the date to February 29, 2004 and time to 23:58: WX1[...]
Page 128
128 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES MSS adjusts the NTP reply according to the following time parameters configured on the WX switch: Offset from UTC (configured with the timezone command; see “Setting the Time Zone” on page 125) Daylight savings time (configured with the set summertime command; see[...]
Page 129
Configuring and Managing Time Parameters 129 Resetting the Update Interval to the Default To reset the update interval to the default value, use the following command: clear ntp update-interval Enabling the NTP Client The NTP client is disabled by default. To enable the NTP client, use the following command: set ntp {enable | disable} Display[...]
Page 130
130 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES Managing the ARP Table The Address Resolution Protocol (ARP) table maps IP addresses to MAC addresses. An ARP entry enters the table in one of the following ways: Added automatically by the WX switch. A switch adds an entry for its own MAC address and adds entries for[...]
Page 131
Managing the ARP Table 131 Adding an ARP Entry MSS automatically adds a local entry for a WX switch and dynamic entries for addresses learned from traffic received by the switch. You can add the following types of entries: Dynamic — Ages out based on the aging timeout. Static — Does not age out but is removed by a software reboot. ?[...]
Page 132
132 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES Pinging Another Device To verify that another device in the network can receive IP packets sent by the WX switch, use the following command: ping host [count num-packets] [dnf] [flood] [interval time] [size size] [source-ip ip-addr | vlan-name] To ping a device th[...]
Page 133
Tracing a Route 133 When you press Ctrl+t or type exit to end the client session, the management session returns to the local WX prompt: WX1200-remote> Session 0 pty tty2.d terminated tt name tty2.d WX1200# Use the following commands to manage Telnet client sessions: display sessions telnet client clear sessions telnet client [session-id] [...]
Page 134
134 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES To identify the next hop, traceroute again sends a UDP packet, but this time with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the Tim[...]
Page 135
IP Interfaces and Services Configuration Scenario 135 IP Interfaces and Services Configuration Scenario This scenario configures IP interfaces, assigns one of the interfaces to be the system IP address, and configures a default route, DNS parameters, and time and date parameters. 1 Configure IP interfaces on the mgmt and roaming VLANs, and v[...]
Page 136
136 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES 3 Configure a default route through a default router attached to the WX switch and verify the configuration change. Type the following commands: WX1200# set ip route default 10.20.10.1 1 success: change accepted. WX1200# display ip route Router table for IPv4 Destination[...]
Page 137
IP Interfaces and Services Configuration Scenario 137 WX1200# display summertime Summertime is enabled, and set to 'PDT'. Start : Sun Apr 04 2004, 02:00:00 End : Sun Oct 31 2004, 02:00:00 Offset : 60 minutes Recurring : yes, starting at 2:00 am of first Sunday of April and ending at 2:00 am on last Sunday of October. WX1200# set ntp ser[...]
Page 138
138 CHAPTER 6: CONFIGURING AND MANAGING IP INTERFACES AND SERVICES[...]
Page 139
7 CONFIGURING SNMP MSS supports Simple Network Management Protocol (SNMP) versions 1, 2c, and 3. Overview The MSS SNMP engine (also called the SNMP server or agent) can run any combination of the following SNMP versions: SNMPv1—SNMPv1 is the simplest and least secure SNMP version. Community strings are used for authentication. Communicati[...]
Page 140
140 CHAPTER 7: CONFIGURING SNMP Set the minimum level of security allowed for SNMP message exchanges. Configure a notification profile or modify the default one, to enable sending of notifications to notification targets. By default, notifications of all types are dropped (not sent). Configure notification targets. Enable the M[...]
Page 141
Configuring SNMP 141 The comm-string can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 10 community strings. The access level specifies the read-write privileges of the community string: read-only—An SNMP management application using the string can get (read) object values on the switch but cannot s[...]
Page 142
142 CHAPTER 7: CONFIGURING SNMP The usm-username can be up to 32 alphanumeric characters long, with no spaces. You can configure up to 20 SNMPv3 users. The snmp-engine-id option specifies a unique identifier for an instance of an SNMP engine. To send informs, you must specify the engine ID of the inform receiver. To send traps and to al[...]
Page 143
Configuring SNMP 143 3des—Triple DES encryption is used. aes—Advanced Encryption Standard (AES) encryption is used. If the encryption type is des, 3des, or aes, you can specify a passphrase or a hexadecimal key. To specify a passphrase, use the encrypt-pass-phrase string option. The string can be from 8 to 32 alphanumeric [...]
Page 144
144 CHAPTER 7: CONFIGURING SNMP To set the minimum level of security MSS requires for SNMP, use the following command: set snmp security {unsecured | authenticated | encrypted | auth-req-unsec-notify} You can specify one of the following options: unsecured—SNMP message exchanges are not secure. This is the default, and is the only va[...]
Page 145
Configuring SNMP 145 The profile-name can be up to 32 alphanumeric characters long, with no spaces. To modify the default notification profile, specify default. The notification-type can be one of the following: APBootTraps—Generated when a MAP boots. ApNonOperStatusTraps—Generated to indicate a MAP radio is nonoperational. [...]
Page 146
146 CHAPTER 7: CONFIGURING SNMP DAPConnectWarningTraps—Generated when a Distributed MAP whose fingerprint has not been configured in MSS establishes a management session with the switch. DeviceFailTraps—Generated when an event with an Alert severity occurs. DeviceOkayTraps—Generated when a device returns to its normal s[...]
Page 147
Configuring SNMP 147 RFDetectInterferingRogueDisappearTraps—Generated when an interfering device is no longer detected. RFDetectSpoofedMacAPTraps—Generated when MSS detects a wireless packet with the source MAC address of a 3Com MAP, but without the spoofed MAP’s signature (fingerprint). RFDetectSpoofedSsidAPTraps—Gene[...]
Page 148
148 CHAPTER 7: CONFIGURING SNMP WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectInterferingRogueAPTraps success: change accepted. WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectInterferingRogueDisappearTraps success: change accepted. WX1200# set snmp notify profile snmpprof_rfdetect send RFDetectRogueAPTraps suc[...]
Page 149
Configuring SNMP 149 To configure a notification target for traps from SNMPv3, use the following command: set snmp notify target target-num ip-addr[:udp-port-number] usm trap user username [profile profile-name] [security {unsecured | authenticated | encrypted}] To configure a notification target for informs from SNMPv2c, use the followi[...]
Page 150
150 CHAPTER 7: CONFIGURING SNMP The inform or trap option specifies whether the MSS SNMP engine expects the target to acknowledge notifications sent to the target by the WX switch. Use inform if you want acknowledgements. Use trap if you do not want acknowledgements. The inform option is applicable to SNMP version v2c or usm only. The usernam[...]
Page 151
151 CHAPTER 7: CONFIGURING SNMP This command configures target 1 at IP address 10.10.40.9. The target’s SNMP engine ID is based on its address. The MSS SNMP engine will send notifications based on the default profile, and will require the target to acknowledge receiving them. The following command configures a notification target for unack[...]
Page 152
152 CHAPTER 7: CONFIGURING SNMP Displaying Notification Profiles To display notification profiles, use the following command: display snmp notify profile The command lists settings separately for each notification profile. The use count indicates how many notification targets use the profile. For each notification type, the command lists whet[...]
Page 153
8 CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING A Mobility Domain is a system of WX switches and managed access points (MAPs) working together to support roaming wireless users (clients). Tunnels and virtual ports between the WX switches in a Mobility Domain allow users to roam without any disruption to network connectivity. About the M[...]
Page 154
154 CHAPTER 8: CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING Configuring a Mobility Domain The WX switches in a Mobility Domain use their system IP address for Mobility Domain communication. To support the services of the Mobility Domain, the system IP address of every WX switch requires basic IP connectivity to the system IP address[...]
Page 155
Configuring a Mobility Domain 155 Optionally, you can configure a redundant seed WX switch, which takes over seed duties if the primary seed becomes unavailable. See “Configuring Mobility Domain Seed Redundancy” on page 156. Configuring Member WX Switches on the Seed To configure the list of members on the Mobility Domain seed for distri[...]
Page 156
156 CHAPTER 8: CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING Configuring Mobility Domain Seed Redundancy You can optionally specify a secondary seed in a Mobility Domain. The secondary seed provides redundancy for the primary seed switch in the Mobility Domain. If the primary seed becomes unavailable, the secondary seed assumes the rol[...]
Page 157
Configuring a Mobility Domain 157 Displaying Mobility Domain Status To view the status of the Mobility Domain for the WX switch, use the display mobility-domain command. For example: WX# display mobility-domain Mobility Domain name: pleasanton Member State Type (*:active) Model Version --------------- ------------- ------ --------- -------- -----[...]
Page 158
158 CHAPTER 8: CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING Configuring WX-WX Security You can enhance security on your network by enabling WX-WX security. WX-WX security encrypts management traffic exchanged by WX switches in a Mobility Domain. When WX-WX security is enabled, management traffic among WX switches in the Mobility [...]
Page 159
Monitoring the VLANs and Tunnels in a Mobility Domain 159 Monitoring the VLANs and Tunnels in a Mobility Domain Tunnels connect WX switches. Tunnels are formed automatically in a Mobility Domain to extend a VLAN to the WX switch that a roaming station is associated with. A single tunnel can carry traffic for many users and many VLANs. The tunn[...]
Page 160
160 CHAPTER 8: CONFIGURING AND MANAGING MOBILITY DOMAIN ROAMING Displaying Roaming VLANs and Their Affinities The command display roaming vlan displays all VLANs in the Mobility Domain, the WX switches servicing the VLANs, and their tunnel affinity values configured on each switch for the VLANs. The member WX switch that offers the requeste[...]
-
Seite 161
Understanding the Sessions of Roaming Users 161 Understanding the Sessions of Roaming Users When a wireless client su ccessfully roams fr om one MAP to another , its sessions ar e af fected in the following ways: The WX treats this client session as a roaming session and not a new session. RADIUS accoun ting is handled as a continuation of [...]
-
Seite 162
162 C HAPTER 8: C ONFIGURING AND M ANAGING M OBILITY D OMAIN R OAMING Effects of Timers on Roaming An unsuccessful roaming attempt might be caused by the following timers. Y ou cannot configu r e either timer . Grace period — A disassociated session has a grace period of 5 seconds during which MSS can retrieve and forward the session history [...]
-
Seite 163
Mobility Domain Scenario 163 Mobility Domain Scenario The following scenario illustrates ho w to create a Mobility Domain named sunflower consisting of three members from a seed WX switch at 192.168.253.2 1: 1 Make the current WX switch the Mobility Domain seed. T ype the following command: WX1200# set mobility-domain mode see d domain-name sunflow[...]
-
Seite 164
164 C HAPTER 8: C ONFIGURING AND M ANAGING M OBILITY D OMAIN R OAMING vlan-wep 192.168.12.7 5 vlan-wep 192.168.15.5 5 7 T o display active roaming tunnel s, type the following command: WX1200# display tunnel VLAN Local Address Remote Address State Port LVID RVID -------------- --------------- ----- ---------- ------- ----- ----- - ---- vlan-eng 192[...]
-
Seite 165
9 C ONFIGURING N ETWORK D OMAINS A Network Domain is a group of ge ographically dispersed Mobilit y Domains that share information over a W AN li nk. This sh ar ed information allows a user configur ed in one Mob ility Domain to establish connectivity on a WX switch in a r emote Mobility Doma in. The WX switch forwar ds the user traffic by creating[...]
-
Seite 166
166 C HAPTER 9: C ONFIGURING N ETWORK D OMAINS Figure 4 Network Domain In a Network Domain, one or more WX switches acts as a seed device. A Network Domain seed stores information about all of the VLANs on the Network Domain members. The Ne twork Domain seeds shar e this information among themselves, so that every seed has an identical database. In[...]
-
Seite 167
About the Network Domain Feature 167
Figure 5 illustrates how user Bob, who is based at Sales Office C, gets connectivity and is placed in a VLAN when he visits the Corporate Office.
Figure 5 How a user connects to a remote VLAN in a Network Domain
In this example, Bob establishes connectivity as follows:
1 Bob connects to the wireless network a[...]
168 CHAPTER 9: CONFIGURING NETWORK DOMAINS
4 A VLAN tunnel is created between the WX switch at the Corporate Office and the WX switch at Sales Office C.
5 Bob establishes connectivity on the network at the corporate office and is placed in VLAN Red.
Network Domain Seed Affinity
When there are multiple Network Domain seeds in an installation,[...]
Configuring a Network Domain 169
In the previous example, a WX switch in the Mobility Domain at the corporate office is configured as a member of a Network Domain that has a local seed, as well as seeds at the two branch offices and the three sales offices. The WX switch has an affinity value of 10 (highest) for the local seed, and an affinit[...]
170 CHAPTER 9: CONFIGURING NETWORK DOMAINS
For example, the following command sets the current WX switch as a seed with the Network Domain California:
WX1200# set network-domain mode seed domain-name California
success: change accepted.
If the seed in a Network Domain is also intended to be a member of the Network Domain, you must enter the f[...]
Configuring a Network Domain 171
For example, the following command sets the current WX switch as a peer of the Network Domain seed with IP address 192.168.9.254:
WX1200# set network-domain peer 192.168.9.254
success: change accepted.
This command is valid on Network Domain seeds only.
Configuring Network Domain Members
In a Network Domain, at [...]
172 CHAPTER 9: CONFIGURING NETWORK DOMAINS
To specify 10.8.107.1 as an additional Network Domain seed for the WX switch to connect to if the 192.168.9.254 seed is unavailable, enter the following command:
WX1200# set network-domain mode member seed-ip 10.8.107.1 affinity 2
success: change accepted.
Displaying Network Domain Information
To [...]
Configuring a Network Domain 173
Clearing Network Domain Configuration from a WX Switch
You can clear all Network Domain configuration from a WX switch, regardless of whether the WX switch is a seed or a member of a Network Domain. You may want to do this in order to change a WX switch from one Network Domain to another, or to remove a WX [...]
174 CHAPTER 9: CONFIGURING NETWORK DOMAINS
Network Domain Scenario
The following scenario illustrates how to create a Network Domain named globaldom consisting of three Mobility Domains at two geographically separated sites. Figure 7 below illustrates this scenario.
Figure 7 Network Domain Scenario
In this scenario, there are three Mobili[...]
Network Domain Scenario 175
The following is the Network Domain configuration for this scenario:
1 Make the WX switch with IP address 10.10.10.1 a seed of a Network Domain called globaldom and establish a peer relationship with the WX switch with IP address 20.20.20.1. Type the following commands:
WX1200# set network-domain mode seed domain-name [...]
176 CHAPTER 9: CONFIGURING NETWORK DOMAINS
20.20.20.1 UP SEED
20.20.20.2 UP MEMBER
20.20.20.3 UP MEMBER
30.30.30.1 UP MEMBER
30.30.30.2 UP MEMBER
Member Network Domain name: globaldom
Member State Mode
--------------- ------------- ------ ---------------
10.10.10.1 UP SEED
10.10.10.2 UP MEMBER
10.10.10.3 UP MEMBER
20.20.20.1 UP SEED
20.20.20.2[...]
10 CONFIGURING MAP ACCESS POINTS
MAPs contain radios that provide networking between your wired network and IEEE 802.11 wireless users. A MAP connects to the wired network through a 10/100 Ethernet link and connects to wireless users through radio signals.
MAP Overview
Figure 8 shows an example of a 3Com network containing MAPs and WX switch[...]
178 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Figure 8 Example 3Com Network
To configure MAPs, perform the following tasks, in this order:
Specify the country of operation.
Configure MAP access ports, Distributed AP connections, and dual homing.
If required, configure radio-specific parameters, which include the channel num[...]
MAP Overview 179
You do not need to set channels and power if you use RF Auto-Tuning to set these values.
You do not need to specify an external antenna type unless a radio uses an external antenna. However, if you do install an external antenna, you must ensure that the external antenna model parameter you specify exactly matches the extern[...]
180 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Similar to ports configured for directly connected MAPs, distributed MAP configurations are numbered and can reference a particular MAP. These numbered configurations do not, however, reference any physical port.
Distributed MAP Network Requirements
Because Distributed MAPs are not directly[...]
MAP Overview 181
If only 3COMWX is defined in DNS, the MAP contacts the WX with an IP address returned for 3COMWX.
Distributed MAPs and STP
A Distributed MAP is a leaf device. You do not need to enable STP on the port that is directly connected to the MAP. If Spanning Tree Protocol (STP) is enabled on the port that is directly connected to a[...]
182 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Distributed MAPs and DHCP Option 43
The option 43 field in a DHCP Offer message can provide a simple and effective way for MAPs to find WX switches across an intermediate Layer 3 network, and is especially useful in networks that are geographically distributed or have a flat domain name space. [...]
MAP Overview 183
MAP Parameters
Table 9 summarizes parameters that apply to individual MAPs, including dual-homing parameters. (For information about parameters for individual radios, see “Configuring a Radio Profile” on page 240 and “Configuring Radio-Specific Parameters” on page 246.)
Table 9 Global MAP Parameters
Parameter Default[...]
184 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Resiliency and Dual-Homing Options for MAPs
MAPs can support a wide variety of resiliency options. Redundancy for data link connections and for WX services can be provided to the MAP.
PoE redundancy—On MAP models that have two Ethernet ports, you can provide PoE redundancy by connecting [...]
MAP Overview 185
Dual-Homed Configuration Examples
The following sections show examples of dual-homed configurations. You can use any of these configurations to dual home a MAP model that has two Ethernet ports. MAP models with one Ethernet port support only the dual-homing configuration in “Dual-Homed Distributed Connections to WX Switches o[...]
186 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Dual-Homed Direct and Distributed Connections to WX Switches
Figure 11 shows an example of a dual-homed configuration in which one MAP connection is direct and the other is distributed over the network.
Figure 11 Dual-Homed Direct and Distributed Connections to WX Switches
In this example, th[...]
MAP Overview 187
Dual-Homed Distributed Connections to WX Switches on Both MAP Ports
Figure 12 shows an example of a dual-homed configuration in which both MAP connections are distributed over the network.
Figure 12 Dual-homed Distributed Connections to WX Switches on Both MAP Ports
In this configuration, the MAP first attempts to boot on its[...]
188 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Dual-Homed Distributed Connections to WX Switches on One MAP Port
Figure 13 shows an example of a MAP with a single physical link to a network containing three WX switches.
Figure 13 Single-homed Connection to Multiple WX Switches on One MAP Port
In this configuration, the MAP sends a boot request[...]
MAP Overview 189
Boot Process for Distributed MAPs
When a distributed MAP boots on the network, it uses the process described in this section. Note that this process applies only to distributed MAPs; it does not apply to a directly connected MAP. The boot process for a directly connected MAP occurs strictly between the MAP and WX switch and mak[...]
190 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Static IP Address Configuration for Distributed MAPs
In cases where DHCP is not available, you can manually assign IP address information to a Distributed MAP. This information is configured through the CLI. You can configure the following information for a Distributed MAP:
a IP address, su[...]
MAP Overview 191
If no WX switches reply, the MAP repeatedly resends the Find WX messages. If no WX switches reply, the process continues with step 3.
2 If no IP addresses or hostnames were specified in the Option 43 field of the DHCP Offer message, the MAP sends a Find WX message to UDP port 5000 on the subnet broadcast address. WX swi[...]
192 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
If only wlan-switch is defined in DNS, the MAP sends a unicast Find WX message to the WX switch whose IP address is returned for wlan-switch.
If both 3Com and wlan-switch are defined in DNS, the MAP sends a unicast Find WX message to the WX switch whose IP address is returned for 3Com. [...]
MAP Overview 193
How a Distributed MAP Contacts a WX Switch (Statically Configured Address)
When configuring a distributed MAP with static IP information, you can specify the following information:
a IP address, subnet mask, default gateway router, and whether the configured static IP address information is enabled for the MAP.
b The IP addre[...]
194 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
If there is no response to the broadcast Find WX message, the MAP continues broadcasting the Find WX message for a period of time. If still no response is received, then the process skips to step 4 on page 191.
3 If Items A and C are specified, the MAP sends a DNS request to resolve the[...]
MAP Overview 195
Loading and Activating an Operational Image
A MAP’s operational image is the software that allows it to function on the network as a wireless access point. As part of the MAP boot process, an operational image is loaded into the MAP’s RAM and activated. The MAP stores copies of its operational image locally, in its intern[...]
196 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Figure 15 on page 198 shows an example of the boot process for a MAP connected through a Layer 3 network.
Figure 16 on page 200 shows an example of the boot process for a dual-homed MAP that has one direct connection to a WX switch and an indirect connection through a Layer 2 network.
F[...]
MAP Overview 197
1 The MAP sends a DHCP Discover message from MAP port 1.
2 The DHCP server receives the Discover message (through a relay agent) and replies with a DHCP Offer message containing the IP address for the MAP, the router IP address for the MAP IP subnet, the DNS server address, and the domain name. The MAP then sends a DHCP Request message[...]
198 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Example MAP Boot over Layer 3 Network
Figure 15 shows an example of the boot process for a MAP connected through a Layer 3 network.
Figure 15 MAP Booting over Layer 3 Network
1 The MAP sends a DHCP Discover message from the MAP’s port 1.
2 The DHCP server replies with a DHCP Offer message conta[...]
MAP Overview 199
5 The DNS server sends the system IP address of the WX switch mapped to 3com.example.com. In this example, the address is for WX1.
6 The MAP sends a unicast Find WX message to WX1.
7 WX1 receives the Find WX message and compares the bias settings on each WX for the MAP. More than one WX has a high bias for the MAP, so WX1 sel[...]
200 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Example Boot of Dual-Homed MAP
Figure 16 shows an example of the boot process for a MAP that is dual homed with a direct connection to WX1 and an indirect connection to WX2 and WX3. In this configuration, since the MAP is directly connected to a WX switch, the MAP boots using the directly connec[...]
MAP Overview 201
1 The MAP sends a DHCP Discover message from the MAP’s port 1.
2 Because WX1 is configured for direct attachment, WX1 responds privately to the MAP and provides the MAP with its operational image (or indicates that the MAP should use a locally stored image) and configuration from WX1. Only in the event of a physical port failure [...]
202 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
After the MAP is configured with the above information, the next time the MAP boots, the following takes place:
1 The MAP sends an ARP request for its own address, to ensure it is not in use elsewhere in the network.
2 The DNS server resolves the fully qualified domain name of the WX switch, wx[...]
MAP Overview 203
auth-fallthru web-auth Uses WebAAA for users who do not match an 802.1X or MAC authentication rule for the SSID requested by the user.
auth-psk disable Does not support using a preshared key (PSK) to authenticate WPA clients.
beacon enable Sends beacons to advertise the SSID managed by the service profile.
cac-mode none Does not [...]
204 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
keep-initial-vlan disable Reassigns the user to a VLAN after roaming, instead of leaving the roamed user on the VLAN assigned by the switch where the user logged on. Note: Enabling this option does not retain the user’s initial VLAN assignment in all cases.
no-broadcast disable Does not reduce w[...]
MAP Overview 205
tkip-mc-time 60000 Uses Michael countermeasures for 60,000 ms (60 seconds) following detection of a second MIC failure within 60 seconds.
transmit-rates 802.11a: mandatory: 6.0,12.0,24.0 beacon-rate: 6.0 multicast-rate: auto disabled: none 802.11b: mandatory: 1.0,2.0 beacon-rate: 2.0 multicast-rate: auto[...]
206 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
(To configure a service profile, see “Configuring a Service Profile” on page 233.)
web-portal-acl portalacl Note: This is the default only if the fallthru type on the service profile has been set to web-portal. Otherwise, the value is unconfigured. If set to portalacl and the service profile[...]
MAP Overview 207
Public and Private SSIDs
Each radio can support the following types of SSIDs:
Encrypted SSID — Clients using this SSID must use encryption. Use the encrypted SSID for secured access to your enterprise network.
Clear SSID — Clients using this SSID do not use encryption. Use the clear SSID for public access to nonsecure[...]
208 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Radios and SSIDs
AP2750 The radio MAC address equals the MAP base MAC address. The BSSIDs for the SSIDs configured on the radio end in even numbers. The first BSSID is equal to the MAP’s base MAC address. The next BSSID is equal to the MAP’s base MAC address + 2, and so on.
AP7250 AP8250 AP87[...]
MAP Overview 209
Encryption
Encrypted SSIDs can use the following encryption methods:
Wi-Fi Protected Access (WPA)
Non-WPA dynamic Wired Equivalent Privacy (WEP)
Non-WPA static WEP
Dynamic WEP is enabled by default. (For more information, including configuration instructions, see Chapter 13, “Configuring User Encryption,” on[...]
210 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
(To configure a radio profile, see “Configuring a Radio Profile” on page 240.)
frag-threshold 2346 Uses the short-retry-count for frames shorter than 2346 bytes and uses the long-retry-count for frames that are 2346 bytes or longer.
max-rx-lifetime 2000 Allows a received frame to stay in [...]
MAP Overview 211
RF Auto-Tuning
The RF Auto-Tuning feature dynamically assigns channel and power settings to MAP radios, and adjusts those settings when needed. RF Auto-Tuning can perform the following tasks:
Assign initial channel and power settings when a MAP radio is started.
Periodically assess the RF environment and change the ch[...]
212 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Although these parameters have default values, 3Com recommends that you change the values for each radio for optimal performance. For example, leaving the channel number on each radio set to its default value can result in high interference among the radios. (To configure these parameters, see [...]
Configuring MAPs 213
Configuring MAPs
To configure MAPs, perform the following tasks, in this order:
Specify the country of operation. (See “Specifying the Country of Operation” on page 213.)
Configure an Auto-AP profile for automatic configuration of Distributed MAPs. (See “Configuring an Auto-AP Profile for Automatic MAP Configur[...]
214 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Table 14 Country Codes
Country Code
Algeria DZ
Argentina AR
Australia AU
Austria AT
Bahrain BH
Belgium BE
Belize BZ
Bolivia BO
Bosnia and Herzegovina BA
Brazil BR
Bulgaria BG
Canada CA
Chile CL
China CN
Colombia CO
Costa Rica CR
Cote d’Ivoire CI
Croatia HR
Cyprus CY
Czech Republic CZ
Denmark DK[...]
Configuring MAPs 215
Honduras HN
Hong Kong HK
Hungary HU
Iceland IS
India IN
Indonesia ID
Ireland IE
Israel IL
Italy IT
Jamaica JM
Japan JP
Jordan JO
Kazakhstan KZ
Kenya KE
Kuwait KW
Latvia LV
Lebanon LB
Liechtenstein LI
Lithuania LT
Luxembourg LU
Macedonia, former Yugoslav Republic of MK
Malaysia MY
Malta MT
Mauritius MU
Mexico MX
Morocco MA
Nami[...]
216 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Oman OM
Pakistan PK
Panama PA
Paraguay PY
Peru PE
Philippines PH
Poland PL
Portugal PT
Puerto Rico PR
Qatar QA
Romania RO
Russia RU
Saudi Arabia SA
Serbia CS
Singapore SG
Slovakia SK
Slovenia SI
South Africa ZA
South Korea KR
Spain ES
Sri Lanka LK
Sweden SE
Switzerland CH
Taiwan TW
Thailand TH
Trin[...]
Configuring MAPs 217
The current software version might not support all of the countries listed here.
To verify the configuration change, use the following command:
display system
The following commands set the country code to US (United States) and verify the setting:
WX1200# set system countrycode US
success: change accepted.
WX1200# display sy[...]
218 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Configuring an Auto-AP Profile for Automatic MAP Configuration
You can use an Auto-AP profile to deploy unconfigured Distributed MAPs. A Distributed MAP that does not have a configuration on a WX switch can receive its configuration from the Auto-AP profile instead. The Auto-AP profile assigns a [...]
Configuring MAPs 219
For example, suppose the Mobility Domain has two WX switches, with the capacities and loads listed in Table 15.
For WX1200 A:
The number of MAPs that can be configured on the switch, minus the number that are configured, is 30 - 25 = 5.
The number of MAPs that can be active on the switch, minus the number that are a[...]
220 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
The disconnected MAP can then begin the boot process again to find another WX switch that has an Auto-AP profile. When the MAP is disconnected, the MAP clients experience a service disruption, and will attempt to associate with another MAP if available to reconnect to the SSID they were using.[...]
Configuring MAPs 221
MAPs that receive their configurations from the Auto-AP profile also receive the radio settings from the radio profile used by the Auto-AP profile. Likewise, the SSIDs and encryption settings come from the service profiles mapped to the radio profile. To use a radio profile other than default, you must specify the radio p[...]
222 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
MAP Parameters:
set dap auto bias { high | low }
set dap auto blink { enable | disable }
set dap auto force-image-download { enable | disable }
set dap auto group name
set dap auto mode { enable | disable }
set dap auto persistent [ apnumber | all ]
set dap auto upgrade-firmware { enable | disabl[...]
Configuring MAPs 223
Displaying Status Information for MAPs Configured by the Auto-AP Profile
To display status information for MAPs configured by the Auto-AP profile, type the following command:
WX# display ap status auto
AP: 7, AP model: AP3750, manufacturer 3Com, name: MAP07
====================================================
State: operat[...]
224 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
The MAP continues to operate without interruption after you enter the set ap auto persistent command. The next time the MAP is restarted, the Auto-AP profile is not used to configure the MAP. Instead, the persistent configuration is used. (Use the save config command to make the MAP configur[...]
Configuring MAPs 225
To configure a MAP model MP-372 with serial-ID 0322199999, type the following command:
WX# set ap 1 serial-id 0322199999 model mp-372
success: change accepted.
(To specify the external antenna type, use the set ap radio antennatype command. See “Configuring the External Antenna Model and Location” on page 247.)
Config[...]
226 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Specifying WX Switch Information
To specify the WX switch a Distributed MAP contacts and attempts to use as its boot device, use the following command:
set ap apnumber boot-switch [ switch-ip ip-addr ] [ name name dns ip-addr ] [ mode { enable | disable }]
You can specify the WX switch by its [...]
Configuring MAPs 227
The following command configures Distributed MAP 1 to use VLAN tag 100:
WX1200# set ap 1 boot-vlan vlan-tag 100 mode enable
success: change accepted.
Clearing a MAP from the Configuration
To clear MAP settings from a port, use the following command:
When you clear a MAP, MSS ends user sessions that are using the MAP.
clear [...]
228 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
The default bias is high. To change the bias for a Distributed MAP to low, type the following command:
WX# set ap 1 bias low
success: change accepted.
Disabling or Reenabling Automatic Firmware Upgrades
A MAP can automatically upgrade its boot firmware by loading the upgrade version of the fi[...]
Configuring MAPs 229
The MAP loads its local image only if the WX is running MSS Version 5.0 or later and does not have a newer MAP image than the one in the MAP’s local storage. If the switch is not running MSS Version 5.0 or later, or the WX has a newer version of the MAP image than the version in the MAP’s local storage, the MAP loads[...]
230 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
The maximum transmission unit (MTU) for encrypted MAP management traffic is 1498 bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the intermediate network between the WX switch and Distributed MAP can support the higher MTU.
Encryption Key Fin[...]
Configuring MAPs 231
Table 18 lists the MAP security options and whether a MAP can establish a management session with a WX based on the option settings.
Verifying a MAP Fingerprint on a WX Switch
To verify a MAP fingerprint, find the fingerprint and use the set ap fingerprint command to enter the fingerprint in MSS.
Finding the Fingerprint
A [...]
232 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
bssid2: 00:0b:0e:0a:60:02, ssid: 3Com
Radio 2 type: 802.11a, state: configure succeed [Enabled]
operational channel: 48 operational power: 11
base mac: 00:0b:0e:0a:60:01
bssid1: 00:0b:0e:0a:60:01, ssid: public
bssid2: 00:0b:0e:0a:60:03, ssid: 3Com
The fingerprint is displayed regardless of whe[...]
Configuring MAPs 233
Fingerprint Log Message
If MAP encryption is optional, and a MAP whose fingerprint has not been verified in MSS establishes a management session with the WX, MSS generates a log message such as the following:
AP-HS:(secure optional)configure AP M9DE48B012F00 with fingerprint c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb
The[...]
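As an added example (not part of the 3Com manual), the following Python script scans exported MSS log lines for the fingerprint message quoted above and flags MAPs whose serial has no fingerprint entered with set ap fingerprint, or whose presented fingerprint differs from the one entered. The log lines other than the one quoted on this page, and the allowlist, are constructed sample data.

```python
"""Detect MAPs that established a management session without a verified fingerprint.

Added example, not code from the 3Com manual. It parses the
"AP-HS:(secure optional)configure AP <serial> with fingerprint <hex>" message
quoted on the page and compares serial/fingerprint pairs against a list of
fingerprints an operator entered with "set ap fingerprint".
"""
import re
from dataclasses import dataclass

# Matches the log message format shown on the page: a 16-byte colon-separated
# fingerprint after the MAP serial ID. The security mode in parentheses is
# captured as well so that it can be reported.
FINGERPRINT_RE = re.compile(
    r"AP-HS:\((?P<mode>[^)]*)\)configure AP (?P<serial>[0-9A-Z]+) "
    r"with fingerprint (?P<fp>(?:[0-9a-f]{2}:){15}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    serial: str
    fingerprint: str
    verdict: str  # "unknown-map" or "fingerprint-mismatch"


def normalize(fp: str) -> str:
    """Canonical form for comparison: lowercase, colon-separated, no stray spaces."""
    return ":".join(part.strip().lower() for part in fp.split(":"))


def parse_line(line: str):
    """Return (serial, fingerprint) for a fingerprint log message, else None."""
    m = FINGERPRINT_RE.search(line)
    if not m:
        return None
    return m.group("serial").upper(), normalize(m.group("fp"))


def audit(log_lines, verified):
    """Return a Finding for each fingerprint message that is not backed by
    the verified fingerprint for that serial.

    verified: dict serial -> fingerprint entered with 'set ap fingerprint'.
    A serial with no entry is 'unknown-map' (MSS accepted a MAP nobody verified).
    A serial whose presented fingerprint differs is 'fingerprint-mismatch':
    the device using that serial is not the one whose fingerprint was verified.
    """
    expected_by_serial = {s.upper(): normalize(f) for s, f in verified.items()}
    findings = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        serial, fp = parsed
        expected = expected_by_serial.get(serial)
        if expected is None:
            findings.append(Finding(serial, fp, "unknown-map"))
        elif expected != fp:
            findings.append(Finding(serial, fp, "fingerprint-mismatch"))
    return findings


# Constructed sample log. The first line is the message quoted on the page;
# the other two are made up for this example.
SAMPLE_LOG = [
    "AP-HS:(secure optional)configure AP M9DE48B012F00 with fingerprint "
    "c6:98:9c:41:32:ab:37:09:7e:93:79:a4:ca:dc:ec:fb",
    "AP-HS:(secure optional)configure AP M9DE48B123400 with fingerprint "
    "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",
    "AP-HS: AP M9DE48B123600 configure succeed",  # unrelated line, ignored
]

# Constructed allowlist: fingerprints an operator entered with 'set ap fingerprint'.
# The value for M9DE48B123400 is made up and deliberately differs from the log.
VERIFIED = {
    "M9DE48B123400": "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99",
    "M9DE48B123600": "01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, VERIFIED):
        print(f"{f.verdict}: AP {f.serial} presented fingerprint {f.fingerprint}")
```

A fingerprint-mismatch for a serial already entered with set ap fingerprint is the finding to act on first, since it means the device using that serial is not the one whose fingerprint was verified out of band.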
234 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
You can include blank spaces in the name, if you delimit the name with single or double quotation marks. You must use the same type of quotation mark (either single or double) on both ends of the string.
The following command configures a service profile named corp1, and assigns SSID mycorp_rnd[...]
Configuring MAPs 235
SSIDs are beaconed by default. A MAP radio responds to an 802.11 probe any request only for a beaconed SSID. A client that sends a probe any request receives a separate response for each of the beaconed SSIDs supported by a radio. For a nonbeaconed SSID, radios respond only to directed 802.11 probe requests that match[...]
236 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Table 19 Transmit Rates
Parameter Default Value Description
mandatory 11a— 6.0,12.0,24.0 11b— 1.0,2.0 11g— 1.0,2.0,5.5,11.0 Set of data transmission rates that clients are required to support in order to associate with an SSID on a MAP radio. A client must support at least one[...]
Configuring MAPs 237
To change transmit rates for a service profile, use the following command:
set service-profile name transmit-rates { 11a | 11b | 11g } mandatory rate-list [ disabled rate-list ] [ beacon-rate rate ] [ multicast-rate { rate | auto }]
The following command sets 802.11a mandatory rates for service profile sp1 to 6 Mbps and 9 Mb[...]
238 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Data rate enforcement is useful if you want to completely prevent clients from transmitting at disabled data rates. For example, you can disable slower data rates so that clients transmitting at these rates do not consume bandwidth on the channel at the expense of clients transmitting at faster [...]
Configuring MAPs 239
Responding to keepalive messages requires power use by a client. If you need to conserve power on the client (for example, on a VoIP handset), you can disable idle-client probing.
To disable or reenable idle-client probing, use the following command:
set service-profile name idle-client-probing { enable | disable }
The foll[...]
240 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
To change the short retry threshold for service profile sp1 to 3, type the following command:
WX1200# set service-profile sp1 short-retry 3
success: change accepted.
Changing the Long Retry Threshold
The long retry threshold specifies the number of times a radio can send a long unicast frame for [...]
Configuring MAPs 241
Creating a New Profile
To create a radio profile, use the following command:
set radio-profile name [ mode { enable | disable }]
Specify a name of up to 16 alphanumeric characters. Do not include the mode enable or mode disable option. After you create the radio profile, you can use the enable and disable options to enabl[...]
242 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Changing the DTIM Interval
The DTIM interval specifies the number of times after every beacon that a radio sends a delivery traffic indication map (DTIM). A MAP sends the multicast and broadcast frames stored in its buffers to clients who request them in response to the DTIM. The DTIM interval[...]
Configuring MAPs 243
To change the RTS threshold, use the following command:
set radio-profile name rts-threshold threshold
The threshold can be a value from 256 bytes through 3000 bytes. The default is 2346.
To change the RTS threshold for radio profile rp1 to 1500 bytes, type the following command:
WX1200# set radio-profile rp1 rts-thres[...]
244 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Changing the Maximum Transmit Threshold
The maximum transmission threshold specifies the number of milliseconds a frame scheduled to be transmitted by a radio can remain in buffer memory.
To change the maximum transmit lifetime, use the following command:
set radio-profile name max-tx-lifet[...]
Configuring MAPs 245
The default preamble length value is short. This command does not apply to 802.11a radios.
To change the preamble length advertised by 802.11b/g radios, use the following command:
set radio-profile name preamble-length { long | short }
To configure 802.11b/g radios that use the radio profile rp_long to advertise support for[...]
246 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
You must disable all radios that are using a radio profile before you can remove the profile. (See “Disabling or Reenabling All Radios Using a Profile” on page 250.)
To disable the radios that are using radio profile rptest and remove the profile, type the following commands:
WX1200# set r[...]
Configuring MAPs 247
The maximum transmit power you can configure on any 3Com radio is the highest setting allowed for the country of operation or the highest setting supported on the hardware, whichever is lower.
To configure the 802.11b radio on port 1 for channel 1 with a transmit power of 10 dBm, type the following command:
WX1200# set a[...]
248 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Table 21 lists the external antenna models you can use with these MAPs. Table 22 lists the external antenna models you can use with the MP-620.
Specifying the External Antenna Model
To specify the external antenna model, use the following command:
set ap apnumber radio { 1 | 2 } antennatype {[...]
Configuring MAPs 249
To configure antenna model ANT1060 for an MP-262 on MAP 1, type the following command:
WX1200# set ap 1 radio 1 antennatype ANT1060
success: change accepted.
Specifying the External Antenna Location
In some cases, the set of valid channels for a radio differs depending on whether the antenna is located indoors or outdoors. Yo[...]
250 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
To disable radio 1 on port 6 without disabling the other radios using radio profile rp1, type the following command:
WX1200# set ap 6 radio 1 radio-profile rp1 mode disable
(To disable or reenable all radios that are using a radio profile, see “Disabling or Reenabling All Radios Using [...]
Disabling or Reenabling Radios 251
Resetting a Radio to its Factory Default Settings
To disable a MAP radio and reset it to its factory default settings, use the following command:
clear ap apnumber radio { 1 | 2 | all }
This command performs the following actions:
Sets the transmit power, channel, and external antenna type to their defau[...]
252 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Configuring Local Packet Switching on MAPs
MAPs can be configured to perform local packet switching. Local packet switching allows packets to be switched directly from the MAP to the wired network, instead of passing through an intermediate WX switch. When a MAP is configured to perform local s[...]
Configuring Local Packet Switching on MAPs 253
Configuring Local Switching
Configuring a MAP to perform local switching consists of the following tasks:
Configuring a VLAN profile for the MAP, which specifies the VLANs that are to be locally switched
Enabling local switching on the MAP
Applying the VLAN profile to the MAP
In addition,[...]
254 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
To enable local switching for MAP 7, type the following command:
WX# set ap 7 local-switching mode enable
success: change accepted.
Applying a VLAN Profile to a MAP
To apply a VLAN profile to a MAP to use with local switching, use the following command:
set ap apnumber local-switching vlan-prof[...]
Configuring Local Packet Switching on MAPs 255 T o clear th e VLAN pr ofi le that had been applied to MAP 7, type the following command: WX# clear ap 7 local-switching vlan- profile success: change accepted. Removing a VLAN Profile from the WX Switch T o remove a VLAN pr ofile or individual entries fr om a VLAN profile, use the following co mmand: [...]
Page 256
256 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
Displaying MAP Information
You can display the following MAP information:
- MAP and radio-specific configuration settings
- Connection information for Distributed MAPs configured on a WX
- List of Distributed MAPs that are not configured on a WX
- Connection information for Distribut[...]
Page 257
Displaying MAP Information 257
(display ap config output, continued)
force-rebalance: NO,
Radio 2: type: 802.11a, mode: disabled, channel: dynamic
tx pwr: 17, profile: default
auto-tune max-power: default, load-balance-group: , load-balance-enable: YES, force-rebalance: NO,
local-switching: enabled, vlan-profile: locals
(For information about the fields in the output, see the Wirele[...]
Page 258
258 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
This command indicates that the Mobility Domain contains four Distributed MAPs, with serial IDs M9DE48B012F00, M9DE48B123400, M9DE48B123600, and M9DE48B123700. Each MAP is configured on two WX switches, with system IP addresses 10.3.8.111 and 10.4.3.2. The bias for the MAP on each WX is liste[...]
Page 259
Displaying MAP Information 259
The WX does not need to be the one that booted the MAP, but it must have the MAP in its configuration. Also, the WX that booted the MAP must be in the same Mobility Domain as the WX where you use the command.
Displaying Service Profile Information
To display service profile information, use the following command: [...]
Page 260
260 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
(For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
Displaying Radio Profile Information
To display radio profile information, use the following command:
display radio-profile { name | ? }
Entering display radio-profile ? displays a lis[...]
Page 261
Displaying MAP Information 261
The following command displays the status of a Distributed MAP:
WX# display ap status 1
AP: 7, AP model: AP3750, manufacturer 3Com, name: MAP07
====================================================
State: operational (not encrypt)
CPU info: IBM:PPC speed=266666664 Hz version=405GPr, ram=33554432 s/n=0333703050 hw_re[...]
Page 262
262 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
(display ap status output, continued)
DNS IP:
Mesh SSID:
Mesh PSK:
(For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
Displaying MAP Statistics Counters
To display MAP statistics counters, use the following commands:
display ap counters [ apnumber [ radio { 1 | 2 }]]
To d[...]
Page 263
Displaying MAP Information 263
(For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
To display statistics counters and other information for individual user sessions, use the display sessions network command. (For information, see Chapter 25, "Managing Sessions," on page 557.) D[...]
Page 264
264 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
(For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
Displaying the Forwarding Database for a MAP
To display the entries in a specified MAP forwarding database, use the following command:
display ap fdb apnumber
The following command d[...]
Page 265
Displaying MAP Information 265
(display ap fdb output, continued)
4  green   local   1       4  radio_1  23
5  yellow  tunnel  wx_tun  5  radio_1  24
(For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
Displaying ACL Information for a MAP
When a MAP is configured to perform local switching, you can display the number of packets filtered b[...]
Page 266
266 CHAPTER 10: CONFIGURING MAP ACCESS POINTS
To display a summary of the security ACLs mapped on MAP 7, type the following command:
WX# display ap acl map 7
ACL      Type  Class   Mapping
-------  ----  ------  -------
acl_123  IP    Static  In
acl_133  IP    Static  In
acl_124  IP    Static
(For information about the fields in the output, see[...]
Page 267
11 CONFIGURING RF LOAD BALANCING FOR MAPS
This section describes the following configuration tasks:
- Disabling or re-enabling RF load balancing
- Assigning radios to load balancing groups
- Specifying band preference for RF load balancing
- Setting strictness for RF load balancing
- Exempting an SSID from RF load balancing
RF Load B[...]
Page 268
268 CHAPTER 11: CONFIGURING RF LOAD BALANCING FOR MAPS
MSS balances the client load by adjusting how MAPs are perceived by clients. As the relative capacity of a MAP handling new clients falls relative to other MAPs in the area, MSS makes the MAP more difficult for potential new clients to detect, which causes a client to associate with a[...]
Page 269
Configuring RF Load Balancing 269
Assigning Radios to Load Balancing Groups
Assigning radios to specific load balancing groups is optional. When you do this, MSS considers them to have exactly overlapping coverage areas, rather than using signal strength calculations to determine their overlapping coverage. MSS attempts to distribute client ses[...]
Page 270
270 CHAPTER 11: CONFIGURING RF LOAD BALANCING FOR MAPS
Setting Strictness for RF Load Balancing
To perform RF load balancing, MSS makes MAP radios with heavy client loads less visible to new clients, causing them to associate with MAP radios that have a lighter load. You can optionally specify how strictly MSS attempts to keep the c[...]
Page 271
Displaying RF Load Balancing Information 271
Exempting an SSID from RF Load Balancing
By default, RF load balancing is applied to client sessions for all SSIDs. To specifically exempt an SSID from load balancing, use the following command:
set service-profile service-profile-name load-balancing-exempt { enable | disable }
Exempting a service [...]
Page 272
272 CHAPTER 11: CONFIGURING RF LOAD BALANCING FOR MAPS [...]
Page 273
12 CONFIGURING WLAN MESH SERVICES
This section describes how to configure the WLAN mesh services.
WLAN Mesh Services Overview
WLAN mesh services allow a MAP to provide wireless services to clients without having a wired interface on the MAP. Instead of a wired interface, there is a radio link to another MAP with a wired interface. WLAN mesh s[...]
Page 274
274 CHAPTER 12: CONFIGURING WLAN MESH SERVICES
In the illustration, a client is associated with a Mesh AP, which is a MAP without a wired interface to the network. The Mesh AP is configured to communicate with a Mesh Portal AP, a MAP with wired connectivity to a WX switch. Communication between the Mesh AP and the Mesh Portal AP takes pl[...]
Page 275
Configuring WLAN Mesh Services 275
Configuring the Mesh AP
Before a Mesh AP can be installed in a location untethered from the network, it must be preconfigured for mesh services, including the mesh services SSID and the pre-shared key that is used for establishing the connection between the Mesh AP and the Mesh Portal AP.
1 Attach the MAP[...]
Page 276
276 CHAPTER 12: CONFIGURING WLAN MESH SERVICES
Configuring the Service Profile for Mesh Services
You configure the Mesh Portal AP to beacon the mesh services SSID. To do this, create a service profile and enable mesh services using the following commands:
set service-profile mesh-service-profile ssid-name mesh-ssid
set service-profile mesh[...]
Page 277
Configuring WLAN Mesh Services 277
Enabling Link Calibration Packets on the Mesh Portal MAP
A Mesh Portal MAP can be configured to emit link calibration packets to assist with positioning the Mesh AP. A link calibration packet is an unencrypted 802.11 management packet of type Action. When enabled on a MAP, link calibration packets are sent [...]
Page 278
278 CHAPTER 12: CONFIGURING WLAN MESH SERVICES
Configuring Wireless Bridging
You can use WLAN mesh services in a wireless bridge configuration, implementing MAPs as bridge endpoints in a transparent Layer 2 bridge. Configuring a wireless bridge to connect two sites provides an alternative to installing Ethernet cable to provide bridge [...]
Page 279
Displaying WLAN Mesh Services Information 279
When wireless bridging is enabled for a service profile, the MAPs with the applied service profile serve as bridge peers. When a Mesh AP associates with a Mesh Portal AP through this service profile, the Mesh Portal AP automatically configures the Mesh AP to operate in bridge mode. The display service[...]
Page 280
280 CHAPTER 12: CONFIGURING WLAN MESH SERVICES
(display ap status output, continued)
Radio 2 type: 802.11a, state: configure succeed [Enabled]
operational channel: 36 operational power: 17
bssid1: 00:0b:0e:fd:fd:cd, ssid: mesh-ssid (mesh)
The display ap mesh-links command displays information about the links a MAP has to Mesh APs and Mesh Portal APs.
WX# display ap mesh-links 1 [...]
Page 281
13 CONFIGURING USER ENCRYPTION
Mobility System Software (MSS) encrypts wireless user traffic for all users who are successfully authenticated to join an encrypted SSID and who are then authorized to join a VLAN.
Overview
MSS supports the following types of encryption for wireless user traffic:
- 802.11i
- Wi-Fi Protected Access (WPA)
- [...]
Page 282
282 CHAPTER 13: CONFIGURING USER ENCRYPTION
You can configure an SSID to support any combination of WPA, RSN, and non-WPA clients. For example, a radio can simultaneously use Temporal Key Integrity Protocol (TKIP) encryption for WPA clients and WEP encryption for non-WPA clients. The SSID type must be crypto (encrypted) for encrypti[...]
Page 283
Overview 283
Figure 20 shows the client support when the default encryption settings are used. A radio using the default encryption settings encrypts traffic for non-WPA dynamic WEP clients but not for WPA clients or static WEP clients. The radio disassociates from these other clients.
Figure 20 Default Encryption
The rest of this chapter [...]
Page 284
284 CHAPTER 13: CONFIGURING USER ENCRYPTION
Configuring WPA
Wi-Fi Protected Access (WPA) is a security enhancement to the IEEE 802.11 wireless standard. WPA provides enhanced encryption with new cipher suites and provides per-packet message integrity checks. WPA is based on a draft of the 802.11i standard. You can use WPA with 802.1X authenticati[...]
Page 285
Configuring WPA 285
Figure 21 shows the client support when WPA encryption for TKIP only is enabled. A radio using WPA with TKIP encrypts traffic only for WPA TKIP clients but not for CCMP or WEP clients. The radio disassociates from these other clients.
Figure 21 WPA Encryption with TKIP Only
(Encryption settings shown in the figure: WPA enabled: TKIP only; Dy[...]
Page 286
286 CHAPTER 13: CONFIGURING USER ENCRYPTION
Figure 22 shows the client support when both WEP encryption and TKIP are enabled. A radio using WPA with TKIP and WEP encrypts traffic for WPA TKIP clients, WPA WEP clients, and non-WPA dynamic WEP clients, but not for CCMP or static WEP clients. The radio disassociates from these other clients. [...]
Page 287
Configuring WPA 287
TKIP Countermeasures
WPA access points and clients verify the integrity of a wireless frame received on the network by generating a keyed message integrity check (MIC). The Michael MIC used with TKIP provides a holddown mechanism to protect the network against tampering. If the recalculated MIC matches the MIC received [...]
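The holddown the text describes follows the 802.11i rule for Michael: one MIC failure is only remembered, a second failure within 60 seconds starts a countermeasures period during which TKIP stations are deauthenticated and no new TKIP associations are accepted, and the period's length is the countermeasures timer that MSS lets you change. The Python below is an added example written for this page, not 3Com or MSS code; the 60-second timer default, the MAC addresses and the event timeline are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional

MIC_FAILURE_WINDOW = 60.0   # 802.11i: a second Michael MIC failure within 60 s triggers countermeasures


@dataclass
class TkipCountermeasures:
    """Tracks Michael MIC failures for one radio/SSID and enforces the holddown.

    holddown is the countermeasures timer; 60 s is an assumed default for this example,
    on MSS it is whatever was configured under the TKIP countermeasures timer setting."""
    holddown: float = 60.0
    last_failure: Optional[float] = None
    blocked_until: float = 0.0
    log: list = field(default_factory=list)

    def in_countermeasures(self, now: float) -> bool:
        return now < self.blocked_until

    def report_mic_failure(self, now: float, station: str) -> bool:
        """Called when the AP detects a bad MIC itself or receives a client's MIC-failure report.
        Returns True if this report started a countermeasures period."""
        self.log.append(("mic-failure", now, station))
        if self.last_failure is not None and now - self.last_failure < MIC_FAILURE_WINDOW:
            self.blocked_until = now + self.holddown
            self.last_failure = None            # the 60 s window restarts after countermeasures
            # 802.11i also deauthenticates every TKIP station here and requires fresh
            # pairwise and group keys afterwards; the log entry stands in for that action
            self.log.append(("countermeasures-start", now, None))
            return True
        self.last_failure = now
        return False

    def allow_association(self, now: float, station: str) -> bool:
        """New (re)associations using TKIP are refused while countermeasures are active."""
        allowed = not self.in_countermeasures(now)
        self.log.append(("assoc-allow" if allowed else "assoc-reject", now, station))
        return allowed


def run_timeline(holddown: float = 60.0):
    """Constructed timeline: two forged frames 30 s apart, a join attempt during the holddown,
    another after it, then two failures more than 60 s apart (no countermeasures)."""
    cm = TkipCountermeasures(holddown=holddown)
    results = [
        cm.report_mic_failure(0.0, "00:11:22:33:44:55"),            # first failure: remembered only
        cm.report_mic_failure(30.0, "00:11:22:33:44:55"),           # second within 60 s: holddown starts
        cm.allow_association(50.0, "66:77:88:99:aa:bb"),            # rejected while in holddown
        cm.allow_association(30.0 + holddown + 5.0, "66:77:88:99:aa:bb"),  # accepted afterwards
        cm.report_mic_failure(200.0, "00:11:22:33:44:55"),
        cm.report_mic_failure(270.0, "00:11:22:33:44:55"),          # 70 s later: window had expired
    ]
    return results, cm.blocked_until


if __name__ == "__main__":
    for entry in TkipCountermeasures().log:
        print(entry)
    print(run_timeline())
```

Two consequences are visible in the timeline: an attacker who can inject two bad-MIC frames can take a radio's TKIP service down for the holddown period, which is why the timer is a tuning knob rather than something to set very high, and a single isolated failure (a corrupted frame) does nothing.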
Page 288
288 CHAPTER 13: CONFIGURING USER ENCRYPTION
WPA Authentication Methods
You can configure an SSID to support one or both of the following authentication methods for WPA clients:
- 802.1X — The MAP and client use an Extensible Authentication Protocol (EAP) method to authenticate one another, then use the resulting key in a handshake to[...]
Page 289
Configuring WPA 289
- Probe response (sent by a MAP radio) — The WPA IE in a probe response frame lists the same WPA information that is contained in the beacon frame.
- Association request or reassociation (sent by a client) — The WPA IE in an association request lists the authentication method and cipher suite the client wants to u[...]
Page 290
290 CHAPTER 13: CONFIGURING USER ENCRYPTION
Table 24 lists the encryption support for WPA and non-WPA clients.
Configuring WPA
To configure MAP radios to support WPA:
1 Create a service profile for each SSID that will support WPA clients.
2 Enable the WPA IE in the service profile.
3 Enable the cipher suites you want to support in the[...]
Page 291
Configuring WPA 291
Creating a Service Profile for WPA
Encryption parameters apply to all users who use the SSID configured by a service profile. To create a service profile, use the following command:
set service-profile name
To create a new service profile named wpa, type the following command:
WX1200# set service-profile wpa
success: ch[...]
Page 292
292 CHAPTER 13: CONFIGURING USER ENCRYPTION
After you type this command, the service profile supports TKIP and 40-bit WEP.
Microsoft Windows XP does not support WEP with WPA. To configure a service profile to provide WEP for XP clients, leave WPA disabled and see "Configuring WEP" on page 299.
Changing the TKIP Countermeasures Timer[...]
Page 293
Configuring WPA 293
The passphrase must be from 8 to 63 characters long, including blanks. If you use blanks, you must enclose the string in quotation marks.
To configure service profile wpa to use passphrase 1234567890123<>?=+&% The quick brown fox jumps over the lazy sl, type the following command:
WX1200# set service-profile wp[...]
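The passphrase is not the key itself. 802.11i maps the passphrase and the SSID to the 256-bit PSK with PBKDF2-HMAC-SHA1 over 4096 iterations, with the SSID as the salt, so the same passphrase yields a different PSK on every SSID and a 63-character passphrase like the one above is the longest the mapping accepts. The Python below is an added example, not code from the manual or from MSS: it applies the 8-to-63-character and quoting rules stated on this page and the standard derivation. The SSID names used in its checks are assumptions, and the known-answer check relies on the RFC 6070 PBKDF2 vector rather than anything on the page.

```python
import hashlib

PSK_ITERATIONS = 4096   # IEEE 802.11i passphrase-to-PSK mapping
PSK_LENGTH = 32         # 256-bit PSK

# The manual's own example passphrase (exactly 63 characters, the maximum).
MANUAL_PASSPHRASE = "1234567890123<>?=+&% The quick brown fox jumps over the lazy sl"


def passphrase_is_valid(passphrase: str) -> bool:
    """The manual's rule (8 to 63 characters, blanks allowed) plus the 802.11i
    restriction to printable ASCII, character codes 32 to 126."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).

    Because the SSID is the salt, a PSK captured or leaked for one SSID is not
    directly reusable on another, even with the same passphrase."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, PSK_LENGTH)


def cli_argument(passphrase: str) -> str:
    """How the passphrase must be typed after psk-phrase on the MSS CLI:
    quoted when it contains blanks, bare otherwise."""
    if not passphrase_is_valid(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    return f'"{passphrase}"' if " " in passphrase else passphrase


if __name__ == "__main__":
    # "private" is an assumed SSID name for the demonstration.
    print("CLI form :", cli_argument(MANUAL_PASSPHRASE))
    print("PSK (hex):", derive_psk(MANUAL_PASSPHRASE, "private").hex())
```

The derivation is deliberately slow (4096 HMAC rounds) but it is the only cost an offline attacker pays per guess once the four-way handshake has been captured, so passphrase quality, not the derivation, is what protects a PSK SSID.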
Page 294
294 CHAPTER 13: CONFIGURING USER ENCRYPTION
Displaying WPA Settings
To display the WPA settings in a service profile, use the following command:
display service-profile { name | ? }
To display the WPA settings in effect in service profile wpa, type the following command:
WX1200# display service-profile sp1
ssid-name: private ssid-type[...]
Page 295
Configuring WPA 295
Assigning the Service Profile to Radios and Enabling the Radios
After you configure WPA settings in a service profile, you can map the service profile to a radio profile, assign the radio profile to radios, and enable the radios to activate the settings. To map a service profile to a radio profile, use the following co[...]
Page 296
296 CHAPTER 13: CONFIGURING USER ENCRYPTION
Configuring RSN (802.11i)
Robust Security Network (RSN) provides 802.11i support. RSN uses AES encryption. You can configure a service profile to support RSN clients exclusively, or to support RSN with WPA clients, or even RSN, WPA and WEP clients. The configuration tasks for a service profile[...]
Page 297
Configuring RSN (802.11i) 297
Specifying the RSN Cipher Suites
To use RSN, at least one cipher suite must be enabled. You can enable one or more of the following cipher suites:
- CCMP
- TKIP
- 40-bit WEP
- 104-bit WEP
By default, TKIP is enabled and the other cipher suites are disabled. To enable or disable cipher suites, use the follo[...]
Page 298
298 CHAPTER 13: CONFIGURING USER ENCRYPTION
Changing the TKIP Countermeasures Timer Value
To change the TKIP countermeasures timer, see "Changing the TKIP Countermeasures Timer Value" on page 292. The procedure is the same for WPA and RSN.
Enabling PSK Authentication
To enable PSK authentication, see "Enabling PSK Authenticati[...]
Page 299
Configuring WEP 299
Configuring WEP
Wired-Equivalent Privacy (WEP) is a security protocol defined in the 802.11 standard. WEP uses the RC4 encryption algorithm to encrypt data. To provide integrity checking, WEP access points and clients check the integrity of a frame's cyclic redundancy check (CRC), generate an integrity check value (ICV), an[...]
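The ICV described here is what the keyed Michael MIC of TKIP (page 287) replaced. CRC-32 is affine over GF(2), so crc(p xor d) equals crc(p) xor crc(d) xor crc(zeros), and RC4 is a stream cipher, so XORing a delta into the ciphertext XORs the same delta into the plaintext. Together that lets anyone flip chosen bits in a WEP frame and patch the encrypted ICV without knowing the key. The Python below is an added example, not code from the manual or from 3Com: a minimal WEP encrypt/decrypt with the 24-bit IV prepended, the key-less bit-flip, and a keyed MIC (HMAC-SHA256 as a stand-in, not Michael) that detects the same edit. The key, IV and payload are constructed values.

```python
import hashlib
import hmac
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, little-endian, encrypted together with the data."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) exactly as a WEP receiver would judge the frame."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, received = body[:-4], body[-4:]
    return plaintext, received == icv(plaintext)


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker's edit, no key needed: XOR delta into the data bytes and XOR
    crc(delta) ^ crc(zeros) into the encrypted ICV so it still verifies."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole data field")
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(ct, delta + icv_fix)


def delta_to_rewrite(length: int, offset: int, old: bytes, new: bytes) -> bytes:
    """Delta that turns bytes [offset:offset+len(old)] from old into new, zero elsewhere."""
    d = bytearray(length)
    d[offset:offset + len(old)] = xor(old, new)
    return bytes(d)


def keyed_mic(mic_key: bytes, plaintext: bytes) -> bytes:
    """Stand-in keyed MIC (HMAC-SHA256 truncated to 8 bytes, not TKIP's Michael).
    It is not linear, so the same patch trick fails without the MIC key."""
    return hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:8]


# Constructed demo values, not taken from the manual.
WEP_KEY = bytes.fromhex("0123456789")    # 40-bit static key
IV = b"\x01\x02\x03"
PLAINTEXT = b"POLICY: allow"
MIC_KEY = b"constructed-mic-key"


def demo():
    """Flip 'allow' to 'deny!' inside an encrypted frame; return what the receiver sees."""
    frame = wep_encrypt(WEP_KEY, IV, PLAINTEXT)
    delta = delta_to_rewrite(len(PLAINTEXT), PLAINTEXT.index(b"allow"), b"allow", b"deny!")
    pt, icv_ok = wep_decrypt(WEP_KEY, flip_bits(frame, delta))
    mic_ok = hmac.compare_digest(keyed_mic(MIC_KEY, PLAINTEXT), keyed_mic(MIC_KEY, pt))
    return pt, icv_ok, mic_ok


if __name__ == "__main__":
    print(demo())   # the ICV accepts the forged text, the keyed MIC does not
```

The attacker never learns the key or the plaintext; knowing where a field sits in the frame is enough. Static WEP adds the further problem that every station shares the key, so a dynamic-WEP or, better, a WPA/RSN SSID is the only real fix.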
Page 300
300 CHAPTER 13: CONFIGURING USER ENCRYPTION
Figure 23 shows an example of a radio configured to provide static and dynamic WEP encryption for non-WPA clients. The radio uses dynamically generated keys to encrypt traffic for dynamic WEP clients. The radio also encrypts traffic for static WEP clients whose keys match the keys configured on t[...]
Page 301
Configuring WEP 301
Setting Static WEP Key Values
MSS supports dynamic WEP automatically. To enable static WEP, configure WEP keys and assign them to unicast and multicast traffic. You can set the values of the four static WEP keys, then specify which of the keys to use for encrypting multicast frames and unicast frames. If you do this, MSS [...]
Page 302
302 CHAPTER 13: CONFIGURING USER ENCRYPTION
To configure an SSID that uses service profile wepsrvc4 to use WEP key index 4 for encrypting unicast traffic, type the following command:
WX1200# set service-profile wepsrvc4 wep active-unicast-index 4
success: change accepted.
Encryption Configuration Scenarios
The following scenarios provide e[...]
Page 303
Encryption Configuration Scenarios 303
WX1200# display service-profile sp1
ssid-name: mycorp                     ssid-type: crypto
Beacon: yes                           Proxy ARP: no
DHCP restrict: no                     No broadcast: no
Short retry limit: 5                  Long retry limit: 5
Auth fallthru: none                   Sygate On-Demand (SODA): no
Enforce SODA checks: yes              SODA remediation ACL:
Custom success web-page:              Custom failur[...]
Page 304
304 CHAPTER 13: CONFIGURING USER ENCRYPTION
(display ap config output, continued)
force-image-download: YES
Radio 1: type: 802.11g, mode: enabled, channel: 6
tx pwr: 1, profile: rp1
auto-tune max-power: default
Radio 2: type: 802.11a, mode: enabled, channel: 36
tx pwr: 1, profile: rp1
auto-tune max-power: default
8 Save the configuration. Type the following command:
WX1200# sav[...]
Page 305
Encryption Configuration Scenarios 305
TKIP is already enabled by default when WPA is enabled.
6 Display the service profile wpa-wep to verify the changes. Type the following command:
WX1200# display service-profile sp1
ssid-name: mycorp                     ssid-type: crypto
Beacon: yes                           Proxy ARP: no
DHCP restrict: no                     No broadcast: no
Short retry limit: 5                  Long re[...]
Page 306
306 CHAPTER 13: CONFIGURING USER ENCRYPTION
(display ap config output, continued)
auto-tune max-power: default
Port 6: AP model: mp-252, POE: enable, bias: high, name: MAP11
boot-download-enable: YES
force-image-download: YES
Radio 1: type: 802.11g, mode: enabled, channel: 6
tx pwr: 1, profile: rp2
auto-tune max-power: default
Port 11: AP model: mp-252, POE: enable, bias: high,[...]
Page 307
Encryption Configuration Scenarios 307
4 Verify the AAA configuration changes. Type the following command:
WX1200# display aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server  Addr  Ports  T/o  Tries  Dead  State
---------------------------------------------[...]
Page 308
308 CHAPTER 13: CONFIGURING USER ENCRYPTION
10 Configure a passphrase for the preshared key. Type the following command:
WX1200# set service-profile wpa-wep-for-mac psk-phrase "passphrase to convert into a preshared key"
success: change accepted.
11 Display the WPA configuration changes. Type the following command:
WX1200# d[...]
Page 309
Encryption Configuration Scenarios 309
WX1200# display ap config
Port 4: AP model: MP-241, POE: enable, bias: high, name: MAP04
boot-download-enable: YES
force-image-download: YES
Radio 1: type: 802.11a, mode: enabled, channel: 36
tx pwr: 1, profile: rp3
auto-tune max-power: default
Port 6: AP model: mp-252, POE: enable, bias: high, name: MAP06 [...]
Page 310
310 CHAPTER 13: CONFIGURING USER ENCRYPTION [...]
Page 311
14 CONFIGURING RF AUTO-TUNING
The RF Auto-Tuning feature dynamically assigns channel and power settings to MAP radios, and adjusts those settings when needed.
Overview
RF Auto-Tuning can perform the following tasks:
- Assign initial channel and power settings when a MAP radio is started.
- Periodically assess the RF environment and cha[...]
Page 312
312 CHAPTER 14: CONFIGURING RF AUTO-TUNING
During radio operation, MSS periodically reevaluates the channel and changes it if needed. (See "Channel Tuning" on page 313.)
- Initial power assignment — The MAP sets a radio's initial power level to the maximum value allowed for the country code (regulatory domain). In a deployment wi[...]
Page 313
Overview 313
Power Tuning
By default, the switch evaluates the scan results for possible power changes every 600 seconds (10 minutes, the default power tuning interval), and raises or lowers the power level if needed. If RF Auto-Tuning determines that a power change is needed on a radio, MSS ramps the power up or down until the new power level is reached. Ramp-up or ramp-down of t[...]
Page 314
314 CHAPTER 14: CONFIGURING RF AUTO-TUNING
A radio also can change its channel before the channel tuning interval expires to respond to RF anomalies. An RF anomaly is a sudden major change in the RF environment, such as sudden major interference on the channel. By default, a radio cannot change its channel more often than every 900 seconds[...]
Page 315
Overview 315
(RF Auto-Tuning defaults, continued)
channel-holddown 900 — MSS maintains the channel setting on a radio for at least 900 seconds regardless of RF changes.
channel-lockdown disabled — MSS continues to dynamically change channels if needed based on network conditions.
power-config disable — MSS uses the highest power level allowed for the country of operation or the highest s[...]
Page 316
316 CHAPTER 14: CONFIGURING RF AUTO-TUNING
Changing RF Auto-Tuning Settings
You can change the following RF Auto-Tuning settings:
- Channel tuning
- Power tuning
- Minimum transport data rate
Selecting Available Channels on the 802.11a Radio
You can configure the 802.11a radio on a MAP to allow certain channels to be available or [...]
Page 317
Changing RF Auto-Tuning Settings 317
Changing the Channel Tuning Interval
The default channel tuning interval is 3600 seconds. You can change the interval to a value from 0 to 65535 seconds. If you set the interval to 0, RF Auto-Tuning does not reevaluate the channel at regular intervals. However, RF Auto-Tuning can still change the channel[...]
Page 318
318 CHAPTER 14: CONFIGURING RF AUTO-TUNING
Changing the Power Tuning Interval
The default power tuning interval is 600 seconds. You can change the interval to a value from 1 to 65535 seconds. To change the power tuning interval, use the following command:
set radio-profile name auto-tune power-interval seconds
To set the power tuning i[...]
Page 319
Displaying RF Auto-Tuning Information 319
To verify the static settings, use the display { ap | dap } config command. To save the locked down settings, you must save the switch's configuration.
The following commands lock down the channel and power settings for radios in radio profile rp2:
WX1200# set radio-profile rp2 auto-tune channel-loc[...]
Page 320
320 CHAPTER 14: CONFIGURING RF AUTO-TUNING
To display the RF Auto-Tuning settings that you can configure on an individual radio, use the following commands:
display ap config [ port-list [ radio { 1 | 2 }]]
display ap config [ ap-num [ radio { 1 | 2 }]]
To display the RF Auto-Tuning and other individual radio settings on radio 1 of a d[...]
Page 321
Displaying RF Auto-Tuning Information 321
To display neighbor information for radio 1 on the directly connected MAP on port 2, type the following command:
WX1200# display auto-tune neighbors ap 2 radio 1
Total number of entries for port 2 radio 1: 5
Channel  Neighbor BSS/MAC   RSSI
-------  -----------------  ----
1        00:0b:85:06:e3:60  -46
1        00:0b:0e:[...]
Page 322
322 CHAPTER 14: CONFIGURING RF AUTO-TUNING [...]
Page 323
15 CONFIGURING MAPS TO BE AEROSCOUT LISTENERS
AeroScout RFID tags are wireless transmitters that you can place on assets such as office equipment to track the equipment's location. Each tag regularly transmits its unique ID. AeroScout listeners detect the transmissions from the RFID tags and relay this information to an AeroScout[...]
Page 324
324 CHAPTER 15: CONFIGURING MAPS TO BE AEROSCOUT LISTENERS
Configuring MAP Radios to Listen for AeroScout RFID Tags
To configure MAP radios to listen for AeroScout RFID tags:
- Configure a service profile for the AeroScout listeners and set the SSID type to clear (unencrypted).
- Configure a radio profile for the AeroScout liste[...]
Page 325
Locating an RFID Tag 325
WX1200# set ap 69 radio 1 channel 7
success: change accepted.
WX1200# set ap 67 radio 1 radio-profile rfid-listeners mode enable
success: change accepted.
WX1200# set ap 68 radio 1 radio-profile rfid-listeners mode enable
success: change accepted.
WX1200# set ap 69 radio 1 radio-profile rfid-listeners mode enable
success[...]
Page 326
326 CHAPTER 15: CONFIGURING MAPS TO BE AEROSCOUT LISTENERS
1 Connect to 3Com Wireless Switch Manager Services (the server) and open the network plan that contains the site information.
2 Select the Monitor toolbar option (at the top of the main 3Com Wireless Switch Manager window). The Monitor dashboard appears.
3 Under the Clients gr[...]
Page 327
16 CONFIGURING QUALITY OF SERVICE
This chapter describes the Quality of Service (QoS) features supported in MSS and how to configure and manage them.
About QoS
MSS supports Layer 2 and Layer 3 classification and marking of traffic, and optimized forwarding of wireless traffic for time-sensitive applications such as voice and video.
Summary o[...]
Page 328
328 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
QoS parameters configured in service profiles (table, continued)
CAC mode — Call Admission Control, which regulates addition of new VoIP sessions on MAP radios. One of the following modes can be enabled: None (the default); Session-based. Command: set service-profile cac-mode. See the following: "Call Admission Co[...]
Page 329
About QoS 329
Transmit rates — Data transmission rates supported by each radio type. The following categories are specified:
- Beacon
- Multicast
- Mandatory (a client must support at least one of these rates to associate)
- Disabled
- Standard (valid rates that are not disabled and are not mandatory)
Defaults: Mandatory: 802.11a — 6[...]
Page 330
330 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
QoS Mode
MSS supports Layer 2 and Layer 3 classification and marking of traffic, to help provide end-to-end QoS throughout the network. The following modes of QoS are supported:
- Wi-Fi Multimedia (WMM) — Provides wireless QoS for time-sensitive applications such as voice and video. WMM QoS is[...]
Page 331
WMM QoS Mode 331
The static CoS option enables you to easily set CoS for all traffic on an SSID by marking all the SSID's traffic with the same CoS value. You can use ACLs to override CoS markings or set CoS for non-WMM traffic.
The following sections describe each of these options.
WMM QoS Mode
WX switches and MAPs each provide classific[...]
Page 332
332 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
Figure 24 QoS on WX Switches—Classification of Ingress Packets
(Flowchart. The WX receives a packet. If the 802.1p value is not 0, the packet CoS is set from the 802.1p value (1 -> 1, 2 -> 2, 3 -> 3, 4 -> 4, 5 -> 5, 6 -> 6, 7 -> 7). Otherwise, if the DSCP value is not 0, the CoS is looked up for the DSCP value, and 8 - [...])
Page 333
WMM QoS Mode 333
Figure 25 QoS on WX Switches—Marking of Egress Packets
(Flowchart. The WX has classified the ingress packet. Decision: egress interface has an 802.1Q VLAN tag? Yes: mark the 802.1p field with the CoS value (1 -> 1, 2 -> 2, 3 -> 3, 4 -> 4, 5 -> 5, 6 -> 6, 7 -> 7). Decision: egress interface is an IP tunnel? No: transmit the packet and do not mark DSCP. Yes: look up CoS[...])
Page 334
334 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
Figure 26 QoS on MAPs—Classification and Marking of Packets from Clients to WX
(Flowchart. The MAP receives a packet from a client and sets the packet CoS from the 802.11 Service Type (1 -> 1, 2 -> 2, 3 -> 3, 4 -> 4, 5 -> 5, 6 -> 6, 7 -> 7). It sets the tunnel's IP ToS to the 802.1p value, then looks up CoS and marks pa[...])
Page 335
WMM QoS Mode 335
Figure 27 QoS on MAPs—Classification and Marking of Packets from WX to Clients
(Flowchart. The MAP receives a packet from the WX and maps the CoS value to a MAP forwarding queue: 0 or 3 -> Background, 1 or 2 -> Best Effort, 4 or 5 -> Video, 6 or 7 -> Voic[...])
The following sections describe in more detail how the WMM QoS mode works on WX switches and MAPs.
Page 336
336 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
WMM QoS on the WX Switch
MSS performs classification on ingress to determine a packet's CoS value. This CoS value is used to mark the packet at the egress interface. The classification and marking performed by the switch depend on whether the ingress interface has an 802.1p or DSCP value o[...]
Page 337
WMM QoS Mode 337
You also can use ACLs to override marking for specific packets. Configure ACEs that use the dscp option to match on ingress DSCP value, and use the cos option to mark CoS. A CoS value assigned by an ACE overrides the internal CoS value. (For information, see "Using ACLs to Change CoS" on page 399.)
WMM QoS on a MAP
MAPs[...]
Page 338
338 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
(To display a MAP's CoS mappings and queue usage statistics, see "Displaying MAP Forwarding Queue Statistics" on page 349.)
Figure 28 shows an example of end-to-end QoS in a 3Com network. In this example, voice traffic is prioritized based on WMM. This example assumes that the QoS mapping[...]
Page 339
WMM QoS Mode 339
The MAP encapsulates the data in an IP tunnel packet, and marks the DSCP value in the tunnel header based on the internal CoS value. In this example, the MAP maps internal CoS 7 to DSCP 56 and marks the IP tunnel header's DSCP field with value 56. The MAP then sends the packet to the WX switch.
3 WX A receives the packet on t[...]
Page 340
340 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
In this example, the MAP places the packet in the Voice forwarding queue. The Voice queue has statistically more access to the air than the other queues, so the user's voice traffic receives priority treatment.
SVP QoS Mode
The SVP QoS mode optimizes forwarding of SVP traffic by setting th[...]
Page 341
WMM QoS Mode 341
Broadcast Control
You also can enhance bandwidth availability on an SSID by enabling the following broadcast control features:
- Proxy ARP — WX responds on behalf of wireless clients to ARP requests for their IP addresses.
- DHCP Restrict — WX captures and does not forward any traffic except DHCP traffic for a wireles[...]
Page 342
342 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
Changing QoS Settings
You can change the settings of the following QoS options:
- QoS mode
- U-APSD support
- CAC state and maximum number of sessions
- Broadcast control
- Static CoS state and CoS value
- DSCP-CoS mappings
- Using client DSCP value to classify QoS level of IP pa[...]
Page 343
Changing QoS Settings 343
Configuring Call Admission Control
To configure CAC for an SSID, enable the feature on the SSID's service profile. When enabled, CAC limits the number of active sessions a radio can have to 14 by default. You can change the maximum number of sessions to a value from 0 to 100.
Enabling CAC
To enable or disable CAC [...]
Page 344
344 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
For example, to configure static CoS 7 for service profile sp1, use the following commands:
WX1200# set service-profile sp1 static-cos enable
success: change accepted.
WX1200# set service-profile sp1 cos 7
success: change accepted.
Changing CoS Mappings
To change CoS mappings, use the following[...]
Page 345
Displaying QoS Information 345
Enabling Broadcast Control
To enable broadcast control features on a service-profile basis, use the following commands:
set service-profile name proxy-arp { enable | disable }
set service-profile name dhcp-restrict { enable | disable }
set service-profile name no-broadcast { enable | disable }
For example, to e[...]
Page 346
346 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
(display radio-profile output, continued)
Tune Power Interval: 600
Channel Holddown: 300
Power Backoff Timer: 10
Countermeasures: none
Active-Scan: yes
QoS Mode: wmm
Service profiles: sp1
In this example, the QoS mode is WMM. (For more information about this command's output, see the "MAP Commands" chapter in the Wireless LA[...]
Displaying QoS Information 347 Configuration information for some settings appears in other chapters. To configure transmit rates, or the long or short retry, see "Configuring a Service Profile" on page 233. To configure the user-idle timeout and idle-client probing, see "Displaying and Changing Network Session Timers" on page 565. [...]
348 CHAPTER 16: CONFIGURING QUALITY OF SERVICE
40-49   5 5 5 5 5 5 5 5 6 6
50-59   6 6 6 6 6 6 7 7 7 7
60-63   7 7 7 7
Egress QoS Marking Map (cos-to-dscp)
CoS Level        0    1    2    3    4    5    6    7
==================================================================
Egress DSCP      0    8    16   24   32   40   48   56
Egress ToS byte  0x00 0x20 0x40 0x60 0x80 0xA0 0xC0 0[...]
Displaying QoS Information 349 Displaying the DSCP Table To display the standard mappings of DSCP, ToS, and precedence values, use the following command:
WX1200# display qos dscp-table
DSCP        TOS         precedence  tos
dec  hex    dec  hex
-----------------------------------------------
0    0x00   0    0x00   0           0
1    0x01   4    0x04   0           2
2    0x02   8    0x08   0           4
3    0x03   12   0x0c   [...]
350 CHAPTER 16: CONFIGURING QUALITY OF SERVICE[...]
17 CONFIGURING AND MANAGING SPANNING TREE PROTOCOL The purpose of the Spanning Tree Protocol (STP) is to maintain a loop-free network. A loop-free path is accomplished when a device recognizes a loop in the topology and blocks one or more redundant paths. Overview Mobility System Software (MSS) supports 802.1D and Per-VLAN Spanni[...]
352 CHAPTER 17: CONFIGURING AND MANAGING SPANNING TREE PROTOCOL Enabling the Spanning Tree Protocol STP is disabled by default. You can enable STP globally or on individual VLANs. To enable STP, use the following command:
set spantree { enable | disable } [{ all | vlan vlan-id | port port-list vlan-id }]
To enable STP on all VLANs confi[...]
Changing Standard Spanning Tree Parameters 353 Port Cost Port cost is a numeric value that STP adds to the total cost of a path to the root bridge. When a designated bridge has multiple paths to the root bridge, it uses the path with the lowest total cost. You can set this parameter on an individual port basis, for[...]
354 CHAPTER 17: CONFIGURING AND MANAGING SPANNING TREE PROTOCOL To change the bridge priority of VLAN pink to 69, type the following command:
WX1200# set spantree priority 69 vlan pink
success: change accepted.
Changing STP Port Parameters You can change the STP cost and priority of an individual port, on a global basis or an individual[...]
Changing Standard Spanning Tree Parameters 355 The command applies only to the ports you specify. The port cost on other ports remains unchanged. To reset the cost of ports 3 and 4 in the default VLAN to the default value, type the following command:
WX1200# clear spantree portcost 3-4
success: change accepted.
To reset the cost of ports 3 and[...]
356 CHAPTER 17: CONFIGURING AND MANAGING SPANNING TREE PROTOCOL Resetting the STP Port Priority to the Default Value To reset the STP port priority to the default value, use one of the following commands:
clear spantree portpri port-list
clear spantree portvlanpri port-list { all | vlan vlan-id }
The command applies only to the ports you s[...]
Changing Standard Spanning Tree Parameters 357 The command applies only to the ports you specify. The port cost on other ports remains unchanged. Changing Spanning Tree Timers You can change the following STP timers: Hello interval — The interval between configuration messages sent by a WX switch when the switch is acting as the[...]
358 CHAPTER 17: CONFIGURING AND MANAGING SPANNING TREE PROTOCOL The all option applies the change to all VLANs. Alternatively, specify an individual VLAN. To change the forwarding delay on VLAN pink to 20 seconds, type the following command:
WX1200# set spantree fwddelay 20 vlan pink
success: change accepted.
Changing the STP Maximum Ag[...]
Configuring and Managing STP Fast Convergence Features 359 Backbone Fast Convergence Backbone fast convergence accelerates a port's recovery following the failure of an indirect link. Normally, when a forwarding link fails, a bridge that is not directly connected to the link does not detect the link change until the maximum age timer exp[...]
360 CHAPTER 17: CONFIGURING AND MANAGING SPANNING TREE PROTOCOL Displaying Port Fast Convergence Information To display port fast convergence information, use the following command:
display spantree portfast [ port-list ]
To display port fast convergence information for all ports, type the following command:
WX1200# display spantree port[...]
Displaying Spanning Tree Information 361 Configuring Uplink Fast Convergence To enable or disable uplink fast convergence, use the following command:
set spantree uplinkfast { enable | disable }
Displaying Uplink Fast Convergence Information To display uplink fast convergence information, use the following command:
display spantree uplinkfast [ [...]
362 CHAPTER 17: CONFIGURING AND MANAGING SPANNING TREE PROTOCOL To list only the ports that are in the active (forwarding) state, enter the active option. To display STP information for VLAN mauve, type the following command:
WX1200# display spantree vlan mauve
VLAN 3
Spanning tree mode     PVST+
Spanning tree type     IEEE
Spanning tree enabled[...]
Displaying Spanning Tree Information 363 Displaying Blocked STP Ports To display information about ports that are in the STP blocking state, use the following command:
display spantree blockedports [ vlan vlan-id ]
To display information about blocked ports on a WX switch for the default VLAN (VLAN 1), type the following command:
WX1200# displ[...]
364 CHAPTER 17: CONFIGURING AND MANAGING SPANNING TREE PROTOCOL
Port based information statistics
config BPDU's xmitted (port/VLAN)         0 (1)
config BPDU's received (port/VLAN)        21825 (43649)
tcn BPDU's xmitted (port/VLAN)            0 (0)
tcn BPDU's received (port/VLAN)           2 (2)
forward transition count (port/VLAN)      1 (1)
scp failure count                         0
ro[...]
Spanning Tree Configuration Scenario 365
Other port specific info
dynamic max age transition         0
port BPDU ok count                 21825
msg age expiry count               0
link loading                       0
BPDU in processing                 FALSE
num of similar BPDU's to process   0
received_inferior_bpdu             FALSE
next state                         0
src MAC count                      21807
total src MAC count                21825
curr_src_mac                       00-0b-0e-00-04-30
next_src[...]
366 CHAPTER 17: CONFIGURING AND MANAGING SPANNING TREE PROTOCOL
7    up    down   auto   network   10/100BaseTx
8    up    down   auto   network   10/100BaseTx
2 Configure a backbone VLAN and verify the configuration change. Type the following commands:
WX1200# set vlan 10 name backbone port 1-2
success: change accepted.
WX1200# display vlan config
Admin VLAN Tu[...]
Spanning Tree Configuration Scenario 367 4 Reconnect or reenable ports 1 and 2 and verify the change. Type the following commands:
WX1200# set port enable 1-2
success: set "enable" on port 1-2
WX1200# display port status
Port  Name  Admin  Oper  Config  Actual  Type  Media
================================================================[...]
368 CHAPTER 17: CONFIGURING AND MANAGING SPANNING TREE PROTOCOL[...]
18 CONFIGURING AND MANAGING IGMP SNOOPING Internet Group Management Protocol (IGMP) snooping controls multicast traffic on a WX switch by forwarding packets for a multicast group only on the ports that are connected to members of the group. A multicast group is a set of IP hosts that receive traffic addressed to a specific Class D IP addres[...]
370 CHAPTER 18: CONFIGURING AND MANAGING IGMP SNOOPING Disabling or Reenabling Proxy Reporting Proxy reporting reduces multicast overhead by sending only one report for each active group to the multicast routers, instead of sending a separate report from each multicast receiver. For example, if the WX switch receives reports from thre[...]
Changing IGMP Timers 371 Last member query interval — Number of tenths of a second that the WX switch waits for a response to a group-specific query after receiving a leave message for that group, before removing the receiver that sent the leave message from the list of receivers for the group. If there are no more receivers for the g[...]
372 CHAPTER 18: CONFIGURING AND MANAGING IGMP SNOOPING Enabling Router Solicitation A WX switch can search for multicast routers by sending multicast router solicitation messages. This message invites multicast routers that receive the message and that support router solicitation to immediately advertise themselves to the WX switch. Router [...]
Displaying Multicast Information 373 Adding or Removing a Static Multicast Router Port To add or remove a static multicast router port, use the following command:
set igmp mrouter port port-list { enable | disable }
Adding or Removing a Static Multicast Receiver Port To add a static multicast receiver port, use the following command:
set igmp r[...]
374 CHAPTER 18: CONFIGURING AND MANAGING IGMP SNOOPING
237.255.255.255   5   10.10.10.13   00:02:04:06:08:0d   258
237.255.255.255   5   10.10.10.14   00:02:04:06:08:0e   258
237.255.255.255   5   10.10.10.12   00:02:04:06:08:0c   258
237.255.255.255   5   10.10.10.10   00:02:04:06:08:0a   258
Querier information:
Querier for vlan orange
Port   Querier-IP   Querier-MAC   TTL
----[...]
Displaying Multicast Information 375 Displaying Multicast Queriers To display information about the multicast querier only, without also displaying all the other multicast information, use the following command:
display igmp querier [ vlan vlan-id ]
To display querier information for VLAN orange, type the following command:
WX1200# display i[...]
376 CHAPTER 18: CONFIGURING AND MANAGING IGMP SNOOPING Displaying Multicast Receivers To display information about the multicast receivers only, without also displaying all the other multicast information, use the following command:
display igmp receiver-table [ vlan vlan-id ] [ group group-ip-addr/mask-length ]
Use the group parameter to d[...]
19 CONFIGURING AND MANAGING SECURITY ACLS A security access control list (ACL) filters packets for the purpose of discarding them, permitting them, or permitting them with modification (marking) for class-of-service (CoS) priority treatment. A typical use of security ACLs is to enable users to send and receive packets within the local intran[...]
378 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS Figure 29 Setting Security ACLs Security ACL Filters A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed MAPs. You can also assign a class-of-service (CoS) lev[...]
About Security Access Control Lists 379 The order in which ACEs are listed in an ACL is important. MSS applies ACEs that are higher in the list before ACEs lower in the list. (See "Modifying a Security ACL" on page 394.) An implicit "deny all" rule is always processed as the last ACE of an ACL. If a packet matches no ACE in the ent[...]
380 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS Selection of User ACLs Identity-based ACLs (ACLs mapped to users) take precedence over location-based ACLs (ACLs mapped to VLANs, ports, virtual ports, or Distributed MAPs). ACLs can be mapped to a user in the following ways: Location policy (inacl or outacl is configured on the lo[...]
Creating and Committing a Security ACL 381 The simplest security ACL permits or denies packets from a source IP address:
set security acl ip acl-name { permit [ cos cos ] | deny } { source-ip-addr mask | any } [ before editbuffer-index | modify editbuffer-index ] [ hits ]
For example, to create ACL acl-1 that permits all packets from IP address 19[...]
382 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS Wildcard Masks When you specify source and destination IP addresses in an ACE, you must also include a mask for each in the form source-ip-addr mask and destination-ip-addr mask. The mask is a wildcard mask. The security ACL checks the bits in IP addresses that correspond to any 0s[...]
Creating and Committing a Security ACL 383 MAP forwarding prioritization occurs automatically for Wi-Fi Multimedia (WMM) traffic. You do not need to configure ACLs to provide WMM prioritization. For non-WMM devices, you can provide MAP forwarding prioritization by configuring ACLs. If you disable WMM, MAP forwarding prioritization is optimized fo[...]
384 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS Type-of-service level is 12 (minimum delay plus maximum throughput). Precedence is 7 (network control).
WX1200# set security acl ip acl-3 permit icmp 192.168.1.3 0.0.0.0 192.168.1.4 0.0.0.0 type 11 code 0 precedence 7 tos 12 before 1 hits
The before 1 portion of the ACE places[...]
Creating and Committing a Security ACL 385 Setting TCP and UDP ACLs Security ACLs can filter TCP and UDP packets by source and destination IP address, precedence, and TOS level. You can apply a TCP ACL to established TCP sessions only, not to new TCP sessions. In addition, security ACLs for TCP and UDP can filter packets according to a sour[...]
386 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS For example, the following command permits packets sent from IP address 192.168.1.5 to 192.168.1.6 with the TCP destination port equal to 524, a precedence of 7, and a type of service of 15, on an established TCP session, and counts the number of hits generated by the ACE:
WX1200# set[...]
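The ordered, first-match evaluation with an implicit "deny all" (page 379), the wildcard-mask semantics (page 382, 0 bits must match and 1 bits are ignored, so 0.0.0.0 means one host and 255.255.255.255 means any) and the TCP "established" and destination-port qualifiers of this section are modelled below as an added Python example. It is not MSS code and not from the manual; the packet dictionaries and the ACL names are constructed for the example, and the 1-based before/modify indexes mirror the editbuffer-index parameters of set security acl ip. The model counts hits per ACE, as the hits keyword does on the switch.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")        # the "any" keyword: base 0.0.0.0 with an all-ones wildcard
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """ACL wildcard mask: 0 bits in the mask must match the base address, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


class ACE:
    """One access control entry: action, protocol, (addr, wildcard) pairs and optional L4 qualifiers."""

    def __init__(self, action, proto="ip", src=ANY, dst=ANY, dport=None, established=False, cos=None):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.action, self.cos = action, cos
        self.proto = PROTO_NUM[proto] if isinstance(proto, str) else proto   # None = any IP protocol
        self.src, self.dst = src, dst
        self.dport, self.established = dport, established
        self.hits = 0

    def matches(self, pkt):
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], *self.src) or not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.established and not pkt.get("established", False):
            return False            # "established": only packets belonging to an existing TCP session
        return True


class SecurityACL:
    def __init__(self, name):
        self.name = name
        self.aces = []

    def add(self, ace, before=None, modify=None):
        """Append, or insert before / replace at a 1-based editbuffer index, like the MSS CLI."""
        if modify is not None:
            self.aces[modify - 1] = ace
        elif before is not None:
            self.aces.insert(before - 1, ace)
        else:
            self.aces.append(ace)

    def evaluate(self, pkt):
        """First matching ACE wins; return (action, cos, 1-based index). No match = implicit deny."""
        for index, ace in enumerate(self.aces, start=1):
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action, ace.cos, index
        return "deny", None, None


if __name__ == "__main__":
    # Constructed sample: the client-to-client ACL from this chapter, then a permit-any fallback.
    c2c = SecurityACL("c2c")
    c2c.add(ACE("deny", src=("10.10.11.0", "0.0.0.255"), dst=("10.10.11.0", "0.0.0.255")))
    c2c.add(ACE("permit"))
    print(c2c.evaluate({"src": "10.10.11.5", "dst": "10.10.11.9", "proto": 17}))   # same subnet: deny
    print(c2c.evaluate({"src": "10.10.11.5", "dst": "10.10.12.9", "proto": 17}))   # other subnet: permit
```

Two details worth checking against a real ACL before committing it: an ACL with only permit entries still drops everything else because of the implicit deny, and an "established" entry never admits the SYN of a new session, so such an ACL cannot be the only path for session setup.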
Creating and Committing a Security ACL 387 To specify the order of the commands, use the following parameters: before editbuffer-index inserts an ACE before a specific location. modify editbuffer-index changes an existing ACE. If the security ACL you specify when creating an ACE does not exist when you enter set security acl ip, the s[...]
388 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS ACLs do not take effect until you map them to something (a user, Distributed MAP, VLAN, port, or virtual port). To map an ACL, see "Mapping Security ACLs" on page 390. To display the mapped ACLs, use the display security acl command, without the editbuffer or info option. Viewin[...]
Creating and Committing a Security ACL 389 You can also view a specific security ACL. For example, to view acl-2, type the following command:
WX1200# display security acl info acl-2
ACL information for acl-2
set security acl ip acl-2 (hits #1 0)
----------------------------------------------------
1. permit L4 Protocol 115 source IP 192.168.1.[...]
390 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS Clearing Security ACLs The clear security acl command removes the ACL from the edit buffer only. To clear a security ACL, enter a specific ACL name, or enter all to delete all security ACLs. To remove the security ACL from the running configuration and nonvolatile storage, you must als[...]
Mapping Security ACLs 391 To map a security ACL to a user session, follow these steps: 1 Create the security ACL. For example, to filter packets coming from 192.168.253.1 and going to 192.168.253.12, type the following:
WX1200# set security acl ip acl-222 permit ip 192.168.253.1 0.0.0.0 192.168.253.12 0.0.0.0 hits
2 Commit the security ACL t[...]
392 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS Mapping Security ACLs to Ports, VLANs, Virtual Ports, or Distributed MAPs Security ACLs can be mapped to ports, VLANs, virtual ports, and Distributed MAPs. Use the following command:
set security acl map acl-name { vlan vlan-id | port port-list [ tag tag-value ] | ap apnumber } { in | out[...]
Mapping Security ACLs 393 To display a summary of the security ACLs mapped on a MAP (in this example, MAP 7), type the following command:
WX# display ap acl map 7
ACL       Type   Class    Mapping
--------------------------------------------------
acl_123   IP     Static   In
acl_133   IP     Static   In
acl_124   IP     Static
Clearing a Security ACL Map To clear the mapping[...]
394 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS If you no longer need the security ACL, delete it from the configuration with the clear security acl and commit security acl commands. (See "Clearing Security ACLs" on page 390.) Modifying a Security ACL You can modify a security ACL in the following ways: Add another ACE to a s[...]
Modifying a Security ACL 395 2 To add another ACE to the end of acl-violet, type the following command:
WX1200# set security acl ip acl-violet permit 192.168.123.11 0.0.0.255 hits
3 To commit the updated security ACL acl-violet, type the following command:
WX1200# commit security acl acl-violet
success: change accepted.
4 To display the up[...]
396 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS 3 To view the results, type the following command:
WX1200# display security acl info
ACL information for all
set security acl ip acl-111 (hits #4 0)
----------------------------------------------------
1. deny IP source IP 192.168.254.12 0.0.0.255 destination IP any
2. permit IP source [...]
Modifying a Security ACL 397 3 To view the results, type the following command:
WX1200# display security acl info
ACL information for all
set security acl ip acl-111 (hits #4 0)
----------------------------------------------------
1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any
2. permit IP source IP 192.168.253.11 0.0.0.0 des[...]
398 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS 3 To view details about these uncommitted ACEs, type the following command.
WX1200# display security acl info all editbuffer
ACL edit-buffer information for all
set security acl ip acl-111 (ACEs 3, add 3, del 0, modified 2)
----------------------------------------------------
1. permit[...]
Using ACLs to Change CoS 399 Using ACLs to Change CoS For WMM or non-WMM traffic, you can change a packet's priority by using an ACL to change the packet's CoS value. A CoS value assigned by an ACE overrides the CoS value assigned by the switch's QoS map. To change CoS values using an ACL, you must map the ACL to the outbound traffic [...]
400 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS Table 34 lists the CoS values to use when reassigning traffic to a different priority. The CoS determines the MAP forwarding queue to use for the traffic when sending it to a wireless client. Using the dscp Option The easiest way to filter based on DSCP is to use the dscp codepoint[...]
Enabling Prioritization for Legacy Voice over IP 401 The following commands perform the same CoS reassignment as the commands in "Using the dscp Option" on page 400. They remap IP packets from IP address 10.10.50.2 that have DSCP value 46 (equivalent to precedence value 5 and ToS value 12), to have CoS value 7 when they are forwarded to [...]
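The equivalence used above (DSCP 46 is precedence 5 plus ToS level 12) and the tables of the QoS chapter (the display qos dscp-table output, the ingress DSCP-to-CoS map and the egress cos-to-dscp map) all follow from how the DSCP sits in the ToS byte: bits 7-5 are the precedence, bits 4-1 are the four-bit ToS level, and bits 1-0 are ECN. The following added Python example, which is not MSS code and not from the manual, reconstructs those tables from that layout and converts between the dscp option and the precedence/tos pair so an ACE written either way can be checked. The default ingress map is assumed to be CoS = DSCP >> 3, which matches the rows reproduced on page 348.

```python
def dscp_to_tos_byte(dscp):
    """DSCP occupies the upper six bits of the ToS byte (ECN bits are left at 0)."""
    return dscp << 2


def dscp_precedence(dscp):
    """ToS byte bits 7-5: the IP precedence, printed in the 'precedence' column of the DSCP table."""
    return dscp >> 3


def dscp_tos_level(dscp):
    """ToS byte bits 4-1 as the 4-bit 'tos' value used by ACE 'tos' keywords (always even for a pure DSCP)."""
    return (dscp & 0x7) << 1


def dscp_table_row(dscp):
    """One row of 'display qos dscp-table': (dscp, tos byte, precedence, tos level)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return (dscp, dscp_to_tos_byte(dscp), dscp_precedence(dscp), dscp_tos_level(dscp))


def dscp_table():
    return [dscp_table_row(d) for d in range(64)]


def ace_fields_for_dscp(dscp):
    """The (precedence, tos) pair that matches exactly the packets 'dscp <dscp>' matches."""
    return dscp_precedence(dscp), dscp_tos_level(dscp)


def dscp_from_ace_fields(precedence, tos):
    """Inverse of ace_fields_for_dscp; rejects a tos level that reaches into the ECN bits."""
    if not (0 <= precedence <= 7 and 0 <= tos <= 15):
        raise ValueError("precedence is 0..7, tos is 0..15")
    if tos & 1:
        raise ValueError("tos bit 0 is ToS-byte bit 1 (ECN), outside the DSCP field; no dscp value matches it")
    return (precedence << 3) | (tos >> 1)


def cos_to_dscp(cos):
    """Egress marking map (cos-to-dscp): CoS 0..7 -> DSCP 0, 8, ..., 56."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS must be 0..7")
    return cos << 3


def dscp_to_cos(dscp):
    """Default ingress map (assumed): CoS = DSCP >> 3, i.e. the precedence bits."""
    return dscp >> 3


def format_dscp_table(rows=None):
    """Render rows in the layout of the switch's own table, for side-by-side comparison."""
    lines = ["DSCP        TOS         precedence  tos", "dec  hex    dec  hex"]
    for dscp, tos_byte, prec, tos in rows or dscp_table():
        lines.append(f"{dscp:<4} 0x{dscp:02x}   {tos_byte:<4} 0x{tos_byte:02x}   {prec:<11} {tos}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_dscp_table(dscp_table()[:8]))
    print("DSCP 46 ->", ace_fields_for_dscp(46))       # (5, 12), as in the VoIP example
```

When converting an existing ACL from the precedence/tos form to the dscp option, run every ACE through dscp_from_ace_fields first: an ACE such as "precedence 7 tos 15" has no single-DSCP equivalent, because its lowest ToS bit lies in the ECN field.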
402 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS General Guidelines 3Com recommends that you follow these guidelines for any wireless VoIP implementation: Ensure end-to-end priority forwarding by making sure none of the devices that will forward voice traffic resets IP ToS or Diffserv values to 0. Some devices, such as some typ[...]
Enabling Prioritization for Legacy Voice over IP 403 If you are upgrading a switch running MSS Version 3.x to MSS Version 4.x, and the switch uses ACLs to map VoIP traffic to CoS 4 or 5, and you plan to leave WMM enabled, 3Com recommends that you change the ACLs to map the traffic to CoS 6 or 7. You must map the ACL to the outbound traffic d[...]
404 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS 3 Commit the ACL to the configuration:
WX4400# commit security acl voip
Enabling SVP Optimization for SpectraLink Phones SpectraLink's Voice Interoperability for Enterprise Wireless (VIEW) Certification Program is designed to ensure interoperability and high performance between SVP [...]
Enabling Prioritization for Legacy Voice over IP 405 Configuring a Service Profile for RSN (WPA2) To configure a service profile for SVP phones that use RSN (WPA2): Create the service profile and add the voice SSID to it. Enable the RSN information element (IE). Disable TKIP and enable CCMP. Disable 802.1X authentication a[...]
406 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS The following commands configure a service profile called vowlan-wpa2 for RSN:
WX4400# set service-profile vowlan-wpa2 ssid-name phones
WX4400# set service-profile vowlan-wpa2 rsn-ie enable
WX4400# set service-profile vowlan-wpa2 auth-dot1x disable
WX4400# set service-profile vowlan-wpa2 a[...]
Enabling Prioritization for Legacy Voice over IP 407 Configuring a VLAN for Voice Clients MSS requires all clients to be authenticated by RADIUS or the local database, and to be authorized for a specific VLAN. MSS places the user in the authorized VLAN. Configure a VLAN for voice clients. You can use the same VLAN for other clients. However[...]
408 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS
WX1200# set security acl ip SVP permit cos 7 119 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
WX1200# set security acl ip SVP permit 0.0.0.0 255.255.255.255
WX1200# set security acl map SVP vlan v1 in
WX1200# set security acl map SVP vlan v1 out
WX1200# commit security acl SVP
The[...]
Restricting Client-To-Client Forwarding Among IP-Only Clients 409 Setting 802.11b/g Radios to 802.11b (for Siemens SpectraLink VoIP Phones only) If you plan to use Siemens SpectraLink Voice over IP (VoIP) phones, you must change the MAP radios that will support the phones to operate in 802.11b mode only. This type of phone expects the MAP[...]
410 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS 3 Configure an ACE that denies all IP traffic from any IP address in the 10.10.11.0/24 subnet to any address in the same subnet.
WX1200# set security acl ip c2c deny ip 10.10.11.0 0.0.0.255 10.10.11.0 0.0.0.255
4 Configure an ACE that permits all traffic that does not match the ACEs c[...]
Security ACL Configuration Scenario 411 4 To map acl-99 to port 6 to filter incoming packets, type the following command:
WX1200# set security acl map acl-99 port 6 in
mapping configuration accepted
Because every security ACL includes an implicit rule denying all traffic that is not permitted, port 6 now accepts packets only from 192.168.1.1, [...]
412 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS[...]
20 MANAGING KEYS AND CERTIFICATES A digital certificate is a form of electronic identification for computers. The WX switch requires digital certificates to authenticate its communications to 3Com Wireless Switch Manager and Web Manager, to WebAAA clients, and to Extensible Authentication Protocol (EAP) clients for which the WX performs al[...]
414 CHAPTER 20: MANAGING KEYS AND CERTIFICATES Wireless Security through TLS In the case of wireless or wired authentication 802.1X users whose authentication is performed by the WX switch, the first stage of any EAP transaction is Transport Layer Security (TLS) authentication and encryption. 3Com Wireless Switch Manager and Web Manager als[...]
About Keys and Certificates 415 About Keys and Certificates Public-private key pairs and digital signatures and certificates allow keys to be generated dynamically so that data can be securely encrypted and delivered. You generate the key pairs and certificates on the WX switch or install them on the switch after enrolling with a certifi[...]
416 CHAPTER 20: MANAGING KEYS AND CERTIFICATES Public Key Infrastructures A public-key infrastructure (PKI) is a system of digital certificates and certification authorities that verify and authenticate the validity of each party involved in a transaction through the use of public key cryptography. To have a PKI, the WX switch requires th[...]
About Keys and Certificates 417 EAP certificate — Used by the WX switch to authenticate itself to EAP clients. WebAAA certificate — Used by the WX switch to authenticate itself to WebAAA clients, who use a web page served by a WX switch to log onto the network. Certificate authority (CA) certificates — Used by the WX switch in additi[...]
418 CHAPTER 20: MANAGING KEYS AND CERTIFICATES Certificates Automatically Generated by MSS The first time you boot a switch with MSS Version 4.2 or later, MSS automatically generates keys and self-signed certificates, in cases where certificates are not already configured or installed. MSS can automatically generate all the following type[...]
Creating Keys and Certificates 419 Creating Keys and Certificates Public-private key pairs and digital certificates are required for management access with 3Com Wireless Switch Manager or Web Manager, or for network access by 802.1X or WebAAA users. The digital certificates can be self-signed or signed by a certificate authority (CA). If y[...]
420 CHAPTER 20: MANAGING KEYS AND CERTIFICATES Choosing the Appropriate Certificate Installation Method for Your Network Depending on your network environment, you can use any of the following methods to install certificates and their public-private key pairs. The methods differ in terms of simplicity and security. The simplest method is al[...]
Creating Keys and Certificates 421 Creating Public-Private Key Pairs To use a self-signed certificate or Certificate Signing Request (CSR) certificate for WX switch authentication, you must generate a public-private key pair. To create a public-private key pair, use the following command:
crypto generate key { admin | domain | eap | ssh | web [...]
422 CHAPTER 20: MANAGING KEYS AND CERTIFICATES Some key lengths apply only to specific key types. For example, 128 applies only to domain keys. SSH requires an SSH authentication key, but you can allow MSS to generate it automatically. The first time an SSH client attempts to access the SSH server on a WX switch, the switch automaticall[...]
Creating Keys and Certificates 423 Installing a Key Pair and Certificate from a PKCS #12 Object File PKCS object files provide a file format for storing and transferring data and cryptographic information. (For more information, see "PKCS #7, PKCS #10, and PKCS #12 Object Files" on page 417.) A PKCS #12 object file, which you obtai[...]
424 CHAPTER 20: MANAGING KEYS AND CERTIFICATES Creating a CSR and Installing a Certificate from a PKCS #7 Object File After creating a public-private key pair, you can obtain a signed certificate of authenticity from a CA by generating a Certificate Signing Request (CSR) from the WX switch. A CSR is a text block with an encoded request for a [...]
Creating Keys and Certificates 425 2 Use a text editor to open the PKCS #7 file, and copy and paste the entire text block, including the beginning and ending delimiters, into the CLI. You must paste the entire block, from the beginning -----BEGIN CERTIFICATE----- to the end -----END CERTIFICATE-----. Installing a CA's Own Certificate If you[...]
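A paste that loses its last lines, or that is copied without the END delimiter, is the usual reason the CLI rejects a certificate at this step, and the error from the switch does not say which. The following added Python example, which is not MSS code and not from the manual, checks a PEM text block before it is pasted: it verifies the BEGIN/END envelope, decodes the base64 body and confirms that the outer DER SEQUENCE length agrees with the number of bytes actually present, which is what a truncated paste breaks. The sample blocks in the test are constructed DER fragments, not real certificates, and the function only validates the envelope and length; it does not parse or verify the certificate itself.

```python
import base64

BEGIN_PREFIX, END_PREFIX, DASHES = "-----BEGIN ", "-----END ", "-----"


def der_sequence_length(der):
    """Total encoded length claimed by the outer DER SEQUENCE header (tag 0x30), or raise ValueError."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    count = first & 0x7F                   # long form: next `count` bytes hold the length
    if count == 0 or count > 4 or len(der) < 2 + count:
        raise ValueError("bad DER length encoding")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def pem_blocks(text):
    """Split text into (label, base64 body) pairs; a BEGIN without its END is an error."""
    blocks, label, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(BEGIN_PREFIX) and line.endswith(DASHES):
            if label is not None:
                raise ValueError("BEGIN %s inside an open %s block" % (line[len(BEGIN_PREFIX):-5], label))
            label, body = line[len(BEGIN_PREFIX):-5], []
        elif line.startswith(END_PREFIX) and line.endswith(DASHES):
            if label is None or line[len(END_PREFIX):-5] != label:
                raise ValueError("END without matching BEGIN")
            blocks.append((label, "".join(body)))
            label = None
        elif label is not None and line:
            body.append(line)
    if label is not None:
        raise ValueError("BEGIN %s without END (paste cut off?)" % label)
    return blocks


def check_certificate_paste(text):
    """Return the DER bytes of every CERTIFICATE block in text, or raise ValueError describing the defect."""
    ders = []
    for label, b64 in pem_blocks(text):
        if label != "CERTIFICATE":
            raise ValueError("unexpected block type " + label)
        try:
            der = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError subclass
        except ValueError as exc:
            raise ValueError("body is not valid base64") from exc
        if der_sequence_length(der) != len(der):
            raise ValueError("DER length %d does not match %d decoded bytes (truncated paste?)"
                             % (der_sequence_length(der), len(der)))
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders


def to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in a PEM envelope with 64-character lines (used here to build test input)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN_PREFIX + label + DASHES, *lines, END_PREFIX + label + DASHES])


if __name__ == "__main__":
    import sys
    text = sys.stdin.read()                # e.g. python3 check.py < signed.pem
    for der in check_certificate_paste(text):
        print("ok: %d-byte DER certificate" % len(der))
```

Running the check on the file you are about to paste catches an incomplete copy before the switch does; a block that passes can still be the wrong certificate, so compare the subject shown by display crypto certificate afterwards.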
426 CHAPTER 20: MANAGING KEYS AND CERTIFICATES Displaying Certificate and Key Information To display information about certificates installed on a WX switch, use the following commands:
display crypto ca-certificate { admin | eap | web }
display crypto certificate { admin | eap | web }
For example, to display information about an administra[...]
Key and Certificate Configuration Scenarios 427 Key and Certificate Configuration Scenarios The first scenario shows how to generate self-signed certificates. The second scenario shows how to install CA-signed certificates using PKCS #12 object files, and the third scenario shows how to install CA-signed certificates using CSRs (PKCS #10 object [...]
428 CHAPTER 20: MANAGING KEYS AND CERTIFICATES
Unstructured Name: WX in wiring closet 4
Self-signed cert for eap is
WX1200# crypto generate self-signed web
Country Name: US
State Name: CA
Locality Name: San Francisco
Organizational Name: example
Organizational Unit: IT
Common Name: WX 6
Email Address: admin@example.com
Unstructured Name: WX in[...]
Key and Certificate Configuration Scenarios 429
WX1200# display crypto certificate web
Certificate:
Version: 3
Serial Number: 999 (0x3e7)
Subject: C=US, ST=CA, L=PLEAS, O=Mycorp, OU=SQA, CN=BOBADMIN/emailAddress=BOBADMIN, unstructuredName=BOB
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, L=PLEAS, O=Mycorp, OU=SQA, CN=BOBADMIN/[...]
Note that the certificate in this example is signed with md5WithRSAEncryption; current browsers and supplicants reject MD5-signed certificates, so a certificate installed today should be signed with SHA-256 or stronger.
430 CHAPTER 20: MANAGING KEYS AND CERTIFICATES For example:
WX1200# crypto otp admin SeC%#6@o%c
OTP set
WX1200# crypto otp eap SeC%#6@o%d
OTP set
WX1200# crypto otp web SeC%#6@o%e
OTP set
5 Unpack the PKCS #12 object files into the certificate and key storage area on the WX switch. Use the following command:
crypto pkcs12 { admin | eap | web } [...]
Key and Certificate Configuration Scenarios 431 Installing CA-Signed Certificates Using a PKCS #10 Object File (CSR) and a PKCS #7 Object File This scenario shows how to use CSRs to install public-private key pairs, CA-signed certificates, and CA certificates for administrative access, 802.1X (EAP) access, and WebAAA access. 1 Set time and date p[...]
432 CHAPTER 20: MANAGING KEYS AND CERTIFICATES 7 To install the administrative certificate on the WX switch, type the following command to display a prompt:
WX1200# crypto certificate admin
Enter PEM-encoded certificate
8 Paste the signed certificate text block into the WX switch's CLI, below the prompt. 9 Display information about the c[...]
21 CONFIGURING AAA FOR NETWORK USERS The following sections describe the MSS authentication, authorization, and accounting (AAA) features in detail. About AAA for Network Users Network users include the following types of users: Wireless users — Users who access the network by associating with an SSID on a 3Com radio. Wired authenti[...]
434 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS Each authentication rule specifies where the user credentials are stored. The location can be a group of RADIUS servers or the switch's local database. In either case, if MSS has an authentication rule that matches on the required parameters, MSS checks the user name or MAC address o[...]
About AAA for Network Users 435 SSID — If 802.1X or MAC authentication do not apply to the SSID (no 802.1X or MAC access rules are configured for the SSID), the default authorization attributes set on the SSID are applied to the user and the user is allowed onto the network. Wired authentication port — If 802.1X or MAC authentication [...]
436 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS Figure 30 Authentication Flowchart for Network Users (flowchart; the decision nodes visible in the figure are: client associates with MAP radio or requests access from wired authentication port; client requests encrypted SSID?; 802.1X rule matches?; fallthru authentication: last-resort? web? none?)[...]
-
Seite 437
SSID Name "Any"

In authentication rules for wireless access, you can specify the name any for the SSID. This value is a wildcard that matches on any SSID string requested by the user. For 802.1X and WebAAA rules that match on SSID any, MSS checks the RADIUS servers or local database for the username (and p[...]

Page 438
For a user to be successfully authenticated based on the MAC address of the user device, the MAC address must be configured on the RADIUS servers used by the authentication rule or in the WX local database, if the local database is used by the rule. If the MAC address is configured in [...]

Page 439
MSS provides the following VSAs, which you can assign to users configured in the local database or on a RADIUS server:

Encryption-Type — Specifies the type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.

End-Date — Date and ti[...]

Page 440
In addition to configuring authorization attributes for users on RADIUS servers or the WX local database, you can also configure attributes within a service profile. These authorization attributes are applied to users accessing the SSID managed by the service profile (in addition to any at[...]

Page 441
AAA Tools for Network Users 441

Authorization for access control. Authorization provides access control by means of such mechanisms as per-user security access control lists (ACLs), VLAN membership, Mobility Domain assignment, and timeout enforcement. Because authorization is always performed on network access users so they can use a parti[...]

Page 442
"Globs" and Groups for Network User Classification

"Globbing" lets you classify users by user name or MAC address for different AAA treatments. A user glob is a string used by AAA and IEEE 802.1X or WebAAA methods to match a user or set of users. MAC address globs match authentica[...]

Page 443
You can use the local database or RADIUS servers for MAC access as well. If you use RADIUS servers, make sure you configure the password for the MAC address user as 3Com. (This is the default authorization password. To change it, see "Changing the MAC Authorization Password for RADIUS" on page 459.)

AA[...]

Page 444
Remote Authentication with Local Backup

You can use a combination of authentication methods; for example, PEAP offload and local authentication. When PEAP offload is configured, the WX switch offloads all EAP processing from server groups; the RADIUS servers are not required to communi[...]

Page 445
Figure 31 shows the results of this combination of methods.

Figure 31 Remote Authentication with PEAP Offload using Local Authentication as Backup

Authentication proceeds as follows:

1 When user Jose@example.com attempts authentication, the WX switch sends an authentication request to the first AAA method, whic[...]

Page 446
If one of the RADIUS servers in the group does respond, but it indicates that the user does not exist on the RADIUS server, or that the user is not permitted on the network, then authentication for the user fails, regardless of any additional methods. Only if all the RADIUS servers in the se[...]

Page 447
Ways a WX Switch Can Use EAP

Network users with 802.1X support cannot access the network unless they are authenticated. You can configure a WX switch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WX, or to offload some authentication tasks from the serv[...]

Page 448
Effects of Authentication Type on Encryption Method

Wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data traffic encrypted by the following methods:

Wi-Fi Protected Access (WPA) encryption
Non-WPA dynamic Wired Equivalent Privacy[...]

Page 449
Configuring 802.1X Authentication 449

Configuring 802.1X Authentication

The IEEE 802.1X standard is a framework for passing EAP protocols over a wired or wireless LAN. Within this framework, you can use TLS, PEAP-TTLS, or EAP-MD5. Most EAP protocols can be passed through the WX switch to the RADIUS server. Some protocols can be processed l[...]

Page 450
For example, the following command authenticates all wireless users who request SSID marshes at example.com by offloading PEAP processing onto the WX switch, while still performing MS-CHAP-V2 authentication via the server group shorebirds:

WX1200# set authentication dot1x ssid marshes [...]

Page 451
Binding User Authentication to Machine Authentication

Bonded Auth™ (bonded authentication) is a security feature that binds an 802.1X user authentication to authentication of the machine from which the user is attempting to log on. When this feature is enabled, MSS authenticates the user only if the mach[...]

Page 452
Authentication Rule Requirements

Bonded authentication requires an 802.1X authentication rule for the machine itself, and a separate 802.1X authentication rule for the user(s). Use the bonded option in the user authentication rule, but not in the machine authentication rule. The authentic[...]

Page 453
host/*.nl.mycorp.com (userglob for the machine authentication rule)
*.nl.mycorp.com (userglob for the user authentication rule)
host/*.de.mycorp.com (userglob for the machine authentication rule)
*.de.mycorp.com (userglob for the user authentication rule)

Bonded Auth Period

The Bonded Auth p[...]

Page 454
Bonded Auth Configuration Example

To configure Bonded Auth:

Configure separate authentication rules for the machine and for the user(s).
Set the Bonded Auth period.
Verify the configuration changes.

The following commands configure two 802.1X authentication rules for access to S[...]

Page 455
In the following example, bob.mycorp.com uses Bonded Auth, and the Bonded Auth period is set to 60 seconds.

WX1200# display dot1x config
802.1X user policy
----------------------
'host/bob-laptop.mycorp.com' on ssid 'mycorp' doing PASSTHRU
'bob.mycorp.com' on ssid 'mycorp'[...]
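The Bonded Auth sequence described above, written out as an added example in Python; it is not code from the 3Com manual or from MSS. A machine authentication under the host/... rule is recorded per client MAC, and a later user authentication under the user rule carrying the bonded option is accepted only if that record is no older than the Bonded Auth period. That the binding key is the client MAC, that the host/ prefix stands in for the machine userglob, and the exact age test are assumptions; the period of 60 seconds and the identities are taken from the page's example.

```python
"""Bonded Auth decision logic, added here as an example; it is not MSS code.

Assumptions not stated on this page: the machine and the user are tied to
each other by the client's MAC address, and a machine authentication counts
for a user logon only while it is no older than the Bonded Auth period.  The
prefix host/ stands in for the machine rule's userglob.
"""
from dataclasses import dataclass, field
from typing import Dict

MACHINE_AUTHENTICATED = "machine-authenticated"
USER_AUTHORIZED = "user-authorized"
REJECT_BAD_CREDENTIALS = "rejected: bad credentials"
REJECT_NO_MACHINE = "rejected: no machine authentication within the Bonded Auth period"


@dataclass
class BondedAuth:
    period_seconds: int                                            # Bonded Auth period
    machine_seen: Dict[str, float] = field(default_factory=dict)   # MAC -> time of machine auth

    def authenticate(self, identity: str, mac: str, credentials_ok: bool, now: float) -> str:
        """Run one 802.1X attempt through the page's two rules: host/... identities
        hit the machine rule (no bonded option); everything else hits the user
        rule, which carries the bonded option and therefore needs a fresh
        machine authentication from the same device."""
        if not credentials_ok:                 # RADIUS/local credential check failed
            return REJECT_BAD_CREDENTIALS
        mac = mac.lower()
        if identity.startswith("host/"):       # machine rule: record and allow
            self.machine_seen[mac] = now
            return MACHINE_AUTHENTICATED
        seen = self.machine_seen.get(mac)      # user rule with bonded option
        if seen is None or now - seen > self.period_seconds:
            return REJECT_NO_MACHINE
        return USER_AUTHORIZED


if __name__ == "__main__":
    ba = BondedAuth(period_seconds=60)        # the page's example value
    laptop = "00:11:22:33:44:55"              # constructed client MAC
    for identity, t in [("host/bob-laptop.mycorp.com", 0),
                        ("bob.mycorp.com", 30),
                        ("bob.mycorp.com", 100)]:
        print(f"t={t:>3}s {identity:<28} -> {ba.authenticate(identity, laptop, True, t)}")
```

The third attempt is the case the period exists for: a user logon arriving after the machine record has aged out is refused even though the credentials are good, and a user logon from a device that never authenticated as a machine is refused in the same way.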
Page 456
Configuring Authentication and Authorization by MAC Address

You must sometimes authenticate users based on the MAC addresses of their devices rather than a user name-password or certificate. For example, some Voice-over-IP (VoIP) phones and personal digital assistants (PDAs) do not suppo[...]

Page 457
Configuring Authentication and Authorization by MAC Address 457

For example, type the following command to add MAC user 01:0f:03:04:05:06 to group macfans:

WX1200# set mac-user 01:0f:03:04:05:06 group macfans
success: change accepted.

Clearing MAC Users and Groups

To clear a MAC user from a user group, use the following command:

clear mac-use[...]

Page 458
If the switch's configuration does not contain a set authentication mac command that matches a non-802.1X client's MAC address, MSS tries MAC authentication by default. You can also glob MAC addresses. For example, the following command locally authenticates all MAC addresses that begi[...]

Page 459
Changing the MAC Authorization Password for RADIUS

When you enable MAC authentication, the client does not supply a regular username or password. The MAC address of the user's device is extracted from frames received from the device. To authenticate and authorize MAC users v[...]
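What the WX switch's RADIUS query for a MAC user looks like on the wire, as an added example in Python (not 3Com code): an RFC 2865 Access-Request carrying User-Name = the client MAC and User-Password = the MAC authorization password (3Com by default, as the page states), hidden with MD5 over the shared secret and the Request Authenticator exactly as RFC 2865 section 5.2 prescribes, followed by the server-side parse that recovers it. The colon-separated MAC string in User-Name and the absence of any other attributes are assumptions; the shared secret seCret is the one from the set radius server example later in this manual.

```python
"""The RADIUS Access-Request a NAS sends for a MAC user, as an added example
(Python, not 3Com code).  User-Name is the client MAC, User-Password is the
MAC authorization password (the page's default, 3Com) hidden per RFC 2865
section 5.2 with MD5 over the shared secret and the Request Authenticator.
Assumed: the colon-separated MAC string in User-Name and that no other
attributes are needed for the demonstration.
"""
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
DEFAULT_MAC_PASSWORD = b"3Com"          # MSS default MAC authorization password


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block);
    the Request Authenticator plays the role of 'previous block' for block 1."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result   # chaining always uses ciphertext
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-octet multiple
    return _xor_chain(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def _avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mac_access_request(mac: str, secret: bytes, identifier: int,
                             password: bytes = DEFAULT_MAC_PASSWORD,
                             authenticator: Optional[bytes] = None) -> bytes:
    """What the WX switch (the NAS) puts on the wire for a MAC user."""
    if authenticator is None:
        authenticator = os.urandom(16)        # fresh per request; never reuse
    attrs = _avp(ATTR_USER_NAME, mac.lower().encode()) + \
        _avp(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> Tuple[int, str, bytes]:
    """What the RADIUS server recovers: (code, User-Name, cleartext User-Password).
    With the wrong shared secret the password comes out as garbage and the
    server rejects the request."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    username = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return code, username, password


if __name__ == "__main__":
    secret = b"seCret"                        # key from the page's set radius server example
    pkt = build_mac_access_request("01:0f:03:04:05:06", secret, identifier=42)
    print(pkt.hex())
    print(parse_access_request(pkt, secret))
    print(parse_access_request(pkt, b"BigSecret"))   # wrong secret: unreadable password
```

The practical point for a reviewer: every MAC user presents the same well-known password, so the shared secret, the RADIUS transport and the server's list of permitted MAC addresses are all that stands between a spoofed MAC address and the network; changing the password from 3Com removes only the "well-known" part.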
Page 460
Configuring Web Portal WebAAA

WebAAA simplifies secure access to unencrypted SSIDs. When a user requests access to an SSID or attempts to access a web page before logging onto the network, MSS serves a login page to the user's browser. After the user enters a username and password, MS[...]

Page 461
Configuring Web Portal WebAAA 461

3 The user opens a Web browser. The Web browser sends a DNS request for the IP address of the home page or a URL requested by the user.

4 MSS does the following:

Intercepts the DNS request, uses the MSS DNS proxy to obtain the URL IP address from the network DNS server, and sends the address to the use[...]

Page 462
If the WX does not receive a reply to a client's DNS request, the WX spoofs a reply to the browser by sending the WX switch's own IP address as the resolution to the browser's DNS query. The WX also serves the web login page. This behavior simplifies use of the WebAAA feature in n[...]

Page 463
Here are some examples of common names in the recommended format:

webaaa.login
webaaa.customername.com
portal.local

Here are some examples of common names that are not in the recommended format:

webaaa
3Com_webaaa
webportal

User VLAN — An IP interface must be configured on the [...]

Page 464
Fallthru authentication type — The fallthru authentication type for each SSID and wired authentication port that you want to support WebAAA must be set to web-portal. The default authentication type for wired authentication ports and for SSIDs is None (no fallthru authentication is use[...]

Page 465
CAUTION: Without the Web-Portal ACL, WebAAA users will be placed on the network without any filters.

CAUTION: Do not change the deny rule at the bottom of the ACL. This rule must be present and the capture option must be used with the rule. If the rule does not have the capture option, the Web Portal user never[...]
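To make the second CAUTION concrete, an added example in Python (not MSS code) runs packets through a constructed stand-in for the Web-Portal ACL, first match wins: a deny with the capture option hands the packet to the portal, where MSS serves the login page, whereas the same deny without capture discards it and the user never sees the page. The ACL entries (DHCP and DNS permitted, everything else denied with capture), the implicit deny at the end, and the per-user ACL applied after authorization are assumptions; the page's actual Web-Portal ACL is not reproduced here.

```python
"""Added example (Python, not MSS code): why the final deny in the Web-Portal
ACL needs the capture option.  Packets run through a constructed ACL in order,
first match wins; a deny with capture hands the packet to the portal (MSS then
serves the login page), a plain deny discards it and the user never sees the
page.  The ACL entries (DHCP and DNS permitted, everything else denied with
capture) and the implicit deny at the end are assumptions, not the page's ACL.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

FORWARD, DROP, CAPTURE = "forward", "drop", "capture"


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    dst: str = "0.0.0.0/0"       # destination prefix
    dport: Optional[int] = None  # destination port, None = any
    capture: bool = False        # only meaningful on a deny


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; a captured packet goes to the portal."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ip_address(pkt.dst) not in ip_network(ace.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.action == "permit":
            return FORWARD
        return CAPTURE if ace.capture else DROP
    return DROP                  # implicit deny at the end (assumption)


# Constructed stand-in for the Web-Portal ACL mapped to web-portal-ssid.
WEB_PORTAL_ACL = [
    Ace("permit", "udp", dport=67),      # DHCP, so the client can get an address
    Ace("permit", "udp", dport=53),      # DNS, which MSS proxies (see above)
    Ace("deny", "ip", capture=True),     # everything else: capture for the portal
]
# The same ACL with the capture option forgotten on the last rule.
BROKEN_ACL = WEB_PORTAL_ACL[:-1] + [Ace("deny", "ip")]
# ACL mapped to the individual user once authenticated and authorized.
AUTHORIZED_USER_ACL = [Ace("permit", "ip")]


def portal_page_shown(acl: List[Ace], first_http_packet: Packet) -> bool:
    return evaluate(acl, first_http_packet) == CAPTURE


if __name__ == "__main__":
    http = Packet("tcp", "93.184.216.34", 80)        # user opens a web page
    for name, acl in [("portal ACL", WEB_PORTAL_ACL), ("broken ACL", BROKEN_ACL),
                      ("after login", AUTHORIZED_USER_ACL)]:
        print(f"{name:<12} http -> {evaluate(acl, http)}")
```

With BROKEN_ACL the user's first HTTP request is dropped rather than captured, which is the symptom the CAUTION warns about: the browser simply times out and the login page never appears.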
Page 466
To modify a WebAAA user's access after the user is authenticated and authorized, map an ACL to the individual WebAAA user. Changes you make to the ACL mapped to the web-portal-ssid or web-portal-wired user do not affect user access after authentication and authorization are complete. [...]

Page 467
Configuring Web Portal WebAAA

To configure Web Portal WebAAA:

1 Configure an SSID or wired authentication port and set the fallthru authentication type to web-portal. The default for SSIDs and for wired authentication ports is none.

2 Configure individual WebAAA users. Because the VLAN is assigned based on [...]

Page 468
WX1200# set service-profile mycorp-srvcprof auth-fallthru web-portal
success: change accepted.
WX1200# set service-profile mycorp-srvcprof attr vlan-name mycorp-vlan
success: change accepted.
WX1200# set service-profile mycorp-srvcprof rsn-ie enable
success: change accepted.
WX1200# set servic[...]

Page 469
The rule does not by itself allow access to all usernames. The ** value simply makes all usernames eligible for authentication, in this case by searching the switch's local database for the matching user names and passwords. If a username does not match on the access rule's userglob, the user is denied a[...]

Page 470
Displaying Session Information for Web Portal WebAAA Users

To display user session information for Web Portal WebAAA users, use the following command:

display sessions network [user user-glob | mac-addr mac-addr-glob | ssid ssid-name | vlan vlan-glob | session-id session-id | wired] [[...]

Page 471
Using a Custom Login Page

By default, MSS serves the 3Com login page for Web login. To serve a custom page instead, do the following:

1 Copy and modify the 3Com page, or create a new page.

2 Create a subdirectory in the user files area of the WX switch's nonvolatile storage, and copy the custom page int[...]

Page 472
MSS uses the following process to find the login page to display to a user:

If the user is attempting to access an SSID and a custom page is specified in the service profile, MSS serves the custom page.

If the switch nonvolatile storage has a page in web named wba_form.html (web/wb[...]

Page 473
5 Save the modified page.

Filenames and paths for image source files must be relative to the HTML page. For example, if login page mycorp-login.html and image file mylogo.gif are located in subdirectory mycorp/, specify the image source as mylogo.gif, not mycorp/mylogo.gif.

It is recommended to keep the form a[...]

Page 474
c Change the greeting:

<h3> Welcome to Mycorp's Wireless LAN </h3>

d Change the warning statement if desired:

<B>WARNING:</B> Mycorp's warning text.

e Do not change the form (delimited by the <form name => and </form> tags). The form values are requir[...]

Page 475
For the url, specify the full path; for example, mycorp-webaaa/mycorp-login.html. If the custom login page includes *.gif or *.jpg images, their path names are interpreted relative to the directory from which the page is served.

9 Configure WebAAA users and rules as described in "Configuring Web Portal Web[...]

Page 476
When user piltdown is successfully authenticated and authorized, MSS redirects the user to the following URL:

http://myserver.com/piltdown.html

The following example configures a redirect URL that contains a script argument using the literal character ?:

WX1200# set usergroup ancestors a[...]

Page 477
5 Commit the new ACL to the configuration, using the following command:

commit security acl

6 Change the Web-Portal ACL name set on the service profile, using the following command:

set service-profile name web-portal-acl aclname

7 Verify the change by displaying the service profile.

8 Save the configuration cha[...]

Page 478
To change the Web Portal WebAAA session timeout period, use the following command:

set service-profile name web-portal-session-timeout seconds

You can specify from 5 to 2,800 seconds. The default is 5 seconds. Note that the Web Portal WebAAA session timeout period applies only to Web P[...]

Page 479
Configuring Last-Resort Access 479

The URL should be of the form https://host/logout.html. By default, the logout URL uses the IP address of the WX switch as the host part of the URL. The host can be either an IP address or a hostname. Specifying the logout URL is useful if you want to standardize it across your network. For example, you ca[...]

Page 480
You do not need to configure an access rule for last-resort access. Last-resort access is automatically enabled on all service profiles and wired authentication ports that have the fallthru authentication type set to last-resort. (The set authentication last-resort and clear authentication [...]

Page 481
WEP Unicast Index: 1
WEP Multicast Index: 1
Shared Key Auth: NO
WPA and RSN enabled:
    ciphers: cipher-tkip, cipher-ccmp, cipher-wep40
    authentication: 802.1X
    TKIP countermeasures time: 60000 ms
vlan-name = guest-vlan
...

Beginning with MSS Version 5.0, the special user last-resort-ssid, where ssid is the SSID nam[...]

Page 482
Configuring AAA for Users of Third-Party APs

A WX switch can provide network access for users associated with a third-party AP that has authenticated the users with RADIUS. You can connect a third-party AP to a WX switch and configure the WX to provide authorization for clients who authen[...]

Page 483
Configuring AAA for Users of Third-Party APs 483

For any users of an AP that sends SSID traffic to the WX on an untagged VLAN, the WX does not use 802.1X. The WX sends a RADIUS query for the special username web-portal-wired or last-resort-wired, depending on the fallthru authentication type specified for the wired authentication port.

5 After s[...]

Page 484
WX Switch Requirements

The WX port connected to the third-party AP must be configured as a wired authentication port. If SSID traffic from the AP is tagged, the same VLAN tag value must be used on the wired authentication port.

A MAC authentication rule must be configured to authent[...]

Page 485
Configure a MAC authentication rule for the AP. Use the following command:

set authentication mac wired mac-addr-glob method1

Configure the WX port connected to the AP as a RADIUS proxy for the SSID supported by the AP. If SSID traffic from the AP is tagged, assign the same tag value to t[...]

Page 486
The following command configures a MAC authentication rule that matches on the third-party AP's MAC address. Because the AP is connected to the WX switch on a wired authentication port, the wired option is used.

WX4400# set authentication mac wired aa:bb:cc:01:01:01 srvrgrp1
success: chang[...]

Page 487
Assigning Authorization Attributes 487

Configuring Authentication for Non-802.1X Users of a Third-Party AP with Tagged SSIDs

To configure MSS to authenticate non-802.1X users of a third-party AP, use the same commands as those required for 802.1X users. Additionally, when configuring the wired authentication port, use the auth-fall-thru opti[...]

Page 488
Table 43 lists the authorization attributes supported by MSS. (For brief descriptions of all the RADIUS attributes and 3Com vendor-specific attributes supported by MSS, as well as the vendor ID and types for 3Com VSAs configured on a RADIUS server, see "Supported RADIUS Attributes" on pa[...]

Page 489
end-date — Date and time after which the user is no longer allowed to be on the network. Date and time, in the following format: YY/MM/DD-HH:MM. You can use end-date alone or with start-date. You also can use start-date, end-date, or both in conjunction with time-of-day.

filter-id (network access mode only)[...]

Page 490
service-type — Type of access the user is requesting. One of the following numbers:

2 — Framed; for network user access
6 — Administrative; for administrative access to the WX switch, with authorization to access the enabled (configuration) mode. The user must enter the enable command to acce[...]

Page 491
start-date — Date and time at which the user becomes eligible to access the network. MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified). Date and time, in the following format: YY/MM/DD-HH:MM. You can [...]

Page 492
Assigning Attributes to Users and Groups

You can assign authorization attributes to individual users or groups of users. Use any of the following commands to assign an attribute to a user or group in the local WX database and specify its value:

set user username attr attribute-name value [...]

Page 493
To change the value of an authorization attribute, reenter the command with the new value.

To assign an authorization attribute to a user's configuration on a RADIUS server, see the documentation for your RADIUS server.

Assigning SSID Default Attributes to a Service Profile

You can configure a serv[...]

Page 494
All of the authorization attributes listed in Table 40 on page 448 can be specified in a service profile except ssid.

Assigning a Security ACL to a User or a Group

Once a security access control list (ACL) is defined and committed, it can be applied dynamically and automatically to user[...]

Page 495
You can set filters for incoming and outgoing packets:

Use acl-name.in to filter traffic that enters the WX switch from users via a MAP access port or wired authentication port, or from the network via a network port.

Use acl-name.out to filter traffic sent from the WX switch to users via a MAP a[...]

Page 496
Assigning Encryption Types to Wireless Users

When a user turns on a wireless laptop or PDA, the device attempts to find an access point and form an association with it. Because MAPs support the encryption of wireless traffic, clients can choose an encryption type to use. You can[...]

Page 497
For example, the following command restricts the MAC user group mac-fans to access the network by using only TKIP:

WX1200# set mac-usergroup mac-fans attr encryption-type 4
success: change accepted.

You can also specify a combination of allowed encryption types by summing the values. For example, the followi[...]

Page 498
Keeping Users on the Same VLAN Even After Roaming

In some cases, a user can be assigned to a different VLAN after roaming to another WX switch. Table 46 lists the ways a VLAN can be assigned to a user after roaming from one WX to another. Yes in the table means the VLAN is set on the ro[...]

Page 499
Overriding or Adding Attributes Locally with a Location Policy 499

SSID means the VLAN is set on the roamed-to switch, in the service profile for the SSID the user is associated with. (The Vlan-name attribute is set by the set service-profile name attr vlan-name vlan-id command, entered on the roamed-to switch. The name is the name of the [...]

Page 500
About the Location Policy

Each WX switch can have one location policy. The location policy consists of a set of rules. Each rule contains conditions, and an action to perform if all conditions in the rule match. The location policy can contain up to 50 rules. The action can be one of the f[...]

Page 501
Setting the Location Policy

To enable the location policy function on a WX switch, you must create at least one location policy rule with one of the following commands:

set location policy deny if {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob | po[...]

Page 502
The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1:

WX1200# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
success: change accepted.

Applying Security ACLs in a Location Policy Rule

When reassigning security ACL filters, specify[...]

Page 503
For example, suppose you have configured the following location policy rules:

WX1200# display location policy
Id   Clauses
----------------------------------------------------------------
1)   deny if user eq *.theirfirm.com
2)   permit vlan guest_1 if vlan neq *.ourfirm.com
3)   permit [...]

Page 504
Configuring Accounting for Wireless Network Users

Accounting records come in three types: start-stop, stop-only, and update for network users. The records provide information about network resource usage. To set accounting, type the following command:

set accounting {admin | console | [...]

Page 505
Configuring Accounting for Wireless Network Users 505

(For details about display accounting statistics output, see the Wireless LAN Switch and Controller Command Reference. For information about accounting update records, see "Viewing Roaming Accounting Records" on page 505. To configure accounting on a RADIUS server, see the documenta[...]

Page 506
User-Name=Administrator@example.com
Acct-Session-Time=209
Acct-Output-Octets=1280
Acct-Input-Octets=1920
Acct-Output-Packets=10
Acct-Input-Packets=15
Event-Timestamp=1053536700
Vlan-Name=default
Calling-Station-Id=00-06-25-09-39-5D
Nas-Port-Id=2/1
Called-Station-Id=00-0B-0E-76-56-A0

The user t[...]

Page 507
Displaying the AAA Configuration 507

Displaying the AAA Configuration

To view the results of the AAA commands you have set and verify their order, type the display aaa command. The order in which the commands appear in the output determines the order in which MSS matches them to users. (Sometimes the order might not be what you intended. See [...]

Page 508
Avoiding AAA Problems in Configuration Order

This section describes some common AAA configuration issues on the WX switch and how to avoid them.

Using the Wildcard "Any" as the SSID Name in Authentication Rules

You can configure an authentication rule to match on all SSID strings by[...]

Page 509
Avoiding AAA Problems in Configuration Order 509

Configuration Producing an Incorrect Processing Order

For example, suppose you initially set up start-stop accounting as follows for all 802.1X users via RADIUS server group 1:

WX1200# set accounting dot1x ssid mycorp * start-stop group1
success: change accepted.

You then set up PEAP-MS-CHAP-V2 [...]

Page 510
The configuration order now shows that all 802.1X users are processed as you intended:

WX1200# display aaa
...
set accounting dot1x ssid mycorp EXAMPLE/* start-stop group1
set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
set accounting dot1x ssid mycorp * start-stop group[...]
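The glob matching and first-match ordering behind this fix, as an added example in Python (not MSS code). It serves three passages of this chapter: the user and MAC globs of "Globs" and Groups for Network User Classification, the location policy (rules are tried in display order and the first rule whose clauses all hold wins), and the configuration-order problem shown here, where a rule with userglob * entered before a more specific EXAMPLE/* rule shadows it. The glob semantics are an assumption, since the page does not spell them out: ** matches anything, a single * matches any run of characters but does not cross an @ or . that follows it in the glob, everything else is literal, and in MAC globs * spans any number of octets. ENTERED_ORDER and FIXED_ORDER are constructed to mirror the scenario (the page shows only the corrected display aaa output); LOCATION_POLICY uses the two rules shown in the display location policy example earlier in this chapter plus the kiosk_1 rule, and leaves the truncated third rule out.

```python
"""Added example (Python, not MSS code): MSS-style globs and first-match
rule order.  Glob semantics are an assumption: ** matches anything, a single
* matches any run of characters but does not cross an @ or . that follows it
in the glob, anything else is literal; in MAC globs * spans any number of
octets.  ENTERED_ORDER, FIXED_ORDER and LOCATION_POLICY are constructed.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

USER_DELIMITERS = "@."


def glob_to_regex(glob: str, delimiters: str = USER_DELIMITERS) -> "re.Pattern[str]":
    pattern, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            pattern += ".*"
            i += 2
        elif glob[i] == "*":
            # a lone * (no delimiter after it in the glob) matches everything
            rest_has_delim = any(ch in delimiters for ch in glob[i + 1:])
            pattern += f"[^{re.escape(delimiters)}]*" if rest_has_delim else ".*"
            i += 1
        else:
            pattern += re.escape(glob[i])
            i += 1
    return re.compile(f"^{pattern}$")


def matches(glob: str, value: str, delimiters: str = USER_DELIMITERS) -> bool:
    return glob_to_regex(glob, delimiters).match(value) is not None


def mac_matches(glob: str, mac: str) -> bool:
    """MAC globs such as 01:0f:03:* ; case of hex digits is ignored."""
    return matches(glob.lower(), mac.lower(), delimiters="")


AaaRule = Tuple[str, str]            # (userglob, method), in display aaa order


def first_match(rules: Sequence[AaaRule], username: str) -> Optional[str]:
    """MSS applies the first rule whose userglob matches, so order decides."""
    for userglob, method in rules:
        if matches(userglob, username):
            return method
    return None


# Location policy rule: (action, overrides, clauses); every clause
# (field, "eq" | "neq", glob) must hold for the rule to fire.
LocationRule = Tuple[str, Dict[str, str], List[Tuple[str, str, str]]]


def apply_location_policy(rules: Sequence[LocationRule],
                          session: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the session with the winning rule's overrides applied, None if a
    deny rule fired, or the session unchanged when no rule matches."""
    for action, overrides, clauses in rules:
        fired = all((op == "eq") == matches(glob, session[field])
                    for field, op, glob in clauses)
        if not fired:
            continue
        return None if action == "deny" else {**session, **overrides}
    return dict(session)


ENTERED_ORDER = [("*", "pass-through group1"), ("EXAMPLE/*", "peap-mschapv2 group1")]
FIXED_ORDER = [("EXAMPLE/*", "peap-mschapv2 group1"), ("*", "pass-through group1")]
LOCATION_POLICY: List[LocationRule] = [
    ("deny", {}, [("user", "eq", "*.theirfirm.com")]),
    ("permit", {"vlan": "guest_1"}, [("vlan", "neq", "*.ourfirm.com")]),
    ("permit", {"vlan": "kiosk_1"}, [("ssid", "eq", "tempvendor_a")]),
]

if __name__ == "__main__":
    print("EXAMPLE/bob, * entered first :", first_match(ENTERED_ORDER, "EXAMPLE/bob"))
    print("EXAMPLE/bob, EXAMPLE/* first :", first_match(FIXED_ORDER, "EXAMPLE/bob"))
    for user, vlan, ssid in [("eve.theirfirm.com", "eng.ourfirm.com", "mycorp"),
                             ("bob.ourfirm.com", "partner", "mycorp"),
                             ("kiosk.ourfirm.com", "eng.ourfirm.com", "tempvendor_a")]:
        session = {"user": user, "vlan": vlan, "ssid": ssid}
        print(user, "->", apply_location_policy(LOCATION_POLICY, session))
```

The same first_match walk is what display aaa lets you audit: with ENTERED_ORDER an EXAMPLE domain user is silently handled by the catch-all rule, and nothing in the authentication result tells you the PEAP offload rule was never consulted.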
Page 511
Configuring a Mobility Profile 511

You can then assign this Mobility Profile to one or more users. For example, to assign the Mobility Profile roses-profile to all users at EXAMPLE, type the following command:

WX1200# set user EXAMPLE* attr mobility-profile roses-profile
success: change accepted.

(For a list of the commands for assigning [...]

Page 512
Network User Configuration Scenarios

The following scenarios provide examples of ways in which you use AAA commands to configure access for users:

"General Use of Network User Commands" on page 512
"Enabling RADIUS Pass-Through Authentication" on page 514
"Enabling PEAP-[...]

Page 513
Network User Configuration Scenarios 513

5 Create a Mobility Profile called tulip by typing the following commands:

WX1200# set mobility-profile name tulip port 2,5
success: change accepted.
WX1200# set mobility-profile mode enable
success: change accepted.
WX1200# display mobility-profile
Mobility Profiles
Name      Ports
=========================
t[...]

Page 514
8 Save the configuration:

WX1200# save config
success: configuration saved.

Enabling RADIUS Pass-Through Authentication

The following example illustrates how to enable RADIUS pass-through authentication for all 802.1X network users:

1 Configure the RADIUS server r1 at IP address 10.1.1.1 with [...]

Page 515
3 To assign Natasha to a VLAN named red, type the following command:

WX1200# set user Natasha attr vlan-name red

4 To assign Natasha a session timeout value of 1200 seconds, type the following command:

WX1200# set user Natasha attr session-timeout 1200

5 Save the configuration:

WX1200# save config
suc[...]

Page 516
Combining EAP Offload with Pass-Through Authentication

The following example illustrates how to enable PEAP-MS-CHAP-V2 offload for the marketing (mktg) group and RADIUS pass-through authentication for members of engineering. This example assumes that engineering members are using DNS-style [...]

Page 517
1 Redirect bldga-prof- VLAN users to the VLAN bldgb-eng:

WX1200# set location policy permit vlan bldgb-eng if vlan eq bldga-prof-*

2 Allow writing instructors from -techcomm VLANs to use the bldgb-eng VLAN:

WX1200# set location policy permit vlan bldgb-eng if vlan eq *-techcomm

3 Display the configura[...]

Page 518
518 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS [...]

Page 519
22 CONFIGURING COMMUNICATION WITH RADIUS

For a list of the standard and extended RADIUS attributes and 3Com vendor-specific attributes (VSAs) supported by MSS, see "Supported RADIUS Attributes" on page 651.

RADIUS Overview

Remote Authentication Dial-In User Service (RADIUS) is a distributed client-server system. RADIUS servers provide a [...]

Page 520
520 CHAPTER 22: CONFIGURING COMMUNICATION WITH RADIUS

Figure 33 Wireless Client, MAP, WX Switch, and RADIUS Servers

In the example shown in Figure 33, the following events occur:

1 The wireless user (client) requests an IEEE 802.11 association from the MAP.

2 After the MAP creates the association, the WX switch sends an Extensible Authentic[...]

Page 521
Before You Begin 521

Before You Begin

To ensure that you can contact the RADIUS servers you plan to use for authentication, send the ping command to each one to verify connectivity.

ping ip-address

You can then set up communication between the WX switch and each RADIUS server group.

Configuring RADIUS Servers

An authentication server authenti[...]

Page 522
During the holddown, it is as if the dead RADIUS server does not exist. MSS skips over any dead RADIUS servers to the next live server, or on to the next method if no more live servers are available, depending on your configuration. For example, if a RADIUS server group is the primary [...]

Page 523
Configuring RADIUS Servers 523

For example, the following command resets the dead-time timer to 0 minutes on all RADIUS servers in the WX configuration:

WX1200# clear radius deadtime
success: change accepted.

Setting the System IP Address as the Source Address

By default, RADIUS packets leaving the WX switch have the source IP address of the outbo[...]
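An added example in Python (not MSS code) covering two passages: Remote Authentication with Local Backup in Chapter 21, where an Access-Reject from any responding server in the group is final and only a group in which no server answers falls through to the next method, and the dead-time holddown described here, where a server that did not answer is skipped until the holddown expires and clear radius deadtime ends it. Server behaviour is simulated by callables, holddown is tracked per server in seconds, and "local" stands for the switch's local database; the server names, the user, the password and the outcomes are constructed.

```python
"""Added example (Python, not MSS code): method-list fall-through and the
RADIUS dead-time holddown.  Servers are simulated by callables; "local"
stands for the switch's local database; all names and outcomes are made up.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Answer = Optional[bool]       # True = Access-Accept, False = Access-Reject, None = no reply


@dataclass
class RadiusServer:
    name: str
    respond: Callable[[str, str], Answer]
    dead_until: float = 0.0   # holddown expiry time; 0 = live


@dataclass
class AaaEngine:
    deadtime_minutes: int = 0                      # set radius deadtime; 0 = no holddown (page default)
    groups: Dict[str, List[RadiusServer]] = field(default_factory=dict)
    local_users: Dict[str, str] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)

    def _query_group(self, group: str, user: str, password: str, now: float) -> Answer:
        for srv in self.groups[group]:
            if srv.dead_until > now:
                self.trace.append(f"{srv.name}: in holddown, skipped")
                continue
            answer = srv.respond(user, password)
            if answer is None:
                self.trace.append(f"{srv.name}: no response")
                srv.dead_until = now + 60 * self.deadtime_minutes
                continue
            self.trace.append(f"{srv.name}: {'Access-Accept' if answer else 'Access-Reject'}")
            return answer                          # any real answer is final for this group
        return None                                # nobody in the group answered

    def authenticate(self, methods: List[str], user: str, password: str, now: float = 0.0) -> bool:
        self.trace.clear()
        for method in methods:
            if method == "local":
                ok = self.local_users.get(user) == password
                self.trace.append(f"local: {'accept' if ok else 'reject'}")
                return ok
            answer = self._query_group(method, user, password, now)
            if answer is not None:
                return answer                      # a reject is NOT retried on later methods
            self.trace.append(f"{method}: no server answered, trying next method")
        self.trace.append("no method answered: access denied")
        return False

    def clear_radius_deadtime(self) -> None:
        """Equivalent of clear radius deadtime: holddown off, all servers live again."""
        self.deadtime_minutes = 0
        for servers in self.groups.values():
            for srv in servers:
                srv.dead_until = 0.0


def silent(user: str, password: str) -> Answer:
    return None                                    # unreachable server


def rejecting(user: str, password: str) -> Answer:
    return False                                   # reachable, but knows no such user


def build_engine(deadtime_minutes: int = 0) -> AaaEngine:
    """Constructed scenario: rs1 unreachable, rs2 rejects everyone, local database knows Jose."""
    eng = AaaEngine(deadtime_minutes=deadtime_minutes)
    rs1 = RadiusServer("rs1", silent)              # one server object, shared by both groups
    eng.groups["shorebirds"] = [rs1, RadiusServer("rs2", rejecting)]
    eng.groups["all-silent"] = [rs1, RadiusServer("rs3", silent)]
    eng.local_users["Jose@example.com"] = "correct horse"
    return eng


if __name__ == "__main__":
    eng = build_engine()
    print(eng.authenticate(["shorebirds", "local"], "Jose@example.com", "correct horse"), eng.trace)
    print(eng.authenticate(["all-silent", "local"], "Jose@example.com", "correct horse"), eng.trace)
```

The first call shows the behaviour that surprises people: Jose is in the local database with the right password, but because rs2 answered with a reject, the local method is never reached. The holddown only changes which servers are asked, never whether a reject is final.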
Page 524
You can configure multiple RADIUS servers. When you define server names and keys, case is significant. For example:

WX1200# set radius server rs1 address 10.6.7.8 key seCret
success: change accepted.
WX1200# set radius server rs2 address 10.6.7.9 key BigSecret
success: change accepted.

Y[...]

Page 525
Configuring RADIUS Server Groups 525 Creating Server Gr oups T o create a server gr oup, you must first configure the RADIUS servers with their addresses and any optio nal parameters. After configuring RADIUS servers, type the following command: set server group group-name members server-name1 [ server-name2 ] [ server-name3 ] [ serve r-name4 ] For[...]
526 CHAPTER 22: CONFIGURING COMMUNICATION WITH RADIUS
Configuring Load Balancing
You can configure the WX switch to distribute authentication requests across RADIUS servers in a server group, which is called load balancing. Distributing the authentication process across multiple RADIUS servers significantly reduces the load on individual ser[...]
Configuring RADIUS Server Groups 527
Adding Members to a Server Group
To add RADIUS servers to a server group, type the following command:
set server group group-name members server-name1 [ server-name2 ] [ server-name3 ] [ server-name4 ]
The keyword members lists the RADIUS servers contained in the named server group. A server group can contain[...]
528 CHAPTER 22: CONFIGURING COMMUNICATION WITH RADIUS
The members of the group remain configured, although no server groups are shown:
WX1200# display aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server Addr Ports T/o Tries Dead State
--------------[...]
RADIUS and Server Group Configuration Scenario 529
6 Display the configuration. Type the following command:
WX1200# display aaa
Default Values
authport=1812 acctport=1813 timeout=5 acct-timeout=5
retrans=3 deadtime=0 key=(null) author-pass=(null)
Radius Servers
Server Addr Ports T/o Tries Dead State
------------------------------------ --------[...]
530 CHAPTER 22: CONFIGURING COMMUNICATION WITH RADIUS[...]
23 MANAGING 802.1X ON THE WX SWITCH
Certain settings for IEEE 802.1X sessions on the WX switch are enabled by default. For best results, change the settings only if you are aware of a problem with the WX switch's 802.1X performance. For settings that you can reset with a clear command, MSS reverts to the default value. See "Managing WE[...]
532 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH
The default setting is enable, which permits 802.1X authentication to occur as determined by the set dot1X port-control command for each wired authentication port. The disable setting forces all wired authentication ports to unconditionally authorize all 802.1X authentication attempts by user [...]
Managing 802.1X Encryption Keys 533
Managing 802.1X Encryption Keys
By default, the WX switch sends encryption key information to a wireless supplicant (client) in an Extensible Authentication Protocol over LAN (EAPoL) packet after authentication is successful. You can disable this feature or change the time interval for key transmission. The[...]
534 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH
Type the following command to reset the retransmission interval to the 5-second default:
WX1200# clear dot1x tx-period
success: change accepted.
Managing WEP Keys
Wired-Equivalent Privacy (WEP) is part of the system security of 802.1X. MSS uses WEP to provide confidentiality to packets as they a[...]
Setting EAP Retransmission Attempts 535
To reenable WEP rekeying, type the following command:
WX1200# set dot1x wep-rekey enable
success: wep rekeying enabled
Configuring the Interval for WEP Rekeying
The following command sets the interval for rotating the WEP broadcast and multicast keys:
set dot1x wep-rekey-period seconds
The default is 1800[...]
536 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH
Supplicant timeout (configured by the set dot1x timeout supplicant command)
RADIUS session-timeout attribute
If both of these timeouts are set, MSS uses the shorter of the two. If the RADIUS session-timeout attribute is not set, MSS uses the timeout specified by the set dot1x timeout sup[...]
Managing 802.1X Client Reauthentication 537
The default number of reauthentication attempts is 2. You can specify from 1 to 10 attempts. For example, type the following command to set the number of authentication attempts to 8:
WX1200# set dot1x reauth-max 8
success: dot1x max reauth set to 8.
Type the following command to reset the maximum numb[...]
538 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH
Setting the Bonded Authentication Period
The following command changes the Bonded Auth™ (bonded authentication) period, which is the number of seconds MSS retains session information for an authenticated machine while waiting for the 802.1X client on the machine to start (re)authentication [...]
Managing Other Timers 539
Type the following command to reset the 802.1X quiet period to the default:
WX1200# clear dot1x quiet-period
success: change accepted.
Setting the 802.1X Timeout for an Authorization Server
Use this command to configure the number of seconds before the WX switch times out a request to a RADIUS authorization server.
set d[...]
540 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH
Displaying 802.1X Information
This command displays 802.1X information for clients, statistics, VLANs, and configuration.
display dot1x { clients | stats | config }
display dot1x clients displays the user name, MAC address, VLAN, and state of active 802.1X clients.
display dot1x config[...]
Displaying 802.1X Information 541
802.1X parameter setting
---------------- -------
supplicant timeout 30
auth-server timeout 30
quiet period 5
transmit period 5
reauthentication period 3600
maximum requests 2
key transmission enabled
reauthentication enabled
authentication control enabled
WEP rekey period 1800
WEP rekey enabled
Bonded period 60
p[...]
542 CHAPTER 23: MANAGING 802.1X ON THE WX SWITCH[...]
24 CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
Sygate On-Demand (SODA) is an endpoint security solution that allows enterprises to enforce security policies on client devices without having to install any special software on the client machines. MSS can be configured to run SODA security checks on users' machines as a requirement [...]
544 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
Malicious Code Protection – Detects and blocks keystroke loggers that capture usernames and passwords, Trojans that create back-door user accounts, and Screen Scrapers that spy on user activity. The Malicious Code module integrates a Virtual Keyboard function that req[...]
About SODA Endpoint Security 545
If the security checks fail, the WX switch can deny the client access to the network, or grant the client limited access based on a configured security ACL. When the client closes the Virtual Desktop, the WX switch can optionally disconnect the client from the network.
How SODA Functionality Works on[...]
546 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
6 Once the SODA agent files have been downloaded, one of the following can take place:
a If the WX switch is configured to enforce the SODA agent security checks (the default), then the SODA agent checks are run on the user's computer. If the user's computer passes t[...]
Configuring SODA Functionality 547
7 Specify a page for a client to load when the SODA agent checks run successfully (optional). See "Specifying a SODA Agent Success Page" on page 551.
8 Specify a page for a client to load when the SODA agent checks fail (optional). See "Specifying a SODA Agent Failure Page" on page 551.
9 Specify an [...]
548 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
Note the following when creating the SODA agent in SODA Manager:
The failure.html and success.html pages, when specified as success or failure URLs in SODA Manager, must be of the format:
https://hostname/soda/ssid/xxx.html
where xxx refers to the name of the HTML fi[...]
Configuring SODA Functionality 549
Copying the SODA Agent to the WX Switch
After creating the SODA agent with SODA Manager, you copy the .zip file to the WX switch using TFTP. For example, the following command copies the soda.ZIP file from a TFTP server to the WX switch:
WX1200# copy tftp://172.21.12.247/soda.ZIP soda.ZIP
..............[...]
550 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
Enabling SODA Functionality for the Service Profile
To enable SODA functionality for a service profile, use the following command:
set service-profile name soda mode { enable | disable }
When SODA functionality is enabled for a service profile, a SODA agent is downloaded[...]
Configuring SODA Functionality 551
Specifying a SODA Agent Success Page
When a client successfully runs the checks performed by the SODA agent, by default a dynamically generated page is displayed on the client indicating that the checks succeeded. You can optionally create a custom success page that is displayed on the client instead of th[...]
552 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
To reset the failure page to the default value, use the following command:
clear service-profile name soda failure-page
The page refers to a file on the WX switch. After this page is loaded, the specified remediation ACL takes effect, or if there is no remediation ACL con[...]
Configuring SODA Functionality 553
If configured, a remediation ACL is applied to a client when the client loads the failure page. A client loads the failure page only if the service profile is set to enforce SODA agent checks, and the client fails the SODA agent checks. Consequently, in order to apply a remediation ACL to a client, you [...]
554 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
The following command specifies logout.html, in the soda-files directory on the WX switch, as the page to load when a client closes the SODA virtual desktop:
WX# set service-profile sp1 soda logout-page soda-files/logout.html
success: change accepted.
During authentication, [...]
Configuring SODA Functionality 555
For example, the following command removes the directory sp1 and all of its contents:
WX1200# uninstall soda agent agent-directory sp1
This will delete all files in agent-directory, do you wish to continue? (y|n) [n] y
Displaying SODA Configuration Information
To view information about the SODA configuration [...]
556 CHAPTER 24: CONFIGURING SODA ENDPOINT SECURITY FOR A WX SWITCH
(For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)[...]
25 MANAGING SESSIONS
About the Session Manager
A session is a related set of communication transactions between an authenticated user (client) and the specific station to which the client is bound. Packets are exchanged during a session. A WX switch supports the following kinds of sessions:
Administrative sessions — A network administra[...]
558 CHAPTER 25: MANAGING SESSIONS
Displaying and Clearing All Administrative Sessions
To view information about the sessions of all administrative users, type the following command:
WX1200> display sessions admin
Tty Username Time (s) Type
------- -------------------- -------- ----
tty0 3644 Console
tty2 tech 6 Telnet
tty3 sshadmin 381 SSH [...]
Displaying and Clearing Administrative Sessions 559
Displaying and Clearing Administrative Telnet Sessions
To view information about administrative Telnet sessions, type the following command:
WX1200> display sessions telnet
Tty Username Time (s) Type
------- -------------------- -------- ----
tty3 sshadmin 2099 SSH
1 telnet session
To clea[...]
560 CHAPTER 25: MANAGING SESSIONS
Displaying and Clearing Network Sessions
Use the following command to display information about network sessions:
display sessions network [ user user-glob | mac-addr mac-addr-glob | ssid ssid-name vlan vlan-glob | session-id session-id | wired ] [ verbose ]
In most cases, you can display both summary and deta[...]
Displaying and Clearing Network Sessions 561
Displaying Verbose Network Session Information
In the display sessions network commands, you can specify verbose to get more in-depth information. For example, to display detailed information for all network sessions, type the following command:
WX1200> display sessions network verbose
User Sess IP[...]
562 CHAPTER 25: MANAGING SESSIONS
Displaying and Clearing Network Sessions by Username
You can view sessions by a username or user glob. (For a definition of user globs and their format, see "User Globs" on page 30.) To see all sessions for a specific user or for a group of users, type the following command:
display sessions network user u[...]
Displaying and Clearing Network Sessions 563
Displaying and Clearing Network Sessions by MAC Address
You can view sessions by MAC address or MAC address glob. (For a definition of MAC address globs and their format, see "MAC Address Globs" on page 31.) To view session information for a MAC address or set of MAC addresses, type the follo[...]
564 CHAPTER 25: MANAGING SESSIONS
To clear the sessions on a VLAN or set of VLANs, use the following command:
clear sessions network vlan vlan-glob
For example, the following command clears the sessions of all users on VLAN red:
WX1200# clear sessions network vlan red
Displaying and Clearing Network Sessions by Session ID
You can display info[...]
Displaying and Changing Network Session Timers 565
Last packet signal strength: -60 dBm
Last packet data S/N ratio: 35
Protocol: 802.11
Session CAC: disabled
(For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
The verbose option is not available with the display sessions network session-[...]
566 CHAPTER 25: MANAGING SESSIONS
MSS temporarily keeps session information for disassociated web-portal clients to allow them time to reassociate after roaming. (See "Configuring the Web Portal WebAAA Session Timeout Period" on page 477.)
Disabling Keepalive Probes
To disable or reenable keepalive probes in a service profile, use the fo[...]
26 ROGUE DETECTION AND COUNTERMEASURES
MAP radios automatically scan the RF spectrum for other devices transmitting in the same spectrum. The RF scans discover third-party transmitters in addition to other 3Com radios. MSS considers the unknown transmitters to be devices of interest, which are potential rogues.
Overview
You can display in[...]
568 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Rogue Classification
When MSS detects a third-party wireless device that is not allowed on the network, MSS classifies the device as one of the following:
Rogue—The device is in the 3Com network but does not belong there.
Interfering device—The device is not part of the 3Com netw[...]
About Rogues and RF Detection 569
Rogue Detection Lists
Rogue detection lists specify the third-party devices and SSIDs that MSS allows on the network, and the devices MSS classifies as rogues. You can configure the following rogue detection lists:
Permitted SSID list—A list of SSIDs allowed in the Mobility Domain. MSS generates a mess[...]
570 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Figure 34 Rogue Detection Algorithm
[Flowchart. Start: MAP radio detects wireless packet. Decision nodes: Source MAC in Ignore List?; SSID in Permitted SSID List?; OUI in Permitted Vendor List?; Source MAC in Attack List? Outcomes: Device is not a threat; Generate an alarm, Classify device as a rogue; Issue [...]]
About Rogues and RF Detection 571
RF Detection Scans
All radios continually scan for other RF transmitters. Radios perform passive scans and active scans:
Passive scans — The radio listens for beacons and probe responses.
Active scans — The radio sends probe any requests (probe requests with a null SSID name) to solicit probe[...]
572 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
When a MAP radio detects radar on a channel, the radio switches to another channel and does not attempt to use the channel where the radar was detected for 30 minutes. MSS also generates a message. The RF Auto-tuning feature must be enabled. Otherwise MSS cannot change the channel.
Counterm[...]
Summary of Rogue Detection Features 573
Summary of Rogue Detection Features
Table 48 lists the rogue detection features in MSS.
Table 48 Rogue Detection Features
Rogue Detection Feature | Description | Applies To: Third-Party APs | Clients
Classification | MSS can classify third-party APs as rogues or interfering devices. A rogue is a third-party AP [...]
574 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Configuring Rogue Detection Lists
The following sections describe how to configure lists to specify the devices that are allowed on the network and the devices that MSS should attack with countermeasures. (For information about how MSS uses the lists, see "Rogue Detection Lists" on page[...]
Configuring Rogue Detection Lists 575
If you add a device that MSS has classified as a rogue to the permitted vendor list, but not to the ignore list, MSS can still classify the device as a rogue. Adding an entry to the permitted vendor list merely indicates that the device is from an allowed vendor. However, to cause MSS to st[...]
576 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Configuring a Permitted SSID List
The permitted SSID list specifies the SSIDs that are allowed on the network. If MSS detects packets for an SSID that is not on the list, the AP that sent the packets is classified as a rogue. MSS issues countermeasures against the rogue if they are enabled.[...]
Configuring Rogue Detection Lists 577
The following command clears SSID mycorp from the permitted SSID list:
WX1200# clear rfdetect ssid-list mycorp
success: mycorp is no longer in ssid-list.
Configuring a Client Black List
The client black list specifies clients that are not allowed on the network. MSS drops all packets from the clients on t[...]
578 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Configuring an Attack List
The attack list specifies the MAC addresses of devices that MSS should issue countermeasures against whenever the devices are detected on the network. The attack list can contain the MAC addresses of APs and clients. By default, the attack list is empty. The attac[...]
Configuring Rogue Detection Lists 579
The following command clears MAC address 11:22:33:44:55:66 from the attack list:
WX4400# clear rfdetect attack-list 11:22:33:44:55:66
success: 11:22:33:44:55:66 is no longer in attacklist.
Configuring an Ignore List
By default, when countermeasures are enabled, MSS considers any non-3Com transmitter to [...]
580 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
The following command displays an ignore list containing two BSSIDs:
WX4400# display rfdetect ignore
Total number of entries: 2
Ignore MAC
-----------------
aa:bb:cc:11:22:33
aa:bb:cc:44:55:66
Enabling Countermeasures
Countermeasures are disabled by default. You can enable them on an indiv[...]
Enabling Countermeasures 581
The following command disables countermeasures in radio profile radprof3:
WX4400# clear radio-profile radprof3 countermeasures
success: change accepted.
Using On-Demand Countermeasures in a Mobility Domain
If you are using on-demand countermeasures in a Mobility Domain, you should enable the feature and synchronize the[...]
582 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Disabling or Reenabling Active Scan
When active scanning is enabled, the MAP radios managed by the switch look for rogue devices by sending probe any frames (probes with a null SSID name), to solicit probe responses from other APs. Active scan is enabled by default. You can disable or ree[...]
Enabling MAP Signatures 583
Creating an Encrypted RF Fingerprint Key as a MAP Signature
To create an encrypted RF fingerprint key to use as a signature for a MAP, use the following command:
set rfdetect signature key encrypted <key_value>
For example:
WXR100_desk# set rfdetect ?
attack-list Add a device to attack-list
black-list black[...]
584 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Disabling or Reenabling Logging of Rogues
By default, a WX switch generates a log message when a rogue is detected or disappears. To disable or reenable the log messages, use the following command:
set rfdetect log { enable | disable }
To display log messages on a switch, use the following[...]
IDS and DoS Alerts 585
Flood Attacks
A flood attack is a type of Denial of Service attack. During a flood attack, a rogue wireless device attempts to overwhelm the resources of other wireless devices by continuously injecting management frames into the air. For example, a rogue client can repeatedly send association requests to try to overwhe[...]
586 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Decrypt errors—An excessive number of decrypt errors can indicate that multiple clients are using the same MAC address. A device's MAC address is supposed to be unique. Multiple instances of the same address can indicate that a rogue device is pretending to be a legitimate device b[...]
IDS and DoS Alerts 587
Weak WEP Key Used by Client
A weak initialization vector (IV) makes a WEP key easier to hack. MSS alerts you regarding clients who are using weak WEP IVs so that you can strengthen the encryption on these clients or replace the clients.
Disallowed Devices or SSIDs
You can configure the following types of lists to explici[...]
588 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Management frame 6 flood: Client aa:bb:cc:dd:ee:ff is sending rsvd mgmt frame 6 message flood. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
Management frame 7 flood: Client aa:bb:cc:dd:ee:ff is sending rsvd mgmt frame 7 message flood. Seen by AP on port 2, radio 1 on channel 11 wit[...]
IDS and DoS Alerts 589
Spoofed disassociation frames: Disassociation frame from AP aa:bb:cc:dd:ee:ff is being spoofed. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
Null probe responses: AP aa:bb:cc:dd:ee:ff is sending null probe responses. Seen by AP on port 2, radio 1 on channel 11 with RSSI -53.
Broadcast deauthentications: AP aa:bb:c[...]
590 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Spoofed AP: AP Mac aa:bb:cc:dd:ee:ff (ssid myssid) is being spoofed. Received fingerprint 1122343 does not match our fingerprint 123344. Detected by listener aa:bb:cc:[...]
Displaying RF Detection Information
You can use the CLI commands listed in Table 50 to display rogue detection information.
Displaying RF Detection Information 591
(For information about the fields in the output, see the Wireless LAN Switch and Controller Command Reference.)
display rfdetect data: Displays information about all BSSIDs detected on the air, and labels those that are from rogues or interfering devices. This command is valid on any switch in the Mobility D[...]
592 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Displaying Rogue Clients
To display the wireless clients detected by a WX switch, use the following command:
display rfdetect clients [ mac mac-addr ]
The following command shows information about all wireless clients detected by a WX switch's MAPs:
WX# display rfdetect clients
Total nu[...]
Displaying RF Detection Information 593
Displaying Rogue Detection Counters
To display rogue detection statistics counters, use the following command:
display rfdetect counters
The command shows counters for rogue activity detected by the WX switch on which you enter the command.
WX1200# display rfdetect counters
Type Current Total
------------[...]
594 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Access points not present in ssid-list 0 0
Access points not present in vendor-list 0 0
Clients not present in vendor-list 0 0
Clients added to automatic black-list 0 0
MSS generates log messages for most of these statistics. See "IDS and DoS Alerts" on page 584.
Displaying SSID or BSSI[...]
Displaying RF Detection Information 595
WX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/11 Mac: 00:0b:0e:00:0a:6a
Device-type: interfering Adhoc: no Crypto-types: clear
RSSI: -85 SSID: 3Com-webaaa
BSSID: 00:0b:0e:00:7a:8a Vendor: 3Com SSID: 3Com-webaaa
Type: intfr Adhoc: no Crypto-types: clear
WX1200-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/1 M[...]
596 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Displaying RF Detect Data
To display information about the APs detected by an individual WX switch, use the following command:
display rfdetect data
You can enter this command on any switch in the Mobility Domain.
WX1200# display rfdetect data
Total number of entries: 197
Flags: i = infras[...]
Displaying RF Detection Information 597
00:0a:5e:4b:4a:c6 3Com intfr 11 -85 i-t--- 3Com-tkip
00:0a:5e:4b:4a:c8 3Com intfr 11 -83 i----w 3Com-voip
00:0a:5e:4b:4a:ca 3Com intfr 11 -85 i----- 3Com-webaaa
...
Displaying Countermeasures Information
To display the current status of countermeasures against rogues in the Mobility Domain, use the following[...]
598 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES[...]
27 MANAGING SYSTEM FILES
A Wireless Switch (WX) contains nonvolatile storage. MSS allows you to manage the files in nonvolatile storage. In addition, you can copy files between the WX switch and a TFTP server on the network.
About System Files
Generally, a WX switch's nonvolatile storage contains the following types of files:
Sy[...]
600 CHAPTER 27: MANAGING SYSTEM FILES
To display version information for a WX switch, type the following command:
WX# display version
Mobility System Software, Version: 6.0.0.2 REL
Copyright (c) 2002 - 2006 3Com Corporation. All rights reserved.
Build Information: (build#0) REL_6_0_0_branch 2006-10-06 23:46:00
Model: WX-20
Hardware
Mainb[...]
About System Files 601
Displaying Boot Information
Boot information consists of the MSS version and the names of the system image file and configuration file currently running on the WX switch. The boot command also lists the system image and configuration file that will be loaded after the next reboot. The currently running versions are list[...]
602 CHAPTER 27: MANAGING SYSTEM FILES
Working with Files
The following sections describe how to manage files stored on the WX switch.
Displaying a List of Files
Files are stored on a WX switch in the following areas:
File — Contains configuration files
Boot — Contains system image files
Temporary — Contains log files[...]
Working with Files 603
===============================================================================
Boot:
Filename Size Created
boot0:WXA30001.Rel 9780 KB Aug 23 2005, 15:54:08
*boot1:WXA40101.Rel 9796 KB Aug 28 2005, 21:09:56
Boot0: Total: 9780 Kbytes used, 2460 Kbytes free
Boot1: Total: 9796 Kbytes used, 2464 Kbytes free
===============[...]
604 CHAPTER 27: MANAGING SYSTEM FILES
The following command limits the output to the contents of the /tmp/core subdirectory:
WX1200# dir core:
===============================================================================
file:
Filename Size Created
core:command_audit.cur 37 bytes Aug 28 2005, 21:11:41
Total: 37 bytes used, 91707 Kbytes f[...]
Working with Files 605
The tftp://ip-addr/filename URL refers to a file on a TFTP server. If DNS is configured on the WX switch, you can specify a TFTP server's hostname as an alternative to specifying the IP address.
The tmp:filename URL refers to a file in temporary storage. You can copy a file out of temporary storage but you ca[...]
606 CHAPTER 27: MANAGING SYSTEM FILES
The above command copies the file to the same filename. To rename the file when copying it, type the following command:
WX1200# copy tftp://10.1.1.1/newconfig wxconfig
success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
To copy system image wxb04102.rel from a TFTP server to boot partiti[...]
Working with Files 607
4 Enter a command such as the following to calculate the checksum for the file:
WX1200# md5 boot0:wxb04102.rel
MD5 (boot0:WX040003.020) = b9cf7f527f74608e50c70e8fb896392a
You must include the boot partition name in the filename. For example, you must specify boot0:WX040003.020. If you specify only WX040003.020, the CLI di[...]
608 CHAPTER 27: MANAGING SYSTEM FILES
Creating a Subdirectory
You can create subdirectories in the user files area of nonvolatile storage. To create a subdirectory, use the following command:
mkdir [ subdirname ]
To create a subdirectory called corp2 and display the root directory to verify the result, type the following commands:
WX1[...]
Managing Configuration Files 609
Managing Configuration Files
A configuration file contains CLI commands that set up the WX switch. The switch loads a designated configuration file immediately after loading the system software when the software is rebooted. You also can load a configuration file while the switch is running to change the swi[...]
610 CHAPTER 27: MANAGING SYSTEM FILES
set log server 192.168.253.11 severity critical
set timezone PST -8 0
set summertime PDT start first sun apr 2 0 end lastsun oct 2 0
set system name WX1200
set system countrycode US
set system contact 3Com-pubs
set radius server r1 address 192.168.253.1 key sunflower
set server group sg1 members r1
set e[...]
Managing Configuration Files 611
To save the running configuration to a file named newconfig, type the following command:
WX1200# save config newconfig
success: configuration saved to newconfig.
Specifying the Configuration File to Use After the Next Reboot
By default, the WX switch loads the configuration file named configuration from nonvol[...]
612 CHAPTER 27: MANAGING SYSTEM FILES
Specifying a Backup Configuration File
In the event that part of the configuration file is invalid or otherwise unreadable, MSS stops reading information in the configuration file and does not use it. You can optionally specify a backup file to load if MSS cannot load the original configuration file. T[...]
Backing Up and Restoring the System 613
To back up the current configuration file named configuration and reset the WX switch to the factory default configuration, type the following commands:
WX1200# copy configuration tftp://10.1.1.1/backupcfg
success: sent 365 bytes in 0.401 seconds [ 910 bytes/sec]
WX1200# clear boot config
success: Res[...]
614 CHAPTER 27: MANAGING SYSTEM FILES
Both commands have options to specify the types of files you want to back up and restore:
critical —Backs up or restores system files, including the configuration file used when booting, and certificate files. The size of an archive created by this option is generally 1MB or less. This is the [...]
Backing Up and Restoring the System 615
Managing Configuration Changes
The backup command places the boot configuration file into the archive. (The boot configuration file is the Configured boot configuration in the display boot command's output.) If the running configuration contains changes that have not been saved, these changes are not in[...]
616 CHAPTER 27: MANAGING SYSTEM FILES
The following command restores system-critical files on a switch, from archive sysa_bak:
WX1200# restore system tftp:/10.10.20.9/sysa_bak
success: received 11908 bytes in 0.150 seconds [ 79386 bytes/sec]
success: restore complete.
Upgrading the System Image
To upgrade the WX switch from one MSS vers[...]
Page 617
Upgrading the System Image
Upgrading an Individual Switch Using the CLI
1 Save the configuration, using the save config command.
2 Back up the switch, using the backup system command.
3 Copy the new system image onto a TFTP server. For example, log in to http://www.3com.com using a web browser on your TFTP server and download the image o[...]
Page 618
Upgrade Scenario
To upgrade a WX1200 switch from MSS Version 4.0 to MSS Version 4.1, type the following commands. This example copies the image file into boot partition 1. On your switch, copy the image file into the boot partition that was not used the last time the switch was restarted. For example,[...]
Page 619
A TROUBLESHOOTING A WX SWITCH
Some common problems that occur during WX installation and basic configuration are simple to solve. However, to "recover" the system password, you must delete the existing WX configuration.
Fixing Common WX Setup Problems
System logs provide a history of MSS events. Traces display real-time messages from all [...]
Page 620
CHAPTER A: TROUBLESHOOTING A WX SWITCH
Table 51 WX Setup Problems and Remedies (columns: Symptom, Diagnosis, Remedy)
Symptom: 3Com Wireless Switch Manager or a web browser (if you are using Web Manager) warns that the WX switch's certificate date is invalid.
Diagnosis: The switch's time and date are currently incorrect, or were incorrect when you generated the self-s[...]
Page 621
Symptom: Client cannot access the network.
Diagnosis: This symptom has more than one possible cause: The client might be failing authentication or might not be authorized for a VLAN.
Remedy: 1 Type the display aaa command to ensure that the authentication rules on the WX switch allow the client to authenticate. (See "Displaying the A[...]
Page 622
Recovering the System When the Enable Password is Lost
You can recover any model switch if you have lost or forgotten the enable password. You also can recover a WXR100 even if you have lost or forgotten the login password. Recovering the system will delete your configuration file. To recover a WX[...]
Page 623
Configuring and Managing the System Log
System logs provide information about system events that you can use to monitor and troubleshoot MSS. Event messages for the WX switch and its attached MAPs can be stored or sent to the following destinations:
Stored in a local buffer on the WX
Displayed on[...]
Page 624
System events and conditions at different severity levels can be logged to multiple destinations. By default, events at the error level and higher are posted to the console and to the log buffer. Debug output is logged to the trace buffer by default. Table 53 summarizes the destinations and def[...]
Page 625
Using Log Commands
To enable, disable, or modify system logging to the WX switch's log buffer, console, current Telnet session, or trace buffer, use the following command:
set log {buffer | console | current | sessions | trace} [severity severity-level] [enable | disable]
To configure syste[...]
Page 626
Logging to the Log Buffer
The system log consists of rolling entries stored as a last-in first-out queue maintained by the WX. Logging to the buffer is enabled by default for events at the error level and higher. To modify settings to another severity level, use the following command:
set log buff[...]
Page 627
To filter the event log by MSS area, use the facility facility-name keyword. For a list of facilities for which you can view event messages, type the following command:
WX1200# display log buffer facility ?
<facility name> Select one of: KERNEL, AAA, SYSLOGD, ACL, APM, ARP, ASO, BOOT, CLI, CLUS[...]
Page 628
If you type anything to the console, the typing disables log output to the console until you press the Enter key.
Logging Messages to a Syslog Server
To send event messages to a syslog server, use the following command:
set log server ip-addr [port port-number] severity severity-level [local[...]
Page 629
To disable session logging, use the following command:
set log sessions disable
Changing the Current Telnet Session Defaults
By default, log information is not sent to your current Telnet session, and the log level is set to information (info) or higher. To modify the severity of events logged to [...]
Page 630
Mark messages are disabled by default. When they are enabled, MSS generates a message at the notice level once every 300 seconds by default. To enable mark messages, use the following command:
WX4400# set log mark enable
success: change accepted.
Saving Trace Messages in a File
To save the accumul[...]
Page 631
Running Traces
Trace commands enable you to perform diagnostic routines. You can set a trace command with a keyword, such as authentication or sm, to trace activity for a particular feature, such as authentication or the session manager.
WARNING: Using the set trace command can have adverse effects on system performanc[...]
Page 632
Tracing Authorization Activity
Tracing authorization activity can help diagnose authorization problems. For example, to trace the authorization of MAC address 00:00:30:b8:72:b0, type the following command:
WX1200# set trace authorization mac-addr 00:00:30:b8:72:b0
success: change accepted.
Tr[...]
Page 633
About Trace Results
The trace commands use the underlying logging mechanism to deliver trace messages. Trace messages are generated with the debug severity level. By default, the only log target that receives debug-level messages is the volatile trace buffer. (To see the contents of the trace buffer, see "Displaying[...]
Page 634
/number-of-messages — Displays the specified number of the most recent entries in the log, starting with the least recent.
To filter trace output by MSS area, use the facility facility-name keyword. For a list of valid facilities for which you can view event messages, type the following [...]
Page 635
Using display Commands
To troubleshoot the WX switch, you can use display commands to display information about different areas of the MSS. The following commands can provide helpful information if you are experiencing MSS performance issues.
Viewing VLAN Interfaces
To view interface information for VLANs, type the [...]
Page 636
(For more information about AAA, see Chapter 3, "Configuring AAA for Administrative and Local Access," on page 51 and Chapter 21, "Configuring AAA for Network Users," on page 433.)
Viewing FDB Information
The display fdb command displays the hosts learned by the WX switch and the ports t[...]
Page 637
Port Mirroring
Port mirroring is a troubleshooting feature that copies (mirrors) traffic sent or received by a WX port (the source port) to another WX port (the observer). You can attach a protocol analyzer to the observer port to examine the source port's traffic. Both traffic directions (send and receive) are mirror[...]
Page 638
Remotely Monitoring Traffic
Remote traffic monitoring enables you to snoop wireless traffic, by using a MAP as a sniffing device. The MAP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal.
How Remote Tr[...]
Page 639
Best Practices for Remote Traffic Monitoring
Do not specify an observer that is associated with the MAP where the snoop filter is running. This configuration causes an endless cycle of snoop traffic.
If the snoop filter is running on a Distributed MAP, and the MAP used a DHCP server in its local subnet t[...]
Page 640
src-mac {eq | neq | lt | gt} mac-addr
dest-mac {eq | neq | lt | gt} mac-addr
host-mac {eq | neq | lt | gt} mac-addr
mac-pair mac-addr1 mac-addr2
direction {eq | neq} {transmit | receive}
To match on packets to or from a specific MAC address, use the dest-mac or src-mac option. To match on[...]
Page 641
Displaying Configured Snoop Filters
To display the snoop filters configured on the WX switch, use the following command:
display snoop info [filter-name]
The following command shows the snoop filters configured in the examples above:
WX1200# display snoop info
snoop1: observer 10.10.30.2 snap-length 100 all p[...]
Page 642
The following command maps snoop filter snoop1 to radio 2 on MAP 3:
WX1200# set snoop map snoop1 ap 3 radio 2
success: change accepted.
Displaying the Snoop Filters Mapped to a Radio
To display the snoop filters that are mapped to a radio, use the following command:
display snoop map filter-name
Th[...]
Page 643
Enabling or Disabling a Snoop Filter
A snoop filter does not take effect until you enable it. To enable or disable a snoop filter, use the following command:
set snoop {filter-name | all} mode {enable | disable}
The filter operates until you manually disable it. The filter mode is retained even if you disab[...]
Page 644
Use Netcat to listen to UDP packets on the TZSP port. This avoids a constant flow of ICMP destination unreachable messages from the observer back to the radio. You can obtain Netcat through the following link: http://www.vulnwatch.org/netcat/
If the observer is a PC, you can use a Tcl script i[...]
Page 645
Capturing System Information and Sending it to Technical Support
If you need help from 3Com Technical Support to diagnose a system problem, you can make troubleshooting the problem easier by providing the following:
display tech-support output
Core files
Debug messa[...]
Page 646
Core Files
If a WX switch restarts due to an error condition (crashes), the switch generates a core file in the temporary file area. The name of the file indicates the system area where the problem occurred. Core files are saved in tarball (tar) format. Core files are erased when you restart the s[...]
Page 647
If the switch's network interfaces to the TFTP server have gone down, copy the core file to the nonvolatile file area before restarting the switch. The following commands copy netsys.core.217.tar to the nonvolatile file area and verify the result:
WX4400# copy core:netsys.[...]
Page 648
Sending Information to 3Com Technical Support
After you save the display tech-support output, as well as core files and debug messages (if applicable), you can send them to 3Com. 3Com has an external FTP server for use by customers to upload MSS debugging information, 3Com Wireless Switch Manager p[...]
Page 649
B ENABLING AND LOGGING INTO WEB VIEW
Web View is a web-based management application available on WX switches. You can use Web View for common configuration and management tasks. On most WX models (WX-2200, WX-4400, or WXR100), you also can use Web View to perform initial configuration of a new switch.
System Requirements
Browser Requirements[...]
Page 650
CHAPTER B: ENABLING AND LOGGING INTO WEB VIEW
The switch must have an IP interface that can be reached by the PC where the browser is installed. If you are configuring a new WX-2200, WX-4400, or WXR100, you can access Web View without any preconfiguration. Attach your PC directly to a WX-2200 switch's Ethernet management port [...]
Page 651
C SUPPORTED RADIUS ATTRIBUTES
3Com Mobility System Software (MSS) supports the standard and extended RADIUS authentication and accounting attributes listed in Table 55 on page 652. Also supported are 3Com vendor-specific attributes (VSAs), listed in Table 56 on page 659.
Attributes
An attribute is sent to RADIUS accounting only if the tab[...]
Page 652
CHAPTER C: SUPPORTED RADIUS ATTRIBUTES
Supported Standard and Extended Attributes
The RADIUS attributes shown in Table 55 are sent by WX switches to RADIUS servers during authentication and accounting.
Table 55 801.1X Attributes
Attribute | Type | Rcv in Access Resp? | Sent in Access Reqst? | Sent in Acct Reqst? | Description
User-Name | 1 | No | Yes | Ye[...]
Page 653
Service-Type | 5 | No | Yes | Yes | Access type, which can be one of the following: 2—Framed; for network user access. 6—Administrative; for administrative access to the WX switch, with authorization to access the enabled (configuration) mode. The user must enter the enable command to access the enabled mod[...]
Page 654
Filter-Id | 11 | Yes | No | Optional | If configured in the WX switch's local database, this attribute can be an access control list (ACL) to filter outbound or inbound traffic. Use the following format: filter-id inboundacl.in or filter-id outboundacl.out. If you are configuring the attribute on a RADIUS s[...]
Page 655
Reply-Message | 18 | Yes | No | No | String. Text that can be displayed to the user. Multiple Reply-Messages can be included. If any are displayed, they must appear in the order in which they appear in the packet.
State | 24 | Yes | Yes | No | Can be sent by a RADIUS server in an Access-Challenge message to the WX switc[...]
Page 656
Called-Station-Id | 30 | No | Yes | Yes | For IEEE 802.1X authenticators, stores the MAP MAC address in uppercase ASCII format, with octet values separated by hyphens (for example, 00-10-A4-23-19-C0).
Calling-Station-Id | 31 | No | Yes | Yes | For IEEE 802.1X authenticators, stores the supplicant MAC address in uppercas[...]
Page 657
Acct-Output-Octets | 43 | No | No | Yes | Number of octets sent on the port in the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update.
Acct-Session-Id | 44 | No | No | Yes | Unique accounting ID to facilitate matc[...]
Page 658
Acct-Output-Packets | 48 | No | No | Yes | Number of packets sent in the course of this service being provided. Can be present only in Accounting-Request records in which Acct-Status-Type is set to Acct-Stop or Acct-Interim-Update.
Acct-Multi-Session-Id | 50 | No | No | Yes | Unique accounting ID that facilitates linki[...]
Page 659
3Com Vendor-Specific Attributes
The vendor-specific attributes (VSAs) created by 3Com are embedded according to the procedure recommended in RFC 2865, with Vendor-ID set to 43. Table 56 describes the 3Com VSAs, listed in order by vendor type number. (For attribute details, see Table 43, "Authent[...]
Page 660
SSID | 26, 43, 6 | Yes | No | Yes | Name of the SSID you want the user to use. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to 3Com radios in the Mobility Domain.
End-Date | 26, 43, 7 | Yes | No | No | Date and time after which the user is no longer all[...]
Page 661
D TRAFFIC PORTS USED BY MSS
When deploying a 3Com wireless network, you might attach 3Com equipment to subnets that have firewalls or access controls between them. 3Com equipment uses various protocol ports to exchange information. To ensure full operation of your network, make sure the equipment can exchange information on the ports li[...]
Page 662
CHAPTER D: TRAFFIC PORTS USED BY MSS
Roaming traffic uses IP tunnels, encapsulated with IP protocol 4. To list the TCP port numbers in use on a WX, including those for the other end of a connection, use the display tcp command.
IP/UDP (17) | 5000 | WX-MAP communication. This applies to WX communication with Distributed MAPs and with direct[...]
Page 663
E DHCP SERVER
MSS has a DHCP server that the switch uses to allocate IP addresses to the following:
Directly connected MAPs
Host connected to a new (unconfigured) WXR100, to configure the switch using the Web Quick Start
DHCP service for these items is enabled by default. Optionally, you can configure the DHCP server to also provide[...]
Page 664
CHAPTER E: DHCP SERVER
The MSS DHCP server is configurable on an individual VLAN basis only, and operates only on the subnets for which you configure it. Use of the MSS DHCP server to allocate client addresses is intended for temporary, demonstration deployments and not for production networks. 3Com recommends that you do not use t[...]
Page 665
Configuring the DHCP Server
Option 3—Default Router. If this option is not set with the set interface dhcp-server command's default-router option, the MSS DHCP server can use the value set by the set ip route command. A default route configured by set ip route can be used if the route is in the DHCP client's subnet. Otherwise, the[...]
Page 666
Displaying DHCP Server Information
To display information about the MSS DHCP server, use the following command:
display dhcp-server [interface vlan-id] [verbose]
If you enter the command without the interface or verbose option, the command displays a table of all the IP addresses leased by the server. You can[...]
Page 667
F OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS
3Com offers product registration, case management, and repair services through eSupport.3com.com. You must have a user name and password to access these services, which are described in this appendix.
Register Your Product to Gain Service Benefits
To take advantage of warranty and other serv[...]
Page 668
APPENDIX F: OBTAINING SUPPORT FOR YOUR 3COM PRODUCTS
Purchase Extended Warranty and Professional Services
To enhance response times or extend your warranty benefits, you can purchase value-added services such as 24x7 telephone technical support, software upgrades, onsite assistance, or advanced hardware replacement. Experienced eng[...]
Page 669
Contact Us
Telephone Technical Support and Repair
To obtain telephone support as part of your warranty and other service benefits, you must first register your product at: http://eSupport.3com.com/
When you contact 3Com for assistance, please have the following information ready:
■ Product model name, part number, and serial number
■ A[...]
Page 670
From the following countries, call the appropriate number:
Austria 0800 297 468
Belgium 0800 71429
Denmark 800 17309
Finland 0800 113153
France 0800 917959
Germany 0800 182 1502
Hungary 06800 12813
Ireland 1 800 553 117
Israel 180 945 3794
Italy 800 879489
Luxembourg, Netherlands, Norway[...]
Page 671
GLOSSARY
3Com Wireless Switch Manager™ (3WXM™)
A tool suite for planning, configuring, deploying, and managing a 3Com Mobility System wireless LAN (WLAN). Based on site and user requirements, 3WXM determines the location of Wireless Switches (WXs) and Managed Access Points (MAPs) and can store and verify configuration information before in[...]
Page 672
802.2
An IEEE LAN specification that defines the logical link control (LLC) sublayer, the upper portion of the Data Link layer. LLC encapsulation can be used by any lower-layer LAN technology. Compare 802.3; Ethernet II.
802.3
An IEEE LAN specification for a Carrier Sense Multiple Access with Collision Detection (CSMA-CD) ne[...]
Page 673
802.11g
A supplement to the IEEE 802.11 wireless LAN (WLAN) specification, describing transmission through the Physical layer (PHY) based on orthogonal frequency division multiplexing (OFDM), at a frequency of 2.4 GHz and data rates of up to 54 Mbps.
802.11i
A draft supplement to the IEEE 802.11 wireless LAN (WLAN) specification[...]
Page 674
ad hoc network
One of two IEEE 802.11 network frameworks. In an ad hoc network, a set of wireless stations communicate directly with one another without using an access point (AP) or any connection to a wired network. With an ad hoc network, also known as a peer-to-peer network or independent basic service set (IBSS), you ca[...]
Page 675
authentication, authorization, and accounting
See AAA.
authentication mobility
The ability of a user (client) authenticated via Extensible Authentication Protocol (EAP) — plus an appropriate subprotocol and back-end authentication, authorization, and accounting (AAA) service — to roam to different access points (APs) withou[...]
Page 676
BSSID
Basic service set identifier. The 48-bit media access control (MAC) address of the radio in the access point (AP) that serves the stations in a basic service set (BSS).
CA
See certificate authority (CA).
CBC-MAC
See CCMP.
CCI
Co-channel interference. Obstruction that occurs when one signal on a particular frequency intrude[...]
Page 677
CHAP
Challenge Handshake Authentication Protocol. An authentication protocol that defines a three-way handshake to authenticate a user (client). CHAP uses the MD5 hash algorithm to generate a response to a challenge that can be checked by the authenticator. For wireless connections, CHAP is not secure and must be protected by the [...]
Page 678
cryptography
The science of information security. Modern cryptography is typically concerned with the processes of scrambling ordinary text (known as plain text or clear text) into encrypted text at the sender's end of a connection, and decrypting the encrypted text back into clear text at the receiver's end. Because its[...]
Page 679
DES
Data Encryption Standard. A federally approved symmetric encryption algorithm in use for many years and replaced by the Advanced Encryption Standard (AES). See also 3DES.
DHCP
Dynamic Host Configuration Protocol. A protocol that dynamically assigns IP addresses to stations, from a centralized server. DHCP is the successor[...]
Page 680
domain policy
A collection of configuration settings that you can define once in 3Com Wireless Switch Manager (3WXM) and apply to many Wireless Switches (WXs). Each Mobility Domain group in the network has a default domain policy that applies to every WX switch in the Mobility Domain. See also Policy Manager.
DSA
Digital Signatu[...]
Page 681
EAP
Extensible Authentication Protocol. A general point-to-point protocol that supports multiple authentication mechanisms. Defined in RFC 2284, EAP has been adopted by IEEE 802.1X in an encapsulated form for carrying authentication messages in a standard message exchange between a user (client) and an authenticator. The encapsul[...]
Page 682
enabled access
Permission to use all Mobility System Software (MSS) command-line interface (CLI) commands required for configuration and troubleshooting. Enabled access requires a separate enable password. Compare restricted access.
encryption
Any procedure used in cryptography to translate data into a form that can be read by o[...]
Page 683
FDB
See forwarding database (FDB).
Federal Communications Commission
See FCC.
FHSS
Frequency-hopping spread-spectrum. One of two types of spread-spectrum radio technology used in wireless LAN (WLAN) transmissions. The FHSS technique modulates the data signal with a narrowband carrier signal that "hops" in a predictable sequenc[...]
Page 684
GMK
Group master key. A cryptographic key used to derive a group transient key (GTK) for the Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).
green field network
An original deployment of a telecommunications network.
GRE tunnel
A virtual link between two remote points on a network, created by [...]
Page 685
Hewlett-Packard Open View
See HPOV.
homologation
The process of certifying a product or specification to verify that it meets regulatory standards.
HPOV
Hewlett-Packard Open View. The umbrella network management system (NMS) family of products from Hewlett-Packard. The 3Com Wireless Switch Manager (3WXM) tool suite interacts wit[...]
Page 686
IGMP snooping
A feature that prevents the flow of multicast stream packets within a virtual LAN (VLAN) and forwards the multicast traffic through a path to only the clients that want to receive it. A Wireless Switch (WX) uses IGMP snooping to monitor the Internet Group Management Protocol (IGMP) conversation between hosts and r[...]
Page 687
Internet Authentication Service
See IAS.
Internet Group Management Protocol
See IGMP.
Interswitch Link
See ISL.
ISL
Interswitch Link. A proprietary Cisco protocol for interconnecting multiple switches and maintaining virtual LAN (VLAN) information as traffic travels between switches. Working in a way similar to VLAN trunking, [...]
Page 688
location policy
An ordered list of rules that overrides the virtual LAN (VLAN) assignment and security ACL filtering applied to users during normal authentication, authorization, and accounting (AAA) — or assigns a VLAN or security ACL to users without these assignments. Defining location policy rules creates a location policy fo[...]
Page 689
Managed Access Point™ (MAP™)
A small hardware unit that functions as a wireless access point (AP) in a 3Com Mobility System. Using one or more radio transmitters, a MAP transmits and receives information as radio frequency (RF) signals to and from a wireless user (client). The MAP transmits and receives information over a 10/1[...]
Page 690
message integrity code
See MIC.
MIC
Message integrity code. The IEEE term for a message authentication code (MAC). See MAC.
Microsoft Challenge Handshake Authentication Protocol
See MS-CHAP-V2.
minimum data transmit rate
The lowest rate at which a Managed Access Point (MAP) can transmit data to its associated mobile clients. If t[...]
Page 691
MSDU
MAC service data unit. In IEEE 802.11 communications, the data payload encapsulated within a MAC protocol data unit (MPDU).
MSS
See Mobility System Software™ (MSS™).
MTU
Maximum transmission unit. The size of the largest packet that can be transmitted over a particular medium. Packets exceeding the MTU value in size are f[...]
Page 692
PEAP
Protected Extensible Authentication Protocol. A draft extension to the Extensible Authentication Protocol with Transport Layer Security (EAP-TLS), developed by Microsoft Corporation, Cisco Systems, and RSA Data Security, Inc. TLS is used in PEAP Part 1 to authenticate the server only, and thus avoids having to distribute [...]
Page 693
The PKI uses the digital certificate to identify an individual or an organization. The private key is given only to the requesting party and is never shared, and the public key is made publicly available (as part of the digital certificate) in a directory that all parties can access. You use the private key to decrypt text that has[...]
Page 694
pre-master secret
A key generated during the handshake process in Transport Layer Security (TLS) protocol negotiations and used to derive a master secret.
preshared key
See PSK.
PRF
Pseudorandom function. A function that produces effectively unpredictable output. A PRF can use multiple iterations of one or more hash algorithm[...]
Page 695
PTK
Pairwise transient key. A value derived from a pairwise master key (PMK) and split into multiple encryption keys and message integrity code (MIC) keys for use by a client and server as temporal session keys for IEEE 802.11i robust security. See also 802.11i.
public key
In cryptography, one of a pair of keys, one public and [...]
Page 696
RADIUS
Remote Authentication Dial-In User Service. A client-server security protocol described in RFC 2865 and RFC 2866. RADIUS extensions, including RADIUS support for the Extensible Authentication Protocol (EAP), are described in RFC 2869. Originally developed by Livingston Enterprises, Inc., to authenticate, authorize, and accoun[...]
Page 697
roaming
The ability of a wireless user (client) to maintain network access when moving between access points (APs).
robust security network
See RSN.
rogue access point
An access point (AP) that is not authorized to operate within a wireless network. Rogue access points subvert the security of an enterprise network by allowing p[...]
Page 698
seed
(1) An input to a pseudorandom number generator (PRNG), that is generally the combination of two or more inputs. (2) The Wireless Switch (WX) that distributes information to all the WX switches in a Mobility Domain™ group.
SentrySweep™
A radio frequency (RF) detection sweep that runs continuously on the disabled radios i[...]
Page 699
SSL
Secure Sockets Layer protocol. A protocol developed by Netscape for managing the security of message transmission over the Internet. SSL has been succeeded by Transport Layer Security (TLS) protocol, which is based on SSL. The sockets part of the term refers to the sockets method of passing data back and forth between a c[...]
Page 700
TLS
Transport Layer Security protocol. An authentication and encryption protocol that is the successor to the Secure Sockets Layer (SSL) protocol for private transmission over the Internet. Defined in RFC 2246, TLS provides mutual authentication with nonrepudiation, encryption, algorithm negotiation, secure key derivation, and [...]
Page 701
U-NII
Unlicensed National Information Infrastructure. Three unlicensed frequency bands of 100 MHz each in the 5 GHz band, designated by the U.S. Federal Communications Commission (FCC) to provide high-speed wireless networking. The three frequency bands — 5.15 GHz through 5.25 GHz (for indoor use only), 5.25 GHz through 5.35 GH[...]
Page 702
VLAN glob
A 3Com convention for applying the authentication, authorization, and accounting (AAA) attributes in the location policy on a WX switch to one or more users, based on a virtual LAN (VLAN) attribute. To specify all VLANs, use the double-asterisk (**) wildcard characters. To match any number of characters up to, but n[...]
Page 703
WEP
Wired-Equivalent Privacy protocol. A security protocol, specified in the IEEE 802.11 standard, that attempts to provide a wireless LAN (WLAN) with a minimal level of security and privacy comparable to a typical wired LAN. WEP encrypts data transmitted over the WLAN to protect the vulnerable wireless connection between users [...]
Page 704
wireless LAN
See WLAN.
Wireless Switch™ (WX™)
A switch in a 3Com Mobility System. A WX provides forwarding, queuing, tunneling, and some security services for the information it receives from its directly attached Managed Access Points (MAPs). In addition, the WX coordinates, provides power to, and manages the configuration[...]
X.509 An International Telecommunications Union Telecommunication Standardization Sector (ITU-T) Recommendation and the most widely used standard for defining digital certificates. XML Extensible Markup Language. A simpler and easier-to-use subset of the Standard Generalized Markup Language (SGML), with unlimited, self-defining[...]
INDEX
Numbers 3Com Knowledgebase tool 667 3Com Professional Services 668 3Com resources, directory 669 3Com Technical Support 645 3WXM keys and certificates requirement 413 802.11a 74, 224 802.11b 74, 224 802.11g 74, 224 802.1Q tagging 90 802.1X authentication 449 authentication port control 532 authorization 511 client reauthentication 536 cli[...]
sessions, clearing 557 sessions, displaying 557 Telnet client sessions, displaying and clearing 559 Telnet sessions, displaying and clearing 559 AeroScout RFID tag support 323 affinity 90 configuring 93 in roaming VLANs 160 number 160 aging timeout ARP 131 FDB 99 alert logging level 624 aliases 123 all access 36 ARP aging timeout 1[...]
Calling-Station-Id attribute 656 case in user names and passwords 58 Catalyst switch, interoperating with load-sharing port groups 87 CCMP 284 enabling 291, 297 certificate authority certificate source 415 enrolling with 424 Certificate Signing Request (CSR) 420, 421 defined 417 generating 424 certificates configuration scenarios 427[...]
logging system messages to 627 no authentication 57 passwords 59 sessions, clearing 558 sessions, displaying 558 target 624 conventions CLI 27 notice icons, About This Guide 23 text, About This Guide 24 CoS (class of service) default 382 filtering by, in security ACLs 380 priority assigned 382 countermeasures 567 enabling 580 SNMP not[...]
enabled mode. See enabled access encrypted SSID 207 encryption effects of authentication methods on 448 assigning a type locally 496 assigning a type on a RADIUS server 497 clearing types from users 497 configuration scenarios 302 effects of authentication on 448 radios 281 encryption keys configuration scenarios 427 overview 413 publ[...]
other-querier-present interval, configuring 371 proxy reporting 370 pseudo-querier 370 querier, displaying 375 query interval 370 query interval, configuring 371 query response interval 370 query response interval, configuring 371 robustness value 371 robustness value, configuring 371 router solicitation 372 statistics 374 timers [...]
defined 499 disabling 503 displaying rules in 502 order of rules in 502 location policy rules clearing 503 configuring 501 defined 500 displaying 502 positioning 502 reassigning security ACLs 502 lock-out user, restore 70 log configuration 630 log message components 623 logging console 627 current session 629 displaying current configur[...]
monitoring roaming users 162 names 154 roaming VLANs in 160 seed 153, 154 status 155 Mobility Points (MAPs) Wi-Fi Multimedia (WMM) 327 Mobility Profile 510, 511 authorization 510 defined 510 Mobility System Software CLI. See CLI (command-line interface) Mobility-Profile attribute, description 659 modify editbuffer-index defined 387 m[...]
other-querier-present interval 370 configuring 371 OTP 423, 429 outbound authorization password 459 output filters, reassigning 502 override, local, scenario 64 P packets CoS handling 382 denying or permitting with security ACLs 377 pass-through authentication configuration scenario 514 configuring 450 defined 447 keys and certificates[...]
STP port cost, configuring 354 STP port cost, displaying 362 STP port priority 353 STP port priority, configuring 355, 356 Telnet 117 types. See port types VLANs, configuration scenario 100 wired, authentication on 532 Power over Ethernet. See PoE (Power over Ethernet) preamble length 244 Privacy-Enhanced Mail (PEM) 424 private key[...]
value characteristics 651 VLAN assignment 88 VSAs 659 RADIUS proxy 482 range operator in security ACLs 385 reauthentication 802.1X client 536 interval 537 number of attempts 537 reauthorization attempts 537 receivers, multicast 376 recovering the system, lost password 622 redundancy MAP links 184 port groups 85 registering your product [...]
Network Domain 174 overriding VLAN assignment 516 PEAP-MS-CHAP-V2 configuration 514 PEAP-MS-CHAP-V2 offload authentication 515 PEAP-MS-CHAP-V2 with pass-through authentication 516 port and VLAN configuration 100 problems in configuration order 508 RADIUS and server group configuration 528 RADIUS authentication for Telnet users 62 RADIU[...]
Simple Network Time Protocol. See NTP (Network Time Protocol) single asterisks (*) in MAC address globs 31 in network session information 560 in user globs 30 in VLAN globs 32 wildcard 34 SNMP community strings 140 informs 144 notifications, rogue detection 584 trap receiver 148 traps 144 SNMP ports for get and set operations 661 for[...]
system logs configuring 625 destinations 623 disabling output to the console 628 displaying the configuration of 630 managing 623 message components 623 severity levels 624 system recovery, lost password 622 system time, configuring 124 T table of 3Com support contact numbers 668 tabs, for command completion 34 tag type 90 target buffe[...]
incomplete boot load 621 invalid certificate 620 missing configuration 621 MSS debugging via trace 631 MSS logging 623 no network access 621 system trace files for 599 VLAN authorization failure 621 WX switch 619 TTY sessions, current, logging system messages to 629 Tunnel-Private-Group-ID attribute 88, 659 tunnels affinity of a WX for [...]
disconnected, troubleshooting 621 displaying 95 mapping security ACLs to 392 overriding assignment with the location policy 516 ports, configuration scenario 100 removing 93 roaming, displaying 160 tagging 90 user assignment 88 See also VLAN globs; VLAN ID or name; VLAN names; VLAN-Name attribute voice over IP 401 Wi-Fi Multimedia (W[...]
COMMAND INDEX
B backup system 613, 616 C clear ap 77, 227 clear ap radio 251 clear boot config 612 clear dot1x bonded-period 453 clear dot1x max-req 535 clear dot1x port-control 532 clear dot1x quiet-period 539 clear dot1x reauth-max 537 clear dot1x reauth-period 537 clear dot1x timeout auth-server 539 clear dot1x timeout supplicant 539 clear do[...]
clear snmp usm 141 clear snoop 641 clear snoop map 642 clear spantree portcost 354 clear spantree portpri 356 clear spantree portvlancost 354 clear spantree portvlanpri 356 clear spantree statistics 365 clear summertime 126 clear system idle-timeout 119 clear system ip-address 108 clear timezone 125 clear trace 632 clear user [...]
display security acl map 392, 393 display security l2-restrict 94 display service-profile 259, 294 display service-profile {name | ?} 346 display sessions admin 115, 117, 558 display sessions console 558 display sessions network 560 display sessions network mac-addr 563 display sessions network session-id 564 display sess[...]
set boot configuration-file 611 set dot1x authcontrol 531 set dot1x bonded-period 453 set dot1x key-tx 533 set dot1x max-req 535 set dot1x port-control 532 set dot1x quiet-period 538 set dot1x reauth 536 set dot1x reauth-max 536 set dot1x reauth-period 537 set dot1x timeout auth-server 539 set dot1x timeout supplicant 539 set d[...]
set radio-profile service-profile 249, 295, 298 set radio-profile wmm-powersave 342 set radius 522 set radius proxy client 485 set radius proxy port 485 set radius server 523 set radius server address key 523 set radius server author-password 459 set rfdetect attack-list 578 set rfdetect black-list 577 set rfdetect signature [...]
set usergroup attr filter-id 494 set vlan name 91 set vlan port 92 set vlan tunnel-affinity 93 set vlan-profile 253 T telnet 132 traceroute 134 U uninstall soda-agent 554[...]