Extreme Networks AP3917E Wireless 802.11 a/ac+b/g/n Access Point User Manual WiNG 5 9 1 WC CLI

Extreme Networks, Inc. Wireless 802.11 a/ac+b/g/n Access Point WiNG 5 9 1 WC CLI

WiNG 5.9.1 CLI Reference Guide Part 1

WiNG™ 5.9.1
Access Point, Wireless Controller and Service Platform
CLI Reference Guide
Published September 2017
9035205

Copyright © 2017 Extreme Networks, Inc. All Rights Reserved.

Legal Notices
Extreme Networks, Inc. reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made.
The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice.

Trademarks
Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners.
For additional information about Extreme Networks trademarks, go to: www.extremenetworks.com/company/legal/trademarks/

Support
For product support, including documentation, visit: www.extremenetworks.com/support/
Access Point, Wireless Controller and Service Platform CLI Reference Guide

Contents

ABOUT THIS GUIDE

Chapter 1, INTRODUCTION
1.1 CLI Overview
1.2 Getting Context Sensitive Help
1.3 Using the No Command
1.3.1 Basic Conventions
1.4 Using CLI Editing Features and Shortcuts
1.4.1 Moving the Cursor on the Command Line
1.4.2 Completing a Partial Command Name
1.4.3 Command Output Pagination
1.5 Using CLI to Create Profiles and Enable Remote Administration
1.5.1 Creating Profiles
1.5.2 Changing the default profile by creating vlan 150 and mapping to ge3 Physical interface
1.5.3 Enabling Remote Administration

Chapter 2, USER EXEC MODE COMMANDS
2.1 User Exec Commands
2.1.1 captive-portal-page-upload
2.1.2 change-passwd
2.1.3 clear
2.1.4 clock
2.1.5 cluster
2.1.6 connect
2.1.7 create-cluster
2.1.8 crypto
2.1.9 crypto-cmp-cert-update
2.1.10 database
2.1.11 database-backup
2.1.12 database-restore
2.1.13 device-upgrade
2.1.14 disable
2.1.15 enable
2.1.16 file-sync
2.1.17 join-cluster
2.1.18 l2tpv3
2.1.19 logging
2.1.20 mint
2.1.21 no
2.1.22 on
2.1.23 opendns
2.1.24 page
2.1.25 ping
2.1.26 ping6
2.1.27 ssh
2.1.28 telnet
2.1.29 terminal
2.1.30 time-it
2.1.31 traceroute
2.1.32 traceroute6
2.1.33 virtual-machine
2.1.34 watch
2.1.35 exit

Chapter 3, PRIVILEGED EXEC MODE COMMANDS
3.1 Privileged Exec Mode Commands
3.1.1 archive
3.1.2 boot
3.1.3 captive-portal-page-upload
3.1.4 cd
3.1.5 change-passwd
3.1.6 clear
3.1.7 clock
3.1.8 cluster
3.1.9 configure
3.1.10 connect
3.1.11 copy
3.1.12 cpe
3.1.13 create-cluster
3.1.14 crypto
3.1.15 crypto-cmp-cert-update
3.1.16 database
3.1.17 database-backup
3.1.18 database-restore
3.1.19 delete
3.1.20 device-upgrade
3.1.21 diff
3.1.22 dir
3.1.23 disable
3.1.24 edit
3.1.25 enable
3.1.26 erase
3.1.27 ex3500
3.1.28 factory-reset
3.1.29 file-sync
3.1.30 halt
3.1.31 join-cluster
3.1.32 l2tpv3
3.1.33 logging
3.1.34 mint
3.1.35 mkdir
3.1.36 more
3.1.37 no
3.1.38 on
3.1.39 opendns
3.1.40 page
3.1.41 ping
3.1.42 ping6
3.1.43 pwd
3.1.44 re-elect
3.1.45 reload
3.1.46 rename
3.1.47 rmdir
3.1.48 self
3.1.49 ssh
3.1.50 t5
3.1.51 telnet
3.1.52 terminal
3.1.53 time-it
3.1.54 traceroute
3.1.55 traceroute6
3.1.56 upgrade
3.1.57 upgrade-abort
3.1.58 virtual-machine
3.1.59 watch
3.1.60 exit
3.1.61 raid

Chapter 4, GLOBAL CONFIGURATION COMMANDS
4.1 Global Configuration Commands
4.1.1 aaa-policy
4.1.2 alias
4.1.3 aaa-tacacs-policy
4.1.4 ap6521
4.1.5 ap6522
4.1.6 ap6532
4.1.7 ap6562
4.1.8 ap71xx
4.1.9 ap7502
4.1.10 ap7522
4.1.11 ap7532
4.1.12 ap7562
4.1.13 ap7602
4.1.14 ap7612
4.1.15 ap7622
4.1.16 ap7632
4.1.17 ap7662
4.1.18 ap81xx
4.1.19 ap82xx
4.1.20 ap8432
4.1.21 ap8533
4.1.22 application
4.1.23 application-group
4.1.24 application-policy
4.1.25 association-acl-policy
4.1.26 auto-provisioning-policy
4.1.27 bgp
4.1.28 bonjour-gateway-discovery-policy
4.1.29 bonjour-gw-forwarding-policy
4.1.30 bonjour-gw-query-forwarding-policy
4.1.31 captive portal
4.1.32 clear
4.1.33 client-identity
4.1.34 client-identity-group
4.1.35 clone
4.1.36 crypto-cmp-policy
4.1.37 customize
4.1.38 database-client-policy
4.1.39 database-policy
4.1.40 device
4.1.41 device-categorization
4.1.42 dhcp-server-policy
4-2004.1.43 dhcpv6-server-policy ..............................................................................................................................................................................4-2014.1.44 dns-whitelist ..............................................................................................................................................................................................4-2034.1.45 end .................................................................................................................................................................................................................4-2084.1.46 event-system-policy ..............................................................................................................................................................................4-2094.1.47 ex3500 ......................................................................................................................................................................................................... 4-2264.1.48 ex3500-management-policy .............................................................................................................................................................. 4-2334.1.49 ex3500-qos-class-map-policy ...........................................................................................................................................................4-2544.1.50 ex3500-qos-policy-map ...................................................................................................................................................................... 4-2624.1.51 ex3524 ........................................................................................................................................................................................................... 
4-2774.1.52 ex3548 .......................................................................................................................................................................................................... 4-2794.1.53 firewall-policy ............................................................................................................................................................................................4-2804.1.54 global-association-list ............................................................................................................................................................................ 4-2824.1.55 guest-management ................................................................................................................................................................................ 4-2854.1.56 host ................................................................................................................................................................................................................ 
4-2974.1.57 inline-password-encryption ................................................................................................................................................................4-2984.1.58 ip .....................................................................................................................................................................................................................4-2994.1.59 ipv6 .................................................................................................................................................................................................................4-3014.1.60 ipv6-router-advertisement-policy ...................................................................................................................................................4-3024.1.61 l2tpv3 .............................................................................................................................................................................................................4-3204.1.62 mac ................................................................................................................................................................................................................ 4-3224.1.63 management-policy ............................................................................................................................................................................... 4-3234.1.64 meshpoint ................................................................................................................................................................................................... 4-3254.1.65 meshpoint-qos-policy ............................................................................................................................................................................ 
4-3274.1.66 mint-policy ................................................................................................................................................................................................. 4-3284.1.67 nac-list .......................................................................................................................................................................................................... 4-3294.1.68 no ................................................................................................................................................................................................................... 4-3354.1.69 nsight-policy ..............................................................................................................................................................................................4-3394.1.70 passpoint-policy ......................................................................................................................................................................................4-3504.1.71 password-encryption .............................................................................................................................................................................. 4-3524.1.72 profile ............................................................................................................................................................................................................ 4-3534.1.73 radio-qos-policy ....................................................................................................................................................................................... 4-3574.1.74 radius-group .............................................................................................................................................................................................. 
4-3584.1.75 radius-server-policy ................................................................................................................................................................................4-3594.1.76 radius-user-pool-policy .......................................................................................................................................................................... 4-3614.1.77 rename ......................................................................................................................................................................................................... 4-3624.1.78 replace ..........................................................................................................................................................................................................4-3644.1.79 rf-domain ....................................................................................................................................................................................................4-3664.1.80 rfs6000 ........................................................................................................................................................................................................4-4034.1.81 rfs4000 ........................................................................................................................................................................................................ 4-4044.1.82 nx5500 .........................................................................................................................................................................................................4-4054.1.83 nx75xx ......................................................................................................................................................................................................... 
4-4064.1.84 nx9000 ........................................................................................................................................................................................................4-4074.1.85 roaming-assist-policy ........................................................................................................................................................................... 4-4084.1.86 role-policy ....................................................................................................................................................................................................4-4104.1.87 route-map ..................................................................................................................................................................................................... 4-4114.1.88 routing-policy ............................................................................................................................................................................................. 4-4124.1.89 rtl-server-policy ......................................................................................................................................................................................... 4-4134.1.90 schedule-policy .........................................................................................................................................................................................4-419
ContentsAccess Point, Wireless Controller and Service Platform CLI Reference Guide v4.1.91 self ...................................................................................................................................................................................................................4-4264.1.92 sensor-policy ............................................................................................................................................................................................. 4-4274.1.93 smart-rf-policy ..........................................................................................................................................................................................4-4364.1.94 t5 ....................................................................................................................................................................................................................4-4384.1.95 web-filter-policy ...................................................................................................................................................................................... 
4-4404.1.96 wips-policy ..................................................................................................................................................................................................4-4514.1.97 wlan ...............................................................................................................................................................................................................4-4524.1.98 wlan-qos-policy ........................................................................................................................................................................................4-5494.1.99 url-filter ......................................................................................................................................................................................................... 4-5514.1.100 url-list ..........................................................................................................................................................................................................4-5654.1.101 vx9000 ......................................................................................................................................................................................................... 4-571Chapter 5, COMMON COMMANDS5.1 Common Commands  ................................................................................................................................................................................................. 5-25.1.1 clrscr ....................................................................................................................................................................................................................... 
5-35.1.2 commit ................................................................................................................................................................................................................. 5-45.1.3 exit ......................................................................................................................................................................................................................... 5-55.1.4 help ........................................................................................................................................................................................................................ 5-65.1.5 no ........................................................................................................................................................................................................................... 5-95.1.6 revert ................................................................................................................................................................................................................... 5-125.1.7 service .................................................................................................................................................................................................................5-135.1.8 show ....................................................................................................................................................................................................................5-585.1.9 write ................................................................................................................................................................................................................... 
5-60Chapter 6, SHOW COMMANDS6.1 show commands .......................................................................................................................................................................................................... 6-26.1.1 show ....................................................................................................................................................................................................................... 6-56.1.2 adoption ............................................................................................................................................................................................................ 6-106.1.3 bluetooth ...........................................................................................................................................................................................................6-146.1.4 boot .....................................................................................................................................................................................................................6-166.1.5 bonjour ...............................................................................................................................................................................................................6-176.1.6 captive-portal ..................................................................................................................................................................................................6-186.1.7 captive-portal-page-upload .................................................................................................................................................................... 
6-206.1.8 cdp .......................................................................................................................................................................................................................6-226.1.9 classify-url ........................................................................................................................................................................................................6-246.1.10 clock ..................................................................................................................................................................................................................6-256.1.11 cluster ................................................................................................................................................................................................................6-266.1.12 cmp-factory-certs ........................................................................................................................................................................................6-286.1.13 commands ......................................................................................................................................................................................................6-296.1.14 context ............................................................................................................................................................................................................ 
6-306.1.15 critical-resources ...........................................................................................................................................................................................6-316.1.16 crypto ...............................................................................................................................................................................................................6-326.1.17 database ..........................................................................................................................................................................................................6-356.1.18 device-upgrade ............................................................................................................................................................................................6-376.1.19 dot1x ..................................................................................................................................................................................................................6-396.1.20 dpi ......................................................................................................................................................................................................................6-416.1.21 eguest .............................................................................................................................................................................................................. 6-446.1.22 environmental-sensor ...............................................................................................................................................................................6-456.1.23 event-history ............................................................................................................................................................................................... 
6-486.1.24 event-system-policy ................................................................................................................................................................................. 6-496.1.25 ex3500 ........................................................................................................................................................................................................... 6-506.1.26 extdev ..............................................................................................................................................................................................................6-53
ContentsAccess Point, Wireless Controller and Service Platform CLI Reference Guide  vi6.1.27 file-sync ...........................................................................................................................................................................................................6-546.1.28 firewall .............................................................................................................................................................................................................6-566.1.29 global .............................................................................................................................................................................................................. 6-606.1.30 gre .....................................................................................................................................................................................................................6-626.1.31 guest-registration ........................................................................................................................................................................................6-636.1.32 interface ...........................................................................................................................................................................................................6-716.1.33 ip ........................................................................................................................................................................................................................6-756.1.34 ip-access-list .................................................................................................................................................................................................6-826.1.35 ipv6 
.................................................................................................................................................................................................................. 6-846.1.36 ipv6-access-list ............................................................................................................................................................................................6-886.1.37 l2tpv3 ...............................................................................................................................................................................................................6-896.1.38 lacp ...................................................................................................................................................................................................................6-926.1.39 ldap-agent .....................................................................................................................................................................................................6-956.1.40 licenses .......................................................................................................................................................................................................... 6-966.1.41 lldp .................................................................................................................................................................................................................... 6-996.1.42 logging ......................................................................................................................................................................................................... 
6-1006.1.43 mac-access-list ...........................................................................................................................................................................................6-1016.1.44 mac-address-table ...................................................................................................................................................................................6-1026.1.45 mac-auth ......................................................................................................................................................................................................6-1036.1.46 mac-auth-clients .......................................................................................................................................................................................6-1056.1.47 mint ................................................................................................................................................................................................................6-1076.1.48 nsight ............................................................................................................................................................................................................... 6-1116.1.49 ntp .................................................................................................................................................................................................................... 6-1126.1.50 password-encryption ............................................................................................................................................................................... 6-1146.1.51 pppoe-client .................................................................................................................................................................................................. 
6-1156.1.52 privilege ......................................................................................................................................................................................................... 6-1166.1.53 radius .............................................................................................................................................................................................................. 6-1176.1.54 reload .............................................................................................................................................................................................................. 6-1196.1.55 rf-domain-manager .................................................................................................................................................................................6-1206.1.56 role ................................................................................................................................................................................................................... 6-1216.1.57 route-maps .................................................................................................................................................................................................. 6-1226.1.58 rtls ................................................................................................................................................................................................................... 6-1236.1.59 running-config ........................................................................................................................................................................................... 6-1256.1.60 session-changes ....................................................................................................................................................................................... 
6-1326.1.61 session-config ............................................................................................................................................................................................. 6-1336.1.62 sessions ......................................................................................................................................................................................................... 6-1346.1.63 site-config-diff ........................................................................................................................................................................................... 6-1356.1.64 smart-rf ......................................................................................................................................................................................................... 6-1366.1.65 spanning-tree .............................................................................................................................................................................................6-1406.1.66 startup-config ............................................................................................................................................................................................ 6-1426.1.67 t5 ...................................................................................................................................................................................................................... 6-1436.1.68 terminal .......................................................................................................................................................................................................... 6-1516.1.69 timezone ...................................................................................................................................................................................................... 
6.1.70 traffic-shape
6.1.71 upgrade-status
6.1.72 version
6.1.73 vrrp
6.1.74 web-filter
6.1.75 what
6.1.76 wireless
6.1.77 wwan
6.1.78 virtual-machine
6.1.79 raid
Chapter 7, PROFILES
7.1 Profile Config Commands
7.1.1 adopter-auto-provisioning-policy-lookup
7.1.2 adoption
7.1.3 alias
7.1.4 application-policy
7.1.5 area
7.1.6 arp
7.1.7 auto-learn
7.1.8 autogen-uniqueid
7.1.9 autoinstall
7.1.10 bridge
7.1.11 captive-portal
7.1.12 cdp
7.1.13 cluster
7.1.14 configuration-persistence
7.1.15 controller
7.1.16 critical-resource
7.1.17 crypto
7.1.18 database
7.1.19 device-onboard
7.1.20 device-upgrade
7.1.21 diag
7.1.22 dot1x
7.1.23 dpi
7.1.24 dscp-mapping
7.1.25 eguest-server (VX9000 only)
7.1.26 eguest-server (NOC Only)
7.1.27 email-notification
7.1.28 enforce-version
7.1.29 environmental-sensor
7.1.30 events
7.1.31 export
7.1.32 file-sync
7.1.33 floor
7.1.34 gre
7.1.35 http-analyze
7.1.36 interface
7.1.37 ip
7.1.38 ipv6
7.1.39 l2tpv3
7.1.40 l3e-lite-table
7.1.41 led
7.1.42 led-timeout
7.1.43 legacy-auto-downgrade
7.1.44 legacy-auto-update
7.1.45 lldp
7.1.46 load-balancing
7.1.47 logging
7.1.48 mac-address-table
7.1.49 mac-auth
7.1.50 management-server
7.1.51 memory-profile
7.1.52 meshpoint-device
7.1.53 meshpoint-monitor-interval
7.1.54 min-misconfiguration-recovery-time
7.1.55 mint
7.1.56 misconfiguration-recovery-time
7.1.57 neighbor-inactivity-timeout
7.1.58 neighbor-info-interval
7.1.59 no
7.1.60 noc
7.1.61 nsight
7.1.62 ntp
7.1.63 otls
7.1.64 offline-duration
7.1.65 power-config
7.1.66 preferred-controller-group
7.1.67 preferred-tunnel-controller
7.1.68 radius
7.1.69 rf-domain-manager
7.1.70 router
7.1.71 spanning-tree
7.1.72 traffic-class-mapping
7.1.73 traffic-shape
7.1.74 trustpoint (profile-config-mode)
7.1.75 tunnel-controller
7.1.76 use
7.1.77 vrrp
7.1.78 vrrp-state-check
7.1.79 virtual-controller
7.1.80 wep-shared-key-auth
7.1.81 service
7.1.82 zone
7.2 Device Config Commands
7.2.1 adoption-site
7.2.2 area
7.2.3 channel-list
7.2.4 contact
7.2.5 country-code
7.2.6 floor
7.2.7 geo-coordinates
7.2.8 hostname
7.2.9 lacp
7.2.10 layout-coordinates
7.2.11 license
7.2.12 location
7.2.13 mac-name
7.2.14 no
7.2.15 nsight
7.2.16 override-wlan
7.2.17 remove-override
7.2.18 rsa-key
7.2.19 sensor-server
7.2.20 timezone
7.2.21 trustpoint (device-config-mode)
7.2.22 raid
7.3 T5 Profile Config Commands
7.3.1 cpe
7.3.2 interface
7.3.3 ip
7.3.4 no
7.3.5 ntp
7.3.6 override-wlan
7.3.7 t5
7.3.8 t5-logging
7.3.9 use
7.4 EX3524 & EX3548 Profile/Device Config Commands
7.4.1 interface
7.4.2 ip
7.4.3 power
7.4.4 upgrade
7.4.5 use
7.4.6 no
Chapter 8, AAA-POLICY
8.1 aaa-policy
8.1.1 accounting
8.1.2 attribute
8.1.3 authentication
8.1.4 health-check
8.1.5 mac-address-format
8.1.6 no
8.1.7 proxy-attribute
8.1.8 server-pooling-mode
8.1.9 use
Chapter 9, AUTO-PROVISIONING-POLICY
9.1 auto-provisioning-policy
9.1.1 adopt
9.1.2 auto-create-rfd-template
9.1.3 default-adoption
9.1.4 deny
9.1.5 evaluate-always
9.1.6 redirect
9.1.7 upgrade
9.1.8 no
Chapter 10, ASSOCIATION-ACL-POLICY
10.1 association-acl-policy
.............................................................................................................................................................................................10-210.1.1 deny .....................................................................................................................................................................................................................10-310.1.2 no .........................................................................................................................................................................................................................10-510.1.3 permit ............................................................................................................................................................................................................... 10-6Chapter 11, ACCESS-LIST11.1 ip-access-list ..................................................................................................................................................................................................................11-411.1.1 deny ....................................................................................................................................................................................................................... 11-511.1.2 disable .................................................................................................................................................................................................................11-17
ContentsAccess Point, Wireless Controller and Service Platform CLI Reference Guide  x11.1.3 insert .................................................................................................................................................................................................................. 11-2011.1.4 no .........................................................................................................................................................................................................................11-2211.1.5 permit .................................................................................................................................................................................................................11-2311.2 mac-access-list ......................................................................................................................................................................................................... 11-3411.2.1 deny ....................................................................................................................................................................................................................11-3511.2.2 disable ...............................................................................................................................................................................................................11-3811.2.3 ex3500 ............................................................................................................................................................................................................11-4011.2.4 insert ................................................................................................................................................................................................................ 
11-4311.2.5 no ....................................................................................................................................................................................................................... 11-4511.2.6 permit .............................................................................................................................................................................................................. 11-4611.3 ipv6-access-list ......................................................................................................................................................................................................... 11-4911.3.1 deny ................................................................................................................................................................................................................... 11-5011.3.2 no ....................................................................................................................................................................................................................... 11-5611.3.3 permit ................................................................................................................................................................................................................11-5711.4 ip-snmp-access-list ................................................................................................................................................................................................ 11-6311.4.1 deny ................................................................................................................................................................................................................... 
11-6411.4.2 permit .............................................................................................................................................................................................................. 11-6511.4.3 no ....................................................................................................................................................................................................................... 11-6611.5 ex3500-ext-access-list ......................................................................................................................................................................................... 11-6711.5.1 deny ................................................................................................................................................................................................................... 11-6811.5.2 permit .................................................................................................................................................................................................................11-7111.5.3 no ....................................................................................................................................................................................................................... 11-7411.6 ex3500-std-access-list ..........................................................................................................................................................................................11-7511.6.1 deny ................................................................................................................................................................................................................... 
11-7611.6.2 permit ...............................................................................................................................................................................................................11-7711.6.3 no ........................................................................................................................................................................................................................11-78Chapter 12, DHCP-SERVER-POLICY12.1 dhcp-server-policy ................................................................................................................................................................................................... 12-312.1.1 bootp ...................................................................................................................................................................................................................12-412.1.2 dhcp-class ........................................................................................................................................................................................................12-512.1.3 dhcp-pool .........................................................................................................................................................................................................12-1112.1.4 dhcp-server .................................................................................................................................................................................................. 12-5612.1.5 no ...................................................................................................................................................................................................................... 
12-5812.1.6 option .............................................................................................................................................................................................................. 12-5912.1.7 ping ..................................................................................................................................................................................................................12-6012.2 dhcpv6-server-policy ........................................................................................................................................................................................... 12-6112.2.1 dhcpv6-pool ................................................................................................................................................................................................. 12-6212.2.2 option ..............................................................................................................................................................................................................12-7312.2.3 restrict-vendor-options ...........................................................................................................................................................................12-7512.2.4 server-preference ..................................................................................................................................................................................... 
12-7612.2.5 no ......................................................................................................................................................................................................................12-77Chapter 13, FIREWALL-POLICY13.1 firewall-policy ............................................................................................................................................................................................................. 13-313.1.1 acl-logging ........................................................................................................................................................................................................13-413.1.2 alg ........................................................................................................................................................................................................................13-513.1.3 clamp .................................................................................................................................................................................................................. 13-713.1.4 dhcp-offer-convert ......................................................................................................................................................................................13-813.1.5 dns-snoop ........................................................................................................................................................................................................13-913.1.6 firewall ............................................................................................................................................................................................................. 
13-1013.1.7 flow .....................................................................................................................................................................................................................13-11
ContentsAccess Point, Wireless Controller and Service Platform CLI Reference Guide xi13.1.8 ip .........................................................................................................................................................................................................................13-1313.1.9 ip-mac ............................................................................................................................................................................................................. 13-2013.1.10 ipv6 .................................................................................................................................................................................................................13-2213.1.11 ipv6-mac ....................................................................................................................................................................................................... 13-2613.1.12 logging .......................................................................................................................................................................................................... 13-2813.1.13 no ..................................................................................................................................................................................................................... 
13-3013.1.14 proxy-arp ......................................................................................................................................................................................................13-3213.1.15 proxy-nd ........................................................................................................................................................................................................13-3313.1.16 stateful-packet-inspection-12 .............................................................................................................................................................. 13-3413.1.17 storm-control ..............................................................................................................................................................................................13-3513.1.18 virtual-defragmentation .........................................................................................................................................................................13-37Chapter 14, MINT-POLICY14.1 mint-policy ...................................................................................................................................................................................................................14-214.1.1 level ......................................................................................................................................................................................................................14-314.1.2 lsp ........................................................................................................................................................................................................................14-414.1.3 mtu 
......................................................................................................................................................................................................................14-514.1.4 router .................................................................................................................................................................................................................14-614.1.5 udp ......................................................................................................................................................................................................................14-714.1.6 no .........................................................................................................................................................................................................................14-8Chapter 15, MANAGEMENT-POLICY15.1 management-policy ................................................................................................................................................................................................. 15-315.1.1 aaa-login ............................................................................................................................................................................................................15-515.1.2 allowed-locations .......................................................................................................................................................................................... 
15-715.1.3 banner ................................................................................................................................................................................................................15-915.1.4 ftp ...................................................................................................................................................................................................................... 15-1015.1.5 http ....................................................................................................................................................................................................................15-1215.1.6 https ..................................................................................................................................................................................................................15-1315.1.7 idle-session-timeout ...................................................................................................................................................................................15-1515.1.8 ipv6 ................................................................................................................................................................................................................... 15-1615.1.9 no ....................................................................................................................................................................................................................... 15-1815.1.10 passwd-entry ............................................................................................................................................................................................. 
15-2015.1.11 privilege-mode-password .......................................................................................................................................................................15-2215.1.12 rest-server ................................................................................................................................................................................................... 15-2415.1.13 restrict-access .............................................................................................................................................................................................15-2515.1.14 snmp-server ................................................................................................................................................................................................ 15-2815.1.15 ssh ....................................................................................................................................................................................................................15-3315.1.16 t5 ..................................................................................................................................................................................................................... 15-3415.1.17 telnet .............................................................................................................................................................................................................. 
15-3615.1.18 user ..................................................................................................................................................................................................................15-3715.1.19 service ............................................................................................................................................................................................................ 15-41Chapter 16, RADIUS-POLICY16.1 radius-group ................................................................................................................................................................................................................16-216.1.1 guest ....................................................................................................................................................................................................................16-416.1.2 policy ..................................................................................................................................................................................................................16-516.1.3 rate-limit ...........................................................................................................................................................................................................16-916.1.4 no .......................................................................................................................................................................................................................16-1016.2 radius-server-policy .............................................................................................................................................................................................. 
16-1216.2.1 authentication .............................................................................................................................................................................................. 16-14
ContentsAccess Point, Wireless Controller and Service Platform CLI Reference Guide  xii16.2.2 bypass ............................................................................................................................................................................................................. 16-1616.2.3 chase-referral .............................................................................................................................................................................................. 16-1716.2.4 crl-check ........................................................................................................................................................................................................ 16-1816.2.5 ldap-agent .................................................................................................................................................................................................... 16-1916.2.6 ldap-group-verification ........................................................................................................................................................................... 16-2116.2.7 ldap-server ................................................................................................................................................................................................... 16-2216.2.8 local ................................................................................................................................................................................................................ 16-2516.2.9 nas ................................................................................................................................................................................................................... 
16-2616.2.10 no ................................................................................................................................................................................................................... 16-2816.2.11 proxy ..............................................................................................................................................................................................................16-3016.2.12 session-resumption ................................................................................................................................................................................ 16-3216.2.13 termination ................................................................................................................................................................................................. 16-3316.2.14 use ................................................................................................................................................................................................................. 16-3416.3 radius-user-pool-policy ...................................................................................................................................................................................... 16-3516.3.1 duration .......................................................................................................................................................................................................... 16-3616.3.2 user ................................................................................................................................................................................................................. 
16-3716.3.3 no .....................................................................................................................................................................................................................16-40Chapter 17, RADIO-QOS-POLICY17.1 radio-qos-policy .........................................................................................................................................................................................................17-417.1.1 accelerated-multicast ................................................................................................................................................................................... 17-517.1.2 admission-control .........................................................................................................................................................................................17-617.1.3 no ....................................................................................................................................................................................................................... 17-1017.1.4 smart-aggregation ......................................................................................................................................................................................17-1217.1.5 service .............................................................................................................................................................................................................. 17-1417.1.6 wmm ................................................................................................................................................................................................................ 
17-16Chapter 18, ROLE-POLICY18.1 role-policy ....................................................................................................................................................................................................................18-218.1.1 default-role .......................................................................................................................................................................................................18-318.1.2 ldap-deadperiod ............................................................................................................................................................................................18-518.1.3 ldap-query .......................................................................................................................................................................................................18-618.1.4 ldap-server ...................................................................................................................................................................................................... 
18.1.5 ldap-timeout
18.1.6 no
18.1.7 user-role

Chapter 19, SMART-RF-POLICY
19.1 smart-rf-policy
19.1.1 area
19.1.2 assignable-power
19.1.3 avoidance-time
19.1.4 channel-list
19.1.5 channel-width
19.1.6 coverage-hole-recovery
19.1.7 enable
19.1.8 group-by
19.1.9 interference-recovery
19.1.10 neighbor-recovery
19.1.11 no
19.1.12 sensitivity
19.1.13 smart-ocs-monitoring

Chapter 20, WIPS-POLICY
20.1 wips-policy
20.1.1 ap-detection
20.1.2 enable
20.1.3 event
20.1.4 history-throttle-duration
20.1.5 interference-event
20.1.6 no
20.1.7 signature
20.1.8 use

Chapter 21, WLAN-QOS-POLICY
21.1 wlan-qos-policy
21.1.1 accelerated-multicast
21.1.2 classification
21.1.3 multicast-mask
21.1.4 no
21.1.5 qos
21.1.6 rate-limit
21.1.7 svp-prioritization
21.1.8 voice-prioritization
21.1.9 wmm

Chapter 22, L2TPV3-POLICY
22.1 l2tpv3-policy-commands
22.1.1 cookie-size
22.1.2 failover-delay
22.1.3 force-l2-path-recovery
22.1.4 hello-interval
22.1.5 no
22.1.6 reconnect-attempts
22.1.7 reconnect-interval
22.1.8 retry-attempts
22.1.9 retry-interval
22.1.10 rx-window-size
22.1.11 tx-window-size
22.2 l2tpv3-tunnel-commands
22.2.1 establishment-criteria
22.2.2 fast-failover
22.2.3 hostname
22.2.4 local-ip-address
22.2.5 mtu
22.2.6 no
22.2.7 peer
22.2.8 router-id
22.2.9 session
22.2.10 use
22.3 l2tpv3-manual-session-commands
22.3.1 local-cookie
22.3.2 local-ip-address
22.3.3 local-session-id
22.3.4 mtu
22.3.5 no
22.3.6 peer
22.3.7 remote-cookie
22.3.8 remote-session-id
22.3.9 traffic-source

Chapter 23, ROUTER-MODE COMMANDS
23.1 router-mode
23.1.1 area
23.1.2 auto-cost
23.1.3 default-information
23.1.4 ip
23.1.5 network
23.1.6 ospf
23.1.7 passive
23.1.8 redistribute
23.1.9 route-limit
23.1.10 router-id
23.1.11 no

Chapter 24, ROUTING-POLICY
24.1 routing-policy-commands
24.1.1 apply-to-local-packets
24.1.2 logging
24.1.3 route-map
24.1.4 route-map-mode
24.1.5 use
24.1.6 no

Chapter 25, AAA-TACACS-POLICY
25.1 aaa-tacacs-policy
25.1.1 accounting
25.1.2 authentication
25.1.3 authorization
25.1.4 no

Chapter 26, MESHPOINT
26.1 meshpoint-config-instance
26.1.1 allowed-vlans
26.1.2 beacon-format
26.1.3 control-vlan
26.1.4 data-rates
26.1.5 description
26.1.6 force
26.1.7 meshid
26.1.8 neighbor
26.1.9 no
26.1.10 root
26.1.11 security-mode
26.1.12 service
26.1.13 shutdown
26.1.14 use
26.1.15 wpa2
26.2 meshpoint-qos-policy-config-instance
26.2.1 accelerated-multicast
26.2.2 no
26.2.3 rate-limit
26.3 meshpoint-device-config-instance
26.3.1 meshpoint-device
26.3.2 meshpoint-device-commands

Chapter 27, PASSPOINT POLICY
27.1 passpoint-policy
27.1.1 3gpp
27.1.2 access-network-type
27.1.3 connection-capability
27.1.4 domain-name
27.1.5 hessid
27.1.6 internet
27.1.7 ip-address-type
27.1.8 nai-realm
27.1.9 net-auth-type
27.1.10 no
27.1.11 operator
27.1.12 osu
27.1.13 roam-consortium
27.1.14 venue
27.1.15 wan-metrics

Chapter 28, BORDER GATEWAY PROTOCOL
28.1 bgp-ip-prefix-list-config commands
28.1.1 deny
28.1.2 permit
28.1.3 no
28.2 bgp-ip-access-list-config commands
28.2.1 deny
28.2.2 permit
28.2.3 no
28.3 bgp-as-path-list-config commands
28.3.1 deny
28.3.2 permit
28.3.3 no
28.4 bgp-community-list-config commands
28.4.1 deny
28.4.2 permit
28.4.3 no
28.5 bgp-extcommunity-list-config commands
28.5.1 deny
28.5.2 permit
28.5.3 no
28.6 bgp-route-map-config commands
28.6.1 description
28.6.2 match
28.6.3 no
28.6.4 set
28.7 bgp-router-config commands
28.7.1 aggregate-address
28.7.2 asn
28.7.3 bgp
28.7.4 bgp-route-limit
28.7.5 distance
28.7.6 ip
28.7.7 network
28.7.8 no
28.7.9 route-redistribute
28.7.10 timers
28.8 bgp-neighbor-config commands
28.8.1 activate
28.8.2 advertisement-interval
28.8.3 allowas-in
28.8.4 attribute-unchanged
28.8.5 capability
28.8.6 default-originate
28.8.7 description
28.8.8 disable-connected-check
28.8.9 dont-capability-negotiate
28-6728.8.10 ebgp-multihop ....................................................................................................................................................................................... 28-6828.8.11 enforce-multihop .................................................................................................................................................................................... 28-6928.8.12 local-as .......................................................................................................................................................................................................28-7028.8.13 maximum-prefix ......................................................................................................................................................................................28-7128.8.14 next-hop-self .......................................................................................................................................................................................... 28-7228.8.15 no ................................................................................................................................................................................................................. 28-7328.8.16 override-capability ............................................................................................................................................................................... 28-7428.8.17 passive ....................................................................................................................................................................................................... 28-7528.8.18 password .................................................................................................................................................................................................. 
28-7628.8.19 peer-group ................................................................................................................................................................................................28-7728.8.20 port ............................................................................................................................................................................................................ 28-7828.8.21 remote-as ................................................................................................................................................................................................. 28-7928.8.22 remove-private-as ...............................................................................................................................................................................28-8028.8.23 route-server-client ................................................................................................................................................................................ 28-8128.8.24 send-community .................................................................................................................................................................................. 28-8228.8.25 shutdown ................................................................................................................................................................................................. 28-8328.8.26 soft-reconfiguration ............................................................................................................................................................................ 28-8428.8.27 strict-capability-match ....................................................................................................................................................................... 
28-8528.8.28 timers ........................................................................................................................................................................................................ 28-8628.8.29 unsuppress-map ................................................................................................................................................................................... 28-8828.8.30 update-source ....................................................................................................................................................................................... 28-8928.8.31 use ...............................................................................................................................................................................................................28-9028.8.32 weight ........................................................................................................................................................................................................ 28-91Chapter 29, CRYPTO-CMP-POLICY29.1 crypto-cmp-policy-instance ...............................................................................................................................................................................29-229.1.1 ca-server ..........................................................................................................................................................................................................29-3
ContentsAccess Point, Wireless Controller and Service Platform CLI Reference Guide xvii29.1.2 cert-key-size .................................................................................................................................................................................................29-529.1.3 cert-renewal-timeout ................................................................................................................................................................................29-629.1.4 cross-cert-validate .....................................................................................................................................................................................29-729.1.5 subjectAltName ...........................................................................................................................................................................................29-829.1.6 trustpoint .......................................................................................................................................................................................................29-929.1.7 use .................................................................................................................................................................................................................... 29-1129.1.8 no ..................................................................................................................................................................................................................... 29-1229.2 other-cmp-related-commands  ...................................................................................................................................................................... 
29-1329.2.1 use ................................................................................................................................................................................................................... 29-1429.2.2 show .............................................................................................................................................................................................................. 29-15Chapter 30, ROAMING ASSIST POLICY30.1 roaming-assist-policy-instance .........................................................................................................................................................................30-230.1.1 action ................................................................................................................................................................................................................30-330.1.2 aggressiveness ........................................................................................................................................................................................... 30-430.1.3 detection-threshold ...................................................................................................................................................................................30-530.1.4 disassoc-time .............................................................................................................................................................................................. 30-630.1.5 handoff-count ..............................................................................................................................................................................................30-730.1.6 handoff-threshold ..................................................................................................................................................................................... 
30-830.1.7 monitoring-interval ................................................................................................................................................................................... 30-930.1.8 sampling-interval ......................................................................................................................................................................................30-1030.1.9 no ..................................................................................................................................................................................................................... 30-11Appendix A, CONTROLLER MANAGED WLAN USE CASEA.1 Creating a First Controller Managed WLAN .....................................................................................................................................................A-1A.1.1 Assumptions .......................................................................................................................................................................................................A-1A.1.2 Design ..................................................................................................................................................................................................................A-2A.1.3 Using the Command Line Interface to Configure the WLAN .......................................................................................................A-2Appendix B, PUBLICLY AVAILABLE SOFTWAREB.1 General Information  ....................................................................................................................................................................................................B-1B.2 Open Source Software Used  .................................................................................................................................................................................B-2B.3  OSS 
Licenses ..............................................................................................................................................................................................................B-15B.3.1 Apache License, Version 2.0  .....................................................................................................................................................................B-15B.3.2 The BSD License ............................................................................................................................................................................................B-17B.3.3 Creative Commons Attribution-ShareAlike License, version 3.0 ............................................................................................. B-18B.3.4 DropBear License  ........................................................................................................................................................................................B-23B.3.5 GNU General Public License, version 2  ...............................................................................................................................................B-25B.3.6 GNU GENERAL PUBLIC LICENSE  ........................................................................................................................................................ B-26B.3.7 GNU Lesser General Public License 2.1 ...............................................................................................................................................B-30B.3.8 CCO 1.0 Universal .........................................................................................................................................................................................B-37B.3.9 GNU General Public License, version 3  .............................................................................................................................................. 
B-39B.3.10 ISC License ................................................................................................................................................................................................... B-48B.3.11 GNU Lesser General Public License, version 3.0 ............................................................................................................................ B-48B.3.12  GNU General Public License 2.0 ...........................................................................................................................................................B-51B.3.13 GNU Lesser General Public License, version 2.0 ............................................................................................................................B-57B.3.14 GNU Lesser General Public License, version 2.1 ............................................................................................................................ B-63B.3.15 GNU LESSER GENERAL PUBLIC LICENSE ...................................................................................................................................... B-65B.3.16 MIT License  .................................................................................................................................................................................................. B-69B.3.17 Mozilla Public License, version 2 .......................................................................................................................................................... B-70B.3.18 The Open LDAP Public License  ........................................................................................................................................................... B-74
ContentsAccess Point, Wireless Controller and Service Platform CLI Reference Guide  xviiiB.3.19 OpenSSL License ........................................................................................................................................................................................B-75B.3.20 WU-FTPD Software License ................................................................................................................................................................ B-76B.3.21 zlib License ....................................................................................................................................................................................................B-77B.3.22 Python License, Version 2 (Python-2.0)  ......................................................................................................................................... B-78B.3.23 BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0 ........................................................................................................ B-78B.3.24 CNRI OPEN SOURCE LICENSE AGREEMENT (for Python 1.6b1) .......................................................................................... B-79B.3.25 CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2 ...........................................................................................B-80B.3.26 Zope Public License (ZPL) Version 2.0  ............................................................................................................................................ B-81B.3.27 Zope Public License (ZPL) Version 2.1 ............................................................................................................................................. B-82
ABOUT THIS GUIDE

This manual supports the following wireless controllers, service platforms, and access points:
• Wireless Controllers – RFS4000, RFS6000
• Service Platforms – NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
• Access Points – AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8122, AP8132, AP8163, AP8232, AP8432, AP8533

A simplified version of the WiNG operating system user interface (UI) is available on the following access point and service platform models:
• AP6521E, AP6522E, AP6562E, AP7502E, AP7522E, AP7532E, AP7562E, AP7602, AP7612, AP7632, AP7662
• NX5500E, NX7510E, and VX9000E

This new WiNG Express (WE) UI simplifies configuration and monitoring of small access point deployments by limiting monitoring, analytics, and configuration capabilities. The WE UI is designed for single-site access point deployments of no more than 24 access points of the same model.

This section is organized into the following topics:
• Document Conventions
• Notational Conventions
• End-User Software License Agreement

NOTE: In this document AP8122, AP8132, AP8163 are collectively referred to as AP81XX.

CAUTION: To configure a WE access point, exclusively use the WE UI. Do not use the command line interface (CLI) along with it. Similarly, when using the CLI to configure the WE access point, do not use the WE UI along with it.
Document Conventions

The following conventions are used in this document to draw your attention to important information:

NOTE: Indicates tips or special requirements.

CAUTION: Indicates conditions that can cause equipment damage or data loss.

WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.

Switch Note: Indicates caveats unique to a RFS4000, RFS6000, NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, or NX9600 model controller.

Notational Conventions

The following notational conventions are used in this document:
• Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents
• Bullets (•) indicate:
  - lists of alternatives
  - lists of required steps that are not necessarily sequential
  - action items
• Sequential lists (those describing step-by-step procedures) appear as numbered lists

Understanding Command Syntax

<variable>
Variables are described with a short description enclosed within a ‘<’ and a ‘>’ pair.
For example, the command,
    nx9500-6C8809>show interface ge 1
is documented as:
    show interface ge <1-2>
where:
• show – is the command – displays information
• interface – is the keyword – represents the interface type
• <1-2> – is the variable – represents the ge interface index value

|
The pipe symbol. This is used to separate the variables/keywords in a list.
For example, the command,
    nx9500-6C8809> show .....
is documented as:
    show [adoption|bluetooth|bonjour|boot|......
where:
• show – is the command – displays information
• [adoption|bluetooth|bonjour|boot|.......] – indicates the different keywords that can be combined with the show command. However, only one of the above options can be used at a time.
    show adoption ...
    show bluetooth ...
    show bonjour ...

[]
Of the different keywords and variables listed inside a ‘[’ & ‘]’ pair, only one can be used. Each choice in the list is separated with a ‘|’ (pipe) symbol.
For example, the command,
    nx9500-6C8809#clear ...
is documented as:
    clear [arp-cache|bonjour|cdp|counters|crypto|event-history|firewall|gre|ip|ipv6|l2tpv3-stats|lacp|license|lldp|logging|mac-address-table|mint|role|rtls|spanning-tree|traffic-shape|vrrp]
where:
• clear – is the command
• [arp-cache|cdp|bonjour|counters|crypto|event-history|firewall|gre|ip|ipv6|l2tpv3-stats|lacp|license|lldp|logging|mac-address-table|mint|role|rtls|spanning-tree|traffic-shape|vrrp] – indicates that these keywords are available for this command. However, only one can be used at a time.

{ }
Any command/keyword/variable or a combination of them inside a ‘{’ & ‘}’ pair is optional. All optional commands follow the same conventions as listed above. However, they are displayed italicized.
For example, the command,
    nx9500-6C8809> show adoption ....
is documented as:
    show adoption info {on <DEVICE-NAME>}
here:
• show adoption info – is the command. This command can also be used as:
    show adoption info
  The command can also be extended as:
    show adoption info {on <DEVICE-NAME>}
  here:
• {on <DEVICE-NAME>} – is the keyword, which is optional.

command / keyword
The first word is always a command. Keywords are words that must be entered as is. Commands and keywords are mandatory.
For example, the command,
    nx9500-6C8809>show wireless
is documented as:
    show wireless
where:
• show – is the command
• wireless – is the keyword

()
Any command/keyword/variable or a combination of them inside a ‘(’ & ‘)’ pair are recursive. All recursive commands can be listed in any order and can be used once along with the rest of the commands.
For example, the command,
    crypto pki export request generate-rsa-key test autogen-subject-name ...
is documented as:
    nx9500-6C8809#crypto pki export request generate-rsa-key test autogen-subject-name (<URL>,email <EMAIL>,fqdn <FQDN>,ip-address <IP>)
here:
• crypto pki export request generate-rsa-key <RSA-KEYPAIR-NAME> autogen-subject-name – is the command
• <RSA-KEYPAIR-NAME> – is the RSA keypair name (in this example, the keypair name is ‘test’), and is a variable
• (<URL>,email <EMAIL>,fqdn <FQDN>,ip-address <IP>) – is the set of recursive parameters (separated by commas) that can be used in any order.
End-User Software License Agreement

This document is an agreement (“Agreement”) between You, the end user, and Extreme Networks, Inc., on behalf of itself and its Affiliates (“Extreme”) that sets forth your rights and obligations with respect to the “Licensed Materials”. BY INSTALLING SOFTWARE AND/OR THE LICENSE KEY FOR THE SOFTWARE (“License Key”) (collectively, “Licensed Software”), IF APPLICABLE, COPYING, OR OTHERWISE USING THE LICENSED SOFTWARE AND/OR ANY OF THE LICENSED MATERIALS UNDER THIS AGREEMENT, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE(S) AND THE LIMITATION(S) OF WARRANTY AND DISCLAIMER(S)/LIMITATION(S) OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, RETURN THE LICENSE KEY (IF APPLICABLE) TO EXTREME OR YOUR DEALER, IF ANY, OR DO NOT USE THE LICENSED SOFTWARE AND/OR LICENSED MATERIALS AND CONTACT EXTREME OR YOUR DEALER WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT TO ARRANGE FOR A REFUND. IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT EXTREME, Attn: LegalTeam@extremenetworks.com.

1 DEFINITIONS. “Affiliates” means any person, partnership, corporation, limited liability company, or other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified. “Server Application” means the software application associated to software authorized for installation (per License Key, if applicable) on one or more of Your servers as further defined in the Ordering Documentation. “Client Application” shall refer to the application to access the Server Application.
“Network Device” for purposes of this Agreement shall mean a physical computer device, appliance, appliance component, controller, wireless access point, or virtual appliance as further described within the applicable product documentation, which includes the Order Documentation. “Licensed Materials” means the Licensed Software (including the Server Application and Client Application), Network Device (if applicable), Firmware, media embodying software, and the accompanying documentation. “Concurrent User” shall refer to any of Your individual employees who You provide access to the Server Application at any one time. “Firmware” refers to any software program or code embedded in chips or other media. “Standalone” software is software licensed for use independent of any hardware purchase as identified in the Ordering Documentation. “Licensed Software” collectively refers to the software, including Standalone software, Firmware, Server Application, Client Application or other application licensed with conditional use parameters as defined in the Ordering Documentation. “Ordering Documentation” shall mean the applicable price quotation, corresponding purchase order, relevant invoice, order acknowledgement, and accompanying documentation or specifications for the products and services purchased, acquired or licensed hereunder from Extreme either directly or indirectly.

2 TERM. This Agreement is effective from the date on which You accept the terms and conditions of this Agreement via click-through, commence using the products and services or upon delivery of the License Key if applicable, and shall be effective until terminated. In the case of Licensed Materials offered on a subscription basis, the term of “licensed use” shall be as defined within Your Ordering Documentation.

3 GRANT OF LICENSE.
Extreme will grant You a non-transferable, non-sublicensable, non-exclusive license to use the Licensed Materials and the accompanying documentation for Your own business purposes subject to the terms and conditions of this Agreement, applicable licensing restrictions, and any term, user server networking device, field of use, or other restrictions as set forth in Your Ordering Documentation. If the Licensed Materials are being licensed on a subscription and/or capacity basis, the applicable term and/or capacity limit of the license shall be specified in Your Ordering Documentation. You may install and use the Licensed Materials as permitted by the license type purchased as described below in License Types. The license type purchased is specified on the invoice issued to You by Extreme
or Your dealer, if any. YOU MAY NOT USE, COPY, OR MODIFY THE LICENSED MATERIALS, IN WHOLE OR IN PART, EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT.

4 LICENSE TYPES.
• Single User, Single Network Device. Under the terms of this license type, the license granted to You by Extreme authorizes You to use the Licensed Materials as bundled with a single Network Device as identified by a unique serial number for the applicable Term, if and as specified in Your Ordering Documentation, or any replacement for that network device for that same Term, for internal use only. A separate license, under a separate License Agreement, is required for any other network device on which You or another individual, employee or other third party intend to use the Licensed Materials. A separate license under a separate License Agreement is also required if You wish to use a Client license (as described below).
• Single User, Multiple Network Device. Under the terms of this license type, the license granted to You by Extreme authorizes You to use the Licensed Materials with a defined amount of Network Devices as defined in the Ordering Documentation.
• Client. Under the terms of the Client license, the license granted to You by Extreme will authorize You to install the License Key for the Licensed Materials on your server and allow the specific number of Concurrent Users as ordered by you and is set forth in Your Ordering Documentation. A separate license is required for each additional Concurrent User.
• Standalone. Software or other Licensed Materials licensed to You for use independent of any Network Device.
• Subscription. Licensed Materials, and inclusive Software, Network Device or related appliance updates and maintenance services, licensed to You for use during a subscription period as defined in Your applicable Ordering Documentation.
• Capacity.
Under the terms of this license, the license granted to You by Extreme authorizes You to use the Licensed Materials up to the amount of capacity or usage as defined in the Ordering Documentation.5AUDIT RIGHTS. You agree that Extreme may audit Your use of the Licensed Materials for compliance with these terms and Your License Type at any time, upon reasonable notice. In the event that such audit reveals any use of the Licensed Materials by You other than in full compliance with the license granted and the terms of this Agreement, Extreme reserves the right to charge You for all reasonable expenses related to such audit in addition to any other liabilities and overages applicable as a result of such non-compliance, including but not limited to additional fees for Concurrent Users, excess capacity or usage over and above those specifically granted to You. From time to time, the Licensed Materials may upload information about the Licensed Materials and the associated usage to Extreme. This is to verify the Licensed Materials are being used in accordance with a valid license and/or entitlement. By using the Licensed Materials, you consent to the transmission of this information.6 RESTRICTION AGAINST COPYING OR MODIFYING LICENSED MATERIALS. Except as expressly permitted in this Agreement, You may not copy or otherwise reproduce the Licensed Materials. In no event does the limited copying or reproduction permitted under this Agreement include the right to decompile, disassemble, electronically transfer, or reverse engineer the Licensed Materials, including the Licensed Software, or to translate the Licensed Materials into another computer language. The media embodying the Licensed Materials may be copied by You, in whole or in part, into printed or machine readable form, in sufficient numbers only for backup or archival purposes, or to replace a worn or defective copy. 
However, You agree not to have more than two (2) copies of the Licensed Software in whole or in part, including the original media, in your possession for said purposes without Extreme’s prior written consent, and in no event shall You operate more copies of the Licensed Software than the specific licenses granted to You. You may not copy or reproduce the documentation. You agree to maintain appropriate records of the location of the original media and all copies of the Licensed Software, in whole or in part, made by You. Any portion of the Licensed Software included in any such modular work shall be used only on a single computer for internal purposes and shall remain subject to all the terms and conditions of this Agreement. You agree to include any copyright or other proprietary notice set forth on the label of the media embodying the Licensed Software on any copy of the Licensed Software in any form, in whole or in part, or on any modification of the Licensed Software or any such modular work containing the Licensed Software or any part thereof.

7 TITLE AND PROPRIETARY RIGHTS
a. The Licensed Materials are copyrighted works and are the sole and exclusive property of Extreme, any company or a division thereof which Extreme controls or is controlled by, or which may result from the merger or consolidation with Extreme (its “Affiliates”), and/or their suppliers. This Agreement conveys a limited right to operate the Licensed Materials and shall not be construed to convey title to the Licensed Materials to You. There are no implied rights. You shall not sell, lease, transfer, sublicense, dispose of, or otherwise make available the Licensed Materials or any portion thereof, to any other party.
b. You further acknowledge that in the event of a breach of this Agreement, Extreme shall suffer severe and irreparable damages for which monetary compensation alone will be inadequate. You therefore agree that in the event of a breach of this Agreement, Extreme shall be entitled to monetary damages and its reasonable attorney’s fees and costs in enforcing this Agreement, as well as injunctive relief to restrain such breach, in addition to any other remedies available to Extreme.

8 PROTECTION AND SECURITY. In the performance of this Agreement or in contemplation thereof, You and your employees and agents may have access to private or confidential information owned or controlled by Extreme relating to the Licensed Materials supplied hereunder including, but not limited to, product specifications and schematics, and such information may contain proprietary details and disclosures. All information and data so acquired by You or your employees or agents under this Agreement or in contemplation hereof shall be and shall remain Extreme’s exclusive property, and You shall use all commercially reasonable efforts to keep, and have your employees and agents keep, any and all such information and data confidential, and shall not copy, publish, or disclose it to others, without Extreme’s prior written approval, and shall return such information and data to Extreme at its request. Nothing herein shall limit your use or dissemination of information not actually derived from Extreme or of information which has been or subsequently is made public by Extreme, or a third party having authority to do so.

You agree not to deliver or otherwise make available the Licensed Materials or any part thereof, including without limitation the object or source code (if provided) of the Licensed Software, to any party other than Extreme or its employees, except for purposes specifically related to your use of the Licensed Materials on a single computer as expressly provided in this Agreement, without the prior written consent of Extreme. You acknowledge that the Licensed Materials contain valuable confidential information and trade secrets, and that unauthorized use, copying and/or disclosure thereof are harmful to Extreme or its Affiliates and/or its/their software suppliers.

9 MAINTENANCE AND UPDATES. Except as otherwise defined below, updates and certain maintenance and support services, if any, shall be provided to You pursuant to the terms of an Extreme Service and Maintenance Agreement, if Extreme and You enter into such an agreement. Except as specifically set forth in such agreement, Extreme shall not be under any obligation to provide updates, modifications, or enhancements, or maintenance and support services for the Licensed Materials to You. If you have purchased Licensed Materials on a subscription basis then the applicable service terms for Your Licensed Materials are as provided in Your Ordering Documentation. Extreme will perform the maintenance and updates in a timely and professional manner, during the Term of Your subscription, using qualified and experienced personnel. You will cooperate in good faith with Extreme in the performance of the support services including, but not limited to, providing Extreme with: (a) access to the Extreme Licensed Materials (and related systems); and (b) reasonably requested assistance and information. Further information about the applicable maintenance and updates terms can be found on Extreme’s website at http://www.extremenetworks.com/company/legal/terms-of-support

10 DEFAULT AND TERMINATION. In the event that You shall fail to keep, observe, or perform any obligation under this Agreement, including a failure to pay any sums due to Extreme, or in the event that you become insolvent or seek protection, voluntarily or involuntarily, under any bankruptcy law, Extreme may, in addition to any other remedies it may have under law, terminate the License and any other agreements between Extreme and You.
a. Immediately after any termination of the Agreement, Your licensed subscription term, or if You have for any reason discontinued use of Licensed Materials, You shall return to Extreme the original and any copies of the Licensed Materials and remove the Licensed Materials, including any Licensed Software, from any modular works made pursuant to Section 3, and certify in writing that through your best efforts and to the best of your knowledge the original and all copies of the terminated or discontinued Licensed Materials have been returned to Extreme.
b. Sections 1, 7, 8, 10, 11, 12, 13, 14 and 15 shall survive termination of this Agreement for any reason.

11 EXPORT REQUIREMENTS. You are advised that the Licensed Materials, including the Licensed Software is of United States origin and subject to United States Export Administration Regulations; diversion contrary to United States law and regulation is prohibited.
You agree not to directly or indirectly export, import or transmit the Licensed Materials, including the Licensed Software to any country, end user or for any Use that is prohibited by applicable United States regulation or statute (including but not limited to those countries embargoed from time to time by the United States government); or contrary to the laws or regulations of any other governmental entity that has jurisdiction over such export, import, transmission or Use.

12 UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The Licensed Materials (i) were developed solely at private expense; (ii) contain “restricted computer software” submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Extreme and/or its suppliers. For Department of Defense units, the Licensed Materials are considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein.

13 LIMITED WARRANTY AND LIMITATION OF LIABILITY. Extreme warrants to You that (a) the initially-shipped version of the Licensed Materials will materially conform to the Documentation; and (b) the media on which the Licensed Software is recorded will be free from material defects for a period of ninety (90) days from the date of delivery to You or such other minimum period required under applicable law. Extreme does not warrant that Your use of the Licensed Materials will be error-free or uninterrupted.

NEITHER EXTREME NOR ITS AFFILIATES MAKE ANY OTHER WARRANTY OR REPRESENTATION, EXPRESS OR IMPLIED, WITH RESPECT TO THE LICENSED MATERIALS, WHICH ARE LICENSED "AS IS".
THE LIMITED WARRANTY AND REMEDY PROVIDED ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE EXPRESSLY DISCLAIMED, AND STATEMENTS OR REPRESENTATIONS MADE BY ANY OTHER PERSON OR FIRM ARE VOID. IN NO EVENT WILL EXTREME OR ANY OTHER PARTY WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION OR DELIVERY OF THE LICENSED MATERIALS BE LIABLE FOR SPECIAL, DIRECT, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF DATA OR PROFITS OR FOR INABILITY TO USE THE LICENSED MATERIALS, TO ANY PARTY EVEN IF EXTREME OR SUCH OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL EXTREME OR SUCH OTHER PARTY'S LIABILITY FOR ANY DAMAGES OR LOSS TO YOU OR ANY OTHER PARTY EXCEED THE LICENSE FEE YOU PAID FOR THE LICENSED MATERIALS.

Some states do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation and exclusion may not apply to You. This limited warranty gives You specific legal rights, and You may also have other rights which vary from state to state.

14 JURISDICTION. The rights and obligations of the parties to this Agreement shall be governed and construed in accordance with the laws and in the State and Federal courts of the State of California, without regard to its rules with respect to choice of law. You waive any objections to the personal jurisdiction and venue of such courts. None of the 1980 United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement.

15 FREE AND OPEN SOURCE SOFTWARE. Portions of the Software (Open Source Software) provided to you may be subject to a license that permits you to modify these portions and redistribute the modifications (an Open Source License). Your use, modification and redistribution of the Open Source Software are governed by the terms and conditions of the applicable Open Source License. More details regarding the Open Source Software and the applicable Open Source Licenses are available at www.extremenetworks.com/services/SoftwareLicensing.aspx. Some of the Open Source software may be subject to the GNU General Public License v.x (GPL) or the Lesser General Public Library (LGPL), copies of which are provided with the Licensed Materials and are further available for review at www.extremenetworks.com/services/SoftwareLicensing.aspx, or upon request as directed herein.
In accordance with the terms of the GPL and LGPL, you may request a copy of the relevant source code. See the Software Licensing web site for additional details. This offer is valid for up to three years from the date of original download of the software.

16 GENERAL.
a. This Agreement is the entire agreement between Extreme and You regarding the Licensed Materials, and all prior agreements, representations, statements, and undertakings, oral or written, are hereby expressly superseded and canceled.
b. This Agreement may not be changed or amended except in writing signed by both parties hereto.
c. You represent that You have full right and/or authorization to enter into this Agreement.
d. This Agreement shall not be assignable by You without the express written consent of Extreme. The rights of Extreme and Your obligations under this Agreement shall inure to the benefit of Extreme’s assignees, licensors, and licensees.
e. Section headings are for convenience only and shall not be considered in the interpretation of this Agreement.
f. The provisions of the Agreement are severable and if any one or more of the provisions hereof are judicially determined to be illegal or otherwise unenforceable, in whole or in part, the remaining provisions of this Agreement shall nevertheless be binding on and enforceable by and between the parties hereto.
g. Extreme’s waiver of any right shall not constitute waiver of that right in future. This Agreement constitutes the entire understanding between the parties with respect to the subject matter hereof, and all prior agreements, representations, statements and undertakings, oral or written, are hereby expressly superseded and canceled. No purchase order shall supersede this Agreement.
h. Should You have any questions regarding this Agreement, You may contact Extreme at the address set forth below. Any notice or other communication to be sent to Extreme must be mailed by certified mail to the following address:

Extreme Networks, Inc.
16480 Via Del San Jose, CA 95119 United States
Tel: +1 408-579-2800
Toll-free: +1 888-257-3000
1 INTRODUCTION

This chapter describes the commands available within a device’s Command Line Interface (CLI) structure. CLI is available for wireless controllers, access points (APs), and service platforms.

Access the CLI by using:
• A terminal emulation program running on a computer connected to the serial port on the device (access point, wireless controller, and service platform).
• A Telnet session through Secure Shell (SSH) over a network.

Configuration for connecting to a Controller using a terminal emulator

If connecting through the serial port, use the following settings to configure your terminal emulator:

Bits Per Second   19200 (For AP8533, AP8432, AP7662, AP7632, AP7622, AP7612, AP7602, AP7502, AP7522, AP7532, AP7562, AP6521, AP6522, AP6532, AP6562 model access points set this value to 115200.)
Data Bits         8
Parity            None
Stop Bit          1
Flow Control      None

When a CLI session is established, complete the following (user input is in bold):

login as: <username>
administrator’s login password: <password>

User Credentials

Use the following credentials when logging into a device for the first time:

User Name   admin
Password    admin123

When logging into the CLI for the first time, you are prompted to change the password.

Examples in this reference guide

Examples used in this reference guide are generic to each supported wireless controller, service platform, and AP model. Commands that are not common are identified using the notation “Supported in the following platforms:”. For an example, see below:

Supported in the following platforms:
• Wireless Controller – RFS6000

The above example indicates the command is only available for an RFS6000 model wireless controller.
This chapter is organized into the following sections:
• CLI Overview
• Getting Context Sensitive Help
• Using the No Command
• Using CLI Editing Features and Shortcuts
• Using CLI to Create Profiles and Enable Remote Administration

1.1 CLI Overview

The CLI is used for configuring, monitoring, and maintaining the network. The user interface allows you to execute commands on supported wireless controllers, service platforms, and APs, using either a serial console or a remote access method.

This chapter describes basic CLI features. Topics covered include an introduction to command modes, navigation and editing features, help features and command history.

The CLI is segregated into different command modes. Each mode has its own set of commands for configuration, maintenance, and monitoring. The commands available at any given time depend on the mode you are in, and to a lesser extent, the particular model used. Enter a question mark (?) at the system prompt to view a list of commands available for each command mode/instance.

Use specific commands to navigate from one command mode to another. The standard order is: USER EXEC mode, PRIV EXEC mode and GLOBAL CONFIG mode.

Figure 1-1 Hierarchy of User Modes

Command Modes

A session generally begins in the USER EXEC mode (one of the two access levels of the EXEC mode). For security, only a limited subset of EXEC commands are available in the USER EXEC mode. This level is reserved for tasks that do not change the device’s (wireless controller, service platform, or AP) configuration.

rfs6000-6DB5D4>

The system prompt signifies the device name and the last three bytes of the device MAC address.

To access commands, enter the PRIV EXEC mode (the second access level for the EXEC mode). Once in the PRIV EXEC mode, enter any EXEC command. The PRIV EXEC mode is a superset of the USER EXEC mode.

rfs6000-6DB5D4>enable
rfs6000-6DB5D4#

Most of the USER EXEC mode commands are one-time commands and are not saved across device reboots. Save the command by executing the ‘commit’ command. For example, the show command displays the current configuration and the clear command clears the interface.

Access the GLOBAL CONFIG mode from the PRIV EXEC mode. In the GLOBAL CONFIG mode, enter commands that set general system characteristics. Configuration modes allow you to change the running configuration. If you save the configuration later, these commands are stored across device reboots.

Access a variety of protocol-specific (or feature-specific) modes from the global configuration mode. The CLI hierarchy requires you to access specific configuration modes only through the global configuration mode.

rfs6000-6DB5D4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs6000-6DB5D4(config)#

You can also access sub-modes from the global configuration mode.
Configuration sub-modes define specific features within the context of a configuration mode.

rfs6000-6DB5D4(config)#aaa-policy test
rfs6000-6DB5D4(config-aaa-policy-test)#

The following table summarizes available CLI commands:

Table 1.1 Controller CLI Modes and Commands

User Exec Mode | Priv Exec Mode | Global Configuration Mode
captive-portal-page-upload | archive | aaa-policy
change-passwd | boot | aaa-tacacs-policy
clear | captive-portal-page-upload | alias
clock | cd | ap6521
cluster | change-passwd | ap6522
commit | clear | ap6532
connect | clock | ap6562
create-cluster | cluster | ap7161
crypto | commit | ap7502
crypto-cmp-cert-update | configure | ap7522
database | connect | ap7532
database-backup | copy | ap7562
database-restore | cpe (RFS4000, RFS6000, NX9500, NX9600, VX9000) | ap7602
debug | create-cluster | ap7612
device-upgrade | crypto | ap7622
disable | crypto-cmp-cert-update | ap7632
enable | database | ap7662
file-sync | database-backup | ap81xx (ap8122, ap8132, ap8163)
help | database-restore | ap8232
join-cluster | debug | ap8432
l2tpv3 | delete | ap8533
logging | device-upgrade | application
mint | diff | application-group
no | dir | application-policy
on | disable | association-acl-policy
opendns | edit | auto-provisioning-policy
page | enable | bgp
ping | erase | bonjour-gw-discovery-policy
ping6 | ex3500 | bonjour-gw-forwarding-policy
revert | factory-reset | bonjour-gw-query-forwarding-policy
service | file-sync | captive-portal
show | halt | clear
ssh | help | client-identity
telnet | join-cluster | client-identity-group
terminal | l2tpv3 | clone
time-it | logging | crypto-cmp-policy
traceroute | mint | customize
traceroute6 | mkdir | database-client-policy (supported only on VX9000)
virtual-machine (supported only on NX9500, NX9600, and VX9000) | more | database-policy (supported only on NX9500, NX9600, and VX9000)
watch | no | device
write | on | device-categorization
clrscr | opendns | dhcp-server-policy
exit | page | dhcp6-server-policy
 | ping | dns-whitelist
 | ping6 | event-system-policy
 | pwd | ex3500
 | raid (supported only on NX9500 and NX7530) | ex3500-management-policy
 | re-elect | ex3500-qos-class-map-policy
 | reload | ex3500-qos-policy-map
 | remote-debug | ex3524
 | rename | ex3548
 | revert | firewall-policy
 | rmdir | global-association-list
 | self | guest-management
 | service | help
 | show | host
 | ssh | igmp-snoop-policy (This command has been deprecated. IGMP snooping is now configurable under the profile/device configuration mode. For more information, see ip.)
 | t5 (supported only on RFS4000, RFS6000, NX9500, NX9600, and VX9000) | inline-password-encryption
 | telnet | ip
 | terminal | ipv6
 | time-it | ipv6-router-advertisement-policy
 | traceroute | l2tpv3
 | traceroute6 | mac
 | upgrade | management-policy
 | upgrade-abort | meshpoint
 | virtual-machine (supported only on NX9500, NX9600, and VX9000) | meshpoint-qos-policy
 | watch | mint-policy
 | write | nac-list
 | clrscr | no
 | exit | nsight-policy
 | | nx5500 (supported only on NX9500, NX9600, VX9000)
 | | nx75xx (supported only on NX9500, NX9600, VX9000)
 | | nx9000 (supported only on NX9500, NX9600, VX9000)
 | | nx9600 (supported only on NX9600)
 | | passpoint-policy
 | | password-encryption
 | | profile
 | | radio-qos-policy
 | | radius-group
 | | radius-server-policy
 | | radius-user-pool-policy
 | | rename
 | | replace
 | | rf-domain
 | | rfs4000
 | | rfs6000
 | | roaming-assist-policy
 | | role-policy
 | | route-map
 | | routing-policy
 | | rtl-server-policy
 | | schedule-policy
 | | self
 | | sensor-policy
 | | smart-rf-policy
 | | t5 (supported only on RFS4000, RFS6000, NX9500, NX9600, VX9000)
 | | url-filter (supported only on NX9500, NX9600, VX9000)
 | | url-list (supported only on NX9500, NX9600, VX9000)
 | | vx9000 (supported only on NX9500, and NX9600, VX9000)
 | | web-filter-policy
 | | wips-policy
 | | wlan
 | | wlan-qos-policy
 | | write
 | | clrscr
 | | commit
 | | do
 | | end
 | | exit
 | | revert
 | | service
 | | show

1.2 Getting Context Sensitive Help

Enter a question mark (?) at the system prompt to display a list of commands available for each mode. Obtain a list of arguments and keywords for any command using the CLI context-sensitive help.

Use the following commands to obtain help specific to a command mode, command name, keyword or argument:

Command | Description
(prompt)#help | Displays a brief description of the help system
(prompt)#abbreviated-command-entry? | Lists commands in the current mode that begin with a particular character string
(prompt)#abbreviated-command-entry[TAB] | Completes a partial command name
(prompt)#? | Lists all commands available in the command mode
(prompt)#command ? | Lists the available syntax options (arguments and keywords) for the command
(prompt)#command keyword ? | Lists the next available syntax option for the command

NOTE: The system prompt varies depending on the configuration mode.

NOTE: Enter Ctrl + V to use ? as a regular character and not as a character used for displaying context sensitive help. This is required when the user has to enter a URL that ends with a ?

NOTE: The escape character used throughout the CLI is “\”. To enter a "\" use "\\" instead.
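Because the prompt itself encodes the command mode, a captured console session can be audited line by line. The Python below is an added example, not part of the WiNG guide or any Extreme tooling: it labels each command in a transcript with its mode and separates help lookups from entered commands. The transcript is constructed from the prompts shown in this chapter, and the function and field names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional

# Prompt shapes shown in this guide:
#   rfs6000-6DB5D4>                          USER EXEC
#   rfs6000-6DB5D4#                          PRIV EXEC
#   rfs6000-6DB5D4(config)#                  GLOBAL CONFIG
#   rfs6000-6DB5D4(config-aaa-policy-test)#  configuration sub-mode
PROMPT_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9_.-]+)"
    r"(?:\((?P<ctx>config(?:-[^()]+)?)\))?"
    r"(?P<sigil>[>#])"
    r"(?P<cmd>.*)$"
)
# The default prompt ends in the last three bytes of the device MAC address.
# Heuristic only: a renamed device may not carry this suffix.
MAC_SUFFIX_RE = re.compile(r"-([0-9A-Fa-f]{6})$")

CONFIG_MODES = ("GLOBAL CONFIG", "CONFIG SUB-MODE")


class Entry(NamedTuple):
    line_no: int
    host: str
    mac_suffix: Optional[str]
    mode: str
    context: Optional[str]  # sub-mode name, e.g. "aaa-policy-test"
    command: str
    is_help: bool           # ends in "?": a help lookup, nothing is executed
    after_help: bool        # begins with text the CLI reprinted after a "?"


def classify_prompt(ctx: Optional[str], sigil: str):
    """Map the prompt's context and trailing character to a command mode."""
    if ctx is None:
        return ("USER EXEC" if sigil == ">" else "PRIV EXEC"), None
    if sigil != "#":
        return None, None  # "(config)>" is not a prompt this guide shows
    if ctx == "config":
        return "GLOBAL CONFIG", None
    return "CONFIG SUB-MODE", ctx[len("config-"):]


def parse_transcript(text: str) -> List[Entry]:
    """Return one Entry per prompt line that carries a command."""
    entries = []
    reprinted = None  # characters the CLI reprints after a help lookup
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = PROMPT_RE.match(raw.rstrip())
        if not m:
            continue  # command output, banners, blank lines
        mode, context = classify_prompt(m["ctx"], m["sigil"])
        command = m["cmd"].strip()
        if mode is None or not command:
            reprinted = None
            continue
        # A literal "?" typed with Ctrl + V (a URL ending in "?") cannot be
        # told apart in a transcript and is also counted as a help lookup.
        is_help = command.endswith("?")
        after_help = (bool(reprinted) and not is_help
                      and command.startswith(reprinted))
        reprinted = command[:-1].strip() if is_help else None
        mac = MAC_SUFFIX_RE.search(m["host"])
        entries.append(Entry(line_no, m["host"],
                             mac.group(1).upper() if mac else None,
                             mode, context, command, is_help, after_help))
    return entries


def config_commands(entries: List[Entry]) -> List[str]:
    """Commands entered in a mode that can change the running configuration."""
    return [e.command for e in entries
            if e.mode in CONFIG_MODES and not e.is_help]


# Constructed sample session, assembled from the examples in this chapter.
SAMPLE_TRANSCRIPT = """\
rfs6000-6DB5D4>enable
rfs6000-6DB5D4#service?
service Service Commands
rfs6000-6DB5D4#service
rfs6000-6DB5D4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs6000-6DB5D4(config)#aaa-policy test
rfs6000-6DB5D4(config-aaa-policy-test)#?
rfs6000-6DB5D4(config-aaa-policy-test)#
"""

if __name__ == "__main__":
    for e in parse_transcript(SAMPLE_TRANSCRIPT):
        tag = "help" if e.is_help else ("reprint" if e.after_help else "cmd")
        print(f"{e.line_no:>2} {e.mode:<16} {tag:<8} {e.command}")
    print("config-mode commands:", config_commands(parse_transcript(SAMPLE_TRANSCRIPT)))
```

An entry flagged `after_help` starts with characters the CLI reprinted after a help lookup, so the transcript alone does not show whether that line was completed and executed.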
When using context-sensitive help, the space (or lack of a space) before the question mark (?) is significant. To obtain a list of commands that begin with a particular sequence, enter the characters followed by a question mark (?). Do not include a space. This form of help is called word help, because it completes a word.

rfs6000-6DB5D4#service?
service Service Commands
rfs6000-6DB5D4#service

Enter a question mark (?) (in place of a keyword or argument) to list keywords or arguments. Include a space before the “?”. This form of help is called command syntax help. It shows the keywords or arguments available based on the command/keyword and argument already entered.

rfs6000-6DB5D4#service ?
  block-adopter-config-update       Block configuration updates from the
  bluetooth                         Bluetooth service commands
  clear                             Clear adoption history
  cli-tables-skin                   Choose a formatting layout/skin for CLI
                                    tabular outputs (EXPERIMENTAL-Applies only
                                    to certain commands)
  cluster                           Cluster Protocol
  copy                              Copy files or directories
  delete                            Delete sessions
  delete-offline-aps                Delete Access Points that are configured
                                    but offline
  force-send-config                 Resend configuration to the device
  force-update-vm-stats             Force VM statistics to be pushed up to the
                                    NOC
  load-balancing                    Wireless load-balancing service commands
  load-ssh-authorized-keys          Load Ssh authorized keys
  locator                           Enable leds flashing on the device
  mint                              MiNT protocol
  pktcap                            Start packet capture
  pm                                Process Monitor
  radio                             Radio parameters
  radius                            Radius test
  request-full-config-from-adopter  Request full configuration from the
                                    adopter
  set                               Set global options
  show                              Show running system information
  signal                            Send a signal to a process
  smart-rf                          Smart-RF Management Commands
  snmp                              Snmp
  ssm                               Command related to ssm
  start-shell                       Provide shell access
  syslog                            Syslog service
  trace                             Trace a process for system calls and
                                    signals
  troubleshoot                      Troubleshooting
  wireless                          Wireless commands
rfs6000-6DB5D4#

It is possible to abbreviate commands and keywords to allow a unique abbreviation. For example, “configure terminal” can be abbreviated as config t. Since the abbreviated command is unique, the controller accepts the abbreviation and executes the command.

Enter the help command (available in any command mode) to provide the following description:

rfs6000-6DB5D4>help
When using the CLI, help is provided at the command line when typing '?'.
If no help is available, the help content will be empty. Backup until entering a '?' shows the help content.
There are two styles of help provided:
1. Full help. Available when entering a command argument (e.g. 'show ?'). This will
   describe each possible argument.
2. Partial help. Available when an abbreviated argument is entered. This will display which arguments match the input (e.g. 'show ve?').
rfs6000-6DB5D4>

1.3 Using the No Command

Almost every command has a no form. Use no to disable a feature or function or return it to its default. Use the command without the no keyword to re-enable a disabled feature.

1.3.1 Basic Conventions

Keep the following conventions in mind while working within the CLI structure:
• Use “?” at the end of a command to display the sub-modes (keywords) associated with the command. Type the first few characters of the required sub-mode and press the tab key to auto-fill. Continue using “?” until you reach the last sub-mode.
• Pre-defined CLI commands and keywords are case-insensitive: cfg = Cfg = CFG. However (for clarity), CLI commands and keywords are displayed (in this guide) using mixed case. For example, apPolicy, trapHosts, channelInfo.
• Enter commands in uppercase, lowercase, or mixed case. Only passwords are case sensitive.

1.4 Using CLI Editing Features and Shortcuts

A variety of shortcuts and edit features are available. The following sections describe these features:
• Moving the Cursor on the Command Line
• Completing a Partial Command Name
• Command Output Pagination
1.4.1 Moving the Cursor on the Command Line

The following table shows the key combinations or sequences to move the command line cursor. Ctrl defines the control key, which must be pressed simultaneously with its associated letter key. Esc means the escape key (which must be pressed first), followed by its associated letter key. Keys are not case sensitive. Specific letters are used to provide an easy way of remembering their functions.

Table 1.2 Keystrokes Details

Keystrokes | Function Summary | Function Details
Left Arrow or Ctrl-B | Back character | Moves the cursor one character to the left. When entering a command that extends beyond a single line, press the Left Arrow or Ctrl-B keys repeatedly to move back to the system prompt.
Right Arrow or Ctrl-F | Forward character | Moves the cursor one character to the right
Esc-B | Back word | Moves the cursor back one word
Esc-F | Forward word | Moves the cursor forward one word
Ctrl-A | Beginning of line | Moves the cursor to the beginning of the command line
Ctrl-E | End of line | Moves the cursor to the end of the command line
Ctrl-D | | Deletes the current character
Ctrl-U | | Deletes text up to cursor
Ctrl-K | | Deletes from the cursor to end of the line
Ctrl-P | | Obtains the prior command from memory
Ctrl-N | | Obtains the next command from memory
Esc-C | | Converts the letter at the cursor to uppercase
Esc-L | | Converts the letter at the cursor to lowercase
Esc-D | | Deletes the remainder of a word
Ctrl-W | | Deletes the word up to the cursor
Ctrl-Z | | Returns to the root prompt
Ctrl-T | | Transposes the character to the left of the cursor with the character located at the cursor
Ctrl-L | | Clears the screen

1.4.2 Completing a Partial Command Name

If you cannot remember a command name (or if you want to reduce the amount of typing you have to perform), enter the first few letters of a command, then press the Tab key. The command line parser completes the command if the string entered is unique to the command mode. If your keyboard does not have a Tab key, press Ctrl-L.

The CLI recognizes a command once you have entered enough characters to make the command unique. If you enter “conf” within the privileged EXEC mode, the CLI associates the entry with the configure command, since only the configure command begins with conf.

In the following example, the CLI recognizes a unique string in the privileged EXEC mode when the Tab key is pressed:

rfs6000-6DB5D4#conf[TAB]
rfs6000-6DB5D4#configure

When using the command completion feature, the CLI displays the full command name. The command is not executed until the [Return] or [Enter] key is pressed. Modify the command if the full command is not what you intended by the abbreviation. If you enter a set of characters that matches more than one command, the system lists all commands beginning with that set of characters.

Enter a question mark (?) to obtain a list of commands beginning with a particular set of characters. Do not leave a space between the last letter and the question mark (?).

In the following example, all commands available in the current context and starting with the characters ‘co’ are listed:

rfs6000-6DB5D4#co?
  commit     Commit all changes made in this session
  configure  Enter configuration mode
  connect    Open a console connection to a remote device
  copy       Copy from one file to another
rfs6000-6DB5D4#

NOTE: The characters entered before the question mark are reprinted to the screen to complete the command entry.

1.4.3 Command Output Pagination

Output often extends beyond the visible screen length. For cases where output continues beyond the screen, the output is paused and a --More-- prompt displays at the bottom of the screen. To resume the output, press the [Enter] key to scroll down one line or press the Spacebar to display the next full screen of output.

1.5 Using CLI to Create Profiles and Enable Remote Administration

The following sections describe the following essential procedures:
• Creating Profiles
• Changing the default profile by creating vlan 150 and mapping to ge3 Physical interface
• Enabling Remote Administration

1.5.1 Creating Profiles

A profile is a kind of ‘template’ representation of a configuration. The system has:
• a default profile for each of the following devices:
  - RFS4000, RFS6000
• a default profile for each of the following service platforms:
  - NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
• a default profile for each of the following access points:
  - AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

You can modify a default profile. In the following example, an IP address is assigned to the management port on the default RFS6000 profile.

rfs6000-6DB5D4(config)#profile rfs6000 default-rfs6000
rfs6000-6DB5D4(config-profile-default-rfs6000)#interface me1
rfs6000-6DB5D4(config-profile-default-rfs6000-if-me1)#ip address 172.16.10.2/24
rfs6000-6DB5D4(config-profile-default-rfs6000-if-me1)#commit
rfs6000-6DB5D4(config-profile-default-rfs6000)#exit
rfs6000-6DB5D4(config)#

The following command displays a default AP7562 profile configuration:

rfs6000-6DB5D4(config-profile-default-ap7562)#
rfs6000-6DB5D4(config-profile-default-ap7562)#show context
profile ap7562 default-ap7562
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  placement outdoor
 interface radio2
  placement outdoor
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
--More--
rfs6000-6DB5D4(config-profile-default-ap7562)#

1.5.2 Changing the default profile by creating vlan 150 and mapping to ge3 Physical interface

Log on to the controller in config mode and follow the procedure below:

rfs6000-6DB5D4(config-profile-default-rfs6000)#interface vlan 150
rfs6000-6DB5D4(config-profile-default-rfs6000-if-vlan150)#ip address 192.168.150.20/24
rfs6000-6DB5D4(config-profile-default-rfs6000-if-vlan150)#exit
rfs6000-6DB5D4(config-profile-default-rfs6000)#interface ge 3
rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#switchport access vlan 150
rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#commit write
Please Wait .
[OK]
rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#
rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#show interface vlan 150
Interface vlan150 is UP
  Hardware-type: vlan, Mode: Layer 3, Address: 00-15-70-81-74-2D
  Index: 6, Metric: 1, MTU: 1500
  IP-Address: 192.168.150.20/24
    input packets 0, bytes 0, dropped 0, multicast packets 0
    input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
    output packets 2, bytes 140, dropped 0
    output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
    collisions 0
  IPv6 mode is disabled
rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#

1.5.2.1 Viewing Configured APs

To view previously configured APs, enter the following command:

rfs6000-6DB5D4>show wireless ap configured
--------------------------------------------------------------------------------
 IDX     NAME             MAC             PROFILE      RF-DOMAIN    ADOPTED-BY
--------------------------------------------------------------------------------
  1  ap7532-80C2AC  84-24-8D-80-C2-AC  default-ap7532  TechPubs  00-15-70-81-74-2D
  2  ap8132-74B45C  B4-C7-99-74-B4-5C  default-ap81xx  TechPubs  00-15-70-81-74-2D
  3  ap7522-8330A4  84-24-8D-83-30-A4  default-ap7522  default   00-15-70-81-74-2D
  4  ap8132-711728  B4-C7-99-71-17-28  default-ap81xx  TechPubs  00-15-70-81-74-2D
  5  ap8533-9A12DB  74-67-F7-9A-12-DB  default-ap8533  default   un-adopted
  6  ap7562-84A224  84-24-8D-84-A2-24  default-ap7562  TechPubs  00-15-70-81-74-2D
--------------------------------------------------------------------------------
rfs6000-6DB5D4>

1.5.3 Enabling Remote Administration

A terminal server may function in remote administration mode if either the terminal services role is not installed on the machine or the client used to invoke the session has enabled the admin controller.
• A terminal emulation program running on a computer connected to the serial port on the controller. The serial port is located on the front of the controller.
• A Telnet session through a Secure Shell (SSH) over a network. The Telnet session may or may not use SSH depending on how the controller is configured. It is recommended you use SSH for remote administration tasks.

This section is organized into the following sub sections:
• Configuring Telnet for Management Access
• Configuring SSH for Management Access

1.5.3.1 Configuring Telnet for Management Access

To enable Telnet for management access, use the serial console to log in to the device and perform the following:

1. The session, by default, opens in the USER EXEC mode (one of the two access levels of the EXEC mode). Access the PRIV EXEC mode from the USER EXEC mode.

rfs6000-6DB5D4>en
rfs6000-6DB5D4#

2. Access the GLOBAL CONFIG mode from the PRIV EXEC mode.

rfs6000-6DB5D4>en
rfs6000-6DB5D4#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
rfs6000-6DB5D4(config)#

3. Go to ‘default-management-policy’ mode.

rfs6000-6DB5D4(config)#management-policy ?
  MANAGEMENT  Name of the management policy to be configured (will be created
              if it does not exist)
rfs6000-6DB5D4(config)#management-policy default
rfs6000-6DB5D4(config-management-policy-default)#

4. Enter Telnet and the port number at the command prompt. Note, the port number is optional. If you do not specify the port, the system, by default, assigns port 23 for Telnet. Commit your changes. Telnet is enabled.

rfs6000-6DB5D4(config-management-policy-default)#telnet
rfs6000-6DB5D4(config-management-policy-default)#commit write
rfs6000-6DB5D4(config-management-policy-default)#end
rfs6000-6DB5D4#exit

5. Connect to the controller through Telnet using its configured IP address. If logging in for the first time, use the following credentials:

User Name   admin
Password    admin123

At the first-time login instance, you will be prompted to change the password. Set a new password.

6. On subsequent logins, to change the password, access the default management-policy configuration mode and enter the username, new password, role, and access details.

rfs6000-6DB5D4(config-management-policy-default)#user testuser password test@123 role helpdesk access all
rfs6000-6DB5D4(config-management-policy-default)#commit
rfs6000-6DB5D4(config-management-policy-default)#show context
management-policy default
 telnet
 http server
 https server
 no ftp
 ssh
 user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1 role superuser access all
 user testuser password 1 32472f01757293a181738674bdf068ffe0b777ce145524fc669278820ab582c0 role helpdesk access all
 snmp-server community 2 uktRccdr9eLoByF5PCSuFAAAAAeB78WhgTbSKDi96msyUiW+ rw
 snmp-server community 2 Ne+R15zlwEdhybKxfbd6JwAAAAZzvrLGzU/xWXgwFtwF5JdD ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 WUTBNiUi7tL4ZbU2I7Eh/QAAAAiDhBZTln0UIu+y/W6E/0tR
 snmp-server user snmpmanager v3 encrypted des auth md5 2 9Fva4fYV1WL4ZbU2I7Eh/QAAAAjdvbWANBNw+We/xHkH9kLi
 no https use-secure-ciphers-only
rfs6000-6DB5D4(config-management-policy-default)#

7. Log on to the Telnet console and provide the user details configured in the previous step to access the controller.

rfs6000 release 5.9.1.0-015D
rfs6000-6DB5D4 login: testuser
Password:
Welcome to CLI
Starting CLI...
rfs6000-6DB5D4>

1.5.3.2 Configuring SSH for Management Access

By default, SSH is enabled from the factory settings on the controller. The controller requires an IP address and login credentials.

To enable SSH access on a device, log in through the serial console and perform the following:

1. The session, by default, opens in the USER EXEC mode (one of the two access levels of the EXEC mode). Access the PRIV EXEC mode from the USER EXEC mode.

rfs6000-6DB5D4>en
rfs6000-6DB5D4#

2. Access the GLOBAL CONFIG mode from the PRIV EXEC mode.

rfs6000-6DB5D4>en
rfs6000-6DB5D4#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
rfs6000-6DB5D4(config)#

3. Go to ‘default-management-policy’ mode.

rfs6000-6DB5D4(config)#management-policy ?
  MANAGEMENT  Name of the management policy to be configured (will be created
              if it does not exist)
rfs6000-6DB5D4(config)#management-policy default
rfs6000-6DB5D4(config-management-policy-default)#

4. Enter SSH at the command prompt.

rfs6000-6DB5D4(config-management-policy-default)#ssh
rfs6000-6DB5D4(config-management-policy-default)#commit write
rfs6000-6DB5D4(config-management-policy-default)#end
rfs6000-6DB5D4#exit

5. Connect to the controller through SSH using its configured IP address. If logging in for the first time, use the following credentials:

User Name   admin
Password    admin123

At the first-time login instance, you will be prompted to change the password. Set a new password.

6. On subsequent logins, to change the password, access the default management-policy configuration mode and enter the username, new password, role, and access details.

rfs6000-6DB5D4(config-management-policy-default)#user testuser password test@123 role helpdesk access all
rfs6000-6DB5D4(config-management-policy-default)#commit
rfs6000-6DB5D4(config-management-policy-default)#show context
management-policy default
 telnet
 http server
 https server
 no ftp
 ssh
 user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1 role superuser access all
 user testuser password 1 32472f01757293a181738674bdf068ffe0b777ce145524fc669278820ab582c0 role helpdesk access all
 snmp-server community 2 uktRccdr9eLoByF5PCSuFAAAAAeB78WhgTbSKDi96msyUiW+ rw
 snmp-server community 2 Ne+R15zlwEdhybKxfbd6JwAAAAZzvrLGzU/xWXgwFtwF5JdD ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 WUTBNiUi7tL4ZbU2I7Eh/QAAAAiDhBZTln0UIu+y/W6E/0tR
 snmp-server user snmpmanager v3 encrypted des auth md5 2 9Fva4fYV1WL4ZbU2I7Eh/QAAAAjdvbWANBNw+We/xHkH9kLi
 no https use-secure-ciphers-only
rfs6000-6DB5D4(config-management-policy-default)#

7. Log on to the SSH console and provide the user details configured in the previous step to access the controller.

rfs6000 release 5.9.1.0-015D
rfs6000-6DB5D4 login: testuser
Password:
Welcome to CLI
Starting CLI...
rfs6000-6DB5D4>
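
The show context output in the Telnet and SSH procedures above lists every management service the policy leaves enabled. The following Python script is an added example, not part of this guide or of WiNG: it parses such output and reports the settings a reviewer would question (Telnet and plain HTTP enabled, weak HTTPS ciphers allowed, a read-write SNMP community, SNMPv3 users on DES/MD5). The function names, finding labels and proposed fix lines are assumptions of this example, and the sample input is constructed from the guide's output with secrets replaced by placeholders.

```python
"""Audit a WiNG management-policy block copied from 'show context'.
Added example: function names and finding labels are this example's own.
"""
import re

# Constructed sample modelled on the guide's 'show context' output, with
# every hashed or encrypted secret replaced by a placeholder.
SAMPLE = """\
management-policy default
 telnet
 http server
 https server
 no ftp
 ssh
 user admin password 1 <HASH> role superuser access all
 user testuser password 1 <HASH> role helpdesk access all
 snmp-server community 2 <ENC> rw
 snmp-server community 2 <ENC> ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 <ENC>
 snmp-server user snmpmanager v3 encrypted des auth md5 2 <ENC>
 no https use-secure-ciphers-only
"""

SECRET_RE = re.compile(r"\b(password|community|md5) (\d+) \S+")
WEAK_SNMPV3 = {"des", "md5"}

# Candidate fixes built with the guide's "no" convention (section 1.3).
# Assumption: confirm each with "?" on the device before committing.
REMEDIATION = {
    "telnet-enabled": "no telnet",
    "http-enabled": "no http server",
    "https-weak-ciphers-allowed": "https use-secure-ciphers-only",
}

def parse_policies(text):
    """Return {policy name: [statements]}; prompts and other lines are skipped."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("management-policy "):
            current = line.split(None, 1)[1]
            policies[current] = []
        elif line[0].isspace() and current is not None:
            policies[current].append(line.strip())
        else:
            current = None  # CLI prompt or another top-level object
    return policies

def redact(statement):
    """Mask secrets so a finding can be pasted into a ticket."""
    return SECRET_RE.sub(r"\1 \2 <redacted>", statement)

def audit(statements):
    """Return [(label, redacted statement)] for settings worth reviewing."""
    findings = []
    for st in statements:
        words = st.split()
        if words[0] == "telnet":
            label = "telnet-enabled"              # cleartext login
        elif words[:2] == ["http", "server"]:
            label = "http-enabled"                # cleartext web UI
        elif words[0] == "ftp":
            label = "ftp-enabled"                 # cleartext file transfer
        elif st == "no https use-secure-ciphers-only":
            label = "https-weak-ciphers-allowed"
        elif words[:2] == ["snmp-server", "community"] and words[-1] == "rw":
            label = "snmp-community-rw"           # write access via community
        elif words[:2] == ["snmp-server", "user"] and WEAK_SNMPV3 & set(words[3:]):
            label = "snmpv3-weak-crypto"          # DES privacy / MD5 auth
        else:
            continue
        findings.append((label, redact(st)))
    return findings

def has_encrypted_access(statements):
    """True when both SSH and HTTPS remain once cleartext services are removed."""
    return "ssh" in statements and "https server" in statements

def plan(statements):
    """Return proposed CLI lines, or [] if they could cut off management."""
    if not has_encrypted_access(statements):
        return []
    fixes = []
    for label, _ in audit(statements):
        cmd = REMEDIATION.get(label)
        if cmd and cmd not in fixes:
            fixes.append(cmd)
    return fixes

if __name__ == "__main__":
    for name, stmts in parse_policies(SAMPLE).items():
        print(name, audit(stmts), plan(stmts))
```

The SNMP findings have no entry in REMEDIATION because this section of the guide does not show the commands that change them.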

2 USER EXEC MODE COMMANDS

Logging in to the wireless controller places you within the USER EXEC command mode. Typically, a login requires a user name and password. You have three login attempts before the connection attempt is refused. USER EXEC commands (available at the user level) are a subset of the commands available at the privileged level. In general, USER EXEC commands allow you to connect to remote devices, perform basic tests, and list system information.

To list available USER EXEC commands, use ? at the command prompt. The USER EXEC prompt consists of the device host name followed by an angle bracket (>).

<DEVICE>>?
Command commands:
  captive-portal-page-upload  Captive portal internal and advanced page upload
  change-passwd               Change password
  clear                       Clear
  clock                       Configure software system clock
  cluster                     Cluster commands
  commit                      Commit all changes made in this session
  connect                     Open a console connection to a remote device
  create-cluster              Create a cluster
  crypto                      Encryption related commands
  crypto-cmp-cert-update      Update the cmp certs
  database                    Database
  database-backup             Backup database
  database-restore            Restore database
  debug                       Debugging functions
  device-upgrade              Device firmware upgrade
  disable                     Turn off privileged mode command
  enable                      Turn on privileged mode command
  file-sync                   File sync between controller and adoptees
  help                        Description of the interactive help system
  join-cluster                Join the cluster
  l2tpv3                      L2tpv3 protocol
  logging                     Modify message logging facilities
  mint                        MiNT protocol
  no                          Negate a command or set its defaults
  on                          On RF-Domain
  opendns                     OpenDNS configuration
  page                        Toggle paging
  ping                        Send ICMP echo messages
  ping6                       Send ICMPv6 echo messages
  revert                      Revert changes
  service                     Service Commands
  show                        Show running system information
  ssh                         Open an ssh connection
  telnet                      Open a telnet connection
  terminal                    Set terminal line parameters
  time-it                     Check how long a particular command took between
                              request and completion of response
  traceroute                  Trace route to destination
  traceroute6                 Trace route to destination(IPv6)
  virtual-machine             Virtual Machine
  watch                       Repeat the specific CLI command at a periodic
                              interval
  write                       Write running configuration to memory or
                              terminal
  clrscr                      Clears the display screen
  exit                        Exit from the CLI
<DEVICE>>

2.1 User Exec Commands

The following table summarizes the User Exec Mode commands:

Table 2.1 User Exec Mode Commands

Command                     Description  Reference
--------------------------  -----------  ---------
captive-portal-page-upload  Uploads captive portal advanced pages to adopted access points  page 2-4
change-passwd               Changes the password of a logged user  page 2-8
clear                       Resets the last saved command  page 2-9
clock                       Configures the system clock  page 2-20
cluster                     Accesses the cluster context  page 2-21
connect                     Establishes a console connection to a remote device  page 2-22
create-cluster              Creates a new cluster on a specified device  page 2-23
crypto                      Enables encryption and configures encryption related parameters  page 2-24
crypto-cmp-cert-update      Triggers a CMP certificate update on a specified device or devices  page 2-33
database                    Enables automatic repairing (vacuuming) and dropping of databases (Captive-portal and NSight)  page 2-34
database-backup             Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server  page 2-38
database-restore            Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases (backed up to a specified FTP or SFTP server) are restored to the original database.  page 2-40
device-upgrade              Configures device firmware upgrade settings  page 2-41
disable                     Turns off (disables) the privileged mode command set  page 2-49
enable                      Turns on (enables) the privileged mode command set  page 2-50
file-sync                   Configures parameters enabling syncing of PKCS#12 and wireless-bridge certificate between the staging-controller and adopted access points  page 2-51
join-cluster                Adds a device (access point, wireless controller, or service platform) to an existing cluster of devices  page 2-54
l2tpv3                      Establishes or brings down Layer 2 Tunneling Protocol Version 3 (L2TPV3) tunnels  page 2-56
logging                     Modifies message logging facilities  page 2-58
mint                        Configures MiNT protocol  page 2-60
no                          Negates a command or sets its default  page 2-62
on                          Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, and show  page 2-64
opendns                     Connects to the OpenDNS site using OpenDNS registered credentials (username, password) OR OpenDNS API token to fetch the OpenDNS device_id. This command is a part of the process that integrates access points, controllers, and service platforms with OpenDNS.  page 2-65
page                        Toggles a device’s (access point, wireless controller, or service platform) paging function  page 2-67
ping                        Sends ICMP echo messages to a user-specified location  page 2-68
ping6                       Sends ICMPv6 echo messages to a user-specified IPv6 address  page 2-70
ssh                         Opens an SSH connection between two network devices  page 2-71
telnet                      Opens a Telnet session  page 2-72
terminal                    Sets the length and width of the terminal window  page 2-73
time-it                     Verifies the time taken by a particular command between request and response  page 2-74
traceroute                  Traces the route to its defined destination  page 2-75
traceroute6                 Traces the route to a specified IPv6 destination  page 2-76
virtual-machine             Installs, configures, and monitors the status of virtual machines (VMs) installed on a WiNG controller  page 2-77
watch                       Repeats a specific CLI command at a periodic interval  page 2-83

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

NOTE: The input parameter <HOSTNAME>, if used in syntaxes across this chapter, cannot include an underscore (_) character.

2.1.1 captive-portal-page-upload

Uploads captive portal advanced pages to adopted access points. Use this command to provide access points with specific captive portal configurations, so that they can successfully provision login, welcome, and condition pages to clients attempting to access the wireless network using the captive portal.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

captive-portal-page-upload [<CAPTIVE-PORTAL-NAME>|cancel-upload|delete-file|load-file]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all|rf-domain]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all] {from-controller} {(upload-time <TIME>)}
captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]
captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>
captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>

NOTE: Ensure that the captive portal pages uploaded are *.tar files.

Parameters

• captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}

captive-portal-page-upload <CAPTIVE-PORTAL-NAME>
    Uploads advanced pages of the captive-portal identified by the <CAPTIVE-PORTAL-NAME> parameter
    • <CAPTIVE-PORTAL-NAME> – Specify the captive portal’s name (should be existing and configured).
<MAC/HOSTNAME>
    Uploads to a specified AP
    • <MAC/HOSTNAME> – Specify AP’s MAC address or hostname.
all
    Uploads to all APs
upload-time <TIME>
    Optional. Schedules an AP upload time
    • <TIME> – Specify upload time in the MM/DD/YYYY-HH:MM or HH:MM format.
    The scheduled upload time is your local system’s time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device.
    To view a list of uploaded captive portal files, execute the show > captive-portal-page-upload > list-files <CAPTIVE-PORTAL-NAME> command.

• captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all] {from-controller} {(upload-time <TIME>)}

captive-portal-page-upload <CAPTIVE-PORTAL-NAME>
    Uploads advanced pages of the captive portal identified by the <CAPTIVE-PORTAL-NAME> parameter
    • <CAPTIVE-PORTAL-NAME> – Specify captive portal name (should be existing and configured).
rf-domain [<DOMAIN-NAME>|all]
    Uploads to all APs within a specified RF Domain or all RF Domains
    • <DOMAIN-NAME> – Uploads to APs within a specified RF Domain. Specify the RF Domain name.
    • all – Uploads to APs across all RF Domains
from-controller
    Optional. Uploads captive-portal pages to APs via the controller to which the APs are adopted
upload-time <TIME>
    Optional. Schedules an AP upload time
    • <TIME> – Specify upload time in the MM/DD/YYYY-HH:MM or HH:MM format.
    The scheduled upload time is your local system’s time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device.

• captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]

captive-portal-page-upload cancel-upload
    Cancels a scheduled AP upload
cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]
    Select one of the following options:
    • <MAC/HOSTNAME> – Cancels scheduled upload to a specified AP. Specify the AP’s MAC address or hostname.
    • all – Cancels all scheduled AP uploads
    • on rf-domain – Cancels all scheduled uploads to APs within a specified RF Domain or all RF Domains
        • <DOMAIN-NAME> – Cancels scheduled uploads to APs within a specified RF Domain. Specify RF Domain name.
        • all – Cancels scheduled uploads across all RF Domains

• captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>

captive-portal-page-upload delete-file
    Deletes a specified captive portal’s uploaded captive-portal Web page files
<CAPTIVE-PORTAL-NAME> <FILE-NAME>
    Identifies the captive-portal and Web pages to delete
    • <CAPTIVE-PORTAL-NAME> – Specify the captive portal name.
    • <FILE-NAME> – Specify the file name. The specified internal captive portal page is deleted.

• captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>

captive-portal-page-upload load-file
    Loads captive-portal advanced pages
<CAPTIVE-PORTAL-NAME> <URL>
    Specify the captive portal name and location. The captive portal should be existing and configured.
    • <URL> – Specifies location of the captive-portal Web pages. Use one of the following formats to specify the location:
    IPv4 URLs:
        tftp://<hostname|IP>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file
        http://<hostname|IP>[:port]/path/file
        cf:/path/file
        usb<n>:/path/file
    IPv6 URLs:
        tftp://<hostname|[IPv6]>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file
        http://<hostname|[IPv6]>[:port]/path/file
    Note: The captive portal pages are downloaded to the controller from the location specified here. After downloading use the captive-portal-page-upload > <CAPTIVE-PORTAL-NAME> > <DEVICE-OR-DOMAIN-NAME> command to upload these pages to APs.

Example

ap6562-B1A214>captive-portal-page-upload load-file captive_portal_test tftp://89.89.89.17/pages_new_only.tar
ap6562-B1A214>
ap6562-B1A214>show captive-portal-page-upload load-image-status
Download of captive_portal_test advanced page file is complete
ap6562-B1A214>
ap6562-B1A214>captive-portal-page-upload captive_portal_test all
--------------------------------------------------------------------------------
         CONTROLLER             STATUS                   MESSAGE
--------------------------------------------------------------------------------
  FC-0A-81-B1-A2-14         Success         Added 6 APs to upload queue
--------------------------------------------------------------------------------
ap6562-B1A214>
ap6562-B1A214>show captive-portal-page-upload status
Number of APs currently being uploaded : 1
Number of APs waiting in queue to be uploaded : 0
---------------------------------------------------------------------------------------
        AP           STATE     UPLOAD TIME PROGRESS RETRIES LAST UPLOAD ERROR UPLOADED BY
---------------------------------------------------------------------------------------
  ap6562-B1A738   downloading   immediate   100      0       -                 None
---------------------------------------------------------------------------------------
ap6562-B1A214>
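
The load-file <URL> forms listed above differ in what they protect: some carry no credentials, some carry a password inside the typed command, and only one network form is encrypted. The following Python script is an added example, not part of this guide or of WiNG: it parses a candidate <URL> against the listed forms and returns the concerns to weigh before running the command, including the guide's *.tar requirement. The function names and concern labels are assumptions of this example; the transport properties are general protocol facts.

```python
"""Check a 'captive-portal-page-upload load-file' <URL> before it is typed.
Added example: function names and concern labels are this example's own.
"""
import re
from urllib.parse import urlsplit

# scheme -> (encrypted in transit, authenticates the client).
# General protocol properties for the network URL forms the guide lists.
NETWORK_SCHEMES = {
    "tftp": (False, False),
    "ftp": (False, True),
    "http": (False, False),
    "sftp": (True, True),
}
LOCAL_RE = re.compile(r"(cf|usb\d+):(/.*)")   # cf:/path/file, usb<n>:/path/file
PASSWORD_RE = re.compile(r"(://[^:/@]+:)[^/@]*@")


def redact(url):
    """Mask the password part so the URL can be logged or displayed."""
    return PASSWORD_RE.sub(r"\1***@", url)


def check_source(url):
    """Return (info, concerns) for one <URL>; raise ValueError if malformed."""
    concerns = []
    local = LOCAL_RE.fullmatch(url)
    if local:
        # Local media: nothing crosses the network.
        info = {"scheme": local.group(1), "host": None, "port": None,
                "path": local.group(2)}
    else:
        parts = urlsplit(url)
        if parts.scheme not in NETWORK_SCHEMES or not parts.hostname:
            raise ValueError("not a URL form from the guide: " + redact(url))
        encrypted, authenticated = NETWORK_SCHEMES[parts.scheme]
        # parts.port raises ValueError for a non-numeric or out-of-range port.
        info = {"scheme": parts.scheme, "host": parts.hostname,
                "port": parts.port, "path": parts.path}
        if not encrypted:
            concerns.append("cleartext-transport")
        if not authenticated:
            concerns.append("no-authentication")
        if parts.password is not None:
            if not encrypted:
                concerns.append("password-sent-in-cleartext")
            concerns.append("password-on-command-line")
    # The guide requires the uploaded captive portal pages to be *.tar files.
    if not info["path"].lower().endswith(".tar"):
        concerns.append("not-a-tar-file")
    return info, concerns


if __name__ == "__main__":
    # First URL is the guide's own example; the others are constructed.
    for candidate in ("tftp://89.89.89.17/pages_new_only.tar",
                      "ftp://admin:s3cret@[2001:db8::10]:2121/portal/pages.tar",
                      "usb1:/pages.tar"):
        print(redact(candidate), check_source(candidate)[1])
```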

2.1.2 change-passwd

Changes the password of the logged user. When this command is executed without any parameters, the password can be changed interactively.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

change-passwd {<OLD-PASSWORD>} <NEW-PASSWORD>

Parameters

• change-passwd {<OLD-PASSWORD>} <NEW-PASSWORD>

<OLD-PASSWORD>
    Optional. Specify the existing password.
<NEW-PASSWORD>
    Specify the new password.
    Note: The password can also be changed interactively. To do so, press [Enter] after the command.

Usage Guidelines

A password must be from 1 - 64 characters in length.

Example

rfs6000-81742D>change-passwd
Enter old password:
Enter new password:
Password for user 'admin' changed successfully
Please write this password change to memory(write memory) to be persistent.
rfs6000-81742D#write memory
OK
rfs6000-81742D>

2.1.3 clear

Clears parameters, cache entries, table entries, and other similar entries. The clear command is available for specific commands only. The information cleared, using this command, depends on the mode where the clear command is executed.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

clear [arp-cache|bonjour|cdp|counters|crypto|eguest|event-history|gre|ip|ipv6|lacp|lldp|mac-address-table|mint|role|rtls|spanning-tree|traffic-shape|vrrp]
clear arp-cache {on <DEVICE-NAME>}
clear bonjour cache {on <DEVICE-NAME>}
clear [cdp|lldp] neighbors {on <DEVICE-NAME>}
clear counters [ap|radio|wireless-client]
clear counters [ap {<MAC>}|radio {<MAC/DEVICE-NAME>} {<1-X>}|wireless-client {<MAC>}] {(on <DEVICE-OR-DOMAIN-NAME>)}
clear crypto [ike|ipsec] sa
clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}
clear crypto ipsec sa {on <DEVICE-NAME>}
clear eguest registration statistics
clear event-history
clear gre stats {on <DEVICE-NAME>}
clear ip [bgp|dhcp|ospf]
clear ip bgp [<IP>|all|external|process]
clear ip bgp [<IP>|all|external] {in|on|out|soft}
clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}
clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}
clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}
clear ip bgp process {on <DEVICE-NAME>}
clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}
clear ip ospf process {on <DEVICE-NAME>}
clear ipv6 neighbor-cache {on <DEVICE-NAME>}
clear lacp [<1-4> counters|counters]
clear mac-address-table {address|interface|mac-auth-state|vlan} {on <DEVICE-NAME>}
clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}
clear mac-address-table {interface [<IN-NAME>|ge <1-2>|port-channel <1-2>|vmif <1-8>]} {on <DEVICE-NAME>}
clear mac-address-table mac-auth-state address <MAC> vlan <1-4094> {on <DEVICE-NAME>}
clear mint mlcp history {on <DEVICE-NAME>}
clear role ldap-stats {on <DEVICE-NAME>}
clear rtls [aeroscout|ekahau]
clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|on <DEVICE-OR-DOMAIN-NAME>}
clear spanning-tree detected-protocols {interface|on}
clear spanning-tree detected-protocols {on <DEVICE-NAME>}
clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|me1|port-channel <1-X>|pppoe1|up1|vlan <1-4094>|wwan1]} {on <DEVICE-NAME>}
clear traffic-shape statistics class <1-4> {(on <DEVICE-NAME>)}
clear vrrp [error-stats|stats] {on <DEVICE-NAME>}

NOTE: When using the clear command, refer to the interface details provided in interface.

Parameters

• clear arp-cache {on <DEVICE-NAME>}

arp-cache
    Clears Address Resolution Protocol (ARP) cache entries on a device. This protocol matches layer 3 IP addresses to layer 2 MAC addresses.
on <DEVICE-NAME>
    Optional. Clears ARP cache entries on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear bonjour cache {on <DEVICE-NAME>}

bonjour cache
    Clears all Bonjour cached statistics. Once cleared the system has to re-discover available Bonjour services.
on <DEVICE-NAME>
    Optional. Clears all Bonjour cached statistics on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear [cdp|lldp] neighbors {on <DEVICE-NAME>}

cdp
    Clears Cisco Discovery Protocol (CDP) table entries
lldp
    Clears Link Layer Discovery Protocol (LLDP) table entries
neighbors
    Clears CDP or LLDP neighbor table entries based on the option selected in the preceding step
on <DEVICE-NAME>
    Optional. Clears CDP or LLDP neighbor table entries on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear counters [ap {<MAC>}|radio {<MAC/DEVICE-NAME>} {<1-X>}|wireless-client {<MAC>}] {(on <DEVICE-OR-DOMAIN-NAME>)}

counters
    Clears counters based on the parameters passed. The options are: AP, radio, and wireless clients.
ap <MAC>
    Clears counters for all APs or a specified AP
    • <MAC> – Optional. Specify the AP’s MAC address.
    Note: If no MAC address is specified, all AP counters are cleared.
radio <MAC/DEVICE-NAME> <1-X>
    Clears radio interface counters on a specified device or on all devices
    • <MAC/DEVICE-NAME> – Optional. Specify the device’s hostname or MAC address. Optionally, append the radio interface number (to the radio ID) using one of the following formats: AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX (where RX is the interface number).
    • <1-X> – Optional. Identifies the radio interface by its index. Specify the radio interface index, if not specified as part of the radio ID. Note, the number of radio interfaces available varies with the access point type.
    If no device name or MAC address is specified, all radio interface counters are cleared.
wireless-client <MAC>
    Clears counters for all wireless clients or a specified wireless client
    • <MAC> – Optional. Specify the wireless client’s MAC address.
    If no MAC address is specified, all wireless client counters are cleared.
on <DEVICE-OR-DOMAIN-NAME>
    The following option is common to all of the above keywords:
    • on <DEVICE-OR-DOMAIN-NAME> – Optional. Clears AP, radio, or wireless client counters on a specified device or RF Domain
        • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}

crypto
    Clears encryption module’s cached statistics
ike sa [<IP>|all]
    Clears Internet Key Exchange (IKE) security associations (SAs)
    • <IP> – Clears IKE SA entries for the peer identified by the <IP> keyword
    • all – Clears IKE SA entries for all peers
on <DEVICE-NAME>
    Optional. Clears IKE SA entries, for a specified peer or all peers, on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear crypto ipsec sa {on <DEVICE-NAME>}

crypto
    Clears encryption module’s cached statistics
ipsec sa on <DEVICE-NAME>
    Clears Internet Protocol Security (IPSec) database SAs
    • on <DEVICE-NAME> – Optional. Clears IPSec SA entries on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear eguest registration statistics

eguest registration statistics
    Clears EGuest registration server counters. When cleared EGuest registration details are deleted, and the show > eguest > registration > statistics command output is null.
    This command is applicable only on the NX9500, NX9600, and VX9000 model service platforms.

• clear gre stats {on <DEVICE-NAME>}

gre stats
    Clears GRE tunnel statistics
on <DEVICE-NAME>
    Optional. Clears GRE tunnel statistics on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear event-history

event-history
    Clears event history cache entries

• clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}

ip bgp [<IP>|all|external]
    Clears on-going BGP sessions based on the option selected
    • <IP> – Clears BGP session with the peer identified by the <IP> keyword. Specify the BGP peer’s IP address.
    • all – Clears all BGP peer sessions
    • external – Clears external BGP (eBGP) peer sessions
    This command is applicable only to the RFS4000, RFS6000, NX9500, NX9600, and VX9000 platforms.
    Modifications made to BGP settings (BGP access lists, weight, distance, route-maps, versions, routing policy, etc.) take effect only after on-going BGP sessions are cleared. The clear > ip > bgp command clears BGP sessions. To reduce loss of route updates during the process, use the ‘soft’ option. Soft reconfiguration stores inbound/outbound route updates to be processed later and updated to the routing table. This requires high memory usage.
in prefix-filter
    Optional. Clears inbound route updates
    • prefix-filter – Optional. Clears the existing Outbound Route Filtering (ORF) prefix-list
on <DEVICE-NAME>
    Optional. Clears route updates on a specified device
    • <DEVICE-NAME> – Specify the name of the AP or service platform.

• clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}

ip bgp [<IP>|all|external]
    Clears on-going BGP sessions based on the option selected
    • <IP> – Clears BGP session with the peer identified by the <IP> keyword. Specify the BGP peer’s IP address.
    • all – Clears all BGP peer sessions
    • external – Clears eBGP peer sessions
    This command is applicable only to the RFS4000, RFS6000, NX9500, NX9600, and VX9000 platforms.
    Modifications made to BGP settings (BGP access lists, weight, distance, route-maps, versions, routing policy, etc.) take effect only after on-going BGP sessions are cleared. The clear > ip > bgp command clears BGP sessions. To reduce loss of route updates during the process, use the ‘soft’ option. Soft reconfiguration stores inbound/outbound route updates to be processed later and updated to the routing table. This requires high memory usage.
out
    Optional. Clears outbound route updates. Optionally specify the device on which to execute this command.
on <DEVICE-NAME>
    The following keyword is recursive and optional.
    • on <DEVICE-NAME> – Optional. Clears BGP sessions on a specified device
        • <DEVICE-NAME> – Specify the name of the AP or service platform.

• clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}

ip bgp [<IP>|all|external]
    Clears on-going BGP sessions based on the option selected
    • <IP> – Clears the BGP peer session with the peer identified by the <IP> keyword. Specify the BGP peer’s IP address.
    • all – Clears all BGP peer sessions
    • external – Clears eBGP peer sessions
    This command is applicable only to the RFS4000, RFS6000, NX9500, NX9600, and VX9000 platforms.
soft {in|out}
    Optional. Initiates soft-reconfiguration of route updates for the specified IP address
    • in – Optional. Enables soft reconfiguration of inbound route updates
    • out – Optional. Enables soft reconfiguration of outbound route updates
    Modifications made to BGP settings (BGP access lists, weight, distance, route-maps, versions, routing policy, etc.) take effect only after on-going BGP sessions are cleared. The clear > ip > bgp command clears BGP sessions. To reduce loss of route updates during the process, use the ‘soft’ option. Soft reconfiguration stores inbound/outbound route updates to be processed later and updated to the routing table. This requires high memory usage.
on <DEVICE-NAME>
    Optional. Initiates soft reconfiguration inbound/outbound route updates on a specified device
    • <DEVICE-NAME> – Specify the name of the AP or service platform.

• clear ip bgp process {on <DEVICE-NAME>}

ip bgp process
    Clears all BGP processes running
    This command is applicable only to the RFS4000, RFS6000, NX9500, NX9600, and VX9000 platforms.
on <DEVICE-NAME>
    Optional. Clears all BGP processes on a specified device
    • <DEVICE-NAME> – Specify the name of the AP or service platform.

• clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}

ip
    Clears a Dynamic Host Configuration Protocol (DHCP) server’s IP address binding entries
dhcp bindings
    Clears DHCP connections and server bindings
<IP>
    Clears specific address binding entries. Specify the IP address to clear binding entries.
all
    Clears all address binding entries
on <DEVICE-NAME>
    Optional. Clears a specified address binding or all address bindings on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear ip ospf process {on <DEVICE-NAME>}

ip ospf process
    Clears already enabled Open Shortest Path First (OSPF) process and restarts the process
    OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighboring routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.
on <DEVICE-NAME>
    Optional. Clears OSPF process on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear ipv6 neighbor-cache {on <DEVICE-NAME>}

clear ipv6 neighbor-cache
    Clears IPv6 neighbor cache entries
on <DEVICE-NAME>
    Optional. Clears IPv6 neighbor cache entries on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear lacp [<1-4> counters|counters]

clear lacp [<1-4> counters|counters]
    Clears Link Aggregation Control Protocol (LACP) counters for a specified port-channel group or all port-channel groups configured
    • <1-4> counters – Clears LACP counters for a specified port-channel. Specify the port-channel index number from 1 - 4. Note, LACP is supported only on the NX5500, NX7500, and NX9500 model service platforms. However, the NX9500 series service platforms support only two (2) port-channels, and the other model service platforms support four (4) port-channels.
    • counters – Clears LACP counters for all configured port-channels on the device

• clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}

mac-address-table
    Clears MAC address forwarding table data based on the parameters passed
    Use this command to clear the following: all or specified MAC addresses from the system, all MAC addresses on a specified interface, all MAC addresses on a specified VLAN, or the authentication state of a MAC address.
address <MAC>
    Optional. Clears a specified MAC address from the MAC address table.
    • <MAC> – Specify the MAC address in one of the following formats: AA-BB-CC-DD-EE-FF or AA:BB:CC:DD:EE:FF or AABB.CCDD.EEFF
    If executed without specifying any MAC address(es), all MAC addresses from the MAC address table will be removed.
vlan <1-4094>
    Optional. Clears all MAC addresses for a specified VLAN
    • <1-4094> – Specify the VLAN ID from 1 - 4094.
on <DEVICE-NAME>
    Optional. Clears a single MAC entry or all MAC entries, for the specified VLAN on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear mac-address-table {interface [<IF-NAME>|ge <1-X>|port-channel <1-X>]} {on <DEVICE-NAME>}

mac-address-table
    Clears MAC address forwarding table data based on the parameters passed
    Use this command to clear the following: all or specified MAC addresses from the system, all MAC addresses on a specified interface, all MAC addresses on a specified VLAN, or the authentication state of a MAC address.
interface
    Clears all MAC addresses for the selected interface. Use the options available to specify the interface.
<IF-NAME>
    Clears MAC address forwarding table for the specified layer 2 interface (Ethernet port)
    • <IF-NAME> – Specify the layer 2 interface name.
ge <1-X>
    Clears MAC address forwarding table for the specified GigabitEthernet interface
    • <1-X> – Specify the GigabitEthernet interface index from 1 - X.
    The number of GE interfaces supported varies for different device types.
port-channel <1-X>
    Clears MAC address forwarding table for the specified port-channel interface
    • <1-X> – Specify the port-channel interface index from 1 - X.
    The number of port-channel interfaces supported varies for different device types.
on <DEVICE-NAME>
    Optional. Clears the MAC address forwarding table, for the selected interface, on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear mac-address-table mac-auth-state address <MAC> vlan <1-4094> {on <DEVICE-NAME>}

mac-address-table mac-auth-state address <MAC> vlan <1-4094>
    Clears MAC addresses learned from a particular VLAN when WLAN MAC authentication and captive-portal fall back is enabled
    Access points/controllers provide WLAN access to clients whose MAC address has been learned and stored in their MAC address tables. Use this command to clear a specified MAC address on the MAC address table. Once cleared the client has to re-authenticate, and is provided access only on successful authentication.
    • <MAC> – Specify the MAC address to clear.
    • vlan <1-4094> – Specify the VLAN interface from 1 - 4094. In the AP/controller’s MAC address table, the specified MAC address is cleared on the specified VLAN interface.
on <DEVICE-NAME>
    Optional. Clears the specified MAC address on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
    If a device is not specified, the system clears the MAC address on all devices.

• clear mint mlcp history {on <DEVICE-NAME>}

mint
    Clears MiNT related information
mlcp history
    Clears MiNT Link Creation Protocol (MLCP) client history
on <DEVICE-NAME>
    Optional. Clears MLCP client history on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear role ldap-stats {on <DEVICE-NAME>}

role ldap-stats
    Clears Lightweight Directory Access Protocol (LDAP) server statistics
on <DEVICE-NAME>
    Optional. Clears LDAP server statistics on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|on <DEVICE-OR-DOMAIN-NAME>}

rtls
    Clears Real Time Location Service (RTLS) statistics
aeroscout
    Clears RTLS Aeroscout statistics
ekahau
    Clears RTLS Ekahau statistics
<MAC/DEVICE-NAME>
    This keyword is common to the ‘aeroscout’ and ‘ekahau’ parameters.
    • <MAC/DEVICE-NAME> – Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified AP, wireless controller, or service platform. Specify the AP’s MAC address or hostname.
on <DEVICE-OR-DOMAIN-NAME>
    This keyword is common to the ‘aeroscout’, ‘ekahau’, and <MAC/DEVICE-NAME> parameters.
    • on <DEVICE-OR-DOMAIN-NAME> – Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified device
        • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• clear spanning-tree detected-protocols {on <DEVICE-NAME>}

spanning-tree
    Clears spanning tree entries on an interface, and restarts protocol migration
detected-protocols
    Restarts protocol migration
on <DEVICE-NAME>
    Optional. Clears spanning tree entries on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|me1|port-channel <1-X>|pppoe1|up1|vlan <1-4094>|wwan1]} {on <DEVICE-NAME>}

spanning-tree
    Clears spanning tree entries on an interface and restarts protocol migration
detected-protocols
    Restarts protocol migration
interface [<INTERFACE-NAME>|ge <1-X>|me1|port-channel <1-X>|pppoe1|up1|vlan <1-4094>|wwan1]
    Optional. Clears spanning tree entries on different interfaces
    • <INTERFACE-NAME> – Clears detected spanning tree entries on a specified interface. Specify the interface name.
    • ge <1-X> – Clears detected spanning tree entries for the selected GigabitEthernet interface. Select the GigabitEthernet interface index from 1 - X.
    • me1 – Clears FastEthernet interface spanning tree entries
    • port-channel <1-X> – Clears detected spanning tree entries for the selected port channel interface. Select the port channel index from 1 - X.
    The number of port-channel interfaces supported varies for different device types.
    • pppoe1 – Clears detected spanning tree entries for Point-to-Point Protocol over Ethernet (PPPoE) interface
    • up1 – Clears detected spanning tree entries for the WAN Ethernet interface
    • vlan <1-4094> – Clears detected spanning tree entries for the selected VLAN interface. Select a Switch Virtual Interface (SVI) VLAN ID from 1 - 4094.
    • wwan1 – Clears detected spanning tree entries for wireless WAN interface.
on <DEVICE-NAME>
    Optional. Clears spanning tree entries on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear traffic-shape statistics class <1-4> {(on <DEVICE-NAME>)}

traffic-shape statistics
    Clears traffic shaping statistics
class <1-4>
    Clears traffic shaping statistics for a specific traffic class
    • <1-4> – Specify the traffic class from 1 - 4.
    Note: If the traffic class is not specified, the system clears all traffic shaping statistics.
on <DEVICE-NAME>
    Optional. Clears traffic shaping statistics for the specified traffic class on a specified device
    • <DEVICE-NAME> – Specify the name of the access point, wireless controller, or service platform.
    Note: For more information on configuring traffic-shape, see traffic-shape.

• clear vrrp [error-stats|stats] {on <DEVICE-NAME>}

vrrp
    Clears a device’s Virtual Router Redundancy Protocol (VRRP) statistics
    VRRP allows a pool of routers to be advertized as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.
error-stats
    Clears global error statistics
stats
    Clears VRRP related statistics
on <DEVICE-NAME>
    The following keywords are common to the ‘error-stats’ and ‘stats’ parameters:
    • on <DEVICE-NAME> – Optional. Clears VRRP statistics on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs4000-229D58>clear event-history
rfs4000-229D58>clear spanning-tree detected-protocols interface port-channel 1
rfs4000-229D58>clear spanning-tree detected-protocols interface ge 1

rfs4000-229D58>show lldp neighbors
-------------------------
Chassis ID: 00-23-68-88-0D-A7
System Name: rfs4000-880DA7
Platform: RFS-4011-11110-US, Version 5.8.6.0-008B
Capabilities: Bridge WLAN Access Point Router
Enabled Capabilities: Bridge WLAN Access Point Router
Local Interface: ge5, Port ID (outgoing port): ge5
TTL: 176 sec
Management Addresses: 192.168.13.8,192.168.0.1,1.2.3.4
rfs4000-229D58>
rfs4000-229D58>clear lldp neighbors
rfs4000-229D58>show lldp neighbors

rfs4000-229D58>show cdp neighbors
--------------------------------------------------------------------------------
     Device ID           Platform        Local Intrfce    Port ID      Duplex
--------------------------------------------------------------------------------
 rfs4000-880DA7    RFS-4011-11110-US    ge1              ge1        full
 rfs6000-434CAA    RFS6000              ge1              ge1        full
 ap7131-139B34     AP7131N              ge1              ge1        full
--------------------------------------------------------------------------------
rfs4000-229D58>
rfs4000-229D58>clear cdp neighbors
rfs4000-229D58>show cdp neighbors
--------------------------------------------------------------------------------
     Device ID         Platform     Local Intrfce      Port ID        Duplex
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
rfs4000-229D58>

rfs4000-229D58>clear role ldap-stats
rfs4000-229D58>show role ldap-stats
No ROLE LDAP statistics found.
rfs4000-229D58>

rfs4000-229D58>show mac-address-table
--------------------------------------------------------
 BRIDGE VLAN PORT             MAC               STATE
--------------------------------------------------------
 1      1    ge5              00-02-B3-28-D1-55 forward
 1      1    ge5              00-0F-8F-19-BA-4C forward
 1      1    ge5              B4-C7-99-5C-FA-8E forward
 1      1    ge5              00-23-68-0F-43-D8 forward
 1      1    ge5              00-15-70-38-06-49 forward
 1      1    ge5              00-23-68-13-9B-34 forward
 1      1    ge5              B4-C7-99-58-72-58 forward
 1      1    ge5              00-15-70-81-74-2D forward
--------------------------------------------------------
Total number of MACs displayed: 8
rfs4000-229D58>

rfs4000-229D58>clear mac-address-table address 00-02-B3-28-D1-55
rfs4000-229D58>show mac-address-table
--------------------------------------------------------
 BRIDGE VLAN PORT             MAC               STATE
--------------------------------------------------------
1      1    ge5              00-0F-8F-19-BA-4C forward
1      1    ge5              B4-C7-99-5C-FA-8E forward
1      1    ge5              00-23-68-0F-43-D8 forward
1      1    ge5              00-15-70-38-06-49 forward
1      1    ge5              00-23-68-13-9B-34 forward
1      1    ge5              B4-C7-99-58-72-58 forward
1      1    ge5              00-15-70-81-74-2D forward
--------------------------------------------------------
Total number of MACs displayed: 7
rfs4000-229D58>
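
Added example (not from the Extreme Networks guide): a Python check that parses two show mac-address-table captures in the layout shown in the example above and confirms that clear mac-address-table address removed only the intended entry, accepting the target MAC in any of the three notations the guide lists. The sample captures are re-typed from that example; the function and class names are assumptions made for this illustration.

```python
import re
from typing import List, NamedTuple

# Sample captures re-typed from the example output on this page
# (before and after "clear mac-address-table address 00-02-B3-28-D1-55").
BEFORE = """\
--------------------------------------------------------
 BRIDGE VLAN PORT             MAC               STATE
--------------------------------------------------------
 1      1    ge5              00-02-B3-28-D1-55 forward
 1      1    ge5              00-0F-8F-19-BA-4C forward
 1      1    ge5              B4-C7-99-5C-FA-8E forward
 1      1    ge5              00-23-68-0F-43-D8 forward
 1      1    ge5              00-15-70-38-06-49 forward
 1      1    ge5              00-23-68-13-9B-34 forward
 1      1    ge5              B4-C7-99-58-72-58 forward
 1      1    ge5              00-15-70-81-74-2D forward
--------------------------------------------------------
Total number of MACs displayed: 8
"""
AFTER = """\
--------------------------------------------------------
 BRIDGE VLAN PORT             MAC               STATE
--------------------------------------------------------
1      1    ge5              00-0F-8F-19-BA-4C forward
1      1    ge5              B4-C7-99-5C-FA-8E forward
1      1    ge5              00-23-68-0F-43-D8 forward
1      1    ge5              00-15-70-38-06-49 forward
1      1    ge5              00-23-68-13-9B-34 forward
1      1    ge5              B4-C7-99-58-72-58 forward
1      1    ge5              00-15-70-81-74-2D forward
--------------------------------------------------------
Total number of MACs displayed: 7
"""


class Entry(NamedTuple):
    bridge: int
    vlan: int
    port: str
    mac: str
    state: str


# The three MAC notations the guide lists for "clear mac-address-table address".
_MAC_FORMS = (
    re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}"),
    re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}"),
    re.compile(r"[0-9A-Fa-f]{4}(\.[0-9A-Fa-f]{4}){2}"),
)
_ROW = re.compile(r"\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*")
_TOTAL = re.compile(r"Total number of MACs displayed:\s*(\d+)")


def normalize_mac(text: str) -> str:
    """Return AA-BB-CC-DD-EE-FF for any accepted notation, else ValueError."""
    if not any(form.fullmatch(text) for form in _MAC_FORMS):
        raise ValueError(f"not a recognised MAC notation: {text!r}")
    digits = re.sub(r"[-:.]", "", text).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(output: str) -> List[Entry]:
    """Parse one capture; reject it if the row count and the total disagree."""
    entries, total = [], None
    for line in output.splitlines():
        row = _ROW.fullmatch(line)
        if row:
            bridge, vlan, port, mac, state = row.groups()
            entries.append(Entry(int(bridge), int(vlan), port, normalize_mac(mac), state))
            continue
        found = _TOTAL.search(line)
        if found:
            total = int(found.group(1))
    if total is None or total != len(entries):
        raise ValueError(f"incomplete capture: {len(entries)} rows, total line says {total}")
    return entries


def verify_clear(before: str, after: str, target_mac: str) -> dict:
    """Compare two captures around a clear of target_mac."""
    target = normalize_mac(target_mac)
    old, new = set(parse_mac_table(before)), set(parse_mac_table(after))
    removed = old - new
    return {
        # the target left the table and did not reappear in the second capture
        "target_removed": any(e.mac == target for e in removed)
        and all(e.mac != target for e in new),
        "collateral": sorted(e for e in removed if e.mac != target),
        "new_entries": sorted(new - old),
    }


if __name__ == "__main__":
    print(verify_clear(BEFORE, AFTER, "0002.B328.D155"))
```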

2.1.4 clock

Sets a device’s system clock. By default all WiNG devices are shipped with the time zone and time format set to UTC and 24-hour clock respectively. If a device’s clock is set without resetting the time zone, the time is displayed relative to the Universal Time Coordinated (UTC) – Greenwich Time. To display time in the local time zone format, in the device’s configuration mode, use the timezone command. You can also reset the time zone at the RF Domain level. When configured as RF Domain setting, it applies to all devices within the domain. Configuring the local time zone prior to setting the clock is recommended. For more information on configuring RF Domain time zone, see timezone.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}

Parameters

• clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}

clock set
    Sets a device’s software system clock
<HH:MM:SS>
    Sets the current time (in military format hours, minutes, and seconds)
    Note: By default, the WiNG software displays time in the 24-hour clock format. This setting cannot be changed.
<1-31>
    Sets the numerical day of the month
<MONTH>
    Sets the month of the year (Jan to Dec)
<1993-2035>
    Sets a valid four digit year from 1993 - 2035
on <DEVICE-NAME>
    Optional. Sets the clock on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
The following commands set the time zone and clock for the logged device:
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#timezone America/Los_Angeles
nx9500-6C8809>clock set 11:24:30 21 Jan 2017
nx9500-6C8809>show clock
2017-01-21 12:14:14 PDT
nx9500-6C8809>

Note, if the clock is set without resetting the time zone, the time displays as UTC time, as shown in the following example:
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#no timezone
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#commit
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show clock
2017-01-21 19:15:55 UTC
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

2.1.5 cluster

Initiates cluster context. The cluster context provides centralized management to configure all cluster members from any one member.

Commands executed under this context are executed on all members of the cluster.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cluster start-election

Parameters

• cluster start-election

start-election
    Starts a new cluster master election

Example
nx9500-6C8809>cluster start-election
nx9500-6C8809>

Related Commands
create-cluster
    Creates a new cluster on the specified device
join-cluster
    Adds a wireless controller or service platform, as a member, to an existing cluster of controllers

2.1.6 connect

Begins a console connection to a remote device using the remote device’s MiNT ID or name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]

Parameters

• connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]

mint-id <MINT-ID>
    Connects to the remote system using its MiNT ID
    • <MINT-ID> – Specify the remote device’s MiNT ID.
<REMOTE-DEVICE-NAME>
    Connects to the remote system using its name
    • <REMOTE-DEVICE-NAME> – Specify the remote device’s name.

Example
rfs6000-81742D>show mint lsp-db
9 LSPs in LSP-db of 19.6D.B5.D4:
LSP 19.6C.88.09 at level 1, hostname nx9500-6C8809", 8 adjacencies, seqnum 1294555
LSP 19.6D.B5.D4 at level 1, hostname "rfs6000-81742D", 8 adjacencies, seqnum 1915724
LSP 19.74.B4.5C at level 1, hostname "ap8132-74B45C", 8 adjacencies, seqnum 1468229
LSP 4D.80.C2.AC at level 1, hostname "ap7532-80C2AC", 8 adjacencies, seqnum 649244
LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 8 adjacencies, seqnum 202821
LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 8 adjacencies, seqnum 380340
LSP 68.88.0D.A7 at level 1, hostname "rfs4000-880DA7", 8 adjacencies, seqnum 1494523
LSP 68.99.BB.7C at level 1, hostname "ap7131-99BB7C", 8 adjacencies, seqnum 831532
rfs6000-81742D>
rfs6000-81742D>connect mint-id 19.6C.88.09
Entering character mode
Escape character is '^]'.
NX9500 release 5.9.1.0-012D
nx9500-6C8809 login:

2.1.7 create-cluster

Creates a new device cluster with the specified name and assigns it an IP address and routing level

A cluster (or redundancy group) is a set of controllers or service platforms (nodes) uniquely defined by a profile configuration. Within the cluster, members discover and establish connections to other members and provide wireless network self-healing support in the event of a member's failure.

A cluster's load is typically distributed evenly amongst its members. An administrator needs to define how often the profile is load balanced for radio distribution, as radios can come and go and members join and exit the cluster.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

Parameters

• create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

create-cluster
    Creates a cluster
name <CLUSTER-NAME>
    Configures the cluster name
    • <CLUSTER-NAME> – Specify a cluster name. Define a cluster name unique to its configuration or profile support requirements. The name cannot exceed 64 characters.
ip <IP>
    Specifies the device’s IP address used for cluster creation
    • <IP> – Specify the device’s IP address in the A.B.C.D format.
level [1|2]
    Optional. Configures the cluster’s routing level
    • 1 – Configures level 1 (local) routing
    • 2 – Configures level 2 (inter-site) routing

Example
rfs6000-81742D>create-cluster name TechPubs ip 192.168.13.23 level 1
... creating cluster
... committing the changes
... saving the changes
Please Wait .
[OK]
rfs6000-81742D>
rfs6000-81742D>show context session-config include-factory | include cluster name TechPubs
 cluster name TechPubs
rfs6000-81742D>

Related Commands
cluster
    Initiates cluster context. The cluster context provides centralized management to configure all cluster members from any one member.
join-cluster
    Adds a device, as a member, to an existing cluster of devices

2.1.8 crypto

Enables digital certificate configuration and RSA Keypair management. Digital certificates are issued by CAs and contain user or device specific information, such as name, public key, IP address, serial number, company name, etc. Use this command to generate, delete, export, or import encrypted RSA Keypairs and generate Certificate Signing Request (CSR).

This command also enables trustpoint configuration. Trustpoints contain the CA’s identity and configuration parameters.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
crypto [key|pki]
crypto key [export|generate|import|zeroize]
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|on|passphrase}
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|on|passphrase}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}
crypto pki [authenticate|export|generate|import|zeroize]
crypto pki authenticate <TRUSTPOINT-NAME> <LOCATION-URL> {background} {(on <DEVICE-NAME>)}
crypto pki export [request|trustpoint]
crypto pki export request [generate-rsa-key|short|use-rsa-key] <RSA-KEYPAIR-NAME> [autogen-subject-name|subject-name]
crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> [autogen-subject-name|subject-name]
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>, fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki import [certificate|crl|trustpoint]
crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background} {(on <DEVICE-NAME>)}
crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}

Parameters

• crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

key
    Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key.
export rsa <RSA-KEYPAIR-NAME>
    Exports an existing RSA Keypair to a specified destination
    • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
<EXPORT-TO-URL>
    Specify the RSA Keypair destination address. Both IPv4 and IPv6 address formats are supported.
    After specifying the destination address (where the RSA Keypair is exported), configure one of the following parameters: background or passphrase.
background
    Optional. Performs export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on.
passphrase <KEY-PASSPHRASE> background
    Optional. Encrypts RSA Keypair before exporting
    • <KEY-PASSPHRASE> – Specify a passphrase to encrypt the RSA Keypair.
    • background – Optional. Performs export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on.
on <DEVICE-NAME>
    The following parameter is recursive and common to all of the above parameters:
    • on <DEVICE-NAME> – Optional. Performs export operation on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}

key
    Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key.
generate rsa <RSA-KEYPAIR-NAME> [2048|4096]
  Generates a new RSA Keypair
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
  • [2048|4096] – Sets the size of the RSA key in bits. The options are 2048 bits and 4096 bits. The default size is 2048 bits.
  After specifying the key size, optionally specify the device (access point or controller) to generate the key on.
on <DEVICE-NAME>
  Optional. Generates the new RSA Keypair on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

key
  Enables RSA Keypair management. Use this command to export, import, generate, or delete an RSA key.
import rsa <RSA-KEYPAIR-NAME>
  Imports an RSA Keypair from a specified source
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
<IMPORT-FROM-URL>
  Specify the RSA Keypair source address. Both IPv4 and IPv6 address formats are supported.
  After specifying the source address (where the RSA Keypair is imported from), configure one of the following parameters: background or passphrase.
background
  Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
passphrase <KEY-PASSPHRASE> background
  Optional. Decrypts the RSA Keypair after importing
  • <KEY-PASSPHRASE> – Specify the passphrase to decrypt the RSA Keypair.
  • background – Optional. Performs import operation in the background. After specifying the passphrase, optionally specify the device (access point, controller, or service platform) to perform the import on.
on <DEVICE-NAME>
  The following parameter is recursive and common to the ‘background’ and ‘passphrase’ keywords:
  • on <DEVICE-NAME> – Optional. Performs import operation on a specific device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}

key
  Enables RSA Keypair management. Use this command to export, import, generate, or delete an RSA key.
zeroize rsa <RSA-KEYPAIR-NAME>
  Deletes a specified RSA Keypair
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
  Note: All device certificates associated with this key will also be deleted.
force
  Optional. Forces deletion of all certificates associated with the specified RSA Keypair. Optionally specify a device on which to force certificate deletion.
on <DEVICE-NAME>
  The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Deletes all certificates associated with the RSA Keypair on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki authenticate <TRUSTPOINT-NAME> <URL> {background} {(on <DEVICE-NAME>)}

pki
  Enables Public Key Infrastructure (PKI) management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated Certificate Authority (CA) certificates.
authenticate <TRUSTPOINT-NAME>
  Authenticates a trustpoint and imports the corresponding CA certificate
  • <TRUSTPOINT-NAME> – Specify the trustpoint name.
<URL>
  Specify CA’s location. Both IPv4 and IPv6 address formats are supported.
  Note: The CA certificate is imported from the specified location.
background
  Optional. Performs authentication in the background. If selecting this option, you can optionally specify the device (access point, controller, or service platform) to perform the authentication on.
on <DEVICE-NAME>
  The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Performs authentication on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)

pki
  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export request
  Exports CSR to the CA for digital identity certificate. The CSR contains applicant’s details and RSA Keypair’s public key.
[generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
  Generates a new RSA Keypair or uses an existing RSA Keypair
  • generate-rsa-key – Generates a new RSA Keypair for digital authentication
  • use-rsa-key – Uses an existing RSA Keypair for digital authentication
  • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
autogen-subject-name
  Auto generates subject name from configuration parameters. The subject name identifies the certificate.
<EXPORT-TO-URL>
  Specify the CA’s location. Both IPv4 and IPv6 address formats are supported.
  Note: The CSR is exported to the specified location.
email <SEND-TO-EMAIL>
  Exports CSR to a specified e-mail address
  • <SEND-TO-EMAIL> – Specify the CA’s e-mail address.
fqdn <FQDN>
  Exports CSR to a specified Fully Qualified Domain Name (FQDN)
  • <FQDN> – Specify the CA’s FQDN.
ip-address <IP>
  Exports CSR to a specified device or system
  • <IP> – Specify the CA’s IP address.

• crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)

pki
  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export request
  Exports CSR to the CA for a digital identity certificate. The CSR contains applicant’s details and RSA Keypair’s public key.
[generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME>
  Generates a new RSA Keypair or uses an existing RSA Keypair
  • generate-rsa-key – Generates a new RSA Keypair for digital authentication
  • short [generate-rsa-key|use-rsa-key] – Generates and exports a shorter version of the CSR
    • generate-rsa-key – Generates a new RSA Keypair for digital authentication. If generating a new RSA Keypair, specify a name for it.
    • use-rsa-key – Uses an existing RSA Keypair for digital authentication. If using an existing RSA Keypair, specify its name.
  • use-rsa-key – Uses an existing RSA Keypair for digital authentication
  • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
subject-name <COMMON-NAME>
  Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate
  • <COMMON-NAME> – Specify the common name used with the CA certificate. The name should enable you to identify the certificate easily (2 to 64 characters in length).
<COUNTRY>
  Sets the deployment country code (2 character ISO code)
<STATE>
  Sets the state name (2 to 64 characters in length)
<CITY>
  Sets the city name (2 to 64 characters in length)
<ORGANIZATION>
  Sets the organization name (2 to 64 characters in length)
<ORGANIZATION-UNIT>
  Sets the organization unit (2 to 64 characters in length)
<EXPORT-TO-URL>
  Specify the CA’s location. Both IPv4 and IPv6 address formats are supported.
  The CSR is exported to the specified location.
email <SEND-TO-EMAIL>
  Exports CSR to a specified e-mail address
  • <SEND-TO-EMAIL> – Specify the CA’s e-mail address.
fqdn <FQDN>
  Exports CSR to a specified FQDN
  • <FQDN> – Specify the CA’s FQDN.
ip-address <IP>
  Exports CSR to a specified device or system
  • <IP> – Specify the CA’s IP address.

• crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

pki
  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export trustpoint <TRUSTPOINT-NAME>
  Exports a trustpoint along with CA certificate, Certificate Revocation List (CRL), server certificate, and private key
  • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
<EXPORT-TO-URL>
  Specify the destination address. Both IPv4 and IPv6 address formats are supported.
  The trustpoint is exported to the address specified here.
background
  Optional. Performs export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on.
passphrase <KEY-PASSPHRASE> background
  Optional. Encrypts the key with a passphrase before exporting
  • <KEY-PASSPHRASE> – Specify the passphrase to encrypt the trustpoint.
  • background – Optional. Performs export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on.
on <DEVICE-NAME>
  The following parameter is recursive and common to the ‘background’ and ‘passphrase’ keywords:
  • on <DEVICE-NAME> – Optional. Performs export operation on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}

pki
  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates.
generate
  Generates a certificate and a trustpoint
self-signed <TRUSTPOINT-NAME>
  Generates a self-signed certificate and a trustpoint
  • <TRUSTPOINT-NAME> – Specify a name for the certificate and its trustpoint.
[generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
  Generates a new RSA Keypair, or uses an existing RSA Keypair
  • generate-rsa-key – Generates a new RSA Keypair for digital authentication
  • use-rsa-key – Uses an existing RSA Keypair for digital authentication
  • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
autogen-subject-name
  Auto generates the subject name from the configuration parameters. The subject name helps to identify the certificate.
email <SEND-TO-EMAIL>
  Optional. Exports the self-signed certificate to a specified e-mail address
  • <SEND-TO-EMAIL> – Specify the e-mail address.
fqdn <FQDN>
  Optional. Exports the self-signed certificate to a specified FQDN
  • <FQDN> – Specify the FQDN.
ip-address <IP>
  Optional. Exports the self-signed certificate to a specified device or system
  • <IP> – Specify the device’s IP address.
on <DEVICE-NAME>
  Optional. Exports the self-signed certificate on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}

pki
  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates.
generate self-signed <TRUSTPOINT-NAME>
  Generates a self-signed certificate and a trustpoint
  • <TRUSTPOINT-NAME> – Specify a name for the certificate and its trustpoint.
[generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
  Generates a new RSA Keypair, or uses an existing RSA Keypair
  • generate-rsa-key – Generates a new RSA Keypair for digital authentication
  • use-rsa-key – Uses an existing RSA Keypair for digital authentication
  • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
subject-name <COMMON-NAME>
  Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate
  • <COMMON-NAME> – Specify the common name used with this certificate. The name should enable you to identify the certificate easily and should be 2 to 64 characters in length.
<COUNTRY>
  Sets the deployment country code (2 character ISO code)
<STATE>
  Sets the state name (2 to 64 characters in length)
<CITY>
  Sets the city name (2 to 64 characters in length)
<ORGANIZATION>
  Sets the organization name (2 to 64 characters in length)
<ORGANIZATION-UNIT>
  Sets the organization unit (2 to 64 characters in length)
email <SEND-TO-EMAIL>
  Optional. Exports the self-signed certificate to a specified e-mail address
  • <SEND-TO-EMAIL> – Specify the e-mail address.
fqdn <FQDN>
  Optional. Exports the self-signed certificate to a specified FQDN
  • <FQDN> – Specify the FQDN.
ip-address <IP>
  Optional. Exports the self-signed certificate to a specified device or system
  • <IP> – Specify the device’s IP address.

• crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background} {(on <DEVICE-NAME>)}

pki
  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
import
  Imports certificates, Certificate Revocation List (CRL), or a trustpoint to the selected device
[certificate|crl] <TRUSTPOINT-NAME>
  Imports a signed server certificate or CRL
  • certificate – Imports signed server certificate
  • crl – Imports CRL
  • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
<IMPORT-FROM-URL>
  Specify the signed server certificate or CRL source address. Both IPv4 and IPv6 address formats are supported.
  The server certificate or the CRL (based on the parameter passed in the preceding step) is imported from the location specified here.
background
  Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
on <DEVICE-NAME>
  The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Performs import operation on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

pki
  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
import
  Imports certificates, CRL, or a trustpoint to the selected device
trustpoint <TRUSTPOINT-NAME>
  Imports a trustpoint and its associated CA certificate, server certificate, and private key
  • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
<IMPORT-FROM-URL>
  Specify the trustpoint source address. Both IPv4 and IPv6 address formats are supported.
background
  Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
passphrase <KEY-PASSPHRASE> background
  Optional. Decrypts trustpoint with a passphrase after importing
  • <KEY-PASSPHRASE> – Specify the passphrase. After specifying the passphrase, optionally specify the device to perform import on.
  • background – Optional. Performs import operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the import on.
on <DEVICE-NAME>
  The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Performs import operation on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}

pki
  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
zeroize trustpoint <TRUSTPOINT-NAME>
  Deletes a trustpoint and its associated CA certificate, server certificate, and private key
  • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
del-key
  Optional. Deletes the private key associated with the server certificate. Optionally specify the device to perform deletion on.
on <DEVICE-NAME>
  The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Deletes the trustpoint on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Usage Guidelines

The system supports both IPv4 and IPv6 address formats. Provide source and destination locations using any one of the following options:

• IPv4 URLs:
  tftp://<hostname|IP>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
  sftp://<user>@<hostname|IP>[:port]/path/file
  http://<hostname|IP>[:port]/path/file
  cf:/path/file
  usb<n>:/path/file
• IPv6 URLs:
  tftp://<hostname|[IPv6]>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
  sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
  http://<hostname|[IPv6]>[:port]/path/file

Example

rfs6000-81742D>crypto key generate rsa key 1025
RSA Keypair successfully generated
rfs6000-81742D>

rfs6000-81742D>crypto key import rsa test123 url passphrase word background
RSA key import operation is started in background
rfs6000-81742D>

rfs6000-81742DE>crypto pki generate self-signed word generate-rsa-key word autogen-subject-name fqdn word
Successfully generated self-signed certificate
rfs6000-81742D>

rfs6000-81742D>crypto pki zeroize trustpoint word del-key
Successfully removed the trustpoint and associated certificates
%Warning: Applications associated with the trustpoint will start using default-trustpoint
rfs6000-81742D>

rfs6000-81742D>crypto pki authenticate word url background
Import of CA certificate started in background
rfs6000-81742D>

rfs6000-81742D>crypto pki import trustpoint word url passphrase word
Import operation started in background
rfs6000-81742D>

Related Commands

no
  Removes server certificates, trustpoints and their associated certificates

2.1.9 crypto-cmp-cert-update

Triggers a Certificate Management Protocol (CMP) certificate update on a specified device or devices

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}

Parameters

• crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}

crypto-cmp-cert-update <TRUSTPOINT-NAME> on <DEVICE-NAME>
  Triggers a CMP certificate update on a specified device or devices
  • <TRUSTPOINT-NAME> – Specify the target trustpoint name. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate. Use the crypto-cmp-policy context mode to configure the trustpoint.
  • on <DEVICE-NAME> – Optional. Initiates a CMP certificate update and response on a specified device or devices. Specify the name of the AP, wireless controller, or service platform. Multiple devices can be provided as a comma separated list.
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example

rfs4000-229D58>crypto-cmp-cert-update test on B4-C7-99-71-17-28
CMP Cert update success
rfs4000-229D58>

2.1.10 database

Enables automatic repairing (vacuuming) and dropping of captive-portal and NSight databases

If enforcing authenticated access to the database, use this command to generate the keyfile. Every keyfile has a set of associated users having a username and password. Access to the database is allowed only if the user credentials entered during database login are valid. For more information on enabling database authentication, see Enabling Database Authentication.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

database [drop|keyfile|repair]
database drop [all|captive-portal|nsight]
database repair {on <DEVICE-NAME>}
database keyfile [export|generate|import|zeroize]
database keyfile generate
database keyfile [export|import] <URL>
database keyfile zeroize

Parameters

• database drop [all|captive-portal|nsight]
• database repair {on <DEVICE-NAME>}

database drop [all|captive-portal|nsight]
  Drops (deletes) all or a specified database. Execute the command on the database.
  • all – Drops all databases, captive portal and NSight
  • captive-portal – Drops the captive-portal database
  • nsight – Drops the NSight database
database repair on <DEVICE-NAME>
  Enables automatic repairing of all databases. Repairing (vacuuming) a database refers to the process of finding and reclaiming space left over from previous DELETE statements. Execute the command on the database host.
  • on <DEVICE-NAME> – Optional. Specifies the name of the database host. When specified, databases on the specified host are periodically checked to identify and remove obsolete data documents.
    • <DEVICE-NAME> – Specify the name of the access point, wireless controller, or service platform.
  Note: If no device is specified, the system repairs all databases.

• database keyfile generate
• database keyfile [export|import] <URL>
• database keyfile zeroize

database keyfile [generate|zeroize]
  Enables database keyfile management. This command is part of a set of configurations required to enforce database authentication. Use this command to generate database keyfiles. After generating the keyfile, create the username and password combination required to access the database. For information on creating database users, see service. For information on enabling database authentication, see Enabling Database Authentication.
  • generate – Generates the keyfile. In case of a replica-set deployment, execute the command on the primary database host. Once generated, export the keyfile to a specified location from where it is imported on to the replica-set hosts.
database keyfile [export|import] <URL>
  Enables database keyfile management. This command is part of a set of configurations required to enforce database authentication. Use this command to exchange keyfiles between replica set members.
  • export – Exports the keyfile to a specified location on an FTP/SFTP/TFTP server. Execute the command on the database host on which the keyfile has been generated.
  • import – Imports the keyfile from a specified location. Execute the command on the replica set members.
  The following parameter is common to both of the above keywords:
  • <URL> – Specify the location to/from where the keyfile is to be exported/imported. Use one of the following options to specify the keyfile location:
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    tftp://<hostname|IP>[:port]/path/file
database keyfile zeroize
  Enables database keyfile management. Use this command to delete keyfiles.
  • zeroize – Deletes an existing keyfile.

Example

nx9500-6C8809>database repair on nx9500-6C8809
nx9500-6C8809>

nx9500-6C8809>database keyfile generate
Database keyfile successfully generated
nx9500-6C8809>

nx9500-6C8809>database keyfile zeroize
Database keyfile successfully removed
nx9500-6C8809>

vx9000-1A1809>database keyfile generate
Database keyfile successfully generated
vx9000-1A1809>

vx9000-1A1809>database keyfile export ftp://1.1.1.111/db-key
Database keyfile successfully exported
vx9000-1A1809>

vx9000-D031F2>database keyfile import ftp://1.1.1.111/db-key
Database keyfile successfully imported
vx9000-D031F2>

Example: Enabling Database Authentication

Follow the steps below to enable database authentication.

1 On the primary database host,
  a Generate the database keyfile.
    Primary-DB-HOST>database keyfile generate
    Database keyfile successfully generated
    Primary-DB-HOST>
  b Use the show > database > keyfile command to view the generated keyfile.
  c Export the keyfile to an external location. This is required only in case of database replica-set deployment.
    Primary-DB-HOST>database keyfile export ftp://1.1.1.111/db-key
    Database keyfile successfully exported
    Primary-DB-HOST>
  d Create the users that are allowed access to the database.
    Primary-DB-HOST#service database authentication create-user username techpubs password techPubs@123
    Database user [techpubs] created.
    Primary-DB-HOST#
  e View the database user account created.
    Primary-DB-HOST#show database users
    --------------------------------
             DATABASE USER
    --------------------------------
     techpubs
    --------------------------------
    Primary-DB-HOST#
2 On the replica set host, import the keyfile from the location specified in Step 1 c.
    Secondary-DB-HOST#database keyfile import ftp://1.1.1.111/db-key
3 In the database-policy context (used on the NSight/EGuest database hosts),
  a Enable authentication.
    Primary-DB-HOST(config-database-policy-techpubs)#authentication
  b Configure the user accounts created in Step 1 d.
    Primary-DB-HOST(config-database-policy-techpubs)#authentication username techpubs password S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr
    Primary-DB-HOST(config-database-policy-techpubs)#show context
    database-policy techpubs
     authentication
     authentication username techpubs password 2 S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr
     replica-set member nx7500-A02B91 arbiter
     replica-set member vx9000-1A1809 priority 1
     replica-set member vx9000-D031F2 priority 20
    Primary-DB-HOST(config-database-policy-techpubs)#
4 In the database-client policy context (used on the NSight/EGuest server host),
  Note: This configuration is required only if the NSight/EGuest server and database are hosted on separate hosts.
  a Configure the user credentials created in Step 1 d.
    NOC-Controller(config-database-client-policy-techpubs)#authentication username techpubs password S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr
  b View the configuration.
    NOC-Controller(config-database-client-policy-techpubs)#show context
    database-client-policy techpubs
     authentication username techpubs password 2 S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr
    NOC-Controller(config-database-client-policy-techpubs)#

Related Commands

database-backup
  Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server
database-restore
  Restores a previously exported database [captive-portal and/or NSight]
database-policy
  Documents database-policy configuration commands. Use this option to enable the database.
database-client-policy
  Documents database-client-policy configuration commands. Use this option to configure the database host details (IP address or hostname). If enforcing database authentication, use it to configure the users having database access. Once configured, use the policy in the NSight/EGuest server’s device config context.
service
  Documents the database user account configuration details

2.1.11 database-backup

Backs up captive-portal and/or NSight database to a specified location and file on an FTP, SFTP, or TFTP server. Execute this command on the database host.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

database-backup database [captive-portal|nsight|nsight-placement-info] <URL>
database-backup database [captive-portal|nsight] <URL>
database-backup database nsight-placement-info <URL>

Parameters

• database-backup database [captive-portal|nsight] <URL>

database-backup database [captive-portal|nsight]
  Backs up captive portal and/or NSight database to a specified location. Select the database to backup:
  • captive-portal – Backs up captive portal database
  • nsight – Backs up NSight database
  After specifying the database type, configure the destination location.
<URL>
  Configures the destination location. The database is backed up at the specified location. Specify the location URL in one of the following formats:
  ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
  sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz

• database-backup database nsight-placement-info <URL>

database-backup database nsight-placement-info <URL>
  Backs up the NSight access point placement related details to a specified location
  • <URL> – Specify the URL in one of the following formats:
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
    sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
    tftp://<hostname|IP>[:port]/path/file.tar.gz

Example

NS-DB-nx9510-6C87EF>database-backup database nsight tftp://192.168.9.50/testbckup
NS-DB-nx9510-6C87EF>show database backup-status
Last Database Backup Status : In_Progress(Starting tftp transfer.)
Last Database Backup Time   : 2017-04-17 12:48:05
NS-DB-nx9510-6C87EF>show database backup-status
Last Database Backup Status : Successful
Last Database Backup Time   : Mon Apr 17 12:48:08 IST 2017
NS-DB-nx9510-6C87EF>Apr 17 12:48:17 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-OPERATION_COMPLETE: backup for database nsight successful
NS-DB-nx9510-6C87EF#

NS-DB-nx9510-6C87EF>database-backup database nsight-placement-info tftp://192.168.9.50/plmentinfo
NS-DB-nx9510-6C87EF>show database backup-status
Last Database Backup Status : Successful
Last Database Backup Time   : Mon Apr 17 12:48:48 IST 2017
NS-DB-nx9510-6C87EF>Apr 17 12:49:03 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-OPERATION_COMPLETE: backup for database nsight-placement-info successful
NS-DB-nx9510-6C87EF>

Related Commands

database
  Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and/or NSight)
database-restore
  Restores a previously exported (backed up) database (captive-portal and/or NSight)

2.1.12 database-restore

Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases (backed up to a specified FTP or SFTP server) are restored from the backed-up location to the original database.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

database-restore database [captive-portal|nsight] <URL>

Parameters

• database-restore database [captive-portal|nsight] <URL>

database-restore database [captive-portal|nsight]
  Restores previously exported (backed up) captive-portal and/or NSight database. Specify the database type:
  • captive-portal – Restores captive portal database
  • nsight – Restores NSight database
  After specifying the database type, configure the destination location and file name from where the files are restored.
<URL>
  Configures the destination location. The database is restored from the specified location. Specify the location URL in one of the following formats:
  ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
  sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
  tftp://<hostname|IP>[:port]/path/file.tar.gz

Example

nx9500-6C8809>database-restore database nsight ftp://anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz

Related Commands

database
  Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight)
database-backup
  Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server
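
The following is an added example, not part of the guide or of Extreme Networks' software: a Python audit of recorded command lines against the URL formats and key-export commands documented for crypto, database keyfile, and database-backup/database-restore. It flags key material sent over unencrypted transports (tftp, ftp, http), passwords typed into transfer URLs, and RSA sizes outside the documented 2048|4096 options; the finding codes, the ap-lab hostname and the 192.0.2.10 address are constructed for illustration.

```python
"""Audit WiNG CLI command lines for risky key handling (added example)."""
import re
from urllib.parse import urlsplit

# URL schemes from the guide's format lists. tftp, ftp and http are
# unencrypted transports; sftp runs over SSH.
CLEARTEXT = {"tftp", "ftp", "http"}
URL_RE = re.compile(r"^(tftp|ftp|sftp|http)://", re.IGNORECASE)

# Command prefixes from the guide whose payload is secret key material.
KEY_EXPORTS = {
    ("crypto", "key", "export", "rsa"): "RSA keypair",
    ("crypto", "pki", "export", "trustpoint"): "trustpoint with private key",
    ("database", "keyfile", "export"): "database keyfile",
}
RSA_BITS = {"2048", "4096"}  # the documented [2048|4096] options

# Three command lines copied from the guide's examples, then two constructed
# lines (hostname ap-lab, documentation-range address, placeholder passphrase).
SAMPLE_SESSION = [
    "rfs6000-81742D>crypto key generate rsa key 1025",
    "Primary-DB-HOST>database keyfile export ftp://1.1.1.111/db-key",
    "nx9500-6C8809>database-restore database nsight "
    "ftp://anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz",
    "ap-lab>crypto pki export trustpoint tp1 tftp://192.0.2.10/tp1 "
    "passphrase EXAMPLE-ONLY background",
    "ap-lab>crypto key export rsa key1 sftp://backup@192.0.2.10/keys/key1 "
    "passphrase EXAMPLE-ONLY background",
]


def strip_prompt(line):
    """Remove a leading 'host>' or 'host(context)#' prompt if one is present."""
    match = re.match(r"^[\w().-]+[>#]\s*(.*)$", line.strip())
    return match.group(1) if match else line.strip()


def audit_command(line):
    """Return a list of (code, message) findings for one command line."""
    tokens = strip_prompt(line).split()
    words = tuple(t.lower() for t in tokens)
    findings = []

    # Key size that is not one of the documented options.
    if words[:4] == ("crypto", "key", "generate", "rsa") and len(tokens) > 5:
        bits = tokens[5]
        if bits.isdigit() and bits not in RSA_BITS:
            findings.append(("RSA_KEY_SIZE", f"key size {bits} is not 2048 or 4096"))

    # Does this command export secret key material, and is it passphrase-encrypted?
    exported = next((what for prefix, what in KEY_EXPORTS.items()
                     if words[:len(prefix)] == prefix), None)
    has_passphrase = "passphrase" in words

    for token in tokens:
        if not URL_RE.match(token):
            continue
        try:
            url = urlsplit(token)
        except ValueError:  # e.g. unbalanced IPv6 brackets
            findings.append(("URL_UNPARSEABLE", "could not parse transfer URL"))
            continue
        scheme = url.scheme.lower()
        if url.password is not None:
            findings.append(("URL_PASSWORD", f"{scheme} password typed on the command line"))
        if scheme in CLEARTEXT and exported:
            if has_passphrase:
                findings.append(("CLEARTEXT_TRANSPORT",
                                 f"{exported} sent over {scheme}; only the passphrase protects it"))
            else:
                findings.append(("CLEARTEXT_KEY_EXPORT",
                                 f"{exported} sent over {scheme} with no passphrase encryption"))
    return findings


def audit_session(lines):
    """Map each command that has findings to its list of finding codes."""
    report = {}
    for line in lines:
        codes = [code for code, _ in audit_command(line)]
        if codes:
            report[strip_prompt(line)] = codes
    return report


if __name__ == "__main__":
    for command, codes in audit_session(SAMPLE_SESSION).items():
        print(", ".join(codes), "<-", command)
```

Because database keyfile export takes no passphrase option in the documented syntax, the audit reports every ftp or tftp keyfile export as CLEARTEXT_KEY_EXPORT; of the transports the guide lists for that command, only sftp is encrypted.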

2.1.13 device-upgrade

Enables firmware upgrade on an adopted device or a set of adopted devices (access points, wireless controllers, and service platforms). In a hierarchically managed (HM) network, this command enables centralized device upgrades across the network. The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC controller constitutes the first tier and the site controllers constitute the second tier of the hierarchy. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy.

Use the device-upgrade command to schedule firmware upgrades across adopted devices within the network. Devices are upgraded based on their device names, MAC addresses, or RF Domain.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

NOTE: Hierarchical management allows the NOC controller to upgrade controllers and access points that are directly or indirectly adopted to it. However, ensure that the NOC controller is loaded with the correct firmware version.

NOTE: If the persist-images option is selected, the RF Domain manager retains the old firmware image, or else deletes it. For more information on enabling device upgrade on profiles and devices (including the ‘persist-images’ option), see device-upgrade.

NOTE: A NOC controller’s capacity is equal to, or higher than that of a site controller. The following devices can be deployed at NOC and sites:
• NOC controller – NX95XX (NX9500 and NX9510), NX9600, VX9000
• Site controller – RFS4000, RFS6000, NX5500, or NX95XX

NOTE: Standalone devices have to be manually upgraded.

Syntax
device-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|cancel-upgrade|load-image|rf-domain]
device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}}
device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|on rf-domain [<RF-DOMAIN-NAME>|all]]
device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-DOMAIN-NAME>}
device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-controller|no-reboot|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}

Parameters
• device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}}
• device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

<MAC/HOSTNAME> – Upgrades firmware on the device identified by the <MAC/HOSTNAME> keyword
• <MAC/HOSTNAME> – Specify the device’s MAC address or hostname.
no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade
• <TIME> – Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>} – Optional. Schedules an automatic device firmware upgrade on a specified day and time
• <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:
  • no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
  • reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
all – Upgrades firmware on all devices
force – Optional. Select this option to force upgrade on the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade
• <TIME> – Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>} – Optional. Schedules an automatic device firmware upgrade on all devices on a specified day and time
• <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:
  • no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
  • reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
staggered-reboot – Optional. This keyword is recursive and common to all of the above. Enables staggered device reboot (one at a time) without network impact

• device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

device-upgrade <DEVICE-TYPE> all – Upgrades firmware on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000.
After selecting the device type, schedule an automatic upgrade and/or an automatic reboot.
force – Optional. Select this option to force upgrade on the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade
• <TIME> – Optional. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>} – Optional. Schedules an automatic firmware upgrade on all devices, of the specified type, on a specified day and time
• <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:
  • no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
  • reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
staggered-reboot – Optional. This keyword is recursive and common to all of the above. Enables staggered device reboot (one at a time) without network impact

• device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|on rf-domain [<RF-DOMAIN-NAME>|all]]
• device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-DOMAIN-NAME>}

cancel-upgrade – Cancels a scheduled firmware upgrade based on the parameters passed. This command provides the following options to cancel scheduled firmware upgrades:
• Cancels upgrade on specific device(s). The devices are identified by their MAC addresses or hostnames.
• Cancels upgrade on all devices within the network
• Cancels upgrade on all devices of a specific type. Specify the device type.
• Cancels upgrade on specific device(s) or all device(s) within a specific RF Domain or all RF Domains. Specify the RF Domain name.
cancel-upgrade [<MAC/HOSTNAME>|all] – Cancels a scheduled firmware upgrade on a specified device or on all devices
• <MAC/HOSTNAME> – Cancels a scheduled upgrade on the device identified by the <MAC/HOSTNAME> keyword. Specify the device’s MAC address or hostname.
• all – Cancels scheduled upgrade on all devices
cancel-upgrade <DEVICE-TYPE> all – Cancels scheduled firmware upgrade on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000.
cancel-upgrade on rf-domain [<RF-DOMAIN-NAME>|all] – Cancels scheduled firmware upgrade on all devices in a specified RF Domain or all RF Domains
• <RF-DOMAIN-NAME> – Cancels scheduled device upgrade on all devices in a specified RF Domain. Specify the RF Domain name.
• all – Cancels scheduled device upgrade on all devices across all RF Domains
load-image <DEVICE-TYPE> – Loads device firmware image from a specified location. Use this command to specify the device type and the location of the corresponding image file.
• <DEVICE-TYPE> – Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000.
After specifying the device type, provide the location of the required device firmware image.
<IMAGE-URL> – Specify the device’s firmware image location in one of the following formats:
IPv4 URLs:
tftp://<hostname|IP>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
http://<hostname|IP>[:port]/path/file
cf:/path/file
usb<n>:/path/file
IPv6 URLs:
tftp://<hostname|[IPv6]>[:port]/path/file
ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
http://<hostname|[IPv6]>[:port]/path/file
on <DEVICE-OR-DOMAIN-NAME> – Specify the name of the device or RF Domain. The image of the specified device type is loaded from the device specified here. In case of an RF Domain, the image available on the RF Domain manager is loaded.
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-controller|no-reboot|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}

rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>] – Upgrades firmware on devices in a specified RF Domain or all RF Domains. Devices within an RF Domain are upgraded through the RF Domain manager.
• <RF-DOMAIN-NAME> – Upgrades devices in the RF Domain identified by the <RF-DOMAIN-NAME> keyword.
  • <RF-DOMAIN-NAME> – Specify the RF Domain name.
• all – Upgrades devices across all RF Domains
• containing <WORD> – Filters RF Domains by their names. RF Domains with names containing the sub-string identified by the <WORD> keyword are filtered. Devices on the filtered RF Domains are upgraded.
• filter location <WORD> – Filters devices by their location. All devices with location matching the <WORD> keyword are upgraded.
<DEVICE-TYPE> – After specifying the RF Domain, select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000.
After specifying the RF Domain and the device type, configure any one of the following actions: force devices to upgrade, or initiate an upgrade through the adopting controller.
<MAC/HOSTNAME> – Optional. Use this option to identify specific devices for upgrade. Specify the device’s MAC address or hostname. The device should be within the specified RF Domain and of the specified device type. After identifying the devices to upgrade, configure any one of the following actions: force devices to upgrade, or initiate an upgrade through the adopting controller.
Note: If no MAC address or hostname is specified, all devices of the type selected are upgraded.
force – Optional. Select this option to force upgrade for the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
from-controller – Optional. Upgrades a device through the adopting controller. If initiating an upgrade through the adopting controller, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
no-reboot {staggered-reboot} – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
reboot-time <TIME> {staggered-reboot} – Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
staggered-reboot – Optional. This keyword is common to all of the above. Enables staggered reboot (one at a time) without network impact
upgrade-time <TIME> {no-reboot|reboot-time <TIME>} – Optional. Schedules an automatic firmware upgrade
• <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format.
After a scheduled upgrade, the following actions can be performed.
  • no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
  • reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.

Example
nx9500-6C8809>show adoption status
--------------------------------------------------------------------------------------------------------
DEVICE-NAME       VERSION         CFG-STAT       MSGS   ADOPTED-BY     LAST-ADOPTION     UPTIME
--------------------------------------------------------------------------------------------------------
rfs6000-81742D 5.9.1.0-012D    configured       No   nx9500-6C8809 2 days 12:23:52    13 days 22:32:38
t5-ED7C6C         5.4.2.0-010R    configured       No   nx9500-6C8809 13 days 22:47:46    16 days 22:33:25
--------------------------------------------------------------------------------------------------------
Total number of devices displayed: 2
nx9500-6C8809>

nx9500-6C8809>show device-upgrade versions
--------------------------------------------------------------------------------
          CONTROLLER               DEVICE-TYPE                VERSION
--------------------------------------------------------------------------------
  nx9500-6C8809               ap621                   5.9.0.0-014D
  nx9500-6C8809               ap622                   5.9.1.0-012D
  nx9500-6C8809               ap650                   5.9.1.0-012D
  nx9500-6C8809               ap6511                  none
  nx9500-6C8809               ap6521                  5.9.0.0-014D
  nx9500-6C8809               ap6522                  5.9.1.0-012D
  nx9500-6C8809               ap6532                  5.9.1.0-012D
  nx9500-6C8809               ap6562                  5.9.1.0-012D
  nx9500-6C8809               ap71xx                  5.9.1.0-012D
  nx9500-6C8809               ap7502                  5.9.1.0-012D
  nx9500-6C8809               ap7522                  5.9.1.0-012D
  nx9500-6C8809               ap7532                  5.9.1.0-012D
  nx9500-6C8809               ap7562                  5.9.1.0-012D
  nx9500-6C8809               ap7602                  5.9.1.0-012D
  nx9500-6C8809               ap7612                  5.9.1.0-012D
  nx9500-6C8809               ap7622                  5.9.1.0-012D
  nx9500-6C8809               ap7632                  5.9.1.0-012D
  nx9500-6C8809               ap7662                  5.9.1.0-012D
  nx9500-6C8809               ap81xx                  5.9.1.0-012D
  nx9500-6C8809               ap82xx                  5.9.1.0-012D
  nx9500-6C8809               ap8432                  5.9.1.0-012D
  nx9500-6C8809               ap8533                  5.9.1.0-012D
  nx9500-6C8809               nx45xx                  none
  nx9500-6C8809               nx5500                  none
  nx9500-6C8809               nx65xx                  none
  nx9500-6C8809               nx75xx                  none
  nx9500-6C8809               nx9000                  none
  nx9500-6C8809               rfs4000                 5.9.1.0-012D
  nx9500-6C8809               rfs6000                 5.9.1.0-012D
  nx9500-6C8809               rfs7000                 5.9.0.0-010D
  nx9500-6C8809               vx9000                  none
--------------------------------------------------------------------------------
nx9500-6C8809>

nx9500-6C8809#device-upgrade load-image rfs6000 ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W591/RFS6000-LEAN-5.9.1.0-015D.img
--------------------------------------------------------------------------------
      CONTROLLER          STATUS                      MESSAGE
--------------------------------------------------------------------------------
  nx9500-6C8809        Success        Successfully initiated load image
--------------------------------------------------------------------------------
nx9500-6C8809#

nx9500-6C8809#show device-upgrade load-image-status
Download of rfs6000 firmware file is complete
nx9500-6C8809#

nx9500-6C8809>show device-upgrade versions
--------------------------------------------------------------------------------
          CONTROLLER               DEVICE-TYPE                VERSION
--------------------------------------------------------------------------------
  nx9500-6C8809               ap621                   5.9.0.0-014D
  nx9500-6C8809               ap622                   5.9.1.0-012D
  nx9500-6C8809               ap650                   5.9.1.0-012D
  nx9500-6C8809               ap6511                  none
  nx9500-6C8809               ap6521                  5.9.0.0-014D
  nx9500-6C8809               ap6522                  5.9.1.0-012D
  nx9500-6C8809               ap6532                  5.9.1.0-012D
  nx9500-6C8809               ap6562                  5.9.1.0-012D
  nx9500-6C8809               ap71xx                  5.9.1.0-012D
  nx9500-6C8809               ap7502                  5.9.1.0-012D
  nx9500-6C8809               ap7522                  5.9.1.0-012D
  nx9500-6C8809               ap7532                  5.9.1.0-012D
  nx9500-6C8809               ap7562                  5.9.1.0-012D
  nx9500-6C8809               ap7602                  5.9.1.0-012D
  nx9500-6C8809               ap7612                  5.9.1.0-012D
  nx9500-6C8809               ap7622                  5.9.1.0-012D
  nx9500-6C8809               ap7632                  5.9.1.0-012D
  nx9500-6C8809               ap7662                  5.9.1.0-012D
  nx9500-6C8809               ap81xx                  5.9.1.0-012D
  nx9500-6C8809               ap82xx                  5.9.1.0-012D
  nx9500-6C8809               ap8432                  5.9.1.0-012D
  nx9500-6C8809               ap8533                  5.9.1.0-012D
  nx9500-6C8809               nx45xx                  none
  nx9500-6C8809               nx5500                  none
  nx9500-6C8809               nx65xx                  none
  nx9500-6C8809               nx75xx                  none
  nx9500-6C8809               nx9000                  none
  nx9500-6C8809               rfs4000                 5.9.1.0-012D
  nx9500-6C8809               rfs6000                 5.9.1.0-015D
  nx9500-6C8809               rfs7000                 5.9.0.0-010D
  nx9500-6C8809               vx9000                  none
--------------------------------------------------------------------------------
nx9500-6C8809>

nx9500-6C8809>device-upgrade rfs6000-81742D
--------------------------------------------------------------------------------
         CONTROLLER             STATUS                   MESSAGE
--------------------------------------------------------------------------------
  B4-C7-99-6C-88-09         Success         Queued 1 devices to upgrade
--------------------------------------------------------------------------------
nx9500-6C8809>

nx9500-6C8809>show device-upgrade status
Number of devices currently being upgraded : 1
Number of devices waiting in queue to be upgraded : 0
Number of devices currently being rebooted : 0
Number of devices waiting in queue to be rebooted : 0
Number of devices failed upgrade : 0
--------------------------------------------------------------------------------------------------------------
      DEVICE          STATE     UPGRADE TIME REBOOT TIME PROGRESS RETRIES LAST UPDATE ERROR    UPGRADED BY
--------------------------------------------------------------------------------------------------------------
  rfs6000-81742D downloading   immediate    immediate   17       0       -                 nx9500-6C8809
--------------------------------------------------------------------------------------------------------------
nx9500-6C8809>

nx9500-6C8809>show adoption status
---------------------------------------------------------------------------------------------------------------
DEVICE-NAME       VERSION         CFG-STAT         MSGS ADOPTED-BY        LAST-ADOPTION                  UPTIME
---------------------------------------------------------------------------------------------------------------
rfs6000-81742D 5.9.1.0-015D    version-mismatch No   nx9500-6C8809 0 days 00:00:42     0 days 00:03:33
t5-ED7C6C         5.4.2.0-010R    configured       No   nx9500-6C8809 13 days 23:09:38    16 days 22:55:17
----------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 2
nx9500-6C8809>
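
The comparison the example above makes by eye (running firmware against the image held on the controller) can be scripted for patch-compliance checks. The following is an added example, not part of the WiNG guide. It assumes the device type can be read from the default `<model>-<MAC suffix>` hostname and that builds are ordered by their numeric fields only; the `ap7161-AABBCC` row is constructed to exercise the `ap71xx` wildcard.

```python
import re

VERSION = r"\d+(?:\.\d+){3}-\d+[A-Z]"
ADOPTION_ROW = re.compile(rf"^(\S+)\s+({VERSION})\s+(\S+)")
IMAGE_ROW = re.compile(rf"^\s*\S+\s+(\S+)\s+(none|{VERSION})\s*$")

# Rows copied from the 'show adoption status' output on this page.
ADOPTION_STATUS = """\
DEVICE-NAME       VERSION         CFG-STAT       MSGS   ADOPTED-BY     LAST-ADOPTION     UPTIME
rfs6000-81742D 5.9.1.0-012D    configured       No   nx9500-6C8809 2 days 12:23:52    13 days 22:32:38
t5-ED7C6C         5.4.2.0-010R    configured       No   nx9500-6C8809 13 days 22:47:46    16 days 22:33:25
Total number of devices displayed: 2
"""
# Constructed row (not from the page): an AP7161 that must match type 'ap71xx'.
ADOPTION_STATUS += (
    "ap7161-AABBCC 5.9.1.0-012D    configured       No   nx9500-6C8809 "
    "1 days 00:00:00    1 days 00:10:00\n"
)

# Rows copied from 'show device-upgrade versions' after load-image (table trimmed).
UPGRADE_VERSIONS = """\
          CONTROLLER               DEVICE-TYPE                VERSION
  nx9500-6C8809               ap71xx                  5.9.1.0-012D
  nx9500-6C8809               nx5500                  none
  nx9500-6C8809               rfs6000                 5.9.1.0-015D
  nx9500-6C8809               vx9000                  none
"""


def version_key(version):
    """'5.9.1.0-012D' -> (5, 9, 1, 0, 12); the trailing letter is ignored (assumption)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_adoption(text):
    """Yield (device_name, running_version, cfg_stat) for each device row."""
    for line in text.splitlines():
        match = ADOPTION_ROW.match(line.strip())
        if match:
            yield match.groups()


def parse_images(text):
    """Map device type -> image version held on the controller; 'none' rows are skipped."""
    images = {}
    for line in text.splitlines():
        match = IMAGE_ROW.match(line)
        if match and match.group(2) != "none":
            images[match.group(1)] = match.group(2)
    return images


def image_for(hostname, images):
    """Find the controller image for a device, treating trailing x's as digit wildcards."""
    model = hostname.split("-", 1)[0].lower()
    for dev_type, version in images.items():
        stem = dev_type.rstrip("x")  # 'ap71xx' -> 'ap71'; 'vx9000' is unchanged
        pattern = re.escape(stem) + r"\d" * (len(dev_type) - len(stem))
        if re.fullmatch(pattern, model):
            return version
    return None


def firmware_gaps(adoption_text, versions_text):
    """Return (device, running, available, status) for every adopted device."""
    images = parse_images(versions_text)
    report = []
    for name, running, _cfg_stat in parse_adoption(adoption_text):
        available = image_for(name, images)
        if available is None:
            status = "no-image"   # controller holds no image for this type
        elif version_key(running) < version_key(available):
            status = "behind"     # candidate for device-upgrade
        elif version_key(running) > version_key(available):
            status = "ahead"
        else:
            status = "current"
        report.append((name, running, available, status))
    return report


if __name__ == "__main__":
    for row in firmware_gaps(ADOPTION_STATUS, UPGRADE_VERSIONS):
        print(row)
```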

2.1.14 disable

This command can be executed in the Priv Exec Mode only. When executed, the command turns off (disables) the privileged mode command set and returns to the User Executable Mode. The prompt changes from rfs6000-81742D# to rfs6000-81742D>.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
disable

Parameters
None

Example
rfs6000-81742D#disable
rfs6000-81742D>

2.1.15 enable

Turns on (enables) the privileged mode command set. The prompt changes from rfs6000-81742D> to rfs6000-81742D#. This command does not do anything in the Privilege Executable mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
enable

Parameters
None

Example
rfs6000-81742D>enable
rfs6000-81742D#

2.1.16 file-sync

Syncs trustpoint and/or EAP-TLS X.509 (PKCS#12) certificate between the staging-controller and adopted access points. When enabling file syncing, consider the following points:
• The X.509 certificate needs synchronization only if the access point is configured to use EAP-TLS authentication.
• Execute the command on the controller adopting the access points.
• Ensure that the X.509 certificate file is installed on the controller.

Syncing of trustpoint/wireless-bridge certificate can be automated. To automate file syncing, in the controller’s device/profile configuration mode, execute the following command: file-sync [auto|count <1-20>]. For more information, see file-sync.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
file-sync [cancel|load-file|trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]
file-sync load-file [trustpoint|wireless-bridge]
file-sync load-file [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] <URL>
file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}

Parameters
• file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]

file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]] – Cancels scheduled file synchronization
• trustpoint – Cancels scheduled trustpoint synchronization on a specified AP, all APs, or APs within a specified RF Domain
• wireless-bridge – Cancels scheduled wireless-bridge certificate synchronization on a specified AP, all APs, or APs within a specified RF Domain
  • <DEVICE-NAME> – Cancels scheduled trustpoint/certificate synchronization on a specified AP. Specify the AP’s hostname or MAC address.
  • all – Cancels scheduled trustpoint/certificate synchronization on all APs
  • rf-domain [<DOMAIN-NAME>|all] – Cancels scheduled trustpoint/certificate synchronization on all APs in a specified RF Domain or in all RF Domains
    • <DOMAIN-NAME> – Cancels scheduled trustpoint/certificate synchronization on all APs within a specified RF Domain. Specify the RF Domain’s name.
    • all – Cancels scheduled trustpoint/certificate synchronization on all RF Domains

• file-sync load-file [trustpoint|wireless-bridge] <URL>

file-sync load-file [trustpoint|wireless-bridge] <URL> – Loads the following files on to the staging controller:
• trustpoint – Loads the trustpoint, including CA certificate, server certificate and private key
• wireless-bridge – Loads the wireless-bridge certificate to the staging controller
Use this command to load the certificate to the controller before scheduling or initiating a certificate synchronization.
  • <URL> – Provide the trustpoint/certificate location using one of the following formats:
tftp://<hostname|IP>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
http://<hostname|IP>[:port]/path/file
cf:/path/file
usb<n>:/path/file
Note: Both IPv4 and IPv6 address types are supported.

• file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}

file-sync trustpoint <TRUSTPOINT-NAME> [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all] from-controller] – Configures file-syncing parameters
• trustpoint <TRUSTPOINT-NAME> – Syncs a specified trustpoint between controller and its adopted APs
  • <TRUSTPOINT-NAME> – Specify the trustpoint name.
• wireless-bridge – Syncs wireless-bridge certificate between controller and its adopted APs
After specifying the file that is to be synced, configure the following file-sync parameters:
  • <DEVICE-NAME> – Syncs trustpoint/certificate with a specified AP. Specify the AP’s hostname or MAC address.
  • all – Syncs trustpoint/certificate with all APs
  • rf-domain [<DOMAIN-NAME>|all] – Syncs trustpoint/certificate with all APs in a specified RF Domain or in all RF Domains
    • <DOMAIN-NAME> – Select to sync with APs within a specified RF Domain. Specify the RF Domain’s name.
    • all – Select to sync with APs across all RF Domains
      • from-controller – Optional. Loads certificate to the APs from the adopting controller and not the RF Domain manager
After specifying the access points, specify the following options: reset-radio and upload-time.
reset-radio – Optional. This keyword is recursive and applicable to all of the above parameters. Resets the radio after file synchronization. Reset the radio when the certificate is renewed but the ‘bridge EAP username’ and ‘bridge EAP password’ are unchanged.
upload-time <TIME> – This keyword is recursive and applicable to all of the above parameters.
• upload-time – Optional. Schedules certificate upload at a specified time
  • <TIME> – Specify the time in the MM/DD/YYYY-HH:MM or HH:MM format. If no time is configured, the process is initiated as soon as the command is executed.

Example
rfs6000-81742D>file-sync wireless-bridge ap7131-11E6C4 upload-time 06/01/2017-12:30
--------------------------------------------------------------------------------
          CONTROLLER               STATUS                  MESSAGE
--------------------------------------------------------------------------------
  B4-C7-99-6D-CD-4B           Success           Queued 1 APs to upload
--------------------------------------------------------------------------------
rfs6000-81742D>

The following command uploads certificate to all access points:
rfs6000-81742D>file-sync wireless-bridge all upload-time 06/01/2017-23:42
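
The `<URL>` and `<IMAGE-URL>` arguments of database-backup, database-restore, device-upgrade load-image and file-sync load-file accept tftp, ftp and http, which carry the file (a firmware image, a database archive, or a trustpoint with its private key) without transport encryption, and the ftp/sftp forms place the password in the command line itself. The following added example, not part of the WiNG guide, audits captured CLI lines for both conditions and redacts the password before the line is stored; the first three session lines are copied from this page, the sftp and usb lines are constructed.

```python
import re
from urllib.parse import urlsplit

CLEARTEXT = {"tftp", "ftp", "http"}          # schemes listed on this page with no transport encryption
ENCRYPTED = {"sftp"}                         # listed on this page; runs over SSH
LOCAL_MEDIA = re.compile(r"^(cf|usb\d+):/")  # cf:/path/file, usb<n>:/path/file
PROMPT = re.compile(r"^\S+?[>#]\s*")         # "nx9500-6C8809>" or "nx9500-6C8809#"
URL_COMMANDS = ("database-backup", "database-restore",
                "device-upgrade load-image", "file-sync load-file")

SESSION = """\
NS-DB-nx9510-6C87EF>database-backup database nsight-placement-info tftp://192.168.9.50/plmentinfo
nx9500-6C8809>database-restore database nsight ftp://anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz
nx9500-6C8809#device-upgrade load-image rfs6000 ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W591/RFS6000-LEAN-5.9.1.0-015D.img
rfs6000-81742D>file-sync load-file wireless-bridge sftp://certops:Pw0rd@[2001:db8::10]:22/certs/bridge.p12
rfs6000-81742D>file-sync load-file wireless-bridge usb1:/certs/bridge.p12
nx9500-6C8809>show device-upgrade versions
"""  # lines 4 and 5 are constructed samples


def audit_command(line):
    """Return a finding for a command that carries a transfer URL, else None."""
    cmd = PROMPT.sub("", line.strip(), count=1)
    if not cmd.startswith(URL_COMMANDS):
        return None
    for token in cmd.split():
        if LOCAL_MEDIA.match(token):
            # Local media: nothing crosses the network, nothing to redact.
            return {"scheme": token.split(":", 1)[0], "issues": [], "redacted": cmd}
        if "://" not in token:
            continue
        parts = urlsplit(token)
        scheme = parts.scheme.lower()
        issues = []
        if scheme in CLEARTEXT:
            issues.append("cleartext-transport")
        elif scheme not in ENCRYPTED:
            issues.append("unlisted-scheme")
        redacted = cmd
        if parts.password is not None:
            issues.append("password-in-command-line")
            userinfo, _, hostport = parts.netloc.rpartition("@")
            user = userinfo.partition(":")[0]
            redacted = cmd.replace(parts.netloc, f"{user}:<redacted>@{hostport}", 1)
        return {"scheme": scheme, "issues": issues, "redacted": redacted}
    return None  # e.g. "device-upgrade load-image rfs6000 on <DEVICE-OR-DOMAIN-NAME>"


def audit_session(text):
    """Return only the findings that carry at least one issue."""
    findings = (audit_command(line) for line in text.splitlines())
    return [f for f in findings if f and f["issues"]]


if __name__ == "__main__":
    for finding in audit_session(SESSION):
        print(", ".join(finding["issues"]), "|", finding["redacted"])
```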

2.1.17 join-cluster

Adds a device (access point, wireless controller, or service platform), as a member, to an existing cluster of devices. Assign a static IP address to the device before adding it to a cluster. Note: a cluster can only be formed of devices of the same model type.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

join-cluster <IP> user <USERNAME> password <WORD> {level|mode}
join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}

Parameters

• join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}

join-cluster
    Adds an access point, wireless controller, or service platform to an existing cluster
<IP>
    Specify the cluster member’s IP address.
user <USERNAME>
    Specify a user account with super user privileges on the new cluster member
password <WORD>
    Specify password for the account specified in the user parameter
level [1|2]
    Optional. Configures the routing level
    • 1 – Configures level 1 routing
    • 2 – Configures level 2 routing
mode [active|standby]
    Optional. Configures the cluster mode
    • active – Configures this cluster as active
    • standby – Configures this cluster to be on standby mode

Usage Guidelines

To add a device to an existing cluster:
• Configure a static IP address on the device (access point, wireless controller, or service platform).
• Provide username and password for superuser, network admin, system admin, or operator accounts.
After adding the device to a cluster, execute the “write memory” command to ensure the configuration persists across reboots.

Example

rfs4000-880DA7>join-cluster 192.168.13.15 user admin password superuser level 1 mode standby
... connecting to 192.168.13.15
... applying cluster configuration
... committing the changes
... saving the changes
[OK]
rfs4000-880DA7>

rfs4000-880DA7>show context
!
! Configuration of RFS4000 version 5.9.1.0-012D
!
!
version 2.5
!
!
................................................................................
 interface vlan1
  ip address 192.168.13.15/24
  no ipv6 enable
  no ipv6 request-dhcpv6-options
 cluster name TechPubs
 cluster mode standby
 cluster member ip 192.168.13.15
 logging on
 logging console warnings
 logging buffered warnings
!
!
end
rfs4000-880DA7>

Related Commands

cluster
    Initiates cluster context. The cluster context enables centralized management and configuration of all cluster members from any one member.
create-cluster
    Creates a new cluster on a specified device

2.1.18 l2tpv3

Establishes and/or brings down a Layer 2 Tunnel Protocol Version 3 (L2TPV3) tunnel

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

l2tpv3 tunnel [<TUNNEL-NAME>|all]
l2tpv3 tunnel <TUNNEL-NAME> [down|session|up]
l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}

Parameters

• l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel
    Establishes or brings down L2TPv3 tunnels
<TUNNEL-NAME> [down|up]
    Specifies the tunnel name to establish or bring down
    • down – Brings down the specified tunnel
    • up – Establishes the specified tunnel
on <DEVICE-NAME>
    Optional. Establishes or brings down a tunnel on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel
    Establishes or brings down L2TPv3 tunnels
<TUNNEL-NAME> [session <SESSION-NAME>] [down|up]
    Establishes or brings down a specified session inside an L2TPv3 tunnel
    • <TUNNEL-NAME> – Specify the tunnel name.
    • session <SESSION-NAME> – Identifies a specific session
        • <SESSION-NAME> – Specify the session name.
    • down – Brings down the session identified by the <SESSION-NAME> keyword
    • up – Establishes the session identified by the <SESSION-NAME> keyword
on <DEVICE-NAME>
    Optional. Establishes or brings down a tunnel session on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel
    Establishes or brings down L2TPv3 tunnels
all [down|up]
    Establishes or brings down all L2TPv3 tunnels
    • down – Brings down all tunnels
    • up – Establishes all tunnels
on <DEVICE-NAME>
    Optional. Establishes or brings down all tunnels on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example

rfs6000-81742D>l2tpv3 tunnel Tunnel1 session Tunnel1Session1 up on rfs6000-81742D

NOTE: For more information on the L2TPv3 tunnel configuration mode and commands, see Chapter 22, L2TPV3-POLICY.

2.1.19 logging

Modifies message logging settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings}

Parameters

• logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings}

monitor
    Sets the terminal lines logging levels. The logging severity levels can be set from 0 - 7. The system uses default settings, if no logging severity level is specified.
    • <0-7> – Optional. Specify the logging severity level from 0-7. The various levels and their implications are as follows:
    • alerts – Optional. Immediate action needed (severity=1)
    • critical – Optional. Critical conditions (severity=2)
    • debugging – Optional. Debugging messages (severity=7)
    • emergencies – Optional. System is unusable (severity=0)
    • errors – Optional. Error conditions (severity=3)
    • informational – Optional. Informational messages (severity=6)
    • notifications – Optional. Normal but significant conditions (severity=5)
    • warnings – Optional. Warning conditions (severity=4)
    Note: Before configuring the message logging level, ensure the logging module is enabled. To enable message logging, in the device’s configuration mode, execute the logging > on command. Message logging can also be enabled on a profile. All devices using the profile will have message logging enabled.

Example

rfs6000-81742D(config-device-00-15-70-81-74-2D)#logging on
rfs6000-81742D>logging monitor debugging
rfs6000-81742D>show logging
Logging module: enabled
    Aggregation time: disabled
    Console logging: level warnings
    Monitor logging: level debugging
    Buffered logging: level warnings
    Syslog logging: level warnings
        Facility: local7
Log Buffer (69317 bytes):
Apr 04 11:53:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
Apr 04 11:43:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
--More--
rfs6000-81742D>

Related Commands

no
    Resets terminal lines logging levels
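
The severity keywords in the logging monitor table correspond to the digit embedded in each buffered message (%DIAG-4-FAN_UNDERSPEED is module DIAG, severity 4, warnings). The following Python sketch is an added example, not part of the Extreme Networks guide: it parses lines in the format shown in the sample output and selects the ones a given monitor level would display, on the usual syslog assumption that a level shows that severity and everything more severe. The function names and the two %EXAMPLE lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Keywords and numbers exactly as listed in the "logging monitor" table.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
LEVEL_NAME = {number: name for name, number in SEVERITY.items()}

# Matches e.g. "Apr 04 11:53:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"%(?P<module>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Sample buffer: the two FAN_UNDERSPEED lines are from the guide's example,
# the two %EXAMPLE lines are constructed for this illustration.
SAMPLE = """\
Log Buffer (69317 bytes):
Apr 04 11:53:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
Apr 04 11:50:10 2017: %EXAMPLE-6-CONSTRUCTED_INFO: constructed informational message
Apr 04 11:47:31 2017: %EXAMPLE-3-CONSTRUCTED_ERROR: constructed error message
Apr 04 11:43:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
--More--
rfs6000-81742D>
"""


def level_number(level):
    """Accept a keyword ('warnings') or a number 0-7, as the CLI syntax does."""
    if isinstance(level, int) or str(level).isdigit():
        number = int(level)
        if number not in LEVEL_NAME:
            raise ValueError(f"severity must be 0-7, got {level!r}")
        return number
    try:
        return SEVERITY[str(level).lower()]
    except KeyError:
        raise ValueError(f"unknown severity keyword {level!r}") from None


def parse_line(line):
    """Return a dict for a log message, or None for headers, pager and prompts."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    severity = int(match["sev"])
    return {
        "time": datetime.strptime(match["ts"], "%b %d %H:%M:%S %Y"),
        "module": match["module"],
        "severity": severity,
        "level": LEVEL_NAME[severity],
        "mnemonic": match["mnemonic"],
        "text": match["text"],
    }


def parse_buffer(text):
    """Parse a pasted 'show logging' buffer, skipping non-message lines."""
    return [entry for entry in map(parse_line, text.splitlines()) if entry]


def visible_at(entries, monitor_level):
    """Assumption: a monitor level shows that severity and anything more severe."""
    threshold = level_number(monitor_level)
    return [entry for entry in entries if entry["severity"] <= threshold]


def repeat_counts(entries):
    """Count repeats per (module, mnemonic, level) to spot recurring faults."""
    return Counter((e["module"], e["mnemonic"], e["level"]) for e in entries)


if __name__ == "__main__":
    shown = visible_at(parse_buffer(SAMPLE), "warnings")
    for (module, mnemonic, level), count in repeat_counts(shown).most_common():
        print(f"{count:3d}  {level:<10} {module}/{mnemonic}")
```
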

2.1.20 mint

Uses MiNT protocol to perform a ping and traceroute to a remote device

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

mint [ping|traceroute]
mint ping <MINT-ID> {(count <1-10000>|size <1-64000>|timeout <1-10>)}
mint traceroute <MINT-ID> {(destination-port <1-65535>|max-hops <1-255>|source-port <1-65535>|timeout <1-255>)}

Parameters

• mint ping <MINT-ID> {(count <1-10000>|size <1-64000>|timeout <1-10>)}

ping <MINT-ID>
    Sends a MiNT echo message to a specified destination
    • <MINT-ID> – Specify the destination device’s MiNT ID.
count <1-10000>
    Optional. Sets the number of pings to the MiNT destination
    • <1-10000> – Specify a value from 1 - 10000. The default is 3.
size <1-64000>
    Optional. Sets the MiNT payload size in bytes
    • <1-64000> – Specify a value from 1 - 64000 bytes. The default is 64 bytes.
timeout <1-10>
    Optional. Sets a response time in seconds
    • <1-10> – Specify a value from 1 sec - 10 sec. The default is 1 second.

• mint traceroute <MINT-ID> {(destination-port <1-65535>|max-hops <1-255>|source-port <1-65535>|timeout <1-255>)}

traceroute <MINT-ID>
    Prints the route packets trace to a device
    • <MINT-ID> – Specify the destination device’s MiNT ID.
destination-port <1-65535>
    Optional. Sets the Equal-cost Multi-path (ECMP) routing destination port
    • <1-65535> – Specify a value from 1 - 65535. The default port is 45.
max-hops <1-255>
    Optional. Sets the maximum number of hops a traceroute packet traverses in the forward direction
    • <1-255> – Specify a value from 1 - 255. The default is 30.
source-port <1-65535>
    Optional. Sets the ECMP source port
    • <1-65535> – Specify a value from 1 - 65535. The default port is 45.
timeout <1-255>
    Optional. Sets the minimum response time period in seconds
    • <1-255> – Specify a value from 1 sec - 255 sec. The default is 30 seconds.

Example

rfs6000-81742D>mint ping 19.6C.88.09
MiNT ping 19.6C.88.09 with 64 bytes of data.
 Response from 19.6C.88.09: id=1 time=0.219 ms
 Response from 19.6C.88.09: id=2 time=0.145 ms
 Response from 19.6C.88.09: id=3 time=0.127 ms
--- 19.6C.88.09 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.127/0.164/0.219 ms
rfs6000-81742D>

2.1.21 no

Use the no command to revert a command or to set parameters to their default. This command turns off an enabled feature or reverts settings to default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [adoption|captive-portal|crypto|debug|logging|page|service|terminal|virtual-machine|wireless]
no adoption {on <DEVICE-OR-DOMAIN-NAME>}
no captive-portal client [captive-portal <CAPTIVE-PORTAL-NAME>|mac <MAC>] {on <DEVICE-OR-DOMAIN-NAME>}
no crypto pki [server|trustpoint]
no crypto pki [server|trustpoint] <TRUSTPOINT-NAME> {del-key {on <DEVICE-NAME>}|on <DEVICE-NAME>}
no logging monitor
no page
no service [block-adopter-config-update|locator|snmp|ssm|wireless]
no service snmp sysoid wing5
no service block-adopter-config-update
no service ssm trace pattern {<WORD>} {on <DEVICE-NAME>}
no service wireless [trace pattern {<WORD>} {on <DEVICE-NAME>}|unsanctioned ap air-terminate <BSSID> {on <DOMAIN-NAME>}]
no service locator {on <DEVICE-NAME>}
no terminal [length|width]
no virtual-machine assign-usb-ports {on <DEVICE-NAME>}
no wireless client [all|<MAC>]
no wireless client all {filter|on}
no wireless client all {filter [wlan <WLAN-NAME>]}
no wireless client all {on <DEVICE-OR-DOMAIN-NAME>} {filter [wlan <WLAN-NAME>]}
no wireless client mac <MAC> {on <DEVICE-OR-DOMAIN-NAME>}

NOTE: The “no” command sub-set of commands changes with the context in which it is executed.

NOTE: The no > adoption command resets the adoption state of a specified device (and all devices adopted to it) or devices within a specified RF Domain. When executed without specifying the device or RF Domain, the command resets the adoption state of the logged device and all devices, if any, adopted to it.

Parameters

• no <PARAMETERS>

no <PARAMETERS>
    Resets or reverts settings based on the parameters passed

Usage Guidelines

The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example

rfs4000-880DA7>no adoption
rfs4000-880DA7>no page

2.1.22 on

Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, and show

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

on rf-domain [<RF-DOMAIN-NAME>|all]

Parameters

• on rf-domain [<RF-DOMAIN-NAME>|all]

on rf-domain [<RF-DOMAIN-NAME>|all]
    Enters the RF Domain context based on the parameter specified
    • <RF-DOMAIN-NAME> – Specify the RF Domain name. Enters the specified RF Domain context.
    • all – Specifies all RF Domains.

Example

nx9500-6C8809>on rf-domain TechPubs
nx9500-6C8809(TechPubs)>?
on RF-Domain Mode commands:
  clrscr   Clears the display screen
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  service  Service Commands
  show     Show running system information
nx9500-6C8809(TechPubs)>

nx9500-6C8809(rf-domain-all)>?
on RF-Domain Mode commands:
  clrscr   Clears the display screen
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  service  Service Commands
  show     Show running system information
nx9500-6C8809(rf-domain-all)>

2.1.23 opendns

Fetches the OpenDNS device_id from the OpenDNS site. Use this command to fetch the OpenDNS device_id. Once fetched, apply the device_id to WLANs that are to be OpenDNS enabled. OpenDNS is a free DNS service that enables swift Web navigation without frequent outages. It is a reliable DNS service that provides the following services: DNS query resolution, Web-filtering, protection against virus and malware attacks, performance enhancement, etc.

This command is part of a set of configurations that are required to integrate WiNG devices with OpenDNS. When integrated, DNS queries going out of the WiNG device (access point, controller, or service platform) are re-directed to OpenDNS (208.67.220.220 or 208.67.222.222) resolvers that act as proxy DNS servers.

For more information on integrating WiNG devices with OpenDNS site, see Enabling OpenDNS Support.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

opendns [APIToken|username]
opendns APIToken <OPENDNS-APITOKEN>
opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>

Note: as per the current implementation, both of the above commands can be used to fetch the device_id from the OpenDNS site.

Parameters

• opendns APIToken <OPENDNS-APITOKEN>

opendns
    Fetches the device_id from the OpenDNS site using the OpenDNS API token
APIToken <OPENDNS-APITOKEN>
    Configures the OpenDNS APIToken. This is the token provided to you by CISCO at the time of subscribing for their OpenDNS service.
    • <OPENDNS-APITOKEN> – Provide the OpenDNS API token (should be a valid token).
    For every valid OpenDNS API token provided a device_id is returned. Apply this device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns.

• opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>

opendns
    Fetches the device_id from the OpenDNS site using the OpenDNS credentials
username <USERNAME>
    Configures the OpenDNS user name. This is your OpenDNS email ID provided by CISCO at the time of subscribing for their OpenDNS service.
    • <USERNAME> – Provide the OpenDNS user name (should be a valid OpenDNS username).
password <OPENDNS-PSWD>
    Configures the password associated with the user name specified in the previous step
    • <OPENDNS-PSWD> – Provide the OpenDNS password (should be a valid OpenDNS password).
label <LABEL>
    Configures the network label. This is the label (the user friendly name) of your network, and should be the same as the label (name) configured on the OpenDNS portal.
    • <LABEL> – Specify your network label.
    For every set of user name, password, and label passed only one unique device_id is returned. Apply this device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns.

Usage Guidelines

Use your OpenDNS credentials to log on to the opendns.org site and use the labels, edit settings, and customize content filtering options to configure Web filtering settings.

Example

ap7161-E6D512>opendns username bob@examplecompany.com password opendns label company_name
Connecting to OpenDNS server...
device_id = 0014AADF8EDC6C59
ap7161-E6D512>

nx9600-7F3C7F>opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
device_id = 001480fe36dcb245
nx9600-7F3C7F>
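
The join-cluster, opendns and file-sync load-file syntaxes above all take a password or token as a command argument, so those values end up in any saved terminal transcript or session recording. The following Python sketch is an added example, not part of the Extreme Networks guide: it redacts those arguments from a captured transcript and also flags a trustpoint (which the guide says includes the private key) loaded over tftp, ftp or http. The function names, sample transcript and secret values are constructed; matching is case-insensitive because the guide itself writes both APIToken and ApiToken.

```python
import re

REDACTED = "<redacted>"

# A CLI line: hostname, optional "(context)", then ">" or "#", then the command.
PROMPT_RE = re.compile(r"^(?P<prompt>[\w.-]+(?:\([^)]*\))?[>#]\s*)(?P<cmd>.*)$")

# One rule per secret-bearing syntax on this page. Group 1 is kept, group 2
# (the secret) is replaced.
SECRET_RULES = [
    ("join-cluster password",
     re.compile(r"^(join-cluster\s+\S+\s+user\s+\S+\s+password\s+)(\S+)", re.I)),
    ("opendns password",
     re.compile(r"^(opendns\s+username\s+\S+\s+password\s+)(\S+)", re.I)),
    ("opendns API token",
     re.compile(r"^(opendns\s+apitoken\s+)(\S+)", re.I)),
    # ftp://<user>:<passwd>@host and sftp://<user>:<passwd>@host URL forms.
    ("URL password",
     re.compile(r"^(file-sync\s+load-file\s+\S+\s+s?ftp://[^:/@\s]+:)(\S+)(?=@)",
                re.I)),
]

# tftp, ftp and http carry the file unencrypted; sftp, cf: and usb<n>: do not
# match this pattern.
CLEARTEXT_TRUSTPOINT = re.compile(
    r"^file-sync\s+load-file\s+trustpoint\s+(tftp|ftp|http)://", re.I)

# Constructed transcript: commands follow the guide's syntax, secrets are dummies.
SAMPLE = """\
rfs4000-880DA7>join-cluster 192.168.13.15 user admin password Constructed-Pw-1 level 1 mode standby
ap7161-E6D512>opendns username bob@examplecompany.com password Constructed-Pw-2 label company_name
device_id = 0000000000000000
nx9600-7F3C7F>opendns ApiToken 0123456789ABCDEF0123456789ABCDEF01234567
rfs6000-81742D>file-sync load-file trustpoint ftp://certuser:Constructed-Pw-3@192.168.13.10/certs/tp.tar
rfs6000-81742D>ping 192.168.13.13 count 4
"""


def scrub_line(line):
    """Return (clean_line, findings) for one transcript line."""
    match = PROMPT_RE.match(line)
    if match is None:              # command output, not a command: leave as is
        return line, []
    prompt, cmd = match["prompt"], match["cmd"]
    findings = []
    for label, pattern in SECRET_RULES:
        cmd, hits = pattern.subn(lambda m: m.group(1) + REDACTED, cmd, count=1)
        if hits:
            findings.append(label)
    cleartext = CLEARTEXT_TRUSTPOINT.match(cmd)
    if cleartext:
        findings.append(f"trustpoint over cleartext {cleartext.group(1).lower()}")
    return prompt + cmd, findings


def scrub_transcript(text):
    """Redact a whole transcript; report is a list of (line_number, finding)."""
    clean, report = [], []
    for number, line in enumerate(text.splitlines(), 1):
        new_line, findings = scrub_line(line)
        clean.append(new_line)
        report.extend((number, finding) for finding in findings)
    return "\n".join(clean), report


if __name__ == "__main__":
    cleaned, report = scrub_transcript(SAMPLE)
    print(cleaned)
    for number, finding in report:
        print(f"line {number}: {finding}")
```
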

2.1.24 page

Toggles a device’s paging function. When executed, this command enables the display of CLI command outputs page by page, instead of running the entire output at once.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

page

Parameters

None

Example

rfs4000-880DA7>page
rfs4000-880DA7>

Related Commands

no
    Disables device paging

2.1.25 ping

Sends Internet Control Message Protocol (ICMP) echo messages to a user-specified location

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|source [<IP>|pppoe|vlan <1-4094>|wwan]}

Parameters

• ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|source [<IP>|pppoe|vlan <1-4094>|wwan]}

<IP/HOSTNAME>
    Specify the destination IP address or hostname. When entered without any parameters, this command prompts for an IP address or a hostname.
count <1-10000>
    Optional. Sets the number of pings to the specified destination
    • <1-10000> – Specify a value from 1 - 10000. The default is 5.
dont-fragment {count|size}
    Optional. Sets the don’t fragment bit in the ping packet. Packets with the dont-fragment bit specified are not fragmented. When a packet, with the dont-fragment bit specified, exceeds the specified maximum transmission unit (MTU) value, an error message is sent from the device trying to fragment it.
    • count <1-10000> – Optional. Sets the number of pings to the specified destination from 1 - 10000. The default is 5.
    • size <1-64000> – Optional. Sets the ping payload size from 1 - 64000 bytes. The default is 100 bytes.
size <1-64000>
    Optional. Sets the ping payload size in bytes
    • <1-64000> – Specify the ping payload size from 1 - 64000. The default is 100 bytes.
source [<IP>|pppoe|vlan <1-4094>|wwan]
    Optional. Sets the source address or interface name. This is the source of the ICMP packet to the specified destination.
    • <IP> – Specifies the source IP address
    • pppoe – Selects the PPP over Ethernet interface
    • vlan <1-4094> – Selects the VLAN interface from 1 - 4094
    • wwan – Selects the wireless WAN interface

Example

rfs6000-81742D>ping 192.168.13.13 count 4
PING 192.168.13.13 (192.168.13.13) 100(128) bytes of data.
108 bytes from 192.168.13.13: icmp_seq=1 ttl=64 time=0.291 ms
108 bytes from 192.168.13.13: icmp_seq=2 ttl=64 time=0.243 ms
108 bytes from 192.168.13.13: icmp_seq=3 ttl=64 time=0.239 ms
108 bytes from 192.168.13.13: icmp_seq=4 ttl=64 time=0.232 ms
--- 192.168.13.13 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.232/0.251/0.291/0.025 ms
rfs6000-81742D>

rfs6000-81742D>ping 10.233.89.182 source vlan 1
PING 10.233.89.182 (10.233.89.182) from 192.168.13.24 vlan1: 100(128) bytes of data.
From 192.168.13.2 icmp_seq=1 Packet filtered
From 192.168.13.2 icmp_seq=2 Packet filtered
From 192.168.13.2 icmp_seq=3 Packet filtered
From 192.168.13.2 icmp_seq=4 Packet filtered
From 192.168.13.2 icmp_seq=5 Packet filtered
--- 10.233.89.182 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3997ms
rfs6000-81742D>

2.1.26 ping6

Sends ICMPv6 echo messages to a user-specified IPv6 address

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ping6 <IPv6/HOSTNAME> {<INTF-NAME>} {(count <1-10000>|size <1-64000>)}

Parameters

• ping6 <IPv6/HOSTNAME> {<INTF-NAME>} {(count <1-10000>|size <1-64000>)}

<IPv6/HOSTNAME>
    Specify the destination IPv6 address or hostname.
<INTF-NAME>
    Specify the interface name for link local/broadcast address
count <1-10000>
    Optional. Sets the number of pings to the specified IPv6 destination
    • <1-10000> – Specify a value from 1 - 10000. The default is 5.
size <1-64000>
    Optional. Sets the IPv6 ping payload size in bytes
    • <1-64000> – Specify the ping payload size from 1 - 64000. The default is 100 bytes.

Usage Guidelines

To configure a device’s IPv6 address, in the VLAN interface configuration mode, use the ipv6 > address <IPv6-ADDRESS> command. After configuring the IPv6 address, use the ipv6 > enable command to enable IPv6. For more information, see ipv6.

Example

rfs4000-1B3596(config-device-00-23-68-1B-35-96-if-ge4)#show ipv6 interface brief
--------------------------------------------------------------------------------
INTERFACE  IPV6 MODE  IPV6-ADDRESS/MASK               TYPE         STATUS  PROTOCOL
--------------------------------------------------------------------------------
vlan1       True      fe80::223:68ff:fe88:da7/64     Link-Local       UP      up
vlan1       True      2001:10:10:10:10:10:10:1/64  Global-Permanent   UP      up
vlan2       False     UNASSIGNED                       None           UP      up
--------------------------------------------------------------------------------
rfs4000-1B3596(config-device-00-23-68-1B-35-96-if-ge4)#

rfs4000-229D58>ping6 2001:10:10:10:10:10:10:1 count 6
PING 2001:10:10:10:10:10:10:1(2001:10:10:10:10:10:10:1) 100 data bytes
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=1 ttl=64 time=0.401 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=2 ttl=64 time=0.311 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=3 ttl=64 time=0.300 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=4 ttl=64 time=0.309 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=5 ttl=64 time=0.299 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=6 ttl=64 time=0.313 ms
--- 2001:10:10:10:10:10:10:1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 6999ms
rtt min/avg/max/mdev = 0.299/0.318/0.401/0.031 ms
rfs4000-229D58>

2.1.27 ssh

Opens a Secure Shell (SSH) connection between two network devices

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ssh <IP/HOSTNAME> <USER-NAME> {<INF-NAME/LINK-LOCAL-ADD>}

Parameters

• ssh <IP/HOSTNAME> <USER-NAME> {<INF-NAME/LINK-LOCAL-ADD>}

<IP/HOSTNAME>
    Specify the remote system’s IP address or hostname.
<USERNAME>
    Specify the name of the user requesting SSH connection with the remote system.
<INF-NAME/LINK-LOCAL-ADD>
    Optional. Specify the interface’s name or link local address.

Example

nx9500-6C8809>ssh 192.168.13.24 admin
admin@192.168.13.24's password:
rfs6000-81742D>

2.1.28 telnet

Opens a Telnet session between two network devices

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}

Parameters

• telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}

<IP/HOSTNAME>
    Configures the destination remote system’s IP (IPv4 or IPv6) address or hostname. The Telnet session is established between the connecting system and the remote system.
    • <IP/HOSTNAME> – Specify the remote system’s IPv4 or IPv6 address or hostname.
<TCP-PORT>
    Optional. Specify the Transmission Control Protocol (TCP) port number.
<INTF-NAME>
    Optional. Specify the interface name for the link local address.

Example

nx9500-6C8809#telnet 192.168.13.10
Entering character mode
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login:

2.1.29 terminal

Sets the length and width of the CLI display window on a terminal

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

terminal [length|width] <0-512>

Parameters

• terminal [length|width] <0-512>

length <0-512>
    Sets the number of lines displayed on the terminal window
    • <0-512> – Specify a value from 0 - 512.
width <0-512>
    Sets the width (the number of characters displayed in one line) of the terminal window
    • <0-512> – Specify a value from 0 - 512.

Example

rfs6000-81742D>terminal length 150
rfs6000-81742D>terminal width 215
rfs6000-81742D>show terminal
Terminal Type: xterm
Length: 150     Width: 215
rfs6000-81742D>

Related Commands

no
    Resets the width or length of the terminal window

2.1.30 time-it

Verifies the time taken by a particular command between request and response

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

time-it <COMMAND>

Parameters

• time-it <COMMAND>

time-it <COMMAND>
    Verifies the time taken by a particular command to execute and provide a result
    • <COMMAND> – Specify the command.

Example

rfs6000-81742D>time-it enable
That took 0.00 seconds..
rfs6000-81742D#

2.1.31 traceroute

Traces the route to a defined destination

Use ‘--help’ or ‘-h’ to display a complete list of parameters for the traceroute command

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

traceroute <LINE>

Parameters

• traceroute <LINE>

traceroute <LINE>
    Traces the route to a destination IP address or hostname
    • <LINE> – Specify the destination IPv6 address or hostname.

Example

rfs6000-81742D>traceroute --help
BusyBox v1.14.4 () multi-call binary
Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
        [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
        [-z pausemsecs] HOST [data size]
Options:
        -F      Set the don't fragment bit
        -I      Use ICMP ECHO instead of UDP datagrams
        -l      Display the ttl value of the returned packet
        -d      Set SO_DEBUG options to socket
        -n      Print hop addresses numerically rather than symbolically
        -r      Bypass the normal routing tables and send directly to a host
        -v      Verbose
        -m max_ttl      Max time-to-live (max number of hops)
        -p port#        Base UDP port number used in probes
                        (default is 33434)
        -q nqueries     Number of probes per 'ttl' (default 3)
        -s src_addr     IP address to use as the source address
        -t tos          Type-of-service in probe packets (default 0)
        -w wait         Time in seconds to wait for a response
                        (default 3 sec)
        -g              Loose source route gateway (8 max)
rfs6000-81742D>

rfs6000-81742D>traceroute 192.168.13.13
traceroute to 192.168.13.13 (192.168.13.13), 30 hops max, 38 byte packets
 1  192.168.13.13 (192.168.13.13)  1.150 ms  0.261 ms  0.214 ms
rfs6000-81742D>

2.1.32 traceroute6

Traces the route to a specified IPv6 destination

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

traceroute6 <LINE>

Parameters

• traceroute6 <LINE>

traceroute6 <LINE>
    Traces the route to a destination IPv6 address or hostname
    • <LINE> – Specify the destination IPv6 address or hostname.

Example

rfs6000-81742D>traceroute6 2001:10:10:10:10:10:10:1
traceroute to 2001:10:10:10:10:10:10:1 (2001:10:10:10:10:10:10:1) from 2001:10:10:10:10:10:10:2, 30 hops max, 16 byte packets
 1  2001:10:10:10:10:10:10:1 (2001:10:10:10:10:10:10:1)  6.054 ms  0.448 ms  0.555 ms
rfs6000-81742D>
2.1.33 virtual-machine

Installs, configures, and monitors the status of virtual machines (VMs) installed on a WiNG controller

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

virtual-machine [assign-usb-ports|export|install|restart|set|start|stop|uninstall]
virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}
virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}
virtual-machine install [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
virtual-machine restart [<VM-NAME>|hard|team-urc|team-rls|team-vowlan]
virtual-machine set [autostart|memory|vcpus|vif-count|vif-mac|vif-to-vmif|vnc]
virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-INDEX>|vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}

The following virtual-machine commands are supported only on the VX9000 platform:

virtual-machine volume-group [add-drive|replace-drive|resize-drive|resize-volume-group]
virtual-machine volume-group [add-drive|replace-drive] <BLOCK-DEVICE-LABEL>
virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>
virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>

Parameters

• virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}

assign-usb-ports team-vowlan – Assigns USB ports to TEAM-VoWLAN on a specified device
    • on <DEVICE-NAME> – Optional. Specify the device name.
    Note: Use the no > virtual-machine > assign-usb-ports command to reassign the port to WiNG.
    Note: TEAM-RLS VM cannot be installed when USB ports are assigned to TEAM-VoWLAN.

• virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}

virtual-machine export – Exports an existing VM image and settings. Use this command to export the VM to another <NX54XX> or <NX65XX> device in the same domain.
    • <VM-NAME> – Specify the VM name.
    • <FILE> – Specify the location and name of the source file (VM image). The VM image is retrieved and exported from the specified location.
    • <URL> – Specify the destination location. This is the location to which the VM image is copied. Use one of the following formats to provide the destination path:
        tftp://<hostname|IP>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file
        http://<hostname|IP>[:port]/path/file
    • on <DEVICE-NAME> – Optional. Executes the command on a specified device or devices
        • <DEVICE-NAME> – Specify the service platform name. In case of multiple devices, list the device names separated by commas.
    Note: The VM should be in a stop state during the export process.
    Note: If the destination is a device, the image is copied to a predefined location (VM archive).

• virtual-machine install [<VM-NAME>|adsp|team-centro|team-rls|team-vowlan] {on <DEVICE-NAME>}

virtual-machine install – Installs the VM. The install command internally creates a VM template, consisting of the specified parameters, and starts the installation process. Select one of the following options:
    • <VM-NAME> – Installs a VM having the name specified by the <VM-NAME> keyword.
    • adsp – Installs ADSP
    • team-centro – Installs the VM TEAM-Centro image
    • team-rls – Installs the VM TEAM-RLS image
    • team-vowlan – Installs the VM TEAM-VoWLAN image
    Specify the device on which to install the VM.
    • on <DEVICE-NAME> – Optional. Executes the command on a specified device or devices
        • <DEVICE-NAME> – Specify the service platform name. In case of multiple devices, list the device names separated by commas.

• virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-INDEX>|vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}

virtual-machine set – Configures the VM settings
    • autostart – Specifies whether to autostart the VM on system reboot
        • ignore – Enables autostart on each system reboot
        • start – Disables autostart
    • memory – Defines the VM memory size
        • <512-8192> – Specify the VM memory from 512 - 8192 MB. The default is 1024 MB.
    • vcpus – Specifies the number of VCPUS for this VM
        • <1-4> – Specify the number of VCPUS from 1 - 4.
    • vif-count – Configures or resets the VM's VIFs
        • <0-2> – Specify the VIF number from 0 - 2.
    • vif-mac – Configures the MAC address of the selected virtual network interface
        • <1-2> – Select the VIF
        • <1-8> – Specify the MAC index for the selected VIF
        • <MAC> – Specify the customized MAC address for the selected VIF in the AA-BB-CC-DD-EE-FF format.
      Each VM has a maximum of two network interfaces (indexed 1 and 2, referred to as VIF). By default, each VIF is automatically assigned a MAC from the range allocated for that device. However, you can use the ‘set’ keyword to specify the MAC from within the allocated range. Each of these VIFs is mapped to a layer 2 port in the dataplane (referred to as VMIF). These VMIFs are standard l2 ports on the DP bridge, supporting all VLAN and ACL commands. The WiNG software supports up to a maximum of 8 VMIFs. By default, a VM’s interface is always mapped to VMIF1. You can map a VIF to any of the 8 VMIFs. Use the vif-to-vmif command to map a VIF to a VMIF on the DP bridge.
    • vif-to-vmif – Maps the virtual interface (1 or 2) to the selected VMIF interface. Specify the VMIF interface index from 1 - 8.
      WiNG provides a dataplane bridge for external network connectivity for VMs. VM Interfaces define which IP address is associated with each VLAN ID the service platform is connected to and enables remote service platform administration. Each custom VM can have up to a maximum of two VM interfaces. Each VM interface can be mapped to one of the twelve ports for <NX9500> on the dataplane bridge. This mapping determines the destination for service platform routing.
      By default, VM interfaces are internally connected to the dataplane bridge via VMIF1. VMIF1, by default, is an untagged port providing access to VLAN 1 to support the capability to connect the VM interfaces to any of the VMIF ports. This provides the flexibility to move a VM interface onto different VLANs as well as configure specific firewall and QoS rules.
    • vnc – Disables/enables VNC port option for an existing VM. When enabled, provides remote access to VGA through the noVNC client.
        • disable – Disables VNC port
        • enable – Enables VNC port
    After configuring the VM settings, identify the VM to apply the settings.
    • <VM-NAME> – Applies these settings to the VM identified by the <VM-NAME> keyword. Specify the VM name.
    • adsp – Applies these settings to the ADSP VM
    • team-urc – Applies these settings to the VM TEAM-URC
    • team-rls – Applies these settings to the VM TEAM-RLS
    • team-vowlan – Applies these settings to the VM TEAM-VoWLAN

• virtual-machine start [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}

virtual-machine start – Starts the VM, based on the parameters passed. Select one of the following options:
    • <VM-NAME> – Starts the VM identified by the <VM-NAME> keyword. Specify the VM name.
    • adsp – Starts the ADSP VM
    • team-urc – Starts the VM TEAM-URC
    • team-rls – Starts the VM TEAM-RLS
    • team-vowlan – Starts the VM TEAM-VoWLAN
    The following keywords are common to all of the above parameters:
    • on <DEVICE-NAME> – Optional. Executes the command on a specified device or devices
        • <DEVICE-NAME> – Specify the service platform name. In case of multiple devices, list the device names separated by commas.

• virtual-machine stop [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}

virtual-machine stop hard – Stops the VM, based on the parameters passed. Select one of the following options:
    • <VM-NAME> – Stops the VM identified by the <VM-NAME> keyword. Specify the VM name.
    • ADSP – Stops the ADSP VM
    • team-urc – Stops the VM TEAM-URC
    • team-rls – Stops the VM TEAM-RLS
    • team-vowlan – Stops the VM TEAM-VoWLAN
    The following keywords are common to all of the above parameters:
    • on <DEVICE-NAME> – Optional. Executes the command on a specified device or devices
        • <DEVICE-NAME> – Specify the service platform name. In case of multiple devices, list the device names separated by commas.
    Note: The option ‘hard’ forces the selected VM to shutdown.

• virtual-machine uninstall [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}

virtual-machine uninstall – Uninstalls the specified VM
    • <VM-NAME> – Uninstalls the VM identified by the <VM-NAME> keyword. Specify the VM name.
    • ADSP – Uninstalls the ADSP VM
    • team-urc – Uninstalls the VM TEAM-URC
    • team-rls – Uninstalls the VM TEAM-RLS
    • team-vowlan – Uninstalls the VM TEAM-VoWLAN
    The following keywords are common to all of the above parameters:
    • on <DEVICE-NAME> – Optional. Executes the command on a specified device or devices
        • <DEVICE-NAME> – Specify the service platform name. In case of multiple devices, list the device names separated by commas.
    Note: This command releases the VM’s resources, such as memory, VCPUS, VNC port, disk space, and removes the RF Domain reference from the system.

• virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>

virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL> – Enables provisioning of logical volume-groups on the VX9000 platform. Logical volume-groups are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives. However, volume-groups can be provisioned only on a new VX9000 installation and cannot be added to an existing VX9000 installation.
    Note: The logical volume-group is supported only on a VX9000 running the WiNG 5.9.1 image.
    • add-drive – Adds a new block-device to the VM. Note, currently a maximum of 3 (three) block devices can be added. To add a new drive, first halt the VM. In the Hypervisor, add a new storage disk to the VM and restart the VM. Once the VM comes up, use this command to add the new drive. To identify the new drive, execute the show > virtual-machine > volume-group > status command.
    • resize-drive – Resizes a drive in the VM’s volume group. To increase the size of a drive in the volume-group, first halt the VM. In the Hypervisor, increase the size of the existing secondary storage drive and restart the VM. Once the VM comes up, use this command to resize the drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group > status command.
    The following keyword is common to all of the above parameters:
    • <BLOCK-DEVICE-LABEL> – Specify the block-device label to be added or resized depending on the action being performed.

• virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>

virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL> – Enables provisioning of VMs as logical volume-groups on the VX9000 platform. Logical volume-group VMs are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives.
    • replace-drive – Replaces an existing block-device with a new block-device in a volume-group. To replace a drive in the volume-group, first halt the VM. In the Hypervisor, add the new drive and restart the VM. Once the VM comes up, use this command to replace an existing drive with the new drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group > status command.
        • <BLOCK-DEVICE-LABEL> – Specify the block-device label to be replaced.
        • <NEW-BLOCK-DEVICE-LABEL> – Specify the replacement block-device label.

• virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>

virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL> – Enables provisioning of VMs as logical volume-groups on the VX9000 platform. Logical volume-group VMs are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives.
    • resize-volume-group – Adds drive space to an existing block-device in the volume-group
        • <BLOCK-DEVICE-LABEL> – Specify the block-device label to which additional drive space is to be provided

Example

The following examples show the VM installation process:

Installation media: USB

<DEVICE>#virtual-machine install <VM-NAME> type iso disk-size 8 install-media usb1://vms/win7.iso autostart start memory 512 vcpus 3 vif-count 2 vnc enable

Installation media: pre-installed disk image

<DEVICE>#virtual-machine install <VM-NAME> type disk install-media flash:/vms/win7_disk.img autostart start memory 512 vcpus 3 vif-count 2 vnc-enable  on <DEVICE-NAME>

In the preceding example, the command is executed on the device identified by the <DEVICE-NAME> keyword. In such a scenario, the disk-size is ignored if specified. The VM has the install media as first boot device.

Installation media: VM archive

<DEVICE>#virtual-machine install type vm-archive install-media flash:/vms/<VM-NAME> vcpus 3

In the preceding example, the default configuration attached with the VM archive overrides any parameters specified.

Exporting an installed VM:

<DEVICE>#virtual-machine export <VM-NAME> <URL> on <DEVICE-NAME>

In the preceding example, the command copies the VM archive on to the URL (VM should be in stop state).

<exsw6>>virtual-machine install team-urc
Virtual Machine install team-urc command successfully sent.
<exsw6>>

vx9000-DE6F97>virtual-machine add-drive sdb
vx9000-DE6F97>show virtual-machine volume-group status
-----------------------------------------
Logical Volume: lv1
-----------------------------------------
 STATUS           : available
 SIZE             : 81.89 GiB
 VOLUME GROUP     : vg0
 PHYSICAL VOLUMES :
     sda10        : 73.90 GiB
     sdc1         : 8.00 GiB
 AVAILABLE DISKS  :
     sdb          : size: 8590MB
-----------------------------------------
* indicates a drive that must be resized
-----------------------------------------
vx9000-DE6F97>
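The destination formats listed for virtual-machine export put the account password on the command line, and three of the four transports are unencrypted. The following Python check is an added example, not part of the guide: it reviews recorded command lines for those URL forms and masks the password before the line is stored or shared. The sample command lines (VM name, account, password, server address) are constructed.

```python
import re
from urllib.parse import urlsplit

# Transports named in the guide's URL formats; of these only sftp is encrypted.
CLEARTEXT = {"tftp", "ftp", "http"}
URL_RE = re.compile(r"\b(?:tftp|sftp|ftp|http)://\S+", re.IGNORECASE)
# Matches "user:password@" directly after the scheme separator.
USERINFO_RE = re.compile(r"(://[^:/@\s]+):[^@/\s]*@")


def redact(text):
    """Mask the password in every user:password@ authority found in text."""
    return USERINFO_RE.sub(r"\1:***@", text)


def review_url(url):
    """Return (redacted_url, findings) for one transfer URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    findings = []
    if scheme in CLEARTEXT:
        findings.append(f"{scheme}: image and settings cross the network unencrypted")
    if parts.password is not None:
        findings.append("password is typed on the command line")
        if scheme in CLEARTEXT:
            findings.append(f"{scheme}: password is sent unencrypted")
    return redact(url), findings


def audit_commands(lines):
    """Return (line_number, redacted_line, findings) for each line with findings."""
    results = []
    for number, line in enumerate(lines, start=1):
        findings = []
        for match in URL_RE.finditer(line):
            findings.extend(review_url(match.group(0))[1])
        if findings:
            results.append((number, redact(line), findings))
    return results


# Constructed command lines that follow the guide's export syntax.
SAMPLE = [
    "virtual-machine export vm1 ftp://backup:Pa55w0rd@192.168.13.20/vms/vm1.img on nx9500-6C8809",
    "virtual-machine export vm1 sftp://backup:Pa55w0rd@192.168.13.20:22/vms/vm1.img",
    "virtual-machine export vm1 tftp://192.168.13.20/vms/vm1.img",
    "show virtual-machine volume-group status",
]

if __name__ == "__main__":
    for number, line, findings in audit_commands(SAMPLE):
        print(f"line {number}: {line}")
        for finding in findings:
            print(f"    - {finding}")
```

An sftp destination still leaves the password in any recorded command line, so the redaction step applies to it as well.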
2.1.34 watch

Repeats the specified CLI command at periodic intervals

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

watch <1-3600> <LINE>

Parameters

• watch <1-3600> <LINE>

watch – Repeats a CLI command at a specified interval (in seconds)
<1-3600> – Select an interval from 1 - 3600 sec. Pressing CTRL-Z halts execution of the command.
<LINE> – Specify the CLI command.

Example

rfs6000-81742D>watch 40 ping 192.168.13.13
PING 192.168.13.13 (192.168.13.13) 100(128) bytes of data.
108 bytes from 192.168.13.13: icmp_seq=1 ttl=64 time=0.335 ms
108 bytes from 192.168.13.13: icmp_seq=2 ttl=64 time=0.217 ms
108 bytes from 192.168.13.13: icmp_seq=3 ttl=64 time=0.209 ms
108 bytes from 192.168.13.13: icmp_seq=4 ttl=64 time=0.202 ms
108 bytes from 192.168.13.13: icmp_seq=5 ttl=64 time=0.235 ms

--- 192.168.13.13 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.202/0.239/0.335/0.051 ms
rfs6000-81742D>
2.1.35 exit

Ends the current CLI session and closes the session window

For more information, see exit.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

exit

Parameters

None

Example

rfs6000-81742D>exit
3 PRIVILEGED EXEC MODE COMMANDS

Most PRIV EXEC commands set operating parameters. Privileged-level access should be password protected to prevent unauthorized use. The PRIV EXEC command set includes commands contained within the USER EXEC mode. The PRIV EXEC mode also provides access to configuration modes, and includes advanced testing commands.

The PRIV EXEC mode prompt consists of the hostname of the device followed by a pound sign (#).

To access the PRIV EXEC mode, enter the following at the prompt:

<DEVICE>>enable
<DEVICE>#

The PRIV EXEC mode is often referred to as the enable mode, because the enable command is used to enter the mode.

There is no provision to configure a password to get direct access to PRIV EXEC (enable) mode.

NOTE: To password-protect the Privilege mode, in the Management Policy, configure the privilege-mode-password. For more information, see privilege-mode-password.

<DEVICE>#?
Privileged command commands:
  archive                     Manage archive files
  boot                        Boot commands
  captive-portal-page-upload  Captive portal internal and advanced page upload
  cd                          Change current directory
  change-passwd               Change password
  clear                       Clear
  clock                       Configure software system clock
  cluster                     Cluster commands
  commit                      Commit all changes made in this session
  configure                   Enter configuration mode
  connect                     Open a console connection to a remote device
  copy                        Copy contents of one dir to another
  cpe                         T5 CPE configuration
  create-cluster              Create a cluster
  crypto                      Encryption related commands
  crypto-cmp-cert-update      Update the cmp certs
  database                    Database
  database-backup             Backup database
  database-restore            Restore database
  debug                       Debugging functions
  delete                      Deletes specified file from the system
  device-upgrade              Device firmware upgrade
  diff                        Display differences between two files
  dir                         List files on a filesystem
  disable                     Turn off privileged mode command
  edit                        Edit a text file
  enable                      Turn on privileged mode command
  erase                       Erase a filesystem
  ex3500                      EX3500 commands
  factory-reset               Delete startup configuration on device(s),
                              reload the device(s) and remove configuration
                              entry from the controller
  file-sync                   File sync between controller and adoptees
  format                      Format file system
  halt                        Halt the system
  help                        Description of the interactive help system
  join-cluster                Join the cluster
  l2tpv3                      L2tpv3 protocol
  logging                     Modify message logging facilities
  mint                        MiNT protocol
  mkdir                       Create a directory
  more                        Display the contents of a file
  no                          Negate a command or set its defaults
  on                          On RF-Domain
  opendns                     Opendns username/password configuration
  page                        Toggle paging
  ping                        Send ICMP echo messages
  ping6                       Send ICMPv6 echo messages
  pwd                         Display current directory
  raid                        RAID operations
  re-elect                    Perform re-election
  reload                      Halt and perform a warm reboot
  remote-debug                Troubleshoot remote system(s)
  rename                      Rename a file
  revert                      Revert changes
  rmdir                       Delete a directory
  self                        Config context of the device currently logged
                              into
  service                     Service Commands
  show                        Show running system information
  ssh                         Open an ssh connection
  t5                          T5 commands
  telnet                      Open a telnet connection
  terminal                    Set terminal line parameters
  time-it                     Check how long a particular command took between
                              request and completion of response
  traceroute                  Trace route to destination
  traceroute6                 Trace route to destination(IPv6)
  upgrade                     Upgrade software image
  upgrade-abort               Abort an ongoing upgrade
  virtual-machine             Virtual Machine
  watch                       Repeat the specific CLI command at a periodic
                              interval
  write                       Write running configuration to memory or
                              terminal

  clrscr                      Clears the display screen
  exit                        Exit from the CLI

<DEVICE>#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character.
3.1 Privileged Exec Mode Commands

The following table summarizes the PRIV EXEC Mode commands:

Table 3.1 Privileged Exec Commands

Command | Description | Reference
archive | Manages file archive operations | page 3-6
boot | Specifies the boot partition (primary or secondary). The device uses the image stored in the specified partition to boot. | page 3-8
captive-portal-page-upload | Uploads captive portal advanced pages to adopted access points | page 3-9
cd | Changes the current directory | page 3-13
change-passwd | Changes the password of a logged user | page 3-14
clear | Clears parameters, cache entries, table entries, and other similar entries | page 3-15
clock | Configures the system clock | page 3-28
cluster | Initiates a cluster context | page 3-29
configure | Enters the global configuration mode | page 3-30
connect | Begins a console connection to a remote device | page 3-31
copy | Copies a file from any location to the wireless controller, service platform, or access point | page 3-32
cpe | Enables adopted T5 Customer Premises Equipment (CPE) device(s) management. Use this command to perform the following operations on the CPEs: boot, reload, upgrade. This command is specific to the RFS4000, RFS6000, and NX9500 devices. | page 3-33
create-cluster | Creates a new cluster on a specified device | page 3-35
crypto | Enables encryption | page 3-37
crypto-cmp-cert-update | Triggers a CMP certificate update on a specified device or devices | page 3-46
database | Enables automatic repairing (vacuuming) and dropping of databases (Captive-portal and NSight) | page 3-47
database-backup | Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server | page 3-50
database-restore | Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases (backed up to a specified FTP or SFTP server) are restored to the original database. | page 3-52
delete | Deletes a specified file from the system | page 3-53
device-upgrade | Configures device firmware upgrade parameters | page 3-54
diff | Displays the differences between two files | page 3-60
dir | Displays the list of files on a file system | page 3-61
disable | Disables the privileged mode command set | page 3-62
edit | Enables text file editing | page 3-63
enable | Turns on (enables) the privileged mode commands set | page 3-64
erase | Erases a file system | page 3-65
ex3500 | Enables EX3500 switch firmware management. Use this command to perform the following operations: boot, copy, delete, and IP related configurations. | page 3-67
factory-reset | Erases startup configuration on a specified device or all devices within a specified RF Domain | page 3-75
file-sync | Configures parameters enabling syncing of PKCS#12 and wireless-bridge certificate between the staging-controller and adopted access points | page 3-79
halt | Halts a device (access point, wireless controller, or service platform) | page 3-82
join-cluster | Adds a device (access point, wireless controller, or service platform), as cluster member, to an existing cluster of devices | page 3-83
l2tpv3 | Establishes or brings down Layer 2 Tunneling Protocol Version 3 (L2TPV3) tunnels | page 3-85
logging | Modifies message logging parameters | page 3-87
mint | Configures MiNT protocols | page 3-89
mkdir | Creates a new directory in the file system | page 3-91
more | Displays the contents of a file | page 3-92
no | Reverts a command or sets values to their default | page 3-93
on | Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, show | page 3-95
opendns | Connects to the OpenDNS site using OpenDNS registered credentials (username, password) OR OpenDNS API token to fetch the OpenDNS device_id. This command is a part of the process integrating access points, controllers, and service platforms with OpenDNS. | page 3-96
page | Toggles a device’s (access point, wireless controller, or service platform) paging function | page 3-100
ping | Sends ICMP echo messages to a user-specified location | page 3-101
ping6 | Sends ICMPv6 echo messages to a user-specified location | page 3-103
pwd | Displays the current directory | page 3-104
re-elect | Re-elects the tunnel controller (wireless controller, service platform, or access point) | page 3-105
reload | Halts a device (wireless controller, service platform, or access point) and performs a warm reboot | page 3-106
rename | Renames a file in the existing file system | page 3-111
rmdir | Deletes an existing file from the file system | page 3-112
self | Displays the configuration context of the device | page 3-113
ssh | Connects to another device using a secure shell | page 3-114
t5 | Executes the following operations on a T5 device: copy, rename, delete, and write. This command is specific to the RFS4000, RFS6000, NX9500 devices. | page 3-115
telnet | Opens a Telnet session | page 3-117
terminal | Sets the length and width of the terminal window | page 3-118
time-it | Verifies the time taken by a particular command between request and response | page 3-119
traceroute | Traces the route to a defined destination | page 3-120
traceroute6 | Sends ICMPv6 echo messages to a user-specified location | page 3-121
upgrade | Upgrades the logged device’s software image | page 3-122
upgrade-abort | Aborts an ongoing software image upgrade | page 3-126
virtual-machine | Installs, configures, and monitors the status of virtual machines (VMs) installed on a WiNG controller | page 3-127
watch | Repeats a specified CLI command at a periodic interval | page 3-133
raid | Enables RAID management. This command is specific to the NX7530, NX9500, and NX9510 service platforms. | page 3-135

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

NOTE: The input parameter <HOSTNAME>, if used in syntaxes across this chapter, cannot include an underscore (_) character.
3.1.1 archive

Manages file archive operations

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

archive tar /table [<FILE>|<URL>]
archive tar /create [<FILE>|<URL>] <FILE>
archive tar /xtract [<FILE>|<URL>] <DIR>

Parameters

• archive tar /table [<FILE>|<URL>]

tar – Manipulates (creates, lists, or extracts) a tar file
/table – Lists the files in a tar file
<FILE> – Defines a tar filename
<URL> – Sets the tar file URL

• archive tar /create [<FILE>|<URL>] <FILE>

tar – Manipulates (creates, lists or extracts) a tar file
/create – Creates a tar file
<FILE> – Defines tar filename
<URL> – Sets the tar file URL

• archive tar /xtract [<FILE>|<URL>] <DIR>

tar – Manipulates (creates, lists or extracts) a tar file
/xtract – Extracts content from a tar file
<FILE> – Defines tar filename
<URL> – Sets the tar file URL
<DIR> – Specify a directory name. When used with /create, dir is the source directory for the tar file. When used with /xtract, dir is the destination file where contents of the tar file are extracted.

Example

The following examples show how to zip the folder flash:/log/:

nx9500-6C8809#dir flash:/
Directory of flash:/

  -rw-   62937     Tue Nov 24 16:00:06 2015   run-config-backup.txt
  drwx             Mon Apr  3 12:40:23 2017   crashinfo
  drwx             Wed Mar 22 13:58:28 2017   upgrade
  drwx             Mon Sep 28 09:48:33 2015   tmptpd
  drwx             Wed Apr  5 11:20:11 2017   log
  drwx             Thu Mar 30 15:07:54 2017   archived_logs
  drwx             Tue May 24 22:23:54 2016   cache
  drwx             Thu Feb 19 08:53:45 2015   floorplans
  -rw-   42018304  Tue Sep 27 10:19:24 2016   in.tar
  drwx             Tue Jan 17 10:02:01 2017   hotspot

nx9500-6C8809#

nx9500-6C8809#archive tar /create flash:/in.tar flash:/log/
log/nsightd.log.1
log/nsight_reportd.log
log/messages.1.log
log/martdb.log
log/reportd.log.2
log/adopts.log.2
log/mongod.log.2
log/dpd2.log
log/nsight_server.log
log/mart_websock_server.log
log/nuxi/
log/nuxi/beanyaml.log
log/nuxi/statsreqresp.1.log
log/nuxi/hadoop.log.2014-08-03
log/nuxi/puts.log
log/nuxi/copy2w.log
log/nuxi/obj2yaml.log
log/nuxi/infl.log
--More--
nx9500-6C8809#

nx9500-6C8809#dir flash:/
Directory of flash:/

  -rw-   62937     Tue Nov 24 16:00:06 2015   run-config-backup.txt
  drwx             Thu Sep 22 00:12:07 2016   crashinfo
  drwx             Sat Sep 17 05:14:43 2016   upgrade
  drwx             Mon Sep 28 09:48:33 2015   tmptpd
  drwx             Tue Sep 27 09:59:12 2016   log
  drwx             Mon Sep 26 09:58:54 2016   archived_logs
  drwx             Tue May 24 22:23:54 2016   cache
  drwx             Thu Feb 19 08:53:45 2015   floorplans
  -rw-   42018304  Tue Sep 27 10:19:24 2016   in.tar
  drwx             Mon Sep 15 03:40:02 2014   hotspot

nx9500-6C8809#

3.1.2 boot

Specifies the image used after reboot

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
boot system [primary|secondary] {on <DEVICE-NAME>}

Parameters
• boot system [primary|secondary] {on <DEVICE-NAME>}

system [primary|secondary]
  Specifies the image used after a device reboot
  • primary – Uses the primary image after reboot
  • secondary – Uses the secondary image after reboot
on <DEVICE-NAME>
  Optional. Specifies the primary or secondary image location on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
     IMAGE            BUILD DATE             INSTALL DATE          VERSION
--------------------------------------------------------------------------------
  Primary       03/26/2017 01:48:56     03/30/2017 15:02:18     5.9.0.0-012D
  Secondary     03/17/2017 13:13:38     03/22/2017 13:36:50     5.9.0.0-010D
--------------------------------------------------------------------------------
Current Boot       : Primary
Next Boot          : Primary
Software Fallback  : Enabled
VM support         : Not present
nx9500-6C8809#
nx9500-6C8809#boot system secondary
Updated system boot partition
nx9500-6C8809#
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
     IMAGE            BUILD DATE             INSTALL DATE          VERSION
--------------------------------------------------------------------------------
  Primary       03/26/2017 01:48:56     03/30/2017 15:02:18     5.9.0.0-012D
  Secondary     03/17/2017 13:13:38     03/22/2017 13:36:50     5.9.0.0-010D
--------------------------------------------------------------------------------
Current Boot       : Primary
Next Boot          : Secondary
Software Fallback  : Enabled
VM support         : Not present
nx9500-6C8809#
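
A check that can be run over captured `show boot` output, added here as an example and not taken from the Extreme Networks guide: it parses the image table and the Current Boot / Next Boot fields and reports when the next reboot will move the device to an image with an earlier build date. The function names are illustrative; the sample is the second capture from the example above.

```python
import re
from datetime import datetime

# Second `show boot` capture from the example above, taken after
# `boot system secondary` was entered.
SHOW_BOOT_AFTER = """\
--------------------------------------------------------------------------------
     IMAGE            BUILD DATE             INSTALL DATE          VERSION
--------------------------------------------------------------------------------
  Primary       03/26/2017 01:48:56     03/30/2017 15:02:18     5.9.0.0-012D
  Secondary     03/17/2017 13:13:38     03/22/2017 13:36:50     5.9.0.0-010D
--------------------------------------------------------------------------------
Current Boot       : Primary
Next Boot          : Secondary
Software Fallback  : Enabled
VM support         : Not present
"""

# One row of the image table: name, build date, install date, version.
IMAGE_ROW = re.compile(
    r"^\s*(Primary|Secondary)\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\S+)\s*$"
)
# "Name : value" lines that follow the table.
STATUS_ROW = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")
STAMP = "%m/%d/%Y %H:%M:%S"


def parse_show_boot(text):
    """Return (images, status) parsed from `show boot` output."""
    images, status = {}, {}
    for line in text.splitlines():
        row = IMAGE_ROW.match(line)
        if row:
            images[row.group(1)] = {
                "built": datetime.strptime(row.group(2), STAMP),
                "installed": datetime.strptime(row.group(3), STAMP),
                "version": row.group(4),
            }
            continue
        row = STATUS_ROW.match(line)
        if row:
            status[row.group(1)] = row.group(2)
    return images, status


def review_boot_state(text):
    """Summarise what the next reboot will do to the running firmware."""
    images, status = parse_show_boot(text)
    current, pending = status.get("Current Boot"), status.get("Next Boot")
    if current not in images or pending not in images:
        raise ValueError("show boot output is missing the image table or boot fields")
    return {
        "current": current,
        "next": pending,
        "next_version": images[pending]["version"],
        "switch_pending": pending != current,
        # Compared on the BUILD DATE column: an earlier date on the pending
        # image means the next reboot moves the device to older firmware.
        "older_build": images[pending]["built"] < images[current]["built"],
    }


if __name__ == "__main__":
    print(review_boot_state(SHOW_BOOT_AFTER))
```
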

3.1.3 captive-portal-page-upload

Uploads captive portal advanced pages to connected access points. Use this command to provide connected access points with specific captive portal configurations so they can successfully provision login, welcome, and condition pages to requesting clients attempting to access the wireless network using the captive portal.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
captive-portal-page-upload [<CAPTIVE-PORTAL-NAME>|cancel-upload|delete-file|load-file]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all|rf-domain]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all] {from-controller} {(upload-time <TIME>)}
captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]
captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>
captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>

NOTE: Ensure that the captive portal pages to be uploaded are *.tar files.

Parameters
• captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}

captive-portal-page-upload <CAPTIVE-PORTAL-NAME>
  Uploads advanced pages specified by the <CAPTIVE-PORTAL-NAME> parameter
  • <CAPTIVE-PORTAL-NAME> – Specify captive portal name (should be existing and configured).
<MAC/HOSTNAME>
  Uploads to a specified AP
  • <MAC/HOSTNAME> – Specify the AP’s MAC address or hostname.
all
  Uploads to all APs
upload-time <TIME>
  Optional. Schedules an upload time
  • <TIME> – Specify upload time in the MM/DD/YYYY-HH:MM or HH:MM format.
  The scheduled upload time is your local system’s time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device.

To view a list of uploaded captive portal files, execute the show > captive-portal-page-upload > list-files <CAPTIVE-PORTAL-NAME> command.

• captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all] {from-controller} {(upload-time <TIME>)}

captive-portal-page-upload <CAPTIVE-PORTAL-NAME>
  Uploads advanced pages specified by the <CAPTIVE-PORTAL-NAME> parameter
  • <CAPTIVE-PORTAL-NAME> – Specify captive portal name (should be existing and configured).
rf-domain [<DOMAIN-NAME>|all]
  Uploads to all APs within a specified RF Domain or all RF Domains
  • <DOMAIN-NAME> – Uploads to APs within a specified RF Domain. Specify the RF Domain name.
  • all – Uploads to APs across all RF Domains
from-controller
  Optional. Uploads to APs from the adopted device
upload-time <TIME>
  Optional. Schedules an AP upload
  • <TIME> – Specify upload time in the MM/DD/YYYY-HH:MM or HH:MM format.
  The scheduled upload time is your local system’s time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device.

• captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]

captive-portal-page-upload cancel-upload
  Cancels a scheduled AP upload
cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]
  Select one of the following options:
  • <MAC/HOSTNAME> – Cancels a scheduled upload to a specified AP. Specify the AP MAC address or hostname.
  • all – Cancels all scheduled AP uploads
  • on rf-domain – Cancels all scheduled uploads within a specified RF Domain or all RF Domains
    • <DOMAIN-NAME> – Cancels scheduled uploads within a specified RF Domain. Specify RF Domain name.
    • all – Cancels scheduled uploads across all RF Domains

• captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>

captive-portal-page-upload delete-file
  Deletes a specified captive portal’s uploaded captive-portal internal page files
<CAPTIVE-PORTAL-NAME> <FILE-NAME>
  Deletes the uploaded internal page files of the captive portal identified by the <CAPTIVE-PORTAL-NAME> keyword
  • <CAPTIVE-PORTAL-NAME> – Specify the captive portal’s name.
  • <FILE-NAME> – Specify the file name. The specified internal captive portal page is deleted.

• captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>

captive-portal-page-upload load-file
  Loads captive-portal advanced pages
<CAPTIVE-PORTAL-NAME> <URL>
  Specify captive portal name (should be existing and configured) and location.
  • <URL> – Specifies location of the captive-portal's advanced pages. Use one of the following formats:
    IPv4 URLs:
    tftp://<hostname|IP>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    http://<hostname|IP>[:port]/path/file
    cf:/path/file
    usb<n>:/path/file
    IPv6 URLs:
    tftp://<hostname|[IPv6]>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
    sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
    http://<hostname|[IPv6]>[:port]/path/file
  Note: The captive portal pages are downloaded to the controller from the location specified here. After downloading, use the captive-portal-page-upload > <CAPTIVE-PORTAL-NAME> > <DEVICE-OR-DOMAIN-NAME> command to upload these pages to APs.

Example
ap6562-B1A214#captive-portal-page-upload load-file captive_portal_test tftp://89.89.89.17/pages_new_only.tar
ap6562-B1A214#
ap6562-B1A214#show captive-portal-page-upload load-image-status
Download of captive_portal_test advanced page file is complete
ap6562-B1A214#
ap6562-B1A214#captive-portal-page-upload captive_portal_test all
--------------------------------------------------------------------------------
         CONTROLLER             STATUS                   MESSAGE
--------------------------------------------------------------------------------
  FC-0A-81-B1-A2-14         Success         Added 6 APs to upload queue
--------------------------------------------------------------------------------
ap6562-B1A214#
ap6562-B1A214#show captive-portal-page-upload status
Number of APs currently being uploaded : 1
Number of APs waiting in queue to be uploaded : 0
---------------------------------------------------------------------------------------
    AP           STATE     UPLOAD TIME PROGRESS RETRIES LAST UPLOAD ERROR UPLOADED BY
---------------------------------------------------------------------------------------
  ap6562-B1A738   downloading   immediate   100      0       -                 None
---------------------------------------------------------------------------------------
ap6562-B1A214#

The following example lists captive portal CP-BW uploaded files:

nx7500-7F2C13#show captive-portal-page-upload list-files CP-BW
--------------------------------------------------------------------------------
       NAME                   SIZE                LAST MODIFIED
--------------------------------------------------------------------------------
  CP-BW-1.tar.gz              6133              2017-05-16 10:38:40
  CP-BW.tar.gz                3370              2017-05-16 10:45:44
--------------------------------------------------------------------------------
nx7500-7F2C13#
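
The `<URL>` formats accepted by `load-file` differ in what they protect: TFTP has no authentication or encryption, FTP and HTTP are unencrypted, and the FTP and SFTP forms carry the password inside the typed command. The following audit of recorded `load-file` command lines is an added example, not part of the Extreme Networks guide; the finding labels and function names are illustrative, the first sample line is the page's own example, and the remaining lines are constructed.

```python
import re
from urllib.parse import urlsplit

COMMAND = re.compile(r"captive-portal-page-upload\s+load-file\s+(\S+)\s+(\S+)")
LOCAL = re.compile(r"^(cf|usb\d+):/")        # cf:/path/file, usb<n>:/path/file
NETWORK = {"tftp", "ftp", "sftp", "http"}     # network schemes listed for <URL>

SAMPLE_HISTORY = [
    # From the page's example.
    "ap6562-B1A214#captive-portal-page-upload load-file captive_portal_test "
    "tftp://89.89.89.17/pages_new_only.tar",
    # Constructed lines (documentation address ranges, made-up credentials).
    "nx7500-7F2C13#captive-portal-page-upload load-file CP-BW "
    "ftp://cpadmin:S3cret@192.0.2.10/cp/CP-BW.tar",
    "nx7500-7F2C13#captive-portal-page-upload load-file CP-BW "
    "sftp://cpadmin:S3cret@[2001:db8::10]:22/cp/CP-BW.tar",
    "nx7500-7F2C13#captive-portal-page-upload load-file CP-BW usb1:/cp/CP-BW.tar",
    "nx7500-7F2C13#show captive-portal-page-upload load-image-status",
]


def audit_load_file(command_line):
    """Audit one `load-file` command line; return None for other commands."""
    match = COMMAND.search(command_line)
    if not match:
        return None
    portal, url = match.groups()
    report = {"portal": portal, "scheme": None, "host": None,
              "redacted": url, "findings": []}

    local = LOCAL.match(url)
    if local:                                  # cf: / usb<n>: never leave the device
        report["scheme"] = local.group(1)
        return report

    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in NETWORK or not parts.hostname:
        raise ValueError(f"not one of the documented <URL> formats: {url!r}")
    report["scheme"], report["host"] = scheme, parts.hostname

    if scheme in ("tftp", "ftp", "http"):
        report["findings"].append("unencrypted-transport")
    if scheme == "tftp":
        report["findings"].append("no-authentication")
    if parts.password is not None:
        report["findings"].append("password-in-url")
        # Rebuild the URL with the password masked so the report itself
        # can be stored or shared.
        userinfo, _, hostport = parts.netloc.rpartition("@")
        user = userinfo.split(":", 1)[0]
        report["redacted"] = parts._replace(netloc=f"{user}:***@{hostport}").geturl()
    return report


def audit_history(lines):
    """Audit every load-file command found in a list of recorded CLI lines."""
    return [r for r in map(audit_load_file, lines) if r is not None]


if __name__ == "__main__":
    for item in audit_history(SAMPLE_HISTORY):
        print(item["portal"], item["redacted"], item["findings"])
```
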

3.1.4 cd

Changes the current directory

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cd {<DIR>}

Parameters
• cd {<DIR>}

<DIR>
  Optional. Changes the current directory to the directory identified by the <DIR> keyword. If a directory name is not provided, the system displays the current directory.

Example
rfs6000-81742D#cd flash:/log/
rfs6000-81742D#pwd
flash:/log/
rfs6000-81742D#

3.1.5 change-passwd

Changes the password of a logged-in user. When this command is executed without any parameters, the password can be changed interactively.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
change-passwd <OLD-PASSWORD> <NEW-PASSWORD>

Parameters
• change-passwd <OLD-PASSWORD> <NEW-PASSWORD>

<OLD-PASSWORD>
  Specify the password to be changed.
<NEW-PASSWORD>
  Specify the new password.
  Note: The password can also be changed interactively. To do so, press [Enter] after the command.

Usage Guidelines
A password must be from 1 - 64 characters in length.

Example
rfs6000-81742D#change-passwd
Enter old password:
Enter new password:
Password for user 'admin' changed successfully
Please write this password change to memory(write memory) to be persistent.
rfs6000-81742D#write memory
OK
rfs6000-81742D#

3.1.6 clear

Clears parameters, cache entries, table entries, and other entries. The clear command is available for specific commands only. The information cleared using this command varies depending on the mode where the clear command is executed.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

NOTE: When using the clear command, refer to the interface details provided in interface.

Syntax
clear [arp-cache|bonjour|cdp|counters|crypto|eguest|event-history|firewall|gre|ip|ipv6|l2tpv3-stats|lacp|license|lldp|logging|mac-address-table|mint|role|rtls|spanning-tree|traffic-shape|vrrp]
clear arp-cache {on <DEVICE-NAME>}
clear bonjour cache {on <DEVICE-NAME>}
clear [cdp|lldp] neighbors {on <DEVICE-NAME>}
clear counters [all|ap|bridge|interface|radio|router|thread|wireless-client]
clear counters [all|bridge|router|thread]
clear counters [ap|wireless-client] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
clear counters interface [<INTERFACE-NAME>|all|ge <1-X>|me1|port-channel <1-X>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]
clear counters radio {<MAC/HOSTNAME>|on}
clear counters radio {<MAC/HOSTNAME> <1-X>} {(on <DEVICE-OR-DOMAIN-NAME>)}
clear crypto [ike|ipsec]
clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}
clear crypto ipsec sa {on <DEVICE-NAME>}
clear eguest registration statistics
clear event-history
clear firewall [dhcp snoop-table|dos stats|flows [ipv4|ipv6]|neighbors snoop-table] {on <DEVICE-NAME>}
clear gre stats {on <DEVICE-NAME>}
clear ip [bgp|dhcp|ospf]
clear ip bgp [<IP>|all|external|process]
clear ip bgp [<IP>|all|external] {in|on|out|soft}
clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}
clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}
clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}
clear ip bgp process {on <DEVICE-NAME>}
clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}
clear ip ospf process {on <DEVICE-NAME>}
clear ipv6 neighbor-cache {on <DEVICE-NAME>}
clear lacp [<1-4> counters|counters]
clear l2tpv3-stats tunnel <L2TPV3-TUNNEL-NAME> {session <SESSION-NAME>} {(on <DEVICE-NAME>)}
clear license [borrowed|lent]
clear license borrowed {on <DEVICE-NAME>}
clear license lent to <DEVICE-NAME> {on <DEVICE-NAME>}
clear logging {on <DEVICE-NAME>}
clear mac-address-table {address|interface|mac-auth-state|vlan} {on <DEVICE-NAME>}
clear mac-address-table mac-auth-state address <MAC> vlan <1-4094> {on <DEVICE-NAME>}
clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}
clear mac-address-table interface [<IF-NAME>|ge <1-X>|port-channel <1-X>|t1e1 <1-4> <1-1>|up <1-X>|xge <1-4>] {on <DEVICE-NAME>}
clear mint mlcp history {on <DEVICE-NAME>}
clear role ldap-stats {on <DEVICE-NAME>}
clear rtls [aeroscout|ekahau]
clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|on <DEVICE-OR-DOMAIN-NAME>}
clear spanning-tree detected-protocols {interface|on <DEVICE-NAME>}
clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-x>|me1|port-channel <1-x>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]} {on <DEVICE-NAME>}
clear traffic-shape statistics {class <1-4>} {(on <DEVICE-NAME>)}
clear vrrp [error-stats|stats] {on <DEVICE-NAME>}

The following clear command is specific to the NX95XX series service platforms:
clear logging analytics {on <DEVICE-NAME>}
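
Not every form in the syntax above has the same weight for someone reviewing administrator activity: the logging and event-history forms remove recorded history, several forms remove live state (firewall tables and sessions, IKE/IPSec SAs, DHCP bindings, MAC table entries), and the rest reset counters and statistics. The triage below is an added example, not part of the Extreme Networks guide; the three categories are this example's own grouping, and the audit-line layout and sample lines are constructed, not WiNG's log format.

```python
import re

# Constructed audit lines. The "<time> <device> user=<name> cmd=<quoted>" layout
# is a hypothetical export format, not WiNG's own log format.
SAMPLE_AUDIT = """\
2017-05-16T10:31:02 nx7500-7F2C13 user=admin cmd="clear counters radio"
2017-05-16T10:40:11 nx7500-7F2C13 user=ops2 cmd="clear firewall flows ipv4 on ap6562-B1A738"
2017-05-16T10:40:35 nx7500-7F2C13 user=ops2 cmd="clear event-history"
2017-05-16T10:40:41 nx7500-7F2C13 user=ops2 cmd="clear logging on ap6562-B1A738"
2017-05-16T10:52:19 nx7500-7F2C13 user=admin cmd="clear crypto ike sa all"
2017-05-16T11:02:00 nx7500-7F2C13 user=admin cmd="show boot"
"""

AUDIT_LINE = re.compile(r'^(\S+) (\S+) user=(\S+) cmd="([^"]*)"$')
# Trailing `on <DEVICE-NAME>` / `on <DEVICE-OR-DOMAIN-NAME>` selects a remote target.
TARGET = re.compile(r"\bon (\S+)$")

# Ordered rules, first match wins. Keywords are taken from the syntax above.
RULES = [
    ("record", re.compile(r"^clear (logging|event-history)\b")),
    ("state", re.compile(
        r"^clear (firewall (dhcp snoop-table|flows|neighbors snoop-table)"
        r"|crypto (ike|ipsec) sa|ip dhcp bindings|mac-address-table)\b")),
    ("stats", re.compile(r"^clear \S")),
]


def classify(command):
    """Return 'record', 'state', 'stats', or None if this is not a clear command."""
    normalised = " ".join(command.split()).lower()
    for category, pattern in RULES:
        if pattern.search(normalised):
            return category
    return None


def review(audit_text):
    """Return the clear commands that removed recorded history or live state."""
    alerts = []
    for line in audit_text.splitlines():
        parsed = AUDIT_LINE.match(line.strip())
        if not parsed:
            continue
        when, device, user, command = parsed.groups()
        category = classify(command)
        if category not in ("record", "state"):
            continue
        target = TARGET.search(command)
        alerts.append({
            "time": when,
            "user": user,
            "category": category,
            # Without `on <name>` the command acts on the device it was typed on.
            "target": target.group(1) if target else device,
            "command": command,
        })
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_AUDIT):
        print(alert["time"], alert["user"], alert["category"],
              alert["target"], alert["command"])
```
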

Parameters
• clear arp-cache {on <DEVICE-NAME>}

arp-cache
  Clears Address Resolution Protocol (ARP) cache entries on a device. This protocol matches layer 3 IP addresses to layer 2 MAC addresses.
on <DEVICE-NAME>
  Optional. Clears ARP cache entries on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear bonjour cache {on <DEVICE-NAME>}

bonjour cache
  Clears all Bonjour cached statistics. Once cleared, the system has to re-discover available Bonjour services.
on <DEVICE-NAME>
  Optional. Clears all Bonjour cached statistics on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear [cdp|lldp] neighbors {on <DEVICE-NAME>}

cdp
  Clears Cisco Discovery Protocol (CDP) table entries
lldp
  Clears Link Layer Discovery Protocol (LLDP) neighbor table entries
neighbors
  Clears CDP or LLDP neighbor table entries based on the option selected in the preceding step
on <DEVICE-NAME>
  Optional. Clears CDP or LLDP neighbor table entries on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear counters [all|bridge|router|thread]

counters [all|bridge|router|thread]
  Clears counters on a system
  • all – Clears all counters irrespective of the interface type
  • bridge – Clears bridge counters
  • router – Clears router counters
  • thread – Clears per-thread counters

• clear counters [ap|wireless-client] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

counters [ap|wireless-client]
  Clears counters on a system
  • ap – Clears access point wireless counters
  • wireless-client – Clears wireless client counters
<MAC>
  The following keyword is common to the ‘ap’ and ‘wireless-client’ parameters:
  • <MAC> – Optional. Clears counters of the AP/wireless client identified by the <MAC> keyword. Specify the MAC address of the AP or wireless client.
  The system clears all AP or wireless client counters, if no MAC address is specified.
on <DEVICE-OR-DOMAIN-NAME>
  The following keyword is recursive and is applicable to the <MAC> parameter:
  • on <DEVICE-OR-DOMAIN-NAME> – Optional. Clears AP/wireless-client counters on a specified device or RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.
  If no MAC address is specified, the system clears all AP or wireless client counters on the specified AP, wireless controller, service platform, or RF Domain.

• clear counters interface [<INTERFACE-NAME>|all|ge <1-X>|me1|port-channel <1-X>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]

counters interface [<INTERFACE-NAME>|all|ge <1-X>|me1|port-channel <1-X>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]
  Clears interface counters for a specified interface
  • <INTERFACE-NAME> – Clears counters for a specified interface. Specify the interface name.
  • all – Clears all interface counters
  • ge <1-X> – Clears GigabitEthernet interface counters. Specify the GigabitEthernet interface index from 1 - X.
  • me1 – Clears FastEthernet interface counters
  • port-channel <1-X> – Clears port-channel interface counters. Specify the port channel interface index from 1 - X.
    Note: The number of port-channel interfaces supported varies for different device types. For example, RFS4000 supports 3 port-channels.
  • pppoe1 – Clears Point-to-Point Protocol over Ethernet (PPPoE) interface counters
  • vlan <1-4094> – Clears interface counters. Specify the Switch Virtual Interface (SVI) VLAN ID from 1 - 4094.
  • wwan1 – Clears wireless WAN interface counters
  • xge <1-4> – Clears TenGigabitEthernet interface counters. Specify the GigabitEthernet interface index from 1 - 4.

• clear counters radio {<MAC/HOSTNAME> <1-X>} {(on <DEVICE-OR-DOMAIN-NAME>)}

counters radio
  Clears wireless radio counters
<MAC/HOSTNAME> <1-X>
  Clears counters of a radio identified by the <MAC/HOSTNAME> keyword.
  • <MAC/HOSTNAME> – Optional. Specify the hostname or MAC address. Optionally, append the interface number to form the radio ID in the form of AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX
  • <1-X> – Optional. Specify the radio index (if not specified as part of the radio ID). The maximum number of radio antennas supported varies with the access point type.
  If no MAC address or radio index is specified, the system clears all radio counters.
on <DEVICE-OR-DOMAIN-NAME>
  The following keyword is recursive and is applicable to the <MAC> parameter:
  • on <DEVICE-OR-DOMAIN-NAME> – Optional. Clears AP/wireless-client counters on a specified device or RF Domain
  If no MAC address is specified, the system clears all AP or wireless client counters on the specified AP, wireless controller, service platform, or RF Domain.

• clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}

crypto
  Clears encryption module database
ike sa [<IP>|all]
  Clears Internet Key Exchange (IKE) security associations (SAs)
  • <IP> – Clears IKE SAs for a certain peer
  • all – Clears IKE SAs for all peers
on <DEVICE-NAME>
  Optional. Clears IKE SA entries, for a specified peer or all peers, on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear crypto ipsec sa {on <DEVICE-NAME>}

crypto
  Clears encryption module database
ipsec sa {on <DEVICE-NAME>}
  Clears Internet Protocol Security (IPSec) database SAs
  • on <DEVICE-NAME> – Optional. Clears IPSec SA entries on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear eguest registration statistics

eguest registration statistics
  Clears EGuest registration server counters. When cleared, EGuest registration details are deleted, and the show > eguest > registration > statistics command output is null.
  This command is applicable only on the NX95XX, NX9600, and the VX9000 model platforms.

• clear event-history

event-history
  Clears event history cache entries

• clear firewall [dhcp snoop-table|dos stats|flows [ipv4|ipv6]|neighbors snoop-table] {on <DEVICE-NAME>}

firewall
  Clears firewall event entries
dhcp snoop-table
  Clears DHCP snoop table entries
dos stats
  Clears denial of service statistics
flows [ipv4|ipv6]
  Clears established IPv4 or IPv6 firewall sessions
neighbors snoop-table
  Clears IPv6 neighbors snoop-table entries
on <DEVICE-NAME>
  The following keywords are common to the DHCP, DOS, and flows parameters:
  • on <DEVICE-NAME> – Optional. Clears DHCP snoop table entries, denial of service statistics, or the established firewall sessions on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear gre stats {on <DEVICE-NAME>}

gre stats
  Clears GRE tunnel statistics
on <DEVICE-NAME>
  Optional. Clears GRE tunnel statistics on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}

ip bgp [<IP>|all|external]
  Clears BGP routing table information based on the option selected
  • <IP> – Clears the BGP peer identified by the <IP> keyword. Specify the BGP peer’s IP address.
  • all – Clears route updates received from all BGP peers
  • external – Clears route updates received from external BGP peers
  This command is applicable only to the RFS4000, RFS6000, NX95XX, and NX9600 series service platforms.
  In case of a change in routing policy it is necessary to clear BGP routing table entries in order for the new policy to take effect.
in prefix-filter
  Optional. Clears soft-reconfiguration inbound route updates
  • prefix-filter – Optional. Clears the existing Outbound Route Filtering (ORF) prefix-list.
on <DEVICE-NAME>
  Optional. Clears soft-reconfiguration inbound route updates on a specified device
  • <DEVICE-NAME> – Specify the name of the AP or service platform.

• clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}

ip bgp [<IP>|all|external]
  Clears BGP routing table information based on the option selected
  • <IP> – Clears the BGP peer identified by the <IP> keyword. Specify the BGP peer’s IP address.
  • all – Clears route updates received from all BGP peers
  • external – Clears route updates received from external BGP peers
  This command is applicable only to the RFS4000, RFS6000, and NX95XX series service platforms.
  In case of a change in routing policy it is necessary to clear BGP routing table entries in order for the new policy to take effect.
out
  Optional. Clears soft-reconfiguration outbound route updates. Optionally specify the device on which to execute this command.
on <DEVICE-NAME>
  The following keyword is recursive and optional.
  • on <DEVICE-NAME> – Optional. Clears BGP sessions on a specified device
    • <DEVICE-NAME> – Specify the name of the AP or service platform.

• clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}

ip bgp [<IP>|all|external]
  Clears BGP routing table information based on the option selected
  • <IP> – Clears the BGP peer identified by the <IP> keyword. Specify the BGP peer’s IP address.
  • all – Clears route updates received from all BGP peers
  • external – Clears route updates received from external BGP peers
  This command is applicable only to the RFS4000, RFS6000, and NX95XX series service platforms.
  In case of a change in routing policy it is necessary to clear BGP routing table entries in order for the new policy to take effect.
soft {in|out}
  Optional. Enables soft-reconfiguration of route updates for the specified IP address. This option allows routing tables to be reconfigured without clearing BGP sessions.
  • in – Optional. Enables soft reconfiguration of inbound route updates
  • out – Optional. Enables soft reconfiguration of outbound route updates
  Modifications made to BGP settings (BGP access lists, weight, distance, route-maps, versions, routing policy, etc.) take effect only after on-going BGP sessions are cleared. The clear > ip > bgp command clears BGP sessions. To reduce loss of route updates during the process, use the ‘soft’ option. Soft reconfiguration stores inbound/outbound route updates to be processed later and updated to the routing table. This requires high memory usage.
on <DEVICE-NAME>
  Optional. Clears soft-reconfiguration inbound/outbound route updates on a specified device
  • <DEVICE-NAME> – Specify the name of the AP or service platform.

• clear ip bgp process {on <DEVICE-NAME>}

ip bgp process
  Clears all BGP processes running
  This command is applicable only to the RFS4000, RFS6000, NX95XX, NX9600 platforms.
on <DEVICE-NAME>
  Optional. Clears all BGP processes on a specified device
  • <DEVICE-NAME> – Specify the name of the AP or service platform.

• clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}

ip
  Clears a Dynamic Host Configuration Protocol (DHCP) server’s IP address bindings entries
dhcp bindings
  Clears DHCP server’s connections and address binding entries
<IP>
  Clears specific address binding entries. Specify the IP address to clear binding entries.
all
  Clears all address binding entries
on <DEVICE-NAME>
  Optional. Clears a specified address binding or all address bindings on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear ip ospf process {on <DEVICE-NAME>}

ip ospf process
  Clears an already enabled Open Shortest Path First (OSPF) process and restarts the process
  OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet layer which makes routing decisions based solely on the destination IP address found in IP packets.
on <DEVICE-NAME>
  Optional. Clears OSPF process on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear ipv6 neighbor-cache {on <DEVICE-NAME>}

clear ipv6 neighbor-cache
  Clears IPv6 neighbor cache entries
on <DEVICE-NAME>
  Optional. Clears IPv6 neighbor cache entries on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear lacp [<1-4> counters|counters]

clear lacp [<1-4> counters|counters]
  Clears Link Aggregation Control Protocol (LACP) counters for a specified port-channel group or all port-channel groups configured
  • <1-4> counters – Clears LACP counters for a specified port-channel. Specify the port-channel index number from 1 - 4. Note, LACP is supported only on the NX5500, NX7500, and NX9500 model service platforms. However, the NX9500 series service platforms support only two (2) port-channels, and the other model service platforms support four (4) port-channels.
  • counters – Clears LACP counters for all configured port-channels on the device

• clear l2tpv3-stats tunnel <L2TPV3-TUNNEL-NAME> {session <SESSION-NAME>} {(on <DEVICE-NAME>)}

l2tpv3-stats
  Clears L2TPv3 tunnel session statistics
tunnel <L2TPV3-TUNNEL-NAME>
  Clears all sessions associated with a specified L2TPv3 tunnel
  • <L2TPV3-TUNNEL-NAME> – Specify the L2TPv3 tunnel name.
session <SESSION-NAME>
  Optional. Clears a specified L2TPv3 tunnel session, identified by the <SESSION-NAME> keyword
  • <SESSION-NAME> – Specify the session name.
on <DEVICE-NAME>
  The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Specifies the device running the L2TPv3 tunnel session
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
  If no optional parameters are specified, the system clears all L2TPv3 tunnel session statistics.

• clear license borrowed {on <DEVICE-NAME>}

license borrowed {on <DEVICE-NAME>}
  Releases or revokes all licenses borrowed by a site controller
  • on <DEVICE-NAME> – Optional. Specifies the borrowing controller’s name.
    • <DEVICE-NAME> – Specify the wireless controller’s name.
  If no device name is specified, the system clears all borrowed licenses on the logged device.

• clear license lent to <DEVICE-NAME> {on <DEVICE-NAME>}

license lent
  NOC controller releases or revokes all licenses loaned to a site controller
to <DEVICE-NAME>
  Specifies the borrowing controller’s name
  • <DEVICE-NAME> – Specify the controller's name.
on <DEVICE-NAME>
  Optional. Specifies the controller’s name
  • <DEVICE-NAME> – Specify the wireless controller’s name.
  If no device name is specified, the system clears all loaned licenses on the logged device.

• clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}

mac-address-table
  Clears the MAC address forwarding table
address <MAC>
  Optional. Clears a specified MAC address from the MAC address table.
  • <MAC> – Specify the MAC address in one of the following formats: AA-BB-CC-DD-EE-FF or AA:BB:CC:DD:EE:FF or AABB.CCDD.EEFF
vlan <1-4094>
  Optional. Clears all MAC addresses for a specified VLAN
  • <1-4094> – Specify the VLAN ID from 1 - 4094.
on <DEVICE-NAME>
  Optional. Clears a single entry or all MAC entries for the specified VLAN in the MAC address forwarding table on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear mac-address-table interface [<IF-NAME>|ge <1-X>|port-channel <1-X>|t1e1 <1-4> <1-1>|up <1-X>|xge <1-4>] {on <DEVICE-NAME>}

mac-address-table
  Clears the MAC address forwarding table
interface
  Clears all MAC addresses for the selected interface. Use the options available to specify the interface.
<IF-NAME>
  Clears MAC address forwarding table for the specified layer 2 interface (Ethernet port)
  • <IF-NAME> – Specify the layer 2 interface name.
ge <1-X>
  Clears MAC address forwarding table for the specified GigabitEthernet interface
  • <1-X> – Specify the GigabitEthernet interface index from 1 - X.
port-channel <1-X>
  Clears MAC address forwarding table for the specified port-channel interface
  • <1-X> – Specify the port-channel interface index from 1 - X.
up <1-X>
  Clears MAC address forwarding table for the WAN Ethernet interface
  The number of WAN Ethernet interfaces supported varies for different devices. The RFS4000 and RFS6000 devices support 1 WAN Ethernet interface.
xge <1-4>
  Clears MAC address forwarding table for the specified TenGigabitEthernet interface
  • <1-4> – Specify the GigabitEthernet interface index from 1 - 4.
on <DEVICE-NAME>
  Optional. Clears the MAC address forwarding table, for the selected interface, on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear mac-address-table mac-auth-state address <MAC> vlan <1-4094> {on <DEVICE-NAME>}

mac-address-table mac-auth-state address <MAC> vlan <1-4094>
  Clears MAC addresses learned from a particular VLAN when WLAN MAC authentication and captive-portal fall back is enabled
  Access points/controllers provide WLAN access to clients whose MAC address has been learned and stored in their MAC address tables. Use this command to clear a specified MAC address on the MAC address table. Once cleared, the client has to re-authenticate, and is provided access only on successful authentication.
  • <MAC> – Specify the MAC address to clear.
  • vlan <1-4094> – Specify the VLAN interface from 1 - 4094. In the AP/controller’s MAC address table, the specified MAC address is cleared on the specified VLAN interface.
on <DEVICE-NAME>
  Optional. Clears the specified MAC address on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
  If a device is not specified, the system clears the MAC address from the MAC address table of all devices.

• clear mint mlcp history {on <DEVICE-NAME>}

mint
  Clears MiNT related information
mlcp history
  Clears MiNT Link Creation Protocol (MLCP) client history
on <DEVICE-NAME>
  Optional. Clears MLCP client history on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear role ldap-stats {on <DEVICE-NAME>}

role ldap-stats
  Clears role based Lightweight Directory Access Protocol (LDAP) server statistics
on <DEVICE-NAME>
  Optional. Clears role based LDAP server statistics on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|on <DEVICE-OR-DOMAIN-NAME>}

rtls
  Clears Real Time Location Service (RTLS) statistics
aeroscout
  Clears RTLS Aeroscout statistics
ekahau
  Clears RTLS Ekahau statistics
<MAC/DEVICE-NAME>
  This keyword is common to the ‘aeroscout’ and ‘ekahau’ parameters.
  • <MAC/DEVICE-NAME> – Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified AP, wireless controller, or service platform. Specify the AP’s MAC address or hostname.
on <DEVICE-OR-DOMAIN-NAME>
  This keyword is common to the ‘aeroscout’ and ‘ekahau’ parameters.
  • on <DEVICE-OR-DOMAIN-NAME> – Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified device or RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• clear spanning-tree detected-protocols {on <DEVICE-NAME>}
spanning-tree
  Clears spanning tree protocols on an interface, and also restarts protocol migration
detected-protocols
  Restarts protocol migration
on <DEVICE-NAME>
  Optional. Clears spanning tree protocols on a specified device
  • <DEVICE-NAME> – Optional. Specify the name of the AP, wireless controller, or service platform.

• clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|me1|port-channel <1-X>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]} {on <DEVICE-NAME>}
spanning-tree
  Clears spanning tree protocols on an interface and restarts protocol migration
detected-protocols
  Restarts protocol migration
interface [<INTERFACE-NAME>|ge <1-X>|me1|port-channel <1-X>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]
  Optional. Clears spanning tree entries on different interfaces
  • <INTERFACE-NAME> – Clears detected spanning tree entries on a specified interface. Specify the interface name.
  • ge <1-X> – Clears detected spanning tree entries for the selected GigabitEthernet interface. Select the GigabitEthernet interface index from 1 - X
  • me1 – Clears FastEthernet interface spanning tree entries
  • port-channel <1-X> – Clears detected spanning tree entries for the selected port channel interface. Select the port channel index from 1 - X.
    The number of port-channel interfaces supported varies for different device types. For example, RFS4000 supports 3 port-channels.
  • pppoe1 – Clears detected spanning tree entries for PPPoE interface.
  • vlan <1-4094> – Clears detected spanning tree entries for the selected VLAN interface. Select a SVI VLAN ID from 1 - 4094.
  • wwan1 – Clears detected spanning tree entries for wireless WAN interface
  • xge <1-4> – Clears detected spanning tree entries for TenGigabitEthernet interfaces. Specify the GigabitEthernet interface index from 1 - 4.
on <DEVICE-NAME>
  Optional. Clears spanning tree protocol entries on a selected device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• clear traffic-shape statistics {class <1-4>} {(on <DEVICE-NAME>)}
traffic-shape statistics
  Clears traffic shaping statistics
class <1-4>
  Optional. Clears traffic shaping statistics for a specific traffic class
  • <1-4> – Specify the traffic class from 1 - 4.
  Note: If the traffic class is not specified, the system clears all traffic shaping statistics.
on <DEVICE-NAME>
  Optional. Clears traffic shaping statistics for the specified traffic class on a specified device
  • <DEVICE-NAME> – Specify the name of the access point, wireless controller, or service platform.
  Note: For more information on configuring traffic-shape, see interface.

• clear vrrp [error-stats|stats] {on <DEVICE-NAME>}
vrrp
  Clears Virtual Router Redundancy Protocol (VRRP) statistics for a device
error-stats {on <DEVICE-NAME>}
  Clears global error statistics
  • on <DEVICE-NAME> – Optional. Clears VRRP global error statistics on a selected device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
stats {on <DEVICE-NAME>}
  Clears VRRP related statistics
  • on <DEVICE-NAME> – Optional. Clears VRRP related statistics on a selected device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs4000-229D58#clear crypto ike sa all
rfs4000-229D58#show crypto ike sa
---------------------------------------------------------------------------------------
IDX     PEER         VERSION    ENCR ALGO      HASH ALGO       DH GROUP     IKE STATE
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
Total IKE SAs: 0
rfs4000-229D58#

rfs6000-81742D#clear spanning-tree detected-protocols interface port-channel 1
rfs6000-81742D#clear ip dhcp bindings 172.16.10.9
rfs6000-81742D#clear cdp neighbors
rfs4000-229D58#clear spanning-tree detected-protocols interface ge 1
rfs4000-229D58#clear lldp neighbors

rfs6000-81742D#show event-history
EVENT HISTORY REPORT
Generated on '2017-04-04 13:49:57 IST' by 'admin'
2017-04-04 13:37:31     rfs6000-81742D  SYSTEM     LOGIN                Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-04-04 13:15:19     rfs6000-81742D  SYSTEM     LOGOUT               Logged out user 'admin' with privilege 'superuser' from '192.168.13.10'
2017-04-04 13:09:47     rfs6000-81742D  LICMGR     LIC_AP_AAP_DEPLETED  Depleted AP/AAP license count: 1
2017-04-04 13:09:47     rfs6000-81742D  LICMGR     LIC_AP_AAP_DEPLETED  Depleted AP/AAP license count: 1
--More--
rfs6000-81742D#j
rfs6000-81742D#clear event-history
rfs6000-81742D#show event-history
EVENT HISTORY REPORT
Generated on '2017-04-04 13:51:27 IST' by 'admin'
rfs6000-81742D#

rfs6000-81742D#show mac-address-table
--------------------------------------------------------
 BRIDGE VLAN PORT             MAC               STATE
--------------------------------------------------------
 1      1    up1              00-02-B3-28-D1-55 forward
 1      1    up1              00-0F-8F-19-BA-4C forward
 1      1    up1              84-24-8D-80-C2-AC forward
 1      1    up1              84-24-8D-80-BF-34 forward
 1      1    up1              1C-7E-E5-18-FA-67 forward
 1      1    up1              84-24-8D-83-30-A4 forward
 1      1    up1              B4-C7-99-DD-31-C8 forward
 1      1    up1              B4-C7-99-6C-88-09 forward
 1      1    up1              00-18-71-D0-1B-F3 forward
 1      1    up1              B4-C7-99-71-17-28 forward
 1      1    up1              FC-0A-81-42-93-6C forward
 1      1    up1              B4-C7-99-6D-CD-4B forward
 1      1    up1              84-24-8D-84-A2-24 forward
 1      1    up1              3C-CE-73-F4-47-83 forward
 1      1    up1              B4-C7-99-74-B4-5C forward
--------------------------------------------------------
Total number of MACs displayed: 15
rfs6000-81742D#

rfs6000-81742D>clear mac-address-table address 3C-CE-73-F4-47-83 on rfs6000-81742D
rfs6000-81742D#show mac-address-table
--------------------------------------------------------
 BRIDGE VLAN PORT             MAC               STATE
--------------------------------------------------------
 1      1    up1              00-02-B3-28-D1-55 forward
 1      1    up1              00-0F-8F-19-BA-4C forward
 1      1    up1              84-24-8D-80-C2-AC forward
 1      1    up1              84-24-8D-80-BF-34 forward
 1      1    up1              1C-7E-E5-18-FA-67 forward
 1      1    up1              84-24-8D-83-30-A4 forward
 1      1    up1              B4-C7-99-DD-31-C8 forward
 1      1    up1              B4-C7-99-6C-88-09 forward
 1      1    up1              00-18-71-D0-1B-F3 forward
 1      1    up1              B4-C7-99-71-17-28 forward
 1      1    up1              FC-0A-81-42-93-6C forward
 1      1    up1              B4-C7-99-6D-CD-4B forward
 1      1    up1              84-24-8D-84-A2-24 forward
 1      1    up1              B4-C7-99-74-B4-5C forward
--------------------------------------------------------
Total number of MACs displayed: 14
rfs6000-81742D#

3.1.7 clock

Sets a device’s system clock. By default all WiNG devices are shipped with the time zone and time format set to UTC and 24-hour clock respectively. If a device’s clock is set without resetting the time zone, the time is displayed relative to the Universal Time Coordinated (UTC) – Greenwich Time. To display time in the local time zone format, in the device’s configuration mode, use the timezone command to reset the time zone. You can also reset the time zone at the RF Domain level. When configured as RF Domain setting, it applies to all devices within the domain. Configuring the local time zone prior to setting the clock is recommended. For more information on configuring RF Domain time zone, see timezone.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}

Parameters
• clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}
clock set
  Sets a device’s system clock
<HH:MM:SS>
  Sets the current time (in military format hours, minutes and seconds)
  Note: By default the WiNG software displays time in the 24-hour clock format. This setting cannot be changed.
<1-31>
  Sets the numerical day of the month
<MONTH>
  Sets the month of the year from Jan - Dec
<1993-2035>
  Sets a valid four digit year from 1993 - 2035
on <DEVICE-NAME>
  Optional. Sets the clock on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
The following commands set the time zone and clock for the logged device:
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#timezone America/Los_Angeles
nx9500-6C8809#clock set 00:25:10 16 Jan 2017
nx9500-6C8809#show clock
2017-01-16 03:31:16 IST
nx9500-6C8809#

3.1.8 cluster

Initiates the cluster context. The cluster context provides centralized management to configure all cluster members from any one member.
Commands executed under this context are executed on all members of the cluster.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cluster start-election

Parameters
• cluster start-election
start-election
  Starts a new cluster master election

Example
rfs4000-880DA7#cluster start-election
rfs4000-880DA7#

Related Commands
create-cluster
  Creates a new cluster on a specified device
join-cluster
  Adds a controller, as cluster member, to an existing cluster of devices

3.1.9 configure

Enters the configuration mode. Use this command to enter the current device’s configuration mode, or enable configuration from the terminal.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
configure {self|terminal}

Parameters
• configure {self|terminal}
self
  Optional. Enables the current device’s configuration mode
terminal
  Optional. Enables configuration from the terminal

Example
rfs6000-81742D#configure self
Enter configuration commands, one per line.  End with CNTL/Z.
rfs6000-81742D(config-device-00-15-70-81-74-2D)#

rfs6000-81742D#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
rfs6000-81742D(config)#

3.1.10 connect

Begins a console connection to a remote device using the remote device’s MiNT ID or name

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]

Parameters
• connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]
mint-id <MINT-ID>
  Connects to a remote system using the MiNT ID
  • <MINT-ID> – Specify the remote device’s MiNT ID.
<REMOTE-DEVICE-NAME>
  Connects to a remote system using its name
  • <REMOTE-DEVICE-NAME> – Specify the remote device’s name.

Example
nx9500-6C8809#show mint lsp-db
9 LSPs in LSP-db of 19.6C.88.09:
LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 8 adjacencies, seqnum 1294552
LSP 19.6D.B5.D4 at level 1, hostname "rfs6000-81742D", 8 adjacencies, seqnum 1915721
LSP 19.74.B4.5C at level 1, hostname "ap8132-74B45C", 8 adjacencies, seqnum 1468227
LSP 4D.80.C2.AC at level 1, hostname "ap7532-80C2AC", 8 adjacencies, seqnum 649241
LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 8 adjacencies, seqnum 202818
LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 8 adjacencies, seqnum 380337
LSP 68.88.0D.A7 at level 1, hostname "rfs4000-880DA7", 8 adjacencies, seqnum 1494520
LSP 68.99.BB.7C at level 1, hostname "ap7131-99BB7C", 8 adjacencies, seqnum 831529
nx9500-6C8809#

nx9500-6C8809#connect mint-id ?
  MINT-ID  MiNT ID of device to connect to
nx9500-6C8809#connect mint-id 19.6D.B5.D4
Entering character mode
Escape character is '^]'.
RFS6000 release 5.9.0.0-012D
rfs6000-81742D login: admin
Password:
rfs6000-81742D>

3.1.11 copy

Copies a file (config, log, txt, etc.) from any location to the access point, wireless controller, or service platform and vice-versa

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
copy [<SOURCE-FILE>|<SOURCE-URL>] [<DESTINATION-FILE>|<DESTINATION-URL>]

Parameters
• copy [<SOURCE-FILE>|<SOURCE-URL>] [<DESTINATION-FILE>|<DESTINATION-URL>]
<SOURCE-FILE>
  Specify the source file to copy.
<SOURCE-URL>
  Specify the source file’s location (URL).
<DESTINATION-FILE>
  Specify the destination file to copy to.
<DESTINATION-URL>
  Specify the destination file’s location (URL).

Example
Transferring file snmpd.log to remote TFTP server.
rfs6000-81742D#copy flash:/log/snmpd.log tftp://10.233.89.183:/snmpd.log

Accessing running-config file from remote TFTP server into switch running-config.
rfs6000-81742D#copy tftp://10.233.89.183:/running-config running-config

NOTE: Copying a new config file to an existing running-config file merges it with the existing running-config file on the wireless controller. Both the existing running-config and the new config file are applied as the current running-config.
Copying a new config file to a start-up config file replaces the existing start-up config file with the parameters of the new file. It is better to erase the existing start-up config file and then copy the new config file to the startup config.

3.1.12 cpe

Enables a WiNG controller to perform certain operations on Customer Premises Equipment (CPEs) through an adopted T5 controller

A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use a Digital Subscriber Line (DSL) as their high speed Internet access mechanism using the CPE’s physical wallplate connection and phone jack.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cpe [boot|reload|upgrade]
cpe boot system cpe [<1-24>|all] [primary|secondary] {on <T5-DEVICE-NAME>}
cpe [reload|upgrade <IMAGE-LOCATION>] cpe [<1-24>|all] {on <T5-DEVICE-NAME>}

NOTE: These commands can also be executed on the T5 profile and device context. For more information, see T5 Profile Config Commands.

Parameters
• cpe boot system cpe [<1-24>|all] [primary|secondary] {on <T5-DEVICE-NAME>}
cpe boot system
  Changes the image used by a CPE to boot. When reloading, the CPE uses the specified image.
cpe [<1-24>|all]
  Identifies the CPE(s) on which this change is implemented
  • <1-24> – Reloads only those CPEs whose IDs have been specified. Specify the ID from 1 - 24.
  • all – Reloads all CPEs
[primary|secondary]
  Select the next boot image
  • primary – Uses the primary image when reloading
  • secondary – Uses the secondary image when reloading
on <T5-DEVICE-NAME>
  Optional. Performs this operation on a specified T5 device
  • <T5-DEVICE-NAME> – Specify the T5 device’s hostname.

• cpe [reload|upgrade <IMAGE-LOCATION>] cpe [<1-24>|all] {on <T5-DEVICE-NAME>}
cpe [reload|upgrade <IMAGE-LOCATION>]
  Performs the following operations on CPEs
  • reload – Reloads the device
  • upgrade <IMAGE-LOCATION> – Upgrades the device
    • <IMAGE-LOCATION> – Specify the location of the firmware image. Both IPv4 and IPv6 addresses are supported. Use one of the following options to provide the location:
      IPv4 URLs:
        tftp://<hostname|IP>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file
        http://<hostname|IP>[:port]/path/file
        cf:/path/file
        usb<n>:/path/file
      IPv6 URLs:
        tftp://<hostname|[IPv6]>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file
        http://<hostname|[IPv6]>[:port]/path/file
  Note: After specifying the operation to perform, identify the device(s).
cpe [<1-24>|all]
  Identifies the CPE(s) on which the operation is performed
  • <1-24> – Configures the CPE’s ID from 1 - 24
  • all – Configures all CPEs
on <T5-DEVICE-NAME>
  Optional. Performs this operation on a specified T5 device
  • <T5-DEVICE-NAME> – Specify the T5 device’s hostname.

Example
nx9500-6C8809#show t5 cpe boot on t5-ED7C6C
----------------------------------------------------------------------------------------------------
  DEVICE   PRIMARY VERSION   SECONDARY VERSION   NEXT BOOT   UPGRADE STATUS    UPGRADE PROGRESS %
----------------------------------------------------------------------------------------------------
 cpe1      5.4.2.0-010R      5.4.2.0-006B       primary     none              0
 cpe2      5.4.2.0-010R      5.4.2.0-006B       primary     none              0
----------------------------------------------------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#cpe boot system cpe 1 secondary on t5-ED7C6C
Updated T5 CPE system boot partition
nx9500-6C8809#

3.1.13 create-cluster

Creates a new device cluster, with the specified name, and assigns it an IP address and routing level

A cluster (or redundancy group) is a set of controllers or service platforms (nodes) uniquely defined by a profile configuration. Within the cluster, members discover and establish connections to other members and provide wireless network self-healing support in the event of member's failure.

A cluster's load is typically distributed evenly amongst its members. An administrator needs to define how often the profile is load balanced for radio distribution, as radios can come and go and members join and exit the cluster.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

Parameters
• create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}
create-cluster
  Creates a cluster
name <CLUSTER-NAME>
  Configures the cluster name
  • <CLUSTER-NAME> – Specify a cluster name. Define a name for the cluster name unique to its configuration or profile support requirements. The name cannot exceed 64 characters.
ip <IP>
  Specifies the device’s IP address used for cluster creation
  • <IP> – Specify the device’s IP address in the A.B.C.D format.
level [1|2]
  Optional. Configures the routing level for this cluster
  • 1 – Configures level 1 (local) routing
  • 2 – Configures level 2 (inter-site) routing

Example
rfs4000-229D58#create-cluster name TechPubs ip 192.168.13.8 level 2
... creating cluster
... committing the changes
... saving the changes
Please Wait .
[OK]
rfs4000-229D58#

rfs4000-229D58#show cluster configuration
Cluster Configuration Information
 Name                         : TechPubsLAN
 Configured Mode              : Active
 Master Priority              : 128
 Force configured state       : Disabled
 Force configured state delay : 5 minutes
 Handle STP                   : Disabled
 Radius Counter DB Sync Time  : 5 minutes
rfs4000-229D58#

rfs4000-229D58#show context
!
! Configuration of RFS4000 version 5.9.1.0-012D
!
!
version 2.5
!
!
firewall-policy default
 no ip dos tcp-sequence-past-window
 alg sip
!
!
mint-policy global-default
 router packet priority 6
!
radio-qos-policy default
!
!
management-policy default
 telnet
 http server
 https server
 no ftp
--More--
rfs4000-229D58#

Related Commands
cluster
  Initiates the cluster context. The cluster context provides centralized management to configure all cluster members from any one member.
join-cluster
  Adds a wireless controller, access point, or service platform, as cluster member, to an existing cluster of devices

3.1.14 crypto

Enables digital certificate configuration and RSA Keypair management. Digital certificates are issued by CAs and contain user or device specific information, such as name, public key, IP address, serial number, company name, etc. Use this command to generate, delete, export, or import encrypted RSA Keypairs and generate Certificate Signing Request (CSR).

This command also enables trustpoint configuration. Trustpoints contain the CA’s identity and configuration parameters.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
crypto [key|pki]
crypto key [export|generate|import|zeroize]
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|on|passphrase}
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|on|passphrase}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}
crypto pki [authenticate|export|generate|import|zeroize]
crypto pki authenticate <TRUSTPOINT-NAME> <LOCATION-URL> {background} {(on <DEVICE-NAME>)}
crypto pki export [request|trustpoint]
crypto pki export request [generate-rsa-key|short|use-rsa-key] <RSA-KEYPAIR-NAME> [autogen-subject-name|subject-name]
crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> [autogen-subject-name|subject-name]
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki import [certificate|crl|trustpoint]
crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background} {(on <DEVICE-NAME>)}
crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}

Parameters
• crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
key
  Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key.
export rsa <RSA-KEYPAIR-NAME>
  Exports an existing RSA Keypair to a specified destination
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
<EXPORT-TO-URL>
  Specify the RSA Keypair destination address. Both IPv4 and IPv6 address formats are supported.
  After specifying the destination address (where the RSA keypair is exported), configure one of the following parameters: background or passphrase.
background
  Optional. Performs export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on.
passphrase <KEY-PASSPHRASE> background
  Optional. Encrypts RSA Keypair before exporting
  • <KEY-PASSPHRASE> – Specify a passphrase to encrypt the RSA keypair.
  • background – Optional. Performs export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on.
on <DEVICE-NAME>
  The following parameter is recursive and common to all of the above parameters:
  • on <DEVICE-NAME> – Optional. Performs export operation on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}
key
  Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key.
generate rsa <RSA-KEYPAIR-NAME> [2048|4096]
  Generates a new RSA Keypair
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
  • [2048|4096] – Sets the size of the RSA key in bits. The options are 2048 bits and 4096 bits. The default size is 2048 bits.
  After specifying the key size, optionally specify the device (access point or controller) to generate the key on.
on <DEVICE-NAME>
  Optional. Generates the new RSA Keypair on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
key
  Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key.
import rsa <RSA-KEYPAIR-NAME>
  Imports a RSA Keypair from a specified source
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
<IMPORT-FROM-URL>
  Specify the RSA Keypair source address. Both IPv4 and IPv6 address formats are supported.
  After specifying the source address (where the RSA Keypair is imported from), configure one of the following parameters: background or passphrase.
background
  Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
passphrase <KEY-PASSPHRASE> background
  Optional. Decrypts the RSA Keypair after importing
  • <KEY-PASSPHRASE> – Specify the passphrase to decrypt the RSA keypair.
  • background – Optional. Performs import operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the import on.
on <DEVICE-NAME>
  The following parameter is recursive and common to the ‘background’ and ‘passphrase’ keywords:
  • on <DEVICE-NAME> – Optional. Performs import operation on a specific device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}
key
  Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key.
zeroize rsa <RSA-KEYPAIR-NAME>
  Deletes a specified RSA Keypair
  • <RSA-KEYPAIR-NAME> – Specify the RSA Keypair name.
  Note: All device certificates associated with this key will also be deleted.
force
  Optional. Forces deletion of all certificates associated with the specified RSA Keypair. Optionally specify a device on which to force certificate deletion.
on <DEVICE-NAME>
  The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Deletes all certificates associated with the RSA Keypair on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki authenticate <TRUSTPOINT-NAME> <URL> {background} {(on <DEVICE-NAME>)}
pki
  Enables Private Key Infrastructure (PKI) management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated Certificate Authority (CA) certificates.
authenticate <TRUSTPOINT-NAME>
  Authenticates a trustpoint and imports the corresponding CA certificate
  • <TRUSTPOINT-NAME> – Specify the trustpoint name.
<URL>
  Specify CA’s location. Both IPv4 and IPv6 address formats are supported.
  Note: The CA certificate is imported from the specified location.
background
  Optional. Performs authentication in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the authentication on.
on <DEVICE-NAME>
  The following parameter is recursive and optional:
  • on <DEVICE-NAME> – Optional. Performs authentication on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
pki
  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export request
  Exports CSR to the CA for digital identity certificate. The CSR contains applicant’s details and RSA Keypair’s public key.
[generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
  Generates a new RSA Keypair or uses an existing RSA Keypair
  • generate-rsa-key – Generates a new RSA Keypair for digital authentication
  • use-rsa-key – Uses an existing RSA Keypair for digital authentication
    • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
autogen-subject-name
  Auto generates subject name from configuration parameters. The subject name identifies the certificate.
<EXPORT-TO-URL>
  Specify the CA’s location. Both IPv4 and IPv6 address formats are supported.
  Note: The CSR is exported to the specified location.
email <SEND-TO-EMAIL>
  Exports CSR to a specified e-mail address
  • <SEND-TO-EMAIL> – Specify the CA’s e-mail address.
fqdn <FQDN>
  Exports CSR to a specified Fully Qualified Domain Name (FQDN)
  • <FQDN> – Specify the CA’s FQDN.
ip-address <IP>
  Exports CSR to a specified device or system
  • <IP> – Specify the CA’s IP address.

• crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)

pki
    Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export request
    Exports CSR to the CA for a digital identity certificate. The CSR contains applicant’s details and RSA Keypair’s public key.
[generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME>
    Generates a new RSA Keypair or uses an existing RSA Keypair
    • generate-rsa-key – Generates a new RSA Keypair for digital authentication
    • short [generate-rsa-key|use-rsa-key] – Generates and exports a shorter version of the CSR
        • generate-rsa-key – Generates a new RSA Keypair for digital authentication. If generating a new RSA Keypair, specify a name for it.
        • use-rsa-key – Uses an existing RSA Keypair for digital authentication. If using an existing RSA Keypair, specify its name.
    • use-rsa-key – Uses an existing RSA Keypair for digital authentication
        • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
subject-name <COMMON-NAME>
    Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate
    • <COMMON-NAME> – Specify the common name used with the CA certificate. The name should enable you to identify the certificate easily (2 to 64 characters in length).
<COUNTRY>
    Sets the deployment country code (2 character ISO code)
<STATE>
    Sets the state name (2 to 64 characters in length)
<CITY>
    Sets the city name (2 to 64 characters in length)
<ORGANIZATION>
    Sets the organization name (2 to 64 characters in length)
<ORGANIZATION-UNIT>
    Sets the organization unit (2 to 64 characters in length)
<EXPORT-TO-URL>
    Specify the CA’s location. Both IPv4 and IPv6 address formats are supported.
    The CSR is exported to the specified location.
email <SEND-TO-EMAIL>
    Exports CSR to a specified e-mail address
    • <SEND-TO-EMAIL> – Specify the CA’s e-mail address.
fqdn <FQDN>
    Exports CSR to a specified FQDN
    • <FQDN> – Specify the CA’s FQDN.
ip-address <IP>
    Exports CSR to a specified device or system
    • <IP> – Specify the CA’s IP address.

• crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

pki
    Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export trustpoint <TRUSTPOINT-NAME>
    Exports a trustpoint along with CA certificate, Certificate Revocation List (CRL), server certificate, and private key
    • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
<EXPORT-TO-URL>
    Specify the destination address. Both IPv4 and IPv6 address formats are supported.
    The trustpoint is exported to the address specified here.
background
    Optional. Performs export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on.
passphrase <KEY-PASSPHRASE> background
    Optional. Encrypts the key with a passphrase before exporting
    • <KEY-PASSPHRASE> – Specify the passphrase to encrypt the trustpoint.
    • background – Optional. Performs export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on.
on <DEVICE-NAME>
    The following parameter is recursive and common to the ‘background’ and ‘passphrase’ keywords:
    • on <DEVICE-NAME> – Optional. Performs export operation on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}

pki
    Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates.
generate
    Generates a certificate and a trustpoint
self-signed <TRUSTPOINT-NAME>
    Generates a self-signed certificate and a trustpoint
    • <TRUSTPOINT-NAME> – Specify a name for the certificate and its trustpoint.
[generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
    Generates a new RSA Keypair, or uses an existing RSA Keypair
    • generate-rsa-key – Generates a new RSA Keypair for digital authentication
    • use-rsa-key – Uses an existing RSA Keypair for digital authentication
        • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
autogen-subject-name
    Auto generates the subject name from the configuration parameters. The subject name helps to identify the certificate.
email <SEND-TO-EMAIL>
    Optional. Exports the self-signed certificate to a specified e-mail address
    • <SEND-TO-EMAIL> – Specify the e-mail address.
fqdn <FQDN>
    Optional. Exports the self-signed certificate to a specified FQDN
    • <FQDN> – Specify the FQDN.
ip-address <IP>
    Optional. Exports the self-signed certificate to a specified device or system
    • <IP> – Specify the device’s IP address.
on <DEVICE-NAME>
    Optional. Exports the self-signed certificate on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}

pki
    Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates.
generate self-signed <TRUSTPOINT-NAME>
    Generates a self-signed certificate and a trustpoint
    • <TRUSTPOINT-NAME> – Specify a name for the certificate and its trustpoint.
[generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>
    Generates a new RSA Keypair, or uses an existing RSA Keypair
    • generate-rsa-key – Generates a new RSA Keypair for digital authentication
    • use-rsa-key – Uses an existing RSA Keypair for digital authentication
        • <RSA-KEYPAIR-NAME> – If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
subject-name <COMMON-NAME>
    Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate
    • <COMMON-NAME> – Specify the common name used with this certificate. The name should enable you to identify the certificate easily and should be 2 to 64 characters in length.
<COUNTRY>
    Sets the deployment country code (2 character ISO code)
<STATE>
    Sets the state name (2 to 64 characters in length)
<CITY>
    Sets the city name (2 to 64 characters in length)
<ORGANIZATION>
    Sets the organization name (2 to 64 characters in length)
<ORGANIZATION-UNIT>
    Sets the organization unit (2 to 64 characters in length)
email <SEND-TO-EMAIL>
    Optional. Exports the self-signed certificate to a specified e-mail address
    • <SEND-TO-EMAIL> – Specify the e-mail address.
fqdn <FQDN>
    Optional. Exports the self-signed certificate to a specified FQDN
    • <FQDN> – Specify the FQDN.
ip-address <IP>
    Optional. Exports the self-signed certificate to a specified device or system
    • <IP> – Specify the device’s IP address.

• crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background} {(on <DEVICE-NAME>)}

pki
    Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
import
    Imports certificates, Certificate Revocation List (CRL), or a trustpoint to the selected device
[certificate|crl] <TRUSTPOINT-NAME>
    Imports a signed server certificate or CRL
    • certificate – Imports signed server certificate
    • crl – Imports CRL
        • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
<IMPORT-FROM-URL>
    Specify the signed server certificate or CRL source address. Both IPv4 and IPv6 address formats are supported.
    The server certificate or the CRL (based on the parameter passed in the preceding step) is imported from the location specified here.
background
    Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
on <DEVICE-NAME>
    The following parameter is recursive and optional:
    • on <DEVICE-NAME> – Optional. Performs import operation on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

pki
    Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
import
    Imports certificates, CRL, or a trustpoint to the selected device
trustpoint <TRUSTPOINT-NAME>
    Imports a trustpoint and its associated CA certificate, server certificate, and private key
    • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
<IMPORT-FROM-URL>
    Specify the trustpoint source address. Both IPv4 and IPv6 address formats are supported.
background
    Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
passphrase <KEY-PASSPHRASE> background
    Optional. Decrypts trustpoint with a passphrase after importing
    • <KEY-PASSPHRASE> – Specify the passphrase. After specifying the passphrase, optionally specify the device to perform import on.
    • background – Optional. Performs import operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the import on.
on <DEVICE-NAME>
    The following parameter is recursive and optional:
    • on <DEVICE-NAME> – Optional. Performs import operation on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}

pki
    Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
zeroize trustpoint <TRUSTPOINT-NAME>
    Deletes a trustpoint and its associated CA certificate, server certificate, and private key
    • <TRUSTPOINT-NAME> – Specify the trustpoint name (should be authenticated).
del-key
    Optional. Deletes the private key associated with the server certificate. Optionally specify the device to perform deletion on.
on <DEVICE-NAME>
    The following parameter is recursive and optional:
    • on <DEVICE-NAME> – Optional. Deletes the trustpoint on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Usage Guidelines

The system supports both IPv4 and IPv6 address formats. Provide source and destination locations using any one of the following options:

• IPv4 URLs:
    tftp://<hostname|IP>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    sftp://<user>@<hostname|IP>[:port]/path/file
    http://<hostname|IP>[:port]/path/file
    cf:/path/file
    usb<n>:/path/file
• IPv6 URLs:
    tftp://<hostname|[IPv6]>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
    sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
    http://<hostname|[IPv6]>[:port]/path/file

Example

rfs6000-81742D#crypto key generate rsa key 1025
RSA Keypair successfully generated
rfs6000-81742D#

rfs6000-81742D#crypto key import rsa test123 url passphrase word background
RSA key import operation is started in background
rfs6000-81742D#

rfs6000-81742D#crypto pki generate self-signed word generate-rsa-key word autogen-subject-name fqdn word
Successfully generated self-signed certificate
rfs6000-81742D#

rfs6000-81742D#crypto pki zeroize trustpoint word del-key
Successfully removed the trustpoint and associated certificates
%Warning: Applications associated with the trustpoint will start using default-trustpoint
rfs6000-81742D#

rfs6000-81742D#crypto pki authenticate word url background
Import of CA certificate started in background
rfs6000-81742D#

rfs6000-81742D#crypto pki import trustpoint word url passphrase word
Import operation started in background
rfs6000-81742D#

Related Commands

no
    Removes server certificates, trustpoints and their associated certificates

3.1.15 crypto-cmp-cert-update

Privileged Exec Mode Commands

Triggers a Certificate Management Protocol (CMP) certificate update on a specified device or devices

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}

Parameters

• crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}

crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}
    Triggers a CMP certificate update on a specified device or devices
    • <TRUSTPOINT-NAME> – Specify the target trustpoint name. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate. Use the crypto-cmp-policy context to configure the trustpoint.
    • on <DEVICE-NAME> – Optional. Triggers a CMP certificate update and response on a specified device or devices. Specify the name of the AP, wireless controller, or service platform. Multiple devices can be provided as a comma separated list.
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example

rfs4000-229D58#crypto-cmp-cert-update test on B4-C7-99-71-17-28
CMP Cert update success
rfs4000-229D58#

3.1.16 database

Privileged Exec Mode Commands

Enables automatic repairing (vacuuming) and dropping of databases (Captive-portal and NSight). Vacuuming a database refers to the process of finding and reclaiming space left over from previous DELETE statements.

If enforcing authenticated access to the database, use this command to generate the keyfile. Every keyfile has a set of associated users having a username and password. Database access is provided only if the keyfile and the user credentials entered during database login match.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

database [drop|keyfile|repair]
database drop [all|captive-portal|nsight]
database repair {on <DEVICE-NAME>}
database keyfile [export|generate|import|zeroize]
database keyfile generate
database keyfile [export|import] <URL>
database keyfile zeroize

NOTE: For information on enabling database authentication, see Enabling Database Authentication.

Parameters

• database drop [all|captive-portal|nsight]

database drop [all|captive-portal|nsight]
    Drops (deletes) all or a specified database. Execute the command on the database host.
    • all – Drops all databases, captive portal and NSight.
    • captive-portal – Drops captive-portal database only
    • nsight – Drops NSight database only

• database repair {on <DEVICE-NAME>}

database repair on <DEVICE-NAME>
    Enables automatic repairing of all databases. Execute the command on the database host.
    • on <DEVICE-NAME> – Optional. Specifies the name of the access point, wireless controller, or service platform hosting the database. When specified, databases on the specified device are periodically checked through to identify and remove obsolete data documents.
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
    If no device is specified, the system repairs all databases.

• database keyfile [generate|zeroize]

database keyfile [generate|zeroize]
    Enables management of database keyfiles. This command is part of a series of configurations that are required to enforce authentication on the database. Use this command to generate keyfiles associated with the database. After generating the keyfile, create the users having the database access. For information on creating database users, see service.
    • generate – Generates the keyfile. Execute the command on the primary database host.
    • zeroize – Deletes a keyfile.

• database keyfile [export|import] <URL>

database keyfile [export|import] <URL>
    Enables database keyfile management. This command is part of a series of configurations required to enforce database authentication. Use this command to exchange keyfiles between replica set members.
    • export – Exports the keyfile to a specified location on an FTP/SFTP/TFTP server. Execute the command on the primary database host.
    • import – Imports the keyfile from a specified location. Execute the command on the replica set members.
    The following parameter is common to both of the above keywords:
    • <URL> – Specify the location to/from where the keyfile is to be exported/imported. Use one of the following options:
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        tftp://<hostname|IP>[:port]/path/file

• database keyfile zeroize

database keyfile zeroize
    Enables the management of database keyfiles
    • zeroize – Deletes an existing keyfile.

Example

nx9500-6C8809#database repair on nx9500-6C8809
nx9500-6C8809#

nx9500-6C8809#database keyfile generate
Database keyfile successfully generated
nx9500-6C8809#

nx9500-6C8809#database keyfile  zeroize
Database keyfile successfully removed
nx9500-6C8809#

vx9000-1A1809#database keyfile generate
Database keyfile successfully generated
vx9000-1A1809#

vx9000-1A1809#database keyfile export ftp://1.1.1.111/db-key
Database keyfile successfully exported
vx9000-1A1809#

vx9000-D031F2#database keyfile import ftp://1.1.1.111/db-key
Database keyfile successfully imported
vx9000-D031F2#

Related Commands

database-backup
    Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server
database-restore
    Restores a previously exported database [captive-portal and/or NSight]
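
The URL formats listed for the crypto and database commands are also what the transfers of private keys and the database keyfile accept (crypto pki export/import trustpoint, crypto key import rsa, database keyfile export/import). The following Python script is an added example, not part of the Extreme Networks guide: it reads recorded CLI lines and flags those transfers when they use a cleartext transport (TFTP, FTP, HTTP), carry a password inside the URL, or omit the passphrase keyword. Apart from the one line copied from the guide's example, the session lines, names, addresses and secrets are constructed, and treating TFTP/FTP/HTTP as cleartext is general protocol knowledge rather than a statement from the guide.

```python
import re
from urllib.parse import urlsplit

# Transports that appear in the guide's URL formats. Whether a transport
# encrypts traffic is general protocol knowledge, not a statement from the guide.
CLEARTEXT = {"tftp", "ftp", "http"}
ENCRYPTED = {"sftp"}
LOCAL_MEDIA = re.compile(r"^(cf|usb\d+):/", re.IGNORECASE)  # cf:/path/file, usb<n>:/path/file
PROMPT = re.compile(r"^[\w.-]+[#>]\s*")                     # e.g. "rfs6000-81742D#"

# Commands from this section that move a private key or the database keyfile.
# prefix -> (a name precedes the URL, the command accepts "passphrase")
SENSITIVE = {
    "crypto pki export trustpoint": (True, True),
    "crypto pki import trustpoint": (True, True),
    "crypto key import rsa": (True, True),
    "database keyfile export": (False, False),
    "database keyfile import": (False, False),
}


def classify_url(url):
    """Return (kind, has_inline_password) for a location in the guide's URL formats."""
    if LOCAL_MEDIA.match(url):
        return "local", False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced brackets around an IPv6 literal
        return "unknown", False
    scheme = parts.scheme.lower()
    if scheme in CLEARTEXT:
        kind = "cleartext"
    elif scheme in ENCRYPTED:
        kind = "encrypted"
    else:
        kind = "unknown"
    return kind, parts.password is not None


def audit_line(line):
    """Return a list of findings for a sensitive transfer, or None for any other command."""
    words = PROMPT.sub("", line.strip()).split()
    for prefix, (has_name, accepts_passphrase) in SENSITIVE.items():
        keywords = prefix.split()
        if [w.lower() for w in words[:len(keywords)]] != keywords:
            continue
        args = words[len(keywords):]
        if has_name:
            args = args[1:]          # skip <TRUSTPOINT-NAME> / <RSA-KEYPAIR-NAME>
        if not args:
            return ["missing-url"]
        url, options = args[0], args[1:]
        kind, inline_password = classify_url(url)
        findings = []
        if kind == "cleartext":
            findings.append("cleartext-transport")
        if kind == "unknown":
            findings.append("unrecognised-url")
        if inline_password:
            findings.append("password-in-url")
        if accepts_passphrase and "passphrase" not in options:
            findings.append("no-passphrase")
        return findings
    return None


def audit(lines):
    """Return {line: findings} for every sensitive transfer that has findings."""
    report = {}
    for line in lines:
        findings = audit_line(line)
        if findings:
            report[line] = findings
    return report


# Constructed session lines, except the first, which is the guide's own example.
SAMPLE = [
    "vx9000-1A1809#database keyfile export ftp://1.1.1.111/db-key",
    "rfs6000-81742D#crypto pki export trustpoint tp-web tftp://192.0.2.10/tp-web.tar background",
    "rfs6000-81742D#crypto pki export trustpoint tp-web ftp://backup:S3cret@192.0.2.10/tp-web.tar passphrase Xy7 background",
    "rfs6000-81742D#crypto pki export trustpoint tp-web sftp://backup@[2001:db8::10]:22/tp-web.tar passphrase Xy7 background",
    "rfs6000-81742D#crypto pki import trustpoint tp-web usb1:/tp-web.tar passphrase Xy7",
    "rfs6000-81742D#show version",
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE).items():
        print(f"{', '.join(findings):42} {line}")
```
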

3.1.17 database-backup

Privileged Exec Mode Commands

Backs up captive-portal/NSight database to a specified location and file on an FTP or SFTP server

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

database-backup database [captive-portal|nsight|nsight-placement-info] <URL>
database-backup database [captive-portal|nsight] <URL>
database-backup database nsight-placement-info <URL>

Parameters

• database-backup database [captive-portal|nsight] <URL>

database-backup database [captive-portal|nsight]
    Backs up captive portal and/or NSight database to a specified location. Select the database to backup:
    • captive-portal – Backs up captive portal database
    • nsight – Backs up NSight database
    After specifying the database type, configure the destination location.
<URL>
    Configures the destination location. The database is backed up at the specified location. Specify the location URL in one of the following formats:
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
        sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz

• database-backup database nsight-placement-info <URL>

database-backup database nsight-placement-info <URL>
    Backs up the NSight access point placement related details to a specified location
    • <URL> – Specify the URL in one of the following formats:
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
        sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
        tftp://<hostname|IP>[:port]/path/file.tar.gz

Example

NS-DB-nx9510-6C87EF#database-backup database nsight tftp://192.168.9.50/testbckup
NS-DB-nx9510-6C87EF#show database backup-status
Last Database Backup Status : In_Progress(Starting tftp transfer.)
Last Database Backup Time   : 2017-04-17 12:48:05
NS-DB-nx9510-6C87EF#show database backup-status
Last Database Backup Status : Successful
Last Database Backup Time   : Mon Apr 17 12:48:08 T 2017
NS-DB-nx9510-6C87EF#
Apr 17 12:48:17 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-OPERATION_COMPLETE: backup for database nsight successful
NS-DB-nx9510-6C87EF#

NS-DB-nx9510-6C87EF#database-backup database nsight-placement-info tftp://192.168.9.50/plmentinfo
NS-DB-nx9510-6C87EF#show database backup-status
Last Database Backup Status : Successful
Last Database Backup Time   : Mon Apr 17 12:48:48 IST 2017
NS-DB-nx9510-6C87EF#
Apr 17 12:49:03 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-OPERATION_COMPLETE: backup for database nsight-placement-info successful
NS-DB-nx9510-6C87EF#

Related Commands

database
    Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight)
database-restore
    Restores a previously exported (backed up) database [captive-portal and/or NSight]

3.1.18 database-restore

Privileged Exec Mode Commands

Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases (backed up to a specified FTP or SFTP server) are restored from the backed-up location to the original database.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

database-restore database [captive-portal|nsight] <URL>

Parameters

• database-restore database [captive-portal|nsight] <URL>

database-restore database [captive-portal|nsight]
    Restores previously exported (backed up) captive-portal and/or NSight database. Specify the database type:
    • captive-portal – Restores captive portal database
    • nsight – Restores NSight database
    After specifying the database type, configure the destination location and file name from where the files are restored.
<URL>
    Configures the destination location. The database is restored from the specified location. Specify the location URL in one of the following formats:
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
        sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz

Example

nx9500-6C8809#database-restore database nsight ftp://anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz

Related Commands

database
    Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight)
database-backup
    Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server

3.1.19 delete

Privileged Exec Mode Commands

Deletes a specified file from the device’s file system

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

delete [/force <FILE>|/recursive <FILE>|<FILE>]

Parameters

• delete [/force <FILE>|/recursive <FILE>|<FILE>]

/force <FILE>
    Forces deletion without a prompt
/recursive <FILE>
    Performs a recursive delete
<FILE>
    Specifies the file name
    • Deletes the file specified by the <FILE> parameter

Example

rfs6000-81742D#delete flash:/out.tar flash:/out.tar.gz
Delete flash:/out.tar [y/n]? y
Delete flash:/out.tar.gz [y/n]? y
rfs6000-81742D#delete /force flash:/tmp.txt
rfs6000-81742D#

rfs6000-81742D#delete /recursive flash:/backup/
Delete flash:/backup//fileMgmt_350_180B.core[y/n]? y
Delete flash:/backup//fileMgmt_350_18212X.core_bk [y/n]? n
Delete flash:/backup//imish_1087_18381X.core.gz [y/n]? n
rfs6000-81742D#

3.1.20 device-upgrade

Privileged Exec Mode Commands

Enables firmware upgrade on an adopted device or a set of adopted devices (access points, wireless controllers, and service platforms)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

device-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|cancel-upgrade|load-image|rf-domain]

device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}}

device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx75xx|nx9000|nx9600|vx9000|on rf-domain [<RF-DOMAIN-NAME>|all]]

device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-DOMAIN-NAME>}

device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|no-reboot|from-controller|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}

NOTE: A NOC controller’s capacity is equal to, or higher than that of a site controller. The following devices can be deployed at NOC and sites:
• NOC controller – NX95XX (NX9500 and NX9510), NX9600
• Site controller – RFS4000, RFS6000, NX5500, NX75XX, or NX95XX

Parameters

• device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}}

<MAC/HOSTNAME>
    Upgrades firmware on the device identified by the <MAC/HOSTNAME> keyword
    • <MAC/HOSTNAME> – Specify the device’s MAC address or hostname.
no-reboot
    Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
reboot-time <TIME>
    Optional. Schedules an automatic reboot after a successful upgrade
    • <TIME> – Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
    Optional. Schedules an automatic device firmware upgrade on a specified day and time
    • <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:
        • no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
        • reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.

• device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

all
    Upgrades firmware on all devices
force
    Optional. Select this option to force upgrade on the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
no-reboot
    Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
reboot-time <TIME>
    Optional. Schedules an automatic reboot after a successful upgrade
    • <TIME> – Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
    Optional. Schedules an automatic device firmware upgrade on all devices on a specified day and time
    • <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:
        • no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
        • reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
staggered-reboot
    This keyword is recursive and common to all of the above.
    • Optional. Enables staggered device reboot (one at a time), without network impact

• device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

device-upgrade <DEVICE-TYPE> all
    Upgrades firmware on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000.
    After selecting the device type, schedule an automatic upgrade and/or an automatic reboot.
force
    Optional. Select this option to force upgrade on selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
no-reboot
    Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
reboot-time <TIME>
    Optional. Schedules an automatic reboot after a successful upgrade
    • <TIME> – Optional. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
    Optional. Schedules an automatic firmware upgrade on all devices of the specified type, on a specified day and time
    • <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:
        • no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
        • reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
staggered-reboot
    This keyword is recursive and common to all of the above.
    • Optional. Enables staggered device reboot (one at a time), without network impact

• device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|on rf-domain [<RF-DOMAIN-NAME>|all]]

cancel-upgrade
    Cancels a scheduled firmware upgrade based on the parameters passed. This command provides the following options to cancel scheduled firmware upgrades:
    • Cancels upgrade on specific device(s). The devices are identified by their MAC addresses or hostnames.
    • Cancels upgrade on all devices within the network
    • Cancels upgrade on all devices of a specific type. Specify the device type.
    • Cancels upgrade on specific device or all device(s) within a specific RF Domain or all RF Domains. Specify the RF Domain name.
cancel-upgrade [<MAC/HOSTNAME>|all]
    Cancels a scheduled firmware upgrade on a specified device or on all devices
    • <MAC/HOSTNAME> – Cancels a scheduled upgrade on the device identified by the <MAC/HOSTNAME> keyword. Specify the device’s MAC address or hostname.
    • all – Cancels scheduled upgrade on all devices
cancel-upgrade <DEVICE-TYPE> all
    Cancels scheduled firmware upgrade on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000.
cancel-upgrade on rf-domain [<RF-DOMAIN-NAME>|all]
    Cancels scheduled firmware upgrade on all devices in a specified RF Domain or all RF Domains
    • <RF-DOMAIN-NAME> – Cancels scheduled device upgrade on all devices in a specified RF Domain. Specify the RF Domain name.
    • all – Cancels scheduled device upgrade on all devices across all RF Domains
• device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-DOMAIN-NAME>}

load-image <DEVICE-TYPE>
Loads device firmware image from a specified location. Select the device type and provide the location of the required device firmware image.
• <DEVICE-TYPE> – Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. After specifying the device type, provide the location of the required device firmware image.

<IMAGE-URL>
Specify the device’s firmware image location in one of the following formats:
IPv4 URLs:
tftp://<hostname|IP>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
http://<hostname|IP>[:port]/path/file
cf:/path/file
usb<n>:/path/file
IPv6 URLs:
tftp://<hostname|[IPv6]>[:port]/path/file
ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
http://<hostname|[IPv6]>[:port]/path/file

on <DEVICE-OR-DOMAIN-NAME>
Optional. Specifies the name of a device or RF Domain. The image of the specified device type is loaded from the device specified here. In case of an RF Domain, the image available on the RF Domain manager is loaded.
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-controller|no-reboot|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}

rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>]
Upgrades firmware on devices in a specified RF Domain or all RF Domains. Devices within a RF Domain are upgraded through the RF Domain manager.
• <RF-DOMAIN-NAME> – Upgrades devices in the RF Domain identified by the <RF-DOMAIN-NAME> keyword.
  • <RF-DOMAIN-NAME> – Specify the RF Domain name.
• all – Upgrades devices across all RF Domains
• containing <WORD> – Filters RF Domains by their names. RF Domains with names containing the sub-string identified by the <WORD> keyword are filtered. Devices on the filtered RF Domains are upgraded.
• filter location <WORD> – Filters devices by their location. All devices with location matching the <WORD> keyword are upgraded.
<DEVICE-TYPE>
After specifying the RF Domain, select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000.
After specifying the RF Domain and the device type, configure any one of the following actions: force devices to upgrade, or initiate an upgrade through the adopting controller.

<MAC/HOSTNAME>
Optional. Use this option to identify specific devices for upgrade. Specify the device’s MAC address or hostname. The device should be within the specified RF Domain and of the specified device type. After identifying the devices to upgrade, configure any one of the following actions: force devices to upgrade, or initiate an upgrade through the adopting controller.
Note: If no MAC address or hostname is specified, all devices of the type selected are upgraded.

force
Optional. Select this option to force upgrade for the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or reboot-time.

from-controller
Optional. Upgrades a device through the adopted device. If initiating an upgrade through the adopting controller, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or reboot-time.

no-reboot {staggered-reboot}
Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)

reboot-time <TIME> {staggered-reboot}
Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.

staggered-reboot
This keyword is common to all of the above.
Optional. Enables staggered reboot (one at a time), without network impact

upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
Optional. Schedules an automatic firmware upgrade
• <TIME> – Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. After a scheduled upgrade, the following actions can be performed:
  • no-reboot – Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted)
  • reboot-time <TIME> – Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.

Example
nx9500-6C8809#show device-upgrade history on TechPubs
-------------------------------------------------------------------------------------------------
            Device      RESULT                 TIME  RETRIES        UPGRADED-BY LAST-UPDATE-ERROR
-------------------------------------------------------------------------------------------------
    rfs6000-81742D        done  2017-07-20 14:16:49        0      nx9500-6C8809 -
    rfs6000-81742D        done  2017-07-06 15:19:23        0      nx9500-6C8809 -
    rfs6000-81742D        done  2017-07-06 15:15:37        0      nx9500-6C8809 -
--More--
nx9500-6C8809#
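The show device-upgrade history output in this section's example records, per device, the result, time, retry count and the controller that performed each upgrade, which makes it usable as an audit trail for firmware pushes. The following is an added example, not part of the guide: it parses that column layout and flags rows worth a second look. The trusted-controller list, the change window, the sample hostnames, the "failed" result value and the error text are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the column layout of the history output shown in the
# guide. Hostnames, the "failed" value and the error text are invented here;
# only the layout and the "done" value come from the guide.
SAMPLE_HISTORY = """\
nx9500-EXAMPLE#show device-upgrade history on ExampleDomain
--------------------------------------------------------------------------------
        Device   RESULT                 TIME  RETRIES     UPGRADED-BY LAST-UPDATE-ERROR
--------------------------------------------------------------------------------
 rfs6000-AAAAAA     done  2017-07-20 02:16:49        0  nx9500-EXAMPLE -
  ap7532-BBBBBB   failed  2017-07-21 02:03:10        3  nx9500-EXAMPLE image transfer timed out
  ap7532-BBBBBB     done  2017-07-21 13:41:55        0  rfs4000-CCCCCC -
--More--
nx9500-EXAMPLE#
"""

# A data row is recognised by its timestamp; prompts, rulers, the header row
# and the --More-- pager line do not match and are skipped.
ROW = re.compile(
    r"^\s*(?P<device>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<retries>\d+)\s+(?P<by>\S+)\s+(?P<error>.*?)\s*$")


def parse_history(text):
    """Return one dict per data row of the history table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["retries"] = int(row["retries"])
            row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def audit_history(text, trusted_controllers, window_hours=(0, 6)):
    """Return (device, time, reasons) for every row that needs review.

    trusted_controllers: hostnames allowed to push firmware (assumption).
    window_hours: (start, end) hours of the agreed change window (assumption).
    """
    start, end = window_hours
    flagged = []
    for row in parse_history(text):
        reasons = []
        if row["by"] not in trusted_controllers:
            reasons.append("upgraded by unexpected device %s" % row["by"])
        if not start <= row["time"].hour < end:
            reasons.append("outside change window")
        if row["result"] != "done":
            reasons.append("result %s" % row["result"])
        if row["retries"] or row["error"] != "-":
            reasons.append("retries=%d error=%s" % (row["retries"], row["error"]))
        if reasons:
            flagged.append((row["device"], row["time"].isoformat(" "), reasons))
    return flagged


if __name__ == "__main__":
    for device, when, reasons in audit_history(SAMPLE_HISTORY, {"nx9500-EXAMPLE"}):
        print(device, when, "; ".join(reasons))
```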
nx9500-6C8809#device-upgrade load-image rfs6000 ftp://anonymous:anonymous@192.168.13.17/RFS6000-LEAN-5.9.1.0-017D.img
--------------------------------------------------------------------------------
      CONTROLLER          STATUS                      MESSAGE
--------------------------------------------------------------------------------
  nx9500-6C8809        Success        Successfully initiated load image
--------------------------------------------------------------------------------
nx9500-6C8809#

nx9500-6C8809#show device-upgrade load-image-status
Download of rfs6000 firmware file is 50 percent complete
nx9500-6C8809#

nx9500-6C8809#device-upgrade rfs6000-81742D
--------------------------------------------------------------------------------
         CONTROLLER             STATUS                   MESSAGE
--------------------------------------------------------------------------------
  B4-C7-99-6C-88-09         Success         Queued 1 devices to upgrade
--------------------------------------------------------------------------------

nx9500-6C8809#show device-upgrade status
Number of devices currently being upgraded : 0
Number of devices waiting in queue to be upgraded : 1
Number of devices currently being rebooted : 0
Number of devices waiting in queue to be rebooted : 0
Number of devices failed upgrade : 0
---------------------------------------------------------------------------------------------------------
      DEVICE        STATE   UPGRADE TIME REBOOT TIME PROGRESS RETRIES LAST UPDATE ERROR   UPGRADED BY
---------------------------------------------------------------------------------------------------------
  rfs6000-81742D   waiting   immediate    immediate   0        0       -                 nx9500-6C8809
---------------------------------------------------------------------------------------------------------
nx9500-6C8809#
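The <IMAGE-URL> formats listed for load-image differ in what the transport protects: the tftp and http formats carry no credentials, the ftp format puts the user name and password in the URL and sends them unencrypted, and only sftp encrypts the transfer. The following is an added example, not part of the guide: it classifies an image URL along those lines and returns a copy with the password masked for use in logs and change tickets. The finding labels and every sample URL except the guide's own ftp example are assumptions made here.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Schemes and local prefixes are the <IMAGE-URL> formats listed in the guide.
NETWORK_SCHEMES = ("tftp", "ftp", "sftp", "http")
LOCAL_URL = re.compile(r"^(cf|usb[0-9]+):/\S+$")   # cf:/path/file, usb<n>:/path/file

SAMPLES = [
    # URL from the guide's load-image example.
    "ftp://anonymous:anonymous@192.168.13.17/RFS6000-LEAN-5.9.1.0-017D.img",
    # Constructed samples (documentation address ranges, invented names).
    "sftp://fwadmin:ExamplePass1@[2001:db8::10]:2222/images/example.img",
    "tftp://192.0.2.20/images/example.img",
    "usb1:/images/example.img",
]


def redact(parts):
    """Rebuild the URL with the password masked, safe to write to a log."""
    host = parts.hostname
    if ":" in host:                       # IPv6 literal: restore the brackets
        host = "[" + host + "]"
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    if parts.username is not None:
        secret = "" if parts.password is None else ":***"
        netloc = parts.username + secret + "@" + netloc
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


def audit_image_url(url):
    """Classify one <IMAGE-URL>; the finding names are this example's labels."""
    local = LOCAL_URL.match(url)
    if local:                             # image read from local storage
        return {"scheme": local.group(1), "findings": [], "log_safe": url}
    parts = urlsplit(url)
    if parts.scheme not in NETWORK_SCHEMES or not parts.hostname:
        # The message deliberately omits the URL, which may hold a password.
        raise ValueError("not a documented <IMAGE-URL> format (scheme %r)"
                         % parts.scheme)
    findings = []
    if parts.scheme in ("tftp", "http"):
        findings.append("no-authentication")       # format has no user/password
    if parts.scheme != "sftp":
        findings.append("cleartext-transport")     # transfer is not encrypted
    if parts.password is not None:
        findings.append("password-on-command-line")
        if parts.scheme == "ftp":
            findings.append("password-sent-in-cleartext")
    if (parts.username or "").lower() == "anonymous":
        findings.append("anonymous-login")
    return {"scheme": parts.scheme, "findings": findings,
            "log_safe": redact(parts)}


def report(urls):
    """Return (log_safe_url, findings) for every URL with at least one finding."""
    results = []
    for url in urls:
        result = audit_image_url(url)
        if result["findings"]:
            results.append((result["log_safe"], result["findings"]))
    return results


if __name__ == "__main__":
    for safe_url, findings in report(SAMPLES):
        print(safe_url, "->", ", ".join(findings))
```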
3.1.21 diff
Privileged Exec Mode Commands
Displays the differences between two files on a device’s file system or a particular URL

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
diff [<FILE>|<URL>] [<FILE>|<URL>]

Parameters
• diff [<FILE>|<URL>] [<FILE>|<URL>]

<FILE>
The first <FILE> is the source file for the diff command. The second <FILE> is used for comparison.

<URL>
The first <URL> is the source file’s URL. The second <URL> is the second file’s URL.

Example
nx9500-6C8809#diff startup-config running-config
--- startup-config
+++ running-config
@@ -1,12 +1,10 @@
+!### show running-config
 !
 ! Configuration of NX9500 version 5.9.1.0-012D
 !
 !
 version 2.5
 !
-password-encryption-version 1.0
-inline-password-encryption
-password-encryption-key secret 2 776f9d6d5bb08fac753394d779cbc5a200000020a4ca26def55d4d77952308cd5e3afc66c06581bb1e5af6d6b033fd664c363522
 !
 client-identity-group default
  load default-fingerprints
@@ -35,13 +33,13 @@
 !
 alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
 !
-alias encrypted-string $READ 2 LKSXiTieTV5hybKxfbd6JwAAAAZ/lakoqHh/ZfyHLJWzluTH
+alias encrypted-string $READ 2 1og6ZeMyEVJhybKxfbd6JwAAAAahnGq6RaJb70CEIbVpTYre
--More--
nx9500-6C8809#
3.1.22 dir
Privileged Exec Mode Commands
Lists files on a device’s file system

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dir {/all|/recursive|<DIR>|all-filesystems}

Parameters
• dir {/all|/recursive|<DIR>|all-filesystems}

/all
Optional. Lists all files

/recursive
Optional. Lists files recursively

<DIR>
Optional. Lists files in the named file path

all-filesystems
Optional. Lists files on all file systems

Example
nx9500-6C8809#dir flash:/
Directory of flash:/
  -rw-   62937     Tue Nov 24 16:00:06 2015   run-config-backup.txt
  drwx             Tue Nov 29 09:48:42 2016   crashinfo
  drwx             Sat Sep 17 05:14:43 2016   upgrade
  drwx             Mon Sep 28 09:48:33 2015   tmptpd
  drwx             Wed Feb 15 11:53:07 2017   log
  drwx             Wed Feb 15 11:02:55 2017   archived_logs
  drwx             Tue May 24 22:23:54 2016   cache
  drwx             Thu Feb 19 08:53:45 2015   floorplans
  -rw-   42018304  Tue Sep 27 10:19:24 2016   in.tar
  drwx             Tue Jan 17 10:02:01 2017   hotspot
nx9500-6C8809#

nx9500-6C8809#dir all-filesystems
Directory of flash:/
  -rw-   62937     Tue Nov 24 16:00:06 2015   run-config-backup.txt
  drwx             Tue Nov 29 09:48:42 2016   crashinfo
  drwx             Sat Sep 17 05:14:43 2016   upgrade
  drwx             Mon Sep 28 09:48:33 2015   tmptpd
  drwx             Wed Feb 15 11:53:07 2017   log
  drwx             Wed Feb 15 11:02:55 2017   archived_logs
  drwx             Tue May 24 22:23:54 2016   cache
  drwx             Thu Feb 19 08:53:45 2015   floorplans
  -rw-   42018304  Tue Sep 27 10:19:24 2016   in.tar
  drwx             Tue Jan 17 10:02:01 2017   hotspot
Directory of nvram:/
  lrwx   29        Tue Oct 27 16:22:21 2015   sensor_default_scan
--More--
nx9500-6C8809#
3.1.23 disable
Privileged Exec Mode Commands
Turns off (disables) the privileged mode command set. This command returns to the User Executable mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
disable

Parameters
None

Example
rfs6000-81742D#disable
rfs6000-81742D>
3.1.24 edit
Privileged Exec Mode Commands
Edits a text file on the device’s file system

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
edit <FILE>

Parameters
• edit <FILE>

<FILE>
Specify the name of the file to modify.

Example
rfs4000-880DA7#edit startup-config
  GNU nano 1.2.4                File: startup-config
!
! Configuration of RFS4000 version 5.9.1.0-015D
!
!
version 2.5
!
password-encryption-version 1.0
inline-password-encryption
no password-encryption-key
!
client-identity-group default
 load default-fingerprints
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
!
                               [ Read 400 lines ]
^G Get Help  ^O WriteOut  ^R Read File ^Y Prev Page ^K Cut Text  ^C Cur Pos
^X Exit      ^J Justify   ^W Where Is  ^V Next Page ^U UnCut Txt ^T To Spell
3.1.25 enable
Privileged Exec Mode Commands
Turns on (enables) the privileged mode command set. This command does not do anything in the Privilege Executable mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
enable

Parameters
None

Example
rfs6000-81742D#enable
rfs6000-81742D#
3.1.26 erase
Privileged Exec Mode Commands
Erases a device’s (wireless controller, access point, and service platform) file system. Erases the content of the specified storage device. Also erases the startup configuration to restore the device to its default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
erase [flash:|nvram:|startup-config|usb1:|usb2:|usb3:|usb4:]
erase [flash:|nvram:|usb1:|usb2:|usb3:|usb4:]
erase startup-config {<HOSTNAME/MAC>|on <DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}}

Parameters
• erase [flash:|nvram:|usb1:|usb2:|usb3:|usb4:]

flash:
Erases everything in the device’s flash: file

nvram:
Erases everything in the device’s nvram: file

startup-config
Erases the device’s startup configuration file. The startup configuration file is used to configure the device when it reboots.

usb1:
Erases everything in the device's usb1: file

usb2:
Erases everything in the device's usb2: file

usb3:
Erases everything in the device's usb3: file

usb4:
Erases everything in the device's usb4: file

• erase startup-config {<HOSTNAME/MAC>|on <DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}}

startup-config:
Erases the startup configuration file on a specified device or devices in a specified RF Domain. The specified device(s) are reloaded after the startup configuration file is erased. Use the ‘<HOSTNAME/MAC>’ or ‘on <DOMAIN-NAME>’ options to identify the device or RF Domain respectively. Once executed, the configuration file, for the targeted device or for all device(s) in the targeted RF Domain, is also erased from the adopting controller’s configuration file. The device(s) are automatically reloaded once the startup configuration file has been erased.

<HOSTNAME/MAC>
Optional. Erases the startup configuration file on the device identified by the <HOSTNAME/MAC> keyword. Specify the device’s hostname or MAC address.
on <DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
Optional. Erases the startup configuration file on all devices or specified device(s) in a specified RF Domain
• <DOMAIN-NAME> – Specify the RF Domain name. After specifying the RF Domain, optionally use the filters provided to identify specific device(s) within the RF Domain. If none of the filters are used, the command is executed on all devices within the RF Domain. These filters are:
  • containing <SUB-STRING> – Optional. Executes the command on all devices containing a specified sub-string in their hostname
    • <SUB-STRING> – Specify the sub-string to match. The startup configuration file is erased on all devices whose hostname contains the sub-string specified here.
  • exclude-controllers – Optional. Executes the command on all devices excluding controllers. The startup configuration file is erased on all devices except controllers.
  • exclude-rf-domain-manager – Optional. Executes the command on all devices excluding RF Domain managers. The startup configuration file is erased on all devices except RF Domain managers.
  • filter <DEVICE-TYPE> – Optional. Executes the command on all devices of a specified type
    • <DEVICE-TYPE> – Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8532, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The startup configuration file is erased on all devices of the type specified here. For example, if AP6521 is the device-type specified, the startup configuration file on all AP6521s, within the RF Domain, is erased.

Example
nx9500-6C8809#erase ?
  cf:             Erase everything in cf:
  flash:          Erase everything in flash:
  nvram:          Erase everything in nvram:
  startup-config  Reset configuration to factory default
  usb1:           Erase everything in usb1:
  usb2:           Erase everything in usb2:
nx9500-6C8809#
3.1.27 ex3500
Privileged Exec Mode Commands
Enables EX3500 switch firmware management. Use this command to perform the following operations: boot, copy, delete, and IP-related configurations.

The copy keyword provides multiple copy options. It allows you to upload or download code images or configuration files between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600

Syntax
ex3500 [adoptd|boot|copy|delete|ip]
ex3500 adoptd upgrade <URL> on <EX3500-DEVICE-NAME>
ex3500 boot system <1-1> (config|opcode) <FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [file|ftp|running-config|startup-config|tftp|unit]
ex3500 copy file file <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] [add-to-running-config|file|https-certificate|public-key|running-config|startup-config]
ex3500 copy [ftp|tftp] add-to-running-config <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <SOURCE-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] file <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] https-certificate <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <SOURCE-CERT-FILE-NAME> <SOURCE-PVT-KEY-FILE-NAME> <PVT-PASS-WORD> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] public-key <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2] <SOURCE-PUB-KEY-FILE-NAME> <USER-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] [running-config|startup-config] <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <SOURCE-CONFIG-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy running-config [file <DEST-FILE-NAME>|ftp <FTP-SERVER-IP> <USER-NAME> <PASSWORD> <DEST-FILE-NAME>|startup-config|tftp <TFTP-SERVER-IP> <DEST-FILE-NAME>] on <EX3500-DEVICE-NAME>
ex3500 copy startup-config [file <DEST-FILE-NAME>|ftp <FTP-SERVER-IP> <USER-NAME> <PASSWORD> <DEST-FILE-NAME>|running-config|tftp <TFTP-SERVER-IP> <DEST-FILE-NAME>] on <EX3500-DEVICE-NAME>
ex3500 copy unit file <1-1> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 delete [file|public-key]
ex3500 delete file [name <FILE-NAME>|unit <1-1> name <FILE-NAME>] on <EX3500-DEVICE-NAME>
ex3500 delete public-key <USER-NAME> [dsa|rsa] on <EX3500-DEVICE-NAME>
ex3500 ip ssh [crypto|save]
ex3500 ip ssh crypto host-key generates [dsa|rsa] on <EX3500-DEVICE-NAME>
ex3500 ip ssh crypto zeroize [dsa|rsa] on <EX3500-DEVICE-NAME>
ex3500 ip ssh save host-key on <EX3500-DEVICE-NAME>

Parameters
• ex3500 adoptd upgrade <URL> on <EX3500-DEVICE-NAME>

ex3500 adoptd upgrade
Upgrades an adopted EX3500 switch
Note: After an upgrade, reboot the EX3500 switch to initiate the new image. To view an EX3500’s current image version, use the show > version > on <EX3500-DEVICE-NAME> command.

<URL>
Specifies the location and image file name in the following format:
tftp://<IP>[/path]/file

on <EX3500-DEVICE-NAME>
Executes the command on a specified EX3500 switch
• <EX3500-DEVICE-NAME> – Specify the EX3500 switch’s hostname.

• ex3500 boot system <1-1> (config|opcode) <FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 boot system
Boots an EX3500 switch using a specified configuration file

<1-1>
Identifies the EX3500 unit by its ID number. Specify the EX3500 ID from 1 - 1.
Note: As of now only one (1) EX3500 unit can be managed through a NOC controller.

(config|opcode) <FILE-NAME>
The following keywords are recursive:
Specifies the image file to use for booting. The options are:
• config – Uses the configuration file to boot the switch
• opcode – Uses the Operation Code (opcode), which is the runtime code, to boot the switch. The opcode is like an operating system that enables the WiNG software to communicate with the EX3500 device.
The following parameter is common to the ‘config’ and ‘opcode’ keywords:
• <FILE-NAME> – Specify the configuration/runtime-code file name.

on <EX3500-DEVICE-NAME>
Reloads a specified EX3500 switch
• <EX3500-DEVICE-NAME> – Specify the EX3500 switch’s hostname. You can also specify its MAC address.

• ex3500 copy file file <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy
Copies a configuration file to another file

file file <SOURCE-FILE-NAME> <DEST-FILE-NAME>
Copies a specified file (this is the source configuration file)
• file – Copies the specified source file to a specified file (this is the destination configuration file)
  • <SOURCE-FILE-NAME> – Specify the source configuration file’s name
  • <DEST-FILE-NAME> – Specify the destination configuration file’s name.
When specifying the destination file name, keep in mind the following points:
- It should not contain slashes (\ or /),
- It should not exceed 32 characters for files on the switch, or 127 characters for files on the server.

on <EX3500-DEVICE-NAME>
Copies the file to a specified EX3500 switch
• <EX3500-DEVICE-NAME> – Specify the EX3500 switch’s hostname. The specified source file is copied to specified destination file on the EX3500 identified here.

• ex3500 copy [ftp|tftp] add-to-running-config <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <SOURCE-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp]
Copies files from an FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc. This command also allows you to add a remote system’s running configuration to the current system configuration.

add-to-running-config
Adds a remote system’s running configuration to the current system

<FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.
• <FTP/TFTP-SERVER-IP> – Specify the FTP or TFTP server’s IP address in the A.B.C.D format.
• <USER-NAME> – If using an FTP server, specify the FTP server’s user name (should be an authorized user)
• <PASSWORD> – Specify the password applicable for the above specified FTP server user name.

<SOURCE-FILE-NAME>
After specifying the server details, specify the name of the running configuration file.
• <SOURCE-FILE-NAME> – Specify the source file’s name.

on <EX3500-DEVICE-NAME>
Copies the file to a specified EX3500 switch
• <EX3500-DEVICE-NAME> – Specify the EX3500 switch’s hostname. The specified source file is copied to specified destination file on the EX3500 identified here.

• ex3500 copy [ftp|tftp] file <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp]
Copies files from an FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc.

file
Copies to a specified file system

<FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.
• <FTP/TFTP-SERVER-IP> – Specify the FTP or TFTP server’s IP address in the A.B.C.D format.
• <USER-NAME> – If using an FTP server, specify the FTP server’s user name (should be an authorized user)
• <PASSWORD> – Specify the password applicable for the above specified FTP server user name.
[1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME>
After specifying the server details, select the file type and specify the name of the source and destination file names.
• [1|2] – Select the file type from 1 - 2.
  • 1 – Copies the EX3500 configuration file.
  • 2 – Copies the opcode, which is the runtime code. The opcode is like an operating system that enables the WiNG software to communicate with the EX3500 device.
• <SOURCE-FILE-NAME> – Specify the source file’s name.
• <DEST-FILE-NAME> – Specify the destination file’s name.

on <EX3500-DEVICE-NAME>
Copies the file to a specified EX3500 device
• <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname. The specified source file is copied to specified destination file on the EX3500 identified here.

• ex3500 copy [ftp|tftp] https-certificate <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <SOURCE-CERT-FILE-NAME> <SOURCE-PVT-KEY-FILE-NAME> <PVT-PASS-WORD> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp]
Copies files from an FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc.

https-certificate
Copies HTTPS secure site certificate from the FTP or TFTP server to the switch

<FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.
• <FTP/TFTP-SERVER-IP> – Specify the FTP or TFTP server’s IP address in the A.B.C.D format.
• <USER-NAME> – If using an FTP server, specify the FTP server’s user name (should be an authorized user)
• <PASSWORD> – Specify the password applicable for the above specified FTP server user name.

<SOURCE-CERT-FILE-NAME> <SOURCE-PVT-KEY-FILE-NAME> <PVT-PASS-WORD>
After identifying the FTP or TFTP server, specify the following:
• <SOURCE-CERT-FILE-NAME> – Specify the source HTTPS secure site certificate file name.
• <SOURCE-PVT-KEY-FILE-NAME> – Specify the source private-key file name.
• <PVT-PASS-WORD> – Specify the private password.

on <EX3500-DEVICE-NAME>
Copies the file to a specified EX3500 device
• <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname.

• ex3500 copy [ftp|tftp] public-key <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2] <SOURCE-PUB-KEY-FILE-NAME> <USER-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp]
Copies files from an FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc.

public-key
Copies the SSH public key from the FTP or TFTP server to the switch
<FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.
• <FTP/TFTP-SERVER-IP> – Specify the FTP or TFTP server’s IP address in the A.B.C.D format.
• <USER-NAME> – If using an FTP server, specify the FTP server’s user name (should be an authorized user)
• <PASSWORD> – Specify the password applicable for the above specified FTP server user name.

[1|2] <SOURCE-PUB-KEY-FILE-NAME> <USER-NAME>
After identifying the FTP or TFTP server, specify the following:
• [1|2] – Configures the SSH public key type as RSA or DSA
  • 1 – Configures the public key type as RSA
  • 2 – Configures the public key type as DSA
• <SOURCE-PUB-KEY-FILE-NAME> – Specifies the source public key file name
• <USER-NAME> – Specifies the public key’s user name.

on <EX3500-DEVICE-NAME>
Copies the public key to a specified EX3500 device
• <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname.

• ex3500 copy [ftp|tftp] [running-config|startup-config] <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp]
Copies files from an FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc.

[running-config|startup-config]
Copies the running or startup configuration file to one of the following destinations: file system, FTP server, or TFTP server
The running configuration file can be copied to the startup configuration file and vice versa.

<FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
If copying to an FTP/TFTP server, configure the following parameters:
• <FTP/TFTP-SERVER-IP> – Specify the FTP or TFTP server’s IP address in the A.B.C.D format.
• <USER-NAME> – If using an FTP server, specify the FTP server’s user name (should be an authorized user)
• <PASSWORD> – Specify the password applicable for the above specified FTP server user name.

<DEST-FILE-NAME>
Configures the destination file name. The running or startup configuration file is copied to the specified destination file.
• <DEST-FILE-NAME> – Specify the destination file name. You can also copy the running configuration file to the startup configuration file and vice versa.

on <EX3500-DEVICE-NAME>
Copies the running or startup configuration file on to a specified EX3500 device
• <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname.

• ex3500 copy unit file <1-1> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy unit
Copies from an EX3500 switch
PRIVILEGED EXEC MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide  3 - 72• ex3500 delete file [name <FILE-NAME>|unit <1-1> name <FILE-NAME>] on <EX3500-DEVICE-NAME>• ex3500 delete public-key <USER-NAME> [dsa|rsa] on <EX3500-DEVICE-NAME>file <1-1> [1|2] Copies the file system from the EX3500 switch identified by the unit number• <1-1> – Specify the unit number from 1 - 1.• [1|2] – Select the file type from 1 - 2.• 1 – Copies the selected unit’s configuration file.• 2 – Copies the selected unit’s opcode, which is the runtime code. The opcode islike an operating system that enables the WiNG software to communicate withthe EX3500 device.<SOURCE-FILE-NAME>Configures the source file name• <SOURCE-FILE-NAME> – Specify the source file name. You can copy the running configuration file to the startup configuration file and vice versa.<DEST-FILE-NAME> Configures the destination file name. The running or startup configuration file is copied to the specified file.• <DEST-FILE-NAME> – Specify the destination file name. You can copy the running configuration file to the startup configuration file and vice versa.on <EX3500-DEVICE-NAME>Copies the running or startup configuration file on to a specified EX3500 device• <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname. ex3500 delete file Deletes a file or image on a specified EX3500 devicename <FILE-NAME> Specifies the file to delete. The specified file is deleted.• <FILE-NAME> – Specify the file name.unit <1-1> name <FILE-NAME>Identifies the unit in the stackable system on which the file is located• <1-1> – Select the unit from 1 - 1.• name – After identifying the unit, specify the file to delete. The specified file is deleted.• <FILE-NAME> – Specify the file name.on <EX3500-DEVICE-NAME>Executes the command on a specified EX3500 device• <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname. 
ex3500 delete public-key <USER-NAME> [dsa|rsa]
Deletes a specified user’s public key
• <USER-NAME> – Specify the SSH user’s name.
• dsa – Deletes the specified user’s DSA (version 2) key
• rsa – Deletes the specified user’s RSA (version 1) key

on <EX3500-DEVICE-NAME>
Executes the command on a specified EX3500 device
• <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname.

• ex3500 ip ssh crypto host-key generates [dsa|rsa] on <EX3500-DEVICE-NAME>

ex3500 ip ssh crypto host-key generates [dsa|rsa]
Generates the host-key pair (public and private). This host key is used by the SSH server to negotiate a session key and encryption method with the client trying to connect to it.
• dsa – Generates DSA (version 2) key type
• rsa – Generates RSA (version 1) key type
Note: The RSA Version 1 is used only for SSHv1.5 clients, whereas DSA Version 2 is used only for SSHv2 clients.
Note: This generated host-key pair is stored in the volatile memory (i.e., RAM). To save the host-key pair in the flash memory, use the ex3500 > ip > ssh > save > host-key command.

on <EX3500-DEVICE-NAME>
Executes the command on a specified EX3500 device
• <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname.

• ex3500 ip ssh zeroize [dsa|rsa] <EX3500-DEVICE-NAME>

ex3500 ip ssh zeroize [dsa|rsa]
Removes the host-key (DSA and RSA) from the volatile memory (i.e., RAM)

on <EX3500-DEVICE-NAME>
Executes the command on a specified EX3500 device
• <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname.

• ex3500 ip ssh save host-key on <EX3500-DEVICE-NAME>

ex3500 ip ssh save host-key
Saves the host-key (DSA and RSA) to the flash memory

on <EX3500-DEVICE-NAME>
Executes the command on a specified EX3500 device
• <EX3500-DEVICE-NAME> – Specify the EX3500 device’s hostname.

Usage Guidelines
When using the ex3500 command and its parameters, keep in mind the following:
• Destination file names should not:
    - Contain slashes (\ or /),
    - Exceed 32 characters for files on the switch, or 127 characters for files on the server
• The FTP server’s default user name is set as “anonymous”.
• The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. Follow instructions provided in the release notes for new firmware, or contact your distributor for help.
• The “Factory_Default_Config.cfg” can be used as the source to copy from, but cannot be used as the destination.
• Although the switch supports only two operation code files, the maximum number of user-defined configuration files supported is 16.

Example
nx9500-6C8809#ex3500 adopted upgrade tftp://192.168.0.99/ex3500-adopted-5.8.5.0.img on ex3524-ED5EAC
Flash programming started
Flash programming completed
Successful
nx9500-6C8809#

nx9500-6C8809#ex3500 copy tftp file 10.2.0.100 1 m360.bix m360.bix on ex3524-ED5EAC
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
nx9500-6C8809#

nx9500-6C8809#ex3500 copy tftp startup-config 10.2.0.99 startup.01 startup on ex3524-ED5EAC
TFTP server ip address: 10.1.0.99
Flash programming started.
Flash programming completed.
Success.
nx9500-6C8809#

3.1.28 factory-reset
Privileged Exec Mode Commands
Erases startup configuration on a specified device or all devices within a specified RF Domain

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
factory-reset [<HOSTNAME/MAC>|config-all|config-device-only|on <RF-DOMAIN-NAME>]
factory-reset <HOSTNAME/MAC> {<HOSTNAME/MAC>}
factory-reset on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
factory-reset [config-all|config-device-only] [<HOSTNAME/MAC> {<HOSTNAME/MAC>}|on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}]

Parameters
• factory-reset <HOSTNAME/MAC> {<HOSTNAME/MAC>}

factory-reset
Erases startup configuration and reloads device(s) based on the parameters passed
For more information on the actions performed by this command, see Actions performed by the factory-reset command.

<HOSTNAME/MAC> {<HOSTNAME/MAC>}
Erases startup configuration and reloads the device identified by the <HOSTNAME/MAC> keyword. Specify the device’s hostname or MAC address.
• <HOSTNAME/MAC> – Optional. You can optionally specify multiple space-separated devices.

• factory-reset on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

factory-reset
Erases startup configuration and reloads device(s) based on the parameters passed
For more information on the actions performed by this command, see Actions performed by the factory-reset command.

on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
Erases startup configuration and reloads all devices or specified device(s) within a specified RF Domain identified by the <RF-DOMAIN-NAME> keyword
• <RF-DOMAIN-NAME> – Specify the RF Domain name. After specifying the RF Domain, optionally use the filters provided to identify specific device(s) within the RF Domain. If none of the filters are used, the command is executed on all devices within the RF Domain. These filters are:
    • containing <SUB-STRING> – Optional. Executes the command on all devices containing a specified sub-string in their hostname
        • <SUB-STRING> – Specify the sub-string to match.
    • exclude-controllers – Optional. Executes the command on all devices excluding controllers. Since only a NOC controller is capable of adopting other controllers, use this option when executing the command on a NOC controller.
    • exclude-rf-domain-manager – Optional. Executes the command on all devices excluding RF Domain managers. Use this option when executing the command on the NOC, site controller, or RF Domain manager.
    • filter <DEVICE-TYPE> – Optional. Executes the command on all devices of a specified type
        • <DEVICE-TYPE> – Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The startup configuration is erased on all devices of the type specified here. For example, if AP6521 is the device-type specified, the command is executed on all AP6521s within the specified RF Domain.

• factory-reset [config-all|config-device-only] [<HOSTNAME/MAC> {<HOSTNAME/MAC>}|on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}]

factory-reset
Erases startup configuration and reloads device(s) based on the parameters passed
For more information on the actions performed by this command, see Actions performed by the factory-reset command.

[config-all|config-device-only]
Erases startup configuration and reloads only controller-adopted devices or the controller as well as its adopted devices
• config-all – Erases startup configuration on the controller and all devices adopted by it
• config-device-only – Erases startup configuration only on the devices adopted by the controller

<HOSTNAME/MAC> {<HOSTNAME/MAC>}
This parameter is common to the ‘config-all’ and ‘config-device-only’ keywords:
• <HOSTNAME/MAC> – Erases startup configuration and reloads the device identified by the <HOSTNAME/MAC> keyword. Specify the device’s hostname or MAC address.
    • <HOSTNAME/MAC> – Optional. You can optionally specify multiple space-separated devices.

on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
The following parameters are common to the ‘config-all’ and ‘config-device-only’ keywords:
• on <RF-DOMAIN-NAME> – Erases startup configuration and reloads all devices or specified device(s) within a specified RF Domain
    • <RF-DOMAIN-NAME> – Specify the RF Domain name. After specifying the RF Domain, optionally use the filters provided to identify specific device(s) within the RF Domain. If none of the filters are used, the command is executed on all devices within the RF Domain. These filters are:
        • containing <SUB-STRING> – Optional. Executes the command on all devices containing a specified sub-string in their hostname
            • <SUB-STRING> – Specify the sub-string to match.
        • exclude-controllers – Optional. Executes the command on all devices excluding controllers. Since only a NOC controller is capable of adopting other controllers, use this option when executing the command on a NOC controller.
        • exclude-rf-domain-manager – Optional. Executes the command on all devices excluding RF Domain managers. Use this option when executing the command on the NOC, Site controller, or RF Domain manager.
        • filter <DEVICE-TYPE> – Optional. Executes the command on all devices of a specified type
            • <DEVICE-TYPE> – Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The startup configuration is erased on all devices of the type specified here. For example, if AP6521 is the device-type specified, the command is executed on all AP6521s within the specified RF Domain.

Usage Guidelines
Actions performed by the factory-reset command.
The action taken by this command depends on the parameters passed.
• For the ‘factory-reset [<DEVICE-NAME>|on <RF-DOMAIN-NAME>]’ options, the command:
    - Erases startup configuration on the target device (or) all devices in the target RF Domain.
    - Erases the device configuration entries from the controller’s configuration for the target device (or) for all the devices in the target RF Domain.
    - Reloads the target device (or) all devices in the target RF Domain.
• For the ‘factory-reset config-all [<DEVICE-NAME>|on <RF-DOMAIN-NAME>]’ options, the command:
    - Erases startup configuration on the target device (or) all devices in the target RF Domain.
    - Erases the device configuration entries from the controller’s configuration for the target device (or) for all the devices in the target RF Domain.
• For the ‘factory-reset config-device-only [<DEVICE-NAME>|on <RF-DOMAIN-NAME>]’ options, the command:
    - Erases startup configuration on the target device (or) all devices in the target RF Domain.

Example
nx7500-7F3609#factory-reset config-all ap6522-5A873C
In progress ....
Erased startup-config - success 1 fail 0
Successful device deletion - total 1
nx7500-7F3609#

rfs6000-18072B# factory-reset B4-C7-99-5A-87-3C
In progress ....
Erased startup-config and initiated reload - success 1 fail 0
Successful device deletion - total 1
rfs6000-18072B#

The following example displays the access points in the RF Domain ‘rfd1’:

nx7500-7F3609#show wireless ap on rfd1
---------------------------------------------------------------------------------------
  MODE        : radio modes - W = WLAN, S=Sensor, ' ' (Space) = radio not present
---------------------------------------------------------------------------------------
 AP-NAME     AP-LOCATION  RF-DOMAIN     AP-MAC         #RADIOS  MODE  #CLIENT    IPv4   IPv6
---------------------------------------------------------------------------------------
ap7131-1180FC               rfd1     00-23-68-11-80-FC   2 W-W          0      0.0.0.0      ::
ap6522-551648               rfd1     B4-C7-99-55-16-48   2 W-W          0      0.0.0.0      ::
ap8232-7F0DF8                rfd1     FC-0A-81-7F-0D-F8    2 W-W          0       0.0.0.0      ::
---------------------------------------------------------------------------------------
Total number of APs displayed: 3
nx7500-7F3609#

Note, the factory-reset command executed on an RF Domain with the ‘exclude-rf-domain-manager’ option erases the startup configuration on all devices other than the RF Domain manager.

nx7500-7F3609#factory-reset config-device-only on rfd1 exclude-rf-domain-manager
In progress ....
Erased startup-config -
ap7131-1180FC: OK
ap6522-551648: OK
nx7500-7F3609#

nx7500-7F3609# factory-reset on rfd2
In progress ....
Erased startup-config and initiated reload -
ap650-A6566C: OK,Reload scheduled in 60 seconds...
ap4532-34505C: OK,Reload scheduled in 60 seconds...
ap650-345000: OK,Reload scheduled in 60 seconds...
Successful device deletion - total 3
nx7500-7F3609#
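
Because factory-reset on an RF Domain erases configuration on every matching device, it helps to preview the target set and the resulting actions before the command is run. The following is an added example, not part of the original guide or of WiNG: it models the RF Domain filters and the action list from the Usage Guidelines above. The inventory is constructed from the guide's example output, and the controller and RF Domain manager flags (including marking ap8232-7F0DF8 as the RF Domain manager) and the nx7500-EXAMPLE entry are assumptions.

```python
# Device types accepted by 'filter <DEVICE-TYPE>' (list from the parameter table).
DEVICE_TYPES = {
    "AP6521", "AP6522", "AP6532", "AP6562", "AP7161", "AP7502", "AP7522",
    "AP7532", "AP7562", "AP7602", "AP7612", "AP7622", "AP7632", "AP7662",
    "AP81XX", "AP8232", "AP8432", "AP8533", "RFS4000", "RFS6000", "NX5500",
    "NX75XX", "NX95XX", "NX9600", "VX9000",
}

# Actions per command form, from "Actions performed by the factory-reset command".
ACTIONS = {
    None: {"erase_startup": True, "remove_controller_entries": True, "reload": True},
    "config-all": {"erase_startup": True, "remove_controller_entries": True, "reload": False},
    "config-device-only": {"erase_startup": True, "remove_controller_entries": False, "reload": False},
}

# Constructed inventory. Hostnames for rfd1 come from the guide's example output;
# the role flags and the nx7500-EXAMPLE entry are assumptions for illustration.
INVENTORY = [
    {"hostname": "ap7131-1180FC", "type": "AP7131", "rf_domain": "rfd1",
     "controller": False, "rf_domain_manager": False},
    {"hostname": "ap6522-551648", "type": "AP6522", "rf_domain": "rfd1",
     "controller": False, "rf_domain_manager": False},
    {"hostname": "ap8232-7F0DF8", "type": "AP8232", "rf_domain": "rfd1",
     "controller": False, "rf_domain_manager": True},
    {"hostname": "nx7500-EXAMPLE", "type": "NX75XX", "rf_domain": "rfd2",
     "controller": True, "rf_domain_manager": True},
]


def parse_scope(command):
    """Parse 'factory-reset [config-all|config-device-only] on <RF-DOMAIN> {filter}'."""
    tokens = command.split()
    if not tokens or tokens[0] != "factory-reset":
        raise ValueError("not a factory-reset command")
    tokens = tokens[1:]
    mode = None
    if tokens and tokens[0] in ("config-all", "config-device-only"):
        mode = tokens.pop(0)
    if len(tokens) < 2 or tokens[0] != "on":
        raise ValueError("only the 'on <RF-DOMAIN-NAME>' form is handled here")
    domain, rest = tokens[1], tokens[2:]
    if not rest:
        return mode, domain, None, None          # no filter: whole RF Domain
    kind = rest[0]
    if kind in ("exclude-controllers", "exclude-rf-domain-manager") and len(rest) == 1:
        return mode, domain, kind, None
    if kind in ("containing", "filter") and len(rest) == 2:
        if kind == "filter" and rest[1] not in DEVICE_TYPES:
            raise ValueError("unknown device type: " + rest[1])
        return mode, domain, kind, rest[1]
    raise ValueError("unrecognised filter: " + " ".join(rest))


def preview(command, inventory):
    """Return the devices a command would hit and what would happen to them."""
    mode, domain, kind, arg = parse_scope(command)
    devices = [d for d in inventory if d["rf_domain"] == domain]
    if kind == "containing":
        devices = [d for d in devices if arg in d["hostname"]]
    elif kind == "exclude-controllers":
        devices = [d for d in devices if not d["controller"]]
    elif kind == "exclude-rf-domain-manager":
        devices = [d for d in devices if not d["rf_domain_manager"]]
    elif kind == "filter":
        devices = [d for d in devices if d["type"] == arg]
    result = dict(ACTIONS[mode])
    result["targets"] = sorted(d["hostname"] for d in devices)
    return result


if __name__ == "__main__":
    for cmd in ("factory-reset on rfd1",
                "factory-reset config-device-only on rfd1 exclude-rf-domain-manager"):
        print(cmd, "->", preview(cmd, INVENTORY))
```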

3.1.29 file-sync
Privileged Exec Mode Commands
Syncs trustpoint and/or EAP-TLS X.509 (PKCS#12) certificate between the staging-controller and adopted access points.

When enabling file syncing, consider the following points:
• The X.509 certificate needs synchronization only if the access point is configured to use EAP-TLS authentication.
• Execute the command on the controller adopting the access points.
• Ensure that the X.509 certificate file is installed on the controller.

Syncing of trustpoint/wireless-bridge certificate can be automated. To automate file syncing, in the controller’s device/profile configuration mode, execute the following command: file-sync [auto|count <1-20>]. For more information, see file-sync.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
file-sync [cancel|load-file|trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]
file-sync load-file [trustpoint|wireless-bridge]
file-sync load-file [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] <URL>
file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}

Parameters
• file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]

file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]
Cancels scheduled file synchronization
• trustpoint – Cancels scheduled trustpoint synchronization on a specified AP, all APs, or APs within a specified RF Domain
• wireless-bridge – Cancels scheduled wireless-bridge certificate synchronization on a specified AP, all APs, or APs within a specified RF Domain
    • <DEVICE-NAME> – Cancels scheduled trustpoint/certificate synchronization on a specified AP. Specify the AP’s hostname or MAC address.
    • all – Cancels scheduled trustpoint/certificate synchronization on all APs
    • rf-domain [<DOMAIN-NAME>|all] – Cancels scheduled trustpoint/certificate synchronization on all APs in a specified RF Domain or in all RF Domains
        • <DOMAIN-NAME> – Cancels scheduled trustpoint/certificate synchronization on all APs within a specified RF Domain. Specify the RF Domain’s name.
        • all – Cancels scheduled trustpoint/certificate synchronization on all RF Domains

• file-sync load-file [trustpoint|wireless-bridge] <URL>

file-sync load-file [trustpoint|wireless-bridge] <URL>
Loads the following files on to the staging controller:
• trustpoint – Loads the trustpoint, including CA certificate, server certificate and private key
• wireless-bridge – Loads the wireless-bridge certificate to the staging controller
Use this command to load the certificate to the controller before scheduling or initiating a certificate synchronization.
    • <URL> – Provide the trustpoint/certificate location using one of the following formats:
        tftp://<hostname|IP>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        http://<hostname|IP>[:port]/path/file
        cf:/path/file
        usb<n>:/path/file
Note: Both IPv4 and IPv6 address types are supported.

• file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}

file-sync trustpoint <TRUSTPOINT-NAME> [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all] from-controller]
Configures file-syncing parameters
• trustpoint <TRUSTPOINT-NAME> – Syncs a specified trustpoint between controller and its adopted APs
    • <TRUSTPOINT-NAME> – Specify the trustpoint name.
• wireless-bridge – Syncs wireless-bridge certificate between controller and its adopted APs
After specifying the file that is to be synced, configure following file-sync parameters:
• <DEVICE-NAME> – Syncs trustpoint/certificate with a specified AP. Specify the AP’s hostname or MAC address.
• all – Syncs trustpoint/certificate with all APs
• rf-domain [<DOMAIN-NAME>|all] from-controller – Syncs trustpoint/certificate with all APs in a specified RF Domain or in all RF Domains
    • <DOMAIN-NAME> – Select to sync with APs within a specified RF Domain. Specify the RF Domain’s name.
    • all – Select to sync with APs across all RF Domains
    • from-controller – Optional. Loads certificate to the APs from the adopting controller and not the RF Domain manager
After specifying the access points, specify the following options: reset-radio and upload-time.

reset-radio
This keyword is recursive and applicable to all of the above parameters.
Optional. Resets the radio after file synchronization. Reset the radio in case the certificate is renewed along with no changes made to the ‘bridge EAP username’ and ‘bridge EAP password’.

upload-time <TIME>
This keyword is recursive and applicable to all of the above parameters.
• upload-time – Optional. Schedules certificate upload at a specified time
    • <TIME> – Specify the time in the MM/DD/YYYY-HH:MM or HH:MM format. If no time is configured, the process is initiated as soon as the command is executed.

Example
rfs6000-81742D#file-sync wireless-bridge ap7131-11E6C4 upload-time 06/01/2017-12:30
--------------------------------------------------------------------------------
          CONTROLLER               STATUS                  MESSAGE
--------------------------------------------------------------------------------
  B4-C7-99-6D-CD-4B           Success           Queued 1 APs to upload
--------------------------------------------------------------------------------
rfs6000-81742D#

The following command uploads certificate to all access points:

rfs6000-81742D#file-sync wireless-bridge all upload-time 06/01/2017-23:42
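
The trustpoint loaded by file-sync load-file includes a private key, and of the URL formats listed above only sftp:// encrypts the transfer, while the ftp:// and sftp:// forms also place a password on the command line. The following is an added example, not part of the original guide or of WiNG: a review helper that classifies the transport of a load-file command and redacts the embedded password before the command is stored in a change record. The trustpoint name, addresses, credentials and paths in the samples are constructed.

```python
import re

# URL schemes listed for <URL> in the file-sync load-file parameter table.
CLEARTEXT = {"tftp", "ftp", "http"}      # file contents cross the network unencrypted
ENCRYPTED = {"sftp"}
LOCAL = re.compile(r"^(cf|usb\d+)$")     # cf:/path/file, usb<n>:/path/file

# file-sync load-file [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] <URL>
COMMAND = re.compile(
    r"^file-sync\s+load-file\s+"
    r"(?:trustpoint\s+(?P<name>\S+)|(?P<bridge>wireless-bridge))\s+"
    r"(?P<url>\S+)$"
)
# The <user>:<passwd>@ part of the ftp:// and sftp:// formats.
USERINFO = re.compile(r"(://[^/@:]+):([^@/]+)@")


def review_load_file(command):
    """Classify the transport of a load-file command and redact its password."""
    command = command.strip()
    m = COMMAND.match(command)
    if m is None:
        raise ValueError("not a file-sync load-file command")
    url = m.group("url")
    scheme = url.split(":", 1)[0].lower()
    if LOCAL.match(scheme):
        transport = "local"
    elif scheme in ENCRYPTED:
        transport = "encrypted"
    elif scheme in CLEARTEXT:
        transport = "cleartext"
    else:
        raise ValueError("URL scheme not in the documented list: " + scheme)

    findings = []
    if transport == "cleartext":
        # For a trustpoint this means the private key is readable in transit.
        findings.append("cleartext-transport")
    redacted_url, hits = USERINFO.subn(r"\1:****@", url, count=1)
    if hits:
        # The password is visible wherever the typed command line is recorded.
        findings.append("password-in-command")
    return {
        "file": "trustpoint" if m.group("name") else "wireless-bridge",
        "trustpoint": m.group("name"),
        "transport": transport,
        "findings": findings,
        "redacted": command.replace(url, redacted_url),
    }


# Constructed sample commands (names, addresses and credentials are made up).
SAMPLES = [
    "file-sync load-file trustpoint tp-lab ftp://admin:s3cret@192.168.0.99/certs/tp.p12",
    "file-sync load-file trustpoint tp-lab sftp://admin:s3cret@[2001:db8::10]:22/certs/tp.p12",
    "file-sync load-file wireless-bridge tftp://192.168.0.99:69/certs/wb.p12",
    "file-sync load-file wireless-bridge usb1:/certs/wb.p12",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = review_load_file(sample)
        print(result["transport"], result["findings"], result["redacted"])
```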

3.1.30 halt
Privileged Exec Mode Commands
Stops (halts) a device (access point, wireless controller, or service platform). Once halted, the system must be restarted manually.
This command stops the device immediately. No indications or notifications are provided while the device shuts down.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
halt {force} {(on <DEVICE-NAME>)}

Parameters
• halt {force} {(on <DEVICE-NAME>)}

halt
Halts a device

force
Optional. Forces a device to halt ignoring in-progress operations, such as firmware upgrades, downloads, unsaved configuration changes, etc.

on <DEVICE-NAME>
The following keywords are recursive and applicable to the ‘force’ parameter:
• on <DEVICE-NAME> – Optional. Specifies the name of the device to be halted
    • <DEVICE-NAME> – Enter the name of the AP, wireless controller, or service platform.
If the device name is not specified, the logged device is halted.

Example
nx9500-6C8809#halt on rfs6000-81742D
nx9500-6C8809#

3.1.31 join-cluster
Privileged Exec Mode Commands
Adds a device (access point, wireless controller, or service platform), as cluster member, to an existing cluster of devices. Assign a static IP address to the device before adding it to a cluster.
Note: A cluster can only be formed of devices of the same model type.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
join-cluster <IP> user <USERNAME> password <WORD> {level|mode}
join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}

Parameters
• join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}

join-cluster
Adds an access point, wireless controller, or service platform to an existing cluster

<IP>
Specify the cluster member’s IP address.

user <USERNAME>
Specify a user account with super user privileges on the new cluster member.

password <WORD>
Specify password for the account specified in the user parameter.

level [1|2]
Optional. Configures the routing level
• 1 – Configures level 1 routing
• 2 – Configures level 2 routing

mode [active|standby]
Optional. Configures the cluster mode
• active – Configures cluster mode as active
• standby – Configures cluster mode as standby

Usage Guidelines
To add a device to an existing cluster:
• Configure a static IP address on the device (access point, wireless controller, or service platform).
• Provide username and password for superuser, network admin, system admin, or operator accounts.
After adding the device to a cluster, execute the “write memory” command to ensure the configuration persists across reboots.

Example
rfs6000-81742D#join-cluster 192.168.13.16 user admin password superuser level 1 mode standby
... connecting to 192.168.13.16
... applying cluster configuration
... committing the changes
... saving the changes
[OK]
rfs6000-81742D#

rfs6000-81742D#show context
!
! Configuration of RFS6000 version 5.9.1.0-012D
!
!
version 2.5
!
!
................................................................................
 interface ge1
  switchport mode access
  switchport access vlan 1
 interface vlan1
  ip address 192.168.13.16/24
  ip dhcp client request options all
  no ipv6 enable
  no ipv6 request-dhcpv6-options
 cluster name TechPubs
 cluster mode standby
 cluster member ip 192.168.13.16 level 1
 logging on
 logging console warnings
 logging buffered warnings
!
!
end
rfs6000-81742D#

Related Commands
cluster – Initiates the cluster context. The cluster context provides centralized management to configure all cluster members from any one member.
create-cluster – Creates a new cluster on a specified device

3.1.32 l2tpv3
Privileged Exec Mode Commands
Establishes or brings down an L2TPv3 tunnel

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
l2tpv3 tunnel [<TUNNEL-NAME>|all]
l2tpv3 tunnel <TUNNEL-NAME> [down|session|up]
l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}

Parameters
• l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel <TUNNEL-NAME> [down|up]
Establishes or brings down an L2TPv3 tunnel
• <TUNNEL-NAME> – Specify the tunnel name.
    • down – Brings down the specified tunnel
    • up – Establishes the specified tunnel

on <DEVICE-NAME>
Optional. Establishes or brings down a tunnel on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel <TUNNEL-NAME>
Establishes or brings down an L2TPv3 tunnel
• <TUNNEL-NAME> – Specify the tunnel name.

session <SESSION-NAME> [down|up]
Establishes or brings down a session in the specified tunnel
• <SESSION-NAME> – Specify the session name.
    • down – Brings down the specified tunnel session
    • up – Establishes the specified tunnel session

on <DEVICE-NAME>
Optional. Establishes or brings down a tunnel session on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel
Establishes or brings down a L2TPv3 tunnel

all [down|up]
Establishes or brings down all L2TPv3 tunnels
• down – Brings down all tunnels
• up – Establishes all tunnels

on <DEVICE-NAME>
Optional. Establishes or brings down all tunnels on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D#l2tpv3 tunnel Tunnel1 session Tunnel1Session1 up on rfs6000-81742D

NOTE: For more information on the L2TPv3 tunnel configuration mode and commands, see Chapter 22, L2TPV3-POLICY.

3.1.33 logging
Privileged Exec Mode Commands
Modifies message logging settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|warnings|notifications}

Parameters
• logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings}

monitor
Sets terminal lines logging levels. The logging severity levels can be set from 0 - 7. The system configures default settings, if no logging severity level is specified.
• <0-7> – Optional. Enter the logging severity level from 0 - 7. The various levels and their implications are:
    • alerts – Optional. Immediate action needed (severity=1)
    • critical – Optional. Critical conditions (severity=2)
    • debugging – Optional. Debugging messages (severity=7)
    • emergencies – Optional. System is unusable (severity=0)
    • errors – Optional. Error conditions (severity=3)
    • informational – Optional. Informational messages (severity=6)
    • notifications – Optional. Normal but significant conditions (severity=5)
    • warnings – Optional. Warning conditions (severity=4)
Note: Ensure that the logging module is enabled, before configuring the message logging level. To enable message logging, in the device’s configuration mode, execute the logging > on command. Message logging can also be enabled on a profile.

Example
rfs6000-81742D(config-device-00-15-70-81-74-2D)#logging on
rfs6000-81742D#logging monitor debugging
rfs6000-81742D#show logging

Logging module: enabled
    Aggregation time: disabled
    Console logging: level warnings
    Monitor logging: disabled
    Buffered logging: level warnings
    Syslog logging: level warnings
        Facility: local7

Log Buffer (70096 bytes):

Apr 04 12:43:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
Apr 04 12:33:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
--More--
rfs6000-81742D#

Related Commands
no – Resets terminal lines logging levels

3.1.34 mint
Privileged Exec Mode Commands
Uses MiNT protocol to perform a ping and traceroute to a remote device

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mint [ping|traceroute]
mint ping <MINT-ID> {count <1-10000>|size <1-64000>|timeout <1-10>}
mint traceroute <MINT-ID> {destination-port <1-65535>|max-hops <1-255>|source-port <1-65535>|timeout <1-255>}

Parameters
• mint ping <MINT-ID> {count <1-10000>|size <1-64000>|timeout <1-10>}

ping <MINT-ID>
Sends a MiNT echo message to a specified destination
• <MINT-ID> – Specify the destination device’s MiNT ID.

count <1-10000>
Optional. Sets the pings to the MiNT destination
• <1-10000> – Specify a value from 1 - 60. The default is 3.

size <1-64000>
Optional. Sets the MiNT payload size in bytes
• <1-64000> – Specify a value from 1 - 640000 bytes. The default is 64 bytes.

timeout <1-10>
Optional. Sets a response time in seconds
• <1-10> – Specify a value from 1 - 10 seconds. The default is 1 second.

• mint traceroute <MINT-ID> {destination-port <1-65535>|max-hops <1-255>|source-port <1-65535>|timeout <1-255>}

traceroute <MINT-ID>
Prints the route packets trace to a device
• <MINT-ID> – Specify the destination device’s MiNT ID.

destination-port <1-65535>
Optional. Sets the Equal-cost Multi-path (ECMP) routing destination port
• <1-65535> – Specify a value from 1 - 65535. The default port is 45.

max-hops <1-255>
Optional. Sets the maximum number of hops a traceroute packet traverses in the forward direction
• <1-255> – Specify a value from 1 - 255. The default is 30.

source-port <1-65535>
Optional. Sets the ECMP source port
• <1-65535> – Specify a value from 1 - 65535. The default port is 45.

timeout <1-255>
Optional. Sets the minimum response time period
• <1-255> – Specify a value from 1 - 255 seconds. The default is 30 seconds.

Example
rfs4000-229D58#mint ping 68.88.0D.A7
MiNT ping 68.88.0D.A7 with 64 bytes of data.
 Response from 68.88.0D.A7: id=1 time=0.364 ms
 Response from 68.88.0D.A7: id=2 time=0.333 ms
 Response from 68.88.0D.A7: id=3 time=0.368 ms
--- 68.88.0D.A7 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.333/0.355/0.368 ms
rfs4000-229D58#

3.1.35 mkdir

Creates a new directory in the file system

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mkdir <DIR>

Parameters
• mkdir <DIR>

<DIR>
    Specify a directory name.
    Note: A directory, specified by the <DIR> parameter, is created within the file system.

Example
rfs4000-880DA7#dir
Directory of flash:/.
  drwx             Tue Sep 27 06:25:15 2016   log
  drwx             Sat Jan  1 05:30:08 2000   configs
  drwx             Sat Jan  1 05:30:08 2000   cache
  drwx             Wed Nov  4 16:12:15 2015   crashinfo
  drwx             Mon Sep 26 10:45:03 2016   archived_logs
  drwx             Sat Jan  1 05:30:08 2000   upgrade
  drwx             Sat Jan  1 05:30:23 2000   hotspot
  drwx             Sat Jan  1 05:30:08 2000   floorplans
  drwx             Sat Jan  1 05:30:08 2000   tmptpd
rfs4000-880DA7#
rfs4000-880DA7#mkdir test
rfs4000-880DA7#dir
Directory of flash:/.
  drwx             Tue Sep 27 06:25:15 2016   log
  drwx             Tue Sep 27 15:20:01 2016   test
  drwx             Sat Jan  1 05:30:08 2000   configs
  drwx             Sat Jan  1 05:30:08 2000   cache
  drwx             Wed Nov  4 16:12:15 2015   crashinfo
  drwx             Mon Sep 26 10:45:03 2016   archived_logs
  drwx             Sat Jan  1 05:30:08 2000   upgrade
  drwx             Sat Jan  1 05:30:23 2000   hotspot
  drwx             Sat Jan  1 05:30:08 2000   floorplans
  drwx             Sat Jan  1 05:30:08 2000   tmptpd
rfs4000-880DA7#

3.1.36 more

Displays files on the device’s file system. This command navigates and displays specific files in the device’s file system. Provide the complete path to the file: more <file>.
The more command also displays the startup configuration file.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
more <FILE>

Parameters
• more <FILE>

<FILE>
    Specify the file name and location.

Example
rfs4000-880DA7#more flash:/archived_logs/startup.5.log00-07-42-05-30-17
May 30 05:37:43 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/logd"
May 30 05:37:43 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/isDiag"
May 30 05:37:48 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/rim"
May 30 05:37:51 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
May 30 05:38:18 2017: %PM-6-PROCSTART: Starting process "/etc/init.d/cfgd"
May 30 05:38:19 2017: %KERN-6-INFO: up1 { no link }.
May 30 05:38:19 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/nsm"
May 30 05:38:21 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/mstp"
May 30 05:38:21 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/hsd"
May 30 05:38:22 2017: %PM-6-PROCSTART: Starting process "/etc/init.d/dpd2.init"
May 30 05:38:22 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/ssm"
--More--
rfs4000-880DA7#

3.1.37 no

Use the no command to revert a command or a set of parameters to their default. This command is useful to turn off an enabled feature or to revert to default settings.
The no commands have their own set of parameters that can be reset. These parameters depend on the context in which the command is being used.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [adoption|captive-portal|cpe|crypto|debug|logging|page|raid|service|terminal|upgrade|virtual-machine|wireless]
no adoption {on <DEVICE-OR-DOMAIN-NAME>}
no captive-portal client [captive-portal <CAPTIVE-PORTAL-NAME>|mac <MAC>] {on <DEVICE-OR-DOMAIN-NAME>}
no crypto pki [server|trustpoint]
no crypto pki [server|trustpoint] <TRUSTPOINT-NAME> {del-key {on <DEVICE-NAME>}| on <DEVICE-NAME>}
no logging monitor
no page
no service [block-adopter-config-update|locator|snmp|ssm|wireless]
no service block-adopter-config-update
no service locator {on <DEVICE-NAME>}
no service snmp sysoid wing5
no service ssm trace pattern {<WORD>} {(on <DEVICE-NAME>)}
no service wireless [trace pattern {<WORD>} {(on <DEVICE-NAME>)}|unsanctioned ap air-terminate <BSSID> {on <DOMAIN-NAME>}]
no terminal [length|width]
no upgrade <PATCH-NAME> {on <DEVICE-NAME>}
no wireless client [all|<MAC>]
no wireless client all {filter|on}
no wireless client all {filter [wlan <WLAN-NAME>]}
no wireless client all {on <DEVICE-OR-DOMAIN-NAME>} {filter [wlan <WLAN-NAME>]}
no wireless client mac <MAC> {on <DEVICE-OR-DOMAIN-NAME>}

The following command is available only on the NX95XX series service platforms:
no cpe led cpe [<1-24>|all] {on <T5-DEVICE-NAME>}
no virtual-machine assign-usb-ports {on <DEVICE-NAME>}
no raid locate

NOTE: The no > adoption command resets the adoption state of a specified device (and all devices adopted to it) or devices within a specified RF Domain. When executed without specifying the device or RF Domain, the command resets the adoption state of the logged device and all devices, if any, adopted to it.

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Resets or reverts settings based on the parameters passed

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example
rfs4000-229D58#no adoption
rfs4000-229D58#
rfs6000-81742D#no page
rfs6000-81742D#

3.1.38 on

Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, and show

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
on rf-domain [<RF-DOMAIN-NAME>|all]

Parameters
• on rf-domain [<RF-DOMAIN-NAME>|all]

on rf-domain [<RF-DOMAIN-NAME>|all]
    Enters the RF Domain context based on the parameter specified
    • <RF-DOMAIN-NAME> – Specify the RF Domain name. Enters the specified RF Domain context.
    • all – Specifies all RF Domains.

Example
nx9500-6C8809#on rf-domain TechPubs
nx9500-6C8809(TechPubs)#
nx9500-6C8809(TechPubs)#?
on RF-Domain Mode commands:
  clrscr   Clears the display screen
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  service  Service Commands
  show     Show running system information
nx9500-6C8809(TechPubs)#?
nx9500-6C8809(TechPubs)#show adoption timeline on TechPubs/ap7562-84A224
-------------------------------------------------------------------------------------
            AP-NAME      RF-DOMAIN   LAST-ADOPTION-TIMESTAMP        ADOPTED-SINCE
-------------------------------------------------------------------------------------
      nx9500-6C8809       TechPubs       2016-09-09 00:00:14     7 days 05:19:49
     rfs4000-880DA7       TechPubs       2016-09-08 23:59:57     7 days 05:20:06
     rfs6000-81742D       TechPubs       2016-09-08 05:52:04     7 days 23:27:58
-------------------------------------------------------------------------------------
Total number of devices displayed: 3
nx9500-6C8809(TechPubs)#

3.1.39 opendns

Fetches the OpenDNS device_id from the OpenDNS site. Use this command to fetch the OpenDNS device_id. Once fetched, apply the device_id to WLANs that are to be OpenDNS enabled.

OpenDNS is a free DNS service that enables swift Web navigation without frequent outages. It is more reliable than other available DNS services, and provides the following services: DNS query resolution, Web-filtering, protection against virus and malware attacks, performance enhancement, etc.

This command is part of a set of configurations that are required to integrate WiNG devices with OpenDNS. When integrated, DNS queries going out of the WiNG device (access point, controller, or service platform) are re-directed to OpenDNS (208.67.220.220 or 208.67.222.222) resolvers that act as proxy DNS servers. For more information on enabling OpenDNS support, see Enabling OpenDNS Support.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
opendns [APIToken|username]
opendns APIToken <OPENDNS-APITOKEN>
opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>

Note, you can use either of the above commands to fetch the device_id from the OpenDNS site.

Parameters
• opendns APIToken <OPENDNS-APITOKEN>

opendns
    Fetches the device_id from the OpenDNS site using the OpenDNS API token
APIToken <OPENDNS-APITOKEN>
    Configures the OpenDNS APIToken. This is the token provided to you by CISCO at the time of subscribing for their OpenDNS service.
    • <OPENDNS-APITOKEN> – Provide the OpenDNS API token (should be a valid token).
    For every valid OpenDNS API token provided, a device_id is returned. Apply this device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns.

• opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>

opendns
    Fetches the device_id from the OpenDNS site using the OpenDNS credentials
username <USERNAME>
    Configures the OpenDNS user name. This is your OpenDNS email ID provided by CISCO at the time of subscribing for their OpenDNS service.
    • <USERNAME> – Provide the OpenDNS user name (should be a valid OpenDNS username).
password <OPENDNS-PSWD>
    Configures the password associated with the user name specified in the previous step
    • <OPENDNS-PSWD> – Provide the OpenDNS password (should be a valid OpenDNS password).
label <LABEL>
    Configures the network label. This is the label (the user friendly name) of your network, and should be the same as the label (name) configured on the OpenDNS portal.
    • <LABEL> – Specify your network label.
    For every set of username, password, and label passed, only one unique device_id is returned. Apply this device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns.

Example
ap7131-E6D512#opendns username bob@examplecompany.com password opendns label company_name
Connecting to OpenDNS server...
device_id = 0014AADF8EDC6C59
ap7131-E6D512#
nx9600-7F3C7F#opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
  device_id = 001480fe36dcb245
nx9600-7F3C7F#

Example Enabling OpenDNS Support
The following example shows how to enable OpenDNS support:

1 Fetch the OpenDNS device_id from the OpenDNS site.

a In the User/Privilege executable mode, execute one of the following commands:
nx9500-6C874D#opendns APIToken <OPENDNS-APITOKEN>
nx9500-6C8809#opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
  device_id = 001480fe36dcb245
nx9500-6C8809#
OR
nx9500-6C8809#opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>

Note, the OpenDNS API token and/or user account credentials are provided by the OpenDNS service provider when subscribing for the OpenDNS service.

b Apply the device_id fetched in step 1 to the WLAN.
nx9500-6C8809(config-wlan-opendns)#opendns device-id <OPENDNS-DEVICE-ID>
nx9500-6C8809(config-wlan-opendns)#opendns device-id 001480fe36dcb245
nx9500-6C8809(config-wlan-opendns)#show context
wlan opendns
 ssid opendns
 bridging-mode local
 encryption-type none
 authentication-type none
 opendns device-id 001480fe36dcb245
nx9500-6C8809(config-wlan-opendns)#

Once applied, DNS queries originating from wireless clients associating with the WLAN are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet.

2 Configure a DHCP server policy, and set the DHCP pool’s DNS server configuration to point to the OpenDNS servers.
nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#dns-server 208.67.222.222

Note, you can configure any one of the following OpenDNS servers: 208.67.222.222 OR 208.67.222.220

nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#show context
 dhcp-pool opendnsPool
  dns-server  208.67.222.222
nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#

3 Apply the DHCP server policy configured in step 2 on the access point, controller, or service platform.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#use dhcp-server-policy opendns
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include use
 use profile default-nx9000
 use rf-domain TechPubs
 use database-policy default
 use nsight-policy noc
 use dhcp-server-policy opendns
 use auto-provisioning-policy TechPubs
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

When configured, DNS queries are forwarded by the access point, controller, or service platform to the specified OpenDNS resolver.

4 Configure an IP Access Control List with the following permit and deny rules:
nx9500-6C8809(config-ip-acl-OpenDNS)#permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
nx9500-6C8809(config-ip-acl-OpenDNS)#deny udp any any eq dns rule-precedence 10 rule-description "block all DNS queries"
nx9500-6C8809(config-ip-acl-OpenDNS)#permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
nx9500-6C8809(config-ip-acl-OpenDNS)#show context
ip access-list OpenDNS
 permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
 deny udp any any eq dns rule-precedence 10 rule-description "block all dns queries"
 permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
nx9500-6C8809(config-ip-acl-OpenDNS)#

When configured and applied in the WLAN context, the IP ACL prevents wireless clients from adding their own DNS servers to bypass the Web filtering and network policies enforced by OpenDNS.

5 Apply the IP ACL configured in step 4 in the WLAN context.
nx9500-6C8809(config-wlan-opendns)#use ip-access-list out OpenDNS
nx9500-6C8809(config-wlan-opendns)#show context
wlan opendns
 ssid opendns
 vlan 1
 bridging-mode local
 encryption-type none
 authentication-type none
 use ip-access-list in OpenDNS
 use ip-access-list out OpenDNS
 opendns device-id 0014AADF8EDC6C59
nx9500-6C8809(config-wlan-opendns)#

When applied to the WLAN, only the DNS queries directed to the OpenDNS server are forwarded. All other DNS queries are dropped.
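
The IP ACL from step 4 can be checked offline before it is applied to a WLAN. The Python sketch below is an added example, not part of the Extreme Networks guide: it parses the three rules as printed by show context and evaluates sample flows against them. It assumes rules are evaluated in ascending rule-precedence order with the first match deciding; the client address and the 192.0.2.53 test resolver are constructed values.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three rules exactly as printed by "show context" in step 4.
ACL_TEXT = """
permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
deny udp any any eq dns rule-precedence 10 rule-description "block all dns queries"
permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
"""

NAMED_PORTS = {"dns": 53}
CLIENT = "10.0.0.5"            # constructed wireless client address
PROBE_RESOLVER = "192.0.2.53"  # constructed non-OpenDNS resolver (TEST-NET-1)


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[str]    # None means "any"
    dst: Optional[str]    # None means "any"
    dport: Optional[int]  # None means no port match
    precedence: int
    description: str


def _address(tokens: List[str]) -> Optional[str]:
    """Consume 'any' or 'host <ip>' (the only address forms used on the page)."""
    kind = tokens.pop(0)
    if kind == "any":
        return None
    if kind == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {kind!r}")


def parse_rule(line: str) -> Rule:
    tokens = shlex.split(line)  # keeps the quoted rule-description as one token
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    src, dst = _address(tokens), _address(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        dport = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
        del tokens[:2]
    options = dict(zip(tokens[0::2], tokens[1::2]))
    return Rule(action, proto, src, dst, dport,
                int(options["rule-precedence"]),
                options.get("rule-description", ""))


def load_acl(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: int) -> Optional[Rule]:
    """Return the first matching rule in ascending precedence (assumed order)."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if (rule.proto in ("ip", proto)
                and rule.src in (None, src)
                and rule.dst in (None, dst)
                and rule.dport in (None, dport)):
            return rule
    return None


def unfiltered_dns(rules: List[Rule]) -> List[Tuple[str, int]]:
    """Port-53 flows to a non-approved resolver that the ACL still permits."""
    findings = []
    for proto in ("udp", "tcp"):
        hit = evaluate(rules, proto, CLIENT, PROBE_RESOLVER, 53)
        if hit is not None and hit.action == "permit":
            findings.append((proto, hit.precedence))
    return findings


def blocked_resolvers(rules: List[Rule], resolvers: List[str]) -> List[str]:
    """Resolvers the DHCP pool might hand out that the ACL does not permit."""
    blocked = []
    for ip in resolvers:
        hit = evaluate(rules, "udp", CLIENT, ip, 53)
        if hit is None or hit.action == "deny":
            blocked.append(ip)
    return blocked


if __name__ == "__main__":
    acl = load_acl(ACL_TEXT)
    for proto, prec in unfiltered_dns(acl):
        print(f"{proto}/53 to {PROBE_RESOLVER} is permitted by rule-precedence {prec}")
    # Resolver addresses as listed in the opendns command description.
    for ip in blocked_resolvers(acl, ["208.67.222.222", "208.67.220.220"]):
        print(f"udp/53 to {ip} is not permitted by this ACL")
```

Run against the page's rules, the check reports that TCP port 53 toward a non-OpenDNS resolver falls through to rule 100, because the deny rule matches UDP only. It also reports that 208.67.220.220 is blocked by rule 10, so the DHCP pool has to hand out 208.67.222.222 unless the ACL gains a matching permit rule.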

3.1.40 page

Toggles controller paging. Enabling this command displays the CLI command output page by page, instead of running the entire output at once.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
page

Parameters
None

Example
rfs6000-81742D#page
rfs6000-81742D#

Related Commands
no
    Disables controller paging

3.1.41 ping

Sends Internet Control Message Protocol (ICMP) echo messages to a user-specified location

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|source [<IP>|pppoe|vlan <1-4094>|wwan]}

Parameters
• ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|source [<IP>|pppoe|vlan <1-4094>|wwan]}

<IP/HOSTNAME>
    Specify the destination IP address or hostname to ping. When entered without any parameters, this command prompts for an IP address or a hostname.
count <1-10000>
    Optional. Sets the number of pings sent to the specified destination
    • <1-10000> – Specify a value from 1 - 10000. The default is 5.
dont-fragment {count|size}
    Optional. Sets the dont-fragment bit in the ping packet. Packets with the dont-fragment bit set are not fragmented. When a packet with the dont-fragment bit set exceeds the specified Maximum Transmission Unit (MTU) value, an error message is sent from the device trying to fragment it.
    • count <1-10000> – Sets the number of pings sent to the specified destination from 1 - 10000. The default is 5.
    • size <1-64000> – Sets the ping payload size from 1 - 64000 bytes. The default is 100 bytes.
size <1-64000>
    Optional. Sets the ping packet’s size in bytes
    • <1-64000> – Specify the ping payload size from 1 - 64000 bytes. The default is 100 bytes.
source [<IP>|pppoe|vlan <1-4094>|wwan]
    Optional. Sets the source address or interface name. This is the source of the ICMP packet to the specified destination.
    • <IP> – Specifies the source IP address
    • pppoe – Selects the PPP over Ethernet interface
    • vlan <1-4094> – Selects the VLAN interface from 1 - 4094
    • wwan – Selects the wireless WAN interface

Example
rfs6000-81742D#ping 192.168.13.13 count 4
PING 192.168.13.13 (192.168.13.13) 100(128) bytes of data.
108 bytes from 192.168.13.13: icmp_seq=1 ttl=64 time=0.356 ms
108 bytes from 192.168.13.13: icmp_seq=2 ttl=64 time=0.211 ms
108 bytes from 192.168.13.13: icmp_seq=3 ttl=64 time=0.199 ms
108 bytes from 192.168.13.13: icmp_seq=4 ttl=64 time=0.215 ms
--- 192.168.13.13 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.199/0.245/0.356/0.065 ms
rfs6000-81742D#
rfs6000-81742D#ping 10.233.89.182 source vlan 1
PING 10.233.89.182 (10.233.89.182) from 192.168.13.24 vlan1: 100(128) bytes of data.
From 192.168.13.2 icmp_seq=1 Packet filtered
From 192.168.13.2 icmp_seq=2 Packet filtered
From 192.168.13.2 icmp_seq=3 Packet filtered
From 192.168.13.2 icmp_seq=4 Packet filtered
From 192.168.13.2 icmp_seq=5 Packet filtered
--- 10.233.89.182 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3997ms
rfs6000-81742D#

3.1.42 ping6

Sends ICMPv6 echo messages to a user-specified IPv6 address

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ping6 <IPv6/HOSTNAME> {<INTF-NAME>|count <1-10000>|size <1-64000>}

Parameters
• ping6 <IPv6/HOSTNAME> {<INTF-NAME>|count <1-10000>|size <1-64000>}

<IPv6/HOSTNAME>
    Specify the destination IPv6 address or hostname.
<INTF-NAME>
    Optional. Specify the interface name for link local/broadcast address
count <1-10000>
    Optional. Sets the number of pings sent to the specified IPv6 destination
    • <1-10000> – Specify a value from 1 - 10000. The default is 5.
size <1-64000>
    Optional. Sets the IPv6 ping payload size in bytes
    • <1-64000> – Specify the ping payload size from 1 - 64000. The default is 100 bytes.

Usage Guidelines
To configure a device’s IPv6 address, in the VLAN interface configuration mode, use the ipv6 > address <IPv6-ADDRESS> command. After configuring the IPv6 address, use the ipv6 > enable command to enable IPv6. For more information, see ipv6.

Example
rfs4000-880DA7#ping6 2001:10:10:10:10:10:10:2 count 6 size 200
PING 2001:10:10:10:10:10:10:2(2001:10:10:10:10:10:10:2) 200 data bytes
208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=1 ttl=64 time=0.509 ms
208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=2 ttl=64 time=0.323 ms
208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=3 ttl=64 time=0.318 ms
208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=4 ttl=64 time=0.317 ms
208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=5 ttl=64 time=0.314 ms
208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=6 ttl=64 time=0.318 ms
--- 2001:10:10:10:10:10:10:2 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 4999ms
rtt min/avg/max/mdev = 0.314/0.349/0.509/0.075 ms
rfs4000-880DA7#

3.1.43 pwd

Displays the full path of the present working directory, similar to the UNIX pwd command

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
pwd

Parameters
None

Example
rfs4000-229D58#pwd
flash:/
rfs4000-229D58#
rfs4000-229D58#dir
Directory of flash:/.
  drwx             Mon Feb  8 17:37:21 2016   log
  drwx             Sat Jan  1 05:30:08 2000   configs
  drwx             Sat Jan  1 05:30:08 2000   cache
  drwx             Thu Nov 12 17:55:02 2015   crashinfo
  drwx             Mon Feb  8 17:34:21 2016   archived_logs
  drwx             Sat Jan  1 05:30:08 2000   upgrade
  drwx             Sat Jan  1 05:30:23 2000   hotspot
  drwx             Sat Jan  1 05:30:08 2000   floorplans
  drwx             Sat Jan  1 05:30:08 2000   tmptpd
rfs4000-229D58#

3.1.44 re-elect

Re-elects the tunnel controller (wireless controller or service platform)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
re-elect tunnel-controller {<WORD> {on <DEVICE-NAME>}|on <DEVICE-NAME>}

Parameters
• re-elect tunnel-controller {<WORD> {on <DEVICE-NAME>}|on <DEVICE-NAME>}

re-elect tunnel-controller
    Re-elects the tunnel controller
<WORD> {on <DEVICE-NAME>}
    Optional. Re-elects the tunnel controller on all devices whose preferred tunnel controller name matches <WORD>
    • on <DEVICE-NAME> – Optional. Re-elects the tunnel controller on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs4000-880DA7#re-elect tunnel-controller
OK
rfs4000-880DA7#

3.1.45 reload

Halts a device or devices and performs a warm reboot

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
reload {<DEVICE-MAC-OR-HOSTNAME>|at|cancel|force|in|on|staggered}
reload {(<DEVICE-MAC-OR-HOSTNAME>)}
reload {at <TIME> <1-31> <MONTH> <1993-2035> {on <DEVICE-OR-DOMAIN-NAME>}}
reload {cancel} {on <DEVICE-OR-DOMAIN-NAME>}
reload {force} {(<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>|staggered)}
reload {force} {(<DEVICE-MAC-OR-HOSTNAME>)}
reload {force} {on <DOMAIN-NAME> {staggered}|staggered {<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>}} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
reload {in <1-999>} {list|on}
reload {in <1-999>} {list {<LINE>|all}|on <DEVICE-OR-DOMAIN-NAME>}
reload {in <1-999>} {on <DEVICE-OR-DOMAIN-NAME>}
reload {on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
reload {staggered} {(<DEVICE-MAC-OR-HOSTNAME>)|on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

Parameters
• reload {(<DEVICE-MAC-OR-HOSTNAME>)}

reload <DEVICE-MAC-OR-HOSTNAME>
    Initiates device(s) reload and configures associated parameters
    The following keyword is recursive and allows you to specify multiple devices:
    • <DEVICE-MAC-OR-HOSTNAME> – Optional. Reloads a specified device(s), identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the device’s hostname or MAC address.
    If no device is specified, the system reloads the logged device.

• reload {at <TIME> <1-31> <MONTH> <1993-2035> {on <DEVICE-OR-DOMAIN-NAME>}}

reload at
    Initiates device(s) reload and configures associated parameters
    • at – Optional. Schedules a reload at a specified time and day. Use the following keywords to specify the time and day: <TIME>, <1-31>, <MONTH>, and <1993-2035>.
<TIME>
    Specifies the time in the HH:MM:SS format
<1-31>
    Specifies the day of the month from 1 - 31
<MONTH>
    Specifies the month from Jan - Dec
<1993-2035>
    Specifies the year from 1993 - 2035. It should be a valid 4 digit year.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Performs reload at the scheduled time, on a specified device or all devices within a specified RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain. When an RF Domain name is provided, all devices within the specified RF Domain are reloaded at the scheduled time.
    If no device is specified, the reload is scheduled on the logged device.

• reload {cancel} {on <DEVICE-OR-DOMAIN-NAME>}

reload cancel on <DEVICE-OR-DOMAIN-NAME>
    Cancels pending/scheduled reloads of device(s)
    • cancel – Optional. Cancels all pending reloads
        • on <DEVICE-OR-DOMAIN-NAME> – Optional. Cancels reloads pending on a specified device or all devices within a specified RF Domain
            • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.
    If no device is specified, the system cancels reloads pending on the logged device.

• reload {force} {(<DEVICE-MAC-OR-HOSTNAME>)}

reload force
    Initiates device(s) reload and configures associated parameters
    • force – Optional. Forces device(s) to reload, while ignoring conditions like upgrade in progress, unsaved changes, etc. Use the options provided to force a reload on a specified device or all devices in an RF Domain.
<DEVICE-MAC-OR-HOSTNAME>
    This keyword is recursive and allows you to specify multiple devices.
    • <DEVICE-MAC-OR-HOSTNAME> – Optional. Forces a reload on a specified device identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the device’s hostname or MAC address. When executed, the specified device(s) are forced to halt and a warm reboot is performed.
    If no device is specified, the system forcefully reloads the logged device.

• reload {force} {on <DOMAIN-NAME> {staggered}|staggered {<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>}} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

reload force
    Initiates device(s) reload and configures associated parameters
    • force – Optional. Forces device(s) to reload, while ignoring conditions like upgrade in progress, unsaved changes, etc. Use the options provided to force a reload on a specified device or all devices in an RF Domain.
on <DOMAIN-NAME> staggered
    Optional. Forces a reload on all devices in an RF Domain
    • <DOMAIN-NAME> – Optional. Specify the name of the RF Domain. When executed, all devices within the specified RF Domain are forced to halt and a warm reboot is performed.
        • staggered – Optional. Enables staggered reload of devices (one at a time) without network impact. Use this option when rebooting multiple devices within an RF Domain. When executed, all devices within the specified RF Domain are forced to halt and reboot in a staggered manner.
staggered {<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>}
    Optional. Enables staggered reload of devices (one at a time) without network impact
    • <DEVICE-MAC-OR-HOSTNAME> – Optional. Forces a reload on specified device(s) identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the device’s hostname or MAC address. This is a recursive keyword that allows you to specify multiple devices. When executed, the specified device(s) are forced to halt and a warm reboot is performed.
    • on <DOMAIN-NAME> – Optional. Forces a reload on all devices in an RF Domain. Specify the name of the RF Domain. When executed, all devices within the specified RF Domain are forced to halt and a warm reboot is performed.
    If no device or RF Domain is specified, the system forcefully reloads the logged device.
{containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
    When forcefully reloading devices in an RF Domain, you can use the following options to filter specific devices or device types:
    • containing <WORD> – Optional. Filters out devices containing a specified sub-string in their hostnames
        • <WORD> – Optional. Provide the sub-string to match. All devices having hostnames containing the provided sub-string are filtered and forcefully reloaded.
    • exclude-controllers – Optional. Excludes all controllers in the specified RF Domain from the reload process
    • exclude-rf-domain-manager – Optional. Excludes the RF Domain manager from the reload process
    • filter <DEVICE-TYPE> – Optional. Filters devices by the device type specified. Select the type of device. All devices, of the specified type, within the specified RF Domain, are forcefully reloaded.
        • <DEVICE-TYPE> – Select the type of device to reload. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000, t5.

• reload {in <1-999>} {list {<LINE>|all}|on <DEVICE-OR-DOMAIN-NAME>}

reload in <1-999>
    Initiates device(s) reload and configures associated parameters
    • in – Optional. Performs a reload after a specified time period
        • <1-999> – Specify the time from 1 - 999 minutes
list {<LINE>|all}
    Optional. Reloads all adopted devices or specified devices
    • <LINE> – Optional. Reloads listed devices. List all devices (to be reloaded) separated by a space.
    • all – Optional. Reloads all devices adopted by this controller
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Reloads a specified device or all devices within a specified RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.
• reload {on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

reload on <DOMAIN-NAME>
Initiates device(s) reload and configures associated parameters
• on <DOMAIN-NAME> – Optional. Enables reload of all devices in a RF Domain
  • <DOMAIN-NAME> – Specify the name of the RF Domain. When executed, all devices within the specified RF Domain are immediately halted and a warm reboot is performed.
If no RF Domain is specified, the system reloads the logged device.

{containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
When reloading devices in a RF Domain, you can use the following options to filter specific devices or device types:
• containing <WORD> – Optional. Filters out devices containing a specified sub-string in their hostnames.
  • <WORD> – Optional. Provide the sub-string to match. All devices having hostnames containing the provided sub-string are filtered and forcefully reloaded.
• exclude-controllers – Optional. Excludes all controllers in the specified RF Domain from the reload process
• exclude-rf-domain-manager – Optional. Excludes the RF Domain manager from the reload process
• filter <DEVICE-TYPE> – Optional. Filters devices by the device type specified. Select the type of device to reload. All devices, of the specified type, within the specified RF Domain, are forcefully reloaded.
  • <DEVICE-TYPE> – Select the type of device to reload. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000, t5. All devices of the type specified are reloaded.

• reload {staggered} {(<DEVICE-MAC-OR-HOSTNAME>)|on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

reload staggered
Initiates device(s) reload and configures associated parameters
• staggered – Optional. Enables staggered reload of devices (one at a time) without network impact

{<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>}
Use one of the following options to specify a single device, multiple devices, or a RF Domain
• <DEVICE-MAC-OR-HOSTNAME> – Optional. Performs staggered reload on specified device(s) identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the device’s hostname or MAC address. This is a recursive keyword that allows you to specify multiple devices. When executed, the specified device(s) are halted and a warm reboot is performed. Multiple devices are halted and rebooted one at a time without impacting network functioning.
• <DOMAIN-NAME> – Optional. Performs staggered reload of all devices in a RF Domain. Specify the name of the RF Domain. When executed, devices in the specified RF Domain are halted and rebooted one at a time without impacting network functioning. Use additional filter options to filter devices in the specified RF Domain.
If no device or RF Domain is specified, the system reloads the logged device.
{containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
When reloading devices in a RF Domain, you can use the following options to filter specific devices or device types:
• containing <WORD> – Optional. Filters out devices containing a specified sub-string in their hostnames.
  • <WORD> – Optional. Provide the sub-string to match. All devices having hostnames containing the provided sub-string are filtered and reloaded.
• exclude-controllers – Optional. Excludes all controllers in the specified RF Domain from the reload process
• exclude-rf-domain-manager – Optional. Excludes the RF Domain manager from the reload process
• filter <DEVICE-TYPE> – Optional. Filters devices by the device type specified. Select the type of device. All devices, of the specified type, within the specified RF Domain, are reloaded.
  • <DEVICE-TYPE> – Select the type of device to reload. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000, t5.

Example
rfs7000-6DCD4B#reload at 12:30:00 31 Mar 2015 on rfs6000-81742D
Reload scheduled at 2015-03-31 12:30:00 UTC ...
rfs7000-6DCD4B#
rfs7000-6DCD4B#reload cancel on rfs6000-81742D
Scheduled reload cancelled.
rfs7000-6DCD4B#

The following example schedules a reload on all non-controller devices in the RF Domain ‘default’:
rfs7000-6DCD4B#reload on default exclude-controllers
ap8132-711728: OK
rfs7000-6DCD4B#
3.1.46 rename
Renames a file in the devices’ file system

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rename <OLD-FILE-NAME> <NEW-FILE-NAME>

Parameters
• rename <OLD-FILE-NAME> <NEW-FILE-NAME>

<OLD-FILE-NAME>
Specify the file to rename.
<NEW-FILE-NAME>
Specify the new file name.

Example
rfs4000-880DA7#dir
Directory of flash:/.
  drwx             Wed Sep 14 13:54:10 2016   log
  drwx             Sat Jan  1 05:30:08 2000   configs
  drwx             Sat Jan  1 05:30:08 2000   cache
  drwx             Wed Nov  4 16:12:15 2015   crashinfo
  drwx             Fri Sep 16 05:26:37 2016   testdir
  drwx             Thu Sep  8 04:09:30 2016   archived_logs
  drwx             Sat Jan  1 05:30:08 2000   upgrade
  drwx             Sat Jan  1 05:30:23 2000   hotspot
  drwx             Sat Jan  1 05:30:08 2000   floorplans
  drwx             Sat Jan  1 05:30:08 2000   tmptpd
rfs4000-880DA7#
rfs4000-880DA7#rename flash:/testdir/ Final
rfs4000-880DA7#
rfs4000-880DA7#dir
Directory of flash:/.
  drwx             Wed Sep 14 13:54:10 2016   log
  drwx             Sat Jan  1 05:30:08 2000   configs
  drwx             Fri Sep 16 05:26:37 2016   Final
  drwx             Sat Jan  1 05:30:08 2000   cache
  drwx             Wed Nov  4 16:12:15 2015   crashinfo
  drwx             Thu Sep  8 04:09:30 2016   archived_logs
  drwx             Sat Jan  1 05:30:08 2000   upgrade
  drwx             Sat Jan  1 05:30:23 2000   hotspot
  drwx             Sat Jan  1 05:30:08 2000   floorplans
  drwx             Sat Jan  1 05:30:08 2000   tmptpd
rfs4000-880DA7#
3.1.47 rmdir
Deletes an existing directory from the file system (only empty directories can be removed)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rmdir <DIR>

Parameters
• rmdir <DIR>

rmdir <DIR>
Specifies the directory name
Note: The directory, specified by the <DIR> parameter, is removed from the file system.

Example
rfs4000-880DA7#dir
Directory of flash:/.
  drwx             Wed Sep 14 13:54:10 2016   log
  drwx             Sat Jan  1 05:30:08 2000   configs
  drwx             Fri Sep 16 05:26:37 2016   Final
  drwx             Sat Jan  1 05:30:08 2000   cache
  drwx             Wed Nov  4 16:12:15 2015   crashinfo
  drwx             Thu Sep  8 04:09:30 2016   archived_logs
  drwx             Sat Jan  1 05:30:08 2000   upgrade
  drwx             Sat Jan  1 05:30:23 2000   hotspot
  drwx             Sat Jan  1 05:30:08 2000   floorplans
  drwx             Sat Jan  1 05:30:08 2000   tmptpd
rfs4000-880DA7#
rfs4000-880DA7#rmdir Final
rfs4000-880DA7#
rfs4000-880DA7#dir
Directory of flash:/.
  drwx             Wed Sep 14 13:54:10 2016   log
  drwx             Sat Jan  1 05:30:08 2000   configs
  drwx             Sat Jan  1 05:30:08 2000   cache
  drwx             Wed Nov  4 16:12:15 2015   crashinfo
  drwx             Thu Sep  8 04:09:30 2016   archived_logs
  drwx             Sat Jan  1 05:30:08 2000   upgrade
  drwx             Sat Jan  1 05:30:23 2000   hotspot
  drwx             Sat Jan  1 05:30:08 2000   floorplans
  drwx             Sat Jan  1 05:30:08 2000   tmptpd
rfs4000-880DA7#
3.1.48 self
Enters the logged device’s configuration context

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
self

Parameters
None

Example
rfs6000-81742D#self
Enter configuration commands, one per line.  End with CNTL/Z.
rfs6000-81742D(config-device-00-15-70-81-74-2D)#
3.1.49 ssh
Opens a Secure Shell (SSH) connection between two network devices

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ssh <IP/HOSTNAME> <USERNAME> {<INF-NAME/LINK-LOCAL-ADD>}

Parameters
• ssh <IP/HOSTNAME> <USERNAME> {<INF-NAME/LINK-LOCAL-ADD>}

<IP/HOSTNAME>
Specify the remote system’s IP address or hostname.
<USERNAME>
Specify the name of the user requesting the SSH connection.
<INF-NAME/LINK-LOCAL-ADD>
Optional. Specify the interface’s name or link local address.

Usage Guidelines
To exit the other device’s context, use the command that is relevant to that device.

Example
nx9500-6C8809#ssh 192.168.13.16 admin
admin@192.168.13.16's password:
rfs6000-81742D>
3.1.50 t5
Executes the following operations on a T5 device through the WiNG controller:
• copy, rename, and delete files on the T5 device’s file system
• write running configuration to the T5 device’s memory

The T5 switch is a means of providing cost-effective, high-speed, wall-to-wall coverage across a building. The T5 switch leverages the in-building telephone lines to extend Ethernet and Wireless LAN networks without additional expenditure on re-wiring. This setup is ideally suited for hotels, providing high-speed Wi-Fi coverage to guest rooms.

The entire setup consists of the DSL T5 switch, TW-510 Ethernet wallplates, and TW-511 wireless wallplate access points. Replacing the phone jack plate in a room with the TW-511 delivers 802.11 a/b/g/n and extends wireless connectivity in that room and the neighboring rooms. These TW-511 wallplates (also referred to as the CPEs) are connected to the T5 switch over the DSL interface using a phone block.

The T5 switch is adopted and managed through a WiNG controller. The connection between the T5 and WiNG switches is over a WebSocket.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
t5 [copy <SOURCE-FILE-NAME> <DEST-FILE-NAME>|delete <FILE-NAME>|rename <SOURCE-FILE-NAME> <DEST-FILE-NAME>|write memory] {on <T5-DEVICE-NAME>}

Parameters
• t5 [copy <SOURCE-FILE-NAME> <DEST-FILE-NAME>|delete <FILE-NAME>|rename <SOURCE-FILE-NAME> <DEST-FILE-NAME>|write memory] {on <T5-DEVICE-NAME>}

NOTE: For more information on other T5 CPE related commands, see cpe.

copy <SOURCE-FILE-NAME> <DEST-FILE-NAME>
Copies file to an external server
• <SOURCE-FILE-NAME> – Specify the source file name.
• <DEST-FILE-NAME> – Specify the destination file name.
The content from the source file is copied to the destination file.
The source or destination files can be local or remote FTP or TFTP files. The source file also can be a pre-defined keyword. At least one of the files should be a local file. Use this command to copy the startup and/or running configurations to an external server.

delete <FILE-NAME>
Deletes files on the T5 device’s file system
• <FILE-NAME> – Specify the file name. The specified file is deleted.
rename <SOURCE-FILE-NAME> <DEST-FILE-NAME>
Renames a file on the T5 device’s file system
• <SOURCE-FILE-NAME> – Specify the source file name
• <DEST-FILE-NAME> – Specify the new file name. The source file is renamed to the input provided here.

write memory
Writes running configuration to an adopted T5 device’s memory
• memory – Writes running configuration to the T5 device’s non-volatile (NV) memory.

on <T5-DEVICE-NAME>
Optional. Executes these operations on a specified T5 device
• <T5-DEVICE-NAME> – Specify the T5 device’s hostname.

Example
nx9500-6C8809#t5 write memory on t5-ED7C6C
Success
nx9500-6C8809#
3.1.51 telnet
Opens a Telnet session between two network devices

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}

Parameters
• telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}

<IP/HOSTNAME>
Configures the remote system’s IP (IPv4 or IPv6) address or hostname. The Telnet session will be established between the connecting system and the remote system.
• <IP> – Specify the remote system’s IPv4 or IPv6 address or hostname.
<TCP-PORT>
Optional. Specify the Transmission Control Protocol (TCP) port.
<INTF-NAME>
Optional. Specify the interface name for the link local address.

Usage Guidelines
To exit the other device’s context, use the command relevant to that device.

Example
nx9500-6C8809#telnet 192.168.13.22
Entering character mode
Escape character is '^]'.
AP7131 release 5.9.0.0-012D
ap7131-11E6C4 login: admin
Password:
ap7131-11E6C4>
3.1.52 terminal
Sets the number of characters per line, and the number of lines displayed within the terminal window

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
terminal [length|width] <0-512>

Parameters
• terminal [length|width] <0-512>

length <0-512>
Sets the number of lines displayed on the terminal window
• <0-512> – Specify a value from 0 - 512.
width <0-512>
Sets the width or number of characters displayed on the terminal window
• <0-512> – Specify a value from 0 - 512.

Example
rfs6000-81742D#terminal length 150
rfs6000-81742D#terminal width 215
rfs6000-81742D#show terminal
Terminal Type: xterm
Length: 150     Width: 215
rfs6000-81742D#

Related Commands
no
Resets the width of the terminal window or the number of lines displayed on a terminal window
3.1.53 time-it
Verifies the time taken by a particular command between request and response

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
time-it <COMMAND>

Parameters
• time-it <COMMAND>

time-it <COMMAND>
Verifies the time taken by a particular command to execute and provide a result
• <COMMAND> – Specify the command name.

Example
rfs6000-81742D#time-it config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
That took 0.00 seconds..
rfs6000-81742D(config)#
3.1.54 traceroute
Traces the route to a defined destination
Use ‘--help’ or ‘-h’ to display a complete list of parameters for the traceroute command

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
traceroute <WORD>

Parameters
• traceroute <WORD>

<WORD>
Traces the route to an IP address or hostname
• <WORD> – Specify the IPv4 address or hostname.

Example
nx9500-6C8809#traceroute 192.168.13.16
traceroute to 192.168.13.16 (192.168.13.16), 30 hops max, 46 byte packets
 1  192.168.13.16 (192.168.13.16)  0.479 ms  0.207 ms  0.199 ms
nx9500-6C8809#
3.1.55 traceroute6
Traces the route to a specified IPv6 destination

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
traceroute6 <WORD>

Parameters
• traceroute6 <WORD>

traceroute6 <WORD>
Traces the route to an IPv6 address or hostname
• <WORD> – Specify the IPv6 address or hostname.

Example
rfs4000-880DA7#traceroute6 2001:10:10:10:10:10:10:2
traceroute to 2001:10:10:10:10:10:10:2 (2001:10:10:10:10:10:10:2) from 2001:10:10:10:10:10:10:1, 30 hops max, 16 byte packets
 1  2001:10:10:10:10:10:10:2 (2001:10:10:10:10:10:10:2)  0.622 ms  0.497 ms  0.531 ms
rfs4000-880DA7#
3.1.56 upgrade
Upgrades a device’s software image

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
upgrade [<FILE>|<URL>|dhcp-vendor-options]
upgrade [<FILE>|<URL>] {background|on <DEVICE-NAME>|on <RF-DOMAIN-NAME>}
upgrade dhcp-vendor-options {<DEVICE-NAME>|on <RF-DOMAIN-NAME>}
upgrade dhcp-vendor-options {<DEVICE-NAME>} {<DEVICE-NAME>}
upgrade dhcp-vendor-options {on <RF-DOMAIN-NAME>} {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-managers|filter <DEVICE-TYPE>}

Parameters
• upgrade [<FILE>|<URL>] {background|on <DEVICE-NAME>|on <RF-DOMAIN-NAME>}

<FILE>
Specify the target firmware image location in the following format:
cf:/path/file
usb1:/path/file
usb2:/path/file
usb<n>:/path/file

<URL>
Specify the target firmware image location. Use one of the following formats:
IPv4 URLs:
tftp://<hostname|IP>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
http://<hostname|IP>[:port]/path/file
cf:/path/file
usb<n>:/path/file
IPv6 URLs:
tftp://<hostname|[IPv6]>[:port]/path/file
ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
http://<hostname|[IPv6]>[:port]/path/file

background
Optional. Performs upgrade in the background
on <DEVICE-NAME>
Optional. Upgrades the software image on a specified remote device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

on <RF-DOMAIN-NAME>
Optional. Upgrades the software image on all devices within a specified RF Domain
• <RF-DOMAIN-NAME> – Specify the name of the RF Domain.

• upgrade dhcp-vendor-options {<DEVICE-NAME>} {<DEVICE-NAME>}

dhcp-vendor-options
Uses DHCP vendor options to upgrade device(s)

<DEVICE-NAME> {<DEVICE-NAME>}
Optional. Uses DHCP vendor options to upgrade a specified device. Specify the name of the AP, wireless controller, or service platform.
• <DEVICE-NAME> – Optional. You can optionally specify multiple comma-separated device names/MAC addresses to upgrade.

• upgrade dhcp-vendor-options {on <RF-DOMAIN-NAME>} {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-managers|filter <DEVICE-TYPE>}

dhcp-vendor-options
Uses DHCP vendor options to upgrade device(s)

on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-managers|filter <DEVICE-TYPE>}
Optional. Uses DHCP vendor options to upgrade all devices or specified device(s) within the RF Domain identified by the <RF-DOMAIN-NAME> keyword
• <RF-DOMAIN-NAME> – Specify the RF Domain name. After specifying the RF Domain, optionally use the filters provided to identify specific device(s) within the RF Domain. If none of the filters are used, all devices within the RF Domain are upgraded. These filters are:
  • containing <SUB-STRING> – Optional. Upgrades all devices, within the specified RF Domain, containing a specified sub-string in their hostname
    • <SUB-STRING> – Specify the sub-string to match.
  • exclude-controllers – Optional. Upgrades all devices, within the specified RF Domain, excluding controllers. Since only a NOC controller is capable of adopting other controllers, use this option when executing the command on a NOC controller.
  • exclude-rf-domain-manager – Optional. Upgrades all devices, within the specified RF Domain, excluding RF Domain managers. Use this option when executing the command on the NOC, Site controller, or RF Domain manager.
  • filter <DEVICE-TYPE> – Optional. Executes the command on all devices, within the specified RF Domain, of a specified type
    • <DEVICE-TYPE> – Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. Upgrades all devices of the type specified here. For example, if AP6521 is the device-type specified, all AP6521s within the specified RF Domain are upgraded

Example
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
     IMAGE            BUILD DATE             INSTALL DATE          VERSION
--------------------------------------------------------------------------------
  Primary       02/05/2017 14:33:58     02/11/2017 12:27:53     5.9.0.0-024D
  Secondary     02/01/2017 21:36:24     02/03/2017 12:05:48     5.8.6.0-007B
--------------------------------------------------------------------------------
Current Boot       : Secondary
Next Boot          : Primary
Software Fallback  : Enabled
VM support         : Not present
nx9500-6C8809#
nx9500-6C8809#upgrade ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/NX9500.img
Running from partition /dev/sda7
Validating image file header
Removing other partition
Making file system
Extracting files (this may take some time)..................
Control C disabled
Version of firmware update file is 5.9.0.0-026D
Removing unneeded files from flash:/crashinfo directory
Removing unneeded files from flash:/var2/log directory
Creating LILO files
Running LILO
Successful
nx9500-6C8809#
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
     IMAGE            BUILD DATE             INSTALL DATE          VERSION
--------------------------------------------------------------------------------
  Primary       05/01/2017 12:03:13     05/10/2017 10:12:53     5.9.0.0-026D
  Secondary     05/01/2017 19:30:21     05/02/2017 10:05:48     5.9.0.0-007B
--------------------------------------------------------------------------------
Current Boot       : Secondary
Next Boot          : Primary
Software Fallback  : Enabled
VM support         : Not present
nx9500-6C8809#

After upgrading, the device has to be reloaded to boot using the new image.

nx7500-7F3609#upgrade tftp://192.168.0.50/RFS6000-5.9.0.-012D.img rfs6000-6DCBB3
--------------------------------------------------------------------------------
      DEVICE                      STATUS                 MESSAGE
--------------------------------------------------------------------------------
  rfs6000-6DCBB3                 Success                   None
--------------------------------------------------------------------------------
nx7500-7F3609#show upgrade-status
Last Image Upgrade Status : Successful
Last Image Upgrade Time   : 2017-03-26 10:31:12
nx7500-7F3609#

The following example shows the upgrade status:
nx7500-7F3609#show upgrade detail
Last Image Upgrade Status : Successful
Last Image Upgrade Time   : 2017-03-26 10:31:12
-----------------------------------------------
Running from partition /dev/sda7
var2 is 2 percent full
/tmp is 2 percent full
Free Memory 15258044 kB
FWU invoked via Linux shell
Validating image file header
Removing other partition
Making file system
Extracting files (this may take some time).
Control C disabled
Version of firmware update file is 5.9.0.-012D
Creating LILO files
Running LILO
Successful
nx7500-7F3609#
nx7500-7F3609#show upgrade on rfs6000-6DCBB3
Last Image Upgrade Status :Successful
Last Image Upgrade Time   :2017-03-26 10:31:12
nx7500-7F3609#

Related Commands
no
Removes a patch installed on a specified device
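The <URL> formats for upgrade carry the password on the command line, and tftp, ftp and http move the image (and any password) without transport encryption. The following Python audit of a captured CLI session is an added example, not part of the WiNG guide: the risk classification, the function names and the sample transcript (its first two commands are quoted from the examples above, the rest are constructed) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Schemes taken from the <FILE>/<URL> formats the guide lists for `upgrade`.
# The risk classification is this example's assumption, not the guide's.
CLEARTEXT = {"tftp", "ftp", "http"}      # no transport encryption
ENCRYPTED = {"sftp"}                     # runs over SSH
LOCAL = re.compile(r"^(cf|usb\d+)$")     # cf:/path/file, usb<n>:/path/file

# "<prompt>#upgrade <target> ..."; the whitespace required after "upgrade"
# keeps `upgrade-abort` and `show upgrade-status` from matching.
UPGRADE_CMD = re.compile(r"^(?P<device>[\w.-]+)#\s*upgrade\s+(?P<target>\S+)")

# Constructed session capture (first two commands appear in the guide).
SAMPLE = """\
nx9500-6C8809#upgrade ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/NX9500.img
nx7500-7F3609#upgrade tftp://192.168.0.50/RFS6000-5.9.0.-012D.img rfs6000-6DCBB3
nx9500-6C8809#upgrade sftp://fwadmin:EXAMPLE-PASS@[2001:db8::10]:22/images/NX9500.img
nx9500-6C8809#upgrade usb1:/images/NX9500.img
nx9500-6C8809#upgrade dhcp-vendor-options on default
rfs6000-81701D#upgrade-abort on rfs4000-229D58
nx7500-7F3609#show upgrade-status
"""


def classify(scheme):
    """Map a URL scheme to local / encrypted / cleartext / unknown."""
    if LOCAL.match(scheme):
        return "local"
    if scheme in ENCRYPTED:
        return "encrypted"
    if scheme in CLEARTEXT:
        return "cleartext"
    return "unknown"


def redact(parts, target):
    """Return the target with any URL password replaced by ***."""
    if parts.password is None:
        return target
    hostport = parts.netloc.rpartition("@")[2]   # keeps [IPv6]:port intact
    netloc = f"{parts.username}:***@{hostport}"
    return urlunsplit(parts._replace(netloc=netloc))


def audit_line(line):
    """Return a finding dict for an `upgrade <FILE|URL>` command, else None."""
    m = UPGRADE_CMD.match(line.strip())
    if not m or m.group("target") == "dhcp-vendor-options":
        return None
    target = m.group("target")
    try:
        parts = urlsplit(target)
    except ValueError:                           # e.g. malformed [IPv6] host
        return {"device": m.group("device"), "scheme": "", "target": target,
                "transport": "unknown", "issues": ["unparseable image location"]}
    scheme = parts.scheme.lower()
    transport = classify(scheme)
    issues = []
    if transport == "cleartext":
        issues.append(f"image fetched over {scheme} without transport encryption")
    if parts.password is not None:
        issues.append("password embedded in command line")
        if transport == "cleartext":
            issues.append("password sent in cleartext")
    if transport == "unknown":
        issues.append("unrecognised image location")
    return {"device": m.group("device"), "scheme": scheme,
            "target": redact(parts, target),    # safe to store or forward
            "transport": transport, "issues": issues}


def audit_transcript(text):
    """Audit every line of a session capture; non-upgrade lines are skipped."""
    return [f for f in map(audit_line, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in audit_transcript(SAMPLE):
        status = "; ".join(finding["issues"]) or "ok"
        print(f'{finding["device"]}: {finding["target"]} -> {status}')
```

Only the redacted target is kept in each finding, so the audit output can be stored without repeating the password from the original capture.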
3.1.57 upgrade-abort
Aborts an ongoing software image upgrade

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
upgrade-abort {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
• upgrade-abort {on <DEVICE-OR-DOMAIN-NAME>}

upgrade-abort
Aborts an ongoing software image upgrade

on <DEVICE-OR-DOMAIN-NAME>
Optional. Aborts an ongoing software image upgrade on a specified device or domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
rfs4000-229D58#upgrade ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/RFS4000-5.9.0.0-012D.img
Running from partition /dev/mtdblock6
Validating image file header
Making file system
Extracting files (this may take some time)..................
rfs6000-81701D#upgrade-abort on rfs4000-229D58
rfs4000-229D58#upgrade ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/RFS4000-5.9.0.0-012D.img.img
Running from partition /dev/mtdblock6
Validating image file header
Making file system
Extracting files (this may take some time)..................
Update error:  Aborted
rfs4000-229D58#
PRIVILEGED EXEC MODE COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 1273.1.58 virtual-machinePrivileged Exec Mode CommandsInstalls, configures, and monitors the status of virtual machines (VMs) installed on a WiNG controllerSupported in the following platforms:• Service Platforms — NX9500, NX9510, NX9600, VX9000Syntaxvirtual-machine [assign-usb-ports|export|install|restart|set|start|stop|uninstall]virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}virtual-machine install [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}virtual-machine restart [<VM-NAME>|hard|team-urc|team-rls|team-vowlan]virtual-machine set [autostart|memory|vcpus|vif-count|vif-mac|vif-to-vmif|vnc]virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-INDEX>| vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}The following virtual-machine commands are supported only on the VX9000 platform:virtual-machine volume-group [add-drive|replace-drive|resize-drive|resize-volume-group]virtual-machine volume-group [add-drive|replace-drive] <BLOCK-DEVICE-LABEL>virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABLE> <NEW-BLOCK-DEVICE-LABEL>virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>Parameters• virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}• virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}assign-usb-ports team-vowlan Assigns USB ports to TEAM-VoWLAN on a specified device•on <DEVICE-NAME> – Optional. Specify the device name.Note: Use the no > virtual-machine > assign-usb-ports to reassign the port to WiNG.Note: TEAM-RLS VM cannot be installed when USB ports are assigned to TEAM-VoWLAN.virtual-machine export Exports an existing VM image and settings. 
Use this command to export the VM to another <NX54XX> or <NX65XX> device in the same domain.• <VM-NAME> – Specify the VM name.• <FILE> – Specify the location and name of the source file (VM image). The VMimage is retrieved and exported from the specified location.• <URL> – Specify the destination location. This is the location to which the VM im-age is copied. Use one of the following formats to provide the destination path:Contd..
  tftp://<hostname|IP>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
  sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
  http://<hostname|IP>[:port]/path/file
• on <DEVICE-NAME> – Optional. Executes the command on a specified device or devices
  • <DEVICE-NAME> – Specify the service platform name. In case of multiple devices, list the device names separated by commas.
Note: The VM should be in a stop state during the export process.
Note: If the destination is a device, the image is copied to a predefined location (VM archive).
• virtual-machine install [<VM-NAME>|adsp|team-centro|team-rls|team-vowlan] {on <DEVICE-NAME>}
virtual-machine install
Installs the VM. The install command internally creates a VM template, consisting of the specified parameters, and starts the installation process. Select one of the following options:
• <VM-NAME> – Installs a VM having the name specified by the <VM-NAME> keyword.
• adsp – Installs ADSP
• team-centro – Installs the VM TEAM-Centro image
• team-rls – Installs the VM TEAM-RLS image
• team-vowlan – Installs the VM TEAM-VoWLAN image
Specify the device on which to install the VM.
• on <DEVICE-NAME> – Optional. Executes the command on a specified device or devices
  • <DEVICE-NAME> – Specify the service platform name. In case of multiple devices, list the device names separated by commas.
• virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-INDEX>|vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
virtual-machine set
Configures the VM settings
• autostart – Specifies whether to autostart the VM on system reboot
  • ignore – Enables autostart on each system reboot
  • start – Disables autostart
• memory – Defines the VM memory size
  • <512-8192> – Specify the VM memory from 512 - 8192 MB.
    The default is 1024 MB.
• vcpus – Specifies the number of VCPUS for this VM
  • <1-4> – Specify the number of VCPUS from 1 - 4.
• vif-count – Configures or resets the VM's VIFs
  • <0-2> – Specify the VIF number from 0 - 2.
• vif-mac – Configures the MAC address of the selected virtual network interface
  • <1-2> – Select the VIF
  • <1-8> – Specify the MAC index for the selected VIF
  • <MAC> – Specify the customized MAC address for the selected VIF in the AA-BB-CC-DD-EE-FF format.
Each VM has a maximum of two network interfaces (indexed 1 and 2, referred to as VIF). By default, each VIF is automatically assigned a MAC from the range allocated for that device. However, you can use the ‘set’ keyword to specify the MAC from within the allocated range. Each of these VIFs is mapped to a layer 2 port in the dataplane (referred to as VMIF). These VMIFs are standard L2 ports on the DP bridge, supporting all VLAN and ACL commands. The WiNG software supports up to a maximum of 8 VMIFs. By default, a VM’s interface is always mapped to VMIF1. You can map a VIF to any of the 8 VMIFs. Use the vif-to-vmif command to map a VIF to a VMIF on the DP bridge.
• vif-to-vmif – Maps the virtual interface (1 or 2) to the selected VMIF interface. Specify the VMIF interface index from 1 - 8.
WiNG provides a dataplane bridge for external network connectivity for VMs. VM interfaces define which IP address is associated with each VLAN ID the service platform is connected to and enable remote service platform administration. Each custom VM can have up to a maximum of two VM interfaces. Each VM interface can be mapped to one of the twelve ports for <NX9500> on the dataplane bridge. This mapping determines the destination for service platform routing.
By default, VM interfaces are internally connected to the dataplane bridge via VMIF1. VMIF1, by default, is an untagged port providing access to VLAN 1 to support the capability to connect the VM interfaces to any of the VMIF ports. This provides the flexibility to move a VM interface onto different VLANs as well as configure specific firewall and QoS rules.
• vnc – Disables/enables VNC port option for an existing VM. When enabled, provides remote access to VGA through the noVNC client.
  • disable – Disables VNC port
  • enable – Enables VNC port
After configuring the VM settings, identify the VM to apply the settings.
• <VM-NAME> – Applies these settings to the VM identified by the <VM-NAME> keyword. Specify the VM name.
• adsp – Applies these settings to the ADSP VM
• team-urc – Applies these settings to the VM TEAM-URC
• team-rls – Applies these settings to the VM TEAM-RLS
• team-vowlan – Applies these settings to the VM TEAM-VoWLAN
• virtual-machine start [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
virtual-machine start
Starts the VM, based on the parameters passed. Select one of the following options:
• <VM-NAME> – Starts the VM identified by the <VM-NAME> keyword. Specify the VM name.
• adsp – Starts the ADSP VM
• team-urc – Starts the VM TEAM-URC
• team-rls – Starts the VM TEAM-RLS
• team-vowlan – Starts the VM TEAM-VoWLAN
The following keywords are common to all of the above parameters:
• on <DEVICE-NAME> – Optional. Executes the command on a specified device or devices
  • <DEVICE-NAME> – Specify the service platform name. In case of multiple devices, list the device names separated by commas.
• virtual-machine stop [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
virtual-machine stop hard
Stops the VM, based on the parameters passed. Select one of the following options:
• <VM-NAME> – Stops the VM identified by the <VM-NAME> keyword. Specify the VM name.
• adsp – Stops the ADSP VM
• team-urc – Stops the VM TEAM-URC
• team-rls – Stops the VM TEAM-RLS
• team-vowlan – Stops the VM TEAM-VoWLAN
The following keywords are common to all of the above parameters:
• on <DEVICE-NAME> – Optional. Executes the command on a specified device or devices
  • <DEVICE-NAME> – Specify the service platform name. In case of multiple devices, list the device names separated by commas.
Note: The option ‘hard’ forces the selected VM to shut down.
• virtual-machine uninstall [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
virtual-machine uninstall
Uninstalls the specified VM
• <VM-NAME> – Uninstalls the VM identified by the <VM-NAME> keyword. Specify the VM name.
• adsp – Uninstalls the ADSP VM
• team-urc – Uninstalls the VM TEAM-URC
• team-rls – Uninstalls the VM TEAM-RLS
• team-vowlan – Uninstalls the VM TEAM-VoWLAN
The following keywords are common to all of the above parameters:
• on <DEVICE-NAME> – Optional. Executes the command on a specified device or devices
  • <DEVICE-NAME> – Specify the service platform name. In case of multiple devices, list the device names separated by commas.
Note: This command releases the VM’s resources, such as memory, VCPUS, VNC port, disk space, and removes the RF Domain reference from the system.
• virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>
virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>
Enables provisioning of logical volume-groups on the VX9000 platform.
Logical volume-groups are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives. However, volume-groups can be provisioned only on a new VX9000 installation and cannot be added to an existing VX9000 installation.
Note: The logical volume-group is supported only on a VX9000 running the WiNG 5.9.1 image.
• add-drive – Adds a new block-device to the VM. Note that currently a maximum of 3 (three) block devices can be added. To add a new drive, first halt the VM. In the Hypervisor, add a new storage disk to the VM and restart the VM. Once the VM comes up, use this command to add the new drive. To identify the new drive, execute the show > virtual-machine > volume-group > status command.
• resize-drive – Resizes a drive in the VM’s volume group. To increase the size of a drive in the volume-group, first halt the VM. In the Hypervisor, increase the size of the existing secondary storage drive and restart the VM. Once the VM comes up, use this command to resize the drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group > status command.
The following keyword is common to all of the above parameters:
• <BLOCK-DEVICE-LABEL> – Specify the block-device label to be added or resized depending on the action being performed.
• virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>
virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>
Enables provisioning of VMs as logical volume-groups on the VX9000 platform. Logical volume-group VMs are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives.
• replace-drive – Replaces an existing block-device with a new block-device in a volume-group. To replace a drive in the volume-group, first halt the VM. In the Hypervisor, add the new drive and restart the VM. Once the VM comes up, use this command to replace an existing drive with the new drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group > status command.
  • <BLOCK-DEVICE-LABEL> – Specify the block-device label to be replaced.
  • <NEW-BLOCK-DEVICE-LABEL> – Specify the replacement block-device label.
• virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>
virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>
Enables provisioning of VMs as logical volume-groups on the VX9000 platform. Logical volume-group VMs are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives.
• resize-volume-group – Adds drive space to an existing block-device in the volume-group
  • <BLOCK-DEVICE-LABEL> – Specify the block-device label to which additional drive space is to be provided
Example
The following examples show the VM installation process:
Installation media: USB
<DEVICE>#virtual-machine install <VM-NAME> type iso disk-size 8 install-media usb1://vms/win7.iso autostart start memory 512 vcpus 3 vif-count 2 vnc enable
Installation media: pre-installed disk image
<DEVICE>#virtual-machine install <VM-NAME> type disk install-media flash:/vms/win7_disk.img autostart start memory 512 vcpus 3 vif-count 2 vnc-enable on <DEVICE-NAME>
In the preceding example, the command is executed on the device identified by the <DEVICE-NAME> keyword. In such a scenario, the disk-size is ignored if specified. The VM has the install media as first boot device.
Installation media: VM archive
<DEVICE>#virtual-machine install type vm-archive install-media flash:/vms/<VM-NAME> vcpus 3
In the preceding example, the default configuration attached with the VM archive overrides any parameters specified.
Exporting an installed VM:
<DEVICE>#virtual-machine export <VM-NAME> <URL> on <DEVICE-NAME>
In the preceding example, the command copies the VM archive on to the URL (VM should be in stop state).
nx9500-6C8809#virtual-machine install team-urc
Virtual Machine install team-urc command successfully sent.
nx9500-6C8809#
vx9000-DE6F97>virtual-machine add-drive sdb
vx9000-DE6F97>show virtual-machine volume-group status
-----------------------------------------
Logical Volume: lv1
-----------------------------------------
 STATUS           : available
 SIZE             : 81.89 GiB
 VOLUME GROUP     : vg0
 PHYSICAL VOLUMES :
     sda10        : 73.90 GiB
     sdc1         : 8.00 GiB
 AVAILABLE DISKS  :
     sdb          : size: 8590MB
-----------------------------------------
* indicates a drive that must be resized
-----------------------------------------
vx9000-DE6F97#
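Of the export destination formats listed above, tftp, ftp and http carry the VM image without transport encryption, and the ftp and sftp forms place the password in the command line itself; set vnc enable opens remote access to the VM console. The following is an added example, not part of the Extreme Networks guide: a small linter that checks virtual-machine command lines for those conditions and for the numeric ranges documented under virtual-machine set. The function names, host names, credentials and sample commands are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Destination schemes listed for `virtual-machine export <VM-NAME> <URL>`.
CLEARTEXT_SCHEMES = {"tftp", "ftp", "http"}      # no transport encryption
REMOTE_SCHEMES = CLEARTEXT_SCHEMES | {"sftp"}

# Ranges documented for `virtual-machine set`.
SET_RANGES = {"memory": (512, 8192), "vcpus": (1, 4), "vif-count": (0, 2)}
VIF_RANGE, VMIF_RANGE = (1, 2), (1, 8)


def _in_range(token, bounds):
    return token.isdigit() and bounds[0] <= int(token) <= bounds[1]


def _strip_prompt(line):
    """Drop a leading `host#` or `host>` prompt in front of the command."""
    return re.sub(r"^\S+?[#>]\s*(?=virtual-machine\b)", "", line.strip())


def _lint_export_target(target):
    try:
        parts = urlsplit(target)
        password = parts.password
    except ValueError:
        return [("error", "destination is not a parseable URL")]
    scheme = parts.scheme.lower()
    if scheme not in REMOTE_SCHEMES:
        return []                                # local <FILE>, e.g. flash:/...
    findings = []
    if scheme in CLEARTEXT_SCHEMES:
        findings.append(("high", f"{scheme}:// sends the VM image unencrypted"))
    if password is not None:
        findings.append(("high", "password embedded in the URL on the command line"))
    return findings


def _lint_settings(args):
    """Check keyword/value pairs used by `set` and by the install examples."""
    findings = []
    for i, key in enumerate(args):
        nxt = args[i + 1:i + 3]
        if key == "vnc" and nxt[:1] == ["enable"]:
            findings.append(("medium", "VNC enabled: VGA console reachable via noVNC"))
        elif key in SET_RANGES and nxt and not _in_range(nxt[0], SET_RANGES[key]):
            lo, hi = SET_RANGES[key]
            findings.append(("error", f"{key} {nxt[0]} outside documented range {lo}-{hi}"))
        elif key == "vif-to-vmif" and len(nxt) == 2:
            if not _in_range(nxt[0], VIF_RANGE):
                findings.append(("error", f"VIF index {nxt[0]} outside 1-2"))
            if not _in_range(nxt[1], VMIF_RANGE):
                findings.append(("error", f"VMIF index {nxt[1]} outside 1-8"))
    return findings


def lint_command(line):
    """Return a list of (severity, message) findings for one CLI line."""
    tokens = _strip_prompt(line).split()
    if len(tokens) < 2 or tokens[0] != "virtual-machine":
        return []
    action, args = tokens[1], tokens[2:]
    if action == "export" and len(args) >= 2:
        return _lint_export_target(args[1])      # args[0] is the VM name
    if action in ("set", "install"):
        return _lint_settings(args)
    return []


def audit(lines):
    """Lint a command history; returns (line_number, severity, message) tuples."""
    return [(n, sev, msg)
            for n, line in enumerate(lines, 1)
            for sev, msg in lint_command(line)]


# Constructed sample history (hosts, VM name and credentials are made up).
SAMPLE_HISTORY = [
    "nx9500-LAB#virtual-machine export vm1 ftp://backup:Passw0rd@192.0.2.10/vms/vm1",
    "nx9500-LAB#virtual-machine export vm1 sftp://backup:Passw0rd@192.0.2.10/vms/vm1",
    "nx9500-LAB#virtual-machine set vnc enable vm1",
    "nx9500-LAB#virtual-machine set memory 16384 vm1",
    "nx9500-LAB#virtual-machine set vif-to-vmif 1 9 vm1",
    "nx9500-LAB#show clock",
]

if __name__ == "__main__":
    for number, severity, message in audit(SAMPLE_HISTORY):
        print(f"line {number}: [{severity}] {message}")
```

Run against saved command histories or change-request scripts, the linter separates transfers that expose the image in transit from those that only expose the credential on the command line.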
3.1.59 watch
Repeats a specified CLI command at periodic intervals
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
watch <1-3600> <LINE>
Parameters
• watch <1-3600> <LINE>
watch <1-3600>
Repeats a CLI command at a specified interval
<1-3600>
Select an interval from 1 - 3600 seconds. Pressing CTRL-Z halts execution of the command.
<LINE>
Specify the CLI command name.
Example
rfs6000-81742D#watch 1 show clock
rfs6000-81742D#
3.1.60 exit
Ends the current CLI session and closes the session window
For more information, see exit.
Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
exit
Parameters
None
Example
rfs6000-81742D#exit
3.1.61 raid
Enables Redundant Array of Independent Disks (RAID) management
RAID is a group of one or more independent, physical drives, referred to as an array or drive group. These physically independent drives are linked together and appear as a single storage unit or multiple virtual drives. Replacing a single, large drive system with an array improves performance (input and output processes are faster) and increases fault tolerance within the data storage system.
In an array, the drives can be organized in different ways, resulting in different RAID types. Each RAID type is identified by a number, which determines the RAID level. The common RAID levels are 0, 00, 1, 5, 6, 50 and 60. The WiNG MegaRAID implementation supports RAID-1, which provides data mirroring, but does not support data parity. RAID-1 consists of a two-drive array, where the data is simultaneously written on both drives, ensuring total data redundancy. In case of a drive failure, the information on the other drive is used to rebuild the failed drive.
An array is said to be degraded when one of its drives has failed. A degraded array continues to function and can be rebooted using the one remaining functional drive. When a drive fails, the chassis sounds an alarm (if enabled), and the CLI prompt changes to “RAID degraded”. The failed drive is automatically replaced with a hot spare (provided a spare is installed).
The spare is used to re-build the array.
Use this command to:
• Verify the current array status
• Start and monitor array consistency checks
• Retrieve date and time of the last consistency check
• Shut down drives before physically removing them
• Install new drives
• Assign drives as hot spares
• Identify a degraded drive
• Deactivate an alarm (triggered when a drive is removed from the array)
Supported in the following platforms:
• Service Platforms — NX7530, NX9500, NX9510
Syntax
raid [check|install|locate|remove|silence|spare]
raid [check|silence]
raid [install|locate|remove|spare] drive <0-4>
NOTE: RAID controller drive arrays are available within NX7530 and NX95XX series service platforms (NX9500 and NX9510 models) only. However, they can be administrated on behalf of a NX9500 profile by a different model service platform or controller. The NX9500 service platform includes a single Intel MegaRAID controller, configured to provide a single virtual drive. This virtual drive is of the RAID-1 type, and has a maximum of two physical drives. In addition to these two drives, there are three hot spares, which are used in case of a primary drive failure.
Parameters
• raid [check|silence]
check
Starts a consistency check on the RAID array. Use the show > raid command to view consistency check status.
A consistency check verifies the data stored in the array. When regularly executed, it helps protect against data corruption, and ensures data redundancy. Consistency checks also warn of potential disk failures.
silence
Deactivates an alarm
When enabled, an audible alarm is triggered when a drive in the array fails. The silence command deactivates the alarm (sound).
Note: To enable RAID alarm, in the device configuration mode, use the raid > alarm > enable command. A NX9500 profile can also have the RAID alarm feature activated. For more information on enabling the RAID alarm, see raid.
• raid [install|locate|remove|spare] drive <0-4>
install <0-4>
Installs a new drive, inserted in one of the available slots, in the array. Specify the drive number.
Drives 0 and 1 are the array drives. Drives 2, 3, and 4 are the hot spare drives. You can include the new drive in a degraded array, or enable it as a hot spare.
If the array is in a degraded state, the re-build process is triggered and the new drive is used to repair the degraded array.
locate <0-4>
Enables LEDs to blink on a specified drive. Specify the drive number.
Blinking LEDs enable you to correctly locate a drive.
remove <0-4>
Removes (shuts down) a disk from the array, before it is physically removed from its slot. Specify the drive number containing the disk.
Use this command to also remove a hot spare.
spare <0-4>
Converts an unused drive into a hot spare. Specify the drive number.
Example
nx9500-6C874D#raid install drive 0
Error: Input Error: Drive 0 is already member of array, can't be added
nx9500-6C874D#
4 GLOBAL CONFIGURATION COMMANDS
This chapter summarizes the global-configuration commands in the CLI command structure.
The term global indicates characteristics or features affecting the system as a whole. Use the Global Configuration Mode to configure the system globally, or enter specific configuration modes to configure specific elements (such as interfaces or protocols). Use the configure terminal command (under PRIV EXEC) to enter the global configuration mode.
The following example describes the process of entering the global configuration mode from the PRIV EXEC mode:
<DEVICE>#configure terminal
<DEVICE>(config)#
NOTE: The system prompt changes to indicate you are now in the global configuration mode. The prompt consists of the device host name followed by (config) and a pound sign (#).
Commands entered in the global configuration mode update the running configuration file as soon as they are entered. However, these changes are not saved in the startup configuration file until a commit write memory command is issued.
<DEVICE>(config)#?
Global configuration commands:
  aaa-policy                          Configure a
                                      authentication/accounting/authorization
                                      policy
  aaa-tacacs-policy                   Configure an
                                      authentication/accounting/authorization
                                      TACACS policy
  alias                               Alias
  ap621                               AP621 access point
  ap622                               AP622 access point
  ap650                               AP650 access point
  ap6511                              AP6511 access point
  ap6521                              AP6521 access point
  ap6522                              AP6522 access point
  ap6532                              AP6532 access point
  ap6562                              AP6562 access point
  ap71xx                              AP71XX access point
  ap7502                              AP7502 access point
  ap7522                              AP7522 access point
  ap7532                              AP7532 access point
  ap7562                              AP7562 access point
  ap7602                              AP7602 access point
  ap7612                              AP7612 access point
  ap7622                              AP7622 access point
  ap7632                              AP7632 access point
  ap7662                              AP7662 access point
  ap81xx                              AP81XX access point
  ap82xx                              AP82XX access point
  ap8432                              AP8432 access point
  ap8533                              AP8533 access point
  application                         Configure an application
  application-group                   Configure an application-group
  application-policy                  Configure an application policy
  association-acl-policy              Configure an association acl policy
  auto-provisioning-policy            Configure an auto-provisioning policy
  bgp                                 BGP Configuration
  bonjour-gw-discovery-policy         Bonjour Gateway discovery policy
  bonjour-gw-forwarding-policy        Bonjour Gateway forwarding policy
  bonjour-gw-query-forwarding-policy  Bonjour Gateway Query forwarding policy
  captive-portal                      Configure a captive portal
  clear                               Clear
  client-identity                     Client identity (DHCP Device
                                      Fingerprinting)
  client-identity-group               Client identity group (DHCP Fingerprint
                                      Database)
  clone                               Clone configuration object
  crypto-cmp-policy                   CMP policy
  customize                           Customize the output of summary cli
                                      commands
  database-client-policy              Configure database client policy
  database-policy                     Configure database policy
  device                              Configuration on multiple devices
  device-categorization               Configure a device categorization object
  dhcp-server-policy                  DHCP server policy
  dhcpv6-server-policy                DHCPv6 server related configuration
  dns-whitelist                       Configure a whitelist
  event-system-policy                 Configure a event system policy
  ex3500                              Ex3500 device
  ex3500-management-policy            Configure a ex3500 management policy
  ex3500-qos-class-map-policy         Configure a ex3500 qos class-map policy
  ex3500-qos-policy-map               Configure a ex3500 qos policy-map
  ex3524                              EX3524 wireless controller
  ex3548                              EX3548 wireless controller
  firewall-policy                     Configure firewall policy
  global-association-list             Configure a global association list
  guest-management                    Configure a guest management policy
  help                                Description of the interactive help
                                      system
  host                                Enter the configuration context of a
                                      device by specifying its hostname
  igmp-snoop-policy                   Create igmp snoop policy
  inline-password-encryption          Store encryption key in the startup
                                      configuration file
  ip                                  Internet Protocol (IP)
  ipv6                                Internet Protocol version 6 (IPv6)
  ipv6-router-advertisement-policy    IPv6 Router Advertisement related
                                      configuration
  l2tpv3                              L2tpv3 tunnel protocol
  mac                                 MAC configuration
  management-policy                   Configure a management policy
  meshpoint                           Create a new MESHPOINT or enter
                                      MESHPOINT configuration context for one
                                      or more MESHPOINTs
  meshpoint-qos-policy                Configure a meshpoint quality-of-service
                                      policy
  mint-policy                         Configure the global mint policy
  nac-list                            Configure a network access control list
  no                                  .
  nsight-policy                       Configure a Nsight policy
  nx45xx                              NX45XX integrated services platform
  nx5500                              NX5500 wireless controller
  nx65xx                              NX65XX integrated services platform
  nx75xx                              NX75XX wireless controller
  nx9000                              NX9000 wireless controller
  passpoint-policy                    Configure a passpoint policy
  password-encryption                 Encrypt passwords in configuration
  profile                             Profile related commands - if no
                                      parameters are given, all profiles are
                                      selected
  radio-qos-policy                    Configure a radio quality-of-service
                                      policy
  radius-group                        Configure radius user group parameters
  radius-server-policy                Create device onboard radius policy
  radius-user-pool-policy             Configure Radius User Pool
  rename                              Clone configuration object
  replace                             Replace configuration object
  rf-domain                           Create a RF Domain or enter rf-domain
                                      context for one or more rf-domains
  rfs4000                             RFS4000 wireless controller
  rfs6000                             RFS6000 wireless controller
  rfs7000                             RFS7000 wireless controller
  roaming-assist-policy               Configure a roaming-assist policy
  role-policy                         Role based firewall policy
  route-map                           Dynamic routing route map Configuration
  routing-policy                      Policy Based Routing Configuration
  rtl-server-policy                   Configure a rtl server policy
  schedule-policy                     Configure a schedule policy
  self                                Config context of the device currently
                                      logged into
  sensor-policy                       Configure a sensor policy
  smart-rf-policy                     Configure a Smart-RF policy
  t5                                  T5 DSL switch
  url-filter                          Configure a url filter
  url-list                            Configure a URL list
  vx9000                              VX9000 wireless controller
  web-filter-policy                   Configure a web filter policy
  wips-policy                         Configure a wips policy
  wlan                                Create a new WLAN or enter WLAN
                                      configuration context for one or more
                                      WLANs
  wlan-qos-policy                     Configure a wlan quality-of-service
                                      policy
  write                               Write running configuration to memory or
                                      terminal
  clrscr                              Clears the display screen
  commit                              Commit all changes made in this session
  do                                  Run commands from Exec mode
  end                                 End current mode and change to EXEC mode
  exit                                End current mode and down to previous
                                      mode
  revert                              Revert changes
  service                             Service Commands
  show                                Show running system information
<DEVICE>(config)#
GLOBAL CONFIGURATION COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide  4 - 44.1 Global Configuration CommandsGLOBAL CONFIGURATION COMMANDSThe following table summarizes Global Configuration mode commands:Table 4.1 Global Config CommandsCommand Description Referenceaaa-policy Creates a AAA policy and enters its configuration mode. This policy enables administrators to define access control within the network.page 4-9aaa-tacacs-policy Creates a AAA-TACACS policy and enters its configuration mode. This policy provides access control to network devices such as routers, network access servers, and other computing devices through centralized servers.page 4-20alias Creates various types of aliases, such as network, VLAN, network-group, network-service, encrypted-string, hashed -string, etc.page 4-11ap6521 Adds an AP6521 to the network page 4-22ap6522 Adds an AP6522 to the network page 4-23ap6532 Adds an AP6532 to the network page 4-24ap6562 Adds an AP6562 to the network page 4-25ap71xx Adds an AP7161 to the network page 4-26ap7502 Adds an AP7502 to the network page 4-27ap7522 Adds an AP7522 to the network page 4-28ap7532 Adds an AP7532 to the network page 4-29ap7562 Adds an AP7562 to the network page 4-30ap7602 Adds an AP7602 to the network page 4-31ap7612 Adds an AP7612 to the network page 4-32ap7622 Adds an AP7622 to the network page 4-33ap7632 Adds an AP7632 to the network page 4-34ap7662 Adds an AP7662 to the network page 4-35ap81xx Adds an AP81XX to the network page 4-36ap82xx Adds an AP82XX to the network page 4-37ap8432 Adds an AP8432 to the network page 4-38ap8533 Adds an AP8533 to the network page 4-39application Creates an application definition and enters its configuration mode. 
This command allows you to create a customized application detection definition. (page 4-40)
application-group: Creates an application group and enters its configuration mode (page 4-48)
application-policy: Creates an application policy and enters its configuration mode. This policy defines the actions executed on recognized HTTP (e.g. Facebook), enterprise (e.g. Webex) and peer-to-peer (e.g. gaming) applications or application-categories. (page 4-55)
association-acl-policy: Creates an association ACL policy and enters its configuration mode. This policy restricts access by specifying a client MAC address or range of addresses to either include or exclude from WLAN connectivity. (page 4-78)
auto-provisioning-policy: Creates an auto provisioning policy and enters its configuration mode. This policy defines the process by which an access point discovers controllers and associates with them. (page 4-79)
bgp: Configures Border Gateway Protocol (BGP) settings (page 4-81)
bonjour-gw-discovery-policy: Creates a Bonjour GW Discovery policy and enters its configuration mode. This policy configures the VLANs on which Bonjour services are located. (page 4-84)
bonjour-gw-forwarding-policy: Configures a Bonjour GW Forwarding policy and enters its configuration mode. This policy enables the discovery of services on VLANs not visible to the device running the Bonjour Gateway. (page 4-90)
bonjour-gw-query-forwarding-policy: Creates a Bonjour GW Query Forwarding policy and enters its configuration mode. This policy enables Bonjour query forwarding across multiple VLANs. (page 4-92)
captive portal: Creates a captive portal and enters its configuration mode (page 4-93)
clear: Clears the event history (page 4-146)
client-identity: Creates a client identity definition and enters its configuration mode. This feature enables client identification through DHCP device fingerprinting. (page 4-147)
client-identity-group: Creates a new client identity group and enters its configuration mode (page 4-156)
clone: Clones a specified configuration object (page 4-164)
crypto-cmp-policy: Creates a crypto Certificate Management Protocol (CMP) policy and enters its configuration mode. CMP is an Internet protocol designed to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network. (page 4-165)
customize: Customizes the CLI command summary output (page 4-166)
database-client-policy: Creates a database client policy and enters its configuration mode. The database client policy configures the IP address or hostname of the VX9000 hosting the captive-portal/NSight database. Use this option when deploying a split NSight/EGuest deployment. (page 4-177)
database-policy: Creates a database policy and enters its configuration mode. This policy enables the database, and also configures the database replica set. (page 4-184)
device: Specifies configuration on multiple devices (page 4-192)
device-categorization: Creates a device categorization list and enters its configuration mode. The list categorizes devices as sanctioned or neighboring. Categorization of devices enables quick identification and blocking of unsanctioned devices in the network. (page 4-194)
dhcp-server-policy: Creates a DHCP server policy and enters its configuration mode. This policy allows hosts on an IP network to request and be assigned IP addresses and discover information about the network. (page 4-200)
dhcpv6-server-policy: Creates a DHCPv6 server policy and enters its configuration mode. This policy configures hosts with IPv6 addresses, IP prefixes and other configuration attributes required on an IPv6 network. (page 4-201)
dns-whitelist: Creates a DNS whitelist and enters its configuration mode. A DNS whitelist is used with a captive portal to provide access services to requesting wireless clients. (page 4-203)
event-system-policy: Creates an Event system policy and enters its configuration mode. This policy enables administrators to create notification mechanisms using one, some, or all of the SNMP, syslog, controller forwarding, or email notification options available to the controller or service platform. (page 4-209)
ex3500: Creates an EX3500 time range list and enters its configuration mode (page 4-227)
ex3500-management-policy: Creates an EX3500 management policy and enters its configuration mode. This policy controls access to the EX3500 switch from management stations using SNMP. (page 4-233)
ex3500-qos-class-map-policy: Creates an EX3500 QoS class map policy and enters its configuration mode. The QoS policy map assigns priority to mission critical EX3500 switch data traffic, prevents EX3500 switch bandwidth congestion, and prevents packet drops. (page 4-254)
ex3500-qos-policy-map: Creates an EX3500 QoS policy map and enters its configuration mode. This policy defines rules that filter traffic exchanged between the EX3500 switch and its connected devices. (page 4-262)
ex3524: Adds an EX3524 switch to the network (page 4-277)
ex3548: Adds an EX3548 switch to the network (page 4-279)
firewall-policy: Creates a firewall policy and enters its configuration mode. This policy configures safeguards against denial of service (DoS) attacks and packet storms. It also configures firewall parameters, such as logging, application layer gateway, TCP protocol checks, state flow checks, etc. (page 4-280)
global-association-list: Creates a global list of client MAC addresses (page 4-282)
guest-management: Creates a guest management policy and enters its configuration mode. This policy redirects guest users to a registration portal, upon association to a captive portal Service Set Identifier (SSID). (page 4-286)
host: Sets the system's network name (page 4-297)
inline-password-encryption: Stores the encryption key in the startup configuration file (page 4-298)
ip: Creates an IP access control list (ACL) and/or a Simple Network Management Protocol (SNMP) ACL, and enters its configuration mode (page 4-299)
ipv6: Creates an IPv6 ACL and enters its configuration mode (page 4-301)
ipv6-router-advertisement-policy: Creates an IPv6 router advertisement (RA) policy and enters its configuration mode (page 4-302)
l2tpv3: Creates a Layer 2 Tunneling Protocol Version 3 (L2TPV3) tunnel policy and enters its configuration mode. This policy defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes. (page 4-320)
mac: Configures MAC access lists (goes to the MAC ACL mode) (page 4-322)
management-policy: Creates a management policy and enters its configuration context. This policy configures services that run on a device, such as welcome messages, banners, etc. (page 4-323)
meshpoint: Creates a meshpoint and enters its configuration mode (page 4-325)
meshpoint-qos-policy: Creates a meshpoint quality of service (QoS) policy and enters its configuration mode (page 4-327)
mint-policy: Creates a MiNT security policy and enters its configuration mode (page 4-328)
nac-list: Creates a network ACL and enters its configuration mode (page 4-329)
no: Negates a command or sets its default (page 4-335)
nsight-policy: Creates an NSight policy and enters its configuration mode (page 4-339)
passpoint-policy: Creates a new passpoint policy and enters its configuration mode (page 4-350)
password-encryption: Enables password encryption (page 4-352)
profile: Creates a device profile and enters its configuration mode (page 4-353)
radio-qos-policy: Creates a radio QoS policy and enters its configuration mode (page 4-357)
radius-group: Creates a RADIUS group and enters its configuration mode (page 4-358)
radius-server-policy: Creates a RADIUS server policy and enters its configuration mode (page 4-359)
radius-user-pool-policy: Creates a RADIUS user pool policy and enters its configuration mode (page 4-361)
rename: Renames an existing top-level object (TLO) (page 4-362)
replace: Selects an existing device by its MAC address or hostname and replaces it with a new device having a different MAC address (page 4-364)
rf-domain: Creates an RF Domain and enters its configuration mode (page 4-366)
rfs4000: Adds an RFS4000 to the network (page 4-404)
rfs6000: Adds an RFS6000 to the network (page 4-403)
nx5500: Adds an NX5500 to the network (page 4-405)
nx75xx: Adds an NX75XX to the network (page 4-406)
nx9000: Adds an NX9500 or NX9510 to the network (page 4-407)
roaming-assist-policy: Configures a roaming assist policy and enters its configuration mode. This policy enables access points to assist wireless clients in making roaming decisions, such as which access point to connect to. (page 4-408)
role-policy: Creates a role policy and enters its configuration mode (page 4-410)
route-map: Creates a dynamic BGP route map and enters its configuration mode (page 4-411)
routing-policy: Creates a routing policy and enters its configuration mode (page 4-412)
rtl-server-policy: Creates an RTL server policy and enters its configuration mode. The RTL server policy provides the exact location (URL) at which the Euclid server can be reached. (page 4-413)
schedule-policy: Creates a schedule policy and enters its configuration mode (page 4-419)
self: Displays a logged device’s configuration context (page 4-426)
sensor-policy: Creates a sensor policy and enters its configuration mode (page 4-427)
smart-rf-policy: Creates a Smart RF policy and enters its configuration mode (page 4-436)
t5: Configures a t5 wireless controller. This command is applicable only on the RFS4000, RFS6000, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, and VX9000 platforms. (page 4-438)
web-filter-policy: Creates a Web Filtering policy and enters its configuration mode (page 4-440)
wips-policy: Creates a WIPS policy and enters its configuration mode (page 4-451)
wlan: Creates a Wireless Local Area Network (WLAN) and enters its configuration mode (page 4-452)
wlan-qos-policy: Creates a WLAN QoS policy and enters its configuration mode (page 4-549)
url-filter: Creates a URL filter and enters its configuration mode. URL filtering is a licensed feature. (page 4-551)
url-list: Creates a URL list and enters its configuration mode. (page 4-565)
vx9000: Configures a Virtual WLAN Controller (V-WLC) in a virtual machine (VM) environment (page 4-571)

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character.

4.1.1 aaa-policy

Configures an Authentication, Accounting, and Authorization (AAA) policy. Network administrators can use an AAA policy to define access control within the network.

A controller, service platform, or access point can interoperate with external RADIUS and LDAP servers (AAA Servers) to provide an additional user database and authentication resource. Each WLAN can maintain its own unique AAA configuration. Up to six servers can be configured for providing AAA services.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
aaa-policy <AAA-POLICY-NAME>

Parameters
• aaa-policy <AAA-POLICY-NAME>

<AAA-POLICY-NAME>
Specify the AAA policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#aaa-policy test
rfs6000-81742D(config-aaa-policy-test)#?
AAA Policy Mode commands:
  accounting           Configure accounting parameters
  attribute            Configure RADIUS attributes in access and accounting
                       requests
  authentication       Configure authentication parameters
  health-check         Configure server health-check parameters
  mac-address-format   Configure the format in which the MAC address must be
                       filled in the Radius-Request frames
  no                   Negate a command or set its defaults
  proxy-attribute      Configure radius attribute behavior when proxying
                       through controller or rf-domain-manager
  server-pooling-mode  Configure the method of selecting a server from the
                       pool of configured AAA servers
  use                  Set setting to use

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal

rfs6000-81742D(config-aaa-policy-test)#

Related Commands
no: Removes an existing AAA policy

NOTE: For more information on the AAA policy commands, see Chapter 8, AAA-POLICY.

4.1.2 alias

Configures the following types of aliases: network, VLAN, host, string, network-service, etc.

Aliases are objects having a unique name and content that is determined by the alias type (network, VLAN, and network-service).

A typical large enterprise network consists of multiple sites (RF Domains) having similar configuration parameters with few elements that vary, such as networks or network ranges, hosts having different IP addresses, and VLAN IDs or URLs. These elements can be defined as aliases (object oriented wireless firewalls) and used across sites by applying overrides to the object definition. Using aliases results in a configuration that is easier to understand and maintain.

Multiple instances of an alias (same type and same name) can be defined at any of the following levels: global, RF Domain, profile, or device. An alias defined globally functions as a top-level-object (TLO). An alias defined on a device is applicable to that device only. An alias defined on a profile applies to every device using the profile. Similarly, aliases defined at the RF Domain level apply to all devices within that domain.

Aliases defined at any given level can be overridden at any of the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

The different alias types supported are:

• address-range alias – Maps a user-friendly name to a range of IP addresses. An address-range alias can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location’s network range is 172.16.13.20 through 172.16.13.110, the remote location’s ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.

• host alias – Maps a user-friendly name to a specific host (identified by its IP address, for example, 192.168.10.23). A host alias can be utilized at different deployments. For example, if a central network DNS server is set to a static IP address, and a remote location’s local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.

• network alias – Maps a user-friendly name to a network. A network alias can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location’s network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.

• network-group alias – Maps a user-friendly name to a single or a range of addresses of devices, hosts, and network configurations. Network configurations are complete networks in the form 192.168.10.0/24 or IP address range in the form 192.168.10.10-192.168.10.20.
A network-group alias can contain a maximum of eight (8) host entries, eight (8) network entries, and eight (8) IP address-range entries. A maximum of 32 network-group alias entries can be created.
A network-group alias can be used in IP firewall rules to substitute hosts, subnets, and IP address ranges.

• network-service alias – Maps a user-friendly name to service protocols and ports. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network-service alias. When used with an ACL, the network-service alias defines the service-specific components of the ACL rule. Overrides can be applied to the service alias, at the device level, without modifying the ACL. Application of overrides to the service alias allows an ACL to be used across sites.
Use a network-service alias to associate more than one IP address to a network interface, providing multiple connections to a network from a single IP node.

• number alias – Maps a user-friendly name to a number

• vlan alias – Maps a user-friendly name to a VLAN ID. A VLAN alias can be used at different deployments. For example, if a named VLAN is defined as 10 for the central network, and the VLAN is set at 26 at a remote location, the VLAN can be overridden at the deployment location with an alias. At the remote deployment location, the network is functional with a VLAN ID of 26, but utilizes the name defined at the centrally managed network. A new VLAN need not be created specifically for the remote deployment.

• string alias – Maps a user-friendly name to a specific string (for example, RF Domain name). A string alias can be utilized at different deployments. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.

• encrypted-string alias – Maps a user-friendly name to a string value. The string value of this alias is encrypted when "password-encryption" is enabled. Encrypted-string aliases can be used for string configuration parameters that are encrypted by the "password-encryption" feature.

• hashed-string alias – Maps a user-friendly name to a hashed-string value. Hashed-string aliases can be used for string configuration parameters that are hashed, such as passwords.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
alias [address-range|encrypted-string|hashed-string|host|network|network-group|network-service|number|string|vlan]
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>
alias host <HOST-ALIAS-NAME> <HOST-IP>
alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
alias string <STRING-ALIAS-NAME> <LINE>
alias vlan <VLAN-ALIAS-NAME> <1-4094>

Parameters
• alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

address-range <ADDRESS-RANGE-ALIAS-NAME>
Creates an address-range alias, defining a range of IP addresses
• <ADDRESS-RANGE-ALIAS-NAME> – Specify the address-range alias name.
Alias name should begin with ‘$’.

<STARTING-IP> to <ENDING-IP>
Associates a range of IP addresses with this address-range alias
• <STARTING-IP> – Specify the first IP address in the range.
• to <ENDING-IP> – Specify the last IP address in the range.

• alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

encrypted-string <ENCRYPTED-STRING-ALIAS-NAME>
Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when "password-encryption" is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server.
• <ENCRYPTED-STRING-ALIAS-NAME> – Specify the encrypted-string alias name.
Alias name should begin with ‘$’.

[0|2] <LINE>
Configures the value associated with the alias name specified in the previous step
• [0|2] <LINE> – Configures the alias value
Note, if password-encryption is enabled, in the show > running-config output, this clear text is displayed as an encrypted string, as shown below:
nx9500-6C8809(config)#show running-config
!
...............................
alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//
!
--More--
nx9500-6C8809
In the above show > running-config output, the ‘2’ displayed before the encrypted-string alias value indicates that the displayed text is encrypted and not a clear text.
However, if password-encryption is disabled the clear text is displayed as is:
nx9500-6C8809(config)#show running-config
!
...............................
!
alias encrypted-string $enString 0 test11223344
!
--More--
nx9500-6C8809
For more information on enabling password-encryption, see password-encryption.

• alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

hashed-string <HASHED-STRING-ALIAS-NAME>
Creates an alias for a hashed string. Use this alias for configuration values that are hashed strings, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see .
• <HASHED-STRING-ALIAS-NAME> – Specify the hashed-string alias name.
Alias name should begin with ‘$’.

<LINE>
Configures the hashed-string value associated with this alias.
nx9500-6C8809(config)#show running-config
!
alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv
!
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc750
--More--
nx9500-6C8809
In the above show > running-config output, the ‘1’ displayed before the hashed-string alias value indicates that the displayed text is hashed and not a clear text.

• alias host <HOST-ALIAS-NAME> <HOST-IP>

host <HOST-ALIAS-NAME>
Creates a host alias, defining a single network host
• <HOST-ALIAS-NAME> – Specify the host alias name.
Alias name should begin with ‘$’.

<HOST-IP>
Associates the network host’s IP address with this host alias. For example, ‘alias host $HOST 1.1.1.100’. In this example, the host alias name is: $HOST and the host IP address it is mapped to is: 1.1.1.100.
• <HOST-IP> – Specify the network host’s IP address.

• alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

network <NETWORK-ALIAS-NAME>
Creates a network alias, defining a single network address
• <NETWORK-ALIAS-NAME> – Specify the network alias name.
Alias name should begin with ‘$’.

<NETWORK-ADDRESS/MASK>
Associates a single network with this network alias. For example, ‘alias network $NET 1.1.1.0/24’. In this example, the network alias name is: $NET and the network it is mapped to is: 1.1.1.0/24.
• <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.

• alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]

network-group <NETWORK-GROUP-ALIAS-NAME>
Creates a network-group alias
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name.
Alias name should begin with ‘$’.
The network-group aliases are used in ACLs, to define the network-specific components. ACLs using aliases can be used across sites by re-defining the network-group alias elements at the device or profile level.
After specifying the name, specify the following: a range of IP addresses, host addresses, or a range of network addresses.

address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}
Associates a range of IP addresses with this network-group alias
• <STARTING-IP> – Specify the first IP address in the range.
• to <ENDING-IP> – Specify the last IP address in the range.
• <STARTING-IP> to <ENDING-IP> – Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured.

host <HOST-IP> {<HOST-IP>}
Associates a single or multiple hosts with this network-group alias
• <HOST-IP> – Specify the hosts’ IP address.
• <HOST-IP> – Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured.

network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}
Associates a single or multiple networks with this network-group alias
• <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
• <NETWORK-ADDRESS/MASK> – Optional. Specifies more than one network. A maximum of eight (8) networks can be configured.

• alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}

alias network-service <NETWORK-SERVICE-ALIAS-NAME>
Configures an alias that specifies available network services and the corresponding source and destination software ports
• <NETWORK-SERVICE-ALIAS-NAME> – Specify a network-service alias name.
Alias name should begin with ‘$’.
Network-service aliases are used in ACLs, to define the service-specific components. ACLs using aliases can be used across sites by re-defining the network-service alias elements at the device or profile level.

proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp]
Use one of the following options to associate an Internet protocol with this network-service alias:
• <0-254> – Identifies the protocol by its number. Specify the protocol number from 0 - 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of IPv6 header. For example, the User Datagram Protocol’s (UDP) designated number is 17.
• <WORD> – Identifies the protocol by its name. Specify the protocol name.
• eigrp – Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The protocol number is 88.
• gre – Selects Generic Routing Encapsulation (GRE). The protocol number is 47.
• igmp – Selects Internet Group Management Protocol (IGMP). The protocol number is 2.
• igp – Selects Interior Gateway Protocol (IGP). The protocol number is 9.
• ospf – Selects Open Shortest Path First (OSPF). The protocol number is 89.
• vrrp – Selects Virtual Router Redundancy Protocol (VRRP). The protocol number is 112.

{(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
After specifying the protocol, you may configure a destination port for this service. These keywords are recursive and you can configure multiple protocols and associate multiple destination and source ports.
• <1-65535> – Optional. Configures a destination port number from 1 - 65535
• <WORD> – Optional. Identifies the destination port by the service name provided. For example, the secure shell (SSH) service uses TCP port 22.
• bgp – Optional. Configures the default Border Gateway Protocol (BGP) services port (179)
• dns – Optional. Configures the default Domain Name System (DNS) services port (53)
• ftp – Optional. Configures the default File Transfer Protocol (FTP) control services port (21)
• ftp-data – Optional. Configures the default FTP data services port (20)
• gopher – Optional. Configures the default gopher services port (70)
• https – Optional. Configures the default HTTPS services port (443)
• ldap – Optional. Configures the default Lightweight Directory Access Protocol (LDAP) services port (389)
• nntp – Optional. Configures the default Newsgroup (NNTP) services port (119)
• ntp – Optional. Configures the default Network Time Protocol (NTP) services port (123)
• pop3 – Optional. Configures the default Post Office Protocol (POP3) services port (110)
• proto – Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step.
• sip – Optional. Configures the default Session Initiation Protocol (SIP) services port (5060)
• smtp – Optional. Configures the default Simple Mail Transfer Protocol (SMTP) services port (25)
• sourceport [<1-65535>|<WORD>] – Optional. After specifying the destination port, you may specify a single or range of source ports.
  • <1-65535> – Specify the source port from 1 - 65535.
  • <WORD> – Specify the source port range, for example 1-10.
• ssh – Optional. Configures the default SSH services port (22)
• telnet – Optional. Configures the default Telnet services port (23)
• tftp – Optional. Configures the default Trivial File Transfer Protocol (TFTP) services port (69)

• alias number <NUMBER-ALIAS-NAME> <0-4294967295>

alias number <NUMBER-ALIAS-NAME> <0-4294967295>
Creates a number alias identified by the <NUMBER-ALIAS-NAME> keyword. Number aliases map a name to a numeric value. For example, ‘alias number $NUMBER 100’
• The number alias name is: $NUMBER
• The value assigned is: 100
The value referenced by alias $NUMBER, wherever used, is 100.
• <NUMBER-ALIAS-NAME> – Specify the number alias name.
• <0-4294967295> – Specify the number, from 0 - 4294967295, assigned to the number alias created.
Alias name should begin with ‘$’.

• alias string <STRING-ALIAS-NAME> <LINE>

alias string <STRING-ALIAS-NAME>
Creates a string alias identified by the <STRING-ALIAS-NAME> keyword
• <STRING-ALIAS-NAME> – Specify the string alias name.
• <LINE> – Specify the string value associated with the specified <STRING-ALIAS-NAME> keyword.
String aliases map a name to an arbitrary string value. For example, ‘alias string $DOMAIN test.example_company.com’.
• The string alias name is: $DOMAIN
• The value assigned is: test.example_company.com (a domain name)
The value referenced by alias $DOMAIN, wherever used, is test.example_company.com.
Alias name should begin with ‘$’.
You can also use a string alias to configure the Bonjour Service instance name. Once configured, use the string alias in the Bonjour Gateway Discovery Policy context to specify the Bonjour service instance name to be used as the match criteria. For more information, see allow-service.

• alias vlan <VLAN-ALIAS-NAME> <1-4094>

alias vlan <VLAN-ALIAS-NAME>
Creates a VLAN alias identified by the <VLAN-ALIAS-NAME> keyword
• <VLAN-ALIAS-NAME> – Specify the VLAN alias name.
Alias name should begin with ‘$’.

<1-4094>
Maps the VLAN alias to a VLAN ID
• <1-4094> – Specify the VLAN ID from 1 - 4094.

Example
rfs4000-229D58(config)#alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13
rfs4000-229D58(config)#alias network $NetworkAlias 192.168.13.0/24
rfs4000-229D58(config)#alias host $HostAlias 192.168.13.100
rfs4000-229D58(config)#alias vlan $VlanAlias 1
rfs4000-229D58(config)#alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10
rfs4000-229D58(config)#alias network-service $NetServAlias proto igmp
rfs4000-229D58(config)#show running-config | include alias
alias network-group $NetGrAlias address-range 192.168.13.7 to 192.168.13.9 192.168.13.20 to 192.168.13.25
alias network $NetworkAlias 192.168.13.0/24
alias host $HostAlias 192.168.13.10
alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10
alias network-service $NetServAlias proto igmp
alias vlan $VlanAlias 1
rfs4000-229D58(config)#

nx9500-6C8809(config)#alias number $NUMBER 100
nx9500-6C8809(config)#show context include-factory | include alias
alias string $DOMAIN test.examplecompany.com
alias string $DOMAIN2 test.example_company.com
alias number $NUMBER 100
alias string $SN B4C7996C8809
nx9500-6C8809(config)#

The following examples show encrypted-string alias configuration:
nx9500-6C8809(config)#alias encrypted-string $WRITE 0 private
nx9500-6C8809(config)#alias encrypted-string $READ 0 public
nx9500-6C8809(config)#show context | include alias
alias vlan $BLR-01 1
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
nx9500-6C8809(config)#

The following example shows the encrypted-string aliases, configured in the previous example, used in the management-policy:
nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $WRITE rw
nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $READ ro
nx9500-6C8809(config-management-policy-default)#show context
management-policy default
 no telnet
 no http server
 https server
 rest-server
 ssh
 user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
 snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
nx9500-6C8809(config-management-policy-default)#

The following example shows hashed-string alias configuration:
nx9500-6C8809(config)#alias hashed-string $PriMode Test12345
nx9500-6C8809(config)#show context | include alias
alias vlan $BLR-01 1
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
nx9500-6C8809(config)#
The following example shows the hashed-string alias, configured in the previous example, used in the management-policy:

nx9500-6C8809(config-management-policy-default)#show context
management-policy default
 https server
 rest-server
 ssh
 user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
 snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
 privilege-mode-password $PriMode
nx9500-6C8809(config-management-policy-default)#

Related Commands
no – Removes an existing network, VLAN, service, string, etc. alias
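The management-policy listings above can be reviewed mechanically. The following Python audit is an added example, not part of the manual or of WiNG: it resolves secret aliases in show context output and flags clear-text alias storage, SNMP communities that resolve to public or private, SNMPv3 users on DES or MD5, and enabled telnet or HTTP. It assumes that type 0 marks a value kept in clear text, as in the examples above where 0 precedes the readable strings public and private; the rule names, sample text and placeholders are constructed.

```python
import re

# Constructed sample in the shape of the manual's "show context" output.
# Hash and key material is replaced by placeholders.
SAMPLE_CONFIG = """\
alias vlan $BLR-01 1
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
alias hashed-string $PriMode 1 PLACEHOLDER_HASH
management-policy default
 no telnet
 no http server
 https server
 ssh
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 PLACEHOLDER_BLOB
 snmp-server user snmpmanager v3 encrypted des auth md5 2 PLACEHOLDER_BLOB
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
 privilege-mode-password $PriMode
"""

SECRET_ALIAS_RE = re.compile(
    r"^alias\s+(encrypted-string|hashed-string)\s+(\$\S+)\s+([012])\s+(\S+)$")
COMMUNITY_RE = re.compile(
    r"\bsnmp-server\s+community\s+(?:([02])\s+)?(\S+)\s+(ro|rw)\b")
SNMPV3_RE = re.compile(
    r"\bsnmp-server\s+user\s+(\S+)\s+v3\s+encrypted\s+(\S+)\s+auth\s+(\S+)")

DEFAULT_COMMUNITIES = {"public", "private"}   # well-known default strings
WEAK_V3_ALGORITHMS = {"des", "md5"}
INSECURE_SERVICES = {"telnet", "http server"}  # enabled when not prefixed by "no"


def parse_secret_aliases(config_text):
    """Return {alias_name: (kind, type_flag, stored_value)} for secret aliases."""
    aliases = {}
    for raw in config_text.splitlines():
        match = SECRET_ALIAS_RE.match(raw.strip())
        if match:
            kind, name, flag, value = match.groups()
            aliases[name] = (kind, flag, value)
    return aliases


def resolve_community(token, aliases):
    """Return (status, value): 'plain', 'opaque' or 'unresolved' community."""
    if not token.startswith("$"):
        return "plain", token
    if token not in aliases:
        return "unresolved", None
    _kind, flag, value = aliases[token]
    # Assumption: only type 0 values are readable; other types are opaque.
    return ("plain", value) if flag == "0" else ("opaque", None)


def audit(config_text):
    """Return a list of (rule, detail) findings for one configuration dump."""
    aliases = parse_secret_aliases(config_text)
    findings = []
    for name, (kind, flag, _value) in aliases.items():
        if kind == "encrypted-string" and flag == "0":
            findings.append(("cleartext-alias", f"{name} is stored with type 0"))
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in INSECURE_SERVICES:
            findings.append(("insecure-service", line))
        community = COMMUNITY_RE.search(line)
        if community:
            _flag, token, access = community.groups()
            status, value = resolve_community(token, aliases)
            if status == "unresolved":
                findings.append(("unresolved-alias", token))
            elif status == "plain" and value.lower() in DEFAULT_COMMUNITIES:
                findings.append(
                    ("default-community",
                     f"{token} resolves to '{value}' ({access})"))
        user = SNMPV3_RE.search(line)
        if user:
            name, privacy, auth = user.groups()
            weak = sorted({privacy.lower(), auth.lower()} & WEAK_V3_ALGORITHMS)
            if weak:
                findings.append(("weak-snmpv3", f"{name} uses {'/'.join(weak)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_CONFIG):
        print(f"{rule:18} {detail}")
```

Resolving the alias before checking the community matters here: the management-policy line only shows $WRITE, and the default string private is visible only in the alias definition.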
4.1.3 aaa-tacacs-policy

Configures AAA Terminal Access Controller Access-Control System+ (TACACS+) policy. TACACS+ is a protocol created by Cisco Systems which provides access control to network devices such as routers, network access servers and other networked computing devices through one or more centralized servers. TACACS provides separate authentication, authorization, and accounting services running on different servers.

TACACS controls user access to devices and network resources while providing separate accounting, authentication, and authorization services. Some of the services provided by TACACS are:
• Authorizing each command with the TACACS+ server before execution.
• Accounting each session’s logon and log off events.
• Authenticating each user with the TACACS+ server before enabling access to network resources.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
aaa-tacacs-policy <AAA-TACACS-POLICY-NAME>

Parameters
• aaa-tacacs-policy <AAA-TACACS-POLICY-NAME>

<AAA-TACACS-POLICY-NAME> – Specify the AAA-TACACS policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#aaa-tacacs-policy testpolicy
rfs6000-81742D(config-aaa-tacacs-policy-testpolicy)#?
AAA TACACS Policy Mode commands:
  accounting      Configure accounting parameters
  authentication  Configure authentication parameters
  authorization   Configure authorization parameters
  no              Negate a command or set its defaults

  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  do              Run commands from Exec mode
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode
  help            Description of the interactive help system
  revert          Revert changes
  service         Service Commands
  show            Show running system information
  write           Write running configuration to memory or terminal

rfs6000-81742D(config-aaa-tacacs-policy-testpolicy)#

Related Commands
no – Removes an existing AAA TACACS policy
NOTE: For more information on the AAA-TACACS policy commands, see Chapter 25, AAA-TACACS-POLICY.
4.1.4 ap6521

Adds an AP6521 to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP6521
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap6521 <MAC>

Parameters
• ap6521 <MAC>

<MAC> – Specify the AP6521’s MAC address.

Example
nx9500-6C8809(config)#ap6521 FC-0A-81-42-93-6C
nx9500-6C8809(config-device-FC-0A-81-42-93-6C)#show context
ap6521 FC-0A-81-42-93-6C
 use profile default-ap6521
 use rf-domain default
 hostname ap6521-42936C
nx9500-6C8809(config-device-FC-0A-81-42-93-6C)#

nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX  NAME            MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
---------------------------------------------------------------------------------------
 1    ap6521-42936C   FC-0A-81-42-93-6C  default-ap6521  default    B4-C7-99-6C-88-09
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#

Related Commands
no – Removes an AP6521 from the network
4.1.5 ap6522

Adds an AP6522 to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP6522
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap6522 <MAC>

Parameters
• ap6522 <MAC>

<MAC> – Specify the AP6522’s MAC address.

Example
nx9500-6C8809(config)#ap6522 B4-C7-99-58-72-58
nx9500-6C8809(config-device-B4-C7-99-58-72-58)#show context
ap6522 B4-C7-99-58-72-58
 use profile default-ap6522
 use rf-domain default
 hostname ap6522-587258
nx9500-6C8809(config-device-B4-C7-99-58-72-58)#

nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX  NAME            MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
---------------------------------------------------------------------------------------
 1    ap6521-42936C   FC-0A-81-42-93-6C  default-ap6521  default    B4-C7-99-6C-88-09
 2    ap6522-587258   B4-C7-99-58-72-58  default-ap6522  default    B4-C7-99-6C-88-09
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#

Related Commands
no – Removes an AP6522 from the network
4.1.6 ap6532

Adds an AP6532 to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP6532
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap6532 <MAC>

Parameters
• ap6532 <MAC>

<MAC> – Specify the AP6532’s MAC address.

Example
nx9500-6C8809(config)#ap6532 00-23-68-31-16-59
nx9500-6C8809(config-device-00-23-68-31-16-59)#show context
ap6532 00-23-68-31-16-59
 use profile default-ap6532
 use rf-domain default
 hostname ap6532-311659
nx9500-6C8809(config-device-00-23-68-31-16-59)#

nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX  NAME            MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
---------------------------------------------------------------------------------------
 1    ap6521-42936C   FC-0A-81-42-93-6C  default-ap6521  default    B4-C7-99-6C-88-09
 2    ap6522-587258   B4-C7-99-58-72-58  default-ap6522  default    B4-C7-99-6C-88-09
 3    ap6532-311659   00-23-68-31-16-59  default-ap6532  default    B4-C7-99-6C-88-09
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#

Related Commands
no – Removes an AP6532 from the network
4.1.7 ap6562

Adds an AP6562 to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP6562
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap6562 <MAC>

Parameters
• ap6562 <MAC>

<MAC> – Specify the AP6562’s MAC address.

Example
nx9500-6C8809(config)#ap6562 00-23-09-0E-12-60
nx9500-6C8809(config-device-00-23-09-0E-12-60)#show context
ap6562 00-23-09-0E-12-60
 use profile default-ap6562
 use rf-domain default
 hostname ap6562-0E1260
nx9500-6C8809(config-device-00-23-09-0E-12-60)#

nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX  NAME            MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
---------------------------------------------------------------------------------------
 1    ap6521-42936C   FC-0A-81-42-93-6C  default-ap6521  default    B4-C7-99-6C-88-09
 2    ap6522-587258   B4-C7-99-58-72-58  default-ap6522  default    B4-C7-99-6C-88-09
 3    ap6532-311659   00-23-68-31-16-59  default-ap6532  default    B4-C7-99-6C-88-09
 4    ap6562-0E1260   00-23-09-0E-12-60  default-ap6562  default    B4-C7-99-6C-88-09
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#

Related Commands
no – Removes an AP6562 from the network
4.1.8 ap71xx

Adds an AP7161 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP7161
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap71xx <MAC>

Parameters
• ap71xx <MAC>

<MAC> – Specify the AP7161’s MAC address.

Example
nx9500-6C8809(config)#ap71xx 00-23-68-11-E6-C4
nx9500-6C8809(config-device-00-23-68-11-E6-C4)#show context
ap71xx 00-23-68-11-E6-C4
 use profile default-ap71xx
 use rf-domain TechPubs
 hostname ap71xx-11E6C4
 no staging-config-learnt
 ip default-gateway 192.168.13.2
 interface vlan1
  ip address 192.168.13.23/24
 use auto-provisioning-policy TecPubs
 no auto-learn staging-config
 adopter-auto-provisioning-policy-lookup evaluate-always
nx9500-6C8809(config-device-00-23-68-11-E6-C4)#

nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX  NAME            MAC                PROFILE          RF-DOMAIN  ADOPTED-BY
---------------------------------------------------------------------------------------
 1    ap71xx-11E6C4   00-23-68-11-E6-C4  default-ap71xx   TechPubs   un-adopted
 2    ap7532-80C2AC   84-24-8D-80-C2-AC  default-ap7532   TechPubs   B4-C7-99-6C-88-09
 3    ap7131-9C63D4   00-23-68-9C-63-D4  default-ap71xx   default    un-adopted
 4    t5-ED7C6C       B4-C7-99-ED-7C-6C  default-t5       TechPubs   B4-C7-99-6C-88-09
 5    rfs4000-880DA7  00-23-68-88-0D-A7  default-rfs4000  TechPubs   B4-C7-99-6C-88-09
 6    ap7131-99BB7C   00-23-68-99-BB-7C  default-ap71xx   TechPubs   B4-C7-99-6C-88-09
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#

Related Commands
no – Removes an AP7161 from the network
4.1.9 ap7502

Adds an AP7502 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP7502
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap7502 <MAC>

Parameters
• ap7502 <MAC>

<MAC> – Specify the AP7502’s MAC address.

Example
rfs6000-81742D(config)#ap7502 00-23-68-99-BF-A8
rfs6000-81742D(config-device-00-23-68-99-BF-A8)#

Related Commands
no – Removes an AP7502 from the network
4.1.10 ap7522

Adds an AP7522 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point – AP7522
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap7522 <MAC>

Parameters
• ap7522 <MAC>

<MAC> – Specify the AP7522’s MAC address.

Example
rfs6000-81742D(config)#ap7522 00-23-09-0E-12-63
rfs6000-81742D(config-device-00-23-09-0E-12-63)#

Related Commands
no – Removes an AP7522 from the network
4.1.11 ap7532

Adds an AP7532 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP7532
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap7532 <MAC>

Parameters
• ap7532 <MAC>

<MAC> – Specify the AP7532’s MAC address.

Example
rfs6000-81742D(config)#ap7532 00-23-09-0E-12-71
rfs6000-81742D(config-device-00-23-09-0E-12-71)#

Related Commands
no – Removes an AP7532 from the network
4.1.12 ap7562

Adds an AP7562 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP7562
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap7562 <MAC>

Parameters
• ap7562 <MAC>

<MAC> – Specify the AP7562’s MAC address.

Example
rfs6000-81742D(config)#ap7562 84-24-8D-80-C2-AC
rfs6000-81742D(config-device-84-24-8D-80-C2-AC)#

Related Commands
no – Removes an AP7562 from the network
4.1.13 ap7602

Adds an AP7602 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP7602
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap7602 <MAC>

Parameters
• ap7602 <MAC>

<MAC> – Specify the AP7602’s MAC address.

Example
nx9500-6C8809(config)#ap7602 11-2C-3b-01-aa-23
nx9500-6C8809(config-device-11-2C-3B-01-AA-23)#show context
ap7602 11-2C-3B-01-AA-23
 use profile default-ap7602
 use rf-domain default
 hostname ap7602-01AA23
nx9500-6C8809(config-device-11-2C-3B-01-AA-23)#

Related Commands
no – Removes an AP7602 from the network
4.1.14 ap7612

Adds an AP7612 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP7612
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap7612 <MAC>

Parameters
• ap7612 <MAC>

<MAC> – Specify the AP7612’s MAC address.

Example
nx9500-6C8809(config)#ap7612 10-1c-AB-11-0E-20
nx9500-6C8809(config-device-10-1c-AB-11-0E-20)#show context
ap7612 10-1C-AB-11-0E-20
 use profile default-ap7612
 use rf-domain default
 hostname ap7612-110E20
nx9500-6C8809(config-device-10-1c-AB-11-0E-20)#

Related Commands
no – Removes an AP7612 from the network
4.1.15 ap7622

Adds an AP7622 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP7622
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap7622 <MAC>

Parameters
• ap7622 <MAC>

<MAC> – Specify the AP7622’s MAC address.

Example
nx9500-6C8809(config-device-01-11-CD-21-0B-13)#show con
ap7622 01-11-CD-21-0B-13
 use profile default-ap7622
 use rf-domain default
 hostname ap7622-210B13
nx9500-6C8809(config-device-01-11-CD-21-0B-13)#

Related Commands
no – Removes an AP7622 from the network
4.1.16 ap7632

Adds an AP7632 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP7632
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap7632 <MAC>

Parameters
• ap7632 <MAC>

<MAC> – Specify the AP7632’s MAC address.

Example
nx9500-6C8809(config)#ap7632 23-12-A1-F0-12-02
nx9500-6C8809(config-device-23-12-A1-F0-12-02)#show context
ap7632 23-12-A1-F0-12-02
 use profile default-ap7632
 use rf-domain default
 hostname ap7632-F01202
nx9500-6C8809(config-device-23-12-A1-F0-12-02)#

Related Commands
no – Removes an AP7632 from the network
4.1.17 ap7662

Adds an AP7662 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP7662
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap7662 <MAC>

Parameters
• ap7662 <MAC>

<MAC> – Specify the AP7662’s MAC address.

Example
nx9500-6C8809(config)#ap7662 20-12-bd-4C-31-5F
nx9500-6C8809(config-device-20-12-BD-4C-31-5F)#show context
ap7662 20-12-BD-4C-31-5F
 use profile default-ap7662
 use rf-domain default
 hostname ap7662-4C315F
nx9500-6C8809(config-device-20-12-BD-4C-31-5F)#

Related Commands
no – Removes an AP7662 from the network
4.1.18 ap81xx

Adds an AP81XX series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP81XX
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap81xx <MAC>

Parameters
• ap81xx <MAC>

<MAC> – Specify the AP81XX’s MAC address.

Example
rfs6000-81742D#ap81xx B4-C7-99-71-17-28
rfs6000-81742D(config-device-B4-C7-99-71-17-28)#show context
ap8132 B4-C7-99-71-17-28
 use profile default-ap81xx
 use rf-domain default
 hostname ap8132-711728
 license AAP DEFAULT-LICENSE
rfs6000-81742D(config-device-B4-C7-99-71-17-28)#

rfs6000-81742D(config)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX  NAME            MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
---------------------------------------------------------------------------------------
 1    ap8132-711728   B4-C7-99-71-17-28  default-ap81xx  default    00-15-70-81-74-2D
---------------------------------------------------------------------------------------
rfs6000-81742D(config)#

Related Commands
no – Removes an AP81XX from the network
4.1.19 ap82xx

Adds an AP82XX series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap82xx <MAC>

Parameters
• ap82xx <MAC>

<MAC> – Specify the AP82XX’s MAC address.

Example
rfs6000-81742D(config-device-00-23-68-14-77-48)
rfs6000-81742D(config-device-00-23-68-14-77-48)#show context
ap82xx 00-23-68-14-77-48
 use profile default-ap82xx
 use rf-domain default
 hostname ap8232-147748
rfs6000-81742D(config-device-00-23-68-14-77-48)#

rfs6000-81742D(config)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX  NAME            MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
---------------------------------------------------------------------------------------
 1    ap6511-08456A   5C-0E-8B-08-45-6A  default-ap6511  default    un-adopted
 2    ap8232-147748   00-23-68-14-77-48  default-ap82xx  default    un-adopted
---------------------------------------------------------------------------------------
rfs6000-81742D(config)#

Related Commands
no – Removes an AP82XX from the network
4.1.20 ap8432

Adds an AP8432 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP8432
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap8432 <MAC>

Parameters
• ap8432 <MAC>

<MAC> – Specify the AP8432’s MAC address.

Example
nx9500-6C8809(config)#ap8432 84-24-8D-80-C2-AC
nx9500-6C8809(config-device-84-24-8D-80-C2-AC)#show context
ap8432 84-24-8D-80-C2-AC
 use profile default-ap8432
 use rf-domain default
 hostname ap8432-80C2AC
nx9500-6C8809(config-device-84-24-8D-80-C2-AC)#

nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX  NAME            MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
---------------------------------------------------------------------------------------
 1    ap8432-80C2AC   84-24-8D-80-C2-AC  default-ap8432  default    un-adopted
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#

Related Commands
no – Removes an AP8432 from the network
4.1.21 ap8533

Adds an AP8533 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
• Access Point — AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ap8533 <MAC>

Parameters
• ap8533 <MAC>

<MAC> – Specify the AP8533’s MAC address.

Example
nx9500-6C8809(config)#ap8533 B4-C7-99-74-B4-5C
nx9500-6C8809(config-device-B4-C7-99-74-B4-5C)#show context
ap8533 B4-C7-99-74-B4-5C
 use profile default-ap8533
 use rf-domain default
 hostname ap8533-74B45C
nx9500-6C8809(config-device-B4-C7-99-74-B4-5C)#

nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX  NAME            MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
---------------------------------------------------------------------------------------
 1    ap8533-74B45C   B4-C7-99-74-B4-5C  default-ap8533  default    un-adopted
---------------------------------------------------------------------------------------
nx9500-6C8809(config)#

Related Commands
no – Removes an AP8533 from the network
4.1.22 application

The following table lists the commands that enable you to enter the Application definition configuration mode:

Table 4.2 Application-Policy Config Command
Command                            Description
application                        Creates a new application definition and enters its configuration mode. This command allows you to create a customized application detection definition.
application-config-mode commands   Summarizes application definition configuration mode commands
4.1.22.1 application

Creates a new application definition and enters its configuration mode

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
application <APPLICATION-NAME>

Parameters
• application <APPLICATION-NAME>

application <APPLICATION-NAME> – Creates a new application definition and enters its configuration mode
• <APPLICATION-NAME> – Specify a name of the new application definition. It is created if not already existing in the system.

Example
nx9500-6C8809(config)#application Bing
nx9500-6C8809(config-application-Bing)#?
Application Mode commands:
  app-category  Set application category (default is custom)
  description   Add application description
  https         Secure HTTP
  no            Negate a command or set its defaults
  use           Set setting to use

  clrscr        Clears the display screen
  commit        Commit all changes made in this session
  do            Run commands from Exec mode
  end           End current mode and change to EXEC mode
  exit          End current mode and down to previous mode
  help          Description of the interactive help system
  revert        Revert changes
  service       Service Commands
  show          Show running system information
  write         Write running configuration to memory or terminal

nx9500-6C8809(config-application-Bing)#

Related Commands
no – Deletes an existing application definition
4.1.22.2 application-config-mode commands

The following table summarizes Application definition configuration mode commands:

Table 4.3 Application-Config-Mode Commands
Command        Description
app-category   Configures the category for this application definition
description    Configures a description for this application definition
https          Configures the HTTPS common-name attribute value for this application category’s server certificate. Applicable only to applications using HTTPS protocol.
use            Associates a network-service alias or a URL list with this application definition. Applicable for applications using protocols other than HTTPS.
no             Removes or resets this application definition’s configured settings
4.1.22.2.1 app-category

Configures the category for this application definition

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
app-category <APP-CATEGORY-NAME>

Parameters
• app-category <APP-CATEGORY-NAME>

app-category <APP-CATEGORY-NAME> – Select the category best suited for this application definition. There are twenty three categories. These are: business, conference, custom, database, filetransfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and Web. The default setting is custom. Use this option to categorize your internal custom applications, so that they do not appear as unknown traffic.

Example
nx9500-6C8809(config-application-Bing)#app-category [TAB]
business             conference           custom
database             filetransfer         gaming
generic              im                   mail
mobile               network\ management  other
p2p                  remote_control       sharehosting
social\ networking   streaming            tunnel
voip                 web
nx9500-6C8809(config-application-Bing)#

nx9500-6C8809(config-application-Bing)#app-category streaming
nx9500-6C8809(config-application-Bing)#show context
application Bing
 app-category streaming
nx9500-6C8809(config-application-Bing)#

Related Commands
no – Resets application category to default (custom)
4.1.22.2.2 description

Configures a description for this application definition

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description <WORD>

Parameters
• description <WORD>

description <WORD> – Configures a description for this application
• <WORD> – Specify a description not exceeding 80 characters in length. Enter the descriptive text within double quotes.

Example
nx9500-6C8809(config-application-Bing)#description "Bing is Microsoft's Web search engine"
nx9500-6C8809(config-application-Bing)#show context
application Bing
 description "Bing is Microsoft's Web search engine"
 app-category streaming
nx9500-6C8809(config-application-Bing)#

Related Commands
no – Removes this description configured for this application
4.1.22.2.3 https

Configures the HTTPS parameter type, attribute type, match criteria for the HTTPS server name and 64 character maximum server name attribute used in the HTTPS server message exchange

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
https server-cert common-name [contains|ends-with] <WORD>

Parameters
• https server-cert common-name [contains|ends-with] <WORD>

https server-cert – Configures the HTTPS parameter type as server certificate

common-name [contains|ends-with] <WORD> – Configures the HTTPS attribute match criteria as common name. This is the only option applicable when the HTTPS parameter type is set to server-cert. Use one of the following options to provide the common-name attribute value used as the match criteria:
• contains – Filters applications having common-name attributes containing the string specified here
• ends-with – Filters applications ending with the string specified here
• <WORD> – Specify the string to match (should not exceed 64 characters).

Example
nx9500-6C8809(config-application-Bing)#https server-cert common-name exact bing.com
nx9500-6C8809(config-application-Bing)#show context
application Bing
 description "Bing is Microsoft's web search engine"
 app-category streaming
 https server-cert common-name exact bing.com
nx9500-6C8809(config-application-Bing)#

Related Commands
no – Removes the HTTPS common-name attribute value configured with this application category
4.1.22.2.4 use

Associates a network-service alias or a URL list with this application definition

For applications using protocols other than HTTPS, use this command to define the protocols, ports, and/or URL host name to match.

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]

Parameters
• use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]

use – Configures this application definition to use a network-service alias or a URL list

network-service <NETWORK-SERVICE-ALIAS-NAME> – Associates a network-service alias with this application definition
• <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service alias name (should be existing and configured). The network-service alias should specify the protocols and ports to match.

url-list <URL-LIST-NAME> – Associates a URL list with this application definition. URL lists are utilized for whitelisting and blacklisting Web application URLs from being launched and consuming bandwidth within the WiNG managed network.
• <URL-LIST-NAME> – Specify the URL list name (should be existing and configured). The URL list should specify the HTTP URL host names to match.

Example
nx9500-6C8809(config-application-Bing)#use url-list Bing
nx9500-6C8809(config-application-Bing)#show context
application Bing
 description "Bing is Microsoft's web search engine"
 app-category streaming
 use url-list Bing
 https server-cert common-name exact bing.com
nx9500-6C8809(config-application-Bing)#

Related Commands
no – Removes the network-service alias or the URL list associated with this application definition

4.1.22.2.5 no
application-config-mode commands

Removes or resets this application definition’s configured settings

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [app-category|description|https|use]
no [app-category|description]
no https server-cert common-name [contains|ends-with] <WORD>
no use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or resets this application definition’s configured settings based on the parameters passed

Example
The following example displays the application definition ‘Bing’ parameters before the ‘no’ commands are executed:

nx9500-6C8809(config-application-Bing)#show context
application Bing
 description "Bing is Microsoft's web search engine"
 app-category streaming
 use url-list Bing
 https server-cert common-name exact bing.com
nx9500-6C8809(config-application-Bing)#

nx9500-6C8809(config-application-Bing)#no description
nx9500-6C8809(config-application-Bing)#no https server-cert common-name exact bing.com

The following example displays the application definition ‘Bing’ parameters after the ‘no’ commands are executed:

nx9500-6C8809(config-application-Bing)#show context
application Bing
 app-category streaming
 use url-list Bing
nx9500-6C8809(config-application-Bing)#

4.1.23 application-group
Global Configuration Commands

The following table lists the commands that enable you to create a new application group and enter its configuration mode:

Table 4.4 Application-Group Config Command

Command | Description | Reference
application-group | Creates a new application group and enters its configuration mode | page 4-49
application-group-mode commands | Summarizes application group configuration mode commands | page 4-50

4.1.23.1 application-group
application-group

An application group is a collection of system-provided and/or user-defined applications. It is a subset of the total number of supported applications. There are a total of 299 system-provided applications.

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
application-group <APPLICATION-GROUP-NAME>

Parameters
• application-group <APPLICATION-GROUP-NAME>

application-group <APPLICATION-GROUP-NAME>
    Creates an application group and enters its configuration mode
    • <APPLICATION-GROUP-NAME> – Specify the application group name. If an application group with the specified name does not exist, it is created. The name should not exceed 32 characters in length.

Example
nx9500-6C8809(config)#application-group amazon
nx9500-6C8809(config-app-group-amazon)#?
Application Group Mode commands:
  application  Add application to group
  description  Add application-group description
  no           Negate a command or set its defaults

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal

nx9500-6C8809(config-app-group-amazon)#

Related Commands
no
    Removes an existing application group

4.1.23.2 application-group-mode commands
application-group

The following table summarizes the application group configuration mode commands:

Table 4.5 Application-Group-Config-Mode Commands

Command | Description | Reference
application | Adds an application to this application group | page 4-51
description | Configures a description for this application group | page 4-53
no | Removes this application group’s configured parameters (application and/or description) | page 4-54

4.1.23.2.1 application
application-group-mode commands

Adds an application to this application group. You can add a system-provided or user-defined application.

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
application <APPLICATION-NAME>

Parameters
• application <APPLICATION-NAME>

application <APPLICATION-NAME>
    Configures the application to be added to this application group
    • <APPLICATION-NAME> – Provide the application name (should be available as an option in the system). A maximum of eight (8) applications can be added to a group.
    If the desired application is not available as an option, use the application command to add it.

Example
To view all applications available in the system, use [TAB], as shown in the following example:

nx9500-6C8809(config-app-group-test)#application [TAB]
Display all 299 possibilities? (y or n)
1-clickshare-com                 1-upload-com
1-upload-to                      10upload-com
--More--
nx9500-6C8809(config-app-group-test)#

Select the desired application from the list displayed, as shown in the following examples:

nx9500-6C8809(config-app-group-amazon)#application amazon [TAB]
amazon-prime-music  amazon-prime-video  amazon_cloud  amazon_shop
nx9500-6C8809(config-app-group-amazon)#

nx9500-6C8809(config-app-group-amazon)#application amazon-prime-music
nx9500-6C8809(config-app-group-amazon)#application amazon-prime-video
nx9500-6C8809(config-app-group-amazon)#application amazon_cloud
nx9500-6C8809(config-app-group-amazon)#application amazon_shop

nx9500-6C8809(config-app-group-amazon)#show context
application-group amazon
 application amazon-prime-music
 application amazon-prime-video
 application amazon_cloud
 application amazon_shop
nx9500-6C8809(config-app-group-amazon)#

Note, the system returns an error message if the application entered is not listed, as shown in the following example:

nx9500-6C8809(config-app-group-test)#application bing
% Error: application 'bing' is not defined
nx9500-6C8809(config-app-group-test)#

Related Commands
no
    Removes a specified application from this application group

4.1.23.2.2 description
application-group-mode commands

Configures a description for this application group

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description <WORD>

Parameters
• description <WORD>

description <WORD>
    Configures a description for this application group that uniquely differentiates it from other existing application groups
    • <WORD> – Provide a description not exceeding 80 characters in length.

Example
nx9500-6C8809(config-app-group-amazon)#description "This application-group lists all Amazon applications."

nx9500-6C8809(config-app-group-amazon)#show context
application-group amazon
 description "This application-group lists all Amazon applications."
 application amazon-prime-music
 application amazon-prime-video
 application amazon_cloud
 application amazon_shop
nx9500-6C8809(config-app-group-amazon)#

Related Commands
no
    Removes the description configured for this application group

4.1.23.2.3 no
application-group-mode commands

Removes this application group’s configured parameters (application and/or description)

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [application <APPLICATION-NAME>|description]

Parameters
• no [application <APPLICATION-NAME>|description]

no <PARAMETERS>
    Removes an application associated with this group, and removes this group’s description

Example
The following example displays the application-group ‘amazon’ configuration before the execution of ‘no’ commands:

nx9500-6C8809(config-app-group-amazon)#show context
application-group amazon
 description "This application-group lists all Amazon applications."
 application amazon-prime-music
 application amazon-prime-video
 application amazon_cloud
 application amazon_shop
nx9500-6C8809(config-app-group-amazon)#

nx9500-6C8809(config-app-group-amazon)#no application amazon_cloud
nx9500-6C8809(config-app-group-amazon)#no description

The following example displays the application-group ‘amazon’ configuration after the execution of ‘no’ commands:

nx9500-6C8809(config-app-group-amazon)#show context
application-group amazon
 application amazon-prime-music
 application amazon-prime-video
 application amazon_shop
nx9500-6C8809(config-app-group-amazon)#

4.1.24 application-policy
Global Configuration Commands

The following table lists the commands that enable you to enter the Application policy configuration mode:

Table 4.6 Application-Policy Config Command

Command | Description | Reference
application-policy | Creates an application policy and enters its configuration mode | page 4-56
application-policy-mode commands | Summarizes the application policy configuration mode commands | page 4-58

4.1.24.1 application-policy
application-policy

When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. An application policy defines the rules or actions executed on recognized applications (for example, Facebook) or application-categories (for example, social-networking). The following are the rules/actions that can be applied in an application policy:
• Allow - Allow packets for a specific application or application category
• Deny - Deny packets for a specific application or application category
• Mark - Mark packets with DSCP/8021p value for a specific application or application category
• Rate-limit - Rate limit packets from specific application types.

For each rule defined, a precedence is assigned to resolve conflicting rules for applications and categories. A deny rule is exclusive, as no other action can be combined with a deny. An allow rule is redundant with other actions, since the default action is allow. An allow rule is useful when you want to deny packets for a category but allow a few applications in the same category to proceed. In such cases, add an allow rule for those applications with a higher precedence than the deny rule for that category.

Mark actions mark packets for a recognized application and category with DSCP/8021p values used for QoS. Rate-limits create a rate-limiter applied to packets recognized for an application and category. Ingress and egress rates need to be specified for the rate-limiter, but both are not required. Mark and rate-limit are the only two actions that can be combined for an application and category. All other combinations are invalid.

Once created and configured, apply the application policy at the following levels within the network to enforce application assurance:
• RADIUS CoA usage – In the device/profile configuration mode, use the application-policy > radius > <APPLICATION-POLICY-NAME> command to apply the policy to every user successfully authenticated by the RADIUS server.
• User role – In the role-policy-user-role configuration mode, use the use > application-policy <APPLICATION-POLICY-NAME> command to apply the policy to all users assigned to the role.
• WLAN – In the WLAN configuration mode, use the use > application-policy <APPLICATION-POLICY-NAME> command to apply the policy to all users accessing the WLAN.
• Bridge VLAN – In the bridge VLAN configuration mode, use the use > application-policy <APPLICATION-POLICY-NAME> command to apply the policy for the traffic corresponding to the bridged VLAN.

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
application-policy <APPLICATION-POLICY-NAME>

Parameters
• application-policy <APPLICATION-POLICY-NAME>

application-policy <APPLICATION-POLICY-NAME>
    Specify the application policy name. If an application policy with the specified name does not exist, it is created. The name should not exceed 32 characters in length.

Example
nx9500-6C8809(config)#application-policy TestAppliPolicy
nx9500-6C8809(config-app-policy-TestAppliPolicy)#?
Application Policy Mode commands:
  allow             Allow packets
  deny              Deny packets
  description       Application policy description
  enforcement-time  Configure policy enforcement based on time
  logging           Application recognition logging
  mark              Mark packets
  no                Negate a command or set its defaults
  rate-limit        Rate-limit packets

  clrscr            Clears the display screen
  commit            Commit all changes made in this session
  do                Run commands from Exec mode
  end               End current mode and change to EXEC mode
  exit              End current mode and down to previous mode
  help              Description of the interactive help system
  revert            Revert changes
  service           Service Commands
  show              Show running system information
  write             Write running configuration to memory or terminal

nx9500-6C8809(config-app-policy-TestAppliPolicy)#

Related Commands
no
    Removes an existing application policy

4.1.24.2 application-policy-mode commands
application-policy

The following table summarizes Application policy configuration mode commands:

Table 4.7 Application-Policy-Mode Commands

Command | Description | Reference
allow | Creates an allow rule and configures the match criteria based on which packets are filtered and the allow access action applied | page 4-59
deny | Creates a deny rule and configures the match criteria based on which packets are filtered and the deny access action applied | page 4-62
description | Configures a brief description for this application policy that enables you to differentiate it from other application policies | page 4-65
enforcement-time | Configures an enforcement time period in days and hours for this application policy. The policy is enforced only during the specified time period. | page 4-66
logging | Enables logging of application recognition hits made by the DPI engine. It also sets the logging level. | page 4-68
mark | Creates a mark rule and configures the match criteria based on which packets are filtered and marked with 802.1p priority value or Differentiated Service Code Point (DSCP) code | page 4-70
rate-limit | Creates a rate-limit rule and configures the match criteria based on which incoming and outgoing packets are filtered and the configured rate limits applied | page 4-73
no | Removes or resets this application policy’s settings | page 4-76

4.1.24.2.1 allow
application-policy-mode commands

Creates an allow rule and configures the match criteria based on which packets are filtered and the allow access action applied

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters
• allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

allow
    Creates an allow rule and configures the match criteria. The options are app-category and application.
app-category [<APP-CATEGORY-NAME>|all]
    Uses application category as the match criteria
    • <APP-CATEGORY-NAME> – Specify the application category. The options are: antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and web. Each packet’s app-category is matched with the value specified here. In case of a match, the system forwards the packet or else drops it.
    • all – The system forwards all packets irrespective of the application category.
application <APPLICATION-NAME>
    Uses application name as the match criteria
    • <APPLICATION-NAME> – Specify the application name. Each packet’s application is matched with the application name specified here. In case of a match, the system forwards the packet.
    The WiNG database provides approximately 381 canned applications. In addition to these, the database also includes custom-made applications. These are application definitions created using the application command.
schedule <SCHEDULE-POLICY-NAME>
    Schedules an enforcement time for this allow rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time.
    • schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy’s enforcement time. In other words, the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times, the best practice would be to keep the application policy active at all times (i.e., retain the default enforcement-time setting as ‘all’).
    • <SCHEDULE-POLICY-NAME> – Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule.
    In case of no schedule policy being applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.
precedence <1-256>
    Assigns a precedence value for this allow rule. The precedence value differentiates between rules applicable to applications and the application categories to which they belong. The allow, deny, mark, rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule.
    Let us consider application youtube belonging to app-category streaming.
    The action required is: Allow youtube packets and deny all other applications belonging to app-category streaming.
    The rules can be defined as:
    #allow application youtube precedence 1
    #deny app-category streaming precedence 2
    The following configuration is incorrect:
    #deny app-category streaming precedence 1
    #allow application youtube precedence 2
    Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule.
    The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.

Example
The following example shows how to view all built-in, system provided applications:

nx9500-6C8809(config-app-policy-test)#allow application [TAB]
Display all 366 possibilities? (y or n)
1-clickshare-com                   1-upload-com
1-upload-to                        10upload-com
123upload-pl                       139pan-com
163pan-com                         1clickshare-net
1fichier-com                       1kxun
2channel                           2gis
2shared-com                        360mobile
4fastfile-com                      4share-ws
Dota\ 2                            EA\ Origin
--More--
nx9500-6C8809(config-app-policy-test)#

The following examples show two allow rules, allowing access to all packets belonging to the application category ‘business’ and the application ‘Bing’:

nx9500-6C8809(config-app-policy-Bing)#allow application Bi [TAB]
Bing                      BitTorrent                BitTorrent_encrypted
BitTorrent_plain          BitTorrent_uTP            BitTorrent_uTP_encrypted
nx9500-6C8809(config-app-policy-Bing)#

Note: Bing is not one of the WiNG built-in database applications. It is a customized application created using the application command.

nx9500-6C8809(config-app-policy-Bing)#allow application Bing precedence 1

nx9500-6C8809(config-app-policy-Bing)#allow app-category [TAB]
all                  antivirus\ update    audio
business             conference           custom
database             filetransfer         gaming
generic              im                   mail
mobile               network\ management  other
p2p                  remote_control       social\ networking
standard             streaming            tunnel
video                voip                 web
nx9500-6C8809(config-app-policy-Bing)#

nx9500-6C8809(config-app-policy-Bing)#allow app-category business precedence 2

nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 allow application Bing precedence 1
 allow app-category business precedence 2
nx9500-6C8809(config-app-policy-Bing)#

The following example shows an application policy 'SocialNet' having an allow rule with an associated schedule policy named 'FaceBook':

nx9500-6C8809(config-app-policy-SocialNet)#allow application facebook schedule Facebook precedence 1

nx9500-6C8809(config-app-policy-SocialNet)#show context
application-policy SocialNet
 description "This application policy relates to Social Networking sites."
 allow application facebook schedule FaceBook precedence 1
nx9500-6C8809(config-app-policy-SocialNet)#

The schedule policy ‘FaceBook’ configuration is as follows. As per this policy, the above allow rule will apply to all FaceBook packets every Friday between 13:00 and 18:00 hours.

nx9500-6C8809(config-schedule-policy-FaceBook)#show context
schedule-policy FaceBook
 description "Allows FaceBook traffic on Fridays."
 time-rule days friday start-time 13:00 end-time 18:00
nx9500-6C8809(config-schedule-policy-FaceBook)#

Related Commands
no
    Removes this allow rule from the application policy

4.1.24.2.2 deny
application-policy-mode commands

Creates a deny rule and configures the match criteria based on which packets are filtered and the deny access action applied

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters
• deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

deny
    Creates a deny rule and configures the match criteria. The options are app-category and application.
app-category [<APP-CATEGORY-NAME>|all]
    Uses application category as the match criteria
    • <APP-CATEGORY-NAME> – Specify the application category name. The options are: antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and web. Each packet’s app-category is matched with the value specified here. In case of a match, the system drops the packet.
    • all – The system drops all packets irrespective of the application category.
application <APPLICATION-NAME>
    Uses application name as the match criteria
    • <APPLICATION-NAME> – Specify the application name. Each packet’s application is matched with the application name specified here. In case of a match, the system drops the packet.
    There are approximately 381 canned applications in the database. In addition to these, the database also displays custom-made applications. These are application definitions created using the application command.
schedule <SCHEDULE-POLICY-NAME>
    Schedules an enforcement time for this deny rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time.
    • schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy’s enforcement time. In other words, the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times, the best practice would be to keep the application policy active at all times (i.e., retain the default enforcement-time setting as ‘all’).
    • <SCHEDULE-POLICY-NAME> – Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule.
    In case of no schedule policy being applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.
precedence <1-256>
    Assigns a precedence value for this deny rule. The precedence value differentiates between rules applicable to applications and the application categories to which they belong. The allow, deny, mark, rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule.
    Let us consider application youtube belonging to app-category streaming.
    The action required is: Allow youtube packets and deny all other applications belonging to app-category streaming.
    The rules can be defined as:
    #allow application youtube precedence 1
    #deny app-category streaming precedence 2
    The following configuration is incorrect:
    #deny app-category streaming precedence 1
    #allow application youtube precedence 2
    Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule.
    The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.

Example
The following example shows one deny rule, denying access to all packets belonging to the application category ‘social\ networking’:

nx9500-6C8809(config-app-policy-Bing)#deny app-category social\ networking precedence 3

nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 allow application Bing precedence 1
 allow app-category business precedence 2
 deny app-category "social networking" precedence 3
nx9500-6C8809(config-app-policy-Bing)#

The following example displays the schedule policy ‘DenyS-N’ settings. The time-rule defined in the policy is all weekdays from 9:30 AM to 11:30 PM.

nx9500-6C8809(config-schedule-policy-DenyS-N)#show context
schedule-policy DenyS-N
 description "Denies all social Networking sites on weekdays."
 time-rule days weekdays start-time 09:30 end-time 23:30
nx9500-6C8809(config-schedule-policy-DenyS-N)#

The following example displays the schedule policy ‘FaceBook’ settings. The time-rule defined in the policy is Friday from 1:00 PM to 6:00 PM.

nx9500-6C8809(config-schedule-policy-FaceBook)#show context
schedule-policy FaceBook
 description "Allows FaceBook traffic on Fridays."
 time-rule days friday start-time 13:00 end-time 18:00
nx9500-6C8809(config-schedule-policy-FaceBook)#

The following example shows an application policy ‘SocialNet’ defining an allow and a deny rule. The two rules have different enforcement times, defined by their respective schedule policies (DenyS-N and FaceBook). As per these two schedule policy settings, this application policy:
• Denies all social\ networking sites on weekdays (barring Fridays between 1:00 PM to 6:00 PM) from 9:30 AM to 11:30 PM.
On Fridays, between 1:00 PM to 6:00 PM, it:
• Denies all social\ networking sites except Facebook.

nx9500-6C8809(config-app-policy-SocialNet)#show context
application-policy SocialNet
 description "This application policy relates to Social Networking sites."
 allow application facebook schedule FaceBook precedence 1
 deny app-category "social networking" schedule DenyS-N precedence 2
nx9500-6C8809(config-app-policy-SocialNet)#

Related Commands
no
    Removes this deny rule from the application policy
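
The rule-ordering and one-action-per-target constraints described for allow and deny rules can be checked offline before a policy is committed. The following Python check is an added example, not part of this guide or of the WiNG software; the function names, the APP_CATEGORY map and the sample policy text are constructed for illustration, and it assumes a rule with a lower precedence number is hit first, as the youtube/streaming example implies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed application -> app-category map (assumption). On a real system
# the category comes from each application's own definition.
APP_CATEGORY = {"youtube": "streaming", "facebook": "social networking"}

# Matches allow/deny rules as shown in 'show context' output or in the
# '#allow ...' form used in this section. Names may be quoted or use '\ '.
RULE_RE = re.compile(
    r'^\s*#?\s*(allow|deny)\s+(app-category|application)\s+'
    r'("[^"]+"|(?:\\ |\S)+)'
    r'(?:\s+schedule\s+(\S+))?\s+precedence\s+(\d+)\s*$'
)


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    kind: str                # "app-category" or "application"
    target: str              # normalised name, e.g. "social networking"
    schedule: Optional[str]  # schedule policy name, if any
    precedence: int


def parse_rules(config: str) -> List[Rule]:
    """Extract allow/deny rules and return them in precedence order."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # description, enforcement-time, prompts and so on
        action, kind, target, schedule, prec = m.groups()
        if not 1 <= int(prec) <= 256:
            raise ValueError(f"precedence outside 1-256: {line.strip()}")
        target = target.strip('"').replace("\\ ", " ")
        rules.append(Rule(action, kind, target, schedule, int(prec)))
    return sorted(rules, key=lambda r: r.precedence)


def covers(category_rule: Rule, rule: Rule) -> bool:
    """True if category_rule matches every packet that rule matches."""
    if category_rule.kind != "app-category":
        return False
    if category_rule.target == "all":
        return True
    return (rule.kind == "application"
            and APP_CATEGORY.get(rule.target.lower()) == category_rule.target)


def lint(config: str) -> List[str]:
    """Report allow rules shadowed by an earlier deny, and allow/deny conflicts."""
    findings = []
    rules = parse_rules(config)
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.kind, earlier.target) == (rule.kind, rule.target):
                if earlier.action != rule.action:
                    findings.append(
                        f"conflict: {rule.kind} {rule.target!r} has both "
                        f"{earlier.action} (precedence {earlier.precedence}) and "
                        f"{rule.action} (precedence {rule.precedence})")
            elif (rule.action == "allow" and earlier.action == "deny"
                    and covers(earlier, rule)):
                findings.append(
                    f"shadowed: allow {rule.kind} {rule.target!r} (precedence "
                    f"{rule.precedence}) follows deny app-category "
                    f"{earlier.target!r} (precedence {earlier.precedence})")
    return findings


# The two orderings discussed under the precedence parameter.
GOOD_ORDER = "#allow application youtube precedence 1\n#deny app-category streaming precedence 2"
BAD_ORDER = "#deny app-category streaming precedence 1\n#allow application youtube precedence 2"

# The SocialNet policy as displayed by 'show context' in this section.
SOCIALNET = '''application-policy SocialNet
 description "This application policy relates to Social Networking sites."
 allow application facebook schedule FaceBook precedence 1
 deny app-category "social networking" schedule DenyS-N precedence 2
'''

if __name__ == "__main__":
    for name, text in [("good", GOOD_ORDER), ("bad", BAD_ORDER), ("SocialNet", SOCIALNET)]:
        print(name, lint(text) or "no findings")
```

The check reports shadowing without regard to schedules, so a flagged allow rule is unreachable only while the earlier deny rule's schedule is active.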

4.1.24.2.3 description
application-policy-mode commands

Configures a brief description for this application policy that enables you to differentiate it from other application policies

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description <LINE>

Parameters
• description <LINE>

description <LINE>
    Configures this application policy’s description
    • <LINE> – Specify a brief description not exceeding 80 characters in length.

Example
nx9500-6C8809(config-app-policy-Bing)#description "This application policy allows Bing search engine packets"

nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 description "This application policy allows Bing search engine packets"
 allow application Bing precedence 1
 allow app-category business precedence 2
 deny app-category "social networking" precedence 3
nx9500-6C8809(config-app-policy-Bing)#

Related Commands
no
    Removes this application policy’s description

4.1.24.2.4 enforcement-time
application-policy-mode commands

Configures an enforcement time period in days and hours for this application policy. The enforcement time is applicable only to those rules, within the application policy, that do not have a schedule policy associated. By default an application policy is enforced on all days.

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays] {start-time <HH:MM> end-time <HH:MM>}

Parameters
• enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays] {start-time <HH:MM> end-time <HH:MM>}

NOTE: Schedule policies are a means of enforcing allow/deny/mark/rate-limit rules at different time periods. If no schedule policy is applied, all rules within an application policy are enforced at the time specified using this enforcement-time command. For more information on configuring a schedule policy, see schedule-policy.

enforcement-time days
    Enforces this application policy only on the days specified here
    • sunday – Enforces the policy only on Sundays
    • monday – Enforces the policy only on Mondays
    • tuesday – Enforces the policy only on Tuesdays
    • wednesday – Enforces the policy only on Wednesdays
    • thursday – Enforces the policy only on Thursdays
    • friday – Enforces the policy only on Fridays
    • saturday – Enforces the policy only on Saturdays
    • all – Enforces the policy on all days. This is the default setting.
    • weekends – Enforces the policy only on weekends
    • weekdays – Enforces the policy only on weekdays
    In case no enforcement time is specified, the application policy is enforced on all days (i.e., always active).
    If using schedule policies with the allow/deny/mark/rate-limit rules, the best practice would be to keep the application policy active at all times (i.e., retain the default enforcement-time setting of ‘all’).
start-time <HH:MM> end-time <HH:MM>
    Optional. Configures this application policy’s enforcement period
    • start-time – Configures the start time. This is the time at which the application policy enforcement begins.
    • end-time – Configures the end time. This is the time at which the application policy enforcement ends.
    • <HH:MM> – Specify the start and end time in the HH:MM format.
Example
nx9500-6C8809(config-app-policy-Bing)#enforcement-time days weekdays start-time 10:30 end-time 20:00
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 description "This application policy allows Bing search engine packets"
 enforcement-time days weekdays start-time 10:30 end-time 20:00
 allow application Bing precedence 1
 allow app-category business precedence 2
 deny app-category "social networking" precedence 3
nx9500-6C8809(config-app-policy-Bing)#

Related Commands
no    Removes this application policy’s enforcement period
4.1.24.2.5 logging

application-policy-mode commands

Enables DPI application recognition logging. It also sets the logging level.

DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify applications (such as Netflix, Twitter, Facebook, etc.) and extract metadata (such as host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
logging [level|on]
logging on
logging level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]

Parameters
• logging on

logging on
Enables logging of application recognition hits made by the DPI engine. This option is disabled by default.

• logging level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]

logging level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]
Sets the logging level for application recognition hits made by the DPI engine. This option is disabled by default.
• <0-7> – Sets the message logging severity level on a scale of 0 - 7
• emergencies – Severity level 0: System is unusable
• alerts – Severity level 1: Requires immediate action
• critical – Severity level 2: Critical conditions
• errors – Severity level 3: Error conditions
• warnings – Severity level 4: Warning conditions
• notifications – Severity level 5: Normal but significant conditions (this is the default setting)
• informational – Severity level 6: Informational messages
• debugging – Severity level 7: Debugging messages
Example
nx9500-6C8809(config-app-policy-Bing)#logging level critical
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 description "This application policy allows Bing search engine packets"
 enforcement-time days weekdays start-time 12:30 end-time 20:00
 allow application Bing precedence 1
 allow app-category business precedence 2
 deny app-category "social networking" precedence 3
 logging level critical
nx9500-6C8809(config-app-policy-Bing)#

Related Commands
no    Resets the logging level to default (notifications). The no > logging > on command disables DPI logging.
4.1.24.2.6 mark

application-policy-mode commands

Creates a mark rule and configures the match criteria based on which packets are marked

Marks packets, matching a specified set of application categories or applications/protocols, with 802.1p priority level or Differentiated Services Code Point (DSCP) type of service (ToS) code. Marking packets is a means of identifying them for specific actions, and is used to provide different levels of service to different traffic types.

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] [8021p <0-7>|dscp <0-63>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters
• mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] [8021p <0-7>|dscp <0-63>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

mark
Creates a mark rule and configures the match criteria. When applied, the rule marks packets, matching the criteria configured here, with 802.1p priority value or DSCP code. The match criteria options are: app-category and application.

app-category [<APP-CATEGORY-NAME>|all]
Uses application category as the match criteria
• <APP-CATEGORY-NAME> – Specify the application category. The options are: antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and web. Each packet’s app-category is matched with the value specified here. In case of a match, the system marks the packet.
• all – The system marks all packets irrespective of the application category.

application <APPLICATION-NAME>
Uses application name as the match criteria
• <APPLICATION-NAME> – Specify the application name. Each packet’s application is matched with the application name specified here. In case of a match, the system marks the packet.
The WiNG database provides approximately 381 canned applications. In addition to these, the database includes custom-made applications. These are application definitions created using the application command.

8021p <0-7>
Marks packets matching the specified criteria with 802.1p priority value
• <0-7> – Specify a value from 0 - 7.
The IEEE 802.1p signaling standard enables marking of layer 2 network traffic. Layer 2 network devices (such as switches), using 802.1p standards, group traffic into classes based on their 802.1p priority value, which is appended to the packet’s MAC header. In case of traffic congestion, packets with higher priority get precedence over lower priority packets and are forwarded first.
dscp <0-63>
Marks packets matching the specified criteria with DSCP ToS code
• <0-63> – Specify a value from 0 - 63.
The DSCP protocol marks layer 3 network traffic. Layer 3 network devices (such as routers) using DSCP, mark each layer 3 packet with a six-bit DSCP code, which is appended to the packet’s IP header. Each DSCP code is assigned a corresponding level of service, enabling packet prioritization.

schedule <SCHEDULE-POLICY-NAME>
Schedules an enforcement time for this mark rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time.
• schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy’s enforcement time. In other words, the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times, the best practice is to keep the application policy active at all times (i.e., retain the default enforcement-time setting as ‘all’).
• <SCHEDULE-POLICY-NAME> – Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule.
If no schedule policy is applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.

precedence <1-256>
Assigns a precedence value for this mark rule. The precedence value differentiates between rules applicable to applications and the application categories they belong to. The allow, deny, mark, rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule.
Let us consider application youtube belonging to app-category streaming.
The action required is: Allow youtube packets and deny all other applications belonging to app-category streaming.
The rules can be defined as:
#allow application youtube precedence 1
#deny app-category streaming precedence 2
The following configuration is incorrect:
#deny app-category streaming precedence 1
#allow application youtube precedence 2
Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule.
The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.
Example
nx9500-6C8809(config-app-policy-Bing)#mark app-category video dscp 9 precedence 4
nx9500-6C8809(config-app-policy-Bing)#mark application facetime dscp 10 precedence 5
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 description "This application policy allows Bing search engine packets"
 enforcement-time days weekdays start-time 12:30 end-time 20:00
 allow application Bing precedence 1
 allow app-category business precedence 2
 deny app-category "social networking" precedence 3
 mark app-category video dscp 9 precedence 4
 mark application facetime dscp 10 precedence 5
 logging level critical
nx9500-6C8809(config-app-policy-Bing)#

Related Commands
no    Removes this mark rule from the application policy
4.1.24.2.7 rate-limit

application-policy-mode commands

Creates a rate-limit rule and configures the match criteria

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] ([egress|ingress]) rate <50-1000000> max-burst-size <2-1024> schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters
• rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] ([egress|ingress]) rate <50-1000000> max-burst-size <2-1024> schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

rate-limit
Creates a rate-limit rule and configures the match criteria. When applied, the rule applies a rate-limit to packets that match the criteria configured here. These packets could be incoming, outgoing, or both. The match criteria options are: app-category and application.

app-category [<APP-CATEGORY-NAME>|all]
Uses application category as the match criteria
• <APP-CATEGORY-NAME> – Specify the application category. The options are: antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and web. Each packet’s app-category is matched with the value specified here. In case of a match, the system rate-limits the packet.
• all – The system rate-limits all packets irrespective of the application category.

application <APPLICATION-NAME>
Uses application name as the match criteria
• <APPLICATION-NAME> – Specify the application name. Each packet’s application is matched with the application name specified here. In case of a match, the system rate-limits the packet.

[egress|ingress]
The egress and ingress parameters are recursive and can be used to rate limit either incoming, outgoing, or both incoming and outgoing traffic.
• egress – Selects the traffic type as outgoing
• ingress – Selects the traffic type as incoming
After selecting the traffic type (incoming/outgoing), configure the rate and maximum burst size.

rate <50-1000000>
The following parameters are common to the ‘egress’ and ‘ingress’ keywords:
• rate – Configures the rate limit, in Kbps, for both incoming and outgoing packets
• <50-1000000> – Specify the rate limit from 50 - 1000000 Kbps.

max-burst-size
The following parameters are common to the ‘egress’ and ‘ingress’ keywords:
• max-burst-size – Configures the maximum burst size, in Kbytes, for both incoming and outgoing packets
• <2-1024> – Specify the maximum burst size from 2 - 1024 Kbytes.
schedule <SCHEDULE-POLICY-NAME>
Schedules an enforcement time for this rate-limit rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time.
• schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy’s enforcement time. In other words, the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times, the best practice is to keep the application policy active at all times (i.e., retain the default enforcement-time setting as ‘all’).
• <SCHEDULE-POLICY-NAME> – Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule.
If no schedule policy is applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.

precedence <1-256>
Assigns a precedence value for this rate-limit rule. The precedence value differentiates between rules applicable to applications and the application categories they belong to. The allow, deny, mark, rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule.
Let us consider application youtube belonging to app-category streaming.
The action required is: Allow youtube packets and deny all other applications belonging to app-category streaming.
The rules can be defined as:
#allow application youtube precedence 1
#deny app-category streaming precedence 2
The following configuration is incorrect:
#deny app-category streaming precedence 1
#allow application youtube precedence 2
Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule.
The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.
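The schedule parameter of the mark and rate-limit rules requires the schedule policy's window to be a subset of the application policy's enforcement time. The following is an added example, not part of the guide or of WiNG, that checks this offline. Schedule-policy syntax is not shown in this section, so schedule windows are passed in as arguments; the function names, the weekdays/weekends day sets and the no-midnight-crossing rule are assumptions.

```python
import re

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
GROUPS = {
    "all": set(DAYS),
    "weekdays": set(DAYS[:5]),   # assumption: Monday to Friday
    "weekends": set(DAYS[5:]),   # assumption: Saturday and Sunday
}
ENF_RE = re.compile(
    r"enforcement-time days (\w+)(?: start-time (\d{1,2}:\d\d) end-time (\d{1,2}:\d\d))?"
)


def to_minutes(hhmm):
    """Convert an HH:MM string to minutes after midnight."""
    hours, mins = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours <= 23 and 0 <= mins <= 59):
        raise ValueError(f"not a valid HH:MM time: {hhmm}")
    return hours * 60 + mins


def make_window(day_keyword, start=None, end=None):
    """Return (days, start_minute, end_minute); omitted times mean the whole day."""
    if day_keyword in GROUPS:
        days = GROUPS[day_keyword]
    elif day_keyword in DAYS:
        days = {day_keyword}
    else:
        raise ValueError(f"unknown day keyword: {day_keyword}")
    begin = to_minutes(start) if start else 0
    finish = to_minutes(end) if end else 24 * 60
    if finish <= begin:
        # The guide does not say how a window crossing midnight behaves.
        raise ValueError("end-time must be later than start-time in this model")
    return days, begin, finish


def parse_enforcement(context_text):
    """Enforcement window from 'show context' text; the documented default is all days."""
    found = ENF_RE.search(context_text)
    return make_window(*found.groups()) if found else make_window("all")


def classify(policy, schedule):
    """Relate a scheduled rule's window to the policy's enforcement window."""
    p_days, p_start, p_end = policy
    s_days, s_start, s_end = schedule
    if not (p_days & s_days) or min(p_end, s_end) <= max(p_start, s_start):
        return "never-hit"   # windows do not intersect: the rule is dead
    if s_days <= p_days and p_start <= s_start and s_end <= p_end:
        return "subset"      # what the guide asks for
    return "partial"         # rule is inactive for part of its own schedule


# 'show context' lines quoted from the enforcement-time example in this guide.
BING_CONTEXT = """application-policy Bing
 enforcement-time days weekdays start-time 10:30 end-time 20:00
 allow application Bing precedence 1
"""

if __name__ == "__main__":
    # The guide's own case: policy on Mondays 10:00-22:00, schedule on Fridays.
    print(classify(make_window("monday", "10:00", "22:00"), make_window("friday")))
    policy = parse_enforcement(BING_CONTEXT)
    # Constructed schedule windows to show the other two outcomes.
    print(classify(policy, make_window("weekdays", "09:00", "17:00")))
    print(classify(policy, make_window("tuesday", "12:00", "13:00")))
```

A "partial" result is the case worth reviewing: the rule looks scheduled but is not enforced for the part of its window that falls outside the policy's enforcement time.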
Example
nx9500-6C8809(config-app-policy-Bing)#rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 description "This application policy allows Bing search engine packets"
 enforcement-time days weekdays start-time 12:30 end-time 20:00
 allow application Bing precedence 1
 allow app-category business precedence 2
 deny app-category "social networking" precedence 3
 mark app-category video dscp 9 precedence 4
 mark application facetime dscp 10 precedence 5
 rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6
 logging level critical
nx9500-6C8809(config-app-policy-Bing)#

Related Commands
no    Removes this rate-limit rule from the application policy
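The precedence descriptions for the mark and rate-limit rules explain that a category-level deny with a lower precedence number pre-empts a later application-level allow, and that allow, deny and mark/rate-limit are mutually exclusive per target. The following is an added example, not part of the guide or of WiNG, that audits saved show context output for both problems. The function names are hypothetical, the application-to-category map holds only the youtube/streaming pair given in the guide, and first-match evaluation of allow/deny rules is assumed from the youtube example.

```python
import shlex

# Assumption: application -> app-category membership. Only youtube -> streaming
# is given in the guide; on a device the application database is the source.
APP_CATEGORY = {"youtube": "streaming"}
ACTIONS = ("allow", "deny", "mark", "rate-limit")


def parse_rules(context_text):
    """Return sorted (precedence, action, kind, name) tuples from policy lines."""
    rules = []
    for line in context_text.splitlines():
        try:
            # shlex handles both "social networking" and social\ networking
            tok = shlex.split(line.strip().lstrip("#"))
            prec = int(tok[tok.index("precedence") + 1])
        except (ValueError, IndexError):
            continue  # prompt, description, logging or blank line
        if tok[0] in ACTIONS and tok[1] in ("app-category", "application"):
            rules.append((prec, tok[0], tok[1], tok[2].lower()))
    return sorted(rules)  # lowest precedence value is evaluated first


def matches(rule, app):
    """True if the rule's target covers the given application."""
    _, _, kind, name = rule
    if kind == "application":
        return name == app
    return name == "all" or name == APP_CATEGORY.get(app)


def first_match(rules, app):
    """The allow/deny rule that decides traffic for app, or None."""
    for rule in rules:
        if rule[1] in ("allow", "deny") and matches(rule, app):
            return rule
    return None


def shadowed_rules(rules):
    """Application-level allow/deny rules that an earlier rule always pre-empts."""
    found = []
    for rule in rules:
        if rule[2] == "application" and rule[1] in ("allow", "deny"):
            winner = first_match(rules, rule[3])
            if winner is not rule:
                found.append((rule, winner))
    return found


def exclusivity_conflicts(rules):
    """Targets whose action set breaks the allow | deny | mark+rate-limit rule."""
    by_target = {}
    for _, action, kind, name in rules:
        by_target.setdefault((kind, name), set()).add(action)
    return {target: acts for target, acts in by_target.items()
            if acts not in ({"allow"}, {"deny"}) and not acts <= {"mark", "rate-limit"}}


# The two orderings quoted from the guide's precedence description.
CORRECT = "#allow application youtube precedence 1\n#deny app-category streaming precedence 2\n"
INCORRECT = "#deny app-category streaming precedence 1\n#allow application youtube precedence 2\n"

# Policy body quoted from the rate-limit example in this guide.
PAGE_CONTEXT = """application-policy Bing
 allow application Bing precedence 1
 allow app-category business precedence 2
 deny app-category "social networking" precedence 3
 mark app-category video dscp 9 precedence 4
 mark application facetime dscp 10 precedence 5
 rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6
"""

# Constructed sample: the same application carries both allow and rate-limit.
CONSTRUCTED_CONFLICT = """allow application BGP precedence 1
rate-limit application BGP ingress rate 100 max-burst-size 25 precedence 6
"""

if __name__ == "__main__":
    for label, text in [("correct", CORRECT), ("incorrect", INCORRECT)]:
        print(label, "shadowed:", shadowed_rules(parse_rules(text)))
    print("page policy conflicts:", exclusivity_conflicts(parse_rules(PAGE_CONTEXT)))
    print("constructed conflicts:", exclusivity_conflicts(parse_rules(CONSTRUCTED_CONFLICT)))
```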
4.1.24.2.8 no

application-policy-mode commands

Removes or resets this application policy’s settings

Supported in the following platforms:
• Access Points — AP7522, AP7532
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [allow|deny|description|enforcement-time|logging|mark|rate-limit]
no allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] precedence <1-256>
no deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] precedence <1-256>
no description
no enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays]
no logging [level|on]
no mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] precedence <1-256>
no rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] precedence <0-256>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes or resets this application policy’s settings based on the parameters passed

Example
The following example shows the application policy ‘Bing’ settings before the ‘no’ commands are executed:
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 description "This application policy allows Bing search engine packets"
 enforcement-time days weekdays start-time 12:30 end-time 20:00
 allow application Bing precedence 1
 allow app-category business precedence 2
 deny app-category "social networking" precedence 3
 mark app-category video dscp 9 precedence 4
 mark application facetime dscp 10 precedence 5
 rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6
 logging level critical
nx9500-6C8809(config-app-policy-Bing)#
nx9500-6C8809(config-app-policy-Bing)#no allow app-category business precedence 2
nx9500-6C8809(config-app-policy-Bing)#no deny app-category social\ networking precedence 3
The following example shows the application policy ‘Bing’ settings after the ‘no’ commands are executed:
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 description "This application policy allows Bing search engine packets"
 enforcement-time days weekdays start-time 12:30 end-time 20:00
 allow application Bing precedence 1
 mark app-category video dscp 9 precedence 4
 mark application facetime dscp 10 precedence 5
 rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6
 logging level critical
nx9500-6C8809(config-app-policy-Bing)#
4.1.25 association-acl-policy

Global Configuration Commands

Configures an association ACL policy. This policy defines a list of devices allowed or denied access to the network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
association-acl-policy <ASSOCIATION-ACL-POLICY-NAME>

Parameters
• association-acl-policy <ASSOCIATION-ACL-POLICY-NAME>

<ASSOCIATION-ACL-POLICY-NAME>
Specify the association ACL policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#association-acl-policy test
rfs6000-81742D(config-assoc-acl-test)#?
Association ACL Mode commands:
  deny     Specify MAC addresses to be denied
  no       Negate a command or set its defaults
  permit   Specify MAC addresses to be permitted
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-81742D(config-assoc-acl-test)#

Related Commands
no    Resets values or disables commands

NOTE: For more information on the association-acl-policy, see Chapter 10, ASSOCIATION-ACL-POLICY.
4.1.26 auto-provisioning-policy

Global Configuration Commands

Configures an auto provisioning policy. This policy configures the automatic provisioning of device adoption. The policy configures how an AP is adopted based on its type.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
auto-provisioning-policy <AUTO-PROVISIONING-POLICY-NAME>

Parameters
• auto-provisioning-policy <AUTO-PROVISIONING-POLICY-NAME>

<AUTO-PROVISIONING-POLICY-NAME>
Specify the auto provisioning policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#auto-provisioning-policy test
rfs6000-81742D(config-auto-provisioning-policy-test)#?
Auto-Provisioning Policy Mode commands:
  Auto-Provisioning Policy Mode commands:
  adopt                     Add rule for device adoption
  auto-create-rfd-template  When RF Domain specified by the matching rule
                            template does not exist create new RF Domain
                            automatically
  default-adoption          Adopt devices even when no matching rules are
                            found.  Assign default profile and default
                            rf-domain
  deny                      Add rule to deny device adoption
  evaluate-always           Set the flag to evaluate the policy everytime,
                            regardless of previous adoption status
  no                        Negate a command or set its defaults
  redirect                  Add rule to redirect device adoption
  upgrade                   Add rule for device upgrade
  clrscr                    Clears the display screen
  commit                    Commit all changes made in this session
  do                        Run commands from Exec mode
  end                       End current mode and change to EXEC mode
  exit                      End current mode and down to previous mode
  help                      Description of the interactive help system
  revert                    Revert changes
  service                   Service Commands
  show                      Show running system information
  write                     Write running configuration to memory or terminal
rfs6000-81742D(config-auto-provisioning-policy-test)#

Related Commands
no    Removes an existing Auto Provisioning policy
NOTE: For more information on the auto-provisioning-policy, see Chapter 9, AUTO-PROVISIONING-POLICY.
4.1.27 bgp

Global Configuration Commands

Configures Border Gateway Protocol (BGP) settings

BGP is an inter-ISP routing protocol which establishes routing between Internet Service Providers (ISPs). ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP makes routing decisions based on paths, network policies and/or rules configured by network administrators. The primary role of a BGP system is to exchange network reachability information with other BGP peers. This information includes information on AS that the reachability information traverses. This information is sufficient to create a graph of AS connectivity from which routing decisions can be created and rules enforced.

An AS is a set of routers under the same administration that use Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. AS uses inter-AS routing to route packets to other ASs. For an external AS, an AS appears to have a single coherent interior routing plan and presents a consistent picture of the destinations reachable through it.

Routing information exchanged through BGP supports only destination based forwarding (it assumes a router forwards packets based on the destination address carried in the IP header of the packet).

BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgment, and sequencing. BGP listens on TCP port 179. The error notification mechanism used in BGP assumes that TCP supports a graceful close (all outstanding data is delivered before the connection is closed).

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-list] <LIST-NAME>

Parameters
• bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-list] <LIST-NAME>

as-path-list <LIST-NAME>
Creates an AS path list and enters its configuration mode
• <LIST-NAME> – Provide the AS-PATH-LIST name.

community-list <LIST-NAME>
Creates a community list and enters its configuration mode
• <LIST-NAME> – Provide the COMMUNITY-LIST name.

extcommunity-list <LIST-NAME>
Creates an extended community list and enters its configuration mode
• <LIST-NAME> – Provide the EXTCOMMUNITY-LIST name.

ip-access-list <LIST-NAME>
Creates a BGP IP access list and enters its configuration mode
• <LIST-NAME> – Provide the BGP IP-ACCESS-LIST name.

ip-prefix-list <LIST-NAME>
Creates a BGP IP prefix list and enters its configuration mode
• <LIST-NAME> – Provide the BGP IP-PREFIX-LIST name.
Example
nx9500-6C8809(config)#bgp ?
  as-path-list       BGP AS path list Configuration
  community-list     Add a community list entry
  extcommunity-list  Add a extended community list entry (EXPERIMENTAL)
  ip-access-list     Add an access list entry
  ip-prefix-list     Build a prefix list
nx9500-6C8809(config)#
nx9500-6C8809(config)#bgp as-path-list AS-TEST-PATH
nx9500-6C8809(config-bgp-as-path-list-AS-TEST-PATH)#?
BGP AS Path List Mode commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
nx9500-6C8809(config-bgp-as-path-list-AS-TEST-PATH)#

Related Commands
no    Modifies BGP settings, based on the parameters passed

NOTE: For more information on configuring BGP Top-Level Objects (TLOs), see Chapter 28, BORDER GATEWAY PROTOCOL.
4.1.28 bonjour-gateway-discovery-policy

Global Configuration Commands

The following table lists the commands that allow you to create a Bonjour Gateway Discovery Policy:

Table 4.8 Bonjour-Gateway-Discovery Config Commands

Command | Description | Reference
bonjour-gw-discovery-policy | Creates a Bonjour Gateway Discovery policy and enters its configuration mode | page 4-84
bonjour-gateway-discovery-policy-mode commands | Summarizes Bonjour Gateway Discovery policy configuration mode commands | page 4-86
4.1.28.1 bonjour-gw-discovery-policy

bonjour-gateway-discovery-policy

Bonjour is Apple’s zero-configuration networking (Zeroconf) implementation. Bonjour enables automatic IP address assignment, name to address resolution, and service discovery without having to configure a DHCP server, DNS server, and Directory server. When configured and applied on a WLAN, the Bonjour Gateway Discovery policy queries for and locates Bonjour devices (printers, computers, file-sharing servers, etc.) and services these computers provide over a local network. Bonjour works only within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.

Use this command to configure a Bonjour GW Discovery policy. The policy defines a list of services clients can discover across subnets. A maximum of 8 (eight) policies can be created on access points, wireless controllers, or service platforms.

When configured and applied, this feature enables discovery of Bonjour services on local and/or tunneled VLANs.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bonjour-gw-discovery-policy <POLICY-NAME>

Parameters
• bonjour-gw-discovery-policy <POLICY-NAME>

<POLICY-NAME>
Specify the Bonjour GW Discovery policy name. If the policy does not exist, it is created.
In the Bonjour GW Discovery policy configuration mode, use the allow-service keyword to configure the services that the Bonjour gateway is allowed to discover. A maximum of 16 (sixteen) service rules can be created. Optionally, you can restrict this facility for users on specific VLANs. To do so, specify the VLAN IDs.
Execute the bonjour-gw-forwarding-policy command to enable forwarding of Bonjour service responses across VLANs.
To associate a Bonjour GW Discovery policy with a WLAN, in the WLAN configuration mode, execute the following command: use > bonjour-gw-discovery-policy > <POLICY-NAME>. For more information, see use.
To associate a Bonjour GW Discovery policy with a VLAN, in the interface VLAN configuration mode, execute the following command: use > bonjour-gw-discovery-policy > <POLICY-NAME>. For more information, see use.
To associate a Bonjour GW Discovery policy with a user role, in the role-policy - user-role - configuration mode, execute the following command: use > bonjour-gw-discovery-policy > <POLICY-NAME>. For more information, see use.
GLOBAL CONFIGURATION COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 85Examplerfs6000-81742D(config)#bonjour-gw-discovery-policy TestPolicyrfs6000-81742D(config-bonjour-gw-discovery-policy-TestPolicy)#? commands:  allow-service  Allow Bonjour Service on local or tunneled vlan,Optionally                 VLAN IDs can be given so service will be discovered for those                 vlan only  no             Negate a command or set its defaults  clrscr         Clears the display screen  commit         Commit all changes made in this session  do             Run commands from Exec mode  end            End current mode and change to EXEC mode  exit           End current mode and down to previous mode  help           Description of the interactive help system  revert         Revert changes  service        Service Commands  show           Show running system information  write          Write running configuration to memory or terminalrfs6000-81742D(config-bonjour-gw-discovery-policy-TestPolicy)#Related Commandsno Removes an existing Bonjour GW Discovery policy

4.1.28.2 bonjour-gateway-discovery-policy-mode commands

The following table summarizes the Bonjour Gateway Discovery Policy configuration mode commands:

Table 4.9 Bonjour-Gateway-Discovery-Policy-Mode Commands
Command – Description (Reference)
allow-service – Configures the Bonjour Services that can be discovered on Local or Tunneled VLANs. It configures the local VLANs on which these services can be found. (page 4-87)
no – Removes or modifies the Bonjour Gateway Discovery policy settings (page 4-89)

4.1.28.2.1 allow-service

Enables discovery of Bonjour devices and the services they provide on Local or Tunneled VLANs

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
allow-service <BONJOUR-SERVICE-NAME> [local|tunneled]
allow-service <BONJOUR-SERVICE-NAME> local {instance-name contains <WORD>} ({service-vlans <WORD>})
allow-service <BONJOUR-SERVICE-NAME> tunneled {instance-name contains <WORD>}

Parameters
• allow-service <BONJOUR-SERVICE-NAME> local {instance-name contains <WORD>} ({service-vlans <WORD>})

allow-service <BONJOUR-SERVICE-NAME> – Configures the services that can be discovered by the Bonjour gateway, and the VLANs on which the selected services can be discovered.
• <BONJOUR-SERVICE-NAME> – You can either select the Bonjour services from a set of system-provided, pre-defined Apple services, or use an existing alias to define a service not available in the predefined list.
The predefined Apple services available are: Afp, AirPlay, AirPort, AirPrint, AirTunes, AppleTimeMachine, Chromecast, Daap, HomeSharing, Printer, and Scanner.
Use the <WORD> keyword to define a service not included in the system-provided, pre-defined list. Ensure this device is registered with the Multicast DNS Responder (mDNSResponder).

local – Select to enable the discovery of the selected Bonjour Services on the local VLAN

instance-name contains <WORD> – Optional. Specifies the selected Bonjour service’s instance name. When specified, the Bonjour service discovery queries contain the instance name of the service to be discovered.
This option is especially useful in large, distributed enterprise networks. Use it to create different instances of a Bonjour service for the different organizations or departments (VLANs) within your network. Creating instances allows you to advertise specific service instances for a specific set of VLANs, instead of advertising top-level Bonjour Services to various allocated VLAN(s).
• contains <WORD> – Specify the instance name. You can either directly specify the string value to be used as a match criterion, or use a string alias (for example, $BONJOUR-STRING) to identify the string to match. If using a string alias, ensure that it exists and is configured. For information on configuring a string alias, see alias.

service-vlans <WORD> – Optional. Configures a VLAN or a list of VLANs on which the selected service is discoverable. When specified, Bonjour discovery queries are delivered to all clients on the specified VLANs. Applicable only if enabling Bonjour Services discovery on local VLANs.

• allow-service <BONJOUR-SERVICE-NAME> tunneled {instance-name contains <WORD>}

allow-service <BONJOUR-SERVICE-NAME> – Configures the services that can be discovered by the Bonjour gateway, and the VLANs on which the selected services can be discovered.
• <BONJOUR-SERVICE-NAME> – You can either select the Bonjour Services from a set of system-provided, pre-defined Apple services, or use an existing alias to define a service not available in the predefined list.
The predefined Apple services available are: Afp, AirPlay, AirPort, AirPrint, AirTunes, AppleTimeMachine, Chromecast, Daap, HomeSharing, Printer, and Scanner.
Use the <WORD> keyword to define a service not included in the system-provided, predefined list.

tunneled – Select to enable the discovery of the selected Bonjour Services on tunneled VLANs

instance-name contains <WORD> – Optional. Adds a Bonjour Service instance name. If you have a large enterprise network, use this option to create different Bonjour Service instances for the different organizations or departments (VLANs) within your network. Creating instances allows you to advertise specific service instances for a specific set of VLANs, instead of advertising top-level Bonjour Services to various allocated VLAN(s).
• contains <WORD> – Specify the sub-string to match. You can either directly specify the string value to be used as a match criterion, or use a string alias (for example, $BONJOUR-STRING) to identify the string to match. If using a string alias, ensure that it exists and is configured. For information on configuring aliases, see alias.

Example
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#allow-service Afp local
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#allow-service Printer local instance-name contains $Bonjour_Service service-vlans 1,2
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context
bonjour-gw-discovery-policy test
 allow-service Printer local service-vlans 1-2 instance-name contains $Bonjour_Service
 allow-service Afp local
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#

The following example configures the string alias named $Bonjour_Service:

nx9500-6C8809(config)#alias string $Bonjour_Service admin
nx9500-6C8809(config)#commit
nx9500-6C8809(config)#show context include-factory | include alias string
alias string $Bonjour_Service admin
nx9500-6C8809(config)#

Related Commands
no – Removes or modifies this Bonjour Gateway Discovery policy’s settings

4.1.28.2.2 no

Removes or modifies the Bonjour Gateway Discovery policy settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no allow-service <BONJOUR-SERVICE-NAME> [local|tunneled] {service-vlans <WORD>}

Parameters
• no allow-service <BONJOUR-SERVICE-NAME> [local|tunneled] {service-vlans <WORD>}

no <parameters> – Removes allow-service rules in the selected Bonjour GW Discovery policy, based on the parameters passed

Example
The following example shows the Bonjour GW Discovery policy ‘test’ settings before the ‘no’ command is executed:

nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context
bonjour-gw-discovery-policy test
 allow-service Printer local service-vlans 1-2 instance-name contains $Bonjour_Service
 allow-service Afp local
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#
nx9500-6C8809(config-bonjour-gw-discovery-policy-test1)#no allow-service Afp local

The following example shows the Bonjour GW Discovery policy ‘test’ settings after the ‘no’ command was executed:

nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context
bonjour-gw-discovery-policy test
 allow-service Printer local service-vlans 1-2 instance-name contains $Bonjour_Service
nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#
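
The allow-service rules described above decide which Bonjour services become discoverable on which VLANs, so the following added example (not part of the WiNG guide or of Extreme Networks' software) parses the show context output of a discovery policy and lists rules for review. The function names, finding texts and the last two sample rules are assumptions made for illustration; the 16-rule limit and the predefined service names are taken from this section.

```python
import re

# Predefined service names listed in the allow-service parameter description.
PREDEFINED = {"Afp", "AirPlay", "AirPort", "AirPrint", "AirTunes",
              "AppleTimeMachine", "Chromecast", "Daap", "HomeSharing",
              "Printer", "Scanner"}
MAX_RULES = 16  # documented maximum of service rules per discovery policy

RULE_RE = re.compile(r"allow-service\s+(\S+)\s+(local|tunneled)\b(.*)")


def expand_vlans(spec):
    """Expand a VLAN list such as '10-20, 25, 30-35' into sorted VLAN IDs."""
    vlans = set()
    for token in filter(None, (t.strip() for t in spec.split(","))):
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", token)
        if not m:
            raise ValueError(f"unparseable VLAN token: {token!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 1 <= low <= high <= 4094:  # usable 802.1Q VLAN ID range
            raise ValueError(f"VLAN range out of bounds: {token!r}")
        vlans.update(range(low, high + 1))
    return sorted(vlans)


def parse_policy(show_context):
    """Return (policy_name, rules) from the show context output of a policy."""
    name, rules = None, []
    for raw in show_context.splitlines():
        line = raw.strip()
        if line.startswith("bonjour-gw-discovery-policy "):
            name = line.split(None, 1)[1]
            continue
        m = RULE_RE.fullmatch(line)
        if not m:
            continue  # prompts, blank lines, unrelated commands
        service, scope, rest = m.groups()
        # show context prints service-vlans before instance-name, while the
        # command syntax lists them the other way round; accept either order.
        vl = re.search(r"service-vlans\s+(.+?)(?=\s+instance-name\b|$)", rest)
        inst = re.search(r"instance-name\s+contains\s+(\S+)", rest)
        rules.append({
            "service": service,
            "scope": scope,
            "vlans": expand_vlans(vl.group(1)) if vl else [],
            "instance": inst.group(1) if inst else None,
        })
    return name, rules


def audit(rules):
    """Return (service, finding) pairs that deserve a reviewer's attention."""
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(("*", f"{len(rules)} rules exceed the maximum of {MAX_RULES}"))
    for r in rules:
        if r["scope"] == "local" and not r["vlans"]:
            findings.append((r["service"], "local rule has no service-vlans restriction"))
        if r["scope"] == "tunneled" and r["vlans"]:
            findings.append((r["service"], "service-vlans applies only to local rules"))
        if r["instance"] is None:
            findings.append((r["service"], "no instance-name match configured"))
        if r["service"] not in PREDEFINED:
            findings.append((r["service"], "not a predefined service name (alias or custom)"))
    return findings


def services_by_vlan(rules):
    """Map each explicitly listed VLAN ID to the services discoverable on it."""
    table = {}
    for r in rules:
        for vlan in r["vlans"]:
            table.setdefault(vlan, set()).add(r["service"])
    return {vlan: sorted(names) for vlan, names in sorted(table.items())}


# The first three lines are the show context output from this section; the
# last two rules are constructed for illustration.
SAMPLE = """\
bonjour-gw-discovery-policy test
 allow-service Printer local service-vlans 1-2 instance-name contains $Bonjour_Service
 allow-service Afp local
 allow-service AirPlay local instance-name contains Lobby service-vlans 10-12, 20
 allow-service $CustomSvc tunneled
"""

if __name__ == "__main__":
    policy, parsed = parse_policy(SAMPLE)
    print("policy:", policy)
    for service, finding in audit(parsed):
        print(f"  {service}: {finding}")
    print("VLAN map:", services_by_vlan(parsed))
```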

4.1.29 bonjour-gw-forwarding-policy

Configures a Bonjour GW Forwarding policy. When configured and applied on the controller, the policy defines the service VLANs (the VLANs on which Bonjour services are running) and client VLANs where clients are present. All Bonjour responses from service VLANs are forwarded to client VLANs. A maximum of 2 (two) policies can be created on a wireless controller or service platform, and only 1 (one) policy can be created on an access point.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bonjour-gw-forwarding-policy <POLICY-NAME>

Parameters
• bonjour-gw-forwarding-policy <POLICY-NAME>

<POLICY-NAME> – Specify the Bonjour GW Forwarding policy name. If the policy does not exist, it is created.

To receive Bonjour service responses from specific VLANs, specify the VLAN IDs. In the Bonjour GW Forwarding policy configuration mode, provide a list of VLAN IDs from which Bonjour responses can be received (format: 10-20, 25, 30-35). Then specify the list of client VLANs that can access Bonjour services.

Execute the bonjour-gw-discovery-policy command to define the Bonjour services allowed on local and tunneled VLANs.

To associate a Bonjour GW Forwarding policy with a device or profile, in the profile/device configuration mode, execute the use > bonjour-gw-forwarding-policy > <POLICY-NAME> command. For more information, see use.

Example
rfs6000-81742D(config)#bonjour-gw-forwarding-policy TestPolicy
rfs6000-81742D(config-bonjour-gw-forwarding-policy-TestPolicy)#?
 commands:
  forward-bonjour-response  Forwards bonjour service response across vlans
  no                        Negate a command or set its defaults
  clrscr                    Clears the display screen
  commit                    Commit all changes made in this session
  do                        Run commands from Exec mode
  end                       End current mode and change to EXEC mode
  exit                      End current mode and down to previous mode
  help                      Description of the interactive help system
  revert                    Revert changes
  service                   Service Commands
  show                      Show running system information
  write                     Write running configuration to memory or terminal
rfs6000-81742D(config-bonjour-gw-forwarding-policy-TestPolicy)#

Related Commands
no – Removes an existing Bonjour GW Forwarding policy

4.1.30 bonjour-gw-query-forwarding-policy

Configures a Bonjour GW Query Forwarding policy and enters its configuration mode. When created and applied, this policy enables forwarding of Bonjour queries across VLANs.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bonjour-gw-query-forwarding-policy <POLICY-NAME>

Parameters
• bonjour-gw-query-forwarding-policy <POLICY-NAME>

<POLICY-NAME> – Specify the Bonjour GW Query Forwarding policy name. If the policy does not exist, it is created.

In the Bonjour GW Query Forwarding policy configuration mode, specify the ‘from’ and ‘to’ VLAN(s). The from-vlans option configures the VLAN(s) that are the source of the Bonjour queries. The to-vlans option configures the destination VLAN(s) that can access the Bonjour queries.

To associate a Bonjour GW Query Forwarding policy with a device or profile, in the profile/device configuration mode, execute the use > bonjour-gw-query-forwarding-policy > <POLICY-NAME> command. For more information, see use.

Example
rfs6000-81742D(config)#bonjour-gw-query-forwarding-policy TestPolicy
rfs6000-81742D(config-bonjour-gw-query-forwarding-policy-test)#?
(config-bonjour-gw-query-forwarding-policy) commands:
  forward-bonjour-query  Forwards bonjour query across vlans
  no                     Negate a command or set its defaults
  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal
rfs6000-81742D(config-bonjour-gw-query-forwarding-policy-test)#

Related Commands
no – Removes an existing Bonjour GW Query Forwarding policy

4.1.31 captive portal

The following table lists the commands that enable you to create a new captive portal policy and enter its configuration mode:

Table 4.10 Captive-Portal Config Commands
Command – Description (Reference)
captive-portal – Creates a new captive portal and enters its configuration mode (page 4-94)
captive-portal-mode commands – Summarizes captive portal configuration commands (page 4-96)

4.1.31.1 captive-portal

Configures a captive portal policy and enters its configuration mode. Once created and configured, use the captive portal policy in the WLAN context, and in the device/profile contexts of the access point or controller hosting the captive portal server.

A captive portal provides secure access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the wireless network. Once logged into the captive portal, additional Acknowledgment, Agreement, Welcome, No Service, and Fail pages provide the administrator options to customize the screen flow and user appearance.

Captive portals are recommended for providing guests or visitors authenticated access to network resources when 802.1X EAP is not a viable option. Captive portal authentication does not provide end-user data encryption, but it can be used with static WEP, WPA-PSK or WPA2-PSK encryption.

Authentication for captive portal access requests is performed using a username and password pair, authenticated by an integrated RADIUS server. Authentication for private network access is conducted either locally on the requesting wireless client, or centrally at a data center.

Captive portals use a Web provisioning tool to create guest user accounts directly on the controller, service platform, or access point. The connection medium defined for the Web connection is either HTTP or HTTPS. Both HTTP and HTTPS use a request and response procedure to disseminate information to and from requesting wireless clients.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
captive-portal <CAPTIVE-PORTAL-NAME>

Parameters
• captive-portal <CAPTIVE-PORTAL-NAME>

<CAPTIVE-PORTAL-NAME> – Specify the captive portal name. If a captive portal with the specified name does not exist, it is created.

Example
rfs6000-81742D(config)#captive-portal test
rfs6000-81742D(config-captive-portal-test)#?
Captive Portal Mode commands:
  access-time                 Allowed access time for the client. Used when
                              there is no session time in radius response
  access-type                 Access type of this captive portal
  accounting                  Configure how accounting records are created for
                              this captive portal policy
  bypass                      Bypass captive portal
  connection-mode             Connection mode for this captive portal
  custom-auth                 Custom user information
  data-limit                  Enforce data limit for clients
  inactivity-timeout          Inactivity timeout in seconds. If a frame is not
                              received from client for this amount of time,
                              then current session will be removed
  ipv6                        Internet Protocol version 6 (IPv6)
  localization                Configure the FQDN address to get the
                              localization parameters for the client
  logout-fqdn                 Configure the FQDN address to logout the session
                              from client
  no                          Negate a command or set its defaults
  oauth                       OAuth 2.0 authentication configuration
  php-helper                  Configure the captive portal to use a server for
                              help with php
  post-authentication-vlan    Configure post authentication vlan for captive
                              portal users
  radius-vlan-assignment      Enable radius vlan assignment for captive portal
                              users
  redirection                 Configure connection redirection parameters
  report-loyalty-application  Report customer loyalty application presence in
                              clients
  server                      Configure captive portal server parameters
  simultaneous-users          Particular username can only be used by a
                              certain number of MAC addresses at a time
  terms-agreement             User needs to agree for terms and conditions
  use                         Set setting to use
  webpage                     Configure captive portal webpage parameters
  webpage-auto-upload         Enable automatic upload of internal and advanced
                              webpages
  webpage-location            The location of the webpages to be used for
                              authentication. These pages can either be hosted
                              on the system or on an external web server.
  welcome-back                Welcome back page settings
  clrscr                      Clears the display screen
  commit                      Commit all changes made in this session
  do                          Run commands from Exec mode
  end                         End current mode and change to EXEC mode
  exit                        End current mode and down to previous mode
  help                        Description of the interactive help system
  revert                      Revert changes
  service                     Service Commands
  show                        Show running system information
  write                       Write running configuration to memory or
                              terminal
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no – Removes an existing captive portal

4.1.31.2 captive-portal-mode commands

The following table summarizes captive portal configuration mode commands:

Table 4.11 Captive-Portal-Mode Commands
Command – Description (Reference)
access-time – Defines a client’s access time. It is used when no session time is defined in the RADIUS response. (page 4-98)
access-type – Configures a captive portal’s access type (page 4-99)
accounting – Enables a captive portal’s accounting records (page 4-100)
bypass – Enables bypassing of captive portal detection requests from wireless clients (page 4-102)
connection-mode – Configures a captive portal’s connection mode (page 4-103)
custom-auth – Configures custom user information (page 4-104)
data-limit – Enforces data limit on captive portal clients (page 4-105)
inactivity-timeout – Defines an inactivity timeout in seconds (page 4-106)
ipv6 – Configures the IPv6 address of the internal captive portal server (page 4-107)
localization – Configures an FQDN address string that enables the client to receive localization parameters. This command also allows the configuration of a response message. (page 4-108)
logout-fqdn – Clears the logout FQDN address (page 4-110)
no – Reverts the selected captive portal’s settings to default (page 4-111)
oauth – Enables OAuth-based authentication support on the captive portal. When enabled, OAuth allows captive-portal users to sign in to guest WLANs using their Facebook or Google credentials. (page 4-113)
php-helper – Configures a PHP helper to serve the captive portal’s PHP splash pages to guest users using social media to log in to the captive portal. (page 4-115)
post-authentication-vlan – Assigns a post authentication RADIUS VLAN for this captive portal’s users (page 4-117)
radius-vlan-assignment – Assigns a RADIUS VLAN for this captive portal (page 4-118)
redirection – Enables redirection of client connections to specified destination ports (page 4-119)
report-loyalty-application – Enables detection of captive portal client’s loyalty application presence and stores this information in the captive portal’s user database (page 4-120)
server – Configures the captive portal server settings (page 4-121)
simultaneous-users – Specifies a username used by a MAC address pool (page 4-123)
terms-agreement – Requires the user to agree to terms and conditions (included in login page) for captive portal access (page 4-124)
use – Associates a AAA policy and a DNS whitelist with a captive portal (page 4-125)
webpage – Configures captive portal Web page settings (page 4-127)
webpage-auto-upload – Enables automatic upload of advanced Web pages on a captive portal (page 4-135)
webpage-location – Specifies the location of Web pages used for captive portal authentication (page 4-136)
welcome-back – Enables the provision of direct Internet access to once-registered, captive-portal guest users on subsequent log-ins (page 4-137)
configuring device registration with dynamic VLAN assignment – Documents configuration details required to enable device registration with dynamic VLAN assignment in a multi-vendor environment (page 4-139)
configuring WeChat Wi-Fi hotspot support in WiNG captive portal – Documents configuration details required to support the WeChat WiFi hotspot, so that WeChat users, on their first connection to a WiNG access point, can automatically authenticate with the WeChat server through an intermediate server (page 4-141)
configuring ExtremeGuest captive-portal – Documents the basic configurations required to deploy an ExtremeGuest setup (page 4-143)

4.1.31.2.1 access-time

Defines the permitted access time for a client. It is used when no session time is defined in the RADIUS response.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
access-time <10-10080>

Parameters
• access-time <10-10080>

access-time <10-10080> – Defines the duration wireless clients are allowed access to the Internet using this captive portal policy
• <10-10080> – Specify a value from 10 - 10080 minutes. The default is 1440 minutes.

Example
rfs6000-81742D(config-captive-portal-test)#access-time 35
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no – Reverts to the default permitted access time (1440 minutes)

4.1.31.2.2 access-type

Defines the captive portal’s access type. The authentication scheme configured here is applied to wireless clients using this captive portal.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
access-type [custom-auth-radius|logging|no-auth|radius|registration]

Parameters
• access-type [custom-auth-radius|logging|no-auth|radius|registration]

custom-auth-radius – Specifies the custom user information used for authentication (RADIUS lookup of given information, such as name, e-mail address, telephone, etc.). When configured, accessing clients are required to provide a 1-32 character lookup data string used to authenticate their credentials.
When selecting this option, use the custom-auth command to configure the required user information.

logging – Provides users access without authentication. The system logs access details of users allowed access.

no-auth – Defines no authentication required for a guest (guest is redirected to welcome message). Provides users access to the captive portal without authentication.

radius – Enables RADIUS authentication for wireless clients. Provides captive portal access to successfully authenticated users only. This is the default setting.

registration – Enables the captive portal’s clients to self-register in the captive portal’s database. When configured, a requesting client’s user credentials require authentication locally or through social media credential exchange and validation.
If enabled, use the webpage > internal > registration > field command to customize the registration page. If not customized, the default, built-in registration Web page is displayed.

Example
rfs6000-81742D(config-captive-portal-test)#access-type logging
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no – Removes the captive portal access type or reverts to default (radius)

4.1.31.2.3 accounting

Enables support for accounting messages for this captive portal

When enabled, accounting for clients entering and exiting the captive portal is initiated. Accounting is the method of collecting and sending security server information for billing, auditing, and reporting user data. This data includes information, such as start and stop times, executed commands (such as PPP), number of packets and number of bytes transmitted, etc. Accounting enables tracking of captive portal services consumed by clients.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
accounting [radius|syslog]
accounting radius
accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}

Parameters
• accounting radius
• accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}

radius – Enables support for RADIUS accounting messages. When enabled, this option uses an external RADIUS resource for AAA accounting. This option is disabled by default.

syslog host <IP/HOSTNAME> – Enables support for syslog accounting messages. When enabled, data relating to wireless client usage of remote access services is logged on the specified external syslog resource. This information assists in differentiating between local and remote users. Remote user information can be archived to an external location for periodic network and user administration. This option is disabled by default.
• host <IP/HOSTNAME> – Specifies the destination where accounting messages are sent. Specify the destination’s IP address or hostname.

port <1-65535> – Optional. Specifies the syslog server’s listener port
• <1-65535> – Specify the UDP port from 1 - 65535. The default is 514.

proxy-mode [none|through-controller|through-rf-domain-manager] – Optional. Specifies the mode of proxying the syslog server
• none – Accounting messages are sent directly to the syslog server
• through-controller – Accounting messages are sent through the controller configuring the device
• through-rf-domain-manager – Accounting messages are sent through the local RF Domain manager

Example
rfs6000-81742D(config-captive-portal-test)#accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
 accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no – Disables accounting records for this captive portal

4.1.31.2.4 bypass

Enables bypassing of captive portal detection requests from wireless clients

Certain devices, such as Apple iOS devices, send Captive Network Assistant (CNA) requests to detect the existence of captive portals. When enabled, the bypass option does not allow CNA requests to be redirected to the captive portal pages.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bypass captive-portal-detection

Parameters
• bypass captive-portal-detection

bypass captive-portal-detection – Bypasses captive portal detection requests

Example
rfs4000-229D58(config-captive-portal-test)#bypass captive-portal-detection
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
 bypass captive-portal-detection
rfs4000-229D58(config-captive-portal-test)#

Related Commands
no – Disables bypassing of captive portal detection requests
4.1.31.2.5 connection-mode

Configures a captive portal’s mode of connection to the Web server. HTTP uses a plain, unsecured connection for user requests. HTTPS uses an encrypted connection to support user requests.

Both HTTP and HTTPS use the same Uniform Resource Identifier (URI), so controller and client resources can be identified. However, the use of HTTPS is recommended, as it affords controller and client transmissions some measure of data protection HTTP cannot provide.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

connection-mode [http|https]

Parameters

• connection-mode [http|https]

http
    Sets HTTP as the default connection mode. This is the default setting.
https
    Sets HTTPS as the default connection mode
    HTTPS is a more secure version of HTTP, and uses encryption while sending and receiving requests.

Example

rfs6000-81742D(config-captive-portal-test)#connection-mode https
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
 connection-mode https
 accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#

Related Commands

no
    Removes this captive portal’s connection mode
4.1.31.2.6 custom-auth

Configures custom user information

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

custom-auth info <LINE>

Parameters

• custom-auth info <LINE>

info <LINE>
    Configures information used for RADIUS lookup when custom-auth RADIUS access type is configured
    • <LINE> – Guest data needs to be provided. Specify the name, e-mail address, and telephone number of the user.

Example

rfs6000-81742D(config-captive-portal-test)#custom-auth info bob bob@examplecompany.com
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#

Related Commands

no
    Removes custom user information configured with this captive portal
4.1.31.2.7 data-limit

Enforces data transfer limits on captive portal clients. This feature enables the tracking and logging of user usage. Users exceeding the allowed bandwidth are restricted from the captive portal.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

data-limit <1-102400> {action [log-and-disconnect|log-only]}

Parameters

• data-limit <1-102400> {action [log-and-disconnect|log-only]}

data-limit <1-102400>
    Sets a captive portal client’s data transfer limit in megabytes. This limit is applicable for both upstream and downstream data transfer.
    • <1-102400> – Specify a value from 1 - 102400 MB.
action [log-and-disconnect|log-only]
    Optional. Specifies the action taken when a client exceeds the configured data limit. The options are:
    • log-and-disconnect – When selected, an entry is added to the log file any time a captive portal client exceeds the data limit, and the client is disconnected.
    • log-only – When selected, an entry is added to the log file any time a captive portal client exceeds the data limit. The client, however, remains connected to the captive portal. This is the default setting.

Example

rfs6000-81742D(config-captive-portal-test)#data-limit 200 action log-and-disconnect
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 data-limit 200 action log-and-disconnect
rfs6000-81742D(config-captive-portal-test)#

Related Commands

no
    Removes data limit enforcement for captive portal clients
4.1.31.2.8 inactivity-timeout

Defines the inactivity timeout in seconds. If a frame is not received from a client for the specified interval, the current session is terminated.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

inactivity-timeout <60-86400>

Parameters

• inactivity-timeout <60-86400>

<60-86400>
    Defines the interval for which a captive portal session is kept alive without receiving a frame from the client. The session is automatically terminated once this interval is over.
    • <60-86400> – Specify a value from 60 - 86400 seconds. The default is 10 minutes or 600 seconds.

Example

rfs6000-81742D(config-captive-portal-test)#inactivity-timeout 750
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#

Related Commands

no
    Removes the client inactivity-timeout configured with this captive portal
4.1.31.2.9 ipv6

Configures the internal captive portal server’s (running on the centralized mode) IPv6 address. If using centralized server mode, use this option to define the controller, service platform, or access point resource’s (hosting the captive portal) IPv6 address. For information on configuring the server mode, see server.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ipv6 server host <IPv6>

Parameters

• ipv6 server host <IPv6>

ipv6 server host <IPv6>
    Configures the IPv6 address of the internal captive portal server
    • <IPv6> – Specify the captive portal server’s global IPv6 address.

Example

rfs6000-81742D(config-captive-portal-test2)#ipv6 server host 2001:10:10:10:6d:33:fa:8b
rfs6000-81742D(config-captive-portal-test2)#show context
captive-portal test2
 access-type OAuth
 ipv6 server host 2001:10:10:10:6d:33:fa:8b
 OAuth client-id Google TechPubs.printer.google.com
rfs6000-81742D(config-captive-portal-test2)#

Related Commands

no
    Removes the captive portal server’s IPv6 address
4.1.31.2.10 localization

Configures an FQDN address string that enables the client to receive localization parameters. Use this option to add a URL to trigger a one-time redirect on demand. The defined URL is triggered from a mobile application to derive location information from the wireless network so an application can be localized to a particular store or region.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

localization [fqdn <WORD>|response <WORD>]

Parameters

• localization [fqdn <WORD>|response <WORD>]

localization
    Configures an FQDN address string that enables the client to receive localization parameters. This command also allows the configuration of a response message.
fqdn <WORD>
    Configures the FQDN address string, which is used to obtain localization parameters for the captive portal’s client.
    • <WORD> – Specify the FQDN address string. For example, local.guestaccess.com
response <WORD>
    Configures a message, which is sent back to the client in response to the client’s localization HTTP requests
    • <WORD> – Specify the response message (should not exceed 512 characters in length).
    The following built-in query tags can be included in the response message:
    'WING_TAG_CLIENT_IP'  - Captive portal client IPv4 address
    'WING_TAG_CLIENT_MAC' - Captive portal client MAC address
    'WING_TAG_WLAN_SSID'  - Captive portal client WLAN ssid
    'WING_TAG_AP_MAC'     - Captive portal client AP MAC address
    'WING_TAG_AP_NAME'    - Captive portal client AP Name
    'WING_TAG_RF_DOMAIN'  - Captive portal client RF Domain
    'WING_TAG_USERNAME'   - Captive portal authentication username
    'WING_TAG_USERTYPE'   - Captive portal usertype (new/return/refresh)
    Example:
    <local><site>WING_TAG_RF_DOMAIN</site><ap>WING_TAG_AP_NAME</ap></local>
Example

nx9500-6C8809(config-captive-portal-test)#localization fqdn local.guestaccess.com
nx9500-6C8809(config-captive-portal-test)#localization response <local><site>SJExtreme</site><ap>ap8132-74B45C</ap><user>Bob</user><local>
nx9500-6C8809(config-captive-portal-TechPubsNew)#show context
captive-portal TechPubsNew
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
 webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
 webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
 webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
 webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
 webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
 webpage internal registration field via-email type checkbox enable title "Email Preferred"
 localization fqdn local.guestaccess.com
 localization response <local><site>SJExtreme</site><ap>ap8132-74B45C</ap><user>Bob</user><local>
nx9500-6C8809(config-captive-portal-TechPubsNew)#

Related Commands

no
    Removes the FQDN address string and response message configured on a captive portal for localization
4.1.31.2.11 logout-fqdn

Configures the Fully Qualified Domain Name (FQDN) address used to log out of the session from the client

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

logout-fqdn <WORD>

Parameters

• logout-fqdn <WORD>

logout-fqdn <WORD>
    Configures the FQDN address used to log out
    • <WORD> – Provide the FQDN address (for example, logout.guestaccess.com).

Example

rfs6000-81742D(config-captive-portal-test)#logout-fqdn logout.testuser.com
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 logout-fqdn logout.testuser.com
rfs6000-81742D(config-captive-portal-test)#

Related Commands

no
    Clears the logout FQDN address
4.1.31.2.12 no

The no command reverts the selected captive portal’s settings or resets settings to default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [access-time|access-type|accounting|bypass|connection-mode|custom-auth|data-limit|inactivity-timeout|ipv6|localization|logout-fqdn|oauth|php-helper|post-authentication-vlan|radius-vlan-assignment|redirection|report-loyalty-application|server|simultaneous-users|terms-agreement|use|webpage|webpage-auto-upload|webpage-location|welcome-back]
no [access-time|access-type|connection-mode|data-limit|inactivity-timeout|logout-fqdn|post-authentication-vlan|radius-vlan-assignment|report-loyalty-application|simultaneous-users|terms-agreement|webpage-auto-upload|webpage-location]
no accounting [radius|syslog]
no bypass captive-portal-detection
no custom-auth info
no ipv6 server host
no localization [fqdn|response]
no oauth {client-id}
no php-helper
no redirection ports
no server host
no server mode {centralized-controller [hosting-vlan-interface]}
no use [aaa-policy|dns-whitelist]
no webpage external [acknowledgement|agreement|fail|login {post}|no-service|registration|welcome]
no webpage internal [acknowledgement|agreement|fail|login|no-service|org-name|org-signature|registration|welcome]
no webpage internal [org-name|org-signature]
no webpage internal [acknowledgment|agreement|fail|login|no-service] [body-background-color|body-font-color|description|footer|header|main-logo|org-background-color|org-font-color|small-logo|title]
no webpage internal registration [body-background-color|body-font-color|description|field|footer|header|main-logo|org-background-color|org-font-color|small-logo|title]
no webpage internal registration field [age-range|city|country|custom <FIELD-NAME>|disclaimer|dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|zip] {enable}
no webpage internal welcome [body-background-color|body-font-color|description|footer|header|main-logo|org-background-color|org-font-color|small-logo|title|use-external-success-url]
no welcome-back pass-through

Parameters

• no <PARAMETERS>

no <PARAMETERS>
    Removes or resets this captive portal’s settings, based on the parameters passed.

Example

The following example shows the captive portal ‘test’ settings before the ‘no’ commands are executed:

rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#
rfs6000-81742D(config-captive-portal-test)#no accounting syslog
rfs6000-81742D(config-captive-portal-test)#no access-type

The following example shows the captive portal ‘test’ settings after the ‘no’ commands are executed:

rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
rfs6000-81742D(config-captive-portal-test)#
4.1.31.2.13 oauth

Enables OAuth-driven Google and/or Facebook authentication on captive portals that use internal Web pages. To enable Google and Facebook captive-portal authentication:
• Enforce captive-portal authentication on the WLAN to which wireless-clients associate. For information, see captive-portal-enforcement.
• Set captive-portal Web page location to internal. For more information, see webpage-location.
• Register your captive-portal individually on Google/Facebook APIs and generate a client-id and client-secret. The client-ids retrieved during registration are the IDs for the WiNG application running on the access point/controller. The WiNG application uses these client-ids to access the Google and Facebook Auth APIs, and authenticate the guest client on behalf of the user.

If enabling OAuth-driven Google and/or Facebook authentication on the captive portal, use this command to configure the Google/Facebook client-ids. Once enabled, the captive portal landing page, displayed on the client’s browser, provides the Facebook and Google login buttons.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

oauth
oauth client-id [facebook|google] <WORD>

Parameters

• oauth
• oauth client-id [facebook|google] <WORD>

oauth
    Execute this command without the associated keywords to enable OAuth on this captive-portal.
    If enabling OAuth, ensure the captive-portal Web page location is configured as advanced or external.
oauth client-id [facebook|google] <WORD>
    Configures the client-ids retrieved from the Google and Facebook API manager portals during registration
    • facebook – Configures the Facebook API client-id (is a 15 digit entity)
    • google – Configures the Google API client-id (is a 12 digit number)
    • <WORD> – Provide the Facebook/Google client-id.
    If the captive-portal Web page location is advanced or external, and you are enabling OAuth support, you need not configure the client-id. In such a scenario, the client-id is configured through the EGuest server UI and not the WiNG CLI.
Example

nx7500-6DCD39(config-captive-portal-test2)#OAuth
nx7500-6DCD39(config-captive-portal-test2)#OAuth client-id Google xxxxxxxxxxxx.apps.googleusercontent.com Facebook yyyyyyyyyyyyyyy
nx7500-6DCD39(config-captive-portal-test2)#show context
captive-portal test2
 server host guest.social.com
 oauth
 oauth client-id Google xxxxxxxxxxxx.apps.googleusercontent.com Facebook yyyyyyyyyyyyyyy
nx7500-6DCD39(config-captive-portal-test)#

In the above example:
• xxxxxxxxxxxx - Is the 12 digit numeric part of your Google client-id.
• yyyyyyyyyyyyyyy - Is the 15 digit Facebook client-id

Related Commands

no
    Removes all OAuth client identities configured for this captive portal
4.1.31.2.14 php-helper

Configures a PHP helper to serve the PHP splash pages to guest users logging in to the captive portal using social-media credentials. Configure a PHP helper only if the following criteria are fulfilled:
• OAuth-based authentication is enabled on the captive portal.
• The captive-portal server mode is “self”.
• The access point, hosting the captive-portal server, has low memory space (for example, the AP6511, AP6521, AP6522, AP6532, and AP7502 model access points).
• A hotspot server, hosting the captive-portal PHP splash pages, is up and running.

The WiNG software introduces HybridAuth support on captive portals. HybridAuth is an open-source, social sign-on PHP library. In addition to Google and Facebook, it allows a variety of third-party social authentications, such as LinkedIn, Twitter, Live, Yahoo, OpenID, etc. However, HybridAuth uses space-consuming PHP splash pages that cannot be loaded on access points with low memory space. These access points can only serve the initial landing page, where guests clicking on a social login button are redirected by the php-helper to a PHP page hosted on the PHP-helper.

To create PHP splash pages, use the splash template configuration tool available on the ExtremeGuest (EGuest) dashboard. Upload the generated tar to both the hotspot server and the php helper. Note, the EGuest dashboard can be launched from the WiNG controller (NX9500/NX9600/VX9000) enabled as the EGuest server.

For more information on enabling the EGuest server, see eguest-server (VX9000 only).
For more information on configuring an EGuest captive portal, see configuring ExtremeGuest captive-portal.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

php-helper [controller|domain-manager]
php-helper controller <IP/HOSTNAME> hosting-vlan-interface <0-4096>
php-helper domain-manager <IP/HOSTNAME>

Parameters

• php-helper controller <IP/HOSTNAME> hosting-vlan-interface <0-4094>]

php-helper
    Configures the php-helper parameters
controller <IP/HOSTNAME>
    Configures the controller adopting the captive-portal access point as the php-helper
    • <IP/HOSTNAME> – Specify the adopting controller’s IP address or host name.
hosting-vlan-interface <0-4096>
    Optional. Configures the VLAN on which the php-helper is reachable
    • <0-4096> – Specify the VLAN hosting the php-helper from 0 - 4096.
• php-helper domain-manager <IP/HOSTNAME>

php-helper
    Configures the php-helper parameters
domain-manager <IP/HOSTNAME>
    Configures the captive-portal access point’s RF Domain manager as the php-helper
    • <IP/HOSTNAME> – Specify the RF Domain manager’s IP address or host name.

Example

To enable php-helper configure the following parameters in the captive-portal context:

ap6532-3163A4(config-captive-portal-php-helper)#oauth
ap6532-3163A4(config-captive-portal-php-helper)#php-helper controller nx9500-6C8809
ap6532-3163A4(config-captive-portal-php-helper)#server mode self
ap6532-3163A4(config-captive-portal-php-helper)#server host cpsocial.extreme.com

Note, when configuring the server, specify the server’s hostname and not the IP address, because some social media do not allow IP address as a redirect URI.

ap6532-3163A4(config-captive-portal-php-helper)#show running-config captive-portal php-helper
captive-portal php-helper
 server host cpsocial.extreme.com
 php-helper controller nx9500-6C8809
 oauth
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder
--More--
ap6532-3163A4(config-captive-portal-php-helper)#

Related Commands

no
    Removes the PHP helper configuration
4.1.31.2.15 post-authentication-vlan

Configures the VLAN that is assigned to this captive portal’s users upon successful authentication

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]

Parameters

• post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]

post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]
    Configures the post authentication VLAN. The VLAN specified here is assigned to this captive portal’s users after they have authenticated and logged on to the network. Provide the VLAN ID, or use an existing VLAN alias to identify the post authentication VLAN.
    • <1-4096> – Specify the VLAN’s number from 1 - 4096.
    • <VLAN-ALIAS> – Specify the VLAN alias (should be existing and configured).
    VLAN alias names begin with a ‘$’.

Example

rfs4000-229D58(config-captive-portal-test)#post-authentication-vlan 1
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
 post-authentication-vlan 1
rfs4000-229D58(config-captive-portal-test)#

Related Commands

no
    Removes the post authentication RADIUS VLAN assigned to this captive portal’s users
radius-vlan-assignment
    Enables assignment of a RADIUS VLAN for this captive portal
4.1.31.2.16 radius-vlan-assignment

Enables assignment of a RADIUS VLAN for this captive portal

When enabled, if the RADIUS server, as part of the authentication process, returns a client’s VLAN-ID in a RADIUS access-accept packet, all client traffic is forwarded on the post authentication VLAN. If disabled, the RADIUS server’s VLAN assignment is ignored and the VLAN configuration defined within the WLAN configuration is used instead. This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

radius-vlan-assignment

Parameters

None

Example

rfs4000-229D58(config-captive-portal-test)#radius-vlan-assignment
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
 post-authentication-vlan 1
 radius-vlan-assignment
rfs4000-229D58(config-captive-portal-test)#

Related Commands

no
    Disables assignment of a RADIUS VLAN for this captive portal
post-authentication-vlan
    Assigns a post authentication RADIUS VLAN for this captive portal’s users
4.1.31.2.17 redirection

Configures a list of destination ports (separated by commas, or using a dash for a range) that are taken into consideration when redirecting client connections

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

redirection ports <LIST-OF-PORTS>

Parameters

• redirection ports <LIST-OF-PORTS>

ports <LIST-OF-PORTS>
    Configures destination ports considered for redirecting client connection
    A maximum of 16 ports can be specified in a comma-separated list. Standard ports 80 and 443 are always considered for client connections regardless of what’s entered by the administrator.

Example

rfs4000-229D58(config-captive-portal-test)#redirection ports 1,2,3
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
 redirection ports 1-3
rfs4000-229D58(config-captive-portal-test)#

Related Commands

no
    Disables redirection of client connection
4.1.31.2.18 report-loyalty-application

Enables detection of captive portal client’s usage of a selected (preferred) loyalty application

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

report-loyalty-application {custom-app <APPLICATION-NAME>}

Parameters

• report-loyalty-application {custom-app <APPLICATION-NAME>}

report-loyalty-application {custom-app <APPLICATION-NAME>}
    Reports a captive portal client’s loyalty application presence and stores this information in the captive portal’s user database. The client’s loyalty application detection occurs on the access point to which the client is associated. Retail administrators can use this information to assess whether patrons’ loyalty application usage is as per expectation within specific retail environments. This option is disabled by default.
    • custom-app <APPLICATION-NAME> – Optional. Uses a custom application definition as match criteria.
    • <APPLICATION-NAME> – Specify the custom application name (should be existing and configured). Ensure that the application specified is available and configured. If not, create an application definition. For more information, see application.
    If no custom application definition is specified, the system uses localization to detect application presence.

Example

nx9500-6C8809(config-captive-portal-test)#report-loyalty-application custom-app AntiVirus
nx9500-6C8809(config-captive-portal-test)#show context include-factory | include report-loyalty-application
 report-loyalty-application custom-app AntiVirus
nx9500-6C8809(config-captive-portal-test)#

Related Commands

no
    Disables detection of customer-loyalty application presence
4.1.31.2.19 server

Configures captive portal server parameters, such as the hostname, IP address, and mode of operation. This is the captive-portal server hosting the captive portal Web pages.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

server [host|mode]
server host <IP/HOSTNAME>
server mode [centralized|centralized-controller {hosting-vlan-interface <0-4096>}|self]

Parameters

• server host <IP/HOSTNAME>
• server mode [centralized|centralized-controller {hosting-vlan-interface <0-4096>}|self]

host <IP/HOSTNAME>
    Configures the internal captive portal server (wireless controller, access point, service platform)
    • <IP/HOSTNAME> – Specify the IPv4/IPv6 address or hostname of the captive portal server.
    For centralized-controller mode, the server host should be a virtual hostname and not an IP address.
    If enabling OAuth (social-media login) on the captive portal, configure the server’s hostname and not the IP address. This is because some social media do not allow IP address as redirect-uri. For more information, see oauth and php-helper.
mode
    Configures the captive portal server mode. This parameter identifies the device that will capture and redirect a wireless user’s Web browser session to a landing page where the user has to provide login credentials in order to access the managed network. The WiNG captive portal implementation is very flexible and allows captive portal services to reside anywhere within the WiNG managed network. For example, the capture and redirection can be performed directly by the access points at the edge of the network, centrally on the controllers or service platforms managing the access points, or on a dedicated wireless controller deployed within an isolated network.
centralized
    Select this option if capture and redirection is provided by a designated wireless controller/service platform on the network defined using an IPv4/IPv6 address or hostname. This dedicated device can either be managing the dependent/independent access points or be a dedicated device deployed over the intermediate network.
    Ensure the IPv4 address or hostname of the WiNG wireless controller performing the capture and redirection is defined in the captive portal policy. Also ensure that the wireless controller is reachable via MINT.
centralized-controller {hosting-vlan-interface <0-4096>}
  Select this option if capture and redirection is on a cluster of wireless controller/service platforms managing dependent/independent access points when redundancy is required. The capture and redirection is provided by one of the controllers in the cluster that is operating as the designated forwarder for the tunneled VLAN. The cluster can be configured as active/active or active/standby as required.
  If using this option, ensure a non-resolvable virtual hostname is defined in the captive portal policy which is shared between the controllers in the cluster.
  • hosting-vlan-interface – Optional. Configures the VLAN where the client can reach the captive-portal server. This option is available only for the centralized-controller mode.
    • <0-4096> – Specify the VLAN number (0 implies the controller is available on the client’s VLAN).

self
  Select this option if capture and redirection is provided by the access point that is servicing the captive portal enabled Wireless LAN. This is the default setting.
  When enabled, each remote access point servicing the captive portal enabled WLAN performs the captive portal capture and redirection internally. The WLAN users are mapped to a locally bridged VLAN for which each access point has a Switched Virtual Interface (SVI) defined. The SVI can either have a static or dynamic (DHCP) IPv4 address assigned. The capture, redirection, and presentation of the captive portal pages are performed using the SVI on each access point the wireless device is associated to.

Example
rfs6000-81742D(config-captive-portal-test)#server host 172.16.10.9
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 server host 172.16.10.9
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no
  Resets or disables captive portal host and mode settings

4.1.31.2.20 simultaneous-users
captive-portal-mode commands

Specifies the number of users (client MAC addresses) that can simultaneously log on to the captive portal. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
simultaneous-users <1-8192>

Parameters
• simultaneous-users <1-8192>

simultaneous-users <1-8192>
  Specifies the number of MAC addresses that can simultaneously access the captive portal
  • <1-8192> – Select a number from 1 - 8192.

Example
rfs6000-81742D(config-captive-portal-test)#simultaneous-users 5
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 server host 172.16.10.9
 simultaneous-users 5
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no
  Resets or disables captive portal commands

4.1.31.2.21 terms-agreement
captive-portal-mode commands

Requires the user to agree to the terms and conditions (included in the login page) for captive portal access. This feature is disabled by default.

When enabled, the system requires a previously registered user to re-confirm the terms of agreement, on successive logins, only if the interval between the last logout and the current login exceeds the agreement-refresh timeout configured in the WLAN context. For more information on configuring the agreement-refresh timeout value, see registration.

For example, if the agreement-refresh timeout is set at 20 minutes, the following two possibilities can arise:
• The interval between logging out and logging in again exceeds 20 minutes, in which case the user is served the Terms of Agreement page on successful authentication.
• The interval between logging out and logging in again is less than 20 minutes, in which case the user is provided direct Internet access.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
terms-agreement

Parameters
None

Example
rfs6000-81742D(config-captive-portal-test)#terms-agreement
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 server host 172.16.10.9
 simultaneous-users 5
 terms-agreement
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no
  Resets or disables captive portal commands

4.1.31.2.22 use
captive-portal-mode commands

Configures a AAA policy and DNS whitelist with this captive portal policy. AAA policies are used to configure authentication and accounting servers for this captive portal. DNS whitelists restrict users to a set of configurable domains on the Internet.

For more information on AAA policies, see AAA-POLICY.
For more information on DNS whitelists, see dns-whitelist.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [aaa-policy <AAA-POLICY-NAME>|dns-whitelist <DNS-WHITELIST-NAME>]

Parameters
• use [aaa-policy <AAA-POLICY-NAME>|dns-whitelist <DNS-WHITELIST-NAME>]

aaa-policy <AAA-POLICY-NAME>
  Associates a AAA policy with this captive portal. AAA policies validate user credentials and provide captive portal access to the network.
  • <AAA-POLICY-NAME> – Specify the AAA policy name.

dns-whitelist <DNS-WHITELIST-NAME>
  Associates a DNS whitelist to use with this captive portal. A DNS whitelist defines a set of allowed destination IP addresses. DNS whitelists restrict captive portal access.
  • <DNS-WHITELIST-NAME> – Specify the DNS whitelist name.
  To effectively host captive portal pages on an external Web server, the IP address of the destination Web server(s) should be added to the DNS whitelist.

Example
rfs6000-81742D(config-captive-portal-test)#use aaa-policy test
rfs6000-81742D(config-captive-portal-test)#use dns-whitelist test
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 server host 172.16.10.9
 simultaneous-users 5
 terms-agreement
 use aaa-policy test
 use dns-whitelist test
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no
  Removes a DNS Whitelist or a AAA policy from the captive portal
dns-whitelist
  Configures a DNS whitelist
aaa-policy
  Configures a AAA policy

4.1.31.2.23 webpage
captive-portal-mode commands

Use this command to define the appearance and flow of Web pages requesting clients encounter when accessing a controller, service platform, or access point managed captive portal. Define whether the Web pages are maintained locally or externally to the managing device, as well as the messages displayed to requesting clients.

Configures Web pages displayed when interacting with a captive portal. These pages are:
• acknowledgment – This page displays details for the user to acknowledge.
• agreement – This page displays “Terms and Conditions” that a user accepts before being allowed access to the captive portal.
• fail – This page is displayed when the user is not authenticated.
• login – This page is displayed when the user connects to the captive portal. It fetches login credentials from the user.
• no-service – This page is displayed when a captive portal user is unable to access the captive portal due to unavailability of critical services.
• registration – This page is displayed when users are redirected to a Web page where they have to register in the captive portal’s database.
• welcome – This page is displayed to welcome an authenticated user to the captive portal.

These Web pages, which interact with captive portal users, can be located either on the controller or an external location.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
webpage [external|internal]
webpage external [acknowledgment|agreement|fail|login {post}|no-service|registration|welcome] <URL>
webpage internal [acknowledgment|agreement|fail|login|no-service|org-name|org-signature|registration|welcome]
webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome] [description|footer|header|title] <CONTENT>
webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome] [body-background-color|body-font-color|org-background-color|org-font-color] <WORD>
webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome] [main-logo use-as-banner|small-logo] <URL>
webpage internal registration field [age-range|city|country|custom|disclaimer|dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|zip] type [checkbox|date|dropdown-menu|e-address|number|radio-button|text] enable {label <LINE>|mandatory|title <LINE>|placeholder <LINE>}
webpage internal welcome use-external-success-url
webpage internal [org-name|org-signature] <LINE>

Parameters
• webpage external [acknowledgment|agreement|fail|login {post}|no-service|registration|welcome] <URL>

external
  Indicates Web pages being served are hosted on an external (to the captive portal) server resource

acknowledgment
  Indicates the page is displayed for user acknowledgment of details. Users are redirected to this page to acknowledge information provided.

agreement
  Indicates the page is displayed for “Terms & Conditions”
  The agreement page provides conditions that must be agreed to before captive portal access is permitted.

fail
  Indicates the page is displayed for login failure
  The fail page asserts that the authentication attempt has failed, the user is not allowed to access the Internet (using this captive portal) and must provide the correct login information again to access the Internet.

login {post}
  Indicates the page is displayed for getting user credentials. This page is displayed by default.
  • post – Optional. Redirects users to post externally during authentication
  The login page prompts the user for a username and password to access the captive portal and proceed to either the agreement page (if used) or the welcome page.

no-service
  Indicates the page is displayed when certain critical services are unavailable and the user fails to access the captive portal. The no-service page asserts the captive portal service is temporarily unavailable due to technical reasons. Once the services become available, the captive portal user is automatically connected back to the services available through the captive portal. The possible scenarios are:
  • The RADIUS server (on-board or external) is not reachable and the user cannot be authenticated
  • The external captive portal server is not reachable
  • The connectivity between the adopted AP and controller is lost
  • The external DHCP server is not reachable
  To provide this service, enable the following:
  • External captive portal server monitoring
  • AAA server monitoring. This enables detection of RADIUS server failure.
  • External DHCP server monitoring
  For more information on enabling critical resource monitoring, see service.

registration
  Indicates the page is displayed when users are redirected to a Web page where they have to register in the captive portal’s database
  Guest users are redirected to an internally or externally hosted registration page (registration.html) upon association to a captive portal SSID, where guest users who have not previously registered can register.

welcome
  Indicates the page is displayed after a user has been successfully authenticated
  The welcome page asserts a user has logged in successfully and can access the captive portal.
<URL>
  This parameter is common to all of the above mentioned Web pages, and specifies the Web page URL. The Web page is retrieved and served from the specified external location.
  The URL can include the following query tags:
  'WING_TAG_CLIENT_IP' - Captive portal client IPv4 address
  'WING_TAG_CLIENT_MAC' - Captive portal client MAC address
  'WING_TAG_WLAN_SSID' - Captive portal client WLAN ssid
  'WING_TAG_AP_MAC' - Captive portal client AP MAC address
  'WING_TAG_AP_NAME' - Captive portal client AP Name
  'WING_TAG_RF_DOMAIN' - Captive portal client RF Domain
  'WING_TAG_CP_SERVER' - Captive portal server address
  'WING_TAG_USERNAME' - Captive portal authentication username
  Example: http://cportal.com/policy/login.html?client_ip=WING_TAG_CLIENT_IP&ap_mc=WING_TAG_AP_MAC.
  Use '&' or '?' character to separate field-value pair.
  Enter 'ctrl-v' followed by '?' to configure query string.

• webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome] [description|footer|header|title] <CONTENT>

internal
  Indicates the Web pages are hosted on an internal server resource. This is the default setting.

acknowledgment
  Indicates the Web page is displayed for users to acknowledge the information provided

agreement
  Indicates the page is displayed for “Terms & Conditions”

fail
  Indicates the page is displayed for login failure

login
  Indicates the page is displayed for entering user credentials

no-service
  Indicates the page is displayed when certain critical services are unavailable and the user fails to access the captive portal. The possible scenarios are:
  • The RADIUS server (on-board or external) is not reachable and the user cannot be authenticated
  • The external captive portal server is not reachable
  • The connectivity between the adopted AP and controller is lost
  • The external DHCP server is not reachable
  To provide this service, enable the following:
  • External captive portal server monitoring
  • AAA server monitoring. This enables detection of RADIUS server failure.
  • External DHCP server monitoring
  • AP to controller connectivity monitoring
  For more information on enabling critical resource monitoring, see service.
registration
  Indicates the page is displayed when users are redirected to a Web page where they have to register in the captive portal’s database
  Guest users are redirected to an internally or externally hosted registration page (registration.html) upon association to a captive portal SSID, where guest users who have not previously registered can register.

welcome
  Indicates the page is displayed after a user has been successfully authenticated

description
  Indicates the content is the description portion of each of the following internal Web pages: acknowledgment, agreement, fail, login, no-service, and welcome

footer
  Indicates the content is the footer portion of each of the following internal Web pages: acknowledgment, agreement, fail, no-service, and welcome page. The footer portion contains the signature of the organization that hosts the captive portal.

header
  Indicates the content is the header portion of each of the following internal Web pages: acknowledgment, agreement, fail, no-service, and welcome page. The header portion contains the heading information for each of these pages.

title
  Indicates the content is the title of each of the following internal Web pages: acknowledgment, agreement, fail, no-service, and welcome page. The title for each of these pages is configured here.

<CONTENT>
  The following keyword is common to all of the above internal Web page options:
  • <CONTENT> – Specify the content displayed for each of the different components of the internal Web page. Enter up to 900 characters for the description and 256 characters each for header, footer, and title.

• webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome] [main-logo use-as-banner|small-logo] <URL>

internal
  Indicates the Web pages are hosted on an internal server resource

agreement
  Indicates the page is displayed for “Terms & Conditions”

acknowledgment
  Indicates the Web page is displayed for users to acknowledge the information provided

fail
  Indicates the page is displayed for login failure

login
  Indicates the page is displayed for user credentials

no-service
  Indicates the page is displayed when certain critical services are unavailable and the user fails to access the captive portal. The possible scenarios are:
  • The RADIUS server (on-board or external) is not reachable and the user cannot be authenticated
  • The external captive portal server is not reachable
  • The connectivity between the adopted AP and controller is lost
  • The external DHCP server is not reachable
  To provide this service, enable the following:
  • External captive portal server monitoring
  • AAA server monitoring. This enables detection of RADIUS server failure.
  • External DHCP server monitoring
  • AP to controller connectivity monitoring
  For more information on enabling critical resource monitoring, see wlan.
registration
  Indicates the page displayed is the registration page to which users are redirected in order to register in the captive portal’s database
  Guest users are redirected to an internally or externally hosted registration page (registration.html) upon association to a captive portal SSID, where guest users who have not previously registered can register.

welcome
  Indicates the page is displayed after a user has been successfully authenticated

main-logo use-as-banner
  The following keyword is common to all of the above internal Web page options:
  • main-logo – Indicates the main logo displayed in the header of each Web page
    • use-as-banner – Uses the image, specified here, as the Web page banner, in place of the logo and organization name

small-logo
  The following keyword is common to all of the above internal Web page options:
  • small-logo – Indicates the logo image displayed in the footer of each Web page, and constitutes the organization’s signature

<URL>
  This parameter is common to the ‘main-logo’ and ‘small-logo’ keywords and provides the complete URL from where the main-logo and small-logo files are loaded and subsequently cached on the system.
  • <URL> – Specify the location and name of the main-logo and the small-logo image files.

• webpage internal registration field [age-range|city|country|custom|disclaimer|dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|zip] type [checkbox|date|dropdown-menu|e-address|number|radio-button|text] enable {label <LINE>|mandatory|title <LINE>|placeholder <LINE>}

internal
  Indicates the Web pages are hosted on an internal server resource

registration
  Allows you to customize the user registration page. Select this option if the captive-portal’s access-type is set to registration. Use the field and type options to define the input fields (for example, age-range, city, email, etc.) and the field type (for example, text, checkbox, dropdown-menu, radio-button, etc.)
  Guest users are redirected to an internally or externally hosted registration page (registration.html) upon association to a captive portal SSID, where guest users who have not previously registered can register.
  If the registration Web page is not customized, the built-in, default registration page is displayed to the client.

field [age-range|city|country|custom <WORD>|disclaimer]
  Configures the captive portal’s registration page fields
  Following are the available fields and the field type for each:
  • age-range – Creates the age-range input field (enabled by default and included in the built-in registration page)
    • dropdown-menu – Configures the age-range field as a drop-down menu
    • radio-button – Configures the age-range field as a radio button menu
  • city – Creates the postal address: city name input field (enabled by default and included in the built-in registration page)
    • text – Configures the city field as only alpha-numeric and special characters input field
  • country – Creates the postal address: country name input field (disabled by default)
    • text – Configures the country field as only alpha-numeric and special characters input field
  • custom <WORD> – Creates a customized field (as per your requirement). Use the ‘custom’ option to create a field not included in the built-in list.
    • <WORD> – Provide a name for the field. On the registration page, the field is displayed under the name specified here.
  • disclaimer – Creates client’s disclaimer-confirmation input field (disabled by default)
    • checkbox – Configures the disclaimer field as a check box

field [dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|zip]
  • dob – Creates the client’s date of birth (DoB) input field (disabled by default)
    • date – Configures the DoB field as only date-format input field
    • dropdown-menu – Configures the DoB field as a drop-down menu
    • text – Configures the DoB field as only alpha-numeric and special characters input field
  • email – Creates the e-mail address input field (enabled by default and included in the built-in registration page)
    • e-address – Configures the e-mail field as only e-mail address format input field
  • gender – Creates client’s gender input field (disabled by default)
    • dropdown-menu – Configures the gender field as a drop-down menu
    • radio-button – Configures the gender field as a radio button menu
  • member – Creates client’s loyalty or captive-portal membership card number input field (disabled by default)
    • number – Configures the member field as only-numeric characters input field
    • text – Configures the member field as only alpha-numeric and special characters input field
  • mobile – Creates the mobile number input field (enabled by default and included in the built-in registration page)
    • number – Configures the mobile field as only-numeric characters input field
    • text – Configures the mobile field as only alpha-numeric and special characters input field
  • name – Creates the client name input field (enabled by default and included in the built-in registration page)
    • text – Configures the name field as only alpha-numeric and special characters input field
  • optout – Creates an input field that enables clients to opt out from registering
    • checkbox – Configures the optout field as a check box
  • street – Creates the postal address: street name/number input field (enabled by default and included in the built-in registration page)
    • text – Configures the street field as only alpha-numeric and special characters input field
  • via-email – Creates the client’s preferred mode of communication as e-mail input field (enabled by default and included in the built-in registration page)
    • checkbox – Configures the via-email field as a check box
  • via-sms – Creates the client’s preferred mode of communication as SMS input field (enabled by default and included in the built-in registration page)
    • checkbox – Configures the via-sms field as a check box
  • zip – Creates the postal address: zip input field (enabled by default and included in the built-in registration page)
    • number – Configures the zip field as only-numeric characters input field
    • text – Configures the zip field as only alpha-numeric and special characters input field

type [checkbox|date|dropdown-menu|e-address|number|radio-button|text]
  After specifying the field, configure the field type. The options displayed depend on the field selected in the previous step. These options are: checkbox, date, dropdown-menu, e-address, number, radio-button, and text.
  • checkbox – Configures the field as a check box
  • date – Configures the field as only date-format input field
  • dropdown-menu – Configures the field as a drop-down menu
  • e-address – Configures the field as an e-mail address input field
  • number – Configures the field as only-numeric characters input field
  • radio-button – Configures the field as a radio button
  • text – Configures the field as only alpha-numeric and special characters input field
  Some of the fields can have more than one field type options. For example, the field ‘zip’ can either be a numerical field or a text. Select the one best suited for your captive-portal.

enable {label <LINE>|mandatory|title <LINE>|placeholder <LINE>}
  Enables the field. When enabled, the field is displayed on the registration page. After enabling the field, optionally configure the following parameters:
  • label <LINE> – Optional. Configures the field’s label
  • mandatory – Optional. Makes the field mandatory
  • title – Optional. Configures the comma-separated list of items to include in the drop-down menu.
  • placeholder <LINE> – Optional. Configures a string, not exceeding 300 characters, that is displayed within the field. If not configured, the field remains blank.

• webpage internal welcome use-external-success-url

internal
  Indicates the Web pages are hosted on an internal server resource

welcome
  Indicates the page is displayed after a user has been successfully authenticated

use-external-success-url
  When configured, redirects the user, on successful authentication, to an externally hosted success URL from the locally-hosted landing page.
  Use the webpage > external > welcome > <URL> command to specify the location of the Welcome page.

• webpage internal [org-name|org-signature] <LINE>

internal
  Indicates the Web pages are hosted on an internal server resource

org-name
  Specifies the company’s name, included on Web pages along with the main image

org-signature
  Specifies the company’s signature information, included in the bottom of Web pages along with a small image

<LINE>
  Specify the company’s name or signature depending on the option selected.

Example
rfs6000-81701D(config-captive-portal-guest)#webpage external welcome http://192.168.9.46/welcome.html
rfs6000-81701D(config-captive-portal-guest)#show context
captive-portal guest
 webpage external welcome http://192.168.9.46/welcome.html
rfs6000-81701D(config-captive-portal-guest)#

nx9500-6C8809(config-captive-portal-register)#webpage internal registration field age-range type dropdown-menu enable mandatory title 10-20,20-30,30-40,50-60,60-70
nx9500-6C8809(config-captive-portal-register)#show context include-factory | include age-range
 webpage internal registration field age-range type dropdown-menu enable mandatory label "Age Range" title "10-20,20-30,30-40,50-60,60-70"
nx9500-6C8809(config-captive-portal-register)#

In the following examples, the background and font colors have been customized for the captive portal’s login page. Similar customizations can be applied to the acknowledgement, agreement, fail, welcome, no-service, and registration captive portal pages.

rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login body-background-color #E7F0EB
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login body-font-color #EF68A7
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login org-background-color #EFE4E9
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login org-font-color #BA4A21
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#show context
captive-portal cap-enhanced-policy
 webpage internal login org-background-color #EFE4E9
 webpage internal login org-font-color #BA4A21
 webpage internal login body-background-color #E7F0EB
 webpage internal login body-font-color #EF68A7
rfs6000-81701D(config-captive-portal-ca-enhanced-policy)#

The following examples configure a scenario where a successfully authenticated user is redirected to an externally hosted Welcome page from the internal landing page.

rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage external welcome http://192.168.13.10/WelcomePage.html
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal welcome use-external-success-url
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#show context
captive-portal cap-enhanced-policy
 webpage external welcome http://192.168.13.10/WelcomePage.html
 webpage internal acknowledgement org-background-color #33ff88
 webpage internal acknowledgement org-font-color #bb6622
 webpage internal acknowledgement body-background-color #22aa11
 webpage internal acknowledgement body-font-color #bb6622
 webpage internal welcome use-external-success-url
rfs6000-81701D(config-captive-portal-ca-enhanced-policy)#

Related Commands
no
  Resets or disables captive portal configurations

4.1.31.2.24 webpage-auto-upload
captive-portal-mode commands

Enables automatic upload of advanced Web pages to requesting clients on association. Enable this option if the webpage-location is selected as advanced. For more information, see webpage-location.

If this feature is enabled, access points request Web pages from the controller during adoption. If the controller has a different set of Web pages than the ones existing on the access points, the controller distributes the Web pages uploaded on it to the access points.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
webpage-auto-upload

Parameters
None

Example
rfs6000-81742D(config-captive-portal-test)#webpage-auto-upload
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 webpage-auto-upload
 logout-fqdn logout.testuser.com
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no
  Disables automatic upload of advanced Web pages on a captive portal
webpage
  Configures Web pages displayed when interacting with a captive portal
webpage-location
  Specifies the location of the Web pages used for authentication

4.1.31.2.25 webpage-location
captive-portal-mode commands

Specifies the location of the Web pages used for authentication. These pages can either be hosted on the system or on an external Web server.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
webpage-location [advanced|external|internal]

Parameters
• webpage-location [advanced|external|internal]

advanced
  Uses Web pages for login, welcome, failure, and terms created and stored on the controller. Select advanced to use a custom-developed directory full of Web page content that can be copied in and out of the controller, service platform, or access point.
  If selecting advanced, enable the webpage-auto-upload option to automatically launch the advanced pages to requesting clients upon association. For more information, see webpage-auto-upload.

external
  Uses Web pages for login, welcome, failure, and terms located on an external server. Provide the URL for each of these pages.

internal
  Uses Web pages for login, welcome, and failure that are automatically generated

Example
rfs6000-81742D(config-captive-portal-test)#webpage-location external
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 server host 172.16.10.9
 simultaneous-users 5
 terms-agreement
 webpage-location external
 use aaa-policy test
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no
  Resets or disables captive portal Web page settings
webpage
  Configures a captive portal’s Web page (acknowledgment, agreement, login, welcome, fail, no-service, and terms) settings
webpage-auto-upload
  Enables an automatic upload of advanced Web pages on a captive portal

4.1.31.2.26 welcome-back

Enables the provision of direct Internet access to once-registered, captive-portal guest users on subsequent log-ins. When enabled, a registered captive-portal guest user, on subsequent logins, is served the Acknowledgement page only if:
• The agreement-refresh option is enabled for device-based (device and device-OTP) registration, and
• The interval between logout and login is less than the agreement-refresh timeout configured in the WLAN context. If this interval exceeds the agreement-refresh timeout, the user is served the Agreement page. For more information on configuring the agreement-refresh timeout value, see registration.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
welcome-back pass-through

Parameters
• welcome-back pass-through
welcome-back pass-through – Enables display of the Acknowledgement page to an already registered user on subsequent captive-portal log-ins, provided the interval between logout and login is less than the agreement-refresh timeout
• pass-through – Provides user direct Internet access, from the Welcome-back page, without any user action

Example
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
 welcome-back pass-through
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
 webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
 webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
 webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
 webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
 webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
 webpage internal registration field via-email type checkbox enable title "Email Preferred"
nx9500-6C8809(config-captive-portal-test)#

Related Commands
no – Disables the provision of direct Internet access to once-registered, captive-portal guest users on subsequent log-ins

4.1.31.2.27 configuring device registration with dynamic VLAN assignment

This section provides the configurations required to enable device registration with dynamic VLAN assignment in a multi-vendor environment.

1 Create vendor-specific RADIUS user groups and assign an allowed VLAN to each group, as shown in the following examples:

nx9500-6C8809(config)#radius-group Apple
nx9500-6C8809(config-radius-group-Apple)#policy vlan 200
nx9500-6C8809(config)#radius-group Samsung
nx9500-6C8809(config-radius-group-Samsung)#policy vlan 100
nx9500-6C8809(config)#radius-group Devices
nx9500-6C8809(config-radius-group-Devices)#policy vlan 1

Note, if necessary, configure the session-time for each of the RADIUS groups configured above. This is the duration for which a RADIUS group client’s session remains active after successful authentication. Upon expiration, the RADIUS session is terminated. Use the policy > session-time > <5-144000> command to specify the session-time.

2 Create a RADIUS user pool, add users to the pool, and assign the users to the vendor-specific user groups, as shown in the following examples:

nx9500-6C8809(config)#radius-user-pool-policy Vendor-Devices
nx9500-6C8809(config-radius-user-pool-Vendor-Devices)#user Samsung password 0 samsung group Samsung
nx9500-6C8809(config-radius-user-pool-Vendor-Devices)#user test password 0 test123 group Apple

3 Create a RADIUS server policy, and associate the RADIUS groups and user pool created in steps 1 and 2 respectively, as shown in the following examples:

nx9500-6C8809(config)#radius-server-policy Guest-Radius
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-user-pool-policy Vendor-Devices
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Samsung
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Sony
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Apple

4 Create an AAA Policy on the controller, and configure the authentication server as self, as shown in the following example:

nx9500-6C8809(config)#aaa-policy OnBoard-NX
nx9500-6C8809(config-aaa-policy-OnBoard-NX)#authentication server 1 onboard controller
nx9500-6C8809(config-aaa-policy-OnBoard-NX)#show context
aaa-policy OnBoard-NX
 authentication server 1 onboard self
nx9500-6C8809(config-aaa-policy-OnBoard-NX)#

5 Create a captive-portal, point to the captive-portal’s server, enable RADIUS VLAN assignment, and associate the AAA policy, as shown in the following examples:

nx9500-6C8809(config)#captive-portal DeviceRegistration
nx9500-6C8809(config-captive-portal-DeviceRegistration)#server host captive.extremenoc.com
nx9500-6C8809(config-captive-portal-DeviceRegistration)#radius-vlan-assignment
nx9500-6C8809(config-captive-portal-DeviceRegistration)#use aaa-policy OnBoard-NX
nx9500-6C8809(config-captive-portal-DeviceRegistration)#access-type radius

6 Configure a WLAN and enable RADIUS VLAN assignment, as shown in the following examples:

nx9500-6C8809(config)#wlan CP-OnBoarding
nx9500-6C8809(config-wlan-CP-OnBoarding)#ssid CP-OnBoarding
nx9500-6C8809(config-wlan-CP-OnBoarding)#radius vlan-assignment
nx9500-6C8809(config-wlan-CP-OnBoarding)#use aaa-policy OnBoard-NX
nx9500-6C8809(config-wlan-CP-OnBoarding)#use captive-portal DeviceRegistration
nx9500-6C8809(config-wlan-CP-OnBoarding)#captive-portal-enforcement fall-back
nx9500-6C8809(config-wlan-CP-OnBoarding)#registration device group-name Devices expiry-time 4320
nx9500-6C8809(config-wlan-CP-OnBoarding)#authentication-type mac

7 Create an access point profile, associate the RADIUS server policy and the captive-portal policy with it, and assign the WLAN to the AP radio, as shown in the following examples:

nx9500-6C8809(config-profile-SITE-10)#use radius-server-policy Guest-Radius
nx9500-6C8809(config-profile-SITE-10)#use captive-portal server DeviceRegistration
nx9500-6C8809(config-profile-SITE-10-if-radio2)#wlan CP-OnBoarding bss 1 primary
nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport mode trunk
nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk native vlan 90
nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk allowed vlan 1,90,1000-1002
nx9500-6C8809(config-profile-SITE-10-if-ge1)#no switchport trunk native tagged

8 Use the access point profile in the access point’s device context.

Related Commands
radius-server-policy – Documents RADIUS server policy configuration commands
radius-group – Documents RADIUS group policy configuration commands
radius-user-pool-policy – Documents RADIUS user policy configuration commands
aaa-policy – Documents AAA policy configuration commands
captive portal – Documents captive-portal configuration commands
wlan – Documents WLAN configuration commands
Profile Config Commands – Documents profile configuration commands
guest-registration – Documents show > guest-registration command and outputs. Use this command to view guest registration statistics once device-registration is enabled.

4.1.31.2.28 configuring WeChat Wi-Fi hotspot support in WiNG captive portal

WeChat is a popular messaging app used in China with more than 500 million installations. WeChat’s WiFi hotspot solution allows businesses to provide Internet access to their customers. The WiNG captive portal can be configured to incorporate the WeChat WiFi hotspot, so that WeChat users, on their first connect to a WiNG access point, can automatically authenticate with the WeChat server through an intermediate server.

This section provides an example that shows the configurations required on the WiNG portal to enable WeChat Wi-Fi hotspot.

1 Create an AAA policy re-directing the WiNG captive portal user to WeChat’s AAA server for authentication, as shown in the following example:

nx9500-6C8809(config)#aaa-policy cloud2
nx9500-6C8809(config-aaa-policy-cloud2)#authentication server 1 host cloud2.synchroweb.com secret 0 firmware
nx9500-6C8809(config-aaa-policy-cloud2)#show context
aaa-policy cloud2
 authentication server 1 host cloud2.synchroweb.com secret 0 firmware
nx9500-6C8809(config-aaa-policy-cloud2)#

Note, Synchroweb is an independent software vendor (ISV), whose third-party software is being used as the intermediate server. The AAA server and RADIUS accounting server configured in the AAA policy must be as per the specification provided by the ISV.

2 Create a DNS whitelist, whitelisting WeChat’s server name in order to initiate RADIUS authentication. The “qq.com” domain name is where the WeChat server can be reached.

nx9500-6C8809(config)#dns-whitelist wxWL
nx9500-6C8809(config-dns-whitelist-wxWL)#permit cloud2.synchroweb.com
nx9500-6C8809(config-dns-whitelist-wxWL)#permit qq.com suffix
nx9500-6C8809(config-dns-whitelist-wxWL)#show context
dns-whitelist wxWL
 permit qq.com suffix
 permit cloud2.synchroweb.com
nx9500-6C8809(config-dns-whitelist-wxWL)#

3 Create a captive portal and associate the AAA policy and DNS whitelist created in steps 1 & 2, as shown in the following example:

nx9500-6C8809(config)#captive-portal wxCP
nx9500-6C8809(config-captive-portal-wxCP)#use aaa-policy cloud2
nx9500-6C8809(config-captive-portal-wxCP)#use dns-whitelist wxWL

4 Configure the following captive portal parameters:

nx9500-6C8809(config)#captive-portal wxCP
nx9500-6C8809(config-captive-portal-wxCP)#access-time 10
nx9500-6C8809(config-captive-portal-wxCP)#server host guest.extreme.com
nx9500-6C8809(config-captive-portal-wxCP)#webpage-location external
nx9500-6C8809(config-captive-portal-wxCP)#webpage external login http://cloud2.synchroweb.com/wechat.nx/index.phpc=WING_TAG_CLIENT_MAC
nx9500-6C8809(config-captive-portal-wxCP)#show context
captive-portal wxCP
 access-time 10
 server host guest.extreme.com
 webpage-location external
 webpage external login http://cloud2.synchroweb.com/wechat.nx/index.phpc=WING_TAG_CLIENT_MAC
 use aaa-policy cloud2
 use dns-whitelist wxWL
--More--
nx9500-6C8809(config-captive-portal-wxCP)#

Note, the login URL configured here must be as per the specifications provided by the ISV.

Note, the access-type remains unchanged (i.e., radius, which is the default setting). The access-time is set to a minimum value (10 minutes in this example) in order to avoid the default value of 24 hours being applied, in case the RADIUS response does not contain the session-timeout attribute.

5 Create a WLAN and associate the captive portal created in step 3:

nx9500-6C8809(config)#wlan wxOpen
nx9500-6C8809(config-wlan-wxOpen)#ssid wxOpen
nx9500-6C8809(config-wlan-wxOpen)#vlan 200
nx9500-6C8809(config-wlan-wxOpen)#use captive-portal wxCP
nx9500-6C8809(config-wlan-wxOpen)#captive-portal-enforcement
nx9500-6C8809(config-wlan-wxOpen)#show context
wlan wxOpen
 ssid wxOpen
 vlan 200
 bridging-mode local
 encryption-type none
 authentication-type none
 use captive-portal wxCP
 captive-portal-enforcement
nx9500-6C8809(config-wlan-wxOpen)#

Note, the modes of authentication and encryption remain unchanged (i.e., none, which is the default setting for both parameters). Ensure captive-portal-enforcement is enabled on the WLAN.

Related Commands
AAA-POLICY – Documents AAA policy configuration mode commands
dns-whitelist – Documents DNS whitelist configuration mode commands
captive portal – Documents captive portal configuration mode commands
wlan – Documents WLAN configuration mode commands

4.1.31.2.29 configuring ExtremeGuest captive-portal

This section documents the basic configurations required to deploy an ExtremeGuest (EGuest) setup. A typical EGuest deployment consists of the EGuest server, EGuest captive-portal database, and NOC adopting the access points. The EGuest server and database can be hosted only on the VX9000 platform.

In the following example, the EGuest server and database are hosted on the same device.

1 On the EGuest server/database host,

a Enable the EGuest daemon. When enabled, the EGuest server is up and running.
EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#eguest-server

b Apply a database-policy to enable the EGuest database.
EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#use database-policy default

c Configure the NTP server. This is to ensure time synchronization across replica-set members (this is mandatory in replica-set deployments and should be configured either on the replica-set members’ device or profile context).
EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#ntp server time.nist.govt

2 On the NOC,

a Create an AAA policy with the following configurations:

- Configure the EGuest server (configured in Step 1) as the authentication and accounting RADIUS server.
NOC(config-aaa-policy-EguestAAA)#authentication server 1 host EG-Server secret 0 extreme123
NOC(config-aaa-policy-EguestAAA)#accounting server 1 host EG-Server secret 0 extreme123

- Configure the proxy-mode as ‘through-controller’. When configured, all requests to the server are proxied through the NOC.
NOC(config-aaa-policy-EguestAAA)#authentication server 1 proxy-mode through-controller
NOC(config-aaa-policy-EguestAAA)#accounting server 1 proxy-mode through-controller
NOC(config-aaa-policy-EguestAAA)#show context
aaa-policy EguestAAA
 accounting server 1 host EG-OnBServer secret 0 extreme123
 accounting server 1 proxy-mode through-controller
 authentication server 1 host EG-Server secret 0 extreme123
 authentication server 1 proxy-mode through-controller
NOC(config-aaa-policy-EguestAAA)#

b Create a DNS whitelist. Note, DNS whitelist configuration is required only if enabling OAuth on the EGuest captive-portal. When created and used on the EGuest captive-portal, the DNS whitelist renders social plugin buttons on the client prior to successful captive portal authentication.

- Configure the following permit rules:
NOC(config-dns-whitelist-EguestDNS)#permit fbstatic-a.akamaihd.net
NOC(config-dns-whitelist-EguestDNS)#permit connect facebook.net
NOC(config-dns-whitelist-EguestDNS)#permit facebook.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit fbcdn.net suffix
NOC(config-dns-whitelist-EguestDNS)#permit googleapis.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit google.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit googleusercontent.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit linkedin.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit static.licdn.com
NOC(config-dns-whitelist-EguestDNS)#permit twitter.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit twimg.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit instagramstatic-a.akamaihd.net
NOC(config-dns-whitelist-EguestDNS)#permit instagram.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit ssl.gstatic.com
NOC(config-dns-whitelist-EguestDNS)#permit extremenetworks.com suffix
NOC(config-dns-whitelist-EguestDNS)#permit local.extreme.com

c Create a captive-portal with the following configurations:

- Specify the captive-portal server.
NOC(config-captive-portal-EguestCP)#server host guest.extreme.com

- Use the AAA policy created in Step 2 a.
NOC(config-captive-portal-EguestCP)#use aaa-policy EguestAAA

- Enable social-media authentication. This setting is optional.
NOC(config-captive-portal-EguestCP)#oauth

- Use the DNS whitelist created in Step 2 b. Note, the DNS whitelist is required only if enabling OAuth on the captive-portal.
NOC(config-captive-portal-EguestCP)#use dns-whitelist EguestDNS

- Configure the webpage-location as advanced. Note, webpage-location should be ‘advanced’ if using pages created with EGuest splash templates.
NOC(config-captive-portal-EguestCP)#webpage-location advanced

d Create a WLAN policy with the following configurations:

- Enable MAC authentication.
NOC(config-wlan-EguestWLAN)#authentication-type mac

- Use the AAA policy created in Step 2 a.
NOC(config-wlan-EguestWLAN)#use aaa-policy EguestAAA
When used, access points/controllers forward registration requests to the EGuest server specified in the AAA policy. However, ensure that the registration > external > follow-aaa option is configured on the WLAN. See below.
NOC(config-wlan-EguestWLAN)#registration external follow-aaa
This enables the use of the Authentication and Accounting servers specified in the AAA policy applied on the WLAN.

- Use the captive-portal created in Step 2 c.
NOC(config-wlan-EguestWLAN)#use captive-portal EguestCP

- Enable captive-portal enforcement with fall-back.
NOC(config-wlan-EguestWLAN)#captive-portal-enforcement fall-back

- Configure the following guest registration parameters:
NOC(config-wlan-EguestWLAN)#registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
This is the RADIUS group assigned to registered users post authentication.

NOC(config-wlan-EguestWLAN)#show context
wlan EguestWLAN
 ssid _EXTREME-GUEST-NRF2017
 vlan 1
 bridging-mode local
 encryption-type none
 authentication-type mac
 no answer-broadcast-probes
 no client-client-communication
 wireless-client hold-time 300
 use aaa-policy EguestAAA
 use captive-portal EguestCP
 captive-portal-enforcement fall-back
 registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
 registration external follow-aaa
 mac-authentication cached-credentials
NOC(config-wlan-EguestWLAN)#

e In the NOC’s self context, configure the EGuest server.
NOC(config-device-74-67-F7-5C-64-4A)#eguest-server host 1 EG-Server https

3 In the Access Point’s device or profile context,

a Use the captive-portal configured in Step 2 c.
Eguest-AP(config-device-74-67-F7-5C-64-4A)#use captive-portal EguestCP

4 To view EGuest registration status and statistics, on the EGuest server, use the following commands:
EG-Server-DB#show eguest registration statistics
EG-Server-DB#show eguest registration status

5 To clear EGuest registration statistics, on the EGuest server, use the following command:
EG-Server-DB#clear eguest registration statistics

Related Commands
eguest-server (VX9000 only) – Documents the eguest-server command. When used in the EGuest server’s device/profile context, without the ‘host’ option, it enables the EGuest daemon. When used on the NOC along with the ‘host’ option, it points to the EGuest server.
AAA-POLICY – Documents AAA policy configuration commands
dns-whitelist – Documents DNS-whitelist configuration commands
captive portal – Documents captive-portal configuration commands
wlan – Documents WLAN configuration commands
eguest – Documents the show > eguest command outputs

4.1.32 clear

Clears parameters, cache entries, table entries, and other similar entries. The clear command is available for specific commands only. The information cleared using this command varies depending on the mode where executed.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
clear event-history

Parameters
• clear event-history
event-history – Clears the event history file

Example
rfs4000-880DA7(config)#show event-history
EVENT HISTORY REPORT
Generated on '2017-06-09 14:23:31 IST' by 'admin'
2017-06-09 14:16:28 rfs4000-880DA7  SYSTEM     LOGIN                Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-06-09 14:06:21 rfs4000-880DA7  DEVICE     OFFLINE              Device B4-C7-99-71-17-28(ap8132-711728) is offline, last seen:10 minutes ago on switchport ap7522-8330A4:ge1
2017-06-09 13:46:15 rfs4000-880DA7  SYSTEM     CONFIG_REVISION      Configuration revision updated to 10 from 9
2017-06-09 13:36:12 rfs4000-880DA7  SYSTEM     CONFIG_REVISION      Configuration revision updated to 9 from 8
2017-06-09 13:26:09 rfs4000-880DA7  SYSTEM     CONFIG_COMMIT        Configuration commit by user 'cfgd' (site apply config diff) from '127.0.0.1'
2017-06-09 13:16:06 rfs4000-880DA7  DEVICE     UNADOPTED            Device('ap8132-711728'/'ap81xx'/B4-C7-99-71-17-28) at rf-domain:'TechPubs' unadopted. Radios: Count=2, Bss: B4-C7-99-78-53-10|B4-C7-99-78-53-70|
2017-06-09 13:10:047     ap8132-711728  SYSTEM     WARM_START           System Warm Start Reason : Upgrade done, reloading... (user: system @ rfs4000-880DA7) Timestamp: Nov 04 11:32:27 2016
2017-06-09 13:06:03 rfs4000-880DA7  DEVICE     DEVICE_UPGRADE_REBOOT DEVICEUPGRADE: ap81xx mac B4-C7-99-71-17-28 Device upgrade rebooting
--More--
rfs4000-880DA7(config)#
rfs4000-880DA7(config)#clear event-history
rfs4000-880DA7(config)#show event-history
EVENT HISTORY REPORT
Generated on '2017-06-09 14:27:05 IST' by 'admin'
rfs4000-880DA7(config)#

4.1.33 client-identity

With an increase in Bring Your Own Device (BYOD) corporate networks, there is a parallel increase in the number of possible attack scenarios within the network. BYOD devices are inherently unsafe, as the organization’s security mechanisms do not extend to these personal devices deployed in the corporate wireless network. Organizations can protect their network by limiting how and what these BYODs can access on and through the corporate network.

Device fingerprinting assists administrators by controlling how BYOD devices access a corporate wireless domain.

Device fingerprinting uses DHCP options sent by the client in request or discover packets to derive a unique signature specific to device class. For example, Apple devices have a different signature from Android devices. The signature is used to classify the devices and assign permissions and restrictions on each device class.

The following table summarizes the commands available for creating and configuring a set of new client identity parameters:

Table 4.12 Client-Identity-Config Commands
Command – Description
client-identity – Creates a new client identity and enters its configuration mode
client-identity-mode commands – Invokes the client identity policy configuration mode commands
client-identity-group – Creates a new client identity group and enters its configuration mode

4.1.33.1 client-identity

Creates a new client identity and enters its configuration mode. Client identity is a set of unique fingerprints used to identify a class of devices. This information is used to configure permissions and access rules for the identified class of devices in the network. The client-identity feature enables device fingerprinting.

Device fingerprinting is a technique of collecting, analyzing, and identifying traffic patterns originating from remote computing devices. When enabled, device fingerprinting helps to identify a wireless client’s device type. There are two methods of fingerprinting devices: Active and Passive.

Active fingerprinting is based on the fact that traffic patterns vary with varying device types. It involves the sending of requests (HTTP, etc.) to devices (clients) and analyzing their response to determine the device type. For example, an invalid request is sent to a device, and its error response is analyzed to identify the device type. Since active device fingerprinting involves sending of packets, the probability of the network getting flooded is very high, especially when many devices are being fingerprinted simultaneously.

Passive fingerprinting involves monitoring of devices to check for known traffic patterns specific to devices based on the protocol, driver implementation, etc. This method accurately classifies a client’s TCP/IP configuration, OS fingerprints, wireless settings, etc. No packets are sent to the device. Some of the commonly used protocols for passive device fingerprinting are TCP, DHCP, HTTP, etc.

This feature implements DHCP device fingerprinting, which relies on specific information sent by a wireless client when acquiring an IP address and other configuration information from a DHCP server. The feature uses the DHCP options sent by the wireless client in the DHCP request or discover packets to derive a unique signature specific to the class of devices. For example, Apple devices have a different signature than Android devices. This unique signature can then be used to classify the devices and assign permissions and restrictions on each device class.

The WiNG software provides a set of built-in device fingerprints that load by default and identify client device types. Use the service > show > client-identity-defaults command to view default client identity fingerprints.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
client-identity <CLIENT-IDENTITY-NAME>

Parameters
• client-identity <CLIENT-IDENTITY-NAME>
client-identity <CLIENT-IDENTITY-NAME> – Creates a new client identity policy and enters its configuration mode
• <CLIENT-IDENTITY-NAME> – Specify a client identity policy name. If the client identity policy does not exist, it is created.

Usage Guidelines
The following points should be considered when configuring the client identity (device fingerprinting) feature:
• Ensure that DHCP is enforced on the WLANs. For more information on enforcing DHCP on WLANs, see enforce-dhcp.
• Successful identification of different device types depends on the uniqueness of the configured fingerprints. DHCP fingerprinting identifies clients based on the patterns (fingerprints) in the DHCP discover and request messages sent by clients. If different operating systems have the same fingerprints, it will be difficult to identify the device type.
• When associating client identities with a role policy, ensure that the profile/device, under which the role policy is being used, also has an associated client identity group (containing all the client identities used by the role policy).

Example
rfs4000-229D58(config)#client-identity test
rfs4000-229D58(config-client-identity-test)#?
Client Identity Mode commands:
  dhcp                     Add a DHCP option based match criteria
  dhcp-match-message-type  Specify DHCP message type to match
  no                       Negate a command or set its defaults
  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal
rfs4000-229D58(config-client-identity-test)#

Use the service > show > client-identity-defaults command to view default, built-in, system-provided client identity fingerprints:

nx9500-6C8809#service show client-identity-defaults
client-identity Android-2-1
 dhcp 1 message-type request option 55 exact hexstring 0103061c21333a3b79
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.1
client-identity Android-2-2
 dhcp 1 message-type request option 55 exact hexstring 01792103061c333a3b
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15
client-identity Android-2-3
 dhcp 3 message-type request option 55 exact hexstring 01792103061c333a3b
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15
 dhcp 1 message-type request option-codes exact hexstring 353d32393c37
 dhcp 2 message-type request option-codes exact hexstring 353d3236393c37
 dhcp 10 message-type request option-codes exact hexstring 353d3236393c0c37
--More--
nx9500-6C8809#
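
The built-in fingerprints listed above can be checked by hand against a DHCP request. The following Python sketch is an added example, not WiNG code: it parses rule lines in the show-context form and evaluates them against a DHCP options field. It assumes that option-codes is the ordered list of option codes in the message (353d32393c37 reads as 53, 61, 50, 57, 60, 55), that an identity is reported when any one of its rules matches, and that a backslash in an ascii value escapes the next character; the function names and the sample request are constructed for illustration.

```python
import re
from collections import namedtuple

# DHCP option 53 values for the two message types a rule can name.
MSG_TYPES = {1: "discover", 3: "request"}
# option is None when the rule matches on option-codes instead of one option.
Rule = namedtuple("Rule", "index msg_type option mode value")
RULE_RE = re.compile(
    r"dhcp\s+(?P<idx>\d+)\s+message-type\s+(?P<mtype>discover|request)\s+"
    r"(?:option\s+(?P<opt>\d+)|option-codes)\s+"
    r"(?P<mode>contains|exact|starts-with)\s+(?P<enc>ascii|hexstring)\s+(?P<word>.+)$"
)

def parse_rule(line):
    """Parse one 'dhcp ...' line in the form 'show context' prints it."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a dhcp match rule: {line!r}")
    if m["enc"] == "hexstring":
        value = bytes.fromhex(m["word"])
    else:
        # Assumption: a backslash escapes the next character ("dhcpcd\ 4.0.15").
        value = re.sub(r"\\(.)", r"\1", m["word"]).encode("ascii")
    option = int(m["opt"]) if m["opt"] else None
    return Rule(int(m["idx"]), m["mtype"], option, m["mode"], value)

def parse_options(data):
    """Return [(code, value), ...] in wire order from a DHCP options field."""
    options, i = [], 0
    while i < len(data) and data[i] != 255:       # 255 is the End option
        if data[i] == 0:                          # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"option at offset {i} is truncated")
        code, length = data[i], data[i + 1]
        options.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return options

def rule_matches(rule, options):
    msg = next((v for c, v in options if c == 53), b"")
    if len(msg) != 1 or MSG_TYPES.get(msg[0]) != rule.msg_type:
        return False
    if rule.option is None:
        # Assumption: option-codes is the ordered list of option codes seen.
        haystacks = [bytes(c for c, _ in options)]
    else:
        haystacks = [v for c, v in options if c == rule.option]
    if rule.mode == "exact":
        return any(h == rule.value for h in haystacks)
    if rule.mode == "starts-with":
        return any(h.startswith(rule.value) for h in haystacks)
    return any(rule.value in h for h in haystacks)    # contains

def classify(identities, options_field):
    """Map each identity with a matching rule to the indexes that matched."""
    options = parse_options(options_field)
    hits = {}
    for name, lines in identities.items():
        matched = sorted(r.index for r in map(parse_rule, lines) if rule_matches(r, options))
        if matched:
            hits[name] = matched
    return hits

# Rules copied from the client-identity-defaults output above.
DEFAULTS = {
    "Android-2-1": [
        "dhcp 1 message-type request option 55 exact hexstring 0103061c21333a3b79",
        r"dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.1",
    ],
    "Android-2-2": [
        "dhcp 1 message-type request option 55 exact hexstring 01792103061c333a3b",
        r"dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15",
    ],
    "Android-2-3": [
        "dhcp 3 message-type request option 55 exact hexstring 01792103061c333a3b",
        r"dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15",
        "dhcp 1 message-type request option-codes exact hexstring 353d32393c37",
        "dhcp 2 message-type request option-codes exact hexstring 353d3236393c37",
        "dhcp 10 message-type request option-codes exact hexstring 353d3236393c0c37",
    ],
}

def opt(code, value):
    return bytes([code, len(value)]) + value

# Constructed DHCP request options (not a capture), in wire order 53,61,50,57,60,55.
SAMPLE_REQUEST = (
    opt(53, b"\x03") + opt(61, bytes.fromhex("01020000000001"))
    + opt(50, bytes([192, 0, 2, 10])) + opt(57, b"\x05\xdc")
    + opt(60, b"dhcpcd 4.0.15") + opt(55, bytes.fromhex("01792103061c333a3b"))
    + b"\xff"
)

if __name__ == "__main__":
    print(classify(DEFAULTS, SAMPLE_REQUEST))
```

The sample request matches Android-2-2 and Android-2-3 alike because the two identities share their option 55 and option 60 values, which is the ambiguity the usage guidelines describe. Every matched field is supplied by the client, so the result is a classification hint rather than proof of device type.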

4.1.33.2 client-identity-mode commands

The following table summarizes client identity configuration mode commands:

Table 4.13 Client-Identity-Mode Commands
Command – Description
dhcp – Configures the DHCP option match criteria for device fingerprinting
dhcp-match-message-type – Configures the DHCP message type for device fingerprinting
no – Removes the DHCP option (used for client identification) configurations

4.1.33.2.1 dhcp

Configures the DHCP option match criteria (signature) for the discover and request message types received from wireless clients.

When accessing a network, DHCP discover and request messages are passed between wireless clients and the DHCP server. These messages contain DHCP options and option values that differ from device to device and are based on the DHCP implementation in the device’s operating system (OS). Options and option values contained in a client’s messages are parsed and compared against the configured DHCP option values to identify the device. Once a device type is identified, the wireless client database is updated with the discovered device type.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcp <1-16> message-type [discover|request] [option|option-codes]
dhcp <1-16> message-type [discover|request] [option <1-254>|option-codes] [contains|exact|starts-with] [ascii|hexstring] <WORD>

Parameters
• dhcp <1-16> message-type [discover|request] [option <1-254>|option-codes] [contains|exact|starts-with] [ascii|hexstring] <WORD>

dhcp <1-16> – Adds a DHCP option match criteria signature
• <1-16> – Specify an index for this DHCP match criteria from 1 - 16. A maximum of 16 match criteria can be configured.

message-type [discover|request] – Specifies the message type to which this DHCP match criteria is applicable
• discover – Applies this match criteria to DHCP discover messages only. Indicates that the fingerprint is only checked with any DHCP discover messages received from any device.
• request – Applies this match criteria to DHCP request messages only. Indicates that the fingerprint is only checked with any DHCP request messages received from any device.
It is recommended to configure client-identity with request messages, because clients rarely send discover messages.
If the message type is not specified, the fingerprint is checked with all message types (DHCP request and DHCP discover).

option <1-254> – The following keywords are common to the ‘discover’ and ‘request’ message types:
• option – Configures a DHCP option value, which is used as the match criteria
• <1-254> – Configures a code for this DHCP option from 1 - 254 (except option 53)
option-codes
    The following keyword is common to the ‘discover’ and ‘request’ message types:
    • option-codes – Matches criteria based on the DHCP option codes contained in the client’s discover/request messages
    Devices pass options in their DHCP discover/request messages as option codes, option types, and option value sets. These option codes are extracted and matched against the configured DHCP option codes and a fingerprint is derived. This derived fingerprint is used to identify the device.

contains
    The following keyword is common to the ‘discover’ and ‘request’ message types:
    • contains – Specifies that the DHCP options received in the client’s discover/request messages contain the configured option code string

exact
    The following keyword is common to the ‘discover’ and ‘request’ message types:
    • exact – Specifies that the DHCP options received in the client’s discover/request messages are an exact match with the configured option code string

starts-with
    The following keyword is common to the ‘discover’ and ‘request’ message types:
    • starts-with – Specifies that the DHCP options received in the client’s discover/request messages start with the configured option code string

ascii <WORD>
    The following keywords are common to the ‘contains’, ‘exact’, and ‘starts-with’ parameters:
    • ascii – Configures the DHCP option in the ASCII format
    • <WORD> – Specify the DHCP option ASCII value to match.

hexstring <WORD>
    The following keywords are common to the ‘contains’, ‘exact’, and ‘starts-with’ parameters:
    • hexstring – Configures the DHCP option in the hexadecimal format
    • <WORD> – Specify the DHCP option hexstring value to match.

Usage Guidelines
The following DHCP options are useful for identifying different device types:
• Option 55: Used by a DHCP client to request values for specific configuration parameters. It is a list of DHCP option codes and can be in the client’s order of preference.
• Client configured list of DHCP options (all options parsed into a hex string).
• Option 60: Vendor class identifier. Used to identify the vendor and functionality of a DHCP client (some devices do not set the value of this field).
Though it is possible to use any option to configure a device fingerprint, the use of a combination of one or more of the preceding options to define a device is recommended.

Example
rfs4000-229D58(config-client-identity-test)#dhcp 1 message-type request option 60 exact ascii MSFT\5.0
rfs4000-229D58(config-client-identity-test)#dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
 dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
rfs4000-229D58(config-client-identity-test)#
Related Commands
no
    Removes a DHCP option signature (match criteria)
4.1.33.2.2 dhcp-match-message-type

Configures the DHCP message type to match

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcp-match-message-type [all|any|discover|request]

Parameters
• dhcp-match-message-type [all|any|discover|request]

dhcp-match-message-type [all|any|discover|request]
    Specifies the DHCP message type to consider for matching
    • all – Matches all message types: discover and request. Indicates that the fingerprint is checked with both the DHCP request and the DHCP discover message.
    • any – Matches any message type: discover or request. Indicates that the fingerprint is checked with either the DHCP request or the DHCP discover message.
    • discover – Matches discover messages only. Client matches the client identity only if the discover message sent by the client matches. Values configured for request messages are ignored.
    • request – Matches request messages only. Client matches the client identity only if the request message sent by the client matches. Values configured for discover messages are ignored.

Example
rfs4000-229D58(config-client-identity-test)#dhcp-match-message-type all
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
 dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
 dhcp-match-message-type all
rfs4000-229D58(config-client-identity-test)#

Related Commands
no
    Removes the DHCP message type to match
4.1.33.2.3 no

Removes the DHCP options match criteria configurations

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [dhcp <1-16>|dhcp-match-message-type]

Parameters
• no [dhcp <1-16>|dhcp-match-message-type]

dhcp <1-16>
    Removes the DHCP option match criteria rule identified by the <1-16> keyword
    • <1-16> – Specify the DHCP option match criteria rule index

dhcp-match-message-type
    Removes the DHCP message type to match

Example
The following example shows the client identity ‘test’ settings before the ‘no’ commands are executed:
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
 dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
 dhcp-match-message-type all
rfs4000-229D58(config-client-identity-test)#

The following example shows the client identity ‘test’ settings after the ‘no’ commands are executed:
rfs4000-229D58(config-client-identity-test)#no dhcp 2
rfs4000-229D58(config-client-identity-test)#no dhcp-match-message-type
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
rfs4000-229D58(config-client-identity-test)#

Related Commands
dhcp
    Configures the DHCP option match criteria for device fingerprinting
dhcp-match-message-type
    Configures the DHCP message type for device fingerprinting
4.1.34 client-identity-group

The following table summarizes commands available to enter the client identity group configuration mode:

Table 4.14 Client-Identity-Group Config Commands
Command | Description | Reference
client-identity-group | Creates a new client identity group and enters its configuration mode | page 4-157
client-identity-group-mode commands | Invokes the client identity group configuration mode commands | page 4-158
client-identity | Creates new client identity policy and enters its configuration mode | page 4-147
4.1.34.1 client-identity-group

Configures a new client identity group

A client identity group is a collection of client identities. Each client identity included in a client identity group is assigned a priority value that indicates the priority of that identity during device fingerprinting.

Device Fingerprinting relies on specific information sent by a wireless client when acquiring IP address and other configuration information from a DHCP server. The feature uses the DHCP options sent by the wireless client in the DHCP request or discover packets to derive a unique signature specific to the class of devices. For example, Apple devices have a different signature than Android devices. This unique signature can then be used to classify the devices and assign permissions and restrictions on each device class.

A client identity group can be attached to a profile or device, enabling device fingerprinting on them.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
client-identity-group <CLIENT-IDENTITY-GROUP-NAME>

Parameters
• client-identity-group <CLIENT-IDENTITY-GROUP-NAME>

client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
    Creates a new client identity group and enters its configuration mode
    • <CLIENT-IDENTITY-GROUP-NAME> – Specify a client identity group name. If the group does not exist, it is created.

Example
rfs4000-229D58(config)#client-identity-group test
rfs4000-229D58(config-client-identity-group-test)#?
Client Identity group Mode commands:
  client-identity  Client identity (DHCP Device Fingerprinting)
  load             Load Client identity Fingerprints
  no               Negate a command or set its defaults
  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal
rfs4000-229D58(config-client-identity-group-test)#
4.1.34.2 client-identity-group-mode commands

The following table summarizes client identity group configuration mode commands:

Table 4.15 Client-Identity-Group-Mode Commands
Command | Description | Reference
client-identity | Associates an existing and configured client identity (device fingerprint) with this client identity group | page 4-159
load | Loads default (system-provided) client identity fingerprints | page 4-161
no | Removes the client identity associated with this client identity group | page 4-155
4.1.34.2.1 client-identity

Associates an existing and configured client identity (device fingerprint) with this client identity group

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>

Parameters
• client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>

client-identity <CLIENT-IDENTITY-NAME>
    Associates a client identity with this group
    • <CLIENT-IDENTITY-NAME> – Specify a client identity name (should be existing and configured)

precedence <1-10000>
    Determines the order in which client identity is used
    • <1-10000> – Specify this client identity precedence from <1-10000>.
    The client identity rule is applied based on its precedence value. The lower the value, the higher the precedence. Therefore, a client identity with precedence 5 gets precedence over a client identity having precedence 20.

Example
The following example shows two client identities created and configured:
rfs4000-229D58(config)#show context
!
! Configuration of RFS4000 version 5.9.1.0-029R
!
!
version 2.5
!
!
client-identity TestClientIdentity
 dhcp 1 message-type request option-codes exact hexstring 5e4d36780b3a7f
!
client-identity test
 dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
 dhcp-match-message-type all
!
client-identity-group ClientIdentityGroup
 client-identity TestClientIdentity precedence 1
!
client-identity-group test
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
--More--
rfs4000-229D58(config)#

The following example associates client identity ‘test’ with the client identity group ‘test’:
rfs4000-229D58(config-client-identity-group-test)#client-identity test precedence 1

The following example shows the client identity group ‘test’ with two associated client identities having precedence 1 and 2:
rfs4000-229D58(config-client-identity-group-test)#client-identity TestClientIdentity precedence 2
rfs4000-229D58(config-client-identity-group-test)#show context
client-identity-group test
 client-identity test precedence 1
 client-identity TestClientIdentity precedence 2
rfs4000-229D58(config-client-identity-group-test)#

Related Commands
no
    Removes the client identity associated with the client identity group
4.1.34.2.2 load

Loads default (built-in, system-provided) client identity fingerprints. This option is enabled by default.

The WiNG software provides some built-in client identity fingerprints that are automatically loaded when the client identity group is applied to a device (either directly or through the profile).

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
load default-fingerprints

Parameters
• load default-fingerprints

load default-fingerprints
    Loads client identity default fingerprints. This option is enabled by default.

Example
The auto-load default fingerprints option is enabled by default, as shown in the following example:
nx9500-6C8809(config-client-identity-group-test)#show context
client-identity-group test
 load default-fingerprints
nx9500-6C8809(config-client-identity-group-test)#

In scenarios where only customized client identities are to be applied, use the no > load > default-fingerprints command to disable auto-loading of default device fingerprints.
nx9500-6C8809(config-client-identity-group-test)#no load default-fingerprints
nx9500-6C8809(config-client-identity-group-test)#show context
client-identity-group test
 no load default-fingerprints
nx9500-6C8809(config-client-identity-group-test)#

Use the service > show > client-identity-defaults command to view default client identity fingerprints:
nx9500-6C8809#service show client-identity-defaults
client-identity Android-2-1
 dhcp 1 message-type request option 55 exact hexstring 0103061c21333a3b79
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.1
client-identity Android-2-2
 dhcp 1 message-type request option 55 exact hexstring 01792103061c333a3b
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15
client-identity Android-2-3
 dhcp 3 message-type request option 55 exact hexstring 01792103061c333a3b
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15
 dhcp 1 message-type request option-codes exact hexstring 353d32393c37
 dhcp 2 message-type request option-codes exact hexstring 353d3236393c37
 dhcp 10 message-type request option-codes exact hexstring 353d3236393c0c37
--More--
nx9500-6C8809#

Related Commands
no
    Disables automatic loading of default client identity fingerprints
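The following Python sketch is an added example, not WiNG code: it models the dhcp rule matching, the dhcp-match-message-type modes and the group precedence described in the preceding sections, using rules from the Android default fingerprints shown above and a constructed DHCP request. How the rules of one identity combine, the default message-type mode and the shell-style reading of the backslash-escaped space are assumptions.

```python
import shlex
from dataclasses import dataclass

MODES = ("contains", "exact", "starts-with")

@dataclass(frozen=True)
class Rule:
    index: int
    msg_type: str   # "discover" or "request"
    target: object  # option code (int) or the string "option-codes"
    mode: str       # one of MODES
    want: bytes     # configured <WORD>, decoded from ascii or hexstring

def parse_rule(line):
    """Parse one 'dhcp <1-16> message-type ...' line as printed by show context."""
    t = shlex.split(line)  # assumption: '\ ' is an escaped space, as in a shell
    if (len(t) < 8 or t[0] != "dhcp" or t[2] != "message-type"
            or t[3] not in ("discover", "request")):
        raise ValueError("not a dhcp rule: " + line)
    if t[4] not in ("option", "option-codes"):
        raise ValueError("expected option or option-codes: " + line)
    target, rest = (int(t[5]), t[6:]) if t[4] == "option" else ("option-codes", t[5:])
    if len(rest) != 3 or rest[0] not in MODES or rest[1] not in ("ascii", "hexstring"):
        raise ValueError("bad match clause: " + line)
    want = bytes.fromhex(rest[2]) if rest[1] == "hexstring" else rest[2].encode("ascii")
    return Rule(int(t[1]), t[3], target, rest[0], want)

def parse_options(raw):
    """Split a DHCP options field (the bytes after the magic cookie) into ordered
    (code, value) pairs. Pad (0) is skipped and End (255) stops parsing."""
    out, i = [], 0
    while i < len(raw) and raw[i] != 255:
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option %d" % code)
        out.append((code, raw[i + 2:i + 2 + raw[i + 1]]))
        i += 2 + raw[i + 1]
    return out

def message_type(options):
    """Return 'discover' or 'request' from option 53 (values 1 and 3), else None."""
    types = [v[0] for c, v in options if c == 53 and len(v) == 1]
    return {1: "discover", 3: "request"}.get(types[0]) if types else None

def rule_matches(rule, options):
    """True if one message's parsed options satisfy the rule."""
    if rule.target == "option-codes":
        # The option codes in the order the client sent them, one byte each.
        subjects = [bytes(code for code, _ in options)]
    else:
        subjects = [value for code, value in options if code == rule.target]
    # Comparing bytes rather than hex text keeps matches aligned to whole bytes.
    if rule.mode == "exact":
        return any(v == rule.want for v in subjects)
    if rule.mode == "starts-with":
        return any(v.startswith(rule.want) for v in subjects)
    return any(rule.want in v for v in subjects)

@dataclass
class Identity:
    name: str
    rules: list
    match_type: str = "any"  # dhcp-match-message-type; this default is an assumption

def identity_matches(identity, seen):
    """seen maps 'discover'/'request' to that message's parsed options.
    Assumption: for one message type, a single matching rule is enough."""
    hit = {mt: any(r.msg_type == mt and rule_matches(r, opts) for r in identity.rules)
           for mt, opts in seen.items()}
    d, r = hit.get("discover", False), hit.get("request", False)
    return {"all": d and r, "any": d or r, "discover": d, "request": r}[identity.match_type]

def classify(group, seen):
    """group is a list of (precedence, Identity); the lowest value is tried first."""
    for _, identity in sorted(group, key=lambda entry: entry[0]):
        if identity_matches(identity, seen):
            return identity.name
    return None

# Rules copied from the default fingerprints listed on this page.
ANDROID_2_2 = Identity("Android-2-2", [parse_rule(s) for s in (
    "dhcp 1 message-type request option 55 exact hexstring 01792103061c333a3b",
    r"dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15")])
ANDROID_2_3 = Identity("Android-2-3", [parse_rule(s) for s in (
    "dhcp 3 message-type request option 55 exact hexstring 01792103061c333a3b",
    r"dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15",
    "dhcp 1 message-type request option-codes exact hexstring 353d32393c37")])

# Constructed DHCP request options field: codes 53, 61, 50, 57, 60, 55, then End.
REQUEST = bytes.fromhex(
    "350103" "3d0701020000000001" "3204c000020a" "390205dc"
    "3c0d" + b"dhcpcd 4.0.15".hex() + "3709" "01792103061c333a3b" "ff")

if __name__ == "__main__":
    print(classify([(1, ANDROID_2_3), (2, ANDROID_2_2)], {"request": parse_options(REQUEST)}))
```

Android-2-2 and Android-2-3 share their option 55 and option 60 rules, so the precedence value alone decides which name this request receives. Every compared value is supplied by the client itself, so the resulting device class is a classification hint rather than an authenticated attribute.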
4.1.34.2.3 no

Removes the client identity associated with the client identity group

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [client-identity|load]
no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>
no load default-fingerprints

Parameters
• no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>

no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>
    Disassociates a specified client identity from this client identity group
    • <CLIENT-IDENTITY-NAME> – Specify the client identity name.
    • precedence <1-10000> – Specify the above specified client identity’s precedence value from <1-10000>.
    The client identity rule is applied based on its precedence value. The lower the value, the higher the precedence. Therefore, a client identity with precedence 5 gets precedence over a client identity having precedence 20.

• no load default-fingerprints

no load default-fingerprints
    Disables automatic loading of built-in, system-provided client identity fingerprints

Example
rfs4000-229D58(config-client-identity-group-test)#show context
client-identity-group test
 client-identity test precedence 1
rfs4000-229D58(config-client-identity-group-test)#
rfs4000-229D58(config-client-identity-group-test)#no client-identity test
rfs4000-229D58(config)#

Related Commands
client-identity
    Associates an existing and configured client identity (device fingerprint) with this client identity group
load
    Loads default (built-in, system-provided) client identity fingerprints. This option is enabled by default.
4.1.35 clone

Creates a replica of an existing object or device. The configuration of the new object or device is an exact copy of the existing object or device configuration. Use this command to copy existing configurations and then modify only the required parameters.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
clone [TLO|device]
clone TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>
clone device <EXISTING-DEVICE-MAC/NAME> <NEW-DEVICE-MAC>

Parameters
• clone TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>

TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>
    Creates a new TLO by cloning an existing top-level object. The new object has the same configuration as the cloned object.
    • <EXISTING-OBJECT-NAME> – Specify the existing object’s (to be cloned) name
    • <NEW-OBJECT-NAME> – Provide the new object’s name.
    Enter clone and press Tab to list objects available for cloning.

• clone device <EXISTING-DEVICE-MAC/NAME> <NEW-DEVICE-MAC>

device <EXISTING-DEVICE-MAC/NAME> <NEW-DEVICE-MAC>
    Configures a new device based on an existing device configuration
    • <EXISTING-DEVICE-MAC/NAME> – Specify the existing device’s name or MAC address (the device to be cloned)
    • <NEW-DEVICE-MAC> – Provide the new device’s MAC address.
    Enter clone > device and press Tab to list devices available for cloning.

Example
nx9500-6C8809(config)#clone rf_domain TechPubs Cloned_TechPubs2
nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.1.0-008B
!
!
version 2.5
!
................................................................................
rf-domain TechPubs
 location SanJose
 timezone America/Los_Angeles
 country-code us
!
rf-domain Cloned_TechPubs2
 location SanJose
--More--
nx9500-6C8809(config)#
4.1.36 crypto-cmp-policy

Creates a crypto Certificate Management Protocol (CMP) policy and enters its configuration mode

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>

Parameters
• crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>

<CRYPTO-CMP-POLICY-NAME>
    Specify the crypto CMP policy name. If the policy does not exist, it is created.

Example
nx9500-6C8809(config)#crypto-cmp-policy CMP
nx9500-6C8809(config-cmp-policy-CMP)#?
CMP Policy Mode commands:
  ca-server             CMP CA Server configuration commands
  cert-key-size         Set key size for certificate request
  cert-renewal-timeout  Trigger a cert renewal request on timeout
  cross-cert-validate   Validate cross-cert using factory-cert
  no                    Negate a command or set its defaults
  subjectAltName        Configure subjectAltName value
  trustpoint            Trustpoint for CMP
  use                   Set setting to use
  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal
nx9500-6C8809(config-cmp-policy-CMP)#

Related Commands
no
    Resets values or disables commands

NOTE: For more information on the crypto CMP policy, see Chapter 29, CRYPTO-CMP-POLICY.
4.1.37 customize

Customizes the output of the summary CLI commands. Use this command to define the data displayed as a result of various show commands.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
customize [cdp-lldp-info-column-width|hostname-column-width|show-adoption-status|show-wireless-client|show-wireless-client-stats|show-wireless-client-stats-rf|show-wireless-meshpoint|show-wireless-meshpoint-accelerated-multicast|show-wireless-meshpoint-neighbor-stats|show-wireless-meshpoint-neighbor-stats-rf|show-wireless-mint-client|show-wireless-mint-client-stats|show-wireless-mint-client-stats-rf|show-wireless-mint-portal|show-wireless-mint-portal-stats|show-wireless-mint-portal-stats-rf|show-wireless-radio|show-wireless-radio-stats|show-wireless-radio-stats-rf]
customize [cdp-lldp-info-column-width|hostname-column-width] <1-64>
customize show-adoption-status (adopted-by,ap-name <1-64>,cdp-lldp-info,config-status,last-adoption,msgs,uptime,version)
customize show-wireless-client (ap-name <1-64>,auth,client-identity <1-32>,bss,enc,hostname <1-64>,ip,last-active,location <1-64>,mac,radio-alias <3-67>,radio-id,radio-type,role <1-32>,state,username <1-64>,vendor,vlan,wlan)
customize show-wireless-client-stats (hostname <1-64>,mac,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)
customize show-wireless-client-stats-rf (average-retry-number,error-rate,hostname <1-64>,mac,noise,q-index,rx-rate,signal,snr,tx-rate)
customize show-wireless-meshpoint-accelerated-multicast (ap-hostname,group-addr,mesh-name,neighbor-hostname,neighbor-ifid,radio-alias,radio-id,radio-mac,subscriptions)
customize show-wireless-meshpoint (ap-mac,cfg-as-root,hops,hostname <1-64>,interface-ids,is-root,mesh-name <1-64>,mpid,next-hop-hostname <1-64>,next-hop-ifid,next-hop-use-time,path-metric,root-bound-time,root-hostname <1-64>,root-mpid)
customize show-wireless-meshpoint-neighbor-stats (ap-hostname <1-64>,neighbor-hostname <1-64>,neighbor-ifid,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)
customize show-wireless-meshpoint-neighbor-stats-rf (ap-hostname <1-64>,average-retry-number,error-rate,neighbor-hostname <1-64>,neighbor-ifid,noise,q-index,rx-rate,signal,snr,t-index,tx-rate)
customize show-wireless-mint-client (client-alias <1-64>,client-bss,portal-alias <1-64>,portal-bss,up-time)
customize show-wireless-mint-client-stats (client-alias <1-64>,portal-alias <1-64>,portal-bss,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)
customize show-wireless-mint-client-stats-rf (average-retry-number,client-alias <1-64>,error-rate,noise,portal-alias <1-64>,portal-bss,q-index,rx-rate,signal,snr,tx-rate)
customize show-wireless-mint-portal (client-alias <1-64>,client-bss,portal-alias <1-64>,portal-bss,up-time)
customize show-wireless-mint-portal-stats (client-alias <1-64>,client-bss,portal-alias <1-64>,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)
customize show-wireless-mint-portal-stats-rf (average-retry-number,client-alias <1-64>,client-bss,error-rate,noise,portal-alias <1-64>,q-index,rx-rate,signal,snr,tx-rate)
customize show-wireless-radio (adopt-to,ap-name <1-64>,channel,location <1-64>,num-clients,power,radio-alias <3-67>,radio-id,radio-mac,rf-mode,state)
customize show-wireless-radio-stats (radio-alias <3-67>,radio-id,radio-mac,rx-bytes,rx-errors,rx-packets,rx-throughput,tx-bytes,tx-dropped,tx-packets,tx-throughput)
customize show-wireless-radio-stats-rf (average-retry-number,error-rate,noise,q-index,radio-alias <3-67>,radio-id,radio-mac,rx-rate,signal,snr,t-index,tx-rate)

Parameters
• customize [cdp-lldp-info-column-width|hostname-column-width] <1-64>

hostname-column-width <1-64>
    Configures default width of the hostname column in all show command outputs
    • <1-64> – Sets the hostname column width from 1 - 64 characters

cdp-lldp-info-column-width <1-64>
    Configures the column width in the show > cdp/lldp > [neighbor|report] command output
    • <1-64> – Sets the column width from 1 - 64 characters

• customize show-adoption-status (adopted-by,ap-name <1-64>,cdp-lldp-info,config-status,last-adoption,msgs,uptime,version)

show-adoption-status
    Configures the information displayed in the show > adoption > status command output. Select the columns (information) displayed from the following options: adopted-by, ap-name, cdp-lldp-info, config-status, last-adoption, msgs, uptime, and version. These are recursive parameters and you can select multiple options at a time.
    The columns displayed by default are: Device-Name, Version, Config-Status, MSGS, Adopted-By, Last-Adoption, and Uptime.
    Wherever available, you can optionally use the <1-64> parameter to set the column width.

• customize show-wireless-client (ap-name <1-64>,auth,client-identity <1-32>,bss,enc,hostname <1-64>,ip,last-active,location <1-64>,mac,radio-alias <3-67>,radio-id,radio-type,role <1-32>,state,username <1-64>,vendor,vlan,wlan)

show-wireless-client
    Customizes the show > wireless > client command output
    The columns displayed by default are: MAC, IPv4, Vendor, Radio-ID, WLAN, VLAN, and State.

ap-name <1-64>
    Includes the ap-name column, which displays the name of the AP with which this client associates
    • <1-64> – Sets the ap-name column width from 1 - 64 characters

auth
    Includes the auth column, which displays the authorization protocol used by the wireless client
client-identity <1-32>
    Includes the client-identity (device type) column, which displays details gathered from DHCP device fingerprinting feature (when enabled). For more information, see client-identity.
    • <1-32> – Sets the client-identity column width from 1 - 32 characters

bss
    Includes the BSS column, which displays the BSS ID the wireless client is associated with

enc
    Includes the enc column, which displays the encryption suite used by the wireless client

hostname <1-64>
    Includes the hostname column, which displays the wireless client’s hostname
    • <1-64> – Sets the hostname column width from 1 - 64 characters

ip
    Includes the IP column, which displays the wireless client’s current IP address

last-active
    Includes the last-active column, which displays the time of last activity seen from the wireless client

location <1-64>
    Includes the location column, which displays the location of the client’s associated access points
    • <1-64> – Sets the location column width from 1 - 64 characters

mac
    Includes the MAC column, which displays the wireless client’s MAC address

radio-alias <3-67>
    Includes the radio-alias column, which displays the radio alias with the AP's hostname and radio interface number in the “HOSTNAME:RX” format
    • <3-67> – Sets the radio-alias column width from 3 - 67 characters

radio-id
    Includes the radio-id column, which displays the radio ID with the AP’s MAC address and radio interface number in the “AA-BB-CC-DD-EE-FF:RX” format

radio-type
    Includes the radio-type column, which displays the wireless client’s radio type

role <1-32>
    Includes the role column, which displays the client’s role
    • <1-32> – Sets the role column width from 1 - 32 characters

state
    Includes the state column, which displays the wireless client’s current availability state

username <1-64>
    Includes the username column, which displays the wireless client’s username
    • <1-64> – Specify the username column width from 1 - 64 characters.

vendor
    Includes the vendor column, which displays the wireless client’s vendor ID

vlan
    Includes the VLAN column, which displays the wireless client’s assigned VLAN

wlan
    Includes the WLAN column, which displays the wireless client’s assigned WLAN

• customize show-wireless-client-stats (hostname <1-64>,mac,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)

show-wireless-client-stats
    Customizes the show > wireless > client > statistics command output
    The columns displayed by default are: MAC, Tx bytes, RX bytes, Tx pkts, Rx pkts, Tx bps, RX bps, T-Index, and Dropped pkts.

hostname <1-64>
    Includes the hostname column, which displays the wireless client’s hostname
    • <1-64> – Sets the hostname column width from 1 - 64 characters

mac
    Includes the MAC column, which displays the wireless client’s MAC address

rx-bytes
    Includes the rx-bytes column, which displays the total number of bytes received by the wireless client
rx-errors
  Includes the rx-error column, which displays the total number of errors received by the wireless client
rx-packets
  Includes the rx-packets column, which displays the total number of packets received by the wireless client
rx-throughput
  Includes the rx-throughput column, which displays the receive throughput at the wireless client
t-index
  Includes the t-index column, which displays the traffic utilization index at the particular wireless client
tx-bytes
  Includes the tx-bytes column, which displays the total number of bytes transmitted by the wireless client
tx-dropped
  Includes the tx-dropped column, which displays the total number of dropped packets by the wireless client
tx-packets
  Includes the tx-packets column, which displays the total number of packets transmitted by the wireless client
tx-throughput
  Includes the tx-throughput column, which displays the transmission throughput at the wireless client

• customize show-wireless-client-stats-rf (average-retry-number,error-rate,host-name <1-64>,mac,noise,q-index,rx-rate,signal,snr,tx-rate)

show-wireless-client-stats-rf
  Customizes the show > wireless > client > statistics > rf command output
  The columns displayed by default are: MAC, Signal (dBm), Noise (dBm), SNR (dB), TX Rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%).
average-retry-number
  Includes the average-retry-number column, which displays the average number of retransmissions made per packet
error-rate
  Includes the error-rate column, which displays the rate of error for the wireless client
hostname <1-64>
  Includes the hostname column, which displays the wireless client’s hostname
  • <1-64> – Sets the hostname column width from 1 - 64 characters
mac
  Includes the MAC column, which displays the wireless client’s MAC address
noise
  Includes the noise column, which displays the noise (in dBm) as detected by the wireless client
q-index
  Includes the q-index column, which displays the RF quality index
  Higher values indicate better RF quality.
rx-rate
  Includes the rx-rate column, which displays the receive rate at the particular wireless client
signal
  Includes the signal column, which displays the signal strength (in dBm) at the particular wireless client
snr
  Includes the snr column, which displays the signal to noise (SNR) ratio (in dB) at the particular wireless client
tx-rate
  Includes the tx-rate column, which displays the packet transmission rate at the particular wireless client
• customize show-wireless-meshpoint-accelerated-multicast (ap-hostname,group-addr,mesh-name,neighbor-hostname,neighbor-ifid,radio-alias,radio-id,radio-mac,subscriptions)

show-wireless-meshpoint-accelerated-multicast
  Configures the information displayed in the show > wireless > meshpoint > accelerated multicast command output. Select the columns (information) displayed from the following options: ap-hostname, group-addr, mesh-name, neighbor-hostname, neighbor-ifid, radio-alias, radio-id, radio-mac, subscriptions. These are recursive parameters and you can select multiple options at a time.
  The columns displayed by default are: Mesh, Radio, Neighbor-IFID, Neighbor-Hostname, Group-MAC, and Subscriptions.

• customize show-wireless-meshpoint (ap-mac,cfg-as-root,hops,hostname <1-64>,interface-ids,is-root,mesh-name <1-64>,mpid,next-hop-hostname <1-64>,next-hop-ifid,next-hop-use-time,path-metric,root-bound-time,root-hostname <1-64>,root-mpid)

show-wireless-meshpoint
  Customizes the show > wireless > meshpoint command output
  The columns displayed by default are: Mesh, Hostname, Hops, Is-Root, Config-As-Root, Root-Hostname, Root-Bound-Time, Path-Metric, Next-Hop-Hostname, and Next-Hop-Use-Time.
ap-mac
  Includes the ap-mac column, which displays the AP’s MAC address in the AA-BB-CC-DD-EE-FF format. Applicable only in case of non-controller meshpoints
cfg-as-root
  Includes the cfg-as-root column, which displays the configured root state of the meshpoint
hops
  Includes the hops column, which displays the number of hops to the root for this meshpoint
hostname <1-64>
  Includes the hostname column, which displays the AP’s hostname. Applicable only in case of non-wireless controller meshpoints
  • <1-64> – Sets the hostname column width from 1 - 64 characters
interface-ids
  Includes the interface-ids column, which displays the interface identifiers (interfaces used by this meshpoint)
is-root
  Includes the is-root column, which displays the current root state of the meshpoint
mesh-name <1-64>
  Includes the mesh-name column, which displays the meshpoint’s name
  • <1-64> – Sets the mesh-name column width from 1 - 64 characters
mpid
  Includes the mpid column, which displays the meshpoint identifier in the AA-BB-CC-DD-EE-FF format
next-hop-hostname <1-64>
  Includes the next-hop-hostname column, which displays the next-hop AP’s name (the AP next in the path to the bound root)
  • <1-64> – Sets the next-hop-hostname column width from 1 - 64 characters
next-hop-ifid
  Includes the next-hop-ifid column, which displays the next-hop interface identifier in the AA-BB-CC-DD-EE-FF format
next-hop-use-time
  Includes the next-hop-use-time column, which displays the time since this meshpoint started using this next hop
root-bound-time
  Includes the root-bound-time column, which displays the time since this meshpoint has been bound to the current root
root-hostname <1-64>
  Includes the root-hostname column, which displays the root AP’s hostname to which this meshpoint is bound
  • <1-64> – Sets the root-hostname column width from 1 - 64 characters
root-mpid
  Includes the root-mpid column, which displays the bound root meshpoint identifier in the AA-BB-CC-DD-EE-FF format

• customize show-wireless-meshpoint-neighbor-stats (ap-hostname <1-64>,neighbor-hostname <1-64>,neighbor-ifid,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)

show-wireless-meshpoint-neighbor-stats
  Customizes the show > wireless > meshpoint > neighbor > statistics command output
  The columns displayed by default are: AP Hostname, Neighbor-IFID, TX bytes, RX bytes, Tx pkts, Rx pkts, Tx (bps), Rx (bps), T-Index (%), and Dropped pkts.
ap-name <1-64>
  Includes the ap-name column, which displays the name of the AP reporting a neighbor
  • <1-64> – Sets the ap-name column width from 1 - 64 characters
neighbor-hostname <1-64>
  Includes the neighbor-hostname column, which displays the reported neighbor’s hostname
  • <1-64> – Sets the neighbor-hostname column width from 1 - 64 characters
neighbor-ifid
  Includes the neighbor-ifid column, which displays the neighbor’s interface ID
rx-bytes
  Includes the rx-bytes column, which displays the total bytes received
rx-errors
  Includes the rx-error column, which displays the total bytes of error received
rx-packets
  Includes the rx-packets column, which displays the number of packets received
rx-throughput
  Includes the rx-throughput column, which displays the neighbor’s received throughput
t-index
  Includes the t-index column, which displays the traffic utilization index at the neighbor end
tx-bytes
  Includes the tx-bytes column, which displays the total bytes transmitted
tx-dropped
  Includes the tx-dropped column, which displays the total bytes dropped
tx-packets
  Includes the tx-packets column, which displays the number of packets transmitted
tx-throughput
  Includes the tx-throughput column, which displays the neighbor’s transmitted throughput

• customize show-wireless-meshpoint-neighbor-stats-rf (ap-hostname <1-64>,average-retry-number,error-rate,neighbor-hostname <1-64>,neighbor-ifid,noise,q-index,rx-rate,signal,snr,t-index,tx-rate)

show-wireless-meshpoint-neighbor-stats-rf
  Customizes the show > wireless > meshpoint > neighbor > statistics > rf command output
  The columns displayed by default are: AP Hostname, Neighbor-IFID, Signal (dBm), Noise (dBm), SNR (dB), Tx-Rate (Mbps), Rx-Rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%).
ap-name <1-64>
  Includes the ap-name column, which displays the name of the AP reporting a neighbor
  • <1-64> – Sets the ap-name column width from 1 - 64 characters
average-retry-number
  Includes the average-retry-number column, which displays the average number of retransmissions made per packet.
error-rate
  Includes the error-rate column
neighbor-hostname <1-64>
  Includes the neighbor-hostname column, which displays the reported neighbor’s hostname
  • <1-64> – Sets the neighbor-hostname column width from 1 - 64 characters
noise
  Includes the noise column, which displays the noise level in dBm
q-index
  Includes the q-index column, which displays the q-index
rx-rate
  Includes the rx-rate column, which displays the receive rate
signal
  Includes the signal column, which displays the signal strength in dBm
snr
  Includes the snr column, which displays the signal-to-noise ratio
t-index
  Includes the t-index column, which displays the t-index
tx-rate
  Includes the tx-rate column, which displays the transmission rate

• customize show-wireless-mint-client (client-alias <1-64>,client-bss,portal-alias <1-64>,portal-bss,up-time)

show-wireless-mint-client
  Configures the information displayed in the show > wireless > mint > client command output. Select the columns (information) displayed from the following options: client-alias, client-bss, portal-alias, portal-bss, and up-time. These are recursive parameters and you can select multiple options at a time.
  The columns displayed by default are: Portal, Portal-Radio-MAC, Client, Client-Radio-MAC, and Up-Time.

• customize show-wireless-mint-client-stats (client-alias <1-64>,portal-alias <1-64>,portal-bss,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)

show-wireless-mint-client-stats
  Configures the information displayed in the show > wireless > mint > client > statistics command output. Select the columns (information) displayed from the following options: client-alias, portal-alias, portal-bss, rx-bytes, rx-errors, rx-packets, rx-throughput, t-index, tx-bytes, tx-dropped, tx-packets, tx-throughput. These are recursive parameters and you can select multiple options at a time.
  The columns displayed by default are: Portal, Portal-Radio-MAC, Client, Tx bytes, Rx bytes, TX pkts, Rx pkts, TX (bps), Rx (bps), T-Index (%), and Dropped pkts.
  Wherever available, you can optionally use the <1-64> parameter to set the column width.

• customize show-wireless-mint-client-stats-rf (average-retry-number,client-alias <1-64>,error-rate,noise,portal-alias <1-64>,portal-bss,q-index,rx-rate,signal,snr,tx-rate)

show-wireless-mint-client-stats-rf
  Configures the information displayed in the show > wireless > mint > client > statistics > rf command output. Select the columns (information) displayed from the following options: average-retry-number, client-alias, error-rate, noise, portal-alias, portal-bss, q-index, rx-rate, signal, snr, and tx-rate. These are recursive parameters and you can select multiple options at a time.
  The columns displayed by default are: MAC, Signal (dBm), Noise (dBm), SNR (dB), Tx-Rate (Mbps), Rx-rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%).
  Wherever available, you can optionally use the <1-64> parameter to set the column width.
• customize show-wireless-mint-portal (client-alias <1-64>,client-bss,portal-alias <1-64>,portal-bss,up-time)

show-wireless-mint-portal
  Configures the information displayed in the show > wireless > mint > portal command output. Select the columns (information) displayed from the following options: client-alias, client-bss, portal-alias, portal-bss, and up-time. These are recursive parameters and you can select multiple options at a time.
  The columns displayed by default are: Client, Client-Radio-MAC, Portal, Portal-Radio-MAC, and Up-Time.
  Wherever available, optionally use the <1-64> parameter to set the column width.

• customize show-wireless-mint-portal-stats (client-alias <1-64>,client-bss,portal-alias <1-64>,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)

show-wireless-mint-portal-stats
  Configures the information displayed in the show > wireless > mint > portal > statistics command output. Select the columns (information) displayed from the following options: client-alias, client-bss, portal-alias, rx-bytes, rx-errors, rx-packets, rx-throughput, t-index, tx-bytes, tx-dropped, tx-packets, tx-throughput. These are recursive parameters and you can select multiple options at a time.
  The columns displayed by default are: Client, Client-Radio-MAC, Portal, Tx bytes, Rx bytes, TX pkts, Rx pkts, TX (bps), Rx (bps), T-Index (%), and Dropped pkts.
  Wherever available, optionally use the <1-64> parameter to set the column width.

• customize show-wireless-mint-portal-stats-rf (average-retry-number,client-alias <1-64>,client-bss,error-rate,noise,portal-alias <1-64>,q-index,rx-rate,signal,snr,tx-rate)

show-wireless-mint-portal-stats-rf
  Configures the information displayed in the show > wireless > mint > portal > statistics > rf command output. Select the columns (information) displayed from the following options: average-retry-number, client-alias, client-bss, error-rate, noise, portal-alias, q-index, rx-rate, signal, snr, tx-rate. These are recursive parameters and you can select multiple options at a time.
  The columns displayed by default are: Client, Client-Radio-MAC, Portal, Signal (dBm), Noise (dBm), SNR (dB), Tx-Rate (Mbps), Rx-rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%).
  Wherever available, optionally use the <1-64> parameter to set the column width.

• customize show-wireless-radio (adopt-to,ap-name <1-64>,channel,location <1-64>,num-clients,power,radio-alias <3-67>,radio-id,radio-mac,rf-mode,state)

show-wireless-radio
  Customizes the show wireless radio command output
adopt-to
  Includes the adopt-to column, which displays information about the wireless controller adopting this AP
ap-name <1-64>
  Includes the ap-name column, which displays information about the AP this radio belongs to
  • <1-64> – Sets the ap-name column width from 1 - 64 characters
channel
  Includes the channel column, which displays information about the configured and current channel for this radio
location <1-64>
  Includes the location column, which displays the location of the AP this radio belongs to
  • <1-64> – Sets the location column width from 1 - 64 characters
num-clients
  Includes the num-clients column, which displays the number of clients associated with this radio
power
  Includes the power column, which displays the radio’s configured and current transmit power
radio-alias <3-67>
  Includes the radio-alias column, which displays the radio’s alias (combination of AP's hostname and radio interface number in the “HOSTNAME:RX” format)
  • <3-67> – Sets the radio-alias column width from 3 - 67 characters
radio-id
  Includes the radio-id column, which displays the radio’s ID (combination of AP’s MAC address and radio interface number in the “AA-BB-CC-DD-EE-FF:RX” format)
radio-mac
  Includes the radio-mac column, which displays the radio’s base MAC address
rf-mode
  Includes the rf-mode column, which displays the radio’s operating mode. The radio mode can be 2.4 GHz, 5.0 GHz, or sensor.
state
  Includes the state column, which displays the radio’s current operational state

• customize show-wireless-radio-stats (radio-alias <3-67>,radio-id,radio-mac,rx-bytes,rx-errors,rx-packets,rx-throughput,tx-bytes,tx-dropped,tx-packets,tx-throughput)

show-wireless-radio-stats
  Customizes the show wireless radio statistics command output
radio-alias <3-67>
  Includes the radio-alias column, which displays the radio’s alias (combination of AP's hostname and radio interface number in the “HOSTNAME:RX” format)
  • <3-67> – Sets the radio-alias column width from 3 - 67 characters
radio-id
  Includes the radio-id column, which displays the radio’s ID (combination of AP’s MAC address and radio interface number in the “AA-BB-CC-DD-EE-FF:RX” format)
radio-mac
  Includes the radio-mac column, which displays the radio’s base MAC address
rx-bytes
  Includes the rx-bytes column, which displays the total number of bytes received by the radio
rx-errors
  Includes the rx-error column, which displays the total number of errors received by the radio
rx-packets
  Includes the rx-packets column, which displays the total number of packets received by the radio
rx-throughput
  Includes the rx-throughput column, which displays the receive throughput at the radio
tx-bytes
  Includes the tx-bytes column, which displays the total number of bytes transmitted by the radio
tx-dropped
  Includes the tx-dropped column, which displays the total number of packets dropped by the radio
tx-packets
  Includes the tx-packets column, which displays the total number of packets transmitted by the radio
tx-throughput
  Includes the tx-throughput column, which displays the transmission throughput at the radio

• customize show-wireless-radio-stats-rf (average-retry-number,error-rate,noise,q-index,radio-alias <3-67>,radio-id,radio-mac,rx-rate,signal,snr,t-index,tx-rate)

show-wireless-radio-stats-rf
  Customizes the show wireless radio stats RF command output
average-retry-number
  Includes the average-retry-number column, which displays the average number of retransmissions per packet
error-rate
  Includes the error-rate column, which displays the rate of error for the radio
noise
  Includes the noise column, which displays the noise detected by the radio
q-index
  Includes the q-index column, which displays the RF quality index
  Higher values indicate better RF quality.
radio-alias <3-67>
  Includes the radio-alias column, which displays the radio’s alias (combination of AP's hostname and radio interface number in the “HOSTNAME:RX” format)
  • <3-67> – Sets the radio-alias column width from 3 - 67 characters
radio-id
  Includes the radio-id column, which displays the radio’s ID (combination of AP’s MAC address and radio interface number in the “AA-BB-CC-DD-EE-FF:RX” format)
radio-mac
  Includes the radio-mac column, which displays the radio’s base MAC address
rx-rate
  Includes the rx-rate column, which displays the receive rate at the particular radio
signal
  Includes the signal column, which displays the signal strength at the particular radio
snr
  Includes the snr column, which displays the signal-to-noise ratio at the particular radio
t-index
  Includes the t-index column, which displays the traffic utilization index at the particular radio
tx-rate
  Includes the tx-rate column, which displays the packet transmission rate at the particular radio

Example

The following example shows the show > adoption > status command output before customizing the output:

rfs6000-81742D#show adoption status
Adopted by:
Type          : nx9000
System Name   : nx9500-6C8809
MAC address   : B4-C7-99-6C-88-09
MiNT address  : 19.6C.88.09
Time          :   4 days 22:38:32 ago
Adopted Devices:
---------------------------------------------------------------------------------------------------------------
DEVICE-NAME       VERSION         CFG-STAT         MSGS ADOPTED-BY        LAST-ADOPTION                  UPTIME
---------------------------------------------------------------------------------------------------------------
ap7532-A2A56C     5.9.0.0-010D   *configured No   rfs6000-81742D      4 days 22:25:56     4 days 22:31:23
----------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 1
rfs6000-81742D#

rfs6000-81742D(config)#customize show-adoption-status adopted-by ap-name config-status last-adoption
rfs6000-81742D(config)#commit

The following example shows the show > adoption > status command output after customizing the output:

rfs6000-81742D#show adoption status
Adopted by:
Type          : nx9000
System Name   : nx9500-6C8809
MAC address   : B4-C7-99-6C-88-09
MiNT address  : 19.6C.88.09
Time
Adopted Devices:
------------------------------------------------------------------------
ADOPTED-BY        DEVICE-NAME       CFG-STAT         LAST-ADOPTION
------------------------------------------------------------------------
rfs6000-81742D ap7532-A2A56C    *configured        4 days 22:25:56
------------------------------------------------------------------------
Total number of devices displayed: 1
rfs6000-81742D(config)#

Use the no > customize > show-adoption-status command to revert to the default format.

rfs6000-81742D(config)#no customize show-adoption-status
rfs6000-81742D(config)#commit
rfs6000-81742D#show adoption status
Adopted by:
Type          : nx9000
System Name   : nx9500-6C8809
MAC address   : B4-C7-99-6C-88-09
MiNT address  : 19.6C.88.09
Time          :   4 days 22:38:32 ago
Adopted Devices:
---------------------------------------------------------------------------------------------------------------
DEVICE-NAME       VERSION         CFG-STAT         MSGS ADOPTED-BY        LAST-ADOPTION                  UPTIME
---------------------------------------------------------------------------------------------------------------
ap7532-A2A56C     5.9.0.0-010D   *configured No   rfs6000-81742D      4 days 22:25:56     4 days 22:31:23
----------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 1
rfs6000-81742D#

Related Commands

no
  Restores custom CLI settings to default
wireless (show commands)
  Displays wireless configuration and other information

4.1.38 database-client-policy

The following table summarizes the config database client policy commands:

Table 4.16 Database-Client-Policy Config Commands
database-client-policy
  Creates a database-client policy and enters its configuration mode
database-client-policy-mode commands
  Summarizes the database client policy mode commands

4.1.38.1 database-client-policy

Creates a database-client-policy and enters its configuration mode. The database-client-policy configures the IP address or hostname of the database host, and is used on the NSight/EGuest server’s device context. However, the database-client-policy is required only in a split deployment, where the server and database are hosted on separate boxes. In such a scenario, the database-client-policy enables the server to identify the database host. If enforcing database authentication, configure the user-name and password required to access the database on the database-client-policy. For more information on enabling database authentication, see database.

Supported in the following platforms:
• Service Platforms — NX9500, NX9600, VX9000

Syntax

database-client-policy <DATABASE-CLIENT-POLICY-NAME>

Parameters

• database-client-policy <DATABASE-CLIENT-POLICY-NAME>

database-client-policy <DATABASE-CLIENT-POLICY-NAME>
  Specify the database-client-policy name. If the policy does not exist, it is created.
  Once created and configured, use this policy in the NSight/EGuest server’s device context.

Example

vx9000-34B78B(config)#database-client-policy DBClientPolicy
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#?
Database Client Policy Mode commands:
  authentication   Database authentication
  database-server  Add database server
  no               Negate a command or set its defaults
  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#

To set up a database/server environment, with the database and the server hosted on separate hosts:

1 On the database host, use the database policy. This brings up the database server.
2 On the NSight/EGuest server, create the database-client-policy, and configure the database host’s IP address or hostname.
vx9000-34B78B(config)#database-client-policy DBClientPolicy
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
 database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#

3 Use this database-client-policy in the NSight/EGuest server’s device configuration context. Once applied, the server posts details to the database specified in the policy.

vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#use database-client-policy DBClientPolicy
vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#show context include-factory | include database-client-policy
 use database-client-policy DBClientPolicy
vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#

Related Commands

no
  Removes an existing database-client-policy
database-policy
  Documents database policy configuration commands. If enforcing authenticated database access, use this command to enable authentication on the database and configure the username and password.
nsight-policy
  Documents NSight policy configuration commands. The NSight policy is a tool which, when created and applied at the RF Domain level, allows the RF Domain manager to send statistics (polled from devices within the RF Domain) to the NOC. The NOC, when enabled as the NSight server, stores this data in a locally or externally hosted database.
use (profile/device context)
  Uses a database-client-policy in the VX9000’s device or profile context
database
  Drops or repairs a database. Also provides database keyfile management capabilities. If enforcing authenticated access to the database, use this command to generate, export, import, and zeroize the keyfile.

4.1.38.2 database-client-policy-mode commands

The following table summarizes database-client-policy configuration mode commands:

Table 4.17 Database-Client-Policy-Config-Mode Commands
authentication
  Configures the captive-portal/NSight database users
database-server
  Configures the database host’s IP address or hostname. Use this command to configure the IP address or hostname of the VM hosting the database.
no
  Removes the database host’s IP/hostname configuration

4.1.38.2.1 authentication

Configures the database’s username and password

Supported in the following platforms:
• Service Platforms — NX9500, NX9600, VX9000

Syntax

authentication username <USER-NAME> password <PASSWORD>

Parameters

• authentication username <USER-NAME> password <PASSWORD>

authentication username <USER-NAME> password <PASSWORD>
  Configures the username and password required to access the database. Note, the username and password specified here should be the same as those already created on the database host. For more information on creating database users, see service.
  • username <USER-NAME> – Configures the user name
  • password <PASSWORD> – Configures the password for the username specified above.
  However, ensure database authentication is enabled in the database-policy.
  For more information on database-policy, see database-policy.
  For more information on enabling database authentication, see database

Example

vx9000-65672(config-database-client-policy-DBClientPolicy)# authentication username extreme password 2 test@12345
vx9000-656725#show running-config database-client-policy replica-set
database-client-policy replica-set
 database-server 13.13.13.3
 database-server 14.14.14.2
 authentication username extreme password 2 q4cUyedmA4BFsn1kg/xjCQAAAAliMbdrXKblQbsyrwMGdVzv
vx9000-656725#

Related Commands

no
  Removes an existing database username and password

4.1.38.2.2 database-server

Configures the IPv4/IPv6 address or hostname of the VM hosting the database

Supported in the following platforms:
• Service Platforms — VX9000

Syntax

database-server [<IP>|<HOSTNAME>|<IPv6>]

Parameters

• database-server [<IP>|<HOSTNAME>|<IPv6>]

database-server [<IP>|<HOSTNAME>|<IPv6>]
  Identifies the database host using one of the following options:
  • <IP> – Specifies the host’s IPv4 address
  • <HOSTNAME> – Specifies the host’s hostname
  • <IPv6> – Specifies the host’s IPv6 address.

Example

vx9000-34B78B(config-database-client-policy-DBClientPolicy)#database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
 database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#

Related Commands

no
  Removes the database server’s (the VM hosting the database) IP/hostname configuration

4.1.38.2.3 no

Removes the database host’s IP/hostname configuration

Supported in the following platforms:
• Service Platforms — VX9000

Syntax

no [authentication|database-server]
no authentication username <USER-NAME>
no database-server [<IP>|<HOST-NAME>|<IPv6>]

Parameters

• no [authentication|database-server]

no database-server
  Removes the database VM’s IPv4/IPv6 address or hostname associated with this database client policy. Also removes database user details.

Example

vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
 database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#no database-server
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#

4.1.39 database-policy

The following table summarizes the config database policy commands:

Table 4.18 Database-Policy Config Commands
database-policy
  Creates a database policy and enters its configuration mode
database-policy-mode commands
  Lists database policy configuration mode commands

4.1.39.1 database-policy

Creates a database-policy and enters its configuration mode. After creating the database-policy, use it on the database host. This enables the database. If deploying a database replica-set, use this command to define the replica set configurations. To enforce database authentication, enable authentication on the database-policy, and configure the username and password required to access the database. Note, this command is part of a set of configurations that are required to enable authentication. For more information on the entire set of configurations, see database.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, VX9000

Syntax

database-policy <DATABASE-POLICY-NAME>

Parameters

• database-policy <DATABASE-POLICY-NAME>

database-policy <DATABASE-POLICY-NAME>
  Specify the database policy name. If the policy does not exist, it is created.

Example

nx9500-6C8809(config-database-policy-test)#?
Database Policy Mode commands:
  authentication  Database authentication
  no              Negate a command or set its defaults
  replica-set     Replica Set
  shutdown        Disable database server
  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  do              Run commands from Exec mode
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode
  help            Description of the interactive help system
  revert          Revert changes
  service         Service Commands
  show            Show running system information
  write           Write running configuration to memory or terminal
nx9500-6C8809(config-database-policy-test)#

Related Commands

no
  Removes an existing database policy
4.1.39.2 database-policy-mode commands

The following table summarizes database-policy configuration mode commands:

Table 4.19 Database-Policy-Config-Mode Commands

Command         Description                                                                                                 Reference
authentication  Enables database authentication and configures the username and password required to access the database  page 4-187
replica-set     Adds a member to a database replica set                                                                     page 4-188
shutdown        Shuts down the database server                                                                              page 4-190
no              Removes a member from the database replica set                                                              page 4-191
4.1.39.2.1 authentication

Enables database authentication. When enabled and applied on the database host, this policy enforces authenticated access to the database. This command also configures the username and password required to access the database.

Supported in the following platforms:
• Service Platforms — NX9500, NX9600, VX9000

Syntax
authentication
authentication username <USER-NAME> password <PASSWORD>

Parameters
• authentication

authentication
    Enables database authentication on this database-policy. When executed without the associated keywords, the command enables authentication on the database host using the policy. Execute the command along with the username and password inputs to configure the user credentials required to access the database.

• authentication username <USER-NAME> password <PASSWORD>

authentication username <USER-NAME> password <PASSWORD>
    Configures the username and password required to access the database. Note, username and password specified here should be the same as those already created on the database host. For more information, see service.
    • username <USER-NAME> – Configures the database username
    • password <PASSWORD> – Configures the password for the username specified above
    Users using these credentials are allowed database access.
    In case of a split NSight/EGuest deployment, ensure that the database-client-policy running on the NSight/EGuest server has the same user details configured.
    For information on creating database-client-policy, see database-client-policy.
    For more information on enabling database authentication, see database.

Example
nx9500-6C8809(config-database-policy-test)#authentication
nx9500-6C8809(config-database-policy-test)#no shutdown
nx9500-6C8809(config-database-policy-test)#authentication username user1 password uesr@123
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 authentication
 authentication username user1 password 2 f20/dTjYiMnR/tqbGFaO5gAAAAjL/xo8clisk1TZjimo128t
nx9500-6C8809(config-database-policy-test)#

Related Commands
no
    Disables database authentication, and removes the username and password configuration.
4.1.39.2.2 replica-set

Adds a member to a database replica set. A replica-set is a group of devices (replica-set members) running the database instances that maintain the same data set. Replica sets provide redundancy and high availability and are the basis for all production deployments. The replica set usually consists of: an arbiter, a primary member, and one or more secondary members. The primary member and the secondary member(s) maintain replicas of the data set.

Before deploying a replica set, ensure that each of the replica-set members:
• has the DB instances installed, and
• is able to communicate with every other member in the set.

After ensuring the above,
• Create a database policy (with identical replica-set configuration) on each of the member devices, and
• Use the database policy in the member device’s configuration mode.

These member devices elect a primary member, which begins accepting client-write operations. Remaining devices in the replica-set, with the exception of the arbiter, are designated as secondary members.

Supported in the following platforms:
• Service Platforms — NX9500, NX9600, VX9000, NX7500, NX5500

Syntax
replica-set member [<IP>|<FQDN>] {arbiter|priority <0-255>}

Parameters
• replica-set member [<IP>|<FQDN>] {arbiter|priority <0-255>}

replica-set member [<IP>|<FQDN>] {arbiter|priority <0-255>}
    Adds a member to the database replica set. To identify the member, use one of the following options:
    • <IP> – Specify the member’s IP address.
    • <FQDN> – Specify the member’s Fully Qualified Domain Name (FQDN).
    After specifying the IP address or FQDN, specify the following:
    • arbiter – Optional. Select to configure the member as the arbiter.
    • priority <0-255> – Optional. Configures the priority of a non-arbiter member of the replica set
        • <0-255> – Specify the priority from 0 - 255. This value determines the member’s position within the replica set as primary or secondary. It also helps in electing the fall-back primary member in the eventuality of the current primary member being unreachable.

A replica set should have at least three members. The maximum number of members can go up to fifty (50). However, configuring a three-member replica set is recommended. Replica sets should have an odd number of members. In case of an even-numbered replica set, add an arbiter to make the member count odd. This ensures that at least one member gets a majority vote in the primary-member election.
Example
nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.14 arbiter
nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.16 priority 1
nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.12 priority 2
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.14 arbiter
 replica-set member 192.168.13.16 priority 1
nx9500-6C8809(config-database-policy-test)#

Related Commands
no
    Removes a member from the database replica set
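The authentication and replica-set rules described above can be checked offline against saved "show context" output. The script below is an added example, not part of the guide or of WiNG: the function names, finding codes, and the constructed sample policy (including its password placeholder) are assumptions made for illustration.

```python
import re

# Constructed sample in the layout "show context" prints for a database-policy.
# The password field is a placeholder, not a value taken from any device.
SAMPLE_CONTEXT = """\
database-policy test
 authentication
 authentication username user1 password 2 ENCRYPTED-PLACEHOLDER
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.16 priority 1
"""

MEMBER_RE = re.compile(
    r"replica-set member (?P<host>\S+)"
    r"(?: (?:(?P<arbiter>arbiter)|priority (?P<priority>\d+)))?$"
)
USER_RE = re.compile(r"authentication username (?P<user>\S+) password \S.*$")


def parse_database_policy(text):
    """Turn 'show context' output into a dict describing the policy."""
    policy = {"name": None, "auth_enabled": False, "users": [],
              "shutdown": False, "members": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("database-policy "):
            policy["name"] = line.split(None, 1)[1]
        elif line == "authentication":
            policy["auth_enabled"] = True
        elif line == "shutdown":
            policy["shutdown"] = True
        elif (m := USER_RE.match(line)):
            policy["users"].append(m["user"])
        elif (m := MEMBER_RE.match(line)):
            prio = m["priority"]
            policy["members"].append({
                "host": m["host"],
                "arbiter": m["arbiter"] is not None,
                "priority": int(prio) if prio is not None else None,
            })
    return policy


def audit_database_policy(policy):
    """Return (code, message) findings against the rules the guide states."""
    findings = []
    if not policy["auth_enabled"]:
        findings.append(("AUTH_DISABLED", "database authentication is not enabled"))
    elif not policy["users"]:
        findings.append(("AUTH_NO_USER",
                         "authentication is enabled but no username/password is configured"))
    members = policy["members"]
    if members:  # no members means the policy does not define a replica set
        count = len(members)
        if count < 3:
            findings.append(("RS_TOO_FEW", f"{count} members; at least 3 are required"))
        if count > 50:
            findings.append(("RS_TOO_MANY", f"{count} members; the maximum is 50"))
        if count % 2 == 0:
            findings.append(("RS_EVEN",
                             f"{count} members; add an arbiter to make the count odd"))
        hosts = [m["host"] for m in members]
        for host in sorted({h for h in hosts if hosts.count(h) > 1}):
            findings.append(("RS_DUPLICATE", f"{host} is listed more than once"))
        for m in members:
            if m["priority"] is not None and not 0 <= m["priority"] <= 255:
                findings.append(("RS_PRIORITY_RANGE",
                                 f"{m['host']} priority {m['priority']} is outside 0-255"))
    if policy["shutdown"]:
        findings.append(("DB_SHUTDOWN", "the database server is shut down"))
    return findings


if __name__ == "__main__":
    for code, message in audit_database_policy(parse_database_policy(SAMPLE_CONTEXT)):
        print(f"{code}: {message}")
```

Every device in the replica set carries its own copy of the policy, so run the check on each member's output and compare the results; the guide requires the replica-set configuration to be identical on all of them.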
4.1.39.2.3 shutdown

Shuts down the database server. The factory default is set as no shutdown.

Supported in the following platforms:
• Service Platforms — NX9500, NX9600, VX9000, NX7500, NX5500

Syntax
shutdown

Parameters
None

Example
nx9500-6C8809(config-database-policy-test)#shutdown
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 shutdown
nx9500-6C8809(config-database-policy-test)#

Related Commands
no
    Enables the database server
4.1.39.2.4 no

Removes or reverts the database policy settings to default values

Supported in the following platforms:
• Service Platforms — NX9500, NX9600, VX9000, NX7500, NX5500

Syntax
no [authentication|replica-set|shutdown]
no authentication {username <USER-NAME>}
no replica-set member [<IP>|<FQDN>]
no shutdown

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes a member from the database replica set, or brings up a database server that is down. Also disables database authentication and removes user

Example
The following example shows a three-member replica set:
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.14 arbiter
 replica-set member 192.168.13.16 priority 1
nx9500-6C8809(config-database-policy-test)#

In the following example the arbiter is being removed, leaving the replica set with only two members:
nx9500-6C8809(config-database-policy-test)#no replica-set member 192.168.13.14
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.16 priority 1
nx9500-6C8809(config-database-policy-test)#

Since a replica set must have at least three members, another member must be added to this replica set. This member may or may not be an arbiter.
nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.8 priority 3
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.16 priority 1
 replica-set member 192.168.13.8 priority 3
nx9500-6C8809(config-database-policy-test)#
4.1.40 device

Enables simultaneous configuration of multiple devices

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
device {containing|filter}
device {containing <STRING>} {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}
device {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}

Parameters
• device {containing <STRING>} {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}

device
    Enters a device’s configuration mode. Use this command to simultaneously configure devices having similar configuration.
containing <STRING>
    Optional. Configures the string to search for in the device’s hostname. All devices having hostnames containing the string specified here are filtered, and can be configured simultaneously.
    • <STRING> – Specify the string to search for in the device’s hostname.
filter type <DEVICE-TYPE>
    Optional. Filters out a specific device type. After specifying the hostname string, select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, EX3524, EX3548, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, t5, and VX9000 (V-WLC).
    The t5 option is applicable only on the NX7500, NX7510, NX7520, NX7530, NX95XX, NX9500, NX9510, and NX9600 platforms.
    The VX9000 option is applicable only to the NX9500, NX9510, and NX9600 platforms.

• device {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}

device
    Configures a basic device profile
filter type <DEVICE-TYPE>
    Optional. Filters out a specific device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, EX3524, EX3548, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, t5, and VX9000 (V-WLC).
    The t5 option is applicable only on the NX7500, NX7510, NX7520, NX7530, NX95XX, NX9500, NX9510, and NX9600 platforms.
    The VX9000 option is applicable only to the NX9500, NX9510, and NX9600 platforms.

Example
rfs6000-81742D(config)#device filter type ap7532
rfs6000-81742D(config-device-{'type': 'ap7532'})#

Related Commands
no
    Removes multiple devices from the network
4.1.41 device-categorization

Categorizes devices as sanctioned or neighboring. Categorization of devices enables quick identification and blocking of unsanctioned devices in the network.

The following table summarizes the device categorization mode commands:

Table 4.20 Device-Categorization Config Command

Command                             Description                                                             Reference
device-categorization               Creates a device categorization list and enters its configuration mode  page 4-195
device-categorization-mode commands Summarizes device categorization list configuration mode commands       page 4-196
4.1.41.1 device-categorization

Configures a device categorization list

Proper classification and categorization of devices (access points, clients, etc.) helps suppress unnecessary unauthorized access point alarms, allowing network administrators to focus on alarms on devices actually behaving in a suspicious manner. An intruder with a device erroneously authorized could potentially perform activities that harm your organization.

Authorized access points and clients are generally known to you and conform with your organization’s security policies. Unauthorized devices are those detected as interoperating within the network, but are not approved. These devices should be filtered to avoid jeopardizing the data within a managed network. Use this command to apply the neighboring and sanctioned (approved) filters on peer devices operating within a wireless controller or access point’s radio coverage area. Detected client MAC addresses can also be filtered based on their classification.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
device-categorization <DEVICE-CATEGORIZATION-LIST-NAME>

Parameters
• device-categorization <DEVICE-CATEGORIZATION-LIST-NAME>

<DEVICE-CATEGORIZATION-LIST-NAME>
    Specify the device categorization list name. If a list with the same name does not exist, it is created.

Example
rfs6000-81742D(config)#device-categorization rfs6000
rfs6000-81742D(config-device-categorization-rfs6000)#?
Device Category Mode commands:
  mark-device  Add a device
  no           Negate a command or set its defaults
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
rfs6000-81742D(config-device-categorization-rfs6000)#

Related Commands
no
    Removes an existing device categorization list
4.1.41.2 device-categorization-mode commands

The following table summarizes device categorization configuration mode commands:

Table 4.21 Device-Categorization-Mode Commands

Command      Description                                           Reference
mark-device  Adds a device to the device categorization list       page 4-197
no           Removes a device from the device categorization list  page 4-199
4.1.41.2.1 mark-device

Adds a device to the device categorization list as sanctioned or neighboring. Devices are further classified as AP or client.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mark-device <1-1000> [sanctioned|neighboring] [ap|client]
mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac <MAC>}}
mark-device <1-1000> [sanctioned|neighboring] client {mac <MAC>}

Parameters
• mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac <MAC>}}

<1-1000>
    Configures the device categorization entry index number
sanctioned
    Marks a device as sanctioned. A sanctioned device is authorized to use network resources.
neighboring
    Marks a device as neighboring. A neighboring device is a neighbor in the same network as this device.
ap {mac <MAC>|ssid <SSID>}
    Marks a specified AP as sanctioned or neighboring based on its MAC address or SSID
    • mac <MAC> – Optional. Specify the AP’s MAC address
    • ssid <SSID> – Optional. Specify the AP’s SSID. After specifying the SSID, you can optionally specify its MAC SSID.
    All APs are marked if no specific MAC address or SSID is provided.

• mark-device [sanctioned|neighboring] client {mac <MAC>}

<1-1000>
    Configures the device categorization entry index number
sanctioned
    Marks the wireless client as sanctioned. A sanctioned device is authorized to use network resources.
neighboring
    Marks the wireless client as neighboring. A neighboring device is a neighbor in the same network as this device.
client {mac <MAC>}
    Marks a specified wireless client as sanctioned or neighboring based on its MAC address
    • mac <MAC> – Optional. Specify the wireless client’s MAC address.
Example
rfs6000-81742D(config-device-categorization-rfs6000)#mark-device 1 sanctioned ap mac 11-22-33-44-55-66
rfs6000-81742D(config-device-categorization-rfs6000)#show context
device-categorization rfs6000
 mark-device 1 sanctioned ap mac 11-22-33-44-55-66
rfs6000-81742D(config-device-categorization-rfs6000)#

Related Commands
no
    Removes an entry from the device categorization list
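Because mark-device marks every AP when no MAC address or SSID is given, a sanctioned entry can authorize far more than intended. The script below is an added example, not part of the guide or of WiNG: it parses a constructed "show context" listing, reports sanctioned entries that are not pinned to a MAC address, and classifies constructed observations. The function names, the sample data, single-token SSIDs, and first-match-by-index evaluation are assumptions.

```python
import re

# Constructed sample in the layout "show context" prints for a
# device-categorization list; every MAC and SSID here is made up.
SAMPLE_CONTEXT = """\
device-categorization rfs6000
 mark-device 1 sanctioned ap mac 11-22-33-44-55-66
 mark-device 2 neighboring ap ssid CoffeeShop
 mark-device 3 sanctioned ap ssid corp-wlan
 mark-device 4 sanctioned client
"""

# Assumption: SSIDs appear as a single token without spaces.
ENTRY_RE = re.compile(
    r"mark-device (?P<index>\d+) (?P<category>sanctioned|neighboring) "
    r"(?P<kind>ap|client)(?: ssid (?P<ssid>\S+))?(?: mac (?P<mac>\S+))?$"
)


def normalize_mac(mac):
    """Canonical form (12 lowercase hex digits) of 11-22-.., 11:22:.. or 1122.33.."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_entries(text):
    """Return the mark-device entries of one list, ordered by index."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # list header, prompts and unrelated lines
        entries.append({
            "index": int(m["index"]),
            "category": m["category"],
            "kind": m["kind"],
            "ssid": m["ssid"],
            "mac": normalize_mac(m["mac"]) if m["mac"] else None,
        })
    return sorted(entries, key=lambda e: e["index"])


def broad_sanctioned(entries):
    """Sanctioned entries that are not pinned to a MAC address."""
    findings = []
    for e in entries:
        if e["category"] != "sanctioned" or e["mac"]:
            continue
        if e["ssid"]:
            reason = f"any AP advertising SSID {e['ssid']!r} is sanctioned"
        else:
            reason = f"every {e['kind']} is sanctioned"
        findings.append((e["index"], reason))
    return findings


def classify(entries, kind, mac, ssid=None):
    """Category of the first matching entry, else 'unsanctioned'.

    Assumption: entries are evaluated in index order and the first match
    wins; the guide does not document the evaluation order.
    """
    mac = normalize_mac(mac)
    for e in entries:
        if e["kind"] != kind:
            continue
        if e["mac"] and e["mac"] != mac:
            continue
        if e["ssid"] and e["ssid"] != ssid:
            continue
        return e["category"]
    return "unsanctioned"


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_CONTEXT)
    for index, reason in broad_sanctioned(entries):
        print(f"mark-device {index}: {reason}")
    # Constructed observations: (kind, MAC, SSID)
    for kind, mac, ssid in [("ap", "11:22:33:44:55:66", "corp-wlan"),
                            ("ap", "aa-bb-cc-00-00-01", "corp-wlan"),
                            ("ap", "aa-bb-cc-00-00-02", "guest")]:
        print(kind, mac, ssid, "->", classify(entries, kind, mac, ssid))
```

In the sample, entry 3 sanctions an AP with an unlisted MAC address purely because it advertises corp-wlan, which is the erroneous authorization the section warns about; adding the optional mac keyword to the entry closes that gap.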
4.1.41.2.2 no

Removes a device from the device categorization list

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no mark-device <1-1000> [neighboring|sanctioned] [ap|client]
no mark-device <1-1000> [sanctioned|neighboring] client {mac <MAC>}
no mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac <MAC>}}

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes a mark device (AP or wireless client) entry from this device categorization list

Example
The following example shows the device categorization list ‘rfs6000’ settings before the ‘no’ command is executed:
rfs6000-81742D(config-device-categorization-rfs6000)#show context
device-categorization rfs6000
 mark-device 1 sanctioned ap mac 11-22-33-44-55-66
rfs6000-81742D(config-device-categorization-rfs6000)#

rfs6000-81742D(config-device-categorization-rfs6000)#no mark-device 1 sanctioned ap mac 11-22-33-44-55-66

The following example shows the device categorization list ‘rfs6000’ settings after the ‘no’ command is executed:
rfs6000-81742D(config-device-categorization-rfs6000)#show context
device-categorization rfs6000
rfs6000-81742D(config-device-categorization-rfs6000)#

Related Commands
mark-device
    Adds a device to a list of sanctioned or neighboring devices
4.1.42 dhcp-server-policy

Configures DHCPv4 server policy parameters, such as class, address range, and options. A new policy is created if it does not exist.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcp-server-policy <DHCP-SERVER-POLICY-NAME>

Parameters
• dhcp-server-policy <DHCP-SERVER-POLICY-NAME>

<DHCP-SERVER-POLICY-NAME>
    Specify the DHCPv4 server policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#dhcp-server-policy test
rfs6000-81742D(config-dhcp-policy-test)#?
DHCP policy Mode commands:
  bootp        BOOTP specific configuration
  dhcp-class   Configure DHCP class (for address allocation using DHCP
               user-class options)
  dhcp-pool    Configure DHCP server address pool
  dhcp-server  Activating dhcp server based on criteria
  no           Negate a command or set its defaults
  option       Define DHCP server option
  ping         Specify ping parameters used by DHCP Server
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
rfs6000-81742D(config-dhcp-policy-test)#

Related Commands
no
    Removes an existing DHCP server policy

NOTE: For more information on DHCP policy, see Chapter 12, DHCP-SERVER-POLICY.
4.1.43 dhcpv6-server-policy

Creates a DHCPv6 server policy and enters its configuration mode

DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes, or other configuration attributes required on an IPv6 network.

DHCPv6 servers pass IPv6 network addresses to IPv6 clients. The DHCPv6 address assignment feature manages non-duplicate addresses in the correct prefix based on the network where the host is connected. Assigned addresses can be from one or multiple pools. Additional options, such as the default domain and DNS name-server address, can be passed back to the client. Address pools can be assigned for use on a specific interface or on multiple interfaces, or the server can automatically find the appropriate pool.

When configured and applied to a device, the DHCPv6 server policy enables the device to function as a stateless DHCPv6 server.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcpv6-server-policy <DHCPv6-SERVER-POLICY-NAME>

Parameters
• dhcpv6-server-policy <DHCPv6-SERVER-POLICY-NAME>

<DHCPv6-SERVER-POLICY-NAME>
    Specify the DHCPv6 server policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config-dhcpv6-server-policy-test)#?
DHCPv6 server policy Mode commands:
  dhcpv6-pool              Configure DHCPV6 server address pool
  no                       Negate a command or set its defaults
  option                   Define DHCPv6 server option
  restrict-vendor-options  Restrict vendor specific options to be sent in
                           server reply
  server-preference        Server preference value sent in the reply, by the
                           server to client
  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal
rfs6000-81742D(config-dhcpv6-server-policy-test)#
Related Commands
no
    Removes an existing DHCPv6 server policy

NOTE: For more information on DHCP policy, see Chapter 12, DHCP-SERVER-POLICY.
4.1.44 dns-whitelist

Configures a DNS whitelist. A DNS whitelist is a list of domains allowed access to the network.

The following table lists DNS Whitelist configuration mode commands:

Table 4.22 DNS-Whitelist Config Commands

Command                      Description                                                Reference
dns-whitelist                Creates a DNS whitelist and enters its configuration mode  page 4-204
dns-whitelist-mode commands  Summarizes DNS whitelist configuration mode commands       page 4-205
4.1.44.1 dns-whitelist

Configures a DNS whitelist. A DNS whitelist is a list of allowed DNS destination IP addresses pre-approved to access a controller, service platform, or access point managed captive portal.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dns-whitelist <DNS-WHITELIST-NAME>

Parameters
• dns-whitelist <DNS-WHITELIST-NAME>

<DNS-WHITELIST-NAME>
    Specify the DNS whitelist name. If the whitelist does not exist, it is created.

Example
rfs6000-81742D(config)#dns-whitelist test
rfs6000-81742D(config-dns-whitelist-test)#?
DNS Whitelist Mode commands:
  no       Negate a command or set its defaults
  permit   Match a host
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-81742D(config-dns-whitelist-test)#

Related Commands
no
    Removes an existing DNS Whitelist
4.1.44.2 dns-whitelist-mode commands

The following table summarizes DNS Whitelist configuration mode commands:

Table 4.23 DNS-Whitelist-Mode Commands

Command  Description                                                                             Reference
permit   Permits a host, existing on a DNS whitelist, access to the network or captive portal  page 4-206
no       Negates a command or reverts to default                                                 page 4-207
4.1.44.2.1 permit

A whitelist is a list of host names and IP addresses permitted access to the network or captive portal. This command adds a host or destination IP address to the DNS whitelist.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
permit <IPv4/IPv6/HOSTNAME> {suffix}

Parameters
• permit <IPv4/IPv6/HOSTNAME> {suffix}

<IPv4/IPv6/HOSTNAME>
    Adds a device to the DNS whitelist
    • <IPv4/IPv6/HOSTNAME> – Provide a hostname or numerical IPv4 or IPv6 address for each destination IP address or host included in the whitelist.
    A maximum of 256 entries can be made.
suffix
    Optional. Matches any hostname or domain name including the specified name as suffix

Example
rfs6000-81742D(config-dns-whitelist-test)#permit example_company.com suffix
rfs6000-81742D(config-dns-whitelist-test)#show context
dns-whitelist test
permit example_company.com suffix
rfs6000-81742D(config-dns-whitelist-test)#

Related Commands
no
    Removes a DNS whitelist entry
4.1.44.2.2 no

Removes a specified host or IP address from the DNS whitelist, and prevents it from accessing network resources

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no permit <IPv4/IPv6/HOSTNAME>

Parameters
• no permit <IPv4/IPv6/HOSTNAME>

<IPv4/IPv6/HOSTNAME>
    Removes a device from the DNS whitelist (identifies the device by its IP address or hostname)
    • <IPv4/IPv6/HOSTNAME> – Specify the device’s IPv4/IPv6 address or hostname.

Example
rfs6000-81742D(config-dns-whitelist-test)#show context
dns-whitelist test
permit example_company.com suffix
rfs6000-81742D(config-dns-whitelist-test)#

rfs6000-81742D(config-dns-whitelist-test)#no permit example_company.com
rfs6000-81742D(config-dns-whitelist-test)#show context
dns-whitelist test
rfs6000-81742D(config-dns-whitelist-test)#

Related Commands
permit
    Adds a device to the DNS whitelist
4.1.45 end

Ends and exits the current mode and moves to the PRIV EXEC mode

The prompt changes to the PRIV EXEC mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
end

Parameters
None

Example
rfs4000-229D58(config)#end
rfs4000-229D58#
4.1.46 event-system-policy

The following table lists event system configuration mode commands:

Table 4.24 Event-System-Policy Config Command

Command                            Description                                                       Reference
event-system-policy                Creates an event system policy and enters its configuration mode  page 4-210
event-system-policy-mode commands  Summarizes event system policy configuration mode commands        page 4-211
4.1.46.1 event-system-policy

Configures a system wide events handling policy

Event system policies enable administrators to create notification mechanisms using one, some, or all of the SNMP, syslog, controller forwarding, or email notification options available to the controller or service platform. Each listed event can have customized notification settings defined and saved as part of an event policy. Thus, policies can be configured and administrated in respect to specific sets of client association, authentication or encryption, and performance events. Once policies are defined, they can be mapped to device profiles strategically as the likelihood of an event applies to particular devices.

To view an existing event system policy’s configuration details, use the show > event-system-policy command.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
event-system-policy <EVENT-SYSTEM-POLICY-NAME>

Parameters
• event-system-policy <EVENT-SYSTEM-POLICY-NAME>

<EVENT-SYSTEM-POLICY-NAME>
    Specify the event system policy name. If the policy does not exist, it is created.

Example
rfs6000-81701D(config)#event-system-policy event-testpolicy
rfs6000-81701D(config-event-system-policy-event-testpolicy)#?
Event System Policy Mode commands:
  event    Configure an event
  no       Negate a command or set its defaults
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-81701D(config-event-system-policy-event-testpolicy)#

Related Commands
no
    Removes an event system policy

4.1.46.2 event-system-policy-mode commands

The following table summarizes event system policy configuration mode commands:

Table 4.25 Event-System-Policy Mode Commands
Command | Description | Reference
event | Configures an event | page 4-212
no | Negates a command or reverts to default | page 4-225

4.1.46.2.1 event

Configures an event and sets the action performed when the event happens

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
event <EVENT-TYPE> <EVENT-NAME> (email,forward-to-switch,snmp,syslog) [default|on|off]

The event types are:
rfs6000-81742D(config-event-system-policy-testpolicy)#event ?
  aaa             AAA/Radius module
  adapt           Adaptivity Module
  adopt-service   Adoption Service
  adv-wips        Adv-wips module
  ap              Access Point module
  bt              Bluetooth
  captive-portal  Captive Portal
  cdp             Cisco Discovery Protocol
  certmgr         Certificate Manager (Not valid for NCAP/MCN)
  cfgd            Cfgd module
  cluster         Cluster module
  crm             Critical Resource Monitoring
  database        Database Services
  device          Device module
  dhcpsvr         DHCP Configuration Daemon
  diag            Diag module
  dot11           802.11 management module
  dot1x           802.1X Authentication
  fwu             Firmware update module
  isdn            Isdn module
  l2gre           Layer 2 GRE Tunnel
  l2tpv3          Layer 2 Tunneling Protocol Version 3
  licmgr          License module
  lldp            Link Layer Discovery Protocol
  mesh            Mesh module
  mgmt            Management Services
  nsm             Network Services Module
  pm              Process-monitor module
  radconf         Radius Configuration Daemon
  rasst           Roaming-Assist module
  radio           Radio module
  smrt            Smart-rf module
  smtpnot         Smtpnot module
  system          System module
  test            Test module
  vrrp            Virtual Router Redundancy Protocol
  webf            Webf module
  wips            Wireless IPS module
rfs6000-81742D(config-event-system-policy-testpolicy)#

Parameters
• event <EVENT-TYPE> <EVENT-NAME> (email,forward-to-switch,snmp,syslog) [default|on|off]

NOTE: The parameter values for <EVENT-TYPE> and <EVENT-NAME> are summarized in the table under the Parameters section.

<event-type> <event-name>

aaa
Enables and configures logging of the following authentication, authorization, and accounting related events:
• radius-discon-msg – RADIUS disconnection
• radius-session-expired – RADIUS session expired
• radius-session-not-started – RADIUS session not started
• radius-vlan-update – RADIUS VLAN update

adapt
Enables and configures logging of the following adaptivity module related events:
• adaptivity-change – Event adaptivity change
• adaptivity-rehome – Event adaptivity rehome

adopt-services
Enables and configures the logging of adopted services related events

adv-wips
Enables and configures the logging of advanced WIPS related events

ap
Enables and configures logging of the following AP related events:
• adopted – Event AP adopted
• adopted-to-controller – Event AP adopted to wireless controller
• ap-adopted – Event access port adopted
• ap-autoup-done – Event AP autoup done
• ap-autoup-fail – Event AP autoup fail
• ap-autoup-needed – Event AP autoup needed
• ap-autoup-no-need – Event AP autoup not needed
• ap-autoup-reboot – Event AP autoup reboot
• ap-autoup-timeout – Event AP autoup timeout
• ap-autoup-ver – Event AP autoup version
• ap-reset-detected – Event access port reset detected
• ap-reset-request – Event access port user requested reset
• ap-timeout – Event access port timed out
• ap-unadopted – Event access port unadopted
• image-parse-failure – Event image parse failure message
• legacy-auto-update – Event legacy auto update
• no-image-file – Event no image file
• offline – Event AP detected as offline
• online – Event offline AP detected as online
• reset – Event AP reset
• sw-conn-lost – Event software connection with AP lost
• unadopted – Event AP unadopted

bt
Enables and configures logging of the following bluetooth related events:
• bt-started – Event bluetooth (bt) started
• bt-state-change – Event bt state change

captive-portal
Enables and configures logging of the following captive portal (hotspot) related events:
• allow-access – Event client allowed access
• auth-failed – Event client authentication failed
• auth-success – Event client authentication success
• client-disconnect – Event client disconnected
• client-removed – Event client removed
• data-limit-exceed – Event client data limit exceed
• flex-log-access – Event flexible log access granted to client
• inactivity-timeout – Event client time-out due to inactivity
• page-cre-failed – Event captive portal page creation failure
• purge-client – Event client purged
• session-timeout – Event client’s session timeout
• vlan-switch – Event client switched VLAN

cdp
Enables and configures logging of the following CISCO Discovery Protocol (cdp) related event:
• duplex-mismatch – Event duplex mismatch detected between CDP neighbors

certmgr
Enables and configures logging of the following certificate manager related events (not applicable to AP6511 and AP6521 model access points):
• ca-cert-actions-failure – Event CA certificate actions failure
• ca-cert-actions-success – Event CA certificate actions success
• ca-key-actions-failure – Event CA key actions failure
• ca-key-actions-success – Event CA key actions success
• cert-expiry – Event certificate expiry
• crl-actions-failure – Event Certificate Revocation List (CRL) actions failure
• crl-actions-success – Event CRL actions success
• csr-export-failure – Event CSR export failure
• csr-export-success – Event CSR export success
• delete-trustpoint-action – Event delete trustpoint action
• export-trustpoint – Event trustpoint exported
• import-trustpoint – Event trustpoint imported
• rsa-key-actions-failure – Event RSA key actions failure
• rsa-key-actions-success – Event RSA key actions success
• svr-cert-actions-success – Event server certificate actions success
• svr-cert-actions-failure – Event server certificate actions failure

certmgr-lite
Enables and configures logging of certificate manager (lite version) related event messages (applicable only to AP6521 and AP6511 model access points)

cfgd
Enables and configures logging of the following configuration daemon module related events:
• acl-attached-altered – Event Access List (ACL) attached altered
• acl-rule-altered – Event ACL rule altered

cluster
Enables and configures logging of the following cluster module related events:
• cmaster-cfg-update-fail – Event cluster master config update failed
• max-exceeded – Event maximum cluster count exceeded
• state-change – Event cluster state change (active/inactive)
• state-change-active – Event cluster state change to active
• state-change-inactive – Event cluster state change to inactive
• state-retain-active – Event cluster state retained as active

crm
Enables and configures logging of the following Critical Resource Monitoring (CRM) related events:
• critical-resource-down – Event critical resource goes down
• critical-resource-up – Event critical resource comes up

device
Enables and configures the logging of device module related events

database
Enables and configures logging of the following error conditions in the captive-portal/NSIght database:
• database-election-fail – Event primary database node selection failure. Requires manual intervention to select primary database node.
• database-exception – Event database may need to be dropped and device restarted
• database-low-disk-space – Event database low disk space
• Database-new-state – Event database state change
• database-op-failure – Event database failure
• database-set-name-mismatch – Event replica-set not enabled on host
• database-storage-mismatch – Event database mismatch. All database files must be removed.
• operation-complete – Event database operation completed successfully
• operation-failed – Event database operation failure

dhcpsvr
Enables and configures logging of the following DHCP server related events:
• dhcp-start – Event DHCP server started
• dhcpsvr-stop – Event DHCP server stopped
• relay-iface-no-ip – Event no IP address on DHCP relay interface
• relay-no-iface – Event no interface for DHCP relay
• relay-start – Event relay agent started
• relay-stop – Event DHCP relay agent stopped

diag
Enables and configures logging of the following diagnostics module related events:
• autogen-tech-sprt – Event autogen technical support
• buf-usage – Event buffer usage
• cpu-load – Event CPU load
• cpu-usage-too-high – Event CPU usage high
• cpu-usage-too-high-recover – Event recovery from high CPU usage
• disk-usage – Event disk usage
• elapsed-time – Event elapsed time
• fan-underspeed – Event fan underspeed
• fd-count – Event forward count
• free-flash-disk – Event free flash disk
• free-flash-inodes – Event free flash inodes
• free-nvram-disk – Event free nvram disk
• free-nvram-inodes – Event free nvram inodes
• free-ram – Event free ram
• free-ram-disk – Event free ram disk
• free-ram-inodes – Event free ram inodes
• head-cache-usage – Event head cache usage
• high-temp – Event high temp
• ip-dest-usage – Event ip destination usage
• led-identify – Event led identify
• low-temp – Event low temp
• mem-usage-too-high – Event memory usage high
• mem-usage-too-high-recover – Event recovery from high memory usage
• new-led-state – Event new led state
• over-temp – Event over temp
• over-voltage – Event over voltage
• poe-init-fail – Event PoE init fail
• poe-power-level – Event PoE power level
• poe-read-fail – Event PoE read fail
• poe-state-change – Event PoE state change
• pwrsply-fail – Event failure of power supply
• raid-degraded – Event Redundant Array of Independent Disks (RAID) degraded
• raid-error – Event RAID error
• ram-usage – Event ram usage
• under-voltage – Event under voltage
• wd-reset-sys – Event wd reset system
• wd-state-change – Event wd state change

dot11
Enables and configures logging of the following 802.11 management module related events:
• client-assoc-ignored – Wireless client association ignored event
• client-associated – Wireless client associated event
• client-denied-assoc – Event client denied association
• client-disassociated – Wireless client disassociated
• country-code – Event country code applied
• country-code-error – Event country code error
• eap-cached-keys – Event Extensible Authentication Protocol (EAP) cached keys
• eap-client-timeout – Event EAP client timeout
• eap-failed – Event EAP failed
• eap-opp-cached-keys – Event EAP opp cached keys
• eap-preauth-client-timeout – Event EAP pre authentication client timeout
• eap-preauth-failed – Event EAP pre authentication failed
• eap-preauth-server-timeout – Event EAP pre authentication server timeout
• eap-preauth-success – Event EAP pre authentication success
• eap-server-timeout – Event EAP server timeout
• eap-success – Event EAP success
• ft-roam-success – Event client fast BSS transition
• gal-rx-request – Event GAL request received event
• gal-tx-response – Event response sent to GAL request
• gal-validate-failed – Event GAL validation failed
• gal-validate-req – Event GAL validation request
• gal-validate-success – Event GAL validation success
• kerberos-client-success – Event client Kerberos authentication success
• kerberos-wlan-failed – Event WLAN Kerberos authentication failed
• kerberos-wlan-success – Event WLAN Kerberos authentication success
• kerberos-wlan-timeout – Event Kerberos authentication timed out
• move-operation-success – Event move operation success
• neighbor-denied-assoc – Event neighbor denied association
• tkip-cntrmeas-end – Event TKIP countermeasures ended
• tkip-cntrmeas-start – Event TKIP countermeasures initiated
• tkip-mic-fail-report – Event TKIP MIC failure report
• tkip-mic-failure – Event TKIP MIC check failed
• voice-call-completed – Event voice call completed
• voice-call-established – Event voice call established
• voice-call-failed – Event voice call failed
• wlan-time-access-disable – Event WLAN disabled by time-based-access
• wlan-time-access-enable – Event WLAN re-enabled by time-based-access
• wpa-wpa2-failed – Event WPA-WPA2 failed
• wpa-wpa2-key-rotn – Event WPA-WPA2 key rotn
• wpa-wpa2-success – Event WPA-WPA2 success

dot1x
Enables and configures logging of the following 802.1X authentication related events:
• dot1x-failed – Event EAP authentication failure
• dot1x-success – Event dot1x-success

fwu
Enables and configures logging of the following firmware update (fwu) related events:
• fwuaborted – Event fwu aborted
• fwubadconfig – Event fwu aborted due to bad config
• fwucorruptedfile – Event fwu aborted due to corrupted file
• fwucouldntgetfile – Event fwu aborted because the system could not get file
• fwudone – Event fwu done
• fwufileundef – Event fwu aborted due to file undefined
• fwunoneed – Event fwu no need
• fwuprodmismatch – Event fwu aborted due to product mismatch
• fwuserverundef – Event fwu aborted due to server undefined
• fwuserverunreachable – Event fwu aborted due to server unreachable
• fwusignmismatch – Event fwu aborted due to signature mismatch
• fwusyserr – Event fwu aborted due to system error
• fwuunsupportedhw – Event fwu aborted due to unsupported hardware
• fwuunsupportedmodelnum – Event fwu aborted due to unsupported FIPS model number
• fwuvermismatch – Event fwu aborted due to version mismatch

isdn
Enables and configures logging of the following file Integrated Service Digital Network (ISDN) module related events:
• isdn-alert – Event ISDN alert
• isdn-crit – Event ISDN critical
• isdn-debug – Event ISDN debug
• isdn-emerg – Event ISDN emergency
• isdn-err – Event ISDN error
• isdn-info – Event ISDN info
• isdn-notice – Event ISDN notice
• isdn-warning – Event ISDN warning

l2gre
Enables and configures logging of the following Layer 2 GRE (L2GRE) tunnel related events:
• l2gre-tunnel-down – Event L2GRE tunnel down
• l2gre-tunnel-failover – Event L2GRE tunnel failover
• l2gre-tunnel-up – Event L2GRE tunnel up

l2tpv3
Enables and configures logging of the following L2TPv3 related events:
• l2tpv3-tunnel-down – Event L2TPv3 tunnel down
• l2tpv3-tunnel-up – Event L2TPv3 tunnel up

licmgr
Enables and configures logging of the following license manager module related events:
• lic-installed-count – Event total number of license installed count
• lic-installed-default – Event default license installation
• lic-installed – Event license installed
• lic-invalid – Event license installation failed
• lic-removed – Event license removed

lldp
Enables and configures logging of the following Link Layer Discovery Protocol (LLDP) related events:
• lldp-loop-detected – Event layer 2 switching loop
• lldp-loop-recovery – Event recovery from layer 2 switching loop

mgmt
Enables and configures logging of the following management services module related events:
• log-http-init – Event Web server started
• log-http-local-start – Event Web server started in local mode
• log-http-start – Event Web server started in external mode
• log-https-start – Event secure Web server started
• log-https-wait – Event waiting for Web server to start
• log-key-deleted – Event RSA key associated with SSH is deleted
• log-key-restored – Event RSA key associated with SSH is added
• log-trustpoint-deleted – Event trustpoint associated with HTTPS is deleted

mesh
Enables and configures logging of the following mesh module related events:
• mesh-link-down – Event mesh link down
• mesh-link-up – Event mesh link up
• meshpoint-down – Event meshpoint down
• meshpoint-loop-prevent-off – Event meshpoint loop prevent off
• meshpoint-loop-prevent-on – Event meshpoint loop prevent on
• meshpoint-path-change – Event meshpoint-path-change
• meshpoint-root-change – Event meshpoint-root-change
• meshpoint-up – Event meshpoint up

nsm
Enables and configures logging of the following Network Service Module (NSM) related events:
• dhcpc-err – Event DHCP certification error
• dhcpdefrt – Event DHCP defrt
• dhcpip – Event DHCP IP
• dhcpipchg – Event DHCP IP change
• dhcpipnoadd – Event DHCP IP overlaps static IP address
• dhcplsexp – Event DHCP lease expiry
• dhcpnak – Event DHCP server returned DHCP NAK response
• dhcpnodefrt – Event interface no default route
• if-failback – Event interface failback message
• if-failover – Event interface failover message
• ifdown – Event interface down message
• ifipcfg – Event interface IP config message
• ifup – Event interface up message
• nsm-ntp – Event translate host name message
• ntp-start – Event NTP server start message
• ntp-stop – Event NTP server stop message

pm
Enables and configures logging of the following process monitor module related events:
• procid – Event proc ID generated
• procmaxrstrt – Event proc max restart
• procnoresp – Event proc no response
• procrstrt – Event proc restart
• procstart – Event proc start
• procstop – Event proc stop
• procsysrstrt – Event proc system restart
• startupcomplete – Event startup complete

radconf
Enables and configures logging of the following RADIUS configuration daemon related events:
• could-not-stop-radius – Event could not stop RADIUS server
• radiusdstart – Event RADIUS server started
• radiusdstop – Event RADIUS server stopped

radio
Enables and configures logging of the following radio module related events:
• acs-scan-complete – Event ACS scan completed
• acs-scan-started – Event ACS scan started
• cb-associated – Event client-bridge access point associates with an infrastructure access point
• cb-roam – Event client-bridge access point roams from one infrastructure access point to another infrastructure access point
• cb-wired-client-added – Event wired client is added to the client-bridge
• cb-wired-client-removed – Event wired client is removed from the client-bridge
• channel-country-mismatch – Event channel and country of operation mismatch
• radar-det-info – Event radar detected radar info
• radar-detected – Event radar detected
• radar-scan-completed – Event radar scan completed
• radar-scan-started – Event radar scan started
• radio-antenna-error – Event invalid antenna type on this radio
• radio-antenna-setting – Event antenna type setting on this radio
• radio-state-change – Event radio state change
• resume-home-channel – Event resume home channel

rasst
Enables and configures the logging of roaming assist module related events

smrt
Enables and configures logging of the following SMART RF module related events:
• calibration-done – Event calibration done
• calibration-started – Event calibration started
• channel-change – Event channel change
• config-cleared – Configuration cleared event
• cov-hole-recovery – Event coverage hole recovery
• cov-hole-recovery-done – Event coverage hole recovery done
• interference-recovery – Event interference recovery
• neighbor-recovery – Event neighbor recovery
• power-adjustment – Event power adjustment
• root-recovery – Event meshpoint root recovery

smtpnot
Enables and configures logging of the following SMTP module related events:
• cfg – Event cfg
• cfginc – Event cfg inc
• net – Event net
• proto – Event proto
• smtpauth – Event SMTP authentication
• smtperr – Event SMTP error
• smtpinfo – Event SMTP information

system
Enables and configures logging of the following system module related events:
• clock-reset – Event clock reset
• cold-start – Event cold start
• config-commit – Event configuration commit
• config-revision – Event config-revision done
• devup-rfd-fail – Event device-upgrade failed on rf-domain manager managed devices
• guest-user-exp – Event guest user purging
• http-err – Event Web server failed to start
• login – Event user successfully logged in
• login-fail – Event login fail. Occurs when user authentication fails.
• login-fail-access – Event login fail access. Occurs in case of access violation.
• login-fail-bad-role – Event login fail bad role. Occurs when user uses an invalid role to logon.
• login-lockout – Event user account locked out message. Occurs when a user account is locked after exceeding the maximum number of failed login attempts threshold. Configure this event notification only if the max-fail and lockout-time parameters have been configured in the management-policy context. For more information, see passwd-entry.
• login-unlocked – Event user account un-locked. Occurs when a locked user account is re-activated. Enable this event notification only if the max-fail and lockout-time parameters have been configured in the management-policy context. For more information, see passwd-entry.
• logout – Event user logout
• maat-light – Event action on Research in Motion (RIM) radio(s) from the Maat light module
• panic – Event panic
• periodic-heart-beat – Event periodic heart beat
• procstop – Event proc stop
• server-unreachable – Event server-unreachable
• system-autoup-disable – Event system autoup disable
• system-autoup-enable – Event system autoup enable
• t5-config-error – Event t5-config-error
• ui-user-auth-fail – Event user authentication fail
• ui-user-auth-success – Event user authentication success
• warm-start – Event warm start
• warm-start-recover – Event recovery from warm start

test
Enables and configures logging of the following test module related events:
• testalert – Event test alert
• testargs – Event test arguments
• testcrit – Event test critical
• testdebug – Event test debug
• testemerg – Event test emergency
• testerr – Event test error
• testinfo – Event test information
• testnotice – Event test notice
• testwarn – Event test warning

vrrp
Enables and configures logging of the following Virtual Router Redundancy Protocol (VRRP) related events:
• vrrp-monitor-change – Event VRRP monitor link state change
• vrrp-state-change – Event VRRP state transition
• vrrp-vip-subnet-mismatch – Event VRRP IP not overlapping with an interface address

webf
Enables and configures logging of the following Web Filtering (webf) module related events:
• malform-url-request – Event malformed URL request
• no-parent-engine – Event ‘no session to URL classification server’
• srvr-connect-fail – Event URL classification server unreachable
• url-blocked – Event URL blocked
• webf-lic-acquired – Event webf license acquired
• webf-lic-missing – Event webf license missing
• webf-lic-revoked – Event webf license revoked

wips
Enables and configures logging of the following Wireless IPS module related events:
• air-termination-active – Event air termination active
• air-termination-ended – Event air termination ended
• air-termination-inactive – Event air termination inactive
• air-termination-initiated – Event air termination initiated
• rogue-ap-active – Event rogue AP active
• rogue-ap-inactive – Event rogue AP inactive
• unsanctioned-ap-active – Event unsanctioned AP active
• unsanctioned-ap-inactive – Event unsanctioned AP inactive
• unsanctioned-ap-status-change – Event unsanctioned AP changed state
• wips-client-blacklisted – Event WIPS client blacklisted
• wips-client-rem-blacklist – Event WIPS client rem blacklist
• wips-event – Event WIPS event triggered

email
Sends e-mail notifications to a pre configured e-mail ID

forward-to-switch
Forwards the messages to an external server

snmp
Logs an SNMP event

syslog
Logs an event to syslog

default
Performs the default action for the event

off
Switches the event off. When the event happens, no action is performed.

on
Switches the event on. When the event happens, the configured action is taken.

Example
rfs4000-229D58(config-event-system-policy-event-testpolicy)#event aaa radius-discon-msg email on forward-to-switch default snmp default syslog default
rfs4000-229D58(config-event-system-policy-event-testpolicy)#
rfs4000-229D58(config-event-system-policy-testpolicy)#show context
event-system-policy test
 event aaa radius-discon-msg email on
rfs4000-229D58(config-event-system-policy-testpolicy)#
nx9500-6C8809(config-event-system-policy-test)#event database database-exception syslog default snmp default forward-to-switch default email default
nx9500-6C8809(config-event-system-policy-test)#event database operation-failed syslog default snmp default forward-to-switch default email default
nx9500-6C8809(config-event-system-policy-test)#show context include-factory | grep operation-failed
 event database operation-failed syslog default snmp default forward-to-switch default email default
nx9500-6C8809(config-event-system-policy-test)#

Related Commands
no
Resets or disables event monitoring
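
The following Python script is an added example, not part of the WiNG documentation or any Extreme Networks tooling. It parses event lines in the form shown in the show context output above and reports, for a chosen set of events, whether syslog notification is on, off, or left at the default action. The REQUIRED set, the SAMPLE text and the function names are assumptions made for illustration; a channel missing from the output is treated as default, as in the show context example above.

```python
"""Audit the notification settings in a WiNG event-system-policy dump."""

CHANNELS = ("email", "forward-to-switch", "snmp", "syslog")
STATES = ("default", "on", "off")

# Assumption: events this reviewer wants sent to syslog. The names come from
# the event tables on this page; the selection itself is illustrative.
REQUIRED = {
    ("system", "login-fail"),
    ("system", "login-lockout"),
    ("wips", "rogue-ap-active"),
    ("fwu", "fwusignmismatch"),
    ("mgmt", "log-key-deleted"),
}

# Constructed sample in the shape of the 'show context' output on this page.
SAMPLE = """\
event-system-policy test
 event aaa radius-discon-msg email on
 event system login-fail syslog on snmp on
 event system login-lockout syslog off
 event wips rogue-ap-active email on
 event fwu fwusignmismatch syslog on forward-to-switch on
"""


def parse_policy(text):
    """Return {(event_type, event_name): {channel: state}}."""
    policy = {}
    for raw in text.splitlines():
        # Accept pasted session lines by dropping a 'host(mode)#' prompt.
        words = raw.split("#", 1)[-1].split()
        if len(words) < 3 or words[0] != "event":
            continue  # policy header, blank line, 'no event ...', other commands
        pairs = words[3:]
        if not pairs or len(pairs) % 2:
            raise ValueError(f"expected <channel> <state> pairs: {raw.strip()!r}")
        settings = policy.setdefault((words[1], words[2]), {})
        for channel, state in zip(pairs[0::2], pairs[1::2]):
            if channel not in CHANNELS or state not in STATES:
                raise ValueError(f"bad setting {channel} {state}: {raw.strip()!r}")
            settings[channel] = state
    return policy


def audit(text, required=REQUIRED, channel="syslog"):
    """Classify each required event for one notification channel.

    'ok'             the channel is explicitly on
    'disabled'       the channel is explicitly off
    'review-default' the channel is 'default' or absent; the default action
                     is per event and has to be checked on the device
    """
    policy = parse_policy(text)
    verdict = {"on": "ok", "off": "disabled", "default": "review-default"}
    return {
        key: verdict[policy.get(key, {}).get(channel, "default")]
        for key in sorted(required)
    }


if __name__ == "__main__":
    for (etype, ename), result in audit(SAMPLE).items():
        print(f"{etype:8} {ename:20} syslog: {result}")
```
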

4.1.46.2.2 no

Negates an event monitoring configuration

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no event <EVENT-TYPE> <EVENT-NAME> [email|forward-to-switch|snmp|syslog] [default|on|off]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes event monitoring and message forwarding activity based on the parameters passed.
The system stops network monitoring for the occurrence of the specified event and no notification is sent if the event occurs.

Example
rfs4000-229D58(config-event-system-policy-TestPolicy)#event ap adopted syslog default
rfs4000-229D58(config-event-system-policy-TestPolicy)#no event ap adopted syslog

Related Commands
event
Configures the action taken for each event

4.1.47 ex3500

The following table lists EX3500 time-range configuration mode commands. It also provides links to other EX3500 related configuration modes:

Table 4.26 EX3500-Time-Range-List Config Command
Command | Description | Reference
ex3500 | Creates an EX3500 time range list and enters its configuration mode | page 4-227
ex3500-time-range-config-mode commands | Summarizes EX3500 time range list configuration mode commands | page 4-228
ex3500-management-policy | Creates an EX3500 management policy and enters its configuration mode | page 4-233
ex3500-qos-class-map-policy | Creates an EX3500 QoS class map policy and enters its configuration mode | page 4-254
ex3500-qos-policy-map | Creates an EX3500 QoS policy map and enters its configuration mode | page 4-262
ex3524 | Adds an EX3524 switch to the network | page 4-277
ex3548 | Adds an EX3548 switch to the network | page 4-279

4.1.47.1 ex3500

Creates an EX3500 time range list and enters its configuration mode

An EX3500 time range list consists of a set of periodic and absolute time range rules. Periodic time ranges recur periodically at specified time periods, such as daily, weekly, weekends, weekdays, and on specific week days, for example, on every successive Monday. Absolute time ranges are not periodic and do not recur. They consist of a range of days during a particular time period (the starting and ending days and time are fixed).

The EX3500 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T ports, and four Small Form Factor Pluggable (SFP) transceiver slots for fiber connectivity. The EX3500 series switch can adopt to a WiNG NOC controller and be managed by it. The EX3500 time range values configured here are used in EX3500 MAC ACL firewall rules that filter an EX3500’s incoming and outgoing traffic. For more information on creating EX3500 MAC ACL rules, see ex3500 and access-group.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
ex3500 time-range <TIME-RANGE-NAME>

Parameters
• ex3500 time-range <TIME-RANGE-NAME>

ex3500 time-range <TIME-RANGE-NAME>
Configures EX3500 time range list and enters its configuration mode
• <TIME-RANGE-NAME> – Enter a name for this EX3500 time range. If the time range does not exist, it is created.

Example
nx9500-6C8809(config)#ex3500 time-range EX3500_TimeRange_02
nx9500-6C8809(config-ex3500-time-range-EX3500_TimeRange_02)#?
EX3500 Time Range Configuration commands:
  absolute  Absolute time and date
  no        Negate a command or set its defaults
  periodic  Periodic time and date
  clrscr    Clears the display screen
  commit    Commit all changes made in this session
  do        Run commands from Exec mode
  end       End current mode and change to EXEC mode
  exit      End current mode and down to previous mode
  help      Description of the interactive help system
  revert    Revert changes
  service   Service Commands
  show      Show running system information
  write     Write running configuration to memory or terminal
nx9500-6C8809(config-ex3500-time-range-EX3500_TimeRange_02)#

Related Commands
no
Removes this EX3500 time range list

4.1.47.2 ex3500-time-range-config-mode commands

The following table summarizes EX3500 time-range configuration mode commands:

Table 4.27 EX3500-Time-Range-Mode Commands
Command | Description | Reference
absolute | Configures an absolute time range rule for this EX3500 time range list | page 4-229
periodic | Configures a periodic time range rule for this EX3500 time range list | page 4-230
no | Removes this EX3500 time range list's settings | page 4-232

4.1.47.2.1 absolute

Configures an absolute time range rule for this EX3500 time range list

Absolute time ranges are not periodic and do not recur. They consist of a range of days during a particular time period.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
absolute start <0-23> <0-59> <1-31> <MONTH> <2013-2037> {end <0-23> <0-59> <1-31> <MONTH> <2013-2037>}

Parameters
• absolute start <0-23> <0-59> <1-31> <MONTH> <2013-2037> {end <0-23> <0-59> <1-31> <MONTH> <2013-2037>}

absolute
Configures an absolute time range rule settings

start <0-23> <0-59> <1-31> <MONTH> <2013-2037>
Configures the start day and time settings
• <0-23> – Specify the start time from 0 - 23 hours.
• <0-59> – Specify the start time from 0 - 59 minutes.
For example, if the values provided are 12 hours and 30 minutes, the start time is 12:30 A.M on the specified day.
• <1-31> – Specify the day of month from 1 - 31 when the time range starts.
• <MONTH> – Specify the month. The options are: April, August, December, February, January, July, June, March, May, November, October, September.
• <2013-2037> – Specify the year from 2013 - 2037.

end <0-23> <0-59> <1-31> <MONTH> <2013-2037>
Optional. Configures the end day and time settings
• <0-23> – Specify the end time from 0 - 23 hours.
• <0-59> – Specify the end time from 0 - 59 minutes.
• <1-31> – Specify the day of month from 1 - 31 when the time range ends.
• <MONTH> – Specify the month. The options are: April, August, December, February, January, July, June, March, May, November, October, September.
• <2013-2037> – Specify the year from 2013 - 2037.

Example
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#absolute start 1 0 1 june 2017 end 1 0 30 june 2018
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
 absolute start 1 0 1 june 2017 end 1 0 30 june 2018
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#

Related Commands
no
Removes this absolute time range rule from the EX3500 time range list
4.1.47.2.2 periodic

Configures a periodic time range rule for this EX3500 time range list

Periodic time ranges are configured to recur based on periodicity such as daily, weekly, weekends, weekdays, and on specific week days, such as on every successive Sunday.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> rule-precedence <1-7>

Parameters
• periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> rule-precedence <1-7>

periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend]
Configures this periodic time range’s start day. The options are:
• daily
• Friday
• Monday
• Saturday
• Sunday
• Thursday
• Tuesday
• Wednesday
• weekdays
• weekend

<0-23> <0-59>
After specifying the start day, specify the start time in hours (24 hours format) and minutes
• <0-23> – Specify the start time from 0 - 23 hours.
• <0-59> – Specify the start time from 0 - 59 minutes.
For example, if the values provided are 12 hours and 30 minutes, the start time is 12:30 A.M on the specified day.

to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend]
Configures this periodic time range’s end day. This is the day when the time range ends. The options available change depending on the start day configured. The options are:
• <0-23> <0-59> – Select this option to end the time range on the same day as it starts. Specify the end hour from 0 - 23 hours and the minutes from 0 - 59 minutes.
• daily – Select this option if the time range starts and ends every day at a specified time
• friday – Select this option if the time range ends on Fridays
• monday – Select this option if the time range ends on Mondays
• saturday – Select this option if the time range ends on Saturdays
• sunday – Select this option if the time range ends on Sundays
• thursday – Select this option if the time range ends on Thursdays
• tuesday – Select this option if the time range ends on Tuesdays
• wednesday – Select this option if the time range ends on Wednesdays
• weekdays – Select this option if the time range ends on Weekdays
• weekend – Select this option if the time range ends on Weekends
If the time range does not end on the same day, select the end day, and then specify the end time, or else just specify the end time.

<0-23> <0-59>
After specifying the end day, specify the end time in hours (in 24 hours format) and minutes
• <0-23> – Specify the end time from 0 - 23 hours.
• <0-59> – Specify the end minute from 0 - 59 minutes.
In case of time ranges starting and ending on the same day, ensure that the end time (hours and minutes) is not lower than the specified start time.

rule-precedence <1-7>
Configures a precedence value for this periodic time range rule. Rules with lower precedence have higher priority and are applied first.
• <1-7> – Specify a precedence value from 1 - 7.

Example
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#periodic daily 1 10 to daily 23 10 rule-precedence 1
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
 periodic daily 1 10 to daily 23 10 rule-precedence 1
 absolute start 1 0 1 june 2017 end 1 0 30 june 2018
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#

Related Commands
no | Removes this periodic time range rule from the EX3500 time range list
4.1.47.2.3 no

Removes this EX3500 time range list's settings

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
no [absolute|periodic]
no absolute
no periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes this EX3500 time range list's settings based on the parameters passed

Example
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
 periodic daily 1 10 to daily 23 10 rule-precedence 1
 absolute start 1 0 1 june 2015 end 1 0 30 june 2016
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#no periodic daily 1 10 to daily 23 10 rule-precedence 1
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
 absolute start 1 0 1 june 2015 end 1 0 30 june 2016
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#
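A check for the absolute and periodic rules described above that can be run before the rules are typed into the CLI, as an added example that is not part of the manual or of WiNG. The function names, the `expired` helper and the end-after-start check on absolute rules are assumptions of this example; the numeric ranges and the same-day rule for periodic ranges come from the parameter tables.

```python
from datetime import datetime

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DAYS = {"daily", "friday", "monday", "saturday", "sunday", "thursday",
        "tuesday", "wednesday", "weekdays", "weekend"}


def _hm(hour, minute):
    """Return (hour, minute) after enforcing <0-23> and <0-59>."""
    h, m = int(hour), int(minute)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"time {hour}:{minute} is outside <0-23> <0-59>")
    return h, m


def _stamp(tok):
    """Turn [hour, minute, day, MONTH, year] into a datetime."""
    hour, minute, day, month, year = tok
    if month.lower() not in MONTHS:
        raise ValueError(f"unknown month {month!r}")
    if not 2013 <= int(year) <= 2037:
        raise ValueError(f"year {year} is outside <2013-2037>")
    h, m = _hm(hour, minute)
    # datetime() rejects days the calendar does not have, such as 31 june.
    return datetime(int(year), MONTHS.index(month.lower()) + 1, int(day), h, m)


def check_absolute(rule):
    """Validate an 'absolute start ... {end ...}' rule; return (start, end)."""
    tok = rule.split()
    if tok[:2] != ["absolute", "start"] or len(tok) not in (7, 13):
        raise ValueError("expected: absolute start H M D MONTH Y {end H M D MONTH Y}")
    start = _stamp(tok[2:7])
    if len(tok) == 7:
        return start, None          # the end clause is optional
    if tok[7] != "end":
        raise ValueError("expected keyword 'end'")
    end = _stamp(tok[8:13])
    if end <= start:                # sanity check added by this example
        raise ValueError("end is not after start")
    return start, end


def check_periodic(rule):
    """Validate a 'periodic ... to ... rule-precedence N' rule."""
    tok = rule.split()
    if len(tok) < 9 or tok[0] != "periodic" or tok[1] not in DAYS or tok[4] != "to":
        raise ValueError("expected: periodic DAY H M to [DAY] H M rule-precedence N")
    start_day, start = tok[1], _hm(tok[2], tok[3])
    rest = tok[5:]
    # Without an end day the range ends on the day it starts.
    end_day = rest.pop(0) if rest[0] in DAYS else start_day
    if len(rest) != 4 or rest[2] != "rule-precedence":
        raise ValueError("expected: H M rule-precedence <1-7>")
    end, precedence = _hm(rest[0], rest[1]), int(rest[3])
    if not 1 <= precedence <= 7:
        raise ValueError("rule-precedence is outside <1-7>")
    if end_day == start_day and end < start:
        raise ValueError("same-day range ends before it starts")
    return start_day, start, end_day, end, precedence


def expired(rule, now):
    """True when an absolute rule has an end that lies before 'now'."""
    _, end = check_absolute(rule)
    return end is not None and now > end


if __name__ == "__main__":
    manual_rule = "absolute start 1 0 1 june 2017 end 1 0 30 june 2018"
    print(check_absolute(manual_rule))
    print(check_periodic("periodic daily 1 10 to daily 23 10 rule-precedence 1"))
    print("expired on 2019-01-01:", expired(manual_rule, datetime(2019, 1, 1)))
```

Anything bound to an absolute range whose end has passed no longer matches, so `expired` is worth running over saved configurations during a rule review.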
4.1.48 ex3500-management-policy

The following table lists EX3500 management policy configuration mode commands:

Table 4.28 EX3500-Management-Policy Config Command

Command | Description | Reference
ex3500-management-policy | Creates an EX3500 management policy and enters its configuration mode | page 4-234
ex3500-management-policy config commands | Summarizes EX3500 management policy configuration mode commands | page 4-236
ex3500 | Creates an EX3500 time range list and enters its configuration mode | page 4-226
ex3500-qos-class-map-policy | Creates an EX3500 QoS class map policy and enters its configuration mode | page 4-254
ex3500-qos-policy-map | Creates an EX3500 QoS policy map and enters its configuration mode | page 4-262
ex3524 | Adds an EX3524 switch to the network | page 4-277
ex3548 | Adds an EX3548 switch to the network | page 4-279
4.1.48.1 ex3500-management-policy

Creates an EX3500 management policy and enters its configuration mode. Once configured and applied on an EX3500 switch, the management policy controls access to the switch from management stations using SNMP.

The EX3500 management policy is either applied:
• Individually on an adopted EX3500 series switch (in the device configuration mode), or
• To an EX3524 and/or EX3548 profile, which is then applied to an adopted EX3500 series switch.

EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-based management agent that provides both in-band and out-of-band management access. The EX3500 switch uses an embedded HTTP Web agent and CLI which, although different from those of the WiNG operating system, provide WiNG controllers with PoE and port management resources.

Going forward, NX9500 and NX7500 WiNG managed series service platforms and WiNG VMs can discover, adopt, and partially manage EX3500 series Ethernet switches without modifying the proprietary operating system running the EX3500 switches. The WiNG service platforms utilize standardized WiNG interfaces to push configuration files to the EX3500 switches, and maintain a translation layer, understood by the EX3500 switch, for statistics retrieval.

WiNG can partially manage an EX3500 without using DHCP option 193, provided the EX3500 is directly configured to specify the IPv4 addresses of potential WiNG adopters. To identify the potential WiNG adopter, in the EX3500’s device configuration mode specify the adopter’s IPv4 address using the controller > host > <IP-ADDRESS> command. WiNG service platforms leave the proprietary operating system running the EX3500 switches unmodified, and partially manage them utilizing standardized WiNG interfaces. WiNG service platforms use a translation layer to communicate with the EX3500.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
ex3500-management-policy <POLICY-NAME>

Parameters
• ex3500-management-policy <POLICY-NAME>

<POLICY-NAME>
Specify the EX3500 management policy name. If the policy does not exist, it is created.
Example
nx9500-6C8809(config)#ex3500-management-policy test
nx9500-6C8809(config-ex3500-management-policy-test)#?
EX3500_Management Mode commands:
  enable       Modifies enable password parameters
  http         Hyper Text Terminal Protocol (HTTP)
  memory       Memory utilization
  no           Negate a command or set its defaults
  process-cpu  Process-cpu utilization
  snmp-server  Enable SNMP server configuration
  ssh          Secure Shell server connections
  username     Login TACACS server port
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands
no | Removes this EX3500 management policy
4.1.48.2 ex3500-management-policy config commands

The following table summarizes EX3500 management policy configuration mode commands:

Table 4.29 EX3500-Management-Policy Config Mode Commands

Command | Description | Reference
enable | Configures an executive password for this EX3500 management policy | page 4-237
http | Configures the HTTP server settings used to authenticate HTTP connections to an EX3500 switch | page 4-239
memory | Configures the EX3500’s memory utilization rising (upper) and falling (lower) threshold values | page 4-240
process-cpu | Configures the EX3500’s CPU (processor) utilization rising (upper) and falling (lower) threshold values | page 4-241
snmp-server | Configures Simple Network Management Protocol (SNMP) server settings. Once configured and applied on an EX3500 switch, the management policy controls access to the switch from management stations using SNMP. | page 4-242
ssh | Configures the SSH server settings used to authenticate Secure Shell (SSH) connections to an EX3500 switch | page 4-249
username | Configures an EX3500 switch's user settings | page 4-251
no | Removes or reverts this EX3500 management policy's settings | page 4-252
4.1.48.2.1 enable

Configures an executive password for this EX3500 management policy

Each EX3500 management policy can have a unique executive password with its own privilege level assigned. Utilize these passwords as specific EX3500 management sessions require priority over others.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
enable password [0|7|level]
enable password [0|7] <PASSWORD>
enable password level <0-15> [0 <PASSWORD>|7 <PASSWORD>]

Parameters
• enable password [0|7] <PASSWORD>

enable password [0|7] <PASSWORD>
Creates a new executive password for this EX3500 management policy. The password could be in clear text or encrypted
• 0 – Configures a clear text password using ASCII characters (should be 1 - 32 characters long)
• 7 – Configures an encrypted password using HEX characters (should be 32 characters long)
• <PASSWORD> – Specify the password.

• enable password level <0-15> [0 <PASSWORD>|7 <PASSWORD>]

enable password level <0-15>
Creates a new executive password for this EX3500 management policy and sets its privilege level
• <0-15> – Specify the privilege level for this executive password from 0 - 15. Lower values have higher priority, to slot and prioritize executive passwords and EX3500 management sessions.

[0|7] <PASSWORD>
After setting the privilege level, configure the password, which could be in clear text or encrypted
• 0 – Configures a clear text password using ASCII characters (should be 1 - 32 characters long)
• 7 – Configures an encrypted password using HEX characters (should be 32 characters long)
• <PASSWORD> – Specify the password.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#enable password level 3 7 12345678901020304050607080929291
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 enable password level 3 7 12345678901020304050607080929291
 snmp-server notify-filter 1 remote 127.0.0.1
nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands
no | Removes an executive password from this EX3500 management policy
4.1.48.2.2 http

Configures the HTTP server settings used to authenticate HTTP connections to an EX3500 switch

Management access to an EX3500 switch can be enabled or disabled as required using separate interfaces and protocols (HTTP, SSH). Disabling unused and insecure interfaces and unused management services can dramatically reduce the attack footprint and free resources within an EX3500 management policy.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
http [port <1-65535>|secure-port <1-65535>|secure-server|server]

Parameters
• http [port <1-65535>|secure-port <1-65535>|secure-server|server]

http
Configures the following HTTP settings: port, secure-port, secure-server, and server

port <1-65535>
Configures the HTTP port number. This is the port used to connect to the HTTP server.
• <1-65535> – Specify a value from 1 - 65535. The default port is 80.

secure-port <1-65535>
Enables secure HTTP connection over a designated secure port. Ensure that the HTTP secure server is enabled before specifying the secure-server port.
• <1-65535> – Specify the secure HTTP server port from 1 - 65535. The default port is 443.

secure-server
Enables HTTP secure server. This option is disabled by default.

server
Enables HTTP server. This option is enabled by default. Consequently, HTTP management access is allowed by default.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#http secure-server
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 snmp-server notify-filter 1 remote 127.0.0.1
nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands
no | Reverts to default HTTP server settings (HTTP server enabled, HTTP port 80)
4.1.48.2.3 memory

Configures the EX3500’s memory utilization rising (upper) and falling (lower) threshold values. Once configured, the system sends a notification when the memory utilization exceeds the specified rising limit or falls below the specified falling limit.

By customizing an EX3500’s memory and CPU utilization’s upper and lower thresholds, you can avoid over utilization of the EX3500’s processor capacity when sharing network resources with an NX series service platform or a WiNG VM.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
memory [falling-threshold|rising-threshold] <1-100>

Parameters
• memory [falling-threshold|rising-threshold] <1-100>

memory
Configures the EX3500’s memory utilization rising and falling threshold values. The system generates a notification when either of these limits is exceeded.

falling-threshold <1-100>
Configures the falling threshold for the EX3500 memory utilization
• <1-100> – Specify the falling threshold as a percentage from 1 - 100. The default is 70%.

rising-threshold <1-100>
Configures the rising threshold for the EX3500’s memory utilization
• <1-100> – Specify the rising threshold as a percentage from 1 - 100. The default is 90%.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#memory falling-threshold 50
nx9500-6C8809(config-ex3500-management-policy-test)#memory rising-threshold 95
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 snmp-server notify-filter 1 remote 127.0.0.1
 memory falling-threshold 50
 memory rising-threshold 95
nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands
no | Reverts the memory utilization's falling-threshold and/or rising threshold to 70% and 90% respectively
4.1.48.2.4 process-cpu

Configures the EX3500’s CPU (processor) utilization rising (upper) and falling (lower) threshold values. Once configured, the system sends a notification when the CPU utilization exceeds the specified rising limit or falls below the specified falling limit.

By customizing an EX3500’s memory and CPU utilization’s upper and lower thresholds, you can avoid over utilization of the EX3500’s processor capacity when sharing network resources with an NX series service platform or a WiNG VM.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
process-cpu [falling-threshold|rising-threshold] <1-100>

Parameters
• process-cpu [falling-threshold|rising-threshold] <1-100>

process-cpu
Configures the EX3500’s CPU utilization rising and falling threshold values. The system generates a notification when either of these limits is exceeded.

falling-threshold <1-100>
Configures the falling threshold for the EX3500’s CPU utilization
• <1-100> – Specify the falling threshold as a percentage from 1 - 100. The default is 70%.

rising-threshold <1-100>
Configures the rising threshold for the EX3500’s CPU utilization
• <1-100> – Specify the rising threshold as a percentage from 1 - 100. The default is 90%.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#process-cpu falling-threshold 60
nx9500-6C8809(config-ex3500-management-policy-test)#process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 snmp-server notify-filter 1 remote 127.0.0.1
 memory falling-threshold 50
 memory rising-threshold 95
 process-cpu falling-threshold 60
 process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands
no | Reverts the CPU utilization's falling-threshold and/or rising threshold to 70% and 90% respectively
4.1.48.2.5 snmp-server

Configures Simple Network Management Protocol (SNMP) server settings. Once configured and applied on an EX3500 switch, the management policy controls access to the switch from management stations using SNMP.

SNMP is an application layer protocol that facilitates the exchange of management information between the management stations and a managed EX3500 switch. SNMP-enabled devices listen on port 162 (by default) for SNMP packets from the management server. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices. The read-only community string is used to gather statistics and configuration parameters from a supported wireless device. The read-write community string is used by a management server to set device parameters. SNMP is generally used to monitor a system's performance and other parameters.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
snmp-server {community|contact|enable|engine-id|group|host|location|notify-filter|user|view}
snmp-server {community <STRING> {ro|rw}}
snmp-server {contact <NAME>}
snmp-server {enable traps {authentication|link-up-down}}
snmp-server {engine-id [local <WORD>|remote <IP> <WORD>]}
snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]] {notify <WORD>|read <WORD>|write <WORD>}}
snmp-server {host <IP> [<STRING>|inform]}
snmp-server {host <IP> <STRING> version [v1|v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}
snmp-server {host <IP> inform [retry <0-255>|timeout <0-2147483647>] <STRING> version [v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}
snmp-server {location <WORD>}
snmp-server {notify-filter <WORD> remote <IP>}
snmp-server {user <USER-NAME> <GROUP-NAME> [remote-host|v1|v2c|v3]}
snmp-server {user <USER-NAME> <GROUP-NAME> remote-host <IP> v3 [auth|encrypted auth] [md5|sha] <WORD> {priv [3des|aes128|aes192|aes256|des56] <WORD>}}
snmp-server {user <USER-NAME> <GROUP-NAME> [v1|v2c|v3]}
snmp-server {view <VIEW-NAME> <OID-TREE-STRING> [excluded|included]}
Parameters
• snmp-server {community <STRING> {ro|rw}}

snmp-server community <STRING> {ro|rw}
Configures SNMP-server related settings
• community – Optional. Configures an SNMP community access string used to authorize management access by clients using SNMP v1, v2c, or v3
  • <STRING> – Specify the SNMP community access string (should not exceed 32 characters).
  After specifying the string, optionally specify the access type associated with it.
    • ro – Optional. Provides read-only access with this SNMP community string. Allows authorized clients to only retrieve Management Information Base (MIB) objects. This is the default setting.
    • rw – Optional. Provides read-write access with this SNMP community string. Allows authorized clients to retrieve as well as modify MIB objects.
You can configure a maximum of five (5) community strings per EX3500 management policy.

• snmp-server {contact <NAME>}

snmp-server contact <NAME>
Configures SNMP-server related settings
• contact – Optional. Configures the system’s contact information
  • <NAME> – Specify the contact person’s name (should not exceed 255 characters).

• snmp-server {enable traps {authentication|link-up-down}}

snmp-server enable traps {authentication|link-up-down}
Configures SNMP-server related settings
• enable traps – Optional. Enables the EX3500 switch to send the following SNMP traps or notifications:
  • authentication – Optional. Enables SNMP authentication trap. This option is disabled by default.
  • link-up-down – Optional. Enables SNMP link up and link down traps. This option is disabled by default.
If the command is executed without either of the above mentioned trap options, the system enables both authentication and link-up-down traps.
If enabling SNMP traps, use the snmp-server > host command to specify the host(s) receiving the SNMP notifications.

• snmp-server {engine-id [local <WORD>|remote <IP> <WORD>]}

snmp-server engine-id [local <WORD>|remote <IP> <WORD>]
Configures SNMP-server related settings
• engine-id – Optional. Configures an identification string for the SNMPv3 engine. The SNMP engine is an independent SNMP agent residing either on the logged switch or on a remote device. It prevents message replay, delay, and redirection. In SNMPv3, the engine ID in combination with user passwords generates the security keys that are used for SNMPv3 packet authentication and encryption.
  • local – Configures the SNMP engine on the logged switch
    • <WORD> – Specify the hexadecimal engine ID string identifying the SNMP engine (should be 9 - 64 characters in length).
  • remote <IP> <WORD> – Configures a remote device as the SNMP engine
    • <IP> – Specify the remote device’s IP address.
    • <WORD> – Specify the hexadecimal engine ID string identifying the SNMP engine (should be 9 - 64 characters in length).
  Configure the remote engine ID when using SNMPv3 informs. The remote ID configured here is used to generate the security digest for authentication and encryption of packets exchanged between the switch and the remote host user. SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.

• snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]] {notify <WORD>|read <WORD>|write <WORD>}}

snmp-server group <GROUP-NAME>
Configures SNMP-server related settings
• group – Optional. Configures an SNMP user group, mapping SNMP users to SNMP views
  • <GROUP-NAME> – Specify the SNMP group name (should not exceed 32 characters).

[v1|v2c|v3 [auth|noauth|priv]]
Configures the SNMP version used for authentication by this user group
• v1 – Configures the SNMP version as v1.
• v2c – Configures SNMP version as v2c
• v3 – Configures the SNMP version as v3. If using SNMP v3, specify the authentication and encryption levels.
  • auth – Uses SNMP v3 with authentication and no privacy
  • noauth – Uses SNMP v3 with no authentication and no privacy
  • priv – Uses SNMP v3 with authentication and privacy

notify <WORD>
Optional. Configures the notification view string
• <WORD> – Specify the string (should not exceed 32 characters).

read <WORD>
Optional. Configures the read view string
• <WORD> – Specify the string (should not exceed 32 characters).

write <WORD>
Optional. Configures the write view string
• <WORD> – Specify the string (should not exceed 32 characters).

• snmp-server {host <IP> <STRING> version [v1|v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}

snmp-server host <IP>
Configures SNMP-server related settings
• host – Optional. Configures the host(s) receiving the SNMP notifications. At least one SNMP server host should be configured in order to configure the switch to send notifications
  • <IP> – Specify the SNMP host’s IP address.
You can configure a maximum of five (5) SNMP trap recipients per EX3500 management policy.
Ensure that SNMP trap notification is enabled.
<STRING>
Configures the SNMP community string. You can configure the SNMP community string here, or else use the string configured using the snmp-server > community <STRING> > {ro|rw} command. It is recommended that you configure the SNMP community string prior to configuring the SNMP host.
• <STRING> – Specify the community string. The string configured here is sent in the SNMP traps to the SNMPv1 or SNMPv2c hosts.

version [v1|v2c|v3 [auth|noauth|priv]]
Configures the SNMP version used
• v1 – Configures the SNMP version as 1. This is the default setting.
• v2c – Configures SNMP version as 2c
• v3 – Configures the SNMP version as 3. If using SNMPv3, specify the authentication and encryption levels.
  • auth – Uses SNMP v3 with authentication and no privacy
  • noauth – Uses SNMP v3 with no authentication and no privacy
  • priv – Uses SNMP v3 with authentication and privacy

udp-port <1-65535>
Optional. After specifying the SNMP version, optionally specify the host UDP port
• <1-65535> – Specify the UDP port. The default is 162.

• snmp-server {host <IP> inform [retry <0-255>|timeout <0-2147483647>] <STRING> version [v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}

snmp-server host <IP>
Configures SNMP-server related settings
• host – Optional. Configures the host(s) receiving the SNMP notifications
  • <IP> – Specify the SNMP host’s IP address.
You can configure a maximum of five (5) SNMP trap recipients per EX3500 management policy.
Ensure that SNMP trap notification is enabled.

inform [retry <0-255>|timeout <0-2147483647>]
Enables sending of SNMP notifications as inform messages, and configures inform message settings.
• retry <0-255> – Configures the maximum number of attempts made to re-send an inform message in case the specified SNMP host does not acknowledge receipt.
  • <0-255> – Specify a value from 0 - 255. The default is 3.
• timeout <0-2147483647> – Configures the interval, in seconds, to wait for an acknowledgment from the SNMP host before re-sending an inform message
  • <0-2147483647> – Specify a value from 0 - 2147483647 seconds. The default is 1500 seconds.
Inform messages are more reliable than trap messages since they include a request for acknowledgement of receipt. Using inform messages to communicate critical information would be good practice. However, since inform messages are retained in the memory until a response is received, they consume more memory and may also result in traffic congestion. Take these facts into consideration when configuring the notification format.

<STRING>
Configures the SNMP community string. You can configure the SNMP community string here, or else use the string configured using the snmp-server > community <STRING> > {ro|rw} command. It is recommended that you configure the SNMP community string prior to configuring the SNMP host.
• <STRING> – Specify the community string. The string configured here is sent in the SNMP inform messages to the SNMPv2c or SNMPv3 hosts.
version [v2c|v3 [auth|noauth|priv]]
Configures the SNMP version used
• v2c – Configures the SNMP version as v2c
• v3 – Configures the SNMP version as v3. If using SNMP v3, specify the authentication and encryption levels.
  • auth – Uses SNMP v3 with authentication and no privacy
  • noauth – Uses SNMP v3 with no authentication and no privacy
  • priv – Uses SNMP v3 with authentication and privacy
SNMP inform messages are not supported on SNMP v1.

udp-port <1-65535>
Optional. After specifying the SNMP version, optionally specify the host UDP port
• <1-65535> – Specify the UDP port. The default is 162.

• snmp-server {location <WORD>}

snmp-server location <WORD>
Configures SNMP-server related settings
• location – Optional. Configures the EX3500’s location string
  • <WORD> – Specify the location (should not exceed 255 characters).

• snmp-server {notify-filter <WORD> remote <IP>}

snmp-server notify-filter <WORD>
Configures SNMP-server related settings
• notify-filter – Optional. Modifies the SNMP server’s notify filter
  • <WORD> – Specify the SNMP notify-filter name.

remote <IP>
Optional. Configures the remote host’s IP address
• <IP> – Specify the IP address in the A.B.C.D format.

• snmp-server {user <USER-NAME> <GROUP-NAME> remote <IP> v3 {auth|encrypted auth} [md5|sha] <WORD> {priv [3des|aes128|aes192|aes256|des56] <WORD>}}

snmp-server user <USER-NAME> <GROUP-NAME>
Configures SNMP-server related settings
• user – Optional. Configures the name of the SNMP user (connecting to the SNMP agent) and adds the user to an existing SNMP group. It also specifies the SNMP version type used. In case of SNMP version 3, this command also configures the remote host’s IP address and the authentication type used.
  • <USER-NAME> – Specify the user’s name (should not exceed 32 characters).
  • <GROUP-NAME> – Specify the SNMP group name to which this user is assigned.

remote <IP> v3
Configures the remote host on which the SNMPv3 engine is running
• <IP> – Specify the remote host’s IP address.
This option is available only for SNMPv3 engine.
After configuring the remote host, optionally configure the authentication type and the corresponding authentication password used.

{auth|encrypted auth} [md5|sha] <WORD> {priv [3des|aes128|aes192|aes256|des56] <WORD>}
Optional. Configures authentication and encryption settings
• auth – Specifies the authentication type used and configures the authentication password
• encrypted – Enables encryption. When enabled, all communications between the user and the SNMP engine are encrypted. After enabling encryption, specify the authentication type and configure the authentication password.
GLOBAL CONFIGURATION COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 247• snmp-server {user <USER-NAME> <GROUP-NAME> [v1|v2c|v3]}• snmp-server {view <VIEW-NAME> <OID-TREE-STRING> [excluded|included]}The following parameters are common to the ‘auth’ and ‘encrypted’ keywords:• md5 – Uses MD5 to authenticate the user• sha – Uses SHA to authenticate the userThe following parameter is common to the ‘md5’ and ‘sha’ keywords:• <WORD> – Specify the authentication password.If the ‘encrypted’ option is not being used, enter an 8 - 40 characters ASCII password. Whereas, in case of an encrypted password enter a HEX characters password of 32 characters.• priv – Optional. Uses SNMPv3 with privacy. Select one of the privacy options: des, aes128, aes192, aes256, des56• <WORD> – Configures the privacy password. If the ‘encrypted’ option is not beingused, enter an 8 - 40 characters long ASCII password. Whereas, the encrypted pass-word should be 32 HEX characters.snmp-server user <USER-NAME> <GROUP-NAME> [v1|v2c|v3]Configures SNMP-server related settings• user – Optional. Configures the name of the SNMP user (connecting to the SNMP agent) and adds the user to an existing SNMP group. It also specifies the SNMP version type used. In case of SNMPv3, this command also configures the authentication type used and the enables encryption.• <USER-NAME> – Specify the user’s name (should not exceed 32 characters).• <GROUP-NAME> – Specify the SNMP group name to which this user is assigned.• [v1|v2c|v3] – After specifying the group name, specify the SNMP versionused. The options are SNMP version v1, SNMP version 2c, and SNMP version3.If using SNMP version 3, optionally specify the authentication type and the corresponding authentication password used. Please see previous table for SNMPv3 authentication and encryption configuration details.snmp-server view <VIEW-NAME>Configures SNMP-server related settings• view – Optional. Creates an SNMP view. 
SNMP views are used to control user access to the MIB.• <VIEW-NAME> – Provide a name for this SNMP view (should not exceed 32 charac-ters).<OID-TREE-STRING> [excluded|included]Configures the object identifier (OID) of a branch within the MIB tree• excluded – Specifies an excluded view• included – Specifies an included view
Example
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server enable traps
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server host 1.2.3.4 inform retry 2 test version 3 auth udp-port 180
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server engine-id local 1234567890
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 snmp-server enable traps authentication
 snmp-server notify-filter 3 remote 1.2.3.4
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server notify-filter 2 remote 192.168.13.10
 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180
 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
 snmp-server engine-id local 1234567890
 memory falling-threshold 50
 memory rising-threshold 95
 process-cpu falling-threshold 60
 process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands
no
Removes SNMP server related settings or reverts them to default
4.1.48.2.6 ssh

Configures the SSH server settings used to authenticate Secure Shell (SSH) connections to an EX3500 switch

Management access to an EX3500 switch can be enabled/disabled as required using separate interfaces and protocols (HTTP, SSH). Disabling unused and insecure interfaces and unused management services can dramatically reduce an attack footprint and free resources within an EX3500 management policy.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
ssh [authentication-retries <1-5>|server|server-key size <512-1024>|timeout <1-120>]

Parameters
• ssh [authentication-retries <1-5>|server|server-key size <512-1024>|timeout <1-120>]

ssh
Enables SSH management access to an EX3500 switch. This option is disabled by default. Use this command to configure SSH access settings.

authentication-retries <1-5>
Configures the maximum number of retries made to connect to the SSH server resource
• <1-5> – Specify a value from 1 - 5. The default setting is 3.

server
Enables SSH server connection

server-key size <512-1024>
Configures the SSH server key size
• <512-1024> – Specify the SSH server key size from 512 - 1,024. The default length is 768.

timeout <1-120>
Configures the SSH server resource inactivity timeout value in seconds. When the specified time is exceeded, the SSH server resource becomes unreachable and must be re-authenticated.
• <1-120> – Specify a value from 1 - 120 seconds. The default is 120 seconds.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#ssh authentication-retries 4
nx9500-6C8809(config-ex3500-management-policy-test)#ssh timeout 90
nx9500-6C8809(config-ex3500-management-policy-test)#ssh server-key size 600
nx9500-6C8809(config-ex3500-management-policy-test)#ssh server
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 ssh server
 ssh authentication-retries 4
 ssh timeout 90
 ssh server-key size 600
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 snmp-server enable traps authentication
--More--
nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands
no
Disables SSH management access to an EX3500 switch
4.1.48.2.7 username

Configures EX3500 switch user settings

The EX3500 switch user details are stored in a local database on the NX9500, NX7500, or WiNG VM. You can configure multiple users, each having a unique name, access level, and password.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
username <USER-NAME> [access-level <0-15>|nopassword|password [0|7] <PASSWORD>]

Parameters
• username <USER-NAME> [access-level <0-15>|nopassword|password [0|7] <PASSWORD>]

username <USER-NAME>
Configures the TACACS server port username
• <USER-NAME> – Specify the user name (should not exceed 32 characters)

access-level <0-15>
Configures the access level for this user. This value determines the access priority of each user requesting access and interoperability with the EX3500 switch.
• <0-15> – Specify the access level from 0 - 15. The default is 0.

nopassword
Allows the user to log in without a password

password [0|7] <PASSWORD>
Configures the password for this user
• 0 – Configures a plain text password
• 7 – Configures an encrypted password (should be 32 characters in length)
• <PASSWORD> – Specify the password.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#username user1 access-level 5
nx9500-6C8809(config-ex3500-management-policy-test)#username user1 password 0 user1@1234
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 ssh server
 ssh authentication-retries 4
 ssh timeout 90
 ssh server-key size 600
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 username user1 access-level 5
 username user1 password 7 5c4786c1e52f913d38168ce89154a079
 snmp-server enable traps authentication
 snmp-server notify-filter 3 remote 1.2.3.4
 snmp-server notify-filter 1 remote 127.0.0.1
--More--
nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands
no
Removes this SNMP user's settings
4.1.48.2.8 no

Removes or reverts this EX3500 management policy's settings

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
no [enable|http|memory|process-cpu|snmp-server|ssh|username]
no enable password {level <0-15>}
no http [port|secure-port|secure-server|server]
no memory [falling-threshold|rising-threshold]
no process-cpu [falling-threshold|rising-threshold]
no snmp-server {community|contact|enable|engine-id|group|host|location|notify-filter|user|view}
no snmp-server {community <STRING>}
no snmp-server {contact}
no snmp-server {enable traps {authentication|link-up-down}}
no snmp-server {engine-id [local|remote <IP>]}
no snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]]}
no snmp-server {host <IP>}
no snmp-server {location}
no snmp-server {notify-filter <WORD> remote <IP>}
no snmp-server {user <USER-NAME> [v1|v2c|v3]}
no snmp-server {user <USER-NAME> <GROUP-NAME> remote-host <IP> v3}
no snmp-server {view <VIEW-NAME> {<OID-TREE-STRING>}}
no ssh [authentication-retries|server|server-key size <512-1024>|timeout]
no username

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes this EX3500 management policy's settings based on the parameters passed
Example
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 ssh server
 ssh authentication-retries 4
 ssh timeout 90
 ssh server-key size 600
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 username user1 access-level 5
 username user1 password 7 5c4786c1e52f913d38168ce89154a079
 snmp-server enable traps authentication
 snmp-server notify-filter 3 remote 1.2.3.4
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server notify-filter 2 remote 192.168.13.10
 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180
 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
 snmp-server engine-id local 1234567890
 memory falling-threshold 50
 memory rising-threshold 95
 process-cpu falling-threshold 60
 process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#

nx9500-6C8809(config-ex3500-management-policy-test)#no http secure-server
nx9500-6C8809(config-ex3500-management-policy-test)#no memory falling-threshold
nx9500-6C8809(config-ex3500-management-policy-test)#no process-cpu rising-threshold
nx9500-6C8809(config-ex3500-management-policy-test)#no snmp-server notify-filter 3 remote 1.2.3.4
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 ssh server
 ssh authentication-retries 4
 ssh timeout 90
 ssh server-key size 600
 enable password level 3 7 12345678901020304050607080929291
 username user1 access-level 5
 username user1 password 7 5c4786c1e52f913d38168ce89154a079
 snmp-server enable traps authentication
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server notify-filter 2 remote 192.168.13.10
 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180
 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
 snmp-server engine-id local 1234567890
 memory rising-threshold 95
 process-cpu falling-threshold 60
nx9500-6C8809(config-ex3500-management-policy-test)#
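The management policy sections above state that disabling unused and insecure management interfaces reduces the attack footprint. The following added example (not part of the WiNG guide and not Extreme Networks code) lints 'show context' text for the weaker choices those commands allow. The rule names, the audit() function and the sample input are constructed for illustration, and treating 'http server' as the non-TLS listener is an assumption.

```python
"""Lint an EX3500 management policy, as printed by 'show context', for weak settings."""
import re

# Constructed sample in the layout of the 'show context' output above
# (addresses, names and secrets are made up for this example).
SAMPLE_CONTEXT = """\
ex3500-management-policy test
 ssh server
 ssh server-key size 600
 http server
 http secure-server
 enable password level 3 7 0123456789abcdef0123456789abcdef
 username user1 access-level 5
 username user1 password 0 Example-Passw0rd
 username guest nopassword
 snmp-server group ops v3 noauth
 snmp-server user mon ops remote 192.0.2.10 v3 auth md5 examplepass priv des56 examplepass
 snmp-server host 192.0.2.20 examplecommunity version 1 udp-port 162
 snmp-server host 192.0.2.21 inform retry 2 test version 3 auth udp-port 162
"""

# (rule id, pattern for the whole stripped line, optional extra test, finding text)
RULES = [
    ("SSH-KEY-SIZE", r"ssh server-key size (\d+)", lambda m: int(m[1]) < 1024,
     "SSH server key below 1024 bits, the largest size this command accepts"),
    ("HTTP-CLEARTEXT", r"http server", None,
     "'http server' enabled (assumed here to be the non-TLS listener)"),
    ("USER-NO-PASSWORD", r"username \S+ nopassword", None,
     "user can log in without a password"),
    ("USER-PLAINTEXT-PW", r"username \S+ password 0 .+", None,
     "password present as type 0 (plain text)"),
    ("SNMP-V1-V2C",
     r"snmp-server (?:host|group|user) .*\b(?:version (?:1|2c)|v1|v2c)\b.*", None,
     "SNMP v1/v2c: the community string is the only credential and is sent in clear text"),
    ("SNMP-V3-NOAUTH",
     r"snmp-server (?:host|group) .*\b(?:version 3|v3) noauth\b.*", None,
     "SNMPv3 with no authentication and no privacy"),
    ("SNMP-V3-NO-PRIVACY",
     r"snmp-server (?:host|group) .*\b(?:version 3|v3) auth\b.*", None,
     "SNMPv3 with authentication but no privacy"),
    ("SNMP-V3-NO-PRIVACY", r"snmp-server user .* v3\b(.*)",
     lambda m: " priv " not in m[1],
     "SNMPv3 user without a privacy password"),
    ("SNMP-WEAK-ALGO", r"snmp-server user .*\b(?:md5|des56)\b.*", None,
     "SNMPv3 user relies on MD5 and/or single DES"),
]
COMPILED = [(rid, re.compile(pat), test, text) for rid, pat, test, text in RULES]


def audit(context_text):
    """Return [(line_number, rule_id, finding_text, line)] for every rule a line trips."""
    findings = []
    for number, raw in enumerate(context_text.splitlines(), start=1):
        line = raw.strip()
        for rid, pattern, test, text in COMPILED:
            match = pattern.fullmatch(line)
            if match and (test is None or test(match)):
                findings.append((number, rid, text, line))
    return findings


if __name__ == "__main__":
    for number, rid, text, line in audit(SAMPLE_CONTEXT):
        print(f"line {number:>2}  {rid:<18} {text}\n          {line}")
```

Run against the policy shown in the examples above, the same rules would report the 600-bit SSH server key, the SNMP version 1 host and the SNMP version 3 host configured with auth rather than priv.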
4.1.49 ex3500-qos-class-map-policy

The following table lists EX3500 QoS class map policy configuration mode commands:

Table 4.30 EX3500-QoS-Class-Map Config Command

Command | Description | Reference
ex3500-qos-class-map-policy | Creates an EX3500 QoS class map policy and enters its configuration mode | page 4-255
ex3500-qos-class-map-policy config commands | Summarizes EX3500 QoS class map policy configuration mode commands | page 4-256
ex3500-qos-policy-map | Creates an EX3500 QoS policy map and enters its configuration mode | page 4-262
ex3500 | Creates an EX3500 time range list and enters its configuration mode | page 4-226
ex3500-management-policy | Creates an EX3500 management policy and enters its configuration mode | page 4-233
ex3524 | Adds an EX3524 switch to the network | page 4-277
ex3548 | Adds an EX3548 switch to the network | page 4-279
4.1.49.1 ex3500-qos-class-map-policy

Creates an EX3500 Quality of Service (QoS) class map policy and enters its configuration mode

A QoS class map policy contains a set of Differentiated Services (DiffServ) classification criteria that are used to classify incoming traffic into different categories and provide differentiated service based on this classification. Each policy defines a set of match criteria rules that use objects, such as access lists, IP precedence or DSCP values, and VLANs. When configured and applied, the policy classifies traffic based on layer 2, layer 3, or layer 4 information contained in each incoming packet.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
ex3500-qos-class-map-policy <POLICY-NAME>

Parameters
• ex3500-qos-class-map-policy <POLICY-NAME>

<POLICY-NAME>
Specify the EX3500 QoS class map policy name. If the policy does not exist, it is created.

Example
nx9500-6C8809(config)#ex3500-qos-class-map-policy dscp
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#?
EX3500_Qos_class_map Mode commands:
  description  Class-map description
  match        Defines the match criteria to classify traffic
  no           Negate a command or set its defaults
  rename       Redefines the name of class-map
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

Related Commands
no
Removes an existing EX3500 QoS class map policy
4.1.49.2 ex3500-qos-class-map-policy config commands

The following table summarizes EX3500 QoS class map policy configuration mode commands:

Table 4.31 EX3500-Management-Policy Commands

Command | Description | Reference
description | Configures a description for this EX3500 QoS class map policy | page 4-257
match | Configures match criteria rules used to classify traffic | page 4-258
rename | Renames an existing EX3500 QoS class map object | page 4-260
no | Removes this EX3500 QoS class map policy’s description and match criteria | page 4-261
4.1.49.2.1 description

Configures this EX3500 QoS class map policy’s description

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
description <LINE>

Parameters
• description <LINE>

description <LINE>
Configures this EX3500 QoS class map policy’s description
• <LINE> – Enter a description that allows you to differentiate it from other policies with similar configuration (should not exceed 64 characters)

Example
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#description "Matches packets marked for DSCP service 3"
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy dscp
 description "Matches packets marked for DSCP service 3"
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

Related Commands
no
Removes this EX3500 QoS class map policy’s description
4.1.49.2.2 match

Configures match criteria rules used to classify traffic

Access lists, IP precedence, DSCP values, or VLANs are commonly used to classify traffic. Access lists select traffic based on layer 2, layer 3, or layer 4 information contained in each packet.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl] <ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-4094>]

Parameters
• match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl] <ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-4094>]

match
Configures the match criteria. The options are: access-list, cos, ip, ipv6, vlan
Incoming packets matching the specified criteria are included in this QoS class map.

access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl] <ACL-NAME>
Uses access lists to provide the match criteria. You can use any one of the following ACL types to classify traffic:
• ex3500-ext-access-list – Uses an IPv4 EX3500 extended ACL
• ex3500-std-access-list – Uses an IPv4 EX3500 standard ACL
• mac-acl – Uses a MAC EX3500 ACL
The following keyword is common to all of the above ACL types:
• <ACL-NAME> – Specify the ACL name (should be existing and configured).

cos <0-7>
Configures the class of service (CoS) value used to apply user priority. CoS is a form of QoS applicable only to layer 2 Ethernet frames. It uses 3 bits (8 values) of the 802.1Q tag to differentiate and shape network traffic.
• <0-7> – Specify the CoS value from 0 - 7.
Following are the 8 traffic classes based on the CoS value:
000 (0) - Routine
001 (1) - Priority
010 (2) - Immediate
011 (3) - Flash
100 (4) - Flash Override
101 (5) - Critical
110 (6) - Internetwork Control
111 (7) - Network Control

ip [dscp <0-63>|precedence <0-7>]
Configures the IPv4 DSCP value to match and/or the IP precedence value to match.
• <0-63> – Specify the DSCP value from 0 - 63. Use this option to specify the type of service (ToS) field values included in the IP header. The ToS field exists between the header length and the total length fields. The DSCP constitutes the first 6 bits of the ToS field.
• precedence <0-7> – Configures the IP precedence to match. Following are the 8 traffic classes based on the IP precedence values:
000 (0) - Routine
001 (1) - Priority
010 (2) - Immediate
011 (3) - Flash
100 (4) - Flash Override
101 (5) - Critical
110 (6) - Internetwork Control
111 (7) - Network Control

ipv6 dscp <0-63>
Configures the IPv6 DSCP value to match
• <0-63> – Specify the DSCP value from 0 - 63.

vlan <1-4094>
Configures the VLAN to match
• <1-4094> – Specify the VLAN ID.

Usage Guidelines
When configuring match entries, take into consideration the following points:
• Deny rules included in an ACL (associated with an EX3500 QoS class map policy) are ignored whenever an incoming packet matches the ACL.
• A class map policy cannot include both an IP ACL or IP precedence rule and a VLAN rule.
• A class map policy containing a MAC ACL or VLAN rule cannot include either an IP ACL or an IP precedence rule.
• A class map policy can include a maximum of 16 match entries.

Example
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#match ip dscp 3
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy dscp
 description "Matches packets marked for DSCP service 3"
 match ip dscp 3
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

nx9500-6C8809(config-ex3500-qos-class-map-policy-test2)#match ip precedence 1

Related Commands
no
Removes match criteria rules configured for this EX3500 QoS class map policy
4.1.49.2.3 rename

Renames an existing EX3500 QoS class map policy

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
rename <EX3500-QOS-CLASS-MAP-POLICY-NAME> <NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME>

Parameters
• rename <EX3500-QOS-CLASS-MAP-POLICY-NAME> <NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME>

rename <EX3500-QOS-CLASS-MAP-POLICY-NAME> <NEW-EX3500-QOS-CLASS-MAP-NAME>
Renames an existing EX3500 QoS class map
• <EX3500-QOS-CLASS-MAP-POLICY-NAME> – Enter the EX3500 QoS class map’s current name.
• <NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME> – Enter the new name.

Example
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename [TAB]
dscp   test   test2
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename test2 IP_Precedence
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename [TAB]
dscp   IP_Precedence   test
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
4.1.49.2.4 no

Removes this EX3500 QoS class map policy’s description and match criteria

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
no [description|match]
no description
no match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl] <ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-4094>]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes the EX3500 QoS class map policy’s settings based on the parameters passed

Example
The following example shows the EX3500 QoS class map policy ‘test’ settings before the ‘no’ commands are executed:
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy dscp
 description "Matches packets marked for DSCP service 3"
 match ip dscp 3
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#no description
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#no match ip dscp

The following example shows the EX3500 QoS class map policy ‘test’ settings after the ‘no’ commands are executed:
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy test
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
4.1.50 ex3500-qos-policy-map

The following table lists EX3500 QoS policy map configuration mode commands:

Table 4.32 EX3500-QoS-Policy-Map Config Command

Command | Description | Reference
ex3500-qos-policy-map | Creates an EX3500 policy map and enters its configuration mode | page 4-263
ex3500-qos-policy-map config commands | Summarizes EX3500 QoS policy map configuration mode commands | page 4-264
4.1.50.1 ex3500-qos-policy-map

Creates an EX3500 policy map and enters its configuration mode

An EX3500 policy map contains one or more EX3500 QoS class map traffic classifications (existing and configured) and can be attached to multiple interfaces. Create an EX3500 policy map, and then use the class parameter to configure policies for traffic that matches the criteria defined in the EX3500 QoS class map policy. For more information, see match.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
ex3500-qos-policy-map <EX3500-QOS-POLICY-MAP-NAME>

Parameters
• ex3500-qos-policy-map <EX3500-QOS-POLICY-MAP-NAME>

<EX3500-QOS-POLICY-MAP-NAME>
Specify the EX3500 policy map’s name

Example
nx9500-6C8809(config)#ex3500-qos-policy-map testPolicyMap
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#?
EX3500_Qos_policy_map Mode commands:
  class        Defines a traffic classification for the policy
  description  Policy-map description
  no           Negate a command or set its defaults
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#

Related Commands
no
Removes an existing EX3500 QoS policy map
4.1.50.2 ex3500-qos-policy-map config commands

The following table summarizes EX3500 QoS policy map configuration mode commands:

Table 4.33 EX3500-QoS-Policy-Map Commands

Command | Description | Reference
class | Creates a policy map class and enters its configuration mode | page 4-265
description | Configures this EX3500 QoS policy map's description | page 4-275
no | Removes this EX3500 QoS policy map's settings. Use this keyword to remove or modify the description and to remove the QoS traffic classification created. | page 4-276
4.1.50.2.1 class

Creates a policy map class and enters its configuration mode. The policy map class is a traffic classification upon which a policy can act.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
class <EX3500-QoS-CLASS-MAP-POLICY-NAME>

Parameters
• class <EX3500-QoS-CLASS-MAP-POLICY-NAME>

<EX3500-QoS-CLASS-MAP-POLICY-NAME>
Specify the EX3500 QoS class map policy’s name (should be existing and configured)

Example
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#class dscp
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#?
commands:
  no       Negate a command or set its defaults
  police   Defines a policer for classified traffic
  set      Classify IP traffic
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#

Related Commands
no
Removes this policy map class association

ex3500-qos-policy-map
EX3500 QoS policy map configuration mode commands
4.1.50.2.2 ex3500-qos-policy-map-class-config commands

The following table summarizes the policy map class configuration mode commands:

Table 4.34 EX3500-Policy-Map-Class Config Command

Command | Description | Reference
police | Configures an enforcer for classified traffic | page 4-267
set | Sets class of service (CoS) value, per-hop behavior (PHB) value, and IP DSCP value in matching packets | page 4-272
no | Removes this traffic classification’s settings | page 4-274
GLOBAL CONFIGURATION COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 2674.1.50.2.3 policeex3500-qos-policy-map-class-config commandsConfigures an enforcer for classified trafficSupported in the following platforms:• Service Platforms — NX7500, NX9500Syntaxpolice [flow|srtcm-color-aware|srtcm-color-blind|trtcm-color-aware|trtcm-color-blind]police flow <0-1000000> <0-16000000> conform-action transmit violate-action [<0-63>|drop]police [srtcm-color-aware|srtcm-color-blind] <0-1000000> <0-16000000> <0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-63>|drop]police [trtcm-color-aware|trtcm-color-blind] <0-1000000> <0-16000000> <0-1000000> <0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-63>|drop]Parameters• police flow <0-1000000> <0-16000000> conform-action transmit violate-action [<0-63>|drop]police Configures an enforcer for classified trafficflow <0-1000000> <0-16000000>Configures an enforcer for classified traffic based on the metered flow rate• <0-1000000> – Configures the committed information rate (CIR) from 0 -1000000 kilobits per second.• <0-16000000> – Configures the committed burst size (BC) from 0 - 16000000bytes.Policing is based on a token bucket, where bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate tokens are added to the bucket is specified by the committed-rate option. Note that the token bucket functions similar to that described in RFC 2697 and RFC 2698.The behavior of the meter is specified in terms of one token bucket (C), the rate at which the tokens are incremented CIR and the maximum size of the token bucket BC.The token bucket C is initially full, that is, the token count Tc(0) = BC. 
Thereafter, the token count Tc is updated CIR times per second as follows:• If Tc is less than BC, Tc is incremented by one, else• Tc is not incremented.When a packet of size B bytes arrives at time t, the following happens:• If Tc(t)-B > OR = 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else• The packet is red and Tc is not decremented.
GLOBAL CONFIGURATION COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide  4 - 268• police [srtcm-color-aware|srtcm-color-blind] <0-1000000> <0-16000000> <0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-63>|drop]conform-action transmitConfigures the action applied when packets fall within the specified CIR and BC limits• transmit – Transmits packets falling within the specified CIR and BC limits. This is subject to there being enough tokens to service the packet, in which case the packet is set green.violate-action [<0-63>|drop]Configures the action applied when packets violate the specified CIR and BC limits• <0-63> – Applies a new DSCP value. Select the DSCP value from 0 - 63.• drops – Drops packets violating the specified CIR and BC limitspolice Configures an enforcer for classified traffic[srtcm-color-aware|srtcm-color-blind] <0-1000000> <0-16000000> <0-16000000>Configures an enforcer for classified traffic based on single rate three color meter (srTCM) mode. The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE).• srtcm-color-blind - Single rate three color meter in color-blind mode• srtcm-color-aware - Single rate three color meter in color-aware modeThe meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. 
The color is coded in the DSfield [RFC 2474] of the packet.• <0-1000000> – Configures the CIR from 0 -1000000 kilobits per second.• <0-16000000> – Configures the BC from 0 - 1600000 bytes.• <0-16000000> – Configures the BE from 0 - 1600000 bytes.The behavior of the meter is specified in terms of its mode and two token buckets, C and E, which both share the common rate CIR. The maximum size of the token bucket C is BC and the maximum size of the token bucket E is BE.The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows:• If Tc is less than BC, Tc is incremented by one, else• If Te is less then BE, Te is incremented by one, else• neither Tc nor Te is incremented.When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-blind mode:• If Tc(t)-B > OR = 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else• if Te(t)-B > OR = 0, the packets is yellow and Te is decremented by B down to the minimum value of 0,• else the packet is red and neither Tc nor Te is decremented.Contd..
When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-aware mode:
• If the packet has been pre-colored as green and Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else
• If the packet has been pre-colored as yellow or green and if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else
• the packet is red and neither Tc nor Te is decremented.
The metering policy guarantees a deterministic behavior where the volume of green packets is never smaller than what has been determined by the CIR and BC, that is, tokens of a given color are always spent on packets of that color. Refer to RFC 2697 for more information on other aspects of srTCM.

conform-action transmit
Configures the action applied when packet rates fall within the specified CIR and BC limits
• transmit – Transmits packets falling within the specified CIR and BC limits

exceed-action [<0-63>|drop]
Configures the action applied when packet rates exceed the specified CIR and BC limits
• <0-63> – Applies a new DSCP value. Select the DSCP value from 0 - 63.
• drop – Drops packets exceeding the specified CIR and BC limits

violate-action [<0-63>|drop]
Configures the action applied when packet rates exceed the specified BE limit
• <0-63> – Applies a new DSCP value. Select the DSCP value from 0 - 63.
• drop – Drops packets exceeding the specified BE limit

• police [trtcm-color-aware|trtcm-color-blind] <0-1000000> <0-16000000> <0-1000000> <0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-63>|drop]

police
Configures an enforcer for classified traffic

[trtcm-color-aware|trtcm-color-blind] <0-1000000> <0-16000000> <0-1000000> <0-16000000>
Configures an enforcer for classified traffic based on a two rate three color meter (trTCM) mode. The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates – Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes - Committed Burst Size (BC) and Peak Burst Size (BP).
• trtcm-color-blind - Two rate three color meter in color-blind mode
• trtcm-color-aware - Two rate three color meter in color-aware mode
• <0-1000000> – Configures the CIR from 0 - 1000000 kilobits per second
• <0-16000000> – Configures the BC from 0 - 1600000 bytes.
• <0-1000000> – Configures the PIR from 0 - 1000000 kilobits per second
• <0-16000000> – Configures the BP from 0 - 1600000 bytes
The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
The behavior of the meter is specified in terms of its mode and two token buckets, P and C, which are based on the rates PIR and CIR, respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC.
The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC. Thereafter, the token count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC.
When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode:
• If Tp(t)-B < 0, the packet is red, else
• if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else
• The packet is green and both Tp and Tc are decremented by B.
When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-aware mode:
• If the packet has been pre-colored as red or if Tp(t)-B < 0, the packet is red, else
• if the packet has been pre-colored as yellow or if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else
• the packet is green and both Tp and Tc are decremented by B.
The trTCM can be used to mark an IP packet stream in a service, where different, decreasing levels of assurances (either absolute or relative) are given to packets which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM.

conform-action transmit
Configures the action applied when packet rates fall within the specified CIR and BP limits
• transmit – Transmits packets falling within the specified CIR and BC limits

exceed-action [<0-63>|drop]
Configures the action applied when packet rates exceed the specified CIR limit, but are within the specified PIR limit
• <0-63> – Applies a new DSCP value. Select the DSCP value from 0 - 63.
• drop – Drops packets exceeding the specified CIR and BC limit

violate-action [<0-63>|drop]
Configures the action applied when packet rates exceed the specified PIR limit
• <0-63> – Applies a new DSCP value. Select the DSCP value from 0 - 63.
• drop – Drops packets exceeding the specified BE limit

Usage Guidelines
When configuring the traffic class enforcer parameters, take into consideration the following factors:
• You can configure up to 200 enforcers/policers (i.e., class maps) for ingress ports.
• The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes.
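The srTCM and trTCM token-bucket rules described above, written out as an added Python example (not code from this guide or from WiNG). It shows which packets of a burst are transmitted, remarked or dropped, and how color-aware mode defers to upstream marking. Assumptions: one token is one byte, 1 kilobit is 1000 bits, time is passed in explicitly, and the class and function names are hypothetical.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"


def kbps_to_bytes_per_sec(kbps):
    # Assumption: one token is one byte and 1 kilobit = 1000 bits.
    return kbps * 1000 / 8


class SrTCM:
    """Single rate meter: buckets C (size BC) and E (size BE) share the rate CIR."""

    def __init__(self, cir_kbps, bc, be, color_aware=False):
        self.rate = kbps_to_bytes_per_sec(cir_kbps)
        self.bc, self.be = bc, be
        self.tc, self.te = float(bc), float(be)  # both buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def _refill(self, now):
        tokens = max(0.0, now - self.last) * self.rate
        self.last = now
        to_c = min(tokens, self.bc - self.tc)            # C is topped up first
        self.tc += to_c
        self.te = min(self.be, self.te + tokens - to_c)  # the remainder goes to E

    def meter(self, size, now, pre_color=GREEN):
        self._refill(now)
        if not self.color_aware:
            pre_color = GREEN  # color-blind: the stream is treated as uncolored
        if pre_color == GREEN and self.tc - size >= 0:
            self.tc -= size
            return GREEN
        if pre_color in (GREEN, YELLOW) and self.te - size >= 0:
            self.te -= size
            return YELLOW
        return RED


class TrTCM:
    """Two rate meter: bucket P (size BP) fills at PIR, bucket C (size BC) at CIR."""

    def __init__(self, cir_kbps, bc, pir_kbps, bp, color_aware=False):
        self.cir = kbps_to_bytes_per_sec(cir_kbps)
        self.pir = kbps_to_bytes_per_sec(pir_kbps)
        self.bc, self.bp = bc, bp
        self.tc, self.tp = float(bc), float(bp)
        self.color_aware = color_aware
        self.last = 0.0

    def meter(self, size, now, pre_color=GREEN):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tp = min(self.bp, self.tp + elapsed * self.pir)
        self.tc = min(self.bc, self.tc + elapsed * self.cir)
        if not self.color_aware:
            pre_color = GREEN
        if pre_color == RED or self.tp - size < 0:
            return RED
        if pre_color == YELLOW or self.tc - size < 0:
            self.tp -= size
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def police(meter, packets, exceed_action, violate_action):
    """packets: (time_s, size_bytes, dscp, pre_color) tuples.
    Returns (color, dscp_out) per packet; dscp_out is None for a dropped packet."""
    out = []
    for now, size, dscp, pre_color in packets:
        color = meter.meter(size, now, pre_color)
        if color == GREEN:
            out.append((color, dscp))  # conform-action transmit
        else:
            action = exceed_action if color == YELLOW else violate_action
            out.append((color, None if action == "drop" else action))
    return out


def page_example():
    # police trtcm-color-blind 100000 4000 1000000 6000
    #   conform-action transmit exceed-action 0 violate-action drop
    meter = TrTCM(100000, 4000, 1000000, 6000)
    # Constructed input: five back-to-back 1500-byte packets carrying DSCP 46.
    burst = [(0.0, 1500, 46, GREEN)] * 5
    return police(meter, burst, exceed_action=0, violate_action="drop")
```

With these burst sizes only two full-size frames of a burst pass unmarked, the next two are remarked to DSCP 0, and the fifth is dropped. In color-aware mode a packet that arrives pre-colored red stays red even when both buckets are full, so the result depends on how far the upstream marker is trusted.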
Example
The following example uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 Kbps, the peak burst size to 6000, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate.

nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
 class dscp
  police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#

Related Commands
no
Removes the traffic enforcer settings
4.1.50.2.4 set
ex3500-qos-policy-map-class-config commands

Sets class of service (CoS) value, per-hop behavior (PHB) value, and IP DSCP value in matching packets

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
set [cos <0-7>|ip dscp <0-63>|phb <0-7>]

Parameters
• set [cos <0-7>|ip dscp <0-63>|phb <0-7>]

set
Sets the match criteria used to identify and classify traffic into different classes. The match criteria options are: CoS, IP DSCP, and PHB values.

cos <0-7>
Configures the CoS value for a matching packet (as specified by the match command) in the packet’s VLAN tag
• <0-7> – Specify a value from 0 - 7. The CoS is modified to the value specified here.

ip dscp <0-63>
Modifies the IP DSCP value in a matching packet (as specified by the match command)
• <0-63> – Specify a value from 0 - 63. The DSCP value is modified to the value specified here.

phb <0-7>
Configures a PHB value for matching packets
• <0-7> – Specify a value from 0 - 7.
The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked green, yellow, or red as per the following:
• green if it does not exceed the CIR and BC limits
• yellow if it exceeds the CIR and BC limits, but not the BE limit, and
• red otherwise.

Example
The following example uses the set > phb command to classify the service that incoming packets will receive, and then uses the police > trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 Kbps, the peak burst size to 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate.

nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#set phb 3
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#police trtcm-color-blind 100000 4000 1000000 6000 conform-action transmit exceed-action 0 violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#show context
 class test2
  set phb 3
  police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#
The following example uses the set > ip dscp command to classify the service that incoming packets will receive, and then uses the police > flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets:

nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#set ip dscp 3
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#police flow 100000 4000 conform-action transmit violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
 class dscp
  set ip dscp 3
  police flow 100000 4000 conform-action transmit violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#

Related Commands
no
Removes CoS value, PHB value, or IP DSCP value from this traffic class
4.1.50.2.5 no
ex3500-qos-policy-map-class-config commands

Removes this traffic classification’s settings

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
no [police|set]
no police [flow|srtcm-color-aware|srtcm-color-blind|trtcm-color-aware|trtcm-color-blind]
no set [cos|ip dscp|phb]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes this traffic class settings based on the parameters passed

Example
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
 class dscp
  set ip dscp 3
  police flow 100000 4000 conform-action transmit violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#no set ip dscp
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#no police flow
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
 class dscp
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
4.1.50.2.6 description
ex3500-qos-policy-map config commands

Configures this EX3500 QoS policy map's description

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
description <LINE>

Parameters
• description <LINE>

description <LINE>
Configures this EX3500 QoS policy map's description
• <LINE> – Enter a description that allows you to differentiate it from other policies with similar configuration (should not exceed 64 characters)

Example
nx9500-6C8809(config-ex3500-qos-policy-map-test)#description "This is a test EX3500 QoS Policy Map"
nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context
ex3500-qos-policy-map test
 description "This is a test EX3500 QoS Policy Map"
 class test
nx9500-6C8809(config-ex3500-qos-policy-map-test)#

Related Commands
no
Removes this EX3500 QoS policy map's description
4.1.50.2.7 no
ex3500-qos-policy-map config commands

Removes this EX3500 QoS policy map's settings. Use this keyword to remove the description and to remove the QoS traffic classification created.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
no [class <EX3500-QoS-POLICY-MAP-NAME>|description]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes this EX3500 QoS policy map's settings based on the parameters passed

Example
The following example shows the EX3500 QoS policy map ‘test’ settings before the ‘no’ commands are executed:

nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context
ex3500-qos-policy-map test
 description "This is a test EX3500 QoS Policy Map"
 class test
nx9500-6C8809(config-ex3500-qos-policy-map-test)#
nx9500-6C8809(config-ex3500-qos-policy-map-test)#no description
nx9500-6C8809(config-ex3500-qos-policy-map-test)#no class test

The following example shows the EX3500 QoS policy map ‘test’ settings after the ‘no’ commands are executed:

nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context
ex3500-qos-policy-map test
nx9500-6C8809(config-ex3500-qos-policy-map-test)#
4.1.51 ex3524
Global Configuration Commands

Adds an EX3524 switch to the network

The EX3500 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T ports, and four Small Form Factor Pluggable (SFP) transceiver slots for fiber connectivity.

To enable layer 3 adoption of the logged EX3524 switch to a NOC controller, navigate to the EX3524 switch’s device configuration mode and execute the following command: controller > host > <IP/HOSTNAME>.

EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-based management agent that provides both in-band and out-of-band management access. The EX3500 switch utilizes an embedded HTTP Web agent and CLI, which, in spite of being different from that of the WiNG operating system, provides WiNG controllers PoE and port management resources.

Going forward, NX9500 and NX7500 WiNG managed series service platforms and WiNG VMs can discover, adopt, and partially manage EX3500 series Ethernet switches without modifying the proprietary operating system running the EX3500 switches. The WiNG service platforms utilize standardized WiNG interfaces to push configuration files to the EX3500 switches, and maintain a translation layer, understood by the EX3500 switch, for statistics retrieval.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
ex3524 <DEVICE-EX3524-MAC>

Parameters
• ex3524 <DEVICE-EX3524-MAC>

<DEVICE-EX3524-MAC>
Specifies the MAC address of an EX3524 switch

Example
nx9500-6C8809(config)#ex3524 A1-C4-33-6D-66-07
nx9500-6C8809(config-device-A1-C4-33-6D-66-07)#?
EX35xx Device Mode commands:
  hostname         Set system's network name
  interface        Select an interface to configure
  ip               Internet Protocol (IP)
  no               Negate a command or set its defaults
  power            EX3500 Power over Ethernet Command
  remove-override  Remove configuration item override from the device (so
                   profile value takes effect)
  upgrade          Configures upgrade option for ex3500 system
  use              Set setting to use

  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal

nx9500-6C8809(config-device-A1-C4-33-6D-66-07)#

Related Commands
no
Removes an EX3524 switch from the network
4.1.52 ex3548
Global Configuration Commands

Adds an EX3548 switch to the network

The EX3500 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax
ex3548 <DEVICE-EX3548-MAC>

Parameters
• ex3548 <DEVICE-EX3548-MAC>

<DEVICE-EX3548-MAC>
Specifies the MAC address of an EX3548 switch

Example
nx9500-6C8809(config)#ex3548 22-65-78-09-12-35
nx9500-6C8809(config-device-22-65-78-09-12-35)#?
EX35xx Device Mode commands:
  hostname         Set system's network name
  interface        Select an interface to configure
  ip               Internet Protocol (IP)
  no               Negate a command or set its defaults
  power            EX3500 Power over Ethernet Command
  remove-override  Remove configuration item override from the device (so
                   profile value takes effect)
  upgrade          Configures upgrade option for ex3500 system
  use              Set setting to use

  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal

nx9500-6C8809(config-device-22-65-78-09-12-35)#

Related Commands
no
Removes an EX3548 switch from the network
4.1.53 firewall-policy
Global Configuration Commands

Configures a firewall policy. This policy defines a set of rules for managing network traffic and prevents unauthorized access to the network behind the firewall.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
firewall-policy <FIREWALL-POLICY-NAME>

Parameters
• firewall-policy <FIREWALL-POLICY-NAME>

<FIREWALL-POLICY-NAME>
Specify the firewall policy name. If a firewall policy does not exist, it is created.

Example
rfs6000-81742D(config)#firewall-policy test
rfs6000-81742D(config-fw-policy-test)#?
Firewall policy Mode commands:
  acl-logging                    Log on flow creating traffic
  alg                            Enable ALG
  clamp                          Clamp value
  dhcp-offer-convert             Enable conversion of broadcast dhcp offers to
                                 unicast
  dns-snoop                      DNS Snooping
  firewall                       Wireless firewall
  flow                           Firewall flow
  ip                             Internet Protocol (IP)
  ip-mac                         Action based on ip-mac table
  ipv6                           Internet Protocol version 6 (IPv6)
  ipv6-mac                       Action based on ipv6-mac table
  logging                        Firewall enhanced logging
  no                             Negate a command or set its defaults
  proxy-arp                      Enable generation of ARP responses on behalf
                                 of another device
  proxy-nd                       Enable generation of ND responses (for IPv6)
                                 on behalf of another device
  stateful-packet-inspection-l2  Enable stateful packet inspection in layer2
                                 firewall
  storm-control                  Storm-control
  virtual-defragmentation        Enable virtual defragmentation for IPv4
                                 packets (recommended for proper functioning
                                 of firewall)

  clrscr                         Clears the display screen
  commit                         Commit all changes made in this session
  do                             Run commands from Exec mode
  end                            End current mode and change to EXEC mode
  exit                           End current mode and down to previous mode
  help                           Description of the interactive help system
  revert                         Revert changes
  service                        Service Commands
  show                           Show running system information
  write                          Write running configuration to memory or
                                 terminal

rfs6000-81742D(config-fw-policy-test)#

Related Commands
no
Removes an existing firewall policy

NOTE: For more information on Firewall policy, see Chapter 13, FIREWALL-POLICY.
4.1.54 global-association-list
Global Configuration Commands

Configures a global list of client MAC addresses. Based on the deny or permit rules specified, clients are either allowed or denied access to the managed network.

The global association list serves the same purpose as an Association Access Control List (ACL). However, the Association ACL allows a limited number of entries, a few thousand only, and does not meet the requirements of a large deployment. This gap is filled by a global association list, which is much larger (with tens of thousands of entries). Both lists co-exist in the system.

When an access request comes in, the association ACL is looked up first and if the requesting MAC address is listed in one of the deny ACLs, the association is denied. But, if the requesting client is permitted access, or if none of the ACLs list the client’s MAC address, the global association ACL is checked. Once authenticated, the client’s credentials are cached on the access point, and subsequent requests are not referenced to the controller. An entry in an AP's credential cache means a pass in the global association list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
global-association-list <GLOBAL-ASSOC-LIST-NAME>

Parameters
• global-association-list <GLOBAL-ASSOC-LIST-NAME>

<GLOBAL-ASSOC-LIST-NAME>
Specify the global association list name. If a list with the same name does not exist, it is created.
Map this global association list to a device (controller) or a controller profile. Once associated, the controller applies this association list to requests received from all adopted APs. For more information, see use.
The global association list can also be mapped to a WLAN. The usage of global access lists is controlled on a per-WLAN basis. For more information, see association-list.

Example
rfs4000-229D58(config)#global-association-list my-clients
rfs4000-229D58(config-global-assoc-list-my-clients)#?
Global Association List Mode commands:
  default-action  Configure the default action when the client MAC does not
                  match any rule
  deny            Specify MAC addresses to be denied
  no              Negate a command or set its defaults
  permit          Specify MAC addresses to be permitted

  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  do              Run commands from Exec mode
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode
  help            Description of the interactive help system
  revert          Revert changes
  service         Service Commands
  show            Show running system information
  write           Write running configuration to memory or terminal

rfs4000-229D58(config-global-assoc-list-my-clients)#

To enable global-association-list controlled client association, execute the following commands:

1 Create a global association list, and configure it as shown in the following examples:

rfs4000-229D58(config)#global-association-list vtt-list
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 01-22-33-44-55-66 description sample
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 40-B8-9A-39-F1-27 description acer
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 42-B8-9A-39-F1-27 description ami
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 6C-40-08-B2-80-6C description mac
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit E0-98-61-34-11-47 description my_mobile
rfs4000-880DA7(config-global-assoc-list-vtt-list)#show context
global-association-list vtt-list
 default-action deny
 permit 01-22-33-44-55-66 description sample
 permit 40-B8-9A-39-F1-27 description acer
 permit 42-B8-9A-39-F1-27 description ami
 permit 6C-40-08-B2-80-6C description mac
 permit E0-98-61-34-11-47 description my_mobile
rfs4000-880DA7(config-global-assoc-list-vtt-list)#

2 Attach this global association list to the profile or device context of the access point or controller, as shown in the following examples:

3 On the access point’s profile context:

Note: Ensure that the global association list is associated with the profile being applied on the access point.

rfs4000-880DA7(config-profile-testAP6522)#use global-association-list server vtt-list
rfs4000-880DA7(config-profile-testAP6522)#show context include-factory | include global-association-list
 service global-association-list blacklist-interval 60
 use global-association-list server vtt-list
rfs4000-880DA7(config-profile-testAP6522)#

4 On the access point’s device context:

ap6522(config-device-B4-C7-99-EA-DF-2C)#use global-association-list server vtt-list
ap6522 (config-device-B4-C7-99-EA-DF-2C)#show context include-factory | include global-association-list
 use global-association-list server vtt-list
ap6522(config-device-B4-C7-99-EA-DF-2C)#

5 On the controller’s device context:

rfs4000-880DA7(config-device-00-23-68-88-0D-A7)#use global-association-list server vtt-list
rfs4000-880DA7(config-device-00-23-68-88-0D-A7)#show context include-factory | include global-association-list
 use global-association-list server vtt-list
ap6522(config-device-B4-C7-99-EA-DF-2C)#

6 Attach this global association list with the WLAN, as shown in the following example:

rfs4000-880DA7(config-wlan-GLAssList)#association-list global vtt-list
rfs4000-880DA7(config-wlan-GLAssList)#show context include-factory | include association-list
 association-list global vtt-list
rfs4000-880DA7(config-wlan-GLAssList)#
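A review aid for the vtt-list configuration and the lookup order described in this section, as an added Python example (not code from this guide or from WiNG). It parses the 'show context' output of a global association list, flags entries that deserve a second look, and evaluates a MAC address in the order the text gives. Assumptions: each rule names a single MAC address, the AP credential cache is consulted after the association ACL, and all function names are hypothetical.

```python
import re

RULE = re.compile(r"^(permit|deny)\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
                  r"(?:\s+description\s+(.+))?$")

# The 'show context' output printed in step 1 of the procedure above.
VTT_LIST = """\
global-association-list vtt-list
 default-action deny
 permit 01-22-33-44-55-66 description sample
 permit 40-B8-9A-39-F1-27 description acer
 permit 42-B8-9A-39-F1-27 description ami
 permit 6C-40-08-B2-80-6C description mac
 permit E0-98-61-34-11-47 description my_mobile
"""


def parse_global_assoc_list(text):
    """Return the list name, its default-action and its (action, mac, description) rules."""
    parsed = {"name": None, "default_action": None, "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("global-association-list "):
            parsed["name"] = line.split(None, 1)[1]
        elif line.startswith("default-action "):
            parsed["default_action"] = line.split()[1]
        else:
            m = RULE.match(line)
            if m:
                parsed["rules"].append((m.group(1), m.group(2).upper(), m.group(3) or ""))
    return parsed


def lint(parsed):
    """Flag rules a reviewer should question before the list is attached to a WLAN."""
    findings, seen = [], {}
    for action, mac, _ in parsed["rules"]:
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            # Group (multicast) bit set: not a valid source address for a client.
            findings.append((mac, "group-address"))
        elif first_octet & 0x02:
            # Locally administered bit set: not a vendor-assigned address.
            findings.append((mac, "locally-administered"))
        if seen.setdefault(mac, action) != action:
            findings.append((mac, "conflicting-rules"))
    has_permit = any(action == "permit" for action, _, _ in parsed["rules"])
    if has_permit and parsed["default_action"] != "deny":
        # default-action is not 'deny' in this output, so unmatched clients may pass.
        findings.append((parsed["name"], "permit-rules-without-default-deny"))
    return findings


def decide(mac, parsed, assoc_acl_deny=(), ap_cache=()):
    """Evaluate one client MAC in the order the text describes; returns (result, source)."""
    mac = mac.upper()
    if mac in assoc_acl_deny:
        return "deny", "association ACL"
    if mac in ap_cache:
        # A cached client is not referred to the controller again.
        return "permit", "AP credential cache"
    for action, rule_mac, _ in parsed["rules"]:
        if rule_mac == mac:
            return action, "global association list rule"
    return parsed["default_action"], "global association list default-action"
```

The ap_cache argument models the caching behavior stated above: a client that is already cached on the access point passes without the list being consulted, so removing its permit rule does not take effect for that client while the cache entry exists.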
4.1.55 guest-management
Global Configuration Commands

The following table summarizes the guest management policy configuration mode commands:

Table 4.35 Guest-Management Policy Config Command
Command | Description | Reference
guest-management | Creates a guest management policy and enters its configuration mode | page 4-286
guest-management-mode commands | Summarizes guest management policy configuration mode commands | page 4-287
4.1.55.1 guest-management
guest-management

Configures a guest management policy that redirects guest users to a registration portal upon association to a captive portal. Guest users are redirected to an internally or externally hosted registration page (registration.html) where guest users who have not previously registered can register. The internally hosted captive portal registration page can be customized based on business requirements.

Use the guest management policy commands to configure parameters, such as E-mail host and SMS gateway, along with the credentials required for sending the pass code to the guest via e-mail and SMS. You can configure up to 32 different guest management policies. Each guest management policy allows you to configure the SMS gateway, SMS message body, E-mail SMTP server, E-mail subject contents, and E-mail message body. Although multiple guest management policies may exist at any point in time, only one guest management policy can be active per device.

Guest registration is supported only on the NX95XX and NX7500 series service platforms. However, the number of user identity entries supported on each varies. The NX95XX and NX75XX model service platforms support 2 million and 1 million user-identity entries, respectively.

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
guest-management <POLICY-NAME>

Parameters
• guest-management <POLICY-NAME>

<POLICY-NAME>
Specify the guest management policy name. If the policy does not exist, it is created.

Example
nx9500-6C8809(config)#guest-management guest
nx9500-6C8809(config-guest-management-guest)#?
Guest Management Mode commands:
  email                  Email guest-notification configuration
  guest-database-backup  Configure guest-database-backup parameters
  guest-database-export  Configure guest-database-export parameters
  no                     Negate a command or set its defaults
  sms                    SMS guest-notification configuration
  sms-over-smtp          Sms-over-smtp configuration to email sms gateway
                         address

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

nx9500-6C8809(config-guest-management-guest)#

Related Commands
no
Removes an existing guest management policy
4.1.55.2 guest-management-mode commands
guest-management

The following table summarizes guest management policy configuration mode commands:

Table 4.36 Guest-Management-Policy-Config-Mode Commands
Command | Description | Reference
email | Configures guest user e-mail notification settings | page 4-288
guest-database-backup | Enables periodic backup of the captive portal’s guest registration user database | page 4-290
guest-database-export | Schedules an export of the Guest Management User database to a specified external server | page 4-291
sms | Configures guest user SMS notification settings | page 4-292
sms-over-smtp | Configures an e-mail host server along with sender credentials and the recipient’s gateway e-mail address to which the message is e-mailed. The gateway server converts the e-mail into SMS and forwards the message to the guest user’s mobile device. | page 4-294
no | Removes this guest management policy settings | page 4-296
4.1.55.2.1 email

Configures guest user e-mail notification settings. When configured, guest users can register themselves with their e-mail credentials as a primary key for authentication. The captive portal system provides the pass code for their registration. Guest users need to use their registered e-mail, mobile, or member ID and the received pass code for subsequent logins to the captive portal.

This option is disabled by default.

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
email [host|message|subject]
email host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security [none|ssl|starttls] username <USER-NAME> password <PASSWORD>
email message <LINE>
email subject <LINE>

Parameters
• email host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security [none|ssl|starttls] username <USER-NAME> password <PASSWORD>
email: Configures guest user e-mail notification settings
host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>]: Configures the SMTP server’s IP address or hostname used for guest management e-mail traffic, guest user credential validation, and pass code reception. Optionally you can use an existing host alias to identify the SMTP server host.
  • <IP/HOSTNAME> – Specify the SMTP server’s IPv4 address or hostname.
  • <HOST-ALIAS-NAME> – Specify the host alias name (should be existing and configured). Consider providing the host as an alias. A host alias is a configuration item that maps the alias to a hostname. Once created, it can be used across different configuration modes. Wherever used, the alias is replaced by the associated hostname.
sender <EMAIL-ADDRESS>: Configures the sender’s name for the guest user receiving the passcode required for registering their guest E-mail credentials using SMTP.
  • <EMAIL-SENDER> – Specify the sender’s name (should not exceed 100 characters).
security [none|ssl|starttls]: Configures the encryption protocol used by the SMTP server when communicating the pass code
  • none – No encryption used. Use if no additional user authentication is needed beyond the required username and password combination.
  • SSL – Uses SSL encryption. This is the default setting.
  • STARTTLS – Uses STARTTLS encryption
username <USER-NAME>: Configures a username unique to this SMS guest management configuration. After configuring the username, specify the associated password. Ensure that the password is correctly provided to receive the pass code required for registering guest user credentials with SMS.
  • <USER-NAME> – Specify the username (should not exceed 100 characters).
password <PASSWORD>: Configures the password associated with the specified SMTP user name
  • <PASSWORD> – Specify the password (should not exceed 63 characters).

• email message <LINE>
email: Configures guest user e-mail notification content
message <LINE>: Configures the content of the e-mail sent to the guest user notifying them of the pass code (should not exceed 1024 characters)
  • <LINE> – Specify the message content. When entering the message, use the following tags:
    GM-NAME – for the guest user’s name
    GM_PASSCODE – for the pass code
    CR-NL – to enter a new line
    For example: Dear GM_NAME, CR-NL your internet access pass code is GM_PASSCODE. CR-NL Use this for internet access.

• email subject <LINE>
email: Configures guest user e-mail notification subject line
subject <LINE>: Configures the subject line of the e-mail sent to the guest user notifying them of the pass code (should not exceed 100 characters)
  • <LINE> – Specify the subject line content. When entering the subject line, use the following tag:
    GM-NAME – for the guest user’s name
    For example: GM_NAME, your internet access code

Example
nx9500-6C8809(config-guest-management-test)#email host 192.168.13.10 sender bob@extremenetworks.com security ssl username guest1 password guest1@123
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
 email host 192.168.13.10 sender bob@extremenetworks.com security ssl username guest1 password guest1@123
nx9500-6C8809(config-guest-management-test)#

nx9500-6C8809(config-guest-management-test2)#email message Dear GM_Guest2, CR-NL Your internet access passcode is GM_Guest2. CR-NL Use this for internet access.
nx9500-6C8809(config-guest-management-test2)#email subject GM_Guest2 Your internet access code
nx9500-6C8809(config-guest-management-test2)#show context
guest-management test2
 email subject GM_Guest2 Your internet access code
 email message Dear GM_Guest2,  CR-NL  Your internet access passcode is GM_Guest2.  CR-NL  Use this for internet access.
nx9500-6C8809(config-guest-management-test2)#

Related Commands
no: Removes the e-mail settings used to send notification mails to the guest user
4.1.55.2.2 guest-database-backup

Enables periodic backup of a captive portal’s guest registration user database. This option is enabled by default.

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
guest-database-backup enable {<TIME>}

Parameters
• guest-database-backup enable {<TIME>}
guest-database-backup enable <TIME>: Enables periodic backup of a captive portal’s guest registration user database. This command also allows you to configure the time at which the system starts backing up the database. The default backup-start time is ‘00:00’ (midnight every day).
  • <TIME> – Optional. Resets the periodic database backup-start time to a user-defined value in the HH:MM format. When specified, the system starts periodic backup of the database, every day, at the specified time.

Example
nx9500-6C8809(config-guest-management-test)#guest-database-backup enable 12:30
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
 guest-database-backup enable 12:30
nx9500-6C8809(config-guest-management-test)#

Related Commands
no: Disables periodic backup of a captive portal’s guest registration user database
4.1.55.2.3 guest-database-export

Schedules an export of the Guest Management user database to a specified external server. This option is enabled by default.

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
guest-database-export <TIME> frequency <1-168> url-directory <URL> {(format [csv|json]|last-visit-within <1-168>)}

Parameters
• guest-database-export <TIME> frequency <1-168> url-directory <URL> {(format [csv|json]|last-visit-within <1-168>)}
guest-database-export <TIME>: Schedules an export of the Guest Management User collection to an external server
  • <TIME> – Configures the start time of the export operation in the HH:MM format
frequency <1-168>: Configures the user collection export frequency in hours
  • <1-168> – Configures the frequency from 1 - 168 hours. If the frequency is set at 3 hours, the user database is exported once every 3 hours. The default is 4 hours.
url-directory <URL>: Configures the external server’s URL and the directory to which the collection is exported
  • <URL> – Specify the external server’s URL
format [csv|json]: Optional. Configures the file format
  • csv – Exports collection to the specified location in CSV format. This is the default setting.
  • json – Exports collection to the specified location in JSON format
last-visit-within <1-168>: Configures a filter for guest users who have last visited within a specified period of time
  • <1-168> – Specify a time period from 1 - 168 hours. If, for example, the last-visit-within value is set at 2 hours, then only the last two hours’ guest user collections will be exported. The default is 4 hours.

Example
nx9500-6C8809(config-guest-management-gm1)#guest-database-export 10:30 frequency 6 url-directory ftp://admin:xxxxxx@192.168.13.10/dbe_dir format json last-visit-within 168
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
 guest-database-export 12:30 frequency 20 url-directory ftp://admin:xxxxxx@192.168.13.10/dbe_dir format json last-visit-within 168
nx9500-6C8809(config-guest-management-test)#

Related Commands
no: Reverts the guest database export parameters to default
4.1.55.2.4 sms

Configures guest user SMS notification settings

When configured, guest users can register themselves with their e-mail or mobile device ID as the primary key for authentication. The captive portal provides the pass code for registration. Guest users use their registered e-mail or mobile device ID and the received pass code for subsequent logins to the captive portal.

SMS is similar to MAC address-based self registration, but in addition the captive portal sends an SMS message, containing an access code, to the user’s mobile phone number provided at the time of registration. The captive portal verifies the code, returns the Welcome page and provides access. This allows the administrator to verify the phone number provided, which can be traced back to a specific individual should the need arise.

The default gateway used with SMS is Clickatell. A pass code can be sent with SMS to the guest user directly using Clickatell, or the pass code can be sent via e-mail to the SMS Clickatell gateway server, and Clickatell sends the pass code SMS to the guest user.

NOTE: When using SMS, ensure that the WLAN’s mode of authentication is set to none and the mode of registration is set to user. In other words, captive portal authentication must always enforce guest registration.

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
sms [host|message]
sms host clickatell username <USER-NAME> password <PASSWORD> api-id <ID> user-agent <PYCLICKATELL> {source-number <WORD>}
sms message <LINE>

Parameters
• sms host clickatell username <USER-NAME> password <PASSWORD> api-id <ID> user-agent <PYCLICKATELL> {source-number <WORD>}
sms: Configures guest user SMS notification settings
host clickatell: By default, clickatell is the host SMS gateway server resource. Upon receiving the pass code e-mail, the SMS gateway sends the actual notification pass code SMS to the guest user.
username <USER-NAME>: Configures a username unique to this SMS guest management configuration. After configuring the username, specify the associated password. Ensure that the password is correctly provided to receive the pass code required for registering guest user credentials with SMS.
  • <USER-NAME> – Specify the username (should not exceed 32 characters).
password <PASSWORD>: Configures the password associated with the specified username
  • <PASSWORD> – Specify the password (should not exceed 63 characters).
api-id <ID>: Set a 32 character maximum API ID
  • <API-ID> – Specify the API ID (should not exceed 32 characters).
user-agent <PYCLICKATELL>: Since the SMS service provider by default is Clickatell, set the user agent name to pyclickatell. The user-agent value ensures the Clickatell SMS gateway server and its related credentials, needed for sending the pass code to guest users, are configured.
source-number <WORD>: Optional. Configures the long-address or the from-number associated with this Clickatell user account
  • <WORD> – Specify the source number (should not exceed 32 characters).

• sms message <LINE>
sms: Configures guest user SMS notification content
message <LINE>: Configures the content of the SMS sent to the guest user notifying them of the pass code (should not exceed 1024 characters)
  • <LINE> – Specify the message content. When entering the message, use the following tags:
    GM-NAME – for the guest user’s name
    GM_PASSCODE – for the pass code
    For example: Dear GM_NAME, your internet access pass code is GM_PASSCODE.

Example
nx9500-6C8809(config-guest-management-test)#sms host clickatell username guest1 password guest1@123 api-id test user-agent pyclickatell
nx9500-6C8809(config-guest-management-test)#sms message Dear guest1, Your passcode for internet access is GM-guest1
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
 email host 192.168.13.10 sender bob@extremenetworks.com security ssl username guest1 password guest1@123
 sms host clickatell username guest1 password guest1@123 api-id test user-agent pyclickatell
 sms message Dear guest1, Your passcode for internet access is GM-guest1
nx9500-6C8809(config-guest-management-test)#

Related Commands
no: Removes the SMS settings used to send SMS to the guest user
4.1.55.2.5 sms-over-smtp

Configures an e-mail host server (for example: smtp.gmail.com) along with sender related credentials and the recipient gateway e-mail address to which the message is e-mailed. The gateway server converts the e-mail into SMS and sends the message to the guest user’s mobile device.

When sending an e-mail, the e-mail client interacts with an SMTP server to handle the content transmission. The SMTP server on the host may have conversations with other SMTP servers to deliver the e-mail.

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
sms-over-smtp [host|message|subject]
sms-over-smtp host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security [none|ssl|starttls] username <USER-NAME> password <PASSWORD> recipient <EMAIL-ADDRESS>
sms-over-smtp message <LINE>
sms-over-smtp subject <LINE>

Parameters
• sms-over-smtp host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security [none|ssl|starttls] username <USER-NAME> password <PASSWORD> recipient <EMAIL-ADDRESS>
sms-over-smtp: Configures guest user SMS over SMTP notification settings
host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>]: Configures the SMS gateway server resource’s IPv4 address or hostname used for guest management SMS over SMTP traffic, guest user credential validation and pass code reception. Optionally you can use an existing host alias to identify the SMS gateway server resource.
  • <IP/HOSTNAME> – Specify the SMTP gateway server resource’s IP address or hostname.
  • <HOST-ALIAS-NAME> – Specify the host alias name (should be existing and configured). Consider providing the host as an alias. A host alias is a configuration item that maps the alias to a hostname. Once created, it can be used across different configuration modes. Wherever used, the alias is replaced by the associated hostname.
sender <EMAIL-ADDRESS>: Configures the sender’s e-mail address. The sender here is the guest user receiving the pass code. Guest users require this pass code for registering their guest e-mail credentials using SMTP.
  • <EMAIL-ADDRESS> – Specify the e-mail address (should not exceed 64 characters).
security [none|ssl|starttls]: Configures the encryption protocol used by the SMTP server when communicating the pass code
  • none – No encryption used. Use if no additional user authentication is needed beyond the required username and password combination.
  • SSL – Uses SSL encryption. This is the default setting.
  • STARTTLS – Uses STARTTLS encryption
username <USER-NAME>: Configures a username unique to this SMTP guest management configuration. After configuring the username, specify the associated password. Ensure that the correct password is provided to receive the pass code required for registering guest user credentials with SMTP.
  • <USER-NAME> – Specify the username (should not exceed 64 characters).
password <PASSWORD>: Configures the password associated with the specified SMTP user name
  • <PASSWORD> – Specify the password (should not exceed 64 characters).
recipient <EMAIL-ADDRESS>: Configures the e-mail recipient's e-mail address
  • <EMAIL-ADDRESS> – Specify the recipient’s e-mail address (should not exceed 64 characters in length).

• sms-over-smtp message <LINE>
sms-over-smtp: Configures guest user SMS over SMTP notification message content
message <LINE>: Configures the content of the SMS over SMTP sent to the guest user notifying them of the pass code (should not exceed 1024 characters)
  • <LINE> – Specify the message content. When entering the message, use the following tags:
    GM-NAME – for the guest user’s name
    GM_PASSCODE – for the pass code
    CR-NL – to enter a new line
    For example: Dear GM_NAME, CR-NL your internet access pass code is GM_PASSCODE. CR-NL Use this access code for internet access.

• sms-over-smtp subject <LINE>
sms-over-smtp: Configures guest user e-mail notification subject line content
subject <LINE>: Configures the subject line of the SMS over SMTP sent to the guest user notifying them of the pass code (should not exceed 100 characters)
  • <LINE> – Specify the subject line content. When entering the subject line, use the following tag:
    GM-NAME – for the guest user’s name
    For example: GM_NAME, your internet access code

Example
nx9500-6C8809(config-guest-management-test3)#sms-over-smtp host test sender bob@extremenetworks.com security ssl username bob password bob@123 recipient john@extremenetworks.com
nx9500-6C8809(config-guest-management-test3)#show context
guest-management test3
 sms-over-smtp host test sender bob@extremenetworks.com security ssl username bob password bob@123 recipient john@extremenetworks.com
nx9500-6C8809(config-guest-management-test3)#

Related Commands
no: Removes the SMS over SMTP settings used to send SMS to the guest user
4.1.55.2.6 no

Removes this guest management policy’s settings

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [email|guest-database-backup|guest-database-export|sms|sms-over-smtp]
no email [host|message|subject]
no guest-database-backup enable
no guest-database-export
no gmd report-generation enable
no sms [host|message]
no sms-over-smtp [host|message|subject]

Parameters
• no <PARAMETERS>
no <PARAMETERS>: Removes this guest management policy’s settings based on the parameters passed

Example
nx9500-6C8809(config-guest-management-test3)#show context
guest-management test3
 sms-over-smtp host test sender bob@extremenetworks.com security ssl username bob password bob@123 recipient john@extremenetworks.com
nx9500-6C8809(config-guest-management-test3)#
nx9500-6C8809(config-guest-management-test)#no sms-over-smtp host
nx9500-6C8809(config-guest-management-test3)#show context
guest-management test3
nx9500-6C8809(config-guest-management-test3)#
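The following added example (not part of the original guide or of WiNG) audits show context output for the guest-management settings documented above that expose credentials or guest data in transit: security none on an email or sms-over-smtp host, and a guest-database-export URL that uses a cleartext scheme or embeds a password. The function names, finding labels and sample text are constructed for illustration; the list of cleartext schemes is a general protocol fact, not a statement of what url-directory accepts.

```python
from urllib.parse import urlsplit

# Schemes that carry logins and data unencrypted (assumption: a general
# protocol list, not the set of schemes WiNG accepts for url-directory).
CLEARTEXT_SCHEMES = {"ftp", "http", "tftp"}

# Constructed sample, modelled on the show context output in this section.
SAMPLE = """\
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
 email host 192.168.13.10 sender bob@extremenetworks.com security none username guest1 password guest1@123
 guest-database-export 12:30 frequency 20 url-directory ftp://admin:xxxxxx@192.168.13.10/dbe_dir format json last-visit-within 168
guest-management test3
 sms-over-smtp host test sender bob@extremenetworks.com security ssl username bob password bob@123 recipient john@extremenetworks.com
"""


def keyword_pairs(tokens):
    """['host', 'h', 'sender', 's'] -> {'host': 'h', 'sender': 's'}.

    The documented syntax is strictly keyword/value, so pairing by position
    stays correct even when a value happens to equal a keyword.
    """
    return dict(zip(tokens[0::2], tokens[1::2]))


def audit_guest_management(text):
    """Return (policy, check, detail) findings; details never echo secrets."""
    findings = []
    policy = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        if not raw[0].isspace():
            # Unindented line: a policy header, a CLI prompt or another context.
            is_policy = tokens[0] == "guest-management" and len(tokens) == 2
            policy = tokens[1] if is_policy else None
            continue
        if policy is None:
            continue
        if tokens[0] in ("email", "sms-over-smtp") and tokens[1:2] == ["host"]:
            opts = keyword_pairs(tokens[1:])
            if opts.get("security") == "none":
                # Pass codes and the SMTP login cross the network unencrypted.
                findings.append((policy, "smtp-no-encryption",
                                 f"{tokens[0]} host {opts['host']}"))
        elif tokens[0] == "guest-database-export":
            opts = keyword_pairs(tokens[2:])  # tokens[1] is the <TIME> value
            url = urlsplit(opts.get("url-directory", ""))
            target = f"{url.scheme}://{url.hostname}{url.path}"  # userinfo dropped
            if url.scheme in CLEARTEXT_SCHEMES:
                findings.append((policy, "export-cleartext-transport", target))
            if url.password:
                # The password is stored in the configuration and shown by show context.
                findings.append((policy, "export-password-in-url", target))
    return findings


if __name__ == "__main__":
    for policy, check, detail in audit_guest_management(SAMPLE):
        print(f"{policy}: {check}: {detail}")
```
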
4.1.56 host

Enters the configuration context of a remote device using its hostname

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
host <DEVICE-NAME>

Parameters
• host <DEVICE-NAME>
<DEVICE-NAME>: Specify the device’s hostname. All discovered devices are displayed when ‘Tab’ is pressed to auto complete this command.

Example
rfs4000-229D58(config)#host rfs4000-229D58
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
4.1.57 inline-password-encryption

Stores the encryption key in the startup configuration file

By default, the encryption key is not stored in the startup-config file. Use the inline-password-encryption command to move the encrypted key to the startup-config file. This command uses the master key to encrypt the password, then moves it to the startup-config file.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
inline-password-encryption

Parameters
None

Usage Guidelines
When the configuration file is imported to a different device, it first decrypts the encryption key using the default key and then decrypts the rest of the configuration using the administrator configured encryption key.

Example
The following command uses the specified password for encryption key and stores it outside of startup-config:
rfs6000-81742D(config)#password-encryption secret 2 12345678
rfs6000-81742D(config)#commit write memory

The following command moves the same password to the startup-config and encrypts it with the master key:
rfs6000-81742D(config)#inline-password-encryption

Related Commands
no: Disables storing of the encryption key in the startup configuration file
password-encryption: Enables password encryption
4.1.58 ip

Creates an IP access control list (ACL) and/or an SNMP IP ACL

Access lists define access permissions to the network using a set of rules. Each rule specifies an action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip [access-list|snmp-access-list]
ip access-list <IP-ACL-NAME>
ip snmp-access-list <IP-SNMP-ACL-NAME>

Parameters
• ip access-list <IP-ACL-NAME>
access-list <IP-ACL-NAME>: Creates an IP ACL and enters its configuration mode
  • <IP-ACL-NAME> – Specify the ACL name. If the access list does not exist, it is created.

• ip snmp-access-list <IP-SNMP-ACL-NAME>
snmp-access-list <IP-SNMP-ACL-NAME>: Creates an SNMP IP ACL and enters its configuration mode. An SNMP IP ACL is an access control mechanism that uses a combination of IP ACL and SNMP community string.
  SNMP performs network management functions using a data structure called a Management Information Base (MIB). SNMP is widely implemented but not very secure, since it uses only text community strings for accessing controller or service platform configuration files.
  Use SNMP ACLs (firewalls) to help reduce SNMP’s vulnerabilities, as SNMP traffic can be easily exploited to produce a denial of service (DoS).
  • <IP-SNMP-ACL-NAME> – Specify the SNMP IP ACL name. If the access list does not exist, it is created. After creating the SNMP ACL, define the deny/permit rules based on the network and/or host IP addresses. Once created and configured, link this SNMP IP ACL with an SNMP community string.
  To link the SNMP community string with the SNMP IP ACL, in the management-policy-config-mode, use the following command: snmp-server > community <COMMUNITY-STRING> > [ro|rw] > ip-snmp-access-list <IP-SNMP-ACL-NAME>.

Example
rfs6000-81742D(config)#ip access-list test
rfs6000-81742D(config-ip-acl-test)#?
ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-81742D(config-ip-acl-test)#

rfs6000-81742D(config)#ip snmp-access-list SNMPAcl
rfs6000-81742D(config-ip-snmp-acl-SNMPAcl)#?
SNMP ACL Configuration commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-81742D(config-ip-snmp-acl-SNMPAcl)#

Related Commands
no: Removes an IP access control list

NOTE: For more information on access control lists, see Chapter 11, ACCESS-LIST.
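The linkage described above (every SNMP community string bound to an SNMP IP ACL that actually exists) can be checked offline against a saved configuration. This is an added example, not code from the guide or from WiNG; the sample configuration is constructed from the syntax shown in this section, real running-config lines may carry extra tokens, and the function name and finding labels are hypothetical.

```python
# Constructed sample. The line layout follows the syntax given in this section
# (ip snmp-access-list <NAME>; snmp-server community <STRING> [ro|rw]
# ip-snmp-access-list <NAME>); "management-policy default" is a placeholder context.
SAMPLE = """\
ip snmp-access-list SNMPAcl
management-policy default
 snmp-server community public ro
 snmp-server community ops-rw rw ip-snmp-access-list SNMPAcl
 snmp-server community legacy rw ip-snmp-access-list OldAcl
"""


def audit_snmp_communities(text):
    """Return (line_number, access, issue) for each weakly protected community.

    Findings are keyed by line number so the report never repeats the
    community string itself, which acts as the SNMP credential.
    """
    lines = [line.split() for line in text.splitlines()]

    # Pass 1: collect every SNMP IP ACL the configuration defines. A separate
    # pass is needed because a definition may appear after the line that uses it.
    defined = {t[2] for t in lines
               if t[:2] == ["ip", "snmp-access-list"] and len(t) == 3}

    # Pass 2: check each community line for a binding to a defined ACL.
    findings = []
    for number, t in enumerate(lines, start=1):
        if t[:2] != ["snmp-server", "community"] or len(t) < 3:
            continue
        rest = t[3:]  # everything after the community string
        access = next((tok for tok in rest if tok in ("ro", "rw")), "unknown")
        acl = None
        if "ip-snmp-access-list" in rest:
            pos = rest.index("ip-snmp-access-list")
            acl = rest[pos + 1] if pos + 1 < len(rest) else None
        if acl is None:
            # Any source address that knows the string can use it.
            findings.append((number, access, "no-snmp-acl"))
        elif acl not in defined:
            # Bound to a name with no matching definition in this file.
            findings.append((number, access, "undefined-snmp-acl"))
    return findings


if __name__ == "__main__":
    for number, access, issue in audit_snmp_communities(SAMPLE):
        print(f"line {number}: {access} community: {issue}")
```
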
4.1.59 ipv6

Creates an IPv6 ACL

An IPv6 ACL defines a set of rules that filter IPv6 packets flowing through a port or interface. Each rule specifies the action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6 access-list <IPv6-ACL-NAME>

Parameters
• ipv6 access-list <IPv6-ACL-NAME>
access-list <IPv6-ACL-NAME>: Configures an IPv6 access list and enters its configuration mode
  • <IPv6-ACL-NAME> – Specify the IPv6 ACL name. If the access list does not exist, it is created.

Example
rfs4000-229D58(config)#ipv6 access-list IPv6ACLTest
rfs4000-229D58(config-ipv6-acl-IPv6ACLTest)#?
IPv6 Access Control Mode commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs4000-229D58(config-ipv6-acl-IPv6ACLTest)#

Related Commands
no: Removes an IPv6 access control list

NOTE: For more information on access control lists, see Chapter 11, ACCESS-LIST.
4.1.60 ipv6-router-advertisement-policy

The following table lists the IPv6 router advertisement (RA) policy configuration commands:

Table 4.37 IPv6-Router-Advertisement-Policy-Config Commands
Command | Description | Reference
ipv6-router-advertisement-policy | Creates a new IPv6 RA policy and enters its configuration mode | page 4-303
ipv6-router-advertisement-policy-mode commands | Summarizes the IPv6 RA policy configuration mode commands | page 4-305
4.1.60.1 ipv6-router-advertisement-policy

Creates an IPv6 RA policy and enters its configuration mode

An IPv6 router policy allows routers to advertise their presence in response to solicitation messages. After receiving a neighbor solicitation message, the destination node sends an advertisement message, which includes the link layer address of the source node. After receiving the advertisement, the destination device replies with a neighbor advertisement message on the local link. After the source receives the advertisement it can communicate with other devices.

Advertisement messages are also sent to indicate a change in link layer address for a node on the local link. With such a change, the multicast address becomes the destination address for advertisement messages.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6-router-advertisement-policy <POLICY-NAME>

Parameters
• ipv6-router-advertisement-policy <POLICY-NAME>
ipv6-router-advertisement-policy <POLICY-NAME>: Specify an IPv6 RA policy name. If the policy does not exist, it is created.

Example
rfs4000-229D58(config)#ipv6-router-advertisement-policy test
rfs4000-229D58(config-ipv6-radv-policy-test)#?
IPv6 Router Advertisement Policy Mode commands:
  advertise                        Option to advertise in router advertisement
  assist-neighbor-discovery        Send the Source Link Layer address option
                                   in Router Advertisement to assist in
                                   neighbor discovery
  check-ra-consistency             Check if the parameters advertised by other
                                   routers on the link are in conflict with
                                   those configured on this router. Conflicts
                                   are logged.
  dns-server                       DNS Server
  domain-name                      Configure domain-name
  managed-config-flag              Set the managed-address-configuration flag
                                   in Router Advertisements. When set, it
                                   indicates that the addresses are available
                                   via DHCPv6
  nd-reachable-time                Time that a node assumes a neighbor is
                                   reachable after having received a
                                   reachability confirmation
  no                               Negate a command or set its defaults
  ns-interval                      Time between retransmitted Neighbor
                                   Solicitation messages
  other-config-flag                Set the other-configuration flag in Router
                                   Advertisements. When set, it indicates that
                                   other configuration information is
                                   available via DHCPv6.
  ra                               Router Advertisements
  router-lifetime                  Lifetime associated with the default router
  router-preference                Preference of this router over other
                                   routers
  unicast-solicited-advertisement  Unicast the solicited Router Advertisements
  clrscr                           Clears the display screen
  commit                           Commit all changes made in this session
  do                               Run commands from Exec mode
  end                              End current mode and change to EXEC mode
  exit                             End current mode and down to previous mode
  help                             Description of the interactive help system
  revert                           Revert changes
  service                          Service Commands
  show                             Show running system information
  write                            Write running configuration to memory or
                                   terminal
rfs4000-229D58(config-ipv6-radv-policy-test)#

Related Commands
no: Removes the specified IPv6 RA policy

4.1.60.2 ipv6-router-advertisement-policy-mode commands

The following table summarizes IPv6 router advertisement policy configuration commands:

Table 4.38 IPv6-Router-Advertisement-Policy-Config-Mode Commands

Command                            Description    Reference
advertise                          Enables advertisement of IPv6 maximum transmission unit (MTU) and hop-count value in RAs    page 4-306
assist-neighbor-discovery          Enables advertisement of the source link layer address in RAs    page 4-307
check-ra-consistency               Enables checking of consistency in RA values advertised by this router with those advertised by other routers, if any, on the same link    page 4-308
dns-server                         Configures the DNS server’s IPv6 address and lifetime advertised in RAs    page 4-309
domain-name                        Configures the Domain name search label advertised in RAs    page 4-310
managed-config-flag                Sets the managed address configuration flag in RAs    page 4-311
nd-reachable-time                  Enables advertisement of neighbor reachable time in RAs    page 4-312
no                                 Removes or reverts router advertisement policy settings    page 4-313
ns-interval                        Configures the interval between two successive retransmitted neighbor solicitation (NS) messages    page 4-314
other-config-flag                  Sets the other-configuration flag in RAs    page 4-315
ra                                 Configures RA related parameters, such as the interval between two unsolicited successive RAs    page 4-316
router-lifetime                    Configures the default router’s lifetime, in seconds, advertised in RAs    page 4-317
router-preference                  Configures the router preference field value advertised in RAs    page 4-318
unicast-solicited-advertisement    Enables unicasting of solicited RAs    page 4-319

4.1.60.2.1 advertise

Enables advertisement of IPv6 MTU and hop-count value in RAs

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
advertise [hop-limit|mtu]

Parameters
• advertise [hop-limit|mtu]

advertise [hop-limit|mtu]
    Enables advertisement of IPv6 MTU and hop-count value in RAs. Both these features are disabled by default.

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#advertise hop-limit
rfs6000-81742D(config-ipv6-radv-policy-test)#advertise mtu
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 advertise mtu
 advertise hop-limit
rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands
no
    Disables advertisement of IPv6 MTU and hop-count value in RAs

4.1.60.2.2 assist-neighbor-discovery

Enables advertisement of the source link layer address in RAs to facilitate neighbor discovery. This feature is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
assist-neighbor-discovery

Parameters
None

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#assist-neighbor-discovery

Related Commands
no
    Disables the advertisement of the source link layer address in RAs

4.1.60.2.3 check-ra-consistency

Enables checking of consistency in RA values advertised by this router with those advertised by other routers, if any, on the same link. If the values advertised are inconsistent, a conflict is logged.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
check-ra-consistency

Parameters
None

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#check-ra-consistency
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 advertise mtu
 advertise hop-limit
 check-ra-consistency
rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands
no
    Disables comparison of interface-specific parameters advertised by other routers, within the link, with those advertised by this router
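
The comparison that check-ra-consistency describes can be sketched at the RA wire level. This is an added example, not WiNG code: it assumes the consistency rules of RFC 4861 section 6.2.7, all function names are hypothetical, and both packets are constructed samples (the first mirrors values used in this section's examples).

```python
import ipaddress
import struct

# Encoding of the 2-bit router preference (Prf) field, per RFC 4191.
PRF = {0b01: "high", 0b00: "medium", 0b11: "low"}


def build_ra(hop_limit, flags, lifetime, reachable_ms, retrans_ms, mtu=None, dns=()):
    """Build constructed RA bytes for this demo (checksum left at 0, never sent)."""
    pkt = struct.pack("!BBHBBHII", 134, 0, 0, hop_limit, flags,
                      lifetime, reachable_ms, retrans_ms)
    if mtu:
        pkt += struct.pack("!BBHI", 5, 1, 0, mtu)                  # MTU option
    if dns:
        pkt += struct.pack("!BBHI", 25, 1 + 2 * len(dns), 0, 600)  # RDNSS option
        pkt += b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return pkt


def parse_ra(icmp6):
    """Decode an ICMPv6 Router Advertisement (type 134) into its advertised values."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", icmp6[4:16])
    ra = {
        "hop_limit": hop_limit,                  # advertise hop-limit
        "managed": bool(flags & 0x80),           # managed-config-flag (M bit)
        "other": bool(flags & 0x40),             # other-config-flag (O bit)
        "preference": PRF.get((flags >> 3) & 0b11, "reserved"),  # router-preference
        "router_lifetime": lifetime,             # router-lifetime, seconds
        "reachable_ms": reachable,               # nd-reachable-time
        "retrans_ms": retrans,                   # ns-interval
        "mtu": None,                             # advertise mtu
        "dns_servers": [],                       # dns-server
    }
    pos = 16
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed RA option")
        body = icmp6[pos + 2:pos + opt_len]
        if opt_type == 5 and opt_len == 8:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif opt_type == 25 and opt_len >= 24:
            # body layout: 2 reserved bytes, 4-byte lifetime, then 16-byte addresses
            for i in range(6, len(body), 16):
                ra["dns_servers"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += opt_len
    return ra


def ra_conflicts(ours, theirs):
    """List fields that disagree between two routers' RAs on the same link."""
    conflicts = []
    for field in ("hop_limit", "reachable_ms", "retrans_ms", "mtu"):
        a, b = ours[field], theirs[field]
        if a and b and a != b:       # 0 or a missing option means "unspecified"
            conflicts.append(f"{field}: ours={a} other={b}")
    for flag in ("managed", "other"):
        if ours[flag] != theirs[flag]:
            conflicts.append(f"{flag} flag: ours={ours[flag]} other={theirs[flag]}")
    return conflicts


# Constructed sample: M flag set, preference high, lifetime 2000 s,
# reachable time 6000 ms, NS interval 3000 ms, MTU 1500, DNS server 2002::2.
OURS = build_ra(64, 0x80 | 0x08, 2000, 6000, 3000, mtu=1500, dns=["2002::2"])
# Constructed sample for a second router on the link with different values.
OTHER = build_ra(64, 0x40, 1800, 0, 1000, mtu=1280)

if __name__ == "__main__":
    for line in ra_conflicts(parse_ra(OURS), parse_ra(OTHER)):
        print("conflict:", line)
```
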

4.1.60.2.4 dns-server

Configures the DNS server’s IPv6 address and lifetime. The configured values are advertised in RAs.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dns-server <IPv6> {lifetime [<4-3600>|expired|infinite]}

Parameters
• dns-server <IPv6> {lifetime [<4-3600>|expired|infinite]}

dns-server <IPv6>
    Configures the DNS server’s IPv6 address
    Enables the use of a DNS server to resolve host names to IPv6 addresses. When an IPv6 host is configured with the address of a DNS server, the host sends DNS name queries to the server for resolution.
    • <IPv6> – Specify the DNS server’s address. This address is advertised in RAs. A maximum of four (4) entries can be made per policy.

lifetime [<4-3600>|expired|infinite]
    Optional. Configures the DNS server’s (identified by the <IPv6> parameter) lifetime
    • <4-3600> – Configures a lifetime in seconds. Specify a value from 4 - 3600 seconds. The default is 600 seconds.
    • expired – Advertises that this DNS server’s lifetime has expired and should not be used
    • infinite – Advertises that this DNS server’s lifetime is infinite

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#dns-server 2002::2 lifetime 3000
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands
no
    Removes the DNS server settings advertised in RAs. Once removed these values are not advertised in RAs.

4.1.60.2.5 domain-name

Configures the Domain name search label advertised in RAs

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
domain-name <WORD> {lifetime [<4-3600>|expired|infinite]}

Parameters
• domain-name <WORD> {lifetime [<4-3600>|expired|infinite]}

domain-name <WORD>
    Configures the Domain name search label advertised in RAs
    Enter a fully qualified domain name (FQDN), which is an unambiguous domain name available in a router advertisement resource. To distinguish an FQDN from a regular domain name, a trailing period is added. For example, somehost.example.com.
    • <WORD> – Specify the Domain name search label. A maximum of four (4) entries can be made per policy.

lifetime [<4-3600>|expired|infinite]
    Optional. Configures the Domain name search label's lifetime
    • <4-3600> – Configures a lifetime in seconds. Specify a value from 4 - 3600 seconds. The default is 600 seconds.
    • expired – Advertises that this Domain name search label's lifetime has expired and should not be used
    • infinite – Advertises that this Domain name search label's lifetime is infinite

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands
no
    Removes the Domain name settings advertised in RAs. Once removed these values are not advertised in RAs.

4.1.60.2.6 managed-config-flag

Sets the managed address configuration flag in RAs. When set, it indicates that IPv6 addresses are available through DHCPv6. This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
managed-config-flag

Parameters
None

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#managed-config-flag
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 managed-config-flag
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands
no
    Removes the managed address configuration flag advertised in RAs

4.1.60.2.7 nd-reachable-time

Enables advertisement of neighbor discovery reachable time in RAs. This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
nd-reachable-time [<5000-3600000>|global]

Parameters
• nd-reachable-time [<5000-3600000>|global]

nd-reachable-time [<5000-3600000>|global]
    Configures the interval, in milliseconds, that a node assumes a neighbor is reachable after receiving a reachability confirmation from the neighbor. Therefore, a neighbor is reachable, after being discovered, for a period specified here. This value is advertised in RAs. Use one of the following options:
    • <5000-3600000> – Configures an interface-specific value. Specify a value from 5000 - 3600000 milliseconds. The default is 5000 milliseconds.
    • global – Advertises the neighbor reachable time configured for the system. This is the value configured at the device configuration mode. For more information, see use.

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#nd-reachable-time 6000
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 managed-config-flag
 nd-reachable-time 6000
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands
no
    Disables advertisement of neighbor reachable time in RAs

4.1.60.2.8 no

Removes or reverts router advertisement policy settings. Use the no command to remove or revert the interface-specific parameters that are advertised by the link router.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [advertise [hop-limit|mtu]|assist-neighbor-discovery|check-ra-consistency|dns-server <IPv6>|domain-name <WORD>|managed-config-flag|nd-reachable-time|ns-interval|other-config-flag|ra [interval|suppress]|router-lifetime|unicast-solicited-advertisement]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or reverts this IPv6 router advertisement policy’s settings based on the parameters passed

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 managed-config-flag
 nd-reachable-time global
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#
rfs6000-81742D(config-ipv6-radv-policy-test)#no managed-config-flag
rfs6000-81742D(config-ipv6-radv-policy-test)#no nd-reachable-time
rfs6000-81742D(config-ipv6-radv-policy-test)#no check-ra-consistency
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 advertise mtu
 advertise hop-limit
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#

4.1.60.2.9 ns-interval

Configures the neighbor solicitation (NS) retransmit timer value advertised in RAs. This is the interval between two successive NS messages. When specified, it enables the sending of the specified value in RAs. This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ns-interval [<1000-3600000>|global]

Parameters
• ns-interval [<1000-3600000>|global]

ns-interval [<1000-3600000>|global]
    Configures the NS interval advertised in RAs. Use one of the following options:
    • <1000-3600000> – Specify a value from 1000 - 3600000 milliseconds. The default is 1000 milliseconds.
    • global – Advertises the NS interval configured for the system. This is configured on the device in the device configuration mode. For more information, see ipv6.

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#ns-interval 3000
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 managed-config-flag
 nd-reachable-time global
 ns-interval 3000
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands
no
    Disables advertisement of NS interval in RAs

4.1.60.2.10 other-config-flag

Sets the other-configuration flag in RAs. When set, it indicates that other configuration details, such as DNS-related information, are available through DHCPv6. This feature is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
other-config-flag

Parameters
None

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#other-config-flag

Related Commands
no
    Removes the other-config-flag advertised on RAs

4.1.60.2.11 ra

Configures RA related parameters, such as the interval between two unsolicited successive RAs. It also allows suppression of RAs.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ra [interval <3-1800>|suppress]

Parameters
• ra [interval <3-1800>|suppress]

interval <3-1800>
    Configures the interval, in seconds, between two unsolicited successive RAs
    • <3-1800> – Specify a value from 3 - 1800 seconds. The default is 300 seconds.
    The router-lifetime should be at least three times the specified router interval.

suppress
    Enables the suppression of RAs. When enabled, the transmission of RAs in IPv6 packets is suppressed. This option is disabled by default. The no > ra > suppress command enables the sending of RAs.

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#ra interval 200
rfs6000-81742D(config-ipv6-radv-policy-test)#ra suppress
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 ra suppress
 ra interval 200
 managed-config-flag
 nd-reachable-time global
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands
no
    Removes the RA interval, and enables the sending of RAs

4.1.60.2.12 router-lifetime

Configures the default router’s lifetime, in seconds, advertised in RAs

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
router-lifetime <0-9000>

Parameters
• router-lifetime <0-9000>

router-lifetime <0-9000>
    Configures the default router’s lifetime
    • <0-9000> – Specify a value from 0 - 9000 seconds. The default value is 1500 seconds.
    A value of “0” indicates that this router is not the default router.

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#router-lifetime 2000
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 ra suppress
 ra interval 200
 managed-config-flag
 nd-reachable-time global
 router-lifetime 2000
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands
no
    Removes the default router’s lifetime

4.1.60.2.13 router-preference

Configures the router preference field value advertised in RAs. The options are high, medium, and low. This value is used to prioritize and select the default router when multiple routers are discovered.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
router-preference [high|medium|low]

Parameters
• router-preference [high|medium|low]

router-preference [high|medium|low]
    Sets this router’s preference over other routers, in the link, to be the default router. The options are high, low, and medium. The default value is medium.
    The following points should be taken into consideration when configuring router preference:
    • For a router to be selected as a default router, the router’s lifetime should not be equal to “0”.
    • To enable default router selection, using router information contained in RAs, configure default router selection on that interface.

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#router-preference high
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 ra suppress
 ra interval 200
 managed-config-flag
 nd-reachable-time global
 router-lifetime 2000
 advertise mtu
 advertise hop-limit
 router-preference high
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#

4.1.60.2.14 unicast-solicited-advertisement

Enables unicasting of solicited RAs. This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
unicast-solicited-advertisement

Parameters
None

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#unicast-solicited-advertisement
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 ra suppress
 ra interval 200
 unicast-solicited-advertisement
 managed-config-flag
 nd-reachable-time global
 router-lifetime 2000
 advertise mtu
 advertise hop-limit
 router-preference high
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands
no
    Disables unicasting of solicited RAs
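
The ranges and cross-field rules documented for the RA policy commands above can be checked mechanically when reviewing a saved or templated policy. This is an added example, not part of WiNG: the function names are hypothetical, it assumes `show context` prints one statement per line, and it treats a router-lifetime of 0 as exempt from the three-times rule.

```python
import re

# Limits copied from the command descriptions in this section.
RANGES = {
    "ra interval": (3, 1800),               # seconds
    "router-lifetime": (0, 9000),           # seconds
    "nd-reachable-time": (5000, 3600000),   # milliseconds
    "ns-interval": (1000, 3600000),         # milliseconds
}
ENTRY_LIFETIME = (4, 3600)   # dns-server / domain-name lifetime, seconds
MAX_ENTRIES = 4              # dns-server and domain-name entries per policy
DEFAULTS = {"ra interval": 300, "router-lifetime": 1500}   # documented defaults


def parse_policy(text):
    """Return (policy name, list of statements) from one `show context` block."""
    name, statements = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ipv6-router-advertisement-policy "):
            name = line.split(None, 1)[1]
        else:
            statements.append(line)
    return name, statements


def lint_policy(text):
    """Return (policy name, findings) for one RA policy block."""
    name, statements = parse_policy(text)
    findings, values = [], dict(DEFAULTS)
    entries = {"dns-server": 0, "domain-name": 0}
    for stmt in statements:
        # Numeric settings; "global" values are not numeric and are skipped.
        for key, (low, high) in RANGES.items():
            match = re.fullmatch(re.escape(key) + r" (\d+)", stmt)
            if match:
                values[key] = int(match.group(1))
                if not low <= values[key] <= high:
                    findings.append(f"{key} {values[key]} is outside {low}-{high}")
        words = stmt.split()
        if words[0] in entries:
            entries[words[0]] += 1
            # "expired" and "infinite" lifetimes are keywords, not numbers.
            if len(words) == 4 and words[2] == "lifetime" and words[3].isdigit():
                low, high = ENTRY_LIFETIME
                if not low <= int(words[3]) <= high:
                    findings.append(
                        f"{words[0]} {words[1]} lifetime {words[3]} is outside {low}-{high}")
    for kind, count in entries.items():
        if count > MAX_ENTRIES:
            findings.append(f"{count} {kind} entries, maximum is {MAX_ENTRIES}")
    interval, lifetime = values["ra interval"], values["router-lifetime"]
    if lifetime != 0 and lifetime < 3 * interval:
        findings.append(
            f"router-lifetime {lifetime} is less than three times ra interval {interval}")
    if lifetime == 0 and any(s.startswith("router-preference ") for s in statements):
        findings.append("router-preference is set but router-lifetime is 0")
    if "ra suppress" in statements:
        findings.append("ra suppress is set: transmission of RAs is suppressed")
    return name, findings


# The final `show context` output from this section, one statement per line.
PAGE_EXAMPLE = """ipv6-router-advertisement-policy test
 ra suppress
 ra interval 200
 unicast-solicited-advertisement
 managed-config-flag
 nd-reachable-time global
 router-lifetime 2000
 advertise mtu
 advertise hop-limit
 router-preference high
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
"""

# Constructed sample that breaks several documented limits.
CONSTRUCTED_BAD = """ipv6-router-advertisement-policy branch
 ra interval 600
 router-lifetime 1200
 ns-interval 500
 dns-server 2001:db8::1 lifetime 7200
 dns-server 2001:db8::2
 dns-server 2001:db8::3
 dns-server 2001:db8::4
 dns-server 2001:db8::5
"""

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, CONSTRUCTED_BAD):
        policy, issues = lint_policy(sample)
        print(policy, issues)
```
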

4.1.61 l2tpv3

Configures a Layer 2 Tunnel Protocol Version 3 (L2TPv3) tunnel policy, used to create one or more L2TPv3 tunnels

The L2TPv3 policy defines the control and encapsulation protocols needed for tunneling layer 2 frames between two IP nodes. This policy enables creation of L2TPv3 tunnels for transporting Ethernet frames between bridge VLANs and physical GE ports. L2TPv3 tunnels can be created between any vendor devices supporting L2TPv3 protocol.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
l2tpv3 policy <L2TPV3-POLICY-NAME>

Parameters
• l2tpv3 policy <L2TPV3-POLICY-NAME>

l2tpv3 policy <L2TPV3-POLICY-NAME>
    Configures an L2TPv3 tunnel policy
    • <L2TPV3-POLICY-NAME> – Specify a policy name. The policy is created if it does not exist. To modify an existing L2TPv3 policy, specify its name.

Example
rfs6000-81742D(config)#l2tpv3 policy L2TPV3Policy1
rfs6000-81742D(config-l2tpv3-policy-L2TPV3Policy1)#?
L2tpv3 Policy Mode commands:
  cookie-size             Size of the cookie field present in each l2tpv3 data
                          message
  failover-delay          Time interval for re-establishing the tunnel after
                          the failover (RF-Domain
                          manager/VRRP-master/Cluster-master failover)
  force-l2-path-recovery  Enables force learning of servers, gateways etc.,
                          behind the l2tpv3 tunnel when the tunnel is
                          established
  hello-interval          Configure the time interval (in seconds) between
                          l2tpv3 Hello keep-alive messages exchanged in l2tpv3
                          control connection
  no                      Negate a command or set its defaults
  reconnect-attempts      Maximum number of attempts to reestablish the
                          tunnel.
  reconnect-interval      Time interval between the successive attempts to
                          reestablish the l2tpv3 tunnel
  retry-attempts          Configure the maximum number of retransmissions for
                          signaling message
  retry-interval          Time interval (in seconds) before the initiating a
                          retransmission of any l2tpv3 signaling message
  rx-window-size          Number of signaling messages that can be received
                          without sending the acknowledgement
  tx-window-size          Number of signaling messages that can be sent
                          without receiving the acknowledgement
  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal
rfs6000-81742D(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands
no
    Removes an existing L2TPv3 tunnel policy
mint-policy
    Configures the global MiNT policy

NOTE: For more information on the L2TPv3 tunnel configuration mode and commands, see Chapter 22, L2TPV3-POLICY.

4.1.62 mac

Configures MAC ACLs

Access lists define access permissions to the network using a set of rules. Each rule specifies an action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac access-list <MAC-ACL-NAME>

Parameters
• mac access-list <MAC-ACL-NAME>

access-list <MAC-ACL-NAME>
    Configures a MAC access control list
    • <MAC-ACL-NAME> – Specify the MAC ACL name. If the access control list does not exist, it is created.

Example
rfs6000-81742D(config)#mac access-list test
rfs6000-81742D(config-mac-acl-test)#?
MAC Extended ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-81742D(config-mac-acl-test)#

Related Commands
no
    Removes a MAC access control list

NOTE: For more information on MAC access control lists, see Chapter 11, ACCESS-LIST.

4.1.63 management-policy

Configures a management policy. Management policies include services that run on a device, welcome messages, banners, etc.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
management-policy <MANAGEMENT-POLICY-NAME>

Parameters
• management-policy <MANAGEMENT-POLICY-NAME>

<MANAGEMENT-POLICY-NAME>
    Specify the management policy name. If the policy does not exist, it is created.

Example
<DEVICE>(config)#management-policy test
<DEVICE>(config-management-policy-test)#?
Management Mode commands:
  aaa-login                Set authentication for logins
  allowed-locations        Add allowed locations
  banner                   Define a login banner
  ftp                      Enable FTP server
  http                     Hyper Text Terminal Protocol (HTTP)
  https                    Secure HTTP
  idle-session-timeout     Configure idle timeout for a configuration session
                           (GUI or CLI)
  ipv6                     IPv6 Protocol
  no                       Negate a command or set its defaults
  passwd-retry             Lockout user if too many consecutive login failures
  privilege-mode-password  Set the password for entering CLI privilege mode
  rest-server              Enable rest server for device on-boarding
                           functionality
  restrict-access          Restrict management access to the device
  snmp-server              SNMP
  ssh                      Enable ssh
  t5                       T5 configuration
  telnet                   Enable telnet
  user                     Add a user account
  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal
<DEVICE>(config-management-policy-test)#

Related Commands
no
    Removes an existing management policy

NOTE: For more information on Management policy configuration, see Chapter 15, MANAGEMENT-POLICY.

4.1.64 meshpoint

Creates a new meshpoint and enters its configuration mode. Use this command to select and configure existing meshpoints.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
meshpoint [<MESHPOINT-NAME>|containing <WORD>]

Parameters
• meshpoint [<MESHPOINT-NAME>|containing <WORD>]

<MESHPOINT-NAME>
    Specify the meshpoint name. If the meshpoint does not exist, it is created.
containing <WORD>
    Selects existing meshpoints containing the sub-string <WORD> in their names

Example
rfs6000-81742D(config)#meshpoint TestMeshpoint
rfs6000-81742D(config-meshpoint-TestMeshpoint)#?
Mesh Point Mode commands:
  allowed-vlans  Set the allowed VLANs
  beacon-format  The beacon format of this meshpoint
  control-vlan   VLAN for meshpoint control traffic
  data-rates     Specify the 802.11 rates to be supported on this meshpoint
  description    Configure a description of the usage of this meshpoint
  force          Force suboptimal paths
  meshid         Configure the Service Set Identifier for this meshpoint
  neighbor       Configure neighbor specific parameters
  no             Negate a command or set its defaults
  root           Set this meshpoint as root
  security-mode  The security mode of this meshpoint
  shutdown       Shutdown this meshpoint
  use            Set setting to use
  wpa2           Modify ccmp wpa2 related parameters
  clrscr         Clears the display screen
  commit         Commit all changes made in this session
  do             Run commands from Exec mode
  end            End current mode and change to EXEC mode
  exit           End current mode and down to previous mode
  help           Description of the interactive help system
  revert         Revert changes
  service        Service Commands
  show           Show running system information
  write          Write running configuration to memory or terminal
rfs6000-81742D(config-meshpoint-TestMeshpoint)#

Related Commands
no
    Removes an existing meshpoint

NOTE: For more information on Meshpoint configuration, see Chapter 26, MESHPOINT.

4.1.65 meshpoint-qos-policy

Configures a set of parameters that defines the meshpoint quality of service (QoS) policy

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>

Parameters

• meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>

<MESHPOINT-QOS-POLICY-NAME>    Specify the meshpoint QoS policy name. If the policy does not exist, it is created.

Example

rfs6000-81742D(config)#meshpoint-qos-policy TestMeshpointQoS
rfs6000-81742D(config-meshpoint-qos-TestMeshpointQoS)#?
Mesh Point QoS Mode commands:
  accelerated-multicast  Configure accelerated multicast streams address and
                         forwarding QoS classification
  no                     Negate a command or set its defaults
  rate-limit             Configure traffic rate-limiting parameters on a
                         per-meshpoint/per-neighbor basis
  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal
rfs6000-81742D(config-meshpoint-qos-TestMeshpointQoS)#

Related Commands

no    Removes an existing meshpoint QoS policy

NOTE: For more information on Meshpoint QoS policy configuration, see Chapter 26, MESHPOINT.

4.1.66 mint-policy

Configures the global MiNT policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

mint-policy global-default

Parameters

• mint-policy global-default

global-default    Configures the global default MiNT policy

Example

rfs6000-81742D(config)#mint-policy global-default
rfs6000-81742D(config-mint-policy-global-default)#?
Mint Policy Mode commands:
  level    Mint routing level
  lsp      LSP
  mtu      Configure the global Mint MTU
  no       Negate a command or set its defaults
  router   Mint router
  udp      Configure mint UDP/IP encapsulation
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-81742D(config-mint-policy-global-default)#

Related Commands

no    Removes an existing MiNT policy

NOTE: For more information on MiNT policy configuration, see Chapter 14, MINT-POLICY.

4.1.67 nac-list

A Network Access Control (NAC) policy configures a list of devices that can access a network based on their MAC addresses.

The following table lists NAC list configuration mode commands:

Table 4.39 NAC-List Config Command

Command                   Description                                             Reference
nac-list                  Creates a NAC list and enters its configuration mode    page 4-330
nac-list-mode commands    Summarizes NAC list configuration mode commands         page 4-331

4.1.67.1 nac-list

Configures a NAC list that manages access to the network

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

nac-list <NAC-LIST-NAME>

Parameters

• nac-list <NAC-LIST-NAME>

<NAC-LIST-NAME>    Specify the NAC list name. If the NAC list does not exist, it is created.

Example

rfs6000-81742D(config)#nac-list test
rfs6000-81742D(config-nac-list-test)#?
NAC List Mode commands:
  exclude  Specify MAC addresses to be excluded from the NAC enforcement list
  include  Specify MAC addresses to be included in the NAC enforcement list
  no       Negate a command or set its defaults
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-81742D(config-nac-list-test)#

Related Commands

no    Removes a NAC list

4.1.67.2 nac-list-mode commands

The following table summarizes NAC list configuration mode commands:

Table 4.40 NAC-List-Mode Commands

Command    Description                                                           Reference
exclude    Specifies the MAC addresses excluded from the NAC enforcement list    page 4-332
include    Specifies the MAC addresses included in the NAC enforcement list      page 4-333
no         Cancels an exclude or include NAC list rule                           page 4-334

4.1.67.2.1 exclude

Specifies the MAC addresses excluded from the NAC enforcement list

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

exclude <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

Parameters

• exclude <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

<START-MAC>
  Specifies a range of MAC addresses or a single MAC address to exclude from the NAC enforcement list
  • <START-MAC> – Specify the first MAC address in the range. Use this parameter to specify a single MAC address.
<END-MAC>
  Specifies the last MAC address in the range (optional if a single MAC is added to the list)
  • <END-MAC> – Specify the last MAC address in the range.
precedence <1-1000>
  Sets the rule precedence. Exclude entries are checked in the order of their rule precedence.
  • <1-1000> – Specify a value from 1 - 1000.

Example

rfs6000-81742D(config-nac-list-test)#exclude 00-40-96-B0-BA-2A precedence 1
rfs6000-81742D(config-nac-list-test)#show context
nac-list test
 exclude 00-40-96-B0-BA-2A 00-40-96-B0-BA-2A precedence 1
rfs6000-81742D(config-nac-list-test)#

4.1.67.2.2 include

Specifies the MAC addresses included in the NAC enforcement list

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

include <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

Parameters

• include <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

<START-MAC>
  Specifies a range of MAC addresses or a single MAC address to include in the NAC enforcement list
  • <START-MAC> – Specify the first MAC address in the range. Use this parameter to specify a single MAC address.
<END-MAC>
  Specifies the last MAC address in the range (optional if a single MAC is added to the list)
  • <END-MAC> – Specify the last MAC address in the range.
precedence <1-1000>
  Sets the rule precedence. Include entries are checked in the order of their rule precedence.
  • <1-1000> – Specify a value from 1 - 1000.

Example

rfs6000-81742D(config-nac-list-test)#include 00-15-70-38-06-49 precedence 2
rfs6000-81742D(config-nac-list-test)#show context
nac-list test
 exclude 00-04-96-B0-BA-2A 00-04-96-B0-BA-2A precedence 1
 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
rfs6000-81742D(config-nac-list-test)#

4.1.67.2.3 no

Cancels an exclude or include NAC list rule

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [exclude|include]
no [exclude|include] <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

Parameters

• no <PARAMETERS>

no <PARAMETERS>    Removes or reverts this NAC list’s settings based on the parameters passed

Example

The following example shows the NAC list ‘test’ settings before the ‘no’ command is executed:

rfs6000-81742D(config-nac-list-test)#show context
nac-list test
 exclude 00-04-96-B0-BA-2A 00-04-96-B0-BA-2A precedence 1
 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
rfs6000-81742D(config-nac-list-test)#
rfs6000-81742D(config-nac-list-test)#no exclude 00-40-96-B0-BA-2A precedence 1

The following example shows the NAC list ‘test’ settings after the ‘no’ command is executed:

rfs6000-81742D(config-nac-list-test)#show context
nac-list test
 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
rfs6000-81742D(config-nac-list-test)#

Related Commands

exclude    Specifies MAC addresses excluded from the NAC enforcement list
include    Specifies MAC addresses included in the NAC enforcement list
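
The exclude and include rules above are range-based and ordered by precedence, so an exclude range can silently take devices out of NAC enforcement that a later include was meant to cover. The following Python code is an added example, not part of the WiNG software or this guide: it parses NAC list 'show context' output in the format shown above, resolves a MAC address against the rules, and reports include/exclude rules whose ranges overlap. It assumes the lowest precedence number is checked first and the first matching rule decides (the guide only states that entries are checked in precedence order); the precedence 10 rule in the sample is constructed.

```python
"""Offline audit of a WiNG NAC list taken from 'show context' output."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")
# Rule line as printed by 'show context': action, start MAC, end MAC, precedence.
RULE_RE = re.compile(r"^\s*(exclude|include)\s+(\S+)\s+(\S+)\s+precedence\s+(\d+)\s*$")


@dataclass(frozen=True)
class Rule:
    action: str       # "exclude" or "include"
    start: int        # first MAC of the range, as a 48-bit integer
    end: int          # last MAC of the range (equals start for a single MAC)
    precedence: int   # 1-1000


def mac_to_int(mac: str) -> int:
    """Convert a hyphen-separated MAC (the notation used in this guide) to an int."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a hyphen-separated MAC address: {mac!r}")
    return int(mac.replace("-", ""), 16)


def parse_nac_list(text: str) -> List[Rule]:
    """Return the rules found in 'show context' text, sorted by precedence."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m is None:
            continue  # 'nac-list <name>' header, CLI prompts, blank lines
        action, start, end, precedence = m.groups()
        rule = Rule(action, mac_to_int(start), mac_to_int(end), int(precedence))
        if rule.start > rule.end:
            raise ValueError(f"range start is above range end: {line.strip()}")
        if not 1 <= rule.precedence <= 1000:
            raise ValueError(f"precedence outside 1-1000: {line.strip()}")
        rules.append(rule)
    return sorted(rules, key=lambda r: r.precedence)


def decide(rules: List[Rule], mac: str) -> Optional[Rule]:
    """Return the rule that decides for this MAC, or None if no rule matches.

    Assumption: lowest precedence number is checked first, first match wins.
    """
    value = mac_to_int(mac)
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.start <= value <= rule.end:
            return rule
    return None


def find_conflicts(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Return (winning, shadowed) pairs of include/exclude rules that overlap."""
    ordered = sorted(rules, key=lambda r: r.precedence)
    conflicts = []
    for i, winner in enumerate(ordered):
        for later in ordered[i + 1:]:
            overlap = winner.start <= later.end and later.start <= winner.end
            if overlap and winner.action != later.action:
                conflicts.append((winner, later))
    return conflicts


# The first two rules are the 'show context' output printed in this guide;
# the precedence 10 range rule is constructed for this example.
SAMPLE = """\
nac-list test
 exclude 00-04-96-B0-BA-2A 00-04-96-B0-BA-2A precedence 1
 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
 include 00-04-96-B0-BA-00 00-04-96-B0-BA-FF precedence 10
"""

if __name__ == "__main__":
    parsed = parse_nac_list(SAMPLE)
    for mac in ("00-04-96-B0-BA-2A", "00-04-96-B0-BA-2B", "00-AA-BB-CC-DD-EE"):
        hit = decide(parsed, mac)
        verdict = f"{hit.action} (precedence {hit.precedence})" if hit else "no rule matches"
        print(f"{mac} -> {verdict}")
    for winner, shadowed in find_conflicts(parsed):
        print(f"precedence {winner.precedence} {winner.action} overlaps "
              f"precedence {shadowed.precedence} {shadowed.action}")
```

Each reported pair marks addresses where the lower-numbered rule overrides the other, which is the place to look when a device is unexpectedly exempt from, or subject to, enforcement.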

4.1.68 no

Negates a command, or reverts configured settings to their default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [aaa-policy|aaa-tacacs-policy|alias|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|nx5500|nx75xx|nx9000|nx9600|application|application-group|application-policy|association-acl-policy|auto-provisioning-policy|bgp|bonjour-gw-discovery-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity|client-identity-group|crypto-cmp-policy|customize|database-policy|device|device-categorization|dhcp-server-policy|dhcpv6-server-policy|dns-whitelist|event-system-policy|ex3500|ex3500-management-policy|ex3500-qos-class-map-policy|ex3500-qos-policy-map|ex3524|ex3548|firewall-policy|global-association-list|guest-management|igmp-snoop-policy|inline-password-encryption|ip|ipv6|ipv6-router-advertisement-policy|l2tpv3|mac|management-policy|meshpoint|meshpoint-qos-policy|nac-list|nsight-policy|passpoint-policy|password-encryption|profile|radio-qos-policy|radius-group|radius-server-policy|radius-user-pool-policy|rf-domain|rfs4000|rfs6000|roaming-assist-policy|role-policy|route-map|routing-policy|rtl-server-policy|schedule-policy|t5|sensor-policy|smart-rf-policy|url-filter|url-list|vx9000|web-filter-policy|wips-policy|wlan|wlan-qos-policy|service]

no alias [address-range <ADDRESS-RANGE-ALIAS-NAME>|host <HOST-ALIAS-NAME>|network <NETWORK-ALIAS-NAME>|network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]|network-service <NETWORK-SERVICE-ALIAS-NAME>|number <NUMBER-ALIAS-NAME>|string <STRING-ALIAS-NAME>|vlan <VLAN-ALIAS-NAME>]

no [aaa-policy|aaa-tacacs-policy|application-policy|auto-provisioning-policy|auto-provisioning-policy|bonjour-gw-discovery-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|database-policy|captive-portal|crypto-cmp-policy|device-categorization|dhcp-server-policy|dhcpv6-server-policy|dns-whitelist|event-system-policy|ex3500|ex3500-management-policy|ex3500-qos-class-map-policy|ex3500-qos-policy|firewall-policy|global-association-list|guest-management|igmp-snoop-policy|inline-password-encryption|ip|ipv6|ipv6-router-advertisement-policy|l2tpv3|mac|management-policy|meshpoint|meshpoint-qos-policy|nac-list|nsight-policy|passpoint-policy|radio-qos-policy|radius-group|radius-server-policy|radius-user-pool-policy|roaming-assist-policy|role-policy|routing-policy|rtl-server-policy|schedule-policy|sensor-policy|smart-rf-policy|web-filter-policy|wips-policy|wlan-qos-policy] <POLICY-NAME>

no application <APPLICATION-NAME>

no application-group <APPLICATION-GROUP-NAME>

no [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|t5|nx5500|nx75xx|nx9000|nx9600|vx9000] <MAC>

no client-identity <CLIENT-IDENTITY-NAME>

no client-identity-group <CLIENT-IDENTITY-GROUP-NAME>

no device {containing <WORD>} {(filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|t5|nx5500|nx75xx|nx9000|nx9600|vx9000])}

no customize [hostname-column-width|show-wireless-client|show-wireless-client-stats|show-wireless-client-stats-rf|show-wireless-meshpoint|show-wireless-meshpoint-neighbor-stats|show-wireless-meshpoint-neighbor-stats-rf|show-wireless-radio|show-wireless-radio-stats|show-wireless-radio-stats-rf]

no password-encryption secret 2 <OLD-PASSPHRASE>

no profile {ap6521|ap6522|ap6532|ap71xx|ap7502|ap7522|ap7532|ap7562|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|containing|filter|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000} <PROFILE-NAME>

no wlan [<WLAN-NAME>|all|containing <WLAN-NAME-SUBSTRING>]

no service set [command-history|reboot-history|upgrade-history] {on <DEVICE-NAME>}

The following ‘no’ commands are specific to the RFS4000, RFS6000, and NX95XX platforms:

no t5 <T5-DEVICE-MAC>

The following ‘no’ commands are specific to the RFS4000, RFS6000, and NX95XX platforms:

no bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-list] <LIST-NAME>

The following ‘no’ commands are specific to the NX95XX series service platforms:

no route-map <ROUTE-MAP-NAME>

The following ‘no’ commands are specific to the AP6522, AP6532, AP7161, AP7502, AP7522, AP7532, AP8132, RFS4000, RFS6000 platforms:

no url-filter <URL-FILTER-NAME>
no url-list <URL-LIST-NAME>
no web-filter-name <WEB-FILTER-NAME>

The following ‘no’ command is specific to the VX9000 virtual machine platform:

no database-client-policy <POLICY-NAME>

Parameters

• no <PARAMETERS>

no <PARAMETERS>    Removes or resets settings, configurable in the global configuration mode, based on the parameters passed

Example

<DEVICE>(config)#no ?
  aaa-policy                          Delete a aaa policy
  aaa-tacacs-policy                   Delete a aaa tacacs policy
  alias                               Alias
  ap650                               Delete an AP650 access point
  ap6511                              Delete an AP6511 access point
  ap6521                              Delete an AP6521 access point
  ap6522                              Delete an AP6522 access point
  ap6532                              Delete an AP6532 access point
  ap6562                              Delete an AP6562 access point
  ap71xx                              Delete an AP7161 access point
  ap7502                              Delete an AP7502 access point
  ap7522                              Delete an AP7522 access point
  ap7532                              Delete an AP7532 access point
  ap7562                              Delete an AP7562 access point
  ap7602                              Delete an AP7602 access point
  ap7612                              Delete an AP7612 access point
  ap7622                              Delete an AP7622 access point
  ap7632                              Delete an AP7632 access point
  ap7662                              Delete an AP7662 access point
  ap81xx                              Delete an AP81XX access point
  ap82xx                              Delete an AP82XX access point
  ap8432                              Delete an AP8432 access point
  ap8533                              Delete an AP8533 access point
  application                         Delete an application
  application-group                   Delete an application-group
  application-policy                  Delete an application policy
  association-acl-policy              Delete an association-acl policy
  auto-provisioning-policy            Delete an auto-provisioning policy
  bgp                                 BGP Configuration
  bonjour-gw-discovery-policy         Disable Bonjour Gateway discovery policy
  bonjour-gw-forwarding-policy        Disable Bonjour Gateway Forwarding
                                      policy
  bonjour-gw-query-forwarding-policy  Disable Bonjour Gateway Query Forwarding
                                      policy
  captive-portal                      Delete a captive portal
  client-identity                     Client identity (DHCP Device
                                      Fingerprinting)
  client-identity-group               Client identity group (DHCP Fingerprint
                                      Database)
  crypto-cmp-policy                   CMP policy
  customize                           Restore the custom cli commands to
                                      default
  database-client-policy              Configure database policy
  database-policy                     Configure database policy
  device                              Delete multiple devices
  device-categorization               Delete  device categorization object
  dhcp-server-policy                  DHCP server policy
  dhcpv6-server-policy                DHCPv6 server related configuration
  dns-whitelist                       Delete a whitelist object
  event-system-policy                 Delete a event system policy
  ex3500                              EX3500 device
  ex3500-management-policy            Delete a ex3500 management policy
  ex3500-qos-class-map-policy         Delete a ex3500 qos class-map policy
  ex3500-qos-policy-map               Delete a ex3500 qos policy-map
  ex3524                              Delete an EX3524 wireless controller
  ex3548                              Delete an EX3548 wireless controller
  firewall-policy                     Configure firewall policy
  global-association-list             Delete a global association list
  guest-management                    Delete a guest management policy
  igmp-snoop-policy                   Remove device onboard igmp snoop policy
  inline-password-encryption          Disable storing encryption key in the
                                      startup configuration file
  ip                                  Internet Protocol (IP)
  ipv6                                Internet Protocol version 6 (IPv6)
  ipv6-router-advertisement-policy    IPv6 Router Advertisement related
                                      configuration
  l2tpv3                              Negate a command or set its defaults
  mac                                 MAC configuration
  management-policy                   Delete a management policy
  meshpoint                           Delete a meshpoint object
  meshpoint-qos-policy                Delete a mesh point QoS configuration
                                      policy
  nac-list                            Delete an network access control list
  nsight-policy                       Delete a nsight policy
  nx5500                              Delete an NX5500 wireless controller
  nx75xx                              Delete an NX75XX wireless controller
  nx9000                              Delete an NX9000 wireless controller
  passpoint-policy                    Delete a passpoint configuration policy
  password-encryption                 Disable password encryption in
                                      configuration
  profile                             Delete a profile and all its associated
                                      configuration
  radio-qos-policy                    Delete a radio QoS configuration policy
  radius-group                        Local radius server group configuration
  radius-server-policy                Remove device onboard radius policy
  radius-user-pool-policy             Configure Radius User Pool
  rf-domain                           Delete one or more RF-domains and all
                                      their associated configurations
  rfs4000                             Delete an RFS4000 wireless controller
  rfs6000                             Delete an RFS6000 wireless controller
  roaming-assist-policy               Delete a roaming-assist policy
  role-policy                         Role based firewall policy
  route-map                           Dynamic routing route map Configuration
  routing-policy                      Policy Based Routing Configuration
  rtl-server-policy                   Delete a rtl server policy
  schedule-policy                     Delete a schedule policy
  sensor-policy                       Delete a sensor policy
  smart-rf-policy                     Delete a smart-rf-policy
  t5                                  Delete an T5 wireless controller
  url-filter                          Delete a url filter
  url-list                            Delete a URL list
  vx9000                              Delete an VX9000 wireless controller
  web-filter-policy                   Delete a web filter policy
  wips-policy                         Delete a wips policy
  wlan                                Delete a wlan object
  wlan-qos-policy                     Delete a wireless lan QoS configuration
                                      policy
  service                             Service Commands
<DEVICE>(config)#

4.1.69 nsight-policy

The following table lists NSight policy configuration mode commands:

Table 4.41 NSight-Policy Config Command

Command                   Description                                                   Reference
nsight-policy             Creates an NSight policy and enters its configuration mode    page 4-340
nsight-policy commands    Summarizes NSight policy configuration mode commands          page 4-342

4.1.69.1 nsight-policy

Creates an NSight policy and enters its configuration mode

The NSight policy is an advanced management, analytics, reporting, and troubleshooting tool, which when created and applied at the RF Domain level allows the RF Domain manager to send statistics (polled from devices within the RF Domain) to the NOC. The NOC, when enabled as the NSight server, stores this data in a locally or externally hosted database. This large, complex data is collated and presented on an NSight Dashboard that can be launched from the NSight-enabled NOC. For large networks, enabling NSight removes the inadequacies of the existing data collection, presentation, and analytics framework. It simplifies network monitoring, troubleshooting, and reporting.

The NSight features include:
• Network statistic and event visualization - Simplified and unified network views based on defined user roles
• Custom dashboards - Live network health information in real-time to optimally assist network administrators
• Live troubleshooting tools - Packet capture, wireless debug logs, TCP/IP ping and traceroute
• Interactive floor maps with timeline views - Visualize and identify potential issues and problem areas
• Real-time trend analysis - Simplify network growth planning
• Exceptionally responsive interface - Any information the admin needs is three, or less, clicks away

The WiNG NSight implementation consists of the following components:
• An NSight server
• A database. This database consists of AP statistics gathered by RF Domain managers.
• An NSight UI portal
• An NSight client hosted on the RF Domain manager, which periodically gathers statistics from APs and forwards to the NSight server.
• Event history – Event details for all APs adopted by the NOC. These are events received by the Cfgd every 30 seconds and sent to the MART server. Each event consists of the RF Domain name, wireless client MAC if applicable, AP MAC, event mnemonic, event timestamp, and the event string itself.

Supported in the following platforms:
• Service Platforms — NX7500, NX9500, NX9510, NX9600, VX9000

Syntax

nsight-policy <NSIGHT-POLICY-NAME>

NOTE: NSight is a licensed feature, and can be enabled only on the application of an NSight license in the NSight server’s self mode.

Parameters

• nsight-policy <NSIGHT-POLICY-NAME>

<NSIGHT-POLICY-NAME>    Specify the NSight policy name. If the policy does not exist, it is created.

Example

nx9500-6C8809(config)#nsight-policy test
nx9500-6C8809(config-nsight-policy-test)#?
Nsight Policy Mode commands:
  enable              Enable this Nsight policy
  event-history-size  Size of the event history collection
  history-ttl         Time to live for historical data
  no                  Negate a command or set its defaults
  nsight-server       Enable Nsight server functionality
  server              Configure Nsight server
  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal
nx9500-6C8809(config-nsight-policy-test)#

Related Commands

no    Removes an existing NSight policy

4.1.69.2 nsight-policy commands

The following table summarizes NSight policy configuration mode commands:

Table 4.42 NSight-Policy-Config Mode Commands

Command               Description                                                                                                              Reference
enable                Enables this NSight policy                                                                                               page 4-343
event-history-size    Converts and sizes the NSight event history collection to a capped collection                                            page 4-344
history-ttl           Configures the time-to-live (TTL), in days, for historical data related to clients and devices                           page 4-345
nsight-server         Enables NSight server functionality and configures the SMTP report delivery settings                                     page 4-346
server                Configures the NSight server host. This configuration is used by the NSight client to identify the NSight server host.   page 4-348
no                    Removes this NSight policy’s settings                                                                                    page 4-349

4.1.69.2.1 enable

Enables this NSight policy. The default setting is enabled.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

enable

Parameters

None

Example

nx9510-6C8A5C(config-nsight-policy-test2)#enable

Related Commands

no    Disables this NSight policy

4.1.69.2.2 event-history-size

Converts and sizes the NSight event history collection to a capped collection. The conversion occurs when upgrading. Use this command to define the NSight event history collection’s size and prevent its unbounded growth. Note, resizing the collection results in the collection contents being dropped.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

event-history-size [high|low|medium]

Parameters

• event-history-size [high|low|medium]

event-history-size [high|low|medium]
  Defines the size of the NSight event history collection. The options are:
  • high – Sets the size at approximately 10 M events
  • low – Sets the size at approximately 500 K events. This is the default setting.
  • medium – Sets the size at approximately 5 M events

Example

nx9500-6C8809(config-nsight-policy-test)#event-history-size medium
nx9500-6C8809(config-nsight-policy-test)#show context
nsight-policy test
 event-history-size medium
nx9500-6C8809(config-nsight-policy-test)#

Related Commands

no    Reverts the NSight event history collection size to default (5 M)

4.1.69.2.3 history-ttl

Configures the time-to-live (TTL), in days, for historical data related to clients, devices, and guest users. This is the duration for which clients, devices, or guest user related data is retained in the NSight database.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

history-ttl [clients|devices|guest-clients]
history-ttl [clients|devices] <1-3650>
history-ttl guest-clients <8-48>

Parameters

• history-ttl [clients|devices] <1-3650>

history-ttl [clients|devices] <1-3650>
  Configures the TTL for historical data related to clients and devices
  • clients – Configures the TTL for wireless clients related historical data
  • devices – Configures the TTL for devices (adopted access points or site controllers) related historical data
  The following is common to both the ‘clients’ and ‘devices’ keywords:
  • <1-3650> – Specify a value from 1 - 3650 days. The default for both (clients and devices) is 180 days.

• history-ttl guest-clients <8-48>

history-ttl guest-clients <8-48>
  Configures the TTL for historical data related to clients and devices
  • guest-clients – Configures the TTL for guest-client related historical data
  • <8-48> – Specify a value from 8 - 48 hours. The default is 8 hours.

Example

nx9500-6C8809(config-nsight-policy-test)#history-ttl clients 250
nx9500-6C8809(config-nsight-policy-test)#show context
nsight-policy test
 history-ttl clients 250
nx9500-6C8809(config-nsight-policy-test)#

Related Commands

no    Reverts the NSight clients or devices TTL duration to default (180 days)
4.1.69.2.4 nsight-server

nsight-policy commands

Enables NSight server functionality and configures the SMTP report delivery settings.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
nsight-server {smtp-report-delivery|standalone}
nsight-server {smtp-report-delivery host <WORD> sender <EMAIL-ADD> [port <1-65535>|security [none|ssl|starttls]|username <USER-NAME> password [0|2|<WORD>]]}
nsight-server {standalone}

Parameters
• nsight-server {smtp-report-delivery host <WORD> sender <EMAIL-ADD> [port <1-65535>|security [none|ssl|starttls]|username <USER-NAME> password [0|2|<WORD>]]}

nsight-server
Enables NSight server functionality on the host using this NSight policy

smtp-report-delivery host <WORD>
Optional. Configures SMTP report delivery settings
• host <WORD> – Configures the SMTP server host
  • <WORD> – Specify the SMTP server host’s IP address or hostname.

sender <EMAIL-ADD>
Optional. Configures the SMTP sender’s e-mail address
• <EMAIL-ADD> – Specify the sender’s e-mail address.

port <1-65535>
Optional. Configures the SMTP server port
• <1-65535> – Specify the port from 1 - 65535.

security [none|ssl|starttls]
Optional. Configures the encryption protocol used by the SMTP server. The options are:
• none – Uses no encryption
• ssl – Uses SSL encryption
• starttls – Uses STARTTLS encryption

username <USER-NAME> password [0|2|<WORD>]
Optional. Configures the SMTP username
• <USER-NAME> – Specify the user name
• password [0|2|<WORD>] – Configures the password associated with the above configured user
  • 0 – Configures a clear text password
  • 2 – Configures an encrypted password
  • <WORD> – Enter the password.

• nsight-server {standalone}

nsight-server
Enables NSight server functionality on the host using this NSight policy

standalone
Optional. Configures NSight server as standalone. Use this option in the split NSight deployment scenario where the NSight server and database are hosted on separate hosts.

Example
nx9510-6C8A5C(config-nsight-policy-test2)#nsight-server
nx9510-6C8A5C(config-nsight-policy-test2)#show context
nsight-policy test2
 nsight-server
nx9510-6C8A5C(config-nsight-policy-test2)#

Related Commands
no – Disables NSight server functionality on this NSight policy
4.1.69.2.5 server

nsight-policy commands

Configures the NSight server host. This configuration is used by the NSight client to identify the NSight server host.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
server host [<IP>|<HOSTNAME>|<X:X::X:X>] {http|https}

Parameters
• server host [<IP>|<HOSTNAME>|<X:X::X:X>] {http|https}

server host [<IP>|<HOSTNAME>|<X:X::X:X>]
Configures the NSight server host’s address. Use one of the following options to identify the NSight server host:
• <IP> – Configures the NSight server’s IPv4 address
• <HOSTNAME> – Configures the NSight server’s hostname
• <X:X::X:X> – Configures the NSight server’s IPv6 address

{http|https}
Optional. Configures the protocol used to communicate with the NSight server
• http – Optional. Uses HTTP to communicate
• https – Optional. Uses HTTPS to communicate (this is the default setting)

Example
nx9510-6C8A5C(config-nsight-policy-test2)#server host 172.22.0.153 http
nx9510-6C8A5C(config-nsight-policy-test2)#show context
nsight-policy test2
 server host 172.22.0.153 http
 nsight-server
nx9510-6C8A5C(config-nsight-policy-test2)#

Related Commands
no – Removes NSight server host settings from this NSight policy
4.1.69.2.6 no

nsight-policy commands

Removes NSight policy settings

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
no [enable|event-history-size|history-ttl [clients|devices|guest-clients]|nsight-server {smtp-report-delivery}|server host [<IP>|<HOSTNAME>|<X:X::X:X>]]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
Removes NSight policy settings based on the parameters passed

Example
The following example shows the NSight policy ‘test2’ settings before the ‘no’ command is executed:
nx9510-6C8A5C(config-nsight-policy-test2)#show context
nsight-policy test2
 server host 172.22.0.153 http
 nsight-server
nx9510-6C8A5C(config-nsight-policy-test2)#
nx9510-6C8A5C(config-nsight-policy-test2)#no server host 172.22.0.153

The following example shows the NSight policy ‘test2’ settings after the ‘no’ command is executed:
nx9500-6C8809(config-nsight-policy-test2)#show context
nsight-policy test2
 nsight-server
nx9510-6C8A5C(config-nsight-policy-test2)#
4.1.70 passpoint-policy

Global Configuration Commands

Creates a new passpoint policy and enters its configuration mode

The passpoint policy implements the Hotspot 2.0 Wi-Fi Alliance standard, enabling interoperability between clients, infrastructure, and operators. It makes a portion of the IEEE 802.11u standard mandatory and adds Hotspot 2.0 extensions that allow clients to query a network before actually attempting to join it.

The passpoint policy allows a single or set of Hotspot 2.0 configurations to be global and referenced by the devices that use it. It is mapped to a WLAN. However, only primary WLANs on a BSSID will have their passpoint policy configuration used.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
passpoint-policy <POLICY-NAME>

Parameters
• passpoint-policy <POLICY-NAME>

passpoint-policy <POLICY-NAME>
Specify the passpoint policy name. If a passpoint policy does not exist, it is created.

Example
rfs4000-229D58(config)#passpoint-policy test
rfs4000-229D58(config-passpoint-policy-test)#?
Passpoint Policy Mode commands:
  3gpp                   Configure a 3gpp plmn (public land mobile network) id
  access-network-type    Set the access network type for the passpoint
  connection-capability  Configure the connection capability for the passpoint
  domain-name            Add a domain-name for the passpoint
  hessid                 Set a homogeneous ESSID value for the passpoint
  internet               Advertise the passopint having internet access
  ip-address-type        Configure the advertised ip-address-type
  nai-realm              Configure a NAI realm for the passpoint
  net-auth-type          Add a network authentication type to the passpoint
  no                     Negate a command or set its defaults
  operator               Add configuration related to the operator of the
                         passpoint
  osu                    Online signup
  roam-consortium        Add a roam consortium for the passpoint
  venue                  Set the venue parameters of the passpoint
  wan-metrics            Set the wan-metrics of the passpoint

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
no – Removes an existing passpoint policy

NOTE: For more information on passpoint policy, see Chapter 27, PASSPOINT POLICY.
4.1.71 password-encryption

Global Configuration Commands

Enables password encryption and configures the passphrase used to encrypt passwords. When enabled, passwords configured within the system are not displayed as clear text.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
password-encryption secret 2 <LINE>

Parameters
• password-encryption secret 2 <LINE>

secret 2 <LINE>
Encrypts passwords with a secret phrase
• 2 – Specifies the encryption type as either SHA256 or AES256
• <LINE> – Specify the encryption passphrase.

Example
nx9500-6C8809(config)#password-encryption secret 2 test@123

To confirm if password encryption is enabled, execute the following command:
nx9500-6C8809(config)#show password-encryption status
Password encryption is enabled
nx9500-6C8809(config)#

The following example shows the privilege-mode-password as encrypted text. Note, the digit ‘1’ preceding the password implies that displayed text is the encrypted password and not clear text.
nx9500-6C8809(config-management-policy-test)#show context include-factory | include privilege-mode-password
 privilege-mode-password 1 bc28e4d82bb11fa75a3c56346441d48f50f19c47184e2575a59a6a5d18e63925
nx9500-6C8809(config-management-policy-test)#

Related Commands
no – Disables password encryption
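The transport and credential options documented above for nsight-policy (server host http|https, SMTP security none|ssl|starttls, SMTP password 0|2) and the ‘1’ marker described under password-encryption can be checked offline against saved show context output. The Python audit below is an added example, not part of the Extreme Networks guide; both sample contexts are constructed from the Syntax lines above, and the rule names, mail.example.com, and the placeholder secrets are assumptions.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    line_no: int
    rule: str      # hypothetical rule identifier, not a WiNG term
    detail: str


# Constructed sample (not captured from a device), assembled from the Syntax
# lines of the 'server', 'nsight-server' and 'password-encryption' entries.
WEAK_CONTEXT = """\
nsight-policy test2
 server host 172.22.0.153 http
 nsight-server smtp-report-delivery host mail.example.com sender nsight@example.com security none username reports password 0 Example-Pass
management-policy test
 privilege-mode-password Example-Pass
"""

# Constructed counterpart using the stronger option of each keyword.
HARDENED_CONTEXT = """\
nsight-policy test2
 server host 172.22.0.153 https
 nsight-server smtp-report-delivery host mail.example.com sender nsight@example.com security starttls username reports password 2 PLACEHOLDER-ENCRYPTED
management-policy test
 privilege-mode-password 1 PLACEHOLDER-ENCRYPTED
"""

SERVER_RE = re.compile(r"^server host (\S+)(?:\s+(https?))?$")
SMTP_PREFIX = "nsight-server smtp-report-delivery"


def _value_after(tokens: List[str], keyword: str) -> Optional[str]:
    """Return the token following `keyword`, or None if it is absent."""
    if keyword in tokens:
        idx = tokens.index(keyword)
        if idx + 1 < len(tokens):
            return tokens[idx + 1]
    return None


def audit(context: str) -> List[Finding]:
    """Scan 'show context' text for the weak options named in the guide."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(context.splitlines(), start=1):
        line = raw.strip()
        tokens = line.split()

        # 'server host': https is the documented default, so only an
        # explicit 'http' keyword is reported.
        match = SERVER_RE.match(line)
        if match and match.group(2) == "http":
            findings.append(Finding(line_no, "nsight-server-http",
                                    f"NSight client reaches {match.group(1)} over HTTP"))

        if line.startswith(SMTP_PREFIX):
            security = _value_after(tokens, "security")
            if security == "none":
                findings.append(Finding(line_no, "smtp-security-none",
                                        "report delivery uses no encryption"))
            elif security is None:
                # The guide does not state the default; flag for manual review.
                findings.append(Finding(line_no, "smtp-security-unspecified",
                                        "no 'security' keyword; confirm the default on the device"))
            # 'password 2' is the only form the guide describes as encrypted.
            if "password" in tokens and _value_after(tokens, "password") != "2":
                findings.append(Finding(line_no, "smtp-password-not-encrypted",
                                        "SMTP password is not stored as type 2"))

        # Per the password-encryption entry, a leading '1' marks encrypted text.
        if tokens[:1] == ["privilege-mode-password"]:
            if not (len(tokens) == 3 and tokens[1] == "1"):
                findings.append(Finding(line_no, "privilege-password-not-encrypted",
                                        "privilege-mode-password lacks the '1' marker"))
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONTEXT):
        print(f"line {finding.line_no}: [{finding.rule}] {finding.detail}")
```
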
4.1.72 profile

Global Configuration Commands

Configures profile related commands. If no parameters are given, all profiles are selected.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
profile {anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|containing|filter|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000}
profile {anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000} <DEVICE-PROFILE-NAME>
profile {containing <DEVICE-PROFILE-NAME>} {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx75xx|nx9000|vx9000]}
profile {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000]}

Parameters
• profile {anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000} <DEVICE-PROFILE-NAME>

profile <DEVICE-TYPE> <DEVICE-PROFILE-NAME>
Configures device profile commands. If no device profile is specified, the system configures all device profiles.
• <DEVICE-TYPE> – Optional. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. After specifying the device type, specify the profile name.
  • <DEVICE-PROFILE-NAME> – Specify the profile name.
Select ‘anyap’ to configure a profile applicable to any access point.
The NX9600 profile option is only available on an NX9600 device.

• profile {containing <DEVICE-PROFILE-NAME>} {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000]}

profile
Configures device profile commands

containing <DEVICE-PROFILE-NAME>
Optional. Configures profiles that contain a specified sub-string in the hostname
• <DEVICE-PROFILE-NAME> – Specify a substring in the profile name to filter profiles.

filter type
Optional. An additional filter used to configure a specific type of device profile. If no device type is specified, the system configures all device profiles.
• type – Filters profiles by the device type. Select a device type from the following options: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000.
The NX9600 profile option is only available on an NX9600 device.

• profile {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000]}

profile
Configures device profile commands

filter type
Optional. An additional filter used to configure a specific type of device profile. If no device type is specified, the system configures all device profiles.
• type – Filters profiles by the device type. Select a device type from the following options: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000.
The NX9600 profile option is only available on an NX9600 device.

Example
<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#?
Profile Mode commands:
  adopter-auto-provisioning-policy-lookup  Use centralized auto-provisioning
                                           policy when adopted by another
                                           controller
  adoption                                 Adoption configuration
  alias                                    Alias
  application-policy                       Application Policy configuration
  area                                     Set name of area where the system
                                           is located
  arp                                      Address Resolution Protocol (ARP)
  auto-learn                               Auto learning
  autogen-uniqueid                         Autogenerate a unique id
  autoinstall                              Autoinstall settings
  bluetooth-detection                      Detect Bluetooth devices using the
                                           Bluetooth USB module - there will
                                           be interference on 2.4 Ghz radio in
                                           wlan mode
  bridge                                   Ethernet bridge
  captive-portal                           Captive portal
  cdp                                      Cisco Discovery Protocol
  cluster                                  Cluster configuration
  configuration-persistence                Enable persistence of configuration
                                           across reloads (startup config
                                           file)
  controller                               WLAN controller configuration
  critical-resource                        Critical Resource
  crypto                                   Encryption related commands
  database                                 Database command
  device-onboard                           Device-onboarding configuration
  device-upgrade                           Device firmware upgrade
  diag                                     Diagnosis of packets
  dot1x                                    802.1X
  dpi                                      Enable Deep-Packet-Inspection
                                           (Application Assurance)
  dscp-mapping                             Configure IP DSCP to 802.1p
                                           priority mapping for untagged
                                           frames
  eguest-server                            Enable EGuest Server functionality
  email-notification                       Email notification configuration
  enforce-version                          Check the firmware versions of
                                           devices before interoperating
  environmental-sensor                     Environmental Sensors Configuration
  events                                   System event messages
  export                                   Export a file
  file-sync                                File sync between controller and
                                           adoptees
  floor                                    Set the floor within a area where
                                           the system is located
  gre                                      GRE protocol
  http-analyze                             Specify HTTP-Analysis configuration
  interface                                Select an interface to configure
  ip                                       Internet Protocol (IP)
  ipv6                                     Internet Protocol version 6 (IPv6)
  l2tpv3                                   L2tpv3 protocol
  l3e-lite-table                           L3e lite Table
  led                                      Turn LEDs on/off on the device
  led-timeout                              Configure the time for the led to
                                           turn off after the last radio state
                                           change
  legacy-auto-downgrade                    Enable device firmware to auto
                                           downgrade when other legacy devices
                                           are detected
  legacy-auto-update                       Auto upgrade of legacy devices
  lldp                                     Link Layer Discovery Protocol
  load-balancing                           Configure load balancing parameter
  logging                                  Modify message logging facilities
  mac-address-table                        MAC Address Table
  mac-auth                                 802.1X
  management-server                        Configure management server address
  memory-profile                           Memory profile to be used on the
                                           device
  meshpoint-device                         Configure meshpoint device
                                           parameters
  meshpoint-monitor-interval               Configure meshpoint monitoring
                                           interval
  min-misconfiguration-recovery-time       Check controller connectivity after
                                           configuration is received
  mint                                     MiNT protocol
  misconfiguration-recovery-time           Check controller connectivity after
                                           configuration is received
  neighbor-inactivity-timeout              Configure neighbor inactivity
                                           timeout
  neighbor-info-interval                   Configure neighbor information
                                           exchange interval
  no                                       Negate a command or set its
                                           defaults
  noc                                      Configure the noc related setting
  nsight                                   NSight
  ntp                                      Ntp server WORD
  offline-duration                         Set duration for which a device
                                           remains unadopted before it
                                           generates offline event
  otls                                     Omnitrail Location Server
  power-config                             Configure power mode
  preferred-controller-group               Controller group this system will
                                           prefer for adoption
  preferred-tunnel-controller              Tunnel Controller Name this system
                                           will prefer for tunneling extended
                                           vlan traffic
  radius                                   Configure device-level radius
                                           authentication parameters
  raid                                     RAID
  remove-override                          Remove configuration item override
                                           from the device (so profile value
                                           takes effect)
  rf-domain-manager                        RF Domain Manager
  router                                   Dynamic routing
  slot                                     PCI expansion Slot
  spanning-tree                            Spanning tree
  traffic-class-mapping                    Configure IPv6 traffic class to
                                           802.1p priority mapping for
                                           untagged frames
  traffic-shape                            Traffic shaping
  trustpoint                               Assign a trustpoint to a service
  tunnel-controller                        Tunnel Controller group this
                                           controller belongs to
  use                                      Set setting to use
  vrrp                                     VRRP configuration
  vrrp-state-check                         Publish interface via OSPF/BGP only
                                           if the interface VRRP state is not
                                           BACKUP
  wep-shared-key-auth                      Enable support for 802.11 WEP
                                           shared key authentication
  zone                                     Configure Zone name

  clrscr                                   Clears the display screen
  commit                                   Commit all changes made in this
                                           session
  do                                       Run commands from Exec mode
  end                                      End current mode and change to EXEC
                                           mode
  exit                                     End current mode and down to
                                           previous mode
  help                                     Description of the interactive help
                                           system
  revert                                   Revert changes
  service                                  Service Commands
  show                                     Show running system information
  write                                    Write running configuration to
                                           memory or terminal

<DEVICE>(config-profile-<PROFILE-NAME>)#

Related Commands
no – Removes a profile and its associated configurations

NOTE: For more information on profiles and how to configure profiles, see Chapter 7, PROFILES.
4.1.73 radio-qos-policy

Global Configuration Commands

Configures a radio quality-of-service (QoS) policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
radio-qos-policy <RADIO-QOS-POLICY-NAME>

Parameters
• radio-qos-policy <RADIO-QOS-POLICY-NAME>

<RADIO-QOS-POLICY-NAME>
Specify the radio QoS policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#radio-qos-policy test
rfs6000-81742D(config-radio-qos-test)#?
Radio QoS Mode commands:
  accelerated-multicast  Configure multicast streams for acceleration
  admission-control      Configure admission-control on this radio for one or
                         more access categories
  no                     Negate a command or set its defaults
  smart-aggregation      Configure smart aggregation parameters
  wmm                    Configure 802.11e/Wireless MultiMedia parameters

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

rfs6000-81742D(config-radio-qos-test)#

Related Commands
no – Removes an existing Radio QoS policy

NOTE: For more information on radio qos policy, see Chapter 17, RADIO-QOS-POLICY.
4.1.74 radius-group

Global Configuration Commands

Configures RADIUS user group parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
radius-group <RADIUS-GROUP-NAME>

Parameters
• radius-group <RADIUS-GROUP-NAME>

<RADIUS-GROUP-NAME>
Specify a RADIUS user group name. The name should not exceed 64 characters. If the RADIUS user group does not exist, it is created.

Example
rfs6000-81742D(config)#radius-group testgroup
rfs6000-81742D(config-radius-group-testgroup)#?
Radius user group configuration commands:
  guest       Make this group a Guest group
  no          Negate a command or set its defaults
  policy      Radius group access policy configuration
  rate-limit  Set rate limit for group

  clrscr      Clears the display screen
  commit      Commit all changes made in this session
  do          Run commands from Exec mode
  end         End current mode and change to EXEC mode
  exit        End current mode and down to previous mode
  help        Description of the interactive help system
  revert      Revert changes
  service     Service Commands
  show        Show running system information
  write       Write running configuration to memory or terminal

rfs6000-81742D(config-radius-group-testgroup)#

Related Commands
no – Removes an existing RADIUS group

NOTE: For more information on RADIUS user group commands, see Chapter 16, RADIUS-POLICY.
4.1.75 radius-server-policy

Global Configuration Commands

Creates an onboard device RADIUS policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
radius-server-policy <RADIUS-SERVER-POLICY-NAME>

Parameters
• radius-server-policy <RADIUS-SERVER-POLICY-NAME>

<RADIUS-SERVER-POLICY-NAME>
Specify the RADIUS server policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#radius-server-policy testpolicy
rfs6000-81742D(config-radius-server-policy-testpolicy)#?
Radius Configuration commands:
  authentication           Radius authentication
  bypass                   Bypass Certificate Revocation List( CRL ) check
  chase-referral           Enable chasing referrals from LDAP server
  crl-check                Enable Certificate Revocation List( CRL ) check
  ldap-agent               LDAP Agent configuration parameters
  ldap-group-verification  Enable LDAP Group Verification setting
  ldap-server              LDAP server parameters
  local                    RADIUS local realm
  nas                      RADIUS client
  no                       Negate a command or set its defaults
  proxy                    RADIUS proxy server
  session-resumption       Enable session resumption/fast reauthentication by
                           using cached attributes
  termination              Enable Eap termination for proxy requests
  use                      Set setting to use

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal

rfs6000-81742D(config-radius-server-policy-testpolicy)#

Related Commands
no – Removes an existing RADIUS server policy

NOTE: For more information on RADIUS server policy commands, see Chapter 16, RADIUS-POLICY.
4.1.76 radius-user-pool-policy

Global Configuration Commands

Configures a RADIUS user pool

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
radius-user-pool-policy <RADIUS-USER-POOL-POLICY-NAME>

Parameters
• radius-user-pool-policy <RADIUS-USER-POOL-POLICY-NAME>

<RADIUS-USER-POOL-POLICY-NAME>
Specify the RADIUS user pool policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#radius-user-pool-policy testpool
rfs6000-81742D(config-radius-user-pool-testpool)#?
Radius User Pool Mode commands:
  duration  Set a guest user's access duration
  no       Negate a command or set its defaults
  user     Radius user configuration

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-81742D(config-radius-user-pool-testpool)#

Related Commands
no – Removes an existing RADIUS user pool

NOTE: For more information on RADIUS user group commands, see Chapter 16, RADIUS-POLICY.

4.1.77 rename

Renames an existing TLO

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rename tlo <TLO-NAME>

Parameters
• rename tlo <TLO-NAME> <NEW-TLO-NAME>

rename tlo <TLO-NAME> <NEW-TLO-NAME>
  Renames an existing TLO object
  • <TLO-NAME> – Specify the TLO’s name. This is the TLO that is to be renamed.
  • <NEW-TLO-NAME> – Specify the new name for this TLO.

Example
The following example shows the top level objects available for renaming. Enter rename and press Tab to list top level objects available for renaming.

nx9500-6C8809(config)#rename
aaa_policy                          aaa_tacacs_policy
address_range_alias                 aif_policy
ap300                               app_group
app_policy                          application
assoc_acl                           auto_provisioning_policy
bgp_as_path_list                    bgp_community_list
bgp_extcommunity_list               bgp_ip_access_list
bgp_ip_prefix_list                  bonjour_gw_discovery_policy
bonjour_gw_forwarding_policy        bonjour_gw_query_forwarding_policy
bridging_policy                     captive_portal
centro_policy                       client_identity
client_identity_group               content_cache_policy
content_filter_policy               crypto_cmp_policy
database_client_policy              database_policy
device_categorization               dhcp_server_policy
dhcpv6_server_policy                dns_whitelist
dr_route_map                        encrypted_string_alias
event_system_policy                 ex3500_ext_ip_acl
ex3500_management_policy            ex3500_qos_class_map_policy
ex3500_qos_policy_map               ex3500_std_ip_acl
ex3500_time_range                   firewall_policy
global_assoc_list                   guest_management
hashed_string_alias                 host_alias
ip_acl                              ip_snmp_acl
ipv6_acl                            ipv6_radv_policy
l2tpv3_policy                       mac_acl
management_policy                   meshpoint
meshpoint_qos                       mint_policy
mint_security_policy                nac_list
--More--
nx9500-6C8809(config)#

The following example first clones the existing IP access list BROADCAST-MULTICAST-CONTROL, and then renames the cloned IP access list:

nx9500-6C8809(config)#show context include-factory | include ip access-list
ip access-list BROADCAST-MULTICAST-CONTROL
nx9500-6C8809(config)#

nx9500-6C8809(config)#clone ip_acl BROADCAST-MULTICAST-CONTROL Test_IP_CLONED
nx9500-6C8809(config)#commit

nx9500-6C8809(config)#show context include-factory | include ip access-list
ip access-list BROADCAST-MULTICAST-CONTROL
ip access-list Test_IP_CLONED
nx9500-6C8809(config)#

rfs4000-229D58(config)#rename ip_acl TestIP_CLONED TestIP_RENAMED
rfs4000-229D58(config)#commit

nx9500-6C8809(config)#rename ip_acl Test_IP_CLONED Test_IP_RENAMED
nx9500-6C8809(config)#

nx9500-6C8809(config)#show context include-factory | include ip access-list
ip access-list BROADCAST-MULTICAST-CONTROL
ip access-list Test_IP_RENAMED
nx9500-6C8809(config)#

Related Commands
clone    Creates a replica of an existing TLO or device

4.1.78 replace

Selects an existing device by its MAC address or hostname and replaces it with a new device having a different MAC address. Internally, a new device is created with the new MAC address. The old device’s configuration is copied to the new device, and then removed from the controller’s configuration (i.e., the old device’s configuration is no longer staged on the controller).

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
replace device [<MAC-ADDRESS>|<HOSTNAME>] <NEW-MAC-ADDRESS>

Parameters
• replace device [<MAC-ADDRESS>|<HOSTNAME>] <NEW-MAC-ADDRESS>

replace device
  Replaces an existing device with a new device, such that the old device’s configuration is copied on to the new device

[<MAC-ADDRESS>|<HOSTNAME>]
  Identifies the device to replace by its MAC address or hostname
  • <MAC-ADDRESS> – Identifies the device to replace by its MAC address. Specify the device’s existing MAC address.
  • <HOSTNAME> – Identifies the device to replace by its hostname. Specify the device’s hostname.

<NEW-MAC-ADDRESS>
  Specifies the new device’s MAC address

Both the new and old devices should be of the same model type.

Example
rfs4000-882A17(config)#replace device ap7131-4BF364 ?
  AA-BB-CC-DD-EE-FF  New device MAC address

rfs4000-882A17(config)#replace device ap7131-4BF364 00-15-0F-BB-98-30

The following example shows an existing AP7502 (MAC: DD-AA-BB-88-12-43) configuration staged on a VX9000 controller:

VX9000-NOC-DE9D(config-device-DD-AA-BB-88-12-43)#show context
ap7502 DD-AA-BB-88-12-43
 use profile default-ap7502
 use rf-domain default
 hostname ap7502-881243
 interface radio1
  wlan theMOZART bss 1 primary
 interface radio2
  wlan theMOZART bss 1 primary
 interface ge1
  switchport mode access
  switchport access vlan 1
 controller host 12.12.12.2
VX9000-NOC-DE9D(config-device-DD-AA-BB-88-12-43)#

The following example shows AP7502 (MAC: DD-AA-BB-88-12-43) replaced by another AP7502 having MAC address 11-22-33-44-55-66:

VX9000-NOC-DE9D(config)#replace device DD-AA-BB-88-12-43 11-22-33-44-55-66
VX9000-NOC-DE9D(config)#ap7502 11-22-33-44-55-66
VX9000-NOC-DE9D(config-device-11-22-33-44-55-66)#show context
ap7502 11-22-33-44-55-66
 use profile default-ap7502
 use rf-domain default
 hostname ap7502-881243
 interface radio1
  wlan theMOZART bss 1 primary
 interface radio2
  wlan theMOZART bss 1 primary
 interface ge1
  switchport mode access
  switchport access vlan 1
 controller host 12.12.12.2
VX9000-NOC-DE9D(config-device-11-22-33-44-55-66)#

Note that the new AP7502 device has the same configuration as the old AP7502 device. The HOSTNAME remains the same. Consequently, objects that refer to this particular hostname need not be updated. For example, a hostname alias identifying this particular device, and TLOs using this alias, such as IP/MAC ACLs, remain unchanged.

4.1.79 rf-domain

An RF Domain groups devices that can logically belong to one network.

The following table lists the RF Domain configuration mode commands:

Table 4.43 RF-Domain Config Commands

Command                  Description
rf-domain                Creates a RF Domain policy and enters its configuration mode
rf-domain-mode commands  Invokes RF Domain configuration mode commands

4.1.79.1 rf-domain

Creates an RF Domain or enters the RF Domain configuration context for one or more RF Domains. If the RF Domain does not exist, it is created.

The configuration of controllers (wireless controllers, service platforms, and access points) comprises RF Domains that define regulatory, location, and other relevant policies. At least one default RF Domain is assigned to each controller. RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as a floor, building, or site. Each RF Domain contains policies that set the Smart RF or WIPS configuration.

RF Domains also enable administrators to override WLAN SSID name and VLAN assignments. This enables the deployment of a global WLAN across multiple sites and unique SSID name or VLAN assignments to groups of access points servicing the global WLAN. This WLAN override eliminates the need to define and manage a large number of individual WLANs and profiles.

A controller’s configuration contains:
• A default RF Domain - Each controller utilizes a default RF Domain. Access Points are assigned to this default RF Domain as they are discovered by the controller. A default RF Domain can be used for single-site and multi-site deployments.
  • Single-site deployment – The default RF Domain can be used for single site deployments, where regional, regulatory, and RF policies are common between devices.
  • Multi-site deployment – A default RF Domain can omit configuration parameters to prohibit regulatory configuration from automatically being inherited by devices as they are discovered. This is desirable in multi-site deployments with devices spanning multiple countries. Omitting specific configuration parameters eliminates the risk of an incorrect country code being automatically assigned to a device.
• A user-defined RF Domain - Created by administrators. A user-defined RF Domain can be assigned to multiple devices manually or automatically.
  • Manually assigned – Use the CLI or UI to manually assign a user-defined RF Domain to controllers and service platforms.
  • Automatically assigned – Use an AP provisioning policy to automatically assign specific RF Domains to access points based on the access point’s model, serial number, VLAN, DHCP option, and IP address or MAC address. Automatic RF Domain assignments are useful in large deployments, as they enable plug-n-play access point deployments by automatically applying RF Domains to remote access points. For more information on auto provisioning policy, see AUTO-PROVISIONING-POLICY.

Configure and deploy user-defined RF Domains for single or multiple sites where devices require unique regulatory and regional configurations, or unique Smart RF and WIPS policies. User-defined RF Domains can be used to:
• Assign unique Smart RF or WIPS policies to access points deployed on different floors or buildings within a site.
• Assign unique regional or regulatory configurations to devices deployed in different states or countries.
• Assign unique WLAN SSIDs and/or VLAN IDs to sites assigned a common WLAN without having to define individual WLANs for each site.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rf-domain {<RF-DOMAIN-NAME>|containing <RF-DOMAIN-NAME>}

Parameters
• rf-domain {<RF-DOMAIN-NAME>|containing <RF-DOMAIN-NAME>}

rf-domain
  Creates a new RF Domain or enters its configuration context

<RF-DOMAIN-NAME>
  Optional. Specify the RF Domain name (should not exceed 32 characters and should represent the intended purpose). Once created, the name cannot be edited.

containing <RF-DOMAIN-NAME>
  Optional. Identifies an existing RF Domain that contains a specified sub-string in the domain name
  • <RF-DOMAIN-NAME> – Specify a sub-string of the RF Domain name.

Example
rfs6000-81742D(config)#rf-domain rfs6000
rfs6000-81742D(config-rf-domain-rfs6000)#?
RF Domain Mode commands:
  alias               Alias
  channel-list        Configure channel list to be advertised to wireless
                      clients
  contact             Configure the contact
  control-vlan        VLAN for control traffic on this RF Domain
  controller-managed  RF Domain manager for this domain will be an adopting
                      controller
  country-code        Configure the country of operation
  geo-coordinates     Configure geo coordinates for this device
  layout              Configure layout
  location            Configure the location
  location-server     LSENSE server configuration
  mac-name            Configure MAC address to name mappings
  no                  Negate a command or set its defaults
  nsight-sensor       Enable sensor for Nsight
  override-smartrf    Configured RF Domain level overrides for smart-rf
  override-wlan       Configure RF Domain level overrides for wlan
  sensor-server       AirDefense sensor server configuration
  stats               Configure the stats related setting
  timezone            Configure the timezone
  tree-node           Configure tree node under which this rf-domain appears
  use                 Set setting to use

  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  do                  Run commands from Exec mode
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal

rfs6000-81742D(config-rf-domain-rfs6000)#

4.1.79.2 rf-domain-mode commands

This section describes the default commands under RF Domain.

The following table summarizes RF Domain configuration commands:

Table 4.44 RF-Domain-Mode Commands

Command             Description
alias               Creates various types of aliases, such as network, VLAN, network-group, network-service, encrypted-string, hashed-string, etc. at the RF Domain level
channel-list        Configures the channel list advertised by radios
contact             Configures network administrator’s contact information (needed in case of any problems impacting the RF Domain)
control-vlan        Configures VLAN for traffic control on a RF Domain
controller-managed  Configures the adopting controller or service platform as this RF Domain’s manager
country-code        Configures the country of operation
geo-coordinates     Configures the longitude and latitude of the RF Domain in order to fix its exact geographical location on a map
layout              Configures layout information
location            Configures the physical location of a RF Domain
location-server     Configures an LSENSE server on the selected RF Domain. This command is supported only on the NX95XX series service platforms.
mac-name            Maps MAC addresses to names
no                  Negates a command or reverts configured settings to their default
override-smart-rf   Configures RF Domain level overrides for Smart RF
override-wlan       Configures RF Domain level overrides for a WLAN
sensor-server       Configures an AirDefense sensor server on this RF Domain
stats               Configures stats related settings on this RF Domain. These settings define how RF Domain statistics are updated.
timezone            Configures a RF Domain’s geographic time zone
tree-node           Configures the hierarchical (tree-node) structure under which this RF Domain appears
use                 Enables the use of a specified Smart RF and/or WIPS policy

4.1.79.2.1 alias

Configures network, VLAN, host, string, network-service, etc. aliases at the RF Domain level

For information on aliases, see alias.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
alias [address-range|encrypted-string|hashed-string|host|network|network-group|network-service|number|string|vlan]
alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
alias hashed-string <HASHED-STRING-ALIAS-NAME> 1 <LINE>
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
alias host <HOST-ALIAS-NAME> <HOST-IP>
alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
alias string <STRING-ALIAS-NAME> <LINE>
alias vlan <VLAN-ALIAS-NAME> <1-4094>

Parameters
• alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

address-range <ADDRESS-RANGE-ALIAS-NAME>
  Creates a new address-range alias for this RF Domain. Or associates an existing address-range alias with this RF Domain. An address-range alias maps a name to a range of IP addresses.
  • <ADDRESS-RANGE-ALIAS-NAME> – Specify the address range alias name.
  Alias name should begin with ‘$’.

<STARTING-IP> to <ENDING-IP>
  Associates a range of IP addresses with this address range alias
  • <STARTING-IP> – Specify the first IP address in the range.
  • to <ENDING-IP> – Specify the last IP address in the range.
  Aliases defined at any given level can be overridden at the next lower level. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

• alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

encrypted-string <ENCRYPTED-STRING-ALIAS-NAME>
  Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when "password-encryption" is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server.
  • <ENCRYPTED-STRING-ALIAS-NAME> – Specify the encrypted-string alias name.
  Alias name should begin with ‘$’.

[0|2] <LINE>
  Configures the value associated with the alias name specified in the previous step
  • [0|2] <LINE> – Configures the alias value
  Note, if password-encryption is enabled, in the show > running-config output, this clear text is displayed as an encrypted string, as shown below:

  nx9500-6C8809(config)#show running-config
  !
  ...............................
  alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//
  !
  --More--
  nx9500-6C8809

  In the above output, the ‘2’ displayed before the encrypted-string alias value indicates that the displayed text is encrypted and not a clear text.
  However, if password-encryption is disabled the clear text is displayed as is:

  nx9500-6C8809(config)#show running-config
  !
  ...............................
  !
  alias encrypted-string $enString 0 test11223344
  !
  --More--
  nx9500-6C8809

  For more information on enabling password-encryption, see password-encryption.

• alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

hashed-string <HASHED-STRING-ALIAS-NAME>
  Creates an alias for a hashed string. Use this alias for configuration values that are hashed string, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see privilege-mode-password.
  • <HASHED-STRING-ALIAS-NAME> – Specify the hashed-string alias name.
  Alias name should begin with ‘$’.

<LINE>
  Configures the hashed-string value associated with this alias.

  nx9500-6C8809(config)#show running-config
  !
  alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv
  !
  alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
  --More--
  nx9500-6C8809

  In the above show > running-config output, the ‘1’ displayed before the hashed-string alias value indicates that the displayed text is hashed and not a clear text.

• alias host <HOST-ALIAS-NAME> <HOST-IP>

host <HOST-ALIAS-NAME>
  Creates a host alias for this RF Domain. Or associates an existing host alias with this RF Domain. A host alias maps a name to a single network host.
  • <HOST-ALIAS-NAME> – Specify the host alias name.
  Alias name should begin with ‘$’.

<HOST-IP>
  Associates the network host’s IP address with this host alias
  • <HOST-IP> – Specify the network host’s IP address.
  Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

• alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

network <NETWORK-ALIAS-NAME>
  Creates a network alias for this RF Domain. Or associates an existing network alias with this RF Domain. A network alias maps a name to a single network address.
  • <NETWORK-ALIAS-NAME> – Specify the network alias name.
  Alias name should begin with ‘$’.

<NETWORK-ADDRESS/MASK>
  Associates a single network with this network alias
  • <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
  Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

• alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]

network-group <NETWORK-GROUP-ALIAS-NAME>
  Creates a network-group alias for this RF Domain. Or associates an existing network-group alias with this RF Domain.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name.
  Alias name should begin with ‘$’.
  After specifying the name, specify the following: a range of IP addresses, host addresses, or a range of network addresses.
  Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}
  Associates a range of IP addresses with this network-group alias
  • <STARTING-IP> – Specify the first IP address in the range.
  • to <ENDING-IP> – Specify the last IP address in the range.
  • <STARTING-IP> to <ENDING-IP> – Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured.

host <HOST-IP> {<HOST-IP>}
  Associates a single or multiple hosts with this network-group alias
  • <HOST-IP> – Specify the hosts’ IP address.
  • <HOST-IP> – Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured.

network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}
  Associates a single or multiple networks with this network-group alias
  • <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
  • <NETWORK-ADDRESS/MASK> – Optional. Specifies more than one network. A maximum of eight (8) networks can be configured.

• alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}

alias network-service <NETWORK-SERVICE-ALIAS-NAME>
  Creates a network-service alias for this RF Domain. Or associates an existing network-service alias with this RF Domain. A network-service alias maps a name to network services and the corresponding source and destination software ports.
  • <NETWORK-SERVICE-ALIAS-NAME> – Specify a network-service alias name.
  Alias name should begin with ‘$’.
  Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp]
  Use one of the following options to associate an Internet protocol with this network-service alias:
  • <0-254> – Identifies the protocol by its number. Specify the protocol number from 0 - 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of IPv6 header. For example, the User Datagram Protocol’s (UDP) designated number is 17.
  • <WORD> – Identifies the protocol by its name. Specify the protocol name.
  • eigrp – Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The protocol number is 88.
  • gre – Selects Generic Routing Encapsulation (GRE). The protocol number is 47.
  • igmp – Selects Internet Group Management Protocol (IGMP). The protocol number is 2.
  • igp – Selects Interior Gateway Protocol (IGP). The protocol number is 9.
  • ospf – Selects Open Shortest Path First (OSPF). The protocol number is 89.
  • vrrp – Selects Virtual Router Redundancy Protocol (VRRP). The protocol number is 112.

{(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
  After specifying the protocol, you may configure a destination port for this service. These keywords are recursive and you can configure multiple protocols and associate multiple destination and source ports.
  • <1-65535> – Optional. Configures a destination port number from 1 - 65535
  • <WORD> – Optional. Identifies the destination port by the service name provided. For example, the secure shell (SSH) service uses TCP port 22.
  • bgp – Optional. Configures the default Border Gateway Protocol (BGP) services port (179)
  • dns – Optional. Configures the default Domain Name System (DNS) services port (53)
  • ftp – Optional. Configures the default File Transfer Protocol (FTP) control services port (21)
  • ftp-data – Optional. Configures the default FTP data services port (20)
  • gopher – Optional. Configures the default gopher services port (70)
  • https – Optional. Configures the default HTTPS services port (443)
  • ldap – Optional. Configures the default Lightweight Directory Access Protocol (LDAP) services port (389)
  • nntp – Optional. Configures the default Newsgroup (NNTP) services port (119)
  • ntp – Optional. Configures the default Network Time Protocol (NTP) services port (123)
  • pop3 – Optional. Configures the default Post Office Protocol (POP3) services port (110)
  • proto – Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step.
  • sip – Optional. Configures the default Session Initiation Protocol (SIP) services port (5060)
  • smtp – Optional. Configures the default Simple Mail Transfer Protocol (SMTP) services port (25)
  • sourceport [<1-65535>|<WORD>] – Optional. After specifying the destination port, you may specify a single or range of source ports.
    • <1-65535> – Specify the source port from 1 - 65535.
    • <WORD> – Specify the source port range, for example 1-10.
  • ssh – Optional. Configures the default SSH services port (22)
  • telnet – Optional. Configures the default Telnet services port (23)
  • tftp – Optional. Configures the default Trivial File Transfer Protocol (TFTP) services port (69)
  • www – Optional. Configures the default HTTP services port (80)

• alias number <NUMBER-ALIAS-NAME> <0-4294967295>

alias number <NUMBER-ALIAS-NAME> <0-4294967295>
  Creates a new number alias or applies an existing number, identified by the <NUMBER-ALIAS-NAME> keyword,
  • <NUMBER-ALIAS-NAME> – Specify the number alias name.
  • <0-4294967295> – Specify the number, from 0 - 4294967295, assigned to the number alias created.
  Number aliases map a name to a numeric value. For example, ‘alias number $NUMBER 100’.
  • The number alias name is: $NUMBER
  • The value assigned is: 100
  The value referenced by alias $NUMBER, wherever used, is 100.

• alias string <STRING-ALIAS-NAME> <LINE>

alias string <STRING-ALIAS-NAME>
  Creates a string alias for this RF Domain. Or associates an existing string alias with this RF Domain. String aliases map a name to an arbitrary string value. For example, ‘alias string $DOMAIN test.example_company.com’. In this example, the string alias name is: $DOMAIN and the string value it is mapped to is: test.example_company.com. In this example, the string alias refers to a domain name.
  • <STRING-ALIAS-NAME> – Specify the string alias name.
  • <LINE> – Specify the string value.
  Alias name should begin with ‘$’.
  Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

• alias vlan <VLAN-ALIAS-NAME> <1-4094>

alias vlan <VLAN-ALIAS-NAME>
  Creates a VLAN alias for this RF Domain. Or associates an existing VLAN alias with this RF Domain. A VLAN alias maps a name to a VLAN ID.
  • <VLAN-ALIAS-NAME> – Specify the VLAN alias name.
  Alias name should begin with ‘$’.

<1-4094>
  Maps the VLAN alias to a VLAN ID
  • <1-4094> – Specify the VLAN ID from 1 - 4094.
  Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

Example
rfs4000-229D58(config)#show context
!
! Configuration of RFS4000 version 5.9.1.0-008B
!
!
version 2.5
!
!
alias network-group $TestNetGrpAlias network 192.168.13.0/24 192.168.16.0/24
alias network-group $TestNetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25
!
alias network $TestNetworkAlias 192.168.13.0/24
!
alias host $TestHostAlias 192.168.13.10
!
alias address-range $TestAddRanAlias 192.168.13.10 to 192.168.13.13
!
alias network-service $NetworkServAlias proto udp
!
alias network-service $kerberos proto tcp 749 750 80 proto udp 68 sourceport 67
!
alias vlan $TestVLANAlias 1
--More--
rfs4000-229D58(config)#

In the following examples, the global aliases ‘$kerberos’ and ‘$TestVLANAlias’ are associated with the RF Domain ‘test’ and overrides applied:

rfs4000-229D58(config-rf-domain-test)#alias network-service $kerberos proto tcp 749 750 80
rfs4000-229D58(config-rf-domain-test)#alias vlan $TestVLANAlias 10
rfs4000-229D58(config-rf-domain-test)#show context
rf-domain test
 no country-code
 alias network-service $kerberos proto tcp 749 750 80
 alias vlan $TestVLANAlias 10
rfs4000-229D58(config-rf-domain-test)#

nx9500-6C8809(config-rf-domain-test)#alias string $test example_company.com
nx9500-6C8809(config-rf-domain-test)#show context
rf-domain test
 no country-code
 alias string $test example_company.com
nx9500-6C8809(config-rf-domain-test)#

Example 1:
In the following examples, the network-group alias ‘$test’ is configured to include hosts 192.168.1.10 and 192.168.1.11, networks 192.168.2.0/24 and 192.168.3.0/24 and address-range 192.168.4.10 to 192.168.4.20.

rfs4000-229D58(config)#alias network-group $test host 192.168.1.10 192.168.1.11
rfs4000-229D58(config)#alias network-group $test network 192.168.2.0/24 192.168.3.0/24
rfs4000-229D58(config)#alias network-group $test address-range 192.168.4.10 to 192.168.4.20

Associate this network-group alias ‘$test’ to the RF Domain ‘test’ and override the ‘host’ element of the alias.

rfs4000-229D58(config-rf-domain-test)#alias network-group $test host 192.168.10.10
rfs4000-229D58(config-rf-domain-test)#show context
rf-domain test
 no country-code
 alias network-service $kerberos proto tcp 749 750 80
 alias network-group $test host 192.168.10.10
 alias network-group $test network 192.168.2.0/24 192.168.3.0/24
 alias network-group $test address-range 192.168.4.10 to 192.168.4.20
 alias vlan $TestVLANAlias 10
rfs4000-229D58(config-rf-domain-test)#

In the preceding example, the ‘host’ element of the network-group alias ‘$test’ has been overridden. But the ‘network’ and ‘address-range’ elements have been retained as is.

Related Commands
no    Removes a network, network-group, network-service, VLAN, or string alias from this RF Domain
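
The type markers described above for encrypted-string and hashed-string aliases (0 for clear text, 2 for encrypted, 1 for hashed) can be checked mechanically in saved show running-config output, including overrides made inside an RF Domain. The following Python audit is an added example, not part of this guide or of Extreme Networks code; the sample configuration, its alias names and values, and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `show running-config` output.
# Alias names and values are made up for this example.
SAMPLE_CONFIG = """\
!
alias encrypted-string $SnmpRO 2 Q09OU1RSVUNURUQtVkFMVUU=
!
alias encrypted-string $SnmpRW 0 constructed-cleartext
!
alias hashed-string $PriMode 1 00112233445566778899aabbccddeeff
!
alias string $DOMAIN test.example_company.com
!
rf-domain test
 no country-code
 alias encrypted-string $SnmpRO 0 constructed-override
 alias hashed-string PriMode 1 00112233445566778899aabbccddeeff
!
"""

# Type markers as this guide describes them in show running-config output.
MARKERS = {
    "encrypted-string": {"0": "cleartext", "2": "encrypted"},
    "hashed-string": {"1": "hashed"},
}

# Only kind, name and marker are captured; the secret value is never kept.
ALIAS_RE = re.compile(
    r"^(?P<indent>\s*)alias\s+(?P<kind>encrypted-string|hashed-string)"
    r"\s+(?P<name>\S+)\s+(?P<marker>\S+)"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    context: str   # "global" or the enclosing block, e.g. "rf-domain test"
    kind: str
    name: str
    state: str     # cleartext | encrypted | hashed | unknown-marker
    issues: tuple


def audit_aliases(config_text):
    """Return one Finding per encrypted-string / hashed-string alias line."""
    findings = []
    context = "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("!"):
            context = "global"        # an unindented '!' closes the block
            continue
        match = ALIAS_RE.match(line)
        if match is None:
            # An unindented non-alias line opens a new configuration block.
            if not line[0].isspace() and not line.startswith("alias "):
                context = line
            continue
        kind, name = match["kind"], match["name"]
        state = MARKERS[kind].get(match["marker"], "unknown-marker")
        issues = []
        if state == "cleartext":
            issues.append("value is stored and displayed in clear text")
        if state == "unknown-marker":
            issues.append("type marker missing or not recognised")
        if not name.startswith("$"):
            issues.append("alias name does not begin with '$'")
        where = context if match["indent"] else "global"
        findings.append(Finding(line_no, where, kind, name, state, tuple(issues)))
    return findings


def flagged(findings):
    """Findings that need attention."""
    return [f for f in findings if f.issues]


def render(finding):
    """One report line; by construction it cannot contain the alias value."""
    detail = "; ".join(finding.issues) or "ok"
    return (f"line {finding.line_no} [{finding.context}] "
            f"{finding.kind} {finding.name}: {finding.state} ({detail})")


if __name__ == "__main__":
    for item in audit_aliases(SAMPLE_CONFIG):
        print(render(item))
```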

4.1.79.2.2 channel-list

Configures the channel list advertised by radios. This command also enables a dynamic update of a channel list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
channel-list [2.4GHz|5GHz|dynamic]
channel-list dynamic
channel-list [2.4GHz|5GHz] <CHANNEL-LIST>

Parameters
• channel-list dynamic

dynamic
  Enables a dynamic update of a channel list

• channel-list [2.4GHz|5GHz] <CHANNEL-LIST>

2.4GHz <CHANNEL-LIST>
  Configures the channel list advertised by radios operating in the 2.4 GHz mode
  • <CHANNEL-LIST> – Specify the list of channels separated by commas or hyphens.

5GHz <CHANNEL-LIST>
  Configures the channel list advertised by radios operating in the 5.0 GHz mode
  • <CHANNEL-LIST> – Specify the list of channels separated by commas or hyphens.

Example
rfs6000-81742D(config-rf-domain-default)#channel-list 2.4GHz 1-10
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 no country-code
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no    Removes the list of channels configured on the selected RF Domain for 2.4 GHz and 5.0 GHz bands. Also disables dynamic update of a channel list.

4.1.79.2.3 contact
rf-domain-mode commands

Configures the network administrator’s contact details. The network administrator is responsible for addressing problems impacting the network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
contact <WORD>

Parameters
• contact <WORD>

contact <WORD>
    Specify contact details, such as name and number.

Example
rfs6000-81742D(config-rf-domain-default)#contact Bob+14082778691
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 no country-code
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
    Removes a network administrator’s contact details

4.1.79.2.4 control-vlan
rf-domain-mode commands

Configures the VLAN designated for traffic control in this RF Domain

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters
• control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]

[<1-4094>|<VLAN-ALIAS-NAME>]
    Specify the VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify the control VLAN. If using a vlan-alias, ensure that the alias exists and is configured.

Example
rfs6000-81742D(config-rf-domain-default)#control-vlan 1
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 no country-code
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
    Disables the VLAN designated for controlling RF Domain traffic

4.1.79.2.5 controller-managed
rf-domain-mode commands

Configures the adopting controller (wireless controller, access point, or service platform) as this RF Domain’s manager. In other words, the RF Domain is controller managed, and the managing controller is the device managing the RF Domain.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
controller-managed

Parameters
None

Example
rfs4000-229D58(config-rf-domain-test)#controller-managed
rfs4000-229D58(config-rf-domain-test)#commit
rfs4000-229D58(config-rf-domain-test)#show context
rf-domain test
 country-code in
 controller-managed
 network-alias techPubs host 192.168.13.8
 network-alias techPubs address-range 192.168.13.10 to 192.168.13.15
 service-alias testing index 10 proto 9 destination-port range 21 21
rfs4000-229D58(config-rf-domain-test)#

Related Commands
no
    Removes the adopting controller or service platform as this RF Domain’s manager

4.1.79.2.6 country-code
rf-domain-mode commands

Configures an RF Domain’s country of operation. Since devices transmit on specific channels unique to the country of operation, it is essential to configure the country code correctly or risk illegal operation.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
country-code <WORD>

Parameters
• country-code <WORD>

country-code
    Configures the RF Domain’s country of operation
<WORD>
    Specify the two (2) letter ISO-3166 country code.

Example
rfs6000-81742D(config-rf-domain-default)#country-code ?
  WORD  The 2 letter ISO-3166 country code
  ae    United Arab Emirates
  ag    Antigua and Barbuda
  ai    Anguilla
  al    Albania
  an    Dutch Antilles
  ar    Argentina
  at    Austria
  au    Australia
  ba    Bosnia-Herzegovina
  bb    Barbados
  bd    Bangladesh
  be    Belgium
  bf    Burkina Faso
--More--
rfs6000-81742D(config-rf-domain-default)#
rfs6000-81742D(config-rf-domain-default)#country-code us
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
    Removes or resets this RF Domain’s configured country of operation

4.1.79.2.7 geo-coordinates
rf-domain-mode commands

Configures the longitude and latitude of the RF Domain in order to fix its exact geographical location on a map. Use this command to define the geographical area where a common set of device configurations are deployed and managed by this RF Domain policy.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>

Parameters
• geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>

geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>
    Configures the geo-coordinates of this RF Domain
    • <-90.0000-90.0000> – Specify the latitude from -90.0000 - 90.0000.
    • <-180.0000-180.0000> – Specify the longitude from -180.0000 - 180.0000.

Example
nx9500-6C8809(config-rf-domain-TechPubs)#geo-coordinates 12.971599 77.594563
nx9500-6C8809(config-rf-domain-TechPubs)#show context
rf-domain TechPubs
 location Bangalore
 geo-coordinates 12.9716 77.5946
 timezone Asia/Calcutta
 country-code in
 use database-policy default
 use nsight-policy AP-rfd
 control-vlan 1
 controller-managed
 use license WEBF
nx9500-6C8809(config-rf-domain-TechPubs)#

Related Commands
no
    Removes or resets this RF Domain’s configured geo-coordinates

4.1.79.2.8 layout
rf-domain-mode commands

Configures the RF Domain layout in terms of area, floor, and location on a map. It allows users to place APs across the deployment map. A maximum of 256 layouts is permitted.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
layout [area|description|floor|map-location] {(area|description|floor|map-location)}
layout [area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters]] {(area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters])}

Parameters
• layout [area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters]] {(area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters])}

layout
    Configures the RF Domain’s layout in terms of area, floor, and location on a map
    These are recursive parameters and you can configure one or all of these parameters.
area <AREA-NAME>
    Configures the RF Domain’s layout in terms of the area of location
    • <AREA-NAME> – Specify the area name.
    After configuring the RF Domain’s area of functioning, optionally specify the floor name (and number), description, and/or the location on map.
description <LINE>
    Configures a description for this RF Domain
    • <LINE> – Specify a description that enables you to identify the RF Domain. For a multi-worded string, use double quotes.
floor <FLOOR-NAME> <1-4094>
    Configures the RF Domain’s layout in terms of the floor name and number
    • <FLOOR-NAME> – Specify the floor name.
    • <1-4094> – Optional. Specifies the floor number from 1 - 4094. The default floor number is 1.
    After configuring the RF Domain’s floor name (and number), optionally specify the area name, description, and/or the location on map.
map-location <URL> units [feet|meters]
    Configures the location of the RF Domain on the map
    • <URL> – Specify the URL to configure the map location.
    • units [feet|meters] – Configures the map units. The options are: feet or meters
        • feet – Configures the map units in terms of feet
        • meters – Configures the map units in terms of meters
    After configuring the location of the RF Domain on the map, optionally specify the area name, floor name (and number), and/or description.

Example
rfs6000-81742D(config-rf-domain-default)#layout map-location www.firstfloor.com units meters area HamiltonAve floor Floor1
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 layout area HamiltonAve floor Floor1 map-location www.firstfloor.com units meters
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
    Removes the RF Domain layout details

4.1.79.2.9 location
rf-domain-mode commands

Configures the RF Domain’s physical location’s name. The location could be as specific as the building name or floor number. Or it could be generic and include an entire site. The location defines the physical area where a set of devices with common configurations are deployed and managed by a RF Domain policy.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
location <WORD>

Parameters
• location <WORD>

location <WORD>
    Configures the RF Domain location by specifying the area or building name
    • <WORD> – Specify the location.

Example
rfs6000-81742D(config-rf-domain-default)#location SanJose
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 location SanJose
 contact Bob+14082778691
 country-code us
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 layout area HamiltonAve floor Floor1 map-location www.firstfloor.com units meters
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
    Removes the RF Domain location

4.1.79.2.10 location-server
rf-domain-mode commands

Configures the L-Sense server’s IP address or hostname on the selected RF Domain. When configured, the AP7522, AP7532, AP7562, AP8432 and AP8533 model access points, within the RF Domain, extract and forward client-location related data to the specified L-Sense server.

L-Sense is a highly scalable indoor locationing platform that gathers location-related analytics, such as visitor trends, peak and off-peak times, dwell time, heat-maps, etc. to give entrepreneurs deeper visibility at a venue. To enable the location tracking system, the L-Sense server should be up and running and the RF Domain Sensor configuration should point to the L-Sense server.

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
location-server 1 ip <LSENSE-SERVER-IP/HOSTNAME> {port [443|<1-65535>]}

Parameters
• location-server 1 ip <LSENSE-SERVER-IP/HOSTNAME> {port [443|<1-65535>]}

location-server 1 ip <LSENSE-SERVER-IP/HOSTNAME>
    Configures the LSENSE server parameters
    • 1 – Sets the server ID as 1. As of now only one L-Sense server can be configured.
    • ip <LSENSE-SERVER-IP/HOSTNAME> – Specify the server’s IPv4 address/hostname. This is the L-Sense server designated to receive RSSI scan data from a WiNG dedicated sensor.
port [443|<1-65535>]
    Optional. Configures the port where the LSENSE server is reachable. The options are:
    • 443 – Configures port 443. This is the default setting.
    • <1-65535> – Alternately, specify a port as the LSENSE server port from 1 - 65535.

Example
nx9500-6C8809(config-rf-domain-test)#location-server 1 ip 192.168.13.20 port 200
nx9500-6C8809(config-rf-domain-test)#show context
rf-domain test
 no country-code
 location-server 1 ip 192.168.13.20 port 200
nx9500-6C8809(config-rf-domain-test)#

Related Commands
no
    Removes the LSENSE server configurations

4.1.79.2.11 mac-name
rf-domain-mode commands

Configures a relevant name for each MAC address. Use this command to associate client names to specific connected client MAC addresses for improved client management.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac-name <MAC> <NAME>

Parameters
• mac-name <MAC> <NAME>

mac-name <MAC> <NAME>
    Assigns a user-friendly name to this RF Domain’s member access point’s connected client to assist in its easy recognition
    • <MAC> – Specify the MAC address
    • <NAME> – Specify the client name for the specified MAC address. The name specified here will be used in events and statistics.

Example
rfs6000-81742D(config-rf-domain-default)#mac-name 11-22-33-44-55-66 TestDevice
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 location SanJose
 contact Bob+14082778691
 country-code us
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 mac-name 11-22-33-44-55-66 TestDevice
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
    Removes the MAC address to name mapping

4.1.79.2.12 no
rf-domain-mode commands

Negates a command or reverts configured settings to their default. When used in the config RF Domain mode, the no command negates or reverts RF Domain settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [alias|channel-list|contact|control-vlan|controller-managed|country-code|geo-coordinates|layout|location|location-server|mac-name|nsight-sensor|override-smartrf|override-wlan|sensor-server|stats|timezone|tree-node|use]
no [adoption-mode|channel-list [2.4GHz|5GHz|dynamic]|contact|control-vlan|controller-managed|country-code|location|location-server 1|mac-name <MAC>|nsight-sensor|sensor-server <1-3>|stats update-interval|timezone|tree-node]
no alias [address-range|host|network|network-group [address-range|host|network]|network-service|number|string|vlan] <ALIAS-NAME>
no layout {(area <AREA-NAME>|floor <FLOOR-NAME>)}
no override-smartrf channel-list [2.4GHz|5GHz]
no override-wlan <WLAN-NAME> [shutdown|ssid|template|vlan-pool [<1-4094>|all]|wep128 [key <1-3>|transmit-key]|wpa-wpa2-psk]
no use [database-policy|license|nsight-policy|smart-rf-policy|wips-policy]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or reverts this RF Domain’s settings based on the parameters passed

Example
The following example shows the default RF Domain settings before the ‘no’ commands are executed:

rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 location SanJose
 contact Bob+14082778691
 country-code us
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 mac-name 11-22-33-44-55-66 TestDevice
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#

rfs6000-81742D(config-rf-domain-default)#no channel-list 2.4GHz 1-10
rfs6000-81742D(config-rf-domain-default)#no mac-name 11-22-33-44-55-66
rfs6000-81742D(config-rf-domain-default)#no location
rfs6000-81742D(config-rf-domain-default)#no control-vlan

The following example shows the default RF Domain settings after the ‘no’ commands are executed:

rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#

4.1.79.2.13 override-smart-rf
rf-domain-mode commands

Enables dynamic channel switching for Smart RF radios. This command allows you to configure an override list of channels that Smart RF can use for channel compensations on 2.4 GHz and 5.0 GHz radios.

When a radio fails or is faulty, a Smart RF policy provides automatic recovery by instructing neighboring access points to increase their transmit power to compensate for the coverage loss. Once correct access point placement has been established, Smart-RF can optionally be leveraged for automatic detector radio selection. Smart-RF uses detector radios to monitor RF events and can ensure availability of adequate detector coverage.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
override-smartrf channel-list [2.4GHz|5GHZ] <CHANNEL-LIST>

Parameters
• override-smartrf channel-list [2.4GHz|5GHZ] <CHANNEL-LIST>

override-smartrf
    Enables dynamic channel switching for Smart RF radios
channel-list
    Configures a list of channels for 2.4 GHz and 5.0 GHz Smart RF radios
2.4GHz <CHANNEL-LIST>
    Selects the 2.4 GHz Smart RF radio channels
    • <CHANNEL-LIST> – Specify a list of channels separated by commas.
5GHz <CHANNEL-LIST>
    Selects the 5.0 GHz Smart RF radio channels
    • <CHANNEL-LIST> – Specify a list of channels separated by commas.

Example
rfs6000-81742D(config-rf-domain-default)#override-smartrf channel-list 2.4GHz 1,2,3
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 override-smartrf channel-list 2.4GHz 1,2,3
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
    Removes the override-smartrf list of channels configured for 2.4 GHz and 5.0 GHz radios

4.1.79.2.14 override-wlan
rf-domain-mode commands

Configures RF Domain level overrides for a WLAN

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
override-wlan <WLAN-NAME> [shutdown|ssid|template|vlan-pool|wep128|wpa-wpa2-psk]
override-wlan <WLAN-NAME> [shutdown|ssid <SSID>|template <TEMPLATE-NAME>|vlan-pool <1-4094> {limit <0-8192>}]
override-wlan <WLAN-NAME> wpa-wpa2-psk [0 <WORD>|2 <WORD>]
override-wlan <WLAN-NAME> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]

Parameters
• override-wlan <WLAN-NAME> [shutdown|ssid <SSID>|template <TEMPLATE-NAME>|vlan-pool <1-4094> {limit <0-8192>}]

<WLAN-NAME>
    Configures the WLAN name
    If applying RF Domain level overrides to an existing WLAN, specify its name. If creating a new WLAN, specify a name not exceeding 32 characters and representing the WLAN’s coverage area. After creating the WLAN, configure its override parameters.
shutdown
    Shuts down WLAN operation on all mapped radios
ssid <SSID>
    Configures an override SSID associated with this WLAN
    • <SSID> – Specify the SSID (should not exceed 32 characters in length).
    Each WLAN provides associated wireless clients with a SSID. This has limitations, because it requires wireless clients to associate with different SSIDs to obtain QoS and security policies. However, a WiNG-managed RF Domain can have WLANs assigned and advertise a single SSID, and yet allow users to inherit different QoS or security policies.
template <TEMPLATE-NAME>
    Configures a template name for this RF Domain
    • <TEMPLATE-NAME> – Specify the template name (should not exceed 32 characters in length).
vlan-pool <1-4094> {limit <0-8192>}
    Configures the override VLANs available to this WLAN
    • <1-4094> – Specify the VLAN ID from 1 - 4094.
    • limit <0-8192> – Optional. Sets a limit to the number of users on this VLAN from 0 - 8192. The default is 0.
    Controllers and service platforms allow the mapping of a WLAN to more than one VLAN. Wireless clients associating with a WLAN are assigned VLANs, from the pool representative of the WLAN, in a way that ensures proper load balancing across VLANs. Clients are tracked per VLAN, and assigned to the least used/loaded VLAN. Client VLAN usage is tracked on a per-WLAN basis. The maximum allowed client limit is 8192 per VLAN.

• override-wlan <WLAN-NAME> wpa-wpa2-psk [0 <WORD>|2 <WORD>]

<WLAN-NAME>
    Configures the WLAN name
    If applying RF Domain level overrides to an existing WLAN, specify its name. If creating a new WLAN, specify a name not exceeding 32 characters and representing the WLAN’s coverage area. After creating the WLAN, configure its override parameters.
wpa-wpa2-psk <PASSPHRASE>
    Overrides a WLAN’s existing WPA-WPA2 pre-shared key or passphrase at the RF Domain level. WPA2 is a newer 802.11i standard that provides wireless security that is stronger than Wi-Fi Protected Access (WPA) and WEP.
    • <PASSPHRASE> – Specify a WPA-WPA2 key or passphrase. It is an alphanumeric string of 8 to 64 ASCII characters or 64 HEX characters as the primary string, which both the transmitting and receiving authenticators must share in this new override PSK. The alphanumeric string allows character spaces. The string is converted to a numeric value. This passphrase saves you the necessity of entering the 256-bit key each time keys are generated.

• override-wlan <WLAN-NAME> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]

<WLAN-NAME>
    Configures the WLAN name
    If applying RF Domain level overrides to an existing WLAN, specify its name. If creating a new WLAN, specify a name not exceeding 32 characters and representing the WLAN’s coverage area. After creating the WLAN, configure its override parameters.
wep128
    Overrides a WLAN’s existing WEP128 keys at the RF Domain level (not the profile level). WEP128 uses a 104 bit key, which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. WEP may be all a small-business user needs for the simple encryption of wireless data on the WLAN. However, networks that require more security are at risk from a WEP flaw. WEP is only recommended if there are client devices incapable of using higher forms of security. The existing 802.11 standard alone offers administrators no effective method to update keys.
key <1-4> hex [0 <WORD>|2 <WORD>]
    Configures the WEP128 key. A total of four keys can be configured.
    • <1-4> – Select the key index from 1 - 4.
    • hex – Configures a hexadecimal key
        • 0 <WORD> – Configures a clear text key
        • 2 <WORD> – Configures an encrypted key
    The following parameter is common to both clear-text and encrypted key options:
    • <WORD> – Specify the WEP128/Keyguard key (should not exceed 26 hexadecimal characters in length).
transmit-key <1-4>
    Configures transmit WEP/Keyguard key settings
    • <1-4> – Transmit the key identified by the key index specified here. Specify the index from 1 - 4.

Example
rfs6000-81742D(config-rf-domain-default)#override-wlan test vlan-pool 2 limit 20
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 override-smartrf channel-list 2.4GHz 1,2,3
 override-wlan test vlan-pool 2 limit 20
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
    Resets the override WLAN settings to its default
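
The following is an added example, not part of the Extreme Networks guide: a Python audit that scans RF Domain show context output for the override-wlan settings described above and flags WEP128 overrides and keys stored as type 0 (clear text), checking type 0 values against the lengths the guide states. The function name audit_rf_domain, the rule names and the sample configuration are constructed for illustration, and the script assumes show context echoes override-wlan lines in the documented syntax.

```python
import re

# Constructed sample of 'show context' output for an RF Domain. It assumes the
# device echoes override-wlan lines in the syntax documented above; the WLAN
# names and all key material are made up for this example.
SAMPLE_CONTEXT = """\
rf-domain default
 contact Bob+14082778691
 country-code us
 override-wlan test vlan-pool 2 limit 20
 override-wlan guest wpa-wpa2-psk 0 ExamplePassphrase1
 override-wlan corp wpa-wpa2-psk 2 EXAMPLE-ENCRYPTED-VALUE
 override-wlan legacy wep128 key 1 hex 0 0123456789abcdef0123456789
 override-wlan legacy wep128 transmit-key 1
"""

HEX_RE = re.compile(r"[0-9A-Fa-f]+")
PSK_RE = re.compile(r"override-wlan (\S+) wpa-wpa2-psk ([02]) (.+)")
WEP_KEY_RE = re.compile(r"override-wlan (\S+) wep128 key ([1-4]) hex ([02]) (\S+)")
WEP_ANY_RE = re.compile(r"override-wlan (\S+) wep128\b")


def audit_rf_domain(context_text):
    """Return (wlan, rule, detail) findings for override-wlan lines."""
    findings = []
    wep_wlans = set()  # report WEP use once per WLAN
    for raw in context_text.splitlines():
        line = raw.strip()

        psk = PSK_RE.fullmatch(line)
        if psk:
            wlan, key_type, secret = psk.groups()
            if key_type == "0":
                findings.append((wlan, "psk-clear-text",
                                 "PSK is stored as type 0 (clear text)"))
                # Per the guide: 8 to 64 ASCII characters, or 64 hex characters
                # (a 64-character hex string also satisfies the ASCII rule).
                if not (secret.isascii() and 8 <= len(secret) <= 64):
                    findings.append((wlan, "psk-format",
                                     "PSK is not 8 to 64 ASCII characters"))
            continue

        wep = WEP_ANY_RE.match(line)
        if not wep:
            continue
        wlan = wep.group(1)
        if wlan not in wep_wlans:
            wep_wlans.add(wlan)
            findings.append((wlan, "wep128-in-use",
                             "WLAN is overridden to WEP128"))
        key = WEP_KEY_RE.fullmatch(line)
        if key:
            _, index, key_type, secret = key.groups()
            if key_type == "0":
                findings.append((wlan, "wep-clear-text",
                                 "WEP key %s is stored as type 0 (clear text)" % index))
                # Per the guide: at most 26 hexadecimal characters.
                if not HEX_RE.fullmatch(secret) or len(secret) > 26:
                    findings.append((wlan, "wep-key-format",
                                     "WEP key %s is not <= 26 hex characters" % index))
    return findings


if __name__ == "__main__":
    for wlan, rule, detail in audit_rf_domain(SAMPLE_CONTEXT):
        print("%-8s %-16s %s" % (wlan, rule, detail))
```

Type 2 (encrypted) values are reported only through the WEP-in-use rule, since their length and character set cannot be checked from the configuration text.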

4.1.79.2.15 sensor-server
rf-domain-mode commands

Configures an AirDefense sensor server on this RF Domain. Sensor servers allow network administrators to monitor and download data from multiple sensors at remote locations using Ethernet TCP/IP or serial communications. This enables administrators to respond quickly to interferences and coverage problems.

The Wireless Intrusion Protection System (WIPS) protects the controller managed network, wireless clients and access point radio traffic from attacks and unauthorized access. WIPS provides tools for standards compliance and around-the-clock wireless network security in a distributed environment. WIPS allows administrators to identify and accurately locate attacks, rogue devices and network vulnerabilities in real time and permits both a wired and wireless lockdown of wireless device connections upon acknowledgement of a threat.

In addition to dedicated AirDefense sensors, an access point radio can function as a sensor and upload information to a dedicated WIPS server (external to the controller). Unique WIPS server configurations can be used by RF Domains to ensure a WIPS server configuration is available to support the unique data protection needs of individual RF Domains.

WIPS is not supported on a WLAN basis, rather sensor functionality is supported on the access point radio(s) available to each controller managed WLAN. When an access point radio is functioning as a WIPS sensor, it is able to scan in sensor mode across all legal channels within the 2.4 and 5.0 GHz bands. Sensor support requires an AirDefense WIPS Server on the network. Sensor functionality is not provided by the access point alone. The access point works in conjunction with a dedicated WIPS server.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}

Parameters
• sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}

sensor-server <1-3>
    Configures AirDefense sensor server parameters
    • <1-3> – Select the server ID from 1 - 3. The server with the lowest defined ID is reached first. The default is 1.
ip <IP/HOSTNAME>
    Configures the (non DNS) IPv4 address of the sensor server
    • <IP/HOSTNAME> – Specify the sensor server’s IPv4 address or hostname.
port [443|<1-65535>]
    Optional. Configures the sensor server port. The options are:
    • 443 – Configures port 443, the default port used by the AirDefense server. This is the default setting.
    • <1-65535> – Allows you to select a WIPS/AirDefense sensor server port from 1 - 65535

Example
rfs6000-81742D(config-rf-domain-default)#sensor-server 2 ip 172.16.10.3 port 443
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 sensor-server 2 ip 172.16.10.3
 override-smartrf channel-list 2.4GHz 1,2,3
 override-wlan test vlan-pool 2 limit 20
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
    Disables AirDefense sensor server parameters

4.1.79.2.16 stats
rf-domain-mode commands

Configures stats settings that define how RF Domain statistics are updated

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
stats update-interval
stats update-interval [<5-300>|auto]

Parameters
• stats update-interval [<5-300>|auto]

stats
    Configures stats related settings on this RF Domain
update-interval [<5-300>|auto]
    Configures the interval at which RF Domain statistics are updated. The options are:
    • <5-300> – Specify an update interval from 5 - 300 seconds.
    • auto – The RF Domain manager automatically adjusts the update interval based on the load. This is the default setting.

Example
rfs6000-81742D(config-rf-domain-default)#stats update-interval 200
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 stats update-interval 200
 country-code us
 sensor-server 2 ip 172.16.10.3
 override-smartrf channel-list 2.4GHz 1,2,3
 override-wlan test vlan-pool 2 limit 20
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
    Resets stats related settings

4.1.79.2.17 timezone
rf-domain-mode commands

Configures the RF Domain’s geographic time zone. By default all WiNG devices are shipped with the time zone and time format set to Universal Time Coordinated (UTC) and 24-hour clock respectively. If the time zone is not reset, all devices within the RF Domain will display time relative to the UTC - Greenwich Time. Resetting the time zone is recommended, especially for RF Domains deployed across different geographical locations.

The time zone can either be set on a specific device or on an RF Domain. When configured as an RF Domain setting, it applies to all devices within the domain. For more information on configuring the time zone on a device, see timezone.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
timezone <TIMEZONE>

Parameters
• timezone <TIMEZONE>

timezone <TIMEZONE>
    Specify the RF Domain’s time zone. The configured time zone will apply to all devices within the selected RF Domain.

Example
rfs6000-81742D(config-rf-domain-default)#timezone America/Los_Angeles
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 timezone America/Los_Angeles
 stats update-interval 200
 country-code us
 sensor-server 2 ip 172.16.10.3
 override-smartrf channel-list 2.4GHz 1,2,3
 override-wlan test vlan-pool 2 limit 20
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#

The built-in WiNG timezones are:

nx9500-6C8809(config-rf-domain-test)#timezone <TAB>
Africa/     Asia/       Atlantic/   Australia/  CET         CST6CDT
EET         EST5EDT     Etc/        Europe/     MST7MDT     Pacific/
PST8PDT     US/         America/
nx9500-6C8809(config-rf-domain-test)#

Each of these time zones is further differentiated into sub time zones, as shown in the following example:

nx9500-6C8809(config-rf-domain-test)#timezone Africa/
Africa/Cairo         Africa/Casablanca    Africa/Harare
Africa/Johannesburg  Africa/Lagos         Africa/Nairobi
nx9500-6C8809(config-rf-domain-test)#

Related Commands
no
    Removes a RF Domain’s time zone
4.1.79.2.18 tree-node
rf-domain-mode commands

Configures the hierarchical (tree-node) structure under which this RF Domain is located

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
tree-node [campus|city|country|region] {(campus|city|country|region)}

Parameters
• tree-node [campus|city|country|region] {(campus|city|country|region)}

tree-node
  Configures the hierarchical tree structure defining the RF Domain’s location. The tree node hierarchy can be configured in any order, but will always appear as: country > region > city > campus. Further, a higher node, such as country, cannot be defined under a lower node, such as region. An RF Domain can be placed under any one of the tree nodes. However, an RF Domain at the country level may have all four nodes defined, whereas an RF Domain restricted to a campus cannot have the country, city, and region nodes.
  At least one of these four nodes must be defined. This feature is disabled by default.
campus
  Configures the campus name for this RF Domain
city
  Configures the city for this RF Domain
country
  Configures the country for this RF Domain
region
  Configures the region for this RF Domain

Usage Guidelines
The following points need to be taken into consideration when creating the tree-node structure:
• Adding a country first is a good idea since region, city, and campus can all be added as sub-nodes in the tree structure. However, the selected country is an invalid tree node until an RF Domain is mapped.
• A city and campus can be added in the tree structure as sub-nodes under a region. An RF Domain can be mapped anywhere down the hierarchy for a region and not just directly under a country. For example, a region can have city, campus, and one RF Domain mapped.
• Only a campus can be added as a sub-node under a city. The city is an invalid tree node until an RF Domain is mapped somewhere within the directory tree.
• A campus is the last node in the hierarchy before an RF Domain, and it is not valid unless it has an RF Domain mapped.
• After creating the tree structure do a commit and save for the tree configuration to take effect and persist across reboots.

Example
rfs4000-229D58(config-rf-domain-test)#tree-node campus EcoSpace City Bangalore country India region South
rfs4000-229D58(config-rf-domain-test)#
rfs4000-229D58(config-rf-domain-test)#show context
rf-domain test
 country-code in
 tree-node country India region South city Bangalore campus EcoSpace
rfs4000-229D58(config-rf-domain-test)#

Related Commands
no
  Removes the RF Domain’s tree-node configuration
4.1.79.2.19 use
rf-domain-mode commands

Associates the following with an RF Domain: database policy, NSight policy, sensor policy, Smart RF policy, WIPS policy, RTL server policy, and Web filtering license.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [database-policy|license|nsight-policy|rtl-server-policy|sensor-policy|smart-rf-policy|wips-policy]
use [database-policy <DATABASE-POLICY-NAME>|license <WEB-FILTERING-LICENSE>|nsight-policy <NSIGHT-POLICY-NAME>|rtl-server-policy <RTL-SERVER-POLICY-NAME>|sensor-policy <SENSOR-POLICY-NAME>|smart-rf-policy <SMART-RF-POLICY-NAME>|wips-policy <WIPS-POLICY-NAME>]

Parameters
• use [database-policy <DATABASE-POLICY-NAME>|license <WEB-FILTERING-LICENSE>|nsight-policy <NSIGHT-POLICY-NAME>|rtl-server-policy <RTL-SERVER-POLICY-NAME>|sensor-policy <SENSOR-POLICY-NAME>|smart-rf-policy <SMART-RF-POLICY-NAME>|wips-policy <WIPS-POLICY-NAME>]

use
  Associates the following policies with the RF Domain: database policy, NSight policy, sensor policy, Smart RF policy, WIPS policy. It also applies a Web filtering license to the selected RF Domain.
database-policy <DATABASE-POLICY-NAME>
  Associates a database policy with the selected RF Domain
  • <DATABASE-POLICY-NAME> – Specify the database policy name (should be existing and configured).
license <WEB-FILTERING-LICENSE>
  Obtains the specified Web filtering license from the adopting controller
  • <WEB-FILTERING-LICENSE> – Specify the WEBF license name.
nsight-policy <NSIGHT-POLICY-NAME>
  Associates an NSight policy to this RF Domain
  • Specify the NSight policy name (should be existing and configured). When applied, it enables the RF Domain manager to gather statistical data from access points within the domain and forward it to the NOC running the NSight server. For information on configuring NSight policy, see nsight-policy.
rtl-server-policy <RTL-SERVER-POLICY-NAME>
  Associates a Real Time Locationing (RTL) server policy with the selected RF Domain
  • <RTL-SERVER-POLICY-NAME> – Specify the RTL server policy name (should be existing and configured).
sensor-policy <SENSOR-POLICY-NAME>
  Associates a sensor policy with the selected RF Domain
  • <SENSOR-POLICY-NAME> – Specify the sensor policy name (should be existing and configured).
smart-rf-policy <SMART-RF-POLICY-NAME>
  Associates a Smart RF policy. When associated, the Smart RF policy provides automatic recovery from coverage loss (due to failed or faulty radio) by instructing neighboring access points to increase their transmit power.
  Once correct access point placement has been established, Smart-RF can optionally be leveraged for automatic detector radio selection. Smart-RF uses detector radios to monitor RF events to ensure availability of adequate detector coverage.
  • <SMART-RF-POLICY-NAME> – Specify the Smart RF policy name (should be existing and configured). For more information on configuring smart RF policy, see SMART-RF-POLICY.
wips-policy <WIPS-POLICY-NAME>
  Associates a WIPS policy. A WIPS policy provides protection against wireless threats and acts as a key layer of security complementing wireless VPNs, encryption and authentication. A WIPS policy uses a dedicated sensor for actively detecting and locating rogue AP devices. After detection, WIPS uses mitigation techniques to block the devices by manual termination, air lockdown, or port suppression.
  • <WIPS-POLICY-NAME> – Specify the WIPS policy name (should be existing and configured). For more information on configuring WIPS policy, see WIPS-POLICY.

Example
rfs6000-81742D(config-rf-domain-default)#use smart-rf-policy Smart-RF1
rfs6000-81742D(config-rf-domain-default)#use wips-policy WIPS1
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 timezone America/Los_Angeles
 stats update-interval 200
 country-code us
 use smart-rf-policy Smart-RF1
 use wips-policy WIPS1
 sensor-server 2 ip 172.16.10.3
 override-smartrf channel-list 2.4GHz 1,2,3
 override-wlan test vlan-pool 2 limit 20
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#

Related Commands
no
  Resets profiles used with this RF Domain
sensor-server
  Configures an AirDefense sensor server on this RF Domain
wips-policy
  Configures a WIPS policy
smart-rf-policy
  Configures a Smart RF policy
4.1.80 rfs6000
Global Configuration Commands

Adds an RFS6000 wireless controller to the network

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rfs6000 <DEVICE-RFS6000-MAC>

Parameters
• rfs6000 <DEVICE-RFS6000-MAC>

<DEVICE-RFS6000-MAC>
  Specify the RFS6000’s MAC address.

Example
rfs6000-81742D(config)#rfs6000 11-20-30-40-50-61
rfs6000-81742D(config-device-11-20-30-40-50-61)#

Related Commands
no
  Removes an RFS6000 wireless controller from the network
4.1.81 rfs4000
Global Configuration Commands

Adds an RFS4000 wireless controller to the network

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rfs4000 <DEVICE-RFS4000-MAC>

Parameters
• rfs4000 <DEVICE-RFS4000-MAC>

<DEVICE-RFS4000-MAC>
  Specify the RFS4000’s MAC address.

Example
rfs6000-81742D(config)#rfs4000 10-20-30-40-50-60
rfs6000-81742D(config-device-10-20-30-40-50-60)#

Related Commands
no
  Removes an RFS4000 wireless controller from the network
4.1.82 nx5500
Global Configuration Commands

Adds an integrated NX5500 series service platform to the network. If a profile for this service platform is not available, a new profile is created.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
nx5500 <DEVICE-NX5500-MAC>

Parameters
• nx5500 <DEVICE-NX5500-MAC>

<DEVICE-NX5500-MAC>
  Specifies the MAC address of an NX5500 series service platform.

Example
nx9500-6C8809(config)#nx5500 B4-C7-02-3C-FA-6E
nx9500-6C8809(config-device-B4-C7-02-3C-FA-6E)#

Related Commands
no
  Removes an NX5500 series service platform from the network
4.1.83 nx75xx
Global Configuration Commands

Adds an integrated NX75XX series service platform to the network. If a profile for this service platform is not available, a new profile is created.

NOTE: In this guide, NX7500, NX7510, NX7520, and NX7530 are collectively represented as an NX75XX series service platform.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
nx75xx <DEVICE-NX75XX-MAC>

Parameters
• nx75xx <DEVICE-NX75XX-MAC>

<DEVICE-NX75XX-MAC>
  Specifies the MAC address of an NX75XX series service platform.

Example
nx9500-6C8809(config)#nx75xx B4-C9-81-6C-FA-7C
nx9500-6C8809(config-device-B4-C9-81-6C-FA-7C)#show context
nx75xx B4-C9-81-6C-FA-7C
 use profile default-nx75xx
 use rf-domain default
 hostname nx75xx-6CFA7C
nx9500-6C8809(config-device-B4-C9-81-6C-FA-7C)#

nx75xx-6CFA7C>show adoption status
Adopted by:
Type          : nx9000
System Name   : nx9500-6C8809
MAC address   : B4-C7-99-6C-88-09
MiNT address  : 19.6C.88.09
Time          : 1 days 01:57:50 ago
Adopted Devices:
---------------------------------------------------------------------------------------
DEVICE-NAME   VERSION       CFG-STAT    MSGS ADOPTED-BY   LAST-ADOPTION    UPTIME
---------------------------------------------------------------------------------------
ap7131-11E6C4 5.8.6.0-008B  configured  No  nx75xx-6CFA7C 1 days 01:49:44 1 days 01:59:34
---------------------------------------------------------------------------------------
Total number of devices displayed: 1
nx75xx-6CFA7C>

Related Commands
no
  Removes an NX75XX series service platform from the network
4.1.84 nx9000
Global Configuration Commands

Adds an NX95XX series service platform to the network

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
nx9000 <DEVICE-NX95XX-MAC>

Parameters
• nx9000 <DEVICE-NX95XX-MAC>

<DEVICE-NX95XX-MAC>
  Specifies the MAC address of an NX95XX series service platform.

Example
nx9500-6C8809(config)#nx9000 B4-C7-89-7C-81-08
nx9500-6C8809(config-device-B4-C7-89-7C-81-08)#

Related Commands
no
  Removes an NX95XX series service platform from the network
4.1.85 roaming-assist-policy
Global Configuration Commands

Configures a roaming assist policy that enables access points to assist wireless clients in making roaming decisions, such as which access point to connect to.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
roaming-assist-policy <POLICY-NAME>

Parameters
• roaming-assist-policy <POLICY-NAME>

<POLICY-NAME>
  Specify the roaming assist policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#roaming-assist-policy testPolicy
rfs6000-81742D(config-roaming-assist-policy-testPolicy)#?
Roaming Assist Mode commands:
  action               Configure action - action is either to log / deauth
  aggressiveness       Configure the roaming aggressiveness for a wireless
                       client
  detection-threshold  Configure the detection threshold - when exceeded,
                       client monitoring starts
  disassoc-time        Configure the disassociation time - time after which a
                       disassociation is sent
  handoff-count        Configure the handoff count - number of times client
                       can exceed handoff threshold
  handoff-threshold    Configure the handoff threshold - when exceeds an
                       action is taken.
  monitoring-interval  Configure the monitoring interval - interval at which
                       client monitoring occurs
  no                   Negate a command or set its defaults
  sampling-interval    Configure the sampling interval - interval at which
                       client rssi values are checked
  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal
rfs6000-81742D(config-roaming-assist-policy-testPolicy)#

Related Commands
no
  Removes an existing roaming assist policy

NOTE: For more information on roaming assist policy commands, see Chapter 30, ROAMING ASSIST POLICY.
4.1.86 role-policy
Global Configuration Commands

Configures a role-based firewall policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
role-policy <ROLE-POLICY-NAME>

Parameters
• role-policy <ROLE-POLICY-NAME>

<ROLE-POLICY-NAME>
  Specify the role policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#role-policy role1
rfs6000-81742D(config-role-policy-role1)#?
Role Policy Mode commands:
  default-role     Configuration for Wireless Clients not matching any role
  ldap-deadperiod  Ldap dead period interval
  ldap-query       Set the ldap query mode
  ldap-server      Add a ldap server
  ldap-timeout     Ldap query timeout interval
  no               Negate a command or set its defaults
  user-role        Create a role
  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal
rfs6000-81742D(config-role-policy-role1)#

Related Commands
no
  Removes an existing role policy

NOTE: For more information on role policy commands, see Chapter 18, ROLE-POLICY.
4.1.87 route-map
Global Configuration Commands

Creates a dynamic BGP route map and enters its configuration mode

BGP route maps are used by network administrators to define rules controlling redistribution of routes between routers and routing processes. These route maps are also used to control and modify routing information.

Supported in the following platforms:
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9600, VX9000

Syntax
route-map <ROUTE-MAP-NAME>

Parameters
• route-map <ROUTE-MAP-NAME>

route-map <ROUTE-MAP-NAME>
  Creates a new BGP route map and enters its configuration mode

Example
nx9500-6C8809(config)#route-map test
nx9500-6C8809(config-dr-route-map-test)#?
Route Map Mode commands:
  deny     Add a deny route map rule to deny set operations
  no       Negate a command or set its defaults
  permit   Add a permit route map rule to permit set operations
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
nx9500-6C8809(config-dr-route-map-test)#

Related Commands
no
  Removes an existing dynamic BGP route map

NOTE: For more information on BGP route maps, see Chapter 28, BORDER GATEWAY PROTOCOL.
4.1.88 routing-policy
Global Configuration Commands

Configures a routing policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
routing-policy <ROUTING-POLICY-NAME>

Parameters
• routing-policy <ROUTING-POLICY-NAME>

<ROUTING-POLICY-NAME>
  Specify the routing policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#routing-policy TestRoutingPolicy
rfs6000-81742D(config-routing-policy-TestRoutingPolicy)#?
Routing Policy Mode commands:
  apply-to-local-packets  Use Policy Based Routing for packets generated by
                          the device
  logging                 Enable logging for this Route Map
  no                      Negate a command or set its defaults
  route-map               Create a Route Map
  use                     Set setting to use
  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  do                      Run commands from Exec mode
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal
rfs6000-81742D(config-routing-policy-TestRoutingPolicy)#

Related Commands
no
  Removes an existing routing policy

NOTE: For more information on routing policy commands, see Chapter 24, ROUTING-POLICY.
4.1.89 rtl-server-policy
Global Configuration Commands

The following table lists the Real Time Locationing (RTL) server policy configuration commands:

Table 4.45 RTL-Server-Policy Config Command

Command    Description    Reference
rtl-server-policy    Configures an RTL server policy and enters its configuration mode    page 4-414
rtl-server-policy-mode commands    Summarizes RTL server policy configuration mode commands    page 4-416
4.1.89.1 rtl-server-policy
rtl-server-policy

Creates an RTL server policy and enters its configuration mode. When configured and applied on an access point (AP7522, AP7532, AP8432, AP8533), this policy enables the sending of RSSI feeds from the access point to a third-party Euclid server. The RTL server policy provides the exact location (URL) of the Euclid server. The RSSI feeds sent are as per the sensor-policy configured and applied on the access point. Therefore, ensure that a sensor-policy, with the rssi-interval-duration specified, exists and is configured and applied on the access points.

To initiate RSSI feed posts to the Euclid locationing server, use the RTL server policy on the:
• AP’s device/profile context, or
• AP’s RF Domain context.

Supported in the following platforms:
• Access Points — AP7522, AP7532, AP8432, AP8533
• Wireless Controllers — RFS4000
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
rtl-server-policy <RTL-POLICY-NAME>

Parameters
• rtl-server-policy <RTL-POLICY-NAME>

<RTL-SERVER-POLICY-NAME>
  Specify the RTL server policy name. If an RTL server policy with the specified name does not exist, it is created.

Example
nx9500-6C8809(config)#rtl-server-policy test
nx9500-6C8809(config-rtl-server-policy-test)#?
RTL Server Policy Mode commands:
  no       Negate a command or set its defaults
  url      Configure the url to send the real time RSSI feed to
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
nx9500-6C8809(config-rtl-server-policy-test)#

Related Commands
no
  Removes an existing RTL server policy
use (profile/device configuration mode command)
  Documents the ‘use’ command in a device’s profile or device configuration context. Use this option to associate this RTL server policy to an access point’s profile or device.
use (RF Domain configuration mode command)
  Documents the ‘use’ command in the RF Domain configuration context. Use this option to associate this RTL server policy to an RF Domain. When associated, the policy is applied to all access points within the RF Domain.
4.1.89.2 rtl-server-policy-mode commands
rtl-server-policy

The following table summarizes the RTL server policy configuration mode commands:

Table 4.46 RTL-Server-Policy Mode Commands

Command    Description    Reference
url    Configures the third-party Euclid RTL server’s URL    page 4-417
no    Removes the Euclid RTL server’s URL configuration    page 4-418
4.1.89.2.1 url
rtl-server-policy-mode commands

Configures the third-party Euclid RTL server’s exact location. This is the URL at which the server can be reached.

Supported in the following platforms:
• Access Points — AP7522, AP7532, AP8432, AP8533
• Wireless Controllers — RFS4000
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
url <URL>

Parameters
• url <URL>

url <URL>
  Configures the Euclid server’s URL
  • <URL> – Specify the URL.

Example
nx9500-6C8809(config-rtl-server-policy-test)#url https://testrtlsever.com
nx9500-6C8809(config-rtl-server-policy-test)#show context
rtl-server-policy test
 url https://testrtlsever.com
nx9500-6C8809(config-rtl-server-policy-test)#

Related Commands
no
  Removes the Euclid server’s configured URL
4.1.89.2.2 no
rtl-server-policy-mode commands

Removes the Euclid locationing server’s URL configuration

Supported in the following platforms:
• Access Points — AP7522, AP7532, AP8432, AP8533
• Wireless Controllers — RFS4000
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
no url

Parameters
• no url

no url
  Removes the Euclid server’s URL

Example
The following example displays the RTL server policy ‘test’ settings before the ‘no’ command is executed:
nx9500-6C8809(config-rtl-server-policy-test)#show context
rtl-server-policy test
 url https://testrtlsever.com
nx9500-6C8809(config-rtl-server-policy-test)#

nx9500-6C8809(config-rtl-server-policy-test)#no url

The following example displays the RTL server policy ‘test’ settings after the ‘no’ command is executed:
nx9500-6C8809(config-rtl-server-policy-test)#show context
rtl-server-policy test
nx9500-6C8809(config-rtl-server-policy-test)#
4.1.90 schedule-policy
Global Configuration Commands

The following table summarizes the config schedule policy commands:

Table 4.47 Schedule-Policy Config Commands

Command    Description    Reference
schedule-policy    Creates a schedule policy and enters its configuration mode    page 4-420
schedule-policy-mode commands    Lists schedule policy configuration mode commands    page 4-421
4.1.90.1 schedule-policy
schedule-policy

Creates a schedule policy and enters its configuration mode. A schedule policy strategically enforces application filter policy rules during administrator assigned intervals.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
schedule-policy <SCHEDULE-POLICY-NAME>

Parameters
• schedule-policy <SCHEDULE-POLICY-NAME>

schedule-policy <SCHEDULE-POLICY-NAME>
  Specify the Schedule policy name. If the policy does not exist, it is created. The name should not exceed 32 characters in length.

Example
nx9500-6C8809(config)#schedule-policy test
nx9500-6C8809(config-schedule-policy-test)#?
Schedule Policy Mode commands:
  description  Schedule policy description
  no           Negate a command or set its defaults
  time-rule    Configure a time rule
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
nx9500-6C8809(config-schedule-policy-test)#

Related Commands
no
  Removes an existing schedule policy
4.1.90.2 schedule-policy-mode commands
schedule-policy

The following table summarizes schedule-policy configuration mode commands:

Table 4.48 Schedule-Policy-Config-Mode Commands

Command    Description    Reference
description    Configures a description for this schedule policy that differentiates it from other policies with similar time rule configurations    page 4-422
time-rule    Configures a time rule specifying the days and optionally the start and end times    page 4-423
no    Removes the selected schedule policy’s settings    page 4-425
4.1.90.2.1 description
schedule-policy-mode commands

Configures a description for this schedule policy that differentiates it from other policies with similar time rule configurations

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description <WORD>

Parameters
• description <WORD>

description <WORD>
  Configures this schedule policy’s description
  • <WORD> – Enter a description not exceeding 80 characters in length. The description should uniquely identify the policy from other policies with similar configuration.

Example
nx9500-6C8809(config-schedule-policy-test)#description "Denies social networking sites on weekdays."
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
 description "Denies social networking sites on weekdays."
nx9500-6C8809(config-schedule-policy-test)#

Related Commands
no
  Removes this schedule policy’s description
4.1.90.2.2 time-rule
schedule-policy-mode commands
Configures a time rule specifying the days and optionally the start and end times. When applied to an application-policy rule, the schedule policy defines the enforcement time of the rule. For more information, see application-policy.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays] {start-time <HH:MM> [end-time <HH:MM>]}

Parameters
• time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays] {start-time <HH:MM> [end-time <HH:MM>]}
time-rule
  Configures a time rule in days, hours, and minutes
  A schedule policy can have more than one time-rule, provided the time-rules do not overlap. The following time-rules, having overlapping time periods, are invalid: ‘weekdays, start-time 9:30 am, end-time 11:30 pm’ and ‘all, start-time 12:00 am, end-time 12:00 pm’.
days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays]
  Specifies the days on which the time rule is applicable
  • sunday – Applicable on Sundays only
  • monday – Applicable on Mondays only
  • tuesday – Applicable on Tuesdays only
  • wednesday – Applicable on Wednesdays only
  • thursday – Applicable on Thursdays only
  • friday – Applicable on Fridays only
  • saturday – Applicable on Saturdays only
  • weekends – Applicable on weekends only
  • weekdays – Applicable on weekdays only
  • all – Applicable on all days
start-time <HH:MM> [end-time <HH:MM>]
  After specifying the days of enforcement, specify the following:
  • start-time – Optional. Specifies the enforcement start time
    • <HH:MM> – Specify the start time in hours and minutes in the HH:MM format.
    If no start time is specified, the time rule is enforced, on the specified days, at all times.
  • end-time – Specifies the enforcement end time
    • <HH:MM> – Specify the time in hours and minutes in the HH:MM format.

Example
nx9500-6C8809(config-schedule-policy-test)#time-rule days weekdays start-time 10:00 end-time 23:30
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
 description "Denies social networking sites on weekdays."
 time-rule days weekdays start-time 10:00 end-time 23:30
nx9500-6C8809(config-schedule-policy-test)#

Related Commands
no
  Removes the time-rule from the schedule policy
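Because a schedule policy decides when an application-policy rule is enforced, it helps to check a planned set of time-rules for overlap before entering them. The following Python check is an added example, not code from this guide or from WiNG. It assumes that a rule without start-time covers the whole day (as stated above), that a start-time without end-time runs to the end of the day, and that intervals are half-open and may not cross midnight; the sample rules are constructed, with the invalid pair taken from the parameter description and written in 24-hour HH:MM form.

```python
import re
from itertools import combinations

DAYS = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]
GROUPS = {
    "all": frozenset(DAYS),
    "weekdays": frozenset(DAYS[1:6]),
    "weekends": frozenset({"saturday", "sunday"}),
}
RULE_RE = re.compile(
    r"^time-rule\s+days\s+(?P<days>\S+)"
    r"(?:\s+start-time\s+(?P<start>\d{1,2}:\d{2})"
    r"(?:\s+end-time\s+(?P<end>\d{1,2}:\d{2}))?)?$"
)

# Constructed sample: the overlapping pair the guide calls invalid.
INVALID_PAIR = """\
time-rule days weekdays start-time 09:30 end-time 23:30
time-rule days all start-time 00:00 end-time 12:00
"""

# Constructed sample: same policy layout as 'show context', no overlap.
VALID_POLICY = """\
schedule-policy test
 description "Denies social networking sites on weekdays."
 time-rule days weekdays start-time 10:00 end-time 23:30
 time-rule days weekends start-time 08:00 end-time 12:00
"""


def to_minutes(hhmm):
    """Convert HH:MM to minutes after midnight, rejecting impossible values."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if hours > 23 or minutes > 59:
        raise ValueError(f"invalid HH:MM value: {hhmm}")
    return hours * 60 + minutes


def fmt(minutes):
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def parse_time_rule(line):
    """Parse one 'time-rule days ...' line into days and a minute interval."""
    text = line.strip()
    match = RULE_RE.match(text)
    if match is None:
        raise ValueError(f"not a time-rule line: {text!r}")
    key = match["days"].lower()
    if key in GROUPS:
        days = GROUPS[key]
    elif key in DAYS:
        days = frozenset({key})
    else:
        raise ValueError(f"unknown days keyword: {key}")
    # No start-time: enforced all day. No end-time: assumed to run to 24:00.
    start = to_minutes(match["start"]) if match["start"] else 0
    end = to_minutes(match["end"]) if match["end"] else 24 * 60
    if end <= start:
        # Assumption: a rule may not cross midnight.
        raise ValueError(f"end-time must be after start-time: {text!r}")
    return {"line": text, "days": days, "start": start, "end": end}


def find_overlaps(config_text):
    """Return (rule_a, rule_b, shared_days, 'HH:MM-HH:MM') for each conflict."""
    rules = [
        parse_time_rule(line)
        for line in config_text.splitlines()
        if line.strip().startswith("time-rule")
    ]
    conflicts = []
    for a, b in combinations(rules, 2):
        shared = a["days"] & b["days"]
        low, high = max(a["start"], b["start"]), min(a["end"], b["end"])
        if shared and low < high:
            conflicts.append(
                (a["line"], b["line"], sorted(shared, key=DAYS.index),
                 f"{fmt(low)}-{fmt(high)}")
            )
    return conflicts


if __name__ == "__main__":
    for rule_a, rule_b, days, window in find_overlaps(INVALID_PAIR):
        print(f"overlap on {', '.join(days)} during {window}:")
        print(f"  {rule_a}\n  {rule_b}")
    print("valid policy conflicts:", find_overlaps(VALID_POLICY))
```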
4.1.90.2.3 no
schedule-policy-mode commands
Removes the selected schedule policy’s settings

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [description|time-rule]
no description
no time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays]

Parameters
• no <PARAMETERS>
no <PARAMETERS>
  Removes the schedule policy’s settings based on the parameters passed

Example
The following example displays the schedule policy ‘test’ settings before the ‘no’ commands have been executed:
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
 description "Denies social networking sites on weekdays."
 time-rule days weekdays start-time 10:00 end-time 23:30
nx9500-6C8809(config-schedule-policy-test)#
The following example displays the schedule policy ‘test’ settings after the ‘no’ commands have been executed:
nx9500-6C8809(config-schedule-policy-test)#no description
nx9500-6C8809(config-schedule-policy-test)#no time-rule days weekdays
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
nx9500-6C8809(config-schedule-policy-test)#
4.1.91 self
Global Configuration Commands
Displays the logged device’s configuration context

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
self

Parameters
None

Example
rfs6000-81742D(config)#self
rfs6000-81742D(config-device-00-15-70-37-FA-BE)#
4.1.92 sensor-policy
Global Configuration Commands
The following table summarizes the config sensor policy commands:

Table 4.49 Sensor-Policy Config Commands
Command | Description | Reference
sensor-policy | Creates a sensor policy and enters its configuration mode | page 4-428
sensor-policy-mode commands | Lists sensor policy configuration mode commands | page 4-430
4.1.92.1 sensor-policy
sensor-policy
In addition to WIPS support, sensor functionality has now been added for the Extreme Networks MPact locationing system. The MPact system for Wi-Fi locationing includes WiNG controllers and access points functioning as sensors. Within the MPact architecture, sensors scan for RSSI data on an administrator-defined interval and send it to a dedicated MPact Server resource, as opposed to an ADSP server. The MPact Server collects the RSSI data from WiNG sensor devices, and calculates the location of Wi-Fi devices for MPact administrators.
Use this command to configure a policy defining the mode of scanning, the channels to scan (in case scan-mode is set to custom-scan), and the RSSI interval. For the sensor policy to take effect, use the policy either in the access point’s RF Domain context or in the access point’s device context.

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
sensor-policy <SENSOR-POLICY-NAME>

Parameters
• sensor-policy <SENSOR-POLICY-NAME>
sensor-policy <SENSOR-POLICY-NAME>
  Specify the Sensor policy name. If a sensor policy with the specified name does not exist, it is created. The name should not exceed 32 characters in length. No character spaces are permitted within the name. Define a name unique to the policy’s channel and scan mode configuration to help differentiate it from other policies.

Usage Guidelines
ADSP WIPS/MPact
Access point radios, functioning as sensors, along with AirDefense WIPS servers protect networks from attacks and unauthorized access. These access point sensors scan legal channels and (based on a WIPS policy’s settings) identify events that are potential threats to the managed network. These events are reported to the AirDefense WIPS server, which determines the action taken.
In addition to WIPS support, sensor functionality has now been added for the MPact locationing system. The MPact system for Wi-Fi locationing includes WiNG controllers and access points functioning as sensors. Within the MPact architecture, sensors scan for RSSI data on an administrator-defined interval and send it to a dedicated MPact server resource, as opposed to an ADSP server. The MPact server collects the RSSI data from WiNG sensor devices, and calculates the location of Wi-Fi devices. With the introduction of the MPact platform, the data collected by access point radios, functioning as sensors, is also used by the MPact server to provide real-time locationing services.
NOTE: If a dedicated sensor is utilized with WIPS for rogue detection, any sensor policy used is discarded and not utilized by the sensor. To avoid this situation, use ADSP channel settings exclusively to configure the sensor and not the WiNG interface.

Example
nx9500-6C8809(config)#sensor-policy test
nx9500-6C8809(config-sensor-policy-test)#?
Sensor Policy Mode commands:
  custom-scan             Channel configuration in Custom Scan channels
  no                      Negate a command or set its defaults
  rssi-interval-duration  Configure the periodicity of sensding RSSI info from
                          sensor to server
  scan-mode               Configure the Scan mode
  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  do                      Run commands from Exec mode
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal
nx9500-6C8809(config-sensor-policy-test)#

Related Commands
no
  Removes an existing sensor policy
4.1.92.2 sensor-policy-mode commands
sensor-policy
The following table summarizes sensor-policy configuration mode commands:

Table 4.50 Sensor-Policy-Config-Mode Commands
Command | Description | Reference
custom-scan | Configures the channel scanning settings when the scan-mode is set to custom-scan | page 4-431
rssi-interval-duration | Configures the interval at which dedicated sensors scan channels for RSSI assessments and send the collected data to a specified MPact server resource | page 4-433
scan-mode | Configures the mode of scanning used by dedicated sensors (access point radios) | page 4-434
no | Removes or reverts to default a sensor policy’s settings | page 4-435
4.1.92.2.1 custom-scan
sensor-policy-mode commands
Configures the channel scanning settings when the scan-mode is set to custom-scan

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
custom-scan channel-frequency <CHANNEL-FREQUENCY> width [20MHz|40MHz-Both|40MHz-Lower|40MHz-Upper|80MHz] scan-weight <SCAN-WEIGHT>

Parameters
• custom-scan channel-frequency <CHANNEL-FREQUENCY> width [20MHz|40MHz-Both|40MHz-Lower|40MHz-Upper|80MHz] scan-weight <SCAN-WEIGHT>
custom-scan
  Configures the custom-scan channel frequency, channel width, and scan weight
channel-frequency <CHANNEL-FREQUENCY>
  Configures the channel frequency. A list of unique channels in the 2.4, 4.9, 5 and 6 GHz band can be collectively or individually enabled for customized channel scans and RSSI reporting.
  • <CHANNEL-FREQUENCY> – Specify a single or multiple, ‘comma-separated’ channel frequencies.
width [20MHz|40MHz-Both|40MHz-Lower|40MHz-Upper|80MHz]
  Configures the channel width. When custom channels are selected for RSSI scans, each selected channel can have its own width defined. Numerous channels have their width fixed at 20 MHz; 802.11a radios support 20 and 40 MHz channel widths.
  • 20MHz – Sets the channel width as 20MHz
  • 40MHz-Both – Sets the channel width as 40MHz-Both
  • 40MHz-Lower – Sets the channel width as 40MHz-Lower
  • 40MHz-Upper – Sets the channel width as 40MHz-Upper
  • 80MHz – Sets the channel width as 80MHz
scan-weight <SCAN-WEIGHT>
  Configures the scan-weight (scanning duration) for each of the selected channels. Each selected channel can have its weight prioritized in respect to the amount of time a scan is permitted within the defined RSSI scan interval.
  • <SCAN-WEIGHT> – Specify the scan weightage given to each selected channel.

NOTE: If the mode of scanning is set to Custom-Scan, use this command to configure the channels to be scanned. To set the mode of scanning to custom-scan, use the scan-mode > Custom-Scan command. For more information, see scan-mode.

Example
nx9500-6C8809(config-sensor-policy-test)#custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 scan-mode Custom-Scan
 custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#

Related Commands
no
  Removes channels from the channels-to-scan list in case of scan-mode being set to Custom-Scan
4.1.92.2.2 rssi-interval-duration
sensor-policy-mode commands
Configures the interval, in seconds, at which dedicated sensors scan channels for RSSI assessments and send the RSSI data obtained to a specified server resource

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rssi-interval-duration <1-60>

Parameters
• rssi-interval-duration <1-60>
rssi-interval-duration <1-60>
  Configures the RSSI interval duration in seconds. This is the interval at which the sensor scans channels for RSSI data and forwards the data to a dedicated server resource. The server calculates real-time locations of Wi-Fi devices based on this data.
  • <1-60> – Specify the RSSI interval duration from 1 - 60 seconds. The default is 1 second.
  The channels scanned for RSSI assessment depend on the scan-mode selected. For more information, see scan-mode and custom-scan.
  Ensure that the server’s IP address or hostname has been configured in the access point sensor’s RF Domain context.

Example
nx9500-6C8809(config-sensor-policy-test)#rssi-interval-duration 30
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 rssi-interval-duration 30
 scan-mode Custom-Scan
 custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#

Related Commands
no
  Resets the interval at which RSSI data is collected and sent by the sensor to the MPact server host to default (1 second)
4.1.92.2.3 scan-mode
sensor-policy-mode commands
Configures the mode of scanning used by dedicated sensors (access point radios)

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
scan-mode [Channel-Lock|Custom-Scan|Default-Scan]
scan-mode Channel-Lock lock-frequency <LOCK-FREQUENCY>
scan-mode [Custom-Scan|Default-Scan]

Parameters
• scan-mode Channel-Lock lock-frequency <LOCK-FREQUENCY>
scan-mode
  Configures the mode of scanning used by the sensors to scan system-defined or user-defined channels for RSSI assessments. The options are: Channel-Lock, Custom-Scan, and Default-Scan.
Channel-Lock lock-frequency <LOCK-FREQUENCY>
  Configures the mode of scanning as Channel-Lock
  • lock-frequency <LOCK-FREQUENCY> – Locks scanning for RSSI data to one specific channel identified by the <LOCK-FREQUENCY> parameter.
    • <LOCK-FREQUENCY> – Specify the channel frequency in MHz. When specified, the sensor scans only this specified channel.
• scan-mode [Custom-Scan|Default-Scan]
scan-mode
  Configures the mode of scanning used by the sensor. The options are: channel-lock, custom-scan, and default-scan.
Custom-Scan
  Configures the mode of scanning as Custom-Scan
  Select this option to restrict scanning to user-defined channels. If selecting this option, use the custom-scan > channel-frequency command to configure the channels scanned by the dedicated sensor. For more information, see custom-scan.
Default-Scan
  Configures the mode of scanning as Default-Scan. This is the default setting.
  By default the system has a fixed, built-in list of channels that are scanned. These channels are hard coded in a spread pattern of 1, 6, 11, 36, 40, 44, and 48. When selected, the dedicated sensor scans only these default channels.

Example
nx9500-6C8809(config-sensor-policy-test)#scan-mode Custom-Scan
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 rssi-interval-duration 30
 scan-mode Custom-Scan
 custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#

Related Commands
no
  Reverts the scan-mode to default (Default-Scan)
4.1.92.2.4 no
sensor-policy-mode commands
Removes or reverts to default a sensor policy’s settings

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [custom-scan|rssi-interval-duration|scan-mode]
no custom-scan channel-frequency <CHANNEL-FREQUENCY-LIST>
no rssi-interval-duration
no scan-mode

Parameters
• no <PARAMETERS>
no <PARAMETERS>
  Removes or reverts to default a sensor policy’s settings based on the parameters passed

Example
The following example shows the sensor-policy ‘test’ settings before the ‘no’ commands are executed:
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 rssi-interval-duration 30
 scan-mode Custom-Scan
 custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#
The scan-mode is reverted back to the default setting of 'Default-Scan', as shown in the following output:
nx9500-6C8809(config-sensor-policy-test)#no scan-mode
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 rssi-interval-duration 30
 scan-mode Default-Scan
 custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#
nx9500-6C8809(config-sensor-policy-test)#no custom-scan channel-frequency 2412
nx9500-6C8809(config-sensor-policy-test)#no custom-scan channel-frequency 2417
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 rssi-interval-duration 30
 scan-mode Default-Scan
nx9500-6C8809(config-sensor-policy-test)#
4.1.93 smart-rf-policy
Global Configuration Commands
Configures a Smart RF policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
smart-rf-policy <SMART-RF-POLICY-NAME>

Parameters
• smart-rf-policy <SMART-RF-POLICY-NAME>
<SMART-RF-POLICY-NAME>
  Specify the Smart RF policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#smart-rf-policy test
rfs6000-81742D(config-smart-rf-policy-test)#?
Smart RF Mode commands:
  area                    Specify channel list/ power for an area
  assignable-power        Specify the assignable power during power-assignment
  avoidance-time          Time to avoid a channel once dfs/adaptivity
                          avoidance is necessary
  channel-list            Select channel list for smart-rf
  channel-width           Select channel width for smart-rf
  coverage-hole-recovery  Recover from coverage hole
  enable                  Enable this smart-rf policy
  group-by                Configure grouping parameters
  interference-recovery   Recover issues due to excessive noise and
                          interference
  neighbor-recovery       Recover issues due to faulty neighbor radios
  no                      Negate a command or set its defaults
  sensitivity             Configure smart-rf sensitivity (Modifies various
                          other smart-rf configuration items)
  smart-ocs-monitoring    Smart off channel scanning
  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or term
rfs6000-81742D(config-smart-rf-policy-test)#

Related Commands
no
  Removes an existing Smart RF policy

NOTE: For more information on Smart RF policy commands, see Chapter 19, SMART-RF-POLICY.
4.1.94 t5
Global Configuration Commands
Invokes the configuration mode of a t5 wireless controller
A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
t5 <T5-DEVICE-MAC>

Parameters
• t5 <T5-DEVICE-MAC>
t5 <T5-DEVICE-MAC>
  Specify the t5 device’s MAC address. The system enters the identified device’s configuration mode.
  A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices. The Customer Premises Equipment (CPEs) are the T5 controller managed radio devices using the IPX operating system. These CPEs use a Digital Subscriber Line (DSL) as their high speed Internet access mechanism using the CPE’s physical wallplate connection and phone jack.
  After logging on to the T5 device, use the ‘cpe’ keyword and configure the following mandatory settings:
  • vlan – Set a VLAN from 1 - 4,094 used as a virtual interface for connections between the T5 controller and its managed CPE devices.
  • start ip – Set a starting IP address used in a range of addresses available to T5 controller connecting CPE devices.
  • end ip – Set an end IP address used in a range of addresses available to T5 controller connecting CPE devices.

Example
rfs6000-81742D(config)#t5 B4:C7:99:ED:5C:2C
rfs6000-81742D(config-device-B4:C7:99:ED:5C:2C)#?
T5 Device Mode commands:
  adsp-sensor-server  Configure WIPS server
  bridge              Sets MAC address expiration time in the bridge address
                      table
  clock               Configure clock options
  cpe                 T5 CPE configuration
  hostname            Set system's network name
  interface           Select an interface to configure
  ip                  Internet Protocol (IP)
  no                  Negate a command or set its defaults
  ntp                 Configure NTP
  override-wlan       Configure RF Domain level overrides for wlan
  password            T5 password configuration
  qos                 QOS settings
  radius-server       Radius server settings
  t5                  T5 configuration
  t5-logging          Modify message logging facilities
  use                 Set setting to use
  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  do                  Run commands from Exec mode
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal
rfs6000-81742D(config-device-B4:C7:99:ED:5C:2C)#

Related Commands
no
  Removes the t5 wireless controller identified by the device’s MAC address
4.1.95 web-filter-policy
Global Configuration Commands
The following table lists commands that enable you to enter the Web Filter policy configuration mode:

Table 4.51 Commands Creating a Web-Filter-Policy
Command | Description | Reference
web-filter-policy | Creates a new Web Filter policy and enters its configuration mode | page 4-552
web-filter-policy-config-mode commands | Summarizes the Web Filter policy configuration mode commands | page 4-443
4.1.95.1 web-filter-policy
web-filter-policy
Creates a Web Filtering policy and enters its configuration mode. This policy defines rules managing the local classification database and the cached data. When configured and applied, this policy also enables caching of URL classification records in a local database in a controller-based, hierarchically managed (HM) deployment. Use this option to specify the following: classification server details, size of the local database, time for which records are cached in the database, the action taken in case the classification server is unavailable, etc.
The Web filter policy is applied at the profile or device level.
For more information on URL filtering, see url-filter.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
web-filter-policy <WEB-FILTER-POLICY-NAME>

Parameters
• web-filter-policy <WEB-FILTER-POLICY-NAME>
<WEB-FILTER-POLICY-NAME>
  Specify the Web filter policy name. If the policy does not exist, it is created.

Example
nx9500-6C8809(config)#web-filter-policy test
nx9500-6C8809(config-web-filter-policy-test)#?
Content Filter Mode commands:
  cache-max-recs       Configure the maximum number of records in local cache
  cache-save-interval  Configure the time a record is saved in local cache
  logging              Select logging method
  no                   Negate a command or set its defaults
  server-host          Configure URL classification server if it is not the
                       adopted controller
  server-unreachable   Permission to access website when classification server
                       is unreachable (default is pass)
  uncategorized-url    Permission to website when server fails to classify the
                       URL request (default is pass)
  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal
nx9500-6C8809(config-web-filter-policy-test)#

Related Commands
no
  Removes an existing Web filter policy
4.1.95.2 web-filter-policy-config-mode commands
web-filter-policy
The following table summarizes Web Filter policy configuration mode commands:

Table 4.52 Web-Filter-Policy-Config-Mode Commands
Command | Description | Reference
cache-max-recs | Configures the maximum number of records (URLs and Web pages) cached in the local database | page 4-444
cache-save-interval | Configures the maximum time period for which a record (URL and Web page classification entry) is cached in the local database | page 4-445
logging | Configures the method used to log Web filtering events | page 4-446
no | Reverts the selected Web Filter policy settings to default | page 4-447
server-host | Configures the URL classification server in case it is not the adopted controller | page 4-448
server-unreachable | Configures the action taken in case the classification server is unreachable | page 4-449
uncategorized-url | Configures the action taken in case the classification server fails to classify a URL/Website | page 4-450
4.1.95.2.1 cache-max-recs
web-filter-policy-config-mode commands
Configures the maximum number of records (URL and Web page classification entries) cached in the local database

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cache-max-recs <1-1000000>

Parameters
• cache-max-recs <1-1000000>
cache-max-recs <1-1000000>
  Specify the maximum number of records cached in the local database from 1 - 1000000.
  When configuring this value take into consideration the type of device using the Web Filter policy. The value should approximately be as per the following information:
  • NX95XX – <1-1000000> (default is 100000)
  • NX75XX – <1-100000> (default is 10000)
  • RFS Switches – <1-10000> (default is 1000)
  • Access Points – <1-1500> (default is 500)

Example
nx9500-6C8809(config-web-filter-policy-test)#cache-max-recs 9000
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 cache-max-recs 9000
nx9500-6C8809(config-web-filter-policy-test)#

Related Commands
no
  Reverts the maximum number of stored records to default. Please see the parameter table for default values for the different device types.
4.1.95.2.2 cache-save-interval
web-filter-policy-config-mode commands
Configures the maximum time period, in seconds, for which a record (URL and Web page classification entry) is cached in the local database. Once the specified time has expired the record is removed from the cache.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cache-save-interval <1-86400>

Parameters
• cache-save-interval <1-86400>
cache-save-interval <1-86400>
  Specify the maximum time period, in seconds, for which a record is cached in the local database from 1 - 86400 seconds. The default is 60 seconds.

Example
nx9500-6C8809(config-web-filter-policy-test)#cache-save-interval 1000
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 cache-max-recs 9000
 cache-save-interval 1000
nx9500-6C8809(config-web-filter-policy-test)#

Related Commands
no
  Reverts the maximum time period for which a record (URL and Web page classification entry) is cached in the local database to default (60)
4.1.95.2.3 logging
web-filter-policy-config-mode commands
Configures the method used to log Web filtering events

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
logging [logfile|syslog]

Parameters
• logging [logfile|syslog]
logging [logfile|syslog]
  Selects the method used to log Web filtering events. The options are:
  • logfile – Logs to a file.
  • syslog – Logs to the syslog server. This is the default setting.

Example
nx9500-6C8809(config-web-filter-policy-test)#logging logfile
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 logging logfile
nx9500-6C8809(config-web-filter-policy-test)#
4.1.95.2.4 no
web-filter-policy-config-mode commands
Reverts the selected Web Filter policy settings to default, based on the parameters passed

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [cache-max-recs|cache-save-interval|server-host|server-unreachable|uncategorized-url]

Parameters
• no <PARAMETERS>
no <PARAMETERS>
  Reverts the selected Web Filter policy settings to default, based on the parameters passed. Specify the parameters to revert back to default value.

Example
The following example shows the Web Filter policy ‘test’ settings before the ‘no’ command is executed:
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 cache-max-recs 9000
 cache-save-interval 1000
 uncategorized-url block
 server-unreachable block
 server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#
nx9500-6C8809(config-web-filter-policy-test)#no cache-max-recs
nx9500-6C8809(config-web-filter-policy-test)#no server-unreachable
nx9500-6C8809(config-web-filter-policy-test)#no uncategorized-url
The following example shows the Web Filter policy ‘test’ settings after the ‘no’ command has been executed:
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 cache-save-interval 1000
 server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#
4.1.95.2.5 server-host

Configures the URL classification server in case it is not the adopted controller

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
server-host [host-name <SERVER-HOST-NAME>|ip-address <SERVER-IPv4>|mint-id <SERVER-MiNT-ID>]

Parameters
• server-host [host-name <SERVER-HOST-NAME>|ip-address <SERVER-IPv4>|mint-id <SERVER-MiNT-ID>]

server-host [host-name <SERVER-HOST-NAME>|ip-address <SERVER-IPv4>|mint-id <SERVER-MiNT-ID>]
    Use one of the following options to identify the URL classification server:
    • host-name <SERVER-HOST-NAME> – Identifies the classification server by its hostname.
    • ip-address <SERVER-IPv4> – Identifies the classification server by its IP address.
    • mint-id <SERVER-MiNT-ID> – Identifies the classification server by its MiNT ID.

Example
nx9500-6C8809(config-web-filter-policy-test)#server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 cache-max-recs 9000
 cache-save-interval 1000
 server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#

Related Commands
no
    Removes the URL classification server’s configured details, such as hostname, ip-address, or MiNT ID.
4.1.95.2.6 server-unreachable

Configures the action taken in case the classification server is unreachable. Based on the value configured, an end user’s request for a URL/Website is either blocked or passed.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
server-unreachable [block|pass]

Parameters
• server-unreachable [block|pass]

server-unreachable [block|pass]
    Configures the action taken in case the classification server is unreachable. The options are:
    • block – Denies access to the requested URL/Website
    • pass – Allows access to the requested URL/Website. This is the default value.

Example
nx9500-6C8809(config-web-filter-policy-test)#server-unreachable block
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 cache-max-recs 9000
 cache-save-interval 1000
 server-unreachable block
 server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#

Related Commands
no
    Reverts the action taken in case the classification server is unreachable to default (pass)
4.1.95.2.7 uncategorized-url

Configures the action taken in case the classification server fails to classify a URL/Website. Based on the value configured, an end user’s request for a non-classified URL/Website is either blocked or passed.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
uncategorized-url [block|pass]

Parameters
• uncategorized-url [block|pass]

uncategorized-url [block|pass]
    Configures the action taken in case the classification server fails to classify a URL/Website. The options are:
    • block – Denies access to the requested non-classified URL/Website
    • pass – Allows access to the requested non-classified URL/Website. This is the default value.

Example
nx9500-6C8809(config-web-filter-policy-test)#uncategorized-url block
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 cache-max-recs 9000
 cache-save-interval 1000
 uncategorized-url block
 server-unreachable block
 server-host ip-address 192.168.13.13
nx9500-6C8809(config-web-filter-policy-test)#

Related Commands
no
    Reverts the action taken in case the classification server fails to classify a URL/Website to default (pass)
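Added example (not part of the WiNG guide or any Extreme Networks tooling): both server-unreachable and uncategorized-url default to pass, and a setting reverted with 'no' disappears from 'show context', so a missing line means the policy fails open. The Python below parses a saved configuration in the layout shown in the examples above and lists the policies that fail open; the sample text, the 'strict' policy and all function names are constructed for illustration.

```python
import re

# Defaults as documented on this page: a setting that is absent from
# 'show context' output has this value.
DEFAULTS = {"server-unreachable": "pass", "uncategorized-url": "pass", "logging": "syslog"}

# Constructed sample in the layout of the 'show context' output on this page.
# Policy 'test' mirrors the state shown after the 'no' commands were run;
# policy 'strict' and the trailing 'wlan' block are hypothetical.
SAMPLE_CONFIG = """\
web-filter-policy test
 cache-save-interval 1000
 server-host ip-address 192.168.13.13
!
web-filter-policy strict
 uncategorized-url block
 server-unreachable block
 logging logfile
!
wlan test
 ssid test
"""


def parse_web_filter_policies(config_text):
    """Return {policy: settings} with the documented defaults filled in.

    settings["explicit"] holds the keys that were actually present in the text.
    """
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank line or separator
        if raw[0] not in " \t":           # unindented line starts a new block
            match = re.fullmatch(r"web-filter-policy\s+(\S+)", line)
            current = None
            if match:
                current = policies.setdefault(
                    match.group(1), {**DEFAULTS, "explicit": set()}
                )
            continue
        if current is None:
            continue                      # indented line of some other block
        parts = line.split()
        if parts[0] in DEFAULTS and len(parts) == 2:
            current[parts[0]] = parts[1]
            current["explicit"].add(parts[0])
        elif parts[0] == "server-host" and len(parts) == 3:
            current["server-host"] = (parts[1], parts[2])
    return policies


def fail_open_findings(policies):
    """List (policy, setting, 'default'|'explicit') for every setting left at pass."""
    findings = []
    for name in sorted(policies):
        settings = policies[name]
        for key in ("server-unreachable", "uncategorized-url"):
            if settings[key] == "pass":
                source = "explicit" if key in settings["explicit"] else "default"
                findings.append((name, key, source))
    return findings


if __name__ == "__main__":
    for policy, setting, source in fail_open_findings(
        parse_web_filter_policies(SAMPLE_CONFIG)
    ):
        print(f"web-filter-policy {policy}: {setting} is pass ({source})")
```
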
4.1.96 wips-policy

Configures a WIPS policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wips-policy <WIPS-POLICY-NAME>

Parameters
• wips-policy <WIPS-POLICY-NAME>

<WIPS-POLICY-NAME>
    Specify the WIPS policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#wips-policy test
rfs6000-81742D(config-wips-policy-test)#?
Wips Policy Mode commands:
  ap-detection               Rogue AP detection
  enable                     Enable this wips policy
  event                      Configure an event
  history-throttle-duration  Configure the duration for which event duplicates
                             are not stored in history
  interference-event         Specify events which will contribute to smart-rf
                             wifi interference calculations
  no                         Negate a command or set its defaults
  signature                  Signature to configure
  use                        Set setting to use

  clrscr                     Clears the display screen
  commit                     Commit all changes made in this session
  do                         Run commands from Exec mode
  end                        End current mode and change to EXEC mode
  exit                       End current mode and down to previous mode
  help                       Description of the interactive help system
  revert                     Revert changes
  service                    Service Commands
  show                       Show running system information
  write                      Write running configuration to memory or terminal

rfs6000-81742D(config-wips-policy-test)#

Related Commands
no
    Removes an existing WIPS policy

NOTE: For more information on WIPS policy commands, see Chapter 20, WIPS-POLICY.
4.1.97 wlan

Configures a Wireless Local Area Network (WLAN)

The following table lists WLAN configuration mode commands:

Table 4.53 WLAN-Policy Config Commands
Command             Description                                                    Reference
wlan                Creates a new wireless LAN and enters its configuration mode   page 4-453
wlan-mode commands  Summarizes WLAN configuration mode commands                    page 4-457
4.1.97.1 wlan

Configures a WLAN and enters its configuration mode. Use this command to modify an existing WLAN’s settings.

A WLAN is a data-communications system that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or Orthogonal Frequency Division Multiplexing (OFDM) modulation based technology. WLANs do not require lining up devices for line-of-sight transmission, and are thus desirable for wireless networking. Roaming users can be handed off from one access point to another, like a cellular phone system. WLANs can therefore be configured around the needs of specific user groups, even when they are not in physical proximity.

WLANs can provide an abundance of services, including data communications (allowing mobile devices to access applications), e-mail, file, and print services or even specialty applications (such as guest access control and asset tracking).

Each WLAN configuration contains encryption, authentication and QoS policies and conditions for user connections. Connected access point radios transmit periodic beacons for each BSS. A beacon advertises the SSID, security requirements, and supported data rates of the wireless network to enable clients to locate and connect to the WLAN.

WLANs are mapped to radios on each access point. A WLAN can be advertised from a single access point radio or can span multiple access points and radios. WLAN configurations can be defined to provide service to specific areas of a site. For example, a guest access WLAN may only be mapped to a 2.4 GHz radio in a lobby or conference room providing limited coverage, while a data WLAN is mapped to all 2.4 GHz and 5.0 GHz radios at the branch site to provide complete coverage.

The maximum number of WLANs supported by different devices is as follows:
• RFS4000 and RFS6000 wireless controllers – 32 WLANs
• NX95XX series service platforms – 1000 WLANs
• Access Points – 16 WLANs

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wlan {<WLAN-NAME>|containing <WLAN-NAME>}
Parameters
• wlan {<WLAN-NAME>|containing <WLAN-NAME>}

wlan <WLAN-NAME>
    Configures a new WLAN
    • <WLAN-NAME> – Optional. Specify the WLAN name.
    The WLAN name could be a logical representation of its coverage area (for example, engineering, marketing, etc.). The name cannot exceed 32 characters.

containing <WLAN-NAME>
    Optional. Configures an existing WLAN’s settings
    • <WLAN-NAME> – Specify a sub-string in the WLAN name. Use this parameter to filter a WLAN. This option allows you to select and enter the configuration mode of one or more WLANs.

Example
rfs6000-81742D(config)#wlan 1
rfs6000-81742D(config-wlan-1)#?
Wireless LAN Mode commands:
  accounting                             Configure how accounting records are
                                         created for this wlan
  acl                                    Actions taken based on ACL
                                         configuration [packet drop being one
                                         of them]
  answer-broadcast-probes                Include this wlan when responding to
                                         probe requests that do not specify an
                                         SSID
  assoc-response                         Association response threshold
  association-list                       Configure the association list for
                                         the wlan
  authentication-type                    The authentication type of this WLAN
  bridging-mode                          Configure how packets to/from this
                                         wlan are bridged
  broadcast-dhcp                         Configure broadcast DHCP packet
                                         handling
  broadcast-ssid                         Advertise the SSID of the WLAN in
                                         beacons
  captive-portal-enforcement             Enable captive-portal enforcement on
                                         the wlan
  client-access                          Enable client-access (normal data
                                         operations) on this wlan
  client-client-communication            Allow switching of frames from one
                                         wireless client to another on this
                                         wlan
  client-load-balancing                  Configure load balancing of clients
                                         on this wlan
  controller-assisted-mobility           Enable controller assisted mobility
                                         to determine wireless clients' VLAN
                                         assignment
  data-rates                             Specify the 802.11 rates to be
                                         supported on this wlan
  description                            Configure a description of the usage
                                         of this wlan
  downstream-group-addressed-forwarding  Enable downstream group addressed
                                         forwarding of packets
  dpi                                    Deep-Packet-Inspection (Application
                                         Assurance)
  dynamic-vlan-assignment                Dynamic VLAN assignment configuration
  eap-types                              Configure client access based on
                                         eap-type used for authentication
  encryption-type                        Configure the encryption to use on
                                         this wlan
  enforce-dhcp                           Drop packets from Wireless Clients
                                         with static IP address
  fast-bss-transition                    Configure support for 802.11r Fast
                                         BSS Transition
  http-analyze                           Enable HTTP URL analysis on the wlan
  ip                                     Internet Protocol (IP)
  ipv6                                   Internet Protocol version 6 (IPv6)
  kerberos                               Configure kerberos authentication
                                         parameters
  mac-authentication                     Configure mac-authentication related
                                         parameters
  no                                     Negate a command or set its defaults
  nsight                                 Nsight Server
  opendns                                OpenDNS related config for this wlan
  protected-mgmt-frames                  Protected Management Frames (IEEE
                                         802.11w) related configuration (DEMO
                                         FEATURE)
  proxy-arp-mode                         Configure handling of ARP requests
                                         with proxy-arp is enabled
  proxy-nd-mode                          Configure handling of IPv6 ND
                                         requests with proxy-nd is enabled
  qos-map                                Support the 802.11u QoS map element
                                         and frame
  radio-resource-measurement             Configure support for 802.11k Radio
                                         Resource Measurement
  radius                                 Configure RADIUS related parameters
  registration                           Enable dynamic registration of device
                                         (or) user
  relay-agent                            Configure dhcp relay agent info
  shutdown                               Shutdown this wlan
  ssid                                   Configure the Service Set Identifier
                                         for this WLAN
  t5-client-isolation                    Isolate traffic among clients
  t5-security                            Configure encryption and
                                         authentication
  time-based-access                      Configure client access based on time
  use                                    Set setting to use
  vlan                                   Configure the vlan where traffic from
                                         this wlan is mapped
  vlan-pool-member                       Add a member vlan to the pool of
                                         vlans for the wlan (Note:
                                         configuration of a vlan-pool
                                         overrides the 'vlan' configuration)
  wep128                                 Configure WEP128 parameters
  wep64                                  Configure WEP64 parameters
  wing-extensions                        Enable support for WiNG-Specific
                                         extensions to 802.11
  wireless-client                        Configure wireless-client specific
                                         parameters
  wpa-wpa2                               Modify tkip-ccmp (wpa/wpa2) related
                                         parameters

  clrscr                                 Clears the display screen
  commit                                 Commit all changes made in this
                                         session
  do                                     Run commands from Exec mode
  end                                    End current mode and change to EXEC
                                         mode
  exit                                   End current mode and down to previous
                                         mode
  help                                   Description of the interactive help
                                         system
  revert                                 Revert changes
  service                                Service Commands
  show                                   Show running system information
  write                                  Write running configuration to memory
                                         or terminal

rfs6000-81742D(config-wlan-1)#

The following example shows how to use the ‘containing’ keyword to enter the configuration mode of an existing WLAN:
rfs6000-81742D(config)#wlan containing wlan1
rfs6000-81742D(config-wlan-{'containing': 'wlan1'})#
4.1.97.2 wlan-mode commands

This section documents the WLAN configuration mode commands in detail.

Use the (config) instance to configure WLAN related parameters.

To navigate to this instance, use the following command:
<DEVICE>(config)#wlan <WLAN-NAME>

The following table summarizes WLAN configuration mode commands:

Table 4.54 WLAN-Mode Commands
Command                                Description                                                                  Reference
accounting                             Defines a WLAN accounting configuration                                      page 4-460
acl                                    Defines the actions based on an ACL rule configuration                       page 4-462
answer-broadcast-probes                Allows a WLAN to respond to probes for broadcast ESS                         page 4-464
assoc-response                         Configures a minimum receive signal strength indication (RSSI) value, below which the WLAN does not send a response to a client’s association request  page 4-465
association-list                       Attaches an existing global association list to a WLAN                       page 4-466
authentication-type                    Sets a WLAN’s authentication type                                            page 4-467
bridging-mode                          Configures how packets to/from this WLAN are bridged                         page 4-469
broadcast-dhcp                         Configures broadcast DHCP packet handling                                    page 4-470
broadcast-ssid                         Advertises a WLAN’s SSID in beacons                                          page 4-471
captive-portal-enforcement             Configures a WLAN’s captive portal enforcement                               page 4-472
client-access                          Enables WLAN client access (normal data operations)                          page 4-473
client-client-communication            Allows the switching of frames from one wireless client to another on a WLAN  page 4-474
client-load-balancing                  Enables load balancing of WLAN clients                                       page 4-475
controller-assisted-mobility           Enables controller assisted mobility to determine wireless clients' VLAN assignment  page 4-477
data-rates                             Specifies the 802.11 rates supported on the WLAN                             page 4-478
description                            Sets a WLAN’s description                                                    page 4-481
downstream-group-addressed-forwarding  Enables forwarding of downstream packets addressed to a group                page 4-482
dpi                                    Enables extraction of metadata flows on the WLAN                             page 4-483
dynamic-vlan-assignment                Configures dynamic VLAN assignment on this WLAN                              page 4-485
eap-types                              Configures client access based on eap-type used for authentication           page 4-486
encryption-type                        Sets a WLAN’s encryption type                                                page 4-488
enforce-dhcp                           Drops packets from clients with a static IP address                          page 4-489
fast-bss-transition                    Configures support for 802.11r fast BSS transition on a WLAN                 page 4-490
http-analyze                           Enables HTTP URL analysis on the WLAN                                        page 4-491
ip                                     Configures IPv4 settings on this WLAN                                        page 4-493
ipv6                                   Configures IPv6 settings on this WLAN                                        page 4-494
kerberos                               Configures Kerberos authentication parameters                                page 4-495
mac-authentication                     Configures MAC authentication parameters                                     page 4-497
no                                     Negates a command or reverts settings to their default                       page 4-498
nsight                                 Enables retention of guest client history in the NSight database             page 4-502
opendns                                Configures the device ID, which is embedded in each DNS query packet going out from an access point, wireless controller, or service platform to the OpenDNS server  page 4-503
protected-mgmt-frames                  Enables and configures the WLAN's frame protection mode and security association  page 4-505
proxy-arp-mode                         Enables the proxy ARP mode for ARP requests                                  page 4-507
proxy-nd-mode                          Configures the proxy ND mode for this WLAN member clients as either strict or dynamic  page 4-508
qos-map                                Enables support for 802.11u QoS map element and frames                       page 4-509
radio-resource-measurement             Enables support for 802.11k radio resource measurement                       page 4-510
radius                                 Configures RADIUS parameters                                                 page 4-511
registration                           Configures settings enabling dynamic registration of devices. Use this command to specify the mode of registration and to configure corresponding parameters.  page 4-513
relay-agent                            Enables support for DHCP relay agent information (option 82) feature on this WLAN  page 4-516
shutdown                               Auto shuts down a WLAN                                                       page 4-518
ssid                                   Configures a WLAN’s SSID                                                     page 4-520
t5-client-isolation                    Disallows clients connecting to the WLAN to communicate with one another     page 4-521
t5-security                            Configures T5 PowerBroadband security settings                               page 4-522
time-based-access                      Configures time-based client access                                          page 4-524
use                                    Defines WLAN mode configuration settings                                     page 4-525
vlan                                   Sets VLAN assignment for a WLAN                                              page 4-529
vlan-pool-member                       Adds a member VLAN to the pool of VLANs for a WLAN                           page 4-530
wep128                                 Configures WEP128 parameters                                                 page 4-532
wep64                                  Configures WEP64 parameters                                                  page 4-534
wing-extensions                        Enables support for WiNG specific extensions to 802.11                       page 4-536
wireless-client                        Configures the transmit power for wireless clients transmission              page 4-539
wpa-wpa2                               Modifies TKIP and CCMP (WPA/WPA2) related parameters                         page 4-542
service                                Invokes service commands applicable in the WLAN configuration mode           page 4-545
4.1.97.2.1 accounting

Defines the WLAN’s accounting configuration

Accounting is the method of collecting user data, such as start and stop times, executed commands (for example, PPP), number of packets and number of bytes received and transmitted. This data is sent to the security server for billing, auditing, and reporting purposes. Accounting enables wireless network administrators to track the services and network resources accessed and consumed by users. When enabled, this feature allows the network access server to report and log user activity to a RADIUS security server in the form of accounting records. Each accounting record is comprised of AV pairs and is stored on the access control server. The data can be analyzed for network management, client billing, and/or auditing. Accounting methods must be defined through AAA policies.

Accounting can be enabled and applied to access point, wireless controller, or service platform managed WLANs. Once enabled, it uniquely logs accounting events specific to the managed WLAN. Accounting logs contain information about the use of remote access services by users. This information is of great assistance in partitioning local versus remote users and how to best accommodate each. Remote user information can be archived to a location outside of the access point for periodic network and user permission administration.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
accounting [radius|syslog|wait-client-ip]
accounting [radius|wait-client-ip]
accounting syslog [host|mac-address-format]
accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}
accounting syslog mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper]

Parameters
• accounting [radius|wait-client-ip]

accounting radius
    Enables support for WLAN RADIUS accounting messages. This option is disabled by default.
    When enabled, the WLAN uses an external RADIUS resource for accounting.
    Use the use > aaa-policy > <AAA-POLICY-NAME> command to associate an appropriate AAA policy with this WLAN. This AAA policy should already exist and should define the accounting, authentication, and authorization parameters.

accounting wait-client-ip
    Enables waiting for client’s IP before commencing the accounting procedure
• accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}

accounting syslog
    Enables support for WLAN syslog accounting messages in standard syslog format (RFC 3164). This option is disabled by default.

host <IP/HOSTNAME>
    Configures a syslog destination hostname or IP address for accounting records
    • <IP/HOSTNAME> – Specify the IP address or name of the destination host.

port <1-65535>
    Optional. Configures the syslog server’s UDP port (this port is used to connect to the server)
    • <1-65535> – Specify the port from 1 - 65535. Default port is 514.

proxy-mode [none|through-controller|through-rf-domain-manager]
    Optional. Configures the request proxying mode
    • none – Requests are directly sent to the server from the device
    • through-controller – Proxies requests through the controller (access point, wireless controller, or service platform) configuring the device
    • through-rf-domain-manager – Proxies requests through the local RF Domain manager

• accounting syslog mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper]

accounting syslog
    Enables support for WLAN syslog accounting messages

mac-address-format
    Configures the MAC address format used in syslog messages

middle-hyphen
    Configures the MAC address format with middle hyphen (AABBCC-DDEEFF)

no-delim
    Configures the MAC address format without delimiters (AABBCCDDEEFF)

pair-colon
    Configures the MAC address format with pair-colon delimiters (AA:BB:CC:DD:EE:FF)

pair-hyphen
    Configures the MAC address format with pair-hyphen delimiters (AA-BB-CC-DD-EE-FF). This is the default setting.

quad-dot
    Configures the MAC address format with quad-dot delimiters (AABB.CCDD.EEFF)

case [lower|upper]
    The following keywords are common to all:
    • case – Specifies MAC address case (upper or lower)
    • lower – Specifies MAC address is filled in lower case (for example, aa-bb-cc-dd-ee-ff)
    • upper – Specifies MAC address is filled in upper case (for example, AA-BB-CC-DD-EE-FF)

Example
rfs6000-81742D(config-wlan-test)#accounting syslog host 172.16.10.4 port 2 proxy-mode none
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 accounting syslog host 172.16.10.4 port 2
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Disables sending of accounting message to the RADIUS server, disables syslog accounting, or disables waiting for client’s IP before sending accounting messages
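Added example (not part of the WiNG guide): when WLANs are configured with different mac-address-format and case values, the same client appears under several spellings in the syslog accounting stream, which breaks correlation on the collector. The Python below recognises the five documented formats, converts them to one canonical form, and reports which formats each client was seen in; the syslog lines, their field layout and the function names are constructed for illustration, since the page does not show an accounting record.

```python
import re
from collections import defaultdict

H = "[0-9A-Fa-f]"
# The five mac-address-format keywords documented above, as strict patterns.
FORMATS = {
    "pair-colon":    rf"{H}{{2}}(?::{H}{{2}}){{5}}",    # AA:BB:CC:DD:EE:FF
    "pair-hyphen":   rf"{H}{{2}}(?:-{H}{{2}}){{5}}",    # AA-BB-CC-DD-EE-FF (default)
    "quad-dot":      rf"{H}{{4}}(?:\.{H}{{4}}){{2}}",   # AABB.CCDD.EEFF
    "middle-hyphen": rf"{H}{{6}}-{H}{{6}}",             # AABBCC-DDEEFF
    "no-delim":      rf"{H}{{12}}",                     # AABBCCDDEEFF
}
# A token must not be glued to other address-like characters on either side.
# Caveat: no-delim also matches any isolated run of 12 hex digits.
TOKEN = re.compile(
    r"(?<![0-9A-Za-z:.\-])(?:" + "|".join(FORMATS.values()) + r")(?![0-9A-Za-z:.\-])"
)
GROUPING = {"pair-colon": (2, ":"), "pair-hyphen": (2, "-"), "quad-dot": (4, "."),
            "middle-hyphen": (6, "-"), "no-delim": (12, "")}

# Constructed RFC 3164 style lines; the message fields are hypothetical.
SAMPLE_LINES = [
    "<134>Sep 20 10:15:02 ap7532-1 acct: wlan=test client=AA-BB-CC-DD-EE-FF event=start",
    "<134>Sep 20 10:15:09 ap8432-2 acct: wlan=test client=aabb.ccdd.eeff event=stop",
    "<134>Sep 20 10:15:11 rfs6000-1 acct: wlan=guest client=001122334455 event=start",
]


def classify(token):
    """Return (format_keyword, case) for one MAC token, or None if it fits no format."""
    for name, pattern in FORMATS.items():
        if re.fullmatch(pattern, token):
            letters = [c for c in token if c.isalpha()]
            if not letters:
                case = None          # digits only: case cannot be inferred
            elif all(c.isupper() for c in letters):
                case = "upper"
            elif all(c.islower() for c in letters):
                case = "lower"
            else:
                case = "mixed"       # not something the 'case' keyword produces
            return name, case
    return None


def normalize(token):
    """Convert any documented format to lower-case pair-colon for correlation."""
    if classify(token) is None:
        raise ValueError(f"not a documented MAC format: {token!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", token).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def render(canonical, fmt, case="upper"):
    """Render a canonical MAC the way a given mac-address-format/case would."""
    size, sep = GROUPING[fmt]
    digits = canonical.replace(":", "")
    out = sep.join(digits[i:i + size] for i in range(0, 12, size))
    return out.upper() if case == "upper" else out.lower()


def formats_per_client(lines):
    """Map canonical MAC -> set of (format, case) spellings seen in the lines."""
    seen = defaultdict(set)
    for line in lines:
        for match in TOKEN.finditer(line):
            seen[normalize(match.group(0))].add(classify(match.group(0)))
    return dict(seen)


if __name__ == "__main__":
    for mac, spellings in sorted(formats_per_client(SAMPLE_LINES).items()):
        flag = "  <- inconsistent sender settings" if len(spellings) > 1 else ""
        print(mac, sorted(spellings, key=str), flag)
```
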
4.1.97.2.2 acl

Defines the actions taken based on an ACL rule configuration

Use the use > ip-access-list <IP-ACCESS-LIST-NAME> command to associate an ACL with the WLAN. The ACL rule is determined by the associated ACL’s configuration.

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a firewall can be thought of as mechanisms allowing and denying data traffic in respect to administrator defined rules. For an overview of firewalls, see FIREWALL-POLICY.

WLANs use firewalls like Access Control Lists (ACLs) to filter/mark packets based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of conditions (rules) a packet must satisfy to match the ACE. The order of conditions in the list is critical since filtering is stopped after the first match.

IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL.

Additionally, administrators can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC Firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to WLAN packet traffic.

Keep in mind IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>|disassociate}

Parameters
• acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>|disassociate}

acl exceed-rate
    Sets the action taken based on an ACL rule configuration (for example, drop a packet)
    • exceed-rate – Action is taken when the rate exceeds a specified value
wireless-client-denied-traffic <0-1000000>
    Sets the action to deny traffic to the wireless client when the rate exceeds the specified value
    • <0-1000000> – Specify an allowed rate threshold of disallowed traffic in packets/sec.
    If enabled, this option allows an associated client, exceeding the thresholds configured for storm traffic, to be either de-authenticated or blacklisted depending on the action selected. This option is disabled by default.

blacklist <0-86400>
    Optional. When enabled, sets the time interval, in seconds, to blacklist a wireless client.
    • <0-86400> – Configures the blacklist duration from 0 - 86400 seconds. Offending clients are re-authenticated once the blacklist duration, configured here, has elapsed.

disassociate
    Optional. When enabled, disassociates a wireless client

Example
rfs6000-81742D(config-wlan-test)#acl exceed-rate wireless-client-denied-traffic 20 disassociate
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 accounting syslog host 172.16.10.4 port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Removes the action (de-authenticate or blacklist) to be taken when an associated client exceeds the thresholds configured for storm traffic

4.1.97.2.3 answer-broadcast-probes
wlan-mode commands

Allows the WLAN to respond to probe requests that do not specify a SSID. These probes are for broadcast ESS. This feature is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
answer-broadcast-probes

Parameters
None

Example
rfs6000-81742D(config-wlan-1)#answer-broadcast-probes
rfs6000-81742D(config-wlan-1)#

Related Commands
no
Does not allow this WLAN to respond to probe requests that do not specify a SSID

4.1.97.2.4 assoc-response
wlan-mode commands

Configures the deny-threshold and rssi-threshold values. These threshold values are considered when responding to a client’s association/authentication request.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
assoc-response [deny-threshold <1-12>|rssi-threshold <-100--40>]

Parameters
• assoc-response [deny-threshold <1-12>|rssi-threshold <-100--40>]

assoc-response
Configures the association response thresholds

deny-threshold <1-12>
Configures the number of times an association/authentication request from a client is ignored if the RSSI is less than the configured RSSI threshold. This option is disabled by default.
• <1-12> – Specify the deny-threshold from 1 - 12.

rssi-threshold <-100--40>
Configures an association response RSSI threshold value. If the RSSI is below the configured threshold value, the client’s association/authentication request is ignored. This option is disabled by default.
• rssi-threshold <-100--40> – Specify a value from -100 - -40 dBm.

Example
nx9500-6C8809(config-wlan-test)#assoc-response rssi-threshold -60
nx9500-6C8809(config-wlan-test)#assoc-response deny-threshold 4
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type none
 assoc-response rssi-threshold -60
 assoc-response deny-threshold 4
 registration user group-name guest expiry-time 2000 agreement-refresh 14400
nx9500-6C8809(config-wlan-test)#

Related Commands
no
Removes the configured deny-threshold and rssi-threshold values

4.1.97.2.5 association-list
wlan-mode commands

Attaches an existing global association list with this WLAN. For more information on global association lists, see global-association-list.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
association-list global <GLOBAL-ASSO-LIST-NAME>

Parameters
• association-list global <GLOBAL-ASSO-LIST-NAME>

association-list global <GLOBAL-ASSO-LIST-NAME>
Attaches an existing global association list with this WLAN
• <GLOBAL-ASSO-LIST-NAME> – Specify the global association list name (should be existing and configured).

Example
rfs4000-229D58(config-wlan-test)#association-list global my-clients
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 association-list global my-clients
rfs4000-229D58(config-wlan-test)#

Related Commands
no
Removes the global association list’s association with this WLAN

4.1.97.2.6 authentication-type
wlan-mode commands

Sets the WLAN’s authentication type

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none]

Parameters
• authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none]

authentication-type
Configures a WLAN’s authentication type
The authentication types are: EAP, EAP-MAC, EAP-PSK, Kerberos, MAC, and none.

eap
Configures EAP authentication (802.1X)
EAP is the de-facto standard authentication method used to provide secure authenticated access to controller managed WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over controller managed WLANs.
The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). An access point passes EAP packets from the client to an authentication server on the wired side of the access point. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the client’s identity.
If using EAP authentication ensure that an AAA policy is mapped to the WLAN.

eap-mac
Configures EAP or MAC authentication depending on client. (This setting is valid only with the None encryption type.)
EAP-MAC is useful in a hotspot environment, as some clients support EAP and an administrator may want to authenticate based on just the MAC address of the device.

eap-psk
Configures EAP authentication or pre-shared keys depending on client (This setting is only valid with Temporal Key Integrity Protocol (TKIP) or Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption types).
When using PSK with EAP, the controller sends a packet requesting a secure link using a pre-shared key. The controller and authenticating device must use the same authenticating algorithm and pass code during authentication. EAP-PSK is useful when transitioning from a PSK network to one that supports EAP.
If using eap-psk authentication ensure that an AAA policy is mapped to the WLAN.

kerberos
Configures Kerberos authentication (encryption will change to WEP128 if it’s not already WEP128 or Keyguard)
Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection.
Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access point with 802.11b clients. Kerberos uses Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s).

mac
Configures MAC authentication (RADIUS lookup of MAC address)
MAC is a device level authentication method used to augment other security schemes when legacy devices are deployed using static WEP.
MAC authentication can be used for device level authentication by permitting WLAN access based on device MAC address. MAC authentication is typically used to augment WLAN security options that do not use authentication (such as static WEP, WPA-PSK and WPA2-PSK). MAC authentication can also be used to assign VLAN memberships, Firewall policies and time and date restrictions.
MAC authentication can only identify devices, not users.
If using mac authentication ensure that an AAA policy is mapped to the WLAN.

none
No authentication is used or the client uses pre-shared keys. This is the default value.

Example
rfs6000-81742D(config-wlan-test)#authentication-type eap
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
rfs6000-81742D(config-wlan-test)#

Related Commands
no
Resets the authentication mode used with this WLAN to default (none/pre-shared keys)
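
The authentication-type descriptions above tie each type to an encryption type or to a mapped AAA policy. The following added example (not part of the vendor guide) lints WLAN `show context` text against those stated constraints. The sample configuration is constructed, and the `use aaa-policy` line and the encryption keywords `tkip`, `ccmp`, `tkip-ccmp`, `wep128`, `keyguard` and `wep128-keyguard` are assumptions about how the AAA mapping and the encryption types named in the text appear in the output.

```python
import re

# Constraints below are taken from the authentication-type parameter text.
NEEDS_AAA = {"eap", "eap-psk", "mac"}
# Assumed CLI keywords for the TKIP/CCMP encryption types named in the text.
TKIP_CCMP = {"tkip", "ccmp", "tkip-ccmp"}
# Assumed CLI keywords for the WEP128/Keyguard encryption types named in the text.
WEP128_KEYGUARD = {"wep128", "keyguard", "wep128-keyguard"}

PROMPT = re.compile(r"^\S+\(config[^)]*\)#")

# Constructed sample, modelled on the show context output in this guide.
SAMPLE = """\
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type eap
wlan guest
 ssid guest
 encryption-type ccmp
 authentication-type eap-mac
wlan migrate
 ssid migrate
 encryption-type ccmp
 authentication-type eap-psk
 use aaa-policy corp-aaa
wlan lobby
 ssid lobby
 encryption-type none
 authentication-type none
"""


def parse_wlan_context(text):
    """Return {wlan name: {keyword: [argument strings]}}; prompt lines are skipped."""
    wlans, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or PROMPT.match(raw):
            continue
        if raw.startswith("wlan "):
            current = wlans.setdefault(raw.split()[1], {})
        elif raw[0].isspace() and current is not None:
            keyword, _, rest = raw.strip().partition(" ")
            current.setdefault(keyword, []).append(rest)
    return wlans


def audit_wlan(settings):
    """Return (code, message) findings for one WLAN's settings."""
    # authentication-type defaults to none per the guide; treating a missing
    # encryption-type as none is an assumption of this example.
    auth = settings.get("authentication-type", ["none"])[-1]
    enc = settings.get("encryption-type", ["none"])[-1]
    has_aaa = any(a.startswith("aaa-policy ") for a in settings.get("use", []))
    findings = []
    if auth in NEEDS_AAA and not has_aaa:
        findings.append(("aaa-policy-missing",
                         f"authentication-type {auth} needs an AAA policy mapped to the WLAN"))
    if auth == "eap-mac" and enc != "none":
        findings.append(("eap-mac-encryption",
                         "eap-mac is valid only with the None encryption type"))
    if auth == "eap-psk" and enc not in TKIP_CCMP:
        findings.append(("eap-psk-encryption",
                         "eap-psk is valid only with TKIP or CCMP encryption"))
    if auth == "kerberos" and enc not in WEP128_KEYGUARD:
        findings.append(("kerberos-encryption",
                         "kerberos changes encryption to WEP128 unless it is WEP128 or Keyguard"))
    if auth == "none" and enc == "none":
        findings.append(("open-wlan", "no authentication and no encryption configured"))
    return findings


def audit(text):
    """Return {wlan name: [finding codes]} for every WLAN in the text."""
    return {name: [code for code, _ in audit_wlan(settings)]
            for name, settings in parse_wlan_context(text).items()}


if __name__ == "__main__":
    for name, settings in parse_wlan_context(SAMPLE).items():
        for code, message in audit_wlan(settings):
            print(f"wlan {name}: {code}: {message}")
```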

4.1.97.2.7 bridging-mode
wlan-mode commands

Configures how packets are bridged to and from a WLAN

Use this command to define which VLANs are bridged, and how local VLANs are bridged between the wired and wireless sides of the network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bridging-mode [local|tunnel]

Parameters
• bridging-mode [local|tunnel]

bridging-mode
Configures how packets are bridged to and from a WLAN. The options are local and tunnel.

local
Bridges packets between WLAN and local ethernet ports. This is the default mode.

tunnel
Tunnels packets to other devices (typically a wireless controller or service platform)

Example
rfs6000-81742D(config-wlan-test)#bridging-mode local
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
rfs6000-81742D(config-wlan-test)#

4.1.97.2.8 broadcast-dhcp
wlan-mode commands

Configures broadcast DHCP packet handling parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
broadcast-dhcp validate-offer

Parameters
• broadcast-dhcp validate-offer

validate-offer
Enables validation of the broadcast DHCP packet destination (a wireless client associated to the radio) before forwarding over the air. This option is disabled by default.

Example
rfs6000-81742D(config-wlan-test)#broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#

Related Commands
no
Disables validation of the broadcast DHCP packet destination (a wireless client associated to the radio) before forwarding over the air

4.1.97.2.9 broadcast-ssid
wlan-mode commands

Advertises the WLAN SSID in beacons. If a hacker tries to isolate and hack a SSID from a client, the SSID will display since the ESSID is in the beacon. This feature is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
broadcast-ssid

Parameters
None

Example
rfs6000-81742D(config-wlan-1)#broadcast-ssid
rfs6000-81742D(config-wlan-1)#

Related Commands
no
Disables the broadcasting of the WLAN’s SSID in beacons

4.1.97.2.10 captive-portal-enforcement
wlan-mode commands

Configures the captive portal enforcement on this WLAN. When enabled, provides successfully authenticated guests temporary and restricted access to the network. If enforcing captive-portal authentication, specify the captive-portal policy to use. For more information, see use.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
captive-portal-enforcement {fall-back}

Parameters
• captive-portal-enforcement {fall-back}

captive-portal-enforcement
Enables captive portal enforcement on a WLAN. This option is disabled by default.

fall-back
Optional. Enforces captive portal validation if WLAN authentication fails (applicable to EAP or MAC authentication only)

Example
rfs6000-81742D(config-wlan-test)#captive-portal-enforcement fall-back
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 captive-portal-enforcement fall-back
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#

Related Commands
no
Disables captive portal enforcement

4.1.97.2.11 client-access
wlan-mode commands

Enables WLAN client access (for normal data operations)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
client-access

Parameters
None

Example
rfs6000-81742D(config-wlan-1)#client-access
rfs6000-81742D(config-wlan-1)#

Related Commands
no
Disables WLAN client access

4.1.97.2.12 client-client-communication
wlan-mode commands

Allows frame switching from one client to another on a WLAN

This option is enabled by default. It allows clients to exchange packets with other clients. It does not necessarily prevent clients on other WLANs from sending packets to this WLAN, but as long as this setting is also disabled on that WLAN, clients are not permitted to interoperate.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
client-client-communication

Parameters
None

Example
rfs6000-81742D(config-wlan-1)#client-client-communication
rfs6000-81742D(config-wlan-1)#

Related Commands
no
Disables frame switching from one client to another on a WLAN

4.1.97.2.13 client-load-balancing
wlan-mode commands

Enforces client load balancing on a WLAN’s access point radios. AP6522, AP6532, AP6562, AP81XX, and AP82XX models can support 256 clients per access point. AP6511 and AP6521 models can support up to 128 clients per access point. When enforced, loads are balanced by ignoring association and probe requests. Probe and association requests are not responded to, forcing a client to associate with another access point radio.

This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
client-load-balancing {allow-single-band-clients|band-discovery-intvl|capability-ageout-time|max-probe-req|probe-req-intvl}
client-load-balancing {allow-single-band-clients [2.4ghz|5ghz]|band-discovery-intvl <0-10000>|capability-ageout-time <0-10000>}
client-load-balancing {max-probe-req|probe-req-intvl} [2.4ghz|5ghz] <0-10000>

Parameters
• client-load-balancing {allow-single-band-clients [2.4ghz|5ghz]|band-discovery-intvl <0-10000>|capability-ageout-time <0-10000>}

client-load-balancing
Configures client load balancing on a WLAN

allow-single-band-clients [2.4ghz|5ghz]
Optional. Allows single band clients to associate even during load balancing
• 2.4ghz – Enables load balancing across 2.4 GHz channels
• 5ghz – Enables load balancing across 5.0 GHz channels
This option is enabled by default for 2.4 and 5.0 GHz radios.

band-discovery-intvl <0-10000>
Optional. Configures the interval to discover a client's band capability before connection
• <0-10000> – Specify a value from 0 - 10000 seconds. The default is 10 seconds.

capability-ageout-time <0-10000>
Optional. Configures a client's capability ageout interval. This is the time for which a client’s capabilities are retained in the device’s internal table. Once this time is exceeded the client’s capabilities are aged out.
• <0-10000> – Specify a value from 0 - 10000 seconds. The default is 3600 seconds.

• client-load-balancing {max-probe-req|probe-req-intvl} [2.4ghz|5ghz] <0-10000>

client-load-balancing
Configures WLAN client load balancing

max-probe-req [2.4ghz|5ghz] <0-10000>
Optional. Configures client probe request interval limits for device association
• 2.4ghz – Configures maximum client probe requests on 2.4 GHz radios
• 5ghz – Configures maximum client probe requests on 5.0 GHz radios
• <0-10000> – Specify a client probe request threshold from 0 - 10000. The default for both 2.4 and 5.0 GHz radios is 60.

probe-req-intvl [2.4ghz|5ghz] <0-10000>
Optional. Configures client probe request interval limits for device association
• 2.4ghz – Configures the client probe request interval on 2.4 GHz radios
• 5ghz – Configures the client probe request interval on 5.0 GHz radios
• <0-10000> – Specify a value from 0 - 10000. The default for both 2.4 and 5.0 GHz radios is 10 seconds.

Example
rfs6000-81742D(config-wlan-test)#client-load-balancing band-discovery-intvl 2
rfs6000-81742D(config-wlan-test)#client-load-balancing probe-req-intvl 5ghz 5
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#

Related Commands
no
Disables client load balancing on a WLAN’s access point radios

4.1.97.2.14 controller-assisted-mobility
wlan-mode commands

Enables controller or service platform assisted mobility to determine a wireless client’s VLAN assignment. When enabled, a controller or service platform’s mobility database is used to assist in roaming between RF Domains. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
controller-assisted-mobility

Parameters
None

Example
rfs4000-229D58(config-wlan-test)#controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#

Related Commands
no
Disables controller or service platform assisted mobility to determine a wireless client’s VLAN assignment

4.1.97.2.15 data-rates
wlan-mode commands

Specifies the 802.11 rates supported on a WLAN

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
data-rates [2.4GHz|5GHz]
data-rates 2.4GHz [b-only|bg|bgn|custom|default|g-only|gn]
data-rates 2.4GHz custom [1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|basic-mcs-1s|mcs-1s|mcs-2s|mcs-3s]
data-rates 5GHz [a-only|an|custom|default]
data-rates 5GHz custom [12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|basic-mcs-1s|mcs-1s|mcs-2s|mcs-3s]

Parameters
• data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn]

data-rates
Specifies the 802.11 rates supported when mapped to a 2.4 GHz radio

b-only
Uses rates that support only 11b clients

bg
Uses rates that support both 11b and 11g clients

bgn
Uses rates that support 11b, 11g and 11n clients

default
Uses the default rates configured for a 2.4 GHz radio

g-only
Uses rates that support operation in 11g only

gn
Uses rates that support 11g and 11n clients

• data-rates 5GHz [a-only|an|default]

data-rates
Specifies the 802.11 rates supported when mapped to a 5.0 GHz radio

a-only
Uses rates that support operation in 11a only

an
Uses rates that support 11a and 11n clients

default
Uses default rates configured for a 5.0 GHz radio

• data-rates [2.4GHz|5GHz] custom [1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|basic-mcs-1s|mcs-1s|mcs-2s|mcs-3s]

data-rates [2.4GHz|5GHz]
Specifies the 802.11 rates supported when mapped to a 2.4 GHz or 5.0 GHz radio

custom
Configures a data rates list by specifying each rate individually. Use 'basic-' prefix before a rate to indicate it is used as a basic rate (for example, 'data-rates custom basic-1 basic-2 5.5 11').
The data-rates for 2.4 GHz and 5.0 GHz channels are the same with a few exceptions. The 2.4 GHz channel has a few extra data rates: 1, 11, 2, and 5.5.

1,11,2,5.5
The following data rates are specific to the 2.4 GHz channel:
• 1 – 1-Mbps
• 11 – 11-Mbps
• 2 – 2-Mbps
• 5.5 – 5.5-Mbps

[12,18,24,36,48,54,6,9,basic-1,basic-11,basic-12,basic-18,basic-2,basic-36,basic-48,basic-5.5,basic-54,basic-6,basic-9,basic-mcs-1s,mcs-1s,mcs-2s,mcs-3s]
The following data rates are common to both the 2.4 GHz and 5.0 GHz channels:
• 12 – 12 Mbps
• 18 – 18-Mbps
• 24 – 24 Mbps
• 36 – 36-Mbps
• 48 – 48-Mbps
• 54 – 54-Mbps
• 6 – 6-Mbps
• 9 – 9-Mbps
• basic-1 – basic 1-Mbps
• basic-11 – basic 11-Mbps
• basic-12 – basic 12-Mbps
• basic-18 – basic 18-Mbps
• basic-2 – basic 2-Mbps
• basic-36 – basic 36-Mbps
• basic-48 – basic 48-Mbps
• basic-5.5 – basic 5.5-Mbps
• basic-54 – basic 54-Mbps
• basic-6 – basic 6-Mbps
• basic-9 – basic 9-Mbps
• basic-mcs-1s – Modulation and coding scheme data rates for 1 Spatial Stream
• mcs-1s – Applicable to 1-spatial stream data rates
• mcs-2s – Applicable to 2-spatial stream data rates
• mcs-3s – Applicable to 3-spatial stream data rates

Example
rfs6000-81742D(config-wlan-test)#data-rates 2.4GHz gn
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#

Related Commands
no
Resets the 802.11 data rates supported on a WLAN for the 2.4 GHz or 5.0 GHz radios

4.1.97.2.16 description
wlan-mode commands

Defines the WLAN description

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description <LINE>

Parameters
• description <LINE>

<LINE>
Specify a WLAN description
The WLAN’s description should help differentiate it from others with similar configurations. The description should not exceed 64 characters.

Example
rfs6000-81742D(config-wlan-test)#description TestWLAN
rfs6000-81742D(config-wlan-test)#show context
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#

Related Commands
no
Removes a WLAN’s configured description

4.1.97.2.17 downstream-group-addressed-forwarding
wlan-mode commands

Enables forwarding of downstream broadcast/multicast (BC/MC) packets to a group on this WLAN. This feature is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
downstream-group-addressed-forwarding

Parameters
None

Example
rfs4000-229D58(config-wlan-test)#downstream-group-addressed-forwarding
rfs4000-229D58(config-wlan-test)#

Related Commands
no
Disables forwarding of downstream BCMC packets to a group on this WLAN

4.1.97.2.18 dpi
wlan-mode commands

Enables DPI on this WLAN. When enabled, all traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction.

DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify applications (such as Netflix, Twitter, Facebook, etc.) and extract metadata (such as host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dpi metadata [http|ssl|tcp-rtt|voice-video]

Parameters
• dpi metadata [http|ssl|tcp-rtt|voice-video]

dpi metadata [http|ssl|tcp-rtt|voice-video]
Enables extraction of the following metadata flows:
• http – Extracts HTTP flows. When enabled, administrators can track HTTP Websites accessed by both internal and guest clients and visualize HTTP data usage, hits, active time and total clients on the NSight application’s dashboard. This setting is disabled by default.
• ssl – Extracts SSL flows. When enabled, administrators can track SSL Websites accessed by both internal and guest clients and visualize SSL data usage, hits, active time and total clients on the NSight application’s dashboard. This setting is disabled by default.
• tcp-rtt – Extracts Round Trip Time (RTT) information from Transmission Control Protocol (TCP) flows. However, this TCP-RTT metadata is viewable only on the NSight dashboard. Therefore, ensure the NSight server is up and NSight analytics data collection is enabled.
• voice-video – Extracts voice and video flows. When enabled, voice and video calls can be tracked by extracting parameters, such as packets transferred and lost, jitter, and application name. Most Enterprise VoIP applications like FaceTime, Skype for Business and VoIP terminals can be monitored for call quality and visualized on the NSight dashboard in a manner similar to HTTP and SSL. Call quality and metrics can only be determined from calls established unencrypted. This setting is disabled by default.

Example
rfs6000-81742D(config-wlan-test)#dpi metadata http
rfs6000-81742D(config-wlan-test)#dpi metadata ssl
rfs6000-81742D(config-wlan-test)#dpi metadata voice-video
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 dpi metadata voice-video
 dpi metadata http
 dpi metadata ssl
rfs6000-81742D(config-wlan-test)#

Related Commands
no
Disables extraction of metadata flows on the WLAN

4.1.97.2.19 dynamic-vlan-assignment
wlan-mode commands

Enables dynamic VLAN assignment on this WLAN, and adds or removes VLANs for the selected WLAN. Configure this feature to allow an override to the WLAN configuration. If, as part of the authentication process, the RADIUS server returns a client's VLAN-ID in a RADIUS Access-Accept packet, and this feature is enabled, all client traffic is forwarded on that VLAN. If disabled, the VLAN-ID returned by the RADIUS server is ignored and the WLAN’s VLAN configuration is used. For more information, see vlan. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dynamic-vlan-assignment allowed-vlans <VLAN-ID>

Parameters
• dynamic-vlan-assignment allowed-vlans <VLAN-ID>

dynamic-vlan-assignment allowed-vlans
Enables dynamic VLAN assignment and configures a list of VLAN IDs or VLAN alias allowed access to the WLAN

<VLAN-ID>
Specify the list of VLAN IDs or the VLAN alias names. For example, 10-20, 25, 30-35, $guest.
For information on VLAN aliases, see alias.

Example
rfs4000-229D58(config-wlan-test)#dynamic-vlan-assignment allowed-vlans 10-20
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 dynamic-vlan-assignment allowed-vlans 10-20
rfs4000-229D58(config-wlan-test)#

Related Commands
no
Disables dynamic VLAN assignment on this WLAN
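
Because an enabled dynamic-vlan-assignment lets the RADIUS server choose the client's VLAN, it is worth checking what the server actually returns against the configured allowed-vlans list. The following added example (not part of the vendor guide) expands the list syntax shown above and reports returned VLAN-IDs that fall outside it. The alias map, the client MAC addresses and the Access-Accept records are constructed, and alias values are assumed to hold only IDs and ranges.

```python
def expand_allowed_vlans(spec, aliases=None):
    """Expand an allowed-vlans list such as '10-20, 25, 30-35, $guest' into a set of IDs.

    aliases maps alias names (for example '$guest') to their own ID/range list;
    the map is an assumption of this example, as alias definitions are not on this page.
    """
    aliases = aliases or {}
    vlans = set()
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        if item.startswith("$"):
            if item not in aliases:
                raise KeyError(f"VLAN alias {item} is not defined")
            # Alias values are expanded without the alias map, so a nested alias fails loudly.
            vlans |= expand_allowed_vlans(aliases[item])
        elif "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            if low > high:
                raise ValueError(f"reversed VLAN range {item}")
            vlans.update(range(low, high + 1))
        else:
            vlans.add(int(item))
    invalid = sorted(v for v in vlans if not 1 <= v <= 4094)
    if invalid:
        raise ValueError(f"VLAN IDs outside 1-4094: {invalid}")
    return vlans


def returned_vlans_outside_list(spec, aliases, access_accepts):
    """Return (client MAC, VLAN-ID) pairs whose RADIUS-returned VLAN is not in the list.

    access_accepts is an iterable of (client MAC, VLAN-ID or None); None means the
    Access-Accept carried no VLAN-ID, so the WLAN's own VLAN configuration applies.
    """
    allowed = expand_allowed_vlans(spec, aliases)
    return [(mac, vlan) for mac, vlan in access_accepts
            if vlan is not None and vlan not in allowed]


# Constructed inputs: the list from the <VLAN-ID> description plus sample records.
ALLOWED = "10-20, 25, 30-35, $guest"
ALIASES = {"$guest": "100"}
ACCESS_ACCEPTS = [
    ("00-11-22-33-44-55", 15),
    ("00-11-22-33-44-66", 40),
    ("00-11-22-33-44-77", None),
    ("00-11-22-33-44-88", 100),
]

if __name__ == "__main__":
    for mac, vlan in returned_vlans_outside_list(ALLOWED, ALIASES, ACCESS_ACCEPTS):
        print(f"{mac}: RADIUS returned VLAN {vlan}, not in allowed-vlans {ALLOWED}")
```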
4.1.97.2.20 eap-types

wlan-mode commands

Configures client access based on the EAP type used

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
eap-types [allow|deny] [aka|all|fast|peap|sim|tls|ttls] {(aka|all|fast|peap|sim|tls|ttls)}

Parameters
• eap-types [allow|deny] [aka|all|fast|peap|sim|tls|ttls] {(aka|all|fast|peap|sim|tls|ttls)}

eap-types [allow|deny]
    Configures a list of allowed or denied EAP types
    • allow – Configures a list of EAP types allowed for WLAN client authentication
    • deny – Configures a list of EAP types not allowed for WLAN client authentication
[aka|all|fast|peap|sim|tls|ttls]
    The following EAP types are common to the ‘allow’ and ‘deny’ keywords:
    • aka – Configures EAP Authentication and Key Agreement (AKA) and EAP-AKA’ (AKA Prime). EAP-AKA is one of the methods in the EAP authentication framework. It uses Universal Mobile Telecommunications System (UMTS) and Universal Subscriber Identity Module (USIM) for client authentication and key distribution.
    • all – Allows or denies usage of all EAP types on the WLAN. This is the default setting.
    • fast – Configures EAP Flexible Authentication via Secure Tunneling (FAST). EAP-FAST establishes a Transport Layer Security (TLS) tunnel, to verify client credentials, using Protected Access Credentials (PAC).
    • peap – Configures Protected Extensible Authentication Protocol (PEAP). PEAP, or Protected EAP, uses an encrypted and authenticated TLS tunnel to encapsulate EAP.
    • sim – Configures EAP Subscriber Identity Module (SIM). EAP-SIM uses Global System for Mobile Communications (GSM) SIM for client authentication and key distribution.
    • tls – Configures EAP Transport Layer Security (TLS). EAP-TLS is an EAP authentication method that uses PKI to communicate with a RADIUS server or any other authentication server.
    • ttls – Configures Tunneled Transport Layer Security (TTLS). EAP-TTLS is an extension of TLS. Unlike TLS, TTLS does not require every client to generate and install a CA-signed certificate.
    These options are recursive, and more than one EAP type can be selected. The selected options are added to the allowed or denied EAP types list.
Example
rfs6000-81742D(config-wlan-test)#eap-types allow fast sim tls
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 eap-types allow fast sim tls
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Reverts to default setting - eap-types allow all
4.1.97.2.21 encryption-type

wlan-mode commands

Sets a WLAN’s encryption type

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
encryption-type [ccmp|keyguard|none|tkip-ccmp|wep128|wep128-keyguard|wep64]

Parameters
• encryption-type [ccmp|keyguard|none|tkip-ccmp|wep128|wep128-keyguard|wep64]

encryption-type
    Configures the WLAN’s data encryption parameters
ccmp
    Configures Advanced Encryption Standard (AES) Counter Mode CBC-MAC Protocol (AES-CCM/CCMP)
keyguard
    Configures Keyguard-MCM (Mobile Computing Mode)
none
    No encryption used. This is the default setting.
tkip-ccmp
    Configures the TKIP and AES-CCM/CCMP encryption modes
wep128
    Configures WEP with 128 bit keys
wep128-keyguard
    Configures WEP128 as well as Keyguard-MCM encryption modes
wep64
    Configures WEP with 64 bit keys. A WEP64 configuration is insecure when two WLANs are mapped to the same VLAN, and one uses no encryption while the other uses WEP.

Example
rfs6000-81742D(config-wlan-test)#encryption-type tkip-ccmp
rfs6000-81742D(config-wlan-test)#show context
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Resets the WLAN’s encryption type to default (none)
4.1.97.2.22 enforce-dhcp

wlan-mode commands

Enables dropping of packets from clients with a static IP address. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
enforce-dhcp

Parameters
None

Example
rfs6000-81742D(config-wlan-test)#enforce-dhcp
rfs6000-81742D(config-wlan-test)#show context
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 enforce-dhcp
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Disables dropping of packets from clients with a static IP address
4.1.97.2.23 fast-bss-transition

wlan-mode commands

Enables support for 802.11r Fast-BSS Transition (FT) on the selected WLAN. This feature is disabled by default.

802.11r is an attempt to undo the burden that security and QoS added to the handoff process, and restore it back to an original four message exchange process. The central application for the 802.11r standard is VOIP using mobile phones within wireless Internet networks. 802.11r FT redefines the security key negotiation protocol, allowing parallel processing of negotiation and requests for wireless resources.

Enabling FT standards provides wireless clients fast, secure and seamless transfer from one base station to another, ensuring continuous connectivity.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
fast-bss-transition {over-ds}

Parameters
• fast-bss-transition {over-ds}

fast-bss-transition over-ds
    Enables 802.11r FT support on this WLAN
    • over-ds – Optional. Enables 802.11r client roaming over the Distribution System (DS). When enabled, all client communication with the target AP is via the current AP. This communication, carried in FT action frames, is first sent by the client to the current AP, then forwarded to the target AP through the controller.

Example
rfs6000-81742D(config-wlan-test)#fast-bss-transition
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 vlan 1
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 fast-bss-transition
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Disables support for 802.11r Fast-BSS Transition (FT) on a WLAN
4.1.97.2.24 http-analyze

wlan-mode commands

Enables HTTP URL analysis on the WLAN

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
http-analyze [filter|syslog]
http-analyze filter [images|post|query-string]
http-analyze syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}

Parameters
• http-analyze filter [images|post|query-string]
• http-analyze syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}

filter
    Filters URLs, based on the parameters set, before forwarding them
images
    Filters out URLs referring to images (does not forward URLs requesting images)
post
    Filters out URLs requesting POST (does not forward POST requests). This option is disabled by default.
query-string
    Removes query strings from URLs before forwarding them (forwards requests and no data). This option is disabled by default.
syslog host <IP/HOSTNAME>
    Forwards client and URL information to a syslog server
    • host <IP/HOSTNAME> – Specify the syslog server’s IP address or hostname
port <1-65535>
    Optional. Specifies the UDP port to connect to the syslog server from 1 - 65535
proxy-mode [none|through-controller|through-rf-domain-manager]
    Optional. Specifies if the request is to be proxied through another device
    • none – Requests are sent directly to syslog server from device
    • through-controller – Proxies requests, to the syslog server, through the controller configuring the device
    • through-rf-domain-manager – Proxies requests, to the syslog server, through the local RF Domain manager
Example
rfs4000-229D58(config-wlan-test)#http-analyze syslog host 192.168.13.10 port 21 proxy-mode through-controller
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 http-analyze syslog host 192.168.13.10 port 21 proxy-mode through-controller
rfs4000-229D58(config-wlan-test)#

Related Commands
no
    Disables HTTP URL analysis on the WLAN
4.1.97.2.25 ip

wlan-mode commands

Configures Internet Protocol (IP) settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip [arp|dhcp]
ip arp [header-mismatch-validation|trust]
ip dhcp trust

Parameters
• ip arp [header-mismatch-validation|trust]

ip arp
    Configures the IP settings for ARP packets
header-mismatch-validation
    Verifies mismatch of source MAC address in the ARP and Ethernet headers. This option is enabled by default.
trust
    Sets ARP responses as trusted for a WLAN/range. This option is disabled by default.

• ip dhcp trust

ip dhcp
    Configures the IP settings for DHCP packets
trust
    Sets DHCP responses as trusted for a WLAN/range. This option is disabled by default.

Example
rfs6000-81742D(config-wlan-test)#ip dhcp trust
rfs6000-81742D(config-wlan-test)#show context
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 ip dhcp trust
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 enforce-dhcp
 broadcast-dhcp validate-offer
 http-analyze controller
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Resets IP ARP or DHCP trust parameters to default. ARP trust is disabled, ARP mismatch verification is enabled, or DHCP trust is disabled.
4.1.97.2.26 ipv6

wlan-mode commands

Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this WLAN

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6 [dhcpv6|nd]
ipv6 dhcpv6 trust
ipv6 nd [header-mismatch-validation|raguard|trust]

Parameters
• ipv6 dhcpv6 trust

ipv6 dhcpv6 trust
    Enables DHCPv6 trust state for DHCPv6 responses on this WLAN. When enabled, all DHCPv6 responses received on this WLAN are trusted and forwarded. This option is disabled by default.

• ipv6 nd [header-mismatch-validation|raguard|trust]

ipv6 nd
    Sets the IPv6 ND settings for this WLAN
header-mismatch-validation
    Checks for mismatch of source MAC address in the ICMPv6 ND message and Ethernet header (link layer option). This option is enabled by default.
raguard
    Allows redirection of router advertisements (RAs) and ICMPv6 packets originating on this WLAN. This option is disabled by default.
trust
    Enables trust state for ND requests received on this WLAN. When enabled, all ND requests on an IPv6 firewall, on this WLAN, are trusted. This option is disabled by default.

Example
rfs6000-81742D(config-wlan-test)#ipv6 dhcpv6 trust
rfs6000-81742D(config-wlan-test)#ipv6 nd trust
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 vlan 1
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 ipv6 dhcpv6 trust
 ipv6 nd trust
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Resets IPv6 ND or DHCPv6 trust parameters to default. ND request trust is disabled, ND header mismatch verification is enabled, ND RA and ICMPv6 redirection is disabled, or DHCPv6 trust is disabled.
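
The encryption-type, ip and ipv6 settings above all appear in show context output, so a saved copy of that output can be reviewed offline. The following Python check is an added example, not part of the Extreme Networks guide: it parses WLAN blocks and reports encryption modes weaker than CCMP together with trust and validation settings that differ from the defaults the guide states. The function names, the constructed sample, the choice of what to report, and the assumption that a disabled default-on option is printed as a "no ..." line are this example's own.

```python
import re

# Constructed sample in the layout that "show context" prints. The settings
# come from the guide's examples; the WLAN named "guest" is made up.
SAMPLE = """\
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 ip dhcp trust
 enforce-dhcp
wlan guest
 ssid guest
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 ipv6 dhcpv6 trust
 ipv6 nd trust
 no ip arp header-mismatch-validation
"""

# Encryption modes to report. "none" is the documented default.
ENCRYPTION_FINDINGS = {
    "none": "no encryption; client traffic is sent in the clear",
    "wep64": "WEP with 64 bit keys",
    "wep128": "WEP with 128 bit keys",
    "wep128-keyguard": "WEP128 is still accepted next to Keyguard-MCM",
    "tkip-ccmp": "TKIP is still accepted next to CCMP",
}

# Statements that move a WLAN away from the defaults stated in the guide.
# The "no ..." forms are an assumption about how show context prints them.
NON_DEFAULT = {
    "ip arp trust": "ARP responses trusted (default: disabled)",
    "ip dhcp trust": "DHCP responses trusted (default: disabled)",
    "ipv6 dhcpv6 trust": "DHCPv6 responses trusted (default: disabled)",
    "ipv6 nd trust": "ND requests trusted (default: disabled)",
    "no ip arp header-mismatch-validation":
        "ARP/Ethernet source MAC check off (default: enabled)",
    "no ipv6 nd header-mismatch-validation":
        "ND/Ethernet source MAC check off (default: enabled)",
}


def parse_contexts(text):
    """Return {wlan_name: [statement, ...]} for every 'wlan <name>' block."""
    wlans, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indented = raw[:1].isspace()
        header = re.fullmatch(r"wlan (\S+)", line)
        if header and not indented:
            current = wlans.setdefault(header.group(1), [])
        elif indented and current is not None:
            current.append(line)
        else:
            current = None  # prompt line or another top-level block
    return wlans


def audit(text):
    """Return a list of (wlan, statement, reason) findings."""
    findings = []
    for name, statements in parse_contexts(text).items():
        # A block without an encryption-type line uses the default, none.
        enc = next((s.split()[1] for s in statements
                    if s.startswith("encryption-type ")), "none")
        if enc in ENCRYPTION_FINDINGS:
            findings.append((name, f"encryption-type {enc}",
                             ENCRYPTION_FINDINGS[enc]))
        present = set(statements)
        for statement, reason in NON_DEFAULT.items():
            if statement in present:
                findings.append((name, statement, reason))
    return findings


if __name__ == "__main__":
    for wlan, statement, reason in audit(SAMPLE):
        print(f"{wlan}: {statement} -> {reason}")
```
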
4.1.97.2.27 kerberos

wlan-mode commands

Configures Kerberos authentication parameters on a WLAN

Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection.

Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access point with 802.11b clients. Kerberos uses Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s).

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
kerberos [password|realm|server]
kerberos password [0 <LINE>|2 <LINE>|<LINE>]
kerberos realm <REALM>
kerberos server [primary|secondary|timeout]
kerberos server [primary|secondary] host <IP/HOSTNAME> {port <1-65535>}
kerberos server timeout <1-60>

Parameters
• kerberos password [0 <LINE>|2 <LINE>|<LINE>]

kerberos
    Configures a WLAN’s Kerberos authentication parameters
    The parameters are: password, realm, and server.
password
    Configures a Kerberos KDC server password. The password should not exceed 127 characters. The password options are:
    • 0 <LINE> – Configures a clear text password
    • 2 <LINE> – Configures an encrypted password
    • <LINE> – Specify the password.

• kerberos realm <REALM>

kerberos
    Configures a WLAN’s Kerberos authentication parameters
    The parameters are: password, realm, and server.
realm <REALM>
    Configures a Kerberos KDC server realm. The REALM should not exceed 127 characters.

• kerberos server [primary|secondary] host <IP/HOSTNAME> {port <1-65535>}

kerberos
    Configures a WLAN’s Kerberos authentication parameters
    The parameters are: password, realm, and server.
server [primary|secondary]
    Configures the primary and secondary KDC server parameters
    • primary – Configures the primary KDC server parameters
    • secondary – Configures the secondary KDC server parameters
host <IP/HOSTNAME>
    Sets the primary or secondary KDC server address
    • <IP/HOSTNAME> – Specify the IP address or name of the KDC server.
port <1-65535>
    Optional. Configures the UDP port used to connect to the KDC server
    • <1-65535> – Specify the port from 1 - 65535. The default is 88.

• kerberos server timeout <1-60>

kerberos
    Configures a WLAN’s Kerberos authentication parameters
    The parameters are: password, realm, and server.
timeout <1-60>
    Modifies the Kerberos KDC server’s timeout parameters
    • <1-60> – Specifies the wait time for a response from the Kerberos KDC server before retrying. Specify a value from 1 - 60 seconds.

Example
rfs6000-81742D(config-wlan-test)#kerberos server timeout 12
rfs6000-81742D(config-wlan-test)#kerberos server primary host 172.16.10.2 port 88
rfs6000-81742D(config-wlan-test)#show context
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 kerberos server timeout 12
 kerberos server primary host 172.16.10.2
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 ip dhcp trust
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 enforce-dhcp
 broadcast-dhcp validate-offer
 http-analyze controller
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Removes Kerberos authentication related parameters on a WLAN
4.1.97.2.28 mac-authentication

wlan-mode commands

Enables MAC authentication. When enabled, the system uses cached credentials (RADIUS server lookups are skipped) to authenticate clients.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac-authentication [cached-credentials|enforce-always]

Parameters
• mac-authentication [cached-credentials|enforce-always]

mac-authentication
    Enables MAC authentication on this WLAN and configures related parameters
cached-credentials
    Uses cached credentials to skip RADIUS lookups. This option is disabled by default.
enforce-always
    Enforces MAC authentication on this WLAN. When enabled, MAC authentication is enforced each time a client logs in, even when the authentication type specified (using the authentication-type command) is not MAC authentication. This option is disabled by default.

Example
rfs4000-229D58(config-wlan-test)#mac-authentication cached-credentials
rfs4000-229D58(config-wlan-test)#

Related Commands
no
    Disables MAC authentication related parameters: Disables use of cached credentials to skip RADIUS lookups, or disables enforcement of MAC authentication on this WLAN.
4.1.97.2.29 no

wlan-mode commands

Negates WLAN mode commands and reverts values to their default

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [accounting|acl|answer-broadcast-probes|assoc-response|association-list|authentication-type|broadcast-dhcp|broadcast-ssid|captive-portal-enforcement|client-access|client-client-communication|client-load-balancing|controller-assisted-mobility|data-rates|description|downstream-group-addressed-forwarding|dpi|dynamic-vlan-assignment|eap-types|encryption-type|enforce-dhcp|fast-bss-transition|http-analyze|ip|ipv6|kerberos|mac-authentication|nsight|opendns|protected-mgmt-frames|proxy-arp-mode|proxy-nd-mode|qos-map|radio-resource-measurement|radius|registration|relay-agent|shutdown|ssid|t5-client-isolation|t5-security|time-based-access|use|vlan|vlan-pool-member|wep128|wep64|wing-extensions|wireless-client|wpa-wpa2|service]
no accounting [radius|syslog|wait-client-ip]
no acl exceed-rate wireless-client-denied-traffic
no [answer-broadcast-probes|association-list global|authentication-type|broadcast-dhcp validate-offer|broadcast-ssid|captive-portal-enforcement|client-access|client-client-communication|client-load-balancing allow-single-band-clients|controller-assisted-mobility|data-rates [2.4GHz|5GHz]|description|downstream-group-addressed-forwarding|dynamic-vlan-assignment allowed-vlans|eap-types|encryption-type|enforce-dhcp|fast-bss-transition over-ds|opendns device-id|protected-mgmt-frames {sa-query}|proxy-arp-mode|proxy-nd-mode|qos-map|ssid|t5-client-isolation|t5-security|vlan]
no assoc-response [deny-threshold|rssi-threshold]
no http-analyze {filter|syslog}
no http-analyze {filter [images|post|query-string]}
no ip [arp|dhcp]
no ip arp [header-mismatch-validation|trust]
no ip dhcp trust
no dpi metadata [http|ssl|voice-video]
no ipv6 [dhcpv6|nd]
no ipv6 dhcpv6 trust
no ipv6 nd [header-mismatch-validation|raguard|trust]
no kerberos [password|realm|server]
no kerberos server [primary host|secondary host|timeout]
no mac-authentication [cached-credentials|enforce-always]
no nsight client-history
no radio-resource-measurement {channel-report|neighbor-report {hybrid}}
no radius [dynamic-authorization|nas-identifier|nas-port-id|vlan-assignment]
no registration {external}
no relay-agent [dhcp-option82|dhcpv6-ldra]
no shutdown {on-critical-resource|on-meshpoint-loss|on-primary-port-link-loss|on-unadoption}
no time-based-access days [all|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekends]
no use [aaa-policy|association-acl-policy|bonjour-gw-discovery-policy|captive-portal|ip-access-list|ipv6-access-list|mac-access-list|passpoint-policy|roaming-assist-policy|url-filter|wlan-qos-policy]
no vlan-pool-member [<1-4095>|<VLAN-ALIAS-NAME>]
no [wep128|wep64] [key {1-4}|transmit-key]
no wing-extension [move-command|smart-scan|wing-load-information|wmm-load-information]
no wireless-client [count-per-radio|cred-cache-ageout|hold-time|inactivity-timeout|max-firewall-sessions|reauthentication|roam-notification|t5-inactivity-timeout|tx-power|vlan-cache-ageout]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or reverts this WLAN’s settings based on the parameters passed

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
rfs6000-81742D(config-wlan-test)#no ?
  accounting                             Configure how accounting records are
                                         created for this wlan
  acl                                    Actions taken based on ACL
                                         configuration [ packet drop being one
                                         of them]
  answer-broadcast-probes                Do not Include this wlan when
                                         responding to probe requests that do
                                         not specify an SSID
  assoc-response                         Association response threshold
  association-list                       Configure the association list for
                                         the wlan
  authentication-type                    Reset the authentication to use on
                                         this wlan to default (none/Pre-shared
                                         keys)
  broadcast-dhcp                         Configure broadcast DHCP packet
                                         handling
  broadcast-ssid                         Do not advertise the SSID of the WLAN
                                         in beacons
  captive-portal-enforcement             Configure how captive-portal is
                                         enforced on the wlan
  client-access                          Disallow client access on this wlan
                                         (no data operations)
  client-client-communication            Disallow switching of frames from one
                                         wireless client to another on this
                                         wlan
  client-load-balancing                  Disable load-balancing of clients on
                                         this wlan
  controller-assisted-mobility           Disable configure assisted mobility
  data-rates                             Reset data rate configuration to
                                         default
  description                            Reset the description of the wlan
  downstream-group-addressed-forwarding  Disable downstream group addressed
                                         forwarding of packets
  dpi                                    Deep-Packet-Inspection (Application
                                         Assurance)
  dynamic-vlan-assignment                Dynamic VLAN assignment configuration
  eap-types                              Allow all EAP types on this wlan
  encryption-type                        Reset the encryption to use on this
                                         wlan to default (none)
  enforce-dhcp                           Drop packets from Wireless Clients
                                         with static IP address
  fast-bss-transition                    Disable support for 802.11r Fast BSS
                                         Transition
  http-analyze                           Enable HTTP URL analysis on the wlan
  ip                                     Internet Protocol (IP)
  ipv6                                   Internet Protocol version 6 (IPv6)
  kerberos                               Configure kerberos authentication
                                         parameters
  mac-authentication                     Configure mac-authentication related
                                         parameters
  nsight                                 Nsight Server
  opendns                                OpenDNS related config for this wlan
  protected-mgmt-frames                  Disable support for Protected
                                         Management Frames (IEEE 802.11w)
  proxy-arp-mode                         Configure handling of ARP requests
                                         with proxy-arp is enabled
  proxy-nd-mode                          Configure handling of IPv6 ND
                                         requests with proxy-nd is enabled
  qos-map                                Disable the 802.11u QoS map element
                                         and frame
  radio-resource-measurement             Disable support for 802.11k Radio
                                         Resource Measurement
  radius                                 Configure RADIUS related parameters
  registration                           Dynamic registration of device (or)
                                         user
  relay-agent                            Configure dhcp relay agent info
  shutdown                               Enable the use of this wlan
  ssid                                   Configure ssid
  t5-client-isolation                    Do not Isolate traffic among clients
  t5-security                            Configure encryption and
                                         authentication
  time-based-access                      Reset time-based-access parameters to
                                         default
  use                                    Set setting to use
  vlan                                   Map the default vlan (vlan-id 1) to
                                         the wlan
  vlan-pool-member                       Delete a mapped vlan from this wlan
  wep128                                 Reset WEP128 parameters
  wep64                                  Reset WEP64 parameters
  wing-extensions                        Disable support for WiNG-Specific
                                         extensions to 802.11
  wireless-client                        Configure wireless-client specific
                                         parameters
  wpa-wpa2                               Modify tkip-ccmp (wpa/wpa2) related
                                         parameters
  service                                Service to monitor to show no-service
                                         page to user
rfs6000-81742D(config-wlan-test)#
The test settings before execution of the no command:

rfs6000-81742D(config-wlan-test)#show context
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 kerberos server timeout 12
 kerberos server primary host 172.16.10.2
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 ip dhcp trust
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 enforce-dhcp
 broadcast-dhcp validate-offer
 http-analyze controller
rfs6000-81742D(config-wlan-test)#

rfs6000-81742D(config-wlan-test)#no accounting syslog
rfs6000-81742D(config-wlan-test)#no description
rfs6000-81742D(config-wlan-test)#no authentication-type
rfs6000-81742D(config-wlan-test)#no encryption-type
rfs6000-81742D(config-wlan-test)#no enforce-dhcp
rfs6000-81742D(config-wlan-test)#no kerberos server primary host
rfs6000-81742D(config-wlan-test)#no kerberos server timeout
rfs6000-81742D(config-wlan-test)#no data-rates 2.4GHz
rfs6000-81742D(config-wlan-test)#no ip dhcp trust
rfs6000-81742D(config-wlan-test)#no captive-portal-enforcement

The test settings after the execution of the no command:

rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type none
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
 http-analyze controller
rfs6000-81742D(config-wlan-test)#
4.1.97.2.30 nsight

wlan-mode commands

Enables retention of client-history

A typical NSight-server enabled, guest access environment may be visited by thousands of unique clients on a daily basis. Some of these guest clients are not regular visitors, accessing the network infrequently. However, by default, historical data of all guest clients, irrespective of their network access frequency, is retained by the NSight server for up to 180 days. This results in the database containing thousands if not millions of unique MAC addresses of infrequent guest clients. To address this potential problem it is recommended to disable client-history retention on a guest WLAN, and use the nsight-policy context to configure a separate timer (8 hours by default) specifying the guest client data lifespan in the database.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
nsight client-history

Parameters
• nsight client-history

nsight client-history
    Enables retention of client-history in the database. This option is enabled by default.

Example
On a WLAN, the client-history option is enabled by default. When enabled, all client history (including guest-clients) is retained in the NSight server database for 180 days.

To disable this option, execute the no > nsight > client-history command. When disabled, guest client history is retained only for 8 hours, which is the default setting defined by the NSight policy applied on the access point (through which the guest client accesses the WLAN) or the access point’s RF Domain. However, the default historical data retention duration for regular clients and devices (access point and controllers) remains unchanged (180 days) as per the NSight policy settings.

nx9500-6C8809(config-wlan-test3)#no nsight client-history
nx9500-6C8809(config-wlan-test3)#show context
wlan test3
 ssid test3
 bridging-mode local
 encryption-type none
 authentication-type none
 no nsight client-history
nx9500-6C8809(config-wlan-test3)#

Use the NSight policy context to define separate client-history retention time for regular clients, devices, and guest clients. For more information, see nsight-policy.

Related Commands
no
    Disables client-history retention in the NSight database
4.1.97.2.31 opendns
wlan-mode commands

Configures the pre-fetched OpenDNS device_id. Once configured, all DNS queries originating from wireless clients associating with the WLAN are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. The device ID is a sixteen (16) character hex string representing a 64 bit unsigned integer and is fetched from the OpenDNS site.

This command is part of a series of configurations that are required to integrate WiNG access points, wireless controllers, and service platforms with OpenDNS. When all the parameters have been configured, DNS queries from wireless clients, associating with the WLAN, are redirected to OpenDNS (208.67.220.220 OR 208.67.222.222). These OpenDNS resolvers act as proxy DNS servers that provide additional functionalities, such as Web filtering, reporting, and performance enhancement. For more information on the entire configuration, see opendns.

This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
opendns device-id <DEVICE-ID>

Parameters
• opendns device-id <DEVICE-ID>

opendns device-id <DEVICE-ID> – Configures the device ID to embed in DNS queries sent to OpenDNS
• <DEVICE-ID> – Specify the device ID.

Example
The following command fetches the device_id from the OpenDNS site.

ap7131-E6D512#opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
device_id = 0014AADF8EDC6C59
ap7131-E6D512#

Use this device_id in the WLAN configuration context.

ap7131-E6D512(config)#wlan opendns
ap7131-E6D512(config-wlan-opendns)#opendns device-id 0014AADF8EDC6C59
ap7131-E6D512(config-wlan-opendns)#commit
ap7131-E6D512(config-wlan-opendns)#show context
wlan opendns
 ssid opendns
 vlan 1
 bridging-mode local
 encryption-type none
 authentication-type none
 opendns device-id 0014AADF8EDC6C59
ap7131-E6D512(config-wlan-opendns)#

Related Commands
no – Removes the device ID configured to be embedded in the DNS queries originating from the WiNG devices
4.1.97.2.32 protected-mgmt-frames
wlan-mode commands

Configures the WLAN's frame protection mode and security association (SA) query parameters

802.11w provides protection for both unicast management frames and broadcast/multicast management frames. The ‘robust management frames’ are action, disassociation, and deauthentication frames. The standard provides one security protocol, CCMP, for protection of unicast robust management frames. The protected management frames (PMF) protocol only applies to robust management frames after establishment of the RSNA PTK. Robust management frame protection is achieved by using CCMP for unicast management frames, the broadcast/multicast integrity protocol (BIP) for broadcast/multicast management frames, and the SA query protocol for protection against (re)association attacks.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]

Parameters
• protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]

protected-mgmt-frames – Enables and configures the WLAN's frame protection mode and SA query parameters. Use this command to specify whether management frames are continually or optionally protected. Frame protection mode is disabled by default.
mandatory – Enforces protected management frames (PMF) on this WLAN (management frames are continually protected)
optional – Provides PMF only for those clients that support PMF (management frames are optionally protected)
sa-query [attempts <1-10>|timeout <100-1000>] – Configures the following SA parameters:
• attempts <1-10> – Configures the number of SA query attempts from 1 - 10. The default is 5.
• timeout <100-1000> – Configures the interval, in milliseconds, used to time out association requests that exceed the defined interval. Specify a value from 100 - 1000 milliseconds. The default value is 201 milliseconds.

Example
rfs6000-81742D(config-wlan-test)#protected-mgmt-frames mandatory
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
rfs6000-81742D(config-wlan-test)#

Related Commands
no – Disables enforcement of protected management frames on this WLAN, and reverts the protected management frames sa-query timeout and attempts to 201 milliseconds and 5 respectively.
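
An offline check of the protected-mgmt-frames setting, as an added example that is not part of the Extreme Networks guide: the Python below parses show context output and flags WLANs where PMF is disabled, only optional, or configured on a WLAN whose encryption-type has no CCMP, since the text above ties PMF to an established RSNA PTK and to CCMP. The sample configuration, the finding names, the ccmp value on a WLAN and the way an sa-query line appears in show context are assumptions made for illustration.

```python
import re

PMF_RE = re.compile(r"^protected-mgmt-frames\s+(.+)$")
SA_LIMITS = {"attempts": (1, 10), "timeout": (100, 1000)}  # ranges from the command syntax

# Constructed sample in the layout printed by "show context" (not taken from a real device).
SAMPLE = """\
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
wlan corp
 ssid corp
 encryption-type ccmp
 authentication-type eap
 protected-mgmt-frames optional
 protected-mgmt-frames sa-query attempts 12
wlan guest
 ssid guest
 encryption-type none
 authentication-type none
"""


def parse_wlans(text):
    """Split show context output into {wlan_name: [setting lines]}."""
    wlans, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line.split(" ")[0]:   # blank line or CLI prompt
            continue
        if not raw.startswith(" ") and line.startswith("wlan "):
            current = line.split(None, 1)[1]
            wlans[current] = []
        elif current is not None:
            wlans[current].append(line)
    return wlans


def pmf_state(lines):
    """Return (mode, sa_query); mode is 'mandatory', 'optional' or 'disabled'."""
    mode = "disabled"                         # frame protection is disabled by default
    sa = {"attempts": 5, "timeout": 201}      # defaults stated in the guide
    for line in lines:
        match = PMF_RE.match(line)
        if not match:
            continue
        words = match.group(1).split()
        if words[0] in ("mandatory", "optional"):
            mode = words[0]
        elif (words[0] == "sa-query" and len(words) == 3
              and words[1] in SA_LIMITS and words[2].isdigit()):
            sa[words[1]] = int(words[2])
    return mode, sa


def audit_wlan(lines):
    """Return a list of finding names for one WLAN's settings."""
    enc = next((l.split()[1] for l in lines if l.startswith("encryption-type ")), "none")
    mode, sa = pmf_state(lines)
    findings = []
    if mode == "disabled":
        findings.append("pmf-disabled")
    elif "ccmp" not in enc:
        # No CCMP means no RSNA PTK to protect robust management frames with.
        findings.append("pmf-without-ccmp")
    elif mode == "optional":
        findings.append("pmf-optional")
    for key, (low, high) in SA_LIMITS.items():
        if not low <= sa[key] <= high:
            findings.append("sa-query-%s-out-of-range" % key)
    return findings


def audit(text):
    """Audit every WLAN block in the text; returns {wlan_name: [findings]}."""
    return {name: audit_wlan(lines) for name, lines in parse_wlans(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

The first sample block mirrors the guide's own example, where protected-mgmt-frames mandatory sits beside encryption-type none.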
4.1.97.2.33 proxy-arp-mode
wlan-mode commands

Enables proxy ARP mode for handling ARP requests

Proxy ARP is the technique used to answer ARP requests intended for another system. By faking its identity, the access point accepts responsibility for routing packets to the actual destination.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
proxy-arp-mode [dynamic|strict]

Parameters
• proxy-arp-mode [dynamic|strict]

proxy-arp-mode – Enables proxy ARP mode for handling ARP requests. The options available are dynamic and strict.
dynamic – Forwards ARP requests to the wireless side (for which a response could not be proxied). This is the default setting.
strict – Does not forward ARP requests to the wireless side

Example
rfs6000-81742D(config-wlan-test)#proxy-arp-mode strict
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 proxy-arp-mode strict
 broadcast-dhcp validate-offer
 http-analyze controller
rfs6000-81742D(config-wlan-test)#

Related Commands
no – Reverts the proxy ARP mode to default (dynamic)
4.1.97.2.34 proxy-nd-mode
wlan-mode commands

Configures the proxy ND mode for this WLAN's member clients as either strict or dynamic

ND proxy is used in IPv6 to provide reachability by allowing a client to act as proxy. Proxy certificate signing can be done either dynamically (requiring exchanges of identity and authorization information) or statically when the network topology is defined.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
proxy-nd-mode [dynamic|strict]

Parameters
• proxy-nd-mode [dynamic|strict]

proxy-nd-mode [dynamic|strict] – Configures the proxy ND mode for this WLAN's member clients. The options are: dynamic and strict
• dynamic – Forwards ND requests to the wireless side for which a response could not be proxied. This is the default value.
• strict – Does not forward ND requests to the wireless side

Example
rfs6000-81742D(config-wlan-test)#proxy-nd-mode strict
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 wpa-wpa2 server-only-authentication
 proxy-nd-mode strict
 opendns device-id 44-55-66
rfs6000-81742D(config-wlan-test)#

Related Commands
no – Reverts the proxy ND mode to default (dynamic)
4.1.97.2.35 qos-map
wlan-mode commands

Enables support for 802.11u QoS map element and frames

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
qos-map

Parameters
None

Example
rfs6000-81742D(config-wlan-test)#qos-map
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 qos-map
 wpa-wpa2 server-only-authentication
 proxy-nd-mode strict
 opendns device-id 44-55-66
rfs6000-81742D(config-wlan-test)#

Related Commands
no – Disables support for 802.11u QoS map element and frames
4.1.97.2.36 radio-resource-measurement
wlan-mode commands

Enables support for 802.11k radio resource measurement capabilities (IEEE 802.11k) on this WLAN

802.11k improves how traffic is distributed. In a WLAN, devices normally connect to the access point with the strongest signal. Depending on the number and location of clients, this arrangement can lead to excessive demand on one access point and under utilization of others, resulting in degradation of overall network performance. With 802.11k, if the access point with the strongest signal is loaded to its capacity, a client connects to an under-utilized access point. Even if the signal is weaker, the overall throughput is greater since it's an efficient use of the network's resources. This feature is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
radio-resource-measurement {channel-report|neighbor-report {hybrid}}

Parameters
• radio-resource-measurement {channel-report|neighbor-report {hybrid}}

radio-resource-measurement – Enables support for 802.11k radio resource measurement capabilities
channel-report – Optional. Includes the channel-report element in beacons and probe responses
neighbor-report {hybrid} – Optional. Enables responding to neighbor-report requests
• hybrid – Optional. Uses the hybrid model of smart-rf neighbors and roaming frequency to neighbors

Example
rfs4000-229D58(config-wlan-test)#radio-resource-measurement
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 vlan 1
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 radio-resource-measurement
 controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#

Related Commands
no – Disables support for 802.11k radio resource measurement capabilities (IEEE 802.11k) on this WLAN
4.1.97.2.37 radius
wlan-mode commands

Configures RADIUS related parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
radius [dynamic-authorization|nas-identifier|nas-port-id|vlan-assignment]
radius [dynamic-authorization|nas-identifier <NAS-ID>|nas-port-id <NAS-PORT-ID>|vlan-assignment]

Parameters
• radius [dynamic-authorization|nas-identifier <NAS-ID>|nas-port-id <NAS-PORT-ID>|vlan-assignment]

dynamic-authorization – Enables support for disconnect and change of authorization messages (RFC5176)
When enabled, this option extends the RADIUS protocol to support unsolicited messages from the RADIUS server. These messages allow administrators to issue change of authorization (CoA) messages, which affect session authorization, or disconnect messages (DM) that terminate a session immediately. This option is disabled by default.

nas-identifier <NAS-ID> – Configures the network access server (NAS) identifier attribute, a value that identifies the access point or controller where the RADIUS messages originate. The value specified here is included in the RADIUS NAS-Identifier field for WLAN authentication and accounting packets.
• <NAS-ID> – Specify the NAS identifier attribute (should not exceed 256 characters in length).

nas-port-id <NAS-PORT-ID> – Configures the NAS port ID attribute, a value that identifies the port from where the RADIUS messages originate
• <NAS-PORT-ID> – Specify the NAS port ID attribute (should not exceed 256 characters in length).
The profile database on the RADIUS server consists of user profiles for each connected NAS port. Each profile is matched to a username representing a physical port. When authorizing users, it queries the user profile database using a username representative of the physical NAS port making the connection. Set the numeric port value from 0 - 4294967295.

vlan-assignment – Configures the VLAN assignment of a WLAN. RADIUS VLAN assignment is disabled by default.
When enabled, this option assigns clients to the RADIUS server specified VLANs, overriding the WLAN configuration. If, as part of the authentication process, the RADIUS server returns a client's VLAN-ID in a RADIUS access-accept packet, and this feature is enabled, all client traffic is forwarded on that VLAN. If disabled, the RADIUS server returned VLAN-ID is ignored and the VLAN specified using the vlan/vlan-pool-member options (in the WLAN config mode) is used.
If both the RADIUS VLAN assignment and the post authentication VLAN options are enabled, then RADIUS VLAN assignment takes priority over post authentication VLAN configuration.

Example
rfs6000-81742D(config-wlan-test)#radius vlan-assignment
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
--More--
rfs6000-81742D(config-wlan-test)#

Related Commands
no – Disables support for disconnect and change of authorization messages. Disables the use of VLAN information received in RADIUS server responses, and instead uses the VLAN provided in the WLAN configuration. Removes the configured NAS identifier and NAS port identifier.
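
What a receiver of the unsolicited messages enabled by dynamic-authorization has to check, as an added Python example that is not part of the guide and does not describe WiNG's internal implementation: a Disconnect-Request or CoA-Request is accepted only if its Request Authenticator matches the shared secret and its Event-Timestamp falls inside the replay window RFC 5176 recommends. The shared secret, attribute values and timestamps are constructed sample data.

```python
import hashlib
import hmac
import struct

CODES = {40: "Disconnect-Request", 43: "CoA-Request"}   # RFC 5176 request codes
EVENT_TIMESTAMP = 55                                     # RADIUS attribute type
REPLAY_WINDOW = 300                                      # seconds, RFC 5176 default


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code, identifier, attributes, secret):
    """Build a request as the RADIUS server would (used here to create test input)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def parse_attributes(data):
    """Return [(type, value), ...], rejecting malformed attribute lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def verify_request(packet, secret, now):
    """Return (message name, attributes) for an authentic, fresh request."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError("unexpected code")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]                     # octets past Length are padding
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator")
    attrs = parse_attributes(packet[20:])
    stamps = [value for kind, value in attrs if kind == EVENT_TIMESTAMP]
    if len(stamps) != 1 or len(stamps[0]) != 4:
        raise ValueError("missing Event-Timestamp")
    if abs(now - struct.unpack("!I", stamps[0])[0]) > REPLAY_WINDOW:
        raise ValueError("stale Event-Timestamp")
    return CODES[code], attrs


def verdict(packet, secret, now):
    """Return 'accept' or the reason the packet is dropped."""
    try:
        verify_request(packet, secret, now)
        return "accept"
    except ValueError as err:
        return str(err)


# Constructed sample data: a Disconnect-Request for one guest session.
SECRET = b"constructed-shared-secret"
NOW = 1700000000
SAMPLE_ATTRS = (attr(1, b"guest01")                        # User-Name
                + attr(31, b"00-11-22-33-44-55")           # Calling-Station-Id
                + attr(EVENT_TIMESTAMP, struct.pack("!I", NOW - 10)))
SAMPLE = build_request(40, 7, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    print(verdict(SAMPLE, SECRET, NOW))
    print(verdict(SAMPLE, b"wrong-secret", NOW))
    print(verdict(SAMPLE, SECRET, NOW + 3600))
```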
4.1.97.2.38 registration
wlan-mode commands

Configures settings enabling dynamic registration and validation of devices by their MAC addresses. When configured, this option registers a device’s MAC address, and allows direct access to a previously registered device.

This command also configures the external guest registration and validation server details. If using an external server to perform guest registration, authentication and accounting, use this command to configure the external server’s IP address/hostname. When configured, access points and controllers forward guest registration requests to the specified registration server. In case of EGuest deployment, this external resource should point to the EGuest registration server.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
registration [device|device-OTP|external|user]
registration [device|device-OTP|user] group-name <RAD-GROUP-NAME> {agreement-refresh <0-144000>|expiry-time <1-43800>}
registration external [follow-aaa|host]
registration external follow-aaa {send-mode [http|https|udp]}
registration external host <IP/HOSTNAME> {proxy-mode|send-mode}
registration external host <IP/HOSTNAME> {proxy-mode [none|through-controller|through-rf-domain-manager|through-centralized-controller]|send-mode [http|https|udp]}

Parameters
• registration external follow-aaa {send-mode [http|https|udp]}

registration – Enables dynamic guest-user registration and validation. This option is disabled by default.
external – Specifies that the guest registration is handled by an external resource. Access points/controllers send registration requests to the external registration server.
follow-aaa – Uses an AAA policy to point to the guest registration, authentication, and accounting server. When used, guest registration is handled by the RADIUS server specified in the AAA policy used in the WLAN context.
In case of EGuest deployment, the RADIUS authentication and accounting server configuration in the AAA policy should point to the EGuest server. The use of the ‘follow-aaa’ option is recommended in EGuest replica-set deployments.
For more information on enabling the EGuest server, see eguest-server (VX9000 only).
For more information on configuring an EGuest deployment, see configuring ExtremeGuest captive-portal.
send-mode [http|https|udp] – Optional. Specifies the protocol used to forward registration requests to the external AAA policy servers. The options are:
• HTTPS – Sends registration requests as HTTPS packets
• HTTP – Sends registration requests as HTTP packets
• UDP – Sends registration requests as UDP packets, using the UDP port 12322. This is the default setting.

• registration external host <IP/HOSTNAME> {proxy-mode [none|through-controller|through-rf-domain-manager|through-centralized-controller]|send-mode [http|https|udp]}

registration – Configures dynamic guest registration and validation parameters. This option is disabled by default.
external – Specifies that the guest registration is handled by an external resource. Access points/controllers send registration requests to the external registration server.
host <IP/HOSTNAME> – Specifies the external registration server’s IP address or hostname. When configured, access points/controllers forward guest registration requests to the external registration server specified here.
proxy-mode {none|through-controller|through-rf-domain-manager|through-centralized-controller} – Optional. Specifies the proxy mode. If a proxy is needed for connection, specify the proxy mode as through-controller, through-rf-domain. If no proxy is needed, select none.
• none – Optional. Requests are sent directly to the controller from the requesting device
• through-controller – Optional. Requests are proxied through the controller configuring the device
• through-rf-domain-manager – Optional. Requests are proxied through the local RF Domain manager
• through-centralized-controller – Optional. Requests are proxied through one of the controllers in a cluster that is operating as the designated forwarder. Select this option if capture and redirection is on a cluster of wireless controllers/service platforms managing dependent/independent access points when redundancy is required.
After specifying the proxy-mode, optionally specify the protocol used to send the requests to the external registration server host.
send-mode [http|https|udp] – Optional. Specifies the communication protocol used. The options are:
• HTTPS – Sends registration requests as HTTPS packets
• HTTP – Sends registration requests as HTTP packets
• UDP – Sends registration requests as UDP packets, using the UDP port 12322. This is the default setting.

• registration [device|device-OTP|user] group-name <RAD-GROUP-NAME> {agreement-refresh <0-144000>|expiry-time <1-43800>}

registration – Configures dynamic guest registration and validation parameters. This option is disabled by default.
[device|device-OTP|user] – Configures the mode used to register guest users of this WLAN. Options include device, external, user, and device-OTP
• device-OTP – Registers a device by its MAC address. During registration, the user, using the registered device, has to provide the e-mail address, mobile number, or member id, and the one-time-passcode (OTP) sent to the registered e-mail id or mobile number to complete registration. On subsequent logins, the user has to enter the OTP. If the MAC address of the device attempting login and the OTP combination matches, the user is allowed access. If using this option, set the WLAN authentication type as MAC authentication.
• device – Registers a device by its MAC address. On subsequent logins, already registered MAC addresses are allowed access. If using this option, set the WLAN authentication type as MAC authentication.
• user – Registers guest users using one of the following options: e-mail address, mobile-number, or member-id.
If using any one of the above modes of registration, specify the RADIUS group to which the registered device or user is to be assigned post authentication.
group-name <RAD-GROUP-NAME> – Configures the RADIUS group name to which registered users are associated. When left blank, users are not associated with a RADIUS group.
• <RAD-GROUP-NAME> – Specify the RADIUS group name (should not exceed 64 characters).
expiry-time <1-43800> – Optional. Configures the amount of time, in hours, before registered addresses expire and must be re-entered
• <1-43800> – Specify a value from 1 - 43800 hrs. The default is 1500 hrs.
agreement-refresh <0-144000> – Optional. Sets the time, in minutes, after which an inactive user has to refresh the WLAN’s terms of agreement. For example, if the agreement refresh period is set to 1440 minutes, a user who has been inactive for more than 1440 minutes (1 day) is served the agreement page, and is allowed access only after refreshing the terms of agreement.
• <0-144000> – Specify a value from 0 - 144000. The default is 0 minutes.

Example
nx9500-6C8809(config-wlan-test)#registration user group-name guest agreement-refresh 14400 expiry-time 2000
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type none
 registration user group-name guest expiry-time 2000 agreement-refresh 14400
nx9500-6C8809(config-wlan-test)#

Related Commands
no – Disables dynamic user registration and removes associated configurations. Also disables forwarding of user information to an external device.
4.1.97.2.39 relay-agent
wlan-mode commands

Enables support for DHCP/DHCPv6 relay agent information (option 82 and DHCPv6-LDRA) feature on this WLAN. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
relay-agent [dhcp-option82|dhcpv6-ldra]

Parameters
• relay-agent [dhcp-option82|dhcpv6-ldra]

relay-agent – Enables support for the following DHCP and DHCPv6 options: option 82 and Lightweight DHCPv6 Relay Agent (LDRA) respectively. When enabled, this feature allows the DHCP/DHCPv6 relay agent to insert the relay agent information option (option 82, LDRA) in client requests forwarded to the DHCP/DHCPv6 server.
This information provides the following:
• circuit ID suboption – Provides the SNMP port interface index
• remote ID – Provides the controller’s MAC address
dhcp-option82 – Enables DHCP option 82. DHCP option 82 provides client physical attachment information. This option is disabled by default.
dhcpv6-ldra – Enables the DHCPv6 relay agent. The LDRA feature allows DHCPv6 messages to be transmitted on existing networks that do not currently support IPv6 or DHCPv6. This option is disabled by default.

Example
rfs4000-229D58(config-wlan-test)#relay-agent dhcp-option82
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 vlan 1
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 radio-resource-measurement
 relay-agent dhcp-option82
 controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#

rfs6000-81701D(config-wlan-test)#relay-agent dhcpv6-ldra
rfs6000-81701D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 relay-agent dhcpv6-ldra
rfs6000-81701D(config-wlan-test)#

Related Commands
no – Disables support for DHCP/DHCPv6 relay agent information (option 82 and DHCPv6-LDRA) feature on this WLAN
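
To confirm on the DHCP server side what relay-agent dhcp-option82 inserts, the added Python example below (not part of the guide) walks a DHCP options field, extracts option 82 and splits it into the circuit ID and remote ID sub-options defined in RFC 3046. The sample bytes are constructed; the 4-byte circuit ID and the 6-byte MAC in the remote ID are assumptions about the encoding, which the guide does not specify.

```python
SUBOPTION_NAMES = {1: "circuit_id", 2: "remote_id"}   # RFC 3046 sub-option codes


def iter_tlvs(data, pad_and_end):
    """Yield (code, value) pairs from a code/length/value sequence.

    DHCP options use Pad (0) and End (255) markers; the sub-options
    carried inside option 82 do not, so the caller chooses.
    """
    i = 0
    while i < len(data):
        code = data[i]
        if pad_and_end and code == 0:
            i += 1
            continue
        if pad_and_end and code == 255:
            return
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated TLV with code %d" % code)
        yield code, data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]


def parse_option82(options):
    """Return the relay agent information in a DHCP options field, or None.

    `options` is the options field that follows the DHCP magic cookie.
    Values are returned as raw bytes; a 6-byte remote ID is also rendered
    as a MAC address under the key 'remote_id_mac'.
    """
    for code, value in iter_tlvs(options, pad_and_end=True):
        if code != 82:
            continue
        info = {}
        for sub, data in iter_tlvs(value, pad_and_end=False):
            info[SUBOPTION_NAMES.get(sub, "suboption_%d" % sub)] = data
        remote = info.get("remote_id")
        if remote is not None and len(remote) == 6:
            info["remote_id_mac"] = ":".join("%02x" % octet for octet in remote)
        return info
    return None


# Constructed sample: option 53 (DHCPDISCOVER), then option 82 carrying
# circuit ID 000007d1 and remote ID 00:11:22:33:44:55, then End.
SAMPLE_OPTIONS = bytes.fromhex(
    "350101"                # DHCP message type = 1
    "520e"                  # option 82, 14 bytes of sub-options
    "0104000007d1"          # sub-option 1: circuit ID
    "0206001122334455"      # sub-option 2: remote ID
    "ff"                    # End
)

if __name__ == "__main__":
    print(parse_option82(SAMPLE_OPTIONS))
```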
4.1.97.2.40 shutdown
wlan-mode commands

Auto shuts down a WLAN

The auto shutdown mechanism helps regulate the availability of a WLAN based on an administrator defined access period. Use this feature to shut down a WLAN on specific days and hours and restrict periods when the WLAN traffic is either not desired or cannot be properly administrated. The normal practice is to shut down WLANs when there are no users on the network, such as after hours, weekends or holidays. This allows administrators more time to manage mission critical tasks since the WLAN's availability is automated.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
shutdown {on-critical-resource <CR-NAME>|on-meshpoint-loss|on-primary-port-link-loss|on-unadoption}

Parameters
• shutdown {on-critical-resource <CR-NAME>|on-meshpoint-loss|on-primary-port-link-loss|on-unadoption}

shutdown – Auto shuts down the WLAN when specified events occur. Disabled by default.
on-critical-resource <CR-NAME> – Optional. Auto shuts down the WLAN when critical resource failure occurs. Disabled by default.
• <CR-NAME> – Specifies the name of the critical resource being monitored for this WLAN.
on-meshpoint-loss – Optional. Auto shuts down the WLAN when the root meshpoint link fails (is unreachable). Disabled by default.
on-primary-port-link-loss – Optional. Auto shuts down the WLAN when a device loses its primary Ethernet port (ge1/up1) link. Disabled by default.
on-unadoption – Optional. Auto shuts down the WLAN when an adopted device becomes unadopted. Disabled by default.

Usage Guidelines
If the shutdown on-meshpoint-loss feature is enabled, the WLAN status changes only if the meshpoint and the WLAN are mapped to the same VLAN. If the meshpoint is mapped to VLAN 1 and the WLAN is mapped to VLAN 2, then the WLAN status does not change on loss of the meshpoint.

Example
rfs6000-81742D(config-wlan-test)#shutdown on-unadoption
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 proxy-arp-mode strict
 broadcast-dhcp validate-offer
 shutdown on-unadoption
 http-analyze controller
rfs6000-81742D(config-wlan-test)#

Related Commands
no – Disables auto shutdown of the WLAN. Use the optional keywords provided to disable auto shutdown of the WLAN upon critical resource failure, when meshpoint links fail, when the primary Ethernet port (ge1/up1) loses link, or when the WLAN gets unadopted.
4.1.97.2.41 ssid
wlan-mode commands

Configures a WLAN’s SSID

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ssid <SSID>

Parameters
• ssid <SSID>

<SSID> – Specify the WLAN’s SSID. The WLAN SSID is case sensitive and alphanumeric. Its length should not exceed 32 characters.

Example
rfs6000-81742D(config-wlan-test)#ssid testWLAN1
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 proxy-arp-mode strict
 broadcast-dhcp validate-offer
 shutdown on-unadoption
 http-analyze controller
rfs6000-81742D(config-wlan-test)#

Related Commands
no – Removes the WLAN’s SSID
4.1.97.2.42 t5-client-isolation
wlan-mode commands

Disallows clients connecting to the WLAN to communicate with one another. This setting applies exclusively to CPE devices managed by a T5 controller and is disabled by default.

A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use DSL as their high speed Internet access mechanism using the CPE’s physical wallplate connection and phone jack.

NOTE: This setting is applicable only when this WLAN supports T5 controllers and their connected CPEs.

Supported in the following platforms:
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
t5-client-isolation

Parameters
None

Example
nx9500-6C8809(config-wlan-test)#t5-client-isolation
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type none
 t5-client-isolation
nx9500-6C8809(config-wlan-test)#

Related Commands
no – Allows clients connecting to the WLAN to communicate with one another

4.1.97.2.43 t5-security

wlan-mode commands

Configures T5 PowerBroadband security settings

A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use DSL as their high speed Internet access mechanism using the CPE’s physical wallplate connection and phone jack.

NOTE: This setting is applicable only when this WLAN supports T5 controllers and their connected CPEs.

Supported in the following platforms:
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
t5-security [static-wep|wpa-enterprise|wpa-personal]
t5-security static-wep encryption-type [wep128|wep64] [hex <STRING>|passphrase <STRING>]
t5-security [wpa-enterprise|wpa-personal] encryption-type [ccmp|tkip|tkip-ccmp] version [mixed|wpa|wpa2]

Parameters
• t5-security static-wep encryption-type [wep128|wep64] [hex <STRING>|passphrase <STRING>]

t5-security static-wep
    Configures the T5 WLAN security type as static-wep
encryption-type [wep128|wep64]
    Applies one of the following encryption algorithms to the T5 support WLAN configuration: WEP64 or WEP128
hex <STRING>
    Configures the hex password (used to derive the security key)
    • <STRING> – Specify the hex password (should not exceed 10 - 26 characters).
passphrase <STRING>
    Configures the passphrase shared by both transmitting and receiving authenticators
    • <STRING> – Specify the passphrase. It could either be an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters. The alphanumeric string allows character spaces. This string is converted to a numeric value. Configuring a passphrase saves you the need to create a 256-bit key each time keys are generated.

• t5-security [wpa-enterprise|wpa-personal] encryption-type [ccmp|tkip|tkip-ccmp] version [mixed|wpa|wpa2]

t5-security [wpa-enterprise|wpa-personal]
    Configures the T5 WLAN security type as: wpa-enterprise OR wpa-personal
encryption-type [ccmp|tkip|tkip-ccmp]
    The following parameters are common to the wpa-enterprise and wpa-personal keywords:
    Applies one of the following encryption algorithms to the T5 support WLAN configuration: CCMP, TKIP, or TKIP-CCMP
version [mixed|wpa|wpa2]
    The following parameters are common to the wpa-enterprise and wpa-personal keywords:
    • version – Applies one of the following encryption schemes to the T5 support WLAN configuration: WPA, WPA2, or mixed

Example
nx9500-6C8809(config-wlan-test)#t5-security wpa-enterprise encryption-type ccmp version wpa
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type none
 t5-security wpa-enterprise encryption-type ccmp version wpa
 t5-client-isolation
nx9500-6C8809(config-wlan-test)#

Related Commands
no
    Removes the configured T5 PowerBroadband security settings

4.1.97.2.44 time-based-access

wlan-mode commands

Configures time-based client access to the network resources

Administrators can use this feature to assign fixed days and times of WLAN access for wireless clients.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
time-based-access days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays] {start <START-TIME>} [end <END-TIME>]

Parameters
• time-based-access days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays] {start <START-TIME>} [end <END-TIME>]

days <option>
    Specifies the day or days on which the client can access the WLAN
    • sunday – Allows access on Sundays only
    • monday – Allows access on Mondays only
    • tuesday – Allows access on Tuesdays only
    • wednesday – Allows access on Wednesdays only
    • thursday – Allows access on Thursdays only
    • friday – Allows access on Fridays only
    • saturday – Allows access on Saturdays only
    • weekends – Allows access on weekends only
    • weekdays – Allows access on weekdays only
    • all – Allows access on all days
start <START-TIME>
    Optional. Specifies the access start time in hours and minutes (HH:MM)
end <END-TIME>
    Specifies the access end time in hours and minutes (HH:MM)

Example
rfs6000-81742D(config-wlan-test)#time-based-access days weekdays start 10:00 end 16:30
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
--More--
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Removes the configured time-based-access settings

4.1.97.2.45 use

wlan-mode commands

This command associates an existing captive portal with a WLAN.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [aaa-policy|application-policy|association-acl-policy|bonjour-gw-discovery-policy|captive-portal|ip-access-list|ipv6-access-list|mac-access-list|passpoint-policy|roaming-assist-policy|url-filter|wlan-qos-policy]
use [aaa-policy <AAA-POLICY-NAME>|application-policy <POLICY-NAME>|association-acl-policy <ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-NAME>|captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|roaming-assist-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>|wlan-qos-policy <WLAN-QOS-POLICY-NAME>]
use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>
use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>
use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>

Parameters
• use [aaa-policy <AAA-POLICY-NAME>|application-policy <POLICY-NAME>|association-acl-policy <ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-NAME>|captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|roaming-assist-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>|wlan-qos-policy <WLAN-QOS-POLICY-NAME>]

aaa-policy <AAA-POLICY-NAME>
    Uses an existing AAA policy with a WLAN
    • <AAA-POLICY-NAME> – Specify the AAA policy name.
application-policy <POLICY-NAME>
    Uses an existing application policy with a WLAN. An application policy defines actions to perform on a packet when it matches a specified set of pre-defined applications or application categories. For more information, see application-policy.
    • <POLICY-NAME> – Specify the policy name.
association-acl-policy <ASSOCIATION-POLICY-NAME>
    Uses an existing association ACL policy with a WLAN
    • <ASSOCIATION-POLICY-NAME> – Specify the association ACL policy name.
bonjour-gw-discovery-policy <POLICY-NAME>
    Uses an existing Bonjour GW Discovery policy with a WLAN. When associated, the Bonjour GW Discovery policy defines a list of services clients can discover across subnets.
    Bonjour enables discovery of services on a LAN. Bonjour allows setting up a network (without any configuration) in which services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.
    • <POLICY-NAME> – Specify the Bonjour GW Discovery policy name (should be existing and configured).
    For more information on Bonjour GW Discovery policy, see bonjour-gw-discovery-policy.
captive-portal <CAPTIVE-PORTAL-NAME>
    Specifies the captive-portal policy to use if enforcing captive-portal authentication on this WLAN
    • <CAPTIVE-PORTAL-NAME> – Specify the captive-portal policy name. Should be existing and configured.
passpoint-policy <PASSPOINT-POLICY-NAME>
    Associates a passpoint policy (Hotspot2 configuration) with this WLAN
    • <PASSPOINT-POLICY-NAME> – Specify the Hotspot 2.0 policy name.
    For more information on passpoint policy, see passpoint-policy.
    Map a passpoint policy to a WLAN. Since the configuration gets applied to the radio by BSS, only the Hotspot 2.0 configuration of primary WLANs on a BSSID is used. Incoming Hotspot 2.0 GAQ/ANQP requests from clients are identified by their destination MAC addresses and are handled by the passpoint policy from the primary WLAN on that BSS.
    Define one passpoint policy for every WLAN configured.
roaming-assist-policy <POLICY-NAME>
    Associates an existing roaming assist policy with this WLAN
    • <POLICY-NAME> – Specify the Roaming Assist policy name.
    For more information on roaming assist policy, see roaming-assist-policy.
url-filter <URL-FILTER-NAME>
    Associates an existing URL list with this WLAN
    • <URL-FILTER-NAME> – Specify the URL filter name.
    For more information on configuring a URL list, see url-list.
wlan-qos-policy <WLAN-QOS-POLICY-NAME>
    Uses an existing WLAN QoS policy with a WLAN
    • <WLAN-QOS-POLICY-NAME> – Specify the WLAN QoS policy name.

• use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>

ip-access-list [in|out] <IP-ACCESS-LIST-NAME>
    Specifies the IP access list for incoming and outgoing packets
    • in – Applies the IP ACL to incoming packets
    • out – Applies the IP ACL to outgoing packets
    • <IP-ACCESS-LIST-NAME> – Specify the IP access list name.

• use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>

ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>
    Specifies the IPv6 access list for incoming and outgoing packets
    • in – Applies the IPv6 ACL to incoming packets
    • out – Applies the IPv6 ACL to outgoing packets
    • <IPv6-ACCESS-LIST-NAME> – Specify the IPv6 access list name.

• use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>

mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>
    Specifies the MAC access list for incoming and outgoing packets.
    • in – Applies the MAC ACL to incoming packets
    • out – Applies the MAC ACL to outgoing packets
    • <MAC-ACCESS-LIST-NAME> – Specify the MAC access list name.

Usage Guidelines
IP and MAC ACLs act as firewalls within a WLAN. WLANs use ACLs as firewalls to filter or mark packets based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies a set of conditions (rules) and the action taken in case of a match. The action can be permit, deny, or mark. Therefore, when a packet matches an ACE’s conditions, it is either forwarded, dropped, or marked depending on the action specified in the ACE. The order of conditions in the list is critical since filtering is stopped after the first match.

IP ACLs contain deny and permit rules specifying source and destination IP addresses. Each rule has a precedence order assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL.

Additionally, you can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny, or mark designation to WLAN packet traffic.

Keep in mind IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.

Example
rfs6000-81742D(config-wlan-test)#use aaa-policy test
rfs6000-81742D(config-wlan-test)#use association-acl-policy test
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 use aaa-policy test
 use association-acl-policy test
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 proxy-arp-mode strict
 broadcast-dhcp validate-offer
 shutdown on-unadoption
 http-analyze controller
rfs6000-81742D(config-wlan-test)#

rfs6000-81742D(config-wlan-ipad_clients)#use bonjour-gw-discovery-policy generic
rfs6000-81742D(config-wlan-ipad_clients)#show context
wlan ipad_clients
 ssid ipad_clients
 vlan 41
 bridging-mode local
 encryption-type none
 authentication-type none
 use bonjour-gw-discovery-policy generic
rfs6000-81742D(config-wlan-ipad_clients)#

Related Commands
no
    Removes the following policies associated with a WLAN: aaa-policy, application-policy, association-acl-policy, bonjour-gw-discovery-policy, captive-portal, ip-access-list, ipv6-access-list, mac-access-list, passpoint-policy, roaming-assist-policy, url-filter, or wlan-qos-policy.
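
The Usage Guidelines for the use command state that filtering stops at the first matching ACE, so a rule placed behind a broader one never takes effect. The following Python example is added here to make that checkable offline; it is not part of the WiNG CLI or this guide. The Ace rule model, the lower-precedence-first ordering and all addresses are assumptions made for illustration.

```python
"""First-match ACL evaluation and shadowed-rule detection (added illustration).

The rule model is hypothetical: it is not WiNG's ACL syntax or its engine.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    precedence: int  # assumption: lower values are evaluated first
    action: str      # "permit", "deny" or "mark"
    src: str         # source network, CIDR notation
    dst: str         # destination network, CIDR notation

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

    def covers(self, other: "Ace") -> bool:
        """True when every packet matching `other` also matches this ACE."""
        return (_within(other.src, self.src)
                and _within(other.dst, self.dst))


def _within(inner: str, outer: str) -> bool:
    a, b = ip_network(inner), ip_network(outer)
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
    return a.version == b.version and a.subnet_of(b)


def ordered(acl: List[Ace]) -> List[Ace]:
    return sorted(acl, key=lambda ace: ace.precedence)


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """Return the first ACE that matches; evaluation stops there."""
    for ace in ordered(acl):
        if ace.matches(src_ip, dst_ip):
            return ace
    return None  # nothing matched; default handling is outside this model


def shadowed(acl: List[Ace]) -> List[Tuple[Ace, Ace, str]]:
    """List ACEs that can never match because an earlier ACE covers them.

    Each finding is (unreachable ACE, covering ACE, kind), where kind is
    "conflict" when the actions differ and "redundant" when they agree.
    """
    findings = []
    rules = ordered(acl)
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((later, earlier, kind))
                break
    return findings


# Constructed sample: the deny at precedence 20 is meant to keep one client
# subnet away from a server subnet, but the broad permit at 10 matches first.
SAMPLE_ACL = [
    Ace(10, "permit", "10.0.0.0/8", "0.0.0.0/0"),
    Ace(20, "deny", "10.1.41.0/24", "172.16.10.0/24"),
    Ace(30, "deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# Same rules with the specific deny moved ahead of the broad permit.
FIXED_ACL = [
    Ace(5, "deny", "10.1.41.0/24", "172.16.10.0/24"),
    Ace(10, "permit", "10.0.0.0/8", "0.0.0.0/0"),
    Ace(30, "deny", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, acl in (("sample", SAMPLE_ACL), ("fixed", FIXED_ACL)):
        hit = evaluate(acl, "10.1.41.7", "172.16.10.2")
        print(name, "->", hit.action, "at precedence", hit.precedence)
        for later, earlier, kind in shadowed(acl):
            print(f"  precedence {later.precedence} is unreachable "
                  f"({kind} with precedence {earlier.precedence})")
```

Running the shadow check before an ACL is attached with use ip-access-list catches ordering mistakes that a per-rule review does not show.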

4.1.97.2.46 vlan

wlan-mode commands

Sets the VLAN where traffic from a WLAN is mapped

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters
• vlan [<1-4094>|<VLAN-ALIAS-NAME>]

<1-4094>
    Sets a WLAN’s VLAN ID. This command starts a new VLAN assignment for a WLAN index. All prior VLAN settings are erased.
    Use this command to assign just one VLAN to the WLAN. Utilizing a single VLAN per WLAN is a more typical deployment scenario than using a VLAN pool.
<VLAN-ALIAS-NAME>
    Assigns a VLAN alias to the WLAN. The VLAN alias should be existing and configured.
    A VLAN alias maps a name to a VLAN ID. When applied to ports (for example GE ports) using the trunk mode, a VLAN alias denies or permits traffic, on the port, to and from the VLANs specified in the alias. For more information on aliases, see alias.

Example
rfs6000-81742D(config-wlan-test)#vlan 4
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan 4
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 use aaa-policy test
 use association-acl-policy test
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 proxy-arp-mode strict
 broadcast-dhcp validate-offer
 shutdown on-unadoption
 http-analyze controller
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Removes a WLAN’s default VLAN mapping

4.1.97.2.47 vlan-pool-member

wlan-mode commands

Adds a member VLAN to a WLAN’s VLAN pool. Use this option to define the VLANs available to this WLAN. Additionally, define the number of wireless clients supported by each VLAN.

NOTE: Configuration of a VLAN pool overrides the 'vlan' configuration.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
vlan-pool-member <WORD> {limit <0-8192>}

Parameters
• vlan-pool-member <WORD> {limit <0-8192>}

vlan-pool-member
    Adds a member VLAN to a WLAN’s VLAN pool
    Since users belonging to separate VLANs can share the same WLAN, it is not necessary to create a new WLAN for every VLAN in the network.
<WORD>
    Define the VLANs available to this WLAN. It is either a single index, or a list of VLAN IDs (for example, 1,3,7), or a range (for example, 1-10)
limit <0-8192>
    Optional. Is ignored if the number of clients is limited and well within the limits of the DHCP pool on the VLAN
    • <0-8192> – Specifies the number of users allowed

Example
rfs6000-81742D(config-wlan-test)#vlan-pool-member 1-10 limit 1
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
--More--
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Removes the list of VLANs mapped to a WLAN

4.1.97.2.48 wep128

wlan-mode commands

Configures WEP128 parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wep128 [key|keys-from-passkey|transmit-key]
wep128 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
wep128 keys-from-passkey <WORD>
wep128 transmit-key <1-4>

Parameters
• wep128 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
• wep128 keys-from-passkey <WORD>
• wep128 transmit-key <1-4>

wep128
    Configures WEP128 parameters. The parameters are: key, keys-from-passkey, and transmit-key.
key <1-4>
    Configures pre-shared hex keys
    • <1-4> – Configures a maximum of four key indexes. Select the key index from 1 - 4.
ascii [0 <WORD>|2 <WORD>|<WORD>]
    Sets keys as ASCII characters (5 characters for WEP64, 13 for WEP128)
    • 0 <WORD> – Configures a clear text key
    • 2 <WORD> – Configures an encrypted key
    • <WORD> – Configures keys as 13 ASCII characters converted to hex, or 26 hexadecimal characters
hex [0 <WORD>|2 <WORD>|<WORD>]
    Sets keys as hexadecimal characters (10 characters for WEP64, 26 for WEP128)
    • 0 <WORD> – Configures a clear text key
    • 2 <WORD> – Configures an encrypted key
    • <WORD> – Configures keys as 13 ASCII characters converted to hex, or 26 hexadecimal characters
keys-from-passkey <WORD>
    Specifies a passphrase from which keys are derived
    • <WORD> – Specify a passphrase from 4 - 32 characters.
transmit-key <1-4>
    Configures the key index used for transmission from an AP to a wireless client or service platform
    • <1-4> – Specify a key index from 1 - 4.

Example
rfs6000-81742D(config-wlan-test)#wep128 keys-from-passkey example@123
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
 wep128 key 2 hex 0 2b3fb36924b22dffe98c86c315
 wep128 key 3 hex 0 1ebf3394431700194762ebd5b2
 wep128 key 4 hex 0 e3de75be311bd787aeac5e4e8b
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
--More--
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Resets the WEP128 PSK and transmission keys to factory-default values.

4.1.97.2.49 wep64

wlan-mode commands

Configures WEP64 parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wep64 [key|keys-from-passkey|transmit-key]
wep64 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
wep64 keys-from-passkey <WORD>
wep64 transmit-key <1-4>

Parameters
• wep64 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
• wep64 keys-from-passkey <WORD>
• wep64 transmit-key <1-4>

wep64
    Configures WEP64 parameters
    The parameters are: key, keys-from-passkey, and transmit-key.
key <1-4>
    Configures pre-shared hex keys
    • <1-4> – Configures a maximum of four key indexes. Select a key index from 1 - 4.
ascii [0 <WORD>|2 <WORD>|<WORD>]
    Sets keys as ASCII characters (5 characters for WEP64, 13 for WEP128)
    • 0 <WORD> – Configures a clear text key
    • 2 <WORD> – Configures an encrypted key
    • <WORD> – Configures the key (10 hex or 5 ASCII characters for WEP64, 26 hex or 13 ASCII characters for WEP128).
hex [0 <WORD>|2 <WORD>|<WORD>]
    Sets keys as hexadecimal characters (10 characters for WEP64, 26 for WEP128)
    • 0 <WORD> – Configures a clear text key
    • 2 <WORD> – Configures an encrypted key
    • <WORD> – Configures the key (10 hex or 5 ASCII characters for WEP64, 26 hex or 13 ASCII characters for WEP128)
keys-from-passkey <WORD>
    Specifies a passphrase from which keys are derived
    • <WORD> – Specify a passphrase from 4 - 32 characters.
transmit-key <1-4>
    Configures the key index used for transmission from an AP to a wireless client or service platform
    • <1-4> – Specify a key index from 1 - 4.

Example
rfs6000-81742D(config-wlan-test)#wep64 key 1 ascii test1
rfs6000-81742D(config-wlan-test)#wep64 transmit-key 1
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 wep64 key 1 hex 0 7465737431
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 use aaa-policy test
--More--
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Resets the WEP64 PSK and transmission keys to factory-default values
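
The show context output in the wep128 and wep64 examples above lists keys with secret type 0 (clear text), and the wep64 key entered as ascii test1 is stored as its hex encoding 7465737431. The following Python example is added here for reviewing a saved configuration for those conditions; it is not part of the WiNG CLI or this guide. It assumes one setting per line with WLAN members indented by a space; the second WLAN in the sample and its type 2 key string are constructed placeholders.

```python
"""Audit WLAN blocks from saved 'show context' output (added illustration)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample. "wlan test" reuses values shown in the examples above;
# "wlan lab" and the type 2 key string are made-up placeholders.
SAMPLE_CONTEXT = """\
wlan test
 ssid testWLAN1
 bridging-mode local
 encryption-type none
 authentication-type none
 wep64 key 1 hex 0 7465737431
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
wlan lab
 ssid labWLAN
 encryption-type ccmp
 wep64 key 2 hex 2 PLACEHOLDER-ENCRYPTED-VALUE
 wep128 key 1 hex 0 0011223344
"""

# Key lengths in hex characters, as given in the parameter tables above.
WEP_HEX_LEN = {"wep64": 10, "wep128": 26}
KEY_RE = re.compile(r"^(wep64|wep128) key ([1-4]) hex (0|2) (\S+)$")


def split_wlans(text: str) -> Dict[str, List[str]]:
    """Group indented setting lines under the 'wlan <name>' line above them."""
    wlans: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("wlan "):
            current = raw.split(None, 1)[1].strip()
            wlans[current] = []
        elif current is not None and raw.startswith(" "):
            wlans[current].append(raw.strip())
    return wlans


def printable_ascii(hex_key: str) -> Optional[str]:
    """Return the decoded text when a hex key is entirely printable ASCII."""
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        return None
    if raw and all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (wlan, finding, setting) tuples; key values are never echoed."""
    findings = []
    for name, lines in split_wlans(text).items():
        if "encryption-type none" in lines:
            findings.append((name, "no-encryption", "encryption-type none"))
        for line in lines:
            m = KEY_RE.match(line)
            if not m:
                continue
            algo, index, secret_type, value = m.groups()
            label = f"{algo} key {index}"
            if secret_type != "0":
                continue  # type 2: stored encrypted, value is opaque here
            findings.append((name, "cleartext-key", label))
            if len(value) != WEP_HEX_LEN[algo]:
                findings.append((name, "bad-key-length", label))
            if printable_ascii(value) is not None:
                # Key was typed as ASCII text, so it uses only printable bytes.
                findings.append((name, "ascii-derived-key", label))
    return findings


if __name__ == "__main__":
    for wlan, finding, setting in audit(SAMPLE_CONTEXT):
        print(f"{wlan:6} {finding:18} {setting}")
```

Because type 0 keys appear verbatim in show context, saved configurations and support captures that contain them should be handled as secrets.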

4.1.97.2.50 wing-extensions

wlan-mode commands

Enables support for WiNG-specific client extensions to the IEEE 802.11x WLAN standards that potentially increase client roaming reliability and handshake speed

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wing-extensions [ap-attributes-information {include-hostname}|coverage-hole-detection {11k-clients|offset <5-20>|threshold <-80--60>}|ft-over-ds-aggregate|move-command|scan-assist {channel-info-interval <6-9>}|smart-scan|wing-load-information|wmm-load-information]

Parameters
• wing-extensions [ap-attributes-information {include-hostname}|coverage-hole-detection {11k-clients|offset <5-20>|threshold <-80--60>}|ft-over-ds-aggregate|move-command|scan-assist {channel-info-interval <6-9>}|smart-scan|wing-load-information|wmm-load-information]

wing-extensions
    Enables support for inclusion of WiNG-specific client extensions in radio transmissions
ap-attributes-information {include-hostname}
    Enables support for AP attributes information element (IE)
    • include-hostname – Optional. When enabled, includes AP’s hostname, as a sub-element, in the AP attributes IE.
    The AP attributes IE is vendor-specific and, when enabled, is added to beacons and probe responses. Inclusion of AP attributes IE allows Extreme Networks terminals to:
    - Recognize Extreme APs
    - Determine if the AP supports PAN BU features, irrespective of whether these features are enabled or not.
    AP attributes IE is not added to beacons and probe responses by default.
coverage-hole-detection {11k-clients|offset <5-20>|threshold <-80--60>}
    Enables coverage hole detection (CHD) and configures CHD parameters. When enabled, allows clients (MUs) to inform an access point when they experience a coverage hole. A coverage hole is an area of poor wireless coverage not supported by a WiNG managed access point radio. Enable radio resource measurement prior to enabling CHD. For enabling radio resource measurement, see radio-resource-measurement. CHD is disabled by default. After enabling CHD, optionally configure the following parameters:
    • 11k-clients – Optional. Provides coverage hole detection to 802.11k-only-capable clients. This is a reduced set of coverage hole detection capabilities (standard 11k messages and behaviors). This option is disabled by default.
    • offset <5-20> – Optional. Configures the offset added to the threshold to obtain the access point’s signal strength (as seen by the client) considered adequate.
        • <5-20> – Specify the offset value from 5 - 20. The default is 5.
    • threshold – Optional. Configures the access point’s signal strength threshold. When Radio Resource Measurement and CVG Hole are enabled, specify a threshold for the AP’s signal strength (as seen by the client) below which a coverage hole incident is reported by the client.
        • <-80--60> – Specify the threshold from -80 - -60 dBm. The default is -70 dBm.
ft-over-ds-aggregate
    Enables fast-transition (FT) aggregation of action frames. When enabled, increases roaming speed by eliminating separate key exchange handshake frames with potential roam candidates. Enable fast transition to complete an initial FT over distribution system (DS) handshake with multiple roam candidates (up to 6) at once, eliminating the need to send separate FT over DS handshakes to each roam candidate.
    This option is disabled by default.
move-command
    Enables use of Hyper Fast Secure Roaming (HFSR) for clients on this WLAN. This feature applies only to certain client devices. This option is disabled by default.
scan-assist {channel-info-interval <6-9>}
    Enables support for scanning assist. When enabled, allows faster roams on Dynamic Frequency Selection (DFS) channels by eliminating passive scans. Clients get channel information directly from possible roam candidates. This option is disabled by default.
    • channel-info-interval <6-9> – Optional. Configures the interval at which channel information is periodically retrieved from potential roam candidates without requesting scan assist.
        • <6-9> – Specify the interval from 6 - 9 seconds. When enabled, the default value is 8 seconds.
smart-scan
    Enables a smart scan to refine a client’s channel scans to just a few channels as opposed to all available channels. This option is disabled by default.
wing-load-information
    Enables support for the WiNG load information element (Element ID 173) with legacy Symbol Technology clients, thus making them optimally interoperable with the latest Extreme Networks access points. This option is enabled by default.
wmm-load-information
    Enables support for WiNG Wi-Fi MultiMedia (WMM) Load Information Element in radio transmissions with legacy clients. This option is disabled by default.

Example
rfs6000-81742D(config-wlan-test)#wing-extensions wmm-load-information
rfs6000-81742D(config-wlan-test)#show context
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 kerberos server timeout 12
 kerberos server primary host 172.16.10.2
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
--More--
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Disables support for WiNG-specific client extensions to the IEEE 802.11x WLAN standards. Use the keywords provided to disable a specific wing-extension.

4.1.97.2.51 wireless-client

wlan-mode commands

Configures the transmit power indicated to clients

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wireless-client [count-per-radio|cred-cache-ageout|hold-time|inactivity-timeout|max-firewall-sessions|reauthentication|roam-notification|t5-inactivity-timeout|tx-power|vlan-cache-ageout]
wireless-client [count-per-radio <0-256>|cred-cache-ageout <60-86400>|hold-time <1-86400>|inactivity-timeout <60-86400>|max-firewall-sessions <10-10000>|reauthentication <30-86400>|t5-inactivity-timeout <60-86400>|tx-power <0-20>|vlan-cache-ageout <60-86400>]
wireless-client roam-notification [after-association|after-data-ready|auto]

Parameters
• wireless-client [count-per-radio <0-256>|cred-cache-ageout <60-86400>|hold-time <1-86400>|inactivity-timeout <60-86400>|max-firewall-sessions <10-10000>|reauthentication <30-86400>|t5-inactivity-timeout <60-86400>|tx-power <0-20>|vlan-cache-ageout <60-86400>]

wireless-client
    Configures the transmit power indicated to wireless clients for transmission
count-per-radio <0-256>
    Configures the maximum number of clients allowed on this WLAN per radio
    • <0-256> – Specify a value from 0 - 256.
cred-cache-ageout <60-86400>
    Configures the timeout period for which client credentials are cached across associations
    • <60-86400> – Specify a value from 60 - 86400 seconds.
hold-time <1-86400>
    Configures the time period for which wireless client state information is cached post roaming
    • <1-86400> – Specify a value from 1 - 86400 seconds.
inactivity-timeout <60-86400>
    Configures an inactivity timeout period in seconds. If a frame is not received from a wireless client for this period of time, the client is disassociated.
    • <60-86400> – Specify a value from 60 - 86400 seconds.
max-firewall-sessions <10-10000>
    Configures the maximum firewall sessions allowed per client on a WLAN
    • <10-10000> – Specify the maximum number of firewall sessions allowed from 10 - 10000.
reauthentication <30-86400>
    Configures periodic reauthentication of associated clients
    • <30-86400> – Specify the client reauthentication interval from 30 - 86400 seconds.
t5-inactivity-timeout <60-86400>
    Configures an inactivity timeout, in seconds, for T5 devices. When configured, the T5 device is disassociated if the time lapsed after the last frame received from it exceeds the value specified here.
    • <60-86400> – Specify a value from 60 - 86400 seconds. The default is 60 seconds.
tx-power <0-20>
    Configures the transmit power indicated to clients
    • <0-20> – Specify a value from 0 - 20 dBm.
vlan-cache-ageout <60-86400>
    Configures the timeout period for which client VLAN information is cached across associations.
    • <60-86400> – Specify a value from 60 - 86400 seconds.

• wireless-client roam-notification [after-association|after-data-ready|auto]

wireless-client
    Configures the transmit power indicated to wireless clients for transmission
roam-notification
    Configures when a roam notification is transmitted
after-association
    Transmits a roam notification after a client has associated
after-data-ready
    Transmits a roam notification after a client is data-ready (after completion of authentication, handshakes, etc.)
auto
    Transmits a roam notification upon client association (if the client is known to have authenticated to the network)

Example
rfs6000-81742D(config-wlan-test)#wireless-client cred-cache-ageout 65
rfs6000-81742D(config-wlan-test)#wireless-client hold-time 200
rfs6000-81742D(config-wlan-test)#wireless-client max-firewall-sessions 100
rfs6000-81742D(config-wlan-test)#wireless-client reauthentication 35
rfs6000-81742D(config-wlan-test)#wireless-client tx-power 12
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 wireless-client hold-time 200
 wireless-client cred-cache-ageout 65
 wireless-client max-firewall-sessions 100
 protected-mgmt-frames mandatory
 wireless-client reauthentication 35
 wep64 key 1 hex 0 7465737431
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
 wep128 key 2 hex 0 2b3fb36924b22dffe98c86c315
 wep128 key 3 hex 0 1ebf3394431700194762ebd5b2
 wep128 key 4 hex 0 e3de75be311bd787aeac5e4e8b
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
 wing-extensions wmm-load-information
 wireless-client tx-power 12
 client-load-balancing probe-req-intvl 5ghz 5
--More--
rfs6000-81742D(config-wlan-test)#
GLOBAL CONFIGURATION COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 541Related Commandsno Removes or reverts to default configured wireless client related parameters
4.1.97.2.52 wpa-wpa2
wlan-mode commands

Modifies TKIP-CCMP (WPA/WPA2) related parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wpa-wpa2 [exclude-wpa2-tkip|handshake|key-rotation|opp-pmk-caching|pmk-caching|preauthentication|server-only-authentication|psk|tkip-countermeasures|use-sha256-akm]
wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication|server-only-authentication|use-sha256-akm]
wpa-wpa2 handshake [attempts|init-wait|priority|timeout]
wpa-wpa2 handshake [attempts <1-5>|init-wait <5-1000000>|priority [high|normal]|timeout <10-5000> {10-5000}]
wpa-wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa-wpa2 psk [0 <LINE>|2 <LINE>|<LINE>]
wpa-wpa2 tkip-countermeasures holdtime <0-65535>

Parameters
• wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication|server-only-authentication|use-sha256-akm]

wpa-wpa2
    Modifies TKIP-CCMP (WPA/WPA2) related parameters
exclude-wpa2-tkip
    Excludes the Wi-Fi Protected Access II (WPA2) version of TKIP. It supports the WPA version of TKIP only. This option is disabled by default.
opp-pmk-caching
    Uses opportunistic key caching (same Pairwise Master Key (PMK) across APs) for fast roaming with EAP/802.1x. This option is enabled by default.
pmk-caching
    Uses cached pairwise master keys (fast roaming with EAP/802.1x). This option is enabled by default.
preauthentication
    Uses pre-authentication mode (WPA2 fast roaming)
server-only-authentication
    Uses online sign up server-only-authenticated encryption network. This option is disabled by default.
use-sha256-akm
    Uses the SHA256 authentication key management suite. This option is disabled by default.

• wpa-wpa2 handshake [attempts <1-5>|init-wait <5-1000000>|priority [high|normal]|timeout <10-5000> {10-5000}]

wpa-wpa2
    Modifies TKIP-CCMP (WPA/WPA2) related parameters
handshake
    Configures WPA/WPA2 handshake parameters
attempts <1-5>
    Configures the total number of times a message is transmitted towards a non-responsive client
    • <1-5> – Specify a value from 1 - 5. The default is 2.
init-wait <5-1000000>
    Configures a minimum wait-time period, in microseconds, before the first handshake message is transmitted from the AP. This option is disabled by default.
    • <5-1000000> – Specify a value from 5 - 1000000 microseconds.
priority [high|normal]
    Configures the relative priority of handshake messages compared to other data traffic
    • high – Treats handshake messages as high priority packets on a radio. This is the default setting.
    • normal – Treats handshake messages as normal priority packets on a radio
timeout <10-5000> <10-5000>
    Configures the timeout period, in milliseconds, for a handshake message to retire. Once this period is exceeded, the handshake message is retired.
    • <10-5000> – Specify a value from 10 - 5000 milliseconds. The default is 500 milliseconds.
    • <10-5000> – Optional. Configures a different timeout between the second and third attempts

• wpa-wpa2 key-rotation [broadcast|unicast] <30-86400>

wpa-wpa2
    Modifies TKIP-CCMP (WPA/WPA2) related parameters
key-rotation
    Configures parameters related to periodic rotation of encryption keys. Periodic key rotation can be configured for broadcast, multicast, and unicast traffic.
broadcast <30-86400>
    Configures the periodic rotation of keys used for broadcast and multicast traffic. This parameter specifies the interval, in seconds, at which keys are rotated. This option is disabled by default.
    • <30-86400> – Specify a value from 30 - 86400 seconds.
unicast <30-86400>
    Configures a periodic interval for the rotation of keys used for unicast traffic. This option is disabled by default.
    • <30-86400> – Specify a value from 30 - 86400 seconds.

• wpa-wpa2 psk [0 <LINE>|2 <LINE>|<LINE>]

wpa-wpa2
    Modifies TKIP-CCMP (WPA/WPA2) related parameters
psk
    Configures a pre-shared key. The key options are: 0, 2, and LINE
0 <LINE>
    Configures a clear text key
2 <LINE>
    Configures an encrypted key
<LINE>
    Enter the pre-shared key either as a passphrase of 8 - 63 characters, or as a 64 character (256-bit) hexadecimal value

• wpa-wpa2 tkip-countermeasures holdtime <0-65535>

wpa-wpa2
    Modifies TKIP-CCMP (WPA/WPA2) parameters
tkip-countermeasures
    Configures a hold time period for implementation of TKIP countermeasures
holdtime <0-65535>
    Configures the amount of time a WLAN is disabled when TKIP countermeasures are invoked
    • <0-65535> – Specify a value from 0 - 65535 seconds. The default is 60 seconds.

Example
rfs6000-81742D(config-wlan-test)#wpa-wpa2 tkip-countermeasures hold-time 2
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 wireless-client hold-time 200
 wireless-client cred-cache-ageout 65
 wireless-client max-firewall-sessions 100
 protected-mgmt-frames mandatory
 wireless-client reauthentication 35
 wpa-wpa2 tkip-countermeasures hold-time 2
 wep64 key 1 hex 0 7465737431
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
--More--
rfs6000-81742D(config-wlan-test)#

Related Commands
no
    Removes or reverts to default TKIP-CCMP (WPA/WPA2) related parameters
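The show context output in the examples above contains settings a reviewer would want flagged before a WLAN goes live. The following is an added example, not part of the guide or of WiNG: a small lint for a WLAN context. The finding rules and severities are assumptions of this example, and the sample reuses lines from the guide's output plus two constructed lines.

```python
import re

# Numeric ranges copied from the Syntax lines of the wireless-client and
# wpa-wpa2 commands documented above.
RANGES = {
    "wireless-client cred-cache-ageout": (60, 86400),
    "wireless-client hold-time": (1, 86400),
    "wireless-client inactivity-timeout": (60, 86400),
    "wireless-client max-firewall-sessions": (10, 10000),
    "wireless-client reauthentication": (30, 86400),
    "wireless-client tx-power": (0, 20),
    "wpa-wpa2 key-rotation broadcast": (30, 86400),
    "wpa-wpa2 key-rotation unicast": (30, 86400),
}

# Lines from the guide's "show context" example, plus two CONSTRUCTED lines
# (psk and key-rotation) that do not appear in the guide's output.
SAMPLE = """\
wlan test
 ssid testWLAN1
 bridging-mode local
 encryption-type none
 authentication-type none
 wireless-client hold-time 200
 wireless-client cred-cache-ageout 65
 protected-mgmt-frames mandatory
 wireless-client reauthentication 35
 wpa-wpa2 tkip-countermeasures hold-time 2
 wpa-wpa2 psk 0 ConstructedPassphrase
 wpa-wpa2 key-rotation unicast 10
 wep64 key 1 hex 0 7465737431
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
"""


def audit_wlan(context):
    """Return a list of (severity, finding) tuples for one WLAN context."""
    lines = [ln.strip() for ln in context.splitlines() if ln.strip()]
    findings = []

    if "encryption-type none" in lines:
        findings.append(("high", "encryption-type none: traffic is sent unencrypted"))
    if "authentication-type none" in lines:
        findings.append(("medium", "authentication-type none: no client authentication"))

    # Any WEP key line means WEP key material is configured on the WLAN.
    wep = [ln for ln in lines if re.match(r"wep(64|128) key \d ", ln)]
    if wep:
        findings.append(("high", f"{len(wep)} WEP key(s) configured"))

    # The guide documents "0 <LINE>" as a clear text key, "2 <LINE>" as encrypted.
    if any(ln.startswith("wpa-wpa2 psk 0 ") for ln in lines):
        findings.append(("high", "wpa-wpa2 psk 0: pre-shared key stored as clear text"))

    # Values outside the documented range (useful for templated configs
    # that are generated offline and have not been through the CLI parser).
    for ln in lines:
        for prefix, (lo, hi) in RANGES.items():
            m = re.fullmatch(re.escape(prefix) + r" (\d+)", ln)
            if m and not lo <= int(m.group(1)) <= hi:
                findings.append(
                    ("error", f"{prefix} {m.group(1)}: outside documented range {lo}-{hi}")
                )
    return findings


if __name__ == "__main__":
    for severity, finding in audit_wlan(SAMPLE):
        print(f"[{severity}] {finding}")
```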
4.1.97.2.53 service
wlan-mode commands

Invokes service commands applicable in the WLAN configuration mode

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
service [allow-ht-only|allow-open-passpoint|client-load-balancing|cred-cache|eap-mac-mode|eap-mac-multicopy|eap-mac-multikeys|eap-throttle|enforce-pmkid-validation|key-index|monitor|radio-crypto|reauthentication|session-timeout|tx-deauth-on-roam-detection|unresponsive-client|wpa-wpa2|show]
service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|clear-on-disconnect]|eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-validation|radio-crypto|reauthentication seamless|session-timeout mac|tx-deauth-on-roam-detection|show cli]
service eap-mac-mode [mac-always|normal]
service eap-throttle <0-254>
service key-index eap-wep-unicast <1-4>
service monitor [aaa-server|adoption|captive-portal|dhcp|dns]
service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-server]
service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>
service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|timeout <1-60>]
service wpa-wpa2 exclude-ccmp

Parameters
• service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|clear-on-disconnect]|eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-validation|radio-crypto|reauthentication seamless|session-timeout mac|tx-deauth-on-roam-detection|show cli]

allow-ht-only
    Only allows clients capable of High Throughput (802.11n) data rates to associate. This option is disabled by default.
allow-open-passpoint
    Enables non-WPA2 security for passpoint WLANs. This option is disabled by default.
    For more information on passpoint policy and configuration, see PASSPOINT POLICY.
cred-cache [clear-on-4way-timeout|clear-on-disconnect]
    Clears credential cache based on the parameter passed
    • clear-on-4way-timeout – Clears cached client credentials after the 4-way handshake with a client has timed out. This option is enabled by default.
    • clear-on-disconnect – Clears cached client credentials after the client has disconnected from the network. This option is disabled by default.
eap-mac-multicopy
    Enables sending of multiple copies of broadcast and unicast messages. This option is disabled by default.
eap-mac-multikeys
    Enables configuration of different key indices for MAC authentication. This option is disabled by default.
enforce-pmkid-validation
    Validates the Predictive real-time pairwise master key identifier (PMKID) contained in a client’s association request against the one present in the wpa-wpa2 handshake. This option is enabled by default.
    This functionality is based on the Proactive Key Caching (PKC) extension of the IEEE 802.11i standard. Whenever a wireless client successfully authenticates with an AP, it receives a pairwise master key (PMK). PKC allows clients to cache this PMK and reuse it for future re-authentications with the same AP. The PMK is unique for every client and is identified by the PMKID. The PMKID is derived from a hash over the PMK, a string, and the MAC addresses of the station and the AP.
radio-crypto
    Uses radio hardware for encryption and decryption. This is applicable only for devices using Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP) encryption mode. This option is enabled by default.
reauthentication seamless
    Enables seamless EAP client reauthentication without disconnecting the client after the session has timed out. This option is enabled by default.
session-timeout mac
    Enables reauthentication of MAC authenticated clients without disconnecting the client after the session has timed out. This option is enabled by default.
tx-deauth-on-roam-detection
    Transmits a deauthentication on the air while disassociating a client because its roam is detected on the wired side. This option is disabled by default.
show cli
    Displays the CLI tree of the current mode. When used in the WLAN mode, this command displays the WLAN CLI structure.

• service eap-mac-mode [mac-always|normal]

eap-mac-mode
    Configures the EAP and/or MAC authentication mode used with this WLAN. This option is enabled by default.
mac-always
    Enables both EAP and MAC authentication. MAC authentication is performed first, followed by EAP authentication. Clients are granted access based on the EAP authentication result. If a client does not have EAP, the MAC authentication result is used to grant access.
normal
    Grants client access if the client clears either EAP or MAC authentication. This is the default setting.

• service eap-throttle <0-254>

eap-throttle <0-254>
    Enables EAP request throttling. Use this command to specify the maximum number of parallel EAP sessions allowed on this WLAN. Once this specified value is exceeded, all incoming EAP session requests are throttled. This option is enabled by default.
    • <0-254> – Specify a value from 0 - 254. The default value is 0.

• service key-index eap-wep-unicast <1-4>

key-index eap-wep-unicast <1-4>
    Configures an index with each key during EAP authentication with WEP. This option is enabled by default.
    • <1-4> – Select an index from 1 - 4. The default value is 1.

• service wpa-wpa2 exclude-ccmp

wpa-wpa2 exclude-ccmp
    Configures exclusion of CCMP requests when the authentication mode is set to tkip-ccmp. When enabled, it provides compatibility for client devices not compliant with tkip-ccmp. This option is disabled by default.

• service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-server]

monitor
    Enables critical resource monitoring. In a WLAN, service monitoring enables regular monitoring of external AAA servers, captive portal servers, access point adoption, DHCP and DNS servers. When enabled, it allows administrators to notify users of a service’s availability and make resource substitutions in case of unavailability of a service.
aaa-server
    Enables external AAA server failure monitoring. When enabled, monitors an external RADIUS server resource’s AAA activity and ensures its adoption and availability. This feature is disabled by default.
adoption vlan <1-4094>
    Enables adoption failure monitoring on an adopted AP. Also configures an adoption failover VLAN. This feature is disabled by default.
    • VLAN <1-4094> – Specify the VLAN on which clients are placed when the connectivity between the AAP and the controller is lost.
    Configure a DHCP pool and gateway for the failover VLAN. Ensure the DHCP server is running on the AP. Also ensure that the DHCP pool is configured with a shorter lease time.
    When this feature is enabled on a WLAN, it allows adopted APs to monitor their connectivity with the controller. If and when this connectivity is lost, all new clients are placed in the configured adoption failover VLAN. They are served an IP by the DHCP server running on the AP. In this situation, if a client tries to access a Web URL, the AP redirects the client to a page stating that the service is down.
    When the AAP’s link to the switch is restored, clients are placed back in the WLAN’s configured VLAN, and are served an IP from the corresponding configured DHCP server (external or on the AP/controller).
captive-portal external-server
    Enables external captive portal server failure monitoring. When enabled, monitors externally hosted captive portal activity, and user access to the controller or service platform managed network. This feature is disabled by default.
    When enabled, this feature enables APs to display, to an externally located captive portal’s user, the no-service page when the captive portal’s server is not reachable.

• service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>

monitor
    Enables DHCP and/or DNS server monitoring on this WLAN.
dhcp
    Enables monitoring of a specified DHCP server. When the connection to the DHCP server is lost, captive portal users automatically migrate to a pre-defined VLAN. The feature is disabled by default.
    Use the crm keyword to specify the DHCP server to monitor.
dns
    Enables monitoring of a specified DNS server. When the connection to the DNS server is lost, captive portal users automatically migrate to a pre-defined VLAN. The feature is disabled by default.
    Use the crm keyword to specify the DNS server to monitor.
crm <RESOURCE-NAME>
    This keyword is common to the ‘dhcp’ and ‘dns’ parameters.
    • crm – Identifies the DHCP and/or DNS server to monitor
    • <RESOURCE-NAME> – Specify the name of the DHCP or DNS server.
    Once enabled, the CRM server monitors the DHCP/DNS server and updates their status as ‘up’ or ‘down’ depending on the availability of the resource. When either of these resources is down, the wireless client is mapped to the failover VLAN and served with the ‘no-service’ page through the access point.
vlan <1-4094>
    This keyword is common to the ‘dhcp’ and ‘dns’ parameters.
    After specifying the DHCP/DNS server resource, specify the failover VLAN.
    • VLAN <1-4094> – Configures the failover VLAN from 1 - 4094.
    When the DHCP server resource becomes unavailable, the device falls back to the VLAN defined here. This VLAN has a DHCP server configured that provides a pool of IP addresses with a lease time less than the main DHCP server.
    When this DNS server resource becomes unavailable, the device falls back to the VLAN defined here. This VLAN has a DNS server configured that provides DNS address resolution until the main DNS server becomes available.

• service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|timeout <1-60>]

unresponsive-client
    Configures handling of unresponsive clients
attempts <1-1000>
    Configures the maximum number of successive packets that failed transmission
    • <1-1000> – Specify a value from 1 - 1000. The default is 7.
ps-detect {threshold <1-1000>}
    Enables the detection of power-save mode clients whose PS state has not been updated on the AP. This option is enabled by default.
    • threshold – Optional. Configures the threshold at which power-save client detection is triggered
    • <1-1000> – Configures the number of successive unacknowledged packets received before power-save detection is triggered. Specify a value from 1 - 1000. The default is 3.
timeout <1-60>
    Configures the interval, in seconds, for successive packets not acknowledged by the client
    • <1-60> – Specify a value from 1 - 60 seconds. The default is 3 seconds.

Example
rfs4000-229D58(config-wlan-test)#service allow-ht-only
rfs4000-229D58(config-wlan-test)#service monitor aaa-server
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 vlan 1
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 service monitor aaa-server
 service allow-ht-only
 controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#

Related Commands
no
    Removes or reverts to default WLAN settings configured using the ‘service’ command
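The enforce-pmkid-validation description above says the PMKID is derived from the PMK, a string, and the two MAC addresses. The following added example (not code from the guide or from WiNG) shows the IEEE 802.11i derivation and an authenticator-side check of the PMKID a client offers when it re-associates. The PmkCache class, function names and MAC addresses are constructed for illustration, and the sha256_akm switch models the hash used when an SHA256-based AKM is negotiated.

```python
import hashlib
import hmac


def pmk_from_psk(line, ssid):
    """Derive the 256-bit PMK from a 'wpa-wpa2 psk <LINE>' value.

    <LINE> is either a 64-character hexadecimal value (used directly) or an
    8-63 character passphrase (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt).
    """
    if len(line) == 64:
        return bytes.fromhex(line)  # raises ValueError if not hexadecimal
    if not 8 <= len(line) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", line.encode(), ssid.encode(), 4096, 32)


def mac_to_bytes(addr):
    """Convert 'aa:bb:cc:dd:ee:ff' (or dash-separated) to 6 raw bytes."""
    raw = bytes.fromhex(addr.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {addr!r}")
    return raw


def compute_pmkid(pmk, ap_mac, sta_mac, sha256_akm=False):
    """PMKID = first 128 bits of HMAC(PMK, "PMK Name" || AP MAC || station MAC).

    HMAC-SHA1 is used for the original 802.11i AKMs, HMAC-SHA256 for the
    SHA256-based AKMs.
    """
    digest = hashlib.sha256 if sha256_akm else hashlib.sha1
    data = b"PMK Name" + mac_to_bytes(ap_mac) + mac_to_bytes(sta_mac)
    return hmac.new(pmk, data, digest).digest()[:16]


class PmkCache:
    """Authenticator-side PMK cache keyed by station MAC (illustrative model)."""

    def __init__(self, ap_mac, sha256_akm=False):
        self.ap_mac = ap_mac
        self.sha256_akm = sha256_akm
        self._pmk = {}

    def store(self, sta_mac, pmk):
        self._pmk[mac_to_bytes(sta_mac)] = pmk

    def validate(self, sta_mac, offered_pmkids):
        """True only if one offered PMKID matches the PMK cached for this station.

        A False result means the cached key must not be reused and the client
        has to go through full authentication again.
        """
        pmk = self._pmk.get(mac_to_bytes(sta_mac))
        if pmk is None:
            return False
        expected = compute_pmkid(pmk, self.ap_mac, sta_mac, self.sha256_akm)
        # Constant-time comparison of each offered identifier.
        return any(hmac.compare_digest(expected, p) for p in offered_pmkids)


if __name__ == "__main__":
    ap, sta = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed addresses
    pmk = pmk_from_psk("password", "IEEE")  # passphrase/SSID of the 802.11i test vector
    cache = PmkCache(ap)
    cache.store(sta, pmk)
    good = compute_pmkid(pmk, ap, sta)
    print("valid PMKID accepted:", cache.validate(sta, [good]))
    print("forged PMKID accepted:", cache.validate(sta, [bytes(16)]))
```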
4.1.98 wlan-qos-policy
Global Configuration Commands

Configures a WLAN QoS policy

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wlan-qos-policy <WLAN-QOS-POLICY-NAME>

Parameters
• wlan-qos-policy <WLAN-QOS-POLICY-NAME>

<WLAN-QOS-POLICY-NAME>
    Specify the WLAN QoS policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#wlan-qos-policy test
rfs6000-81742D(config-wlan-qos-test)#?
WLAN QoS Mode commands:
  accelerated-multicast  Configure accelerated multicast streams address assnd
                         forwarding QoS classification
  classification         Select how traffic on this WLAN must be classified
                         (relative prioritization on the radio)
  multicast-mask         Egress multicast mask (frames that match bypass the
                         PSPqueue. This permits intercom mode operation
                         without delay even in the presence of PSP clients)
  no                     Negate a command or set its defaults
  qos                    Quality of service
  rate-limit             Configure traffic rate-limiting parameters on a
                         per-wlan/per-client basis
  svp-prioritization     Enable spectralink voice protocol support on this
                         wlan
  voice-prioritization   Prioritize voice client over other client (for
                         non-WMM clients)
  wmm                    Configure 802.11e/Wireless MultiMedia parameters

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

rfs6000-81742D(config-wlan-qos-test)#

Related Commands
no
    Removes an existing WLAN QoS Policy

NOTE: For more information on WLAN QoS policy commands, see Chapter 21, WLAN-QOS-POLICY.
4.1.99 url-filter
Global Configuration Commands

The following table lists the commands that allow you to enter the URL filter configuration mode:

Table 4.55 Commands Creating a URL Filter
Command                           Description                                                   Reference
url-filter                        Creates a new URL filter and enters its configuration mode    page 4-552
url-filter-config-mode commands   Summarizes the URL filter configuration mode commands         page 4-555
4.1.99.1 url-filter
url-filter

Creates a new URL filter (Web filter) and enters its configuration mode. URL filtering is a licensed feature. When applied to a WiNG device, the license allows you to enable URL filtering on the device and to create and apply a URL filter defining the banned and/or allowed URLs. When enabled, the URL filter is applied to all user-initiated URL requests to determine if the requested URL is banned or allowed. Only if allowed is the user’s request (in the form of an HTTP request packet) forwarded to the Web server.

URL filters can be applied at any of the following points: the user’s application (browser/email reader), the network’s gateway, at the Internet service provider’s (ISP) end, and also on a Web portal. For wireless clients, the WLAN infrastructure is the best place to implement these filters.

A URL filter is a set of whitelist and/or blacklist rules. The whitelist allows access only to those Websites and URLs specified in it. All other Websites and URLs, apart from those specified in the whitelist, are banned. On the other hand, the blacklist bans all Websites and URLs specified in it. All other Websites and URLs, apart from those specified in the blacklist, are allowed.

To simplify URL filter configuration, Websites have been classified into pre-defined category-types and categories. The system provides 12 category-types and 64 categories. To further simplify configuration, these 12 category-types have been grouped into five (5) pre-defined levels. (See the Usage Guidelines section for the list of category-types, categories, and levels.) The actual classification of URLs (on the basis of the pre-defined factors mentioned above) is done by the classification server. A local database also helps by caching URL records for a user-defined time period. The classification server host is specified in the Web filter policy. The Web filter policy also defines the URL database parameters. For more information, see web-filter-policy.

The WiNG software also allows you to create URL lists. Each URL list contains a list of user-defined URLs. Use the URL list in a URL filter (whitelist or blacklist rule) to identify the URLs to ban or allow. For example, a URL list named SocialNetworking is created listing the following three sites: Facebook, Twitter, and LinkedIn. When applied to a URL filter’s blacklist, these three sites are banned. Whereas, when applied to a whitelist, only these three sites are allowed. For more information on configuring a URL list, see url-list.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
url-filter <URL-FILTER-NAME>

Parameters
• url-filter <URL-FILTER-NAME>

NOTE: URL filtering is a licensed feature. Procure and install the license in the device configuration mode. For more information, see license.

<URL-FILTER-NAME>
    Creates a new URL filter and enters its configuration mode. Specify the URL filter name. If the filter does not exist, it is created.

Usage Guidelines

No.  Category Type: Category
1    Adult Content: Alcohol & Tobacco, Dating & Personals, Gambling, Nudity, Pornography/Sexually Explicit, Sex Education, Weapons
2    Business: Web-based Email
3    Communication: Chat, Instant Messaging
4    Entertainment: Streaming Media & Downloads
5    File Sharing and Backup: Download Sites
6    Gaming: Games
7    News Sports and General: Arts, Business, Computer & Technology, Education, Entertainment, Fashion & Beauty, Finance, Forum & Newsgroups, General, Government, Greeting Card, Health & Medicine, Information Security, Job Search, Leisure & Recreation, Network Errors, News, Non-Profits & NGO, Personal Sites, Politics, Private IP Addresses, Real Estates, Religion, Restaurants & Dining, Search Engine & Portals, Shopping, Sports, Transportation, Translators, Travel
8    Peer-to-Peer (P2P): Peer to Peer
9    Questionable/Unethical: Child Abuse Images, Cults, Hacking, Hate & Intolerance, Illegal Drug, Illegal Sharing, Illegal Software, School Cheating, Tasteless, Violence
10   Security Risk: Advertisement & Pop-ups, Anonymizers, Botnets, Compromised, Criminal Activity, Malware, Parked Domains, Phishing & Fraud, Spam Sites
11   Social and Photo Sharing: Social Networking
12   Software Update: N/A

No.  Level: Description
1    Basic: Blocks sites/URL categorized as Security Risk
2    Low: Blocks sites/URL categorized as Adult Content + Basic
3    Medium: Blocks sites/URL categorized as File Sharing and Backup, P2P, Questionable / Unethical + Low
4    Medium High: Blocks sites/URL categorized as Gaming + Medium
5    High: Blocks sites/URL categorized as Communication, Entertainment, Social and Photo Sharing + Medium High

Example
nx9500-6C8809(config-url-filter-test)#?
URL Filter Mode commands:
  blacklist    Block access to URL
  blockpage    Configure blocking page parameters
  description  Url filter description
  no           Negate a command or set its defaults
  whitelist    Allow access to URL

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal

nx9500-6C8809(config-url-filter-test)#
4.1.99.2 url-filter-config-mode commands
url-filter

The following table summarizes URL filter configuration mode commands:

Table 4.56 URL-Filter-Config-Mode Commands
Command       Description                                                                                      Reference
blacklist     Creates a blacklist rule defining a list of banned Websites and URLs                             page 4-556
blockpage     Configures the parameters that retrieve the page or content displayed by the client’s browser when a requested URL is blocked and cannot be viewed   page 4-559
description   Configures an appropriate description for this URL filter                                        page 4-561
no            Removes this URL filter’s configured parameters                                                  page 4-562
whitelist     Creates a whitelist rule defining a list of Websites and URLs allowed access by clients.         page 4-563
4.1.99.2.1 blacklist
url-filter-config-mode commands

Creates a blacklist rule. A blacklist is a list of Websites and URLs denied access by clients. Clients requesting blacklisted URLs are presented with a page displaying the ‘Web page blocked’ message. Parameters relating to this page are configured using the ‘blockpage’ option.

URL filtering is based on the classification of Websites into pre-defined category-types. Some of the category-types are further divided into multiple categories. Currently available are 12 built-in category types, and 64 categories. These built-in category-types and categories cannot be modified.

Use the available options to identify the URL category-types and categories to include in the blacklist.

In addition to identifying URLs by the categories and category-types they are classified into, the system also provides five (5) levels of Web filtering (basic, high, low, medium, and medium-high). Each level identifies a specific set of URL categories to blacklist. For more information on category-types, categories, and URL filtering levels, see url-filter.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
blacklist [category-type|level|url-list]
blacklist category-type [adult-content|all|business|communication|entertainment|file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}
blacklist level [basic|high|low|medium|medium-high] precedence <1-500> {description <LINE>}
blacklist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}

Parameters
• blacklist category-type [adult-content|all|business|communication|entertainment|file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}

blacklist category-type <SELECT-CATEGORY-TYPE>
    Selects the category-type to blacklist. A category is a pre-defined URL list available in the WiNG software. Categories are based on an external database, and cannot be modified or removed. Custom categories can be created with the URL List and added to the database.
    Websites have been classified into the following 12 category types: adult-content, business, communication, entertainment, file-sharing-backup, gaming, news-sports-general, p2p, questionable, security-risk, social-photo-sharing, and software-updates
    Select ‘all’ to blacklist all category-types.
    Some of the category-types are further classified into categories. For example, the ‘adult-content’ category-type is differentiated into the following categories:
    • alcohol-tobacco, dating-personals, gambling, nudity, pornography-sexually-explicit, sex-education, and weapons.
    The system blocks all categories (URLs falling within their limits) within the selected category-type.
precedence <1-500>
    Configures the precedence value for this blacklist rule. Rules are applied in the increasing order of their precedence. Therefore, rules with lower precedence are applied first.
description <LINE>
    Optional. Configures a description (not exceeding 80 characters) for this blacklist rule. Enter a description that allows you to identify the purpose of the rule.

• blacklist level [basic|high|low|medium|medium-high] precedence <1-500> {description <LINE>}

blacklist level [basic|high|low|medium|medium-high]
    Configures the Web filtering level as basic, high, low, medium, or medium-high. Each of these filter-levels is pre-configured to use a set of category types and this mapping cannot be modified.
precedence <1-500>
    Configures the precedence value for this blacklist rule. Rules are applied in the increasing order of their precedence. Therefore, rules with lower precedence are applied first.
description <LINE>
    Optional. Configures a description (not exceeding 80 characters) for this blacklist rule. Enter a description that allows you to identify the purpose of the rule.

• blacklist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}

blacklist url-list <URL-LIST-NAME>
    Associates a URL list with this URL filter. When associated with a blacklist rule, all URLs listed in the specified URL list are blacklisted.
    URL lists are customized categories included in the custom filter-level setting. URL lists enable an administrator to blacklist or whitelist URLs in addition to the built-in categories. For more information on configuring a URL list, see url-list.
    • <URL-LIST-NAME> – Enter URL list name (should be existing and configured)
precedence <1-500>
    Configures the precedence value for this blacklist rule. Rules are applied in the increasing order of their precedence. Therefore, rules with lower precedence are applied first.
description <LINE>
    Optional. Configures a description (not exceeding 80 characters) for this blacklist rule. Enter a description that allows you to identify the purpose of the rule.

Example
rfs6000-81742D(config-url-filter-test)#blacklist level medium-high precedence 10
rfs6000-81742D(config-url-filter-test)#blacklist category-type adult-content category alcohol-tobacco precedence 1
rfs6000-81742D(config-url-filter-test)#blacklist category-type security-risk category botnets precedence 3
GLOBAL CONFIGURATION COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide  4 - 558rfs6000-81742D(config-url-filter-test)#show contexturl-filter test blacklist level medium-high precedence 10 blacklist category-type security-risk category botnets precedence 3 blacklist category-type adult-content category alcohol-tobacco precedence 1rfs6000-81742D(config-url-filter-test)#Related Commandsno Removes a blacklist rule from this URL filter. Specify the category-type, category, and precedence to identify the blacklist rule. The identified rule is removed form the URL filter.

4.1.99.2.2 blockpage

Configures the parameters that retrieve the page or content displayed by the client’s browser when a requested URL is blocked and cannot be viewed.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
blockpage [external|internal|path]
blockpage path [external|internal]
blockpage external url <URL>
blockpage internal [content|footer|header|main-logo|org-name|org-signature|small-logo|title] <LINE/IMAGE-URL>

Parameters
• blockpage path [external|internal]

blockpage path [external|internal]
    Specifies whether the page displayed to the client when a requested URL is blocked is hosted externally or internally
    • external – Indicates the page displayed is hosted on an external Web server resource. If selecting this option, use the blockpage > external > url <URL> command to provide the path to the external Web server hosting the page.
    • internal – Indicates the page displayed is hosted internally. This is the default setting. If selecting this option, use the blockpage > internal > <SELECT-PAGE-TYPE> > <LINE/IMAGE-URL> command to define the page configuration.

• blockpage external url <URL>

blockpage external url <URL>
    Configures the URL of the external Web server hosting the page (displayed to the client when a requested URL is blocked).
    • url <URL> – Specify the URL of the Web server and the blocking page name
    Valid URLs should begin with http:// or https://
    The URL can contain query strings.
    Use the '&' or '?' character to separate field-value pairs.
    Enter 'ctrl-v' followed by '?' to configure query strings

• blockpage internal [content|footer|header|main-logo|org-name|org-signature|small-logo|title] <LINE/IMAGE-URL>

blockpage internal [content|footer|header|main-logo|org-name|org-signature|small-logo|title] <LINE/IMAGE-URL>
    Configures the internally hosted blocking page parameters, such as the content displayed, page footer and header, organization (the organization enforcing the Web page blocking) details (name, signature, and logo), and page title
    • content – Configures the text (message) displayed on the blocking page
    • footer – Configures the text displayed as the blocking page footer
    • header – Configures the text displayed as the blocking page header
    • org-name – Configures the organization’s name displayed on the blocking page
    • org-signature – Configures the organization’s signature displayed on the blocking page
    • title – Configures the title of the blocking page.
    • main-logo – Configures the location of the main logo (organization’s large logo)
    • small-logo – Configures the location of the small logo (organization’s small logo)
    The following keyword is common to all of the above parameters:
    • <LINE/IMAGE-URL> – Specify the location of the logo (main and small) image file. The image is retrieved and displayed from the location configured here. If you are using this option to provide content, such as organization name, footer, header, etc. enter a text string not exceeding 255 characters in length.

Example
rfs6000-81742D(config-url-filter-test)#blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"

rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 blacklist level medium-high precedence 10
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#

Related Commands
no    Removes the blocking page configurations

4.1.99.2.3 description

Configures a description for this URL filter. Provide a description that enables you to identify the purpose of this URL filter.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description <LINE>

Parameters
• description <LINE>

description <LINE>
    Enter an appropriate description for this URL filter. The description should identify the URL filter’s purpose and should not exceed 80 characters in length.

Example
rfs6000-81742D(config-url-filter-test)#description Blacklists sites inappropriate for children and are security risks.

rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 description "Blacklists sites inappropriate for children and are security risks."
 blacklist level medium-high precedence 10
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#

Related Commands
no    Removes this URL filter’s description

4.1.99.2.4 no

Use the no command to remove this URL filter’s configured parameters.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [blacklist|blockpage|description|whitelist]
no blacklist [category-type|level|url-list]
no blacklist [category-type <SELECT-CATEGORY-TYPE>|level <SELECT-LEVEL>|url-list <URL-LIST-NAME>] precedence <1-500>
no blockpage [external|internal [content|footer|header|main-logo|org-name|org-signature|small-logo|title]|path]
no description
no whitelist [category-type|url-list]
no whitelist [category-type <SELECT-CATEGORY-TYPE>|url-list <URL-LIST-NAME>] precedence <1-500>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes this URL filter’s configured parameters based on the values passed here

Example
The following example displays the URL filter ‘test’ settings before the ‘no’ is executed:

rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 description "Blacklists sites inappropriate for children and are security risks."
 blacklist level medium-high precedence 10
 whitelist category-type communication category chat precedence 7
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#

rfs6000-81742D(config-url-filter-test)#no description
rfs6000-81742D(config-url-filter-test)#no blacklist category-type adult-content category alcohol-tobacco precedence 1
rfs6000-81742D(config-url-filter-test)#no whitelist category-type communication category chat precedence 7

The following example displays the URL filter ‘test’ settings after the ‘no’ is executed:

rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 blacklist level medium-high precedence 10
 blacklist category-type security-risk category botnets precedence 3
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#

4.1.99.2.5 whitelist

Creates a whitelist rule. A whitelist is a list of Websites and URLs that clients are allowed to access.

URL filtering is based on the classification of Websites into pre-defined category-types. Some of the category-types are further divided into multiple categories. Currently available are 12 built-in category types, and 64 categories. These built-in category-types and categories cannot be modified.

Use the available options to identify the category-types and categories to include in the whitelist.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
whitelist [category-type|url-list]
whitelist category-type [adult-content|all|business|communication|entertainment|file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}
whitelist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}

Parameters
• whitelist category-type [adult-content|all|business|communication|entertainment|file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}

whitelist category-type <SELECT-CATEGORY-TYPE>
    Selects the category-type to add to this whitelist. A category is a pre-defined URL list available in the WiNG software. Categories are based on an external database, and cannot be modified or removed. Custom categories can be created with the URL List and added to the database.
    Websites have been classified into the following 12 category types: adult-content, business, communication, entertainment, file-sharing-backup, gaming, news-sports-general, p2p, questionable, security-risk, social-photo-sharing, and software-updates.
    Select ‘all’ to whitelist all category-types.
    Some of the category-types are further classified into categories. For example, the ‘adult-content’ category-type is differentiated into the following categories:
    • alcohol-tobacco, dating-personals, gambling, nudity, pornography-sexually-explicit, sex-education, and weapons.
    The system allows all categories (URLs falling within their limits) within the selected category-type.
precedence <1-500>
    Configures the precedence value for this whitelist rule. Rules are applied in the increasing order of their precedence. Therefore, rules with lower precedence are applied first.
description <LINE>
    Optional. Configures a description (not exceeding 80 characters) for this whitelist rule. Enter a description that allows you to identify the purpose of the rule.

• whitelist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}

whitelist url-list <URL-LIST-NAME>
    Associates a URL list with this URL filter. When associated with a whitelist rule, all URLs listed in the specified URL list are allowed access.
    URL lists are customized categories included in the custom filter-level setting. URL lists enable an administrator to blacklist or whitelist URLs in addition to the built-in categories. For more information on configuring a URL list, see url-list.
    • <URL-LIST-NAME> – Enter URL list name (should be existing and configured)
precedence <1-500>
    Configures the precedence value for this whitelist rule. Rules are applied in the increasing order of their precedence. Therefore, rules with lower precedence are applied first.
description <LINE>
    Optional. Configures a description (not exceeding 80 characters) for this whitelist rule. Enter a description that allows you to identify the purpose of the rule.

Example
rfs6000-81742D(config-url-filter-test)#whitelist category-type communication category chat precedence 7

rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 description "Blacklists sites inappropriate for children and are security risks."
 blacklist level medium-high precedence 10
 whitelist category-type communication category chat precedence 7
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#

Related Commands
no    Removes a whitelist rule from this URL filter. Specify the category-type, category, and precedence to identify the whitelist rule. The identified rule is removed from the URL filter.
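
The precedence ordering described for blacklist and whitelist rules, as an added example that is not part of the Extreme Networks guide: Python that parses saved 'show context' text for a URL filter, puts the rules in evaluation order, and reports a category-type rule that an earlier rule with the opposite action fully covers. It assumes the first matching rule decides the outcome, which the guide does not state; the sample is constructed from the guide's example with two rules added, and 'banned-sites' is a hypothetical URL list name.

```python
import re
from dataclasses import dataclass
from typing import NamedTuple, Optional

# Constructed sample: the guide's 'show context' example for url-filter 'test',
# one rule per line, plus two rules added here (precedence 2 and 5) so the
# checks have something to find. 'banned-sites' is a hypothetical URL list.
SAMPLE = """\
url-filter test
 description "Blacklists sites inappropriate for children and are security risks."
 blacklist level medium-high precedence 10
 whitelist category-type communication category chat precedence 7
 blacklist url-list banned-sites precedence 5
 blacklist category-type security-risk category botnets precedence 3
 whitelist category-type security-risk precedence 2
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
"""

RULE_RE = re.compile(
    r"^\s*(?P<action>blacklist|whitelist)\s+"
    r"(?P<kind>category-type|level|url-list)\s+(?P<target>\S+)"
    r"(?:\s+category\s+(?P<category>\S+))?"
    r"\s+precedence\s+(?P<prec>\d+)"
    r"(?:\s+description\s+(?P<desc>.+?))?\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str              # blacklist | whitelist
    kind: str                # category-type | level | url-list
    target: str              # category-type name, level name or URL list name
    category: Optional[str]  # optional category inside a category-type
    precedence: int
    description: str


class Decision(NamedTuple):
    action: Optional[str]     # None when no category-type rule matched
    precedence: Optional[int]
    unresolved_before: list   # level/url-list rules that are evaluated earlier


def parse_rules(config):
    """Return the filter's rules sorted in evaluation order (lowest precedence first)."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m["action"], m["kind"], m["target"], m["category"],
                              int(m["prec"]), (m["desc"] or "").strip('"')))
    return sorted(rules, key=lambda r: r.precedence)


def out_of_spec(rules):
    """Precedences of rules outside the documented limits (1-500, description <= 80 chars)."""
    return [r.precedence for r in rules
            if not 1 <= r.precedence <= 500 or len(r.description) > 80]


def decide(rules, category_type, category):
    """First category-type rule covering the request (assumed first-match semantics).

    Level and url-list rules cannot be resolved offline (their contents are not
    in the filter text), so those evaluated earlier are returned for manual review.
    """
    unresolved = []
    for r in rules:
        if r.kind != "category-type":
            unresolved.append(r.precedence)
        elif r.target in ("all", category_type) and r.category in (None, category):
            return Decision(r.action, r.precedence, unresolved)
    return Decision(None, None, unresolved)


def shadowed(rules):
    """(earlier, later) precedence pairs where the later rule can never take effect."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.kind == later.kind == "category-type"
                    and earlier.action != later.action
                    and earlier.target in ("all", later.target)
                    and (earlier.category is None or earlier.category == later.category)):
                found.append((earlier.precedence, later.precedence))
    return found


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for r in rules:
        print(r.precedence, r.action, r.kind, r.target, r.category or "")
    print("shadowed:", shadowed(rules))
    print("botnets:", decide(rules, "security-risk", "botnets"))
```

On the constructed sample, the broad whitelist at precedence 2 is evaluated before the botnets blacklist at precedence 3, so under the stated assumption the narrower blacklist rule never applies.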

4.1.100 url-list

The following table lists the commands that allow you to enter the URL list configuration mode:

Table 4.57 Commands Creating a URL List

Command                          Description                                                 Reference
url-list                         Creates a new URL list and enters its configuration mode   page 4-566
url-list-config-mode commands    Summarizes the URL list configuration mode commands        page 4-567

4.1.100.1 url-list

Creates a URL list and enters its configuration mode. URL lists are a means of categorizing URLs on the basis of various criteria, such as frequently used, not-permitted, etc. It is used in URL filters to identify whitelisted/blacklisted URLs. Web requests are blocked or approved based on URL filter whitelist/blacklist rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
url-list <URL-LIST-NAME>

Parameters
• url-list <URL-LIST-NAME>

<URL-LIST-NAME>
    Specify the URL list name. The URL list is created if another list with the same name does not exist.

Example
nx9500-6C8809(config)#url-list URLlist1
nx9500-6C8809(config-url-list-URLlist1)#?
URL List Mode commands:
  description  Description of the category
  no           Negate a command or set its defaults
  url          Add a URL entry
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
nx9500-6C8809(config-url-list-URLlist1)#

nx9500-6C8809(config-url-list-URLlist1)#url http://www.example_company.com depth 10

nx9500-6C8809(config-url-list-test)#show context
url-list test
 url http://www.example_company.com depth 10
nx9500-6C8809(config-url-list-URLlist1)#

4.1.100.2 url-list-config-mode commands

The following table summarizes URL list configuration mode commands:

Table 4.58 URL-Filter-Config-Mode Commands

Command        Description                                                             Reference
description    Creates a blacklist rule defining a list of banned Web sites and URLs  page 4-568
url            Adds URL entries to this URL list                                       page 4-569
no             Removes this URL list’s settings                                        page 4-570

4.1.100.2.1 description

Configures a description for this URL list. The description should be unique and enable you to identify the type of URLs listed in the URL list.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description <LINE>

Parameters
• description <LINE>

description <LINE>
    Provide a unique description for this URL list (should not exceed 500 characters in length)

Example
nx9500-6C8809(config-url-list-test)#description “This URL list contains social media URLs”

nx9500-6C8809(config-url-list-test)#show context
url-list test
 description “This URL list contains social media URLs”
nx9500-6C8809(config-url-list-test)#

Related Commands
no    Removes this URL list’s description

4.1.100.2.2 url

Adds URL entries to this URL list.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
url <WORD> {depth <1-10>}

Parameters
• url <WORD> {depth <1-10>}

url <WORD> {depth <1-10>}
    Adds a URL entry
    • <WORD> – Specify the URL to add.
    • depth – Optional. Sets number of levels to be cached. Since Web sites have different parameters to uniquely identify specific content, the same content may be stored on multiple origin servers. Smart caching uses subsets of these parameters to recognize that the content is the same and serves it from cache.
    • <1-10> – Specify the depth from 1 - 10.

Example
nx9500-6C8809(config-url-list-test)#url http://www.facebook.com

nx9500-6C8809(config-url-list-test)#show context
url-list test
 description “This URL list contains social communication URLS”
 url https://www.facebook.com depth 5
nx9500-6C8809(config-url-list-test)#

Related Commands
no    Removes a URL entry from this URL list

4.1.100.2.3 no

Removes this URL list’s settings.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [description|url]
no description
no url <WORD>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes this URL’s settings based on the parameters passed

Example
The following example displays the URL list ‘test’ settings before the ‘no’ command is executed:

nx9500-6C8809(config-url-list-test)#show context
url-list test
 description “This URL list contains social communication URLS”
 url https://www.facebook.com depth 5
nx9500-6C8809(config-url-list-test)#

nx9500-6C8809(config-url-list-test)#no url www.facebook.com

The following example displays the URL list ‘test’ settings after the ‘no’ command is executed:

nx9500-6C8809(config-url-list-test)#show context
url-list test
 description “This URL list contains social communication URLS”
nx9500-6C8809(config-url-list-test)#

4.1.101 vx9000

Configures a Virtual WLAN Controller (V-WLC) in a virtual machine (VM) environment. V-WLC can be deployed on shared, third-party server hardware, thereby reducing overhead costs of procuring and maintaining dedicated appliances. The external, third-party hardware needs to have installed hypervisors, such as VmWare, Xen, VirtualBox, KVM, Amazon EC2 or Hyper-V, enabling it to communicate with V-WLC software.

The V-WLC controls and manages access points and other controllers (at NOC or as a site-controller) in the network. The traffic between the access points and the V-WLC is over the layer-3 MINT protocol.

V-WLC is a licensed feature, and the WiNG software provides the following two new licenses:
• VX – When installed, this license activates VM controller instance, and enables the V-WLC to trigger adoption process allowing access points to adopt to the V-WLC. The adoption capacity of the V-WLC is determined by the number of licenses installed on it.
• VX-DEMO – This is a 60 day trial license. This license also activates VM controller instance, and enables the V-WLC to adopt access points. But, the access point adoption capacity is limited to 16. Having installed this license on a device, the only other license that you can install on it is the VX license. All existing installed licenses will continue to work as before. Since this license has a limited validity period, ensure that the system clock on the license generating tool and the device are in sync, preferably through NTP.

To install the VX or VX-DEMO license on an existing V-WLC instance, use the license command. For more information, see the examples provided in this section.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600

Syntax
vx9000 <MAC>

Parameters
• vx9000 <MAC>

vx <MAC>
    Configures a V-WLC and enters its configuration mode
    The V-WLC configuration is the same as that of a normal controller.

Example
nx9500-6C8809(config)#vx9000 11-22-33-44-55-66
nx9500-6C8809(config-device-11-22-33-44-55-66)#?
Device Mode commands:
  adopter-auto-provisioning-policy-lookup  Use centralized auto-provisioning
                                           policy when adopted by another
                                           controller
  adoption                                 Adoption configuration
  adoption-site                            Set system's adoption site
  adoption-mode                            Configure the adoption mode for the
                                           access-points in this RF-Domain
  alias                                    Alias
  application-policy                       Application Poicy configuration
  area                                     Set name of area where the system
                                           is located
  arp                                      Address Resolution Protocol (ARP)
  auto-learn                               Auto learning
  autogen-uniqueid                         Autogenerate a unique id
  autoinstall                              Autoinstall settings
  bluetooth-detection                      Detect Bluetooth devices using the
                                           Bluetooth USB module - there will
                                           be interference on 2.4 Ghz radio in
                                           wlan mode
  bridge                                   Ethernet bridge
  captive-portal                           Captive portal
  cdp                                      Cisco Discovery Protocol
  channel-list                             Configure channel list to be
                                           advertised to wireless clients
  cluster                                  Cluster configuration
  configuration-persistence                Enable persistence of configuration
                                           across reloads (startup configfile)
  contact                                  Configure the contact
  controller                               WLAN controller configuration
  country-code                             Configure the country of operation
  critical-resource                        Critical Resource
  crypto                                   Encryption related commands
  database                                 Database command
  device-upgrade                           Device firmware upgrade
  dot1x                                    802.1X
  dpi                                      Enable Deep-Packet-Inspection
                                           (Application Assurance)
  dscp-mapping                             Configure IP DSCP to 802.1p
                                           priority mapping for untagged
                                           frames
  email-notification                       Email notification configuration
  enforce-version                          Check the firmware versions of
                                           devices before interoperating
  environmental-sensor                     Environmental Sensors Configuration
  events                                   System event messages
  export                                   Export a file
  file-sync                                File sync between controller and
                                           adoptees
  floor                                    Set the floor within a area where
                                           the system is located
  geo-coordinates                          Configure geo coordinates for this
                                           device
  gre                                      GRE protocol
  hostname                                 Set system's network name
  http-analyze                             Specify HTTP-Analysis configuration
  interface                                Select an interface to configure
  ip                                       Internet Protocol (IP)
  ipv6                                     Internet Protocol version 6 (IPv6)
  l2tpv3                                   L2tpv3 protocol
  l3e-lite-table                           L3e lite Table
  layout-coordinates                       Configure layout coordinates for
                                           this device
  led                                      Turn LEDs on/off on the device
  led-timeout                              Configure the time for the led to
                                           turn off after the last radio state
                                           change
  legacy-auto-downgrade                    Enable device firmware to auto
                                           downgrade when other legacy devices
                                           are detected
  legacy-auto-update                       Auto upgrade of legacy devices
  license                                  License management command
  lldp                                     Link Layer Discovery Protocol
  load-balancing                           Configure load balancing parameter
  location                                 Configure the location
  logging                                  Modify message logging facilities
  mac-address-table                        MAC Address Table
  mac-auth                                 802.1X
  mac-name                                 Configure MAC address to name
                                           mappings
  management-server                        Configure management server address
  memory-profile                           Memory profile to be used on the
                                           device
  meshpoint-device                         Configure meshpoint device
                                           parameters
  meshpoint-monitor-interval               Configure meshpoint monitoring
                                           interval
  min-misconfiguration-recovery-time       Check controller connectivity after
                                           configuration is received
  mint                                     MiNT protocol
  mirror                                   Mirroring
  misconfiguration-recovery-time           Check controller connectivity after
                                           configuration is received
  mpact-server                             MPACT server configuration
  neighbor-inactivity-timeout              Configure neighbor inactivity
                                           timeout
  neighbor-info-interval                   Configure neighbor information
                                           exchange interval
  no                                       Negate a command or set its
                                           defaults
  noc                                      Configure the noc related setting
  nsight                                   NSight
  ntp                                      Ntp server WORD
  offline-duration                         Set duration for which a device
                                           remains unadopted before it
                                           generates offline event
  override                                 Override a command
  override-wlan                            Configure RF Domain level overrides
                                           for wlan
  power-config                             Configure power mode
  preferred-controller-group               Controller group this system will
                                           prefer for adoption
  preferred-tunnel-controller              Tunnel Controller Name this system
                                           will prefer for tunneling extended
                                           vlan traffic
  radius                                   Configure device-level radius
                                           authentication parameters
  raid                                     RAID
  remove-override                          Remove configuration item override
                                           from the device (so profile value
                                           takes effect)
  rf-domain-manager                        RF Domain Manager
  router                                   Dynamic routing
  rsa-key                                  Assign a RSA key to a service
  sensor-server                            AirDefense sensor server
                                           configuration
  slot                                     PCI expansion Slot
  spanning-tree                            Spanning tree
  timezone                                 Configure the timezone
  traffic-class-mapping                    Configure IPv6 traffic class to
                                           802.1p priority mapping for
                                           untagged frames
  trustpoint                               Assign a trustpoint to a service
  tunnel-controller                        Tunnel Controller group this
                                           controller belongs to
  use                                      Set setting to use
  vrrp                                     VRRP configuration
  vrrp-state-check                         Publish interface via OSPF/BGP only
                                           if the interface VRRP state is not
                                           BACKUP
  wep-shared-key-auth                      Enable support for 802.11 WEP
                                           shared key
authentication  clrscr                                   Clears the display screen  commit                                   Commit all changes made in this                                           session  do                                       Run commands from Exec mode  end                                      End current mode and change to EXEC                                           mode  exit                                     End current mode and down to
                                           previous mode
  help                                     Description of the interactive help
                                           system
  revert                                   Revert changes
  service                                  Service Commands
  show                                     Show running system information
  write                                    Write running configuration to
                                           memory or terminal
nx9500-6C8809(config-device-11-22-33-44-55-66)#

vx-0099CC(config-device-00-0C-29-00-99-CC)~*#license ?
  WORD  Feature name (AP/AAP/ADSEC/HTANLT/VX) for
        which license is to be added
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#license vx 80ee9649eddc94b48b5a35d7eaf8e73b376a51649291714d04c84769b0fc4b3766816878d2739c24
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#com wr
Jan 16 13:48:11 2014: vx-0099CC : %SYSTEM-6-CONFIG_COMMIT: Configuration commit by user 'root' (mapsh) from 'Console'
Jan 16 13:48:11 2014: vx-0099CC : %SYSTEM-6-CONFIG_REVISION: Configuration revision updated to 9 from 8
Jan 16 13:48:12 2014: vx-0099CC : %LICMGR-6-LIC_INSTALLED: VX license installed
[OK]
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#Jan 16 13:48:12 2014: vx-0099CC : %SYSTEM-6-CONFIG_REVISION: Configuration revision updated to 10 from 9
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#sh licenses
Serial Number : 000C290099CCC0A80001
WARNING: Recommended minimum system resource requirements not met for the current license pack or cluster configs. Please check user guide and reconfigure the system
Device Licenses:
  AP-LICENSE
    String     :
    Value      : 10240
  AAP-LICENSE
    String     :
    Value      : 10240
  ADVANCED-SECURITY
    String     : DEFAULT-ADV-SEC-LICENSE
  VX-LICENSE
    String     : 80ee9649eddc94b48b5a35d7eaf8e73b376a51649291714d04c84769b0fc4b3766816878d2739c24
Cluster Licenses:
  AP-LICENSE
    Value      : 10240
    Used       : 0
  AAP-LICENSE
    Value      : 10240
    Used       : 0
Cluster MAX AP Capacity:
  Value        : 10240
  Used         : 0
Active Members:
---------------------------------------------------------------------------------------------------
MEMBER             SERIAL               LIC TYPE  VALUE     BORROWED  TOTAL     NO.APS   NO.AAPS
---------------------------------------------------------------------------------------------------
00-0C-29-00-99-CC  000C290099CCC0A80001 AP        10240     0         10240     0        0
00-0C-29-00-99-CC  000C290099CCC0A80001 AAP       10240     0         10240     -        -
---------------------------------------------------------------------------------------------------
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#

Related Commands
no    Removes a VX9000 wireless controller
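
The %SYSTEM-6-CONFIG_COMMIT and %SYSTEM-6-CONFIG_REVISION messages in the session above record who committed a change and which revision it produced, which makes them usable as a configuration audit trail. The following Python script is an added example, not part of this guide or of WiNG: it attributes each revision bump to the commit logged just before it and flags unattributed bumps, gaps in the revision sequence, and commits by unexpected users. The 5-second attribution window, the expected-user set, and the log lines marked as constructed are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log layout as printed in the guide's session:
#   Jan 16 13:48:11 2014: vx-0099CC : %SYSTEM-6-CONFIG_COMMIT: <message>
# search() is used instead of match() because a console capture can glue the
# CLI prompt in front of an asynchronous log line, as one line on the page shows.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (?P<host>\S+) : "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)
COMMIT_RE = re.compile(
    r"Configuration commit by user '(?P<user>[^']*)' \((?P<via>[^)]*)\) "
    r"from '(?P<source>[^']*)'"
)
REVISION_RE = re.compile(
    r"Configuration revision updated to (?P<new>\d+) from (?P<old>\d+)"
)

# Lines copied from the session in the guide (the last one keeps its prompt prefix).
PAGE_LINES = [
    "Jan 16 13:48:11 2014: vx-0099CC : %SYSTEM-6-CONFIG_COMMIT: Configuration commit by user 'root' (mapsh) from 'Console'",
    "Jan 16 13:48:11 2014: vx-0099CC : %SYSTEM-6-CONFIG_REVISION: Configuration revision updated to 9 from 8",
    "Jan 16 13:48:12 2014: vx-0099CC : %LICMGR-6-LIC_INSTALLED: VX license installed",
    "vx-0099CC(config-device-00-0C-29-00-99-CC)~*#Jan 16 13:48:12 2014: vx-0099CC : %SYSTEM-6-CONFIG_REVISION: Configuration revision updated to 10 from 9",
]
# Constructed lines (not from the guide): a revision bump with no commit and a
# missing revision in between, then a commit by a hypothetical user 'tempadmin'.
CONSTRUCTED_LINES = [
    "Jan 16 14:02:30 2014: vx-0099CC : %SYSTEM-6-CONFIG_REVISION: Configuration revision updated to 13 from 12",
    "Jan 16 14:05:00 2014: vx-0099CC : %SYSTEM-6-CONFIG_COMMIT: Configuration commit by user 'tempadmin' (mapsh) from 'Console'",
    "Jan 16 14:05:01 2014: vx-0099CC : %SYSTEM-6-CONFIG_REVISION: Configuration revision updated to 14 from 13",
]
SAMPLE_LOG = PAGE_LINES + CONSTRUCTED_LINES


def parse_events(lines):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev.pop("ts"), "%b %d %H:%M:%S %Y")
        events.append(ev)
    return events


def audit_config_changes(lines, expected_users, window=timedelta(seconds=5)):
    """Return (changes, findings) built from CONFIG_COMMIT / CONFIG_REVISION events."""
    changes, findings = [], []
    last_commit = {}    # host -> (time, user, source) of the latest commit
    last_revision = {}  # host -> latest revision number seen
    for ev in parse_events(lines):
        host = ev["host"]
        if ev["mnemonic"] == "CONFIG_COMMIT":
            m = COMMIT_RE.search(ev["msg"])
            if m is None:
                continue
            last_commit[host] = (ev["time"], m["user"], m["source"])
            if m["user"] not in expected_users:
                findings.append(("unexpected-user", host,
                                 f"commit by {m['user']!r} from {m['source']!r}"))
        elif ev["mnemonic"] == "CONFIG_REVISION":
            m = REVISION_RE.search(ev["msg"])
            if m is None:
                continue
            new, old = int(m["new"]), int(m["old"])
            # A "from" value that differs from the last revision seen means the
            # log lines for the revisions in between are missing.
            seen = last_revision.get(host)
            if seen is not None and old != seen:
                findings.append(("revision-gap", host,
                                 f"last seen {seen}, log says from {old}"))
            last_revision[host] = new
            commit = last_commit.get(host)
            if commit and timedelta(0) <= ev["time"] - commit[0] <= window:
                user, source = commit[1], commit[2]
            else:
                user = source = None
                findings.append(("unattributed-revision", host,
                                 f"revision {new} has no commit within {window}"))
            changes.append({"host": host, "revision": new, "user": user,
                            "source": source, "time": ev["time"]})
    return changes, findings


if __name__ == "__main__":
    changes, findings = audit_config_changes(SAMPLE_LOG, expected_users={"root"})
    for c in changes:
        print(f"{c['time']} {c['host']} rev {c['revision']} by {c['user']} via {c['source']}")
    for kind, host, detail in findings:
        print(f"FINDING {kind} on {host}: {detail}")
```
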
5 COMMON COMMANDS

This chapter describes the CLI commands used in the USER EXEC, PRIV EXEC, and GLOBAL CONFIG modes.

The PRIV EXEC command set contains commands available within the USER EXEC mode. Some commands can be entered in either mode. Commands entered in either the USER EXEC or PRIV EXEC mode are referred to as EXEC mode commands. If a user or privilege is not specified, the referenced command can be entered in either mode.

5.1 Common Commands

The following table summarizes commands common to the User Exec, Priv Exec, and Global Config modes:

Table 5.1 Commands Common to Controller CLI Modes

Command   Description                                                                            Reference
clrscr    Clears the display screen                                                              page 5-3
commit    Commits (saves) changes made in the current session                                    page 5-4
exit      Ends and exits the current mode and moves to the PRIV EXEC mode                        page 5-5
help      Displays the interactive help system                                                   page 5-6
no        Negates a command or reverts values to their default settings                          page 5-9
revert    Reverts changes to their last saved configuration                                      page 5-12
service   Invokes service commands to troubleshoot or debug (config-if) instance configurations  page 5-13
show      Displays running system information                                                    page 5-58
write     Writes the system’s running configuration to memory or to the terminal                 page 5-60

NOTE: The input parameter <HOSTNAME> cannot include an underscore character. In other words, a device’s hostname cannot contain an underscore.

5.1.1 clrscr

Clears the screen and refreshes the prompt, irrespective of the mode

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
clrscr

Parameters
None

Example
The terminal window or screen before the clrscr command is executed:

rfs4000-229D58#device-upgrade ?
  DEVICE-NAME     Name/MAC address of device
  all             Upgrade all devices
  ap650           Upgrade AP650 Device
  ap6511          Upgrade AP6511 Device
  ap6521          Upgrade AP6521 Device
  ap6522          Upgrade AP6522 Device
  ap6532          Upgrade AP6532 Device
  ap6562          Upgrade AP6562 Device
  ap71xx          Upgrade AP7161 Device
  ap7502          Upgrade AP7502 Device
  ap7522          Upgrade AP7522 Device
  ap7532          Upgrade AP7532 Device
  ap7562          Upgrade AP7562 Device
  ap81xx          Upgrade AP81XX Device
  ap82xx          Upgrade AP82XX Device
  ap8432          Upgrade AP8432 Device
  ap8533          Upgrade AP8533 Device
  cancel-upgrade  Cancel upgrading the device
  load-image      Load the device images to controller for device-upgrades
  rf-domain       Upgrade all devices belonging to an RF Domain
  rfs4000         Upgrade RFS4000 Device
rfs4000-229D58#

The terminal window or screen after the clrscr command is executed:

rfs4000-229D58#

5.1.2 commit

Commits changes made in the active session. Use the commit command to save and invoke settings entered during the current transaction.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
commit {write}{memory}

Parameters
• commit {write}{memory}

write     Optional. Commits changes made in the current session
memory    Optional. Writes to memory. This option ensures current changes persist across reboots.

Example
nx9500-6C8809#commit write memory
[OK]
nx9500-6C8809#

5.1.3 exit

The exit command works differently in the User Exec, Priv Exec, and Global Config modes. In the Global Config mode, it ends the current mode and moves to the previous mode, which is Priv Exec mode. The prompt changes from (config)# to #. When used in the Priv Exec and User Exec modes, the exit command ends the current session, and connection to the terminal device is terminated. If the current session has changes that have not been committed, the system prompts you to either do a commit or a revert before terminating the session.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
exit

Parameters
None

Example
nx9500-6C8809(config)#exit
nx9500-6C8809#

5.1.4 help

Describes the interactive help system

Use this command to access the advanced help feature. Use “?” anytime at the command prompt to access the help topic.

Two kinds of help are provided:
• Full help is available when ready to enter a command argument
• Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (for example 'show ve?').

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
help {search}
help {search <WORD>} {detailed|only-show|skip-no|skip-show}

Parameters
• help {search <WORD>} {detailed|only-show|skip-no|skip-show}

search <WORD>   Optional. Searches for CLI commands related to a specified target term
                • <WORD> – Specify a target term (for example, a feature or a configuration parameter). After specifying the term, select one of the following options: detailed, only-show, skip-no, or skip-show. The system displays information based on the option selected.
detailed        Optional. Searches and displays help strings in addition to mode and commands
only-show       Optional. Displays only “show” commands. Does not display configuration commands
skip-no         Optional. Displays only configuration commands. Does not display “no” commands
skip-show       Optional. Displays only configuration commands. Does not display “show” commands

Example
nx9500-6C8809>help search crypto detailed
found more than 64 references, showing the first 64
Context : Command
Command : clear crypto ike sa (A.B.C.D|all)(|on DEVICE-NAME)
           \ Clear
            \ Encryption Module
             \ IKE SA
              \ Flush IKE SAs
               \ Flush IKE SAs for a given peer
                \ Flush all IKE SA
                 \ On AP/Controller
                  \ AP/Controller name
        : clear crypto ipsec sa(|on DEVICE-NAME)
                  \ Clear
                  \ Encryption Module
                  \ IPSec database
                  \ Flush IPSec SAs
                  \ On AP/Controller
                  \ AP/Controller name
        : crypto key export rsa WORD URL (passphrase WORD|) (background|) ...
                  \ Encryption related commands
--More--
nx9500-6C8809>

nx9500-6C8809>help search crypto only-show
Context : Command
Command : show crypto cmp request status(|on DEVICE-NAME)
        : show crypto ike sa (version 1|version 2|)(peer A.B.C.D|) (detail...
        : show crypto ipsec sa (peer A.B.C.D|) (detail|)  (|on DEVICE-NAME...
        : show crypto key rsa (|public-key-detail) (|on DEVICE-NAME)
        : show crypto pki trustpoints (WORD|all|)(|on DEVICE-NAME)
nx9500-6C8809>

nx9500-6C8809>help search service skip-show
found more than 64 references, showing the first 64
Context : Command
Command : service block-adopter-config-update
        : service clear adoption history(|on DEVICE-NAME)
        : service clear captive-portal-page-upload history (|(on DOMAIN-NA...
        : service clear command-history(|on DEVICE-NAME)
        : service clear device-upgrade history (|on DOMAIN-NAME)
        : service clear noc statistics
        : service clear reboot-history(|on DEVICE-NAME)
        : service clear unsanctioned aps (|on DEVICE-OR-DOMAIN-NAME)
        : service clear upgrade-history(|on DEVICE-NAME)
        : service clear web-filter cache(|on DEVICE-NAME)
        : service clear wireless ap statistics (|(AA-BB-CC-DD-EE-FF)) (|on...
        : service clear wireless client statistics (|AA-BB-CC-DD-EE-FF) (|...
        : service clear wireless controller-mobility-database
        : service clear wireless dns-cache(|on DEVICE-OR-DOMAIN-NAME)
        : service clear wireless radio statistics (|(DEVICE-NAME (|<1-3>))...
        : service clear wireless wlan statistics (|WLAN) (|on DEVICE-OR-DO...
        : service clear xpath requests (|<1-100000>)
        : service show block-adopter-config-update
        : service show captive-portal servers(|on DEVICE-NAME)
        : service show captive-portal user-cache(|on DEVICE-NAME)
        : service show cli
--More--
nx9500-6C8809>

nx9500-6C8809>help search mint only-show
Found 25 references for "mint"
Context : Command
Command : show debugging mint (|on DEVICE-OR-DOMAIN-NAME)
        : show mint config(|on DEVICE-NAME)
        : show mint dis (|details)(|on DEVICE-NAME)
        : show mint id(|on DEVICE-NAME)
        : show mint info(|on DEVICE-NAME)
        : show mint known-adopters(|on DEVICE-NAME)
        : show mint links (|details)(|on DEVICE-NAME)
        : show mint lsp
        : show mint lsp-db (|details AA.BB.CC.DD)(|on DEVICE-NAME)
        : show mint mlcp history(|on DEVICE-NAME)
        : show mint mlcp(|on DEVICE-NAME)
        : show mint neighbors (|details)(|on DEVICE-NAME)
        : show mint route(|on DEVICE-NAME)
        : show mint stats(|on DEVICE-NAME)
        : show mint tunnel-controller (|details)(|on DEVICE-NAME)
        : show mint tunneled-vlans(|on DEVICE-NAME)
        : show wireless mint client (|on DEVICE-OR-DOMAIN-NAME)
        : show wireless mint client portal-candidates(|(DEVICE-NAME (|<1-3...
        : show wireless mint client statistics (|on DEVICE-OR-DOMAIN-NAME)...
        : show wireless mint client statistics rf (|on DEVICE-OR-DOMAIN-NA...
        : show wireless mint detail (|(DEVICE-NAME (|<1-3>))) (|(filter {|...
        : show wireless mint links (|on DEVICE-OR-DOMAIN-NAME)
        : show wireless mint portal (|on DEVICE-OR-DOMAIN-NAME)
        : show wireless mint portal statistics (|on DEVICE-OR-DOMAIN-NAME)...
        : show wireless mint portal statistics rf (|on DEVICE-OR-DOMAIN-NA...
nx9500-6C8809>

5.1.5 no

Negates a command or sets its default. Though the no command is common to the User Exec, Priv Exec, and Global Config modes, it negates a different set of commands in each mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no <PARAMETERS>

Parameters
• no <PARAMETERS>

no <PARAMETERS>   The no command is common across all configuration modes and sub modes. It resets or reverts settings based on the mode in which it is executed. For example, when executed in the AAA policy configuration mode, it allows you to reset or revert a specific AAA policy's settings. Similarly, when executed in the global configuration mode, it only resets or reverts settings configured in the global configuration mode.

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
Global Config mode: No command options

rfs6000-81742D(config)##no ?
  aaa-policy                          Delete a aaa policy
  aaa-tacacs-policy                   Delete a aaa tacacs policy
  alias                               Alias
  ap621                               Delete an AP621 access point
  ap622                               Delete an AP622 access point
  ap650                               Delete an AP650 access point
  ap6511                              Delete an AP6511 access point
  ap6521                              Delete an AP6521 access point
  ap6522                              Delete an AP6522 access point
  ap6532                              Delete an AP6532 access point
  ap6562                              Delete an AP6562 access point
  ap71xx                              Delete an AP71XX access point
  ap7502                              Delete an AP7502 access point
  ap7522                              Delete an AP7522 access point
  ap7532                              Delete an AP7532 access point
  ap7562                              Delete an AP7562 access point
  ap81xx                              Delete an AP81XX access point
  ap82xx                              Delete an AP82XX access point
  ap8432                              Delete an AP8432 access point
  ap8533                              Delete an AP8533 access point
  application                         Delete an application
  application-group                   Delete an application-group
  application-policy                  Delete an application policy
  association-acl-policy              Delete an association-acl policy
  auto-provisioning-policy            Delete an auto-provisioning policy
  bgp                                 BGP Configuration
  bonjour-gw-discovery-policy         Disable Bonjour Gateway discovery policy
  bonjour-gw-forwarding-policy        Disable Bonjour Gateway Forwarding
                                      policy
  bonjour-gw-query-forwarding-policy  Disable Bonjour Gateway Query Forwarding
                                      policy
  captive-portal                      Delete a captive portal
  client-identity                     Client identity (DHCP Device
                                      Fingerprinting)
  client-identity-group               Client identity group (DHCP Fingerprint
                                      Database)
  crypto-cmp-policy                   CMP policy
  customize                           Restore the custom cli commands to
                                      default
  device                              Delete multiple devices
  device-categorization               Delete  device categorization object
  dhcp-server-policy                  DHCP server policy
  dhcpv6-server-policy                DHCPv6 server related configuration
  dns-whitelist                       Delete a whitelist object
  event-system-policy                 Delete a event system policy
  ex3500                              Ex3500 device
  ex3500-management-policy            Delete a ex3500 management policy
  ex3500-qos-class-map-policy         Delete a ex3500 qos class-map policy
  ex3500-qos-policy-map               Delete a ex3500 qos policy-map
  ex3524                              Delete an EX3524 wireless controller
  ex3548                              Delete an EX3548 wireless controller
  firewall-policy                     Configure firewall policy
  global-association-list             Delete a global association list
  igmp-snoop-policy                   Remove device onboard igmp snoop policy
  inline-password-encryption          Disable storing encryption key in the
                                      startup configuration file
  ip                                  Internet Protocol (IP)
  ipv6                                Internet Protocol version 6 (IPv6)
  ipv6-router-advertisement-policy    IPv6 Router Advertisement related
                                      configuration
  l2tpv3                              Negate a command or set its defaults
  mac                                 MAC configuration
  management-policy                   Delete a management policy
  meshpoint                           Delete a meshpoint object
  meshpoint-qos-policy                Delete a mesh point QoS configuration
                                      policy
  nac-list                            Delete an network access control list
  nsight-policy                       Delete a nsight policy
  passpoint-policy                    Delete a passpoint configuration policy
  password-encryption                 Disable password encryption in
                                      configuration
  profile                             Delete a profile and all its associated
                                      configuration
  radio-qos-policy                    Delete a radio QoS configuration policy
  radius-group                        Local radius server group configuration
  radius-server-policy                Remove device onboard radius policy
  radius-user-pool-policy             Configure Radius User Pool
  rf-domain                           Delete one or more RF-domains and all
                                      their associated configurations
  rfs4000                             Delete an RFS4000 wireless controller
  rfs6000                             Delete an RFS6000 wireless controller
  roaming-assist-policy               Delete a roaming-assist policy
  role-policy                         Role based firewall policy
  route-map                           Dynamic routing route map Configuration
  routing-policy                      Policy Based Routing Configuratino
  rtl-server-policy                   Delete a rtl server policy
  schedule-policy                     Delete a schedule policy
  sensor-policy                       Delete a sensor policy
  smart-rf-policy                     Delete a smart-rf-policy
  t5                                  Delete an T5 DSL switch
  url-filter                          Delete a url filter
  url-list                            Delete a URL list
  web-filter-policy                   Delete a web filter policy
  wips-policy                         Delete a wips policy
  wlan                                Delete a wlan object
  wlan-qos-policy                     Delete a wireless lan QoS configuration
                                      policy
  service                             Service Commands
rfs6000-81742D(config)#

Priv Exec mode: No command options

rfs6000-81742D#no ?
  adoption        Reset adoption state of the device (& all devices adopted to
                  it)
  captive-portal  Captive portal commands
  cpe             T5 CPE configuration
  crypto          Encryption related commands
  debug           Debugging functions
  logging         Modify message logging facilities
  page            Toggle paging
  service         Service Commands
  terminal        Set terminal line parameters
  upgrade         Remove a patch
  wireless        Wireless Configuration/Statistics commands
rfs6000-81742D#

User Exec mode: No command options

rfs6000-81742D>no ?
  adoption        Reset adoption state of the device (& all devices adopted to
                  it)
  captive-portal  Captive portal commands
  crypto          Encryption related commands
  debug           Debugging functions
  logging         Modify message logging facilities
  page            Toggle paging
  service         Service Commands
  terminal        Set terminal line parameters
  wireless        Wireless Configuration/Statistics commands
rfs6000-81742D>

5.1.6 revert

Reverts changes made, in the current session, to their last saved configuration

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
revert

Parameters
None

Example
nx9500-6C8809>revert
nx9500-6C8809>
COMMON COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 135.1.7 serviceCommon CommandsService commands are used to view and manage configurations. The service commands and their corresponding parameters vary from mode to mode. The User Exec mode and Priv Exec mode commands provide same functionalities with a few minor changes. The Global Config service command sets the size of history files. It also enables viewing the current mode’s CLI tree.This section consists of the following sub-sections:•Syntax (User Exec Mode)•Syntax (Privilege Exec Mode)•Syntax (Privilege Exec Mode: NX9500 and NX9510)Supported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntax (User Exec Mode)service [block-adopter-config-update|clear|cli-tables-skin|cluster|database|delete-offline-aps|force-send-config|force-update-vm-stats|guest-registration|load-balancing|load-ssh-authorized-keys|locator|nsight|radio|radius|request-full-config-from-adopter|set|show|smart-rf|ssm|snmp|syslog|wireless]service [block-adopter-config-update|request-full-config-from-adopter]service clear [adoption|captive-portal-page-upload|command-history|device-upgrade|diag|dpi|file-sync|noc|reboot-history|unsanctioned|upgrade-history|virtual-machine-history|web-filter|wireless|xpath]service clear adoption history {on <DEVICE-NAME>}service clear device-upgrade history {on <DOMAIN-NAME>}service clear dpi [all|app|app-category] stats {on <DEVICE-OR-DOMAIN-NAME>}service clear diag pktsservice clear file-sync history {on <DOMAIN-NAME>}service clear captive-portal-page-upload history {on <DOMAIN-NAME>}service clear [command-history|reboot-history|upgrade-history|virtual-machine-history] {on <DEVICE-NAME>}service clear noc statisticsservice clear unsanctioned 
aps {on <DEVICE-OR-DOMAIN-NAME>}service clear web-filter cache {on <DEVICE-NAME>}service clear wireless [ap|client|controller-mobility-database|dns-cache|radio|wlan]service clear wireless controller-mobility-databaseservice clear wireless [ap|client] statistics {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}service clear wireless dns-cache on {(on <DEVICE-OR-DOMAIN-NAME)}service clear wireless radio statistics {<MAC/HOSTNAME>} {<1-3>} {(on <DEVICE-OR-DOMAIN-NAME>)}service clear wireless wlan statistics {<WLAN-NAME>} {(on <DEVICE-OR-DOMAIN-NAME)}service clear xpath requests {<1-100000>}service cli-tables-skin [ansi|hashes|minimal|none|percent|stars|thick|thin|utf-8] {grid}
COMMON COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide  5 - 14service cluster force [active|configured-state|standby]service database [authentication|start-shell]service database authentication [create-user|delete-user]service database authentication create-user username <USER-NAME> password <PASSWORD>service database authentication delete-user username <USER-NAME>Note, the other service > database command options are documented latter in this section under the (Privilege Exec Mode) section.service database start-shellservice delete-offline-aps [all|offline-for]service delete-offline-aps offline-for days <0-999> {time <TIME>}service force-send-config {on <DEVICE-OR-DOMAIN-NAME>}service force-update-vm-stats {on <DEVICE-NAME>}service guest-registration [backup|delete|export|import]service guest-registration backup [delete|restore]service guest-registration delete [all|email <EMAIL-ADD>|group <RAD-GROUP-NAME>|mac <MAC>|mobile <MOBILE-NUMBER>|name <CLIENT-FULL-NAME>|non-social|offline-for days <1-999>|otp-incomplete-for days <1-999>|social [facebook|google]|wlan <WLAN-NAME>]service guest-registration export format [csv|json] <DEST-URL> {(rfdomain <DOMAIN-NAME>|time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]|wlan <WLAN-NAME>)}service guest-registration import format <JSON> <SOURCE-URL>service load-balancing clear-client-capability [<MAC>|all] {on <DEVICE-NAME>}service load-ssh-authorized-keys <PUBLIC-KEY> {on <DEVICE-NAME>}service locator {<1-60>} {(on <DEVICE-NAME>)}service nsight clear-offline [all|offline-for days <0-999> {time <TIME>}]service radio <1-3> [adaptivity|channel-switch|dfs]service radio <1-3> adaptivityservice radio <1-3> channel-switch <36-196> [160|20|40|80]service radio <1-3> dfs simulator-radar [extension|primary]service radius test [<IP>|<HOSTNAME>] [<WORD>|port]service radius test [<IP>|<HOSTNAME>] <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-NAME> ssid <SSID>} {(on <DEVICE-NAME>)}service radius test 
[<IP>|<HOSTNAME>] port <1024-65535> <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-NAME> ssid <SSID>} {(on <DEVICE-NAME>)}service set validation-mode [full|partial] {on <DEVICE-NAME>}service show [block-adopter-config-update|captive-portal|cli|client-identity-defaults|command-history|configuration-revision|crash-info|dhcp-lease|diag|fast-switching|fib|fib6|guest-registration|info|ip-access-list|mac-vendor|mem|mint|noc|nsight|pm|process|reboot-history|rf-domain-manager|sites|snmp|ssh-authorized-keys|startup-log|sysinfo|top|upgrade-history|virtual-machine-history|watch-dog|wireless|xpath-history]
service show block-adopter-config-update
service show captive-portal [log-internal|servers|user-cache]
service show captive-portal log-internal
service show captive-portal [servers|user-cache] {on <DEVICE-NAME>}
service show [cli|client-identity-defaults|configuration-revision|mac-vendor <OUI/MAC>|noc diag|snmp session|xpath-history]
service show [command-history|crash-info|info|mem|process|reboot-history|startup-log|ssh-authorized-keys|sysinfo|top|upgrade-history|watchdog] {on <DEVICE-NAME>}
service show ip-access-list wlan <WLAN-NAME> status {detail} {on <DEVICE-OR-DOMAIN-NAME>}
service show dhcp-lease {<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}
service show diag [fds|led-status|pkts|psu|stats]
service show diag [fds|pkts]
service show diag [led-status|psu|stats] {on <DEVICE-NAME>}
service show fast-switching {on <DEVICE-NAME>}
service show [fib|fib6] {table-id <0-255>}
service show guest-registration [export-status|import-status|restore-status]
service show mint [adopted-devices {on <DEVICE-NAME>}|ports]
service show pm {history} {(on <DEVICE-NAME>)}
service show rf-domain-manager [diag|info] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service show sites
service show virtual-machine-history {on <DEVICE-NAME>}
service show wireless [aaa-stats|adaptivity-status|client|config-internal|credential-cache|dns-cache|log-internal|meshpoint|neighbors|radar-status|radio-internal|reference|stats-client|vlan-usage]
service show wireless [aaa-stats|adaptivity-status|credential-cache|dns-cache|radar-status|vlan-usage] {on <DEVICE-NAME>}
service show wireless [config-internal|log-internal|neighbors]
service show wireless [client|meshpoint neighbor] proc [info|stats] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service show wireless radio-internal [radio1|radio2] <LINE>
service show wireless reference [channels|frame|handshake|mcs-rates|reason-codes|status-codes]
service show wireless stats-client diag {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service smart-rf [clear-config|clear-history|clear-interfering-aps|save-config]
service smart-rf clear-config {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}
service smart-rf [clear-history|clear-interfering-aps|save-config] {on <DOMAIN-NAME>}
service snmp sysoid wing5
service ssm [dump-core-snapshot|trace]
service ssm trace pattern <WORD> {on <DEVICE-NAME>}
service syslog test {level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]} {(on <DEVICE-NAME>)}
service wireless [client|dump-core-snapshot|meshpoint|qos|trace|unsanctioned|wips]
service wireless client [beacon-request|quiet-element|trigger-bss-transition|trigger-wnm]
service wireless client beacon-request <MAC> mode [active|passive|table] ssid [<SSID>|any] channel-report [<CHANNEL-LIST>|none] {on <DEVICE-NAME>}
service wireless client quiet-element [start|stop]
service wireless client trigger-bss-transition mac <MAC> {timeout <0-65535>} {url <URL>} {on <DEVICE-OR-DOMAIN-NAME>}
service wireless client trigger-wnm mac <MAC> type [deauth-imminent|subscription-remediation] {uri <WORD>}
service wireless dump-core-snapshot
service wireless meshpoint zl <MESHPOINT-NAME> [on <DEVICE-NAME>] {<ARGS>|timeout <1-65535>}
service wireless qos delete-tspec <MAC> tid <0-7>
service wireless trace pattern <WORD> {on <DEVICE-NAME>}
service wireless unsanctioned ap air-terminate <MAC> {on <DOMAIN-NAME>}
service wireless wips [clear-client-blacklist|clear-event-history|dump-managed-config]
service wireless wips clear-client-blacklist [all|mac <MAC>]
service wireless wips clear-event-history {on <DEVICE-OR-DOMAIN-NAME>}

Parameters (User Exec Mode)
service

• service [block-adopter-config-update|request-full-config-from-adopter]

block-adopter-config-update
    Blocks the configuration updates sent from the NOC server
request-full-config-from-adopter
    Configures a request for full configuration updates from the adopter device
    In a hierarchically managed (HM) network, devices are deployed in two levels. The first level consists of the Network Operations Center (NOC) controllers. The second level consists of the site controllers that can be grouped to form clusters. The NOC controllers adopt and manage the site controllers. Access points within the network are adopted and managed by the site controllers. The adopted devices (access points and site controllers) are referred to as the adoptee. The devices adopting the adoptee are the ‘adopters’.

• service clear adoption history {on <DEVICE-NAME>}

clear adoption history
    Clears adoption history on this device and its adopted access points
on <DEVICE-NAME>
    Optional. Clears adoption history on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service clear device-upgrade history {on <DOMAIN-NAME>}

clear device-upgrade history
    Clears device upgrade history
on <DOMAIN-NAME>
    Optional. Clears all firmware upgrade history in a specified RF Domain
    • <DOMAIN-NAME> – Specify the RF Domain name.

• service clear diag pkts

clear diag pkts
    Clears the looped packets queue logged by the dataplane. The dataplane logs up to 16 looped packets at a time in a separate queue, which has to be manually cleared to make space for new packet logging.
    For more information on viewing logged looped packet information, execute the service > show > diag > pkts command.

• service clear dpi [all|app|app-category] stats {on <DEVICE-OR-DOMAIN-NAME>}

clear dpi
    Clears Deep Packet Inspection (DPI) statistics
    When enabled, DPI allows application and/or application category recognition. The DPI statistics are maintained by the system for every hit registered by the DPI engine.
[all|app|app-category] stats
    Use the following filter options to clear all or specific DPI statistics:
    • all – Clears all DPI related (application and app-category) statistics
    • app – Clears only application related statistics
    • app-category – Clears only app-category related statistics
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Clears DPI statistics based on the parameters passed on a specified device or RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the access point, controller, service platform, or RF Domain.

• service clear file-sync history {on <DOMAIN-NAME>}

clear file-sync history
    Clears client-bridge certificate synchronization statistics
    When an AP6522/AP6562 access point is configured as a client bridge, the EAP-TLS X.509 (PKCS#12) certificate is synchronized between the staging-controller and adoptee AP6522/AP6562 client-bridge access points. This command allows you to clear client-bridge certificate synchronization statistics.
on <DOMAIN-NAME>
    Optional. Clears file synchronization history on all devices within a specified RF Domain
    • <DOMAIN-NAME> – Specify the RF Domain name.

• service clear captive-portal-page-upload history {on <DOMAIN-NAME>}

clear captive-portal-page-upload history
    Clears captive portal page upload history
on <DOMAIN-NAME>
    Optional. Clears captive portal page upload history on a specified RF Domain
    • <DOMAIN-NAME> – Specify the RF Domain name.
• service clear [command-history|reboot-history|upgrade-history|virtual-machine-history] {on <DEVICE-NAME>}

clear [command-history|reboot-history|upgrade-history]
    Clears command history, reboot history, or device upgrade history
clear virtual-machine-history
    Clears virtual-machine history on the logged device or a specified device
    This command is applicable only on the NX9500 and NX9510 series service platforms.
on <DEVICE-NAME>
    Optional. Clears history on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
    When executing the clear virtual-machine-history command, provide the name of the service platform running the VMs.

• service clear noc statistics

clear noc statistics
    Clears Network Operations Center (NOC) applicable statistics counters

• service clear unsanctioned aps {on <DEVICE-OR-DOMAIN-NAME>}

clear unsanctioned aps
    Clears the unsanctioned APs list
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Clears the unsanctioned APs list on a specified device or RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• service clear wireless [ap|client] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

clear wireless [ap|client] statistics
    Clears wireless statistics counters based on the parameters passed
    • ap statistics – Clears applicable AP statistics counters
    • client statistics – Clears applicable wireless client statistics counters
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.
<MAC> {on <DEVICE-OR-DOMAIN-NAME>}
    The following keywords are common to the ‘ap’ and ‘client’ parameters:
    • <MAC> – Optional. Clears statistics counters for a specified AP or client. Specify the AP/client MAC address.
    • on <DEVICE-OR-DOMAIN-NAME> – Optional. Clears AP/client statistics counters on a specified device or RF Domain. Specify the name of the AP, wireless controller, service platform, or RF Domain.

• service clear wireless controller-mobility-database

clear wireless controller-mobility-database
    Clears the controller assisted mobility database

• service clear web-filter cache {on <DEVICE-NAME>}

clear web-filter cache
    Clears the cache used for Web filtering
on <DEVICE-NAME>
    Optional. Clears the Web filtering cache on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service clear wireless radio statistics {<MAC/HOSTNAME>} {<1-3>} {(on <DEVICE-OR-DOMAIN-NAME>)}

clear wireless radio statistics
    Clears applicable wireless radio statistics counters
<MAC/HOSTNAME> <1-3>
    Optional. Specify the MAC address or hostname of the radio, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format.
    • <1-3> – Optional. Specify the radio interface index, if not specified as part of the radio ID.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. This is a recursive parameter, which clears wireless radio statistics on a specified device or RF Domain. Specify the name of the device.
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• service clear wireless wlan statistics {<WLAN-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}

clear wireless wlan statistics
    Clears WLAN statistics counters
<WLAN-NAME>
    Optional. Clears statistics counters on a specified WLAN. Specify the WLAN name.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. This is a recursive parameter, which clears WLAN statistics on a specified device or RF Domain. Specify the name of the device.
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• service clear xpath requests {<1-100000>}

clear xpath
    Clears XPATH related information
requests
    Clears pending XPATH get requests
<1-100000>
    Optional. Specifies the session number (cookie from show sessions)
    • <1-100000> – Specify the session number from 1 - 100000.
    Note: Omits clearing the current session’s pending XPATH get requests.

• service cli-tables-skin [ansi|hashes|minimal|none|percent|stars|thick|thin|utf-8] {grid}

cli-tables-skin [ansi|hashes|minimal|none|percent|stars|thick|thin|utf-8]
    Selects a formatting layout or skin for CLI tabular outputs
    • ansi – Uses ANSI characters for borders
    • hashes – Uses hashes (#) for borders
    • minimal – Uses one horizontal line between title and data rows
    • none – Displays space separated items with no decoration
    • percent – Uses the percent sign (%) for borders
    • stars – Uses asterisks (*) for borders
    • thick – Uses thick lines for borders
    • thin – Uses thin lines for borders
    • utf-8 – Uses UTF-8 characters for borders
grid
    Optional. Uses a complete grid instead of just title lines

• service cluster force [active|configured-state|standby]

cluster
    Enables cluster protocol management
force
    Forces action commands on a cluster (active, configured-state, and standby)
active
    Changes the cluster run status to active
configured-state
    Restores a cluster to the configured state
standby
    Changes the cluster run status to standby

• service database authentication create-user username <USER-NAME> password <PASSWORD>

database
    Performs database related actions
    This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
authentication create-user username <USER-NAME> password <PASSWORD>
    Creates users having access rights to the database. Execute this command on the database host. However, before creating users on the database, generate the database keyfile. For more information on generating the keyfile, see database.
    • username <USER-NAME> – Configures database username
    • password <PASSWORD> – Configures a password for the username specified above
    In the database-policy, ensure that authentication is enabled and that the username and password are configured. The database-client-policy also should have the same username and password configured. For more information on database-policy and database-client-policy, see database-policy and database-client-policy.

• database authentication delete-user username <USER-NAME>

database
    Performs database related actions
    This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
database authentication delete-user username <USER-NAME>
    Deletes the username that has access rights to the captive-portal/NSight database
    • username <USER-NAME> – Deletes the username identified by the <USER-NAME> keyword
    Once deleted, the database cannot be accessed using the specified combination of username and password.

• service database start-shell

database
    Performs database related actions
    This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
start-shell
    Starts the database shell

• service delete-offline-aps all

delete-offline-aps all
    Deletes all off-line access points

• service delete-offline-aps offline-for days <0-999> {time <TIME>}

delete-offline-aps
    Deletes off-line access points for a specified interval
days <0-999>
    Deletes off-line access points for a specified number of days
    • <0-999> – Specify the number of off-line days from 0 - 999.
time <TIME>
    Optional. Deletes off-line access points for a specified time
    • <TIME> – Specify the time in HH:MM:SS format.

• service force-send-config {on <DEVICE-OR-DOMAIN-NAME>}

force-send-config
    Resends configuration to device(s)
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Resends configuration to a specified device or all devices in a specified RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• service force-update-vm-stats {on <DEVICE-NAME>}

force-update-vm-stats
    Forcefully pushes VM statistics on to the NOC
on <DEVICE-NAME>
    Optional. Executes the command on a specified device
    • <DEVICE-NAME> – Specify the name of the device.

• service guest-registration backup [delete|restore]

service guest-registration backup [delete|restore]
    Deletes or restores all guest registration backup snapshots based on the parameter passed
    • delete – Deletes all guest registration backup snapshots
    • restore – Restores all guest registration backup snapshots
    Note: To view the status of the restore process, use the service > show > guest-registration > restore-status command.

• service guest-registration delete [all|email <EMAIL-ADD>|group <RAD-GROUP-NAME>|mac <MAC>|mobile <MOBILE-NUMBER>|name <CLIENT-FULL-NAME>|non-social|offline-for days <1-999>|wlan <WLAN-NAME>|otp-incomplete-for days <1-999>|social [facebook|google]]

service guest-registration delete
    Deletes a specified user or all user records from the guest-registration database
    To delete a specific user, use one of the following options as an identification parameter: email, group, mac, mobile number, name, offline-for, wlan, otp-incomplete-for, or social.
[all|email <EMAIL-ADD>|group <RAD-GROUP-NAME>|mac <MAC>|mobile <MOBILE-NUMBER>|name <CLIENT-FULL-NAME>|non-social|offline-for days <1-999>|wlan <WLAN-NAME>|otp-incomplete-for days <1-999>|social [facebook|google]]
    Following are the user filtering options. The user identified by one of the following parameters is deleted from the guest-registration database.
    • email <EMAIL-ADD> – Identifies user by the e-mail address
        • <EMAIL-ADD> – Provide the user’s e-mail address.
    • mac <MAC> – Identifies user by the MAC address
        • <MAC> – Provide the user’s MAC address.
    • group <RAD-GROUP-NAME> – Identifies users by their RADIUS group association
        • <RAD-GROUP-NAME> – Specify the RADIUS group name.
    • mobile <MOBILE-NUMBER> – Identifies user by the registered mobile number
        • <MOBILE-NUMBER> – Provide the user’s mobile number.
    • name <CLIENT-FULL-NAME> – Identifies user by the registered full name
        • <CLIENT-FULL-NAME> – Provide the user’s full name.
    • non-social – Identifies users that have not registered through social authentication
    • offline-for days <1-999> – Filters users who have not accessed the network for a specified number of days
        • days <1-999> – Specify the number of days from 1 - 999.
    • wlan <WLAN-NAME> – Identifies users accessing a specified WLAN
        • <WLAN-NAME> – Specify the WLAN name.
    • otp-incomplete-for days <1-999> – Identifies records of users that have not used their one-time-password (OTP) to complete registration within a specified number of days
        • days <1-999> – Specify the number of days from 1 - 999.
    • social [facebook|google] – Identifies users using either Facebook or Google credentials to access the network
        • facebook – Identifies users using Facebook authentication
        • google – Identifies users using Google authentication

• service guest-registration export format [csv|json] <DEST-URL> {(rfdomain <DOMAIN-NAME>|time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]|wlan <WLAN-NAME>)}

service guest-registration export
    Exports guest registration user data files in the Comma-Separated Values (CSV) or JavaScript Object Notation (JSON) format
    Use the ‘rfdomain’, ‘wlan’, and ‘time’ options to filter users for a specified RF Domain, WLAN, and/or time period. These are recursive parameters and you can apply all or any of these three filters.
format [csv|json]
    Specifies the file format. The options are:
    • csv – Exports user data files in the CSV format
    • json – Exports user data files in the JSON format
<DEST-URL>
    Configures the destination URL. The files are exported to the specified location. Both IPv4 and IPv6 address formats are supported.
    IPv4 URLs:
        tftp://<hostname|IP>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file
    IPv6 URLs:
        tftp://<hostname|[IPv6]>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file
rfdomain <DOMAIN-NAME>
    Optional. Filters user data based on RF Domain name. Only the filtered data are exported.
    • <DOMAIN-NAME> – Specify the RF Domain name.
wlan <WLAN-NAME>
    Optional. Filters user data based on WLAN name. Only the filtered data are exported.
    • <WLAN-NAME> – Specify the WLAN name.
time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]
    Optional. Filters user data for a specified time period. Only the filtered data are exported.
    • 1-Day – Filters and exports previous day’s data
    • 1-Month – Filters and exports previous month’s data
    • 1-Week – Filters and exports previous week’s data
    • 2-Hours – Filters and exports last 2 hours data
    • 30-Mins – Filters and exports last 30 minutes data
    • 5-Hours – Filters and exports last 5 hours data
    • all – Exports the entire database

• service guest-registration import format json <SOURCE-URL>

service guest-registration import
    Imports user data from a specified location
format json
    Specifies the file format
    • json – Imports user data files in the JSON format
<SOURCE-URL>
    Configures the Source URL. The files are imported from the specified location. Both IPv4 and IPv6 address formats are supported.
    IPv4 URLs:
        tftp://<hostname|IP>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file
    IPv6 URLs:
        tftp://<hostname|[IPv6]>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file

• service load-balancing clear-client-capability [<MAC>|all] {on <DEVICE-NAME>}

load-balancing
    Enables wireless load balancing by clearing client capability records
clear-client-capability [<MAC>|all]
    Clears a specified client or all client’s capability records
    • <MAC> – Clears capability records of a specified client. Specify the client’s MAC address in the AA-BB-CC-DD-EE-FF format.
    • all – Clears the capability records of all clients
on <DEVICE-NAME>
    Optional. Clears client capability records on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service load-ssh-authorized-keys <PUBLIC-KEY> {on <DEVICE-NAME>}

load-ssh-authorized-keys
    Loads SSH public (client) key on a device
<PUBLIC-KEY>
    Enter the public key. The public key should be in the OpenSSH rsa/dsa format.
on <DEVICE-NAME>
    Optional. Loads the specified public key on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
• service locator {<1-60>} {(on <DEVICE-NAME>)}

locator
    Enables LEDs
<1-60>
    Sets LED flashing time from 1 - 60 seconds.
on <DEVICE-NAME>
    The following keyword is recursive and common to the <1-60> parameter:
    • on <DEVICE-NAME> – Optional. Enables LEDs on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service nsight clear-offline [all|offline-for days <0-999> {time <TIME>}]

nsight clear-offline [all|offline-for days <0-999> {time <TIME>}]
    Clears NSight data received from offline controllers, based on the parameters passed. Select one of the following options:
    • all – Clears NSight data received from all offline controllers
    • offline-for days <0-999> time <TIME> – Clears NSight data received from controllers that have been offline for a specified time period
        • days <0-999> – Specifies the number of days controllers have been offline
            • <0-999> – Specify the number of days from 0 - 999 days. Select “0” to identify controllers offline less than 24 hours.
        • time <TIME> – Optional. Specifies the total time for which controllers have been offline
            • <TIME> – Specify the time in HH:MM:SS format.
    Note: This command is applicable only to the NX95XX, NX9600, and VX9000 platforms.

• service radio <1-3> adaptivity

radio <1-3>
    Configures radio’s parameters
    • <1-3> – Specify the radio index from 1 - 3.
adaptivity
    Simulates the presence of interference on the current channel

• service radio <1-3> channel-switch <36-196> [160|20|40|80|80-80]

radio <1-3>
    Configures radio’s parameters
    • <1-3> – Specify the radio index from 1 - 3.
channel-switch <36-196> [160|20|40|80|80-80]
    Enables channel switching
    • <36-196> – Specifies the channel to switch to from 36 - 196.
    • [160|20|40|80|80-80] – Specifies the bandwidth for the above specified channel. Select the appropriate option.

• service radio <1-3> dfs simulate-radar [extension|primary]

radio <1-3>
    Configures radio’s parameters
    • <1-3> – Specify the radio index from 1 - 3.
dfs
    Enables Dynamic Frequency Selection (DFS)
simulate-radar [extension|primary]
    Simulates the presence of a radar on a channel. Select the channel type from the following options:
    • extension – Simulates a radar on the radio’s current extension channel
    • primary – Simulates a radar on the radio’s current primary channel
• service radius test [<IP>|<HOSTNAME>] <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-NAME> ssid <SSID>} {(on <DEVICE-NAME>)}

radius test
    Tests RADIUS server’s account. This command sends an access-request packet to the RADIUS server. Use this command to confirm time and data/bandwidth parameters for valid wireless clients.
    • test – Tests the RADIUS server’s account with user provided parameters
[<IP>|<HOSTNAME>]
    Sets the RADIUS server’s IP address or hostname
    • <IP> – Specifies the RADIUS server’s IP address
    • <HOSTNAME> – Specifies the RADIUS server’s hostname
<WORD>
    Specify the RADIUS server’s shared secret.
<USERNAME>
    Specify username for authentication.
<PASSWORD>
    Specify the password.
wlan <WLAN-NAME> ssid <SSID>
    Optional. Tests the RADIUS server on the local WLAN. Specify the local WLAN name.
    • ssid <SSID> – Specify the local RADIUS server’s SSID.
on <DEVICE-NAME>
    Optional. This is a recursive parameter also applicable to the WLAN parameter. Performs tests on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service radius test [<IP>|<HOSTNAME>] port <1024-65535> <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-NAME> ssid <SSID>} {(on <DEVICE-NAME>)}

radius test
    Tests a RADIUS server’s account. This command sends an access-request packet to the RADIUS server. Use this command to confirm time and data/bandwidth parameters for valid wireless clients.
    • test – Tests the RADIUS server’s account with user provided parameters
[<IP>|<HOSTNAME>]
    Sets the IP address or hostname of the RADIUS server
    • <IP> – Specify the RADIUS server’s IP address.
    • <HOSTNAME> – Specify the RADIUS server’s hostname.
port <1024-65535>
    Specify the RADIUS server port from 1024 - 65535. The default port is 1812.
<WORD>
    Specify the RADIUS server’s shared secret.
<USERNAME>
    Specify username for authentication.
<PASSWORD>
    Specify the password.
wlan <WLAN-NAME> ssid <SSID>
    Optional. Tests the RADIUS server on the local WLAN. Specify the local WLAN name.
    • ssid <SSID> – Specify the RADIUS server’s SSID.
on <DEVICE-NAME>
    Optional. This is a recursive parameter also applicable to the WLAN parameter. Performs tests on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service set validation-mode [full|partial] {on <DEVICE-NAME>}

set
    Sets the validation mode for running configuration validation
validation-mode [full|partial]
    Sets the validation mode
    • full – Performs a full configuration validation
    • partial – Performs a partial configuration validation
on <DEVICE-NAME>
    Optional. Performs full or partial configuration validation on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service show block-adopter-config-update

show
    Displays running system statistics based on the parameters passed
block-adopter-config-update
    Displays NOC configuration blocking status

• service show captive-portal log-internal

show
    Displays running system statistics based on the parameters passed
captive-portal
    Displays captive portal information
log-internal
    Displays recent captive portal debug logs (information and above severity level)

• service show captive-portal [servers|user-cache] {on <DEVICE-NAME>}

show
    Displays running system statistics based on the parameters passed
captive-portal
    Displays captive portal information
servers
    Displays server information for active captive portals
user-cache
    Displays cached user details for a captive portal
on <DEVICE-NAME>
    Optional. Displays server information or cached user details on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service show [cli|client-identity-defaults|configuration-revision|mac-user-import-status|mac-vendor <OUI/MAC>|noc diag|snmp session|xpath-history]

show
    Displays running system statistics based on the parameters passed
cli
    Displays CLI tree of the current mode
client-identity-defaults
    Displays default client-identities and their configuration
configuration-revision
    Displays current configuration revision number
mac-user-import-status
    Displays status of file import initiated by a MAC-user
mac-vendor <OUI/MAC>
    Displays vendor name for a specified MAC address or Organizationally Unique Identifier (OUI) part of the MAC address
    • <OUI/MAC> – Specify the MAC address or its OUI. The first six digits of the MAC address are the OUI. Use the AABBCC or AA-BB-CC format to provide the OUI.
noc diag
    Displays NOC diagnostic details
snmp session
    Displays SNMP session details
xpath-history
    Displays XPath history
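The service radius test, service database authentication create-user, and service guest-registration export/import syntaxes in this section take a shared secret or password as a plain command argument or inside the URL. The Python sketch below is an added example, not part of the Extreme Networks guide: it scans captured command text (a terminal session log or a provisioning script) and redacts those arguments. The sample lines, prompt, hostnames, and finding labels are constructed, and whether the device masks these values in its own command history is not stated in this guide.

```python
"""Redact secrets from captured WiNG 'service' command lines (added example)."""
import re

REDACTED = "<redacted>"

# service radius test [<IP>|<HOSTNAME>] {port <1024-65535>} <WORD> <USERNAME> <PASSWORD> ...
RADIUS_TEST = re.compile(r"\bservice\s+radius\s+test\s+", re.IGNORECASE)
# service database authentication create-user username <USER-NAME> password <PASSWORD>
DB_CREATE_USER = re.compile(
    r"(\bservice\s+database\s+authentication\s+create-user\s+.*?\bpassword\s+)(\S+)",
    re.IGNORECASE,
)
# ftp://<user>:<passwd>@host/... and sftp://<user>:<passwd>@host/...
# (\S+)@ is greedy, so a password that itself contains '@' is fully covered.
URL_PASSWORD = re.compile(r"\b(s?ftp)://([^:/@\s]+):(\S+)@", re.IGNORECASE)
# FTP and TFTP move the file (and FTP the login) without encryption.
CLEARTEXT_URL = re.compile(r"\b(?:tftp|ftp)://", re.IGNORECASE)

# Constructed sample input; addresses come from documentation ranges.
SAMPLE = """\
nx9500-01#service radius test 192.0.2.10 S3cretKey alice Passw0rd wlan corp ssid corp
nx9500-01#service radius test radius.example.net port 1812 S3cretKey bob Hunter2 on ap-lobby
nx9500-01#service database authentication create-user username nsight password Db!pass
nx9500-01#service guest-registration export format csv ftp://backup:Exp0rt@192.0.2.20/guests.csv time 1-Week
nx9500-01#service guest-registration export format json sftp://backup:Exp0rt@[2001:db8::20]/guests.json
nx9500-01#service show command-history
"""


def scan_line(line):
    """Return (redacted_line, findings) for one captured command line.

    Limitation: only fully spelled-out commands are matched; abbreviated
    command names are not recognised.
    """
    findings = []
    line = line.rstrip()

    match = RADIUS_TEST.search(line)
    if match:
        head, tail = line[:match.end()], line[match.end():].split()
        pos = 1  # tail[0] is the server IP or hostname
        if len(tail) > 2 and tail[1].lower() == "port":
            pos = 3  # skip 'port <1024-65535>'
        if pos < len(tail):
            tail[pos] = REDACTED  # <WORD>: the RADIUS shared secret
            findings.append("radius-shared-secret")
        if pos + 2 < len(tail):
            tail[pos + 2] = REDACTED  # <PASSWORD> follows <USERNAME>
            findings.append("radius-user-password")
        line = head + " ".join(tail)

    line, count = DB_CREATE_USER.subn(lambda m: m.group(1) + REDACTED, line)
    if count:
        findings.append("database-password")

    line, count = URL_PASSWORD.subn(
        lambda m: f"{m.group(1)}://{m.group(2)}:{REDACTED}@", line
    )
    if count:
        findings.append("url-password")
    if CLEARTEXT_URL.search(line):
        findings.append("cleartext-transfer")

    return line, findings


def scan(text):
    """Return [(line_number, findings, redacted_line)] for lines with findings."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        redacted, findings = scan_line(raw)
        if findings:
            hits.append((number, findings, redacted))
    return hits


if __name__ == "__main__":
    for number, findings, redacted in scan(SAMPLE):
        print(f"line {number}: {', '.join(findings)}")
        print(f"    {redacted}")
```

Run it over session logs or scripts before they are attached to tickets or committed to a repository; the redacted line is safe to store, and the findings show which credentials were exposed in the original capture.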
• service show [command-history|crash-info|info|mem|process|reboot-history|startup-log|ssh-authorized-keys|sysinfo|top|upgrade-history|watchdog] {on <DEVICE-NAME>}

show
    Displays running system statistics based on the parameters passed
command-history
    Displays command history (lists all commands executed)
crash-info
    Displays information about core, panic, and AP dump files
info
    Displays snapshot of available support information
mem
    Displays a system’s current memory usage (displays the total memory and available memory)
process
    Displays active system process information (displays all processes currently running on the system)
reboot-history
    Displays the device’s reboot history
startup-log
    Displays the device’s startup log
ssh-authorized-keys
    Displays all devices (device hostnames) that have ssh authorized keys loaded
sysinfo
    Displays system’s memory usage information
top
    Displays system resource information
upgrade-history
    Displays the device’s upgrade history (displays details, such as date, time, and status of the upgrade, old version, new version, etc.)
watchdog
    Displays the device’s watchdog status
on <DEVICE-NAME>
    The following keywords are common to all of the above:
    • on <DEVICE-NAME> – Optional. Displays information for a specified device. If no device is specified, the system displays information for logged device(s)
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service show ip-access-list wlan <WLAN-NAME> status {detail} {on <DEVICE-OR-DOMAIN-NAME>}

show ip-access-list
    Displays status of IP Access Control List (ACL) to WLAN mappings on a specified device or all devices within a specified RF Domain. This command also displays if IP ACLs are properly applied in the dataplane.
wlan <WLAN-NAME>
    Specifies the WLAN for which the IP ACL to WLAN mapping status is required
    • <WLAN-NAME> – Specify the WLAN name.
status detail
    Displays only failed IP ACL to WLAN mappings
    • detail – Optional. Displays all (failed as well as successful) IP ACL to WLAN mapping status
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Specifies the device name or the RF Domain name.
    • <DEVICE-OR-DOMAIN-NAME> – Specify the device name or the RF Domain. When specified, the system displays IP ACL to WLAN mapping status on the specified device or all devices within the specified RF Domain.

• service show dhcp-lease {<INTERFACE-NAME>|on|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}

show
    Displays running system statistics based on the parameters passed
dhcp-lease
    Displays DHCP lease information received from the server
<INTERFACE-NAME>
    Optional. Displays DHCP lease information for a specified router interface
    • <INTERFACE-NAME> – Specify the router interface name.
on
    Optional. Displays DHCP lease information for a specified device
pppoe1
    Optional. Displays DHCP lease information for a PPP over Ethernet interface
vlan <1-4094>
    Optional. Displays DHCP lease information for a VLAN interface
    • <1-4094> – Specify a VLAN index from 1 - 4094.
wwan1
    Optional. Displays DHCP lease information for a Wireless WAN interface
on <DEVICE-NAME>
    The following keywords are common to all of the above:
    • on <DEVICE-NAME> – Optional. Displays DHCP lease information for a specified device. If no device is specified, the system displays information for the logged device.
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service show diag [fds|pkts]

show diag
    Displays diagnostic statistics, such as LED status, fan speed, sensor temperature, open file descriptors, looped packets, etc.
fds
    Displays the number of file descriptors (fds) opened by key processes, such as the CFGD. When executed, the command displays only the file name and FD.
pkts
    Displays details of looped packets captured by the dataplane and pushed to a separate queue. These queued packets are written to a log file (named loop_pkt_info.log) available at the /var2/log/ directory. Use the service > start-shell command and enter the path ‘cat /var2/log/’ to view if the loop_pkt_info.log file exists. However, looped packet logging has to be enabled in the profile/device context. For more information, see diag.
    The dataplane can log up to 16 looped packets at a time. Once the queue is full, no new loop packet is logged until the existing queue is cleared. To clear the logged looped packet queue, execute the service > clear > diag > pkts command.
    Following are the loop codes and the corresponding loop reasons:
        (5) - "pkt looping in dataplane"
        (51) - "loop in packet path"
        (367) - "wispe encapsulation loop"
        (432) - "mcx loop prevention"
        (532) - "Port loop detected"
        (536) - "packet loop detected by wireless bridge"
        (41) - "IPv4 TTL exceeded"
        (493) - "IPv6 TTL exceeded"
        (540) - "mint TTL exceeded"

• service show diag [led-status|psu|stats] {(on <DEVICE-NAME>)}

show
    Displays running system statistics based on the parameters passed
diag
    Displays diagnostic statistics, such as LED status, fan speed, and sensor temperature
led-status
    Displays LED state variables and the current state
psu
    Displays power supply information
stats – Displays fan speed and sensor temperature statistics
on <DEVICE-NAME> – Optional. Displays diagnostic statistics for a specified device. If no device is specified, the system displays information for the logged device.
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service show guest-registration [export-status|import-status|restore-status]

show – Displays running system statistics based on the parameters passed
guest-registration – Displays status of the guest-registration database snapshot related processes (export, import, and restore)
  Note: To export, import, or restore a guest-registration database, use the service > guest-registration > [backup|export|import] command.
export-status – Displays the status of the latest export process initiated
import-status – Displays the status of the latest import process initiated
restore-status – Displays the status of the latest restore process initiated

• service show fast-switching {on <DEVICE-NAME>}

show – Displays running system statistics based on the parameters passed
fast-switching – Displays fast switching state (enabled or disabled)
on <DEVICE-NAME> – Optional. Displays fast switching state for a specified device. If no device is specified, the system displays information for the logged device.
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service show [fib|fib6] {table-id <0-255>}

show – Displays running system statistics based on the parameters passed
fib – Displays entries in the Forwarding Information Base (FIB)
fib6 – Displays FIB IPv6 static routing entries
  The WiNG software allows the IPv6 FIB to maintain only IPv6 static and interface routes. FIB is a collection of routing entries. A route entry consists of IPv6 network (which can also be a host) address, the prefix length for the network (for IPv6 routes this is between 0 - 128), and the next hop’s (gateway) IPv6 address. Since a destination can be reached through multiple next hops, you can configure multiple routes to the same destination with multiple next hops.
table-id <0-255> – Optional. Displays FIB information maintained by the system based on the table ID
  • <0-255> – Specify the table ID from 0 - 255.

• service show mint [adopted-devices {on <DEVICE-NAME>}|ports]

show – Displays running system statistics based on the parameters passed
mint – Displays MiNT protocol details
adopted-devices on <DEVICE-NAME> – Displays adopted devices status in dpd2
  • on <DEVICE-NAME> – Optional. Displays MiNT protocol details for a specified device. If no device is specified, the system displays information for the logged device.
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
ports – Displays MiNT ports used by various services and features

• service show pm {history} {(on <DEVICE-NAME>)}

show – Displays running system statistics based on the parameters passed
pm – Displays the Process Monitor (PM) controlled process details
history – Optional. Displays process change history (the time at which the change was implemented, and the events that triggered the change)
on <DEVICE-NAME> – Optional. Displays process change history for a specified device. If no device is specified, the system displays information for the logged device.
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service show rf-domain-manager [diag|info] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}

show – Displays running system statistics based on the parameters passed
rf-domain-manager – Displays RF Domain manager information
diag – Displays RF Domain manager related diagnostics statistics
info – Displays RF Domain manager related information
<MAC/HOSTNAME> – The following keyword is common to the ‘diag’ and ‘info’ parameters: Optional. Specify the MAC address or hostname of the RF Domain manager.
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is common to the ‘diag’ and ‘info’ parameters: Optional. Displays diagnostics statistics on a specified device or domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• service show sites

show – Displays running system statistics based on the parameters passed
sites – Displays NOC sites related information

• service show virtual-machine-history {on <DEVICE-NAME>}

show virtual-machine-history – Displays virtual machine history based on the parameters passed
  This command is applicable only to the NX9500, and NX9510 series service platforms. It is also available on the Privilege Executable Mode of these devices.
on <DEVICE-NAME> – Optional. Displays virtual machine history on a specified device. If no device is specified, the system displays information for the logged device.
  • <DEVICE-NAME> – Specify the name of the service platform.

• service show wireless [aaa-stats|adaptivity-status|credential-cache|dns-cache|radar-status|vlan-usage] {on <DEVICE-NAME>}

show – Displays running system statistics based on the parameters passed
wireless – Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN assignment, etc.)
aaa-stats – Displays AAA policy statistics
adaptivity-status – Displays the current list of channels (with interference levels exceeding the configured threshold resulting in adaptivity kicking in) and time when adaptivity kicked in on a device
credential-cache – Displays clients cached credentials statistics (VLAN, keys, etc.)
dns-cache – Displays cache of resolved names of servers related to wireless networking
radar-status – Displays radar discovery status. This option displays following information:
  • If a radar has been discovered by the AP
  • The time of discovery
vlan-usage – Displays VLAN statistics across WLANs
on <DEVICE-NAME> – The following keywords are common to all of the above:
  • on <DEVICE-NAME> – Optional. Displays running system statistics on a specified device. If no device is specified, the system displays information for the logged device.
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service show wireless [config-internal|log-internal|neighbors]

show – Displays running system statistics based on the parameters passed
wireless – Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.)
config-internal – Displays internal configuration parameters
log-internal – Displays recent internal wireless debug logs (info and above severity)
neighbors – Displays neighboring device statistics for roaming and flow migration

• service show wireless [client|meshpoint neighbor] proc [info|stats] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

show – Displays running system statistics based on the parameters passed
wireless – Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.)
client – Displays WLAN client statistics
meshpoint neighbor – Displays meshpoint related proc entries
proc – The following keyword is common to client and meshpoint neighbor parameters:
  • proc – Displays dataplane proc entries based on the parameter selected
  Note: These proc entries provide statistics on each wireless client on the WLAN.
  Note: For the meshpoint parameter, it displays proc entries about neighbors.
info – This parameter is common to client and meshpoint neighbor parameters. Displays information for a specified device (wireless client or neighbor) or RF Domain
stats – This parameter is common to client and meshpoint neighbor parameters. Displays information for a specified device (wireless client or neighbor) or RF Domain
<MAC> – Displays information for a specified device (wireless client or neighbor) or RF Domain
on <DEVICE-OR-DOMAIN-NAME> – This parameter is common to client and meshpoint neighbor parameters. Displays information for a specified device (wireless client or neighbor) or RF Domain.
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• service show wireless radio-internal [radio1|radio2] <LINE>

show – Displays running system statistics based on the parameters passed
wireless – Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.)
radio-internal [radio1|radio2] – Displays radio internal debug logs. Select the radio from the following options:
  • radio1 – Selects radio 1
  • radio2 – Selects radio 2.
<LINE> – Specify the radio internal debug command to enable.

• service show wireless reference [channels|frame|handshake|mcs-rates|reason-codes|status-codes]

show – Displays running system statistics based on the parameters passed
wireless – Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.)
reference – Displays look up reference information related to standards, protocols, etc.
channels – Displays 802.11 channels information
frame – Displays 802.11 frame structure
handshake – Displays a flow diagram of 802.11 handshakes
mcs-rates – Displays MCS rate information
reason-codes – Displays 802.11 reason codes (for deauthentication, disassociation, etc.)
status-codes – Displays 802.11 status codes (for association response)

• service show wireless stats-client diag {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}

show – Displays running system statistics based on the parameters passed
wireless – Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.)
stats-client – Displays managed AP statistics
<MAC/HOSTNAME> – Optional. Specify the MAC address or hostname of the AP.
on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays statistics on a specified AP, or all APs on a specified domain.
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• service smart-rf clear-config {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}

smart-rf – Enables Smart RF management
clear-config – Clears WLAN Smart RF configuration on a specified device or on all devices
<MAC> – Optional. Clears WLAN Smart RF configuration on a device identified by its MAC address. Specify the device’s MAC address in the AA-BB-CC-DD-EE-FF format.
<DEVICE-NAME> – Optional. Clears WLAN Smart RF configuration on a device identified by its hostname. Specify the device’s hostname.
on <DOMAIN-NAME> – Optional. Clears WLAN Smart RF configuration on all devices in a specified RF Domain
  • <DOMAIN-NAME> – Specify the RF Domain name.

• service smart-rf [clear-history|clear-interfering-aps|save-config] {on <DOMAIN-NAME>}

smart-rf – Enables Smart RF management
clear-history – Clears WLAN Smart RF history on all devices
clear-interfering-aps – Clears Smart-RF interfering APs
save-config – Saves the Smart RF configuration on all devices, and also saves the history on the RF Domain Manager
on <DOMAIN-NAME> – Optional. Clears WLAN Smart RF configuration on all devices in a specified RF Domain
  • <DOMAIN-NAME> – Specify the RF Domain name.

• service snmp sysoid wing5

snmp sysoid wing5 – Configures a new sysObjectID (sysoid), in the MIB, for devices running WiNG 5.X.
  When configured, the SNMP manager returns sysoid for WiNG 5.X OS. Hardware running the WiNG 4.X and WiNG 5.X images has different sysoids. For example, the sysoid for a RFS4000 using the WiNG 4.X image differs from another RFS4000 running the WiNG 5.X image.
  This command is applicable only to RFS4000 and RFS6000 platforms, since they have the same sysoid supported in WiNG 4.X and WiNG 5.X.
  The WiNG 4.X sysoids are:
  • RFS4000 – 1.3.6.1.4.1.388.18
  • RFS6000 – 1.3.6.1.4.1.388.16
  The WiNG 5.X sysoids are:
  • RFS4000 – 1.3.6.1.4.1.388.50.1.1.35
  • RFS6000 – 1.3.6.1.4.1.388.50.1.1.36

• service ssm dump-core-snapshot

ssm dump-core-snapshot – Triggers a debug core dump of the SSM module

• service syslog test {level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]} {(on <DEVICE-NAME>)}

syslog test – Sends a test message to the syslog server to confirm server availability
level – Optional. Sets the logging level. In case syslog server is unreachable, an event is logged based on the logging level defined. This is an optional parameter, and the system configures default settings, if no logging severity level is specified.
  • <0-7> – Optional. Specify the logging severity level from 0-7. The various levels and their implications are as follows:
    • alerts – Optional. Immediate action needed (severity=1)
    • critical – Optional. Critical conditions (severity=2)
    • debugging – Optional. Debugging messages (severity=7)
    • emergencies – Optional. System is unusable (severity=0)
    • errors – Optional. Error conditions (severity=3)
    • informational – Optional. Informational messages (severity=6)
    • notifications – Optional. Normal but significant conditions (severity=5)
    • warnings – Optional. Warning conditions (severity=4). This is the default setting.
on <DEVICE-NAME> – Optional. Executes the command on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service ssm trace pattern <WORD> {on <DEVICE-NAME>}

ssm trace – Displays the SSM module trace based on parameters passed
pattern <WORD> – Configures the pattern to match
  • <WORD> – Specify the pattern to match.
on <DEVICE-NAME> – Optional. Displays the SSM module trace on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service wireless client beacon-request <MAC> mode [active|passive|table] ssid [<SSID>|any] channel-report [<CHANNEL-LIST>|none] {on <DEVICE-NAME>}

wireless client beacon-request – Sends beacon measurement requests to a wireless client
<MAC> – Specify the wireless client’s MAC address.
mode [active|passive|table] – Specifies the beacon measurement mode. The following modes are available:
  • Active – Requests beacon measurements in the active mode
  • Passive – Requests beacon measurements in the passive mode
  • Table – Requests beacon measurements in the table mode
ssid [<SSID>|any] – Specifies if the measurements have to be made for a specified SSID or for any SSID
  • <SSID> – Requests beacon measurement for a specified SSID
  • any – Requests beacon measurement for any SSID
channel-report [<CHANNEL-LIST>|none] – Configures channel report in the request. The request can include a list of channels or can apply to all channels.
  • <CHANNEL-LIST> – Request includes a list of channels. The client has to send beacon measurements only for those channels included in the request
  • none – Request applies to all channels
on <DEVICE-NAME> – Optional. Sends requests on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
• service wireless client quiet-element [start|stop]

wireless client quiet-element – Enables the quiet-element information in beacons sent to wireless clients
start – Enables the quiet-element information in beacons sent to wireless clients. This is the interval for which all wireless clients are to remain quiet.
stop – Disables the quiet-element information in beacons sent to wireless clients. Once disabled, this information is no longer included in beacons.

• service wireless client trigger-bss-transition mac <MAC> {timeout <0-65535>} {url <URL>} {on <DEVICE-OR-DOMAIN-NAME>}

wireless client trigger-bss-transition – Sends an 802.11v Wireless Network Management BSS transition request to a client
mac <MAC> – Specifies the wireless client’s MAC address
timeout <0-65535> – Specifies the time remaining, for this client, before BSS transition is initiated. In other words, on completion of the specified time period, BSS transition is triggered.
  • <0-65535> – Specify a time from 0 - 65535 seconds.
url <URL> – Optional. Specifies session termination URL
on <DEVICE-OR-DOMAIN-NAME> – Optional. Sends request on a specified device
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• service wireless client trigger-wnm mac <MAC> type [deauth-imminent|subscription-remediation] {uri <WORD>}

wireless client trigger-wnm – Sends a WNM notification (action frame) to a wireless client
mac <MAC> – Specifies the wireless client’s MAC address
type [deauth-imminent|subscription-remediation] – Configures the WNM notification type
  • deauth-imminent – Sends a de-authentication imminent frame
  • subscription-remediation – Sends a subscription remediation needed frame
uri <WORD> – Optional. Specifies the unique resource identifier (URI)

• service wireless dump-core-snapshot

wireless client dump-core-snapshot – Triggers a debug core dump of the wireless module

• service wireless meshpoint zl <MESHPOINT-NAME> [on <DEVICE-NAME>] {<ARGS>|timeout <1-65535>}

service wireless meshpoint zl – Triggers a zonal level debug of a specified meshpoint’s modules
<MESHPOINT-NAME> – Specify the meshpoint name
on <DEVICE-NAME> – Triggers zonal level debug of a specified meshpoint’s modules on a specified device
  • <DEVICE-NAME> – Specify the name of the device (AP, wireless controller, or service platform)
<ARGS> – Optional. Specifies the zonal arguments. These zonal arguments represent the meshpoint modules identified by the zonal and subzonal arguments passed here. Also specify the debug level from 0 - 7. Please see the Examples section, at the end of this topic, for more information.
timeout <1-65535> – Optional. Specifies a timeout value from 1 - 65535 seconds. When specified, meshpoint logs are debugged for the time specified here.

• service wireless qos delete-tspec <MAC> tid <0-7>

wireless qos delete-tspec – Sends a delete TSPEC request to a wireless client
<MAC> – Specify the MAC address of the wireless client.
tid <0-7> – Deletes the Traffic Identifier (TID)
  • <0-7> – Select the TID from 0 - 7.

• service wireless trace pattern <WORD> {on <DEVICE-NAME>}

wireless trace – Displays the wireless module trace based on parameters passed
pattern <WORD> – Configures the pattern to match
  • <WORD> – Specify the pattern to match.
on <DEVICE-NAME> – Optional. Displays the wireless module trace on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service wireless unsanctioned ap air-terminate <MAC> {on <DOMAIN-NAME>}

wireless unsanctioned ap air-terminate – Enables unsanctioned access points termination
<MAC> – Configures the unsanctioned access points’ BSSID (MAC address)
on <DOMAIN-NAME> – Optional. Specifies the RF Domain of the access point
  • <DOMAIN-NAME> – Specify the name of the RF Domain.

• service wireless wips clear-client-blacklist [all|mac <MAC>]

wireless wips – Enables management of WIPS parameters
clear-client-blacklist [all|mac <MAC>] – Removes a specified client or all clients from the blacklist
  • all – Removes all clients from the blacklist
  • mac <MAC> – Removes a specified client from the blacklist
    • <MAC> – Specify the wireless client’s MAC address.

• service wireless wips clear-event-history {on <DEVICE-OR-DOMAIN-NAME>}

wireless wips – Enables WIPS management
clear-event-history – Clears event history
on <DEVICE-OR-DOMAIN-NAME> – Optional. Clears event history on a device or RF Domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.
Syntax (Privilege Exec Mode)

service

service [block-adopter-config-updates|clear|cli-tables-skin|cluster|copy|database|delete|delete-offline-aps|force-send-config|force-update-vm-stats|guest-registration|load-balancing|locator|mint|pktcap|pm|radio|radius|request-full-config-from-adopter|restore|set|show|signal|smart-rf|snmp|ssm|start-shell|syslog|trace|wireless]
service clear crash-info {on <DEVICE-NAME>}
service copy [stats-report|tech-support]
service copy stats-report [global|rf-domain <DOMAIN-NAME>] (<FILE>|<URL>)
service copy tech-support [<FILE>|<URL>]
service database [authentication|compact|drop|maintenance-mode|primary-stepdown|remove-all-files|replica-set|server|start-shell]
service database authentication [create-user|delete-user]
service database authentication create-user username <USER-NAME> password <PASSWORD>
service database authentication delete-user username <USER-NAME>
service database compact [all|captive-portal|nsight]
service database drop [captive-portal|nsight] collection <COLLECTION-NAME>
service database [maintenance-mode|primary-stepdown|remove-all-files|start-shell]
service database replica-set [add|delete]
service database replica-set add member [<IP>|<FQDN>] [arbiter|priority <0-255>]
service database replica-set delete member [<IP>|<FQDN>]
service database server [restart|start|stop]
service delete sessions <SESSION-COOKIES>
service mint [clear|debug-log|expire|flood]
service mint [clear [lsp-db|mlcp]|debug-log [flash-and-syslog|flash-only]|expire [lsp|spf]|flood [csnp|lsp]]
service pktcap on [bridge|deny|drop|ext-vlan|interface|radio|rim|router|vpn|wireless]
service pktcap on [bridge|deny|drop|ext-vlan|rim|router|vpn|wireless] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}
service pktcap on interface [<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}

NOTE: The “service” command of the Priv Exec Mode is the same as the service command in the User Exec Mode. There are a few modifications that have been documented in this section. For the syntax and parameters of the other commands refer to the (User Exec Mode) syntax and (User Exec Mode) parameters sections of this chapter.
service pktcap on radio [<1-1024>|all] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,promiscuous,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}
service pm stop {on <DEVICE-NAME>}
service restore analytics-support [<FILE>|<URL>]
service show last-passwd
service signal [abort <PROCESS-NAME>|kill <PROCESS-NAME>]
service start-shell
service trace <PROCESS-NAME> {summary}

Parameters (Privilege Exec Mode)

service

• service copy tech-support [<FILE>|<URL>]

copy tech-support – Copies extensive system information used for troubleshooting
<FILE> – Specify the location to copy file using the following format:
  • usbX:/path/file
<URL> – Specify the location URL to copy file. Both IPv4 and IPv6 address formats are supported.
  tftp://<hostname|IPv4/IPv6>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
  sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file

• service copy stats-report [global|rf-domain <DOMAIN-NAME>] (<FILE>|<URL>)

copy stats-report – Copies extensive statistical data useful for troubleshooting
[global|rf-domain <DOMAIN-NAME>] – Identifies the RF Domain to copy statistical data
  • global – Copies extensive statistical data of all configured RF Domains
  • rf-domain <DOMAIN-NAME> – Copies extensive statistical data of a specified RF Domain. Specify the domain name.
<FILE> – Specify the location to copy file using the following format:
  • usbX:/path/file
<URL> – Specify the location URL to copy file. Both IPv4 and IPv6 address formats are supported.
  tftp://<hostname|IPv4/IPv6>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
  sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file

• service clear crash-info {on <DEVICE-NAME>}

clear crash-info – Clears all crash files
on <DEVICE-NAME> – Optional. Clears crash files on a specified device. These crash files are core, panic, and AP dump.
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
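The <URL> forms listed for service copy (the guide lists the same transports for pktcap write) place the transfer password on the command line, and TFTP and FTP carry the file unencrypted. The following is an added example, not part of the Extreme Networks guide: it checks a destination against the documented forms, flags those conditions, and redacts the password before a command line is logged or pasted into a ticket. The sample commands, hosts and credentials are constructed, and the finding names, bracketed IPv6 literals and a numeric X in usbX are assumptions.

```python
import re
from urllib.parse import urlsplit

# <URL> transports listed in the guide, mapped to "is the transfer encrypted?"
TRANSPORTS = {"tftp": False, "ftp": False, "sftp": True}

# <FILE> forms listed in the guide: flash:/path/file, usbX:/path/file,
# vram:startup-config. Assumption: the X in usbX is a decimal index.
LOCAL_RE = re.compile(r"^(?:flash|usb\d+|vram):(?!//)\S+$")

# user:password@ inside the authority part (everything before the first "/").
# The greedy [^/]* backs off to the last "@", so an "@" inside the password
# stays within the redacted span.
CRED_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://([^:/@]*):[^/]*@", re.I)


def audit_destination(dest):
    """Return (findings, redacted_dest) for one <FILE> or <URL> token."""
    if LOCAL_RE.match(dest):
        return [], dest  # local storage: nothing crosses the network

    findings = []
    has_password = CRED_RE.match(dest) is not None
    redacted = CRED_RE.sub(r"\1://\2:****@", dest)

    try:
        parts = urlsplit(dest)
        parts.port  # property access validates the port; raises ValueError
        scheme, host = parts.scheme.lower(), parts.hostname
    except ValueError:
        scheme, host = "", None

    if not host:
        # Also hit by an unbracketed IPv6 literal (assumption: brackets needed).
        findings.append("malformed-url")
    elif scheme not in TRANSPORTS:
        findings.append("unsupported-scheme")
    else:
        if not TRANSPORTS[scheme]:
            findings.append("cleartext-transport")
        if scheme == "tftp":
            findings.append("unauthenticated-transfer")
    if has_password:
        findings.append("password-on-command-line")
    return findings, redacted


def audit_command(line):
    """Audit every destination token in a CLI line.

    Returns (findings, redacted_line); the redacted line is safe to log.
    """
    findings, tokens = [], []
    for tok in line.split():
        if "://" in tok or LOCAL_RE.match(tok):
            found, tok = audit_destination(tok)
            findings.extend(found)
        tokens.append(tok)
    return findings, " ".join(tokens)


# Constructed sample command lines (documentation address ranges, made-up
# account and password); not taken from any device.
SAMPLES = [
    "service copy tech-support ftp://backup:Winter17@192.0.2.10/ts/ap01.tar.gz",
    "service copy stats-report global tftp://192.0.2.10/stats/report.tar.gz",
    "service copy tech-support sftp://backup:p@ss@[2001:db8::10]:2222/ts/ap01.tar.gz",
    "service copy tech-support usb1:/ts/ap01.tar.gz",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        found, safe = audit_command(sample)
        print(f"{safe}\n    findings: {', '.join(found) or 'none'}")
```
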
• service database authentication create-user username <USER-NAME> password <PASSWORD>

database – Performs captive-portal/NSight database related actions
  This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
database authentication create-user username <USER-NAME> password <PASSWORD> – Creates the username and password required to access the database. Execute this command on the database host. However, before creating users, on the database, generate the database keyfile. For more information on generating the keyfile, see database.
  • username <USER-NAME> – Configures a database username
  • password <PASSWORD> – Configures a password for the username created above
  In the database-policy context, enable authentication and configure this username and password. The database-client-policy also should have the same user credentials configured. For more information on database-policy and database-client-policy, see database-policy and database-client-policy.

• database authentication delete-user username <USER-NAME>

database – Performs database related actions
  This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
database authentication delete-user username <USER-NAME> – Deletes existing users having access rights to the database
  • username <USER-NAME> – Identifies the user to delete by the username
    • <USER-NAME> – Specify the user name.
  Once deleted, the database cannot be accessed using the specified combination of username and password.

• service database compact [all|captive-portal|nsight]

database – Performs database related actions
  Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
compact [all|captive-portal|nsight] – Compacts collections within the database. Each database (captive-portal and NSight) contains one or more collection, where each collection is a set of records. Use this command to make a single compact set of all collections within a database.
  • all – Compacts collections within all databases (captive-portal and NSight) being maintained
  • captive-portal – Compacts all collections within the captive portal database only
  • nsight – Compacts all collections within the NSight database only

• service database drop [captive-portal|nsight] collection <COLLECTION-NAME>

database – Performs database related actions
  Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
drop [captive-portal|nsight] collection <COLLECTION-NAME> – Drops the specified collection from the selected database. Select the database type and specify the collection.
  • captive-portal – Drops a captive portal database collection
  • nsight – Drops an NSight database collection
  The following keyword is common to both the ‘captive-portal’ and ‘NSight’ databases:
  • collection <COLLECTION-NAME> – Drops the collection identified by the <COLLECTION-NAME> parameter.
    • <COLLECTION-NAME> – Specify the collection name.

• service database [maintenance-mode|primary-stepdown|remove-all-files|start-shell]

database – Performs database related actions
  Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
maintenance-mode – Places the database server in the maintenance mode
primary-stepdown – Requests the primary replica-set to step down. For more information on replica-sets and its creation, see database-policy.
remove-all-files – Removes all database-server related files (captive-portal and NSight). Use in a scenario where complete removal of all database related files is necessary, such as when downgrading to 5.8.1 or 5.8.0 version. Extreme caution is recommended when using this command.
start-shell – Starts the database shell

• service database replica-set add member [<IP>|<FQDN>] [arbiter|priority <0-255>]

database – Performs database related actions
  Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
replica-set – Adds members to the database replica set. A replica set is a group of devices running the database instances that maintain the same data set. Replica sets provide redundancy and high availability, and are the basis for all production deployments. The replica set can contain a maximum of fifty (50) members, with each member (with the exception of the arbiter) hosting an instance of the database. For more information on creating replica sets, see database-policy.
add member [<IP>|<FQDN>] – Adds members to the database replica set
  • <IP> – Identifies the member by its IP address. Specify the member’s IP address.
  • <FQDN> – Identifies the member by its Fully Qualified Domain Name (FQDN). Specify the member’s FQDN address.
  Note: Ensure that the identified members have the database instance running prior to being added to the replica set.
[arbiter|priority <0-255>] – After identifying the new member, optionally specify if the member is the arbiter or not. If not the arbiter, specify the member’s priority value.
  • arbiter – Identifies the new member as the arbiter. The arbiter does not maintain a data set and is added to the replica set to facilitate the election of the fall-back primary member. It provides that one extra vote required in the election of the primary member.
  • priority <0-255> – Identifies the new member as not being the arbiter and configures its priority value.
    • <0-255> – Specify the priority value from 0 - 255. Not applicable for the arbiter.
  The priority value determines the member’s position within the replica set as primary or secondary. It also helps in electing the fall-back primary member in the eventuality of the current primary member being unreachable.
  All identified members should have the database instances running prior to being added to the replica set.

• service database replica-set delete member [<IP>|<FQDN>]

database – Performs database related actions
  Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
replica-set – Allows deletion of members in a database replica set. For each database a single three-member replica-set can be created and maintained. For more information on creating replica sets, see database-policy.
delete member [<IP>|<FQDN>] – Deletes members from an existing database replica set
  • <IP> – Identifies the member by its IP address. Specify the member’s IP address.
  • <FQDN> – Identifies the member by its FQDN. Specify the member’s FQDN address.

• service database server [restart|start|stop]

database – Performs database related actions
  Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
server [restart|start|stop] – Performs the following actions on the database server:
  • restart – Restarts the server
  • start – Starts the server
  • stop – Stops the server

• service delete sessions <SESSION-COOKIES>

delete sessions <SESSION-COOKIES> – Deletes session cookies
  • <SESSION-COOKIES> – Provide a list of cookies to delete.

• service mint [clear [lsp-dp|mlcp]|debug-log [flash-and-syslog|flash-only]|expire [lsp|spf]|flood [csnp|lsp]]

mint – Enables MiNT protocol management (clears LSP database, enables debug logging, enables running silence, etc.)
clear [lsp-dp|mlcp] – Clears LSP database and MiNT Link Control Protocol (MLCP) links
  • lsp-dp – Clears MiNT Label Switched Path (LSP) database
  • mlcp – Clears MLCP links
debug-log [flash-and-syslog|flash-only] – Enables debug message logging
  • flash-and-syslog – Logs debug messages to the flash and syslog files
  • flash-only – Logs debug messages to the flash file only
expire [lsp|spf] – Forces expiration of LSP and recalculation of Shortest Path First (SPF)
  • lsp – Forces expiration of LSP
  • spf – Forces recalculation of SPF
flood [csnp|lsp] – Floods control packets
  • csnp – Floods our Complete Sequence Number Packets (CSNP)
  • lsp – Floods our LSP

• service pm stop {on <DEVICE-NAME>}

pm – Stops the Process Monitor (PM)
stop – Stop the PM from monitoring all daemons
on <DEVICE-NAME> – Optional. Stops the PM on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• service pktcap on [bridge|deny|drop|ext-vlan|rim|router|vpn|wireless] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter,hex,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}

pktcap on – Captures data packets crossing at a specified location
  • on – Defines the packet capture location
bridge – Captures packets transiting through the Ethernet bridge
deny – Captures packets denied by an Access Control List (ACL)
drop – Captures packets at the drop locations
ext-vlan – Captures packets forwarded to or from an extended VLAN
rim – Captures packets at the Radio Interface Module (RIM)
router – Captures packets transiting through an IP router
vpn – Captures packets forwarded to or from a VPN link
wireless – Captures packets forwarded to or from a wireless device
acl-name <ACL> – Optional. Specify the ACL that matches the acl-name for the 'deny' location
count <1-1000000> – Optional. Limits the captured packet count. Specify a value from 1 - 1000000.
direction [any|inbound|outbound] – Optional. Changes the packet direction with respect to a device. The direction can be set as any, inbound, or outbound.
filter [<LINE>|arp|capwap|cdp|dot11|dropreason|dst|ether|failed|host|icmp|icmp6|igmp|ip|ipv6|l2|l3|l4|lldp|mint|net|not|port|priority|radio|rssi|src|stp|tcp|tcp6|udp|udp6|vlan|wlan]
  Optional. Filters packets based on the option selected (must be used as a last option)
  The filter options are:
  • <LINE> – Defines user defined packet capture filter
  • arp – Matches ARP packets
  • capwap – Matches CAPWAP packets
  • cdp – Matches CDP packets
  • dot11 – Matches 802.11 packets
  • dropreason – Matches packet drop reason
  • dst – Matches IP destination
  • ether – Matches Ethernet packets
  • failed – Matches failed 802.11 transmitted frames
  • host – Matches host destination
  • icmp – Matches ICMP packets
  • icmp6 – Matches ICMPv6 frames
  • ip – Matches IPV4 packets
  • ipv6 – Matches IPV6 packets
  • l2 – Matches L2 header
  • l3 – Matches L3 header
  • l4 – Matches L4 header
  • mint – Matches MiNT packets
  • lldp – Matches LLDP packets
  • net – Matches IP in subnet
  • not – Filters out any packet that matches the filter criteria (For example, if not TCP is used, all tcp packets are filtered out)
  • port – Matches TCP or UDP port
  • priority – Matches packet priority
  • radio – Matches radio
  • rssi – Matches Received Signal Strength Indication (RSSI) of received radio signals
  • src – Matches IP source
  • stp – Matches STP packets
  • tcp – Matches TCP packets
  • tcp6 – Matches TCP over IPv6 packets
  • udp – Matches UDP packets
  • udp6 – Matches UDP over IPv6 packets
  • vlan – Matches VLAN
  • wlan – Matches WLAN
hex
  Optional. Provides binary output of the captured packets
rate <1-100>
  Optional. Specifies the packet capture rate
  • <1-100> – Specify a value from 1 - 100 seconds.
snap <1-2048>
  Optional. Captures the data length
  • <1-2048> – Specify a value from 1 - 2048 characters.
tcpdump
  Optional. Decodes tcpdump. The tcpdump analyzes network behavior, performance, and infrastructure. It also analyzes applications that generate or receive traffic.
verbose
  Optional. Displays full packet body
write
  Captures packets to a specified file. Specify the location to capture file:
  FILE –
    flash:/path/file
    usbX:/path/file
    nvram:startup-config
  URL – Specify the location URL to capture file. Both IPv4 and IPv6 address formats are supported.
    tftp://<hostname|IPv4/IPv6>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
    sftp://<user>@<hostname|IPv4/IPv6>[:port]>/path/file
  tzsp – TaZmen Sniffer Protocol (TZSP) host. Specify the TZSP host’s IP address or hostname.

• service pktcap on radio [<1-1024>|all] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,promiscuous,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}
pktcap on radio
  Captures data packets on a radio (802.11)
<1-1024>
  Captures data packets on a specified radio
  • <1-1024> – Specify the radio index from 1 - 1024.
all
  Captures data packets on all radios
acl-name <ACL>
  Optional. Specify the ACL that matches the ACL name for the 'deny' location
count <1-1000000>
  Optional. Sets a specified number of packets to capture
  • <1-1000000> – Specify a value from 1 - 1000000.
direction [any|inbound|outbound]
  Optional. Changes the packet direction with respect to a device. The direction can be set as any, inbound, or outbound.
filter <LINE>
  Optional. Filters packets based on the option selected (must be used as a last option)
  • <LINE> – Define a packet capture filter or select any one of the available options.
hex
  Optional. Provides binary output of the captured packets
rate <1-100>
  Optional. Specifies the packet capture rate
  • <1-100> – Specify a value from 1 - 100 seconds.
snap <1-2048>
  Optional. Captures the data length
  • <1-2048> – Specify a value from 1 - 2048 characters.
tcpdump
  Optional. Decodes the TCP dump
verbose
  Optional. Provides verbose output
write
  Captures packets to a specified file. Specify the location to capture file:
  FILE –
    flash:/path/file
    usbX:/path/file
    nvram:startup-config
  URL – Specify the location URL to capture file. Both IPv4 and IPv6 address formats are supported.
    tftp://<hostname|IPv4/IPv6>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
    sftp://<user>@<hostname|IPv4/IPv6>[:port]>/path/file
  tzsp – The TZSP host. Specify the TZSP host’s IP address or hostname.

• service pktcap on interface [<INTERFACE>|ge <1-4>|me|port-channel <1-2>|vlan <1-4094>] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}
pktcap on
  Captures data packets at a specified interface
  • on – Specify the capture location.
interface [<INTERFACE>|ge <1-4>|me1|port-channel <1-2>|vlan <1-4094>]
  Captures packets at a specified interface. The options are:
  • <INTERFACE> – Specify the interface name.
  • ge <1-4> – Selects a GigabitEthernet interface index from 1 - 4
  • me1 – Selects the FastEthernet interface
  • port-channel <1-2> – Selects a port-channel interface index from 1 - 2
  • vlan <1-4094> – Selects a VLAN ID from 1 - 4094
acl-name <ACL>
  Optional. Specify the ACL that matches the ACL name for the 'deny' location
count <1-1000000>
  Optional. Sets a specified number of packets to capture
  • <1-1000000> – Specify a value from 1 - 1000000.
direction [any|inbound|outbound]
  Optional. Changes the packet direction with respect to a device. The direction can be set as any, inbound, or outbound.
filter <LINE>
  Optional. Filters packets based on the option selected (must be used as a last option)
  • <LINE> – Define a packet capture filter or select any one of the available options.
hex
  Optional. Provides binary output of the captured packets
rate <1-100>
  Optional. Specifies the packet capture rate
  • <1-100> – Specify a value from 1 - 100 seconds.
snap <1-2048>
  Optional. Captures the data length
  • <1-2048> – Specify a value from 1 - 2048 characters.
tcpdump
  Optional. Decodes the TCP dump
verbose
  Optional. Provides verbose output
write
  Captures packets to a specified file. Specify the location to capture file:
  FILE –
    flash:/path/file
    usbX:/path/file
    nvram:startup-config
  URL – Specify the location URL to capture file. Both IPv4 and IPv6 address formats are supported.
    tftp://<hostname|IPv4/IPv6>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
    sftp://<user>@<hostname|IPv4/IPv6>[:port]>/path/file
  tzsp – The TZSP host. Specify the TZSP host’s IP address or hostname.

• service show last-passwd
show
  Displays running system statistics based on the parameters passed
last-passwd
  Displays the last password used to enter shell

• service signal [abort <PROCESS-NAME>|kill <PROCESS-NAME>]
signal
  Sends a signal to a process
  • tech-support – Copies extensive system information useful for troubleshooting
abort
  Sends an abort signal to a process, and forces it to dump to core
  • <PROCESS-NAME> – Specify the process name.
kill
  Sends a kill signal to a process, and forces it to terminate without a core
  • <PROCESS-NAME> – Specify the process name.

• service start-shell
start-shell
  Provides shell access

• service trace <PROCESS-NAME> {summary}
trace
  Traces a process for system calls and signals
<PROCESS-NAME>
  Specifies the process name
summary
  Optional. Generates summary report of the specified process

Syntax (Privilege Exec Mode: NX9500 and NX9510)
service
The following service commands are specific to the NX9500 and NX9510 series service platforms:
service copy analytics-support [<FILE>|<URL>]

Parameters (Privilege Exec Mode: NX9500 and NX9510)
• service copy analytics-support [<FILE>|<URL>]
copy analytics-support
  Enables copying of analytics information to a specified file. This information is useful to troubleshoot issues by the Technical Support team. Use one of the following options to specify the file:
<FILE>
  Specify the file name and location using one of the following formats:
  usb1:/path/file
  usb2:/path/file
<URL>
  Specify the location URL to copy file. Both IPv4 and IPv6 formats are supported.
  tftp://<hostname|IPv4/IPv6>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
  sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]>/path/file

Usage Guidelines
The NX9500 and NX9510 model service platforms (NOC) provide granular and robust analytic reporting for an RFS4000 or RFS6000 device managed network. The data analyzed is collected at intervals specified by the administrator.
To enable data analytics, procure and apply a separate hot spare analytics license at the NOC. The license restricts the number of access point streams processed at the NOC or forwarded to partner systems for further processing. The analytics feature can be turned on at select APs by enabling them in configuration. This way the customer can enable analytics on a select set of APs and not the entire system, as long as the number of APs on which it is enabled is less than or equal to the total number of AP analytics licenses available at the NOC controller.
In an NOC managed network, the analytics engine parses and processes Smart RF events as they are received. The analytics engine parses the new channel and power information from the Smart RF event, as opposed to retrieving the event from the devices themselves.

Syntax (Global Config Mode)
service
service [set|show cli]
service set [command-history <10-300>|upgrade-history <10-100>|reboot-history <10-100>|virtual-machine-history <10-200>] {on <DEVICE-NAME>}
service show cli

Parameters (Global Config Mode)
• service set [command-history <10-300>|upgrade-history <10-100>|reboot-history <10-100>|virtual-machine-history <10-200>] {on <DEVICE-NAME>}
set
  Sets the size of history files
command-history <10-300>
  Sets the size of the command history file
  • <10-300> – Specify a value from 10 - 300. The default is 200.
upgrade-history <10-100>
  Sets the size of the upgrade history file
  • <10-100> – Specify a value from 10 - 100. The default is 50.
reboot-history <10-100>
  Sets the size of the reboot history file
  • <10-100> – Specify a value from 10 - 100. The default is 50.
virtual-machine-history <10-200>
  Sets the size of the virtual-machine history file
  • <10-200> – Specify a value from 10 - 200. The default is 100.
  This command is applicable only to the NX9500 and NX9510 series service platforms. Use the no > service > set > virtual-machine-history > {on <DEVICE-NAME>} command to revert the history file size to 100.
on <DEVICE-NAME>
  Optional. Sets the size of history files on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
• service show cli
show cli
  Displays running system configuration details
  • cli – Displays the CLI tree of the current mode

Example
rfs6000-81742D>service show cli
Command mode:
  +-do
+-help [help]
  +-search
    +-WORD [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-detailed [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-only-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-skip-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
      +-skip-no [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-show
  +-commands [show commands]
  +-adoption
    +-log
      +-adoptee [show adoption log adoptee(|on DEVICE-NAME)]
        +-on
          +-DEVICE-NAME [show adoption log adoptee(|on DEVICE-NAME)]
      +-adopter [show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME)]
        +-mac
          +-AA-BB-CC-DD-EE-FF [show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME)]
            +-on
              +-DEVICE-NAME [show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME)]
--More--
rfs6000-81742D>

rfs6000-81742D#service signal abort testprocess
Sending an abort signal to testprocess
rfs6000-81742D#

nx9500-6C8809*#service show crash-info
--------------------------------------------------------------------------------
                CRASH FILE                  SIZE          LAST MODIFIED
--------------------------------------------------------------------------------
  cfgd.log_NX9500_5.9.0.0-014D.error.1     8369     Tue Apr 12 03:54:54 2017
--------------------------------------------------------------------------------
nx9500-6C8809*#

rfs6000-81742D#service show command-history
Configured size of command history is 200
  Date & Time          User      Location           Command
=====================================================================
Apr 12 09:31:41 2017   admin     192.168.13.10 22      rf-domain test
Apr 11 03:00:56 2017   admin     192.168.13.10 93      reload force
Apr 11 03:00:35 2017   admin     192.168.13.10 93      write memory
Apr 11 03:00:31 2017   admin     192.168.13.10 93      commit
Apr 11 03:00:24 2017   admin     192.168.13.10 93      no cluster name
Apr 10 21:29:50 2017   admin     192.168.13.10 93      commit
Apr 10 21:29:48 2017   admin     192.168.13.10 93      use rf-domain TechPubs
Apr 10 21:29:44 2017   admin     192.168.13.10 93      self
Apr 10 21:29:40 2017   admin     192.168.13.10 93      write memory
Apr 10 21:29:34 2017   admin     192.168.13.10 93      commit
Apr 10 21:29:27 2017   admin     192.168.13.10 93       use license WEBF
Apr 10 21:29:27 2017   admin     192.168.13.10 93       controller-managed
Apr 10 21:29:27 2017   admin     192.168.13.10 93       control-vlan 1
--More--
rfs6000-81742D#
rfs6000-81742D#service show diag stats
fan 1 (fan 1) current speed: 0 min_speed: 2000 hysteresis: 250
fan 2 (fan 2) current speed: 10320 min_speed: 2000 hysteresis: 250
fan 3 (fan 3) current speed: 10620 min_speed: 2000 hysteresis: 250
fan 4 (fan 4) current speed: 10740 min_speed: 2000 hysteresis: 250
Sensor 1 (upwind of CPU) Temperature 31.0 C
Sensor 2 (CPU die) Temperature 47.0 C
Sensor 3 (left side) Temperature 37.0 C
Sensor 4 (by FPGA) Temperature 31.0 C
Sensor 5 (front right) Temperature 30.0 C
Sensor 6 (front left) Temperature 31.0 C
rfs6000-81742D#

rfs6000-81742D#service show info
7.7M out of 8.0M available for logs.
32.9M out of 34.0M available for history.
20.4M out of 84.0M available for crashinfo.
List of Files:
adopts.log                              1.7K    Apr 12 11:20
anald.log                               1.1K    Apr 12 11:20
cfgd.log                                48.8K   Apr 12 12:35
dpd2.log                                40.1K   Apr 12 12:07
messages.log                            22.4K   Apr 12 12:27
startup.log                             6.0K    Apr 11 09:08
upgrade.log                             60.9K   Apr 12 11:40
vlan-usage.log                          0       Apr 12 12:18
command.history                         10.5K   Apr 12 09:31
reboot.history                          1.1K    Apr 11 09:07
ugrade.history                          116     Apr 11 09:05
Please export these files or delete them for more space.
rfs6000-81742D#

rfs6000-81742D#service show mac-vendor B4-C7-99-6C-88-09
B4-C7-99 : Extreme Networks
rfs6000-81742D#

nx9500-6C8809>service show upgrade-history
Configured size of upgrade history is 50
  Date & Time            Old Version     New Version     Status
=====================================================================
Apr 11 07:57:33 2017 5.9.0.0-012D 5.9.0.0-014D Successful
Mar 30 15:00:48 2017 5.9.0.0-010D 5.9.0.0-012D Successful
Mar 22 13:35:20 2017 5.9.0.0-009D 5.9.0.0-010D Successful
Mar 22 11:54:25 2017 5.8.6.0-010R 5.9.0.0-009D Successful
Feb 21 08:40:22 2017 5.8.6.0-009R 5.8.6.0-010R Successful
Feb 21 08:22:45 2017 5.8.6.0-009R 5.8.6.0-009R Failure in openssl. Verification failure.
Feb 15 10:55:00 2017 5.8.6.0-007B 5.8.6.0-009R Successful
Feb 15 10:45:40 2017 5.8.6.0-007B 5.8.6.0-008B Successful
Feb 15 10:45:07 2017 5.8.6.0-007B 5.8.6.0-007B Unable to get update file. ftpget: unexpected server response to RETR: 550 LatestBuilds/W586/NX9000.img: The system cannot find the file specified.
Feb 11 12:26:20 2017 5.8.6.0-007B 5.8.6.0-008B Successful
Feb 11 12:21:04 2017 5.8.6.0-007B 5.8.6.0-008B Successful
Feb 11 12:20:34 2017 5.8.6.0-007B 5.8.6.0-007B Unable to get update file. ftpget: bad address '1921.68.13.10'
---More--
nx9500-6C8809>
rfs6000-81742D#service show wireless reference reason-codes
 CODE  DESCRIPTION
  0    Success
  1    Unspecified Reason
  2    Previous authentication no longer valid
  3    Deauth because sending STA is leaving IBSS or ESS
  4    Disassoc due to inactivity
  5    Disassoc because AP is unable to handle all currently assoc STA
  6    Class 2 frame received from non-authenticated STA
  7    Class 3 frame received from nonassociated STA
  8    Disassoc because STA is leaving BSS
  9    STA requesting association is not authentication with corresponding STA
 10    Disassoc because info in the power capability elem is unacceptable
--More--
rfs6000-81742D#

rfs6000-81742D#service show wireless reference status-codes
 CODE  DESCRIPTION
  0   Successful
  1   Unspecified failure
 2-9  Reserved
 10   Cannot support all requested capabilities in the Capability Information field
 11   Reassociation denied due to inability to confirm that association exists
 12   Association denied due to reason outside the scope of this standard
 13   Responding STA does not support the specified authentication algorithm
 14   Received an auth frame with authentication transaction seq number out of expected sequence
 15   Authentication rejected because of challenge failure
--More--
rfs6000-81742D#

nx9500-6C8809>service show wireless config-internal
! Startup-Config-Playback Completed: Yes
no debug wireless
country-code in
nx9500-6C8809>

nx9500-6C8809>service show wireless log-internal
08:16:45.901: wlan:Starting credcache checkup/sync (credcache.c:1536)
07:56:41.900: wlan:Starting credcache checkup/sync (credcache.c:1536)
07:36:40.899: wlan:Starting credcache checkup/sync (credcache.c:1536)
07:16:32.898: wlan:Starting credcache checkup/sync (credcache.c:1536)
06:56:31.898: wlan:Starting credcache checkup/sync (credcache.c:1536)
06:36:24.897: wlan:Starting credcache checkup/sync (credcache.c:1536)
06:16:22.897: wlan:Starting credcache checkup/sync (credcache.c:1536)
05:56:18.896: wlan:Starting credcache checkup/sync (credcache.c:1536)
05:16:09.895: wlan:Starting credcache checkup/sync (credcache.c:1536)
04:56:01.894: wlan:Starting credcache checkup/sync (credcache.c:1536)
04:35:58.893: wlan:Starting credcache checkup/sync (credcache.c:1536)
04:34:41.63: config:commit done in cfgd (config.c:5382)
04:15:55.893: wlan:Starting credcache checkup/sync (credcache.c:1536)
03:55:54.891: wlan:Starting credcache checkup/sync (credcache.c:1536)
03:20:30.397: config:commit done in cfgd (config.c:5382)
03:19:50.188: config:commit done in cfgd (config.c:5382)
--More--
nx9500-6C8809>

nx9500-6C8809#service show xpath-history
********************************************************************************************************************************************
*        DATE&TIME         *           USER          *                                 XPATH                                 * DURATION(MS)*
********************************************************************************************************************************************
* Wed Apr 12 12:45:28 2017 * system @ rfs6000-81742D * wing-stats/device/B4-C7-99-6C-88-09/_internal/feature_license_request * 0           *
* Wed Apr 12 12:45:24 2017 * system @ rfs6000-81742D * wing-stats/device/B4-C7-99-6C-88-09/_internal/feature_license_request * 0           *
* Wed Apr 12 12:45:13 2017 * system @ rfs6000-81742D * wing-stats/device/B4-C7-99-6C-88-09/_internal/feature_license_request * 0           *
* Wed Apr 12 12:45:02 2017 * system                  * wing-stats/device/B4-C7-99-6C-88-09/_internal/feature_license_request * 0           *
--More--
nx9500-6C8809#

The following example shows the service > show > virtual-machine-history output on a NX9500 service platform:
nx9500-6C874D>service show virtual-machine-history
Configured size of virtual machine history is 100
  Date & Time        Virtual Machine  Event
=====================================================
Jan 16 05:39:46 2017  Domain-0         autostart
Jan 10 03:47:09 2017  Domain-0         autostart
Jan 02 05:53:48 2017  Domain-0         autostart
Dec 27 10:52:59 2016  Domain-0         autostart
Oct 14 05:56:14 2016  Domain-0         autostart
Oct 14 03:01:48 2016  Domain-0         autostart
Oct 12 04:11:52 2016  Domain-0         autostart
Sep 30 04:41:08 2016  Domain-0         autostart
--More--
nx9500-6C874D>

rfs4000-229D58#service show fib6
-------------------------------------------------------------------------------
Route Table ID : 254
  ::1/128
    Next Hop: ::              Interface: lo               Route Type: ROUTE_TYPE_CONNECT   Route Status: ROUTE_STATUS_KERNEL  Metric: 0 Distance: 0
  fe80::/64
    Next Hop: ::              Interface: vlan2            Route Type: ROUTE_TYPE_CONNECT   Route Status: ROUTE_STATUS_KERNEL  Metric: 256 Distance: 0
  2001::/64
    Next Hop: 2001::6         Interface:                  Route Type: ROUTE_TYPE_STATIC    Route Status: ROUTE_STATUS_PENDING Metric: 256 Distance: 1
rfs4000-229D58#

Examples for the service > wireless > meshpoint command.
The following example displays meshpoint modules:
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C
       | SUBZONE
       | 0    1    2    3    4    5    6    7
-------+-----------------------------------------
  ZONE |
       | GEN  TX   RX   BEA  TXF
 2-LLC | 0    0    0    0    0
       | GEN  TX   RX   NBR  LQM  LSA
 3-ND  | 0    0    0    0    0    0
       | GEN
 4-ORL | 0
       | GEN  TX   RX   HEL  PRO
 5-LQ  | 0    0    0    0    0
       | GEN
 6-PS  | 0
       | GEN  ROOT NBR  REC
 7-RS  | 0    0    0    0
       | GEN
 8-IA  | 0
       | GEN  SET  GET
11-MGT | 0    0    0
       | GEN  RX   TX   R0   LMST LSUP LKEY KEY
13-LSA | 0    0    0    0    0    0    0    0
       | GEN  SCAN TRIG
14-ACS | 0    0    0
       | GEN
15-EAP | 0
       | GEN
16-L2P | 0
ROOT1-ap81xx-71174C#

In the preceding example,
• The meshpoint name is mesh_root
• The device on which the command is executed is ROOT1-ap81xx-71174C
• The vertical ZONE column represents meshpoint modules. For example, 3-ND represents the Neighbor Discovery module.
• The SUBZONE 0 to 7 represents the available processes for each of the zonal modules.
• Debugging is disabled for all modules for the mesh_root meshpoint. A value of 0 (Zero) represents debugging disabled.

To enable meshpoint module debugging, specify the module number and the process number separated by a period (.), and then specify the debugging level from 0 - 7.
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 3.2 7
In the preceding command,
• The meshpoint module number provided is 3 (ND)
• The process number provided is 2 (RX - Received signals from neighbors)
• The debugging level provided is 7 (highest level - warning)

ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C
       | SUBZONE
       | 0    1    2    3    4    5    6    7
-------+-----------------------------------------
  ZONE |
       | GEN  TX   RX   BEA  TXF
 2-LLC | 0    0    0    0    0
       | GEN  TX   RX   NBR  LQM  LSA
 3-ND  | 0    0    7(D) 0    0    0
       | GEN
 4-ORL | 0
       | GEN  TX   RX   HEL  PRO
 5-LQ  | 0    0    0    0    0
       | GEN
 6-PS  | 0
       | GEN  ROOT NBR  REC
 7-RS  | 0    0    0    0
       | GEN
 8-IA  | 0
       | GEN  SET  GET
11-MGT | 0    0    0
       | GEN  RX   TX   R0   LMST LSUP LKEY KEY
13-LSA | 0    0    0    0    0    0    0    0
       | GEN  SCAN TRIG
14-ACS | 0    0    0
       | GEN
15-EAP | 0
       | GEN
16-L2P | 0
ROOT1-ap81xx-71174C#

In the preceding example, level 7 debugging has been enabled only for the ND module’s received signals.
Note that debugging for all other modules and processes is still disabled.
To disable debugging for all modules, specify 0 (zero) in the command. For example:
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 0

To enable debugging for all modules, specify the debugging level number. For example:
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 5
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C
       | SUBZONE
       | 0    1    2    3    4    5    6    7
-------+-----------------------------------------
  ZONE |
       | GEN  TX   RX   BEA  TXF
 2-LLC | 5(N) 5(N) 5(N) 5(N) 5(N)
       | GEN  TX   RX   NBR  LQM  LSA
 3-ND  | 5(N) 5(N) 5(N) 5(N) 5(N) 5(N)
       | GEN
 4-ORL | 5(N)
       | GEN  TX   RX   HEL  PRO
 5-LQ  | 5(N) 5(N) 5(N) 5(N) 5(N)
       | GEN
 6-PS  | 5(N)
       | GEN  ROOT NBR  REC
 7-RS  | 5(N) 5(N) 5(N) 5(N)
       | GEN
 8-IA  | 5(N)
       | GEN  SET  GET
11-MGT | 5(N) 5(N) 5(N)
       | GEN  RX   TX   R0   LMST LSUP LKEY KEY
13-LSA | 5(N) 5(N) 5(N) 5(N) 5(N) 5(N) 5(N) 5(N)
       | GEN  SCAN TRIG
14-ACS | 5(N) 5(N) 5(N)
       | GEN
15-EAP | 5(N)
       | GEN
16-L2P | 5(N)
ROOT1-ap81xx-71174C#

rfs4000-1BE644#service show ssh-authorized-keys
'extreme@extreme-quadcore'
rfs4000-1BE644#

rfs4000-1BE644#service load-ssh-autorized-keys "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPERY9aTibRYlFMnERTYP2iyylJ00YElxjUElY7Zm9Ky2yeSmg15UKerJ+IP161Gdm0AoEfXyeheRntK+Z6NWHa341RWJ0UrQMcp7hSEE5jbDpLKJOuEoW22Ag45BZzMV7EnM7lHowboNsQhSzX5uBBlVViWlBxBqDroX4BcuB/CFugezHTt95UQ2ZRUfHvePS6jQdOArf1alwk0Slcsz4HNSl5KDutJ4VY+6vRvlf5Gy/3GNehMwNsmsRKK4UVKV5RpuuKIjkbZE+goPFAKYVPNmZngjaOyDfvNGE7JIwmYlti/AId6tv2zAbM4qSomWAgUOO0hkXS9m4m74FnHPr extreme@extreme-quadcore"
Successfully added the ssh key
rfs4000-1BE644#

rfs4000-1BE644#no service load-ssh-autorized-keys rfs4000-1BE644
Successfully removed the ssh key
rfs4000-1BE644#

nx9500-6C8809#service show diag fds
Process  open fds
cfgd      86
nx9500-6C8809#

nx9500-6C8809#service show diag pkts
Date: 11-4-2016, Time: 8:41:08.501033, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1
Loop reason: Unknown(540)
TRUNCATED BB-7C-4D-80-C2-AC > 10-01-00-D2-68-99 at 64 bytes
Date: 11-4-2016, Time: 8:41:08.707631, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1
Loop reason: Unknown(540)
TRUNCATED BB-7C-4D-80-C2-AC > 10-01-00-D2-68-99 at 64 bytes
Date: 11-4-2016, Time: 8:41:08.830963, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1
Loop reason: Unknown(540)
TRUNCATED BB-7C-4D-83-30-A4 > 10-01-00-42-68-99 at 64 bytes
--More--
nx9500-6C8809#

nx9500-6C8809#service clear diag pkts
nx9500-6C8809#service show diag pkts
nx9500-6C8809#

nx9500-6C8809#service show diag psu
PSU1 (upper): status unplugged
PSU2 (lower): status normal
nx9500-6C8809#

The following examples show the purging of users from the guest-registration database:
nx7500-112233#service guest-registration delete ?
  all                 Delete all users
  email               Email address
  group               Group
  mac                 MAC address
  mobile              Mobile phone number
  name                Full name
  offline-for         Specify minimum amount of time offline
  otp-incomplete-for  Specify minimum amount of time registration with
                      one-time-passcode incomplete
  social              Social site used to log in
  wlan                Wireless LAN
nx7500-112233#

Purges users belonging to a specified RADIUS group.
nx7500-112233#service guest-registration delete group mac_reg_gr1
delete user status: delete users matching a group will take time, please wait
nx7500-112233#

Purges users using social-site (Facebook or Google) credentials to login.
nx7500-112233#service guest-registration delete social facebook
delete user status: delete users matching a social category will take time, please wait
nx7500-112233#

Purges users inactive for a specified time period.
nx7500-112233#service guest-registration delete offline-for days 5
delete user status: Deleting users offline for minimum 5 days. This will take time, please wait
nx7500-112233#

Purges users who have failed to complete registration using the one-time-passcode (OTP) within a specified time period.
nx7500-112233#service guest-registration delete otp-incomplete-for days 5
delete user status: Deleting registration with one-time-passcode incomplete for minimum 5 days. This will take time, please wait
nx7500-112233#

The following example displays IP ACLs to WLAN mapping summary on the ‘TechPubs’ RF Domain:
nx9500-6C8809#service show ip-access-list wlan TechPubs status
Reporting Device: ap7131-99BB7C - success
Reporting Device: ap7532-80C2AC - success
Reporting Device: ap7562-84A224 - success
Reporting Device: nx9500-6C8809 - success
Reporting Device: ap8132-74B45C - success
Total reporting devices: 5
nx9500-6C8809#

Consider an RF Domain (name guest-domain) with 3 APs adopted to a controller. The CLI output for the service > show > ip-access-list command in this setup varies for different scenarios, as shown in the following examples:

Scenario 1: Executing the command on a device (access point).
AP01#service show ip-access-list wlan status
Reporting Device: AP01 - fail
WLAN: XPO-Guest-PSK
  use ip-access-list in guest_access_inbound : fail
Total reporting devices: 1
AP01#
AP01#service show ip-access-list wlan status detail
================================================================================
Reporting Device: AP01
--------------------------------------------------------------------------------
WLAN: XPO-Guest-PSK
  use ip-access-list in guest_access_inbound : fail
  use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
WLAN: PartnerNet
  use ip-access-list in default : success
  use ip-access-list out default : success
--------------------------------------------------------------------------------
Total reporting devices: 1
AP01#

Scenario 2: IP ACL to WLAN mapping is successful for all APs in a specified RF Domain.
SW01#service show ip-access-list wlan status on guest-domain
Reporting Device: AP01 - success
Reporting Device: AP02 - success
Reporting Device: AP03 - success
Total reporting devices: 3
SW01#

Scenario 3: IP ACL has failed in dataplane due to unknown reasons.
SW01#service show ip-access-list wlan status on guest-domain
Reporting Device: AP01 - fail
WLAN: XPO-Guest-PSK
  use ip-access-list in guest_access_inbound : fail
Reporting Device: AP02 - success
Reporting Device: AP03 - success
Total reporting devices: 3
SW01#service show ip-access-list wlan status detail on guest-domain
================================================================================
Reporting Device: AP01
--------------------------------------------------------------------------------
WLAN: XPO-Guest-PSK
  use ip-access-list in guest_access_inbound : fail
  use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
WLAN: PartnerNet
  use ip-access-list in guest_access_inbound : success
  use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
================================================================================
Reporting Device: AP02
--------------------------------------------------------------------------------
WLAN: PartnerNet
  use ip-access-list in guest_access_inbound : success
  use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
================================================================================
Reporting Device: AP03
--------------------------------------------------------------------------------
WLAN: PartnerNet
  use ip-access-list in guest_access_inbound : success
  use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
Total reporting devices: 3
SW01#

Scenario 4: AP in RF Domain is unreachable or does not support this functionality.
SW01#service show ip-access-list wlan status on guest-domain
Reporting Device: AP01 - unreachable
Reporting Device: AP02 - success
Reporting Device: AP03 - success
Total reporting devices: 3
SW01#
SW01#service show ip-access-list wlan status detail on guest-domain
================================================================================
Reporting Device: AP01
Timed out waiting for remote device: xpath=wing-stats/device/00-23-68-0B-86-38/firewall/ip_acl_intf_status/wlan[mac='*']
================================================================================
Reporting Device: AP02
--------------------------------------------------------------------------------
WLAN: PartnerNet
  use ip-access-list in guest_access_inbound : success
  use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
================================================================================
Reporting Device: AP03
--------------------------------------------------------------------------------
WLAN: PartnerNet
COMMON COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 57  use ip-access-list in guest_access_inbound : success  use ip-access-list out BC-MC-CONTROL : success--------------------------------------------------------------------------------Total reporting devices: 3
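
The status output in Scenarios 3 and 4 can be checked automatically so that an AP whose ACL did not load, or that did not answer, is not overlooked. The following Python script is an added example, not part of the Extreme Networks guide: it parses the summary or detail output and lists every AP or WLAN ACL binding whose status is not success. The function names and the optional expected-AP set are assumptions; the sample text is transcribed from the two scenarios, with the rule lines shortened.

```python
import re

# Line shapes taken from the status output shown in Scenarios 3 and 4.
DEVICE_RE = re.compile(r"^Reporting Device:\s*(\S+)(?:\s+-\s+(\w+))?$")
WLAN_RE = re.compile(r"^WLAN:\s*(\S.*)$")
ACL_RE = re.compile(r"^use ip-access-list (in|out) (\S+)\s*:\s*(\w+)$")
TOTAL_RE = re.compile(r"^Total reporting devices:\s*(\d+)$")
TIMEOUT_PREFIX = "Timed out waiting for remote device"


def parse_acl_status(text):
    """Parse summary or detail output into per-device ACL binding statuses."""
    devices, total = {}, None
    entry = wlan = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEVICE_RE.match(line)
        if m:
            entry = devices.setdefault(m.group(1), {"summary": None, "acls": []})
            if m.group(2):
                entry["summary"] = m.group(2)
            wlan = None
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        if entry is None:
            continue  # prompt and rule lines before the first device
        if line.startswith(TIMEOUT_PREFIX):
            # The detail view prints a timeout instead of a status word.
            entry["summary"] = "unreachable"
            continue
        m = WLAN_RE.match(line)
        if m:
            wlan = m.group(1)
            continue
        m = ACL_RE.match(line)
        if m and wlan:
            entry["acls"].append((wlan, m.group(1), m.group(2), m.group(3)))
    return {"devices": devices, "total": total}


def audit(report, expected_aps=None):
    """Return (device, wlan, direction, acl, status) tuples needing attention."""
    findings = []
    for name, entry in report["devices"].items():
        if entry["summary"] not in (None, "success"):
            findings.append((name, None, None, None, entry["summary"]))
        for wlan, direction, acl, status in entry["acls"]:
            if status != "success":
                findings.append((name, wlan, direction, acl, status))
    seen = set(report["devices"])
    # An AP that never reports matters as much as one that reports "fail".
    # expected_aps is a hypothetical inventory supplied by the caller.
    for name in sorted(set(expected_aps or ()) - seen):
        findings.append((name, None, None, None, "missing"))
    if report["total"] is not None and report["total"] != len(seen):
        findings.append(("*", None, None, None, "count-mismatch"))
    return findings


# Transcribed from Scenario 3 (summary view).
SCENARIO_3_SUMMARY = """\
SW01#service show ip-access-list wlan status on guest-domain
Reporting Device: AP01 - fail
WLAN: XPO-Guest-PSK
  use ip-access-list in guest_access_inbound : fail
Reporting Device: AP02 - success
Reporting Device: AP03 - success
Total reporting devices: 3
"""

# Transcribed from Scenario 4 (detail view), rule lines shortened.
SCENARIO_4_DETAIL = """\
SW01#service show ip-access-list wlan status detail on guest-domain
========
Reporting Device: AP01
Timed out waiting for remote device: xpath=wing-stats/device/00-23-68-0B-86-38/firewall/ip_acl_intf_status/wlan[mac='*']
========
Reporting Device: AP02
--------
WLAN: PartnerNet
  use ip-access-list in guest_access_inbound : success
  use ip-access-list out BC-MC-CONTROL : success
--------
========
Reporting Device: AP03
--------
WLAN: PartnerNet
  use ip-access-list in guest_access_inbound : success
  use ip-access-list out BC-MC-CONTROL : success
--------
Total reporting devices: 3
"""

if __name__ == "__main__":
    for label, text in (("scenario 3", SCENARIO_3_SUMMARY),
                        ("scenario 4", SCENARIO_4_DETAIL)):
        for finding in audit(parse_acl_status(text)):
            print(label, finding)
```

Any status word other than success is reported, so a status this page does not list still surfaces as a finding.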

5.1.8 show

Displays specified system component settings. There are a number of ways to invoke the show command:
• When invoked without any arguments, it displays information about the current context. If the current context contains instances, the show command (usually) displays a list of these instances.
• When invoked with the display parameter, it displays information about that component.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show <PARAMETERS>

Parameters
• show <PARAMETERS>

show <PARAMETERS>    The show command displays configuration details based on the configuration mode in which the command is executed and the parameters passed. For example, when executed in the AAA policy configuration mode, it displays the logged AAA policy’s current settings. The example below shows the configuration details that can be viewed in the Priv Executable mode.

Example
nx9500-6C8809#show ?
  adoption                    Adoption related information
  bluetooth                   Bluetooth Configuration/Statistics commands
  bonjour                     Bonjour Gateway related commands
  boot                        Display boot configuration.
  captive-portal              Captive portal commands
  captive-portal-page-upload  Captive portal internal and advanced page upload
  cdp                         Cisco Discovery Protocol
  classify-url                Query the category of an URL
  clock                       Display system clock
  cluster                     Cluster Protocol
  cmp-factory-certs           Display the CMP certificate status
  commands                    Show command lists
  context                     Information about current context
  critical-resources          Critical Resources
  crypto                      Encryption related commands
  database                    Database
  debug                       Debugging functions
  debugging                   Debugging functions
  device-upgrade              Device Upgrade
  dot1x                       802.1X
  dpi                         Deep Packet Inspection
  eguest                      Registration EGuest process
  environmental-sensor        Display Environmental Sensor Module status
  event-history               Display event history
  event-system-policy         Display event system policy
  ex3500                      EX3500 device details
  extdev                      External device (T5, Ex3500..)
  file                        Display filesystem information
  file-sync                   File sync between controller and adoptees
  firewall                    Wireless Firewall
  global                      Global-level information
  gre                         Show l2gre tunnel info
  guest-notification-config   Show guest-notification information
  guest-registration          Guest registration commands
  interface                   Interface Configuration/Statistics commands
  ip                          Internet Protocol (IP)
  ip-access-list              IP ACL
  ipv6                        Internet Protocol version 6 (IPv6)
  ipv6-access-list            IPV6 ACL
  l2tpv3                      L2TPv3 information
  lacp                        LACP commands
  ldap-agent                  LDAP Agent Configuration
  licenses                    Show installed licenses and usage
  lldp                        Link Layer Discovery Protocol
  logging                     Show logging information
  mac-access-list             MAC ACL
  mac-address-table           Display MAC address table
  mac-auth                    MAC authentication
  mac-auth-clients            MAC authenticated clients
  mint                        MiNT protocol
  mirroring                   Show mirroring sessions
  nsight                      Nsight Server Module
  ntp                         Network time protocol
  password-encryption         Pasword encryption
  pppoe-client                PPP Over Ethernet client
  privilege                   Show current privilege level
  radius                      RADIUS statistics commands
  raid                        Show RAID status
  reload                      Scheduled reload information
  remote-debug                Show details of remote debug sessions
  rf-domain-manager           Show RF Domain Manager selection details
  role                        Role based firewall
  route-maps                  Display Route Map Statistics
  rtls                        RTLS Statistics
  running-config              Current operating configuration
  session-changes             Configuration changes made in this session
  session-config              This session configuration
  sessions                    Display sessions
  site-config-diff            Difference between site configuration on the NOC
                              and actual site configuration
  slot                        Expansion slots stats
  smart-rf                    Smart-RF Management Commands
  spanning-tree               Display spanning tree information
  startup-config              Startup configuration
  t5                          Display T5 inventory information
  terminal                    Display terminal configuration parameters
  timezone                    The timezone
  traffic-shape               Display traffic shaping
  upgrade-status              Display last image upgrade status
  version                     Display software & hardware version
  virtual-machine             Virtual Machine
  vrrp                        VRRP protocol
  web-filter                  Web filter
  what                        Perform global search
  wireless                    Wireless commands
  wwan                        Display wireless WAN Status
nx9500-6C8809#

NOTE: For more information on the show command, see Chapter 6, SHOW COMMANDS.

5.1.9 write

Writes the system running configuration to memory or terminal.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
write [memory|terminal]

Parameters
• write [memory|terminal]

memory      Writes to the non-volatile (NV) memory
terminal    Writes to the terminal

Example
nx9500-6C8809>write memory
[OK]
nx9500-6C8809>

6 SHOW COMMANDS

Show commands display configuration settings or statistical information. Use this command to view the current running configuration as well as the start-up configuration. The show command also displays the current context’s configuration.

This chapter describes the ‘show’ CLI commands used in the USER EXEC, PRIV EXEC, and GLOBAL CONFIG modes. Commands entered in either USER EXEC mode or PRIV EXEC mode are referred to as EXEC mode commands. If a user or privilege is not specified, the referenced command can be entered in either mode.

This chapter also describes the ‘show’ commands in the ‘GLOBAL CONFIG’ mode. The commands can be entered in all three modes, except commands like file, IP access list statistics, MAC access list statistics, and upgrade statistics, which cannot be entered in the USER EXEC mode.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

6.1 show commands

The following table summarizes show commands:

Table 6.1 Show Commands

| Command | Description | Reference |
|---|---|---|
| show | Displays settings for the specified system component | page 6-5 |
| adoption | Displays information related to adoption | page 6-10 |
| bluetooth | Displays Bluetooth radio statistics for RF Domain member access points | page 6-14 |
| boot | Displays a device boot configuration | page 6-16 |
| bonjour | Displays the configured Bonjour services available on local and remote sites | page 6-17 |
| captive-portal | Displays WLAN hotspot functions | page 6-18 |
| captive-portal-page-upload | Displays captive portal page related information | page 6-20 |
| cdp | Displays a Cisco Discovery Protocol (CDP) neighbor table | page 6-22 |
| classify-url | Queries a specified global data center or a pre-configured classification server for the category of a specified URL. | page 6-24 |
| clock | Displays the software system clock | page 6-25 |
| cluster | Displays cluster commands | page 6-26 |
| cmp-factory-certs | Displays factory installed CMP certificates | page 6-28 |
| commands | Displays command list | page 6-29 |
| context | Displays information about the current context | page 6-30 |
| critical-resources | Displays critical resource information | page 6-31 |
| crypto | Displays encryption mode information | page 6-32 |
| database | Displays database-related statistics and status | page 6-35 |
| device-upgrade | Displays device firmware upgradation information for devices adopted by a wireless controller or access point | page 6-37 |
| dot1x | Displays dot1x information on interfaces | page 6-39 |
| dpi | Displays statistics for all configured and canned applications | page 6-41 |
| eguest | Displays EGuest server status and EGuest registration statistics | page 6-44 |
| environmental-sensor | Displays environmental sensor’s historical data (applicable only to AP8132) | page 6-45 |
| event-history | Displays event history | page 6-48 |
| event-system-policy | Displays event system policy configuration information | page 6-49 |
| ex3500 | Displays EX3500-related statistical data | page 6-50 |
| extdev | Displays external device (T5 or EX3500) configuration error history | page 6-53 |
| file-sync | Displays file synchronization settings and status on a controller. The file-sync command syncs trustpoint/wireless-bridge certificate between the staging-controller and its adopted access points | page 6-54 |
| firewall | Displays wireless firewall information | page 6-56 |
| global | Displays global information for network devices based on the parameters passed | page 6-60 |
| gre | Displays GRE tunnel related information | page 6-62 |
| guest-registration | Displays guest registration statistics based on the option and time entered | page 6-63 |
| interface | Displays interface status | page 6-71 |
| ip | Displays IP related information | page 6-75 |
| ip-access-list | Displays IP access list statistics | page 6-82 |
| ipv6 | Displays IPv6 related information | page 6-84 |
| ipv6-access-list | Displays IPv6 access list statistics | page 6-88 |
| l2tpv3 | Displays Layer 2 Tunnel Protocol Version 3 (L2TPV3) information | page 6-89 |
| lacp | Displays Link Aggregation Control Protocol (LACP) related information | page 6-92 |
| ldap-agent | Displays an LDAP agent’s join status (join status to an LDAP server domain) | page 6-95 |
| licenses | Displays installed licenses and usage information | page 6-96 |
| lldp | Displays Link Layer Discovery Protocol (LLDP) information | page 6-99 |
| logging | Displays logging information | page 6-100 |
| mac-access-list | Displays MAC access list statistics | page 6-101 |
| mac-address-table | Displays MAC address table entries | page 6-102 |
| mac-auth | Displays details of wired ports that have MAC address-based authentication enabled | page 6-103 |
| mac-auth-clients | Displays MAC-authenticated clients based on the parameters passed | page 6-105 |
| mint | Displays MiNT protocol configuration commands | page 6-107 |
| nsight | Displays NSight module related statistics and also displays the database server status (reachable or not) | page 6-111 |
| ntp | Displays Network Time Protocol (NTP) information | page 6-112 |
| password-encryption | Displays password encryption status | page 6-114 |
| pppoe-client | Displays Point to Point Protocol over Ethernet (PPPoE) client information | page 6-115 |
| privilege | Displays current privilege level information | page 6-116 |
| radius | Displays the amount of access time consumed and the access time remaining for all guest users configured on a RADIUS server | page 6-117 |
| reload | Displays scheduled reload information | page 6-119 |
| rf-domain-manager | Displays RF Domain manager selection details | page 6-120 |
| role | Displays role-based firewall information | page 6-121 |
| route-maps | Displays route map statistics | page 6-122 |
| rtls | Displays Real Time Location Service (RTLS) statistics of access points | page 6-123 |
| running-config | Displays configuration file contents | page 6-125 |
| session-changes | Displays configuration changes made in this session | page 6-132 |
| session-config | Displays a list of currently active open sessions on the device | page 6-133 |
| sessions | Displays CLI sessions | page 6-134 |
| site-config-diff | Displays the difference between site configuration available on NOC and the actual site configuration | page 6-135 |
| smart-rf | Displays Smart RF management commands | page 6-136 |
| spanning-tree | Displays spanning tree information | page 6-140 |
| startup-config | Displays complete startup configuration script on the console | page 6-142 |
| t5 | Displays adopted T5 controller details. This command is applicable only on the RFS4000, RFS6000, NX9500, NX9510, and VX9000. | page 6-143 |
| terminal | Displays terminal configuration parameters | page 6-151 |
| timezone | Displays timezone information for the system and managed devices | page 6-152 |
| traffic-shape | Displays traffic-shaping related configuration details and statistics | page 6-153 |
| upgrade-status | Displays image upgrade status | page 6-155 |
| version | Displays a device’s software and hardware version | page 6-156 |
| vrrp | Displays Virtual Router Redundancy Protocol (VRRP) protocol details | page 6-157 |
| web-filter | Displays pre-configured, in-built Web filter options available. These options are: category (URL category), category-types, filter-level, etc. This command also displays Web filter statistics and status. | page 6-159 |
| what | Displays details of a specified search phrase | page 6-161 |
| wireless | Displays wireless configuration parameters | page 6-162 |
| wwan | Displays the wireless WAN status | page 6-185 |
| virtual-machine | Displays the virtual-machine (VM) configuration, logs, and statistics | page 6-186 |
| raid | Displays Redundant Array of Independent Disks (RAID) related information, such as array status, consistency check status, and RAID log. | page 6-189 |

6.1.1 show

The show command displays the following information:
• A device’s current configuration
• A device’s start-up configuration
• A device’s current context configuration, such as profiles and policies

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show <PARAMETERS>

Parameters
• show <PARAMETERS>

show <PARAMETERS>    The show command displays configuration details based on the configuration mode in which the command is executed and the parameters passed. For example, when executed in the AAA policy configuration mode, it displays the logged AAA policy’s current settings. The examples below show the configuration parameters that can be viewed in the User Executable, Priv Executable, and Global Configurable modes.

Example
The following examples list the show commands in the User Exec, Priv Exec, and Global Config modes:

GLOBAL CONFIG Mode
<DEVICE>(config)#show ?
  adoption                    Adoption related information
  bluetooth                   Bluetooth Configuration/Statistics commands
  bonjour                     Bonjour Gateway related commands
  boot                        Display boot configuration.
  captive-portal              Captive portal commands
  captive-portal-page-upload  Captive portal internal and advanced page upload
  cdp                         Cisco Discovery Protocol
  classify-url                Query the category of an URL
  clock                       Display system clock
  cluster                     Cluster Protocol
  cmp-factory-certs           Display the CMP certificate status
  commands                    Show command lists
  context                     Information about current context
  critical-resources          Critical Resources
  crypto                      Encryption related commands
  database                    Database
  debug                       Debugging functions
  debugging                   Debugging functions
  device-upgrade              Device Upgrade
  dot1x                       802.1X
  dpi                         Deep Packet Inspection
  eguest                      ExtremeGuest
  environmental-sensor        Display Environmental Sensor Module status
  event-history               Display event history
  event-system-policy         Display event system policy
  ex3500                      EX3500 device details
  extdev                      External device (T5, Ex3500..)
  file                        Display filesystem information
  file-sync                   File sync between controller and adoptees
  firewall                    Wireless Firewall
  global                      Global-level information
  gre                         Show l2gre tunnel info
  guest-notification-config   Show guest-notification information
  guest-registration          Guest registration commands
  interface                   Interface Configuration/Statistics commands
  ip                          Internet Protocol (IP)
  ip-access-list              IP ACL
  ipv6                        Internet Protocol version 6 (IPv6)
  ipv6-access-list            IPV6 ACL
  l2tpv3                      L2TPv3 information
  lacp                        LACP commands
  ldap-agent                  LDAP Agent Configuration
  licenses                    Show installed licenses and usage
  lldp                        Link Layer Discovery Protocol
  logging                     Show logging information
  mac-access-list             MAC ACL
  mac-address-table           Display MAC address table
  mac-auth                    MAC authentication
  mac-auth-clients            MAC authenticated clients
  mint                        MiNT protocol
  mirroring                   Show mirroring sessions
  nsight                      Nsight Server Module
  ntp                         Network time protocol
  password-encryption         Pasword encryption
  pppoe-client                PPP Over Ethernet client
  privilege                   Show current privilege level
  radius                      RADIUS statistics commands
  raid                        Show RAID status
  reload                      Scheduled reload information
  remote-debug                Show details of remote debug sessions
  rf-domain-manager           Show RF Domain Manager selection details
  role                        Role based firewall
  route-maps                  Display Route Map Statistics
  rtls                        RTLS Statistics
  running-config              Current operating configuration
  session-changes             Configuration changes made in this session
  session-config              This session configuration
  sessions                    Display sessions
  site-config-diff            Difference between site configuration on the NOC
                              and actual site configuration
  slot                        Expansion slots stats
  smart-rf                    Smart-RF Management Commands
  spanning-tree               Display spanning tree information
  startup-config              Startup configuration
  t5                          Display T5 inventory information
  terminal                    Display terminal configuration parameters
  timezone                    The timezone
  traffic-shape               Display traffic shaping
  upgrade-status              Display last image upgrade status
  version                     Display software & hardware version
  virtual-machine             Virtual Machine
  vrrp                        VRRP protocol
  web-filter                  Web filter
  what                        Perform global search
  wireless                    Wireless commands
  wwan                        Display wireless WAN Status
<DEVICE>(config)#

rfs6000-81742D(config)#show clock
2017-04-06 15:49:10 IST
rfs6000-81742D(config)#

PRIVILEGE EXEC Mode
<DEVICE>#show ?
  adoption                    Adoption related information
  bluetooth                   Bluetooth Configuration/Statistics commands
  bonjour                     Bonjour Gateway related commands
  boot                        Display boot configuration.
  captive-portal              Captive portal commands
  captive-portal-page-upload  Captive portal internal and advanced page upload
  cdp                         Cisco Discovery Protocol
  classify-url                Query the category of an URL
  clock                       Display system clock
  cluster                     Cluster Protocol
  cmp-factory-certs           Display the CMP certificate status
  commands                    Show command lists
  context                     Information about current context
  critical-resources          Critical Resources
  crypto                      Encryption related commands
  database                    Database
  debug                       Debugging functions
  debugging                   Debugging functions
  device-upgrade              Device Upgrade
  dot1x                       802.1X
  dpi                         Deep Packet Inspection
  eguest                      ExtremeGuest
  environmental-sensor        Display Environmental Sensor Module status
  event-history               Display event history
  event-system-policy         Display event system policy
  ex3500                      EX3500 device details
  extdev                      External device (T5, Ex3500..)
  file                        Display filesystem information
  file-sync                   File sync between controller and adoptees
  firewall                    Wireless Firewall
  global                      Global-level information
  gre                         Show l2gre tunnel info
  guest-notification-config   Show guest-notification information
  guest-registration          Guest registration commands
  interface                   Interface Configuration/Statistics commands
  ip                          Internet Protocol (IP)
  ip-access-list              IP ACL
  ipv6                        Internet Protocol version 6 (IPv6)
  ipv6-access-list            IPV6 ACL
  l2tpv3                      L2TPv3 information
  lacp                        LACP commands
  ldap-agent                  LDAP Agent Configuration
  licenses                    Show installed licenses and usage
  lldp                        Link Layer Discovery Protocol
  logging                     Show logging information
  mac-access-list             MAC ACL
  mac-address-table           Display MAC address table
  mac-auth                    MAC authentication
  mac-auth-clients            MAC authenticated clients
  mint                        MiNT protocol
  mirroring                   Show mirroring sessions
  nsight                      Nsight Server Module
  ntp                         Network time protocol
  password-encryption         Pasword encryption
  pppoe-client                PPP Over Ethernet client
  privilege                   Show current privilege level
  radius                      RADIUS statistics commands
  raid                        Show RAID status
  reload                      Scheduled reload information
  remote-debug                Show details of remote debug sessions
  rf-domain-manager           Show RF Domain Manager selection details
  role                        Role based firewall
  route-maps                  Display Route Map Statistics
  rtls                        RTLS Statistics
  running-config              Current operating configuration
  session-changes             Configuration changes made in this session
  session-config              This session configuration
  sessions                    Display sessions
  site-config-diff            Difference between site configuration on the NOC
                              and actual site configuration
  slot                        Expansion slots stats
  smart-rf                    Smart-RF Management Commands
  spanning-tree               Display spanning tree information
  startup-config              Startup configuration
  t5                          Display T5 inventory information
  terminal                    Display terminal configuration parameters
  timezone                    The timezone
  traffic-shape               Display traffic shaping
  upgrade-status              Display last image upgrade status
  version                     Display software & hardware version
  virtual-machine             Virtual Machine
  vrrp                        VRRP protocol
  web-filter                  Web filter
  what                        Perform global search
  wireless                    Wireless commands
  wwan                        Display wireless WAN Status
<DEVICE>#

rfs6000-81742D#show terminal
Terminal Type: xterm
Length: 24     Width: 80
rfs6000-81742D#

USER EXEC Mode
<DEVICE>>show ?
  adoption                    Adoption related information
  bluetooth                   Bluetooth Configuration/Statistics commands
  bonjour                     Bonjour Gateway related commands
  boot                        Display boot configuration.
  captive-portal              Captive portal commands
  captive-portal-page-upload  Captive portal internal and advanced page upload
  cdp                         Cisco Discovery Protocol
  classify-url                Query the category of an URL
  clock                       Display system clock
  cluster                     Cluster Protocol
  cmp-factory-certs           Display the CMP certificate status
  commands                    Show command lists
  context                     Information about current context
  critical-resources          Critical Resources
  crypto                      Encryption related commands
  database                    Database
  debug                       Debugging functions
  debugging                   Debugging functions
  device-upgrade              Device Upgrade
  dot1x                       802.1X
  dpi                         Deep Packet Inspection
  eguest                      ExtremeGuest
  environmental-sensor        Display Environmental Sensor Module status
  event-history               Display event history
  event-system-policy         Display event system policy
  ex3500                      EX3500 device details
  extdev                      External device (T5, Ex3500..)
  file-sync                   File sync between controller and adoptees
  firewall                    Wireless Firewall
  global                      Global-level information
  gre                         Show l2gre tunnel info
  guest-notification-config   Show guest-notification information
  guest-registration          Guest registration commands
  interface                   Interface Configuration/Statistics commands
  ip                          Internet Protocol (IP)
  ipv6                        Internet Protocol version 6 (IPv6)
  lacp                        LACP commands
  licenses                    Show installed licenses and usage
  lldp                        Link Layer Discovery Protocol
  logging                     Show logging information
  mac-address-table           Display MAC address table
  mac-auth                    MAC authentication
  mac-auth-clients            MAC authenticated clients
  mint                        MiNT protocol
  mirroring                   Show mirroring sessions
  nsight                      Nsight Server Module
  ntp                         Network time protocol
  password-encryption         Pasword encryption
  pppoe-client                PPP Over Ethernet client
  privilege                   Show current privilege level
  radius                      RADIUS statistics commands
  raid                        Show RAID status
  rf-domain-manager           Show RF Domain Manager selection details
  role                        Role based firewall
  route-maps                  Display Route Map Statistics
  rtls                        RTLS Statistics
  running-config              Current operating configuration
  session-changes             Configuration changes made in this session
  session-config              This session configuration
  sessions                    Display sessions
  site-config-diff            Difference between site configuration on the NOC
                              and actual site configuration
  slot                        Expansion slots stats
  smart-rf                    Smart-RF Management Commands
  spanning-tree               Display spanning tree information
  startup-config              Startup configuration
  t5                          Display T5 inventory information
  terminal                    Display terminal configuration parameters
  timezone                    The timezone
  traffic-shape               Display traffic shaping
  version                     Display software & hardware version
  virtual-machine             Virtual Machine
  vrrp                        VRRP protocol
  web-filter                  Web filter
  what                        Perform global search
  wireless                    Wireless commands
  wwan                        Display wireless WAN Status
<DEVICE>>

nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
 IDX       NAME               MAC              PROFILE       RF-DOMAIN        ADOPTED-BY
---------------------------------------------------------------------------------------
  1    ap7532-80C2AC    84-24-8D-80-C2-AC   default-ap7532    TechPubs    B4-C7-99-6C-88-09
  2    ap8132-711728    B4-C7-99-71-17-28   default-ap81xx    TechPubs    B4-C7-99-6D-B5-D4
  3    t5-ED7C6C        B4-C7-99-ED-7C-6C   default-t5        TechPubs    B4-C7-99-6C-88-09
  4    rfs4000-880DA7   00-23-68-88-0D-A7   default-rfs4000   TechPubs    B4-C7-99-6C-88-09
  5    ap7131-99BB7C    00-23-68-99-BB-7C   default-ap71xx    TechPubs    B4-C7-99-6C-88-09
--More--
nx9500-6C8809(config)#

6.1.2 adoption

Displays adoption related information, and is common to the User Exec, Priv Exec, and Global Config modes.

In a hierarchically managed (HM) network, devices are deployed in two levels. The first level consists of the Network Operations Center (NOC) controllers. The second level consists of the site controllers, which can be grouped to form clusters. The NOC controllers adopt and manage the site controllers. Access points within the network are adopted and managed by the site controllers.

NOTE: A NOC controller’s capacity is equal to or higher than a site controller’s capacity. The following devices can be deployed at NOC and sites:
• NOC controller – RFS6000, NX65XX, NX9500, NX9510, or NX9600.
• Site controller – RFS6000 or RFS4000.

Use this command to confirm if a device is an adoptee or an adopter. This command also allows you to determine the devices adopted by an adopter device.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show adoption [config-errors|controllers|history|info|log|offline|pending|status|timeline]
show adoption offline
show adoption config-errors <DEVICE-NAME>
show adoption log [adoptee|adopter {<MAC>}] {on <DEVICE-NAME>}
show adoption [controllers {include-ipv6}|history|info|pending|status {summary}|timeline] {on <DEVICE-NAME>}

Parameters
• show adoption offline

adoption
    Displays adoption related information. It also displays configuration errors.
offline
    Displays non-adopted status of the logged device and its adopted access points

• show adoption config-errors <DEVICE-NAME>

adoption
    Displays adoption related information. It also displays configuration errors.
config-errors <DEVICE-NAME>
    Displays configuration errors for a specified adopted device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show adoption log [adoptee|adopter {<MAC>}] {on <DEVICE-NAME>}

adoption
    Displays adoption related information. It also displays configuration errors.
log [adoptee|adopter {MAC}] {on <DEVICE-NAME>}
    Displays adoption logs for the specified device. If no device name is specified, the system displays logs for the logged device.
    • adoptee – Displays adoption logs for adoptee devices (APs, wireless controllers, and service platforms). To view logs for a specified adoptee, specify the device’s name. If no device name is specified, the system displays logs for the logged device. If the logged device is not an adoptee, the system states that the device is a controller. For example,
      2013-01-19 22:00:13:MLCP_TAG_CLUSTER_MASTER not present and this device is a controller. Ignoring
        • on <DEVICE-NAME> – Optional. Displays adoptee status and details for the device identified by the <DEVICE-NAME> keyword
            • <DEVICE-NAME> – Specify the device’s name.
    • adopter – Displays adoption logs for adopter devices (APs, wireless controllers, and service platforms). To view logs for a specified adopter, specify the device’s name. If no device name is specified, the system displays logs for the logged device.
        • <MAC> – Optional. Filters adopters by the adoptee device’s MAC address. Specify the adoptee device’s MAC address. The system displays logs for the device that has adopted the device identified by the <MAC> keyword.
        • on <DEVICE-NAME> – Optional. Displays adopter status and details for the device identified by the <DEVICE-NAME> keyword.
            • <DEVICE-NAME> – Specify the adopter device’s name.
    A wireless controller or service platform cannot be configured as an adoptee and an adopter simultaneously. In other words, an adopted wireless controller or service platform cannot be configured to adopt another device and vice versa.

• show adoption [history|controllers {include-ipv6}|info|pending|status {summary}|timeline] {on <DEVICE-NAME>}

adoption
    Displays adoption related information. It also displays configuration errors.
controllers {include-ipv6}
    Displays information about adopted controllers. This is applicable in a hierarchically managed network, where site controllers are adopted by the NOC controllers.
    • include-ipv6 – Optional. Displays the controller’s IPv6 address, if assigned, in the output
history
    Displays adoption history of the logged device and its adopted access points
info
    Displays adopted device information
pending
    Displays information for devices pending adoption
status {summary}
    Displays adoption status for the logged device. When executed without using the ‘on <DEVICE-NAME>’ parameter, this command displays detailed information of all devices adopted by the device on which the command is executed.
    • summary – Optional. Displays a summary of all devices adopted by the logged device.
timeline
    Displays the logged device’s adoption timeline. It also shows the adoption time for the logged device’s adopted APs. To view the adoption timeline of a specific device, use the on <device-name> option to specify the device.
on <DEVICE-NAME>
    The following keywords are common to all of the above parameters:
    • on <DEVICE-NAME> – Optional. Displays a device’s adoption information, based on the parameter passed.
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Usage Guidelines
In a device’s Global Config mode, use the customize > show-adoption-status command to customize the show > adoption > status command output. The following columns can be added to the output:

nx9500-6C8809(config)#customize show-adoption-status ?
  adopted-by     Device name to which the AP is adopted
  ap-name        Host-name of the adopted AP
  cdp-lldp-info  Cdp/lldp info of the Adopted AP
  config-status  Configuration status of the adopted AP
  last-adoption  Last known adoption time
  msgs           Messages status
  uptime         Uptime of the adopted AP
  version        Current version of the adopted AP
nx9500-6C8809(config)#

For more information on the customize command, see customize.

Example
The following example displays details of the:
• device to which the logged device (rfs6000-81742D) is adopted, and
• devices adopted (ap7532-A2A4B0, ap7532-80C2AC, ap7562-84A224, etc.) by the logged device.

rfs6000-81742D(config)#show adoption status
Adopted by:
Type          : nx9000
System Name   : nx9500-6C8809
MAC address   : B4-C7-99-6C-88-09
MiNT address  : 19.6C.88.09
Time          :   7 days 01:02:34 ago
Adopted Devices:
---------------------------------------------------------------------------------------------------------------
DEVICE-NAME       VERSION         CFG-STAT         MSGS ADOPTED-BY        LAST-ADOPTION                  UPTIME
---------------------------------------------------------------------------------------------------------------
ap7532-A2A4B0     5.9.1.0-012D    configured       No   rfs6000-81742D      0 days 23:42:11     0 days 23:46:12
Snap004...ssPoint 5.9.1.0-012D    configured       No   rfs6000-81742D      1 days 00:25:33     1 days 02:30:57
ap7532-80C2AC     5.9.1.0-012D    error            Yes  rfs6000-81742D      1 days 00:10:00     1 days 00:11:40
ap7562-84A224     5.9.1.0-012D    configured       No   rfs6000-81742D      1 days 00:23:12     1 days 02:13:48
--More--
rfs6000-81742D(config)#

nx9500-6C8809#show adoption info
----------------------------------------------------------------------------------------------------
              HOST-NAME                 MAC       TYPE               MODEL           SERIAL-NUMBER
----------------------------------------------------------------------------------------------------
         rfs6000-81742D   00-15-70-81-74-2D    rfs6000    RFS-6010-1000-WR          7295520400121
              t5-ED7C6C   B4-C7-99-ED-7C-6C         t5          TS-0524-WR         14213522400004
----------------------------------------------------------------------------------------------------
Total number of devices displayed: 2
nx9500-6C8809#

nx9500-6C8809#show adoption status
---------------------------------------------------------------------------------------------------------------
DEVICE-NAME       VERSION         CFG-STAT         MSGS ADOPTED-BY        LAST-ADOPTION                  UPTIME
---------------------------------------------------------------------------------------------------------------
rfs6000-81742D    5.9.1.0-012D    configured       No   nx9500-6C8809       7 days 01:06:02     7 days 01:08:45
t5-ED7C6C         5.4.2.0-010R    configured       No   nx9500-6C8809       7 days 01:22:09   114 days 04:37:10
----------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 2
nx9500-6C8809#

nx9500-6C8809#show adoption offline
-----------------------------------------
MAC               HOST-NAME          TYPE     RF-DOMAIN            TIME OFFLINE         CONNECTED-TO
---------------------------------------------------------------------------------------
00-23-68-11-E6-C4 ap71xx-11E6C4        ap71xx   TechPubs             unknown              None
00-23-68-9C-63-D4 ap7131-9C63D4        ap71xx   default              unknown              None
5C-0E-8B-A6-57-80 ap650-A65780         ap650    default              unknown              None
5C-0E-8B-A6-ED-14 ap650-A6ED14         ap650    default              unknown              None
84-24-8D-16-01-C4 ap7532-1601C4        ap7532   default              unknown              None
B4-C7-99-4B-F3-64 ap7131-4BF364        ap71xx   default              unknown              None
---------------------------------------------------------------------------------------
Total number of devices displayed: 6
nx9500-6C8809#

rfs6000-81742D#show adoption log adoptee on ap7532-80C2AC
2017-04-05 10:19:56:Received OK from cfgd, adoption complete to 70.81.74.2D
2017-04-05 10:19:56:Waiting for cfgd OK, adopter should be 70.81.74.2D
2017-04-05 10:19:56:Adoption state change: 'Connecting to adopter' to 'Waiting for Adoption OK'
2017-04-05 10:19:56:Adoption state change: 'Adoption failed' to 'Connecting to adopter'
2017-04-05 10:19:56:Try to adopt to 70.81.74.2D (cluster master 70.81.74.2D in adopters)
2017-04-05 10:19:27:Ignoring MLCP Offer, vlan_state MLCP_DONE != MLCP_DISCOVERING / MLCP_STP_WAITING
--More--
rfs6000-81742D#

nx9500-6C8809#show adoption controllers include-ipv6
----------------------------------------------------------------------------------------------------------------------------------
                   NAME      RF-DOMAIN                 MAC       MINT-ID                IP              IPV6          ADOPTED-BY
----------------------------------------------------------------------------------------------------------------------------------
         rfs6000-81742D       TechPubs   00-15-70-81-74-2D   70.81.74.2D     192.168.13.24                ::        nx9500-6C8809
----------------------------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 1
nx9500-6C8809#
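
The show adoption status table above lends itself to a scripted audit. As an added example (not part of the WiNG guide and not Extreme Networks code), the following Python parses captured output and flags adopted devices whose CFG-STAT is not configured, whose MSGS column is Yes, or whose VERSION differs from the expected release. The sample text is constructed by combining rows from the two example outputs above; the function names and the majority-version default are assumptions of this example.

```python
import re
from collections import Counter
from datetime import timedelta

# One data row of `show adoption status`. The last two columns are durations
# printed as "<N> days HH:MM:SS", so a plain whitespace split would break them.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\d+(?:\.\d+){3}-\S+)\s+(?P<cfg_stat>\S+)\s+"
    r"(?P<msgs>Yes|No)\s+(?P<adopted_by>\S+)\s+"
    r"(?P<la_d>\d+) days (?P<la_t>\d\d:\d\d:\d\d)\s+"
    r"(?P<up_d>\d+) days (?P<up_t>\d\d:\d\d:\d\d)\s*$"
)

# Constructed sample: rows copied from the guide's two example outputs.
SAMPLE = """\
rfs6000-81742D(config)#show adoption status
Adopted by:
Type          : nx9000
System Name   : nx9500-6C8809
Time          :   7 days 01:02:34 ago
Adopted Devices:
------------------------------------------------------------------------
DEVICE-NAME       VERSION         CFG-STAT         MSGS ADOPTED-BY        LAST-ADOPTION                  UPTIME
------------------------------------------------------------------------
ap7532-A2A4B0     5.9.1.0-012D    configured       No   rfs6000-81742D      0 days 23:42:11     0 days 23:46:12
Snap004...ssPoint 5.9.1.0-012D    configured       No   rfs6000-81742D      1 days 00:25:33     1 days 02:30:57
ap7532-80C2AC     5.9.1.0-012D    error            Yes  rfs6000-81742D      1 days 00:10:00     1 days 00:11:40
ap7562-84A224     5.9.1.0-012D    configured       No   rfs6000-81742D      1 days 00:23:12     1 days 02:13:48
t5-ED7C6C         5.4.2.0-010R    configured       No   nx9500-6C8809       7 days 01:22:09   114 days 04:37:10
--More--
"""


def _duration(days, hms):
    """Convert the CLI's '<N> days HH:MM:SS' pieces into a timedelta."""
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return timedelta(days=int(days), hours=hours, minutes=minutes, seconds=seconds)


def parse_adoption_status(text):
    """Return one dict per adopted-device row; prompts, rules and the
    'Adopted by:' preamble do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        rows.append({
            "name": match["name"],
            "version": match["version"],
            "cfg_stat": match["cfg_stat"],
            "msgs": match["msgs"],
            "adopted_by": match["adopted_by"],
            "last_adoption": _duration(match["la_d"], match["la_t"]),
            "uptime": _duration(match["up_d"], match["up_t"]),
        })
    return rows


def audit(rows, expected_version=None):
    """Return (device, column, value) findings for rows that need attention.

    If expected_version is not given, the most common version in the table
    is used as the baseline (an assumption of this example).
    """
    if not rows:
        return []
    if expected_version is None:
        expected_version = Counter(r["version"] for r in rows).most_common(1)[0][0]
    findings = []
    for row in rows:
        if row["cfg_stat"] != "configured":
            findings.append((row["name"], "CFG-STAT", row["cfg_stat"]))
        if row["msgs"] == "Yes":
            findings.append((row["name"], "MSGS", row["msgs"]))
        if row["version"] != expected_version:
            findings.append((row["name"], "VERSION", row["version"]))
    return findings


if __name__ == "__main__":
    for device, column, value in audit(parse_adoption_status(SAMPLE)):
        print(f"{device}: {column} = {value}")
```
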

6.1.3 bluetooth

Displays Bluetooth radio statistics for RF Domain member access points

AP8432 and AP8533 model access points utilize a built-in Bluetooth chip for specific Bluetooth functional behaviors in a WiNG managed network. AP8432 and AP8533 models support both Bluetooth classic and Bluetooth low energy (BLE) technology. These platforms use their Bluetooth classic enabled radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an alarm.

AP8432 and AP8533 model access points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The access point’s Bluetooth radio sends non-connectable, undirected low-energy (LE) advertisement packets periodically. These advertisement packets are short and sent on Bluetooth advertising channels that conform to already-established iBeacon and Eddystone-URL standards.

NOTE: AP8132 model access points support an external USB Bluetooth radio providing ADSP Bluetooth classic sensing functionality only, not the BLE beaconing functionality available for AP8432 and AP8533 model access points described in this section.

Supported in the following platforms:
• Access Points — AP8432, AP8533

Syntax
show bluetooth radio {detail|on}
show bluetooth radio {detail {<DEVICE-NAME> <1-1>|filter bluetooth-radio-mac <BT-RADIO-MAC>}} {(on <DEVICE-OR-DOMAIN-NAME>)}

Parameters
• show bluetooth radio {detail {<DEVICE-NAME> <1-1>|filter bluetooth-radio-mac <BT-RADIO-MAC>}} {(on <DEVICE-OR-DOMAIN-NAME>)}

bluetooth radio
    Displays Bluetooth radio utilization statistics based on the parameters passed
detail <DEVICE-NAME> <1-1>
    Optional. Displays detailed Bluetooth radio utilization statistics. Optionally, to view detailed information for a specific access point’s Bluetooth radio, specify the access point’s and the radio’s MAC addresses.
    • <DEVICE-NAME> <1-1> – Optional. Specify the access point’s hostname or MAC address.
        • <1-1> – Specify the Bluetooth radio interface index number from 1 - 1. As of now only one Bluetooth radio interface is supported. The interface index number is appended to the AP’s hostname or MAC address in the following format: ap8533-06FBE1:B1 OR 74-67-F7-06-FB-E1:B1
    The following information is displayed:
    • access point’s hostname as its network identifier
    • access point’s alias. If an alias has been defined for the access point, it is listed here. The alias value is expressed in the form of <hostname>:B<Bluetooth_radio_number>. If the access point has an administrator assigned hostname, it is used in place of the access point’s default hostname.
    • access point’s factory encoded MAC address
    • access point and Bluetooth radio’s administrator assigned area of deployment (the AP’s geographical location)
    • Bluetooth radio’s state (on/off)
    • Bluetooth radio’s reason for inactivity (in case the radio is off)
    • Bluetooth radio’s factory encoded MAC address serving as this device’s hardware identifier on the network
    • Bluetooth radio’s functional mode: bt-sensor or le-beacon
    • Bluetooth radio’s beacon period
    • Bluetooth radio’s beacon type
    • descriptive text on any error that’s preventing the Bluetooth radio from operating
filter bluetooth-radio-mac <BT-RADIO-MAC>
    Optional. Specifies additional filters to get table values. Filters data based on the Bluetooth radio’s MAC address.
    • <BT-RADIO-MAC> – Specify the Bluetooth radio’s MAC address. The system only displays statistics related to the specified Bluetooth radio.
on <DEVICE-OR-DOMAIN-NAME>
    The following keywords are recursive and common to all of the above.
    • on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays Bluetooth radio statistics on a specified device or RF Domain
        • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the device or RF Domain. If the device name is explicitly given, the results display data for the specified AP only. If the RF Domain is explicitly given, the results display data for all APs within the specified RF Domain.
    If no device/RF Domain is specified, the results include data for all Bluetooth radios within the controller’s RF Domain.
    If the controller is in the “on rf-domain all” mode, the results include data for all Bluetooth radios for all APs in each domain known to the controller.

Example
nx9500-6C8809(config)#show bluetooth radio on ap8533-06F808
-----------------------------------------------------------------------------
 BLUETOOTH RADIO      RADIO MAC           MODES                     STATE
-----------------------------------------------------------------------------
ap8533-06F808:B1  74-67-F7-08-A3-B0    BLE-Beacon                  On
-----------------------------------------------------------------------------
Total number of Bluetooth radios displayed: 0
nx9500-6C8809(config)#

nx9500-6C8809(config)#show bluetooth radio detail 74-67-F7-06-F8-08 1
Radio: 74-67-F7-06-F8-08:B1, alias ap8533-06F808:B1
 STATE          : Off [shutdown in cfg]
 PHY INFO       : MAC: 74-67-F7-08-A3-B0
 ACCESS POINT   : Name: ap8533-06F808  Location: default  Placement: Indoor
 ENABLED MODES  : BLE-Beacon
 BEACON TYPES   : Eddystone-URL
 BEACON PERIOD  : 1000ms
 Last error     :
nx9500-6C8809(config)#

6.1.4 boot

Displays a device’s boot configuration. Use this command to view the primary and secondary image details, such as Build Date, Install Date, and Version. This command also displays the current boot and next boot information.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show boot {on <DEVICE-NAME>}

Parameters
• show boot {on <DEVICE-NAME>}

boot
    Displays primary and secondary image boot configuration details (build date, install date, version, and the image used to boot the current session)
on <DEVICE-NAME>
    Optional. Displays a specified device’s boot configuration
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
    Note: Use the on <DEVICE-NAME> option to view a remote device’s boot configuration.

Example
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
     IMAGE            BUILD DATE             INSTALL DATE          VERSION
--------------------------------------------------------------------------------
  Primary       05/31/2017 22:24:22     06/02/2017 14:22:51     5.9.0.0-029R
  Secondary     05/27/2017 01:00:26     05/30/2017 10:35:55     5.9.0.0-028B
--------------------------------------------------------------------------------
Current Boot       : Primary
Next Boot          : Primary
Software Fallback  : Enabled
VM support         : Not present
nx9500-6C8809#

nx9500-6C8809#show boot on TechPubs/rfs6000-6DB5D4
--------------------------------------------------------------------------------
     IMAGE            BUILD DATE             INSTALL DATE          VERSION
--------------------------------------------------------------------------------
  Primary       05/31/2017 22:24:22     06/02/2017 14:22:51     5.9.0.0-029R
  Secondary     05/27/2017 01:00:26     05/30/2017 10:35:55     5.9.0.0-028B
--------------------------------------------------------------------------------
Current Boot       : Primary
Next Boot          : Primary
Software Fallback  : Enabled
VM support         : Not present
nx9500-6C8809#

6.1.5 bonjour

Displays the configured Bonjour services available on local and remote sites

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show bonjour services {on <DEVICE-NAME>}

Parameters
• show bonjour services {on <DEVICE-NAME>}

bonjour services
    Displays the configured Bonjour services available on local and remote sites
on <DEVICE-NAME>
    Optional. Displays Bonjour services available on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D#show bonjour services on ap7131-11E6C4
------------------------------------------------------------------------------------------------------------------------------------------------------
            SERVICE_NAME                            INSTANCE_NAME                        IP:PORT        VLAN-ID VLAN_TYPE            EXPIRY
------------------------------------------------------------------------------------------------------------------------------------------------------
  _pdl-datastream._tcp.local        Brother MFC-8510DN._pdl-datastream._tcp.local   172.110.0.146:9100   110     Local     Tue Sep 12 02:07:44 2017
  _universal._sub._ipp._tcp.local   Brother MFC-8510DN._ipp._tcp.local              172.110.0.146:631    110     Local     Tue Sep 12 02:36:13 2017
  _ipp._tcp.local                   Brother MFC-8510DN._ipp._tcp.local              172.110.0.146:631    110     Local     Tue Sep 12 02:36:13 2017
------------------------------------------------------------------------------------------------------------------------------------------------------
rfs6000-81742D#

6.1.6 captive-portal

Displays WLAN captive portal information. Use this command to view a configured captive portal’s client information.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show captive-portal sessions {include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|statistics} {(filter [captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>]|ip [<IPv4>|not <IPv4>]|ipv6 [<IPv6>|not <IPv6>]|state [pending|success|not [pending|success]]|vlan [<VLAN-ID>|not <VLAN-ID>]|wlan [<WLAN-NAME>|not <WLAN-NAME>]])}

Parameters
• show captive-portal sessions {include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|statistics} {(filter [captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>]|ip [<IPv4>|not <IPv4>]|ipv6 [<IPv6>|not <IPv6>]|state [pending|success|not [pending|success]]|vlan [<VLAN-ID>|not <VLAN-ID>]|wlan [<WLAN-NAME>|not <WLAN-NAME>]])}

captive-portal sessions
    Displays active captive portal client session details
include-ipv6
    Optional. Includes IPv6 address (if known) of captive portal clients
    By default the system only displays IPv4 addresses. The include-ipv6 parameter includes the IPv6 address (if known) of each client.
statistics
    Optional. Displays statistical information regarding client sessions
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Displays active captive portal session details on a specified device or RF Domain.
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.
filter
    This parameter is recursive and can be used with any of the above parameters to define additional filters.
    Optional. Defines additional filters. Use one of the following options: captive-portal, ip, ipv6, state, vlan, or wlan.
captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>]
    Optional. Displays captive portal client and client session information, based on the captive portal name passed
    • <CAPTIVE-PORTAL> – Specify the captive portal name. Displays client details for the specified captive portal.
    • not <CAPTIVE-PORTAL> – Inverts the match selection. Displays client details for all captive portals other than the specified captive portal.
ip [<IPv4>|not <IPv4>]
    Optional. Displays captive portal client/client sessions information, based on the IPv4 address passed
    • <IPv4> – Specify the client’s IPv4 address. Displays information of the client identified by the <IPv4> parameter
    • not <IPv4> – Inverts the match selection. Displays client details for all clients other than the one identified by the <IPv4> parameter.
ipv6 [<IPv6>|not <IPv6>]
    This filter option is available only for the ‘include-ipv6’ keyword.
    Optional. Displays captive portal client/client sessions information, based on the IPv6 address passed
    • <IPv6> – Specify the client’s IPv6 address. Displays information of the client identified by the <IPv6> parameter
    • not <IPv6> – Inverts the match selection. Displays client details for all clients other than the one identified by the <IPv6> parameter.
state [pending|success|not [pending|success]]
    Optional. Filters clients/client sessions based on the client’s authentication state
    • pending – Displays information of clients redirected for authentication
    • success – Displays information of successfully authenticated clients
    • not [pending|success] – Inverts match selection
        • pending – Displays information of successfully authenticated clients (opposite of pending authentication)
        • success – Displays information of clients redirected for authentication (opposite of successful authentication)
vlan [<VLAN-ID>|not <VLAN-ID>]
    Optional. Displays captive portal client/client sessions information based on the VLAN ID passed
    • <VLAN-ID> – Specify the VLAN ID. Displays client details for the specified VLAN.
    • not <VLAN-ID> – Inverts match selection. Displays client details for all VLANs other than the one identified by the <VLAN-ID> parameter.
wlan [<WLAN-NAME>|not <WLAN-NAME>]
    Optional. Displays captive portal client/client sessions information based on the WLAN name passed
    • <WLAN-NAME> – Specify the WLAN name. Displays client details for the specified WLAN.
    • not <WLAN-NAME> – Inverts match selection. Displays client details for all WLANs other than the one identified by the <WLAN-NAME> parameter.

Example
rfs4000-229D58#show captive-portal sessions
=======================================================================================
CLIENT               IPv4     CAPTIVE-PORTAL   WLAN/PORT    VLAN  STATE SESSION  TIME
---------------------------------------------------------------------------------------
00-26-55-F4-5F-79  192.168.3.99 cappo     rfs4000-229D58:ge2    400     Success     23:58:35
=======================================================================================
Total number of captive portal sessions displayed: 1
rfs4000-229D58#

6.1.7 captive-portal-page-upload

Displays captive portal page information, such as upload history, upload status, and page file download status

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show captive-portal-page-upload [history|list-files|load-image-status|status]
show captive-portal-page-upload load-image-status
show captive-portal-page-upload history {on <RF-DOMAIN-NAME>}
show captive-portal-page-upload status {on [<RF-DOMAIN-NAME>|<RF-DOMAIN-MANAGER>]}
show captive-portal-page-upload list-files <CAPTIVE-PORTAL-NAME>

Parameters
• show captive-portal-page-upload load-image-status

load-image-status
    Displays captive portal advanced page file download status on the logged device

• show captive-portal-page-upload history {on <RF-DOMAIN-NAME>}

history {on <RF-DOMAIN-NAME>}
    Displays captive portal page upload history
    • on <RF-DOMAIN-NAME> – Optional. Displays captive portal page upload history within a specified RF Domain. Specify the RF Domain name.

• show captive-portal-page-upload status {on [<RF-DOMAIN-NAME>|<RF-DOMAIN-MANAGER>]}

status {on <RF-DOMAIN-NAME>|on <RF-DOMAIN-MANAGER>}
    Displays captive portal page upload status
    • on <RF-DOMAIN-NAME> – Optional. Displays captive portal page upload status within a specified RF Domain. Specify the RF Domain name.
    • on <RF-DOMAIN-MANAGER> – Optional. Displays captive portal page upload status for a specified RF Domain Manager. Specify the RF Domain Manager name.

• show captive-portal-page-upload list-files <CAPTIVE-PORTAL-NAME>

list-files <CAPTIVE-PORTAL-NAME>
    Displays a list of all captive portal Web page files, of a specified captive portal, uploaded (internal and advanced page files)
    • <CAPTIVE-PORTAL-NAME> – Specify the captive portal name.

Example
nx7500-7F2C13#captive-portal-page-upload CP-BW all
--------------------------------------------------------------------------------
         CONTROLLER             STATUS                   MESSAGE
--------------------------------------------------------------------------------
  84-24-8D-7F-2C-13         Success         Added 1 APs to upload queue
--------------------------------------------------------------------------------
nx7500-7F2C13#

nx7500-7F2C13#show captive-portal-page-upload load-file-status
Download of CP-BW page file is complete
nx7500-7F2C13#

nx7500-7F2C13#show captive-portal-page-upload list-files CP-BW
--------------------------------------------------------------------------------
       NAME                   SIZE                LAST MODIFIED
--------------------------------------------------------------------------------
  CP-BW-1.tar.gz              6133              2016-05-16 10:38:40
  CP-BW.tar.gz                3370              2016-05-16 10:45:44
--------------------------------------------------------------------------------
nx7500-7F2C13#

6.1.8 cdp

Displays the Cisco Discovery Protocol (CDP) neighbor table

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show cdp [neighbors|report] {detail {on <DEVICE-NAME>}|on <DEVICE-NAME>}

Parameters
• show cdp [neighbors|report] {detail {on <DEVICE-NAME>}|on <DEVICE-NAME>}

cdp [neighbors|report]
    Displays CDP neighbors table or aggregated CDP neighbors table
detail {on <DEVICE-NAME>}
    Optional. Displays detailed CDP neighbors table or aggregated CDP neighbors table
    • on <DEVICE-NAME> – Optional. Displays table details on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
on <DEVICE-NAME>
    Optional. Displays table details on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
The following example shows detailed CDP neighbors table:

nx9500-6C8809#show cdp neighbors detail
-------------------------
Device ID: ap8132-74B45C
Entry address(es):
  IP Address: 192.168.13.26
Platform: AP-8132-66040-WR, Capabilities: Router Switch
Interface: ge1, Port ID (outgoing port): ge1
Hold Time: 165 sec
advertisement version: 2
Native VLAN: 1
Duplex: full
Version :5.8.6.0-008B
-------------------------
Device ID: ap7532-80C2AC
Entry address(es):
  IP Address: 192.168.13.28
Platform: AP-7532-67040-WR, Capabilities: Router Switch
Interface: ge1, Port ID (outgoing port): ge1
Hold Time: 169 sec
--More--
nx9500-6C8809#

The following example shows a non-detailed CDP neighbors table:

rfs6000-81742D#show cdp neighbors
--------------------------------------------------------------------------------
     Device ID           Platform        Local Interface    Port ID     Duplex
--------------------------------------------------------------------------------
 nx9500-6C8809     NX-9500-100R0-WR     ge2                ge1        full
 rfs6000-81742D    RFS-6010-1000-WR     ge2                ge1        full
 rfs4000-880DA7    RFS-4011-11110-US    ge2                ge1        full
 ap6521-42936C     AP-6521E-60020-WR    ge2                ge1        full
--------------------------------------------------------------------------------
rfs6000-81742D#

6.1.9 classify-url

Displays a specified URL’s category. Use this command to query the category of a specific URL. The query is sent to a configured classification server. This option is available only if a valid URL filter license is available.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show classify-url [<URL-TO-QUERY>|datacenter <URL-TO-QUERY>]

Parameters
• show classify-url [<URL-TO-QUERY>|datacenter <URL-TO-QUERY>]

classify-url
    Queries the category of a specified URL
<URL-TO-QUERY>
    Specify the URL to query. The query is sent to the configured classification server.
datacenter <URL-TO-QUERY>
    The query is sent to a global classification datacenter
    • <URL-TO-QUERY> – Specify the URL to query.

Example
nx9500-6C8809#show classify-url www.google.com
  Categories: search-engines-portals,
  Custom Categories:
nx9500-6C8809#

nx9500-6C8809#show classify-url www.ndtv.com
  Categories: news,
  Custom Categories: list1,
nx9500-6C8809#

6.1.10 clock

Displays a selected system’s clock

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show clock {on <DEVICE-NAME>}

Parameters
• show clock {on <DEVICE-NAME>}

clock
    Displays a system’s clock
on <DEVICE-NAME>
    Optional. Displays system clock on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
rfs6000-81742D#show clock
2017-04-06 15:50:42 IST
rfs6000-81742D#

6.1.11 cluster

Displays cluster information (cluster configuration parameters, members, status, etc.)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show cluster [configuration|history|members|status]
show cluster [configuration|history {on <DEVICE-NAME>}|members {detail}|status]

Parameters

• show cluster [configuration|members {detail}|status]

cluster
    Displays cluster information
configuration
    Displays cluster configuration details
history on <DEVICE-NAME>
    Displays cluster history status
    • <DEVICE-NAME> – Optional. Specify the controller or access point name. If the device name is not specified, the system displays all cluster history.
members {detail}
    Displays cluster members configured on the logged device
    • detail – Optional. Displays detailed information of known cluster members
status
    Displays cluster status

Example

rfs6000-380649(config)#show cluster configuration
Cluster Configuration Information
 Name                         : SiteConRFS6k
 Configured Mode              : Active
 Master Priority              : 128
 Force configured state       : Disabled
 Force configured state delay : 5 minutes
 Handle STP                   : Disabled
 Radius Counter DB Sync Time  : 5 minutes
rfs6000-380649(config)#

rfs6000-380649(config)#show cluster members detail
---------------------------------------------------------------------------------------
ID            MAC                MODE     AP COUNT AAP COUNT AP LICENSE AAP LICENSE VERSION
---------------------------------------------------------------------------------------
70.38.06.49   00-15-70-38-06-49  Active   0        1         0          0           5.8.6.0-008B
70.81.74.2D   00-15-70-81-74-2D  Active   0        0         1          0           5.8.6.0-008B
---------------------------------------------------------------------------------------
rfs6000-380649(config)#

rfs6000-380649(config)#show cluster status
Cluster Runtime Information
 Protocol version             : 1
 Cluster operational state    : active
 AP license                   : 1
 AAP license                  : 0
 AP count                     : 0
 AAP count                    : 1
 Max AP adoption capacity     : 256
 Number of connected member(s): 1
rfs6000-380649(config)#

6.1.12 cmp-factory-certs

Displays factory installed CMP certificates

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show cmp-factory-certs {all}

Parameters

• show cmp-factory-certs {all}

cmp-factory-certs {all}
    Displays factory installed CMP certificates on the logged device. Optionally use the ‘all’ keyword to view certificate details.

Example

nx9500-6C8809>show cmp-factory-certs
No CMP factory certificate exist
nx9500-6C8809>

6.1.13 commands

Displays commands available for the current mode

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show commands

Parameters

None

Example

rfs4000-880DA7(config)#show commands
  help
  help search WORD (|detailed|only-show|skip-show|skip-no)
  show commands
  show adoption log adoptee(|on DEVICE-NAME)
  show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME)
  show adoption info (|on DEVICE-NAME)
  show adoption status (|on DEVICE-NAME)
  show adoption status summary (|on DEVICE-NAME)
  show adoption config-errors DEVICE-NAME
  show adoption offline
  show adoption pending (|on DEVICE-NAME)
  show adoption history (|on DEVICE-NAME)
  show adoption timeline (|on DEVICE-NAME)
  show adoption controllers (|on DEVICE-NAME)
  show adoption controllers include-ipv6(|on DEVICE-NAME)
  show debugging (|on DEVICE-OR-DOMAIN-NAME)
  show debugging cfgd(|on DEVICE-NAME)
  show debugging fib(|on DEVICE-NAME)
  show debugging adoption (|on DEVICE-OR-DOMAIN-NAME)
  show debugging wireless (|on DEVICE-OR-DOMAIN-NAME)
  show debugging snmp (|on DEVICE-NAME)
  show debugging ssm (|on DEVICE-NAME)
  show debugging voice (|on DEVICE-OR-DOMAIN-NAME)
--More--
rfs4000-880DA7(config)#

6.1.14 context

Displays the current context details

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, NX7500, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show context {include-factory|session-config {include-factory}}

Parameters

• show context {include-factory|session-config {include-factory}}

include-factory
    Optional. Includes factory defaults
session-config {include-factory}
    Optional. Displays running system information in the current context
    • include-factory – Optional. Includes factory defaults

Example

rfs4000-880DA7(config)#show context
!
! Configuration of RFS4000 version 5.9.1.0-015D
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
!
!
mint-policy global-default
!
radio-qos-policy default
!
auto-provisioning-policy 4K
!
--More--
rfs4000-880DA7(config)#

6.1.15 critical-resources

Displays critical resource information. Critical resources are resources vital to the network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show critical-resources {on <DEVICE-NAME>}

Parameters

• show critical-resources {on <DEVICE-NAME>}

critical-resources
    Displays critical resources information
on <DEVICE-NAME>
    Optional. Displays critical resource information on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example

rfs4000-229D58(config)#show critical-resources
--------------------------------------------------------------------------
CRITICAL RESOURCE IP        VLAN          PING-MODE            STATE
--------------------------------------------------------------------------
 172.168.1.103                1             arp-icmp             up
--------------------------------------------------------------------------
rfs4000-229D58(config)#

6.1.16 crypto

Displays encryption mode information

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show crypto [cmp|ike|ipsec|key|pki]
show crypto cmp request status
show crypto ike sa {detail|on|peer|version}
show crypto ike sa {detail|peer <IP>} {on <DEVICE-NAME>}
show crypto ike sa {version [1|2]} {peer <IP>} {(on <DEVICE-NAME>)}
show crypto ipsec sa {detail|on|peer}
show crypto ipsec sa {detail} {on <DEVICE-NAME>}
show crypto ipsec sa {peer <IP>} {detail} {(on <DEVICE-NAME>)}
show crypto key rsa {on|public-key-detail}
show crypto key rsa {public-key-detail} {(on <DEVICE-NAME>)}
show crypto pki trustpoints {<TRUSTPOINT-NAME>|all|on}
show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {(on <DEVICE-NAME>)}

Parameters

• show crypto cmp request status

crypto cmp request status
    Displays current status of in-progress certificate management protocol (CMP) requests
    For more information, see CRYPTO-CMP-POLICY.

• show crypto ike sa {detail|peer <IP>} {on <DEVICE-NAME>}

crypto ike sa
    Displays Internet Key Exchange (IKE) security association (SA) statistics
detail
    Displays detailed IKE SA statistics
peer <IP>
    Optional. Displays IKE SA statistics for a specified peer
    • <IP> – Specify the peer’s IP address in the A.B.C.D format
on <DEVICE-NAME>
    Optional. Displays IKE SA statistics on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show crypto ike sa {version [1|2]} {peer <IP>} {(on <DEVICE-NAME>)}

crypto ike sa
    Displays IKE SA details
version [1|2]
    Optional. Displays IKE SA version statistics
    • 1 – Displays IKEv1 statistics
    • 2 – Displays IKEv2 statistics
peer <IP>
    Optional. Displays IKE SA version statistics for a specified peer
    • <IP> – Specify the peer’s IP address in the A.B.C.D format
on <DEVICE-NAME>
    The following keyword is recursive and common to the ‘peer ip’ parameter:
    • on <DEVICE-NAME> – Optional. Displays IKE SA statistics on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show crypto ipsec sa {detail} {on <DEVICE-NAME>}

crypto ipsec sa
    Displays Internet Protocol Security (IPSec) SA statistics. The IPSec encryption authenticates and encrypts each IP packet in a communication session
detail
    Optional. Displays detailed IPSec SA statistics
on <DEVICE-NAME>
    Optional. Displays IPSec SAs on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show crypto ipsec sa {peer <IP>} {detail} {(on <DEVICE-NAME>)}

crypto ipsec sa
    Displays IPSec SA statistics. The IPSec encryption authenticates and encrypts each IP packet in a communication session
peer <IP> detail
    Optional. Displays IPSec SA statistics for a specified peer
    • <IP> – Specify the peer’s IP address in the A.B.C.D format.
    • detail – Displays detailed IPSec SA statistics for the specified peer
on <DEVICE-NAME>
    The following keyword is recursive:
    • on <DEVICE-NAME> – Optional. Displays IPSec SAs on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show crypto key rsa {public-key-detail} {(on <DEVICE-NAME>)}

crypto key rsa
    Displays RSA public keys
public-key-detail
    Optional. Displays public key in the Privacy-Enhanced Mail (PEM) format
on <DEVICE-NAME>
    The following keyword is recursive:
    • on <DEVICE-NAME> – Optional. Displays public key on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {(on <DEVICE-NAME>)}

crypto pki
    Displays PKI related information
trustpoints
    Displays WLAN trustpoints
    This command displays all trustpoints including CMP-generated trustpoints.
<TRUSTPOINT-NAME>
    Optional. Displays a specified trustpoint details. Specify the trustpoint name.
all
    Optional. Displays details of all trustpoints
on <DEVICE-NAME>
    The following keyword is recursive and common to the ‘trustpoint-name’ and ‘all’ parameters:
    • on <DEVICE-NAME> – Optional. Displays trustpoints configured on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example

nx9500-6C8809(config)#show crypto key rsa public-key-detail
RSA key name: ting        Key-length: 2048
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLj11yR38+/mcInGRlrw
3DaasuTJhKsWg7kcSVkM7RLd/Wq/mPZEsqwFLnvFIm4rVIke+mVdWBqV4oGE1TUm
Z4YqKtzlANSAG7EZREr3MXEIHd49NHYeK8U+1EAmHN9F21XCxTO+yRMngKDJeHfz
Za2/64PdBsnRlV4nqCGMGHbbaaCwGe5X0a
RSA key name: default_rsa_key        Key-length: 2048
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hyJDk9aMk97X3PhoyMb
6nufFLFUkpF9YwSqO2fNyp9SutqpoML/VAMHHotmaa6SsxPURF8mC66bT7De32r7
wwPd7pIWwALTscwCzd3CrB1jY8s2OQ7ZHGCH6MLau+LeoNPE0c+uH3tNLloTAvSG
xtUAHfwFa4rM6vlzs/ejJ4InnboI8i4uIA
nx9500-6C8809(config)#

nx9500-6C8809(config)#show crypto key rsa
--------------------------------------------------------------------------------
         #                      KEY NAME                     KEY LENGTH
--------------------------------------------------------------------------------
  1                  ting                             2048
  2                  default_rsa_key                  2048
--------------------------------------------------------------------------------
nx9500-6C8809(config)#

nx9500-6C8809(config)#show crypto pki trustpoints all
Trustpoint Name: default-trustpoint        (self signed)
-------------------------------------------------------------------------------
  CRL present: no
  Server Certificate details:
    Key used: default_rsa_key
    Serial Number: 051d
    Subject Name:
      /CN=NX9500-B4-C7-99-6C-88-09
    Issuer Name:
      /CN=NX9500-B4-C7-99-6C-88-09
    Valid From : Thu Dec  5 04:15:59 2013 UTC
    Valid Until: Sun Dec  3 04:15:59 2023 UTC
nx9500-6C8809(config)#

nx9500-6C8809>show crypto cmp request status
CMP Request Status: ir-req-reset
nx9500-6C8809>
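
The trustpoint and RSA key listings above are the raw material for a certificate hygiene check. The following added example (not part of the guide or of WiNG) parses captured `show crypto pki trustpoints all` and `show crypto key rsa` output and reports self-signed trustpoints, missing CRLs, short keys and approaching expiry; the function names, finding labels and the 2048-bit and 90-day thresholds are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the outputs printed in the crypto Example.
TRUSTPOINTS_OUTPUT = """\
Trustpoint Name: default-trustpoint        (self signed)
-------------------------------------------------------------------------------
  CRL present: no
  Server Certificate details:
    Key used: default_rsa_key
    Serial Number: 051d
    Subject Name:
      /CN=NX9500-B4-C7-99-6C-88-09
    Issuer Name:
      /CN=NX9500-B4-C7-99-6C-88-09
    Valid From : Thu Dec  5 04:15:59 2013 UTC
    Valid Until: Sun Dec  3 04:15:59 2023 UTC
"""

RSA_KEYS_OUTPUT = """\
--------------------------------------------------------------------------------
         #                      KEY NAME                     KEY LENGTH
--------------------------------------------------------------------------------
  1                  ting                             2048
  2                  default_rsa_key                  2048
--------------------------------------------------------------------------------
"""


def parse_rsa_keys(text):
    """Return {key name: key length} from 'show crypto key rsa' output."""
    keys = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+(\d+)\s*$", line)
        if m:  # header and ruler lines do not match
            keys[m.group(1)] = int(m.group(2))
    return keys


def parse_trustpoints(text):
    """Return one dict per trustpoint from 'show crypto pki trustpoints all'."""
    trustpoints, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Trustpoint Name:\s*(\S+)\s*(\(self signed\))?", line)
        if m:
            current = {"name": m.group(1), "self_signed": bool(m.group(2))}
            trustpoints.append(current)
            pending = None
            continue
        if current is None or not line or set(line) == {"-"}:
            continue
        if pending:  # value printed on the line after "Subject Name:" / "Issuer Name:"
            current[pending] = line
            pending = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key in ("subject name", "issuer name") and not value:
            pending = key
        else:
            current[key] = value
    return trustpoints


def parse_cert_time(value):
    """'Sun Dec  3 04:15:59 2023 UTC' -> timezone-aware datetime."""
    fields = value.split()  # collapses the padded day-of-month
    stamp = datetime.strptime(" ".join(fields[:5]), "%a %b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)


def audit_trustpoints(trustpoints, rsa_keys, now, min_bits=2048, warn_days=90):
    """Return (trustpoint, finding) pairs; thresholds are this example's assumptions."""
    findings = []
    for tp in trustpoints:
        name = tp["name"]
        subject, issuer = tp.get("subject name"), tp.get("issuer name")
        if tp["self_signed"] or (subject and subject == issuer):
            findings.append((name, "self-signed"))
        if tp.get("crl present", "").lower() == "no":
            findings.append((name, "no-crl"))
        bits = rsa_keys.get(tp.get("key used"))
        if bits is not None and bits < min_bits:
            findings.append((name, "weak-key"))
        if tp.get("valid until"):
            days_left = (parse_cert_time(tp["valid until"]) - now).days
            if days_left < 0:
                findings.append((name, "expired"))
            elif days_left < warn_days:
                findings.append((name, "expiring-soon"))
    return findings


if __name__ == "__main__":
    tps = parse_trustpoints(TRUSTPOINTS_OUTPUT)
    keys = parse_rsa_keys(RSA_KEYS_OUTPUT)
    for name, issue in audit_trustpoints(tps, keys, datetime.now(timezone.utc)):
        print(f"{name}: {issue}")
```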

6.1.17 database

Displays database-related statistics and status

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, VX9000

Syntax

show database [backup-status|keyfile|restore-status|statistics|status|users] {on <DEVICE-NAME>}

Parameters

• show database [backup-status|keyfile|restore-status|statistics|status|users] {on <DEVICE-NAME>}

database
    Displays all configured database-related statistics and status
backup-status
    Displays the last database backup status
keyfile
    Displays the keyfiles generated on the database host to enable authenticated database access
restore-status
    Displays the last database restore status
statistics
    Displays database-related statistics, such as name of the database (NSight or captive portal), data size, storage size, free disk space available, etc.
status
    Displays database status, such as online time.
users
    Displays database users created. These are the users that can access the databases.
on <DEVICE-NAME>
    Optional. Displays database-related information on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example

vx9000-D031F2(config)#show database backup-status detail
Last Database Backup Status : Failed(Error in ftp: 1)
Last Database Backup Time   : 2017-04-11 08:03:10
-----------------------------------------------
Starting backup of mart ...
connected to: 127.0.0.1
2015-05-20T14:02:46.340+0530 DATABASE: mart         to         dump/mart
2015-05-20T14:02:46.341+0530         mart.system.indexes to dump/mart/system.indexes.bson
2015-05-20T14:02:46.341+0530                  61 documents
2015-05-20T14:02:46.341+0530         mart.wlan_info to dump/mart/wlan_info.bson
2015-05-20T14:02:46.341+0530                  5 documents
2015-05-20T14:02:46.342+0530         Metadata for mart.wlan_info to dump/mart/wlan_info.metadata.json
2015-05-20T14:02:46.342+0530         mart.rf_domain_info to dump/mart/rf_domain_info.bson
2015-05-20T14:02:46.342+0530                  21 documents
2015-05-20T14:02:46.342+0530         Metadata for mart.rf_domain_info to dump/mart/rf_domain_info.metadata.json
--More--
vx9000-D031F2(config)#

vx9000-D031F2(config)#show database status
--------------------------------------------------------------------------------
        MEMBER             STATE                     ONLINE TIME
--------------------------------------------------------------------------------
  localhost           PRIMARY           2 days 3 hours 45 min 24 sec
--------------------------------------------------------------------------------
 Authentication: Disabled                Authentication User: None
--------------------------------------------------------------------------------
[*] indicates this device.
vx9000-D031F2(config)#

vx9000-D031F2(config)#show database statistics
--------------------------------------------------------------------------------
       DATABASE        STORAGE SIZE   DATA SIZE     INDEX SIZE     DISK FREE
--------------------------------------------------------------------------------
  admin               32k             335          48k           594.5G
  captive-portal      4k              0            24k           594.5G
  nsightcache         96k             2.0k         264k          594.5G
  nsight              26.1M           136.6M       18.9M         594.5G
--------------------------------------------------------------------------------
vx9000-D031F2(config)#

6.1.18 device-upgrade

Displays firmware upgrade information for devices adopted by a wireless controller or access point

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show device-upgrade [history|load-image-status|status|versions]
show device-upgrade [history {on <DOMAIN-NAME>}|load-image-status|versions {on <DEVICE-OR-DOMAIN-NAME>}]
show device-upgrade status {on [<DOMAIN-NAME>|rf-domain-manager]|summary {on <DOMAIN-NAME>}}

Parameters

• show device-upgrade [history {on <DOMAIN-NAME>}|load-image-status|versions {on <DEVICE-OR-DOMAIN-NAME>}]

device-upgrade
    Displays device upgrade information based on the parameters passed
history {on <DOMAIN-NAME>}
    Displays device upgrade history
    • on <DOMAIN-NAME> – Optional. Displays upgrade history for all devices within a specified RF Domain. Specify the RF Domain name.
load-image-status
    Displays firmware image loading status. The output displays the <DEVICE> image loading status in percentage.
    For example:
    #show device-upgrade load-image-status
    Download of ap81xx firmware file is 47 percent complete
versions {on <DEVICE-OR-DOMAIN-NAME>}
    Displays firmware image versions
    • on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays firmware image versions loaded on specified device or RF Domain. Specify the name of the AP, wireless controller, service platform, or RF Domain.
        • <DEVICE-OR-DOMAIN-NAME> – Specify the AP, wireless controller, service platform, or RF Domain name.

• show device-upgrade status {on [<DOMAIN-NAME>|rf-domain-manager]|summary {on <DOMAIN-NAME>}}

device-upgrade
    Displays device upgrade information based on the parameters passed
status
    Displays in progress device upgrade status
on [<DOMAIN-NAME>|rf-domain-manager]
    Optional. Displays in progress upgrade status of all devices within a specified RF Domain, or all devices upgraded by the RF Domain manager. Use this option to view upgrade status of multiple devices.
    • <DOMAIN-NAME> – Specify the RF Domain name.
    • rf-domain-manager – Select to view devices upgraded by the RF Domain manager.
summary {on <DOMAIN-NAME>}
    Displays a summary of in-progress upgrade processes
    • on <DOMAIN-NAME> – Optional. Displays in-progress upgrade processes within a specified RF Domain
        • <DOMAIN-NAME> – Specify the RF Domain name.

Example

nx9500-6C8809#device-upgrade load-image rfs6000 ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/RFS6000-LEAN.img
nx9500-6C8809#show device-upgrade load-image-status
Download of rfs6000 firmware file is complete
nx9500-6C8809#

nx9500-6C8809#show device-upgrade status
Number of devices currently being upgraded : 0
Number of devices waiting in queue to be upgraded : 1
Number of devices currently being rebooted : 0
Number of devices waiting in queue to be rebooted : 0
Number of devices failed upgrade : 0
---------------------------------------------------------------------------------------------------------
      DEVICE        STATE   UPGRADE TIME REBOOT TIME PROGRESS RETRIES LAST UPDATE ERROR   UPGRADED BY
---------------------------------------------------------------------------------------------------------
  rfs6000-81742D   waiting   immediate    immediate   0        0       -              nx9500-6C8809
---------------------------------------------------------------------------------------------------------
nx9500-6C8809#

6.1.19 dot1x

Displays dot1x information on interfaces

Dot1x (or 802.1x) is an IEEE standard for network authentication. Devices supporting dot1x allow automatic provisioning and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a dot1x-enabled device automatically connects and authenticates without needing to log in manually.

Dot1x-enabled devices can be configured as:
• supplicants only – Devices seeking network access
• authenticators only – Devices authenticating the supplicants, or
• supplicants as well as authenticators

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

NOTE: Dot1x supplicant configuration is supported on the following platforms:
• Access Points – AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers – RFS4000
• Service Platforms – NX5500, NX7500

NOTE: Dot1x authenticator configuration is supported on the following platforms:
• Access Points – AP6521, AP6522, AP6562, AP7161, AP7502, AP81XX
• Wireless Controllers – RFS4000, RFS6000
• Service Platforms – NX5500, NX7500

Syntax

show dot1x {all|interface|on}
show dot1x {all {on <DEVICE-NAME>}|on <DEVICE-NAME>}
show dot1x {interface [<INTERFACE-NAME>|ge <1-4>|port-channel <1-2>]} {on <DEVICE-NAME>}

Parameters

• show dot1x {all {on <DEVICE-NAME>}|on <DEVICE-NAME>}

dot1x all {on <DEVICE-NAME>}
    Optional. Displays dot1x information for all interfaces
    • on <DEVICE-NAME> – Optional. Displays dot1x information for all interfaces on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
dot1x {on <DEVICE-NAME>}
    Optional. Displays dot1x information for interfaces on a specified device
    • <DEVICE-NAME> – Specify the name of AP, wireless controller, or service platform.

• show dot1x {interface [<INTERFACE-NAME>|ge <1-4>|port-channel <1-2>]} {on <DEVICE-NAME>}

dot1x interface
    Optional. Displays dot1x information for a specified interface or interface type
<INTERFACE-NAME>
    Displays dot1x information for the layer 2 (Ethernet port) interface specified by the <INTERFACE-NAME> parameter
ge <1-4>
    Displays dot1x for a specified GigabitEthernet interface
    • <1-4> – Select the interface index from 1 - 4.
port-channel <1-2>
    Displays dot1x for a specified port channel interface
    • <1-2> – Select the interface index from 1 - 2.
on <DEVICE-NAME>
    The following keywords are common to all of the above parameters:
    • on <DEVICE-NAME> – Optional. Displays dot1x interface information on a specified device
        • <DEVICE-NAME> – Specify the name of AP, wireless controller, or service platform.

Example

rfs6000-81742D#show dot1x all
802.1X information
------------------------------
  SysAuthControl : disabled
  Guest-Vlan     : disabled
  AAA-Policy     : none
  Holdtime       : 60
802.1X information for interface GE1
--------------------------------------
Supplicant MAC N/A
  Auth SM State : FORCE AUTHORIZED
  Bend SM State : REQUEST
  Port Status   : AUTHORIZED
  Host Mode     : SINGLE
  Auth Vlan     : None
  Guest Vlan    : None
802.1X information for interface GE2
--------------------------------------
Supplicant MAC N/A
  Auth SM State : FORCE AUTHORIZED
  Bend SM State : REQUEST
  Port Status   : AUTHORIZED
--More--
rfs6000-81742D#

rfs6000-81742D#show dot1x interface ge 1
802.1X information for interface GE1
--------------------------------------
Supplicant MAC N/A
  Auth SM State : FORCE AUTHORIZED
  Bend SM State : REQUEST
  Port Status   : AUTHORIZED
  Host Mode     : SINGLE
  Auth Vlan     : None
  Guest Vlan    : None
rfs6000-81742D#
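
In the `show dot1x all` output above, system auth control is disabled and both ports are in the FORCE AUTHORIZED state, which in 802.1X means the port is authorized without authenticating the attached device. The following added example (not from the guide) parses a captured `show dot1x all` session and reports those conditions, and also reports interface records cut short by `--More--` pagination; the function names, finding labels and the list of fields expected in a complete record (taken from the GE1 block) are assumptions of this example.

```python
import re

# Constructed sample input: the 'show dot1x all' session printed in the dot1x Example.
DOT1X_OUTPUT = """\
rfs6000-81742D#show dot1x all
802.1X information
------------------------------
  SysAuthControl : disabled
  Guest-Vlan     : disabled
  AAA-Policy     : none
  Holdtime       : 60
802.1X information for interface GE1
--------------------------------------
Supplicant MAC N/A
  Auth SM State : FORCE AUTHORIZED
  Bend SM State : REQUEST
  Port Status   : AUTHORIZED
  Host Mode     : SINGLE
  Auth Vlan     : None
  Guest Vlan    : None
802.1X information for interface GE2
--------------------------------------
Supplicant MAC N/A
  Auth SM State : FORCE AUTHORIZED
  Bend SM State : REQUEST
  Port Status   : AUTHORIZED
--More--
rfs6000-81742D#
"""

# Fields present in a complete interface record (assumption: as in the GE1 block).
EXPECTED_FIELDS = ("auth sm state", "bend sm state", "port status",
                   "host mode", "auth vlan", "guest vlan")


def parse_dot1x(text):
    """Split 'show dot1x all' output into global settings and per-interface records."""
    result = {"global": {}, "interfaces": {}, "truncated": False}
    section = result["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if line == "--More--":  # pager stopped the output; later records are missing
            result["truncated"] = True
            continue
        m = re.match(r"802\.1X information for interface (\S+)$", line)
        if m:
            section = result["interfaces"].setdefault(m.group(1), {})
            continue
        if line.startswith("Supplicant MAC"):
            section["supplicant mac"] = line[len("Supplicant MAC"):].strip()
            continue
        key, sep, value = line.partition(":")
        if sep:  # prompts, titles and ruler lines carry no "key : value" pair
            section[key.strip().lower()] = value.strip()
    return result


def audit_dot1x(parsed):
    """Return (scope, finding) pairs for ports that are not enforcing 802.1X."""
    findings = []
    if parsed["global"].get("sysauthcontrol", "").lower() != "enabled":
        findings.append(("global", "sysauthcontrol-disabled"))
    for name, port in sorted(parsed["interfaces"].items()):
        if port.get("auth sm state", "").upper() == "FORCE AUTHORIZED":
            findings.append((name, "force-authorized"))
        missing = [f for f in EXPECTED_FIELDS if f not in port]
        if parsed["truncated"] and missing:
            findings.append((name, "record-incomplete"))
    return findings


if __name__ == "__main__":
    for scope, issue in audit_dot1x(parse_dot1x(DOT1X_OUTPUT)):
        print(f"{scope}: {issue}")
```

A "record-incomplete" finding means the capture should be repeated per interface (for example with `show dot1x interface ge 1`) before drawing conclusions about that port.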

6.1.20 dpi

Displays Deep Packet Inspection (DPI) statistics for all configured and canned applications. DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When DPI is enabled, packets of all flows are subjected to DPI to get accurate results. DPI identifies applications (such as Netflix, Twitter, Facebook, etc.) and also extracts metadata (such as host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.

Supported in the following platforms:
• Access Points — AP7522, AP7532, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

NOTE: The show > dpi command returns results only if executed on a device that supports DPI and has DPI logging enabled. DPI logging can be enabled either on the device or on the profile applied to the device. For more information, see dpi.

Syntax

show dpi [app|app-category|application|application-policy|per-category]
show dpi app wireless-clients stats <MAC> {on <DEVICE-OR-DOMAIN-NAME>}
show dpi [app|app-category] stats [<APPLICATION/APP-CATEGORY-NAME>|all] {on <DEVICE-OR-DOMAIN-NAME>}
show dpi application-policy stats <APPLICATION-POLICY-NAME> {on <DEVICE-OR-DOMAIN-NAME>}
show dpi application brief
show dpi per-category stats <APP-CATEGORIES> [bytes-in|bytes-out|total-bytes] {on <DEVICE-OR-DOMAIN-NAME>}

Parameters

• show dpi app wireless-clients stats <MAC> {on <DEVICE-OR-DOMAIN-NAME>}

dpi app wireless-clients <MAC>
    Displays application-related statistics for all or a specified wireless client
    • <MAC> – Displays statistics for a specified wireless client. Specify the client’s MAC address.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Displays statistical data on a specified device or RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the access point, wireless controller, service platform, or RF Domain.

• show dpi [app|app-category] stats [<APPLICATION/APP-CATEGORY-NAME>|all] {on <DEVICE-OR-DOMAIN-NAME>}

dpi [app|app-category] stats
    Displays statistics for an application or application category
    • app – Displays statistics for a specified application or all applications
    • app-category – Displays statistics for a specified application category or all categories.
    Note: The applications are the RF Domain member allowed applications whose data (bytes) are passing through the WiNG managed network. The application categories are existing WiNG or user-defined application groups (video, streaming, mobile, audio, etc.) that assist administrators to permit or deny forwarding of application data.
[<APPLICATION/APP-CATEGORY-NAME>|all]
    This parameter is common to the ‘app’ and ‘app-category’ keywords.
    • <APPLICATION/APP-CATEGORY-NAME> – Displays statistics for a specified application or application category, depending on the option selected in the previous step. Specify the application name or application category name.
    • all – Displays statistics for all applications or application categories, depending on the option selected in the previous step
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Displays statistical data on a specified device or RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the access point, wireless controller, service platform, or RF Domain.

• show dpi application-policy stats <APPLICATION-POLICY-NAME> {on <DEVICE-OR-DOMAIN-NAME>}

dpi application-policy stats
    Displays statistics for an existing application policy
<APPLICATION-POLICY-NAME>
    Displays statistics for a specified application-policy. Specify the application-policy name.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Displays application-policy related statistical data on a specified device or RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the access point, wireless controller, service platform, or RF Domain.

• show dpi application brief

dpi application brief
    Displays a brief summary of applications, their status and configuration

• show dpi per-category stats <APP-CATEGORIES> [bytes-in|bytes-out|total-bytes] {on <DEVICE-OR-DOMAIN-NAME>}

dpi per-category stats
    Displays statistics for the top ten applications based on the application category and the Sort ID specified. The Sort ID options are: bytes-in, bytes-out or total-bytes.
<APP-CATEGORIES>
    Specify the application category name. The system displays statistics for the top ten applications in this category.
[bytes-in|bytes-out|total-bytes]
    Filters and displays statistical data for the top ten utilized applications in respect to the following:
    • bytes-in – Displays total data bytes uploaded through the controller managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
    • bytes-out – Displays total data bytes downloaded through the controller managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
    • total-bytes – Displays total data bytes (uploaded and downloaded) through the controller managed network. These are only the administrator allowed applications approved for proliferation within the managed network.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Displays statistical data on a specified device or RF Domain
    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the access point, wireless controller, service platform, or RF Domain.

Example

nx9500-6C8809>show dpi application brief
    1-clickshare-com
        This application recognizes DirectDownloadLink 1-clickshare
        traffic
        Application Category   : filetransfer
        Predefined Application : Yes
    1-upload-com
        This application recognizes DirectDownloadLink 1-upload-com
        traffic
        Application Category   : filetransfer
        Predefined Application : Yes
    1-upload-to
        This application recognizes DirectDownloadLink 1-upload-to
        traffic
        Application Category   : filetransfer
        Predefined Application : Yes
    10upload-com
        This application recognizes DirectDownloadLink 10upload-com
        traffic
        Application Category   : filetransfer
        Predefined Application : Yes
    123upload-pl
        This application recognizes DirectDownloadLink 123upload-pl
        traffic
--More--
nx9500-6C8809>

6.1.21 eguest

Displays EGuest server status and EGuest registration statistics

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax

eguest [registration statistics|status]

Parameters

• eguest [registration statistics|status]

registration statistics
Displays the EGuest registration statistics

status
Displays the current status of EGuest servers

Example

vx-eguest-primary#show eguest status
-----------------------------------
pid                 process
-----------------------------------
2521                 gmd
2529                 regserver
2539                 acct_server
2569                 guest_manager
2636                 acct_server
2642                 acct_server
2643                 acct_server
2649                 acct_server
2655                 acct_server
2708                 acct_server-helper
2770                 guest_manager
2776                 guest_manager
2777                 guest_manager
2783                 guest_manager
3628                 gmd
3630                 gmd
3631                 gmd
3632                 gmd
3633                 gmd
3634                 gmd
5729                 radiusd
-----------------------------------
Database server is local
Database server is reachable
vx-eguest-primary#

vx-eguest-primary#show eguest registration statistics
msg_received    - number of registration messages received
user_try_to_add - number of database add attempts
user_added      - number of messages succesfully added to db
user_failed     - number of messages failed adding to db
------------------------------------------------------------------------
msg_received      user_try_to_add          user_added      user_failed
------------------------------------------------------------------------
189                  11                         11            0
vx-eguest-primary#

6.1.22 environmental-sensor

Displays environmental sensor’s recorded data. The environmental sensor has to be enabled and configured in order to collect data related to humidity, light, motion, and temperature.

Supported in the following platforms:
• Access Points — AP8132

Syntax

show environmental-sensor [history|humidity|light|motion|summary|temperature|version]
show environmental-sensor history {<1-HOUR>|<20-MINUTE>|<24-HOUR>}
show environmental-sensor [humidity|light|motion|summary|temperature|version]

Parameters

• show environmental-sensor history {<1-HOUR>|<20-MINUTE>|<24-HOUR>}

environmental-sensor history
Displays environmental sensor history once in every hour, 20 minutes, or 24 hours
History includes the humidity, light, motion, and temperature data recorded by the sensor at specified time interval.

1-hour
Optional. Displays environmental sensor history once in every 1 (one) hour

20-minute
Optional. Displays environmental sensor history once in every 20 minutes

24-hour
Optional. Displays environmental sensor history once in every 24 hours

• show environmental-sensor [humidity|light|motion|summary|temperature|version]

environmental-sensor
Displays environmental sensor’s recorded data, based on the parameters passed. The system displays the specified recorded data.
The environmental sensor records data at the following intervals: 20 minutes, 1 hour, and 24 hours.

humidity
Displays the minimum, average, and maximum humidity recorded

light
Displays the minimum, average, and maximum light recorded

motion
Displays the minimum, average, and maximum motion recorded

temperature
Displays the minimum, average, and maximum temperature recorded

version
Displays the hardware and firmware versions

summary
Displays a summary of the data recorded at following intervals:

NOTE: The environmental sensor is supported only on an AP8132. When executed on any controller (other than an AP8132), the show > environmental-sensor > <parameters> command displays environmental-sensor details for adopted AP8132s (if any).

Example

ap8132-711728#show environmental-sensor summary
Maat Device uptime: 0 days 15:25:11
ERROR: Maat device is offline!
threshold polling-interval: 5
historical data polled 0 times per 2-minutes interval since Maat online
motion-sensor: Enabled(Demo)
  current value: 0 detected
  -------------------------------
                motion detected
  -------------------------------
  20-minute           0
  1-hour              0
  6-hour              0
  24-hour             0
temperature-sensor: Enabled(Demo)
  current value: -40.00 deg. C
  -------------------------------
                min/average/max
  -------------------------------
  20-minute         0/0/0
  1-hour            0/0/0
  6-hour            0/0/0
  24-hour           0/0/0
light-sensor: Enabled
  threshold-high:+400.00 threshold-low:+200.00 holdtime:11
  action radio-shutdown: radio-1 and radio-2
  light-on:1
  light-on/off event sent:0/0
  current value: 0.00 lux
  -------------------------------
                min/average/max
  -------------------------------
  20-minute         0/0/0
  1-hour            0/0/0
  6-hour            0/0/0
  24-hour           0/0/0
humidity-sensor: Enabled(Demo)
  current value: 0.00 %
  -------------------------------
                min/average/max
  -------------------------------
  20-minute         0/0/0
  1-hour            0/0/0
  6-hour            0/0/0
  24-hour           0/0/0
ap8132-711728#

ap8132-711634#show env-sensor history
Current Time: 2015-06-20 14:08:01 UTC
-------------------------------------------------------------------------------
     Sample-Interval          Motion    Temperature     Light       Humidity
                                          (deg. C)      (lux)         (%)
                                       ----------- min/average/max ------------
-------------------------------------------------------------------------------
20-minute                       1         64/65/66      77/80        58/60/61
1-hour                          24        63/67/70      75/81        57/59/61
6-hour                          128       60/62/69      71/79        52/56/71
24-hour                         188       54/58/70      15/45        49/57/73
ap8132-711634#

ap8132-711634#show env-sensor history 20-min
---------------------------------------------------------------------------------
timestamp                 Motion    Temperature    Light        Humidity
---------------------------------------------------------------------------------
2015-11-20 13:51:35 UTC     0           66          79            59
2015-11-20 13:53:35 UTC     0           66          79            59
2015-11-20 13:55:35 UTC     0           65          79            58
2015-11-20 13:57:35 UTC     1           66          80            59
2015-11-20 13:59:35 UTC     0           66          79            59
2015-11-20 14:02:35 UTC     0           65          79            60
2015-11-20 14:03:35 UTC     0           64          79            60
2015-11-20 14:05:35 UTC     2           66          80            60
2015-11-20 14:07:35 UTC     0           66          80            61
2015-11-20 14:09:35 UTC     0           66          80            61
ap8132-711634#

ap8132-711634#show env-sensor history 1-hr
----------------------------------------------------------------------------------
timestamp                 Motion    Temperature    Light        Humidity
----------------------------------------------------------------------------------
2015-11-20 13:51:35 UTC     0           66          79            59
2015-11-20 13:53:35 UTC     0           66          79            59
2015-11-20 13:55:35 UTC     0           65          79            58
2015-11-20 13:57:35 UTC     1           66          80            59
2015-11-20 13:59:35 UTC     0           66          79            59
2015-11-20 14:01:35 UTC     0           65          79            60
2015-11-20 14:03:35 UTC     0           64          79            60
2015-11-20 14:05:35 UTC     2           66          80            60
2015-11-20 14:07:35 UTC     0           66          80            61
2015-11-20 14:09:35 UTC     0           66          80            61
2015-11-20 14:42:35 UTC     0           65          81            60
2015-11-20 14:43:35 UTC     0           64          80            59
2015-11-20 14:45:35 UTC     3           66          80            60
ap8132-711634#

<DEVICE-NAME>#show env-sensor history 24-hr
----------------------------------------------------------------------------------
timestamp                 Motion    Temperature    Light        Humidity
----------------------------------------------------------------------------------
2015-11-20 10:10:20 UTC    27           66          80             60
2015-11-20 10:30:20 UTC    17           66          80             60
2015-11-20 10:50:20 UTC    17           66          81             60
2015-11-20 11:10:20 UTC    25           66          81             60
2015-11-20 11:30:20 UTC    24           66          81             60
2015-11-20 11:50:20 UTC    26           66          81             60
2015-11-21 08:10:20 UTC     9           65          80             59
2015-11-21 08:30:20 UTC     7           65          80             59
2015-11-21 08:50:20 UTC    12           65          80             60
2015-11-21 09:10:20 UTC    10           65          80             60
2015-11-21 09:30:20 UTC    15           65          80             60
2015-11-21 09:50:20 UTC    19           66          80             60
<DEVICE-NAME>#

6.1.23 event-history

Displays event history report

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show event-history {on <DEVICE-OR-DOMAIN-NAME>}

Parameters

• show event-history {on <DEVICE-OR-DOMAIN-NAME>}

event-history
Displays event history report

on <DEVICE-OR-DOMAIN-NAME>
Optional. Displays event history report on a device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example

nx9500-6C8809#show event-history
Generated on '2016-09-21 05:19:55 UTC' by 'admin'
2017-06-06 10:40:19 nx9500-6C8809  SYSTEM     LOGIN                Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-06-06 10:38:36 nx9500-6C8809  SYSTEM     LOGOUT               Logged out user 'admin' with privilege 'superuser' from '192.168.100.214'
2017-06-06 10:27:34 nx9500-6C8809  SYSTEM     LOGIN                Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-06-06 10:27:34 nx9500-6C8809  SYSTEM     LOGOUT               Logged out user 'admin' with privilege 'superuser' from '192.168.100.214'
2016-09-20 23:52:49     nx9500-6C8809  SYSTEM     LOGIN                Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2016-09-20 05:39:01     nx9500-6C8809  SYSTEM     LOGOUT               Logged out user 'admin' with privilege 'superuser' from '192.168.100.165'
2016-09-20 05:08:54     nx9500-6C8809  SYSTEM     LOGIN                Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
--More--
nx9500-6C8809#
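
The following is an added example, not part of this guide or of WiNG: a Python sketch that parses captured show event-history output in the layout of the example above and lists privileged LOGIN/LOGOUT records whose origin is an IP address outside an allowed management range. The function names, the allowed-range argument and the embedded sample (constructed from the lines shown above) are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the layout of the show event-history example output.
SAMPLE_OUTPUT = """\
nx9500-6C8809#show event-history
Generated on '2016-09-21 05:19:55 UTC' by 'admin'
2017-06-06 10:40:19 nx9500-6C8809  SYSTEM     LOGIN                Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-06-06 10:38:36 nx9500-6C8809  SYSTEM     LOGOUT               Logged out user 'admin' with privilege 'superuser' from '192.168.100.214'
2016-09-20 23:52:49     nx9500-6C8809  SYSTEM     LOGIN                Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2016-09-20 05:39:01     nx9500-6C8809  SYSTEM     LOGOUT               Logged out user 'admin' with privilege 'superuser' from '192.168.100.165'
--More--
"""

# timestamp, reporting host, module, event name, free-text message
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<module>\S+)\s+(?P<event>\S+)\s+(?P<message>.*)$"
)
# Fields carried by the LOGIN and LOGOUT messages shown in the example.
AUTH_RE = re.compile(
    r"user '(?P<user>[^']*)' with privilege '(?P<privilege>[^']*)' "
    r"from '(?P<origin>[^']*)'"
)


def parse_event_history(text):
    """Return one dict per event row; prompts, banners and --More-- are skipped."""
    events = []
    for line in text.splitlines():
        match = EVENT_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        auth = AUTH_RE.search(event["message"])
        if auth:
            event.update(auth.groupdict())
        events.append(event)
    return events


def origin_address(origin):
    """The origin field holds either a transport name ('ssh') or an IP address."""
    try:
        return ipaddress.ip_address(origin)
    except ValueError:
        return None


def audit_privileged_sessions(events, allowed_networks, privileges=("superuser",)):
    """Privileged auth events whose origin address is outside allowed_networks."""
    networks = [ipaddress.ip_network(net) for net in allowed_networks]
    findings = []
    for event in events:
        if event.get("privilege") not in privileges:
            continue
        address = origin_address(event["origin"])
        if address is None:
            continue  # transport name only; no address to check on this row
        if not any(address in net for net in networks):
            findings.append(event)
    return sorted(findings, key=lambda e: e["ts"])


if __name__ == "__main__":
    parsed = parse_event_history(SAMPLE_OUTPUT)
    for hit in audit_privileged_sessions(parsed, ["192.168.100.214/32"]):
        print(hit["ts"], hit["host"], hit["event"], hit["user"], hit["origin"])
```

In the sample output the LOGIN rows carry only the transport name while the LOGOUT rows carry the client address, so the address check only ever fires on LOGOUT rows.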

6.1.24 event-system-policy

Displays detailed event system policy configuration

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show event-system-policy [config|detail] <EVENT-SYSTEM-POLICY-NAME>

Parameters

• show event-system-policy [config|detail] <EVENT-SYSTEM-POLICY-NAME>

event-system-policy
Displays event system policy configuration

config
Displays configuration for a specified policy

detail
Displays detailed configuration for a specified policy

<EVENT-SYSTEM-POLICY-NAME>
Specify the event system policy name.

Example

rfs6000-81742D(config)#show event-system-policy config testpolicy
--------------------------------------------------------------------------
MODULE          EVENT            SYSLOG    SNMP   FORWARD        EMAIL
--------------------------------------------------------------------------
aaa       radius-discon-msg      on        on      on         default
--------------------------------------------------------------------------
rfs6000-81742D(config)#

6.1.25 ex3500

Displays EX3500-related statistical data

Supported in the following platforms:
• Service Platforms — NX7500, NX9500

Syntax

show ex3500 [dir|interfaces|system|upgrade|version|whichboot]
show ex3500 dir {boot-rom|config|on|opcode} {<FILE-NAME>} {on <EX3500-DEVICE-NAME>}
show ex3500 interfaces counters [ether-like stats|ethernet <1-1> <1-52>|ext-if-table stats|if-table stats|portUtil stats|rmon stats] {on <EX3500-DEVICE-NAME>}
show ex3500 [system|upgrade|version|whichboot] {on <EX3500-DEVICE-NAME>}

Parameters

• show ex3500 dir {boot-rom|config|on|opcode} {<FILE-NAME>} {on <EX3500-DEVICE-NAME>}

ex3500 dir
Displays EX3500 directory information based on the option selected. The options are: boot-rom, config, opcode
Note: If none of the specified options is selected, all EX3500 system-related information is displayed.

boot-rom
Optional. Displays only the Boot-ROM information

config
Optional. Displays only the configuration file

opcode
Optional. Displays only the run-time operation code

<FILE-NAME>
Displays the contents of a specified file identified by the <FILE-NAME> keyword. This is the name of configuration file or code image.

on <EX3500-DEVICE-NAME>
Optional. Executes the command on a specified EX3500 device
• <DEVICE-NAME> – Specify the device’s name.

• show ex3500 interfaces counters [ether-like stats|ethernet <1-1> <1-52>|ext-if-table stats|if-table stats|portUtil stats|rmon stats] {on <EX3500-DEVICE-NAME>}

ex3500 interfaces counters
Displays EX3500 interface counter information based on the option selected. The options are: ether-like, ethernet, ext-if-table, if-table, portUtil, rmon

ether-like stats
Displays Managed Information Base (MIB) object statistics for Ethernet-like interfaces

ethernet <1-1> <1-52>
Displays the Ethernet port statistics based on the unit identifier and port number selected
• <1-1> – Specify the EX3500 unit’s identifier from 1 - 1.
• <1-52> – Specify the port number from 1 - 52. This range varies for the EX3524 (1-28) and EX3548 (1-52) devices.
Note: This option displays the following for the selected Ethernet interface: extended interface table stats, interface table stats, port utilization information, and remote monitoring stats.

ext-if-table stats
Displays only the extended interface table statistics

if-table stats
Displays only the interface table statistics

portUtil stats
Displays only the port utilization information

rmon stats
Displays only remote monitoring (RMon) statistics

on <EX3500-DEVICE-NAME>
Optional. Executes the command on a specified EX3500 device
• <DEVICE-NAME> – Specify the device’s name.

• show ex3500 [system|upgrade|version|whichboot] {on <EX3500-DEVICE-NAME>}

ex3500
Displays the following information for a specified EX3500 device or all EX3500 devices in the managed network

system
Displays EX3500 system information, such as device description, OID string, up time, name, location, contact, MAC address, etc. Some of this information (for example, system name) is configurable, and if not configured is left blank.

upgrade
Displays the opcode upgrade configuration settings

version
Displays hardware and software version information for an EX3500 system

whichboot
Displays boot information

on <EX3500-DEVICE-NAME>
Optional. Executes the command on a specified EX3500 device
• <DEVICE-NAME> – Specify the device’s name.

Example

nx9500-6C8809#show ex3500 interfaces counters ethernet 1 17
Ethernet 1/ 17
===== IF table Stats =====
2166458 Octets Input
14734059 Octets Output
14707 Unicast Input
19806 Unicast Output
0 Discard Input
0 Discard Output
0 Error Input
0 Error Output
0 Unknown Protocols Input
0 QLen Output
===== Extended Iftable Stats =====
23 Multi-cast Input
5525 Multi-cast Output
170 Broadcast Input
11 Broadcast Output
===== Ether-like Stats =====
0 Alignment Errors
0 FCS Errors
0 Single Collision Frames
0 Multiple Collision Frames
0 SQE Test Errors
0 Deferred Transmissions
0 Late Collisions
0 Excessive Collisions
0 Internal Mac Transmit Errors
0 Internal Mac Receive Errors
0 Frames Too Long
0 Carrier Sense Errors
0 Symbol Errors
0 Pause Frames Input
0 Pause Frames Output
===== RMON Stats =====
0 Drop Events
16900558 Octets
40243 Packets
170 Broadcast PKTS
23 Multi-cast PKTS
0 Undersize PKTS
0 Oversize PKTS
0 Fragments
0 Jabbers
0 CRC Align Errors
0 Collisions
21065 Packet Size <= 64 Octets
3805 Packet Size 65 to 127 Octets
2448 Packet Size 128 to 255 Octets
797 Packet Size 256 to 511 Octets
2941 Packet Size 512 to 1023 Octets
9187 Packet Size 1024 to 1518 Octets
===== Port Utilization (recent 300 seconds) =====
0 Octets Input in kbits per second
0 Packets Input per second
0.00 % Input Utilization
0 Octets Output in kbits per second
0 Packets Output per second
0.00 % Output Utilization
nx9500-6C8809#

6.1.26 extdev

Displays external device (T5 or EX3500) configuration error history

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX9500, NX9510

Syntax

show extdev error history {on <T5/EX3500-DEVICE-NAME>}

Parameters

• show extdev error history {on <T5/EX3500-DEVICE-NAME>}

extdev error history
Displays external device error history. This command is applicable only to the external devices T5, and EX3500 series switches. Use this command to view configuration error history for all or a specified external device adopted and managed by a WiNG NX9500 series service platform.

on <T5/EX3500-DEVICE-NAME>
Optional. Displays configuration error history on a specified T5 or EX3500 device
• <T5/EX3500-DEVICE-NAME> – Specify the name of the device.

Example

nx9500-6C8809#show extdev error history on t5-ED5EAC
%% No History for this device
nx9500-6C8809#

6.1.27 file-sync

Displays file synchronization settings and status on a controller

The file-sync command syncs wireless-bridge certificate and trustpoint between the staging-controller and its adopted access points. The show > file-sync command displays information related to this process.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax

show file-sync [configuration|history|load-file-status|status] {on <DEVICE-OR-DOMAIN-NAME>}

Parameters

• show file-sync [configuration|history|load-file-status|status] {on <DEVICE-OR-DOMAIN-NAME>}

file-sync
Displays the following file-synchronization (trustpoint and wireless-bridge certificate) related information: configuration, history, load-file-status, and status

configuration
Displays the following file-synchronization configuration details:
• Automatic file-syncing enabled or disabled. The default setting is disabled.
The X.509 certificate needs synchronization only if the access point’s radio2 is configured to use EAP-TLS authentication. In that case, the PKCS#12 certificate needs to be pushed on AP adoption. To enable automatic file syncing, in the controller’s device/profile configuration mode, execute the file-sync > auto command. For more information, see file-sync.
• Number of access points to which the certificate can be simultaneously uploaded. The default is 10.
To modify the number of simultaneous uploads, in the controller’s device/profile configuration mode, execute the file-sync > count <1-20> command. For more information, see file-sync.
• Details of the scheduled certificate upload, if any, such as time and date of upload.
To schedule certificate upload, use the file-sync > wireless-certificate command. For more information, see file-sync.

history
Displays file synchronization history. Use this option to view statistical data relating to wireless-bridge certificate synchronization between staging controller and its access points. When executed, a list of all certificate transfers made to the APs is displayed, with the latest transfer listed at the top.

load-file-status
Displays the status of the file upload to the controller. Use this command to view the status of an in-progress certificate upload. For more information on initiating a PKCS#12 certificate upload, see file-sync.

status
Displays status of the file synchronization between the controller and its adopted access point.

on <DEVICE-OR-DOMAIN-NAME>
Optional. Displays file synchronization settings and status on a specified device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the controller, service platform, or RF Domain.

Example

nx9500-6C8809#show file-sync configuration
File Sync Configuration Information
  Auto                           : Disabled
  Simultaneous Upload Count      : 128
  Wireless Bridge Cert Load Time : Thu May 29 23:23:35 2015
nx9500-6C8809#

nx9500-6C8809#show file-sync load-file-status
Download of wireless_bridge certificate is complete
nx9500-6C8809#

nx9500-6C8809#show file-sync history
-------------------------------------------------------------------------------------
     AP       RESULT          TIME    RETRIES    SYNCED-BY         LAST-SYNC-ERROR
-------------------------------------------------------------------------------------
AP6522-491220   done    2015-05-27 01:37:32   B4-C7-99-6C-88-09       -
ME733ANACBMOT21 done    2015-05-27 02:02:51   0 B4-C7-99-6C-88-09     -
nx9500-6C8809#

6.1.28 firewall

Displays wireless firewall information, such as Dynamic Host Configuration Protocol (DHCP) snoop table entries, denial of service statistics, active session summaries, etc.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show firewall [dhcp|flows|neighbors]
show firewall dhcp snoop-table {on <DEVICE-NAME>}
show firewall flows {filter|management|on|stats|wireless-client}
show firewall flows {filter} {(dir|dst port <1-65535>|ether|flow-type|icmp|icmpv6|igmp|ip|ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}
show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|wireless-client <MAC>|on <DEVICE-NAME>}
show firewall neighbors snoop-table {on <DEVICE-NAME>}

Parameters

• show firewall dhcp snoop-table {on <DEVICE-NAME>}

firewall dhcp snoop-table
Displays DHCP snoop table entries
• snoop-table – Displays DHCP snoop table entries
DHCP snooping acts as a firewall between non-trusted hosts and the DHCP server. Snoop table entries contain MAC address, IP address, lease time, binding type, and interface information of non-trusted interfaces.

on <DEVICE-NAME>
The following keyword is common to the ‘DHCP snoop table’ and ‘DoS stats’ parameters:
• on <DEVICE-NAME> – Optional. Displays snoop table entries, or DoS stats on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show firewall flows {filter} {(dir|dst|ether|flow-type|icmp|icmpv6|igmp|ip|ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}

firewall flows
Notifies a session has been established

filter
Optional. Defines additional firewall flow filter parameters

dir [wired-wired|wired-wireless|wireless-wired|wireless-wireless]
Optional. Matches the packet flow direction
• wired-wired – Wired to wired flows
• wired-wireless – Wired to wireless flows
• wireless-wired – Wireless to wired flows
• wireless-wireless – Wireless to wireless flows

dst port <1-65535>
Optional. Matches the destination port with the specified port
• port <1-65535> – Specifies the destination port number from 1 - 65535

ether [dst <MAC>|host <MAC>|src <MAC>|vlan <1-4094>]
Optional. Displays Ethernet filter options
• dst <MAC> – Matches only the destination MAC address
• host <MAC> – Matches flows containing the specified MAC address
• src <MAC> – Matches only the source MAC address
• vlan <1-4094> – Matches the VLAN number of the traffic with the specified value. Specify a value from 1 - 4094.

flow-type [bridged|natted|routed|wired|wireless]
Optional. Matches the traffic flow type
• bridged – Bridged flows
• natted – Natted flows
• routed – Routed flows
• wired – Flows belonging to wired hosts
• wireless – Flows containing a mobile unit

icmp {code|type}
Optional. Matches flows with the specified Internet Control Message Protocol (ICMP) version 4 code and type
• code – Optional. Matches flows with the specified ICMPv4 code
• type – Optional. Matches flows with the specified ICMPv4 type

icmpv6 {code|type}
Optional. Matches flows with the specified ICMP version 6 code and type
• code – Optional. Matches flows with the specified ICMPv6 code
• type – Optional. Matches flows with the specified ICMPv6 type

igmp
Optional. Matches Internet Group Management Protocol (IGMP) flows

ip [dst <IP>|host <IP>|proto <0-254>|src <IP>]
Optional. Filters firewall flows based on the IPv4 parameters passed
• dst <IP> – Matches destination IP address
• host <IP> – Matches flows containing IPv4 address
• proto <0-254> – Matches the IPv4 protocol number with the specified number
• src <IPv4> – Matches source IP address

ipv6 [dst <IPv6>|host <IPv6>|proto <0-254>|src <IPv6>]
Optional. Filters firewall flows based on the IPv6 parameters passed
• dst <IPv6> – Matches destination IPv6 address
• host <IPv6> – Matches flows containing IPv6 address
• proto <0-254> – Matches the IPv6 protocol number with the specified number
• src <IPv6> – Matches source IPv6 address

max-idle <1-4294967295>
Optional. Filters firewall flows idle for at least the specified duration. Specify a max-idle value from 1 - 4294967295 bytes.

min-bytes <1-4294967295>
Optional. Filters firewall flows with at least the specified number of bytes. Specify a min-bytes value from 1 - 4294967295 bytes.

min-idle <1-4294967295>
Optional. Filters firewall flows idle for at least the specified duration. Specify a min-idle value from 1 - 4294967295 bytes.

min-pkts <1-4294967295>
Optional. Filters firewall flows with at least the given number of packets. Specify a min-bytes value from 1 - 4294967295 bytes.

not
Optional. Negates the filter expression selected

port <1-65535>
Optional. Matches either the source or destination port. Specify a port from 1 - 65535.

src <1-65535>
Optional. Matches only the source port with the specified port. Specify a port from 1 - 65535.

tcp
Optional. Matches TCP flows

udp
Optional. Matches UDP flows

• show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|wireless-client <MAC>|on <DEVICE-NAME>}

firewall flows
Notifies a session has been established

management {on <DEVICE-NAME>}
Optional. Displays management traffic firewall flows
• on <DEVICE-NAME> – Optional. Displays firewall flows on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

stats {on <DEVICE-NAME>}
Optional. Displays active session summary
• on <DEVICE-NAME> – Optional. Displays active session summary on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

wireless-client <MAC>
Optional. Displays wireless clients firewall flows
• <MAC> – Specify the MAC address of the wireless client.

on <DEVICE-NAME>
Optional. Displays all firewall flows on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show firewall neighbors snoop-table {on <DEVICE-NAME>}

firewall neighbors snoop-table
Displays IPv6 neighbors snoop table entries

on <DEVICE-NAME>
Optional. Displays IPv6 neighbors snoop table entries on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example

rfs6000-81742D(config)#show fi
file-sync  firewall   file
rfs6000-81742D(config)#show firewall dhcp snoop-table
Snoop Binding <192.168.13.24, 00-15-70-81-74-2D, Vlan 1>
Type switch-SVI, Touched 427779 seconds ago
-------------------------------------------------------------------------------
rfs6000-81742D(config)#

rfs6000-81742D(config)#show firewall dos stats
--------------------------------------------------------------------------------
            ATTACK TYPE                 COUNT             LAST OCCURENCE
--------------------------------------------------------------------------------
  udp-short-hdr                      0             Never
  multicast-icmpv6                   0             Never
  icmp-router-solicit                0             Never
  tcp-xmas-scan                      0             Never
  ascend                             0             Never
  twinge                             0             Never
  tcp-post-syn                       0             Never
  land                               0             Never
  broadcast-multicast-icmp           0             Never
  ftp-bounce                         0             Never
  spoof                              0             Never
  source-route                       0             Never
  tcp-null-scan                      0             Never
  tcp-fin-scan                       0             Never
  ipv6-hop-limit-zero                0             Never
  tcp-bad-sequence                   97            0 days 02:24:32 ago
  fraggle                            0             Never
  router-advt                        0             Never
  snork                              0             Never
  raguard                            0             Never
--More--
rfs6000-81742D(config)#

rfs6000-81742D(config)#show firewall flows management
========== Flow# 1 Summary ==========
Forward:
IPv4 Vlan 1, TCP 192.168.13.10 port 1646 > 192.168.13.24 port 22
 00-02-B3-28-D1-55 > 00-15-70-81-74-2D, ingress port up1
 Egress port: <local>, Egress interface: vlan1, Next hop: <local> (00-15-70-81-74-2D)
 1170 packets, 99960 bytes, last packet 0 seconds ago
Reverse:
IPv4 Vlan 1, TCP 192.168.13.24 port 22 > 192.168.13.10 port 1646
 00-15-70-81-74-2D > 00-02-B3-28-D1-55, ingress port local
 Egress port: up1, Egress interface: vlan1, Next hop: 192.168.13.10 (00-02-B3-28-D1-55)
 873 packets, 98797 bytes, last packet 0 seconds ago
TCP state: Established
Flow times out in 1 hour 30 minutes
rfs6000-81742D(config)#

rfs6000-81742D(config)#show firewall flows stats
Active Flows       2
TCP/IPv4 flows     2
UDP/IPv4 flows     0
DHCP/IPv4 flows    0
ICMP/IPv4 flows    0
IPsec/IPv4 flows   0
TCP/IPv6 flows     0
UDP/IPv6 flows     0
DHCP/IPv6 flows    0
ICMP/IPv6 flows    0
IPsec/IPv6 flows   0
L3/Unknown flows   0
rfs6000-81742D(config)#
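
The following is an added example, not part of this guide or of WiNG: a Python sketch that parses captured show firewall dos stats output in the layout of the example above, lists attack types detected within a recent window, and compares two captures to find counters that increased between polls. The function names and the embedded sample (constructed from rows shown above) are assumptions.

```python
import re
from datetime import timedelta

# Constructed sample in the layout of the show firewall dos stats example output.
SAMPLE_OUTPUT = """\
rfs6000-81742D(config)#show firewall dos stats
--------------------------------------------------------------------------------
            ATTACK TYPE                 COUNT             LAST OCCURENCE
--------------------------------------------------------------------------------
  udp-short-hdr                      0             Never
  tcp-xmas-scan                      0             Never
  tcp-bad-sequence                   97            0 days 02:24:32 ago
  fraggle                            0             Never
--More--
"""

# One table row: attack name, cumulative count, then "Never" or an age.
ROW_RE = re.compile(
    r"^\s*(?P<attack>[a-z0-9][a-z0-9-]*)\s+(?P<count>\d+)\s+"
    r"(?:Never|(?P<d>\d+) days (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) ago)\s*$"
)


def parse_dos_stats(text):
    """Map attack type -> (count, age); age is None when the row says Never."""
    stats = {}
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if not row:
            continue  # prompt, header, separator or --More--
        age = None
        if row.group("d") is not None:
            age = timedelta(
                days=int(row.group("d")),
                hours=int(row.group("h")),
                minutes=int(row.group("m")),
                seconds=int(row.group("s")),
            )
        stats[row.group("attack")] = (int(row.group("count")), age)
    return stats


def recent_detections(stats, within):
    """Attack types last seen no longer ago than `within`, most recent first."""
    hits = [
        (attack, count, age)
        for attack, (count, age) in stats.items()
        if age is not None and age <= within
    ]
    return sorted(hits, key=lambda hit: hit[2])


def counter_deltas(previous, current):
    """Attack types whose cumulative count grew between two captures."""
    deltas = {}
    for attack, (count, _age) in current.items():
        before = previous.get(attack, (0, None))[0]
        if count > before:
            deltas[attack] = count - before
    return deltas


if __name__ == "__main__":
    snapshot = parse_dos_stats(SAMPLE_OUTPUT)
    for attack, count, age in recent_detections(snapshot, timedelta(hours=24)):
        print(f"{attack}: {count} detections, last seen {age} ago")
```

Because the counts are cumulative, alerting on the delta between two polls avoids re-raising the same old detections on every capture.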
6.1.29 global

Displays global information for network devices based on the parameters passed

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show global [device-list|domain]
show global device-list {filter {offline|online|rf-domain}}
show global device-list {filter {offline|online}}
show global device-list {filter rf-domain [<DOMAIN-NAME>|not <DOMAIN-NAME>]}
show global domain managers

Parameters
• show global device-list {filter {offline|online}}

global device-list
    Displays global information for all network devices. Use the following keywords to specify additional filters: offline, online, and rf-domain.
filter {offline|online}
    Optional. Specifies additional filters
    • offline – Optional. Displays global information for offline devices only
    • online – Optional. Displays global information for online devices only

• show global device-list {filter rf-domain [<DOMAIN-NAME>|not <DOMAIN-NAME>]}

global device-list
    Displays global information for all network devices. Use the following keywords to specify additional filters: offline, online, and rf-domain.
filter rf-domain [<DOMAIN-NAME>|not <DOMAIN-NAME>]
    Optional. Specifies additional filters
    • rf-domain – Optional. Displays global information for all devices in a specified RF Domain
        • <DOMAIN-NAME> – Optional. Displays information of all devices within the domain identified by the <DOMAIN-NAME> keyword
        • not <DOMAIN-NAME> – Optional. Displays information of all devices in domains not matching the <DOMAIN-NAME> keyword

• show global domain managers

global domain managers
    Displays global information for all RF Domains and managers in the network

Example
rfs6000-81742D(config)#show global device-list filter rf-domain TechPubs
--------------------------------------------------------------------------------------------------------------
           MAC      HOST-NAME       TYPE          CLUSTER        RF-DOMAIN        ADOPTED-BY     ONLINE
--------------------------------------------------------------------------------------------------------------
 00-15-70-81-74-2D   rfs6000-81742D  rfs6000     SiteConRFS6k         TechPubs B4-C7-99-6C-88-09   online
--------------------------------------------------------------------------------------------------------------
Total number of clients displayed: 1
rfs6000-81742D(config)#

rfs6000-81742D(config)#show global domain managers
-----------------------------------------------------------------------------------------------------
                    RF-DOMAIN                              MANAGER          HOST-NAME  APS  CLIENTS
-----------------------------------------------------------------------------------------------------
                        default   ? rf-domain manager 00-15-70-38-03-E7 not in configuration
                       TechPubs                    00-15-70-81-74-2D     rfs6000-81742D    0        0
-----------------------------------------------------------------------------------------------------
Total number of RF-domain displayed: 2
rfs6000-81742D(config)#

6.1.30 gre

Displays layer 2 Generic Routing Encapsulation (GRE) tunnel traffic flow information

GRE is one of the available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show gre info {detail} {(on <DEVICE-NAME>)}

Parameters
• show gre info {detail} {(on <DEVICE-NAME>)}

gre info
    Displays GRE tunnel information
detail
    Optional. Displays GRE tunnel information in detail, such as tunnel state, tunnel’s remote-end peer device’s IP address, session ID of an operational tunnel, total number of packets received and transmitted through the tunnel, and the number of dropped packets during tunneled exchanges between access point and a peer at the remote end of the tunnel.
on <DEVICE-NAME>
    Optional. Executes the command on a specified device
    • <DEVICE-NAME> – Specify the name of the access point, controller, or service platform.

Example
rfs6000-81742D#show gre info
Gre Tunnel info: Tunnel info not found
rfs6000-81742D#

6.1.31 guest-registration

Displays information on the performance of clients using guest access permissions to obtain network resources within the WiNG network. The reporting timeline can be adjusted as needed, as can the RF Domain(s) and WLAN(s) used to filter and report guest client statistics.

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
show guest-registration [age-range|backup-snapshots|browsers|client|devices|gender|loyalty-app-status|notification-status|os|social|user-trends|visitors] {on <DEVICE-NAME>}
show guest-registration backup-snapshots
show guest-registration [age-range|browsers|devices|gender|os|user-trends|visitors] time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}
show guest-registration client [email|mac|member|mobile|name|time]
show guest-registration client [email <EMAIL-ADDRESS>|mac <MAC>|member <MEMBER-ID>|mobile <MOBILE-NUMBER>|name <NAME>]
show guest-registration client time [1-Hour|10-Mins|15-Mins|2-Mins|30-Mins|30-Secs|5-Mins] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}
show guest-registration loyalty-app-status time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {rfdomain <RF-DOMAIN-NAME>|wlan <WLAN-NAME>}
show guest-registration notification-status
show guest-registration social time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {(facebook|rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>|google)}

Parameters
• show guest-registration backup-snapshots

guest-registration
    Displays guest registration statistics based on the parameters passed
backup-snapshots
    Displays a list of periodically backed up snapshots of the database. By default, the system maintains a snapshot of the database on a daily basis.
    Note: Use the service > guest-registration > backup [delete|restore] command to delete these snapshots and to restore deleted snapshots. For more information, see service.

• show guest-registration [age-range|browsers|devices|gender|os|user-trends|visitors] time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}

guest-registration
    Displays guest registration statistics based on the parameters and time entered. Optionally, use the ‘rfdomain’ and/or ‘wlan’ keywords to view guest registration statistics for a specified RF Domain and/or WLAN.
age-range
    Displays the age ranges of logged guest users for a selected time period
browsers
    Displays the browsers used by guest users logged in within a selected time period
devices
    Displays the device types used by guest users logged in within a selected time period
gender
    Displays the gender of guest users logged in within a selected time period
os
    Displays the operating system (OS) of devices logged in within a selected time period
user-trends
    Displays guest user login trends for a selected time period. It displays statistical data, such as number of new users, number of return users, and total number of users.
visitors
    Displays type of visitors logged in within a selected time period
time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]
    Displays guest registration statistics for a specified time period. The statistics displayed depend on the option selected in the previous step. Specify the time period using one of the following options:
    • 1-Day – Displays previous day’s statistics
    • 1-Month – Displays previous month’s statistics
    • 1-Week – Displays previous week’s statistics
    • 2-Hours – Displays last 2 hours statistics
    • 30-Mins – Displays last 30 minutes statistics
    • 5-Hours – Displays last 5 hours statistics
    • all – Displays statistics from the day the database was created
[rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>]
    Use the following options as additional filters:
    • rfdomain <DOMAIN-NAME> – Optional. Displays guest registration statistics for a specified RF Domain.
        • <DOMAIN-NAME> – Specify the RF Domain name.
    • wlan <WLAN-NAME> – Optional. Displays guest registration statistics for a specified WLAN.
        • <WLAN-NAME> – Specify the WLAN name.

• show guest-registration client [email <EMAIL-ADDRESS>|mac <MAC>|member <MEMBER-ID>|mobile <MOBILE-NUMBER>|name <NAME>]

guest-registration
    Displays guest registration statistics based on the parameters and time entered. Optionally, use the ‘rfdomain’ and/or ‘wlan’ keywords to view guest registration statistics for a specified RF Domain and/or WLAN.
client
    Displays statistical data for a specific client. Use the email, mac, member, mobile, or name keyword to specify the match criteria.
email <EMAIL-ADDRESS>
    Displays statistical data for the client with e-mail address matching the <EMAIL-ADDRESS> parameter
    • <EMAIL-ADDRESS> – Specify the client’s e-mail address.
mac <MAC>
    Displays statistical data for the client with MAC address matching the <MAC> parameter
    • <MAC> – Specify the client’s MAC address.
member <MEMBER-ID>
    Displays statistical data for the client with member ID matching the <MEMBER-ID> parameter
    • <MEMBER-ID> – Specify the client’s member ID.
mobile <MOBILE-NUMBER>
    Displays statistical data for the client with mobile number matching the <MOBILE-NUMBER> parameter
    • <MOBILE-NUMBER> – Specify the client’s mobile number.
name <NAME>
    Displays statistical data for the client with name matching the <NAME> parameter
    • <NAME> – Specify the client’s name.

• show guest-registration client time [1-Hour|10-Mins|15-Mins|2-Mins|30-Mins|30-Secs|5-Mins] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}

guest-registration
    Displays guest registration statistics based on the parameters and time entered. Optionally, use the ‘rfdomain’ and/or ‘wlan’ keywords to view guest registration statistics for a specified RF Domain and/or WLAN.
client
    Displays statistical data for all clients logged in within a specified time period
time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]
    Use one of the following options to specify the time period:
    • 1-Day – Displays previous day’s statistics
    • 1-Month – Displays previous month’s statistics
    • 1-Week – Displays previous week’s statistics
    • 2-Hours – Displays last 2 hours statistics
    • 30-Mins – Displays last 30 minutes statistics
    • 5-Hours – Displays last 5 hours statistics
    • all – Displays entire statistics, from the day the database was created
[rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>]
    Use the following options as additional filters:
    • rfdomain <DOMAIN-NAME> – Optional. Displays guest registration statistics for a specified RF Domain.
        • <DOMAIN-NAME> – Specify the RF Domain name.
    • wlan <WLAN-NAME> – Optional. Displays guest registration statistics for a specified WLAN.
        • <WLAN-NAME> – Specify the WLAN name.

• show guest-registration loyalty-app-status time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {rfdomain <RF-DOMAIN-NAME>|wlan <WLAN-NAME>}

guest-registration
    Displays guest registration statistics based on the parameters and time entered
loyalty-app-status
    Displays captive portal clients’ Loyalty Application analytics, such as the number of guest clients with loyalty application detection enabled, associating with the captive portal’s access point during a specified time period
    Loyalty application detection occurs on the access point to which the guest client is associated, allowing a retail administrator to assess whether a captive portal client is using specific retail (loyalty) applications in their captive portal.
    For more information on enabling loyalty application detection on a captive portal, see report-loyalty-application.
time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]
    Specifies the time period, using one of the following options:
    • 1-Day – Displays previous day’s captive portal clients’ Loyalty Application analytics
    • 1-Month – Displays previous month’s captive portal clients’ Loyalty Application analytics
    • 1-Week – Displays previous week’s captive portal clients’ Loyalty Application analytics
    • 2-Hours – Displays last 2 hours captive portal clients’ Loyalty Application analytics
    • 30-Mins – Displays last 30 minutes captive portal clients’ Loyalty Application analytics
    • 5-Hours – Displays last 5 hours captive portal clients’ Loyalty Application analytics
    • all – Displays the entire Loyalty Application analytics, from the day the database was created
{rfdomain <RF-DOMAIN-NAME>|wlan <WLAN-NAME>}
    Optional. Specifies the ‘rfdomain’ and/or ‘wlan’ to view guest registration statistics for a specified RF Domain and/or WLAN
    • rfdomain <RF-DOMAIN-NAME> – Displays Loyalty App analytics for a specified RF Domain
        • <RF-DOMAIN-NAME> – Specify the RF Domain name.
    • wlan <WLAN-NAME> – Displays Loyalty App analytics for a specified WLAN
        • <WLAN-NAME> – Specify the WLAN name.

• show guest-registration notification-status

guest-registration
    Displays guest registration statistics based on the parameters and time entered. Optionally, use the ‘rfdomain’ and/or ‘wlan’ keywords to view guest registration statistics for a specified RF Domain and/or WLAN.
notification-status
    Displays guest registration notification status

• show guest-registration social time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {(facebook|rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>|google)}

guest-registration social
    Displays the social sites used by guests to register. Optionally, use the ‘rfdomain’ and/or ‘wlan’ keywords to view social site used by guests of a specified RF Domain and/or WLAN.
time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]
    Displays social site statistics for a specified time period. Use one of the following time options:
    • 1-Day – Displays previous day’s statistics
    • 1-Month – Displays previous month’s statistics
    • 1-Week – Displays previous week’s statistics
    • 2-Hours – Displays last 2 hours statistics
    • 30-Mins – Displays last 30 minutes statistics
    • 5-Hours – Displays last 5 hours statistics
    • all – Displays the entire database
facebook
    Displays guest users using Facebook to log in
rfdomain <DOMAIN-NAME>
    Displays guest users for a specific RF Domain
    • <DOMAIN-NAME> – Specify the RF Domain name.
wlan <WLAN-NAME>
    Displays guest users for a specific WLAN
    • <WLAN-NAME> – Specify the WLAN name.
google
    Displays guest users using Google to log in

Example
nx9500-6C8809#show guest-registration age-range time all
Timeline: all
---------------------------------
AGE RANGE                 COUNT
---------------------------------
less_than_18             0 (  0%)
18_to_24                 1 ( 20%)
25_to_34                 0 (  0%)
35_to_44                 1 ( 20%)
45_to_54                 1 ( 20%)
55_to_64                 2 ( 40%)
greater_than_64          0 (  0%)
---------------------------------
nx9500-6C8809#

nx9500-6C8809#show guest-registration browsers time 1-Day rfdomain Test-rfdomain-10
RF Domain: Test-rfdomain-10  Timeline: 1-Day
-----------------------------------
BROWSER                            COUNT
-----------------------------------
Safari            1 ( 50%)
Chrome            1 ( 50%)
nx9500-6C8809#

nx9500-6C8809#show guest-registration devices time 30-Mins wlan Test-ssid-9
WLAN: Test-ssid-9  Timeline: 30-Mins
-------------------------------
  DEVICE             COUNT
-------------------------------
Windows PC           1 (100%)
nx9500-6C8809#

nx9500-6C8809#show guest-registration gender time all wlan Test-ssid-10 rfdomain Test-rfdomain-10
RF Domain: Test-rfdomain-10  WLAN: Test-ssid-10  Timeline: all
---------------------------------------------
  GENDER           COUNT
---------------------------------------------
Male               1 ( 50%)
Female             1 ( 50%)
Other              0 (  0%)
nx9500-6C8809#

nx9500-6C8809#show guest-registration gender time all wlan Test-ssid-10 rfdomain Test-rfdomain-9
%% No guests registered for specified inputs.
nx9500-6C8809#

nx9500-6C8809#show guest-registration os time 1-Day
Timeline: 1-Day
-------------------------------
    OS               COUNT
-------------------------------
Windows 7            3 ( 30%)
Apple iOS            3 ( 30%)
Macintosh            3 ( 30%)
Windows 8            1 ( 10%)
nx9500-6C8809#

nx9500-6C8809#show guest-registration social time 30-Mins
Timeline: 30-Mins
---------------------------------------------
  SOCIAL            ONLINE          TOTAL
---------------------------------------------
google               1 (100%)       1 ( 10%)
Local                0 (  0%)       9 ( 90%)
nx9500-6C8809#

nx9500-6C8809#show guest-registration user-trends time all
Timeline: all
----------------------------------------------------------------------------
            SAMPLE RANGE                    NEW USERS   RETURN USERS   TOTAL
----------------------------------------------------------------------------
2014-2-16 - 2014-4-17                        0 (  0%)       0 (  0%)       0
2014-4-17 - 2014-6-16                        0 (  0%)       0 (  0%)       0
2014-6-16 - 2014-8-15                        0 (  0%)       0 (  0%)       0
2014-8-15 - 2014-10-14                       0 (  0%)       0 (  0%)       0
2014-10-14 - 2014-12-13                      0 (  0%)       0 (  0%)       0
2014-12-13 - 2015-2-11                      10 (100%)       0 (  0%)      10
----------------------------------------------------------------------------
nx9500-6C8809#

nx9500-6C8809#show guest-registration user-trends time 1-Day
Timeline: 1-Day
----------------------------------------------------------------------------
            SAMPLE RANGE                    NEW USERS   RETURN USERS   TOTAL
----------------------------------------------------------------------------
23:16 - 3:16                                 0 (  0%)       0 (  0%)       0
3:16 - 7:16                                  0 (  0%)       0 (  0%)       0
7:16 - 11:16                                 0 (  0%)       0 (  0%)       0
11:16 - 15:16                                0 (  0%)       0 (  0%)       0
15:16 - 19:16                                0 (  0%)       0 (  0%)       0
19:16 - 23:16                                0 (  0%)       0 (  0%)       0
----------------------------------------------------------------------------
nx9500-6C8809#

nx9500-6C8809#show guest-registration visitors time 30-Mins
Timeline: 30-Mins
-----------------------------------
  VISITORS        COUNT
-----------------------------------
New Users                7 ( 70%)
Return Users             3 ( 30%)
nx9500-6C8809#

nx9500-6C8809#show guest-registration client time 30-Mins email Guest_9@abc.com
-----------------------------------
ATTRIBUTE      VALUE
-----------------------------------
city           Brooklyn
wlan           Test-ssid-10
name           Guest_9
zip            11204
mobile         9131373709
gender         female
llogintime     2015-01-20 19:11:14.001000
mobileok       on
devtype        Windows PC
createtime     2015-01-20 18:27:14.001000
email          Guest_9@abc.com
mac            10-00-00-10-00-09
reg_type       otp
rfd            Test-rfdomain-10
agerange       <18
group          mac_reg_gr1
mid            1234100009
os             Windows 7
exptime        2015-11-16 19:21:14.001000
browser        Safari
-----------------------------------
nx9500-6C8809#

nx9500-6C8809#show guest-registration client time 30-Mins rfdomain Test-rfdomain-8
-----------------------------------
ATTRIBUTE      VALUE
-----------------------------------
loggedin       yes
wlan           Test-ssid-8
name           Guest_1
locale         en_US
llogintime     2015-01-20 19:15:14
devtype        Macintosh
exptime        2015-11-16 19:21:14
lname          Guest_100000
source         google
mac            10-00-00-10-00-01
email          Guest_1@abc.com
id             657669862939196
reg_type       device
fname          Test-Guest_1
rfd            Test-rfdomain-8
agerange       35-44
timezone       7
profilePic     https://www.google.com/user_id/657669862939196/
os             Macintosh
createtime     2015-01-20 18:45:14
group          mac_reg_gr1
browser        Chrome
-----------------------------------
city           Santa Cruz
group          mac_reg_gr1
name           Guest_2
zip            95062
mobile         3700870747
mid            1234100001
llogintime     2015-01-20 19:18:14
mobileok       on
devtype        Apple iPad
exptime        2015-11-16 19:21:14
createtime     2015-01-20 19:11:14
mac            10-00-00-10-00-02
reg_type       otp
rfd            Test-rfdomain-8
agerange       55-64
wlan           Test-ssid-8
os             Apple iOS
email          Guest_2@abc.com
browser        Chrome
-----------------------------------
city           Los Angeles
group          mac_reg_gr1
name           Guest_5
zip            90001
mobile         9129618672
mid            1234100005
llogintime     2015-01-20 19:20:14
devtype        Macintosh
exptime        2015-11-16 19:21:14
createtime     2015-01-20 19:05:14
mac            10-00-00-10-00-05
reg_type       device
rfd            Test-rfdomain-8
agerange       18-24
wlan           Test-ssid-8
os             Macintosh
email          Guest_5@abc.com
browser        Chrome
-----------------------------------
nx9500-6C8809#

nx7500-112233#show guest-registration loyalty-app-status time all
Timeline: all
---------------------------------------------
  LOYALTY APP STATUS             COUNT
---------------------------------------------
Loyalty App Users                  491 ( 49%)
Others                             510 ( 51%)
nx7500-112233#

6.1.32 interface

Displays configured system interfaces and their status

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show interface {<INTERFACE-NAME>|brief|counters|ge|me1|port-channel|pppoe1|switchport|vlan|wwan1}
show interface {<INTERFACE-NAME>|brief|counters|ge <1-4>|me1|port-channel <1-2>|pppoe1|switchport|vlan <1-4094>|wwan1} {on <DEVICE-NAME>}

Parameters
• show interface {<INTERFACE-NAME>|brief|counters|ge <1-4>|me1|port-channel <1-2>|pppoe1|switchport|vlan <1-4094>|wwan1} {on <DEVICE-NAME>}

interface
    Optional. Displays system interface status based on the parameters passed
<INTERFACE-NAME>
    Optional. Displays status of the interface specified by the <INTERFACE-NAME> parameter. Specify the interface name.
brief
    Optional. Displays a brief summary of the interface status and configuration
counters
    Optional. Displays interface Tx or Rx counters
ge <1-4>
    Optional. Displays Gigabit Ethernet interface status and configuration
    • <1-4> – Select the Gigabit Ethernet interface index from 1 - 4.
me1
    Optional. Displays Fast Ethernet interface status and configuration
port-channel <1-2>
    Optional. Displays port channel interface status and configuration
    • <1-2> – Specify the port channel index from 1 - 2.
pppoe1
    Optional. Displays PPP over Ethernet interface status and configuration
switchport
    Optional. Displays layer 2 interface status
vlan <1-4094>
    Optional. Displays VLAN interface status and configuration
    • <1-4094> – Specify the Switch Virtual Interface (SVI) VLAN ID from 1 - 4094.
wwan1
    Optional. Displays Wireless WAN interface status, configuration, and counters
on <DEVICE-NAME>
    The following keywords are common to all of the above interfaces:
    • on <DEVICE-NAME> – Optional. Displays interface related information on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
The following interfaces are available on an RFS6000 controller:

rfs6000-81742D(config)#show interface ?
  WORD          Interface name
  brief         Brief summary of interface status and configuration
  counters      Interface tx/rx counters
  ge            GigabitEthernet interface
  me1           FastEthernet interface
  on            On AP/Controller
  port-channel  Port-Channel interface
  pppoe1        PPP Over Ethernet interface
  switchport    Status of Layer2 interfaces
  up1           WAN Ethernet interface
  vlan          Switch VLAN interface
  wwan1         Wireless WAN interface
  |             Output modifiers
  >             Output redirection
  >>            Output redirection appending
  <cr>
rfs6000-81742D(config)#

rfs6000-81742D(config)#show interface  switchport
---------------------------------------------------------------------------------------
 INTERFACE          STATUS   MODE     VLAN(S)
---------------------------------------------------------------------------------------
 ge1                DOWN     access   1
 ge2                DOWN     access   1
 ge3                DOWN     access   1
 ge4                DOWN     access   1
 ge5                DOWN     access   1
 ge6                DOWN     access   1
 ge7                DOWN     access   1
 ge8                DOWN     access   1
 up1                UP       access   1
--More--
rfs6000-81742D(config)#

rfs6000-81742D(config)#show interface ge 1
Interface ge1 is DOWN
  Hardware-type: ethernet, Mode: Layer 2, Address: 00-15-70-81-74-2E
  Index: 2001, Metric: 1, MTU: 1500
  Speed: Admin Auto, Operational n/a, Maximum 1G
  Duplex: Admin Auto, Operational n/a
  Active-medium: n/a
  Switchport settings: access, access-vlan: 1
    Input packets 0, bytes 0, dropped 0
    Received 0 unicasts, 0 broadcasts, 0 multicasts
    Input errors 0, runts 0, giants 0
    CRC 0, frame 0, fragment 0, jabber 0
    Output packets 0, bytes 0, dropped 0
    Sent 0 unicasts, 0 broadcasts, 0 multicasts
    Output errors 0, collisions 0, late collisions 0
    Excessive collisions 0
rfs6000-81742D(config)#

rfs6000-81742D(config)#show interface  counters
--------------------------------------------------------------------------------------------------------------
    INTF            MAC           RX-PKTS     RX-BYTES     RX-DROP     TX-PKTS     TX-BYTES       TX-DROP
--------------------------------------------------------------------------------------------------------------
 me1        00-15-70-81-74-36   0           0            0           0           0            0
 vlan1      00-15-70-81-74-2D   1578154     279596323    0           82096       14710688     0
 ge1        00-15-70-81-74-2E   0           0            0           0           0            0
 ge2        00-15-70-81-74-2F   0           0            0           0           0            0
 ge3        00-15-70-81-74-30   0           0            0           0           0            0
 ge4        00-15-70-81-74-31   0           0            0           0           0            0
 ge5        00-15-70-81-74-32   0           0            0           0           0            0
 ge6        00-15-70-81-74-33   0           0            0           0           0            0
--More--
rfs6000-81742D(config)#

rfs6000-81742D(config)#show interface  vlan 1
Interface vlan1 is UP
  Hardware-type: vlan, Mode: Layer 3, Address: 00-15-70-81-74-2D
  Index: 5, Metric: 1, MTU: 1500
  IP-Address: 192.168.13.24/24
    input packets 1578392, bytes 279625825, dropped 0, multicast packets 0
    input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
    output packets 82159, bytes 14717966, dropped 0
    output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
    collisions 0
  IPv6 mode is disabled
rfs6000-81742D(config)#

nx9500-6C8809(config)#show interface switchport
---------------------------------------------------------------------------------------
 INTERFACE          STATUS   MODE     VLAN(S)
---------------------------------------------------------------------------------------
 ge1                UP       access   1
 ge2                DOWN     access   1
---------------------------------------------------------------------------------------
A '*' next to the VLAN ID indicates the native vlan for that trunk port
nx9500-6C8809(config)#

nx9500-6C8809(config)#show interface vlan 1
Interface vlan1 is UP
  Hardware-type: vlan, Mode: Layer 3, Address: B4-C7-99-6C-88-09
  Index: 5, Metric: 1, MTU: 1500
  IP-Address: 192.168.13.13/24
    input packets 4623946, bytes 568905032, dropped 0, multicast packets 0
    input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
    output packets 458235, bytes 90317187, dropped 0
    output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
    collisions 0
  IPv6 mode is disabled
nx9500-6C8809(config)#

nx9500-6C8809(config)#show interface ge 1
Interface ge1 is UP
  Hardware-type: ethernet, Mode: Layer 2, Address: 00-1E-67-4B-BF-BC
  Index: 2001, Metric: 1, MTU: 1500
  Speed: Admin Auto, Operational 1G, Maximum 1G
  Duplex: Admin Auto, Operational Full
  Active-medium: n/a
    Input packets 2326745, bytes 348775278, dropped 0
    Received 2326745 unicasts, 4367 broadcasts, 1219173 multicasts
    Input errors 0, runts 0, giants 0
    CRC 0, frame 0, fragment 0, jabber 0
    Output packets 1080901, bytes 244595966, dropped 0
    Sent 1080901 unicasts, 392 broadcasts, 132573 multicasts
    Output errors 0, collisions 0, late collisions 0
    Excessive collisions 0
nx9500-6C8809(config)#

nx9500-6C8809(config)#show interface counters
--------------------------------------------------------------------------------------------------------------
    INTF            MAC           RX-PKTS     RX-BYTES     RX-DROP     TX-PKTS     TX-BYTES       TX-DROP
--------------------------------------------------------------------------------------------------------------
 vlan1      B4-C7-99-6C-88-09   2571193     341672167    0           625888      90924957     0
 ge1        00-1E-67-4B-BF-BC   2326629     348759017    0           1080855     244588229    0
 ge2        00-1E-67-4B-BF-BD   0           0            0           0           0            0
 port..nel1 00-1E-67-4B-BF-BC   2326631     348759243    0           1080857     244588673    0
--------------------------------------------------------------------------------------------------------------
nx9500-6C8809(config)#
6.1.33 ip
show commands

Displays IP related information

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show ip [arp|bgp|ddns|default-gateways|dhcp|dhcp-vendor-options|domain-name|extcommunity-list|igmp|interface|name-server|nat|ospf|route|routing]
show ip arp {<VLAN-NAME>} {(on <DEVICE-NAME>)}
show ip bgp {<IP>|<IP/M>|community|community-list|filter-list|neighbors|on|paths|prefix-list|regexp|route-map|state|summary}
show ip ddns bindings {on <DEVICE-NAME>}
show ip dhcp [binding|networks|status]
show ip dhcp binding {manual} {(on <DEVICE-NAME>)}
show ip dhcp [networks|status] {on <DEVICE-NAME>}
show ip [default-gateways|dhcp-vendor-options|domain-name|name-server|routing] {on <DEVICE-NAME>}
show ip extcommunity-list [<1-500>|<NAME>]
show ip igmp snooping [mrouter|querier|vlan]
show ip igmp snooping [mrouter|querier] vlan <1-4095> {on <DEVICE-NAME>}
show ip igmp snooping vlan <1-4095> {<IP>} {(on <DEVICE-NAME>)}
show ip interface {<INTERFACE-NAME>|brief|on}
show ip interface {<INTERFACE-NAME>|brief} {(on <DEVICE-NAME>)}
show ip nat translations verbose {on <DEVICE-NAME>}
show ip route {<INTERFACE-NAME>|ge|me1|on|port-channel|pppoe1|vlan|wwan1}
show ip route {<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|vlan <1-4094>|pppoe1|wwan1} {(on <DEVICE-NAME>)}
show ip ospf {border-router|interface|neighbor|on|route|state}
show ip ospf {border-router|neighbor|route|on|state} {on <DEVICE-NAME>}
show ip ospf {interface} {vlan|on}
show ip ospf {interface} {vlan <1-4094>} {(on <DEVICE-NAME>)}

NOTE: The show ip ospf command is also available under the ‘profile’ and ‘device’ modes.

Parameters

• show ip arp {<VLAN-NAME>} {(on <DEVICE-NAME>)}

ip arp                  Displays Address Resolution Protocol (ARP) mappings
<VLAN-NAME>             Optional. Displays ARP mapping on a specified VLAN. Specify the VLAN name.
on <DEVICE-NAME>        The following keyword is recursive and common to the ‘vlan-name’ parameter:
                        • on <DEVICE-NAME> – Optional. Displays ARP configuration details on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ip bgp {<IP>|<IP/M>|community|community-list|filter-list|neighbors|on|paths|prefix-list|regexp|route-map|state|summary}

ip bgp                  Displays BGP routing table statistics based on the match criteria specified here. Routes matching the specified criteria are filtered. Use available options to filter the information displayed.
                        This command is applicable to the RFS4000, RFS6000, NX9XXX model devices.
<IP>                    Optional. Filters routes matching the specified IP address
<IP/M>                  Optional. Filters routes matching the specified network
community               Optional. Filters routes based on the community attribute specified. The options are:
                        • AA:NN – Filters routes based on the community number (AA: is the autonomous system number (ASN), NN: is the community number within the specified ASN)
                        • local-as – Filters routes carrying the local-as attribute (these routes are not sent outside the local AS)
                        • no-advertise – Filters routes carrying the no-advertise attribute (these routes are not advertised to any peers)
                        • no-export – Filters routes carrying no-export attribute (these routes are not exported to next AS)
community-list          Optional. Displays routes that are members of communities included in the specified BGP community-list
                        • <1-500> – Specify the community-list number.
                        • <WORD> – Specify the community-list name.
filter-list             Optional. Filters routes having AS-path matching the specified AS-path access list. Specify the AS-path ACL name.
neighbors               Optional. Displays BGP neighbor details. Specify the IP address to view a specific neighbor's details. Use one of the following options to filter information:
                        • advertised-routes – Displays route information for routes advertised to the selected neighbor device
                        • received-routes – Displays route information for routes received from the selected neighbor device
                        • routes – Displays the route information for routes learned from the selected neighbor device
                        If no neighbor IP address is specified, the system displays all neighbor-related routes on the logged device.
on <DEVICE-NAME>        Optional. Displays BGP routing table statistics on a specified device
                        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
paths                   Optional. Displays BGP path details
prefix-list <PREFIX-LIST-NAME>
                        Optional. Displays routes conforming to the specified prefix-list
                        • <PREFIX-LIST-NAME> – Specify the prefix list name.
regexp <LINE>           Optional. Displays routes matching the specified AS path regular expression
                        • <LINE> – Specify the regular expression.
route-map <ROUTE-MAP-NAME>
                        Optional. Displays routes matching the specified route map
                        • <ROUTE-MAP-NAME> – Specify the route map name.

• show ip ddns bindings {on <DEVICE-NAME>}

ip ddns                 Displays Dynamic Domain Name Server (DDNS) configuration details
bindings {on <DEVICE-NAME>}
                        Displays DDNS address bindings
                        • on <DEVICE-NAME> – Optional. Displays address bindings on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ip dhcp [networks|status] {on <DEVICE-NAME>}

ip dhcp                 Displays DHCP server related details, such as network and status
networks                Displays DHCP server network details
status                  Displays DHCP server status
on <DEVICE-NAME>        The following keyword is common to all of the above parameters:
                        • on <DEVICE-NAME> – Optional. Displays server status and network details on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ip dhcp binding {manual} {(on <DEVICE-NAME>)}

ip dhcp                 Displays the DHCP server configuration details
bindings                Displays DHCP address bindings
manual                  Optional. Displays static DHCP address bindings
on <DEVICE-NAME>        The following keyword is recursive and common to the ‘manual’ parameter:
                        • on <DEVICE-NAME> – Optional. Displays DHCP address bindings on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ip extcommunity-list [<1-500>|<NAME>]

ip extcommunity-list [<1-500>|<NAME>]
                        Displays the specified extended community list details
                        • <1-500> – Specify the extended community number from 1 - 500.
                        • <NAME> – Specify the extended community name.
                        This command is applicable to the RFS4000, RFS6000, NX95XX model devices.

• show ip [default-gateways|dhcp-vendor-options|domain-name|name-server|routing] {on <DEVICE-NAME>}

ip default-gateways     Displays all learnt default gateways
ip dhcp-vendor-options  Displays DHCP 43 parameters received from the DHCP server. This output includes the interface from which the option was learned.
ip domain-name          Displays the DNS default domain
ip name-server          Displays the DNS name server details
ip routing              Displays routing status
on <DEVICE-NAME>        The following keywords are common to all of the above parameters:
                        • on <DEVICE-NAME> – Optional. Displays IP related information, based on the parameters passed, on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ip igmp snooping [mrouter|querier] vlan <1-4095> {on <DEVICE-NAME>}

ip igmp snooping        Displays the IGMP snooping configuration
mrouter                 Displays the IGMP snooping multicast router (mrouter) configuration
querier                 Displays the IGMP snooping multicast querier configuration
vlan <1-4095> {on <DEVICE-NAME>}
                        Displays the IGMP snooping multicast router configuration for a VLAN
                        • <1-4095> – Specify the VLAN ID from 1 - 4095.
                        • on <DEVICE-NAME> – Optional. Displays the IGMP snooping mrouter configuration on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP or wireless controller.

• show ip igmp snooping vlan <1-4095> {<IP>} {(on <DEVICE-NAME>)}

ip igmp snooping        Displays the IGMP snooping configuration
vlan <1-4095>           Displays the VLAN IGMP snooping configuration
                        • <1-4095> – Specify the VLAN ID from 1 - 4095.
<IP>                    Optional. Specifies the multicast group IP address
on <DEVICE-NAME>        The following keyword is recursive and common to the ‘ip’ parameter:
                        • on <DEVICE-NAME> – Optional. Displays configuration details on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP or wireless controller.

• show ip interface {<INTERFACE-NAME>|brief} {(on <DEVICE-NAME>)}

ip interface            Displays the administrative and operational status of all layer 3 interfaces or a specified layer 3 interface
<INTERFACE-NAME>        Optional. Displays a specified interface status. Specify the interface name.
brief                   Optional. Displays a brief summary of all interface status and configuration
on <DEVICE-NAME>        The following keyword is recursive and common to the ‘interface-name’ and ‘brief’ parameters:
                        • on <DEVICE-NAME> – Optional. Displays interface status and summary, based on the parameters passed, on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ip nat translations verbose {on <DEVICE-NAME>}

ip nat translations     Displays Network Address Translation (NAT) translations
verbose                 Displays detailed NAT translations
                        • on <DEVICE-NAME> – Optional. Displays NAT translations on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ip route {<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|vlan <1-4094>|pppoe1|wwan1} {(on <DEVICE-NAME>)}

ip route                Displays route table details. The route tables use flags to distinguish between routes. The different flags are:
                        • C – Connected
                        • G – Gateway
                        • O – OSPF route
                        • S – Static route
                        Note: Flags ‘S’ and ‘O’ identify static learned routes and dynamic learned routes respectively.
<INTERFACE-NAME>        Optional. Displays route table details for a specified interface. Specify the interface name.
ge <1-4>                Optional. Displays GigabitEthernet interface route table details
                        • <1-4> – Specify the GigabitEthernet interface index from 1 - 4.
me1                     Optional. Displays FastEthernet interface route table details
port-channel <1-2>      Optional. Displays port channel interface route table details. Specify the port channel index from 1 - 2.
vlan <1-4094>           Optional. Displays VLAN interface route table details. Select the VLAN interface ID from 1 - 4094.
pppoe1                  Optional. Displays Point-to-point Protocol over Ethernet (PPPoE) interface route table details
wwan1                   Optional. Displays Wireless WAN route table details
on <DEVICE-NAME>        The following keywords are recursive and common to all of the above parameters:
                        • on <DEVICE-NAME> – Displays route table details, based on the parameters passed, on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ip ospf {border-router|interface|neighbor|route|on|state} {on <DEVICE-NAME>}

ip ospf                 Displays overall OSPF information
border-router           Optional. Displays details of all the border routers connected
interface {on| vlan <1-4094>} {on <DEVICE-NAME>}
                        Optional. Displays details of all the interfaces with OSPF enabled
                        • on <DEVICE-NAME> – Optional. Displays specified device details
                        • vlan <1-4094> – Displays VLAN interface details
                          • <DEVICE-NAME> – Specify the name of the AP or wireless controller.
neighbor                Optional. Displays an OSPF neighbors list
route                   Optional. Displays OSPF routes information
on <DEVICE-NAME>        Optional. Displays overall OSPF information on a specified device
                        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
state                   Optional. Displays an OSPF process state
on <DEVICE-NAME>        The following keywords are recursive and common to all of the above parameters:
                        • on <DEVICE-NAME> – Optional. Displays overall OSPF information, based on the parameters passed, on a specified device
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D(config)#show ip arp
--------------------------------------------------------------------------------
          IP                    MAC              INTERFACE           TYPE
--------------------------------------------------------------------------------
  192.168.13.10        00-02-B3-28-D1-55        vlan1          dynamic
  192.168.13.13        B4-C7-99-6C-88-09        vlan1          dynamic
  192.168.13.2         00-0F-8F-19-BA-4C        vlan1          dynamic
--------------------------------------------------------------------------------
rfs6000-81742D(config)#

rfs6000-81742D(config)#show ip interface brief
-------------------------------------------------------------------------------
 INTERFACE          IP-ADDRESS/MASK            TYPE        STATUS   PROTOCOL
-------------------------------------------------------------------------------
 me1                unassigned                 n/a         UP       down
 vlan1              192.168.13.24/24           primary     UP       up
-------------------------------------------------------------------------------
rfs6000-81742D(config)#

rfs6000-81742D(config)#show ip route
--------------------------------------------------------------------------------
     DESTINATION         GATEWAY       FLAGS   INTERFACE   METRIC    DISTANCE
--------------------------------------------------------------------------------
  default             192.168.13.2     S       vlan1       0        1
  192.168.13.0/24     0.0.0.0          C       vlan1       0        0
--------------------------------------------------------------------------------
Flags:  C - Connected G - Gateway O - OSPF  B - BGP  S - Static
Gateway: N - Normalized Gateway Address
rfs6000-81742D(config)#

rfs6000-81701D(config)#show ip route port-channel 1
--------------------------------------------------------------------------------
DESTINATION       GATEWAY        FLAGS    INTERFACE    METRIC  DISTANCE
--------------------------------------------------------------------------------
192.168.0.0/24    direct          C         me1         0        0
172.18.0.0/24     direct          C         vlan1       0        0
10.2.0.0/24       172.18.0.1      S         vlan1       0        1
default           192.168.13.2    S         vlan192     0        1
192.168.13.0/24   direct          C         vlan192     0        0
--------------------------------------------------------------------------------
Flags:  C - Connected G - Gateway O - OSPF  B - BGP  S - Static
Gateway: N - Normalized Gateway Address
rfs6000-81701D(config)#

nx9500-6C8809(config)#show ip routing on rfs6000-81742D
IP routing is enabled.
nx9500-6C8809(config)#

nx9500-6C8809(config)#show ip dhcp status
State of DHCP server: not-running
nx9500-6C8809(config)#

rfs6000-81701D(config)#show ip ospf state
 Maximum number of OSPF routes allowed: 9216
   Number of OSPF routes received: 0
   Ignore-count allowed: 5, current ingore-count: 0
   Ignore-time 60 seconds, reset-time 360 seconds
   Current OSPF process state: Running
rfs6000-81701D(config)#

rfs6000-81742D(config)#show ip route on ap7532-A2A56C
--------------------------------------------------------------------------------
    DESTINATION         GATEWAY      FLAGS   INTERFACE   METRIC     DISTANCE
--------------------------------------------------------------------------------
  169.254.0.0/16     0.0.0.0         C       vlan1       0        0
  default            192.168.9.2     CG      vlan1       0        1
  192.168.9.0/24     0.0.0.0         C       vlan1       0        0
--------------------------------------------------------------------------------
Flags:  C - Connected G - Gateway O - OSPF  B - BGP  S - Static
Gateway: N - Normalized Gateway Address
rfs6000-81742D(config)#

rfs6000-81742D(config)#show ip dhcp-vendor-options
--------------------------------------------------------------------------------
                  ITEM                        VALUE             INTERFACE
--------------------------------------------------------------------------------
  Server Info                            n/a               vlan1
  Firmware Image File                    n/a               vlan1
  Config File                            n/a               vlan1
  Legacy Adoption Info                   n/a               n/a
  AP Adoption Info                       n/a               n/a
  Controller Adoption Info               n/a               n/a
--------------------------------------------------------------------------------
rfs6000-81742D(config)#
6.1.34 ip-access-list
show commands

Displays IP access list statistics

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail|on}
show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail <IP-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}

NOTE: This command is not available in the USER EXEC Mode.

Parameters

• show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail <IP-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}

ip-access-list stats    Displays IP access list statistics
<IP-ACCESS-LIST-NAME>   Optional. Displays statistics for a specified IP access list. Specify the IP access list name.
detail <IP-ACCESS-LIST-NAME>
                        Optional. Displays detailed statistics for a specified IP access list. Specify the IP access list name.
on <DEVICE-NAME>        The following keyword is recursive and common to the ‘IP-ACCESS-LIST-NAME’ and ‘detail’ parameters:
                        • on <DEVICE-NAME> – Optional. Displays all or a specified IP access list statistics on a specified device.
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D(config)#show ip-access-list stats
IP Access-list: # Restrict Management ACL #
  permit tcp any any eq ftp rule-precedence 1
        Hitcount: 0
  permit tcp any any eq www rule-precedence 2
        Hitcount: 4
  permit tcp any any eq ssh rule-precedence 3
        Hitcount: 448
  permit tcp any any eq https rule-precedence 4
        Hitcount: 0
  permit udp any any eq snmp rule-precedence 5
        Hitcount: 0
  permit tcp any any eq telnet rule-precedence 6
        Hitcount: 4
rfs6000-81742D(config)#

The following example displays the ‘auto-tunnel-acl’ IP ACL configuration:

rfs4000-229D58(config)#ip access-list auto-tunnel-acl
rfs4000-229D58(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
permit ip host 200.200.200.99 any rule-precedence 3
rfs4000-229D58(config-ip-acl-auto-tunnel-acl)#

The following example displays the statistics for the ‘auto-tunnel-acl’ ACL:

rfs4000-229D58#show ip-access-list stats
IP Access-list: auto-tunnel-acl
  permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
        Hitcount: 0
  permit ip host 200.200.200.99 any rule-precedence 3
        Hitcount: 0
rfs4000-229D58#

nx9500-6C8809#show ip-access-list stats scaleacl | i 125
  permit ip host 125.1.1.1 any rule-precedence 125
        Hitcount: 893
        Hardware Hitcount: 3120
  permit ip host 125.2.1.1 any rule-precedence 346
        Hitcount: 0
        Hardware Hitcount: 0
nx9500-6C8809#
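The hit counters in the ‘show ip-access-list stats’ output above can be reviewed offline from a saved session. The following is an added example, not part of the WiNG guide or of any Extreme Networks tooling: it parses captured output, accepting counters on the rule's own line or on the lines after it, and lists permit rules for cleartext management services together with their hit counts. The ‘scaleacl’ header line in the sample, the set of services checked and all function names are assumptions of this example.

```python
import re

# Patterns for the text layout shown in this section.
ACL_RE = re.compile(r"^\s*IP(?:V6)? Access-list:\s*(.+?)\s*$", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*(permit|deny)\s+(.+?)\s+rule-precedence\s+(\d+)")
HIT_RE = re.compile(r"(Hardware\s+)?Hitcount:\s*(\d+)")
SERVICE_RE = re.compile(r"\beq\s+(\S+)")

# Assumption of this example: services treated as cleartext management access.
# snmp is left out because its exposure depends on the SNMP version in use.
CLEARTEXT_SERVICES = {"ftp", "www", "telnet"}

# Constructed sample built from the outputs shown in this section; the
# "IP Access-list: scaleacl" header line is assumed (the page shows only
# the filtered rule lines for that ACL).
SAMPLE = """\
IP Access-list: # Restrict Management ACL #
  permit tcp any any eq ftp rule-precedence 1
        Hitcount: 0
  permit tcp any any eq www rule-precedence 2
        Hitcount: 4
  permit tcp any any eq ssh rule-precedence 3
        Hitcount: 448
  permit tcp any any eq https rule-precedence 4
        Hitcount: 0
  permit udp any any eq snmp rule-precedence 5
        Hitcount: 0
  permit tcp any any eq telnet rule-precedence 6
        Hitcount: 4
IP Access-list: scaleacl
  permit ip host 125.1.1.1 any rule-precedence 125
        Hitcount: 893
        Hardware Hitcount: 3120
  permit ip host 125.2.1.1 any rule-precedence 346
        Hitcount: 0
        Hardware Hitcount: 0
"""


def parse_acl_stats(text):
    """Return one dict per ACL rule found in 'show ip-access-list stats' text."""
    rules, acl, current = [], None, None
    for line in text.splitlines():
        header = ACL_RE.match(line)
        if header:
            acl, current = header.group(1), None
            continue
        rule = RULE_RE.match(line)
        if rule:
            current = {
                "acl": acl,
                "action": rule.group(1),
                "match": rule.group(2),
                "precedence": int(rule.group(3)),
                "hits": None,
                "hw_hits": None,
            }
            rules.append(current)
        if current is None:
            continue  # prompt lines or counters with no preceding rule
        # Counters may share the rule's line or follow on their own lines.
        for hardware, count in HIT_RE.findall(line):
            current["hw_hits" if hardware else "hits"] = int(count)
    return rules


def audit_cleartext(rules):
    """List permit rules for cleartext management services with their usage."""
    findings = []
    for r in rules:
        svc = SERVICE_RE.search(r["match"])
        if r["action"] != "permit" or not svc:
            continue
        if svc.group(1) not in CLEARTEXT_SERVICES:
            continue
        status = "in use" if r["hits"] else "no hits"
        findings.append((r["acl"], r["precedence"], svc.group(1), r["hits"], status))
    return findings


if __name__ == "__main__":
    for acl, prec, service, hits, status in audit_cleartext(parse_acl_stats(SAMPLE)):
        print(f"{acl}: rule {prec} permits {service}, hitcount {hits} ({status})")
```

Rules reported with no hits are candidates for removal from the ACL; rules reported as in use identify management traffic to move to ssh or https before the permit is withdrawn.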
6.1.35 ipv6
show commands

Displays IPv6 related information

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show ipv6 [default-gateways|delegated-prefix|dhcp|hop-limit|interface|mld|name-server|neighbors|route]
show ipv6 [default-gateways|delegated-prefix|hop-limit|name-server] {on <DEVICE-NAME>}
show ipv6 dhcp [client received-options|relay status|status] {on <DEVICE-NAME>}
show ipv6 interface {<IF-NAME>|brief} {(on <DEVICE-NAME>)}
show ipv6 mld snooping [mrouter vlan <1-4095>|querier vlan <1-4095>|vlan <1-4095>] {on <DEVICE-NAME>}
show ipv6 neighbors <VLAN-NAME> {(on <DEVICE-NAME>)}
show ipv6 route {<IF-NAME>|ge <1-X>|me1|port-channel <1-2>|ppppoe1|serial <1-4>|t1e1 <1-4> <1-1>|up|vlan <1-4095>|wwan1|xge} {(on <DEVICE-NAME>)}

Parameters

• show ipv6 [default-gateways|delegated-prefix|hop-limit|name-server] {on <DEVICE-NAME>}

ipv6                    Displays IPv6 related information
default-gateways        Displays all learnt default gateways
delegated-prefix        Displays prefix delegation information
hop-limit               Displays the configured IPv6 hop count value
name-server             Displays DNS name servers
on <DEVICE-NAME>        This parameter is common to all of the above keywords.
                        • on <DEVICE-NAME> – Optional. Displays the specified information on a device (access point, wireless controller, or service platform)
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ipv6 dhcp [client received-options|relay status|status] {on <DEVICE-NAME>}

ipv6                    Displays IPv6 related information
dhcp                    Displays DHCPv6 related information
client received-options Displays DHCP options received from clients
relay status            Displays the DHCPv6 relay agent’s running status
status                  Displays the DHCPv6 stateless server daemon’s status. In case the DHCPv6 server is up and running, it also displays interface names.
on <DEVICE-NAME>        This parameter is common to all of the above keywords.
                        • on <DEVICE-NAME> – Optional. Displays the specified information on a device (access point, wireless controller, or service platform)
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ipv6 interface {<IF-NAME>|brief} {(on <DEVICE-NAME>)}

ipv6                    Displays IPv6 related information
interface {<IF-NAME>|brief}
                        Displays IPv6 status and configuration related information on a specified interface
                        • <IF-NAME> – Optional. Specify the interface name.
                        • brief – Optional. Displays a brief summary of IPv6 status and configuration on the specified interface
on <DEVICE-NAME>        This parameter is common to all of the above keywords.
                        • on <DEVICE-NAME> – Optional. Displays the specified information on a device (access point, wireless controller, or service platform)
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ipv6 mld snooping [mrouter vlan <1-4095>|querier vlan <1-4095>|vlan <1-4095>] {on <DEVICE-NAME>}

ipv6                    Displays IPv6 related information
mld snooping            Displays Multicast Listener Discovery Protocol (MLD) snooping related information
mrouter vlan <1-4095>   Displays IPv6 multicast router information on the specified VLAN
querier vlan <1-4095>   Displays IPv6 multicast querier information on the specified VLAN
vlan <1-4095>           Displays MLD snooping related information on the specified VLAN
on <DEVICE-NAME>        This parameter is common to all of the above keywords.
                        • on <DEVICE-NAME> – Optional. Displays the specified information on a device (access point, wireless controller, or service platform)
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ipv6 neighbors <VLAN-NAME> {(on <DEVICE-NAME>)}

ipv6                    Displays IPv6 related information
neighbors <VLAN-NAME>   Displays IPv6 neighbors on the specified VLAN
on <DEVICE-NAME>        Optional. Displays IPv6 neighbors on a specified device (access point, wireless controller, or service platform)
                        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show ipv6 route {<IF-NAME>|ge <1-X>|me1|port-channel <1-2>|ppppoe1|serial <1-4>|t1e1 <1-4> <1-1>|up|vlan <1-4095>|wwan1|xge} {(on <DEVICE-NAME>)}

ipv6                    Displays IPv6 related information
route                   Displays IPv6 route table
<IF-NAME>               Optional. Displays IPv6 route table for the interface identified by the <IF-NAME> keyword
ge <1-X>                Optional. Displays IPv6 route table for the selected GigabitEthernet interface
me1                     Optional. Displays IPv6 route table for the FastEthernet interface
port-channel <1-2>      Optional. Displays IPv6 route table for the selected port-channel interface
pppoe1                  Optional. Displays IPv6 route table for the PPP over Ethernet interface
vlan <1-4095>           Optional. Displays IPv6 route table for the selected VLAN interface
up                      Optional. Displays IPv6 route table for the WAN Ethernet interface
wwan1                   Optional. Displays IPv6 route table for the wireless WAN interface
xge <1-4>               Optional. Displays IPv6 route table for the selected TenGigabitEthernet interface
                        Applicable only for the NX9500 and NX9510 service platforms.
on <DEVICE-NAME>        This parameter is common to all of the above keywords.
                        • on <DEVICE-NAME> – Optional. Displays the specified information on a device (access point, wireless controller, or service platform)
                          • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D(config)#show ipv6 dhcp client received-options
DHCPv6 Client received options:
 Interface:
                None
 Server Identifier:
                None
 Client Identifier:
                None
 DNS Servers:
                None
 Domain Name:
                None
 Sip Servers:
                None
 Sip Domain Name:
                None
 Refresh Time:
                None
 Server Preference:
                None
 Vendor Options:
                None
rfs6000-81742D(config)#

rfs4000-229D58(config)#show ipv6 route
--------------------------------------------------------------------------------
      DESTINATION            GATEWAY           FLAGS            INTERFACE
--------------------------------------------------------------------------------
      2000:abcd::/64       fe80::300:1       S                vlan300
      default              fe80::11:1        R                vlan11
      4444:1111::/64       direct            C                vlan1
--------------------------------------------------------------------------------
Flags:  C - Connected G - Gateway S - Static R - IPv6-RA
rfs4000-229D58(config)#

rfs4000-229D58#show ipv6 default-gateways
--------------------------------------------------------------------------------
 Source: IPv6-RA                  Gateway-address : fe80::100:1
         Preference: medium           Status      : not-monitored
         Insatlled : NO               Interface   : vlan100
         Remaining Lifetime: 1471 sec
--------------------------------------------------------------------------------
 Source: IPv6-RA                  Gateway-address : fe80::1:2
         Preference: low              Status      : not-monitored
         Insatlled : NO               Interface   : vlan1
         Remaining Lifetime: 1488 sec
--------------------------------------------------------------------------------
 Source: Static-Route             Gateway-address : fe80::2000:1
         Preference: NA               Status      : unreachable
         Insatlled : NO               Interface   : vlan2000
         Remaining Lifetime: forever
--------------------------------------------------------------------------------
 Source: IPv6-RA                  Gateway-address : fe80::11:1
         Preference: high             Status      : reachable
         Insatlled : YES              Interface   : vlan11
         Remaining Lifetime: 1471 sec
--------------------------------------------------------------------------------
rfs4000-229D58#
6.1.36 ipv6-access-list
show commands

Displays IPv6 access list statistics

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show ipv6-access-list stats <IPv6-ACCESS-LIST-NAME> {(on <DEVICE-NAME>)}

NOTE: This command is not available in the USER EXEC Mode.

Parameters

• show ipv6-access-list stats <IPv6-ACCESS-LIST-NAME> {(on <DEVICE-NAME>)}

ipv6-access-list stats  Displays IPv6 access list statistics
<IPv6-ACCESS-LIST-NAME> Optional. Displays statistics for a specified IPv6 access list. Specify the IPv6 access list name.
                        If IPv6 ACL name is not provided, the system displays statistics for all ACLs configured and applied.
on <DEVICE-NAME>        Optional. Displays all or a specified IPv6 access list statistics on a specified device
                        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D#show ipv6-access-list stats
IPV6 Access-list: test
  deny ipv6 any any rule-precedence 20
        Hitcount: 4
rfs6000-81742D#
6.1.37 l2tpv3

Displays Layer 2 Tunnel Protocol Version 3 (L2TPv3) session information

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
l2tpv3 {on|tunnel|tunnel-summary}
l2tpv3 {on <DEVICE-NAME>}
l2tpv3 {tunnel <L2TPV3-TUNNEL-NAME>} {session <L2TPV3-SESSION-NAME>} {(on <DEVICE-NAME>)}
l2tpv3 {tunnel-summary} {down|on|up}
l2tpv3 {tunnel-summary} {on <DEVICE-NAME>}
l2tpv3 {tunnel-summary} {down|up} {on <DEVICE-NAME>}

NOTE: This command is not available in the USER EXEC mode.

Parameters
• l2tpv3 {on <DEVICE-NAME>}

l2tpv3 {on <DEVICE-NAME>}
    Displays L2TPv3 tunnel and session details or summary
    • on <DEVICE-NAME> – Optional. Displays L2TPv3 information on a specified access point or wireless controller
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• l2tpv3 {tunnel <L2TPV3-TUNNEL-NAME>} {session <L2TPV3-SESSION-NAME>} {(on <DEVICE-NAME>)}

l2tpv3
    Displays L2TPv3 tunnel and session details or summary
tunnel <L2TPV3-TUNNEL-NAME>
    Optional. Displays information for a specified L2TPv3 tunnel
    • <L2TPV3-TUNNEL-NAME> – Specify the L2TPv3 tunnel name.
session <L2TPV3-SESSION-NAME>
    Optional. Displays information for a specified L2TPv3 tunnel session
    • <L2TPV3-SESSION-NAME> – Specify the session name.
on <DEVICE-NAME>
    The following keyword is recursive and common to the ‘session <L2TPV3-SESSION-NAME>’ parameter.
    • on <DEVICE-NAME> – Optional. Displays L2TPv3 tunnel and session details, based on the parameters passed, on a specified device.
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• l2tpv3 {tunnel-summary} {on <DEVICE-NAME>}

l2tpv3
    Displays L2TPv3 tunnel and session details or summary
    For an L2TPv3 tunnel over Auto IPSec, the tunnel status is displayed as: Established (secured by ipsec)
tunnel-summary {on <DEVICE-NAME>}
    Optional. Displays L2TPv3 tunnel summary
    • on <DEVICE-NAME> – Optional. Displays the L2TPv3 tunnel summary on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• l2tpv3 {tunnel-summary} {down|up} {on <DEVICE-NAME>}

l2tpv3
    Displays L2TPv3 tunnel and session details or summary
tunnel-summary
    Optional. Displays the L2TPv3 tunnel summary, based on the parameters passed
down
    Optional. Displays un-established tunnels summary
up
    Optional. Displays established tunnels summary
on <DEVICE-NAME>
    The following keyword is common to the ‘down’ and ‘up’ parameters:
    • on <DEVICE-NAME> – Optional. Displays summary, for un-established or established tunnels, on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
ap7131-11E6C4#show l2tpv3 tunnel-summary
---------------------------------------------------------------------------------------
Sl No  Tunnel Name      Tunnel State            Estd/Total  Sessions   Encapsulation Protocol
---------------------------------------------------------------------------------------
1      testTunnel     Established (secured by ipsec)       1/1              IP
Total Number of Tunnels 1
ap7131-11E6C4#

ap7131-11E6C4#show l2tpv3
-------------------------------------------------------------------------------
Tunnel Name : testTunnel
  Control connection id : 2238970979
  Peer Address : 30.1.1.1
  Local Address : 30.1.1.30
  Encapsulation Protocol : IP
  MTU : 1460
  Peer Host Name : rfss
  Peer Vendor Name : Example Company
  Peer Control Connection ID : 322606389
  Tunnel State : Established (secured by ipsec)
  Establishment Criteria : always
  Sequence number of the next msg to the peer : 29
  Expected sequence number of the next msg from the peer :42
  Sequence number of the next msg expected by the peer : 29
  Retransmission count : 0
  Reconnection count : 0
  Uptime : 0 days 1 hours 2 minutes 47 seconds
  -------------------------------------------------------------------------------
  Session Name : session1
    VLANs : 30
    Pseudo Wire Type : Ethernet_VLAN
    Serial number for the session : 6
    Local Session ID : 129538998
    Remote Session ID : 8151374
    Size of local cookie (0, 4 or 8 bytes) : 0
    First word of local cookie : 0
    Second word of local cookie : 0
    Size of remote cookie (0, 4 or 8 bytes) : 0
    First word of remote cookie : 0
    Second word of remote cookie : 0
    Session state : Established
    Remote End ID : 444
    Trunk Session : 1
    Native VLAN tagged : Enabled
    Native VLAN ID : 0
    Number of packets received : 0
    Number of bytes received : 0
    Number of packets sent : 0
    Number of bytes sent : 0
    Number of packets dropped : 0
ap7131-11E6C4#
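The following is an added example, not part of the manual: a Python audit that parses "show l2tpv3" output in the "key : value" layout of the example above and flags tunnels whose state lacks the "(secured by ipsec)" marker, along with zero-size session cookies on those tunnels. The first tunnel in the sample is abridged from the example above; the second tunnel, its names and addresses, and the bare "Established" state string are constructed assumptions.

```python
# Audit `show l2tpv3` output for tunnels that are up without IPsec protection.
# Added illustration; the field names are taken from the example output above.

# First tunnel abridged from the manual's example; second tunnel is CONSTRUCTED.
SAMPLE = """\
ap7131-11E6C4#show l2tpv3
-------------------------------------------------------------------------------
Tunnel Name : testTunnel
  Peer Address : 30.1.1.1
  Tunnel State : Established (secured by ipsec)
  -------------------------------------------------------------------------------
  Session Name : session1
    Size of local cookie (0, 4 or 8 bytes) : 0
    Size of remote cookie (0, 4 or 8 bytes) : 0
    Session state : Established
Tunnel Name : branchTunnel
  Peer Address : 192.0.2.10
  Tunnel State : Established
  Session Name : voice
    Size of local cookie (0, 4 or 8 bytes) : 0
    Size of remote cookie (0, 4 or 8 bytes) : 8
    Session state : Established
ap7131-11E6C4#
"""


def parse_l2tpv3(text):
    """Return a list of tunnels, each with its fields and nested sessions."""
    tunnels = []
    tunnel = session = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, dashed rules, and prompt lines (they carry no colon).
        if not line or set(line) == {"-"} or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Tunnel Name":
            tunnel = {"name": value, "fields": {}, "sessions": []}
            tunnels.append(tunnel)
            session = None
        elif tunnel is None:
            continue  # noise before the first tunnel block
        elif key == "Session Name":
            session = {"name": value, "fields": {}}
            tunnel["sessions"].append(session)
        elif session is not None:
            session["fields"][key] = value
        else:
            tunnel["fields"][key] = value
    return tunnels


def audit(tunnels):
    """Return (tunnel, session-or-None, finding) tuples."""
    findings = []
    for t in tunnels:
        state = t["fields"].get("Tunnel State", "unknown").lower()
        secured = "secured by ipsec" in state
        if not state.startswith("established"):
            findings.append((t["name"], None, "tunnel-not-established"))
        elif not secured:
            findings.append((t["name"], None, "no-ipsec"))
        if secured:
            continue
        # RFC 3931 makes the data-channel cookie optional; with size 0 the
        # receiver matches data packets on the session ID alone.
        for s in t["sessions"]:
            for side in ("local", "remote"):
                size = s["fields"].get(f"Size of {side} cookie (0, 4 or 8 bytes)")
                if size == "0":
                    findings.append((t["name"], s["name"], f"no-{side}-cookie"))
    return findings


if __name__ == "__main__":
    for tunnel_name, session_name, finding in audit(parse_l2tpv3(SAMPLE)):
        print(tunnel_name, session_name or "-", finding)
```
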
6.1.38 lacp

Displays Link Aggregation Control Protocol (LACP) related information

Supported in the following platforms:
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show lacp [<1-4>|counters|details|sys-id]
show lacp <1-4> ([counters|details])
show lacp sys-id

NOTE: For more information on enabling dynamic LACP, see lacp, lacp-channel-group, and lacp.

Parameters
• show lacp <1-4> ([counters|details])

show lacp <1-4>
    Shows the LACP related information for a specified port-channel or all port-channels using LACP
    • <1-4> – Select the port-channel index number from 1 - 4. Note, LACP is supported only on the NX5500, NX7500, and NX9500 model service platforms. However, the NX9500 series service platforms support only two (2) port-channels, whereas the other model service platforms support four (4) port-channels.
    If the port-channel index number is not specified, the system displays LACP counters and details for all port-channels configured on the device.
counters
    Shows LACP counters for LACP-enabled port-channels. When passed without the <1-4> keyword, the system displays LACP counters for all configured port-channels. However, if the port-channel index number is specified, the system displays LACP counters only for the specified port-channel.
details
    Shows details for LACP-enabled port-channels. When passed without the <1-4> keyword, the system displays LACP details for all configured port-channels. However, if the port-channel index number is specified, the system displays LACP details only for the specified port-channel.

• show lacp sys-id

show lacp sys-id
    Shows the LACP related information for all LACP-enabled port-channels
    • sys-id – Shows the LACP system identifier and priority. This is the identifier assigned to the LACP peers (devices).

Example
NOC-controller#show interface port-channel 1
Interface port-channel1 is UP
  Hardware-type: aggregate, Mode: Layer 2, Address: 84-24-8D-7F-35-C8
  Index: 2018, Metric: 1, MTU: 1500
  Speed: Admin Auto, Operational 20G, Maximum 20G
  Duplex: Admin Auto, Operational Full
  Active-medium: n/a
  Channel-members: xge1 xge2
  Switchport settings: trunk, access-vlan: n/a
    Input packets 5121052, bytes 807510883, dropped 0
    Received 5121052 unicasts, 0 broadcasts, 516544 multicasts
    Input errors 0, runts 0, giants 0
    CRC 0, frame 0, fragment 0, jabber 0
    Output packets 4804420, bytes 1053174746, dropped 0
    Sent 4804420 unicasts, 0 broadcasts, 0 multicasts
    Output errors 0, collisions 0, late collisions 0
    Excessive collisions 0
NOC-controller#

NOC-controller#show interface port-channel 4
Interface port-channel4 is UP
  Hardware-type: aggregate, Mode: Layer 2, Address: 84-24-8D-7F-35-C4
  Index: 2016, Metric: 1, MTU: 1500
  Speed: Admin Auto, Operational 4G, Maximum 4G
  Duplex: Admin Auto, Operational Full
  Active-medium: n/a
  Channel-members: ge2 ge3 ge4 ge5
  Switchport settings: trunk, access-vlan: n/a
    Input packets 5848499493, bytes 8772550780653, dropped 0
    Received 5848499493 unicasts, 0 broadcasts, 120167 multicasts
    Input errors 0, runts 0, giants 0
    CRC 0, frame 0, fragment 0, jabber 0
    Output packets 362245, bytes 33129264, dropped 0
    Sent 362245 unicasts, 0 broadcasts, 0 multicasts
    Output errors 0, collisions 0, late collisions 0
    Excessive collisions 0
NOC-controller#

NOC-controller#show lacp counters
Port-Channel     Interface                  LACPDU                Marker             Packet error
                                        Sent       Recv       Sent       Recv       Sent       Recv
pc1              xge1                  11548      12479          0          0          0          0
pc1              xge2                  11550      12469          0          0          0          0
pc4              ge2                   14081      14041          0          0          0          0
pc4              ge3                   15877      15874          0          0          0          0
pc4              ge4                   15875      15874          0          0          0          0
pc4              ge5                   14064      14052          0          0          0          0
NOC-controller#

NOC-controller#show lacp details
Port-Channel pc1 Interface xge1:
  Actor admin port key                : 1
  Actor oper port key                 : 1
  Actor port priority                 : 32768
  Actor port number                   : 2011
  Actor admin port state              : ActiveLACP LongTimeout Aggregatable OUT_OF_SYNC Defaulted
  Actor oper port state               : ActiveLACP LongTimeout Aggregatable IN_SYNC Collecting Distributing
  Partner admin system ID             : 32768, 00-00-00-00-00-00
  Partner oper system ID              : 32768, 44-03-A7-BF-00-00
  Partner admin key                   : 0
  Partner oper key                    : 1
  Partner admin port priority         : 0
  Partner oper port priority          : 32768
  Partner admin port number           : 0
  Partner oper port number            : 286
  Partner admin port state            : PassiveLACP LongTimeout Aggregatable OUT_OF_SYNC Defaulted
  Partner oper port state             : ActiveLACP LongTimeout Aggregatable IN_SYNC Collecting Distributing
  Receive machine state               : Current
  Periodic transmission machine state : Slow periodic
  Mux machine state                   : Collecting/Distributing
Port-Channel pc1 Interface xge2:
  Actor admin port key                : 1
  Actor oper port key                 : 1
  Actor port priority                 : 32768
  Actor port number                   : 2012
  Actor admin port state              : ActiveLACP LongTimeout Aggregatable OUT_OF_SYNC Defaulted
 --More--
NOC-controller#
6.1.39 ldap-agent

Displays an LDAP agent’s join status (join status to an LDAP server domain)

When LDAP is specified as the external resource (as opposed to local RADIUS resources) to validate PEAP-MS-CHAP v2 authentication requests, user credentials and password information need to be made available locally to successfully connect to the external LDAP server. Up to two LDAP Agents (primary and secondary external resources) can be defined as external resources for PEAP-MS-CHAP v2 authentication requests.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show ldap-agent join-status {on <DEVICE-NAME>}

NOTE: This command is not available in the USER EXEC Mode.

Parameters
• show ldap-agent join-status {on <DEVICE-NAME>}

ldap-agent
    Displays LDAP agent related configuration
join-status
    Displays if the LDAP agent has successfully joined an LDAP server’s domain
on <DEVICE-NAME>
    Optional. Displays if the LDAP agent has successfully joined a specified LDAP server’s domain.
    • <DEVICE-NAME> – Specify the name of the device running the LDAP server (access point, wireless controller, or service platform).

Example
rfs6000-81701D#show ldap-agent join-status
Primary LDAP Server's agent join-status : Joined domain TEST.
Secondary LDAP Server's agent join-status : Not Configured
rfs6000-81701D#
6.1.40 licenses

Displays installed licenses and usage information

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show licenses {borrowed|lent}

Parameters
• show licenses {borrowed|lent}

licenses {borrowed|lent}
    Displays installed licenses and usage information
    • borrowed – Optional. Displays information on licenses borrowed
    • lent – Optional. Displays information on licenses lent

Usage Guidelines
The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC and the site controllers constitute the first and second tiers of the hierarchy respectively. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy. The site controllers may or may not be grouped to form clusters.

At the time of adoption, access points and adaptive access points are provided licenses by the adopting controller. These license packs can be installed on both the NOC and site controllers. When an AP/AAP is adopted by a controller, the controller pushes a license on to the device. At this point the various possible scenarios are:
• AP/AAP license packs installed on the NOC controller only.
  The NOC controller provides the site controllers with the AP licenses, ensuring that per platform limits are not exceeded.
• AP/AAP license packs installed on the NOC and site controllers.
  The site controller uses its installed licenses and, in case of a shortage, the site controller borrows additional licenses from the NOC. If the NOC controller is unable to allocate sufficient licenses, the site controller unadopts some of the AP/AAPs.
• AP/AAP license packs installed on one controller within a cluster.
  The site controller shares its installed and borrowed licenses with other cluster controllers.

Example
rfs4000-229D58#show licenses
Serial Number : 9184521800027
Device Licenses:
  AP-LICENSE
    String     : DEFAULT-6AP-LICENSE
    Value      : 6
    Borrowed   : 0
    Total      : 6
    Used       : 0
  AAP-LICENSE
    String     :
    Value      : 0
    Borrowed   : 0
    Total      : 0
    Used       : 0
  ADVANCED-SECURITY
    String     : DEFAULT-ADV-SEC-LICENSE
rfs4000-229D58#

The following example shows the show > licenses command output on a NOC controller:

nx9500-6C8809#show licenses
Serial Number : B4C7996C8809
Device Licenses:
  AP-LICENSE
    String     :
    Value      : 0
    Lent       : 0
    Total      : 0
    Used       : 0
  AAP-LICENSE
    String     : 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
    Value      : 10250
    Lent       : 0
    Total      : 10250
    Used       : 7
  HOTSPOT-ANALYTICS
    String     : 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
Total Licenses Including Licenses in Adopted Controllers:
  AP-LICENSE
    Value      : 14
    Used       : 1
  AAP-LICENSE
    Value      : 10250
    Used       : 7
nx9500-6C8809#

In the following example, the ‘VALIDITY(HRS)’ column specifies the validity period, in days and hours, of a lent license. On a NOC controller, a ‘VALIDITY(HRS)’ value of ‘current’ implies that the site controller is currently adopted, whereas a numerical ‘VALIDITY(HRS)’ value indicates the days and hours the lent license is valid for a site controller that is not reachable.

nx9500-6C8809#show licenses lent
------------------------------------------------------------------------------------------------------------
 MAC                HOST-NAME          TYPE  LENT  BORROWER-MAC       BORROWER-HOST-NAME  VALIDITY
------------------------------------------------------------------------------------------------------------
 B4-C7-99-6C-88-09  nx9500-6C8809      AAP   5     00-15-70-81-74-2D  rfs6000-81742D      current
 B4-C7-99-6C-88-09  nx9500-6C8809      AAP   9     B4-C7-99-6D-CD-4B  rfs7000-6DCD4B      97 days, 21 hours
------------------------------------------------------------------------------------------------------------
nx9500-6C8809#

rfs4000-881E4B#show licenses borrowed
-----------------------------------------------------------------------------
MAC                HOST-NAME          TYPE      BORROWED  VALIDITY
-----------------------------------------------------------------------------
00-15-70-37-FD-89  rfs7000-37FD89     AAP       2         99 days, 23 hours
00-15-70-81-70-1D  rfs6000-81701D     AP        1         99 days, 23 hours
-----------------------------------------------------------------------------
rfs4000-881E4B#

The following examples show the ‘show > licenses’ output on the devices participating in the process:

nx9500-6C8809>show licenses lent
------------------------------------------------------------------------------------------------------------
 MAC                HOST-NAME          TYPE  LENT  BORROWER-MAC       BORROWER-HOST-NAME  VALIDITY
------------------------------------------------------------------------------------------------------------
 B4-C7-99-6C-88-09  nx9500-6C8809      AAP   1     00-15-70-81-74-2D  rfs6000-81742D      current
 B4-C7-99-6C-88-09  nx9500-6C8809      AAP   9     B4-C7-99-6D-CD-4B  rfs7000-6DCD4B      99 days, 23 hours
------------------------------------------------------------------------------------------------------------
nx9500-6C8809>

rfs6000-81742D(config)#show licenses borrowed
-----------------------------------------------------------------------------
 MAC                HOST-NAME          TYPE      BORROWED  VALIDITY
-----------------------------------------------------------------------------
 B4-C7-99-6C-88-09  nx9500-6C8809      AAP       1         current
-----------------------------------------------------------------------------
rfs6000-81742D(config)#
6.1.41 lldp

Displays Link Layer Discovery Protocol (LLDP) information

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show lldp [neighbors|report]
show lldp neighbors {on <DEVICE-NAME>}
show lldp report {detail|on}
show lldp report {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}

Parameters
• show lldp neighbors {on <DEVICE-NAME>}

lldp
    Displays an LLDP neighbors table or aggregated LLDP neighbors table
neighbors
    Displays an LLDP neighbors table
on <DEVICE-NAME>
    Optional. Displays an LLDP neighbors table on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show lldp report {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}

lldp
    Displays an LLDP neighbors table or aggregated LLDP neighbors table
report detail
    Displays an aggregated LLDP neighbors table
    • detail – Optional. Displays detailed aggregated LLDP neighbors table
    Note: If the ‘on’ keyword is used without the ‘detail’ keyword, the system displays LLDP neighbors table summary on the specified device or RF Domain.
on <DEVICE-OR-DOMAIN-NAME>
    The following keyword is recursive and common to the ‘report detail’ parameter:
    • on <DEVICE-OR-DOMAIN-NAME> – Displays an aggregated LLDP neighbors table on a specified device or RF Domain
        • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
nx9500-6C8809#show lldp neighbors
-------------------------
Chassis ID: 00-18-71-D0-0B-00
System Name: TechPubs-ProCurve-Switch
Platform: ProCurve J8697A Switch 5406zl, revision K.12.1X, ROM K.11.03 (/sw/code/build/btm(sw_esp1))
Capabilities: Bridge  Router
Enabled Capabilities: Bridge
Local Interface: ge1, Port ID(Port Description) (outgoing port): 5(A5)
TTL: 113 sec
Management Addresses: 192.168.13.40
nx9500-6C8809#
6.1.42 logging

Displays the network’s activity log

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show logging {on <DEVICE-NAME>}

Parameters
• show logging {on <DEVICE-NAME>}

logging {on <DEVICE-NAME>}
    Displays logging information on a specified device
    • on <DEVICE-NAME> – Optional. Executes the command on a specified device.
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809#show logging
Logging module: enabled
    Aggregation time: disabled
    Console logging: level debugging
    Monitor logging: disabled
    Buffered logging: level warnings
    Syslog logging: level warnings
        Facility: local7
Log Buffer (1666269 bytes):
May 14 05:30:23 2015: nx9500-6C8809 : %DIAG-4-PWRSPLY_FAIL: Power supply failure, no longer redundant
May 14 05:30:13 2015: nx9500-6C8809 : %DEVICE-4-OFFLINE: Device B4-C7-99-74-B4-5C(ap8132-74B45C) is offline, last seen:10 minutes ago on switchport rfs6000-6DB5D4:ge1
May 14 05:20:16 2015: nx9500-6C8809 : %DIAG-4-PWRSPLY_FAIL: Power supply failure, no longer redundant
May 14 05:19:43 2015: nx9500-6C8809 : %DEVICE-4-OFFLINE: Device B4-C7-99-74-B4-5C(ap8132-74B45C) is offline, last seen:10 minutes ago on switchport rfs6000-380649:ge1
--More--
nx9500-6C8809#
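The following is an added example, not part of the manual: Python that parses the log buffer lines printed by "show logging" into timestamp, host, module, severity and event, collapses repeated events, and reports devices logged offline with more than one last-seen switchport. The sample lines are copied from the example above; reading the middle digit of %MODULE-n-EVENT as the standard syslog severity number is an assumption.

```python
# Triage the log buffer printed by `show logging`.
# Added illustration; the line format is inferred from the example output above.
import re
from collections import defaultdict
from datetime import datetime

# Log buffer lines copied from the manual's example.
SAMPLE = """\
Log Buffer (1666269 bytes):
May 14 05:30:23 2015: nx9500-6C8809 : %DIAG-4-PWRSPLY_FAIL: Power supply failure, no longer redundant
May 14 05:30:13 2015: nx9500-6C8809 : %DEVICE-4-OFFLINE: Device B4-C7-99-74-B4-5C(ap8132-74B45C) is offline, last seen:10 minutes ago on switchport rfs6000-6DB5D4:ge1
May 14 05:20:16 2015: nx9500-6C8809 : %DIAG-4-PWRSPLY_FAIL: Power supply failure, no longer redundant
May 14 05:19:43 2015: nx9500-6C8809 : %DEVICE-4-OFFLINE: Device B4-C7-99-74-B4-5C(ap8132-74B45C) is offline, last seen:10 minutes ago on switchport rfs6000-380649:ge1
--More--
"""

# <timestamp>: <host> : %<MODULE>-<severity>-<EVENT>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"(?P<host>\S+) : %(?P<module>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<event>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)
OFFLINE_RE = re.compile(
    r"Device (?P<mac>(?:[0-9A-F]{2}-){5}[0-9A-F]{2})\((?P<name>[^)]+)\) is offline"
    r".* on switchport (?P<port>\S+)"
)


def parse_buffer(text):
    """Return one dict per log line; headers, prompts and --More-- are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S %Y")
        event["sev"] = int(event["sev"])  # assumed syslog severity (4 = warning)
        events.append(event)
    return events


def summarize(events):
    """Collapse repeats: (host, module, event) -> count, first seen, last seen."""
    summary = {}
    for e in events:
        key = (e["host"], e["module"], e["event"])
        s = summary.setdefault(
            key, {"count": 0, "sev": e["sev"], "first": e["ts"], "last": e["ts"]}
        )
        s["count"] += 1
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    return summary


def offline_port_changes(events):
    """MACs reported offline with more than one 'last seen' switchport."""
    ports = defaultdict(set)
    for e in events:
        if (e["module"], e["event"]) != ("DEVICE", "OFFLINE"):
            continue
        m = OFFLINE_RE.search(e["msg"])
        if m:
            ports[m["mac"]].add(m["port"])
    return {mac: sorted(seen) for mac, seen in ports.items() if len(seen) > 1}


if __name__ == "__main__":
    parsed = parse_buffer(SAMPLE)
    for (host, module, event), s in summarize(parsed).items():
        print(f"{host} {module}/{event} sev={s['sev']} x{s['count']} "
              f"{s['first']:%H:%M:%S}..{s['last']:%H:%M:%S}")
    for mac, seen in offline_port_changes(parsed).items():
        print(f"{mac} went offline behind multiple switchports: {', '.join(seen)}")
```
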
6.1.43 mac-access-list

Displays MAC access list statistics

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show mac-access-list stats {<MAC-ACCESS-LIST-NAME>|on}
show mac-access-list stats {<MAC-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}

NOTE: This command is not present in USER EXEC mode.

Parameters
• show mac-access-list stats {<MAC-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}

mac-access-list stats
    Displays MAC access list statistics
<MAC-ACCESS-LIST>
    Optional. Displays statistics for a specified MAC access list. Specify the MAC access list name.
    Note: The system displays all configured ACL statistics if no ACL name is specified.
on <DEVICE-NAME>
    Optional. Displays all or a specified MAC access list statistics on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809#show mac-access-list stats scalemacacl | i 311
  permit D0-67-E5-3F-C0-00 FF-FF-FF-FF-F0-00  host 00-1E-EC-F2-0A-76 rule-precedence 311
        Hitcount: 0
        Hardware Hitcount: 0
nx9500-6C8809#
6.1.44 mac-address-table

Displays MAC address table entries

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show mac-address-table {on <DEVICE-NAME>}

Parameters
• show mac-address-table {on <DEVICE-NAME>}

mac-address-table
    Displays MAC address table entries
on <DEVICE-NAME>
    Optional. Displays MAC address table entries on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D(config)#show mac-address-table
--------------------------------------------------------
 BRIDGE VLAN PORT             MAC               STATE
--------------------------------------------------------
 1      1    up1              00-02-B3-28-D1-55 forward
 1      1    up1              00-0F-8F-19-BA-4C forward
 1      1    up1              84-24-8D-80-C2-AC forward
 1      1    up1              84-24-8D-80-BF-34 forward
 1      1    up1              1C-7E-E5-18-FA-67 forward
 1      1    up1              84-24-8D-83-30-A4 forward
 1      1    up1              B4-C7-99-DD-31-C8 forward
 1      1    up1              B4-C7-99-6C-88-09 forward
 1      1    up1              00-18-71-D0-1B-F3 forward
 1      1    up1              B4-C7-99-71-17-28 forward
 1      1    up1              FC-0A-81-42-93-6C forward
 1      1    up1              B4-C7-99-6D-CD-4B forward
 1      1    up1              84-24-8D-84-A2-24 forward
 1      1    up1              3C-CE-73-F4-47-83 forward
 1      1    up1              B4-C7-99-74-B4-5C forward
--------------------------------------------------------
Total number of MACs displayed: 15
rfs6000-81742D(config)#
6.1.45 mac-auth

Displays details of wired ports that have MAC address authentication enabled

Use this command to view MAC authentication configuration and authentication state. The command displays the current authentication state of the wired host, the authorization state of the Ge1 port, and the wired hosts’ MAC address. The port status displays as Authorized if the wired host has successfully authenticated and Not Authorized if the wired host has not authenticated or has failed MAC authentication.

For more information on enabling MAC address authentication on a wired port, see mac-auth.

Supported in the following platforms:
• Access Points — AP6511
• Wireless Controllers — RFS4000, RFS6000

Syntax
show mac-auth {all|interface|on}
show mac-auth {all|interface [<INTERFACE-NAME>|ge <1-5>|port-channel <1-3>|t1e1 <1-4>|up <1-2>|xge <1-4>]} {(on <DEVICE-NAME>)}

Parameters
• show mac-auth {all|interface [<INTERFACE-NAME>|ge <1-5>|port-channel <1-3>|t1e1 <1-4>|up <1-2>|xge <1-4>]} {(on <DEVICE-NAME>)}

mac-auth
    Displays MAC authentication related information for all interfaces or a specified interface
all
    Optional. Displays MAC authentication related information for all interfaces
interface [<INTERFACE-NAME>|ge <1-5>|port-channel <1-3>|t1e1 <1-4>|up <1-2>|xge <1-4>]
    Optional. Displays MAC authentication related information for a specified interface. Specify the interface using one of the following options:
    • <INTERFACE-NAME> – Selects the interface identified by the <INTERFACE-NAME> keyword
    • ge <1-5> – Selects the GigabitEthernet interface identified by the index number
    • port-channel <1-3> – Selects the port channel interface identified by the index number
    • t1e1 <1-4> – Selects the layer 2 interface (Ethernet port)
    • up <1-2> – Selects the WAN Ethernet interface identified by the index number
    • xge <1-4> – Selects the TenGigabitEthernet interface identified by the index number
on <DEVICE-NAME>
    The following keywords are common to the ‘all’ and ‘interface’ parameters:
    • on <DEVICE-NAME> – Optional. Displays MAC authentication related information on a specified device
        • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
    Note: When the ‘on’ keyword is used exclusively, without the ‘all’ and ‘interface’ options, the system displays MAC authentication related information for interfaces configured on the specified device.

Example
rfs4000-229D58(config)#show mac-auth all
AAA-Policy is none
Mac Auth info for interface GE1
-----------------------------------
 Mac Auth Enabled
 Mac Auth Not Authorized
Mac Auth info for interface GE2
-----------------------------------
 Mac Auth Disabled
 Mac Auth Not Authorized
Mac Auth info for interface GE3
-----------------------------------
 Mac Auth Disabled
 Mac Auth Not Authorized
Mac Auth info for interface GE4
-----------------------------------
 Mac Auth Disabled
 Mac Auth Authorized
Mac Auth info for interface GE5
-----------------------------------
 Mac Auth Disabled
 Mac Auth Not Authorized
Mac Auth info for interface UP1
-----------------------------------
 Mac Auth Disabled
 Mac Auth Not Authorized
rfs4000-229D58(config)#
6.1.46 mac-auth-clients

Displays MAC authenticated clients

Supported in the following platforms:
• Access Points — AP6511
• Wireless Controllers — RFS4000, RFS6000

Syntax
show mac-auth-clients [all|interface]
show mac-auth-clients all {on <DEVICE-NAME>}
show mac-auth-clients interface {<INF-NAME>|ge <1-X>|port-channel <1-2>|xge <1-4>}

Parameters
• show mac-auth-clients all {on <DEVICE-NAME>}

mac-auth-clients
    Displays MAC authenticated clients based on the parameters passed. The options are: all and interface.
all
    Displays MAC authenticated clients for all interfaces
on <DEVICE-NAME>
    Optional. Displays MAC authenticated clients for all interfaces on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show mac-auth-clients interface {<INF-NAME>|ge <1-X>|port-channel <1-2>|xge <1-4>}

mac-auth-clients
    Displays MAC authenticated clients based on the parameters passed. The options are: all and interface.
interface [<INF-NAME>|ge <1-X>|port-channel <1-2>|xge <1-4>]
    Displays MAC authenticated clients for the specified interface. Select the interface type from the following options:
    • <INF-NAME> – Optional. Displays MAC authenticated clients for the interface identified by the <INF-NAME> keyword. Specify the layer 2 (ethernet port) interface name.
    • ge <1-X> – Optional. Displays MAC authenticated clients for the selected GigabitEthernet interface. Specify the GE interface index from 1 - X. This will vary for different device types.
    • port-channel <1-2> – Optional. Displays MAC authenticated clients for the selected port channel interface. Specify the port channel interface index from 1 - 2.
    • xge <1-4> – Optional. Displays MAC authenticated clients for the selected TenGigabitEthernet interface. Specify the interface index from 1 - 4.
on <DEVICE-NAME>
    Optional. Displays MAC authenticated clients for the specified interface on a specified device
    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show mac-auth-clients interface ge 1
-----------------------------------------------
 MAC               STATE            INTERFACE
-----------------------------------------------
-----------------------------------------------
Total number of MACs displayed: 0
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
SHOW COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 1076.1.47 mintshow commandsDisplays MiNT protocol related statisticsSupported in the following platforms:• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000Syntaxshow mint [config|dis|id|info|known-adopters|links|lsp|lsp-db|mlcp|neighbors|route|stats|tunnel-controller|tunneled-vlans]show mint [config|id|info|known-adopters|route|stats|tunneled-vlans] {on <DEVICE-NAME>}show mint [dis|links|neighbors|tunnel-controller] {details} {(on <DEVICE-NAME>)}show mint lspshow mint lsp-db {details <MINT-ADDRESS>} {(on <DEVICE-NAME>)}show mint mlcp {history} {(on <DEVICE-NAME>)}Parameters• show mint [config|id|info|known-adopters|route|stats|tunneled-vlans] {on <DEVICE-NAME>}•  show mint [dis|links|neighbors|tunnel-controller] {details} {(on <DEVICE-NAME>)}mint Displays MiNT protocol information based on the parameters passedconfig Displays MiNT configurationid Displays local MiNT IDinfo Displays MiNT statusknown-adopters Displays known, possible, or reachable adoptersroute Displays MiNT route table detailsstats Displays MiNT related statisticstunneled-vlans Displays MiNT tunneled VLAN detailson <DEVICE-NAME> The following keywords are common to all of the above parameters:• on <DEVICE-NAME> – Optional. Displays MiNT protocol details on a specified device• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service plat-form.mint Displays MiNT protocol information based on the parameters passeddis Displays MiNT network Designated Intermediate Systems (DISes) and Ethernet Virtualization Interconnects (EVISes)links Displays MiNT networking link detailsneighbors Displays adjacent MiNT peer details
tunnel-controller   Displays details of MiNT VLAN network tunnel wireless controllers for extended VLAN load balancing
details {(on <DEVICE-NAME>)}
                    The following keywords are common to the ‘dis’, ‘links’, ‘neighbors’, and ‘tunnel-controller’ parameters:
                    • details – Optional. Displays detailed MiNT information
                    • on <DEVICE-NAME> – Optional. This is a recursive parameter, which displays MiNT information on a specified device.
                      • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show mint lsp

mint                Displays MiNT protocol information based on the parameters passed
lsp                 Displays this router's MiNT Label Switched Paths (LSPs)

• show mint lsp-db {details <MINT-ADDRESS>} {(on <DEVICE-NAME>)}

mint                Displays MiNT protocol information based on the parameters passed
lsp-db              Displays MiNT LSP database entries
details <MINT-ADDRESS>
                    Optional. Displays detailed MiNT LSP database entries
                    • <MINT-ADDRESS> – Specify the MiNT address in the AA.BB.CC.DD format.
on <DEVICE-NAME>    The following keyword is recursive and common to the ‘details’ parameter:
                    • on <DEVICE-NAME> – Optional. Displays MiNT LSP database entries on a specified device
                      • <DEVICE-NAME> – Specify the name of the AP or wireless controller

• show mint mlcp {history} {(on <DEVICE-NAME>)}

mint                Displays MiNT protocol information based on the parameters passed
mlcp                Displays IPv4 and IPv6 MiNT Link Creation Protocol (MLCP) status
                    This command displays the ‘hello-interval’ and ‘hold-time’ default values for both IP and VLAN links.
history             Optional. Displays MLCP client history
                    • on <DEVICE-NAME> – Optional. Displays MLCP client history on a specified device
on <DEVICE-NAME>    The following keyword is recursive and common to the ‘history’ parameter:
                    • on <DEVICE-NAME> – Optional. Displays MLCP client history on a specified device
                      • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809#show mint stats
9 Level-1 neighbors
Level-1 LSP DB size 26 LSPs (4 KB)
Last Level-1 SPFs took 0.000s
Level-1 SPF (re)calculated 818 times.
26 Level-1 paths.
0 Level-2 neighbors
Level-2 LSP DB size 0 LSPs (0 KB)
Last Level-2 SPFs took 0.000s
Level-2 SPF (re)calculated 0 times.
0 Level-2 paths.
nx9500-6C8809#
nx9500-6C8809#show mint lsp
id 19.6C.88.09, level 1, 9 adjacencies, 0 extended-vlans
seqnum 1476782, expires in 29 minutes, republish in 1362 seconds
161 bytes, can-adopt: True, adopted-by: 00.00.00.00, dis-priority 5, Level-2-gateway: False
hostname "nx9500-6C8809"
cluster id "TechPubs"
rf-domain "TechPubs", priority vector: 0x60dc0000
adjacent to 4D.83.30.A4, cost 10
adjacent to 4D.84.A2.24, cost 10
adjacent to 19.74.B4.5C, cost 10
adjacent to 19.6D.CD.4B, cost 10
adjacent to 19.DD.31.C8, cost 10
adjacent to 4D.80.C2.AC, cost 10
adjacent to 4D.80.BF.34, cost 10
adjacent to 19.71.17.28, cost 10
adjacent to 70.81.74.2D, cost 10
nx9500-6C8809#

nx9500-6C8809#show mint lsp-db
26 LSPs in LSP-db of 19.6C.88.09:
LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 9 adjacencies, seqnum 1476782
LSP 19.6C.8A.49 at level 1, hostname "nx9500-6C8A49pp", 9 adjacencies, seqnum 67397
LSP 19.6D.CD.4B at level 1, hostname "rfs7000-6DCD4B", 9 adjacencies, seqnum 1143297
LSP 19.71.17.28 at level 1, hostname "ap8132-711728", 9 adjacencies, seqnum 837272
LSP 19.72.D4.F4 at level 1, hostname "ap650-72D4F4", 2 adjacencies, seqnum 107768
LSP 19.72.D5.44 at level 1, hostname "ap4600-72D544", 9 adjacencies, seqnum 10889
LSP 19.72.E6.C4 at level 1, hostname "ap6532-72E6C4", 2 adjacencies, seqnum 109985
LSP 19.74.B4.5C at level 1, hostname "ap8132-74B45C", 9 adjacencies, seqnum 1659590
LSP 19.DD.31.C8 at level 1, hostname "rfs4000-DD31C8", 25 adjacencies, seqnum 1787045
LSP 1A.7C.D5.A4 at level 1, hostname "ap8222-7CD5A4", 9 adjacencies, seqnum 440488
LSP 1A.7E.79.E8 at level 1, hostname "ap8122-7E79E8", 9 adjacencies, seqnum 100282
LSP 1A.B1.9C.40 at level 1, hostname "ap7131-B19C40", 9 adjacencies, seqnum 95001
LSP 4D.80.BF.34 at level 1, hostname "Rajeev-AP", 9 adjacencies, seqnum 232516
LSP 4D.80.C2.AC at level 1, hostname "ap7532-80C2AC", 9 adjacencies, seqnum 842369
LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 9 adjacencies, seqnum 478482
LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 9 adjacencies, seqnum 562219
LSP 4D.8A.15.C8 at level 1, hostname "AP1", 1 adjacencies, seqnum 92687
LSP 68.88.10.D1 at level 1, hostname "rfs4000-8810D1", 9 adjacencies, seqnum 115580
LSP 70.38.03.E7 at level 1, hostname "rfs7000-3803E7", 9 adjacencies, seqnum 947279
LSP 70.81.74.2D at level 1, hostname "rfs6000-81742D", 9 adjacencies, seqnum 487287
LSP 75.A2.A4.90 at level 1, hostname "ap7532-A2A490", 4 adjacencies, seqnum 181692
LSP 75.A2.A4.B0 at level 1, hostname "ap7532-A2A4B0", 4 adjacencies, seqnum 180804
LSP 75.A2.A5.54 at level 1, hostname "ap7532-A2A554", 4 adjacencies, seqnum 156084
LSP 75.A2.A5.6C at level 1, hostname "Snap004-AceessPoint", 4 adjacencies, seqnum 169181
LSP 75.D1.AA.7A at level 1, hostname "ap7622-D1AA7A", 9 adjacencies, seqnum 5471
LSP 75.D1.B2.68 at level 1, hostname "ap7602-D1B268", 9 adjacencies, seqnum 6054
nx9500-6C8809#

nx9500-6C8809#show mint route
Destination : Next-Hop(s)
4D.84.A2.24 : 4D.84.A2.24 via vlan-1
1A.7C.D5.A4 : 19.DD.31.C8 via vlan-1
68.88.10.D1 : 19.DD.31.C8 via vlan-1
19.72.E6.C4 : 19.DD.31.C8 via vlan-1
75.A2.A5.54 : 19.DD.31.C8 via vlan-1
1A.B1.9C.40 : 19.DD.31.C8 via vlan-1
70.81.74.2D : 70.81.74.2D via vlan-1
19.6C.8A.49 : 19.DD.31.C8 via vlan-1
19.74.B4.5C : 19.74.B4.5C via vlan-1
19.6D.CD.4B : 19.6D.CD.4B via vlan-1
19.72.D5.44 : 19.DD.31.C8 via vlan-1
75.D1.AA.7A : 19.DD.31.C8 via vlan-1
75.A2.A4.B0 : 19.DD.31.C8 via vlan-1
19.71.17.28 : 19.71.17.28 via vlan-1
70.38.03.E7 : 19.DD.31.C8 via vlan-1
4D.80.C2.AC : 4D.80.C2.AC via vlan-1
19.6C.88.09 : 19.6C.88.09 via self
75.A2.A4.90 : 19.DD.31.C8 via vlan-1
1A.7E.79.E8 : 19.DD.31.C8 via vlan-1
19.DD.31.C8 : 19.DD.31.C8 via vlan-1
75.A2.A5.6C : 19.DD.31.C8 via vlan-1
19.72.D4.F4 : 19.DD.31.C8 via vlan-1
4D.83.30.A4 : 4D.83.30.A4 via vlan-1
4D.80.BF.34 : 4D.80.BF.34 via vlan-1
4D.8A.15.C8 : 19.DD.31.C8 via vlan-1
75.D1.B2.68 : 19.DD.31.C8 via vlan-1
nx9500-6C8809#

nx9500-6C8809#show mint known-adopters
19.6C.8A.49
nx9500-6C8809#

nx9500-6C8809#show min config
Base priority 5
DIS priority 5
Control priority 220
UDP/IP Mint encapsulation port 24576
Global Mint MTU 1500
nx9500-6C8809#

ap7532-15E6E4#show mint mlcp
MLCP VLAN state: MLCP_DONE
  Potential VLAN links: 1
  All VLANs were scanned 2 times
Link created on VLAN 1
MLCP IP state: MLCP_DISCOVERING
  Potential L3 Links:
    192.168.1.43
MCLP IP Hello Interval: 15s(default), Adjacency hold time: 46s(default)
MCLP VLAN Hello Interval: 4s(default), Adjacency hold time: 13s(default)
ap7532-15E6E4#
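The show mint lsp-db output lists every device that has published an LSP into the MiNT network, so a saved capture can be compared with an asset inventory to spot unexpected or renamed devices. The following Python script is an added example, not part of the vendor guide; the inventory is constructed and the sample capture is a constructed, trimmed copy of the output format shown above.

```python
import re

MINT_ID = r"(?:[0-9A-F]{2}\.){3}[0-9A-F]{2}"
# "26 LSPs in LSP-db of 19.6C.88.09:" -> declared entry count
HEADER_RE = re.compile(rf"^(\d+) LSPs in LSP-db of ({MINT_ID}):$")
# One database entry per line, in the format shown in the guide's example
LSP_RE = re.compile(
    rf'^LSP (?P<mint_id>{MINT_ID}) at level (?P<level>\d+), '
    r'hostname "(?P<hostname>[^"]*)", (?P<adj>\d+) adjacencies, seqnum (?P<seqnum>\d+)$'
)

# Constructed sample: header count adjusted to match the five lines kept.
SAMPLE_OUTPUT = """
5 LSPs in LSP-db of 19.6C.88.09:
LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 9 adjacencies, seqnum 1476782
LSP 19.6C.8A.49 at level 1, hostname "nx9500-6C8A49pp", 9 adjacencies, seqnum 67397
LSP 19.DD.31.C8 at level 1, hostname "rfs4000-DD31C8", 25 adjacencies, seqnum 1787045
LSP 4D.80.BF.34 at level 1, hostname "Rajeev-AP", 9 adjacencies, seqnum 232516
LSP 4D.8A.15.C8 at level 1, hostname "AP1", 1 adjacencies, seqnum 92687
"""

# Constructed inventory: MiNT ID -> hostname the device is expected to report.
INVENTORY = {
    "19.6C.88.09": "nx9500-6C8809",
    "19.6C.8A.49": "nx9500-6C8A49pp",
    "19.DD.31.C8": "rfs4000-DD31C8",
    "4D.80.BF.34": "ap7532-80BF34",
    "70.81.74.2D": "rfs6000-81742D",
}


def parse_lsp_db(text):
    """Return (declared_count, {mint_id: entry}) from captured lsp-db output."""
    declared, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            declared = int(header.group(1))
            continue
        m = LSP_RE.match(line)
        if m:
            entries[m["mint_id"]] = {
                "hostname": m["hostname"],
                "level": int(m["level"]),
                "adjacencies": int(m["adj"]),
            }
    return declared, entries


def audit(declared, entries, inventory):
    """Return a list of (kind, mint_id, detail) findings."""
    findings = []
    # A capture cut short (for example by pagination) would hide devices.
    if declared is None or declared != len(entries):
        findings.append(("incomplete-capture", "-",
                         f"parsed {len(entries)} of {declared} LSPs"))
    for mint_id, entry in sorted(entries.items()):
        if mint_id not in inventory:
            findings.append(("unknown-device", mint_id, entry["hostname"]))
        elif inventory[mint_id] != entry["hostname"]:
            findings.append(("hostname-mismatch", mint_id, entry["hostname"]))
    for mint_id in sorted(set(inventory) - set(entries)):
        findings.append(("missing-device", mint_id, inventory[mint_id]))
    return findings


if __name__ == "__main__":
    count, db = parse_lsp_db(SAMPLE_OUTPUT)
    for finding in audit(count, db, INVENTORY):
        print(*finding, sep="\t")
```
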
6.1.48 nsight

Displays NSight related information and also displays the database server status (reachable or not)

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
show nsight status

Parameters
• show nsight status

nsight              Displays the NSight module related status, such as:
                    • NSight is enabled or not on the device
                    • NSight report and aggregation daemon is running or not
                    • NSight alarm daemon is running or not
                    • NSight server daemon is running or not
                    • Database server is reachable or not

Example
nx9500-6C8809(config)#show nsight status
Nsight is enabled
 Nsight report and aggregation daemon is running
 Nsight alarm daemon is running
 Nsight server daemon is running
 Database server is local
 Database server is reachable
nx9500-6C8809(config)#
6.1.49 ntp

Displays Network Time Protocol (NTP) information. NTP enables clock synchronization within a network.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show ntp [associations|status]
show ntp [associations {detail|on}|status {on <DEVICE-NAME>}]

Parameters
• show ntp [associations {detail|on}|status {on <DEVICE-NAME>}]

ntp associations {detail|on}
                    Displays existing NTP associations. The interaction between the controller or service platform and a SNTP server constitutes an association. SNTP associations are of two kinds:
                    - peer associations - where a controller or service platform synchronizes to another system or allows another system to synchronize to it, or
                    - server associations - where only the controller or service platform synchronizes to the SNTP resource, not the other way around.
                    • detail – Optional. Displays detailed NTP associations
                    • on <DEVICE-NAME> – Optional. Displays NTP associations on a specified device
                      • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
                    Note: If the ‘on’ keyword is used without the ‘detail’ keyword, the system displays a summary of existing NTP associations on the specified device or RF Domain.
ntp status {on <DEVICE-NAME>}
                    Displays the performance (status) information relative to the NTP association status. Use this command to view the access point, controller, or service platform’s current NTP resource.
                    • on <DEVICE-NAME> – Optional. Displays NTP association status on a specified device
                      • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809#show ntp associations
-------------------------------------------------------------------------------------------------------------------
 STATUS   NTP SERVER IP ADDR   REF CLOCK IP ADDR   STRATUM   WHEN     POLL     REACH     DELAY     OFFSET    DISPERSION
-------------------------------------------------------------------------------------------------------------------
   ~      12.12.12.12          INIT                16        -        1024     0         0.0       0.0       15937.5
   ~      11.11.11.11          INIT                16        -        1024     0         0.0       0.0       15937.5
---------------------------------------------------------------------------------------
STATUS Notation: * master (synced), # master (unsynced), + selected, - candidate, ~ configured
nx9500-6C8809#

nx9500-6C8809#show ntp status
--------------------------------------------------------------------------------
           ITEM                                   VALUE
--------------------------------------------------------------------------------
  Leap                     Clock is unsynchronized
  Stratum                  16
  Reference                INIT
  Frequency                0.0000 Hz
  Precision                2^-20
  Reference time           00000000.00000000 (Feb 07 11:58:16 UTC 2036)
  Clock Offset             0.000 msec
  Root delay               0.000 msec
  Root Dispersion          0.000 msec
--------------------------------------------------------------------------------
nx9500-6C8809#
6.1.50 password-encryption

Displays password encryption status (enabled/disabled)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show password-encryption status

Parameters
• show password-encryption status

password-encryption status
                    Displays password encryption status (enabled/disabled)

Example
rfs6000-81742D(config)#show password-encryption status
Password encryption is enabled
rfs6000-81742D(config)#
6.1.51 pppoe-client

Displays Point-to-Point Protocol over Ethernet (PPPoE) client information

Use this command to view PPPoE statistics derived from access to high-speed data and broadband networks. PPPoE uses standard encryption, authentication, and compression methods as specified by the PPPoE protocol. PPPoE enables a point-to-point connection to an ISP over an existing Ethernet interface.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show pppoe-client [configuration|status] {on <DEVICE-NAME>}

Parameters
• show pppoe-client [configuration|status] {on <DEVICE-NAME>}

pppoe-client        Displays PPPoE client information (configuration and status)
configuration       Displays detailed PPPoE client configuration
status              Displays detailed PPPoE client status
on <DEVICE-NAME>    The following keywords are common to ‘configuration’ and ‘status’ parameters:
                    • on <DEVICE-NAME> – Optional. Displays detailed PPPoE client status or configuration on a specified device
                      • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809#show pppoe-client configuration
PPPoE Client Configuration:
+-------------------------------------------
|  Mode          : Disabled
|  Service Name  :
|  Auth Type     : pap
|  Username      :
|  Password      : fJx5O+5duPjaOaPuXmtLDQAAAAAmvgEXcQ1+eUK4ByHK4aRi
|  Idle Time     : 600
|  Keepalive     : Disabled
|  Local n/w     : vlan1
|  Static IP     : __wing_internal_not_set__
|  MTU           : 1492
+-------------------------------------------
nx9500-6C8809#
6.1.52 privilege

Displays a device’s existing privilege level

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show privilege

Parameters
None

Example
rfs6000-81742D(config)#show privilege
Current user privilege: superuser
rfs6000-81742D(config)#
6.1.53 radius

Displays the amount of access time consumed and the amount of access time remaining for all guest users configured on a RADIUS server

Every captive portal guest user can access the captive portal for a specified duration. This results in the following three scenarios:
• Scenario 1: Access duration not specified (in this case the default of 1440 minutes is applied)
• Scenario 2: Access duration is specified and is greater than 0
• Scenario 3: Access duration is specified and equals 0 (in this case the guest user has unlimited access)

In all three scenarios, the access time consumed is the duration for which the guest user has been logged in. The access time remaining, however, varies. It is calculated as follows:
• Scenarios 1 & 2 - It is the lesser of the following two values: the difference between the configured access duration and the time consumed, and the time until user account expiration.
• Scenario 3 - It is the time until user account expiration

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show radius [guest-users|server]
show radius guest-users {brief|<GUEST-USER-NAME>}
show radius server

Parameters
• show radius guest-users {brief|<GUEST-USER-NAME>}

radius guest-users {brief|<GUEST-USER-NAME>}
                    Displays the RADIUS server’s guest user access details: the total time for which the user has been logged in, and the amount of access time remaining.
                    • brief – Displays the total number of guest users provided RADIUS access
                    • <GUEST-USER-NAME> – Optional. Provide the name of the guest user (whose access details are to be viewed). If no name is provided, the system displays details of all guest users who have successfully logged in at least once.
                    Use this command in the captive-portal context to view time and data statistics for guest user(s) having bandwidth-based or time-based vouchers configured. In such a scenario, the system displays the following information: data configured, data remaining, configured and current bandwidths (for both downlink and uplink), time configured, and time remaining.
                    If a bandwidth-based voucher is not applicable to a guest user, the data configured and data remaining values are displayed as ‘unlimited’. The bandwidth columns are blank. If a time-based voucher is not applicable to a guest user, the only value displayed is the time remaining (which is the time till the expiration of the guest user’s account).
                    Note: For more information on configuring bandwidth-based and time-based vouchers, see user.

• show radius server

show radius server  Displays RADIUS server related statistical data

Example
rfs4000-229D58#show radius guest-users
         TIME (min:sec)
       USED    REMAINING   GUEST USER
       0:00         9:00   time9
       0:00         5:00   time5
       0:00        15:00   time15
       0:00    305416:35   notime
       2:31         7:29   time10
rfs4000-229D58#

The following example shows a RADIUS user pool with guest users having bandwidth-based, time-based, bandwidth and time based, and no bandwidth or time based vouchers:

rfs4000-229D58(config-captive-portal-wdws)#show context
radius-user-pool-policy wdws
 user time_and_data password 0 both group wdws guest expiry-time 12:00 expiry-date 12/31/2015 access-duration  8000 data-limit  500 committed-downlink  3000 committed-uplink  2000 reduced-downlink  1000 reduce4
 user neither password 0 nine group wdws guest expiry-time 12:00 expiry-date 12/31/2015
 user data_only password 0 data group wdws guest expiry-time 12:00 expiry-date 12/31/2015 data-limit  125 committed-downlink  1000 committed-uplink  800 reduced-downlink  500 reduced-uplink  400
rfs4000-229D58(config-captive-portal-wdws)#

The following example shows the captive portal access details for the above mentioned RADIUS user pool users:

rfs4000-229D58(config-captive-portal-wdws)#show radius guest-users
                       TIME (DD:HH:MM:SS)            DATA (kilobytes)                BANDWIDTH (kbps)
 GUEST USER          CONFIGURED     REMAINING    CONFIGURED    REMAINING    CFGD DN  CURR DN  CFGD UP  CURR UP
time_and_data       5:13:20:00    5:12:00:50        512000       433727       3000        0     2000        0
neither            till expiry  221:19:44:54     unlimited    unlimited
data_only          till expiry  221:19:44:54        128000       127587       1000        0      800        0
time_only           3:11:20:00    3:11:19:47     unlimited    unlimited
Current time: 17:15:07
rfs4000-229D58(config-captive-portal-wdws)#
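The remaining-time rule for the three scenarios of show radius guest-users, written out as an added Python example (not code from the vendor guide). The timestamps are constructed so that the results reproduce the REMAINING values of the ‘time10’ and ‘notime’ rows in the min:sec example; clamping negative results to zero is an assumption of this sketch.

```python
from datetime import datetime, timedelta

# Default applied when no access duration is specified (scenario 1, per the guide).
DEFAULT_ACCESS_MINUTES = 1440


def remaining_access(access_duration_min, consumed, now, account_expiry):
    """Access time remaining for a captive portal guest user.

    access_duration_min: None (not specified), 0 (unlimited) or minutes > 0.
    consumed: timedelta for which the guest user has been logged in.
    """
    # Assumption: an already expired account has zero time left.
    until_expiry = max(account_expiry - now, timedelta(0))
    if access_duration_min is None:          # scenario 1
        access_duration_min = DEFAULT_ACCESS_MINUTES
    if access_duration_min == 0:             # scenario 3: only expiry limits access
        return until_expiry
    # Scenarios 1 and 2: lesser of (duration - consumed) and time until expiry.
    budget_left = max(timedelta(minutes=access_duration_min) - consumed,
                      timedelta(0))
    return min(budget_left, until_expiry)


def fmt_min_sec(delta):
    """Format a timedelta in the min:sec style of the first example output."""
    seconds = int(delta.total_seconds())
    return f"{seconds // 60}:{seconds % 60:02d}"


# Constructed clock and account expiry (305416 min 35 s apart).
NOW = datetime(2015, 6, 1, 17, 15, 7)
EXPIRY = NOW + timedelta(minutes=305416, seconds=35)


def demo():
    """Remaining time for one user per scenario, keyed by user name."""
    users = [
        ("unset", None, timedelta(0)),                     # scenario 1
        ("time10", 10, timedelta(minutes=2, seconds=31)),  # scenario 2
        ("notime", 0, timedelta(0)),                       # scenario 3
    ]
    return {
        name: fmt_min_sec(remaining_access(duration, used, NOW, EXPIRY))
        for name, duration, used in users
    }


if __name__ == "__main__":
    for name, remaining in demo().items():
        print(f"{remaining:>12}   {name}")
```
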
6.1.54 reload

Displays scheduled reload information for a specific device

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show reload {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
• show reload {on <DEVICE-OR-DOMAIN-NAME>}

reload {on <DEVICE-OR-DOMAIN-NAME>}
                    Displays scheduled reload information for a specified device
                    • on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays configuration on a specified device
                      • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

NOTE: This command is not present in the USER EXEC mode.

Example
rfs6000-81742D(config)#show reload
No reload is scheduled.
rfs6000-81742D(config)#
6.1.55 rf-domain-manager

Displays RF Domain manager selection details

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show rf-domain-manager {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
• show rf-domain-manager {on <DEVICE-OR-DOMAIN-NAME>}

rf-domain-manager   Displays RF Domain manager selection details
on <DEVICE-OR-DOMAIN-NAME>
                    Optional. Displays RF Domain manager selection details on a specified device or domain
                    • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
nx9500-6C8809#show rf-domain-manager
 RF Domain TechPubs
 RF Domain Manager:
    ID: 19.6C.88.09
 Controller Managed
 Device under query:
    Priority: 220
    Has IP MiNT links
    Has wired MiNT links
nx9500-6C8809#
6.1.56 role

Displays role based firewall information

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show role [ldap-stats|wireless-clients]
show role [ldap-stats|wireless-clients] {on <DEVICE-NAME>}

Parameters
• show role [ldap-stats|wireless-clients] {on <DEVICE-NAME>}

role ldap-stats     Displays LDAP server status and statistics
role wireless-clients
                    Displays clients associated with roles
on <DEVICE-NAME>    The following parameters are common to the ‘ldap-stats’ and ‘wireless-clients’ keywords:
                    • on <DEVICE-NAME> – Optional. Displays clients associated with roles on a specified device
                      • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809(config)#show role wireless-clients
No ROLE statistics found.
nx9500-6C8809(config)#
6.1.57 route-maps

Displays route map statistics for defined device routes

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show route-maps {on <DEVICE-NAME>}

Parameters
• show route-maps {on <DEVICE-NAME>}

route-maps          Displays configured route map statistics for all defined routes
                    For more information on route maps, see route-map.
on <DEVICE-NAME>    Optional. Displays route map statistics on a specified device
                    • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809(config)#show route-maps
nx9500-6C8809(config)#
6.1.58 rtls

Displays Real Time Location Service (RTLS) statistics for access points contributing locationing information

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show rtls [aeroscout|ekahau|omnitrail] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}

Parameters
• show rtls [aeroscout|ekahau|omnitrail] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}

rtls                Displays access point RTLS statistics
aeroscout           Displays access point Aeroscout statistics
ekahau              Displays access point Ekahau statistics
omnitrail           Displays access point Omnitrail statistics
<MAC/HOSTNAME>      Optional. Displays Aeroscout or Ekahau statistics for a specified access point. Specify the MAC address or hostname of the access point.
on <DEVICE-OR-DOMAIN-NAME>
                    The following keyword is recursive and common to ‘Aeroscout’ and ‘Ekahau’ parameters:
                    • on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays Aeroscout or Ekahau statistics on a specified device or domain.
                      • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
rfs4000-229D58(config)#show rtls aeroscout
 Aeroscout Engine IP: 0.0.0.0 Port: 0
 Send Count           : 0
 Recv Count           : 0
 Tag Reports          : 0
 Nacks                : 0
 Acks                 : 0
 Lbs                  : 0
 AP Status            : 0
 AP Notif             : 0
 Send Err             : 0
 Errmsg Count         : 0
Total number of APs displayed: 1
rfs4000-229D58(config)#

ap8533-84A224##show rtls omnitrail
Engine IP: 157.235.90.41 Control Port: 8890
 Otls 2.4 GHz Engine status: CONNECTED
 Otls 5 GHz Engine status: CONNECTED
 Data Port configured for forwarding 2.4GHz Radio detected beacons: 8888
 Data Port configured for forwarding 5GHz Radio detected beacons:8889
 Heart beats sent for 2.4GHz Port : 1
 Heart beats sent for 5GHz Port : 0
 Beacon tags received on 2.4GHz Radio and forwarded: 6883
 Beacon tags received on 5GHz Radio and forwarded: 0
 Beacon tags received on Sensor Radio (2.4GHz Band) and forwarded: 5187
 Beacon tags received on Sensor Radio (5Ghz Band) and forwarded: 0
Total number of APs displayed: 1
ap8533-84A224#
6.1.59 running-config

Displays configuration files (where all configured MAC and IP access lists are applied to an interface)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show running-config {aaa-policy|application|application-group|application-policy|association-acl-policy|auto-provisioning-policy|captive-portal-policy|device|database-client-policy|database-policy|device|device-overrides|dhcp-server-policy|dhcpv6-server-policy|ex3500-management-policy|ex3500-qos-class-map-policy|ex3500-qos-policy-map|exclude-devices|firewall-policy|flag-unwritten-changes|guest-management-policy|hide-encrypted-values|include-factory|interface|ip-access-list|ipv6-access-list|mac-access-list|management-policy|meshpoint|nsight-policy|profile|radio-qos-policy|rf-domain|roaming-assist-policy|rtl-server-policy|schedule-policy|smart-rf-policy|url-filter|url-list|web-filter-policy|wlan|wlan-qos-policy}
show running-config {aaa-policy|application-policy|association-acl-policy|auto-provisioning-policy|captive-portal-policy|database-client-policy|database-policy|dhcp-server-policy|dhcpv6-server-policy|ex3500-management-policy|ex3500-qos-class-map-policy|ex3500-qos-policy-map|guest-management-policy|firewall-policy|management-policy|nsight-policy|radio-qos-policy|roaming-assist-policy|rtl-server-policy|schedule-policy|smart-rf-policy|web-filter-policy|wlan-qos-policy} <POLICY-NAME> {include-factory}
show running-config {flag-unwritten-changes}
show running-config {application <APPLICATION-NAME>|application-group <APPLICATION-GROUP-NAME>}
show running-config exclude-devices
show running-config {device [<MAC>|self]} {include-factory}
show running-config {device-overrides {brief}}
show running-config {hide-encrypted-values {exclude-devices|include-factory}}
show running-config {include-factory}
show running-config {interface} {<INTERFACE-NAME>|ge|include-factory|me|port-channel|pppoe1|vlan|wwan1}
show running-config {interface} {<INTERFACE-NAME>|ge <1-4>|include-factory|me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {include-factory}
show running-config {ip-access-list <IP-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-LIST-NAME>|mac-access-list <MAC-ACCESS-LIST-NAME>} {include-factory}
show running-config {meshpoint <MESHPOINT-NAME>} {include-factory}
show running-config {profile [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600] <PROFILE-NAME>} {include-factory}
show running-config {rf-domain <DOMAIN-NAME>} {include-factory}
show running-config {wlan <WLAN-NAME>} {include-factory}
show running-config url-filter <URL-FILTER-NAME>
show running-config url-list <URL-LIST-NAME> {include-factory}

Parameters
• show running-config {flag-unwritten-changes}

running-config flag-unwritten-changes
                    Flags unsaved changes in the show > running-config command output. Optionally use the flag-unwritten-changes keyword to view changes that have been committed but not saved in the startup configuration. When used, all unsaved changes are marked with a “===” marker, as shown in the following show > running-config > flag-unwritten-changes output:

nx9500-6C8809(config)#show running-config flag-unwritten-changes
!
! Configuration of NX9500 version 5.9.1.0-017D
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
client-identity-group test2
 load default-fingerprints
!
===alias encrypted-string $WRITE 2 o5gA2zqj/q/REWi8rTa7vQAAAAh4yA1YNBjqTVf4mMBsGA4i
!
===alias encrypted-string $enAlias2 2 JI4lPuMaCdMMx7rfBeyIAwAAAAoZ6tR1FfTlFXWvSicTMVZc
!
--More--
nx9500-6C8809(config)#

                    Execute the write > memory command to save these changes.

• show running-config {aaa-policy|application-policy|association-acl-policy|auto-provisioning-policy|captive-portal-policy|database-client-policy|database-policy|dhcp-server-policy|dhcpv6-server-policy|ex3500-management-policy|ex3500-qos-class-map-policy|ex3500-qos-policy-map|guest-management-policy|firewall-policy|management-policy|nsight-policy|radio-qos-policy|roaming-assist-policy|rtl-server-policy|schedule-policy|smart-rf-policy|web-filter-policy|wlan-qos-policy} <POLICY-NAME> {include-factory}

running-config      Displays current running configuration
                    Optionally, execute the command along with one of the associated keywords to view the running configuration for that top-level object. For example, to view a policy and its configuration, specify the policy type and provide the policy name.
                    Note: If the command is executed without a keyword, the system displays the entire running configuration.
<POLICY-TYPE> <POLICY-NAME>
                    Optional. Select the policy type, for example, aaa-policy, auto-provisioning-policy, captive-portal-policy, etc. and then specify the policy name. The system displays the selected policy’s configuration.
                    • <POLICY-NAME> – Specify the name of the policy (should be existing and configured).
include-factory     The following keyword is common to all policies:
                    • include-factory – Optional. Includes factory defaults

• show running-config {application <APPLICATION-NAME>|application-group <APPLICATION-GROUP-NAME>}

running-config      Displays current running configuration
                    Optionally, execute the command along with one of the associated keywords to view the running configuration for that top-level object. For example, to view a policy and its configuration, specify the policy type and provide the policy name.
                    If the command is executed without a keyword, the system displays the entire running configuration.
application <APPLICATION-NAME>
                    Displays an application’s configuration. The application can be system-provided or user-defined.
                    • <APPLICATION-NAME> – Specify the application name (should be existing).
application-group <APPLICATION-GROUP-NAME>
                    Displays an application-group’s configuration
                    • <APPLICATION-GROUP-NAME> – Specify the application-group name (should be existing and configured).

• show running-config {device [<MAC>|self]} {include-factory}

running-config      Displays current running configuration
                    Optionally, execute the command along with one of the associated keywords to view the running configuration for that top-level object. For example, to view a policy and its configuration, specify the policy type and provide the policy name.
                    If the command is executed without a keyword, the system displays the entire running configuration.
device [<MAC>|self] Optional. Displays device configuration
                    • <MAC> – Displays a specified device configuration. Specify the MAC address of the device.
                    • self – Displays the logged device’s configuration
include-factory     The following keyword is common to the ‘<MAC>’ and ‘self’ parameters:
                    • Optional. Displays factory defaults

• show running-config {hide-encrypted-values {exclude-devices|include-factory}}

running-config      Displays current running configuration
                    Optionally, execute the command along with one of the associated keywords to view the running configuration for that top-level object. For example, to view a policy and its configuration, specify the policy type and provide the policy name.
                    If the command is executed without a keyword, the system displays the entire running configuration.
hide-encrypted-values {exclude-devices|include-factory}
                    Optional. Replaces all encrypted passwords with the standard characters ****** in the show > running-config output
                    • exclude-devices – Optional. Excludes devices from the running configuration displayed
                    • include-factory – Optional. Includes factory default values in the running configuration displayed
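The hide-encrypted-values keyword masks secrets at display time; a configuration that was already captured without it can be masked the same way before it is attached to a ticket or shared. The following Python script is an added example, not part of the vendor guide. It assumes that an encrypted value appears as the type marker 2 followed by a base64 string (as in the alias encrypted-string lines of the flag-unwritten-changes example) and that ‘password 0 <value>’ carries an unencrypted value; the sample configuration and its secret values are constructed.

```python
import re

MASK = "******"  # the same characters hide-encrypted-values substitutes

# Assumption: type marker "2", whitespace, then a base64 blob of 16+ characters.
ENCRYPTED_RE = re.compile(r"(?<=\s2\s)[A-Za-z0-9+/]{16,}={0,2}(?=\s|$)")
# Assumption: "password 0 <value>" holds the value unencrypted.
CLEARTEXT_RE = re.compile(r"\bpassword 0 (\S+)")

# Constructed sample modelled on configuration lines shown in this guide;
# the two base64 strings are placeholders, not real device values.
SAMPLE_CONFIG = """\
alias encrypted-string $WRITE 2 Q09OU1RSVUNURURfU0FNUExFX1ZBTFVF
radius-user-pool-policy wdws
 user data_only password 0 data group wdws guest expiry-time 12:00 expiry-date 12/31/2015
 user time9 password 2 QU5PVEhFUl9DT05TVFJVQ1RFRF9WQUxVRQ==
version 2.5
"""


def redact(config_text):
    """Mask secrets in a captured running configuration.

    Returns (redacted_text, cleartext_lines), where cleartext_lines lists the
    1-based line numbers that carried an unencrypted password. Those accounts
    are worth reviewing, because masking a copy does not change what is
    stored on the device.
    """
    redacted, cleartext_lines = [], []
    for number, line in enumerate(config_text.splitlines(), 1):
        line = ENCRYPTED_RE.sub(MASK, line)
        found = CLEARTEXT_RE.search(line)
        if found and found.group(1) != MASK:
            cleartext_lines.append(number)
            line = CLEARTEXT_RE.sub("password 0 " + MASK, line)
        redacted.append(line)
    return "\n".join(redacted), cleartext_lines


if __name__ == "__main__":
    text, flagged = redact(SAMPLE_CONFIG)
    print(text)
    print("lines with unencrypted passwords:", flagged)
```
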
SHOW COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide  6 - 128• show running-config {device-overrides {brief}}• show running-config {exclude-devices}• show running-config {include-factory}• show running-config {interface} {<INTERFACE-NAME>|ge <1-4>|include-factory|me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {include-factory}• show running-config {ip-access-list <IP-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-LIST-NAME>|mac-access-list <MAC-ACCESS-LIST-NAME} {include-factory}running-config Displays current running configurationdevice-overrides brief Optional. Displays overrides applied at the device’s configuration• brief – Optional. Displays a brief summary of device overridesrunning-config Displays current running configurationexclude-devices Optional. Excludes device configuration details from the running configuration displayedrunning-config Displays current running configurationinclude-factory Optional. Includes factory defaultsrunning-config Displays current running configurationinterface Optional. Displays interface configuration<INTERFACE-NAME> Optional. Displays a specified interface configuration. Specify the interface name.ge <1-4> Optional. Displays GigabitEthernet interface configuration• <1-4> – Specify the GigabitEthernet interface index from 1 - 4.me1 Optional. Displays FastEthernet interface configurationport-channel <1-2> Optional. Displays port channel interface configuration• <1-2> – Specify the port channel interface index from 1 - 2.pppoe1 Optional. Displays PPP over Ethernet interface configurationvlan <1-4094> Displays VLAN interface configuration• <1-4094> – Specify the VLAN interface number from 1 - 4094.wwan1 Optional. Displays Wireless WAN interface configurationinclude-factory The following keyword is common to all interfaces:• Optional. 
Includes factory defaultsrunning-config Displays current running configurationOptionally, you can execute the command along with one of the associated keywords to view the running configuration for that top-level object. To view a access-list and its configuration, specify the ACL type and provide the ACL name.Note: If the command is executed without a keyword, the system displays the entire running configuration.<ACL-TYPE> <IP/IPv6/MAC-ACL-NAME>Optional. Select the ACL type, for example, ip-access-list, ipv6-access-list, or mac-access-list, and then specify the ACL name. The system displays the selected ACL’s configuration.• <IP/IPv6/MAC-ACL-NAME> – Specify the name of the ACL (should be existing and configured).
SHOW COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 129• show running-config {meshpoint <MESHPOINT-NAME>} {include-factory}• show running-config {profile [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600] <PROFILE-NAME>} {include-factory}• show running-config {rf-domain <DOMAIN-NAME>} {include-factory}• show running-config {wlan <WLAN-NAME>} {include-factory}• show running-config url-filter <URL-FILTER-NAME>include-factory The following keyword is common to the ‘ip-access-list’ and ‘mac-access-list’ parameters:• Optional. Includes factory defaultsrunning-config Displays current running configurationmeshpoint <MESHPOINT-NAME>Optional. Displays meshpoint configuration• <MESHPOINT-NAME> – Specify the meshpoint nameinclude-factory Optional. Includes factory defaults along with running configuration detailsrunning-config Displays current running configurationprofile <DEVICE-TYPE> <PROFILE-NAME>Optional. Displays current configuration for a specified profile. Select the device type, and then specify the profile name.• <DEVICE-TYPE> – Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000.• <PROFILE-NAME> – Specify the profile name for the selected <DEVICE-TYPE>.Note: Select the ‘anyap’ option to view the running configuration of any type of device.include-factory Optional. This parameter is common to all profiles. When selected, it includes factory defaults in the output.running-config Displays current running configurationrf-domain <DOMAIN-NAME>Optional. Displays current configuration for a RF Domain• <DOMAIN-NAME> – Displays current configuration for a specified RF Domain. 
Specify the RF Domain name.include-factory Optional. Includes factory defaultsrunning-config Displays current running configurationwlan <WLAN-NAME> Optional. Displays current configuration for a WLAN• <WLAN-NAME> – Displays current configuration for a specified WLAN. Specify the WLAN name.include-factory Optional. Includes factory defaultsrunning-config Displays current running configurationurl-filter <URL-FILTER-NAME>Optional. Displays current configuration for the URL filter identified by the <URL-FILTER-NAME> keyword• <URL-FILTER-NAME> – Specify the URL filter’s name.
SHOW COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide  6 - 130• show running-config url-list <URL-LIST-NAME> {include-factory}Examplerfs6000-81742D#show running-config device self!version 2.5!!ip snmp-access-list default permit any!firewall-policy default no ip dos tcp-sequence-past-window!!mint-policy global-default!!management-policy default no telnet no http server https server no ftp ssh user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1 role superuser access all--More--rfs6000-81742D#rfs6000-81742D#show running-config profile ap81xx default-ap81xxprofile ap81xx default-ap81xx autoinstall configuration autoinstall firmware crypto ikev1 policy ikev1-default  isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default  isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn crypto auto-ipsec-secure crypto remote-vpn-client interface radio1 interface radio2 interface radio3 interface ge1--More--rfs6000-81742D#nx9500-6C8809#show running-config url-filter URL_FILTER_Shopping include-factoryurl-filter URL_FILTER_Shopping no description blacklist category-type p2p precedence 20 description description blacklist category-type news-sports-general category shopping precedence 10 description description blockpage path internal blockpage internal org-name Your Organization Namerunning-config Displays current running configurationurl-list <URL-LIST-NAME>Optional. Displays current configuration for the URL list identified by the <URL-LIST-NAME> keyword• <URL-FILTER-NAME> – Specify the URL list’s name.include-factory Optional. Includes factory defaults
SHOW COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 131 blockpage internal org-signature Your Organization Name, All Rights Reserved. blockpage internal title This URL may have been filtered. blockpage internal header The requested URL could not be retrieved. blockpage internal footer If you have any questions please contact your IT department. blockpage internal content The site you have attempted to reach may be considered inappropriate for access. no blockpage internal main-logo no blockpage internal small-logo no blockpage externalnx9500-6C8809#nx9500-6C8809#show running-config url-list AllowedShoppingurl-list AllowedShopping url ebay.com depth 10 url amazon.com depth 10nx9500-6C8809#nx9500-6C8809#show running-config application Bingapplication Bing app-category streaming use url-list Bingnx9500-6C8809#nx9500-6C8809#sho running-config application-group amazonapplication-group amazon application amazon_cloud application amazon_shop application amazon-prime-music application amazon-prime-videonx9500-6C8809#
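The running-config output above carries both the management-policy service settings and the stored password hashes. The following added example (not part of the original guide and not Extreme Networks code) audits a saved copy of that output for cleartext management services and masks stored secrets the way hide-encrypted-values does on the device. The sample text, the policy named "lab", the hash strings and the choice of which services to flag are assumptions made for the example.

```python
import re

# Constructed sample modelled on the 'show running-config' output format shown above.
# The policy "lab" and both hash strings are made up for this example.
SAMPLE_CONFIG = """\
!
version 2.5
!
management-policy default
 no telnet
 no http server
 https server
 no ftp
 ssh
 user admin password 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef role superuser access all
!
management-policy lab
 telnet
 http server
 ssh
 user ops password 1 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 role monitor access all
!
"""

# Cleartext management services to report (an assumed local policy, not a WiNG default).
CLEARTEXT_SERVICES = ("telnet", "http server", "ftp")

# Matches 'password <n> <hex>' and 'secret <n> <hex>' as they appear in saved configurations.
SECRET_RE = re.compile(r"\b(password|secret)(\s+\d+\s+)[0-9a-fA-F]{16,}")


def parse_blocks(config, keyword):
    """Return {name: [child lines]} for top-level objects that start with keyword."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(keyword + " "):
            current = line.split()[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' separators and other top-level lines end the block
    return blocks


def audit_management_policies(config):
    """Report, per management policy, which cleartext services are enabled.

    'unstated' lists services with neither an enabling nor a 'no' line; their state
    is the factory default, which only appears when the capture was taken with
    the include-factory keyword.
    """
    report = {}
    for name, lines in parse_blocks(config, "management-policy").items():
        enabled = [s for s in CLEARTEXT_SERVICES if s in lines]
        unstated = [s for s in CLEARTEXT_SERVICES
                    if s not in lines and "no " + s not in lines]
        report[name] = {"enabled": enabled, "unstated": unstated}
    return report


def redact_secrets(config):
    """Mask stored hashes and keys with ****** before the capture leaves the admin host."""
    return SECRET_RE.sub(r"\1\2******", config)


if __name__ == "__main__":
    for policy, result in audit_management_policies(SAMPLE_CONFIG).items():
        print(policy, result)
    print(redact_secrets(SAMPLE_CONFIG))
```

Capturing with hide-encrypted-values on the device avoids the hashes reaching the capture file at all; the redaction function is for captures that were already taken without it.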
6.1.60 session-changes

Displays configuration changes made in the current session

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show session-changes

Parameters
None

Example
rfs6000-81742D(config)#show session-changes
No changes in this session
rfs6000-81742D(config)#
6.1.61 session-config

Lists active open sessions on a device

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show session-config {exclude-devices|include-factory}

Parameters
• show session-config {exclude-devices|include-factory}

session-config {exclude-devices|include-factory} – Displays current session configuration
  • exclude-devices – Optional. Excludes device configuration details from the output
  • include-factory – Optional. Includes factory defaults

Example
nx9500-6C8809(config)#show session-config
!
! Configuration of NX9500 version 5.9.1.0-017D
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 tra
--More--
nx9500-6C8809(config)#
6.1.62 sessions

Displays CLI sessions initiated on a device

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show sessions all {on <DEVICE-NAME>}

Parameters
• show sessions all {on <DEVICE-NAME>}

sessions – Displays CLI sessions initiated on a device
all – Displays all sessions including internal
on <DEVICE-NAME> – Optional. This is a recurring keyword and is common to the ‘all’ parameter. Displays CLI sessions on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809#show sessions
INDEX   COOKIE  NAME            START TIME              FROM                  ROLE
1       2       snmp            2017-06-02 14:31:23     127.0.0.1             superuser
2       3       snmp2           2017-06-02 14:31:23     127.0.0.1             superuser
3       18      admin           2017-06-06 10:38:36     192.168.13.17         superuser
nx9500-6C8809#
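The show sessions table lends itself to a periodic review of who holds a CLI session and from where. The following added example (not part of the original guide) parses that table and reports sessions whose source lies outside an allowed management network, and accounts that are logged in from more than one remote address. The first three rows are the ones from the example above; the fourth row, the 192.168.13.0/24 management network and the function names are assumptions made for the example.

```python
import ipaddress
from datetime import datetime

# Rows 1-3 are from the guide's example output; row 4 is constructed for this example
# (203.0.113.0/24 is a documentation-only address range).
SAMPLE_OUTPUT = """\
INDEX   COOKIE  NAME            START TIME              FROM                  ROLE
1       2       snmp            2017-06-02 14:31:23     127.0.0.1             superuser
2       3       snmp2           2017-06-02 14:31:23     127.0.0.1             superuser
3       18      admin           2017-06-06 10:38:36     192.168.13.17         superuser
4       21      admin           2017-06-06 02:14:05     203.0.113.50          superuser
"""


def parse_sessions(text):
    """Turn 'show sessions' rows into dicts; header, prompt and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[0].isdigit():
            continue
        index, _cookie, name, date, time, source, role = fields
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            addr = None  # keep the row; a non-IP source is reported by the review
        sessions.append({
            "index": int(index),
            "name": name,
            "start": datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S"),
            "from": source,
            "addr": addr,
            "role": role,
        })
    return sessions


def review_sessions(sessions, mgmt_networks):
    """Return (index, name, source, reasons) for every session that needs a look."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]

    # Collect the distinct non-loopback addresses each account is logged in from.
    remote_by_user = {}
    for s in sessions:
        if s["addr"] is not None and not s["addr"].is_loopback:
            remote_by_user.setdefault(s["name"], set()).add(s["addr"])

    findings = []
    for s in sessions:
        reasons = []
        addr = s["addr"]
        if addr is None:
            reasons.append("source is not an IP address")
        elif not addr.is_loopback and not any(addr in n for n in nets):
            reasons.append("source outside management networks")
        if len(remote_by_user.get(s["name"], ())) > 1:
            reasons.append("account active from multiple addresses")
        if reasons:
            findings.append((s["index"], s["name"], s["from"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review_sessions(parse_sessions(SAMPLE_OUTPUT), ["192.168.13.0/24"]):
        print(finding)
```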
6.1.63 site-config-diff

Displays the difference in site configuration available on the NOC and a site.

The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC controller constitutes the first and the site controllers constitute the second tier of the hierarchy. The site controllers may or may not be grouped to form clusters. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy.

NOC controllers possess default site configuration details. Overrides applied at the site level result in a mismatch of configuration at the site and the default site configuration available on the NOC controller. Use this command to view this difference.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show site-config-diff <SITE-NAME>

Parameters
• show site-config-diff <SITE-NAME>

site-config-diff <SITE-NAME> – Displays the configuration difference for the specified site
  • <SITE-NAME> – Specify the site name.

Example
nx9500-6C874D#show site-config-diff 5C-0E-8B-18-06-F4
---- Config diff for switch 5C-0E-8B-18-06-F4 ----
rfs6000 5C-0E-8B-18-06-F4
interface pppoe1
  no shutdown
nx9500-6C874D#
6.1.64 smart-rf

Displays Self-Monitoring At Run Time (Smart RF) statistical history to assess adjustments made to device configurations to compensate for detected coverage holes or device failures

When invoked by an administrator, Smart RF instructs access point radios to change to a specific channel and begin beaconing using the maximum available transmit power. Within a well-planned deployment, any RF Domain member access point radio should be reachable by at least one other radio. Smart RF records signals received from its neighbors as well as signals from external, un-managed radios. AP-to-AP distance is recorded in terms of signal attenuation. The information from external radios is used during channel assignment to minimize interference.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show smart-rf [ap|channel-distribution|history|history-timeline|interfering-ap|interfering-neighbors|radio]
show smart-rf ap {<MAC>|<DEVICE-NAME>|activity|energy|neighbors|on <DOMAIN-NAME>}
show smart-rf ap {<MAC>|<DEVICE-NAME>} {on <DOMAIN-NAME>}
show smart-rf ap {activity|energy|neighbors} [<MAC>|<DEVICE-NAME>] {(on <DOMAIN-NAME>)}
show smart-rf [channel-distribution|history|history-timeline] {on <DOMAIN-NAME>}
show smart-rf radio {<MAC>|activity|all-11an|all-11bgn|channel|energy|neighbors|on <DOMAIN-NAME>}
show smart-rf radio {<MAC>|all-11an|all-11bgn|energy <MAC>} {on <DOMAIN-NAME>}
show smart-rf radio {activity|neighbors} {<MAC>|all-11an|all-11bgn} {on <DOMAIN-NAME>}
show smart-rf interfering-ap {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}
show smart-rf interfering-neighbors {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>|threshold <50-100>}

Parameters
• show smart-rf ap {<MAC>|<DEVICE-NAME>} {on <DOMAIN-NAME>}

smart-rf – Displays Smart RF related information
ap – Displays access point related Smart RF information
<MAC> – Optional. Uses MAC addresses to identify access points. Displays all access points, if no MAC address is specified.
<DEVICE-NAME> – Optional. Uses an administrator defined name to identify an access point
on <DOMAIN-NAME> – Optional. Displays access point details on a specified RF Domain
  • <DOMAIN-NAME> – Specify the domain name.

• show smart-rf ap {activity|energy|neighbors} [<MAC>|<DEVICE-NAME>] {(on <DOMAIN-NAME>)}

smart-rf – Displays Smart RF related information
ap – Displays AP related Smart RF information
activity – Optional. Displays Smart RF activity related information
  Use this option to view the following:
  • Time-period – Lists the frequency Smart RF activity is trended for the RF Domain. Trending periods include the current hour, last 24 hours, or the last seven days. Comparing Smart RF adjustments versus the last seven days enables an administrator to assess whether periods of interference and poor performance were relegated to just specific periods.
  • Power changes – Displays the number of Smart RF initiated power level changes needed for RF Domain member devices during each of the three trending periods. Determine whether power compensations were relegated to known device outages or if compensations were consistent over the course of a day or week.
  • Channel changes – Lists the number of Smart RF initiated channel changes needed for RF Domain member devices during each of the three trending periods. Determine if channel adjustments were relegated to known device count increases or decreases over the course of a day or week.
  • Coverage changes – Displays the number of Smart RF initiated coverage changes needed for RF Domain member devices during each of the three trending periods. Determine if coverage changes were relegated to known device failures or known periods of interference over the course of a day or week.
energy – Optional. Displays AP energy for a specified AP or all APs
  Use this option to view an RF Domain member access point’s operating channels, noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing access points.
neighbors – Optional. Displays AP neighbors
  Use this option to view attributes of neighbor radio resources available for Smart RF radio compensations for other RF Domain member device radios.
{<MAC>|<DEVICE-NAME>} – The following keywords are common to all of the above parameters:
  • <MAC> – Displays all of the above mentioned information for a specified AP, identified by its MAC address. Specify the AP’s MAC address.
  • <DEVICE-NAME> – Displays all of the above mentioned information for a specified AP, identified by its hostname. Specify the AP’s hostname.
on <DOMAIN-NAME> – Optional. Displays access point details on a specified RF Domain
  • <DOMAIN-NAME> – Specify the domain name.

• show smart-rf [channel-distribution|history|history-timeline] {on <DOMAIN-NAME>}

smart-rf – Displays Smart RF related information
channel-distribution – Displays Smart RF channel distribution information. This provides an overview of how RF Domain member devices are utilizing different channels to optimally support connected devices and avoid congestion and interference with neighboring devices. Assess whether the channel spectrum is being effectively utilized and whether channel changes are warranted to improve RF Domain member device performance.
history – Displays Smart RF calibration history
  Use this option to view description and types of Smart RF events impacting RF Domain member devices.
history-timeline – Displays extended Smart RF calibration history on an hourly or daily timeline
  Use this option to view the time stamp when Smart RF status was updated on behalf of a Smart RF adjustment within the selected RF Domain.
on <DOMAIN-NAME> – The following keyword is common to all of the above parameters:
  • on <DOMAIN-NAME> – Optional. Displays Smart RF configuration, based on the parameters passed, on a specified RF Domain
  • <DOMAIN-NAME> – Specify the RF Domain name.

• show smart-rf radio {<MAC>|all-11an|all-11bgn|energy <MAC>} {on <DOMAIN-NAME>}

smart-rf – Displays Smart RF related information
radio – Displays radio related commands
<MAC> – Optional. Displays details of a specified radio. Specify the radio’s MAC address in the AA-BB-CC-DD-EE-FF format.
all-11an – Optional. Displays all 11a radios currently in the configuration
all-11bgn – Optional. Displays all 11bg radios currently in the configuration
energy {<MAC>} – Optional. Displays radio energy
  • <MAC> – Optional. Specify the radio’s MAC address in the AA-BB-CC-DD-EE-FF format.
  Use this option to view an RF Domain member access point radio’s operating channel, noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing radios.
on <DOMAIN-NAME> – The following keyword is common to all of the above parameters:
  • on <DOMAIN-NAME> – Optional. Displays radio details on a specified RF Domain
  • <DOMAIN-NAME> – Specify the RF Domain name.

• show smart-rf radio {activity|neighbors} {<MAC>|all-11an|all-11bgn} {on <DOMAIN-NAME>}

smart-rf – Displays Smart RF related information
radio – Displays Smart RF radio related commands
activity – Optional. Displays changes related to radio power, number of radio channels, or coverage holes. Use additional filters to view specific details.
<MAC> – Optional. Displays radio activity for a specified radio
  • <MAC> – Specify the radio’s MAC address.
all-11an – Optional. Displays radio activity of all 11a radios in the configuration
all-11bgn – Optional. Displays radio activity of all 11bg radios in the configuration
on <DOMAIN-NAME> – Optional. Displays radio activity of all radios within a specified RF Domain
  • <DOMAIN-NAME> – Specify the RF Domain name.

• show smart-rf interfering-ap {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}

smart-rf – Displays Smart RF related information
interfering-ap – Displays interfering access points (requiring potential isolation) information
<MAC> – Optional. Displays information of a specified interfering access point
  • <MAC> – Specify the access point’s MAC address.
  Note: Considers all APs if this parameter is omitted
<DEVICE-NAME> – Optional. Displays interfering access point information on a specified device
  • <DEVICE-NAME> – Specify the device name.
  Note: Considers all APs if this parameter is omitted
on <DOMAIN-NAME> – Optional. Displays all interfering access point information within a specified RF Domain
  • <DOMAIN-NAME> – Specify the RF Domain name.

• show smart-rf interfering-neighbors {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>|threshold <50-100>}

smart-rf – Displays Smart RF related information
interfering-neighbors – Displays interfering neighboring access point information
<MAC> – Optional. Displays interfering neighboring access point information
  • <MAC> – Specify the access point’s MAC address.
  Considers all APs if this parameter is omitted
<DEVICE-NAME> – Optional. Displays all interfering neighboring access point information on a specified device
  • <DEVICE-NAME> – Specify the device name.
  Considers all APs if this parameter is omitted
threshold <50-100> – Optional. Specifies the maximum attenuation threshold of interfering neighbors.
  • <50-100> – Specify a value from 50 - 100 dB.
  Attenuation is a measure of the reduction of signal strength during transmission. Attenuation is the opposite of amplification, and is normal when a signal is sent from one point to another. If the signal attenuates too much, it becomes unintelligible. Attenuation is measured in decibels.
on <DOMAIN-NAME> – Optional. Displays radio activity of all radios within a specified RF Domain
  • <DOMAIN-NAME> – Specify the RF Domain name.

Example
rfs6000-81742D(config)#show smart-rf calibration-status
No calibration currently in progress
rfs6000-81742D(config)#

rfs6000-81742D(config)#show smart-rf history
---------------------------------------------------------------------------------------
      TIME                     EVENT                      DESCRIPTION
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
Total number of history entries displayed: 0
rfs6000-81742D(config)#
6.1.65 spanning-tree

Displays spanning tree utilization information

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show spanning-tree mst {configuration|detail|instance|on <DEVICE-NAME>}
show spanning-tree mst {configuration} {(on <DEVICE-NAME>)}
show spanning-tree mst {detail} {interface|on}
show spanning-tree mst {detail} interface {<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}
show spanning-tree mst {instance <1-15>} {interface <INTERFACE-NAME>} {(on <DEVICE-NAME>)}

Parameters
• show spanning-tree mst {configuration} {(on <DEVICE-NAME>)}

spanning-tree – Displays spanning tree utilization information
mst – Displays Multiple Spanning Tree (MST) related information
configuration {on <DEVICE-NAME>} – Optional. Displays MST configuration
  • on <DEVICE-NAME> – Optional. Displays MST configuration on a specified device
  • <DEVICE-NAME> – Specify the name of the AP or wireless controller.
  Note: If the ‘on’ keyword is used without any of the other options, the system displays a summary of spanning tree utilization information on the specified device.

• show spanning-tree mst {detail} interface {<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}

spanning-tree – Displays spanning tree information
mst – Displays MST configuration
detail – Optional. Displays detailed MST configuration, based on the parameters passed
interface [<INTERFACE>|ge <1-4>|me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1] – Displays detailed MST configuration for a specified interface
  • <INTERFACE> – Displays detailed MST configuration for a specified interface. Specify the interface name.
  • ge <1-4> – Displays GigabitEthernet interface MST configuration
    • <1-4> – Select the GigabitEthernet interface index from 1 - 4.
  • me1 – Displays FastEthernet interface MST configuration
  • port-channel – Displays port channel interface MST configuration
    • <1-2> – Select the port channel interface index from 1 - 2.
  • pppoe1 – Displays PPP over Ethernet interface MST configuration
  • vlan – Displays VLAN interface MST configuration
    • <1-4094> – Select the SVI VLAN ID from 1 - 4094.
  • wwan1 – Displays Wireless WAN interface MST configuration
on <DEVICE-NAME> – The following keyword is common to all interfaces:
  • on <DEVICE-NAME> – Optional. Displays detailed MST configuration on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show spanning-tree mst {instance <1-15>} {interface <INTERFACE-NAME>} {(on <DEVICE-NAME>)}

spanning-tree – Displays spanning tree information
mst – Displays MST configuration. Use additional filters to view specific details.
instance <1-15> – Optional. Displays information for a particular MST instance
  • <1-15> – Specify the instance ID from 1 - 15.
interface <INTERFACE-NAME> – Optional. Displays MST configuration for a specific interface instance. The options are:
  • <INTERFACE-NAME> – Displays MST configuration for a specified interface. Specify the interface name.
on <DEVICE-NAME> – Optional. Displays MST configuration on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D#show spanning-tree mst configuration
%%
%  MSTP Configuration Information for bridge 1 :
%%------------------------------------------------------
%  Format Id      : 0
%  Name           : My Name
%  Revision Level : 0
%  Digest         : 0xac36177f50283cd4b83821d8ab26de62
%%------------------------------------------------------
rfs6000-81742D#

rfs6000-81742D#show spanning-tree mst detail interface ge 1
% Bridge up - Spanning Tree Disabled
% CIST Root Path Cost 0  - CIST Root Port 0 - CIST Bridge Priority 32768
% Forward Delay 15 - Hello Time 2 - Max Age 20 - Max hops 20
% 1: CIST Root Id 800000157081742e
% 1: CIST Reg Root Id 800000157081742e
% 1: CIST Bridge Id 800000157081742e
% portfast bpdu-filter disabled
% portfast bpdu-guard disabled
% portfast portfast errdisable timeout disabled
% portfast errdisable timeout interval 300 sec
% cisco interoperability not configured - Current cisco interoperability off
%   ge1: Port 2001 - Id 87d1 - Role Disabled - State Forwarding
%   ge1: Designated External Path Cost 0 - Internal Path Cost 0
%--More--
rfs6000-81742D#
6.1.66 startup-config

Displays complete startup configuration script

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show startup-config {include-factory}

Parameters
• show startup-config {include-factory}

startup-config include-factory – Displays startup configuration script
  • include-factory – Optional. Includes factory defaults

Example
nx9500-6C8809#show startup-config
!
! Configuration of NX9500 version 5.9.1.0-017D
!
!
version 2.5
!
password-encryption-version 1.0
inline-password-encryption
password-encryption-key secret 2 2cd258b63fa0e16a753394d779cbc5a20000002065d2c29edf373ed42131fa410426d5cb8b0296ffea49331cb72e122e421acc9c
!
client-identity-group default
 load default-fingerprints
!
client-identity-group test2
 load default-fingerprints
!
alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25
alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24
!
alias network $NetworkAlias 192.168.13.0/24
!
--More--
nx9500-6C8809#
SHOW COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 1436.1.67 t5show commandsDisplays adopted T5 controller statisticsSupported in the following platforms:• Wireless Controllers — RFS4000, RFS6000• Service Platforms — NX7500, NX7510, NX7510, NX7520, NX9500, NX9510, NX9600, VX9000Syntaxshow t5 [boot|clock|cpe|interface|mac|system|temperature|uptime|version|wireless] {on <T5-DEVICE-NAME>}show t5 [boot|clock|system|temperature|uptime|version] {on <T5-DEVICE-NAME>}show t5 cpe [address|boot|ether port status|led|reset|system|uptime|version] {on <T5-DEVICE-NAME>}show t5 interface [dsl|fe|ge|radio]show t5 interface [dsl|fe|ge] [counter|description|errors|status|utilization] {on <T5-DEVICE-NAME>}show t5 interface dsl custom [avg|dses|dsses|peak|uses|usses] {on <T5-DEVICE-NAME>}show t5 interface radio [stats|status|wlam-map] {on <T5-DEVICE-NAME>}show t5 mac table [filter name [dsl<1-24>|ge <1-2>|vlan <1-4094>|wlan <1-24>] {on <T5-DEVICE-NAME>}]show t5 wireless [client|wlan]show t5 wireless client {filter name [association-status|authentication-status|bss|mac-address|retry-percentage|rssi-value]} {on <T5-DEVICE-NAME>}show t5 wireless wlan counters [qos|rate|size] {on <T5-DEVICE-NAME>}Parameters• show t5 [boot|clock|system|temperature|uptime|version] {on <T5-DEVICE-NAME>}NOTE: This command is applicable only on WiNG controllers with adopted and managed T5 controllers.t5 Displays adopted T5 controller statisticsboot Displays the T5 device’s boot details. 
Use this option to view the primary and secondary image files available to use for booting up.clock Displays the T5 controller’s system time, as reported from the controller itself or its remote NTP time resourcesystem Displays T5 controller’s system information, which includes the T5 controller’s hostname, MAC address, RF Domain, system clock, uptimetemperature Displays T5 controller’s current temperatureuptime Displays the T5 controller’s uptime (the time it has been actively deployed and operational)
version – Displays the T5 controller’s primary and secondary firmware images
on <T5-DEVICE-NAME> – Optional. Executes the command on a specified T5 device
• <T5-DEVICE-NAME> – Specify the T5 device’s hostname. An error message is displayed if no T5 device name is specified.

• show t5 cpe [address|boot|ether port status|led|reset|system|uptime|version] {on <T5-DEVICE-NAME>}

t5 – Displays adopted T5 controller statistics
cpe – Displays the T5 controller managed Customer Premises Equipment (CPE) statistics based on the parameters passed. Use this command to verify each CPE's address credentials and whether it is currently disconnected or ready for radio coverage area support.
address – Displays each linked CPE's current IP address used as its network identifier
boot – Displays the primary and secondary firmware versions available to each CPE, along with status details of the most recent upgrade operation
ether port status – Displays Ethernet port status
led – Displays whether the CPEs currently have their LEDs enabled or disabled. In places like hospitals, it's not uncommon for access points to be operational with their LEDs off so as not to disturb patients.
reset – Displays the number of times a CPE has been reset
system – Displays device hardware and SKU information for each CPE. Use this information to assess whether a controller is managing the correct CPE devices out of the total number of CPEs available.
uptime – Displays the time each CPE device has been actively deployed and operational
version – Displays the application and boot versions utilized by the CPE devices
on <T5-DEVICE-NAME> – Optional. Executes the command on a specified T5 device
• <T5-DEVICE-NAME> – Specify the T5 device’s hostname. An error message is displayed if no T5 device name is specified.

• show t5 interface [dsl|fe|ge] [counter|description|errors|status|utilization] {on <T5-DEVICE-NAME>}

t5 – Displays adopted T5 controller statistics
interface – Displays T5 interface-related statistics based on the interface selected
[dsl|fe|ge|radio] [counter|description|errors|status|utilization] – Select the interface type. The options are: dsl, fe, ge.
• dsl – Displays Digital Subscriber Line (DSL) interface related information
• fe – Displays Fast Ethernet (FE) interface related information
• ge – Displays Gigabit Ethernet (GE) interface related information
The system displays the following information for the DSL, GE, and FE ports:
• counter – Displays the following:
  • Number of octets (bytes) received and transmitted on this port
  • Number of data packets received and transmitted on this port
  • Number of flow control (layer 2) packets received and transmitted on this port
• description – Displays the following:
  • The selected port’s name
  • The numeric index assignable to each port
  • The 64 character maximum, unique, administrator-assigned description to each port
• errors – Displays the following DSL interface related errors:
  • The name of the DSL utilized by each T5 controller connected CPE device.
  • The number of FECs detected in the downstream direction. Forward Error Correction (FEC) or channel coding is used for controlling errors over unreliable or noisy communication channels.
  • The number of CPE DSL coding violations (badly coded packets) detected in the downstream direction.
  • The number of FECs detected in the upstream direction.
  • The number of CPE DSL coding violations (badly coded packets) detected in the upstream direction.
• status – Displays the following:
  • The selected port’s name
  • Whether the port is currently up or down as a T5 controller transmit and receive resource
  • The port's current speed in MB
  • Whether pause packet utilization is currently off or on for the selected port
  • Whether each listed port is enabled or disabled by the administrator
• utilization – Displays the following:
  • The selected port’s name
  • The port’s receive and transmit data rates (in Kbps)
  • The packet per second port receive and transmit rates (p/s)
  • Each port's receive and transmit direction utilization as a percentage of the total transmit bandwidth available.
on <T5-DEVICE-NAME> – Optional. Executes the command on a specified T5 device
• <T5-DEVICE-NAME> – Specify the T5 device’s hostname. An error message is displayed if no T5 device name is specified.

• show t5 interface dsl custom [avg|dses|dsses|peak|uses|usses] {on <T5-DEVICE-NAME>}

t5 – Displays adopted T5 controller statistics
interface – Displays T5 interface-related statistics based on the interface selected
dsl – Selects a T5 controller’s DSL interface. A T5 controller uses the operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the operating system. These CPEs use a DSL as their high speed Internet access mechanism using the CPE’s physical wallplate connection and phone jack.
custom [avg|dses|dsses|peak|uses|usses] – Displays the following custom CPE DSL data:
• avg – Each DSL's average response time in microseconds
• dses – The number of seconds downstream DSL transmissions were negatively impacted by code violations.
• dsses – The number of seconds downstream DSL transmissions were severely negatively impacted by code violations.
• peak – Each DSL's maximum (best to date since the screen was refreshed) response time in microseconds.
• uses – The number of seconds upstream DSL transmissions were negatively impacted by code violations.
• usses – The number of seconds upstream DSL transmissions were severely negatively impacted by code violations.
on <T5-DEVICE-NAME> – Optional. Executes the command on a specified T5 device
• <T5-DEVICE-NAME> – Specify the T5 device’s hostname. An error message is displayed if no T5 device name is specified.

• show t5 interface radio [stats|status|wlan-map] {on <T5-DEVICE-NAME>}

t5 – Displays adopted T5 controller statistics
interface – Displays T5 interface-related statistics based on the interface selected
radio [stats|status|wlan-map] – Displays the following radio interface related information:
• stats – Displays T5 radio interface statistics. A T5 controller uses the operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5’s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the operating system. Use this option to view the following:
  • name – The administrator assigned name of each listed CPE radio as its unique identifier
  • Rx (Kbps) – The listed CPE radio's receive data rate (in Kbps). Use this information to assess RF activity versus other T5 managed CPE radios in the same radio coverage area.
  • Rx Octets – The number of octets (bytes) received with no errors by the listed T5 controller managed CPE radio.
  • Rx Packets – The number of data packets received for the listed T5 managed CPE radio since this screen was last refreshed.
  • Tx (Kbps) – The listed CPE radio's transmit data rate (in Kbps). Use this information to assess RF activity versus other T5 managed CPE radios in the same radio coverage area.
  • Tx Octets – Displays the number of octets (bytes) transmitted with no errors by the listed T5 controller managed CPE radio.
  • Tx Packets – The number of data packets transmitted from the listed T5 managed CPE radio since this screen was last refreshed.
• status – Displays T5 radio interface status information
  • name – The administrator assigned name of each listed CPE radio as its unique identifier.
  • Operational status – The radio interface’s operational status (enabled/disabled).
  • mac – The T5 radio interface's MAC address.
  • transmit power – The T5 radio interface’s transmit power.
  • Channel – The T5 radio interface’s channel of operation.
• wlan-map – Displays WLAN map membership data for T5 controller managed CPE radio devices. Use this option to view the following:
  • name – The administrator assigned name of each listed CPE radio as its unique identifier.
  • status – Whether a CPE radio is currently enabled or disabled as a radio resource for the WLAN(s) the CPE radio has been mapped to.
  • wlan-radio-mapping – The managed WLAN(s) each listed radio has been mapped to.
on <T5-DEVICE-NAME> – Optional. Executes the command on a specified T5 device
• <T5-DEVICE-NAME> – Specify the T5 device’s hostname. An error message is displayed if no T5 device name is specified.

• show t5 mac table [filter name [dsl<1-24>|ge <1-2>|vlan <1-4094>|wlan <1-24>] {on <T5-DEVICE-NAME>}]

t5 – Displays adopted T5 controller statistics
mac table [dsl<1-24>|ge <1-2>|vlan <1-4094>|wlan <1-24>] – Displays the T5 MAC address table. The T5 MAC table displays a dynamic list of MAC addresses learned by the T5 controller over its Ethernet interfaces. Use this information to identify devices and the interfaces on which they can be found.
Use the following additional filters to filter on the basis of the VLAN or DSL interface:
• dsl <1-24> – Filters information on the basis of the selected DSL port
• ge <1-2> – Filters information on the basis of the selected GE port
• vlan <1-4094> – Filters information on the basis of the selected VLAN port
• wlan <1-24> – Filters on the basis of the selected CPE
on <T5-DEVICE-NAME> – Optional. Executes the command on a specified T5 device
• <T5-DEVICE-NAME> – Specify the T5 device’s hostname. An error message is displayed if no T5 device name is specified.

• show t5 wireless client {filter name [association-status|authentication-status|bss|mac-address|retry-percentage|rssi-value]} {on <T5-DEVICE-NAME>}

t5 – Displays adopted T5 controller statistics
wireless client – Displays the T5 wireless client and WLAN related statistics
• client – Displays read-only device information for wireless clients associated with the selected T5 controller and its connected CPE device radios. Use this information to assess if configuration changes are required to improve client performance.
Use the additional filters available to view specific client-related information. The options are:
  • association-status
  • authentication-status
  • bss
  • retry-percentage
  • rssi-value
on <T5-DEVICE-NAME> – Optional. Executes the command on a specified T5 device
• <T5-DEVICE-NAME> – Specify the T5 device’s hostname. An error message is displayed if no T5 device name is specified.

• show t5 wireless wlan counters [qos|rate|size] {on <T5-DEVICE-NAME>}

t5 – Displays adopted T5 controller statistics
wireless wlan [qos|rate|size] – Displays the T5 wireless WLAN related statistics
• wlan – Displays the following T5 controller traffic counter statistics:
  • qos – T5 controller WLAN QoS utilization. Displays the number of background (low priority) and best-effort packets received and transmitted on each listed T5 controller managed WLAN
  • rates – Displays T5 controller's WLAN utilization data rate statistics
    • Lists the number of data packets received and transmitted in the WLAN that have been relegated to a 1 Mbps data rate
    • Lists the number of data packets received and transmitted in the WLAN by T5 controller connected devices at 54 Mbps
  • size – Displays the number of data packets received and transmitted, in each listed WLAN, greater than 1024 bytes
on <T5-DEVICE-NAME> – Optional. Executes the command on a specified T5 device
• <T5-DEVICE-NAME> – Specify the T5 device’s hostname. An error message is displayed if no T5 device name is specified.

Example
The following examples are for show commands executed on the ‘t5-ED7C6C’ controller adopted by the ‘nx9500-6C8809’ wireless controller:

nx9500-6C8809(config)#show t5 boot on t5-ED7C6C
Primary Version:  5.4.2.0-010R
Secondary Version:  5.4.2.0-006B
Next Boot: Primary
Upgrade Status: none
Upgrade Progress %:  0
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 version on t5-ED7C6C
Bootloader Version:   5.4.2.0-010R
Application Version:  5.4.2.0-010R
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 system on t5-ED7C6C
Serial Number           14213522400004
SKU                     TS-0524-WR
Hardware Rev            5
Mac Address             B4-C7-99-ED-7C-6C
Description             24-port PowerBroadband VDSL2 Switch Version 5.4.2.0-010R
Contact                 NULL
Name                    t5-ED7C6C
Location                NULL
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 clock on t5-ED7C6C
Time 6-6-2017 17:14:30 UTC
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 interface ge counter on t5-ED7C6C
-------------------------------------------------------------------------------------------------------------------------
 INTERFACE  RECEIVE OCTETS  RECEIVE PACKETS  RECEIVE PAUSE PKTS  TRANSMIT OCTETS  TRANSMIT PACKETS  TRANSMIT PAUSE PKTS
-------------------------------------------------------------------------------------------------------------------------
 ge1        711128918       89636040         0                   2558110037       133720283         0
 ge2        2515775064      133311355        0                   3422167586       78735853          0
-------------------------------------------------------------------------------------------------------------------------
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 uptime on t5-ED7C6C
Up Time 0 days 1 day, 3:19:43
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 temperature on t5-ED7C6C
============ Temperature  ============
--------------------------------------------------------------------
 INDEX CURRENT (C) FANS @ FULL SPEED (C) FANS @ VARIABLE SPEED (C)
--------------------------------------------------------------------
 1      39          70                    60
--------------------------------------------------------------------
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 cpe address on t5-ED7C6C
--------------------------------------------------------------------------------
 DEVICE           STATUS            IP ADDRESS               MAC ADDRESS
--------------------------------------------------------------------------------
 cpe1             ready             192.168.13.32            00-C0-23-69-80-CD
 cpe2             ready             192.168.13.33            74-6F-F7-40-16-62
 cpe3             disconnected      0.0.0.0                  00-00-00-00-00-00
 cpe4             disconnected      0.0.0.0                  00-00-00-00-00-00
 cpe5             disconnected      0.0.0.0                  00-00-00-00-00-00
--More--
nx9500-6C8809(config)#
nx9500-6C8809(config)#show t5 cpe led on t5-ED7C6C
---------------------------------------------------------------------------------------
 DEVICE                                 LED STATUS
---------------------------------------------------------------------------------------
 cpe1                                    enable
 cpe2                                    enable
 cpe3                                    enable
 cpe4                                    enable
 cpe5                                    enable
--More--
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 mac table filter name vlan 1 on t5-ED7C6C
---------------------------------------------------------------------------------------
 T5-MAC              VLAN  ADDRESS              INTERFACE  VENDOR
---------------------------------------------------------------------------------------
 B4-C7-99-ED-7C-6C   1     00-02-B3-28-D1-55    ge1        Intel Corp
 B4-C7-99-ED-7C-6C   1     00-1E-67-4B-BF-BD    ge1        Intel Corp
 B4-C7-99-ED-7C-6C   1     00-23-68-11-E6-C4    ge1        Extreme Tech
 B4-C7-99-ED-7C-6C   1     00-23-68-88-0D-A7    ge1        Extreme Tech
 B4-C7-99-ED-7C-6C   1     00-23-68-99-BB-7C    ge1        Extreme Tech
 B4-C7-99-ED-7C-6C   1     00-A0-F8-68-D5-70    ge1        Extreme Tech
 B4-C7-99-ED-7C-6C   1     00-C0-23-69-80-CD    dsl1       00-C0-23
 B4-C7-99-ED-7C-6C   1     1C-7E-E5-18-FA-67    ge1        D-Link Corp
 B4-C7-99-ED-7C-6C   1     3C-CE-73-F4-47-83    ge1        Cisco Systems
 B4-C7-99-ED-7C-6C   1     74-6F-F7-40-16-62    dsl2       Wistron Corp
--More--
nx9500-6C8809(config)#
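The MAC table is described above as the way to identify devices and the interfaces on which they can be found. The following added example (not part of the Extreme Networks guide) parses captured `show t5 mac table` output and audits it against an asset inventory; the inventory contents and the function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the rows of the example output above, as a captured session.
SAMPLE_OUTPUT = """\
nx9500-6C8809(config)#show t5 mac table filter name vlan 1 on t5-ED7C6C
------------------------------------------------------------------------
        T5-MAC       VLAN          ADDRESS       INTERFACE      VENDOR
------------------------------------------------------------------------
 B4-C7-99-ED-7C-6C   1    00-02-B3-28-D1-55    ge1     Intel Corp
 B4-C7-99-ED-7C-6C   1    00-1E-67-4B-BF-BD    ge1     Intel Corp
 B4-C7-99-ED-7C-6C   1    00-23-68-11-E6-C4    ge1     Extreme Tech
 B4-C7-99-ED-7C-6C   1    00-23-68-88-0D-A7    ge1     Extreme Tech
 B4-C7-99-ED-7C-6C   1    00-23-68-99-BB-7C    ge1     Extreme Tech
 B4-C7-99-ED-7C-6C   1    00-A0-F8-68-D5-70    ge1     Extreme Tech
 B4-C7-99-ED-7C-6C   1    00-C0-23-69-80-CD    dsl1    00-C0-23
 B4-C7-99-ED-7C-6C   1    1C-7E-E5-18-FA-67    ge1     D-Link Corp
 B4-C7-99-ED-7C-6C   1    3C-CE-73-F4-47-83    ge1     Cisco Systems
 B4-C7-99-ED-7C-6C   1    74-6F-F7-40-16-62    dsl2    Wistron Corp
--More--
nx9500-6C8809(config)#
"""

# Hypothetical inventory (constructed): learned MAC -> interface it is expected on.
INVENTORY = {
    "00-02-B3-28-D1-55": "ge1",
    "00-1E-67-4B-BF-BD": "ge1",
    "00-23-68-11-E6-C4": "ge1",
    "00-23-68-88-0D-A7": "ge1",
    "00-23-68-99-BB-7C": "ge1",
    "00-A0-F8-68-D5-70": "ge1",
    "00-C0-23-69-80-CD": "dsl1",
    "1C-7E-E5-18-FA-67": "ge1",
    "74-6F-F7-40-16-62": "dsl3",
}

MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
# A data row is: T5 MAC, VLAN id, learned MAC, interface, vendor (may contain spaces).
ROW = re.compile(
    rf"^\s*(?P<t5>{MAC})\s+(?P<vlan>\d+)\s+(?P<mac>{MAC})"
    rf"\s+(?P<ifname>\S+)\s+(?P<vendor>.*\S)\s*$"
)


@dataclass(frozen=True)
class MacEntry:
    t5_mac: str
    vlan: int
    address: str
    interface: str
    vendor: str


def parse_mac_table(text):
    """Return one MacEntry per data row; prompts, rules and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append(MacEntry(m["t5"].upper(), int(m["vlan"]),
                                    m["mac"].upper(), m["ifname"], m["vendor"]))
    return entries


def is_truncated(text):
    """True when the capture stopped at a pager prompt, so rows may be missing."""
    return any(line.strip().startswith("--More--") for line in text.splitlines())


def audit(entries, inventory):
    """Flag MACs absent from the inventory or learned on an unexpected interface."""
    findings = []
    for entry in entries:
        expected = inventory.get(entry.address)
        if expected is None:
            findings.append(("unknown-mac", entry))
        elif expected != entry.interface:
            findings.append(("interface-changed", entry))
    return findings


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_OUTPUT)
    for kind, entry in audit(table, INVENTORY):
        print(f"{kind}: {entry.address} on {entry.interface} "
              f"(vlan {entry.vlan}, vendor {entry.vendor})")
    if is_truncated(SAMPLE_OUTPUT):
        print("capture ended at --More--: audit covers only the first page")
```

A capture that ends at `--More--` covers only the first page of the table, so an audit that reports no findings on such a capture is not evidence that the segment is clean.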
6.1.68 terminal
show commands

Displays terminal configuration parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show terminal

Parameters
None

Example
rfs6000-81742D(config)#show terminal
Terminal Type: xterm
Length: 24     Width: 200
rfs6000-81742D(config)#
6.1.69 timezone
show commands

Displays a device’s timezone

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show timezone

Parameters
None

Example
rfs6000-81742D(config)#show timezone
Timezone is America/Los_Angeles
rfs6000-81742D(config)#
6.1.70 traffic-shape
show commands

Displays traffic-shaping related configuration details and statistics

Traffic shaping regulates network data transfers to ensure a specific performance level. Traffic shaping delays the flow of packets defined as less important than prioritized traffic streams. Traffic shaping enables traffic control out an interface to match its flow to the speed of a remote target’s interface and ensure traffic conforms to applied policies. Traffic can be shaped to meet downstream requirements and eliminate network congestion when data rates are in conflict.

Apply traffic shaping to specific applications to apply application categories. When application and ACL rules are conflicting, ACL rules take precedence for the traffic shaping class. Using traffic shaping, an application takes precedence over an application category.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530

Syntax
show traffic-shape [priority-map|statistics {class <1-4>}|status] {on <DEVICE-NAME>}

Parameters
• show traffic-shape [priority-map|statistics {class <1-4>}|status] {on <DEVICE-NAME>}

traffic-shape – Displays traffic-shaping related configuration details and statistics
priority-map – Displays the traffic shaper queue priority. There are 8 queues (0 - 7), and traffic is queued in each based on incoming packets' 802.1p markings.
statistics class <1-4> – Displays traffic-shaping related statistics for all traffic shaper classes or for a selected class
• class <1-4> – Optional. Specify the traffic class from 1 - 4. The system displays traffic shaping statistics for the selected class. If not selected, the system displays statistics for all classes.
status – Displays the controller or service platform’s traffic shaping status (whether running or not)
on <DEVICE-NAME> – Optional. Displays traffic-shaping related configuration details and statistics on a specified device
• <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
Example
ap7532-DEB9B0#show traffic-shape priority-map
----------------------------------------
  DOT1P-PRIORITY    TX-SHAPER-PRIORITY
----------------------------------------
 0                2
 1                0
 2                1
 3                3
 4                4
 5                5
 6                6
 7                7
----------------------------------------
ap7532-DEB9B0#

ap7532-DEB9B0#show traffic-shape status
State of Traffic shaper:  running
ap7532-DEB9B0#

ap7532-DEB9B0#show traffic-shape statistics
Traffic shaper class : 1
Class 1 is not configured:
Traffic shaper class : 3
Class 3 is not configured:
Traffic shaper class : 2
Rate: 1500 Kbps
----------------------------------------------------------------------------------------------
 PRIORITY  PKTS-SENT  PKTS-DELAYED PKTS-DROPPED CURRENT-QUEUE-LEN  CURRENT-LATENCY(IN USECS)
----------------------------------------------------------------------------------------------
  1        0           0            0            0                 0
  0        0           0            0            0                 0
  3        0           0            0            0                 0
  2        152153035   151924251    1508343      11                33447
  5        0           0            0            0                 0
  4        0           0            0            0                 0
  7        0           0            0            0                 0
  6        0           0            0            0                 0
----------------------------------------------------------------------------------------------
Traffic shaper class : 4
Class 4 is not configured:
ap7532-DEB9B0#
6.1.71 upgrade-status
show commands

Displays the last image upgrade status

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show upgrade-status {detail|on}
show upgrade-status {detail} {(on <DEVICE-NAME>)}

NOTE: This command is not available in the USER EXEC Mode.

Parameters
• show upgrade-status {detail} {(on <DEVICE-NAME>)}

upgrade-status – Displays last image upgrade status and log
detail – Optional. Displays last image upgrade status in detail
on <DEVICE-NAME> – The following keyword is recursive and common to the ‘detail’ parameter:
• on <DEVICE-NAME> – Optional. Displays last image upgrade status on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
Note: If the ‘on’ keyword is used without the ‘detail’ keyword, the system displays a summary of upgrade status and log on the specified device.

Example
nx9500-6C8809#show upgrade-status
Last Image Upgrade Status :In_Progress(17 percent completed)
Last Image Upgrade Time   : 2017-02-11 12:26:29
nx9500-6C8809#

nx9500-6C8809#show upgrade-status detail
Last Image Upgrade Status : Successful
Last Image Upgrade Time   : 2017-06-02 14:22:51
-----------------------------------------------
Running from partition /dev/sda8
var2 is 1 percent full
/tmp is 4 percent full
Free Memory 33357504 kB
FWU invoked via Linux shell
Validating image file header
Removing other partition
Tue May 30 10:43:36 IST 2017
debug: cmdline -C /boot/lilo.conf -R 5.9.0.0-028B -P fix
LILO version 22.6-CCB, Copyright (C) 1992-1998 Werner Almesberger
--More--
nx9500-6C8809#
6.1.72 version
show commands

Displays a device’s software and hardware version

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show version {on <DEVICE-NAME>}

Parameters
• show version {on <DEVICE-NAME>}

version {on <DEVICE-NAME>} – Displays software and hardware versions on all devices or a specified device
• on <DEVICE-NAME> – Optional. Displays software and hardware versions on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809#show version
NX9500 version 5.9.0.0-029R
Copyright (c) 2004-2017 Extreme Networks, Inc. All rights reserved.
Booted from primary
nx9500-6C8809 uptime is 3 days, 20 hours 49 minutes
CPU is Intel(R) Xeon(R) CPU           E5645  @ 2.40GHz, No. of CPUs 24
Base ethernet MAC address is B4-C7-99-6C-88-09
System serial number is B4C7996C8809
Model number is NX-9500-100R0-WR
nx9500-6C8809#
6.1.73 vrrp
show commands

Displays the following Virtual Router Redundancy Protocol (VRRP) related statistics: configuration error, router redundancy information in brief and detail. VRRP configuration errors include mismatch of authentication credentials, invalid packet checksums, invalid packet types, invalid virtual route IDs, TTL errors, packet length errors and invalid (non matching) VRRP versions.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show vrrp [brief|details|error-stats|stats]
show vrrp [brief|details|stats] {<1-255>} {(on <DEVICE-NAME>)}
show vrrp error-stats {on <DEVICE-NAME>}

Parameters
• show vrrp [brief|details|stats] {<1-255>} {(on <DEVICE-NAME>)}

vrrp – Displays VRRP related statistics in brief or in detail depending on the option selected
brief – Displays virtual router information in brief
details – Displays virtual router information in detail
stats – Displays virtual router statistics
<1-255> – The following keyword is common to all of the above parameters:
• <1-255> – Optional. Displays information for a specified Virtual Router. Specify the router's ID from 1 - 255.
on <DEVICE-NAME> – The following keyword is recursive and common to the ‘<1-255>’ parameter:
• on <DEVICE-NAME> – Optional. Displays specified router information on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

• show vrrp error-stats {on <DEVICE-NAME>}

vrrp – Displays VRRP related statistics in brief or in detail depending on the option selected
error-stats {on <DEVICE-NAME>} – Displays global error statistics
• on <DEVICE-NAME> – Optional. Displays global error statistics on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
Example
rfs6000-81742D(config)#show vrrp error-stats
Last protocol error reason: none
IP TTL errors: 0
Version mismatch: 0
Packet Length error: 0
Checksum error: 0
Invalid virtual router id: 0
Authentication mismatch: 0
Invalid packet type: 0
rfs6000-81742D(config)#

rfs6000-81742D(config)#show vrrp details
VRRP Group 1:
  version 2
  interface none
  configured priority 1
  advertisement interval 1 sec
  preempt enable, preempt-delay 0
  virtual mac address 00-00-5E-00-01-01
  sync group disable
rfs6000-81742D(config)#
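The error counters listed for `show vrrp error-stats` are cumulative, so what matters operationally is which of them moved between two polls. The following added example (not part of the Extreme Networks guide) parses two captures and reports the deltas; the second capture, its "Last protocol error reason" value and the triage grouping are constructed assumptions.

```python
import re

# Constructed snapshots in the format of the `show vrrp error-stats` example above.
BASELINE = """\
rfs6000-81742D(config)#show vrrp error-stats
Last protocol error reason: none
IP TTL errors: 0
Version mismatch: 0
Packet Length error: 0
Checksum error: 0
Invalid virtual router id: 0
Authentication mismatch: 0
Invalid packet type: 0
rfs6000-81742D(config)#
"""

LATER = """\
rfs6000-81742D(config)#show vrrp error-stats
Last protocol error reason: authentication mismatch
IP TTL errors: 3
Version mismatch: 0
Packet Length error: 0
Checksum error: 2
Invalid virtual router id: 0
Authentication mismatch: 14
Invalid packet type: 0
rfs6000-81742D(config)#
"""

# Assumption of this example: counters that point at a foreign or misconfigured
# VRRP speaker are reviewed first. VRRP advertisements are sent with IP TTL 255
# and receivers discard any other value, so TTL errors mean a packet crossed a
# router on its way to this segment.
REVIEW_FIRST = {
    "IP TTL errors",
    "Version mismatch",
    "Invalid virtual router id",
    "Authentication mismatch",
    "Invalid packet type",
}

# "Name: value" lines only; prompt lines contain digits or '#' before any colon.
LINE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.+?)\s*$")


def parse_error_stats(text):
    """Return {field name: int counter or str value} for one capture."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            value = m["value"]
            stats[m["name"]] = int(value) if value.isdigit() else value
    return stats


def compare(before, after):
    """Return (name, kind, amount) for every counter that changed between polls."""
    findings = []
    for name, new in after.items():
        if not isinstance(new, int):
            continue
        old = before.get(name, 0)
        if not isinstance(old, int):
            old = 0
        if new < old:
            # Counter went backwards: statistics were cleared or the device restarted.
            findings.append((name, "counter-reset", new))
        elif new > old:
            kind = "review" if name in REVIEW_FIRST else "corruption"
            findings.append((name, kind, new - old))
    return findings


if __name__ == "__main__":
    old, new = parse_error_stats(BASELINE), parse_error_stats(LATER)
    print("last error reason:", new.get("Last protocol error reason"))
    for name, kind, amount in compare(old, new):
        print(f"{kind:14} {name}: +{amount}" if kind != "counter-reset"
              else f"{kind:14} {name}: now {amount}")
```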
6.1.74 web-filter
show commands

Displays Web filtering related information. Use this command to view information on Web requests for content and whether the requests were blocked or approved based on URL filter settings defined for the selected controller or service platform. A URL filter is comprised of several filter rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.

Supported in the following platforms:
• Access Points — AP6522, AP6532, AP7161, AP7502, AP7522, AP7532, AP7562, AP8132
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show web-filter [category|category-type|config|filter-level [basic|high|low|medium|medium-high]|statistics {on <DEVICE-NAME>}|status]

Parameters
• show web-filter [category|category-type|config|filter-level [basic|high|low|medium|medium-high]|statistics {on <DEVICE-NAME>}|status]

web-filter – Displays existing and configured Web filter details
category – Displays Web filter categories. A category is a pre-defined URL list available in the WiNG software.
category-type – Displays the Web filter category types. This is a pre-configured list of categories and sub-categories into which commonly accessed URLs have been classified.
config – Displays all existing Web filters and their configuration details
filter-level [basic|high|low|medium|medium-high] – Displays category types for the selected filter-level. Each filter level is pre-configured to use a set of category types. You cannot change the categories in the category types used for these pre-configured filter-level settings. Nor can you add, modify, or remove the category types mapped to a filter-level setting.
The options are:
• basic – Displays all category types configured for the basic filter-level
• high – Displays all category types configured for the high filter-level
• low – Displays all category types configured for the low filter-level
• medium – Displays all category types configured for the medium filter-level
• medium-high – Displays all category types configured for the medium-high filter-level
statistics {on <DEVICE-NAME>} – Displays Web filter statistics on a specified device
• on <DEVICE-NAME> – Optional. Specifies the device name
  • <DEVICE-NAME> – Specify the name of the AP, controller, or service platform.
Note: Web filtering is a licensed feature, and only when enforced can the system display Web filtering statistics.
status {on <DEVICE-NAME>} – Displays Web filter status on a specified device
• on <DEVICE-NAME> – Optional. Specifies the device name
  • <DEVICE-NAME> – Specify the name of the AP, controller, or service platform.
Note: Web filtering is a licensed feature, and only when enforced can the system display Web filtering status.

Example
nx9500-6C8809(config)#show web-filter category
    advertisement-popups
        Sites that provide advertising graphics or other ad content
        files such as banners and pop-ups.
    alcohol-tobacco
        Sites that promote or sell alcohol- or tobacco-related
        products or services.
    anonymizers
        Sites and proxies that act as an intermediary for surfing to
        other websites in an anonymous fashion, whether to
        circumvent web filtering or for other reasons.
    arts
        Sites with artistic content or relating to artistic
        institutions such as theaters, museums, galleries, dance
        companies, photography, and digital graphic resources.
    botnets
        Sites that use bots (zombies) including command-and-control
        sites.
--More--
nx9500-6C8809(config)#

nx9500-6C8809(config)#show web-filter config
URL filters configured for this device are:
    WebFilter_ShoppingSites
        Blacklisted categories:
            shopping,
        Whitelisted categories:
            <AllowedShopping>,
nx9500-6C8809(config)#
6.1.75 what

Displays details of a specified search phrase (performs global search)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show what [contain|is] <WORD> {on <DEVICE-OR-DOMAIN-NAME>}

Parameters

• show what [contain|is] <WORD> {on <DEVICE-OR-DOMAIN-NAME>}

contain <WORD> – Searches on all the items that contain a specified word
• <WORD> – Specify a word to search (for example, MAC address, hostname, etc.).
is <WORD> – Searches on an exact match
• <WORD> – Specify a word to search (for example, MAC address, hostname, etc.).
on <DEVICE-OR-DOMAIN-NAME> – Optional. Performs global search on a specified device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example

rfs4000-229D58#show what contain default
----------------------------------------------------------------------------------------------------------------------------------------------------
NO. CATEGORY             MATCHED                        OTHER KEY INFO (1)             OTHER KEY INFO (2)             OTHER KEY INFO (3)
                         NAME/VALUE                     NAME/VALUE                     NAME/VALUE                     NAME/VALUE
----------------------------------------------------------------------------------------------------------------------------------------------------
                         https-trustpoint               type                           mac                            rf_domain_name
1   device-cfg           default-trustpoint             rfs4000                        00-23-68-22-9D-58              default
                         __obj_name__                   name
2   firewall_policy      default                        default
                         __obj_name__                   name                           https                          idle_session_timeout
3   management_policy    default                        default                        True                           30
                         qos_policy                     name                           control_vlan                   beacon_format
--More--
rfs4000-229D58#
6.1.76 wireless

Displays wireless configuration parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

show wireless [ap|bridge|client|coverage-hole-incidents|meshpoint|mint|mobility-database|radio|regulatory|rf-domain|sensor-server|unsanctioned|wips|wlan]

show wireless ap {configured|detail|load-balancing|on <DEVICE-NAME>}
show wireless ap {configured}
show wireless ap {detail} {<MAC/HOST-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless ap {load-balancing} {client-capability|events|neighbors} {(on <DEVICE-NAME>)}

show wireless bridge {candidate-ap|certificate|config|hosts|on|statistics}
show wireless bridge {candidate-ap} {<MAC/HOSTNAME> {<1-3>}} {(filter radio-mac <RADIO-MAC>)} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless bridge {certificate} status {on <DEVICE-NAME>}
show wireless bridge {config}
show wireless bridge {hosts} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless bridge {statistics} {rf|traffic} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless client {association-history|detail|filter|include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|statistics|tspec}
show wireless client {association-history <MAC>} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {filter [ip|on|state|wlan]}
show wireless client {filter} {ip [<IP>|not <IP>]} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {filter} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {filter} {state [data-ready|not [data-ready|roaming]|roaming]} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {filter} {wlan [<WLAN-NAME>|not <WLAN-NAME>]} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {include-ipv6} {detail|on|filter}
show wireless client {include-ipv6} {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {include-ipv6} {filter {ip|ipv6|state|wlan}}
show wireless client {statistics} {detail|on|rf|window-data}
show wireless client {statistics} {detail <MAC>|rf|window-data <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {tspec <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless coverage-hole-incidents [detail|on|summary]
show wireless coverage-hole-incidents detail {filter [ap <MAC/HOSTNAME>|client-mac <MAC>]|summary} {(on <DOMAIN-NAME>)}

show wireless meshpoint {config|detail|multicast|neighbor|on|path|proxy|root|security|statistics|tree|usage-mappings}
show wireless meshpoint {config} {filter [device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>]}
show wireless meshpoint {detail} {<MESHPOINT-NAME>}
show wireless meshpoint {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint {multicast|path|proxy|root|security|statistics} [<MESHPOINT-NAME>|detail] {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint neighbor [<MESHPOINT-NAME>|detail|statistics {rf}] {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint {tree} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint {usage-mappings}

show wireless mobility-database {on <DEVICE-NAME>}

show wireless mint [client|detail|links|portal]
show wireless [client|detail] {on|portal-candidates {<DEVICE-NAME>|filter <RADIO-MAC>}|statistics} (<DEVICE-OR-DOMAIN-NAME>)
show wireless mint links {on <DEVICE-OR-DOMAIN-NAME>}
show wireless mint portal statistics {on <DEVICE-OR-DOMAIN-NAME>}

show wireless radio {detail|on <DEVICE-OR-DOMAIN-NAME>|statistics|tspec|wlan-map}
show wireless radio {detail} {<DEVICE-NAME>|filter|on <DEVICE-OR-DOMAIN-NAME>}
show wireless radio {detail} {<DEVICE-NAME> {<1-3>|filter|on}}
show wireless radio {detail} {filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless radio {statistics} {detail|on|rf|windows-data}
show wireless radio {statistics} {on <DEVICE-OR-DOMAIN-NAME>|rf {on <DEVICE-OR-DOMAIN-NAME>}}
show wireless radio {statistics} {detail|window-data} {<DEVICE-NAME>} {<1-3>|filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless radio {tspec} {<DEVICE-NAME>|filter|on <DEVICE-OR-DOMAIN-NAME>|option}
show wireless radio {wlan-map} {on <DEVICE-OR-DOMAIN-NAME>}

show wireless regulatory [channel-info <WORD>|country-code <WORD>|device-type]
show wireless regulatory device-type [ap6521|ap6522|ap6532|ap6562|ap7131|ap7161|ap7181|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap8132|ap8163|ap82xx|ap8432|ap8533|rfs4000] <WORD>

show wireless rf-domain statistics {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless sensor-server {on <DEVICE-OR-DOMAIN-NAME>}

show wireless unsanctioned aps {detail|statistics} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless wips [client-blacklist|event-history] {on <DEVICE-OR-DOMAIN-NAME>}

show wireless wlan {config|detail <WLAN>|on <DEVICE-OR-DOMAIN-NAME>|policy-mappings|statistics|usage-mappings}
show wireless wlan {detail <WLAN>|on <DEVICE-OR-DOMAIN-NAME>|policy-mappings|usage-mappings}
show wireless {config filter {device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>}}
show wireless wlan statistics {<WLAN>|detail|traffic} {on <DEVICE-OR-DOMAIN-NAME>}

Parameters

• show wireless ap {configured}

wireless – Displays wireless configuration parameters
ap – Displays managed access point information
configured – Optional. Displays configured AP information, such as name, MAC address, profile, RF Domain, and adoption status

• show wireless ap {detail} {<MAC/HOST-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless – Displays wireless configuration parameters
ap – Displays managed access point information
detail <MAC/HOST-NAME> – Optional. Displays detailed information for all APs or a specified AP
• <MAC/HOST-NAME> – Optional. Displays information for a specified AP. Specify the AP’s MAC address.
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is recursive and common to the ‘detail <MAC/HOST-NAME>’ parameter:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays information on a specified device or RF Domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless ap {load-balancing} {client-capability|events|neighbors} {(on <DEVICE-NAME>)}

wireless – Displays wireless configuration parameters
ap – Displays managed access point information
load-balancing {client-capability|events|neighbors} – Optional. Displays load balancing status. Use additional filters to view specific details.
• client-capability – Optional. Displays client band capability
• events – Optional. Displays client events
• neighbors – Optional. Displays neighboring clients
on <DEVICE-NAME> – The following keyword is recursive and common to the ‘client-capability’, ‘events’, and ‘neighbors’ parameters:
• on <DEVICE-NAME> – Optional. Displays load balancing information, based on the parameters passed, on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.
• show wireless bridge {candidate-ap} {<MAC/HOSTNAME> {<1-3>}} {(filter radio-mac <RADIO-MAC>)} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless – Displays wireless configuration statistics
bridge candidate-ap – Optional. Displays information about the candidate infrastructure access points as well as the infrastructure access point that the client-bridge radio has selected
Note: When enabled, the client-bridge radio scans its defined channels to locate the best candidate access point servicing the infrastructure WLAN.
<MAC/HOSTNAME> <1-3> – Optional. Specify the client-bridge access point’s hostname or MAC address. Optionally append the radio interface’s number to form client-bridge in the form of AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX.
• <1-3> – Optional. Radio interface index if not specified as part of mesh ID.
filter radio-mac <RADIO-MAC> – This is a recursive parameter and common to all of the above options.
• filter radio-mac – Optional. Provides additional filters to specifically identify the radio by its MAC address
  • <RADIO-MAC> – Specify the radio’s MAC address.
on <DEVICE-OR-DOMAIN-NAME> – This is a recursive parameter and common to all of the above options.
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Executes the command on a specified device or devices within a specified RF Domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the AP, controller, service platform, or RF Domain name.

• show wireless bridge {certificate} status {on <DEVICE-NAME>}

wireless – Displays wireless configuration statistics
bridge certificate status – Optional. Displays all client bridges in configuration and the status of their PKCS#12 certificates
on <DEVICE-NAME> – Optional. Executes the command on a specified device
• <DEVICE-NAME> – Specify the AP, controller, service platform name.

• show wireless bridge {config}

wireless – Displays wireless configuration statistics
bridge config – Optional. Displays all client bridges in configuration
The output displays the configured client-bridges’ hostname, MAC address, profile, RF Domain, SSID, band, encryption, authentication, and EAP username.

• show wireless bridge {hosts} {on <DEVICE-OR-DOMAIN-NAME>}

wireless – Displays wireless configuration statistics
bridge hosts – Optional. Displays the client bridge host information
The output displays the configured client-bridges’ host’s MAC Address, bridge MAC address, IPv4 address, bridging status, and activity
Note: The HOST MAC column displays real MAC addresses of wired hosts, while the BRIDGE MAC column displays the translated MAC addresses. The BRIDGE MAC column is based on the radio 2 base MAC address and increments by 1 for each wired host connected to the client bridge’s Ge1 port.
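Scripts that collect this output often build the command from inventory data, so the identifier forms given above for `show wireless bridge candidate-ap` (`AA-BB-CC-DD-EE-FF:RX`, `HOSTNAME:RX`, or a separate `<1-3>` index) are worth validating before they reach a CLI session. The following Python sketch is an added example, not code from this guide or from Extreme Networks; it assumes that `RX` means the letter R followed by the radio index and that device and RF Domain names contain only letters, digits, `.`, `_` and `-`.

```python
import re

# Assumptions, not stated in the guide: "RX" is the letter R plus the radio
# index, and device/RF Domain names use only letters, digits, '.', '_', '-'.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
RADIO_SUFFIX_RE = re.compile(r"[Rr]([1-3])")


class CliArgumentError(ValueError):
    """A value that must not be placed on the command line."""


def normalize_mac(value):
    """Return a dash-separated MAC in upper case, or raise."""
    # fullmatch, not match with '$': a trailing newline must not slip through.
    if not isinstance(value, str) or not MAC_RE.fullmatch(value):
        raise CliArgumentError(f"not a dash-separated MAC address: {value!r}")
    return value.upper()


def check_name(value):
    """Return a device or RF Domain name unchanged if it is a single safe token."""
    if not isinstance(value, str) or not NAME_RE.fullmatch(value):
        raise CliArgumentError(f"not a valid device or domain name: {value!r}")
    return value


def parse_bridge_id(value, index=None):
    """Split 'MAC[:RX]' or 'HOSTNAME[:RX]' into (device, radio index or None).

    `index` is the optional separate <1-3> argument; it must agree with any
    :RX suffix already present in `value`.
    """
    if not isinstance(value, str):
        raise CliArgumentError(f"identifier must be a string: {value!r}")
    device, sep, suffix = value.partition(":")
    radio = None
    if sep:
        match = RADIO_SUFFIX_RE.fullmatch(suffix)
        if match is None:
            raise CliArgumentError(f"radio suffix must be R1, R2 or R3: {value!r}")
        radio = int(match.group(1))
    device = normalize_mac(device) if MAC_RE.fullmatch(device) else check_name(device)
    if index is not None:
        if isinstance(index, bool) or index not in (1, 2, 3):
            raise CliArgumentError(f"radio index must be 1, 2 or 3: {index!r}")
        if radio is not None and radio != index:
            raise CliArgumentError("radio suffix and index disagree")
        radio = index
    return device, radio


def build_candidate_ap_command(bridge_id=None, index=None, radio_mac=None, on=None):
    """Build 'show wireless bridge candidate-ap ...' from validated parts only."""
    parts = ["show", "wireless", "bridge", "candidate-ap"]
    if bridge_id is not None:
        device, radio = parse_bridge_id(bridge_id, index)
        parts.append(device if radio is None else f"{device}:R{radio}")
    elif index is not None:
        raise CliArgumentError("a radio index needs a MAC address or hostname")
    if radio_mac is not None:
        parts += ["filter", "radio-mac", normalize_mac(radio_mac)]
    if on is not None:
        parts += ["on", check_name(on)]
    return " ".join(parts)


def rejects(*args, **kwargs):
    """True if the builder refuses the given arguments."""
    try:
        build_candidate_ap_command(*args, **kwargs)
    except CliArgumentError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inventory values; the first MAC appears in the guide's sample output.
    print(build_candidate_ap_command("00-23-68-22-9d-58:r2"))
    print(build_candidate_ap_command("ap7532-lab", index=1,
                                     radio_mac="00-23-68-22-9d-60", on="default"))
    for bad in ("ap1 on other-domain", "ap1\n", "00:23:68:22:9D:58", "ap1:R4"):
        print(repr(bad), "rejected:", rejects(bad))
```

Colon-separated MAC addresses are rejected on purpose, because the colon is reserved for the `:RX` radio suffix in this identifier format.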
on <DEVICE-OR-DOMAIN-NAME> – Optional. Executes the command on a specified device or devices within a specified RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Optional. Specify the AP, controller, service platform, or Domain name.

• show wireless bridge {statistics} {rf|traffic} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless – Displays wireless configuration statistics
bridge statistics – Optional. Displays the client-bridge related statistics
rf – Optional. Displays the client-bridge related RF statistics
The output displays the signal, noise, SNR, TX/RX rates, retries, and errors.
traffic – Optional. Displays the client-bridge related traffic statistics
The output displays TX/RX bytes, TX/RX packets, TX/RX bits/second, and dropped packets.
on <DEVICE-OR-DOMAIN-NAME> – Optional. Executes the command on a specified device or devices within a specified RF Domain
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Specify the AP, controller, service platform, or Domain name.

• show wireless client {association-history <MAC>} {on <DEVICE-OR-DOMAIN-NAME>}

wireless – Displays wireless configuration parameters
client – Displays client information based on the parameters passed
association-history <MAC> – Optional. Displays association history for a specified client
• <MAC> – Specify the MAC address of the client.
on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays association history on a specified device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless client {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless – Displays wireless configuration parameters
client – Displays client information based on the parameters passed
detail <MAC> – Optional. Displays detailed wireless client(s) information
• <MAC> – Optional. Displays detailed information for a specified wireless client. Specify the MAC address of the client.
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is recursive and common to the ‘detail <MAC>’ parameter:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays detailed information on a specified device or RF Domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless client {filter ip [<IP>|not <IP>]} {on <DEVICE-OR-DOMAIN-NAME>}

wireless – Displays wireless configuration parameters
client – Displays client information based on the parameters passed
filter IP [<IP>|not <IP>] – Optional. Uses IP addresses to filter wireless clients
• <IP> – Selects clients with IP address matching the <IP> parameter
• not <IP> – Inverts the match selection
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is common to the ‘IP’ and ‘not IP’ parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays selected wireless client information on a specified device or RF Domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless client {filter} {state [data-ready|not [data-ready|roaming]|roaming]} {on <DEVICE-OR-DOMAIN-NAME>}

wireless – Displays wireless configuration parameters
client – Displays client information based on the parameters passed
filter state [data-ready|not [data-ready|roaming]|roaming] – Optional. Filters clients based on their state
• data-ready – Selects wireless clients in the data-ready state
• not [data-ready|roaming] – Inverts match selection. Selects wireless clients neither ready nor roaming
• Roaming – Selects roaming clients
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is common to the ‘ready’, ‘not’, and ‘roaming’ parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays selected client details on a specified device or RF Domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless client {filter} {wlan [<WLAN-NAME>|not <WLAN-NAME>]} {on <DEVICE-OR-DOMAIN-NAME>}

wireless – Displays wireless configuration parameters
client – Displays client information based on the parameters passed
filter wlan [<WLAN-NAME>|not <WLAN-NAME>] – Optional. Filters clients on a specified WLAN
• <WLAN-NAME> – Specify the WLAN name.
• not <WLAN-NAME> – Inverts the match selection
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is common to the ‘WLAN’ and ‘not’ parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Filters clients on a specified device or RF Domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless client {statistics} {detail <MAC>|rf|window-data <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless – Displays wireless configuration parameters
client – Displays client information based on the parameters passed
statistics {detail <MAC>|rf|window-data <MAC>} – Optional. Displays detailed client statistics. Use additional filters to view specific details.
• detail <MAC> – Optional. Displays detailed client statistics
  • <MAC> – Optional. Displays detailed statistics for a specified client. Specify the client’s MAC address.
• rf – Optional. Displays detailed client statistics on a specified device or RF Domain
• window-data <MAC> – Optional. Displays historical data, for a specified client
  • <MAC> – Optional. Specify the client’s MAC address
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is recursive and common to the ‘detail <MAC>’, ‘RF’, and ‘window-data <MAC>’ parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays client statistics, based on the parameters passed, on a specified device or RF Domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless client {tspec} {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless – Displays wireless configuration parameters
client – Displays client information based on the parameters passed
tspec <MAC> – Optional. Displays detailed traffic specification (TSPEC) information for all clients or a specified client
• <MAC> – Optional. Displays detailed TSPEC information for a specified client. Specify the MAC address of the client.
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is recursive and common to the ‘tspec <MAC>’ parameter:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays detailed TSPEC information for wireless clients on a specified device or RF Domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless client {include-ipv6} {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless – Displays wireless configuration parameters
client – Displays client information based on the parameters passed
include-ipv6 – Includes IPv6 address (if known) of wireless clients
detail <MAC> – Optional. Displays detailed wireless client(s) information
• <MAC> – Optional. Displays detailed information for a specified wireless client. Specify the MAC address of the client.
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is recursive and common to the ‘detail <MAC>’ parameter:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays detailed information on a specified device or RF Domain
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless client {include-ipv6} {filter {ip|ipv6|state|wlan}}

wireless – Displays wireless configuration parameters
client – Displays wireless client information based on the parameters passed
include-ipv6 {filter} – Optional. Includes IPv6 address (if known) of wireless clients
• filter – Optional. Defines additional filters. Use one of the following options to filter clients: ip, ipv6, state, and wlan
By default the system only displays the IPv4 address of clients. The include-ipv6 parameter includes the known IPv6 address of each client.
ip [<IPv4>|not <IPv4>] – Optional. Displays wireless client information based on the IPv4 address passed
• <IPv4> – Displays information of the client identified by the <IPv4> parameter
• not <IPv4> – Inverts the match selection
ipv6 [<IPv6>|not <IPv6>] – Optional. Displays wireless client information based on the IPv6 address passed
• <IPv6> – Displays information of the client identified by the <IPv6> parameter
• not <IPv6> – Inverts the match selection
filter state [data-ready|not [data-ready|roaming]|roaming] – Optional. Filters wireless client information based on their state
• data-ready – Displays information of wireless clients in the data-ready state
• not [data-ready|roaming] – Inverts match selection. Displays information of wireless clients neither ready nor roaming
• Roaming – Displays information of roaming clients
wlan [<WLAN-NAME>|not <WLAN-NAME>] – Optional. Displays wireless client information based on the WLAN name passed
• <WLAN-NAME> – Specify the WLAN name.
• not <WLAN-NAME> – Inverts match selection

• show wireless coverage-hole-incidents {detail} {filter [ap <MAC/HOSTNAME>|client-mac <MAC>]|summary} {(on <DOMAIN-NAME>)}

wireless – Displays wireless configuration parameters. Use this option to view coverage-hole related incidents encountered by wireless clients and reported to associated access points.
coverage-hole-incidents – Displays coverage-hole related statistics
detail filters [ap <MAC/HOSTNAME>|client-mac <MAC>] – Optional. Displays detailed coverage-hole related statistics
• filters – Optional. Displays detailed coverage-hole related statistics on a per access point or wireless-client basis
  • ap <MAC/HOSTNAME> – Displays detailed coverage-hole related statistics for a specified access point
    • <MAC/HOSTNAME> – Specify the access point’s device name or MAC address.
  • client-mac <MAC> – Displays detailed coverage-hole related statistics encountered by a specified wireless client
    • <MAC> – Specify the wireless client’s MAC address
Note: If the command is executed without any parameters being included, the system displays all coverage-hole related statistics.
summary – Optional. Displays a summary of coverage-hole related statistics
on <DOMAIN-NAME> – This parameter is recursive and is common to the ‘detail’ and ‘summary’ keywords:
• on <DOMAIN-NAME> – Optional. Displays detailed or summary coverage-hole related statistics on a specified RF Domain
  • <DOMAIN-NAME> – Specify the domain name.
• show wireless meshpoint {config} {filter [device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>]}

wireless – Displays wireless configuration parameters. Use this option to view detailed statistics on each Mesh-capable client available within controller’s adopted access point’s radio coverage area.
A mesh network is one where each node is able to communicate with other nodes and maintain more than one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes.
meshpoint – Displays meshpoint related information
config – Optional. Displays all meshpoint configuration
filters [device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>] – Optional. Provides additional filter options, such as device name and RF Domain name.
• device <DEVICE-NAME> – Displays meshpoints applied to a specified device
  • <DEVICE-NAME> – Specify the device name.
• rf-domain <DOMAIN-NAME> – Displays meshpoints applied to a specified RF Domain
  • <DOMAIN-NAME> – Specify the domain name.

• show wireless meshpoint {detail} {<MESHPOINT-NAME>}

wireless – Displays wireless configuration parameters
meshpoint – Displays meshpoint related information. Use this option to view detailed statistics on each Mesh-capable client available within controller’s adopted access point’s radio coverage area.
A mesh network is one where each node is able to communicate with other nodes and maintain more than one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes.
detail <MESHPOINT-NAME> – Optional. Displays detailed information for all meshpoints or a specified meshpoint
• <MESHPOINT-NAME> – Optional. Displays detailed information for a specified meshpoint. Specify the meshpoint name.

• show wireless meshpoint {multicast|path|proxy|root|security|statistics} [<MESHPOINT-NAME>|detail] {on <DEVICE-OR-DOMAIN-NAME>}

wireless – Displays wireless configuration parameters
meshpoint – Displays meshpoint related information. Use this option to view detailed statistics on each Mesh-capable client available within controller’s adopted access point’s radio coverage area.
A mesh network is one where each node is able to communicate with other nodes and maintain more than one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes.
multicast – Optional. Displays meshpoint multicast information
path – Optional. Displays meshpoint path information
proxy – Optional. Displays meshpoint proxy information
root – Optional. Displays meshpoint root information
security – Optional. Displays meshpoint security information
statistics – Optional. Displays meshpoint statistics
[<MESHPOINT-NAME>|detail] – The following keywords are common to all of the above parameters:
• <MESHPOINT-NAME> – Displays meshpoint related information for a specified meshpoint. Specify the meshpoint name.
• detail – Displays detailed multicast information for all meshpoints
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is common to all of the above parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays detailed multicast information on a specified device or RF Domain.
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless meshpoint {neighbor} [<MESHPOINT-NAME>|detail|statistics {rf}] {on <DEVICE-OR-DOMAIN-NAME>}

wireless – Displays wireless configuration parameters
meshpoint – Displays meshpoint related information. Use this option to view detailed statistics on each Mesh-capable client available within controller’s adopted access point’s radio coverage area.
A mesh network is one where each node is able to communicate with other nodes and maintain more than one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes.
neighbor – Optional. Displays meshpoint neighbor information, based on the parameters passed
[<MESHPOINT-NAME>|detail|statistics {rf}] – Select one of the following parameters to view neighbor related information
• <MESHPOINT-NAME> – Displays detailed multicast information for a specified meshpoint. Specify the meshpoint name.
• detail – Displays detailed multicast information for all meshpoints
• statistics – Displays neighbors related statistics
  • rf – Optional. Displays RF related statistics for neighbors
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is common to all of the above parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays meshpoint neighbor information, based on the parameters passed, on a specified device or RF Domain.
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless meshpoint {tree} {on <DEVICE-OR-DOMAIN-NAME>}

wireless – Displays wireless configuration parameters
meshpoint – Displays meshpoint related information
Note: The show > wireless > meshpoint > tree command can be executed only from a wireless controller.
tree – Optional. Displays meshpoint network tree
on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays meshpoint network tree on a specified device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Optional. Specify the name of AP, wireless controller, service platform, or RF Domain

• show wireless meshpoint {usage-mappings|on <DEVICE-OR-DOMAIN-NAME>}

wireless – Displays wireless configuration parameters
meshpoint – Displays meshpoint related information
usage-mappings – Optional. Lists all devices and profiles using the meshpoint
on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays meshpoint applied to a specified device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Optional. Specify the name of AP, wireless controller, service platform, or RF Domain

• show wireless mobility-database {on <DEVICE-NAME>}

wireless – Displays wireless configuration parameters
mobility-database – Displays controller-assisted mobility database
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is recursive and common to the ‘filter <RADIO-MAC>’ parameter:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays detailed radio operation status for all or a specified radio on a specified device or RF Domain.
  • <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless mint [client|detail] {portal-candidates {<DEVICE-NAME>|filter <RADIO-MAC>}|statistics} (on <DEVICE-OR-DOMAIN-NAME>)

wireless mint [client|detail] – Displays radio MiNT-mesh related statistics
• client – Displays MiNT-mesh client related information. Use the ‘client’ option to view detailed statistics on each Mesh capable client available within the selected access point’s radio coverage area.
• detail – Displays detailed MiNT-mesh related information
portal-candidates – Displays detailed information about portal candidates for a MiNT-mesh. Mesh points connected to an external network and forwarding traffic in and out are Mesh portals. Mesh points must find paths to a portal to access the Internet. When multiple portals exist, the mesh point must select one.
Use the additional filter option to view specific portal candidate details.
statistics – This option is common to the ‘client’ and ‘detail’ keyword.
Displays MiNT-mesh client statistical data
on <DEVICE-OR-DOMAIN-NAME> – This option is common to the ‘client’ and ‘detail’ keyword.
Displays MiNT-mesh client related information on a specific device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the access point, controller, or RF Domain name.

• show wireless mint portal statistics {on <DEVICE-OR-DOMAIN-NAME>}

wireless mint – Displays radio MiNT-mesh related statistics
links – Displays MiNT-mesh links related information. MiNT links are automatically created between controllers and access points during adoption using MLCP (MiNT Link Creation Protocol). They can also be manually created between a controller and access point or between access points. MiNT links are manually created between controllers while configuring a cluster. Level 2 (or remote) MiNT links are controller-aware links and require an IP network for communication. These level 2 MiNT links at access points are intended for remote adaptive AP deployment and management from the NOC. With Level 2 MiNT links, access points are only aware of the controllers and not of other access points. Level 2 MiNT links also provide partitioning between access points deployed at various remote sites.
on <DEVICE-OR-DOMAIN-NAME> – Displays MiNT-mesh links on a specific device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the access point, controller, or RF Domain name.

• show wireless mint portal statistics {on <DEVICE-OR-DOMAIN-NAME>}

wireless mint – Displays radio MiNT-mesh related statistics
portal – Displays legacy client on MiNT-mesh portal
on <DEVICE-OR-DOMAIN-NAME> – Displays legacy client on MiNT-mesh portal on a specific device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the access point, controller, or RF Domain name.

• show wireless radio {detail} {<DEVICE-NAME> {<1-3>|filter|on}}

wireless – Displays wireless configuration parameters
radio – Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR). This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically.
A radio’s RF Mode displays as:
• 2.4GHz-wlan – If it is configured to provide 2.4 GHz WLAN service
• 5GHz-wlan – If it is configured to provide 5.0 GHz WLAN service
• bridge – If it is configured to provide client-bridge operation
detail – Optional. Displays detailed radio operation status
<DEVICE-NAME> – Optional. Displays detailed information for a specified radio. Specify the MAC address or hostname, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format.
SHOW COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide  6 - 174• show wireless radio {detail} {filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}• show wireless radio {statistics} {on <DEVICE-OR-DOMAIN-NAME>|rf {on <DEVICE-OR-DOMAIN-NAME>}}<1-3> Optional. Specify the radio interface index from 1 - 3 (if not specified as part of the radio ID)filter <RADIO-MAC> Optional. Provides additional filters• <RADIO-MAC> – Optional. Filters based on the radio MAC addresson <DEVICE-OR-DOMAIN-NAME>Optional. After specifying the radio MAC address, further refine the search by specifying a device or RF Domain.• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.wireless Displays wireless configuration parametersradio Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR). This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically.A radio’s RF Mode displays as:• 2.4GHz-wlan – If it is configured to provide 2.4 GHz WLAN service• 5GHz-wlan – If it is configured to provide 5.0 GHz WLAN service• bridge – If it is configured to provide client-bridge operationdetail Optional. Displays detailed radio operation statusfilter<RADIO-MAC>Optional. Provides additional filter options• <RADIO-MAC> – Uses MAC address to filter radioson <DEVICE-OR-DOMAIN-NAME>The following keyword is recursive and common to the ‘filter <RADIO-MAC>’ parameter:• on <DEVICE-OR-DOMAIN-NAME> – Optional. 
Displays detailed radio operation status for all or a specified radio on a specified device or RF Domain.• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless control-ler, service platform, or RF Domain.wireless Displays wireless configuration parametersradio Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and SNR. This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically.A radio’s RF Mode displays as:• 2.4GHz-wlan – If it is configured to provide 2.4 GHz WLAN service• 5GHz-wlan – If it is configured to provide 5.0 GHz WLAN service• bridge – If it is configured to provide client-bridge operationstatistics Optional. Displays radio traffic and RF statistics
SHOW COMMANDSAccess Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 175• show wireless radio {statistics} {detail|window-data} {<DEVICE-NAME>} {<1-3>|filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}• show wireless radio {tspec} {<DEVICE-NAME>|filter|on <DEVICE-OR-DOMAIN-NAME>|option}on <DEVICE-OR-DOMAIN-NAME>Optional. Displays traffic and RF related statistics on a specified device or RF Domain• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.rf {on <DEVICE-OR-DOMAIN-NAME>}Optional. Displays RF statistics on a specified device or RF Domain• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.wireless Displays wireless configuration parametersradio Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and SNR. This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically.A radio’s RF Mode displays as:• 2.4GHz-wlan – If it is configured to provide 2.4 GHz WLAN service• 5GHz-wlan – If it is configured to provide 5.0 GHz WLAN service• bridge – If it is configured to provide client-bridge operationstatistics {detail|window-data}Optional. Displays radio traffic and RF statistics. Use additional filters to view specific details. The options are: are:• detail – Displays detailed traffic and RF statistics of all radios• window-data – Displays historical data over a time window<DEVICE-NAME> The following keywords are common to the ‘detail’ and ‘window-data’ parameters:• <DEVICE-NAME> – Optional. Specify the MAC address or hostname, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format.<1-3> Optional. 
Specify the radio interface index from 1- 3, if not specified as part of the radio ID using the preceding parameter.filter <RADIO-MAC> Optional. Provides additional filters• <RADIO-MAC> – Optional. Filters based on the radio MAC addresson <DEVICE-OR-DOMAIN-NAME>Optional. After specifying the radio MAC address, further refine the search by specifying a device or RF Domain.• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.wireless Displays wireless configuration parameters
radio
Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR). This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically.
A radio’s RF Mode displays as:
• 2.4GHz-wlan – If it is configured to provide 2.4 GHz WLAN service
• 5GHz-wlan – If it is configured to provide 5.0 GHz WLAN service
• bridge – If it is configured to provide client-bridge operation

tspec
Optional. Displays TSPEC information on a radio

<DEVICE-NAME>
Optional. Specify the MAC address or hostname, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format.

filter
Optional. Provides additional filters
• <RADIO-MAC> – Optional. Filters based on the radio MAC address

on <DEVICE-OR-DOMAIN-NAME>
Optional. After specifying the radio MAC address, further refine the search by specifying a device or RF Domain.
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless regulatory [channel-info <WORD>|country-code <WORD>]

wireless
Displays wireless configuration parameters

regulatory
Displays wireless regulatory information

channel-info <WORD>
Displays channel information
• <WORD> – Specify the channel number.

country-code <WORD>
Displays country code to country name information
• <WORD> – Specify the two letter ISO-3166 country code.

• show wireless regulatory device-type [ap6521|ap6522|ap6532|ap6562|ap7131|ap7161|ap7181|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap8132|ap8163|ap82xx|ap8432|ap8533|rfs4000] <WORD>

wireless
Displays wireless configuration parameters

regulatory
Displays wireless regulatory information

device-type <DEVICE-TYPE> <WORD>
Displays wireless regulatory information based on the device type selected. Select the device type. The options are:
AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8132, AP8163, AP8232, AP8432, AP8533 and RFS4000.
After specifying the device type, specify the country code.
• <WORD> – Specify the two letter ISO-3166 country code.

• show wireless rf-domain statistics {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless
Displays wireless configuration parameters

rf-domain statistics
Displays RF Domain statistics

detail
Optional. Displays detailed RF Domain statistics

on <DEVICE-OR-DOMAIN-NAME>
The following keyword is recursive and common to the ‘detail’ parameter:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays RF Domain statistics on a specified device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless sensor-server {on <DEVICE-OR-DOMAIN-NAME>}

wireless
Displays wireless configuration parameters

sensor-server {on <DEVICE-OR-DOMAIN-NAME>}
Displays AirDefense sensor server configuration details
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays AirDefense sensor server configuration on a specified device or RF Domain

• show wireless unsanctioned aps {detailed|statistics} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless
Displays wireless configuration parameters

unsanctioned aps
Displays unauthorized APs. Use additional filters to view specific details.

detailed
Optional. Displays detailed unauthorized APs information

statistics
Optional. Displays channel statistics

on <DEVICE-OR-DOMAIN-NAME>
The following keyword is common to the ‘detailed’ and ‘statistics’ parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Specify the name of the AP, wireless controller, service platform, or RF Domain.
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wireless wips [client-blacklist|event-history] {on <DEVICE-OR-DOMAIN-NAME>}

wireless
Displays wireless configuration parameters

wips [client-blacklist|event-history]
Displays the WIPS details
• client-blacklist – Displays blacklisted clients
• event-history – Displays event history

on <DEVICE-OR-DOMAIN-NAME>
The following keyword is common to the ‘client-blacklist’ and ‘event-history’ parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays the WIPS details on a specified device or RF Domain.
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

• show wlan {detail <WLAN>|on <DEVICE-OR-DOMAIN-NAME>|policy-mappings|usage-mappings}

wireless
Displays wireless configuration parameters

wlan
Displays WLAN related information based on the parameters passed

detail <WLAN>
Optional. Displays WLAN configuration
• <WLAN> – Specify the WLAN name.

on <DEVICE-OR-DOMAIN-NAME>
Optional. Displays WLAN configuration on a specified device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.
policy-mappings
Optional. Displays WLAN policy mappings

usage-mappings
Optional. Lists all devices and profiles using the WLAN

• show wlan {config filter {device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>}}

wireless
Displays wireless configuration parameters

wlan
Displays WLAN related information based on the parameters passed

config filter
Optional. Filters WLAN information based on the device name or RF Domain

device <DEVICE-NAME>
Optional. Filters WLAN information based on the device name
• <DEVICE-NAME> – Specify the device name.

rf-domain <DOMAIN-NAME>
Optional. Filters WLAN information based on the RF Domain
• <DOMAIN-NAME> – Specify the RF Domain name.

• show wlan {statistics {<WLAN>|detail} {(on <DEVICE-OR-DOMAIN-NAME>)}}

wireless
Displays wireless configuration parameters

wlan
Displays WLAN related information based on the parameters passed

statistics {<WLAN>|detail}
Optional. Displays WLAN statistics. Use additional filters to view specific details
• <WLAN> – Optional. Displays WLAN statistics. Specify the WLAN name.
• detail – Optional. Displays detailed WLAN statistics

on <DEVICE-OR-DOMAIN-NAME>
The following keyword is common to the ‘WLAN’ and ‘detail’ parameters:
• on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays WLAN statistics on a specified device or RF Domain
• <DEVICE-OR-DOMAIN-NAME> – Specify the name of the AP, wireless controller, service platform, or RF Domain.

Usage Guidelines

The customize command enables you to customize the show > wireless command output.

rfs6000-81742D(config)#customize ?
  cdp-lldp-info-column-width                     Customize cdp-lldp-info
                                                 column width
  hostname-column-width                          Customize hostname column width
  show-adoption-offline                          Customize the output of (show
                                                 adoption offline) command
  show-adoption-status                           Customize the output of (show
                                                 adoption status) command
  show-wireless-bridge                           Customize the output of (show
                                                 wireless bridge) command
  show-wireless-bridge-hosts                     Customize the output of (show
                                                 wireless bridge hosts)
                                                 command
  show-wireless-bridge-stats                     Customize the output of (show
                                                 wireless bridge stats)
                                                 command
  show-wireless-bridge-stats-rf                  Customize the output of (show
                                                 wireless bridge stats rf)
                                                 command
  show-wireless-bridge-stats-traffic             Customize the output of (show
                                                 wireless bridge stats)
                                                 command
  show-wireless-client                           Customize the output of (show
                                                 wireless client) command
  show-wireless-client-stats                     Customize the output of (show
                                                 wireless client stats) command
  show-wireless-client-stats-rf                  Customize the output of (show
                                                 wireless client stats rf)
  show-wireless-legacy-mesh-client-stats         Customize the output of (show
                                                 wireless mint client stats)
                                                 command
  show-wireless-meshpoint                        Customize the output of (show
                                                 wireless meshpoint) command
  show-wireless-meshpoint-accelerated-multicast  Customize the output of (show
                                                 wireless meshpoint
                                                 accelerated-multicast)
                                                 command
  show-wireless-meshpoint-neighbor-stats         Customize the output of (show
                                                 wireless meshpoint neighbor
                                                 stats) command
  show-wireless-meshpoint-neighbor-stats-rf      Customize the output of (show
                                                 wireless meshpoint neighbor stats
                                                 rf) command
  show-wireless-mint-client                      Customize the output of (show
                                                 wireless mint client)
  show-wireless-mint-client-stats                Customize the output of (show
                                                 wireless mint client stats)
                                                 command
  show-wireless-mint-client-stats-rf             Customize the output of (show
                                                 wireless mint client stats
                                                 rf) command
  show-wireless-mint-portal                      Customize the output of (show
                                                 wireless mint portal)
  show-wireless-mint-portal-stats                Customize the output of (show
                                                 wireless mint portal stats)
                                                 command
  show-wireless-mint-portal-stats-rf             Customize the output of (show
                                                 wireless mint portal stats
                                                 rf) command
  show-wireless-radio                            Customize the output of (show
                                                 wireless radio) command
  show-wireless-radio-stats                      Customize the output of (show
                                                 wireless radio stats) command
  show-wireless-radio-stats-rf                   Customize the output of (show
                                                 wireless radio stats rf) command
rfs6000-81742D(config)#

The default setting for the show > wireless > client command is as follows:

rfs6000-81742D(config)#show wireless client
---------------------------------------------------------------------------------------
MAC           IPv4    VENDOR             RADIO-ID             WLAN                 VLAN         STATE
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
Total number of wireless clients displayed: 0
rfs6000-81742D(config)#

The above output can be customized, using the customize > show-wireless-client command, as follows:

rfs6000-81742D(config)#customize show-wireless-client mac ip vendor vlan radio-id state wlan location radio-alias radio-type
rfs6000-81742D(config)#commit
rfs6000-81742D(config)#show wireless client
------------------------------------------------------------------------------------------------------------------------------------------------------------------
MAC                IP    VENDOR             VLAN  RADIO-ID             STATE WLAN                 AP-LOCATION     RADIO                RADIO-TYPE
------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total number of wireless clients displayed: 0
rfs6000-81742D(config)#

Example

nx9500-6C8809(config)#show wireless wlan config
--------------------------------------------------------------------------------
  NAME   ENABLE   SSID   ENCRYPTION   AUTHENTICATION   VLAN     BRIDGING MODE
--------------------------------------------------------------------------------
  test   Y        test   wep64        none             1      local
--------------------------------------------------------------------------------
nx9500-6C8809(config)#

nx9500-6C8809(config)#show wireless wips client-blacklist
No wireless clients blacklisted
nx9500-6C8809(config)#

rfs6000-81742D#show wireless regulatory channel-info 36
Center frequency for channel 36 is 5180MHz
rfs6000-81742D#

nx9500-6C8809(config)#show wireless regulatory country-code
--------------------------------------------------------------------------------
            ISO CODE                                  NAME
--------------------------------------------------------------------------------
  gt                             Guatemala
  co                             Colombia
  cn                             China
  cm                             Cameroon
  cl                             Chile
--More--
nx9500-6C8809(config)#

nx9500-6C8809(config)#show wireless regulatory device-type ap7502 us
----------------------------------------------------------------------------------------------------
  #  Channel Set Power(mW) Power (dBm)    Placement          DFS       CAC(mins)        TPC
----------------------------------------------------------------------------------------------------
  1   1-11        4000      36          Indoor/Outdoor   NA             NA        NA
  2   36-48       4000      36          Indoor/Outdoor   Not Required   0         Not Required
  3   52-64       500       27          Indoor/Outdoor   Required       1         Not Required
  4   52-64       1000      30          Indoor/Outdoor   Required       1         Required
  5   100-140     500       27          Indoor/Outdoor   Required       1         Not Required
  6   100-140     1000      30          Indoor/Outdoor   Required       1         Required
  7   149-165     4000      36          Indoor/Outdoor   Not Required   0         Not Required
----------------------------------------------------------------------------------------------------
nx9500-6C8809(config)#
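
The show wireless wlan config example above lists a WLAN that uses wep64 encryption with no authentication. The following is an added example, not part of the Extreme Networks manual: it parses captured output of that command and flags WLANs whose ENCRYPTION column is WEP or open. The sample rows other than the manual's "test" row, the "none" encryption value, the "tunnel" bridging mode and all function names are assumptions made for illustration.

```python
"""Audit `show wireless wlan config` output for weak WLAN encryption (added example)."""
import re
from typing import NamedTuple

# Column order taken from the header row of the manual's sample output.
HEADER = ("NAME", "ENABLE", "SSID", "ENCRYPTION", "AUTHENTICATION", "VLAN", "BRIDGING MODE")

# Constructed capture: the first data row is the manual's own sample row,
# every other row is invented for this example.
SAMPLE_OUTPUT = """\
nx9500-6C8809(config)#show wireless wlan config
--------------------------------------------------------------------------------
  NAME   ENABLE   SSID   ENCRYPTION   AUTHENTICATION   VLAN     BRIDGING MODE
--------------------------------------------------------------------------------
  test   Y        test   wep64        none             1      local
  corp   Y        Corp Net   ccmp     eap              20     local
  lab    N        lab    wep64        none             30     local
  guest  Y        guest  none         none             40     tunnel
--More--
  broken row
--------------------------------------------------------------------------------
nx9500-6C8809(config)#
"""


class Wlan(NamedTuple):
    name: str
    enable: str
    ssid: str
    encryption: str
    authentication: str
    vlan: str
    bridging_mode: str


_RULE = re.compile(r"^-{5,}$")      # horizontal rule between table sections
_PROMPT = re.compile(r"^\S+[#>]")   # device prompt at column 0, with or without a command
_SPLIT = re.compile(r"\s{2,}")      # columns are separated by two or more spaces


def parse_wlan_config(text):
    """Return (wlans, unparsed_lines).

    Data rows do not line up with the header columns, so fields are split on
    runs of two or more spaces. Rows without exactly seven fields are returned
    in unparsed_lines for manual review instead of being guessed at.
    """
    wlans, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--" or _RULE.match(line) or _PROMPT.match(raw):
            continue
        fields = tuple(_SPLIT.split(line))
        if fields == HEADER:
            continue
        if len(fields) != len(HEADER):
            unparsed.append(raw)
            continue
        wlans.append(Wlan(*fields))
    return wlans, unparsed


def classify(encryption):
    """Map an ENCRYPTION value to a finding, or None when no rule here applies."""
    enc = encryption.lower()
    if enc.startswith("wep"):
        return "weak: WEP is cryptographically broken"
    if enc == "none":  # assumed spelling for a WLAN without encryption
        return "open: no link-layer encryption"
    return None


def audit(text):
    """Return (findings, unparsed_lines); enabled WLANs are listed first."""
    wlans, unparsed = parse_wlan_config(text)
    findings = []
    for w in wlans:
        reason = classify(w.encryption)
        if reason:
            findings.append({
                "wlan": w.name,
                "ssid": w.ssid,
                "vlan": w.vlan,
                "enabled": w.enable.upper() == "Y",
                "encryption": w.encryption,
                "reason": reason,
            })
    findings.sort(key=lambda f: (not f["enabled"], f["wlan"]))
    return findings, unparsed


if __name__ == "__main__":
    found, skipped = audit(SAMPLE_OUTPUT)
    for f in found:
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['wlan']} (ssid={f['ssid']!r}, vlan={f['vlan']}, {state}): "
              f"{f['encryption']} -> {f['reason']}")
    for line in skipped:
        print(f"could not parse, review manually: {line!r}")
```

Lines the parser cannot split into seven fields are reported rather than dropped, so a truncated or wrapped capture does not silently hide a WLAN from the audit.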
rfs6000-81742D#show wire ap detail
AP: 84-24-8D-84-A2-24
 AP Name              : ap7562-84A224
 Location             : Bangalore
 RF-Domain            : TechPubs
 Type                 : ap7562
 Model                : AP-7562-67040-US
 IP                   : 192.168.13.29
 IPv6                 : ::
 Num of radios        : 2
 Num of clients       : 0
 Last Smart-RF time   : not done
 Stats update mode    : auto
 Stats interval       : 30
 Radio Modes          :
     radio-1          : wlan
     radio-2          : wlan
 Country-code         : not-set
 Site-Survivable      : True
 Last error           : in [India] not supported on hardware model AP-7562-67040-US
 Fault Detected       : False
 Power management information for ap7562:
--More--
rfs6000-81742D#

nx9500-6C8809#show wireless ap load-balancing on rfs6000-81742D
  Column Name Reference:
  Ap-Ld             : Load of the AP as reported by it.
  Avg-Ld            : Average AP load in the AP's neighborhood.
  2.4g-Ld           : 2.4GHz band load in the AP's neighborhood.
  5g-Ld             : 5GHz band load in the AP's neighborhood.
  Ap-2.4g-Ch-Ld     : Load in the AP's 2.4GHz channel in its neighborhood.
  Avg-2.4g-Ch-Ld    : Average load of a 2.4GHz channel in AP's neighborhood.
  Ap-5g-Ch-Ld       : Load in the AP's 5GHz channel in its neighborhood.
  Avg-5g-Ch-Ld      : Average load of a 5GHz channel in AP's neighborhood.
  Allow-2.4g-Req    : AP responds to client requests on 2.4ghz radio
  Allow-5g-Req      : AP responds to client requests on 5ghz radio
--------------------------------------------------------------------------------------------------------------------------------
  No.      Ap-Name            Ap-     Avg-    2.4g-   5g-     Band    Cfgd-   Ap-     Ap-     Avg-    Avg-    Allow    Allow
                              Load    Load    Load    Load    Ratio   Band    2.4g-   5g-     2.4g-   5g-     2.4g-    5g-
                                                                      Ratio   Ch-Ld   Ch-Ld   Ch-Ld   Ch-Ld   Req      Req
--------------------------------------------------------------------------------------------------------------------------------
  1        rfs6000-81742D     0%      0%      0%      0%      0:0     0:1     182%    240%    0%      70%     yes     yes
--------------------------------------------------------------------------------------------------------------------------------
nx9500-6C8809#

nx9600-7F5124#show wireless meshpoint tree on PTP-AP
In progress .......
1:PTP-Radio2 [7 MPs(2 roots, 5 bound)]
|-ap7562-84A484-ROOT1
| |-ap7562-84A2CC-VMM
| |-ap7532-80C28C-NR
| |-ap7532-82CCA4-NR
| |-ap7562-84A22C-NR2
| |-ap7532-160114
|-ap7562-84A280-ROOT2
Total number of meshes displayed: 1
nx9600-7F5124#

ap6532-000001#show wireless meshpoint multicast detail
Multicast Paths @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]
--------------------------------------------------------------------------------
      Group-Addr      Subscriber Name    Subscriber MPID     Timeout (mSecs)
--------------------------------------------------------------------------------
01-00-5E-01-01-01   ap6532-000001     00-23-68-2E-64-B2   N/A
--------------------------------------------------------------------------------
Total number of meshpoint displayed: 1
ap6532-000001#

ap6532-000001#show wireless meshpoint neighbor detail
Neighbors @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Neighbor Name          Neighbor MPID.IFID         Root Name     Root MPID     RMet Hops  Type      Interface       Auth-State Resourced Rank LQ% LMet Age
-----------------------------------------------------------------------------------------------------------------------------------------------------------
               5C-0E-8B-21-76-22.5C-0E-8B-21-74-40           00-23-68-2E-97-60 115  1    Fixed 00-23-68-00-00-01:R2 Enabled    Yes       0    97  87   20
               00-23-68-30-F7-82.00-23-68-30-F8-F0           00-23-68-2E-97-60 99   1    Fixed 00-23-68-00-00-01:R2 Init       Yes       0    97  86   30
               00-23-68-30-F7-82.00-23-68-30-F7-82           00-23-68-2E-97-60 99   1    Fixed 00-23-68-00-00-01:R1 Enabled    Yes       0    96  94   0
               5C-0E-8B-21-76-22.5C-0E-8B-21-76-22           00-23-68-2E-97-60 115  1    Fixed 00-23-68-00-00-01:R1 Enabled    Yes       0    96  93   30
               00-23-68-2E-AB-50.00-23-68-2E-AB-50           00-23-68-2E-AB-50 0    0    Root  00-23-68-00-00-01:R2 Enabled    Yes       7    96  87   40
               00-23-68-2E-97-60.00-23-68-2E-97-60           00-23-68-2E-97-60 0    0    Root  00-23-68-00-00-01:R2 Enabled    Yes       8    94  90   10
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Total number of meshpoint displayed: 1
ap6532-000001#

ap6532-000001#show wireless meshpoint proxy detail
Proxies @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]
--------------------------------------------------------------------------------
  Destination Addr   Owner Name      Owner MPID     Persist  VLAN      Age
--------------------------------------------------------------------------------
00-23-68-00-00-01 ap6532-000001 00-23-68-2E-64-B2 Permanent 101  180654310
00-1E-E5-A6-66-E2 ap6532-000001 00-23-68-2E-64-B2 Untimed   103  231920
--------------------------------------------------------------------------------
Total number of meshpoint displayed: 1
ap6532-000001#

ap6532-000001#show wireless meshpoint multicast mesh1
Multicast Paths @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]
--------------------------------------------------------------------------------
      Group-Addr      Subscriber Name    Subscriber MPID     Timeout (mSecs)
--------------------------------------------------------------------------------
01-00-5E-01-01-01   ap6532-000001     00-23-68-2E-64-B2   -1
--------------------------------------------------------------------------------
Total number of meshpoint displayed: 1
ap6532-000001#
ap6532-000001#show wireless meshpoint path detail
Paths @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]
-------------------------------------------------------------------------------------------------------------------------------------------------
Destination Name  Destination Addr Next Hop Name   Next Hop IFID   State Hops Type Binding Metric Timeout Path-Timeout Sequence     MiNT ID
-------------------------------------------------------------------------------------------------------------------------------------------------
                  00-23-68-2E-AB-50               00-23-68-2E-AB-50 Valid 1    Root Bound   89     8730    0            23847    68.31.19.58
                  00-23-68-2E-97-60               00-23-68-2E-97-60 Valid 1    Root Unbound 92     5200    0            3481     68.31.1A.80
-------------------------------------------------------------------------------------------------------------------------------------------------
ap6532-000001#

rfs4000-22A24E#show wireless client
-----------------------------------------------------------------------------------------------------------------
Report start on RF-Domain: qs1
MAC                         IP    VENDOR             RADIO-ID             WLAN                 VLAN     STATE
-----------------------------------------------------------------------------------------------------------------
Report end on RF-Domain: qs1
-----------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------
Report start on RF-Domain: Store-1
MAC                         IP    VENDOR             RADIO-ID             WLAN                 VLAN         STATE
-----------------------------------------------------------------------------------------------------------------
00-01-02-03-04-10        2.3.4.16 3Com Corp          00-01-02-03-04-00:R1 sim-wlan-1           1       Data-Ready
00-01-02-03-05-10        2.3.5.16 3Com Corp          00-01-02-03-04-00:R2 sim-wlan-1           1       Data-Ready
Report end on RF-Domain: Store-1
-----------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------
Report start on RF-Domain: default
  database not available
Report end on RF-Domain: default
-----------------------------------------------------------------------------------------------------------------
Total number of clients displayed: 2
rfs4000-22A24E#

The following examples show client-bridge related information:

NX9500(config)#show adoption status
---------------------------------------------------------------------------------------
DEVICE-NAME      VERSION    CFG-STAT  MSGS  ADOPTED-BY  LAST-ADOPTION      UPTIME
---------------------------------------------------------------------------------------
ap6562-167598 5.9.1.0-017DB  configured   No    NX9500  0 days 00:01:59  0 days 00:03:22
---------------------------------------------------------------------------------------
Total number of devices displayed: 1
NX9500(config)#

NX9500(config)#show wireless bridge on ap6562-167598
-------------------------------------------------------------------------------------------------
LOCAL RADIO       LOCAL BSSID      SELECTED AP    RF-BAND CHANNEL STATE    UP TIME      ACTIVITY (sec ago)
-------------------------------------------------------------------------------------------------
ap6562-167598:R2 FC-0A-81-16-69-50  B4-C7-99-CA-A1-F0 5GHz   104  Selected 0 days 00:01:55   00:00:00
-------------------------------------------------------------------------------------------------
Total number of radios displayed: 1
NX9500(config)#

NX9500(config)#show wireless bridge config
--------------------------------------------------------------------------------------------------------------------------------------------
 IDX       NAME              MAC             PROFILE       RF-DOMAIN    SSID        BAND      ENCRYPTION   AUTHENTICATION    EAP-USERNAME
--------------------------------------------------------------------------------------------------------------------------------------------
  1   ap6562-167598   FC-0A-81-16-75-98   default-ap6562   default     inf_ap   2.4GHz/5GHz   ccmp         eap              hoabeo
--------------------------------------------------------------------------------------------------------------------------------------------
NX9500(config)#

NX9500(config)#show wireless bridge hosts
-----------------------------------------------------------------------------
HOST MAC             BRIDGE MAC         IP             BRIDGING STATUS ACTIVITY
                                                                   (sec ago)
-----------------------------------------------------------------------------
FC-0A-81-16-75-98    FC-0A-81-16-69-50 172.16.34.55    UP           00:00:00
-----------------------------------------------------------------------------
Total number of hosts displayed: 1
NX9500(config)#

NX9500(config)#show wireless bridge statistics
---------------------------------------------------------------------------------------
LOCAL RADIO           CONNECTED AP     SIGNAL   SNR TX-RATE RX-RATE     Tx      Rx  RETRY
                                       (dbm)    db  (Mbps)  (Mbps)     bps     bps   AVG
---------------------------------------------------------------------------------------
ap6562-167598:R2     B4-C7-99-CA-A1-F0   -52    50      53      36     1 k     3 k    10
---------------------------------------------------------------------------------------
Total number of radios displayed: 1
NX9500(config)#

NX9500(config)#show wireless bridge candidate-ap on ap6562-167598
 Client Bridge Candidate APs:
  AP-MAC             BAND    CHANNEL SIGNAL(dbm) STATUS
  B4-C7-99-CA-A1-F0  5 GHz   104     -39         selected
Total number of candidates displayed: 1
NX9500(config)#

NX9500(config)#show wireless bridge certificate status on ap6562-167598
Certificate Last Updated Status: Thu Jul 23 11:41:40 2017
NX9500(config)#

6.1.77 wwan

Displays wireless WAN status

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show wwan [configuration|status] {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
• show wwan [configuration|status] {on <DEVICE-OR-DOMAIN-NAME>}

wwan – Displays wireless WAN configuration and status details
configuration – Displays wireless WAN configuration information
status – Displays wireless WAN status information
on <DEVICE-OR-DOMAIN-NAME> – The following keyword is common to the ‘configuration’ and ‘status’ parameters:
  • on <DEVICE-OR-DOMAIN-NAME> – Optional. Displays configuration or status details on a specified device or RF Domain
    <DEVICE-OR-DOMAIN-NAME> – Specify the AP, wireless controller, service platform, or RF Domain name.

Example
rfs4000-229D58(config-device-00-23-68-22-9D-58)#show wwan configuration
>>> WWAN Configuration:
+-------------------------------------------
|  Access Port Name : isp.cingular
|  User Name        : testuser
|  Cryptomap        : map1
+-------------------------------------------
rfs4000-229D58(config-device-00-23-68-22-9D-58)#

rfs4000-229D58(config-device-00-23-68-22-9D-58)#show wwan status
>>> WWAN Status:
+-------------------------------------------
|  State : ACTIVE
|  DNS1  : 209.183.54.151
|  DNS2  : 209.183.54.151
+-------------------------------------------
rfs4000-229D58(config-device-00-23-68-22-9D-58)#

6.1.78 virtual-machine

Displays the virtual-machine (VM) configuration, logs, and statistics

Supported in the following platforms:
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
show virtual-machine [configuration|debugging|export|statistics]
show virtual-machine [configuration|statistics] {<VM-NAME>|team-urc|team-rls|team-vowlan} {(on <DEVICE-NAME>)}
show virtual-machine debugging {level|on}
show virtual-machine debugging {level [debug|error|info|warning]} {on <DEVICE-NAME>}
show virtual-machine export <VM-NAME> {on <DEVICE-NAME>}
show virtual-machine [configuration|statistics] {<VM-NAME>|adsp|team-cmt}

Parameters
• show virtual-machine [configuration|statistics] {<VM-NAME>|team-urc|team-rls|team-vowlan} {(on <DEVICE-NAME>)}

virtual-machine – Displays the following VM-related information: configuration or statistics
configuration – Displays detailed VM configuration
statistics – Displays VM statistics
[<VM-NAME>|team-urc|team-rls|team-vowlan] – The following keywords are common to the ‘configuration’ and ‘statistics’ parameters:
  • <VM-NAME> – Optional. Displays VM configuration or statistics for the virtual machine identified by the <VM-NAME> keyword. Specify the VM name.
  • team-urc – Optional. Displays TEAM-URC (IP-PBX) VM configuration/statistics
  • team-rls – Optional. Displays TEAM-RLS (Radio Link Server) VM configuration/statistics
  • team-vowlan – Optional. Displays TEAM-VoWLAN (Voice over WLAN) VM configuration/statistics
on <DEVICE-NAME> – Optional. Specifies the name of the device on which the command is executed
  • <DEVICE-NAME> – Specify the name of the service platform.

• show virtual-machine [configuration|statistics] {<VM-NAME>|adsp|team-cmt} {(on <DEVICE-NAME>)}

virtual-machine – Displays the following VM-related information: configuration or statistics
configuration – Displays detailed VM configuration
statistics – Displays VM statistics
[<VM-NAME>|adsp|team-cmt] – The following keywords are common to the ‘configuration’ and ‘statistics’ parameters:
  • <VM-NAME> – Optional. Displays VM configuration or statistics for the virtual machine identified by the <VM-NAME> keyword. Specify the VM name.
  • adsp – Optional. Displays Air-Defense Services Platform (ADSP) VM configuration/statistics
  • team-cmt – Optional. Displays TEAM-CMT VM configuration/statistics
  These keywords are specific to the NX9500 and NX9510 service platforms.
on <DEVICE-NAME> – Optional. Specifies the name of the device on which the command is executed
  • <DEVICE-NAME> – Specify the name of the service platform.

• show virtual-machine debugging {level [debug|error|info|warning]} {on <DEVICE-NAME>}

virtual-machine – Displays the following VM-related information: configuration or statistics
debugging – Displays VM logs
level [debug|error|info|warning] – Optional. Displays VM logs based on the level selected. The available options are:
  • debug – Displays VM logs of level debug and above
  • error – Displays VM logs of level error
  • info – Displays VM logs of level Info and above
  • warning – Displays logs of level warning and above
  The NX9500 and NX9510 series service platforms will display ADSP and TEAM-CMT VM debugging logs.
on <DEVICE-NAME> – Optional. Specifies the name of the device on which the command is executed
  • <DEVICE-NAME> – Specify the name of the service platform.

• show virtual-machine export <VM-NAME> {on <DEVICE-NAME>}

virtual-machine – Displays the following VM-related information: configuration or statistics
export – Displays VM configuration export related information
<VM-NAME> – Displays VM configuration export related information for the virtual machine identified by the <VM-NAME> keyword. Specify the VM name.
  The NX9500 and NX9510 series service platforms will display ADSP and TEAM-CMT VM configuration export information
on <DEVICE-NAME> – Optional. Specifies the name of the device on which the command is executed
  • <DEVICE-NAME> – Specify the name of the service platform.

Example
nx9500-6C874D#show virtual-machine statistics
--------------------------------------------------------------------------------
       NAME         STATE   VCPUS MEM (MB)    BRIDGE-IF             IP
--------------------------------------------------------------------------------
  WiNG             -         -     18432    -               -
  adsp             Halted    -     -        unknown         -
  team-cmt         Halted    -     -        unknown         -
--------------------------------------------------------------------------------
nx9500-6C874D#

nx9500-6C874D#show virtual-machine configuration
--------------------------------------------------------------------------------
           NAME               AUTOSTART         MEMORY(MB)          VCPUS
--------------------------------------------------------------------------------
  WiNG                     -                 18432              -
  adsp                     ignore            12000              12
  team-cmt                 ignore            1024               1
--------------------------------------------------------------------------------
nx9500-6C874D#

nx9500-6C874D>show virtual-machine statistics adsp
 VM name: adsp
 Base Version    : unknown
 Install Status  : not_installed
nx9500-6C874D>

6.1.79 raid

Displays Redundant Array of Independent Disks (RAID) related information, such as array status, consistency check status, and RAID log. Use this command to assess the RAID array’s drive utilization and whether the drives are currently online. Since there is only one RAID array controller reporting status to the service platform, it is important to know if other drives house hot spare drives as additional resources should one of the dedicated drives fail. This command also displays whether a physical slot within the RAID array has a drive installed, and whether the drive is currently online.

Supported in the following platforms:
• Service Platforms — NX9500

Syntax
show raid {on <DEVICE-NAME>}

Parameters
• show raid {on <DEVICE-NAME>}

raid – Displays the RAID array status and statistics
on <DEVICE-NAME> – Optional. Displays RAID status and statistics on a specified device
  • <DEVICE-NAME> – Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C874D(config)#show raid
Logical drive info:
 Size 930 GB, State optimal
 Alarm enabled
 Last check: Sat Aug 10 02:56:54 2013
 Last check result: ending
Physical drive info:
Drive  0: online
Drive  1: online
Drive  2: not-installed
Drive  3: not-installed
Drive  4: not-installed
nx9500-6C874D(config)#
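
The following Python check is an added example, not part of the Extreme Networks guide. It parses show raid output of the form shown above and reports the conditions the description calls out: array state, alarm setting, drives that are not online, and whether a spare drive is installed. The strings optimal, enabled, online and not-installed come from this page's sample; the fault sample, its status strings, and the two-drive minimum are assumptions.

```python
import re

# Status strings that appear in this page's sample output.
EXPECTED_STATE = "optimal"
EXPECTED_ALARM = "enabled"
KNOWN_DRIVE_STATUS = {"online", "not-installed"}

# Output copied from the "show raid" example on this page.
PAGE_SAMPLE = """\
nx9500-6C874D(config)#show raid
Logical drive info:
 Size 930 GB, State optimal
 Alarm enabled
 Last check: Sat Aug 10 02:56:54 2013
 Last check result: ending
Physical drive info:
Drive  0: online
Drive  1: online
Drive  2: not-installed
Drive  3: not-installed
Drive  4: not-installed
nx9500-6C874D(config)#
"""

# Constructed sample. "degraded", "disabled" and "failed" are assumed strings,
# not values documented on this page.
CONSTRUCTED_FAULT_SAMPLE = """\
Logical drive info:
 Size 930 GB, State degraded
 Alarm disabled
 Last check: Sat Aug 10 02:56:54 2013
 Last check result: ending
Physical drive info:
Drive  0: online
Drive  1: failed
Drive  2: not-installed
Drive  3: not-installed
Drive  4: not-installed
"""


def parse_show_raid(text):
    """Extract array state, alarm setting and per-slot drive status."""
    state = re.search(r"\bState\s+(\S+)", text)
    alarm = re.search(r"\bAlarm\s+(\S+)", text)
    result = re.search(r"Last check result:\s*(\S+)", text)
    drives = {
        int(slot): status
        for slot, status in re.findall(r"\bDrive\s+(\d+):\s*(\S+)", text)
    }
    return {
        "state": state.group(1) if state else None,
        "alarm": alarm.group(1) if alarm else None,
        "last_check_result": result.group(1) if result else None,
        "drives": drives,
    }


def audit_raid(report, min_online=2):
    """Return (ok, findings); findings are (severity, message) tuples.

    min_online=2 is an assumption that matches the two online drives in the
    page's sample. Missing fields (for example, unparsable output) raise
    alerts instead of passing silently.
    """
    findings = []
    if report["state"] != EXPECTED_STATE:
        findings.append(("alert", f"logical drive state is {report['state']!r}, "
                                  f"expected {EXPECTED_STATE!r}"))
    if report["alarm"] != EXPECTED_ALARM:
        findings.append(("alert", f"array alarm is {report['alarm']!r}, "
                                  f"expected {EXPECTED_ALARM!r}"))
    for slot, status in sorted(report["drives"].items()):
        if status not in KNOWN_DRIVE_STATUS:
            findings.append(("alert", f"drive {slot} reports status {status!r}"))
    online = [s for s, st in report["drives"].items() if st == "online"]
    if len(online) < min_online:
        findings.append(("alert", f"{len(online)} drive(s) online, "
                                  f"need at least {min_online}"))
    installed = [s for s, st in report["drives"].items() if st != "not-installed"]
    if len(installed) <= min_online:
        findings.append(("info", "no drive installed beyond the array members, "
                                 "so no hot spare is available"))
    ok = not any(severity == "alert" for severity, _ in findings)
    return ok, findings


if __name__ == "__main__":
    for name, sample in (("page sample", PAGE_SAMPLE),
                         ("constructed fault sample", CONSTRUCTED_FAULT_SAMPLE)):
        ok, findings = audit_raid(parse_show_raid(sample))
        print(f"{name}: {'OK' if ok else 'ATTENTION'}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```
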

7 PROFILES

Profiles enable administrators to assign a common set of configuration parameters, policies, and WLANs to service platforms, controllers, and access points across a large, multi-segment site. The configuration parameters within a profile are based on the hardware model the profile was created to support.

The service platforms, wireless controllers, and access points support both default and user-defined profiles. Each default and user-defined profile contains policies and configurations that are applied to devices assigned to the profile. Changes made to these configurations are automatically inherited by the devices. The central benefit of a profile is its ability to update devices collectively without having to modify individual device configurations.

Default profiles are system maintained and are automatically applied to service platforms and wireless controllers. The default AP profile is automatically applied to an AP (discovered by a wireless controller or service platform), unless an AP auto-provisioning policy is defined specifically to assign APs to a user-defined profile. After adoption, changes made to a profile’s parameters are reflected across all devices using the profile. Default profiles are ideal for single site deployments where service platforms, wireless controllers, and access points share a common configuration.

User-defined profiles, on the other hand, are manually created for each supported service platform, wireless controller, and access point model. User-defined profiles are recommended for larger deployments using centralized controllers and service platforms when groups of devices on different floors, buildings or sites share a common configuration. These user-defined profiles can be assigned manually, or automatically through an auto provisioning policy. An auto provisioning policy provides the means to assign profiles to access points based on model, serial number, VLAN ID, DHCP options, IP address (subnet) and MAC address. For more information, see AUTO-PROVISIONING-POLICY.

Each default and user-defined profile contains policies and configuration parameters. A user-defined profile can be created for each of the following device types:
• AP6521 – Adds an AP6521 access point profile
• AP6522 – Adds an AP6522 access point profile
• AP6532 – Adds an AP6532 access point profile
• AP6562 – Adds an AP6562 access point profile
• AP7161 – Adds an AP7161 access point profile
• AP7502 – Adds an AP7502 access point profile
• AP7522 – Adds an AP7522 access point profile
• AP7532 – Adds an AP7532 access point profile
• AP7562 – Adds an AP7562 access point profile
• AP7602 – Adds an AP7602 access point profile
• AP7612 – Adds an AP7612 access point profile
• AP7622 – Adds an AP7622 access point profile
• AP7632 – Adds an AP7632 access point profile
• AP7662 – Adds an AP7662 access point profile
• AP81XX – Adds an AP81XX access point profile supporting the AP8132 and AP8163 models
• AP8232 – Adds an AP8232 access point profile
• AP8432 – Adds an AP8432 access point profile
• AP8533 – Adds an AP8533 access point profile
• EX3524 – Adds an EX3524 wireless controller profile
• EX3548 – Adds an EX3548 wireless controller profile
• RFS4000 – Adds an RFS4000 wireless controller profile
• RFS6000 – Adds an RFS6000 wireless controller profile
• NX5500 – Adds an NX5500 wireless controller profile
• NX7500 – Adds an NX75XX series service platform profile supporting the NX7510, NX7520, and NX7530 models
• NX9000 – Adds an NX95XX series service platform profile supporting the NX9500 and NX9510 models
• NX9600 – Adds an NX96XX series service platform profile supporting the NX9600 and NX9610 models. Supported only on an NX96XX model device.
• VX9000 – Adds a VX9000 wireless controller profile
• T5 – Adds a T5 controller profile

Although profiles assign a common set of configuration parameters across devices, individual devices can still be assigned unique configuration parameters that follow the flat configuration model. As individual device updates are made, these devices no longer share the profile-based configuration they originally supported. Therefore, changes made to a profile are not automatically inherited by devices that have had their configuration customized. These devices require careful administration, as they cannot be tracked as profile members. Their customized configurations overwrite their profile configurations until the profile is re-applied.

This chapter is organized into the following topics:
• Profile Config Commands
• Device Config Commands
• T5 Profile Config Commands
• EX3524 & EX3548 Profile/Device Config Commands

To view the list of device profiles supported, use the following command:

<DEVICE>(config)#profile ?
  anyap       Any access point profile
  ap650       AP650 access point profile
  ap6511      AP6511 access point profile
  ap6521      AP6521 access point profile
  ap6522      AP6522 access point profile
  ap6532      AP6532 access point profile
  ap6562      AP6562 access point profile
  ap71xx      AP7161 access point profile
  ap7502      AP7502 access point profile
  ap7522      AP7522 access point profile
  ap7532      AP7532 access point profile
  ap7562      AP7562 access point profile
  ap81xx      AP81XX access point profile
  ap82xx      AP8232 access point profile
  ap8432      AP8432 access point profile
  ap8533      AP8533 access point profile
  containing  Specify profiles that contain a sub-string in the profile name
  ex3524      EX3524 wireless controller profile
  ex3548      EX3548 wireless controller profile
  filter      Specify addition selection filter
  nx5500      NX5500 wireless controller profile
  nx75xx      NX75XX wireless controller profile
  nx9000      NX9000 wireless controller profile
  nx9600      NX9600 wireless controller profile
  rfs4000     RFS4000 wireless controller profile
  rfs6000     RFS6000 wireless controller profile
  rfs7000     RFS7000 wireless controller profile
  t5          T5 wireless controller profile
  vx9000      VX9000 wireless controller profile
<DEVICE>(config)#

NOTE: A T5 profile can be created only on the following platforms: RFS4000, RFS6000, NX9500, NX9510, and NX9600.

NOTE: The commands present under ‘Profiles’ are also available under the ‘Device mode’. The additional commands specific to the ‘Device mode’ are listed separately.

rfs6000-37FABE(config)#profile rfs6000 default-rfs6000
rfs6000-37FABE(config-profile-default-rfs6000)#

rfs6000-37FABE(config)#profile ap71xx default-ap71xx
rfs6000-37FABE(config-profile-default-ap71xx)#

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#

<DEVICE>(config-profile-<PROFILE-NAME>)#?
Profile Mode commands:
  adopter-auto-provisioning-policy-lookup  Use centralized auto-provisioning
                                           policy when adopted by another
                                           controller
  adoption                                 Adoption configuration
  adoption-mode                            Configure the adoption mode for the
                                           access-points in this RF-Domain
  alias                                    Alias
  application-policy                       Application Poicy configuration
  area                                     Set name of area where the system
                                           is located
  arp                                      Address Resolution Protocol (ARP)
  auto-learn                               Auto learning
  autogen-uniqueid                         Autogenerate a unique id
  autoinstall                              Autoinstall settings
  bridge                                   Ethernet bridge
  captive-portal                           Captive portal
  cdp                                      Cisco Discovery Protocol
  cluster                                  Cluster configuration
  configuration-persistence                Enable persistence of configuration
                                           across reloads (startup config
                                           file)
  controller                               WLAN controller configuration
  critical-resource                        Critical Resource
  crypto                                   Encryption related commands
  database                                 Database command
  device-onboard                           Device-onboarding configuration
  device-upgrade                           Device firmware upgrade
  diag                                     Diagnosis of packets
  dot1x                                    802.1X
  dpi                                      Enable Deep-Packet-Inspection
                                           (Application Assurance)
  dscp-mapping                             Configure IP DSCP to 802.1p
                                           priority mapping for untagged
                                           frames
  eguest-server                            Enable ExtremeGuest Server
                                           functionality
  email-notification                       Email notification configuration
  enforce-version                          Check the firmware versions of
                                           devices before interoperating
  environmental-sensor                     Environmental Sensors Configuration
  events                                   System event messages
  export                                   Export a file
  file-sync                                File sync between controller and
                                           adoptees
  floor                                    Set the floor within a area where
                                           the system is located
  gre                                      GRE protocol
  http-analyze                             Specify HTTP-Analysis configuration
  interface                                Select an interface to configure
  ip                                       Internet Protocol (IP)
  ipv6                                     Internet Protocol version 6 (IPv6)
  l2tpv3                                   L2tpv3 protocol
  l3e-lite-table                           L3e lite Table
  led                                      Turn LEDs on/off on the device
  led-timeout                              Configure the time for the led to
                                           turn off after the last radio state
                                           change
  legacy-auto-downgrade                    Enable device firmware to auto
                                           downgrade when other legacy devices
                                           are detected
  legacy-auto-update                       Auto upgrade of legacy devices
  lldp                                     Link Layer Discovery Protocol
  load-balancing                           Configure load balancing parameter
  logging                                  Modify message logging facilities
  mac-address-table                        MAC Address Table
  mac-auth                                 802.1X
  management-server                        Configure management server address
  memory-profile                           Memory profile to be used on the
                                           device
  meshpoint-device                         Configure meshpoint device
                                           parameters
  meshpoint-monitor-interval               Configure meshpoint monitoring
                                           interval
  min-misconfiguration-recovery-time       Time interval to check controller
                                           connectivity after configuration is
                                           received
  mint                                     MiNT protocol
  misconfiguration-recovery-time           Check controller connectivity after
                                           configuration is received
  neighbor-inactivity-timeout              Configure neighbor inactivity
                                           timeout
  neighbor-info-interval                   Configure neighbor information
                                           exchange interval
  no                                       Negate a command or set its
                                           defaults
  noc                                      Configure the noc related setting
  nsight                                   NSight
  ntp                                      Ntp server WORD
  offline-duration                         Set duration for which a device
                                           remains unadopted before it
                                           generates offline event
  otls                                     Omnitrail Location Server
  power-config                             Configure power mode
  preferred-controller-group               Controller group this system will
                                           prefer for adoption
  preferred-tunnel-controller              Tunnel Controller Name this system
                                           will prefer for tunneling extended
                                           vlan traffic
  radius                                   Configure device-level radius
                                           authentication parameters
  raid                                     RAID
  remote-debug                             Configure remote debug parameters
  remove-override                          Remove configuration item override
                                           from the device (so profile value
                                           takes effect)
  rf-domain-manager                        RF Domain Manager
  router                                   Dynamic routing
  slot                                     PCI expansion Slot
  spanning-tree                            Spanning tree
  traffic-class-mapping                    Configure IPv6 traffic class to
                                           802.1p priority mapping for
                                           untagged frames
  traffic-shape                            Traffic shaping
  trustpoint                               Assign a trustpoint to a service
  tunnel-controller                        Tunnel Controller group this
                                           controller belongs to
  use                                      Set setting to use
  vrrp                                     VRRP configuration
  vrrp-state-check                         Publish interface via OSPF/BGP only
                                           if the interface VRRP state is not
                                           BACKUP
  wep-shared-key-auth                      Enable support for 802.11 WEP
                                           shared key authentication
  zone                                     Configure Zone name
  clrscr                                   Clears the display screen
  commit                                   Commit all changes made in this
                                           session
  do                                       Run commands from Exec mode
  end                                      End current mode and change to EXEC
                                           mode
  exit                                     End current mode and down to
                                           previous mode
  help                                     Description of the interactive help
                                           system
  revert                                   Revert changes
  service                                  Service Commands
  show                                     Show running system information
  write                                    Write running configuration to
                                           memory or terminal
<DEVICE>(config-profile-<PROFILE-NAME>)#

<DEVICE>(config-profile-<T5-PROFILE-NAME>)#?
T5 Profile Mode commands:
  cpe            T5 CPE configuration
  interface      Select an interface to configure
  ip             Internet Protocol (IP)
  no             Negate a command or set its defaults
  ntp            Configure NTP
  override-wlan  Configure RF Domain level overrides for wlan
  t5             T5 configuration
  t5-logging     Modify message logging facilities
  use            Set setting to use
  clrscr         Clears the display screen
  commit         Commit all changes made in this session
  do             Run commands from Exec mode
  end            End current mode and change to EXEC mode
  exit           End current mode and down to previous mode
  help           Description of the interactive help system
  revert         Revert changes
  service        Service Commands
  show           Show running system information
  write          Write running configuration to memory or terminal
<DEVICE>(config-profile-<T5-PROFILE-NAME>)#

<DEVICE>(config-profile-<EX3524/EX3548-PROFILE-NAME>)#?
EX3500 Profile Mode commands:
  interface  Select an interface to configure
  ip         Internet Protocol (IP)
  no         Negate a command or set its defaults
  power      Ex3500 Power over Ethernet Command
  upgrade    Configures upgrade option for ex3500 system
  use        Set setting to use
  clrscr     Clears the display screen
  commit     Commit all changes made in this session
  do         Run commands from Exec mode
  end        End current mode and change to EXEC mode
  exit       End current mode and down to previous mode
  help       Description of the interactive help system
  revert     Revert changes
  service    Service Commands
  show       Show running system information
  write      Write running configuration to memory or terminal
<DEVICE>(config-profile-<EX3524/EX3548-PROFILE-NAME>)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

7.1 Profile Config Commands

The following table summarizes profile configuration mode commands:

| Command | Description | Reference |
|---|---|---|
| adopter-auto-provisioning-policy-lookup | Enables the use of a centralized auto provisioning policy on this profile | page 7-11 |
| adoption | Configures a minimum and maximum delay time in the initiation of the device adoption process | page 7-13 |
| alias | Creates various types of aliases, such as network, VLAN, network-group, network-service, encrypted-string, hashed-string, etc. at the profile level | page 7-15 |
| application-policy | Associates a RADIUS server provided application policy with this profile. When associated, the application policy allows wireless clients (MUs) to always find the RADIUS-supplied application policy in the dataplane. | page 7-22 |
| area | Sets the system’s area of location (the area name) | page 7-24 |
| arp | Configures static address resolution protocol | page 7-25 |
| auto-learn | Enables controllers or service platforms to maintain a local configuration record of devices requesting adoption and provisioning. The command also enables learning of a device’s host name via DHCP options. | page 7-27 |
| autogen-uniqueid | Auto-generates a unique local ID for devices using this profile. When executed in the device configuration mode, this command generates a unique ID for the logged device. | page 7-28 |
| autoinstall | Configures the automatic install feature | page 7-30 |
| bridge | Configures bridge specific parameters | page 7-31 |
| captive-portal | Configures captive portal advanced Web page upload on a device profile | page 7-62 |
| cdp | Enables Cisco Discovery Protocol (CDP) on a device | page 7-63 |
| cluster | Configures a cluster name | page 7-64 |
| configuration-persistence | Enables persistence of configuration across reloads | page 7-67 |
| controller | Configures a wireless controller or service platform | page 7-68 |
| critical-resource | Monitors resources that are critical to the health of the service platform, wireless controller, or access point managed network. These critical resources are identified by their configured IP addresses. | page 7-72 |
| crypto | Configures data encryption related protocols and settings | page 7-80 |
| database | Backs up captive-portal and/or NSight database to a specified location and file and configures a low-disk-space threshold value | page 7-143 |
| device-onboard | Configures the logo image file name and title displayed on the EGuest device-onboarding portal. This is the portal a vendor-admin user uses to onboard devices. | page 7-144 |
| device-upgrade | Configures device firmware upgrade settings on this profile | page 7-145 |
| diag | Enables looped packet logging | page 7-147 |
| dot1x | Configures 802.1x standard authentication controls | page 7-148 |
| dpi | Enables Deep Packet Inspection (DPI) on this profile | page 7-150 |
| dscp-mapping | Configures an IP DSCP to 802.1p priority mapping for untagged frames | page 7-153 |
| eguest-server (VX9000 only) | Enables the EGuest daemon when executed without the ‘host’ option | page 7-154 |
| eguest-server (NOC Only) | Points to the EGuest server, when executed along with the ‘host’ option | page 7-155 |
| email-notification | Configures e-mail notification settings | page 7-156 |
| enforce-version | Enables checking of a device’s firmware version before attempting adoption or clustering | page 7-158 |
| environmental-sensor | Configures the environmental sensor settings on this profile (applicable to AP8132 model access point only) | page 7-159 |
| events | Enables system event logging and message generation. This command also configures event message forwarding settings. | page 7-161 |
| export | Enables export of startup.log file after every boot | page 7-162 |
| file-sync | Configures parameters enabling synching of trustpoint and/or wireless-bridge certificate between the staging-controller and adopted access point | page 7-163 |
| floor | Sets the floor name where the system is located | page 7-164 |
| gre | Enables Generic Routing Encapsulation (GRE) tunneling on this profile | page 7-165 |
| http-analyze | Configures HTTP analysis settings | page 7-177 |
| interface | Configures an interface (VLAN, radio, GE, etc.) | page 7-180 |
| ip | Configures IPv4 components | page 7-348 |
| ipv6 | Configures IPv6 components | page 7-358 |
| l2tpv3 | Defines the Layer 2 Tunnel Protocol (L2TP) protocol for tunneling layer 2 payloads using Virtual Private Networks (VPNs) | page 7-362 |
| l3e-lite-table | Configures L3e Lite Table with this profile | page 7-364 |
| led | Turns device LEDs on or off | page 7-365 |
| led-timeout | Configures LED-timeout timer. This command is specific to the NX95XX series service platforms. | page 7-366 |
| legacy-auto-downgrade | Auto downgrades a legacy device firmware | page 7-368 |
| legacy-auto-update | Auto upgrades a legacy device firmware | page 7-369 |
| lldp | Configures Link Layer Discovery Protocol (LLDP) | page 7-370 |
| load-balancing | Configures load balancing parameters | page 7-372 |
| logging | Modifies message logging settings | page 7-377 |
| mac-address-table | Configures the MAC address table | page 7-379 |
| mac-auth | Enables 802.1x user authentication protocol on this profile | page 7-381 |
| management-server | Configures a management server with this profile | page 7-384 |
| memory-profile | Configures the memory profile used on the device | page 7-385 |
| meshpoint-device | Configures meshpoint device parameters | page 7-386 |
| meshpoint-monitor-interval | Configures meshpoint monitoring interval | page 7-388 |
| min-misconfiguration-recovery-time | Configures the minimum device connectivity verification time | page 7-389 |
| mint | Configures MiNT protocol settings | page 7-390 |
| misconfiguration-recovery-time | Verifies device connectivity after a configuration is received | page 7-397 |
| neighbor-inactivity-timeout | Configures neighbor inactivity timeout | page 7-398 |
| neighbor-info-interval | Configures neighbor information exchange interval | page 7-399 |
| no | Removes or reverts settings to their default. The no command, when used in the profile configuration mode, removes the selected profile’s settings or reverts them to their default. | page 7-400 |
| noc | Configures NOC settings | page 7-402 |
| nsight | Configures NSight database related parameters | page 7-403 |
| ntp | Configures NTP server settings | page 7-408 |
| otls | Configures support for detection and forwarding of OmniTrail beacon tags | page 7-411 |
| offline-duration | Sets the duration, in minutes, for which a device remains un-adopted before it generates an offline event | page 7-414 |
| power-config | Configures the power mode | page 7-415 |
| preferred-controller-group | Specifies the wireless controller or service platform group preferred for adoption | page 7-417 |
| preferred-tunnel-controller | Configures the tunnel wireless controller or service platform preferred by the system to tunnel extended VLAN traffic | page 7-418 |
| radius | Configures device-level RADIUS authentication parameters | page 7-419 |
| raid | Enables alarm on the array. This command is supported only on the NX9500 and NX9510 series service platform profile/device config modes. | page 7-493 |
| rf-domain-manager | Enables devices using this profile to be elected as RF Domain manager.
Also sets the priority value for devices using this profile in the RF Domain manager election process.page 7-420router Configures dynamic router protocol settings page 7-421spanning-tree Configures spanning tree related settings page 7-423traffic-class-mappingMaps the IPv6 traffic class value of incoming IPv6 untagged packets to 802.1p prioritypage 7-426Command Description Reference
PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide  7 - 10traffic-shape Enables traffic shaping and configures traffic shaping parameters page 7-428trustpoint (profile-config-mode)Configures the trustpoint assigned for validating a CMP auth Operator page 7-434tunnel-controller Configures the name of tunneled WLAN (extended VLAN) wireless controller or service platformpage 7-436use Uses pre configured policies with this profile page 7-437vrrp Configures Virtual Router Redundancy Protocol (VRRP) group settings page 7-443vrrp-state-check Publishes interface via OSPF or BGP based on VRRP status page 7-447virtual-controller Enables an access point as a virtual-controller (VC) or dynamic virtual controller (DVC). Note, DVC is supported only on the AP7522, AP7532, and AP7562 model access points.page 7-448wep-shared-key-authEnables support for 802.11 WEP shared key authentication page 7-450service Service commands are used to view and manage configurations. The service commands and their corresponding parameters vary from mode to mode.page 7-451zone Configures the zone for devices using this profile. The zone can also be configured on the device’s self context.page 7-456Command Description ReferenceNOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

7.1.1 adopter-auto-provisioning-policy-lookup

Profile Config Commands

Enables the use of a centralized auto provisioning policy on this profile. When enabled, the auto-provisioning policy applied on the NOC gets precedence over the one applied at the site controller level. Optionally, use the ‘evaluate-always’ option to set a flag that runs the centralized auto-provisioning policy every time a device (access point/controller) is adopted. The device’s previous adoption status is not taken into consideration.

This command is also applicable in the device configuration context.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
adopter-auto-provisioning-policy-lookup {evaluate-always}

Parameters
• adopter-auto-provisioning-policy-lookup {evaluate-always}

adopter-auto-provisioning-policy-lookup {evaluate-always}
Enables the use of a centralized auto provisioning policy on this profile or device
• evaluate-always – Optional. Sets a flag that runs the centralized auto-provisioning policy every time a device (access point/controller) is adopted.

Example
rfs6000-81742D(config-profile-default-rfs6000)#adopter-auto-provisioning-policy-lookup evaluate-always
rfs6000-81742D(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface me1
 interface up1
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface ge6
 interface ge7
 interface ge8
 interface wwan1
 interface pppoe1
 use firewall-policy default
 logging on
 service pm sys-restart
 adopter-auto-provisioning-policy-lookup
 router ospf
 router bgp
rfs6000-81742D(config-profile-default-rfs6000)#

Related Commands
no | Disables the application of centralized auto provisioning policy on this profile or device

7.1.2 adoption

Profile Config Commands

Configures a minimum and maximum delay time in the initiation of the device adoption process. When configured, devices do not attempt adoption immediately on coming up. The process is initiated after the lapse of a specified period of time (configured using this command as the start-delay minimum time).

Once configured and applied, this setting is applicable on all devices using this profile. This option is also available in the device-configuration mode.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
adoption start-delay min <0-30> max <0-30>

Parameters
• adoption start-delay min <0-30> max <0-30>

adoption start-delay min <0-30> max <0-30>
Delays start of device adoption process
• min <0-30> – Configures the minimum time to lapse before a device attempts adoption. Specify a value from 0 - 30 seconds. A device, on coming up, attempts adoption only after the lapse of the time specified here. The default is 5 seconds.
• max <0-30> – Configures the maximum time to lapse before a device attempts adoption. Specify a value from 0 - 30 seconds. The default is 20 seconds.

Example
rfs6000-81742D(config-profile-default-rfs6000)#adoption start-delay min 10 max 30
rfs6000-81742D(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface me1
 interface up1
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface ge6
 interface ge7
 interface ge8
 interface wwan1
 interface pppoe1
 use firewall-policy default
 logging on
 service pm sys-restart
 adopter-auto-provisioning-policy-lookup
 router ospf
 router bgp
 adoption start-delay min 10 max 30
rfs6000-81742D(config-profile-default-rfs6000)#

Related Commands
no | Removes the configured minimum start-delay value. When removed, devices attempt adoption immediately on coming up.

7.1.3 alias

Profile Config Commands

Configures network, VLAN, and service aliases. The aliases defined on this profile apply to all devices using this profile. Aliases can also be defined at the device level.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
alias [address-range|encrypted-string|hashed-string|host|network|network-group|network-service|number|string|vlan]
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>
alias host <HOST-ALIAS-NAME> <HOST-IP>
alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
alias string <STRING-ALIAS-NAME> <LINE>
alias vlan <VLAN-ALIAS-NAME> <1-4094>

NOTE: You can apply overrides to aliases at the device level. Overrides applied at the device level take precedence. For more information on aliases, see alias.

Parameters
• alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

address-range <ADDRESS-RANGE-ALIAS-NAME>
Creates a new address-range alias for this profile. Or associates an existing address-range alias with this profile. An address-range alias maps a name to a range of IP addresses. Use this option to create unique address-range aliases for different deployment scenarios. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location’s network range is 172.16.13.20 through 172.16.13.110, the remote location’s ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.
• <ADDRESS-RANGE-ALIAS-NAME> – Specify the address range alias name.
Note: Alias name should begin with ‘$’.

<STARTING-IP> to <ENDING-IP>
Associates a range of IP addresses with this address range alias
• <STARTING-IP> – Specify the first IP address in the range.
• to <ENDING-IP> – Specify the last IP address in the range.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

• alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

encrypted-string <ENCRYPTED-STRING-ALIAS-NAME>
Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when "password-encryption" is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server.
• <ENCRYPTED-STRING-ALIAS-NAME> – Specify the encrypted-string alias name.
Alias name should begin with ‘$’.

[0|2] <LINE>
Configures the value associated with the alias name specified in the previous step
• [0|2] <LINE> – Configures the alias value
Note, if password-encryption is enabled, in the show > running-config output, this clear text is displayed as an encrypted string, as shown below:
nx9500-6C8809(config)#show running-config
!...............................
alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//
!
--More--
nx9500-6C8809
In the above output, the ‘2’ displayed before the encrypted-string alias value indicates that the displayed text is encrypted and not clear text.
However, if password-encryption is disabled, the clear text is displayed as is:
nx9500-6C8809(config)#show running-config
!...............................
!
alias encrypted-string $enString 0 test11223344
!
--More--
nx9500-6C8809
For more information on enabling password-encryption, see password-encryption.

• alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

hashed-string <HASHED-STRING-ALIAS-NAME>
Creates an alias for a hashed string. Use this alias for configuration values that are hashed strings, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see privilege-mode-password.
• <HASHED-STRING-ALIAS-NAME> – Specify the hashed-string alias name.
Alias name should begin with ‘$’.

<LINE>
Configures the hashed-string value associated with this alias.
nx9500-6C8809(config)#show running-config
!
alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv
!
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
--More--
nx9500-6C8809
In the above show > running-config output, the ‘1’ displayed before the hashed-string alias value indicates that the displayed text is hashed and not clear text.

• alias host <HOST-ALIAS-NAME> <HOST-IP>

host <HOST-ALIAS-NAME>
Creates a new host alias for this profile. Or associates an existing host alias with this profile. A host alias configuration is for a particular host device’s IP address. Use this option to create unique host aliases for different deployment scenarios. For example, if a central network DNS server is set to a static IP address, and a remote location’s local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.
• <HOST-ALIAS-NAME> – Specify the host alias name.
Alias name should begin with ‘$’.

<HOST-IP>
Associates the network host’s IP address with this host alias
• <HOST-IP> – Specify the network host’s IP address.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

• alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

network <NETWORK-ALIAS-NAME>
Creates a new network alias for this profile. Or associates an existing network alias with this profile. A network alias configuration is utilized for an IP address on a particular network. Use this option to create unique network aliases for different deployment scenarios. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location’s network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.
• <NETWORK-ALIAS-NAME> – Specify the network alias name.
Alias name should begin with ‘$’.

<NETWORK-ADDRESS/MASK>
Associates a single network with this network alias
• <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

• alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]

network-group <NETWORK-GROUP-ALIAS-NAME>
Creates a new network-group alias for this profile. Or associates an existing network-group alias with this profile.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name.
Alias name should begin with ‘$’.
The network-group aliases are used in ACLs, to define the network-specific components. ACLs using aliases can be used across sites by re-defining the network-group alias elements at the device or profile level.
After specifying the name, specify the following: a range of IP addresses, host addresses, or a range of network addresses.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}
Associates a range of IP addresses with this network-group alias
• <STARTING-IP> – Specify the first IP address in the range.
• to <ENDING-IP> – Specify the last IP address in the range.
• <STARTING-IP> to <ENDING-IP> – Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured.

host <HOST-IP> {<HOST-IP>}
Associates a single or multiple hosts with this network-group alias
• <HOST-IP> – Specify the hosts’ IP address.
• <HOST-IP> – Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured.

network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}
Associates a single or multiple networks with this network-group alias
• <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
• <NETWORK-ADDRESS/MASK> – Optional. Specifies more than one network. A maximum of eight (8) networks can be configured.

• alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}

alias network-service <NETWORK-SERVICE-ALIAS-NAME>
Creates a new network-service alias for this profile. Or associates an existing network-service alias with this profile. A network service alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network service alias.
• <NETWORK-SERVICE-ALIAS-NAME> – Specify a network-service alias name.
Alias name should begin with ‘$’.
The network-service aliases are used in ACLs, to define the service-specific components. ACLs using aliases can be used across sites by re-defining the network-service alias elements at the device or profile level.
Note: Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp]
Use one of the following options to associate an Internet protocol with this network-service alias:
• <0-254> – Identifies the protocol by its number. Specify the protocol number from 0 - 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of IPv6 header. For example, the User Datagram Protocol’s (UDP) designated number is 17.
• <WORD> – Identifies the protocol by its name. Specify the protocol name.
• eigrp – Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The protocol number is 88.
• gre – Selects Generic Routing Encapsulation (GRE). The protocol number is 47.
• igmp – Selects Internet Group Management Protocol (IGMP). The protocol number is 2.
• igp – Selects Interior Gateway Protocol (IGP). The protocol number is 9.
• ospf – Selects Open Shortest Path First (OSPF). The protocol number is 89.
• vrrp – Selects Virtual Router Redundancy Protocol (VRRP). The protocol number is 112.

{(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
After specifying the protocol, you may configure a destination port for this service. These keywords are recursive and you can configure multiple protocols and associate multiple destination and source ports.
• <1-65535> – Optional. Configures a destination port number from 1 - 65535
• <WORD> – Optional. Identifies the destination port by the service name provided. For example, the secure shell (SSH) service uses TCP port 22.
• bgp – Optional. Configures the default Border Gateway Protocol (BGP) services port (179)
• dns – Optional. Configures the default Domain Name System (DNS) services port (53)
• ftp – Optional. Configures the default File Transfer Protocol (FTP) control services port (21)
• ldap – Optional. Configures the default Lightweight Directory Access Protocol (LDAP) services port (389)
• ftp-data – Optional. Configures the default FTP data services port (20)
• gopher – Optional. Configures the default gopher services port (70)
• https – Optional. Configures the default HTTPS services port (443)
• nntp – Optional. Configures the default Newsgroup (NNTP) services port (119)
• ntp – Optional. Configures the default Network Time Protocol (NTP) services port (123)
• proto – Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step.
• sip – Optional. Configures the default Session Initiation Protocol (SIP) services port (5060).
• sourceport [<1-65535>|<WORD>] – Optional. After specifying the destination port, you may specify a single or range of source ports.
  • <1-65535> – Specify the source port from 1 - 65535.
  • <WORD> – Specify the source port range, for example 1-10.
• ssh – Optional. Configures the default SSH services port (22)
• telnet – Optional. Configures the default Telnet services port (23)
• tftp – Optional. Configures the default Trivial File Transfer Protocol (TFTP) services port (69)
• www – Optional. Configures the default HTTP services port (80)

• alias number <NUMBER-ALIAS-NAME> <0-4294967295>

alias number <NUMBER-ALIAS-NAME> <0-4294967295>
Creates a number alias identified by the <NUMBER-ALIAS-NAME> keyword. Number aliases map a name to a numeric value. For example, ‘alias number $NUMBER 100’
• The number alias name is: $NUMBER
• The value assigned is: 100
The value referenced by alias $NUMBER, wherever used, is 100.
• <NUMBER-ALIAS-NAME> – Specify the number alias name.
• <0-4294967295> – Specify the number, from 0 - 4294967295, assigned to the number alias created.
Alias name should begin with ‘$’.

• alias string <STRING-ALIAS-NAME> <LINE>

alias string <STRING-ALIAS-NAME>
Creates a new string alias for this profile. Or associates an existing string alias with this profile. String aliases map a name to an arbitrary string value. Use this option to create unique string aliases for different deployment scenarios. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.
• <STRING-ALIAS-NAME> – Specify the string alias name.
• <LINE> – Specify the string value.
Alias name should begin with ‘$’.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

• alias vlan <VLAN-ALIAS-NAME> <1-4094>

alias vlan <VLAN-ALIAS-NAME>
Creates a new VLAN alias for this profile. Or associates an existing VLAN alias with this profile. A VLAN alias maps a name to a VLAN ID. A VLAN alias is a configuration for optimal VLAN re-use and management for local and remote deployments. Use this option to create unique VLAN aliases for different deployment scenarios. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias. At the remote location, the network is functional with an ID of 26, but utilizes the name defined at the central local network. A new VLAN need not be created specifically at the remote location.
• <VLAN-ALIAS-NAME> – Specify the VLAN alias name.
Alias name should begin with ‘$’.

<1-4094>
Maps the VLAN alias to a VLAN ID
• <1-4094> – Specify the VLAN ID from 1 - 4094.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

Example
The following example shows the global aliases configured. Note the network-service alias ‘$kerberos’ settings.
nx9500-6C8809(config)#show running-config | include alias
alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25
alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24
alias network $NetworkAlias 192.168.13.0/24
alias host $HostAlias 192.168.13.10
alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13
alias network-service $kerberos proto tcp 23 22 proto udp 25
alias vlan $VlanAlias 1
alias string $AREA Ecospace
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 2 CdO6glQ9w29hybKxfbd6JwAAAAa7lKMBMk9EiDQfFRf9kegO
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
nx9500-6C8809(config)#

The following examples show the overrides applied to the network-service alias ‘$kerberos’ at the profile level:
nx9500-6C8809(config-profile-testRFS4k)#alias network-service $kerberos proto tcp 88 proto udp 389
nx9500-6C8809(config-profile-testRFS4k)#

The following example shows the overrides applied to the network-service alias ‘$kerberos’ at the profile level:
nx9500-6C8809(config-profile-testRFS4k)#show running-config | include alias
alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25
alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24
alias network $NetworkAlias 192.168.13.0/24
alias host $HostAlias 192.168.13.10
alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13
alias network-service $kerberos proto tcp 23 22 proto udp 25
alias vlan $VlanAlias 1
alias string $AREA Ecospace
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 2 /Mfbt1Et8XRhybKxfbd6JwAAAAZ9yrIYq7mNl4+gNNiiMIZI
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
alias network-service $kerberos proto tcp 88 proto udp 389
nx9500-6C8809(config-profile-testRFS4k)#

Related Commands
no | Removes the use of centralized auto provisioning policy on this profile or device
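
The override precedence and the 0/2 type flag described in this alias section can be checked offline against exported alias lines. The following Python sketch is an added example, not part of the WiNG guide or the WiNG software: the function names are hypothetical, the sample lines are constructed from values used in the examples above (the $READ ciphertext is a placeholder), and it assumes that a definition at a lower level replaces the whole higher-level definition.

```python
import re

# Configuration levels, lowest precedence first. The text states that an alias
# defined at one level can be overridden at the next lower level and that
# device-level overrides take precedence.
LEVELS = ("global", "rf-domain", "profile", "device")

# Destination ports for the service keywords described above; pop3 and smtp
# appear in the syntax only, so their well-known ports are filled in here.
SERVICE_PORTS = {
    "bgp": 179, "dns": 53, "ftp": 21, "ftp-data": 20, "gopher": 70,
    "https": 443, "ldap": 389, "nntp": 119, "ntp": 123, "pop3": 110,
    "sip": 5060, "smtp": 25, "ssh": 22, "telnet": 23, "tftp": 69, "www": 80,
}
ALIAS_RE = re.compile(r"^alias\s+(\S+)\s+(\$\S+)\s+(.+)$")

def parse_level(text):
    """Parse the alias lines of one level into {(type, name): [value, ...]}."""
    aliases = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("alias "):
            continue  # prompts, '!' separators, --More--
        match = ALIAS_RE.match(line)
        if match is None:
            raise ValueError(f"malformed alias (name must begin with '$'): {line!r}")
        kind, name, value = match.groups()
        aliases.setdefault((kind, name), []).append(value)
    return aliases

def resolve(config_by_level):
    """Return {(type, name): (winning_level, values)} after applying overrides.
    Assumption: a lower-level definition replaces the inherited one entirely."""
    effective = {}
    for level in LEVELS:
        for key, values in parse_level(config_by_level.get(level, "")).items():
            effective[key] = (level, values)
    return effective

def parse_network_service(value):
    """Split 'proto tcp 88 proto udp 389' into (proto, dst_ports, src_ports)."""
    entries, tokens, i = [], value.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("proto", "sourceport"):
            if i + 1 >= len(tokens):
                raise ValueError(f"'{tok}' needs an argument")
            if tok == "proto":
                entries.append((tokens[i + 1], [], []))
            elif entries:
                entries[-1][2].append(tokens[i + 1])  # single port or range
            else:
                raise ValueError("definition must start with 'proto'")
            i += 2
            continue
        if not entries:
            raise ValueError("definition must start with 'proto'")
        port = int(tok) if tok.isdigit() else SERVICE_PORTS.get(tok, tok)
        entries[-1][1].append(port)
        i += 1
    if len(entries) > 4:  # limit stated in the network-service description
        raise ValueError("more than 4 protocol entries in one alias")
    return entries

def cleartext_secrets(effective):
    """List (name, level) of encrypted-string aliases stored with flag 0,
    i.e. shown as clear text because password-encryption is disabled."""
    findings = []
    for (kind, name), (level, values) in effective.items():
        if kind == "encrypted-string" and any(v.split()[0] == "0" for v in values):
            findings.append((name, level))
    return sorted(findings)

# Constructed sample: values follow the examples and scenarios in this section.
SAMPLE = {
    "global": """
alias network-service $kerberos proto tcp 23 22 proto udp 25
alias vlan $VlanAlias 10
alias encrypted-string $enString 0 test11223344
alias encrypted-string $READ 2 PLACEHOLDER-CIPHERTEXT
""",
    "profile": "alias network-service $kerberos proto tcp 88 proto udp 389",
    "device": "alias vlan $VlanAlias 26",
}

if __name__ == "__main__":
    effective = resolve(SAMPLE)
    for (kind, name), (level, values) in sorted(effective.items()):
        print(f"{kind} {name}: {values} (from {level})")
    print("clear-text secrets:", cleartext_secrets(effective))
```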

7.1.4 application-policy

Profile Config Commands

Associates a RADIUS server provided application policy with this profile. This command is also applicable to the device configuration mode. When associated, the application policy allows wireless clients (MUs) to always find the RADIUS-supplied application policy in the dataplane.

An application policy defines the actions executed on recognized HTTP (Facebook), enterprise (Webex) and peer-to-peer (gaming) applications or application-categories. The following are the actions that can be applied in an application policy:
• Allow - Allows packets for a specific application and its defined category type (e.g., social networking)
• Deny - Denies (restricts) packets to a specific application and its defined category type
• Mark - Marks recognized packets with DSCP/8021p value
• Rate-limit - Rate limits packets from specific application type

For more information on configuring an application policy, see application-policy.

Supported in the following platforms:
• Access Points — AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
application-policy radius <APP-POLICY-NAME>

Parameters
• application-policy radius <APP-POLICY-NAME>

application-policy radius <APP-POLICY-NAME>
Associates a RADIUS server provided application policy with this profile
• <APP-POLICY-NAME> – Specify the application policy name (should be existing and configured).

Example
nx9500-6C8809(config)#show context include-factory | include application-policy
application-policy Bing
  no use application-policy
  no use application-policy
  no use application-policy
 no use application-policy
 no use application-policy
 no use application-policy
 no use application-policy
 no use application-policy
  no use application-policy
nx9500-6C8809(config)#

nx9500-6C8809(config-profile-testNX9500)#application-policy radius Bing
nx9500-6C8809(config-profile-testNX9500)#show context include-factory | include application-policy
 application-policy radius Bing
nx9500-6C8809(config-profile-testNX9500)#

nx9500-6C8809(config-application-Bing)#Show context
application Bing
 app-category streaming
 use url-list Bing
nx9500-6C8809(config-application-Bing)#

Related Commands
no | Removes the RADIUS-server provided application policy associated with this profile

7.1.5 area

Sets the system’s area of location (the physical area of deployment)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
area <WORD>

Parameters
• area <WORD>

area <WORD> – Sets the system’s area of location
  • <WORD> – Specify the area name (should not exceed 64 characters).

Example
rfs6000-37FABE(config-profile-default-rfs6000)#area Ecospace
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  ip igmp snooping
  ip igmp snooping querier
 area Ecospace
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 interface me1
 interface ge1
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no – Resets the configured area name

7.1.6 arp

Adds a static Address Resolution Protocol (ARP) IP address in the ARP cache

The ARP protocol maps an IP address to a hardware MAC address recognized on the network. ARP provides protocol rules for making this correlation and providing address conversion in both directions.

When an incoming packet destined for a host arrives, ARP finds a physical host or MAC address that matches the IP address. ARP looks in its ARP cache and, if it finds the address, provides it so the packet can be converted to the right packet length, formatted, and sent to its destination. If no entry is found for the IP address, ARP broadcasts a request packet in a special format on the LAN to locate a device that recognizes the IP address. A device that recognizes the IP address as its own returns a reply indicating it. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
arp [<IP>|timeout]
arp <IP> <MAC> arpa [<L3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1|serial <1-4> <1-1> <1-1>] {dhcp-server|router}
arp timeout <15-86400>

Parameters
• arp <IP> <MAC> arpa [<L3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1|serial <1-4> <1-1> <1-1>] {dhcp-server|router}

arp <IP> – Adds a static ARP IPv4 address in the ARP cache
  • <IP> – Specify the static IP address.
<MAC> – Specify the MAC address associated with the IP and the Switch Virtual Interface (SVI).
arpa – Sets ARP encapsulation type to ARPA
<L3-INTERFACE-NAME> – Configures static ARP entry for a specified router interface
  • <L3-INTERFACE-NAME> – Specify the router interface name.
pppoe1 – Configures static ARP entry for PPP over Ethernet interface
vlan <1-4094> – Configures static ARP entry for a VLAN interface
  • <1-4094> – Specify a SVI VLAN ID from 1 - 4094.
wwan1 – Configures static ARP entry for Wireless WAN interface
{dhcp-server|router} – The following keywords are common to all of the above interface types:
  • dhcp-server – Optional. Sets ARP entries for a DHCP server
  • router – Optional. Sets ARP entries for a router

• arp timeout <15-86400>

arp timeout <15-86400> – Sets ARP entry timeout
  • <TIME> – Sets the ARP entry timeout in seconds. Specify a value from 15 - 86400 seconds. The default is 3600 seconds.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#arp timeout 2000
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 arp timeout 2000
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 interface me1
 interface ge1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge2
  ip dhcp trust
--More--
rfs6000-37FABE(config-profile-default-rfs7000)#

Related Commands
no – Removes an entry from the ARP cache

7.1.7 auto-learn

Enables controllers or service platforms to maintain a local configuration record of devices requesting adoption and provisioning. The command also enables learning of a device’s host name via DHCP options.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
auto-learn [host-name-via-dhcp <WORD>|staging-config]

Parameters
• auto-learn [host-name-via-dhcp <WORD>|staging-config]

auto-learn [host-name-via-dhcp <WORD>|staging-config] – Enables auto-learning of:
  • host-name-via-dhcp – A device’s host name via DHCP option.
    • <WORD> – Provide the optional template with substitution token. For example, 'outdoor-$DHCP[1:3]-ap', where the $DHCP token references DHCP Option value received by the adopting device. The $DHCP token should be present. This option is disabled by default.
  • staging-config – The network configuration of devices requesting adoption. This option is enabled by default. For dependent access points that are pre-staged prior to deployment, it is recommended that the auto-learn-staging-config parameter remains enabled so that hostnames, VLAN and IP addressing configuration can be maintained upon initial adoption. However, if dependent access points are to be centrally managed and configured, it is recommended that the auto-learn-staging-config parameter be disabled.

Example
nx9500-6C8809(config-profile-test)#auto-learn staging-config
nx9500-6C8809(config-profile-test)#show context include-factory | include auto-learn
 auto-learn staging-config
 no auto-learn host-name-via-dhcp
nx9500-6C8809(config-profile-test)#

Related Commands
no – Disables automatic recognition of devices’ hostname and devices pending adoption

7.1.8 autogen-uniqueid

Auto-generates a unique ID for devices using this profile. When executed in the device configuration mode, this command generates a unique ID for the logged device.

A device’s unique ID is a combination of a user-defined string (prefix, suffix, or both) and a substitution token. The WiNG implementation provides two built-in substitution tokens: $SN and $MiNT-ID that represent the device’s serial number and MiNT-ID respectively. The values referenced by these substitution tokens are internally retrieved and combined with the user-defined string to auto-generate a unique identity for the device.

The general format of this command is: <PREFIX><SUBSTITUTION-TOKEN><SUFFIX>. You can provide both (prefix and suffix) or just a prefix or suffix.

For example, given the following set of inputs:
• user-defined prefix – TestAP6522
• substitution token – $SN
The unique ID is generated using TestAP6522$SN, where $SN is replaced with the device’s serial number.

When executed on an AP6522 (having serial number B4C7996C8809), the autogen-uniqueid TestAP6522$SN command generates the unique ID: TestAP6522B4C7996C8809. When configured on an AP6522 profile, all AP6522s using the profile auto-generate a unique ID in which the device’s serial number is preceded by the string ‘TestAP6522’.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
autogen-uniqueid <WORD>

Parameters
• autogen-uniqueid <WORD>

autogen-uniqueid <WORD> – Auto-generates a device’s unique ID (not exceeding 64 characters in length)
The ID generated is a combination of the text provided and the value referenced through the substitution token $SN or $MiNT-ID. Wherever the autogen-uniqueid is used, the device’s serial number OR MiNT-ID is referenced depending on the substitution token used.
  • <WORD> – Specify an auto-generated unique ID format using one of the following substitution tokens:
    Available tokens:
      $SN      - references SERIAL NUMBER of the device
      $MINT-ID - references MINT-ID of the device
    For example, Test-$SN-TechPubs. In this example ‘Test’ and ‘TechPubs’ represent the user-defined prefix and suffix respectively, and $SN is the substitution token.

Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#autogen-uniqueid Test-$MiNT-ID-TechPubs
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
 use profile default-nx9000
 use rf-domain TechPubs
 hostname nx9500-6C8809
 license AAP 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
 license HTANLT 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
 timezone Asia/Calcutta
 use database-policy default
 use nsight-policy noc
 autogen-uniqueid Test-$MiNT-ID-TechPubs
 ip default-gateway 192.168.13.2
 device-upgrade auto rfs6000 ap81xx ap71xx ap7562 ap7532
 interface ge1
  switchport mode access
  switchport access vlan 1
 interface ge2
--More--
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Related Commands
no – When executed in the device configuration mode, removes the device’s autogen-uniqueid. When executed in the profile configuration mode, removes the autogen-uniqueid on all devices using the profile.

7.1.9 autoinstall

Automatically installs firmware image and startup configuration parameters on to the selected device.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
autoinstall [configuration|firmware|start-interval <WORD>]

Parameters
• autoinstall [configuration|firmware|start-interval <WORD>]

configuration – Autoinstalls startup configuration. Setup parameters are automatically configured on devices using this profile. This option is disabled by default.
firmware – Autoinstalls firmware image. Firmware images are automatically installed on devices using this profile. This option is disabled by default.
start-interval <WORD> – Configures the interval between system boot and start of autoinstall process (this is the time, from system boot, after which autoinstall should start)
  • <WORD> – Specify the interval in minutes. The default is 10 minutes.
  Note: Zero (0) implies firmware or startup configuration installation can start any time.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#autoinstall configuration
rfs6000-37FABE(config-profile-default-rfs6000)#autoinstall firmware
rfs7000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 arp timeout 2000
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 interface me1
 interface ge1
  ip dhcp trust
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no – Disables the auto install settings

7.1.10 bridge

The following table summarizes Ethernet bridge configuration commands:

Command | Description | Reference
bridge | Enables Ethernet bridge configuration context | page 7-32
bridge-vlan-mode commands | Summarizes bridge VLAN configuration mode commands | page 7-35

7.1.10.1 bridge

Configures VLAN Ethernet bridging parameters. Use this command to configure bridge NAT or bridge VLAN settings.

Configuring bridge Network Address Translation (NAT) parameters allows management of Internet traffic originating at a remote site. In addition to traditional NAT functionality, bridge NAT provides a means of configuring NAT for bridged traffic through an access point. NAT rules are applied to bridged traffic through the access point, and matching packets are NATed to the WAN link instead of being bridged on their way to the router.

Using bridge NAT, a tunneled VLAN (extended VLAN) is created between the NOC and a remote location. When a remote client needs to access the Internet, Internet traffic is routed to the NOC, and from there routed to the Internet. This increases the access time for the end user on the client. To resolve latency issues, bridge NAT identifies and segregates traffic heading towards the NOC and outwards towards the Internet. Traffic towards the NOC is allowed over the secure tunnel. Traffic towards the Internet is switched to a local WLAN link with access to the Internet.

A Virtual LAN (VLAN) is a separately administrated virtual network within the same physical managed network. VLANs are broadcast domains defined within wireless controllers or service platforms to allow control of broadcast, multicast, unicast, and unknown unicast within a layer 2 device. For example, say several computers are used in conference room X and some in conference room Y. The systems in conference room X can communicate with one another, but not with the systems in conference room Y. The VLAN enables the systems in conference rooms X and Y to communicate with one another even though they are on separate physical subnets. The systems in conference rooms X and Y are managed by the same single wireless controller or service platform, but ignore the systems that are not using the same VLAN ID.

Administrators often need to route traffic between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device, which will untag it. When a data frame is received on a port, the VLAN bridge determines the associated VLAN based on the port of reception. Using forwarding database information, the bridge VLAN forwards the data frame on the appropriate port(s).

VLANs are useful for setting up separate networks that isolate some computers from others, without requiring separate cabling and Ethernet switches. Controllers can do this on their own, without the computer or other gear needing to know which VLAN it is on (this is called port-based VLAN, since it is assigned by port of the switch). Another common use is to put specialized devices like VoIP phones on a separate network for easier configuration, administration, security, or quality of service.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Note: For more information on the interface types and the devices supporting them, see interface.

Syntax
bridge [nat|vlan]
bridge nat source list <IP-ACCESS-LIST-NAME> precedence <1-500> interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address|interface|overload|pool <NAT-POOL-NAME>)]
bridge vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters
• bridge nat source list <IP-ACCESS-LIST-NAME> precedence <1-500> interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address|interface|overload|pool <NAT-POOL-NAME>)]

nat – Configures bridge NAT parameters
source – Configures NAT source addresses
list <IP-ACCESS-LIST-NAME> precedence <1-500> – Associates an access control list (ACL) with this bridge NAT policy. The ACL specifies the IP address permit/deny rules applicable to this bridge NAT policy.
  • <IP-ACCESS-LIST-NAME> – Specify access list name.
  • precedence <1-500> – Specifies a precedence value for this bridge NAT policy.
interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] – Selects one of the following as the primary interface (between the source and destination points):
  • <LAYER3-INTERFACE-NAME> – A router interface. Specify interface name.
  • pppoe1 – A PPP over Ethernet interface.
  • vlan <1-4094> – A VLAN interface. Specify the VLAN interface index from 1 - 4094.
  • wwan1 – A Wireless WAN interface.
[(address|interface|overload|pool <NAT-POOL-NAME>)] – The following keywords are recursive and common to all interface types:
  • address – Configures the interface IP address used for NAT
  • interface – Configures the failover interface (default setting)
  • overload – Enables use of one global address for multiple local addresses (terminates command)
  • pool <NAT-POOL-NAME> – Configures the NAT pool used with this bridge NAT policy. Specify the NAT pool name. For more information on configuring a NAT pool, see nat-pool-config-instance.

• bridge vlan [<1-4094>|<VLAN-ALIAS-NAME>]

vlan <1-4094> – Configures the numerical identifier assigned to the bridge VLAN when it was initially created.
  • <1-4094> – Specify a VLAN index from 1 - 4094.
vlan <VLAN-ALIAS-NAME> – Configures the VLAN alias (should be existing and configured) identifying the bridge VLAN
  • <VLAN-ALIAS-NAME> – Specify a VLAN alias name.

Usage Guidelines
Creating customized filter schemes for bridged networks limits the amount of unnecessary traffic processed and distributed by the bridging equipment.

If a bridge does not hear Bridge Protocol Data Units (BPDUs) from the root bridge within the specified interval, defined in the max-age (seconds) parameter, it assumes the network has changed and recomputes the spanning-tree topology.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#bridge vlan 1
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#?
Bridge VLAN Mode commands:
  bridging-mode                              Configure how packets on this
                                             VLAN are bridged
  captive-portal                             Captive Portal
  captive-portal-enforcement                 Enable captive-portal enforcement
                                             on this extended VLAN
  description                                Vlan description
  edge-vlan                                  Enable edge-VLAN mode
  firewall                                   Enable vlan firewall(IPv4)
  http-analyze                               Forward URL and Data to
                                             controller
  ip                                         Internet Protocol (IP)
  ipv6                                       Internet Protocol version 6
                                             (IPv6)
  l2-tunnel-broadcast-optimization           Enable broadcast optimization
  l2-tunnel-forward-additional-packet-types  Forward additional packet types
                                             not normally forwarded by l2
                                             broadcast optimization
  mac-auth                                   Enable mac-auth for this bridge
                                             vlan
  no                                         Negate a command or set its
                                             defaults
  stateful-packet-inspection-l2              Enable stateful packet inspection
                                             in layer2 firewall
  tunnel                                     Vlan tunneling settings
  tunnel-over-level2                         Tunnel extended VLAN traffic over
                                             level 2 MiNT links
  use                                        Set setting to use
  clrscr                                     Clears the display screen
  commit                                     Commit all changes made in this
                                             session
  do                                         Run commands from Exec mode
  end                                        End current mode and change to
                                             EXEC mode
  exit                                       End current mode and down to
                                             previous mode
  help                                       Description of the interactive
                                             help system
  revert                                     Revert changes
  service                                    Service Commands
  show                                       Show running system information
  write                                      Write running configuration to
                                             memory or terminal
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

7.1.10.2 bridge-vlan-mode commands

The following table summarizes bridge VLAN configuration mode commands:

Command | Description | Reference
bridging-mode | Configures how packets on this VLAN are bridged | page 7-36
captive-portal | Enables IP packet snooping on wired captive portals, and also configures the subnet to snoop | page 7-38
captive-portal-enforcement | Enables auto-enforcement of captive portal rules on this extended VLAN interface | page 7-39
description | Configures VLAN bridge description | page 7-40
edge-vlan | Enables edge VLAN mode | page 7-41
firewall | Enables firewall on this bridge VLAN interface | page 7-42
http-analyze | Enables the analysis of URLs and data traffic on this Bridge VLAN | page 7-43
ip | Configures IP components | page 7-44
ipv6 | Configures IPv6 components | page 7-47
l2-tunnel-broadcast-optimization | Enables broadcast optimization | page 7-50
l2-tunnel-forward-additional-packet-types | Enables forwarding of Wireless Network Management Protocol (WNMP) packets across L2 tunnels. These WNMP packets are normally not forwarded if L2 tunnel broadcast optimization is enabled. | page 7-53
mac-auth | Enables MAC authentication for Extended VLAN and Tunneled traffic | page 7-51
no | Negates a command or reverts settings to their default | page 7-54
stateful-packet-inspection-l2 | Enables stateful packet inspection in the layer 2 firewall | page 7-56
tunnel | Enables tunneling of unicast messages to unknown MAC destinations, on the selected VLAN bridge | page 7-57
tunnel-over-level2 | Enables extended VLAN traffic over level 2 MiNT links | page 7-59
use | Associates a captive-portal, access control list (IP, IPv6, or MAC), and a URL filter with this bridge VLAN | page 7-60

7.1.10.2.1 bridging-mode

Configures how packets are bridged on the selected VLAN

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bridging-mode [auto|isolated-tunnel|local|tunnel]

Parameters
• bridging-mode [auto|isolated-tunnel|local|tunnel]

bridging-mode – Configures the VLAN bridging mode
auto – Automatically selects the bridging mode to match the WLAN, VLAN and bridging mode configurations. When selected, the controller or access point determines the best bridging mode for the VLAN. (default setting)
isolated-tunnel – Bridges packets between local Ethernet ports and local radios, and passes tunneled packets through without de-tunneling
  Select this option for a dedicated tunnel for bridging VLAN traffic.
local – Bridges packets normally between local Ethernet ports and local radios (if any)
  Local mode is typically configured in remote branch offices where traffic on remote private LAN segments needs to be bridged locally. Local mode implies that traffic, wired and wireless, is to be bridged locally.
tunnel – Bridges packets between local Ethernet ports, local radios, and tunnels to other APs, wireless controllers, or service platforms
  Select this option to use a shared tunnel for bridging VLAN traffic.
  In tunnel mode, the traffic at the AP is always forwarded through the best path. The APs decide the best path to reach the destination and forward packets accordingly. Setting the VLAN to tunnel mode ensures packets are bridged between local Ethernet ports, any local radios, and tunnels to other APs, wireless controllers, and service platforms.

Usage Guidelines
ACLs can only be used with tunnel or isolated-tunnel modes. They do not work with the local and automatic modes.

Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#bridging-mode isolated-tunnel
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands
no – Resets bridging mode to auto

7.1.10.2.2 captive-portal

Enables IP (IPv4 and IPv6) packet snooping on wired captive portals, and also configures the subnet to snoop. When enabled, IP packets received from wired captive portal clients, on the specified subnet, are snooped to learn IP to MAC mapping.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
captive-portal [ipv4-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-address <IPv4|IPv6>}

Parameters
• captive-portal [ipv4-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-address <IPv4|IPv6>}

captive-portal [ipv4-snooping|ipv6-snooping] – Enables snooping of IPv4 or IPv6 packets (based on the option selected) for wired captive portal clients
subnet <IPv4/M|IPv6/M> – Enables IPv4 or IPv6 packet snooping on a specified subnet
  • <IPv4/M|IPv6/M> – Specify the subnet address in the A.B.C.D/M or X:X::X:X/M format to identify an IPv4 or IPv6 subnet respectively. When specified, this is the IPv4/IPv6 subnet on which IP packets are to be snooped.
excluded-address <IPv4|IPv6> – Optional. Configures the IPv4 or IPv6 address excluded from snooping within the specified IPv4|IPv6 subnet.
  • <IPv4|IPv6> – Specify the IPv4 or IPv6 address. Use this parameter to configure the gateway’s address.

Example
nx9500-6C8809(config-profile NX9500Test-bridge-vlan-4)#captive-portal ip-snooping subnet 192.168.13.0/24 excluded-address 192.168.13.7
nx9500-6C8809(config-profile NX9500Test-bridge-vlan-4)#show context
 bridge vlan 4
  captive-portal ip-snooping subnet 192.168.13.0/24 excluded-address 192.168.13.7
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile NX9500Test-bridge-vlan-4)#

Related Commands
no – Disables IP packet snooping on wired captive portals

7.1.10.2.3 captive-portal-enforcement

Enables auto-enforcement of captive portal rules on this extended VLAN interface. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
captive-portal-enforcement {fall-back}

Parameters
• captive-portal-enforcement {fall-back}

captive-portal-enforcement – Enables auto-enforcement of captive portal access permission rules to data transmitted over this extended VLAN interface. When enforced, wired network users can pass traffic through the captive portal without being redirected to an authentication page. Authentication instead takes place when the RADIUS server is queried against the wired user's MAC address. If the MAC address is in the RADIUS server's user database, the user is allowed access.
  A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals capture and re-direct a wired/wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network.
fall-back – Optional. If enabling source MAC authentication for Extended VLAN and tunneled traffic on this bridge VLAN, use this option to enforce captive-portal authentication as the fall-back mode of authentication in case MAC authentication fails.

Example
nx9500-6C8809(config-profile testAP7602-bridge-vlan-20)#show context
 bridge vlan 20
  captive-portal-enforcement
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile testAP7602-bridge-vlan-20)#

Related Commands
no – Disables auto-enforcement of captive portal rules on this extended VLAN interface

7.1.10.2.4 description

Configures this extended VLAN’s description

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7632, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description <WORD>

Parameters
• description <WORD>

description <WORD> – Configures a description for this VLAN bridge
  • <WORD> – Enter a description. The description should be unique to the VLAN’s specific configuration to help differentiate it from other VLANs with similar configurations.

Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#description "This is a description for the bridged VLAN"
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context
 bridge vlan 1
  description "This is a description for the bridged VLAN"
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands
no – Removes VLAN’s description

7.1.10.2.5 edge-vlan

bridge-vlan-mode commands

Enables the edge VLAN mode. In the edge VLAN mode, a protected port does not forward traffic to another protected port on the same wireless controller or service platform. This feature is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
edge-vlan

Parameters
None

Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#edge-vlan
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands
no – Disables the edge VLAN mode

7.1.10.2.6 firewall

bridge-vlan-mode commands

Enables IPv4 firewall on this bridge VLAN interface. This feature is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
firewall

Parameters
None

Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#firewall
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands
no – Disables firewall on this bridge VLAN interface

7.1.10.2.7 http-analyze

bridge-vlan-mode commands

Enables the analysis of URLs and data traffic on this Bridge VLAN. When enabled, URLs and data are forwarded to the controller running the HTTP analytics engine.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
http-analyze {filter [images|post|query-string]}

Parameters
• http-analyze {filter [images|post|query-string]}

http-analyze filter [images|post|query-string] – Enables URL and HTTP data analysis. Optionally use the filter keyword to filter out specific URLs
  • filter – Optional. Filters out specific URLs
    • images – Filters out URLs referring to images
    • post – Filters out URLs referring to POSTs
    • query-string – Filters out query strings received from URLs

Example
rfs4000-229D58(config-device 00-23-68-22-9D-58-bridge-vlan-4)#http-analyze filter images
rfs4000-229D58(config-device 00-23-68-22-9D-58-bridge-vlan-4)#show context
 bridge vlan 4
  http-analyze filter images
rfs4000-229D58(config-device 00-23-68-22-9D-58-bridge-vlan-4)#

Related Commands
no – Disables forwarding of URLs and data to the controller running the HTTP analytics engine

7.1.10.2.8 ip

bridge-vlan-mode commands

Configures VLAN bridge IP components

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip [arp|dhcp|igmp]
ip [arp|dhcp] trust
ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count|mrouter|querier}
ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count <1-7>}
ip igmp snooping {mrouter [interface|learn]}
ip igmp snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
ip igmp snooping {querier} {address|max-response-time|timer|version}
ip igmp snooping {querier} {address <IP>|max-response-time <1-25>|timer expiry <60-300>|version <1-3>}

Parameters
• ip [arp|dhcp] trust

ip – Configures the VLAN bridge IP parameters
arp trust – Configures the ARP trust parameter. Trusted ARP packets are used to update the DHCP snoop table to prevent IP spoof and arp-cache poisoning attacks. This option is disabled by default.
  • trust – Trusts ARP responses on the VLAN bridge
dhcp trust – Configures the DHCP trust parameter. Uses DHCP packets, from a DHCP server, as trusted and permissible within the access point, wireless controller, or service platform managed network. DHCP packets are used to update the DHCP snoop table to prevent IP spoof attacks. This feature is enabled by default.
  • trust – Trusts DHCP responses on the VLAN bridge

• ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count <1-7>}

ip – Configures the VLAN bridge IP parameters
igmp snooping – Configures Internet Group Management Protocol (IGMP) snooping parameters. IGMP snooping is enabled by default.
IGMP establishes and maintains multicast group memberships for interested members. Multicasting allows a networked device to listen to IGMP network traffic and forward IGMP multicast packets to radios on which the interested hosts are connected. The device also maintains a map of the links that require multicast streams, thereby reducing unnecessary flooding of the network with multicast traffic.
fast-leave – Optional. Enables fast leave processing. When enabled, layer 2 LAN interfaces are removed from the IGMP snooping forwarding table entry without initially sending IGMP group-specific queries to the interface. When receiving a group specific IGMPv2 leave message, IGMP snooping removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port. Fast-leave processing enhances bandwidth management for all hosts on the network. This option is disabled by default.
This feature is supported only on the AP7502, AP8232, AP8533 model access points.
forward-unknown-multicast – Optional. Enables forwarding of multicast packets from unregistered multicast groups. If disabled, the unknown multicast forward feature is also disabled for individual VLANs. This option is enabled by default.
last-member-query-count <1-7> – Optional. Configures the last member query count used in determining the number of group-specific queries sent before removing the snoop entry
  • <1-7> – Specify the count from 1 - 7. The default value is 2.

• ip igmp snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}

ip – Configures the VLAN bridge IP parameters
igmp snooping – Configures the IGMP snooping parameters
mrouter – Optional. Configures the multicast router parameters
interface <INTERFACE-LIST> – Configures the multicast router interfaces. This option is disabled by default.
  • <INTERFACE-LIST> – Specify a comma-separated list of interface names.
learn pim-dvmrp – Configures the multicast router learning protocols. This option is disabled by default.
  • pim-dvmrp – Enables Protocol-Independent Multicast (PIM) and Distance-Vector Multicast Routing Protocol (DVMRP) snooping of packets

• ip igmp snooping {querier} {address <IP>|max-response-time <1-25>|timer expiry <60-300>|version <1-3>}

ip – Configures the VLAN bridge IP parameters
igmp snooping – Configures the IGMP snooping parameters
querier – Optional. Configures the IGMP querier parameters. This option is disabled by default.
Enables IGMP querier. IGMP snoop querier keeps host memberships alive. It is primarily used in a network where there is a multicast streaming server and hosts subscribed to the server and no IGMP querier present. The access point, wireless controller, or service platform performs the IGMP querier role. An IGMP querier sends out periodic IGMP query packets. Interested hosts reply with an IGMP report packet. IGMP snooping is only conducted on wireless radios. IGMP multicast packets are flooded on wired ports. IGMP multicast packets are not flooded on the wired port. IGMP membership is also learnt on it and only if present, then it is forwarded on that port.
address <IP> – Optional. Configures the IGMP querier source IP address. This address is used as the default VLAN querier IP address.
  • <IP> – Specify the IGMP querier source IP address.
max-response-time <1-25> – Optional. Configures the IGMP querier maximum response time. This option is disabled by default.
  • <1-25> – Specify the maximum response time from 1 - 25 seconds.
The access point, wireless controller, or service platform forwards multicast packets only to radios present in the snooping table. IGMP reports from wired ports are forwarded to the multicast router ports.
If no reports are received from a radio, it is removed from the snooping table. The radio then stops receiving multicast packets.
timer expiry <60-300> – Optional. Configures the IGMP querier expiry time. The value specified is used as the timeout interval for other querier resources. This option is disabled by default.
  • expiry – Configures the IGMP querier timeout
  • <60-300> – Specify the IGMP querier timeout from 60 - 300 seconds.
version <1-3> – Optional. Configures the IGMP version. This option is disabled by default.
  • <1-3> – Specify the IGMP version. The versions are 1 - 3.

Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip arp trust
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip dhcp trust
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping mrouter interface ge1 ge2
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping mrouter learn pim-dvmrp
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping querier max-response-time 24
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping querier timer expiry 100
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping querier version 2
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context
 bridge vlan 1
  description "This is a description for the bridged VLAN"
  ip arp trust
  ip dhcp trust
  ip igmp snooping
  ip igmp snooping querier
  ip igmp snooping querier version 2
  ip igmp snooping querier max-response-time 24
  ip igmp snooping querier timer expiry 100
  ip igmp snooping mrouter interface ge2 ge1
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands
no – Disables or reverts the VLAN Ethernet bridge parameters

7.1.10.2.9 ipv6

bridge-vlan-mode commands

Configures this VLAN bridge's IPv6 components

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6 [dhcpv6|firewall|mld|nd]
ipv6 dhcpv6 trust
ipv6 firewall
ipv6 mld snooping {forward-unknown-multicast|mrouter|querier}
ipv6 mld snooping {forward-unknown-multicast}
ipv6 mld snooping {mrouter [interface|learn]}
ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
ipv6 mld snooping {querier} {max-response-time|timer|version}
ipv6 mld snooping {querier} {max-response-time <1-25000>|timer expiry <60-300>|version <1-2>}
ipv6 nd raguard

Parameters
• ipv6 dhcpv6 trust

ipv6 – Configures the VLAN bridge IPv6 parameters
dhcpv6 trust – Enables the DHCPv6 trust option. When enabled, all DHCPv6 responses are trusted on this bridge VLAN. This option is enabled by default.
  • trust – Trusts DHCPv6 responses on this bridge VLAN

• ipv6 firewall

ipv6 – Configures the VLAN bridge IPv6 parameters
firewall – Enables IPv6 firewall on this bridge VLAN. This option is enabled by default.
Devices utilizing IPv6 addressing require firewall protection unique to IPv6 traffic.
IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. Routers respond to such a request with a router advertisement (RA) packet that contains Internet layer configuration parameters.

• ipv6 mld snooping {forward-unknown-multicast}

ipv6 – Configures the VLAN bridge IPv6 parameters
mld snooping – Configures Multicast Listener Discovery Protocol (MLD) snooping parameters
MLD snooping enables an access point, wireless controller, or service platform to examine MLD packets and make forwarding decisions based on the content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and join multicast groups.
MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or access point VLANs. When enabled, MLD messages between hosts and multicast routers are examined to identify the hosts receiving multicast group traffic. The access point, wireless controller, or service platform forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces.
This option is enabled by default.
forward-unknown-multicast – Optional. Enables forwarding of multicast packets from unregistered multicast groups. If disabled, the unknown multicast forward feature is also disabled for individual VLANs. This option is enabled by default.

• ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}

ipv6 – Configures the VLAN bridge IPv6 parameters
mld snooping – Configures MLD snooping parameters. This option is enabled by default.
mrouter – Optional. Configures the multicast router parameters, such as interfaces and learning protocol used.
interface <INTERFACE-LIST> – Configures the multicast router interfaces. This option is disabled by default.
  • <INTERFACE-LIST> – Specify a comma-separated list of interface names.
learn pim-dvmrp – Configures the multicast router learning protocols. This option is disabled by default.
  • pim-dvmrp – Enables PIM and DVMRP snooping of packets

• ipv6 mld snooping {querier} {max-response-time <1-25000>|timer expiry <60-300>|version <1-2>}

ipv6 – Configures the VLAN bridge IPv6 parameters
mld snooping – Configures IPv6 MLD snooping parameters. This option is disabled by default.
querier – Optional. Enables and configures the MLD querier parameters. When enabled, the device (access point, wireless controller, and service platform) sends query messages to discover which network devices are members of a given multicast group. This option is disabled by default.
max-response-time <1-25000> – Optional. Configures the IPv6 MLD querier's maximum response time. This option is disabled by default.
  • <1-25000> – Specify the maximum response time from 1 - 25000 milliseconds.
timer expiry <60-300> – Optional. Configures the IPv6 MLD other querier's timeout. This option is disabled by default.
  • <60-300> – Specify the MLD other querier's timeout from 60 - 300 seconds.
version <1-2> – Optional. Configures the IPv6 MLD querier version. This option is disabled by default.
  • <1-2> – Specify the MLD version. The versions are 1 - 2.

• ipv6 nd raguard

ipv6 – Configures the VLAN bridge IPv6 parameters
nd raguard – Allows router advertisement (RA) or ICMPv6 redirects on this VLAN bridge. This option is enabled by default.

Example
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 dhcpv6 trust
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 firewall
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping forward-unknown-multicast
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping mrouter interface ge1 ge2
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping mrouter learn pim-dvmrp
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping querier max-response-time 20000
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping querier timer expiry 200
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping querier version 2
rfs7000-37FABE(config-profile test-bridge-vlan-2)#show context
 bridge vlan 2
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
  ipv6 mld snooping mrouter interface ge2 ge1
  ipv6 mld snooping querier version 2
  ipv6 mld snooping querier max-response-time 20000
  ipv6 mld snooping querier timer expiry 200
rfs7000-37FABE(config-profile test-bridge-vlan-2)#

Related Commands
no – Disables or reverts the VLAN Ethernet bridge IPv6 parameters

7.1.10.2.10 l2-tunnel-broadcast-optimization

bridge-vlan-mode commands

Enables broadcast optimization on this bridge VLAN. L2 Tunnel Broadcast Optimization prevents flooding of ARP packets over the virtual interface. Based on the learned information, ARP packets are filtered at the wireless controller level.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
l2-tunnel-broadcast-optimization

Parameters
None

Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#l2-tunnel-broadcast-optimization
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context
 bridge vlan 1
  description "This is a description for the bridged VLAN"
  l2-tunnel-broadcast-optimization
  bridging-mode isolated-tunnel
  ip arp trust
  ip dhcp trust
  ip igmp snooping
  ip igmp snooping querier
  ip igmp snooping mrouter interface ge2 ge1
  ip igmp snooping querier version 2
  ip igmp snooping querier max-response-time 24
  ip igmp snooping querier timer expiry 100
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands
no – Disables L2 tunnel broadcast optimization

7.1.10.2.11 mac-auth

bridge-vlan-mode commands

Enables source MAC authentication for Extended VLAN and tunneled traffic (MiNT and L2TPv3) on this bridge VLAN

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac-auth {attempts <1-5>|throttle <0-255>}

Parameters
• mac-auth {attempts <1-5>|throttle <0-255>}

mac-auth – Enables MAC Authentication
attempts <1-5> – Optional. Configures the maximum number of retries allowed for MAC authentication requests.
  • <1-5> – Specify the maximum allowed authentication retries from 1 - 5. The default is 3.
throttle <0-255> – Optional. Configures the throttle value for MAC authentication requests
  • <0-255> – Specify the MAC authentication request throttle value from 0 - 255. The default is 64.

Usage Guidelines: Applying AAA Policy for MAC Authentication
To enable MAC authentication:
• Create an AAA policy.
nx9500-6C8809(config)#aaa-policy MAC-Auth
• Use the AAA policy on the device for MAC Authentication.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#mac-auth use aaa-policy MAC-Auth
• In the bridge VLAN context, enable MAC Authentication.
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth
• Optionally, configure the following MAC Authentication parameters. If not specified, default values are applied.
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth attempts 2
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth throttle 100

Usage Guidelines: Enabling Fall-back Captive Portal Authentication
To enable fall-back captive-portal authentication on the bridge VLAN:
• Apply a captive-portal policy to the bridge VLAN.
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#use captive-portal test
• Enable captive-portal authentication as the fall-back authentication mode.
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#captive-portal-enforcement fall-back

NOTE: If enabling MAC authentication, ensure that an AAA policy is configured and used for enforcing MAC Authentication.

Example
nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#mac-auth attempts 2
nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#mac-auth throttle 80
nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#show context
 bridge vlan 20
  mac-auth attempts 2
  mac-auth throttle 80
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#

Related Commands
no – Disables MAC authentication for Extended VLAN and Tunneled traffic on this bridge VLAN

7.1.10.2.12 l2-tunnel-forward-additional-packet-types

bridge-vlan-mode commands

Enables forwarding of Wireless Network Management Protocol (WNMP) packets across L2 tunnels. Under normal circumstances, if L2 tunnel broadcast optimization is enabled, WNMP packets are not forwarded across the L2 tunnels. Use this option to enable the forwarding of only WNMP packets.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
l2-tunnel-forward-additional-packet-types wnmp

Parameters
None

Example
nx9500-6C8809(config-profile testNX9000-bridge-vlan-1)#l2-tunnel-forward-additional-packet-types wnmp
nx9500-6C8809(config-profile testNX9000-bridge-vlan-1)#show context
 bridge vlan 1
  l2-tunnel-broadcast-optimization
  l2-tunnel-forward-additional-packet-types wnmp
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9000-bridge-vlan-1)#

Related Commands
no – Disables WNMP packet forwarding across L2 tunnel

7.1.10.2.13 no

bridge-vlan-mode commands

Negates a command or reverts settings to their default. The no command, when used in the bridge VLAN mode, negates the VLAN bridge settings or reverts them to their default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [bridging-mode|captive-portal|captive-portal-enforcement|description|edge-vlan|firewall|http-analyze|ip|ipv6|l2-tunnel-broadcast-optimization|l2-tunnel-forward-additional-packet-types|mac-auth|stateful-packet-inspection-l2|tunnel|tunnel-over-level2|use]
no [bridging-mode|captive-portal-enforcement|description|edge-vlan|firewall|l2-tunnel-broadcast-optimization|l2-tunnel-forward-additional-packet-types|mac-auth|stateful-packet-inspection-l2|tunnel-over-level2]
no captive-portal [ip-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-address <IPv4|IPv6>}
no http-analyze {filter [images|post|query-string]}
no ip [arp|dhcp|igmp]
no ip [arp|dhcp] trust
no ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count|mrouter|querier}
no ip igmp snooping {forward-unknown-multicast}
no ip igmp snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
no ip igmp snooping {querier} {address|max-response-time|timer expiry|version}
no ipv6 [dhcpv6|firewall|mld|nd]
no ipv6 dhcpv6 trust
no ipv6 firewall
no ipv6 mld snooping {forward-unknown-multicast}
no ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
no ipv6 mld snooping {querier} {max-response-time|timer expiry|version}
no ipv6 nd raguard
no tunnel [rate-limit level2|unknown-unicast]
no use [application-policy|captive-portal|ip-access-list|ipv6-access-list|mac-access-list|url-list] tunnel out

Parameters
• no <PARAMETERS>

no <PARAMETERS> – Resets or reverts this bridge VLAN's settings based on the parameters passed

Example
The following example displays bridge VLAN 20 settings before the 'no' commands are executed:
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#show context
 bridge vlan 20
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#

nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#no ip igmp snooping
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#no ipv6 mld snooping

The following example displays bridge VLAN 20 settings after the 'no' commands are executed:
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#show context
 bridge vlan 20
  no ip igmp snooping
  ip igmp snooping querier
  no ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#

nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#show context
 bridge vlan 20
  mac-auth attempts 2
  mac-auth throttle 80
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#

nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#no mac-auth
nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#show context
 bridge vlan 20
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#
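
The script below is an added example, not part of this guide or of any Extreme Networks tooling. It parses saved 'show context' output for bridge VLAN blocks, reports settings that deviate from the defaults documented in the sections above, and checks that mac-auth values are in range and that 'captive-portal-enforcement fall-back' is paired with mac-auth and a 'use captive-portal' policy. The sample output, the function names, and the treatment of any 'mac-auth' line as "MAC authentication configured" are assumptions.

```python
import re

# Defaults as documented in this guide's bridge-VLAN sections
# (True = enabled by default, False = disabled by default).
DOCUMENTED_DEFAULTS = {
    "firewall": True,
    "ipv6 firewall": True,
    "ip arp trust": False,
    "ip dhcp trust": True,
    "ipv6 dhcpv6 trust": True,
    "edge-vlan": True,
}
# Documented value ranges for the optional mac-auth parameters.
MAC_AUTH_RANGES = {"attempts": (1, 5), "throttle": (0, 255)}
FALL_BACK = "captive-portal-enforcement fall-back"

# Constructed sample input (not captured from a real device).
SAMPLE = """\
nx9500-6C8809(config-profile testNX9500)#show context
 bridge vlan 20
  mac-auth attempts 2
  mac-auth throttle 80
  captive-portal-enforcement fall-back
  ip igmp snooping
 bridge vlan 30
  no firewall
  ip arp trust
  captive-portal-enforcement fall-back
  use captive-portal test
  ip igmp snooping
 bridge vlan 40
  ip igmp snooping
  ipv6 mld snooping
nx9500-6C8809(config-profile testNX9500)#
"""


def parse_bridge_vlans(text):
    """Return {vlan_id: [setting lines]} using indentation to bound each block."""
    vlans, current, header_indent = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        header = re.fullmatch(r"bridge vlan (\d+)", line)
        if header:
            current, header_indent = int(header.group(1)), indent
            vlans[current] = []
        elif current is not None and indent > header_indent:
            vlans[current].append(line)
        else:
            current = None  # prompt line or another context: block has ended
    return vlans


def audit_vlan(lines):
    """Return a list of findings for one bridge VLAN's setting lines."""
    findings, present = [], set(lines)
    # 1. Explicit deviations from the documented defaults.
    for setting, default_on in DOCUMENTED_DEFAULTS.items():
        if default_on and f"no {setting}" in present:
            findings.append(f"'{setting}' is disabled (documented default: enabled)")
        elif not default_on and setting in present:
            findings.append(f"'{setting}' is enabled (documented default: disabled)")
    # 2. mac-auth parameters outside the documented ranges.
    for line in lines:
        m = re.fullmatch(r"mac-auth (attempts|throttle) (\d+)", line)
        if m:
            low, high = MAC_AUTH_RANGES[m.group(1)]
            if not low <= int(m.group(2)) <= high:
                findings.append(f"mac-auth {m.group(1)} {m.group(2)} is outside {low}-{high}")
    # 3. Fall-back enforcement needs mac-auth and an applied captive-portal policy.
    # Assumption: any line starting with 'mac-auth' means MAC authentication is configured.
    mac_auth = any(l == "mac-auth" or l.startswith("mac-auth ") for l in lines)
    if FALL_BACK in present:
        if not mac_auth:
            findings.append("fall-back enforcement set but mac-auth is not configured")
        if not any(l.startswith("use captive-portal ") for l in lines):
            findings.append("fall-back enforcement set but no 'use captive-portal' policy applied")
    return findings


def audit(text):
    """Audit every bridge VLAN block found in the given 'show context' text."""
    return {vlan: audit_vlan(lines) for vlan, lines in parse_bridge_vlans(text).items()}


if __name__ == "__main__":
    for vlan, findings in audit(SAMPLE).items():
        print(f"bridge vlan {vlan}: {findings or 'no findings'}")
```

The AAA policy that mac-auth depends on is applied in the device context rather than the bridge VLAN context, so this check cannot confirm it from bridge VLAN output alone.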

7.1.10.2.14 stateful-packet-inspection-l2

bridge-vlan-mode commands

Enables stateful packet inspection (SPI) at the layer 2 firewall. SPI, also referred to as dynamic packet filtering, is a security feature that tracks the operating state and characteristics of network connections traversing it. It distinguishes legitimate packets for different types of connections, and only allows packets matching a known active connection to pass.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
stateful-packet-inspection-l2

Parameters
None

Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#stateful-packet-inspection-l2
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands
no – Disables stateful packet inspection at the layer 2 firewall

7.1.10.2.15 tunnel

bridge-vlan-mode commands

Enables tunneling of unicast messages, to unknown MAC destinations, on the selected VLAN bridge

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
tunnel [rate-limit|unknown-unicast]
tunnel rate-limit level2 rate <50-1000000> max-burst-size <2-1024> {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}
tunnel unknown-unicast

Parameters
• tunnel rate-limit level2 rate <50-1000000> max-burst-size <2-1024> {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

tunnel rate-limit level2 rate <50-1000000> max-burst-size <2-1024> – Configures the rate-limit parameters (max-burst-size and rate) for tunneled VLAN traffic over level 2 MiNT links
  • rate – Optional. Configures the data rate, in kilobits per second, for the incoming and outgoing extended VLAN traffic tunneled over MiNT level 2 links
    • <50-1000000> – Specify a value from 50 - 1000000 Kbps. The default is 5000 Kbps.
  • max-burst-size – Optional. Configures the maximum burst size
    • <2-1024> – Specify the maximum burst size from 2 - 1024 kbytes. The default is 320 kbytes.
  After specifying the max-burst-size, optionally specify the red-threshold value for the different traffic types. The red-threshold is configured as a % of the specified max-burst-size.
  • red-threshold – Optional. Configures the random early detection (red) threshold for the different traffic types
    • background – Configures the red-threshold for low priority traffic from 0 - 100. The default is 50% of the specified max-burst-size.
    • best-effort – Configures the red-threshold for normal priority traffic from 0 - 100. The default is 50% of the specified max-burst-size.
    • video – Configures the red-threshold for video traffic from 0 - 100. The default is 25% of the specified max-burst-size.
    • voice – Configures the red-threshold for voice traffic from 0 - 100. The default is 0% of the specified max-burst-size.

• tunnel unknown-unicast

tunnel unknown-unicast – Enables tunneling of unicast packets destined for unknown MAC addresses

Example
rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#tunnel unknown-unicast
rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#no tunnel unknown-unicast
rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#show context
 bridge vlan 1
  ip igmp snooping
  ip igmp snooping querier
  no tunnel unknown-unicast
rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#

Related Commands
no – Disables tunneling of unicast messages, to unknown MAC destinations, on the selected VLAN bridge

7.1.10.2.16 tunnel-over-level2

bridge-vlan-mode commands

Enables extended VLAN (tunneled VLAN) traffic over level 2 MiNT links. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
tunnel-over-level2

Parameters
None

Example
rfs4000-229D58(config-profile testRFS4000-bridge-vlan-1)#tunnel-over-level2
rfs4000-229D58(config-profile testRFS4000-bridge-vlan-1)#show context
 bridge vlan 1
  description "This is a description for the bridged VLAN"
  l2-tunnel-broadcast-optimization
  bridging-mode isolated-tunnel
  tunnel-over-level2
  ip arp trust
  ip dhcp trust
  ip igmp snooping
  ip igmp snooping querier
rfs4000-229D58(config-profile testRFS4000-bridge-vlan-1)#

Related Commands
no – Disables extended VLAN traffic over level 2 MiNT links

7.1.10.2.17 use

bridge-vlan-mode commands

Associates a captive-portal, access control list (IPv4, IPv6, or MAC), and/or a URL filter with this bridge VLAN

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [application-policy|captive-portal|ip-access-list|ipv6-access-list|mac-access-list|url-filter]
use application-policy <APP-POLICY-NAME>
use captive-portal <CAPTIVE-PORTAL-NAME>
use [ip-access-list|ipv6-access-list|mac-access-list] tunnel out <IP/IPv6/MAC-ACCESS-LIST-NAME>
use url-filter <URL-FILTER-NAME>

Parameters
• use application-policy <APP-POLICY-NAME>

use application-policy <APP-POLICY-NAME> – Enforces application detection on this VLAN bridge
  • <APP-POLICY-NAME> – Specify the application policy name (should be existing and configured).
  • For more information on application definitions and application policies, see application and application-policy.

• use captive-portal <CAPTIVE-PORTAL-NAME>

use captive-portal – Applies an existing captive portal configuration to restrict access to the bridge VLAN configuration
A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network. Once logged into the captive portal, additional terms and agreement, welcome, fail, and no-service pages provide the administrator with a number of options on captive portal screen flow and user appearance.
  • <CAPTIVE-PORTAL-NAME> – Specify the captive portal name.

• use [ip-access-list|ipv6-access-list|mac-access-list] tunnel out <IP/IPv6/MAC-ACCESS-LIST-NAME>

use – Sets this VLAN bridge policy to use an IPv4/IPv6 access list or a MAC access list
ip-access-list – Associates a pre-configured IPv4 access list with this VLAN-bridge interface
ipv6-access-list – Associates a pre-configured IPv6 access list with this VLAN-bridge interface
mac-access-list – Associates a pre-configured MAC access list with this VLAN-bridge interface
tunnel out <IP/IPv6/MAC-ACCESS-LIST-NAME> – The following keywords are common to the 'IPv4/IPv6 access list' and 'MAC access list' parameters:
  • tunnel – Applies IPv4/IPv6 access list or MAC access list to all packets going into the tunnel
  • out – Applies IPv4/IPv6 access list or MAC access list to all outgoing packets
  • <IP/IPv6/MAC-ACCESS-LIST-NAME> – Specify the IP/IPv6 access list or MAC access list name.

• use url-filter <URL-FILTER-NAME>

use url-filter – Sets this VLAN bridge to use a URL filter
<URL-FILTER-NAME> – Specify the URL filter name. It should be existing and configured.
This option enforces URL filtering on the VLAN bridge.

Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#use mac-access-list tunnel out PERMIT-ARP-AND-IPv4
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context
 bridge vlan 1
  ip igmp snooping
  ip igmp snooping querier
  use mac-access-list tunnel out PERMIT-ARP-AND-IPv4
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands
no – Disables or reverts VLAN Ethernet bridge settings
7.1.11 captive-portal
Profile Config Commands

Configures captive portal advanced Web page uploads on this profile

A captive portal is a means of providing guests temporary and restrictive access to the controller managed wireless network. A captive portal provides secure authenticated controller access by capturing and re-directing a wireless user’s Web browser session to a captive portal login page, where the user must enter valid credentials. Once the user is authenticated and logged into the controller managed network, additional agreement, welcome, and fail pages provide the administrator with options to control the captive portal’s screen flow and user appearance.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
captive-portal page-upload count <1-20>

Parameters
• captive-portal page-upload count <1-20>

page-upload
  Enables captive portal advanced Web page upload
count <1-20>
  Sets the maximum number of APs that can be uploaded concurrently
  • <1-20> – Set a value from 1 - 20. The default is 10.

Example
nx9500-6C8809(config-profile-testNX9500)#captive-portal page-upload count 15
nx9500-6C8809(config-profile-testNX9500)#show context include-factory | include captive-portal
 captive-portal page-upload count 15
  no captive-portal-enforcement
  no captive-portal-enforcement
  no captive-portal-enforcement
  no captive-portal-enforcement
  no captive-portal-enforcement
  no captive-portal-enforcement
 service captive-portal-server connections-per-ip 3
nx9500-6C8809(config-profile-testNX9500)#
7.1.12 cdp
Profile Config Commands

Enables Cisco Discovery Protocol (CDP), a proprietary data link layer network protocol implemented in Cisco networking equipment and used to share network information amongst different vendor wireless devices

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cdp [holdtime|run|timer]
cdp [holdtime <10-1800>|run|timer <5-900>]

Parameters
• cdp [holdtime <10-1800>|run|timer <5-900>]

holdtime <10-1800>
  Specifies the holdtime after which transmitted packets are discarded
  • <10-1800> – Specify a value from 10 - 1800 seconds. The default is 180 seconds.
run
  Enables CDP sniffing and transmit globally. This feature is enabled by default.
timer <5-900>
  Specifies the interval, in seconds, between successive CDP packet transmission
  • <5-900> – Specify a value from 5 - 900 seconds. The default is 60 seconds.

Example
rfs6000-37FABE(config profile-default-rfs6000)#cdp run
rfs6000-37FABE(config profile-default-rfs6000)#cdp holdtime 1000
rfs7000-37FABE(config profile-default-rfs6000)#cdp timer 900
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  no edge-vlan
  l2-tunnel-broadcast-optimization
.............................................................
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 cdp holdtime 1000
 cdp timer 900
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
  Disables CDP on this profile
7.1.13 cluster
Profile Config Commands

Sets the cluster configuration

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cluster [force-configured-state|force-configured-state-delay|handle-stp|master-priority|member|mode|name|radius-counter-db-sync-time]
cluster [force-configured-state|force-configured-state-delay <3-1800>|handle-stp|master-priority <1-255>]
cluster member [ip|vlan]
cluster member [ip <IP> {level [1|2]}|vlan <1-4094>]
cluster mode [active|standby]
cluster name <CLUSTER-NAME>
cluster radius-counter-db-sync-time <1-1440>

Parameters
• cluster [force-configured-state|force-configured-state-delay <3-1800>|handle-stp|master-priority <1-255>]

force-configured-state
  Forces adopted APs to auto revert when a failed wireless controller or service platform (in a cluster) restarts
  When an active controller (wireless controller, or service platform) fails, a standby controller in the cluster takes over APs adopted by the failed active controller. If the failed active controller were to restart, it starts a timer based on the ‘force-configured-state-delay’ interval specified. At the expiration of this interval, the standby controller releases all adopted APs and goes back to a monitoring mode. If the active controller fails during this interval, the ‘force-configured-state-delay’ timer is stopped. The timer restarts as soon as the active controller comes back up.
  This feature is disabled by default.
force-configured-state-delay <3-1800>
  Forces cluster transition to the configured state after a specified interval
  • <3-1800> – Specify a delay from 3 - 1800 minutes. The default is 5 minutes.
  This is the interval a standby controller waits before releasing adopted APs when a failed primary controller becomes active again.
handle-stp
  Enables Spanning Tree Protocol (STP) convergence handling. This feature is disabled by default.
  In layer 2 networks, this protocol is enabled to prevent network looping. If enabled, the network forwards data only after STP convergence. Enabling STP convergence delays the redundancy state machine execution until the STP convergence is completed (the standard protocol value for STP convergence is 50 seconds). Delaying the state machine is important to load balance APs at startup.
master-priority <1-255>
  Configures cluster master priority
  • <1-255> – Specifies cluster master election priority. Assign a value from 1 - 255. The higher the value, the higher the precedence. The default is 128.
  In a cluster environment one device from the cluster is elected as the cluster master. A device’s master priority value decides the device’s priority to become cluster master.

• cluster member [ip <IP> {level [1|2]}|vlan <1-4094>]

member
  Adds a member to the cluster. It also configures the cluster VLAN where members can be reached.
ip <IP> level [1|2]
  Adds IP address of the new cluster member
  • <IP> – Specify the IP address.
  • level – Optional. Configures routing level for the new member. Select one of the following routing levels:
    • 1 – Level 1, local routing
    • 2 – Level 2, In-site routing
vlan <1-4094>
  Configures the cluster VLAN where members can be reached
  • <1-4094> – Specify the VLAN ID from 1 - 4094.

• cluster mode [active|standby]

mode [active|standby]
  Configures cluster member’s mode as active or standby
  • active – Configures cluster mode as active. This is the default setting.
  • standby – Configures cluster mode as standby
  A member can be in either an Active or Standby mode. All active member controllers can adopt access points. Standby members only adopt access points when an active member has failed or sees an access point not adopted by a controller.

• cluster name <CLUSTER-NAME>

name <CLUSTER-NAME>
  Configures the cluster name
  • <CLUSTER-NAME> – Specify the cluster name.

• cluster radius-counter-db-sync-time <1-1440>

radius-counter-db-sync-time <1-1440>
  Configures the interval, in minutes, at which the RADIUS counter database is synchronized with the dedicated NTP server resource.
  • <1-1440> – Specify a value from 1 - 1440 minutes. The default is 5 minutes.
  Use the show > cluster > configuration command to view RADIUS counter DB sync time.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#cluster name cluster1
rfs6000-37FABE(config-profile-default-rfs6000)#cluster member ip 172.16.10.3
rfs6000-37FABE(config-profile-default-rfs6000)#cluster mode active
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  description Vlan1
.......................................................................
 cluster name cluster1
 cluster member ip 172.16.10.3
 cluster member vlan 1
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
  Removes cluster member
7.1.14 configuration-persistence
Profile Config Commands

Enables configuration persistence across reloads. This option is enabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
configuration-persistence {auto|secure}

Parameters
• configuration-persistence {auto|secure}

auto
  Optional. Assigns default value based on the device type
secure
  Optional. Ensures parts of a file that contain security information are not written during a reload

Example
rfs6000-37FABE(config-profile-default-rfs6000)#configuration-persistence secure
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  no edge-vlan
  ip igmp snooping
  no ip igmp snooping unknown-multicast-fwd
  no ip igmp snooping mrouter learn pim-dvmrp
 autoinstall configuration
 autoinstall firmware
..........................................................................
 cluster name cluster1
 cluster member ip 1.2.3.4 level 2
 cluster member ip 172.16.10.3
 cluster member vlan 4094
 cluster handle-stp
 cluster force-configured-state
  holdtime 1000
  timer 900
 configuration-persistence secure
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
  Disables automatic write up of startup configuration file
7.1.15 controller
Profile Config Commands

Configures the WiNG controller (wireless controller or service platform) adoption settings

Adoption is the process a controller or service platform uses to discover available access points and/or peer controllers/service platforms, establish an association and provision the adopted device. Adoption settings are configurable and supported within a profile and applied to all devices supported by the profile.

Use this command to add a controller to a pool and group. This command also enables and disables adoption on controllers, and specifies the device types that can be adopted by a controller.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
controller [adopted-devices|adoption|group|hello-interval|vlan|host]
controller adopted-devices [aps {controllers}|controllers {aps}|external-devices|external-devices-monitoring-only]
controller adoption
controller [group <CONTROLLER-GROUP-NAME>|vlan <1-4094>]
controller hello-interval <1-120> adjacency-hold-time <2-600>
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure|level|pool|remote-vpn-client}
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure} {gw [<IP>|<HOSTNAME>]}
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {level [1|2]|pool <1-2> level [1|2]} {ipsec-secure {gw [<IP>|<HOSTNAME>]}|remote-vpn-client}
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {remote-vpn-client}

Parameters
• controller adopted-devices [aps {controllers}|controllers {aps}|external-devices|external-devices-monitoring-only]

controller
  Configures the WLAN’s controller adoption settings
adopted-devices
  Configures the types of device (AP/controller) this controller can adopt
aps {controllers}
  Enables the adoption of network access points by this controller. This option is enabled by default.
  • controllers – Optional. Enables the adoption of peer controllers by this controller
  All adopted devices (referred to as adoptee) receive complete configuration from the adopting controller (referred to as adopter).
controllers {aps}
  Enables the adoption of peer controllers by this controller
  • aps – Optional. Enables the adoption of network access points by this controller
  A controller cannot be configured as an adoptee and an adopter simultaneously. In other words, an adopted controller (adoptee) cannot be configured to adopt another controller.
  Use the no > controller > adopted-devices command to remove this setting.
external-devices
  Enables adoption of external devices by this controller. This option is disabled by default.
  When enabled, a WiNG controller can adopt and manage T5 controllers and EX3500 switches (using the IPX operating system) within a WiNG managed device subnet. This setting is disabled by default.
  To disable T5 or EX3500 adoption, use the no > controller > external-devices command.
  This feature is supported only on RFS4000, NX9500, NX9510, NX9600, and VX9000 platforms.
external-devices-monitoring-only
  Enables only monitoring of external devices by this controller or service platform. This option is disabled by default.

• controller adoption

controller adoption
  Enables the adoption of the logged device (wireless controller or service platform) by other controllers. This option is disabled by default.
  Use the no > controller > adoption command to disable adoption.

• controller [group <CONTROLLER-GROUP-NAME>|vlan <1-4094>]

controller
  Configures the WLAN’s controller adoption settings
group <CONTROLLER-GROUP-NAME>
  Configures the wireless controller or service platform group
  • <CONTROLLER-GROUP-NAME> – Specify the wireless controller or service platform group name.
vlan <1-4094>
  Configures the wireless controller or service platform VLAN
  • <1-4094> – Specify the VLAN ID from 1 - 4094.

• controller hello-interval <1-120> adjacency-hold-time <2-600>

controller
  Configures the WLAN’s controller settings
hello-interval <1-120>
  Configures the hello-interval in seconds. This is the interval between consecutive hello packets exchanged between AP and wireless controller or service platform.
  • <1-120> – Specify a value from 1 - 120 seconds.
adjacency-hold-time <2-600>
  Configures the adjacency hold time in seconds. This is the time since the last received hello packet, after which the adjacency between wireless controller or service platform and AP is lost, and the link is re-established.
  • <2-600> – Specify a value from 2 - 600 seconds.

• controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure} {gw [<IP>|<HOSTNAME>]}

controller
  Configures the WLAN’s controller adoption settings
host [<IPv4>|<IPv6>|<HOSTNAME>]
  Configures wireless controller or service platform’s IPv4/IPv6 address or hostname
  • <IPv4> – Configures wireless controller or service platform’s IPv4 address
  • <IPv6> – Configures wireless controller or service platform’s IPv6 address
  • <HOSTNAME> – Configures wireless controller or service platform’s hostname
ipsec-secure {gw [<IP>|<HOSTNAME>]}
  Optional. Enables Internet Protocol Security (IPSec) peer authentication on the connection (link) between the adopting devices. This option is disabled by default.
  • gw – Optional. Specifies an IPSec gateway other than the wireless controller or service platform
    • <IP> – Use this option to specify the IPSec gateway’s IP address.
    • <HOSTNAME> – Use this option to specify the IPSec gateway’s hostname.
  If the gateway’s IP address or hostname is not specified, the system assumes the logged controller as the IPSec gateway.

• controller host [<IPv4>|<IPv6>|<HOSTNAME>] {level [1|2]|pool <1-2> level [1|2]} {ipsec-secure {gw [<IP>|<HOSTNAME>]}|remote-vpn-client}

controller
  Configures the WLAN’s controller adoption settings
host [<IPv4>|<IPv6>|<HOSTNAME>]
  Configures wireless controller or service platform’s IPv4/IPv6 address or name
  • <IPv4> – Configures wireless controller or service platform’s IPv4 address
  • <IPv6> – Configures wireless controller or service platform’s IPv6 address
  • <HOSTNAME> – Configures wireless controller or service platform’s name
level [1|2]
  The following keywords are common to the ‘IP’, ‘IPv6’, and ‘hostname’ parameters:
  Optional. After providing the wireless controller or service platform’s address, optionally select one of the following routing levels:
  • 1 – Optional. Level 1, local routing
  • 2 – Optional. Level 2, inter-site routing
  Note: After specifying the routing level, you can optionally enable IPSec Secure authentication and remote VPN client.
pool <1-2> level [1|2]
  The following keywords are common to the ‘IP’, ‘IPv6’, and ‘hostname’ parameters:
  Optional. Sets the wireless controller or service platform’s pool
  • <1-2> – Select either 1 or 2 as the pool. The default is 1. After selecting the pool, optionally select one of the following two routing levels:
    • 1 – Optional. Level 1, local routing
    • 2 – Optional. Level 2, inter-site routing
{ipsec-secure {gw [<IP>|<HOSTNAME>]}|remote-vpn-client}
  After specifying the routing level and/or device’s pool, you can optionally specify the following:
  • ipsec-secure – Optional. Enables IPSec peer authentication on the connection (link) between the adopting devices. This option is disabled by default.
    • gw – Optional. Specifies an IPSec gateway other than the wireless controller or service platform
      • <IP> – Use this option to specify the IPSec gateway’s IP address.
      • <HOSTNAME> – Use this option to specify the IPSec gateway’s hostname.
  Note: If the gateway’s IP address or hostname is not specified, the system assumes the logged controller as the IPSec gateway.
  • remote-vpn-client – Forces MiNT link creation protocol (MLCP) to use remote VPN connection on the controller
  The controller uses remote VPN tunnel for this traffic. If multiple controller hosts are configured, either all the hosts should use remote-vpn-client or none.
  When enabled, an MLCP connection is not initiated until remote VPN connection is UP and virtual IP, DNS server, source route, etc. are installed on the AP.

• controller host [<IPv4>|<IPv6>|<HOSTNAME>] {remote-vpn-client}

controller
  Configures the WLAN’s controller settings
host [<IPv4>|<IPv6>|<HOSTNAME>]
  Configures wireless controller or service platform’s IPv4/IPv6 address or hostname
  • <IP> – Configures wireless controller or service platform’s IPv4 address
  • <IPv6> – Configures wireless controller or service platform’s IPv6 address
  • <HOSTNAME> – Configures wireless controller or service platform’s name
remote-vpn-client
  Forces MLCP to use remote VPN connection on the controller
  The controller uses remote VPN tunnel for this traffic. If multiple controller hosts are configured, either all the hosts should use remote-vpn-client or none.
  When enabled, an MLCP connection is not initiated until remote VPN connection is UP and virtual IP, DNS server, source route, etc. are installed on the AP.

Example
rfs6000-37FABE(config-profile-default-rfs6000)controller group test
rfs6000-37FABE(config-profile-default-rfs6000)#controller host 1.2.3.4 pool 2
rfs7000-37FABE(config-profile-default-rfs7000)#show context
profile rfs6000 default-rfs6000
 no autoinstall configuration
 no autoinstall firmware
 crypto isakmp policy default
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
..........................................................
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 use firewall-policy default
 controller host 1.2.3.4 pool 2
 controller group test
 service pm sys-restart
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

rfs4000-229D58(config-profile-testRFS4000)#controller adopted-devices aps controllers
rfs4000-229D58(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
 autoinstall configuration
....................................................................
  logging on
 service pm sys-restart
 router ospf
 controller adopted-devices aps controllers
rfs4000-229D58(config-profile-testRFS4000)#

Related Commands
no
  Disables or reverts settings to their default
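The following is an added example, not part of the Extreme Networks guide: a Python check that reads the controller lines of a profile's show context output and flags adoption links configured with neither ipsec-secure nor remote-vpn-client, the mixed remote-vpn-client case the parameter description above says to avoid, and an adjacency-hold-time that cannot outlast one hello-interval. The sample profile text is constructed (apart from the guide's own "controller host 1.2.3.4 pool 2" line), and the function and finding names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: controller lines laid out per the syntax in this section.
SAMPLE_CONTEXT = """\
profile rfs6000 default-rfs6000
 use firewall-policy default
 controller host 1.2.3.4 pool 2
 controller host 192.0.2.5 level 2 ipsec-secure gw 192.0.2.1
 controller host ctrl.example.net pool 1 level 1 remote-vpn-client
 controller hello-interval 60 adjacency-hold-time 30
 controller group test
"""

HELLO_RE = re.compile(r"controller hello-interval (\d+) adjacency-hold-time (\d+)$")


@dataclass
class ControllerHost:
    address: str
    pool: int = 1                  # the guide gives 1 as the default pool
    level: Optional[int] = None
    ipsec_secure: bool = False     # disabled by default per the guide
    ipsec_gw: Optional[str] = None
    remote_vpn_client: bool = False


def parse_controller_host(line: str) -> ControllerHost:
    """Parse one 'controller host ...' line into its documented options."""
    tokens = line.split()
    if tokens[:2] != ["controller", "host"] or len(tokens) < 3:
        raise ValueError(f"not a controller host line: {line!r}")
    host = ControllerHost(address=tokens[2])
    rest = iter(tokens[3:])
    for tok in rest:
        if tok in ("pool", "level"):
            value = next(rest, None)
            if value not in ("1", "2"):   # both ranges are 1-2 in the guide
                raise ValueError(f"{tok} must be 1 or 2 in {line!r}")
            setattr(host, tok, int(value))
        elif tok == "ipsec-secure":
            host.ipsec_secure = True
        elif tok == "gw":
            gateway = next(rest, None)
            if not host.ipsec_secure or gateway is None:
                raise ValueError(f"gw must follow ipsec-secure in {line!r}")
            host.ipsec_gw = gateway
        elif tok == "remote-vpn-client":
            host.remote_vpn_client = True
        else:
            raise ValueError(f"unexpected keyword {tok!r} in {line!r}")
    return host


def audit_profile(context: str) -> List[str]:
    """Return findings for the controller settings in a profile context."""
    findings: List[str] = []
    hosts: List[ControllerHost] = []
    for raw in context.splitlines():
        line = raw.strip()
        if line.startswith("controller host "):
            hosts.append(parse_controller_host(line))
            continue
        match = HELLO_RE.match(line)
        if match:
            hello, hold = int(match.group(1)), int(match.group(2))
            if not 1 <= hello <= 120 or not 2 <= hold <= 600:
                findings.append(
                    f"RANGE hello-interval={hello} adjacency-hold-time={hold}")
            elif hold <= hello:
                # Inferred from the two definitions: the adjacency would
                # expire before the next hello packet is due.
                findings.append(
                    f"HOLD_LE_HELLO hello-interval={hello} adjacency-hold-time={hold}")
    for host in hosts:
        if not host.ipsec_secure and not host.remote_vpn_client:
            findings.append(f"NO_LINK_PROTECTION {host.address}")
    uses_vpn = [h.remote_vpn_client for h in hosts]
    if any(uses_vpn) and not all(uses_vpn):
        # The guide: either all hosts use remote-vpn-client or none.
        missing = ",".join(h.address for h in hosts if not h.remote_vpn_client)
        findings.append(f"MIXED_REMOTE_VPN_CLIENT {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_CONTEXT):
        print(finding)
```
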
7.1.16 critical-resource
Profile Config Commands

Enables monitoring of resources critical to the health of the service platform, wireless controller, or access point managed network. These critical resources are identified by their configured IP addresses. When enabled, the system monitors these devices regularly and logs their status. Use this command to create a critical resource monitoring (CRM) policy.

A critical resource can be a gateway, AAA server, WAN interface, any hardware, or a service on which the stability of the network depends. Monitoring these resources is therefore essential. When enabled, this feature pings critical resources regularly to ascertain their status. If there is a connectivity issue, an event is generated stating a critical resource is unavailable. By default, there is no enabled critical resource policy and one needs to be created and implemented.

Critical resources can be monitored directly through the interfaces on which they are discovered. For example, a critical resource on the same subnet as an AP8132 access point can be monitored by its IP address. However, a critical resource located on a VLAN must continue to be monitored on that VLAN.

Critical resource monitoring can be enabled on service platforms, wireless controllers, and access points through their respective device profiles.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
critical-resource [<CR-NAME>|monitor|retry-count]
critical-resource <CR-NAME> [monitor|monitor-using-flows]
critical-resource <CR-NAME> monitor [direct|via]
critical-resource <CR-NAME> monitor direct [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees] {<IP/HOST-ALIAS-NAME>|arp-only vlan [<1-4094>|<VLAN-ALIAS-NAME>]{<IP/HOST-ALIAS-NAME>|port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}
critical-resource <CR-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-INTERFACE-NAME>|pppoe1|vlan|wwan1]
critical-resource <CR-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees] {<IP/HOST-ALIAS-NAME>|arp-only [vlan <1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-NAME>|port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}
critical-resource <CR-NAME> monitor-using-flows [all|any] [criteria|dhcp|dns|sync-adoptees]
critical-resource <CR-NAME> monitor-using-flows [all|any] criteria [all|cluster-master|rf-domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>) {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource <CR-NAME> monitor-using-flows [all|any] dhcp vlan <1-4094> {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource <CR-NAME> monitor-using-flows [all|any] dns <IP/HOST-ALIAS-NAME> {dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource <CR-NAME> monitor-using-flows [all|any] sync-adoptees criteria [all|cluster-master|rf-domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>) {dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource monitor interval <5-86400>
critical-resource retry-count <0-10>

Parameters
• critical-resource <CR-NAME> monitor direct [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees] {<IP/HOST-ALIAS-NAME>|arp-only [vlan <1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-NAME>|port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}

<CR-NAME>
  Identifies the critical resource to be monitored. Provide the name of the critical resource.
monitor
  Enables critical resource(s) monitoring
direct [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees]
  Monitors critical resources using the default routing engine
  • all – Monitors all resources that are going down (generates an event when all specified critical resources are unreachable)
  • any – Monitors any resource that is going down (generates an event when any one of the specified critical resource is unreachable)
    • <IP/HOST-ALIAS-NAME> – Configures the IP address of the critical resource being monitored (for example, the DHCP or DNS server). Specify the IP address in the A.B.C.D format. You can use a host-alias to identify the critical resource. If using a host-alias, ensure that the host-alias is existing and configured.
    • sync-adoptees – Syncs adopted access points with the controller. In the stand-alone AP scenario, where the CRM policy is running on the AP, the AP is notified directly if a critical resource goes down. On the other hand, when an AP is adopted to a controller (running the CRM policy), it is essential to enable the sync-adoptees option in order to sync the AP with the controller regarding the latest CRM status.
arp-only vlan [<1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-NAME>|port [<LAYER2-IFNAME>|ge|port-channel]}
  The following keywords are common to the ‘all’ and ‘any’ parameters:
  • arp-only vlan <1-4094> – Optional. Uses ARP to determine if the IP address is reachable (use this option to monitor resources that do not have IP addresses). ARP is used to resolve hardware addresses when only the network layer address is known.
    • vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Specifies the VLAN ID on which to send the probing ARP requests. Specify the VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured.
      • <IP/HOST-ALIAS-NAME> – Optional. Limits ARP to a device specified by the <IP> parameter. You can use a host-alias to specify the IP address. If using a host-alias, ensure that the host-alias is existing and configured.
      • port [<LAYER2-IF-NAME>|ge|port-channel] – Optional. Limits ARP to a specified port
PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide  7 - 74• critical-resource <CRM-POLICY-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees] {<IP/HOST-ALIAS-NAME>|arp-only vlan [<1-4094>|<VLAN-ALIAS-NAME>] {<IP>|port [<LAYER2-IFNAME>|ge|port-channel]}}<CR-NAME> Identifies the critical resource to be monitored. Provide the name of the critical resource.monitor Enables critical resource(s) monitoringvia Specifies the interface or next-hop via which the ICMP pings should be sent.Configures the interface or next-hop via which ICMP pings are sent. This does not apply to IP addresses configured for arp-only. For interfaces which learn the default-gateway dynamically (like DHCP clients and PPP interfaces), use an interface name for VIA, or use an IP address.<IP/HOST-ALIAS-NAME> Specify the IP address of the next-hop via which the critical resource(s) are monitored. Configures up to four IP addresses for monitoring. All the four IP addresses constitute critical resources. You can use a host-alias to specify the IP address. If using a host-alias, ensure that the host-alias is existing and configured.<LAYER3-INTERFACE-NAME>Specify the layer 3 Interface name (router interface)pppoe1 Specifies PPP over Ethernet interfacevlan [<1-4094>|<VLAN-ALIAS-NAME>]Specifies the wireless controller or service platform’s VLAN interface. Specify VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. 
If using a vlan-alias, ensure that the alias is existing and configured.wwan1 Specifies Wireless WAN interface[all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees]Monitors critical resources using the default routing engine• all – Monitors all resources that are going down (generates an event when all specified critical resource IP addresses are unreachable)• any – Monitors any resource that is going down (generates an event when any one of the specified critical resource IP address is unreachable)• <IP/HOST-ALIAS-NAME> – Configures the IP address of the critical resourcebeing monitored (for example, the DHCP or DNS server). Specify the IP address inthe A.B.C.D format. You can use a host-alias to specify the IP address. If using ahost-alias, ensure that the host-alias is existing and configured.• sync-adoptees – Syncs adopted access points with the controller. In the stand-alone AP scenario, where the CRM policy is running on the AP, the AP is directlyintimated in case a critical resource goes down. On the other hand, when an AP isadopted to a controller (running the CRM policy), it is essential to enable the sync-adoptees option in order to sync the AP with the controller regarding the latestCRM status.arp-onlyvlan [<1-4094>|<VLAN-ALIAS-NAME>]{<IP/HOST-ALIAS-NAME>|port [<LAYER2-IFNAME>|ge|port-channel]}The following keywords are common to the ‘all’ and ‘any’ parameters:• arp-only vlan <1-4094> – Optional. Uses ARP to determine if the IP address is reachable (use this option to monitor resources that do not have IP addresses). ARP is used to resolve hardware addresses when only the network layer address is known.Contd....
PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 75• critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] criteria [all|cluster-master|rf-domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>) {dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}• vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Specifies the VLAN ID to send theprobing ARP requests. Specify the VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing andconfigured.• <IP’HOST-ALIAS-NAME> – Optional. Limits ARP to a device specified by the<IP> parameter. You can use a host-alias to specify the IP address. If using ahost-alias, ensure that the host-alias is existing and configured.• port [<LAYER2-IF-NAME>|ge|port-channel] – Optional. Limits ARP to aspecified port<CR-NAME> Identifies the critical resource to be monitored. Provide the name of the critical resource.monitor-using-flows Enables critical resource(s) monitoring using message flows for DHCP or DNS (DHCP discover, DHCP offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network.[all|any] Configures how critical resource event messages are generated. Options include all and any.• all – Monitors all resources that are going down (generates an event when all specified critical resources are unreachable)• any – Monitors any resource that is going down (generates an event when any one of the specified critical resource is unreachable)criteria [all|cluster-master|rf-domain-manager]Configures the resource that will monitor critical resources and update the rest of the devices in a group. 
  Options include all, rf-domain-manager, or cluster-master.
  • all – Configures all devices within a group (cluster or RF Domain) as the monitoring resource
  • cluster-master – Configures the cluster master as the monitoring resource
  • rf-domain-manager – Configures the RF Domain manager as the monitoring resource
dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]
  The following parameters are recursive and common to the ‘all’, ‘cluster-master’, and ‘rf-domain-manager’ keywords:
  • dhcp – Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
  • vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
dns <IP/HOST-ALIAS-NAME>
  The following parameters are recursive and common to the ‘all’, ‘cluster-master’, and ‘rf-domain-manager’ keywords:
  • dns – Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
  • <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (it should exist and be configured).
{dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
  The ‘dhcp’ and ‘dns’ parameters are recursive and you can optionally configure multiple VLANs and critical resource IPv4 addresses (or host alias names).
  • dhcp – Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
  • vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
  • dns – Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
  • <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (it should exist and be configured).

• critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>] {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}

<CR-NAME>
  Identifies the critical resource to be monitored. Provide the name of the critical resource.
monitor-using-flows
  Enables critical resource(s) monitoring using message flows for DHCP or DNS (DHCP Discover, DHCP Offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network.
[all|any]
  Configures how critical resource event messages are generated.
  Options include all and any.
  • all – Monitors all resources that are going down (generates an event when all specified critical resources are unreachable)
  • any – Monitors any resource that is going down (generates an event when any one of the specified critical resources is unreachable)
dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]
  Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
  • vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
{dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
  The following parameters are recursive and optional. Use them to configure multiple VLANs and critical resource IPv4 addresses (or host alias names):
  • dhcp – Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
  • vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
  • dns – Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
  • <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (it should exist and be configured).

• critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] dns <IP/HOST-ALIAS-NAME> {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}

<CR-NAME>
  Identifies the critical resource to be monitored. Provide the name of the critical resource.
monitor-using-flows
  Enables critical resource(s) monitoring using message flows for DHCP or DNS (DHCP Discover, DHCP Offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network.
[all|any]
  Configures how critical resource event messages are generated. Options include all and any.
  • all – Monitors all resources that are going down (generates an event when all specified critical resources are unreachable)
  • any – Monitors any resource that is going down (generates an event when any one of the specified critical resources is unreachable)
dns <IP/HOST-ALIAS-NAME>
  Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
  • <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (it should exist and be configured).
{dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
  The following parameters are recursive and optional. Use them to configure multiple VLANs and critical resource IPv4 addresses (or host alias names):
  • dhcp – Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
  • vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
  • dns – Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
  • <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (it should exist and be configured).

• critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] sync-adoptees criteria [all|cluster-master|rf-domain-manager] (dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>) {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}

<CR-NAME>
  Identifies the critical resource to be monitored. Provide the name of the critical resource.
monitor-using-flows
  Enables critical resource(s) monitoring using message flows for DHCP or DNS (DHCP Discover, DHCP Offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network.
[all|any]
  Configures how critical resource event messages are generated. Options include all and any.
  • all – Monitors all resources that are going down (generates an event when all specified critical resources are unreachable)
  • any – Monitors any resource that is going down (generates an event when any one of the specified critical resources is unreachable)
sync-adoptees
  Syncs adopted access points with the controller. In the stand-alone AP scenario, where the CRM policy is running on the AP, the AP is notified directly when a critical resource goes down. On the other hand, when an AP is adopted to a controller (running the CRM policy), it is essential to enable the sync-adoptees option in order to sync the AP with the controller regarding the latest CRM status.
criteria [all|cluster-master|rf-domain-manager]
  Configures the resource that will monitor critical resources and update the rest of the devices in a group. Options include all, rf-domain-manager, or cluster-master.
  • all – Configures all devices within a group (cluster or RF Domain) as the monitoring resource
  • cluster-master – Configures the cluster master as the monitoring resource
  • rf-domain-manager – Configures the RF Domain manager as the monitoring resource
dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]
  The following parameters are recursive and common to the ‘all’, ‘cluster-master’, and ‘rf-domain-manager’ keywords:
  • dhcp – Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
  • vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
dns <IP/HOST-ALIAS-NAME>
  The following parameters are recursive and common to the ‘all’, ‘cluster-master’, and ‘rf-domain-manager’ keywords:
  • dns – Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
  • <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (it should exist and be configured).
{dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
  The ‘dhcp’ and ‘dns’ parameters are recursive and you can optionally configure multiple VLANs and critical resource IPv4 addresses (or host alias names).
  • dhcp – Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
  • vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
  • dns – Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
  • <IP/HOST-ALIAS-NAME> – Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (it should exist and be configured).

• critical-resource monitor interval <5-86400>

monitor interval <5-86400>
  Configures the critical resource monitoring frequency. This is the interval between two successive pings to the critical resource being monitored.
  • <5-86400> – Specifies the frequency in seconds. Specify the time from 5 - 86400 seconds. The default is 30 seconds.

• critical-resource retry-count <0-10>

retry-count <0-10>
  Configures the maximum number of failed attempts allowed to connect to a critical resource, using DHCP/DNS message flows, before marking it as down
  • <0-10> – Specifies the maximum number of retries from 0 - 10. The default value is 3 attempts.

Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#critical-resource test monitor direct all 192.168.13.10 arp-only vlan 1
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#critical-resource monitor interval 40
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
rfs6000 B4-C7-99-6D-B5-D4
 use profile default-rfs6000
 use rf-domain default
 hostname rfs6000-6DB5D4
 license AP 6c781f42a3638757d8849c38268b4ea48e483e2f986ae392ebbcdd6a8f6f309443e93ad3123c3d76
 mint mlcp ip
 ip default-gateway 192.168.13.2
 interface vlan1
  ip address 192.168.13.16/24
  ip dhcp client request options all
 cluster mode standby
 cluster member ip 192.168.13.16 level 1
 controller host 192.168.13.13
 critical-resource monitor interval 40
 critical-resource test monitor direct all 192.168.13.10 arp-only vlan 1
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
7.1.17 crypto

Use the crypto command to define a system-level local ID for Internet Security Association and Key Management Protocol (ISAKMP) negotiation and to enter the ISAKMP policy, ISAKMP client, or ISAKMP peer command set.

The following table summarizes crypto configuration mode commands:

Command | Description | Reference
crypto | Invokes commands used to configure ISAKMP policy, ISAKMP client, and ISAKMP peer | page 7-81
crypto-auto-ipsec-tunnel commands | Creates an auto IPSec VPN tunnel and enters its configuration mode | page 7-87
crypto-ikev1/ikev2-policy commands | Creates a crypto IKEv1/IKEv2 policy and enters its configuration mode | page 7-94
crypto-ikev1/ikev2-peer commands | Creates an IKEv1/IKEv2 peer and enters its configuration mode | page 7-103
crypto-map-config-commands | Creates a crypto map and enters its configuration mode | page 7-111
crypto-remote-vpn-client commands | Creates a remote VPN client and enters its configuration mode | page 7-136
7.1.17.1 crypto

Use the crypto command to define a system-level local ID for ISAKMP negotiation and enter the ISAKMP policy, ISAKMP client, or ISAKMP peer configuration mode.

A crypto map entry is a single policy that describes how certain traffic is secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike entries. Each entry is given an index (used to sort the ordered list).

When a non-secured packet arrives on an interface, the crypto map associated with that interface is processed (in order). If a crypto map entry matches the non-secured traffic, the traffic is discarded.

When a packet is transmitted on an interface, the crypto map associated with that interface is processed. The first crypto map entry that matches the packet is used to secure the packet. If a suitable Security Association (SA) exists, it is used for transmission. Otherwise, IKE is used to establish a SA with the peer. If no SA exists (and the crypto map entry is “respond only”), the packet is discarded.

When a secured packet arrives on an interface, its Security Parameter Index (SPI) is used to look up a SA. If a SA does not exist (or if the packet fails any of the security checks), it is discarded.
If all checks pass, the packet is forwarded normally.

Supported in the following platforms:
• Access Points – AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers – RFS4000, RFS6000
• Service Platforms – NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
crypto [auto-ipsec-secure|enable-ike-uniqueids|ike-version|ikev1|ikev2|ipsec|load-management|map|pki|plain-text-deny-acl-scope|remote-vpn-client]
crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]
crypto ike-version [ikev1-only|ikev2-only]
crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]
crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-POLICY-NAME>|remote-vpn]
crypto ipsec [df-bit|security-association|transform-set]
crypto ipsec df-bit [clear|copy|set]
crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192|esp-aes-256|esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac]
crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]
crypto pki import crl <TRUSTPOINT-NAME> URL <1-168>
crypto plain-text-deny-acl-scope [global|interface]
crypto remote-vpn-client

Parameters
• crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]
• crypto ike-version [ikev1-only|ikev2-only]
• crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]
• crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-POLICY-NAME>|remote-vpn]

auto-ipsec-secure
  Configures the Auto IPSec Secure parameter settings. For Auto IPSec tunnel configuration commands, see crypto-auto-ipsec-tunnel commands.
enable-ike-uniqueids
  Enables Internet Key Exchange (IKE) unique ID check
  For more information on IKE unique IDs, see remotegw.
load-management
  Configures load management for platforms using software cryptography
ike-version [ikev1-only|ikev2-only]
  Selects and starts the IKE daemon
  • ikev1-only – Enables support for IKEv1 tunnels only
  • ikev2-only – Enables support for IKEv2 tunnels only
ikev1
  Configures the IKE version 1 parameters
dpd-keepalive <10-3600>
  Sets the global Dead Peer Detection (DPD) keep alive interval from 10 - 3600 seconds. This is the interval between successive IKE keep alive messages sent to detect if a peer is dead or alive. The default is 30 seconds.
dpd-retries <1-1000>
  Sets the global DPD retries count from 1 - 1000. This is the number of keep alive messages sent to a peer before the tunnel connection is declared as dead. The default is 5.
nat-keepalive <10-3600>
  Sets the global NAT keep alive interval from 10 - 3600 seconds. This is the interval between successive NAT keep alive messages sent to detect if a peer is dead or alive. The default is 20 seconds.
peer <IKEV1-PEER>
  Specify the name/Identifier for the IKEv1 peer. For IKEV1 peer configuration commands, see crypto-ikev1/ikev2-peer commands.
policy <IKEV1-POLICY-NAME>
  Configures an ISAKMP policy.
  Specify the name of the policy.
  The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations.
  For IKEV1 policy configuration commands, see crypto-ikev1/ikev2-policy commands.
remote-vpn
  Specifies the IKEV1 remote-VPN server configuration (responder only)
ikev2
  Configures the IKE version 2 parameters
cookie-challenge-threshold <1-100>
  Starts the cookie challenge mechanism after the number of half open IKE SAs exceeds the specified limit. Specify the limit from 1 - 100. The default is 5.
dpd-keepalive <10-3600>
  Sets the global DPD keepalive interval from 10 - 3600 seconds. The default is 30 seconds.
dpd-retries <1-100>
  Sets the global DPD retries count from 1 - 100. The default is 5.
nat-keepalive <10-3600>
  Sets the global NAT keepalive interval from 10 - 3600 seconds. The default is 20 seconds.
peer <IKEV2-PEER>
  Specify the name/Identifier for the IKEv2 peer
policy <IKEV2-POLICY-NAME>
  Configures an ISAKMP policy. Specify the policy name.
  The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations.
remote-vpn
  Specifies an IKEv2 remote-VPN server configuration (responder only)

• crypto ipsec df-bit [clear|copy|set]

ipsec
  Configures the IPSec policy parameters
df-bit [clear|copy|set]
  Configures Don’t-Fragment (DF) bit handling for the encapsulating header. The options are:
  • clear – Clears the DF bit in the outer header and ignores it in the inner header
  • copy – Copies the DF bit from the inner header to the outer header. This is the default setting.
  • set – Sets the DF bit in the outer header

• crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

ipsec
  Configures the IPSec policy parameters
security-association
  Configures the IPSec SAs parameters
lifetime [kilobytes|seconds]
  Defines the IPSec SAs lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds; whichever limit is reached first ends the SA. When the SA lifetime ends it is renegotiated as a security measure.
  • kilobytes – Specifies a volume-based key duration (minimum is 500 KB and maximum is 2147483646 KB)
    • <500-2147483646> – Specify a value from 500 - 2147483646 KB. The default is 4608000 KB.
  • seconds – Specifies a time-based key duration (minimum is 120 seconds and maximum is 86400 seconds)
    • <120-86400> – Specify a value from 120 - 86400 seconds. The default is 3600 seconds.
  The security association lifetime can be overridden under crypto maps.

• crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192|esp-aes-256|esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac]

ipsec
  Configures the IPSec policy parameters
transform-set <TRANSFORM-SET-TAG>
  Defines the transform set configuration (authentication and encryption) for securing data. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic.
  • <TRANSFORM-SET-TAG> – Specify the transform set name.
  After specifying the transform set used by the IPSec transport connection, set the encryption method and the authentication scheme used with the transform set.
  The encryption methods are: DES, 3DES, AES, AES-192 and AES-256.
  Note: The authentication schemes available are: esp-md5-hmac and esp-sha-hmac.
esp-3des
  Configures the ESP transform using 3DES cipher (168 bits). The transform set is assigned to a crypto map using the map’s set > transform-set command.
esp-aes
  Configures the ESP transform using Advanced Encryption Standard (AES) cipher. The transform set is assigned to a crypto map using the map’s set > transform-set command.
esp-aes-192
  Configures the ESP transform using AES cipher (192 bits). The transform set is assigned to a crypto map using the map’s set > transform-set command.
esp-aes-256
  Configures the ESP transform using AES cipher (256 bits). The transform set is assigned to a crypto map using the map’s set > transform-set command. This is the default setting.
esp-des
  Configures the ESP transform using Data Encryption Standard (DES) cipher (56 bits). The transform set is assigned to a crypto map using the map’s set > transform-set command.
esp-null
  Configures the ESP transform with no encryption
[esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac]
  The following keywords are common to all of the above listed transform sets.
  After specifying the transform set type, configure the authentication scheme used to validate identity credentials. The options are:
  • esp-aes-xcbc-mac – Configures ESP transform using AES-XCBC authentication
  • esp-md5-hmac – Configures ESP transform using HMAC-MD5 authentication
  • esp-sha-hmac – Configures ESP transform using HMAC-SHA authentication. This is the default setting.
  • esp-sha256-hmac – Configures ESP transform using HMAC-SHA256 authentication

• crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]

map <CRYPTO-MAP-TAG>
  Configures the crypto map, a software configuration entity that selects data flows that require security processing. The crypto map also defines the policy for these data flows.
  • <CRYPTO-MAP-TAG> – Specify a name for the crypto map. The name should not exceed 32 characters. For crypto map configuration commands, see crypto-map-ipsec-manual-instance.
<1-1000>
  Defines the crypto map entry sequence. Each crypto map uses a list of entries, each entry having a specific sequence number. Specifying multiple sequence numbers within the same crypto map provides the flexibility to connect to multiple peers from the same interface. Specify a value from 1 - 1000.
ipsec-isakmp {dynamic}
  Configures IPSEC w/ISAKMP.
  • dynamic – Optional. Configures dynamic map entry (remote VPN configuration) for XAUTH with mode-config or ipsec-l2tp configuration
ipsec-manual
  Configures IPSEC w/manual keying. Remote configuration is not allowed for manual crypto map.

• crypto pki import crl <TRUSTPOINT-NAME> <URL> <1-168>

pki
  Configures certificate parameters. The Public Key Infrastructure (PKI) protocol creates encrypted public keys using digital certificates from certificate authorities.
import
  Imports a trustpoint related configuration
crl <TRUSTPOINT-NAME>
  Imports a Certificate Revocation List (CRL). Imports a trustpoint including either a private key and server certificate or a certificate authority (CA) certificate or both.
  A CRL is a list of revoked certificates that are no longer valid. A certificate can be revoked if the CA had improperly issued a certificate, or if a private-key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key.
  • <TRUSTPOINT-NAME> – Specify the trustpoint name.
<URL>
  Specify the CRL source address in the following format. Both IPv4 and IPv6 address formats are supported.
  tftp://<hostname|IPv4 or IPv6>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|IPv4 or IPv6>[:port]/path/file
  sftp://<user>:<passwd>@<hostname|IPv4 or IPv6>[:port]>/path/file
  http://<hostname|IPv4 or IPv6>[:port]/path/file
  cf:/path/file
  usb<n>:/path/file
<1-168>
  Sets command replay duration from 1 - 168 hours. This is the interval (in hours) after which devices using this profile copy a CRL file from an external server and associate it with a trustpoint.

• crypto plain-text-deny-acl-scope [global|interface]

plain-text-deny-acl-scope
  Configures plain-text-deny-acl-scope parameters
global
  Applies the plain text deny ACL globally. This is the default setting.
interface
  Applies the plain text deny ACL to the interface only

• crypto remote-vpn-client

remote-vpn-client
  Configures remote VPN client settings. For more information, see crypto-remote-vpn-client commands.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
rfs6000-37FABE(config-profile-default-rfs6000)#crypto map map1 10 ipsec-isakmp dynamic
rfs6000-37FABE(config-profile-default-rfs6000)#crypto plain-text-deny-acl-scope interface
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  tunnel-over-level2
  ip igmp snooping
  ip igmp snooping querier
 no autoinstall configuration
 no autoinstall firmware
 device-upgrade persist-images
 crypto ikev1 dpd-retries 1
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
 crypto map map1 10 ipsec-isakmp dynamic
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto plain-text-deny-acl-scope interface
 interface radio1
 interface radio2
 interface up
rfs6000-37FABE(config-profile-default-rfs6000)#

rfs6000-37FABE(config-profile-default-rfs6000)#crypto ipsec transform-set tag1 esp-null esp-md5-hmac
rfs6000-37FABE(config-profile-default-rfs6000-transform-set-tag1)#?
Crypto Ipsec Configuration commands:
  mode     Encapsulation mode (transport/tunnel)
  no       Negate a command or set its defaults
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-profile-default-rfs6000-transform-set-tag1)#

Related Commands
no
  Disables or reverts settings to their default
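The following Python script is an added example, not part of the original guide or of WiNG itself. It scans 'show context' output like the profile in the Example above and flags the transform-set, isakmp-proposal and CRL import settings from this section that weaken a tunnel. The finding texts, the trustpoint name tp-example, the CRL URL, and the assumption that 'show context' echoes 'crypto pki import crl' in its command form are this example's own.

```python
"""Audit a WiNG profile 'show context' dump for weak IPsec/IKE settings.

Added example: the findings and their wording are this example's own
assessment, not part of the WiNG CLI or its documentation.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Keywords from the transform-set syntax in this section that a reviewer should flag.
WEAK_ESP_CIPHERS = {
    "esp-null": "ESP without encryption: payload travels in clear text",
    "esp-des": "DES (56-bit key) is within reach of brute force",
    "esp-3des": "3DES is deprecated (64-bit block cipher)",
}
WEAK_ESP_AUTH = {
    "esp-md5-hmac": "HMAC-MD5 is deprecated; esp-sha256-hmac is available",
}
# 'group 2' appears in the default isakmp-proposal lines shown in the Example.
WEAK_DH_GROUPS = {"2": "DH group 2 is a 1024-bit MODP group"}
CLEARTEXT_SCHEMES = {"ftp", "http", "tftp"}

TRANSFORM_RE = re.compile(r"crypto ipsec transform-set (\S+) (esp-\S+) (esp-\S+)$")
POLICY_RE = re.compile(r"crypto (ikev[12]) policy (\S+)$")
PROPOSAL_RE = re.compile(r"isakmp-proposal \S+ encryption \S+ group (\S+) hash \S+$")
CRL_RE = re.compile(r"crypto pki import crl (\S+) (\S+) \d+$")


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the dump
    subject: str   # configuration object the finding belongs to
    keyword: str   # offending keyword or value
    reason: str


def audit_crl_url(url):
    """Return a reason string if the CRL source URL carries a password, else None."""
    try:
        parts = urlsplit(url)
        password = parts.password
    except ValueError:
        return "CRL source URL could not be parsed"
    if password is None:
        return None
    if parts.scheme in CLEARTEXT_SCHEMES:
        return f"password embedded in URL and sent unencrypted over {parts.scheme}"
    return "password embedded in URL is stored in the profile"


def audit(config_text):
    """Scan 'show context' text and return a list of Finding objects."""
    findings = []
    policy = None  # IKE policy whose indented block is being read
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if m := POLICY_RE.match(line):
            policy = f"{m.group(1)} policy {m.group(2)}"
            continue
        if m := PROPOSAL_RE.match(line):
            group = m.group(1)
            if group in WEAK_DH_GROUPS:
                findings.append(Finding(line_no, policy or "isakmp-proposal",
                                        f"group {group}", WEAK_DH_GROUPS[group]))
            continue
        policy = None  # any other line ends the policy block
        if m := TRANSFORM_RE.match(line):
            subject = f"transform-set {m.group(1)}"
            for keyword, table in ((m.group(2), WEAK_ESP_CIPHERS),
                                   (m.group(3), WEAK_ESP_AUTH)):
                if keyword in table:
                    findings.append(Finding(line_no, subject, keyword, table[keyword]))
        elif m := CRL_RE.match(line):
            reason = audit_crl_url(m.group(2))
            if reason:
                scheme = m.group(2).partition(":")[0]  # never echo the credentials
                findings.append(Finding(line_no, f"crl trustpoint {m.group(1)}",
                                        scheme, reason))
    return findings


# Lines 1-9 are taken from the 'show context' output in the Example; the last
# two lines are constructed for illustration (the tag1 transform set mirrors
# the second example command, the CRL import line is hypothetical).
SAMPLE_CONFIG = """\
profile rfs6000 default-rfs6000
 crypto ikev1 dpd-retries 1
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
 crypto map map1 10 ipsec-isakmp dynamic
 crypto ipsec transform-set tag1 esp-null esp-md5-hmac
 crypto pki import crl tp-example ftp://crluser:example-pass@192.0.2.10/crl/ca.crl 24
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.subject}: {f.keyword} - {f.reason}")
```

Run against a saved 'show context' dump, the script reports the default IKE policies (group 2), both MD5-authenticated transform sets, the unencrypted tag1 transform set and the credential-bearing CRL URL, without echoing the password.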
7.1.17.2 crypto-auto-ipsec-tunnel commands

Creates an auto IPSec VPN tunnel and changes the mode to auto-ipsec-secure mode for further configuration

Auto IPSec tunneling provides a secure tunnel between two networked peer controllers or service platforms and associated access points that are within a range of valid IP addresses. You can define which packets are sent within the tunnel, and how they are protected. When a tunneled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination or associated access point.

Tunnels are sets of SAs between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunneled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP).

The IKE protocol is a key management protocol used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard.
IKE enables secure communications without time consuming manual pre-configuration for auto IPSec tunneling.

rfs7000-37FABE(config-profile-default-rfs7000)#crypto auto-ipsec-secure
rfs7000-37FABE(config-profile-default-rfs7000-crypto-auto-ipsec-secure)#?
Crypto Auto IPSEC Tunnel commands:
  groupid       Local/Remote identity and Authentication credentials for Auto
                IPSec Secure IKE negotiation
  ike-lifetime  Set lifetime for ISAKMP security association
  ikev2         IKEv2 configuration commands
  ip            Internet Protocol config commands
  no            Negate a command or set its defaults
  remotegw      Auto IPSec Secure Remote Peer IKE
  clrscr        Clears the display screen
  commit        Commit all changes made in this session
  do            Run commands from Exec mode
  end           End current mode and change to EXEC mode
  exit          End current mode and down to previous mode
  help          Description of the interactive help system
  revert        Revert changes
  service       Service Commands
  show          Show running system information
  write         Write running configuration to memory or terminal
rfs7000-37FABE(config-profile-default-rfs7000-crypto-auto-ipsec-secure)#

The following table summarizes the crypto IPSec auto tunnel configuration mode commands:

Command | Description | Reference
groupid | Specifies the identity string used for IKE authentication | page 7-88
ip | Enables the controller or service platform to uniquely identify APs and the hosts present in the AP’s subnet | page 7-89
ike-lifetime | Configures the IKE SA’s key lifetime in seconds | page 7-90
ikev2 | Enables the forced re-authentication of IKEv2 peer | page 7-91
remotegw | Defines the IKE version used for an auto IPSec tunnel using secure gateways | page 7-92
no | Removes or reverts the crypto auto IPSec tunnel settings | page 7-93
7.1.17.2.1 groupid

Specifies the identity string used for IKE authentication

Supported in the following platforms:
• Access Points – AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers – RFS4000, RFS6000
• Service Platforms – NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
groupid <WORD> [psk|rsa]
groupid <WORD> [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]

Parameters
• groupid <WORD> [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]

<WORD>
  Specify a string not exceeding 64 characters. This is the group identity used for IKE exchange for auto IPSec secure peers. After providing a group ID, specify the authentication method used to authenticate peers on the auto IPSec secure tunnel. The options are: psk and rsa.
psk [0 <WORD>|2 <WORD>|<WORD>]
  Configures the pre-shared key (PSK) as the authentication type for secure peer authentication on the auto IPSec secure tunnel
  • 0 <WORD> – Configures a clear text key
  • 2 <WORD> – Configures an encrypted key
  • <WORD> – Specify a string value from 8 - 21 characters.
rsa
  Configures the Rivest-Shamir-Adleman (RSA) key.
  RSA is an algorithm for public key cryptography. It is the first algorithm known to be suitable for signing, as well as encryption. This is the default setting.

NOTE: Only one group ID is supported on the controller or service platform. All APs, controllers, and service platforms must use the same group ID.

Example
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#groupid testgroup@123 rsa
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context
 crypto auto-ipsec-secure
  groupid testgroup@123 rsa
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#
PROFILES 7 - 89

7.1.17.2.2 ip
crypto-auto-ipsec-tunnel commands

Enables the controller to uniquely identify APs and the hosts present in the AP’s subnet. This allows the controller to correctly identify the destination host and create a dynamic site-to-site VPN tunnel between the host and the private network behind the controller.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip nat crypto

Parameters
• ip nat crypto

ip nat crypto
  Enables unique identification of APs and the hosts present in each AP’s subnet
  Providing a unique ID enables the access point, wireless controller, or service platform to uniquely identify the destination device. This is essential in networks where there are multiple APs behind a router, or when two (or more) APs behind two (or more) different routers have the same IP address. Further, the same subnet exists behind these APs.
  For example, let us consider a scenario where there are two APs (A and B) behind two routers (1 and 2). AP ‘A’ is behind router ‘1’. And AP ‘B’ is behind router ‘2’. Both these APs have the same IP address (192.168.13.8). The subnet behind APs A and B is also the same (100.1.1.0/24). In such a scenario the controller fails to uniquely identify the hosts present in either AP’s subnet.
  For more information, see remotegw and crypto.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ip nat crypto
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#show context
 crypto auto-ipsec-secure
  remotegw ike-version ikev2 uniqueid
  ip nat crypto
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#
PROFILES 7 - 90

7.1.17.2.3 ike-lifetime
crypto-auto-ipsec-tunnel commands

Configures the IKE SA’s key lifetime in seconds

The lifetime defines how long a connection (encryption/authentication keys) should last, from successful key negotiation to expiration. Two peers need not exactly agree on the lifetime, though if they do not, there is some clutter for a superseded connection on the peer defining the lifetime as longer.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ike-lifetime <600-86400>

Parameters
• ike-lifetime <600-86400>

ike-lifetime <600-86400>
  Sets the IKE SA’s key lifetime in seconds
  • <600-86400> – Specify a value from 600 - 86400 seconds. The default is 8600 seconds.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ike-lifetime 800
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#show context
 crypto auto-ipsec-secure
  ike-lifetime 800
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#
PROFILES 7 - 91

7.1.17.2.4 ikev2
crypto-auto-ipsec-tunnel commands

Enables the forced IKEv2 peer re-authentication. This option is disabled by default.

In most IPSec tunnel configurations, the lifetime of IKE SAs between peers is limited. Once the IKE SA key expires it is renegotiated. In such a scenario, the IKEv2 tunnel peers may or may not re-authenticate themselves. When enabled, IKE tunnel peers have to re-authenticate each time the IKE SA is renegotiated.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ikev2 peer reauth

Parameters
• ikev2 peer reauth

ikev2 peer reauth
  Enables IKEv2 peer re-authentication. When enabled, IKE tunnel peers are forced to re-authenticate each time the IKE key is renegotiated.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ikev2 peer reauth
PROFILES 7 - 92

7.1.17.2.5 remotegw
crypto-auto-ipsec-tunnel commands

Defines the IKE version used for auto IPSec tunnel negotiation with an IPSec remote gateway other than the controller

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid}

Parameters
• remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid}

remotegw ike-version
  Configures the IKE version used for initiating auto IPSec tunnel with secure gateways other than the controller
ikev1-aggr
  Aggressive mode is used by the auto IPSec tunnel initiator to set up the connection
ikev1-main
  Main mode is used by the auto IPSec tunnel initiator to establish the connection
ikev2
  IKEv2 is the preferred method when wireless controller/AP only is used
uniqueid
  This keyword is common to all of the above parameters.
  • uniqueid – Optional. Enables the assigning of a unique ID to APs (using this profile) behind a router by prefixing the MAC address to the group ID
  Providing a unique ID enables the access point, wireless controller, or service platform to uniquely identify the destination device. This is essential in networks where there are multiple APs behind a router, or when two (or more) APs behind two (or more) different routers have the same IP address.
  For example, let us consider a scenario where there are two APs (A and B) behind two routers (1 and 2). AP ‘A’ is behind router ‘1’. And AP ‘B’ is behind router ‘2’. Both these APs have the same IP address (192.168.13.8). In such a scenario, the controller fails to establish an Auto IPSec VPN tunnel to either AP, because it is unable to uniquely identify them.
  After enabling unique ID assignment, enable IKE unique ID check. For more information, see crypto.

Example
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#remotegw ike-version ikev2 uniqueid
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context
 crypto auto-ipsec-secure
  remotegw ike-version ikev2 uniqueid
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#
PROFILES 7 - 93

7.1.17.2.6 no
crypto-auto-ipsec-tunnel commands

Removes or resets the auto IPSec tunnel settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [groupid|ike-lifetime|ikev2 peer reauth|ip nat crypto]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Removes or resets this auto IPSec tunnel’s settings based on the parameters passed

Example
The following example shows the Auto IPSec VLAN bridge settings before the ‘no’ command is executed:

rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context
 crypto auto-ipsec-secure
  groupid testpassword@123 rsa
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#no groupid

The following example shows the Auto IPSec VLAN bridge settings after the ‘no’ command is executed:

rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context
 crypto auto-ipsec-secure
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#
PROFILES 7 - 94

7.1.17.3 crypto-ikev1/ikev2-policy commands
crypto

Defines crypto-IKEv1/IKEv2 commands in detail

IKE protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs and enables secure communications without time consuming manual pre-configuration.

Use the (config) instance to configure IKEv1/IKEv2 policy configuration commands.

To navigate to the IKEv1/IKEv2 policy config instance, use the following commands:

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto ikev1/ikev2 policy <IKEV1/IKEV2-POLICY-NAME>

rfs7000-37FABE(config-profile-default-rfs7000)#crypto ikev1 policy ikev1-testpolicy
rfs7000-37FABE(config-profile-default-rfs7000-ikev1-policy-ikev1-testpolicy)#?
Crypto IKEv1 Policy Configuration commands:
  dpd-keepalive    Set Dead Peer Detection interval in seconds
  dpd-retries      Set Dead Peer Detection retries count
  isakmp-proposal  Configure ISAKMP Proposals
  lifetime         Set lifetime for ISAKMP security association
  mode             IKEv1 mode (main/aggressive)
  no               Negate a command or set its defaults
  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal
rfs7000-37FABE(config-profile-default-rfs7000-ikev1-policy-ikev1-testpolicy)#

rfs7000-37FABE(config-profile-test-ikev2-policy-ikev2-testpolicy)#?
Crypto IKEv2 Policy Configuration commands:
  dpd-keepalive    Set Dead Peer Detection interval in seconds
  isakmp-proposal  Configure ISAKMP Proposals
  lifetime         Set lifetime for ISAKMP security association
  no               Negate a command or set its defaults
  sa-per-acl       Setup single SA for all rules in the ACL (ONLY APPLICABLE
                   FOR SITE-TO-SITE VPN)
  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal
rfs7000-37FABE(config-profile-test-ikev2-policy-ikev2-testpolicy)#
PROFILES 7 - 95

The following table summarizes crypto IKEv1/IKEv2 configuration mode commands:

Command          Description                                                                                                     Reference
dpd-keepalive    Sets DPD keep alive packet interval                                                                             page 7-96
dpd-retries      Sets the maximum number of attempts for sending DPD keep alive packets (applicable only to the IKEv1 policy)    page 7-97
isakmp-proposal  Configures ISAKMP proposals                                                                                     page 7-98
lifetime         Specifies how long an IKE SA is valid before it expires                                                         page 7-100
mode             Sets the mode of the tunnels (applicable only to the IKEv1 policy)                                              page 7-101
no               Removes or reverts IKEv1/IKEv2 policy settings                                                                  page 7-102

NOTE: IKEv2, being an improved version of the original IKEv1 design, is recommended in most deployments. IKEv2 provides enhanced cryptographic mechanisms, NAT and firewall traversal, attack resistance, etc.
PROFILES 7 - 96

7.1.17.3.1 dpd-keepalive
crypto-ikev1/ikev2-policy commands

Sets the DPD keep-alive packet interval

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dpd-keepalive <10-3600>

Parameters
• dpd-keepalive <10-3600>

<10-3600>
  Specifies the interval, in seconds, between successive DPD keep alive packets.
  The IKE keep alive message is used to detect a dead peer on the remote end of the IPSec VPN tunnel. Specify the time from 10 - 3600 seconds. The default is 30 seconds.

Example
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)# dpd-keepalive 11
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-testpolicy)#show context
 crypto ikev1 policy testpolicy
  dpd-keepalive 11
  isakmp-proposal default encryption aes-256 group 2 hash sha
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-testpolicy)#
PROFILES 7 - 97

7.1.17.3.2 dpd-retries
crypto-ikev1/ikev2-policy commands

Sets the maximum number of times DPD keep-alive packets are sent to a peer. Once this value is exceeded, without a response from the peer, the VPN tunnel connection is declared dead. This option is available only for the IKEv1 policy.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dpd-retries <1-100>

Parameters
• dpd-retries <1-100>

<1-100>
  Declares a peer dead after the specified number of retries. Specify a value from 1 - 100. The default is 5.

Example
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#dpd-retries 10
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
 crypto ikev1 policy testpolicy
  dpd-keepalive 11
  dpd-retries 10
  isakmp-proposal default encryption aes-256 group 2 hash sha
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
PROFILES 7 - 98

7.1.17.3.3 isakmp-proposal
crypto-ikev1/ikev2-policy commands

Configures ISAKMP proposals and their parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
isakmp-proposal <WORD> encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash [aes-xcbc-mac|md5|sha|sha256]

Parameters
• isakmp-proposal <WORD> encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash [aes-xcbc-mac|md5|sha|sha256]

<WORD>
  Assigns the target peer (tunnel destination) a 32 character maximum name to distinguish it from others with a similar configuration.
encryption [3des|aes|aes-192|aes-256]
  Configures the encryption method used by the tunneled peers to securely inter-operate
  • 3des – Configures triple data encryption standard
  • aes – Configures AES (128 bit keys)
  • aes-192 – Configures AES (192 bit keys)
  • aes-256 – Configures AES (256 bit keys). This is the default setting.
group [14|2|5]
  Specifies the Diffie-Hellman (DH) group identifier used by VPN peers to derive a shared secret password without having to transmit it. DH groups determine the strength of the key used in key exchanges. The higher the group number, the stronger and more secure the key. Options include 2, 5 and 14.
  • 14 – Configures DH group 14
  • 2 – Configures DH group 2. This is the default setting.
  • 5 – Configures DH group 5
hash [aes-xcbc-mac|md5|sha|sha256]
  Specifies the hash algorithm used to authenticate data transmitted over the IKE SA. The hash algorithm specified here is used by VPN peers to exchange credential information.
  • aes-xcbc-mac – Uses AES XCBC Auth hash algorithm. This option is applicable only to the IKEv2 policy configuration context.
  • md5 – Uses Message Digest 5 (MD5) hash algorithm
  • sha – Uses Secure Hash Authentication (SHA) hash algorithm. This is the default setting.
  • sha256 – Uses Secure Hash Standard 2 algorithm
PROFILES 7 - 99

Example
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)# isakmp-proposal testproposal encryption aes group 2 hash sha
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
 crypto ikev1 policy testpolicy
  dpd-keepalive 11
  dpd-retries 10
  isakmp-proposal default encryption aes-256 group 2 hash sha
  isakmp-proposal testpraposal encryption aes group 2 hash sha
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
PROFILES 7 - 100

7.1.17.3.4 lifetime
crypto-ikev1/ikev2-policy commands

Specifies how long an IKE SA (encryption/authentication keys) is valid. The value specified is the validity period of the IKE SA from successful key negotiation to expiration.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
lifetime <600-86400>

Parameters
• lifetime <600-86400>

lifetime <600-86400>
  Specifies how many seconds an IKE SA lasts before it expires. Set a time stamp from 600 - 86400 seconds.
  • <600-86400> – Specify a value from 600 - 86400 seconds. The default is 86400 seconds.

Example
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#lifetime 655
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
 crypto ikev1 policy testpolicy
  dpd-keepalive 11
  dpd-retries 10
  lifetime 655
  isakmp-proposal default encryption aes-256 group 2 hash sha
  isakmp-proposal testpraposal encryption aes group 2 hash sha
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
PROFILES 7 - 101

7.1.17.3.5 mode
crypto-ikev1/ikev2-policy commands

Configures the IPSec mode of operation for the IKEv1 policy. This option is not available for IKEv2 policy.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mode [aggressive|main]

Parameters
• mode [aggressive|main]

mode [aggressive|main]
  Sets the mode of the tunnels
  • aggressive – Initiates the aggressive mode
  • main – Initiates the main mode
  If configuring the IKEv1 IPSec policy, define the IKE mode as either main or aggressive. In the aggressive mode, 3 messages are exchanged between the IPSec peers to set up the SA. On the other hand, in the main mode, 6 messages are exchanged. The default setting is main.

Example
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#mode aggressive
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
 crypto ikev1 policy testpolicy
  dpd-keepalive 11
  dpd-retries 10
  lifetime 655
  isakmp-proposal default encryption aes-256 group 2 hash sha
  isakmp-proposal testpraposal encryption aes group 2 hash sha
  mode aggressive
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
PROFILES 7 - 102

7.1.17.3.6 no
crypto-ikev1/ikev2-policy commands

Removes or reverts IKEv1/IKEv2 policy settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [dpd-keepalive|dpd-retries|isakmp-proposal <WORD>|lifetime|mode]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
  Removes or reverts this IKEv1/IKEv2 policy’s settings based on the parameters passed

Example
The following example shows the IKEV1 Policy settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
 crypto ikev1 policy testpolicy
  dpd-keepalive 11
  dpd-retries 10
  lifetime 655
  isakmp-proposal default encryption aes-256 group 2 hash sha
  isakmp-proposal testpraposal encryption aes group 2 hash sha
  mode aggressive
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#no mode
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#no dpd-keepalive
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#no dpd-retries

The following example shows the IKEV1 Policy settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
 crypto ikev1 policy testpolicy
  lifetime 655
  isakmp-proposal default encryption aes-256 group 2 hash sha
  isakmp-proposal testpraposal encryption aes group 2 hash sha
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
PROFILES 7 - 103

7.1.17.4 crypto-ikev1/ikev2-peer commands
crypto

Use the (config) instance to configure IKEv1/IKEv2 peer configuration commands. To navigate to the IKEv1/IKEv2 peer config instance, use the following commands:

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto ikev1/ikev2 peer <IKEV1/IKEV2-PEER-NAME>

rfs7000-37FABE(config-profile-default-rfs7000)#crypto ikev1 peer peer1
rfs7000-37FABE(config-profile-default-rfs7000-ikev1-peer-peer1)#?
Crypto IKEV1 Peer Configuration commands:
  authentication  Configure Authentication credentials
  ip              Configure peer address/fqdn
  localid         Set local identity
  no              Negate a command or set its defaults
  remoteid        Configure remote peer identity
  use             Set setting to use
  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode
  help            Description of the interactive help system
  revert          Revert changes
  service         Service Commands
  show            Show running system information
  write           Write running configuration to memory or terminal
rfs7000-37FABE(config-profile-default-rfs7000-ikev1-peer-peer1)#

rfs7000-37FABE(config-profile-default-rfs7000)#crypto ikev2 peer peer1
rfs7000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#?
Crypto IKEV2 Peer Configuration commands:
  authentication  Configure Authentication credentials
  ip              Configure peer address/fqdn
  localid         Set local identity
  no              Negate a command or set its defaults
  remoteid        Configure remote peer identity
  use             Set setting to use
  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  do              Run commands from Exec mode
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode
  help            Description of the interactive help system
  revert          Revert changes
  service         Service Commands
  show            Show running system information
  write           Write running configuration to memory or terminal
rfs7000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#
PROFILES 7 - 104

The following table summarizes crypto IPSec IKEv1/IKEv2 peer configuration mode commands:

Command         Description                                                                                                                                                     Reference
authentication  Configures a peer’s authentication mode and the pre-shared key                                                                                                  page 7-105
ip              Configures the peer’s IP address                                                                                                                                page 7-106
localid         Configures a peer’s local identity details                                                                                                                      page 7-107
remoteid        Configures a remote peer’s identity details                                                                                                                     page 7-108
use             Associates an IKEv1 policy and IKEv2 policy with the IKEv1 and IKEv2 peer respectively                                                                          page 7-109
no              Negates a command or reverts settings to their default. The no command, when used in the ISAKMP policy mode, defaults the ISAKMP protection suite settings.   page 7-110
PROFILES 7 - 105

7.1.17.4.1 authentication
crypto-ikev1/ikev2-peer commands

Configures IKEv1/IKEv2 peer’s authentication mode and the pre-shared key

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
authentication [psk|rsa]
authentication psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote}
authentication rsa

Parameters
• authentication psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote}
• authentication rsa

psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote}
  Configures the authentication mode as pre-shared key (PSK). The PSK is a string, 8 - 12 characters long. It is shared by both ends of the VPN tunnel connection. If using IKEv2, both a local and remote string must be specified for handshake validation at both ends (local and remote) of the VPN connection.
  • 0 <WORD> – Configures a clear text key
  • 2 <WORD> – Configures an encrypted key
  • <WORD> – Configures the pre-shared key
  The following keywords are available only in the IKEv2 peer configuration mode:
  • local – Optional. Uses the specified key for local peer authentication only
  • remote – Optional. Uses the specified key for remote peer authentication only
  Note: In case the peer type is not specified, this string is used for authenticating both local and remote peers.
rsa
  Configures the authentication mode as Rivest, Shamir, and Adleman (RSA). This is the default setting (for both IKEv1 and IKEv2).
  RSA is the first known public-key cryptography algorithm designed for signing and encryption. If configuring the IKEv2 peer, the ‘rsa’ option allows you to enable authentication at both ends of the VPN connection (local and remote).

Example
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#authentication rsa
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#authentication psk 0 key@123456
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
 crypto ikev2 peer peer1
  authentication psk 0 key@123456 local
  authentication psk 0 key@123456 remote
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#
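The choices documented in the isakmp-proposal, mode and authentication sections above (3des, DH groups 2 and 5, md5, aggressive mode, clear-text `psk 0` keys) can be checked mechanically against saved `show context` output. The following Python linter is an added example, not part of the WiNG guide or Extreme Networks code; the rule names, severity labels, the reading of `sha` as SHA-1, and the sample configuration are assumptions constructed for this example.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    context: str   # block header, e.g. "crypto ikev1 policy testpolicy"
    rule: str      # rule name (assumption of this example)
    severity: str  # severity label (assumption of this example)
    detail: str    # human-readable detail; never contains key material


# Constructed sample, laid out like the "show context" output in this guide.
SAMPLE_CONFIG = """\
 crypto ikev1 policy testpolicy
  dpd-keepalive 11
  dpd-retries 10
  lifetime 655
  isakmp-proposal default encryption aes-256 group 2 hash sha
  isakmp-proposal legacy encryption 3des group 5 hash md5
  mode aggressive
 crypto ikev2 policy test-ikev2policy
  isakmp-proposal strong encryption aes-256 group 14 hash sha256
 crypto ikev2 peer peer1
  ip address 192.168.10.6
  authentication psk 0 test@123456 local
  authentication psk 0 test@123456 remote
  use ikev2-policy test-ikev2policy
"""

# isakmp-proposal <WORD> encryption <alg> group <n> hash <alg>
PROPOSAL_RE = re.compile(
    r"^isakmp-proposal (\S+) encryption (\S+) group (\d+) hash (\S+)$")
# authentication psk [0|2] <key> {local|remote}
PSK_RE = re.compile(
    r"^authentication psk (?:(0|2) )?(\S+)(?: (local|remote))?$")

WEAK_ENCRYPTION = {"3des"}
# "sha" is assumed to mean SHA-1, since the guide lists sha256 separately.
WEAK_HASH = {"md5": ("weak-hash", "high"), "sha": ("sha1-hash", "low")}
MIN_DH_GROUP = 14  # strongest group the documented syntax offers


def audit(config_text: str) -> List[Finding]:
    """Return findings for weak IKE settings in WiNG-style config text."""
    findings: List[Finding] = []
    context: Optional[str] = None

    def add(rule: str, severity: str, detail: str) -> None:
        findings.append(Finding(context or "", rule, severity, detail))

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto "):       # header opens a new block
            context = line
            if line.startswith("crypto ikev1 policy "):
                add("ikev1-policy", "info",
                    "guide recommends IKEv2 in most deployments")
            continue
        m = PROPOSAL_RE.match(line)
        if m:
            name, enc, group, hash_alg = m.groups()
            if enc in WEAK_ENCRYPTION:
                add("weak-encryption", "medium",
                    f"proposal {name}: encryption {enc}")
            if int(group) < MIN_DH_GROUP:
                add("weak-dh-group", "high",
                    f"proposal {name}: group {group}, use group 14")
            if hash_alg in WEAK_HASH:
                rule, severity = WEAK_HASH[hash_alg]
                add(rule, severity, f"proposal {name}: hash {hash_alg}")
            continue
        if line == "mode aggressive":
            add("aggressive-mode", "high",
                "3-message IKEv1 exchange; main mode is the default")
            continue
        m = PSK_RE.match(line)
        if m and m.group(1) == "0":
            scope = m.group(3) or "local+remote"
            # The key itself is deliberately left out of the report.
            add("cleartext-psk", "high",
                f"clear-text pre-shared key ({scope}), value redacted")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.rule:16} {f.context}: {f.detail}")
```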
PROFILES 7 - 106

7.1.17.4.2 ip
crypto-ikev1/ikev2-peer commands

Sets the IP address or Fully Qualified Domain Name (FQDN) of the IPSec VPN peer used in the tunnel setup

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip [address <IP>|fqdn <WORD>]

Parameters
• ip [address <IP>|fqdn <WORD>]

address <IP>
  Specify the peer device’s IP address.
fqdn <WORD>
  Specify the peer device’s FQDN hostname.

Example
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#ip address 172.16.10.12
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
 crypto ikev1 peer peer1
  ip address 172.16.10.12
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#ip address 192.168.10.6
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
 crypto ikev2 peer peer1
  ip address 192.168.10.6
  authentication psk 0 test@123456 local
  authentication psk 0 test@123456 remote
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#
PROFILES 7 - 107

7.1.17.4.3 localid
crypto-ikev1/ikev2-peer commands

Sets an IKEv1/IKEv2 peer’s local identity. This local identifier is used with this peer configuration for an IKE exchange with the target VPN IPSec peer.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
localid [address|autogen-uniqueid|dn|email|fqdn|string]
localid [address <IP>|autogen-uniqueid <WORD>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]

Parameters
• localid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]

address <IP>
  Configures the peer’s IP address. The IP address is used as local identity.
autogen-uniqueid <WORD>
  Generates a localid using the device's unique identity. The system prefixes the device's unique identity to the string provided here. The device’s unique identity should already exist and be configured. For more information on configuring a device’s unique identity, see autogen-uniqueid.
  • <WORD> – Provide the string.
dn <WORD>
  Configures the peer’s distinguished name (for example, "C=us ST=<state> L=<location> O=<organization> OU=<org unit>"). The maximum length is 128 characters.
email <WORD>
  Configures the peer’s e-mail address. The maximum length is 128 characters.
fqdn <WORD>
  Configures the peer’s FQDN. The maximum length is 128 characters.
string <WORD>
  Configures the peer’s identity string. The maximum length is 128 characters. This is the default setting.

Example
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#localid email bob@examplecompany.com
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
 crypto ikev1 peer peer1
  ip address 172.16.10.12
  localid email bob@examplecompany.com
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#
PROFILES 7 - 108

7.1.17.4.4 remoteid
crypto-ikev1/ikev2-peer commands

Configures an IKEv1/IKEv2 peer’s remote identity. This remote identifier is used with this peer configuration for an IKE exchange with the target VPN IPSec peer.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
remoteid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]

Parameters
• remoteid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]

address <IP>
  Configures the remote IKEv1/IKEv2 peer’s IP address. The IP address is used as the peer’s remote identity.
dn <WORD>
  Configures the remote peer’s distinguished name. For example, "C=us ST=<state> L=<location> O=<organization> OU=<org unit>". The maximum length is 128 characters.
email <WORD>
  Configures the remote peer’s e-mail address. The maximum length is 128 characters.
fqdn <WORD>
  Configures a peer’s FQDN. The maximum length is 128 characters.
string <WORD>
  Configures a peer’s identity string. The maximum length is 128 characters.

Example
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#remoteid dn SanJose
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
 crypto ikev1 peer peer1
  ip address 172.16.10.12
  remoteid dn SanJose
  localid email bob@examplecompany.com
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#remoteid address 157.235.209.63
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
 crypto ikev2 peer peer1
  remoteid address 157.235.209.63
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#
7.1.17.4.5 use

crypto-ikev1/ikev2-peer commands

Associates IKEv1/IKEv2 policy with the IKEv1/IKEv2 peer respectively

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use ikev1-policy <IKEV1-POLICY-NAME>
use ikev2-policy <IKEV2-POLICY-NAME>

Parameters
• use ikev1-policy <IKEV1-POLICY-NAME>
• use ikev2-policy <IKEV2-POLICY-NAME>

use ikev1-policy <IKEV1-POLICY-NAME>
    Specify the IKEv1 policy name.
    The local IKEv1 policy and the peer IKEv1 policy must have matching group settings for successful negotiations.
use ikev2-policy <IKEV2-POLICY-NAME>
    Specify the IKEv2 policy name.
    The local IKEv2 policy and the peer IKEv2 policy must have matching group settings for successful negotiations.

Example
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#use ikev1-policy test-ikev1policy
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
 crypto ikev1 peer peer1
  ip address 172.16.10.12
  remoteid dn SanJose
  localid email bob@examplecompany.com
  use ikev1-policy test-ikev1policy
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#use ikev2-policy test-ikev2policy
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
 crypto ikev2 peer peer1
  remoteid address 157.235.209.63
  use ikev2-policy test-ikev2policy
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#
7.1.17.4.6 no

crypto-ikev1/ikev2-peer commands

Removes or reverts IKEv1/IKEv2 peer settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [authentication|ip|localid|remoteid|use <IKEv1/IKEv2-POLICY-NAME>]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or reverts IKEv1/IKEv2 peer settings based on the parameters passed

Example
The following example shows the Crypto IKEV1 peer1 settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
 crypto ikev1 peer peer1
  ip address 172.16.10.12
  remoteid dn SanJose
  localid email bob@examplecompany.com
  use ikev1-policy test-ikev1policy
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#no localid
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#no remoteid

The following example shows the Crypto IKEV1 peer1 settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
 crypto ikev1 peer peer1
  ip address 172.16.10.12
  use ikev1-policy test-ikev1policy
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

The following example shows the Crypto IKEV2 peer1 settings before the ‘no’ commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
 crypto ikev2 peer peer1
  remoteid address 157.235.209.63
  use ikev2-policy test
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#

The following example shows the Crypto IKEV2 peer1 settings after the ‘no’ commands are executed:

rfs6000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#no use ikev2-policy
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
 crypto ikev2 peer peer1
  remoteid address 157.235.209.63
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#
7.1.17.5 crypto-map-config-commands

crypto

This section explains crypto map configuration mode commands in detail.

A crypto map entry is a single policy that describes how certain traffic is secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index (used to sort the ordered list).

IPSec VPN provides a secure tunnel between two networked peers. Administrators can define which packets are sent within the tunnel, and how they're protected. When a tunneled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.

Tunnels are sets of SAs between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunneled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP).

IKE is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, and enables secure communications without time-consuming manual pre-configuration.

Use crypto maps to configure IPSec VPN SAs. Crypto maps combine the elements comprising IPSec SAs. Crypto maps also include transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is utilized for each IPSec peer; however, for remote VPN deployments one crypto map is used for all the remote IPSec peers.

Use the (config) instance to enter the crypto map configuration mode.
To navigate to the crypto-map configuration instance, use the following commands:

In the device-config mode:
<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]

In the profile-config mode:
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]

There are three different configurations defined for each listed crypto map: site-to-site manual (ipsec-manual), site-to-site-auto tunnel (ipsec-isakmp), and remote VPN client (ipsec-isakmp dynamic). With site-to-site deployments, an IPSec tunnel is deployed between two gateways, each at the edge of two different remote networks. With remote VPN, an access point located at remote branch defines a tunnel with a security gateway. This facilitates the end points in the branch office to communicate with the destination endpoints (behind the security gateway) in a secure manner.
Each crypto map entry is given an index (used to sort the ordered list).

rfs6000-37FABE(config-profile-default-rfs6000)#crypto map map1 1 ipsec-manual
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#?
Manual Crypto Map Configuration commands:
  local-endpoint-ip     Use this IP as local tunnel endpoint address, instead
                        of the interface IP (Advanced Configuration)
  mode                  Set the tunnel mode
  no                    Negate a command or set its defaults
  peer                  Set peer
  security-association  Set security association parameters
  session-key           Set security session key parameters
  use                   Set setting to use
  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#

The following table summarizes crypto map configuration mode commands:

Command | Description | Reference
crypto-map auto-vpn-tunnel/remote-vpn-client instance | Configures an auto site-to-site VPN or remote VPN client | page 7-113
crypto-map-ipsec-manual-instance | Configures a manual site-to-site VPN | page 7-127
7.1.17.5.1 crypto-map auto-vpn-tunnel/remote-vpn-client instance

crypto-map-config-commands

To navigate to the auto site-to-site VPN tunnel configuration instance, use the following command:

In the device-config mode:
<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-isakmp

In the profile-config mode:
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-isakmp

rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto map test 1 ipsec-isakmp
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#?
Site to Site Crypto Map Configuration commands:
  ip                    Internet Protocol config commands
  local-endpoint-ip     Use this IP as local tunnel endpoint address, instead
                        of the interface IP (Advanced Configuration)
  no                    Negate a command or set its defaults
  peer                  Add a remote peer
  pfs                   Specify Perfect Forward Secrecy
  security-association  Security association parameters
  transform-set         Specify IPSec transform to use
  use                   Set setting to use
  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

To navigate to the remote VPN client configuration instance, use the following command:

In the device-config mode:
<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-isakmp {dynamic}

In the profile-config mode:
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-isakmp {dynamic}

rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto map test 2 ipsec-isakmp dynamic
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#?
Dynamic Crypto Map Configuration commands:
  local-endpoint-ip     Use this IP as local tunnel endpoint address, instead
                        of the interface IP (Advanced Configuration)
  modeconfig            Set the mode config method
  no                    Negate a command or set its defaults
  peer                  Add a remote peer
  pfs                   Specify Perfect Forward Secrecy
  remote-type           Set the remote VPN client type
  security-association  Security association parameters
  transform-set         Specify IPSec transform to use
  use                   Set setting to use
  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

The following table lists the IPSec-Auto-VPN/Remote-VPN tunnel configuration commands:

Command | Description | Reference
ip | Enables this setting to utilize IP/Port NAT on the VPN tunnel. This command is applicable only to the site-to-site VPN tunnel. | page 7-115
local-endpoint-ip | Uses the configured IP as local tunnel endpoint address, instead of the interface IP. This command is applicable to the site-to-site VPN tunnel and remote VPN client. | page 7-116
modeconfig | Configures the mode config method (pull or push) associated with the remote VPN client. This command is applicable only to the remote VPN client. | page 7-117
peer | Configures the IKEv1 or IKEv2 peer for the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client. | page 7-118
pfs | Configures the Perfect Forward Secrecy (PFS) for the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client. | page 7-119
remote-type | Configures the remote VPN client type as either None or XAuth. This command is applicable only to the remote VPN client. | page 7-120
security-association | Defines this automatic VPN tunnel’s IPSec SA settings. This command is applicable to the site-to-site VPN tunnel and remote VPN client. | page 7-121
transform-set | Applies a transform set (encryption and hash algorithms) to the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client. | page 7-123
use | Applies an existing and configured IP access list to the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client. | page 7-124
no | Removes or reverts site-to-site VPN tunnel or remote VPN client settings | page 7-125
7.1.17.5.2 ip

crypto-map auto-vpn-tunnel/remote-vpn-client instance

Enables this setting to utilize IP/Port NAT on this auto site-to-site VPN tunnel. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip nat crypto

Parameters
• ip nat crypto

ip nat crypto
    Enables this setting to utilize IP/Port NAT on the site-to-site VPN tunnel. This setting is disabled by default.

Example
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
7.1.17.5.3 local-endpoint-ip

crypto-map auto-vpn-tunnel/remote-vpn-client instance

Uses the configured IP as local tunnel endpoint address, instead of the interface IP

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
local-endpoint-ip <IP>

Parameters
• local-endpoint-ip <IP>

local-endpoint-ip <IP>
    Configures the local VPN tunnel’s (site-to-site VPN tunnel or remote VPN client) endpoint IP address
    • <IP> – Specify the IP address. The specified IP address must be available on the interface.

Example
Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#local-endpoint-ip 192.168.13.10
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  local-endpoint-ip 192.168.13.10
  ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#local-endpoint-ip 157.235.204.62
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  local-endpoint-ip 157.235.204.62
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.4 modeconfig

crypto-map auto-vpn-tunnel/remote-vpn-client instance

Configures the mode config method (pull or push) associated with the remote VPN client

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
modeconfig [pull|push]

Parameters
• modeconfig [pull|push]

modeconfig [pull|push]
    Configures the mode config method associated with a remote VPN client. The options are: pull and push.
    The mode (pull or push) defines the method used to assign a virtual IP. This setting is relevant for IKEv1 only, since IKEv2 always uses the configuration payload in pull mode. The default setting is push.

Example
Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#modeconfig pull
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  modeconfig pull
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.5 peer

crypto-map auto-vpn-tunnel/remote-vpn-client instance

Configures the IKEv1 or IKEv2 peer for the auto site-to-site VPN tunnel or remote VPN client. The peer device can be specified either by its hostname or by its IP address. A maximum of three peers can be configured.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
peer <1-3> [ikev1|ikev2] <IKEv1/IKEv2-PEER-NAME>

Parameters
• peer <1-3> [ikev1|ikev2] <IKEv1/IKEv2-PEER-NAME>

peer <1-3>
    Creates a new peer and configures the peer’s priority level. Peer ‘1’ is the primary peer, and peer ‘3’ is redundant.
ikev1 <IKEv1-PEER-NAME>
    Configures an IKEv1 peer
    • <IKEv1-PEER-NAME> – Specify the IKEv1 peer’s name.
ikev2 <IKEv2-PEER-NAME>
    Configures an IKEv2 peer
    • <IKEv2-PEER-NAME> – Specify the IKEv2 peer’s name.

Example
Site-to-site tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#peer 1 ikev2 ikev2Peer1
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  peer 1 ikev2 ikev2Peer1
  local-endpoint-ip 192.168.13.10
  ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#peer 1 ikev1 RemoteIKEv1Peer1
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  peer 1 ikev1 RemoteIKEv1Peer1
  local-endpoint-ip 157.235.204.62
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.6 pfs

crypto-map auto-vpn-tunnel/remote-vpn-client instance

Configures Perfect Forward Secrecy (PFS) for the auto site-to-site VPN tunnel or remote VPN client

PFS is the key-establishment protocol, used to secure VPN communications. If one encryption key is compromised, only data encrypted by that specific key is compromised. For PFS to exist, the key used to protect data transmissions must not be used to derive any additional keys. Options include 2, 5 and 14. This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
pfs [14|2|5]

Parameters
• pfs [14|2|5]

pfs [14|2|5]
    Configures PFS
    • 14 – Configures D-H Group14 (2048-bit modp)
    • 2 – Configures D-H Group2 (1024-bit modp)
    • 5 – Configures D-H Group5 (1536-bit modp)

Example
Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#pfs 5
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  peer 1 ikev2 ikev2Peer1
  local-endpoint-ip 192.168.13.10
  pfs 5
  ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#pfs 14
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  peer 1 ikev1 RemoteIKEv1Peer1
  local-endpoint-ip 157.235.204.62
  pfs 14
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.7 remote-type

crypto-map auto-vpn-tunnel/remote-vpn-client instance

Configures the remote VPN client type as either None or XAuth

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
remote-type [none|xauth]

Parameters
• remote-type [none|xauth]

remote-type [none|xauth]
    Specify the remote VPN’s client type
    • none – Configures remote VPN client with No XAUTH
    • xauth – Configures remote VPN client as using XAUTH (applicable only for IKEv1). This is the default setting.
    XAuth (extended authentication) provides additional authentication validation by permitting an edge device to request extended authentication information from an IPSec host. This forces the host to respond with additional authentication credentials. The edge device responds with a failed or passed message.

Example
Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  peer 1 ikev1 RemoteIKEv1Peer1
  local-endpoint-ip 157.235.204.62
  pfs 14
  remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.8 security-association

crypto-map auto-vpn-tunnel/remote-vpn-client instance

Defines the IPSec SA’s (created by this auto site-to-site VPN tunnel or remote VPN client) settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
security-association [inactivity-timeout|level|lifetime]
security-association [inactivity-timeout <120-86400>|level perhost]
security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

Parameters
• security-association [inactivity-timeout <120-86400>|level perhost]

inactivity-timeout <120-86400>
    Specifies an inactivity period, in seconds, for this IPSec VPN SA. Once the set value is exceeded, the association is timed out.
    • <120-86400> – Specify a value from 120 - 86400 seconds. The default is 900 seconds.
level perhost
    Specifies the granularity level for this IPSec VPN SA
    • perhost – Sets the IPSec VPN SA’s granularity to the host level

• security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
    Defines the IPSec SA’s lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds. Whichever limit is reached first ends the security association.
    • kilobytes <500-2147483646> – Defines volume based key duration. Specify a value from 500 - 2147483646 kilobytes. Select this option to define a connection volume lifetime (in kilobytes) for the duration of the IPSec VPN SA. Once the set volume is exceeded, the association is timed out. This option is disabled by default.
    • seconds <120-86400> – Defines time based key duration. Specify the time frame from 120 - 86400 seconds. Select this option to define a lifetime (in seconds) for the duration of the IPSec VPN SA. Once the set value is exceeded, the association is timed out. This option is disabled by default.

Example
Site-to-site tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association inactivity-timeout 200
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association level perhost
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association lifetime kilobytes 250000
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  security-association level perhost
  peer 1 ikev2 ikev2Peer1
  local-endpoint-ip 192.168.13.10
  pfs 5
  security-association lifetime kilobytes 250000
  security-association inactivity-timeout 200
  ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#security-association lifetime seconds 10000
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  peer 1 ikev1 RemoteIKEv1Peer1
  local-endpoint-ip 157.235.204.62
  pfs 14
  security-association lifetime seconds 10000
  remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.9 transform-set

crypto-map auto-vpn-tunnel/remote-vpn-client instance

Applies a transform set (encryption and hash algorithms) to site-to-site VPN tunnel or remote VPN client. This command allows you to provide customized data protection: each crypto map can be customized with its own data protection and peer authentication schemes.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
transform-set <TRANSFORM-SET-TAG> {<TRANSFORM-SET-TAG>}

Parameters
• transform-set <TRANSFORM-SET-TAG> {<TRANSFORM-SET-TAG>}

transform-set <TRANSFORM-SET-TAG> <TRANSFORM-SET-TAG>
    Applies a transform set. The transform set should be existing and configured.
    • <TRANSFORM-SET-TAG> – Specify the transform set’s name.
    • <TRANSFORM-SET-TAG> – Optional. Specify a second transform set. You can provide multiple, space-separated, transform set tags.

Example
Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#transform-set AutoVPN
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  security-association level perhost
  peer 1 ikev2 ikev2Peer1
  local-endpoint-ip 192.168.13.10
  pfs 5
  security-association lifetime kilobytes 250000
  security-association inactivity-timeout 200
  transform-set AutoVPN
  ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#transform-set RemoteVPN
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  peer 1 ikev1 RemoteIKEv1Peer1
  local-endpoint-ip 157.235.204.62
  pfs 14
  security-association lifetime seconds 10000
  transform-set RemoteVPN
  remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.10 use

crypto-map auto-vpn-tunnel/remote-vpn-client instance

Applies an existing and configured IP access list to the auto site-to-site VPN tunnel or remote VPN client. Based on the IP access list’s settings, traffic is permitted or denied across the VPN tunnel.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use ip-access-list <IP-ACCESS-LIST-NAME>

Parameters
• use ip-access-list <IP-ACCESS-LIST-NAME>

ip-access-list <IP-ACCESS-LIST-NAME>
    Specify the IP access list name.

Example
Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#use ip-access-list test
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  use ip-access-list test
  security-association level perhost
  peer 1 ikev2 ikev2Peer1
  local-endpoint-ip 192.168.13.10
  pfs 5
  security-association lifetime kilobytes 250000
  security-association inactivity-timeout 200
  transform-set AutoVPN
  ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#use ip-access-list test1
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  use ip-access-list test1
  peer 1 ikev1 RemoteIKEv1Peer1
  local-endpoint-ip 157.235.204.62
  pfs 14
  security-association lifetime seconds 10000
  transform-set RemoteVPN
  remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.11 no

crypto-map auto-vpn-tunnel/remote-vpn-client instance

Removes or reverts the auto site-to-site VPN tunnel or remote VPN client settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [ip|local-endpoint-ip|modeconfig|peer|pfs|remote-type|security-association|transform-set|use]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or resets the auto site-to-site/remote VPN settings based on the parameters passed

Example
The following example shows the IPSec site-to-site VPN tunnel ‘test’ settings before the ‘no’ commands are executed:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  use ip-access-list test
  security-association level perhost
  peer 1 ikev2 ikev2Peer1
  local-endpoint-ip 192.168.13.10
  pfs 5
  security-association lifetime kilobytes 250000
  security-association inactivity-timeout 200
  transform-set AutoVPN
  ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no use ip-access-list
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no security-association level perhost
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no pfs
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no local-endpoint-ip

The following example shows the IPSec site-to-site VPN tunnel ‘test’ settings after the ‘no’ commands are executed:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
 crypto map test 1 ipsec-isakmp
  peer 1 ikev2 ikev2Peer1
  security-association lifetime kilobytes 250000
  security-association inactivity-timeout 200
  transform-set AutoVPN
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
The following example shows the IPSec remote VPN client ‘test’ settings before the ‘no’ commands are executed:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  use ip-access-list test2
  peer 1 ikev1 RemoteIKEv1Peer1
  local-endpoint-ip 157.235.204.62
  pfs 14
  security-association lifetime seconds 10000
  transform-set RemoteVPN
  remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no use ip-access-list
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no peer 1
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no transform-set

The following example shows the IPSec remote VPN client ‘test’ settings after the ‘no’ commands are executed:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
 crypto map test 2 ipsec-isakmp dynamic
  local-endpoint-ip 157.235.204.62
  pfs 14
  security-association lifetime seconds 10000
  remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.12 crypto-map-ipsec-manual-instance
crypto-map-config-commands

To navigate to the automatic IPSec manual VPN tunnel configuration instance, use the following command:

In the device-config mode:
<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-manual

In the profile-config mode:
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-manual

rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto map test 3 ipsec-manual
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#3)#?
Manual Crypto Map Configuration commands:
  local-endpoint-ip     Use this IP as local tunnel endpoint address, instead
                        of the interface IP (Advanced Configuration)
  mode                  Set the tunnel mode
  no                    Negate a command or set its defaults
  peer                  Set peer
  security-association  Set security association parameters
  session-key           Set security session key parameters
  use                   Set setting to use
  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#3)#

The following table summarizes IPSec manual VPN tunnel configuration mode commands:

Command               Description                                                                                                     Reference
local-endpoint-ip     Uses the configured IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration)  page 7-128
mode                  Sets the tunnel mode                                                                                            page 7-129
peer                  Sets the peer device’s IP address                                                                               page 7-130
security-association  Defines the lifetime (in kilobytes and/or seconds) of IPSec SAs created by a crypto map                        page 7-131
session-key           Defines encryption and authentication keys for a crypto map                                                     page 7-132
use                   Uses the configured IP access list                                                                              page 7-134
no                    Removes or reverts crypto map IPSec manual settings                                                             page 7-135
7.1.17.5.13 local-endpoint-ip
crypto-map-ipsec-manual-instance

Uses the configured IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration)

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
local-endpoint-ip <IP>

Parameters
• local-endpoint-ip <IP>

local-endpoint-ip <IP>
    Uses the configured IP as local tunnel’s endpoint address
    • <IP> – Specify the IP address. The specified IP address must be available on the interface.

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#local-endpoint-ip 172.16.10.3
7.1.17.5.14 mode
crypto-map-ipsec-manual-instance

Sets the crypto map tunnel mode

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mode [transport|tunnel]

Parameters
• mode [transport|tunnel]

mode [transport|tunnel]
    Sets the mode of the tunnel for this crypto map
    • transport – Initiates transport mode
    • tunnel – Initiates tunnel mode (default setting)

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#mode transport
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  mode transport
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
7.1.17.5.15 peer
crypto-map-ipsec-manual-instance

Sets the peer device’s IP address. This can be set for multiple remote peers. The remote peer can be an IP address.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
peer <IP>

Parameters
• peer <IP>

peer <IP>
    Enter the peer device’s IP address. If no peer is configured, the crypto map responds to any peer.

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#peer 172.16.10.12
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  peer 172.16.10.12
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
7.1.17.5.16 security-association
crypto-map-ipsec-manual-instance

Defines the lifetime (in kilobytes and/or seconds) of IPSec SAs created by this crypto map

NOTE: This command is not applicable to the ipsec-manual crypto map.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

Parameters
• security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
    Values can be entered in both kilobytes and seconds. Whichever limit is reached first ends the security association.
    • kilobytes <500-2147483646> – Defines volume based key duration. Specify a value from 500 - 2147483646 bytes.
    • seconds <120-86400> – Defines time based key duration. Specify the time frame from 120 - 86400 seconds.

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map2#2)#security-association lifetime seconds 123
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map2#2)#show context
 Command not applicable to this crypto map
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map2#2)#
7.1.17.5.17 session-key
crypto-map-ipsec-manual-instance

Defines encryption and authentication keys for this crypto map

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
session-key [inbound|outbound] [ah|esp] <256-4294967295>
session-key [inbound|outbound] ah <256-4294967295> [0|2|authenticator [md5|sha]] <WORD>
session-key [inbound|outbound] esp <256-4294967295> [0|2|cipher [3des|aes|aes-192|aes-256|des|esp-null]] <WORD> authenticator [md5|sha] <WORD>

Parameters
• session-key [inbound|outbound] ah <256-4294967295> [0|2|authenticator [md5|sha]] <WORD>

session-key [inbound|outbound]
    Defines the manual inbound and outbound security association key parameters
ah <256-4294967295>
    Configures authentication header (AH) as the security protocol for the security session
    • <256-4294967295> – Sets the SPI for the security association from 256 - 4294967295
    The SPI (in combination with the destination IP address and security protocol) identifies the security association.
[0|2|authenticator [md5|sha] <WORD>]
    Specifies the key type
    • 0 – Sets a clear text key
    • 2 – Sets an encrypted key
    • authenticator – Sets AH authenticator details
      • md5 <WORD> – AH with MD5 authentication
      • sha <WORD> – AH with SHA authentication
        • <WORD> – Sets security association key value. The following key lengths (in hex characters) are required (w/o leading 0x). AH-MD5: 32, AH-SHA: 40

• session-key [inbound|outbound] esp <256-4294967295> [0|2|cipher [3des|aes|aes-192|aes-256|des|esp-null]] <WORD> authenticator [md5|sha] <WORD>

session-key [inbound|outbound]
    Defines the manual inbound and outbound security association key parameters
esp <256-4294967295>
    Configures Encapsulating Security Payloads (ESP) as the security protocol for the security session. This is the default setting.
    • <256-4294967295> – Sets the SPI for the security association from 256 - 4294967295
    The SPI (in combination with the destination IP address and security protocol) identifies the security association.
[0|2|cipher [3des|aes|aes-192|aes-256|des|esp-null]]
    • 0 – Sets a clear text key
    • 2 – Sets an encrypted key
    • cipher – Sets encryption/decryption key details
      • 3des – ESP with 3DES encryption
      • aes – ESP with AES encryption
      • aes-192 – ESP with AES-192 encryption
      • aes-256 – ESP with AES-256 encryption
      • des – ESP with DES encryption
      • esp-null – ESP with no encryption
    • authenticator – Specify ESP authenticator details
      • md5 <WORD> – ESP with MD5 authentication
      • sha <WORD> – ESP with SHA authentication
        • <WORD> – Sets security association key value. The following key lengths (in hex characters) are required (w/o leading 0x). AH-MD5: 32, AH-SHA: 40

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#session-key inbound esp 273 cipher esp-null authenticator sha 58768979
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  peer 172.16.10.2
  mode transport
  session-key inbound esp 273 0 cipher esp-null authenticator sha 58768979
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
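The following Python check is an added example, not part of the guide or of Extreme Networks' software. It parses `session-key` statements as they appear in `show context` output for ipsec-manual crypto maps and reports what the parameter descriptions above make auditable: a clear text key (type 0), `esp-null` or `des`, an MD5 authenticator, an SPI outside 256 - 4294967295, an authenticator key that is not the 32 (MD5) or 40 (SHA) hex characters the guide requires, and a map with no `peer`. The function names, finding codes and the choice of which algorithms to report are assumptions of this example; the sample configuration is constructed.

```python
import re

SPI_MIN, SPI_MAX = 256, 4294967295         # SPI range from the Syntax lines
AUTH_KEY_HEX_LEN = {"md5": 32, "sha": 40}  # hex characters, as the guide states
CIPHERS = {"3des", "aes", "aes-192", "aes-256", "des", "esp-null"}
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-manual$")

# Constructed sample. map1 repeats the guide's own example; map2 is invented,
# and its type-2 key values are placeholders, not real encrypted keys.
SAMPLE = """\
 crypto map map1 1 ipsec-manual
  peer 172.16.10.2
  mode transport
  session-key inbound esp 273 0 cipher esp-null authenticator sha 58768979
 crypto map map2 2 ipsec-manual
  session-key outbound esp 300 2 cipher aes-256 ENC-KEY-A authenticator sha ENC-KEY-B
  session-key inbound ah 100 0 authenticator md5 0123456789abcdef0123456789abcdef
"""


def parse_session_key(line):
    """Parse one session-key statement into a dict; ValueError if malformed."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "session-key":
        raise ValueError("not a session-key statement: %r" % line)
    direction, proto, spi, rest = tok[1], tok[2], tok[3], tok[4:]
    if direction not in ("inbound", "outbound") or proto not in ("ah", "esp"):
        raise ValueError("bad direction or protocol: %r" % line)
    sk = {"direction": direction, "proto": proto, "spi": int(spi),
          "key_type": None, "cipher": None, "cipher_key": None}
    if rest and rest[0] in ("0", "2"):      # optional key type
        sk["key_type"] = rest.pop(0)
    if proto == "esp":
        if len(rest) < 2 or rest[0] != "cipher" or rest[1] not in CIPHERS:
            raise ValueError("esp needs 'cipher <name>': %r" % line)
        sk["cipher"], rest = rest[1], rest[2:]
        # The guide's esp-null example has no cipher key before 'authenticator'.
        if rest and rest[0] != "authenticator":
            sk["cipher_key"] = rest.pop(0)
    if (len(rest) != 3 or rest[0] != "authenticator"
            or rest[1] not in AUTH_KEY_HEX_LEN):
        raise ValueError("expected 'authenticator [md5|sha] <WORD>': %r" % line)
    sk["auth"], sk["auth_key"] = rest[1], rest[2]
    return sk


def audit_session_key(sk):
    """Return finding codes for one parsed session-key statement."""
    findings = []
    if not SPI_MIN <= sk["spi"] <= SPI_MAX:
        findings.append("SPI_OUT_OF_RANGE")
    # Type 2 is stored encrypted; an untyped key is shown as type 0 in the guide.
    clear = sk["key_type"] != "2"
    if clear:
        findings.append("CLEAR_TEXT_KEY")
    if sk["cipher"] == "esp-null":
        findings.append("NO_ENCRYPTION")
    elif sk["cipher"] == "des":
        findings.append("WEAK_CIPHER_DES")    # policy of this example
    if sk["auth"] == "md5":
        findings.append("MD5_AUTHENTICATOR")  # policy of this example
    want = AUTH_KEY_HEX_LEN[sk["auth"]]       # only checkable on a clear key
    if clear and not re.fullmatch(r"[0-9A-Fa-f]{%d}" % want, sk["auth_key"]):
        findings.append("AUTH_KEY_FORMAT")
    return findings


def audit_config(text):
    """Return {"<tag> <seq>": [findings]} for each ipsec-manual crypto map."""
    report, peers, current, depth = {}, {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        m = MAP_RE.match(line)
        if m:
            current, depth = "%s %s" % m.groups(), indent
            report[current], peers[current] = [], False
        elif current is None or indent <= depth:
            current = None                    # left the crypto map block
        elif line.startswith("peer "):
            peers[current] = True
        elif line.startswith("session-key "):
            try:
                sk = parse_session_key(line)
            except ValueError as exc:
                report[current].append("UNPARSED: %s" % exc)
                continue
            where = "%s %s spi %d" % (sk["direction"], sk["proto"], sk["spi"])
            report[current] += ["%s: %s" % (where, f) for f in audit_session_key(sk)]
    for name, has_peer in peers.items():
        if not has_peer:                      # guide: implies respond to any peer
            report[name].append("NO_PEER")
    return report


if __name__ == "__main__":
    for name, found in audit_config(SAMPLE).items():
        print(name, found or "ok")
```

The guide's own example line is reported three times over: its key is stored as type 0, the cipher is `esp-null`, and the SHA key `58768979` is 8 hex characters rather than 40.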
7.1.17.5.18 use
crypto-map-ipsec-manual-instance

Associates an existing IP access list with this crypto map. The ACL protects the VPN traffic.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use ip-access-list <IP-ACCESS-LIST-NAME>

Parameters
• use ip-access-list <IP-ACCESS-LIST-NAME>

ip-access-list <IP-ACCESS-LIST-NAME>
    Specify the IP access list name.

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#use ip-access-list test
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  use ip-access-list test
  peer 172.16.10.12
  mode transport
  session-key inbound esp 273 0 cipher esp-null authenticator sha 5876897
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
7.1.17.5.19 no
crypto-map-ipsec-manual-instance

Removes or resets this crypto map’s settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [local-endpoint-ip|mode|peer|security-association|session-key|use]

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or resets this crypto map’s settings based on the parameters passed

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  use ip-access-list test
  peer 172.16.10.12
  mode transport
  session-key inbound esp 273 0 cipher esp-null authenticator sha 5876897
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#

rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#no use ip-access-list
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#no peer
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#no mode

rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  session-key inbound esp 273 0 cipher esp-null authenticator sha 58768979
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
7.1.17.6 crypto-remote-vpn-client commands
crypto

This section documents the IKEV2 remote VPN client configuration settings. Use this command to define the server resources used to secure (authenticate) a remote VPN connection with a target peer.

Use the profile-config instance to configure remote VPN client settings. To navigate to the remote-vpn-client configuration instance, use the following commands:
<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto remote-vpn-client
<DEVICE>(config-profile-<PROFILE-NAME>-crypto-ikev2-remote-vpn-client)#

rfs4000-229D58(config)#profile rfs4000 testRFS4000
rfs4000-229D58(config-profile-testRFS4000)#
rfs4000-229D58(config-profile-testRFS4000)#crypto remote-vpn-client
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#?
Crypto IKEV2 Remote Vpn Client Config commands:
  dhcp-peer      Configure parameters for peers received via DHCP option
  no             Negate a command or set its defaults
  peer           Add a remote peer
  shutdown       Disable remote vpn client
  transform-set  Specify IPSec transform to use
  clrscr         Clears the display screen
  commit         Commit all changes made in this session
  do             Run commands from Exec mode
  end            End current mode and change to EXEC mode
  exit           End current mode and down to previous mode
  help           Description of the interactive help system
  revert         Revert changes
  service        Service Commands
  show           Show running system information
  write          Write running configuration to memory or terminal
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#

NOTE: To configure remote VPN client settings on a device, in the device’s configuration mode, use the crypto > remote-vpn-client command.
For example:
rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto remote-vpn-client

NOTE: The following configuration enables an access point to adopt to a controller over the remote VPN link:
On a profile:
rfs4000-229D58(config-profile-testRFS4000)#controller host <HOST-IP> remote-vpn-client
On a device:
rfs4000-229D58(config-00-23-68-22-9D-58)#controller host <HOST-IP> remote-vpn-client
The following table summarizes crypto remote VPN client configuration mode commands:

Command        Description                                                              Reference
dhcp-peer      Configures DHCP peer’s local ID and authentication settings              page 7-138
peer           Adds a remote IKEv2 peer                                                 page 7-139
shutdown       Disables the remote VPN client                                           page 7-140
transform-set  Associates an existing IPSec transform set with this remote VPN client  page 7-141
no             Removes the remote VPN client settings                                   page 7-142
7.1.17.6.1 dhcp-peer
crypto-remote-vpn-client commands

Configures DHCP peer’s local ID and authentication settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcp-peer [authentication|localid]
dhcp-peer authentication [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]
dhcp-peer localid [autogen-uniqueid <WORD>|string <WORD>]

Parameters
• dhcp-peer authentication [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]

dhcp-peer authentication psk [0 <WORD>|2 <WORD>|<WORD>]
    Configures the DHCP peer’s authentication type as PSK
    • 0 <WORD> – Configures a clear text authentication key
    • 2 <WORD> – Configures an encrypted authentication key
    • <WORD> – Provide an 8 - 21 character shared key password for DHCP peer authentication
dhcp-peer authentication rsa
    Configures the DHCP peer’s authentication type as RSA. This is the default setting.

• dhcp-peer localid [autogen-uniqueid <WORD>|string <WORD>]

dhcp-peer localid [autogen-uniqueid <WORD>|string <WORD>]
    Configures the DHCP peer's localid using one of the following options:
    • autogen-uniqueid - Generates a localid using the device's unique identity. The system prefixes the device's unique identity to the string provided here. The device’s unique identity should already exist and be configured. For more information on configuring a device’s unique identity, see autogen-uniqueid.
      • <WORD> – Provide the string.
    • string - Uses the value provided here as the DHCP peer’s localid.
      • <WORD> - Provide the string.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#dhcp-peer authentication psk 0 @123testing
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
 crypto remote-vpn-client
  dhcp-peer authentication psk 0 @123testing
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
7.1.17.6.2 peer
crypto-remote-vpn-client commands

Configures IKEv2 peers and assigns them priorities for utilization with remote VPN client connections. A maximum of three (3) peers can be added to support redundancy.

IKEv2 uses an initial handshake in which VPN peers negotiate cryptographic algorithms, mutually authenticate, and establish a session key, creating an IKE-SA. Additionally, a first IPSec SA is established during the initial SA creation. All IKEv2 messages are request/response pairs. It is the responsibility of the side sending the request to retransmit if it does not receive a timely response.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
peer <1-3> ikev2 <IKEV2-PEER-NAME>

Parameters
• peer <1-3> ikev2 <IKEV2-PEER-NAME>

peer <1-3>
    Adds an IKEv2 peer. You can add a maximum of three (3) peers to achieve redundancy.
    • <1-3> – Specify a priority level for the peer from 1 - 3 (1 = primary, 2 = secondary, and 3 = redundant).
ikev2 <IKEV2-PEER-NAME>
    Specify the IKEv2 peer’s name.
    Note: The peer should already exist and be configured. To configure an IKEv2 peer use the crypto > ikev2 > peer > <IKEv2-PEER-NAME> command.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#peer 1 ikev2 ikev2Peer1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#peer 2 ikev2 ikev2Peer2
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
 crypto remote-vpn-client
  peer 1 ikev2 ikev2Peer1
  peer 2 ikev2 ikev2Peer2
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
7.1.17.6.3 shutdown
crypto-remote-vpn-client commands

Disables remote-vpn-client on this profile or device. The remote VPN client feature is enabled by default.

To enable a disabled remote VPN client, execute the no > shutdown command.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
shutdown

Parameters
None

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#shutdown
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
7.1.17.6.4 transform-set
crypto-remote-vpn-client commands

Specifies the IPSec Transform set to use with this remote VPN client. A transform set is a combination of security protocols, algorithms, and other settings applied to IPSec protected client traffic.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
transform-set <IPSEC-XFORM-TAG> {<IPSEC-XFORM-TAG>}

Parameters
• transform-set <IPSEC-XFORM-TAG> {<IPSEC-XFORM-TAG>}

transform-set <IPSEC-XFORM-TAG> <IPSEC-XFORM-TAG>
    Associates an IPSec transform set (which should already exist and be configured) with this remote VPN client. You can optionally associate more than one transform set with this remote VPN client configuration. List the transform set tags separated by a space.
    Note: To configure a transform-set, use the crypto > ipsec > transform-set command in the profile or device configuration mode.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#transform-set TransformSet1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
 crypto remote-vpn-client
  peer 1 ikev2 ikev2Peer1
  transform-set TransformSet1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
7.1.17.6.5 no
crypto-remote-vpn-client commands

Removes the remote VPN client settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [dhcp-peer|peer <1-3>|shutdown|transform-set]
no dhcp-peer [authentication|localid]
no peer <1-3>
no shutdown
no transform-set

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or resets the remote VPN client settings based on the parameters passed

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
 crypto remote-vpn-client
  peer 1 ikev2 peer5
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#

rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#no peer 1

rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
 crypto remote-vpn-client
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
7.1.18 database
Profile Config Commands

Backs up captive-portal and/or NSight database to a specified location and file. When applied to devices, this profile will enable the back up of the specified database. This command also enables you to configure a low-disk-space threshold value.

These parameters can also be configured in the device configuration context of an NX95XX series service platform.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
database [backup|low-disk-space-threshold]
database backup database [captive-portal|nsight] <URL>
database low-disk-space-threshold <10-50>

Parameters
• database backup database [captive-portal|nsight] <URL>

database backup database [captive-portal|nsight]
    Backs up captive portal and/or NSight database to a specified location and file. Select the database to backup.
    • database – Selects the database to backup
      • captive-portal – Backs up captive portal database
      • nsight – Backs up NSight database
    After specifying the database type, configure the destination location and file name.
<URL>
    Configures the destination location. The database is backed up at the specified location. Specify the location URL in one of the following formats:
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
    sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
    tftp://<hostname|IP>[:port]/path

• database low-disk-space-threshold <10-50>

database low-disk-space-threshold <10-50>
    Configures the low disk space threshold for syslog warning. Once the threshold value configured here is reached a syslog warning is sent.
    • <10-50> – Specify the threshold from 10 - 50. The default is 30.

Example
nx9500-6C8809(config-profile-testNX9500)#database backup database nsight ftp://anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz

Related Commands
no    Removes database backup configurations
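The backup destination carries a user name and password inside the configuration line, and two of the three accepted schemes (ftp and tftp) move the database without transport encryption. The Python check below is an added example, not part of the guide or of the WiNG software: it validates `database backup database` statements against the three URL formats listed above, reports clear text transports, TFTP's lack of any login, anonymous logins and malformed ports, and returns a password-masked copy of each URL for logs or tickets. Function names and finding codes are assumptions of this example; the second sample line and its credentials are constructed.

```python
from urllib.parse import urlsplit

SCHEMES = {"ftp", "sftp", "tftp"}      # the three formats the guide lists
CLEARTEXT = {"ftp", "tftp"}            # no transport encryption
DATABASES = {"captive-portal", "nsight"}

# Constructed sample: line 1 is the guide's example, line 2 is invented.
SAMPLE = """\
 database backup database nsight ftp://anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz
 database backup database captive-portal sftp://bkp-user:Constructed-Pw1@192.0.2.20:2222/backups/cp.tar.gz
 database low-disk-space-threshold 30
"""


def parse_backup_line(line):
    """Split 'database backup database <db> <URL>' into (db, url)."""
    tok = line.split()
    if len(tok) != 5 or tok[:3] != ["database", "backup", "database"]:
        raise ValueError("not a database backup statement: %r" % line)
    if tok[3] not in DATABASES:
        raise ValueError("unknown database: %r" % tok[3])
    return tok[3], tok[4]


def audit_backup_url(url):
    """Return finding codes for one backup destination URL."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in SCHEMES:
        return ["UNSUPPORTED_SCHEME"]
    findings = []
    try:
        u.port                          # raises ValueError on a bad port
    except ValueError:
        findings.append("BAD_PORT")
    if not u.hostname:
        findings.append("MISSING_HOST")
    if scheme in CLEARTEXT:
        findings.append("CLEARTEXT_TRANSPORT")
    if scheme == "tftp":
        findings.append("NO_AUTHENTICATION")   # TFTP has no login at all
        return findings
    if not u.username or u.password is None:
        findings.append("MISSING_CREDENTIALS")
    elif u.username.lower() == "anonymous":
        findings.append("ANONYMOUS_LOGIN")
    if not u.path.endswith(".tar.gz"):
        findings.append("NOT_TAR_GZ")
    return findings


def redact(url):
    """Mask the password so the statement can be logged or shared."""
    u = urlsplit(url)
    if u.password is None:
        return url
    userinfo, _, hostport = u.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return u._replace(netloc="%s:****@%s" % (user, hostport)).geturl()


def audit_config(text):
    """Return [(database, redacted_url, findings)] for each backup statement."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("database backup database "):
            db, url = parse_backup_line(line)
            out.append((db, redact(url), audit_backup_url(url)))
    return out


if __name__ == "__main__":
    for db, url, findings in audit_config(SAMPLE):
        print(db, url, findings or "ok")
```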
7.1.19 device-onboard
Profile Config Commands

Configures the logo image file name and title displayed on the EGuest device-onboarding portal. The EGuest UI can be accessed only by vendor-admin users.

NOTE: Vendor admin users are configured in the Management policy context. For more information, see user.

Supported in the following platforms:
• Service Platforms — NX9500, NX9510, NX9600, VX9000

Syntax
device-onboard [logo|title] <WORD>

Parameters
• device-onboard [logo|title] <WORD>

device-onboard [logo|title] <WORD>
    Configures the logo and page title displayed on the device-onboarding portal
    • logo – Specify the logo image file name. Note, logo image dimensions must not exceed 109 pixels and 52 pixels in width and height respectively.
    • title – Specify the UI portal title. Note, the title should not exceed 32 characters in length.
    The following keyword is common to both of the above parameters:
    • <WORD> – Specify the logo image file name/page title.

Example
Split-EG-Server(config-device-00-0C-29-09-3C-CC)#device-onboard logo extremenetworks.png
Split-EG-Server(config-device-00-0C-29-09-3C-CC)#device-onboard title EXTREME NETWORKS ONBOARDING UI
Split-EG-Server(config-device-00-0C-29-09-3C-CC)#show context include-factory | include device-onboard
 device-onboard title EXTREME NETWORKS ONBOARDING UI
 device-onboard logo extremenetworks.png
Split-EG-Server(config-device-00-0C-29-09-3C-CC)#

The following example shows a Management Policy vendor-admin user configuration:
EC-NOC(config-management-policy-EGuest)#show context include-factory | include user
 user onboard-user password 1 1d5e9d60425bde727261b66b5e7eb0236058e7aae45225961ce7b872ea238240 role vendor-admin group Samsung,Philips,Nest1,Orbit1
EC-NOC(config-management-policy-EGuest)#

Related Commands
no    Removes the device-onboarding UI portal’s logo image file name and title configuration
7.1.20 device-upgrade
Profile Config Commands

Configures device firmware upgrade settings on this profile

Administrators can customize profiles with unique device configuration file and firmware upgrade support. In a clustered environment, operations performed on one device are propagated to each member of the cluster and then onwards to devices managed by each cluster member. The number of concurrent device upgrades and their start times can be customized to ensure a sufficient number of devices remain in duty while upgrades are administered to others.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
device-upgrade [add-auto|auto|count|persist-images]
device-upgrade add-auto [(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600)]
device-upgrade auto {(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600)}
device-upgrade count <1-128>
device-upgrade persist-images

Parameters
• device-upgrade add-auto [(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600)]

device-upgrade add-auto
    Configures a list of device types for automatic firmware upgrade
    This command specifies the types of devices that can be automatically upgraded (if enabled). To enable automatic device firmware upgrade, use the ‘auto’ command. When enabled, access points, wireless controllers, and service platforms, using this profile, will automatically upgrade firmware on adopted devices that match the specified device types.
[<DEVICE-TYPE>]
    Specifies the type of devices to be upgraded. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000.
    Note: Multiple device types can be added to the add-auto list.

• device-upgrade auto {(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600)}

device-upgrade auto
    Enables automatic firmware upgrade on specified device types. When used along with the add-auto command, the auto command allows access points, wireless controllers, and service platforms to automatically upgrade firmware on adopted devices matching the specified device types.
<DEVICE-TYPE>
    Optional. Specifies the type of device to be lined up for automatic firmware upgrade. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000.
    Note: Multiple device types can be added to the auto list.

• device-upgrade count <1-128>

device-upgrade count <1-128>
    Configures the maximum number of concurrent upgrades possible
    • <1-128> – Specify a value from 1 - 128. The default is 10.

• device-upgrade persist-images

device-upgrade
    Configures parameters for automatic firmware upgrade of adopted devices. Use this command to select the device types and the maximum number of concurrent upgrades.
persist-images
    Enables RF Domain manager to retain AP firmware image after upgrade, subject to availability of space. This option is enabled by default.
    This option is enabled for all controller and service platform RF Domain managers with the flash memory capacity to store firmware images for the selected access point models they provision. This feature is disabled for access point RF Domain managers that do not typically have the flash memory capacity needed.

Example
rfs4000-229D58(config-profile-default-rfs4000)#device-upgrade auto ap71xx
rfs4000-229D58(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
 autoinstall configuration
 autoinstall firmware
 device-upgrade auto ap71xx
 device-upgrade persist-ap-image
 crypto ikev1 policy ikev1-default
  qos trust 802.1p
--More--
rfs4000-229D58(config-profile-default-rfs4000)#

Related Commands
no                               Removes device firmware upgrade settings on this profile
device-upgrade (show commands)   Displays device upgrade details
7.1.21 diag
Profile Config Commands

Enables looped packet logging. When enabled, devices using this profile start logging looped packets to a separate queue. This option is disabled by default.

Looped packet logging can also be enabled in the device configuration context.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
diag pkts

Parameters
• diag pkts

diag pkts
    Enables looped packet logging

NOTE: To view logged looped packets, execute the service > show > diag > pkts command. For more information, see service.

Example
nx9500-6C8809(config-profile-default-nx75xx)#diag pkts
nx9500-6C8809(config-profile-default-nx75xx)#show context include-factory | include diag
 diag pkts
nx9500-6C8809(config-profile-default-nx75xx)#

Related Commands
no
    Disables looped packet logging
7.1.22 dot1x
Profile Config Commands

Configures 802.1x standard authentication controls

Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x allows port-based access using authentication. A dot1x-enabled port can be dynamically enabled or disabled depending on user identity or device connection.

Devices supporting dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a device automatically connects and authenticates without needing to manually log in.

Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the endpoint is known and traffic is allowed. The controller or service platform uses source MAC filtering to ensure only the authenticated endpoint is allowed to send traffic.

Dot1x authentication capabilities are supported on the following platforms:
• Access Points — AP6511, AP6521, AP6522, AP6562, AP7161, AP7502, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432
• Wireless Controllers — RFS4000, RFS6000, NX5500, NX7500

Dot1x supplicant capabilities are supported on the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, NX5500, NX7500

Syntax
dot1x [guest-vlan|holdtime|system-auth-control|use]
dot1x holdtime <0-600>
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x use aaa-policy <AAA-POLICY-NAME>

Parameters
• dot1x system-auth-control
• dot1x holdtime <0-600>

system-auth-control
    Enables system auth control. Enables dot1x authorization globally for the controller. This feature is disabled by default.
holdtime <0-600>
    Configures a holdtime value. This is the interval after which an authentication attempt is ignored or failed.
    • <0-600> – Specify a value from 0 - 600 seconds. A value of ‘0’ indicates no holdtime. The default is 600 seconds or 10 minutes.
    Adding a hold time at startup allows time for the network to converge before receiving or transmitting 802.1x authentication packets.

• dot1x guest-vlan supplicant
• dot1x use aaa-policy <AAA-POLICY-NAME>

guest-vlan
    Configures guest VLAN and supplicant behavior. This feature is disabled by default.
supplicant
    Allows 802.1x capable supplicant to enter guest VLAN. When enabled, this is the VLAN that supplicant’s traffic is bridged on.
use aaa-policy <AAA-POLICY-NAME>
    Associates a specified 802.1x AAA policy (for MAC authentication) with this access point profile
    • <AAA-POLICY-NAME> – Specify the AAA policy name. Once specified, this AAA policy is utilized for authenticating user requests.

Example
nx9500-6C8809(config-profile-test-nx5500)#dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#dot1x system-auth-control
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface ge6
 interface pppoe1
 use firewall-policy default
 service pm sys-restart
 router ospf
 router bgp
 dot1x system-auth-control
 dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#

Related Commands
no
    Disables or reverts settings to their default
7.1.23 dpi
Profile Config Commands

Enables Deep Packet Inspection (DPI) on this profile. DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify applications (such as Netflix, Twitter, Facebook, etc.) and extract metadata (such as host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.

This command is also available in the device configuration mode.

Supported in the following platforms:
• Access Points — AP7522, AP7532, AP7602, AP7612, AP7622, AP7632, AP7662
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
dpi {custom-app|logging|metadata}
dpi {custom-app <CUSTOM-APP-NAME>}
dpi {logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]|on]}
dpi {metadata [http|ssl|tcp-rtt|voice-video]}
dpi {metadata [http|ssl|voice-video]}
dpi {metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>}}

Parameters
dpi
    Enables DPI on this profile/device context and configures DPI settings. When enabled, all flow traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction.

• dpi {custom-app <CUSTOM-APP-NAME>}

custom-app <CUSTOM-APP-NAME>
    Optional. Adds custom application to this profile
    • <CUSTOM-APP-NAME> – Specify custom application name (should be existing and configured)
    If no custom application is specified, the system detects the PACE built-in applications.
    Note: For more information on application categories and application detection, see application.

• dpi {logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]|on]}

logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]|on]
    Optional. Enables DPI logging and sets the logging level
    • level – Configures the DPI logging level. Use one of the following options to specify the logging level:
        • <0-7> – Logging severity level
        • alerts – Immediate action needed (1)
        • critical – Critical conditions (2)
        • debugging – Debugging messages (7)
        • emergencies – System is unusable (0)
        • errors – Error conditions (3)
        • informational – Informational messages (6)
        • notifications – Normal but significant conditions (5) - Default setting
        • warnings – Warning conditions (4)
      Either specify the logging level index (from 0 - 7) or the description. For example, to log all alerts either enter ‘1’ or ‘alerts’.
    • on – Enables application detection event logging. DPI logging is disabled by default.

• dpi {metadata [http|ssl|voice-video]}

metadata [http|ssl|voice-video]
    Optional. Enables metadata extraction from the following flows:
    • http – HTTP flows. This option is disabled by default.
    • ssl – SSL flows. This option is disabled by default.
    • voice-video – Voice and video classified flows. This option is disabled by default.

• dpi {metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>}}

metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>}
    Optional. Enables Transmission Control Protocol - Round Trip Time (TCP-RTT) metadata collection for application groups. Before executing this command, ensure that you have created at least one application group.
    Enable this option in the profile/device contexts of the AP7522, AP7532, AP7562, AP8432, AP8533 access point models, as only these APs support TCP-RTT metadata collection.
    • app-group – Optional. Specifies the customized application-group name containing the applications for which TCP-RTT is to be collected
        • <APPLICATION-GROUP-NAME> – Specify the app-group name (should be existing and configured). If not specified, the system collects TCP-RTT metadata for all the customized app-groups created. You can enable TCP-RTT metadata collection on eight (8) application groups at a time.
    For more information on creating customized application-groups, see application-group.
    The TCP-RTT metadata is viewable only on the NSight dashboard. Therefore, ensure the NSight server and database is up and NSight analytics data collection is enabled.

Example
nx9500-6C8809(config-profile-testNX9500)#dpi logging on
nx9500-6C8809(config-profile-testNX9500)#dpi logging level 7
nx9500-6C8809(config-profile-testNX9500)#show context
profile nx9000 testNX9500
 bridge vlan 10
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
.........................................................
 router bgp
 dpi logging on
 dpi logging level debugging
nx9500-6C8809(config-profile-testNX9500)#

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#dpi metadata tcp-rtt app-group amazon

Related Commands
no
    Disables DPI (application assurance) on this profile
7.1.24 dscp-mapping
Profile Config Commands

Configures IP Differentiated Services Code Point (DSCP) to 802.1p priority mapping for untagged frames

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dscp-mapping <WORD> priority <0-7>

Parameters
• dscp-mapping <word> priority <0-7>

<WORD>
    Specifies the DSCP value of a received IP packet. This could be a single value or a list. For example, 10-20, 25, 30-35.
priority <0-7>
    Specifies the 802.1p priority to use for a packet if untagged. The priority is set on a scale of 0 - 7. The priority values are:
    • 0 – Best effort
    • 1 – Background
    • 2 – Spare
    • 3 – Excellent effort
    • 4 – Controlled load
    • 5 – Video
    • 6 – Voice
    • 7 – Network control
    Note: The specified 802.1p priority value is added as a 3-bit IP precedence value in the Type of Service (ToS) field of the IP header used to set the priority. Up to 64 entries are permitted.

Example
rfs7000-37FABE(config-profile-default-rfs7000)#dscp-mapping 20 priority 7
rfs7000-37FABE(config-profile-default-rfs7000)#show context
profile rfs7000 default-rfs7000
 dscp-mapping 20 priority 7
 no autoinstall configuration
 no autoinstall firmware
 crypto isakmp policy default
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 interface me1
 interface ge1
  ip dhcp trust
  qos trust dscp
rfs7000-37FABE(config-profile-default-rfs7000)#

Related Commands
no
    Disables or reverts settings to their default
7.1.25 eguest-server (VX9000 only)
Profile Config Commands

Enables the ExtremeGuest (EGuest) server

The WiNG EGuest solution is an independently installable VM/Server that provides integrated guest management and analytics. Use this command to enable the EGuest daemon on the EGuest server.

Supported in the following platforms:
• Service Platforms — VX9000

Syntax
eguest-server

Parameters
• eguest-server

eguest-server
    Execute this command, without the ‘host’ option, on the EGuest server. When executed, the EGuest daemon is enabled on the host.
    The EGuest server can be hosted only on a VX9000 platform.

NOTE: EGuest being a licensed feature, ensure that the EGUEST-DEV license is applied on the EGuest server’s self context. For more information, see license.

NOTE: For more information on configuring an EGuest captive-portal deployment, see configuring ExtremeGuest captive-portal.

Example
On the EGuest server, execute the command without the ‘host’ option to enable the EGuest daemon.

EG-Server(config-device-02-EE-1A-7E-AE-5B)#eguest-server
EG-Server(config-device-02-EE-1A-7E-AE-5B)#show context include-factory | include eguest-server
 eguest-server
EG-Server(config-device-02-EE-1A-7E-AE-5B)#

Related Commands
no
    Disables the EGuest server by stopping the EGuest daemon
7.1.26 eguest-server (NOC Only)
Profile Config Commands

Points to the EGuest server when executed along with the ‘host’ option. The WiNG EGuest solution is an independently installable VM/Server that provides integrated guest management and analytics. Use this command to enable the EGuest daemon on the EGuest server.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https}

Parameters
• eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https}

eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https}
    Configures the EGuest server details in the profile/device context of the NOC (access point/controller). When configured, the NOC posts registration requests and captive-portal related data directly to the specified EGuest server.
    • <1-3> – Configures the EGuest server index number. A maximum of three EGuest servers can be configured.
    • host <IPv4/IPv6/HOSTNAME> – Configures the EGuest server’s IPv4/IPv6 address or hostname.
    • {http|https} – Optional. Configures the mode of connection as HTTP or HTTPS.
    Note: HTTPS is recommended as it uses encryption for transmission and is therefore more secure.

NOTE: EGuest being a licensed feature, ensure that the EGUEST-DEV license is applied on the EGuest server’s self context. For more information, see license.

NOTE: For more information on configuring an EGuest captive-portal deployment, see configuring ExtremeGuest captive-portal.

Example
On the NOC, execute along with the ‘host’ option to point to the EGuest server.

EG-NOC(config-device-74-67-F7-5C-64-4A)#eguest-server 1 host EG-Server https
EG-NOC(config-device-74-67-F7-5C-64-4A)#show context include-factory | include eguest-server
 no eguest-server
 eguest-server 1 host EG-Server https
EG-NOC(config-device-74-67-F7-5C-64-4A)#

Related Commands
no
    Removes the EGuest server IP address/hostname configuration
7.1.27 email-notification
Profile Config Commands

Configures e-mail notification settings. When a system event occurs, e-mail notifications are sent (provided message logging is enabled) based on the settings configured here. Use this option to configure the outgoing SMTP server settings.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
email-notification [host|recipient]
email-notification recipient <RECIPIENT-NAME>
email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL> [port|security|username]
email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL> [(port <1-65535>, security [none|ssl|starttls], username <SMTP-USERNAME> password [2 <WORD>|<WORD>])]

Parameters
• email-notification recipient <RECIPIENT-EMAIL>

recipient <RECIPIENT-EMAIL>
    Defines the recipient’s e-mail address. A maximum of 6 (six) e-mail addresses can be configured.
    • <RECIPIENT-EMAIL> – Specify the recipient’s e-mail address (should not exceed 64 characters in length).

• email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL> [(port <1-65535>, security [none|ssl|starttls], username <SMTP-USERNAME> password [2 <WORD>|<WORD>])]

host <SMTP-SERVER-IP/HOSTNAME>
    Configures the host SMTP server’s IP address or hostname
    • <SMTP-SERVER-IP/HOSTNAME> – Specify the SMTP server’s IP address or hostname.
sender <SENDER-EMAIL>
    Defines the sender’s e-mail address. This is the from address on notification e-mails.
    • <SENDER-EMAIL> – Specify the sender’s e-mail address (should not exceed 64 characters in length).
    Use the email-notification > recipient > <EMAIL-ADDRESS> command to configure the recipient's address.
port <1-65535>
    This option is recursive and applicable to the ‘security’ and ‘username’ parameters.
    Configures the SMTP server port. Use this option to configure a non-standard SMTP port on the outgoing SMTP server. The standard SMTP port is 25.
    • <1-65535> – Specify the port from 1 - 65535.
security [none|ssl|starttls]
    This option is recursive and applicable to the ‘port’ and ‘username’ parameters.
    Configures the SMTP encryption type used
    • none – No encryption used
    • ssl – Uses Secure Sockets Layer (SSL) encryption between the SMTP server and the client
    • starttls – Uses STARTTLS encryption between the SMTP server and the client
username <SMTP-USERNAME> password [2 <WORD>|<WORD>]
    This option is recursive and applicable to the ‘port’ and ‘security’ parameters.
    Configures the SMTP sender’s username. Many SMTP servers require users to authenticate with a username and password before sending e-mail through the server.
    • <SMTP-USERNAME> – Specify the SMTP username (should not exceed 64 characters in length).
    • password – Configures the SMTP server password. Specify the password associated with the username of the sender on the outgoing SMTP server.
        • 2 <WORD> – Configures an encrypted password
        • <WORD> – Specify the password (should not exceed 127 characters in length).

Example
rfs6000-37FABE(config-profile-default-rfs6000)#email-notification recipient test@examplecompany.com
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs7000 default-rfs7000
 dscp-mapping 20 priority 7
 no autoinstall configuration
 no autoinstall firmware
.............................................................
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 use firewall-policy default
 email-notification recipient test@examplecompany.com
 service pm sys-restart
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Disables or reverts settings to their default
7.1.28 enforce-version
Profile Config Commands

Enables checking of a device’s firmware version before attempting adoption or clustering

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
enforce-version [adoption|cluster] [full|major|minor|none|strict]

Parameters
• enforce-version [adoption|cluster] [full|major|minor|none|strict]

adoption
    Verifies firmware versions before adopting. This option is enabled by default.
cluster
    Verifies firmware versions before clustering. This option is enabled by default.
full
    Allows adoption or clustering when the first four octets of the firmware versions match (for example 5.8.6.0)
major
    Allows adoption or clustering when the first two octets of the firmware versions match (for example 5.8)
minor
    Allows adoption or clustering when the first three octets of the firmware versions match (for example 5.8.6)
none
    Allows adoption or clustering between any firmware versions
strict
    Allows adoption or clustering only when firmware versions exactly match (for example 5.8.6.0-008B). This is the default setting for both ‘adoption’ and ‘cluster’ options.

Example
nx9500-6C8809(config-profile-test-nx5500)#enforce-version cluster full
nx9500-6C8809(config-profile-test-nx5500)#enforce-version adoption major
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
....................................................
 interface pppoe1
 use firewall-policy default
 enforce-version adoption major
 enforce-version cluster full
 service pm sys-restart
 router ospf
 router bgp
 dot1x system-auth-control
 dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#

Related Commands
no
    Disables or reverts settings to their default
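The following added example (not code from the guide or from WiNG) models the five enforce-version match levels in Python, so you can see which peers each level would admit before relaxing the default of strict. The version-string layout, the function names and the sample fleet are assumptions constructed from the "5.8.6.0-008B" example above.

```python
import re

# Leading dotted fields that must match at each level, per the parameter table.
PREFIX_FIELDS = {"major": 2, "minor": 3, "full": 4}
# Strictest first; used to report the tightest level that still admits a pair.
LEVELS = ["strict", "full", "minor", "major", "none"]

# Assumption: two to four dotted numeric fields plus an optional "-<build>"
# suffix, the shape of the "5.8.6.0-008B" example in the guide.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){1,3})(?:-([0-9A-Za-z]+))?$")


def parse_version(version):
    """Return ([int fields], build-or-None) for a firmware version string."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    fields = [int(part) for part in match.group(1).split(".")]
    return fields, match.group(2)


def versions_compatible(level, local, peer):
    """True if `peer` would pass the version check against `local`."""
    if level not in LEVELS:
        raise ValueError(f"unknown enforce-version level: {level!r}")
    if level == "none":
        return True                          # any firmware is accepted
    if level == "strict":
        return local.strip() == peer.strip() # whole string, build included
    needed = PREFIX_FIELDS[level]
    local_fields, _ = parse_version(local)
    peer_fields, _ = parse_version(peer)
    if len(local_fields) < needed or len(peer_fields) < needed:
        return False                         # too few fields to prove a match
    return local_fields[:needed] == peer_fields[:needed]


def strictest_admitting_level(local, peer):
    """Tightest level under which the pair still passes ('none' always does)."""
    for level in LEVELS:
        if versions_compatible(level, local, peer):
            return level


def audit_fleet(controller_version, peers):
    """Map each peer name to the strictest level that would still admit it."""
    return {name: strictest_admitting_level(controller_version, version)
            for name, version in peers.items()}


# Constructed sample data: hostnames and build suffixes are illustrative only.
CONTROLLER = "5.8.6.0-008B"
PEERS = {
    "ap-lobby": "5.8.6.0-008B",   # identical build
    "ap-lab": "5.8.6.0-011R",     # same four fields, different build
    "ap-dock": "5.8.6.2-003R",    # differs in the fourth field
    "ap-annex": "5.8.4.0-034R",   # differs in the third field
    "ap-legacy": "5.5.1.0-017R",  # differs in the second field
}

if __name__ == "__main__":
    for name, level in audit_fleet(CONTROLLER, PEERS).items():
        print(f"{name:10s} admitted at level: {level}")
```

Any peer reported at `major` or `none` only joins if the check is relaxed that far, which also admits firmware that may lack later fixes.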
7.1.29 environmental-sensor
Profile Config Commands

Configures the environmental sensor settings

An AP8132 sensor module is a USB environmental sensor extension to an AP8132 model access point. It provides a variety of sensing mechanisms, allowing the monitoring and reporting of the AP8132's radio coverage area.

Supported in the following platforms:
• Access Points — AP8132

Syntax
environmental-sensor [humidity|light|motion|polling-interval|temperature]
environmental-sensor [humidity|motion|polling-interval <1-100>|temperature]
environmental-sensor light {holdtime|radio-shutdown|threshold}
environmental-sensor light {holdtime <10-201>|radio-shutdown [all|radio-1|radio-2]}
environmental-sensor light {threshold [high <100-10000>|low <0-1000>]}

Parameters
environmental-sensor
    Configures environmental sensor settings on this profile

• environmental-sensor [humidity|motion|polling-interval <1-100>|temperature]

humidity
    Enables (turns on) humidity sensors. This setting is enabled by default.
motion
    Enables (turns on) motion sensors. This setting is enabled by default.
polling-interval <1-100>
    Configures polling interval, in seconds, on all sensors. This is the interval after which the sensor module polls its environment to assess the various parameters, such as light intensity.
    • <1-100> – Specify a value from 1 - 100 seconds. The default is 5 seconds.
temperature
    Enables (turns on) temperature sensors. This setting is enabled by default.

• environmental-sensor light {holdtime <10-201>|radio-shutdown [all|radio-1|radio-2]}

light
    Enables (turns on) light sensors and specifies its settings
    When enabled, the sensor module polls the environment to determine the light intensity. Based on the reading, the system determines whether the AP8132’s deployment location has lights on or off. Light intensity also helps determine whether the access point’s deployment location is currently populated with clients.
holdtime <10-201>
    Optional. Configures a holdtime, in seconds, for the light sensor
    • <10-201> – Specify a value from 10 - 201 seconds. The default value is 11 seconds.
radio-shutdown [all|radio1|radio2]
    Optional. Shuts down the sensor’s radios
    • all – Shuts down all radios. This is the default setting.
    • radio1 – Shuts down radio 1
    • radio2 – Shuts down radio 2
    AP8132s using this profile have their radios shut down when the radio’s power falls below the specified threshold. Use the environmental-sensor > light > threshold > [high|low] command to set the threshold values.

• environmental-sensor light {threshold [high <100-10000>|low <0-1000>]}

light
    Enables (turns on) light sensors and specifies its settings
threshold
    Optional. Configures the upper and lower thresholds for the amount of light in the environment
high <100-10000>
    Specifies the upper threshold from 100 - 10000 lux. This value determines whether lighting is on in the AP8132’s deployment location. The radios are turned off if the average reading value is lower than the value set here. The default is 400 lux.
    The light sensor triggers an event if the amount of light exceeds the specified value.
low <0-1000>
    Specifies the lower threshold from 0 - 1000 lux. This value determines whether lighting is off in the AP8132’s deployment location. The radios are turned on when the average value is higher than the value set here. The default is 200 lux.
    The light sensor triggers an event if the amount of light drops below the specified value.

Example
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor humidity
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor polling-interval 60
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light radio-shutdown all
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light threshold high 300
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light threshold low 100
rfs4000-229D58(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
 bridge vlan 1
  tunnel-over-level2
  ip igmp snooping
  ip igmp snooping querier
 environmental-sensor polling-interval 60
 environmental-sensor light threshold high 300
 environmental-sensor light threshold low 100
 environmental-sensor light radio-shutdown all
 no autoinstall configuration
 no autoinstall firmware
 device-upgrade persist-images
--More--
rfs4000-229D58(config-profile-testRFS4000)#

Related Commands
no
    Removes the environmental sensor’s settings
7.1.30 events
Profile Config Commands

Displays system event messages

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
events [forward on|on]

Parameters
• events [forward on|on]

forward on
    Forwards system event messages to the wireless controller, service platform, or cluster members. This feature is enabled by default.
    • on – Enables forwarding of system events
on
    Generates system events. This feature is enabled by default.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#events forward on
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Disables or reverts settings to their default
7.1.31 export
Profile Config Commands

Enables export of startup.log file after every boot

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
export startup-log [max-retries|retry-interval|url]
export startup-log [max-retries <2-65535>|retry-interval <30-86400>|url <URL>]

Parameters
• export startup-log [max-retries <2-65535>|retry-interval <30-86400>|url <URL>]

export startup-log
    Enables export of the startup.log file after every boot. This option is disabled by default.
max-retries <2-65535>
    Configures the maximum number of retries in case the export process fails
    • <2-65535> – Specify a value from 2 - 65535.
retry-interval <30-86400>
    Configures the interval between two consecutive retries
    • <30-86400> – Specify a value from 30 - 86400 seconds.
url <URL>
    Configures the destination URL in the following format:
    tftp://<hostname|IP>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    sftp://<user>@<hostname|IP>[:port]>/path/file

Example
nx9500-6C8809(config-profile-test-nx5500)#export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:anonymous@192.168.13.10/log/startup.log
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
.......................................................
 interface ge5
 interface ge6
 interface pppoe1
 use firewall-policy default
 export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:anonymous@192.168.13.10/log/startup.log
 enforce-version adoption major
 enforce-version cluster full
 service pm sys-restart
--More--
nx9500-6C8809(config-profile-test-nx5500)#

Related Commands
no
    Disables export of startup.log file
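The eguest-server, email-notification and export commands above each accept an unencrypted transport (http, security none, ftp/tftp). The following added example (not code from the guide or from WiNG) scans saved show context text for those settings. The finding codes and the constructed sample are assumptions, as is the layout of the email-notification host line, which follows the Syntax section because the guide shows no output for it.

```python
from urllib.parse import urlsplit

# URL schemes from the export section that carry the log (and, for FTP, the
# password) without encryption.
CLEARTEXT_URL_SCHEMES = {"ftp", "tftp"}


def _value_after(tokens, keyword):
    """Return the token following `keyword`, or None if it is absent."""
    if keyword in tokens:
        index = tokens.index(keyword)
        if index + 1 < len(tokens):
            return tokens[index + 1]
    return None


def audit_context(text):
    """Return (line_number, finding_code, config_line) for weak settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        tokens = line.split()
        if not tokens or tokens[0] == "no":
            continue  # blank line or a negated (disabled) setting

        if tokens[0] == "eguest-server" and "host" in tokens:
            # {http|https} is optional and, when present, is the last token.
            if tokens[-1] == "http":
                findings.append((lineno, "cleartext-http", line))
            elif tokens[-1] != "https":
                findings.append((lineno, "mode-unspecified", line))

        elif tokens[:2] == ["email-notification", "host"]:
            security = _value_after(tokens, "security")
            if security == "none":
                findings.append((lineno, "smtp-no-encryption", line))
            elif security is None:
                findings.append((lineno, "smtp-security-unspecified", line))
            # 'password 2 <WORD>' is the encrypted form; anything else was
            # entered as the password itself.
            password = _value_after(tokens, "password")
            if password is not None and password != "2":
                findings.append((lineno, "password-not-encrypted-form", line))

        elif tokens[:2] == ["export", "startup-log"]:
            url = _value_after(tokens, "url")
            if url:
                parts = urlsplit(url)
                if parts.scheme.lower() in CLEARTEXT_URL_SCHEMES:
                    findings.append((lineno, "cleartext-transfer", line))
                if parts.password is not None:
                    findings.append((lineno, "credentials-in-url", line))
    return findings


# Constructed sample: the https and export lines are taken from the examples
# in this guide; the http and email-notification host lines are illustrative.
SAMPLE_CONTEXT = """\
profile nx5500 test-nx5500
 eguest-server 1 host EG-Server https
 eguest-server 2 host 192.0.2.20 http
 email-notification recipient test@examplecompany.com
 email-notification host 192.0.2.25 sender wing@example.com port 25 security none username alerts password Example123
 export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:anonymous@192.168.13.10/log/startup.log
"""

if __name__ == "__main__":
    for lineno, code, line in audit_context(SAMPLE_CONTEXT):
        print(f"line {lineno}: {code}: {line}")
```

The "unspecified" codes mark lines where the optional keyword is missing; the guide does not state the default in that case, so confirm it on the device.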
7.1.32 file-sync
Profile Config Commands

Configures parameters enabling auto syncing of trustpoint/wireless-bridge certificate between the staging-controller and its adopted access points

This command is applicable to the access point’s profile as well as device configuration modes.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
file-sync [auto|count <1-20>]

Parameters
• file-sync [auto|count <1-20>]

file-sync [auto|count <1-20>]
    Configures the following file-synching parameters:
    • auto – Enables the staging controller to autoinstall trustpoint/wireless-bridge certificate on an access point when it comes up for the first time and adopts to the controller. Prior to enabling file syncing, ensure that the wireless-bridge certificate is present on the staging controller. To upload the certificate on the controller, in the user or privilege executable modes, execute the following command: file-sync > load-file > <URL>.
    • count <1-20> – Configures the maximum number of access points that can be concurrently auto-installed.
        • <1-20> – Specify a value from 1 - 20. The default is 10 access points.
      For the NX95XX service platforms the count-range is from 1 - 128.

Example
nx9500-6C8809(config-profile-default-rfs6000)#file-sync auto
nx9500-6C8809(config-profile-default-rfs6000)#file-sync count 8
nx9500-6C8809(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 no autoinstall configuration
 no autoinstall firmware
 no device-upgrade auto
 file-sync count 8
 file-sync auto
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
--More--
nx9500-6C8809(config-profile-default-rfs6000)#

Related Commands
no
    Disables automatic file syncing between the staging-controller and its access points
7.1.33 floor
Profile Config Commands

Sets the floor name where the target device (access point, wireless controller, or service platform using this profile) is physically located. Assigning a building floor name helps in grouping devices within the same general coverage area.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
floor <WORD> {<1-4094>}

Parameters
• floor <WORD> {<1-4094>}

floor <WORD> {<1-4094>}
    Sets the floor name where the target device is located
    • <WORD> – Specify the floor name (should not exceed 64 characters in length).
    • <1-4094> – Optional. Configures the floor number from 1 - 4094. The default is 1.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#floor fifth
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs7000 default-rfs7000
 bridge vlan 1
  ip igmp snooping
  ip igmp snooping querier
 area Ecospace
 floor fifth
 autoinstall configuration
 autoinstall firmware
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
no
    Resets the configured floor name and number
7.1.34 gre
Profile Config Commands

The following table summarizes commands that allow you to enter the GRE configuration mode:

Command               Description                                                   Reference
gre                   Enables GRE tunneling on a profile/device. This command       page 7-166
                      also creates a GRE tunnel and enters its configuration
                      mode. Use this command to modify an existing GRE tunnel’s
                      settings.
gre-config-instance   Summarizes GRE tunnel configuration mode commands             page 7-168
7.1.34.1 gre
gre

Enables Generic Routing Encapsulation (GRE) tunneling on this profile, and creates a new GRE tunnel or modifies an existing GRE tunnel.

The GRE protocol allows encapsulation of one protocol over another. It is a tunneling protocol that transports any layer 3 protocol over an IP network. When enabled, a payload packet is first encapsulated in the GRE protocol. The GRE encapsulated payload is then encapsulated in another IP packet before being forwarded to the destination.

GRE tunneling can be configured to bridge Ethernet packets between WLANs and a remote WLAN gateway over an IPv4 GRE tunnel. The tunneling of 802.3 packets using GRE is an alternative to MiNT or L2TPv3. Related features like ACLs for extended VLANs are still available using layer 2 tunneling over GRE.

Using GRE, access points map one or more VLANs to a tunnel. The remote end point is a user-configured WLAN gateway IP address, with an optional secondary IP address should connectivity to the primary GRE peer be lost. VLAN traffic is expected in both directions in the GRE tunnel. A WLAN mapped to these VLANs can be either open or secure. Secure WLANs require authentication to a remote RADIUS server available within your deployment using standard RADIUS protocols. Access Points can reach both the GRE peer as well as the RADIUS server using IPv4.

The WiNG software now supports both IPv4 and IPv6 tunnel endpoints. However, a tunnel must contain either IPv4 or IPv6 formatted device addresses; the two cannot be mixed. With the new IPv6 tunnel implementation, all outbound packets are encapsulated with the GRE header, then the IPv6 header. The header’s source IP address is the local IPv6 address of the tunnel interface, and the destination address is the peer address of the tunnel. All inbound packets are de-capsulated by removing the IPv6 and GRE headers before they are sent to the IP stack.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
gre tunnel <GRE-TUNNEL-NAME>

Parameters
• gre tunnel <GRE-TUNNEL-NAME>

NOTE: Only one GRE tunnel can be created for every profile.

gre tunnel <GRE-TUNNEL-NAME>
    Creates a new GRE tunnel or modifies an existing GRE tunnel
    • <GRE-TUNNEL-NAME> – If creating a new tunnel, specify a unique name for it. If modifying an existing tunnel, specify its name.
Example
rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#?
GRE Tunnel Mode commands:
  dscp                    Differentiated Services Code Point
  establishment-criteria  Set tunnel establishment criteria
  failover                L2gre tunnel failover
  mtu                     L2GRE tunnel endpoint maximum transmission unit(MTU)
  native                  Native trunking characteristics
  no                      Negate a command or set its defaults
  peer                    L2GRE peer
  tunneled-vlan           VLANs to tunnel
  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  do                      Run commands from Exec mode
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal
rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#

rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#peer 1 ip 192.168.13.8
rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#peer 2 ip 192.168.13.10
rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#show context
 gre tunnel testGREtunnel
  peer 1 ip 192.168.13.8
  peer 2 ip 192.168.13.10
rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#

rfs4000-229D58(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
 bridge vlan 1
  tunnel-over-level2
  ip igmp snooping
  ip igmp snooping querier
..................................................................................
 use firewall-policy default
 service pm sys-restart
 router ospf
 gre tunnel testGREtunnel
  peer 1 ip 192.168.13.8
  peer 2 ip 192.168.13.10
rfs4000-229D58(config-profile-testRFS4000)#

Related Commands
no
    Disables GRE tunneling on this profile
7.1.34.2 gre-config-instance
gre

The following table summarizes GRE tunnel configuration mode commands:

Command                  Description                                                   Reference
dscp                     Sets the GRE tunnel’s Differentiated Services Code Point      page 7-169
                         (DSCP) / 802.1q priority value
establishment-criteria   Configures the GRE tunnel establishment criteria              page 7-169
failover                 Enables periodic pinging of the primary gateway to assess     page 7-171
                         its availability, in case it is unreachable
mtu                      Configures the maximum transmission unit (MTU) for            page 7-172
                         IPv4/IPv6 L2GRE tunnel endpoints
native                   Configures native trunking settings for this GRE tunnel       page 7-173
no                       Removes the GRE tunnel settings based on the parameters       page 7-174
                         passed
peer                     Configures the GRE tunnel’s end-point peers                   page 7-175
tunneled-vlan            Defines the VLAN that connected clients use to route          page 7-176
                         GRE-tunneled traffic within their respective WLANs
7.1.34.2.1 dscp
gre-config-instance

Sets the GRE tunnel’s DSCP / 802.1q priority value from encapsulated packets to the outer packet IPv4 header.

This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dscp [<0-63>|reflect]

Parameters
• dscp [<0-63>|reflect]

dscp <0-63>
    Specifies the DSCP 802.1q priority value for outer packets from 0 - 63. The default is 1.

dscp reflect
    Copies the DSCP 802.1q value from inner packets

Example
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#dscp 20
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
 gre tunnel testGRETunnel
  dscp 20
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

Related Commands
no
    Removes the GRE tunnel settings based on the parameters passed
7.1.34.2.2 establishment-criteria
gre-config-instance

Configures the GRE tunnel establishment criteria

In a multi-controller RF domain, it is always the master node that establishes the tunnel. The tunnel is created only if the tunnel device is designated as one of the following: vrrp-master, cluster-master, or rf-domain-manager.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]

Parameters
• establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]

establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]
    Configures the GRE tunnel establishment criteria. The options are:
    • always – Always automatically establishes the tunnel. The tunnel device need not be a cluster master, RF Domain manager, or VRRP master to establish the GRE tunnel. This is the default setting.
    • cluster-master – Establishes tunnel only if the tunnel device is designated as the cluster master
    • rf-domain-manager – Establishes tunnel only if the tunnel device is designated as the RF Domain manager
    • vrrp-master <1-255> – Establishes tunnel only if the tunnel device is designated as the Virtual Router Redundancy (VRRP) master
      • <1-255> – Configures the VRRP group ID from 1 - 255. A VRRP group enables the creation of a group of routers as a default gateway for redundancy. Clients can point to the IP address of the VRRP virtual router as their default gateway and utilize a different group member if a master becomes unavailable.

Example
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#establishment-criteria rf-domain-manager
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#show context
 gre tunnel testGREtunnel
  establishment-criteria rf-domain-manager
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#
7.1.34.2.3 failover
gre-config-instance

Enables periodic pinging of the primary gateway to assess its availability. When enabled, the system continues pinging an unreachable gateway for a specified number of times and at the specified interval.

This option is disabled by default.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
failover interval <1-250> retry <1-10>

Parameters
• failover interval <1-250> retry <1-10>

failover interval <1-250> retry <1-10>
    Specifies the interval, in seconds, between two successive pings to the primary gateway. If the primary gateway is unreachable, the system pings it at intervals specified here.
    • <1-250> – Specify a value from 1 - 250 seconds.
    • retry – Specifies the maximum number of attempts made to ping the primary gateway before the session is terminated.
      • <1-10> – Specify a value from 1 - 10.

Example
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#failover interval 200 retry 5
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
 gre tunnel testGRETunnel
  dscp 20
  failover interval 200 retry 5
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

Related Commands
no
    Removes the GRE tunnel settings based on the parameters passed
7.1.34.2.4 mtu
gre-config-instance

Configures the MTU for IPv4/IPv6 L2GRE tunnel endpoints

The MTU is the largest physical packet size (in bytes) transmittable within the tunnel. Any messages larger than the configured MTU are divided into smaller packets before transmission. The larger the MTU, the greater the efficiency, because each packet carries more user data while protocol overheads, such as headers or underlying per-packet delays, remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput. A larger MTU results in the processing of fewer packets for the same amount of data.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mtu [ipv4 <900-1476>|ipv6 <1236-1456>]

Parameters
• mtu [ipv4 <900-1476>|ipv6 <1236-1456>]

mtu [ipv4 <900-1476>|ipv6 <1236-1456>]
    Configures the MTU for L2GRE tunnel endpoints
    • ipv4 <900-1476> – Configures IPv4 L2GRE tunnel endpoint MTU from 900 - 1476. The default is 1476.
    • ipv6 <1236-1456> – Configures IPv6 L2GRE tunnel endpoint MTU from 1236 - 1456. The default is 1456.

Example
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#mtu ipv4 1200
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#mtu ipv6 1300
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#show context
 gre tunnel testGREtunnel
  mtu ipv4 1200
  mtu ipv6 1300
  establishment-criteria rf-domain-manager
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#
7.1.34.2.5 native
gre-config-instance

Configures native trunking settings for this GRE tunnel

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
native [tagged|vlan <1-4094>]

Parameters
• native [tagged|vlan <1-4094>]

native tagged
    Enables native VLAN tagging
    The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame, identifying for upstream devices the VLAN ID that the frame belongs to. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. This feature is disabled by default.

native vlan <1-4094>
    Specifies a numerical VLAN ID (1 - 4094) for the native VLAN
    The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.

Example
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#native tagged
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#native vlan 20
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#show context
 gre tunnel testGREtunnel
  native vlan 20
  native tagged
  mtu ipv4 1200
  mtu ipv6 1300
  establishment-criteria rf-domain-manager
nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#

Related Commands
no
    Removes the GRE tunnel settings based on the parameters passed
7.1.34.2.6 no
gre-config-instance

Removes or resets the GRE tunnel settings based on the parameters passed

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [dscp|establishment-criteria|failover|mtu|native|peer|tunneled-vlan]
no [dscp|establishment-criteria|failover|tunneled-vlan]
no mtu [ipv4|ipv6]
no native [tagged|vlan]
no peer <1-2>

Parameters
• no <PARAMETERS>

no <PARAMETERS>
    Removes or resets the GRE tunnel’s settings based on the parameters passed

Example
The following example shows the GRE tunnel ‘testGRETunnel’ settings before the no commands are executed:

rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
 gre tunnel testGRETunnel
  peer 1 ip 192.168.13.6
  native vlan 1
  tunneled-vlan 1,10
  native tagged
  dscp 20
  failover interval 200 retry 5
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no dscp
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no native vlan
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no tunneled-vlan
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no failover

The following example shows the GRE tunnel ‘testGRETunnel’ settings after the no commands are executed:

rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
 gre tunnel testGRETunnel
  peer 1 ip 192.168.13.6
  native tagged
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#
7.1.34.2.7 peer
gre-config-instance

Adds the GRE tunnel’s end-point peers. A maximum of two peers, representing the tunnel’s end points, can be added for each GRE tunnel.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
peer <1-2> ip <IPv4/IPv6>

Parameters
• peer <1-2> ip <IPv4/IPv6>

peer <1-2> ip <IPv4/IPv6>
    Configures the tunnel’s end-point peers
    • <1-2> – Specify a numeric index for each peer to help differentiate the tunnel end points.
    • ip – Specify the IP address (IPv4/IPv6) of the added GRE peer to serve as a network address identifier.
      • <IPv4/IPv6> – Specify the peer’s IPv4 or IPv6 address.

Example
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#peer 1 ip 192.168.13.6
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
 gre tunnel testGRETunnel
  peer 1 ip 192.168.13.6
  native tagged
  dscp 20
  failover interval 200 retry 5
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

Related Commands
no
    Removes the GRE tunnel settings based on the parameters passed
7.1.34.2.8 tunneled-vlan
gre-config-instance

Defines the VLAN that connected clients use to route GRE tunneled traffic within their respective WLANs

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
tunneled-vlan <VLAN-ID>

Parameters
• tunneled-vlan <VLAN-ID>

tunneled-vlan <VLAN-ID>
    Specifies the VLANs associated with this GRE tunnel
    • <VLAN-ID> – Specify the VLAN IDs. To specify multiple VLANs, provide a comma-separated list of IDs. For example, 1,10,12,16-20.

Example
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#tunneled-vlan 10
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
 gre tunnel testGRETunnel
  peer 1 ip 192.168.13.6
  native vlan 1
  tunneled-vlan 1,10
  native tagged
  dscp 20
  failover interval 200 retry 5
rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

Related Commands
no
    Removes the GRE tunnel settings based on the parameters passed
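
The following offline check is an added example, not part of the guide or of WiNG: it reviews a templated or exported "gre tunnel" block against the value ranges documented in the gre-config-instance commands above, expands the tunneled-vlan list so the full set of bridged VLANs is visible, and flags peers that mix IPv4 and IPv6. The function names and the second sample block are assumptions constructed for illustration.

```python
import ipaddress
import re

# Numeric ranges copied from the syntax lines of the gre-config-instance commands.
RANGES = {
    "dscp": (0, 63),
    "failover interval": (1, 250),
    "failover retry": (1, 10),
    "mtu ipv4": (900, 1476),
    "mtu ipv6": (1236, 1456),
    "native vlan": (1, 4094),
    "vrrp-master": (1, 255),
    "tunneled-vlan": (1, 4094),
}

# Values taken from the guide's own "show context" output for testGRETunnel.
GOOD_CONTEXT = """\
 gre tunnel testGRETunnel
  peer 1 ip 192.168.13.6
  native vlan 1
  tunneled-vlan 1,10
  native tagged
  dscp 20
  failover interval 200 retry 5
"""

# Constructed sample with deliberate mistakes (not from the guide).
BAD_CONTEXT = """\
 gre tunnel badTunnel
  peer 1 ip 192.168.13.8
  peer 2 ip 2001:db8::10
  mtu ipv4 1500
  mtu ipv6 1300
  tunneled-vlan 1,10,4095
  failover interval 200 retry 12
"""


def expand_vlans(spec):
    """Expand a tunneled-vlan list such as '1,10,12,16-20' into sorted VLAN IDs."""
    lo_ok, hi_ok = RANGES["tunneled-vlan"]
    vlans = set()
    for token in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token.strip())
        if not m:
            raise ValueError(f"bad VLAN token {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if lo > hi:
            raise ValueError(f"descending range {token!r}")
        if lo < lo_ok or hi > hi_ok:
            raise ValueError(f"VLAN {token} outside {lo_ok}-{hi_ok}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def in_range(findings, key, value):
    """Record a finding when value falls outside the documented range for key."""
    lo, hi = RANGES[key]
    if not lo <= int(value) <= hi:
        findings.append(f"{key} {value} outside {lo}-{hi}")


def lint_gre_tunnel(context):
    """Check the lines of one 'gre tunnel' block and return a list of findings."""
    findings, families = [], {}
    for raw in context.splitlines():
        line = " ".join(raw.split())
        if m := re.fullmatch(r"peer (\d+) ip (\S+)", line):
            if m.group(1) not in ("1", "2"):
                findings.append(f"peer index {m.group(1)} outside 1-2")
            try:
                families[m.group(1)] = ipaddress.ip_address(m.group(2)).version
            except ValueError:
                findings.append(f"peer {m.group(1)} address {m.group(2)!r} is not IPv4 or IPv6")
        elif m := re.fullmatch(r"(dscp|native vlan|mtu ipv4|mtu ipv6) (\d+)", line):
            in_range(findings, m.group(1), m.group(2))
        elif m := re.fullmatch(r"establishment-criteria vrrp-master (\d+)", line):
            in_range(findings, "vrrp-master", m.group(1))
        elif m := re.fullmatch(r"failover interval (\d+) retry (\d+)", line):
            in_range(findings, "failover interval", m.group(1))
            in_range(findings, "failover retry", m.group(2))
        elif m := re.fullmatch(r"tunneled-vlan (\S+)", line):
            try:
                expand_vlans(m.group(1))
            except ValueError as exc:
                findings.append(f"tunneled-vlan: {exc}")
    # The guide states a tunnel's endpoints must be all IPv4 or all IPv6.
    if len(set(families.values())) > 1:
        findings.append("peers mix IPv4 and IPv6 addresses")
    return findings


if __name__ == "__main__":
    print(expand_vlans("1,10,12,16-20"))
    for finding in lint_gre_tunnel(BAD_CONTEXT):
        print("FINDING:", finding)
```
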
7.1.35 http-analyze
Profile Config Commands

Enables forwarding of HTTP request related data to the HTTP analytics engine

Wireless clients (MUs) connect to APs and route their HTTP requests through the APs. These APs extract and forward HTTP request packets, through MiNT, to the NX series controller. The NX series controller uses a new analytic daemon to cache, format, and forward information to the analytics engine. Currently the analytics daemon is supported only on the NX series service platform. Therefore, it is essential that all APs use an NX series service platform as their controller.

In a hierarchically organized network, HTTP analytics data forwarding is a simple and transparent process. The site controllers receive the HTTP data from their adopted APs. This data is compressed and forwarded to the Network Operations Center (NOC) controller. There is no need for a separate configuration to enable this feature.

Use this command to configure the mode and interval at which data is sent to the controller and the external analytics engine. This command also configures the external engine’s details, such as URL, credentials, etc.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
http-analyze [compress|external-server|update-interval <1-3600>]
http-analyze [compress|update-interval <1-3600>]
http-analyze external-server [password <WORD>|proxy <URL>|update-interval <1-3600>|url <URL>|username <WORD>|validate-server-certificate]

NOTE: The Analytics module helps gather data about customer behavior such as web sites visited, search terms used, mobile device types, number of new users vs. repeat users. This data provides a better understanding of pricing strategies and promotions being run by competitors.

Parameters
• http-analyze [compress|update-interval <1-3600>]

http-analyze
    Configures HTTP analysis related parameters

compress
    Compresses update files before forwarding to the controller. This option is disabled by default.

update-interval <1-3600>
    Configures the interval, in seconds, at which buffered packets are pushed to the controller
    • <1-3600> – Specify the interval from 1 - 3600 seconds. The default is 60 seconds.

• http-analyze external-server [password <WORD>|proxy <URL>|update-interval|url|username|validate-server-certificate]

http-analyze external-server
    Configures the external HTTP analytics engine’s parameters
password <WORD>
    Configures the external analytics engine’s password
    • <WORD> – Provide the login password. This is the password associated with the user name needed to access the external analytics engine.

proxy <URL>
    Configures the proxy server’s uniform resource locator (URL)
    • <URL> – Specify the proxy server’s URL in the following format: http://username:password@proxy-server:port. For example, http://mot:sym@wwwgate0.mot.com:1080

update-interval <1-3600>
    Configures the interval, in seconds, at which buffered packets are pushed to the external analytics engine
    • <1-3600> – Specify the interval from 1 - 3600 seconds. The default is 60 seconds.

url <URL>
    Configures the external analytics engine’s IP address or URL
    • <URL> – Provide the IP address or URL.

username <WORD>
    Configures the user name needed to access the external analytics engine
    • <WORD> – Provide the user name.

validate-server-certificate
    Validates the external analytics engine’s certificate, if it is using HTTPS as the mode of access

Example
rfs6000-37FABE(config-profile-default-rfs6000)#http-analyze compress
rfs6000-37FABE(config-profile-default-rfs6000)#http-analyze update-interval 200
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs7000 default-rfs7000
 bridge vlan 1
.....................................................................
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 http-analyze update-interval 200
 http-analyze compress
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#

nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server username anonymous
nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server password anonymous
nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server validate-server-certificate
nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server update-interval 100
nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server url https://192.168.13.10

nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
 no autoinstall configuration
 no autoinstall firmware
......................................................
 interface ge5
 interface ge6
 interface pppoe1
 use firewall-policy default
 export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:anonymous@192.168.13.10/log/startup.log
 http-analyze external-server url https://192.168.13.10
 http-analyze external-server username anonymous
 http-analyze external-server password anonymous
 http-analyze external-server update-interval 100
 enforce-version adoption major
 enforce-version cluster full
--More--
nx9500-6C8809(config-profile-test-nx5500)#

nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server proxy http://mot:sym@wwwgate0.mot.com:1080
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
...............................................................
 http-analyze external-server url https://192.168.13.10
 http-analyze external-server username anonymous
 http-analyze external-server password anonymous
 http-analyze external-server update-interval 100
 http-analyze external-server proxy http://mot:sym@wwwgate0.mot.com:1080
 enforce-version adoption major
 enforce-version cluster full
 service pm sys-restart
 router ospf
 router bgp
 dot1x system-auth-control
 dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#

Related Commands
no
    Disables HTTP analyze settings
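
The profile contexts shown above carry credentials inside URLs and in a password line, so saved or shared copies of a profile deserve a review pass. The following audit is an added example, not part of the guide or of WiNG: it scans a saved "show context" for URL-embedded passwords, cleartext transfer schemes, the stored external-server password, and an HTTPS analytics URL with no validate-server-certificate line. The rule names and function names are assumptions, the sample is assembled from the guide's own output lines, and the last rule assumes the setting is listed in the context when enabled, which the guide's sample output does not confirm.

```python
import re
from urllib.parse import urlsplit

# Cleartext schemes that appear in the URL formats documented in this guide.
CLEARTEXT_SCHEMES = {"tftp", "ftp", "http"}
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)
EXT = "http-analyze external-server"

# Sample assembled from the show context lines printed in the guide.
SAMPLE_CONTEXT = """\
profile nx5500 test-nx5500
 use firewall-policy default
 export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:anonymous@192.168.13.10/log/startup.log
 http-analyze external-server url https://192.168.13.10
 http-analyze external-server username anonymous
 http-analyze external-server password anonymous
 http-analyze external-server update-interval 100
 http-analyze external-server proxy http://mot:sym@wwwgate0.mot.com:1080
"""


def redact(url):
    """Return the URL with any embedded password replaced by ***."""
    password = urlsplit(url).password
    if password is None:
        return url
    return url.replace(f":{password}@", ":***@", 1)


def audit_profile(context):
    """Return (line_number, rule, detail) findings; line 0 means profile-wide."""
    findings = []
    lines = [" ".join(raw.split()) for raw in context.splitlines()]
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            host = parts.netloc.rpartition("@")[2]
            if parts.password is not None:
                findings.append((number, "url-credentials", redact(url)))
            if parts.scheme.lower() in CLEARTEXT_SCHEMES:
                findings.append((number, "cleartext-transport", f"{parts.scheme}://{host}"))
        if re.fullmatch(rf"{EXT} password \S+", line):
            findings.append((number, "stored-password", f"{EXT} password ***"))
    # Assumption: an enabled validate-server-certificate setting is printed in the context.
    uses_https = any(re.fullmatch(rf"{EXT} url https://\S+", l, re.IGNORECASE) for l in lines)
    if uses_https and f"{EXT} validate-server-certificate" not in lines:
        findings.append((0, "no-cert-validation", "HTTPS analytics URL without validate-server-certificate"))
    return findings


if __name__ == "__main__":
    for number, rule, detail in audit_profile(SAMPLE_CONTEXT):
        print(f"line {number}: {rule}: {detail}")
```

Findings are redacted before they are returned, so the report itself can be attached to a ticket without repeating the secrets it points at.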
7.1.36 interface
Profile Config Commands

The following table summarizes interface configuration commands:

Command                                  Description                                                  Reference
interface                                Selects an interface to configure                            page 7-181
interface-config-ge-instance             Summarizes Ethernet interface (associated with the           page 7-184
                                         wireless controller or service platform) configuration
                                         commands
interface-config-vlan-instance           Summarizes VLAN interface configuration commands             page 7-217
interface-config-port-channel-instance   Summarizes port-channel interface configuration commands     page 7-235
interface-config-radio-instance          Summarizes radio interface configuration commands            page 7-252
                                         (applicable to devices with built-in radios)
interface-config-wwan-instance           Summarizes WWAN interface configuration commands             page 7-327
interface-config-bluetooth-instance      Summarizes the Bluetooth radio interface configuration       page 7-337
                                         commands (supported only on the AP8432 and AP8533 model
                                         access points)
7.1.36.1 interface
interface

Selects an interface to configure

A profile’s interface configuration can be defined to support separate physical Ethernet configurations both unique and specific to RFS4000, RFS6000 controllers and NX7500 and NX95XX series service platforms. Ports vary depending on the platform, but controller or service platform models do have some of the same physical interfaces.

A controller or service platform requires its virtual interface be configured for layer 3 (IP) access or layer 3 service on a VLAN. A virtual interface defines which IP address is associated with each VLAN ID the controller or service platform is connected to. If the profile is configured to support an access point radio, an additional radio interface is available, unique to the access point’s radio configuration.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax Service Platforms
interface [<INTERFACE-NAME>|fe <1-4>|ge <1-24>|me1|port-channel <1-4>|pppoe1|radio [1|2|3]|serial <1-4>|t1e1 <1-4>|up <1-2>|vlan <1-4094>|wwan1|xge <1-4>]

Syntax Access Points and Wireless Controllers
interface [<INTERFACE-NAME>|bluetooth <1-1>|fe <1-4>|ge <1-8>|me1|port-channel <1-4>|pppoe1|radio [1|2|3]|up1|vlan <1-4094>|wwan1|xge <1-4>]

Parameters
• interface [<INTERFACE-NAME>|bluetooth <1-1>|fe <1-4>|ge <1-8>|me1|port-channel <1-4>|radio [1|2|3]|serial <1-4>|t1e1 <1-4>|up <1-2>|vlan <1-4094>|wwan1|xge <1-4>]

<INTERFACE-NAME>
    Enters the configuration mode of the interface identified by the <INTERFACE-NAME> keyword

bluetooth <1-1>
    Selects the Bluetooth radio interface
    • <1-1> – Specify the Bluetooth radio interface index from 1 - 1. As of now only one Bluetooth radio interface is supported.
    This interface is applicable only for the AP8432 and AP8533 model access points.

fe <1-4>
    Selects a FastEthernet interface
    • <1-4> – Specify the interface index from 1 - 4.

ge <1-24>
    Selects a GigabitEthernet interface
    • <1-24> – Specify the interface index from 1 - 24. (4 for RFS7000 and 8 for RFS6000).

me1
    Selects a management interface
    Not applicable for RFS4000 model devices.
    The management interface is applicable only for RFS6000 and RFS7000 model controllers.

port-channel <1-4>
    Selects the port channel interface
    • <1-4> – Specify the interface index from 1 - 4.

pppoe1
    Selects the PPP over Ethernet interface to configure

radio [1|2|3]
    Selects a radio interface
    • 1 – Selects radio interface 1
    • 2 – Selects radio interface 2
    • 3 – Selects radio interface 3
    The radio interface is not available on wireless controllers or service platforms.

up1
    Selects the uplink GigabitEthernet interface

vlan <1-4094>
    Selects a VLAN interface
    • <1-4094> – Specify the SVI VLAN ID from 1 - 4094.

wwan1
    Selects a Wireless WAN interface
    This interface is applicable only to AP7161, AP81XX, AP8232, RFS4000, RFS6000 model access points and controllers.

xge <1-4>
    Selects a TenGigabitEthernet interface
    • <1-4> – Specify the interface index from 1 - 4.

Usage Guidelines
The ports available on a device vary depending on the model. For example, the following ports are available on RFS4000, RFS6000 and RFS7000 model wireless controllers:
• RFS4000 - ge1, ge2, ge3, ge4, ge5, up1
• RFS6000 - ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1

GE ports are RJ-45 ports supporting 10/100/1000 Mbps. ME ports are available on RFS6000 platforms. ME ports are out-of-band management ports used to manage the controller via CLI or Web UI, even when the other ports on the controller are unreachable.

The ports available on service platforms also vary depending on the model. For example, the following ports are available on NX series service platforms:
• NX7500 - ge1-ge10, xge1-xge2
• NX95XX series - ge1, ge2, xge1-xge4
• EX3500 – ge1-1 to ge1-24
• EX3548 – ge1-1 to ge1-48

GE ports are available on devices such as RFS4000 and RFS6000 controllers.
PROFILESAccess Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 183UP ports are available on RFS4000 and RFS6000 platforms. A UP port is used to connect to the backbone network. UP ports are available on devices, such as RFS4000 and RFS6000 controllers. A UP port supports either RJ-45 or fiber. The UP port is the preferred means to connect to the backbone as it has a non-blocking 1gbps connection unlike the GE ports.The following ports are available on access points:• AP6511 - fe1, fe2, fe3, fe4, up1• AP6521 - GE1/POE (LAN)• AP6522 - GE1/POE (LAN)•AP6532 - GE1/POE• AP6562 - GE1/POE• AP7161 - GE1/POE (LAN), GE2 (WAN)• AP7502 - GE1 (THRU), fe1, fe2, fe3,•AP7522 - GE1/POE (LAN)•AP7532 - GE1/POE (LAN)• AP81XX - GE1/POE (LAN), GE2 (WAN)• AP82XX - GE1/POE (LAN), GE2 (WAN)Examplerfs6000-37FABE(config-profile-default-rfs6000-if-vlan44)#rfs6000-37FABE(config-profile-default-rfs6000-if-vlan44)#?SVI configuration commands:  crypto               Encryption module  description          Vlan description  dhcp                 Dynamic Host Configuration Protocol (DHCP)  dhcp-relay-incoming  Allow on-board DHCP server to respond to relayed DHCP                       packets on this interface  ip                   Interface Internet Protocol config commands  ipv6                 Internet Protocol version 6 (IPv6)  no                   Negate a command or set its defaults  shutdown             Shutdown the selected interface  use                  Set setting to use  clrscr               Clears the display screen  commit               Commit all changes made in this session  do                   Run commands from Exec mode  end                  End current mode and change to EXEC mode  exit                 End current mode and down to previous mode  help                 Description of the interactive help system  revert               Revert changes  service              Service Commands  show                 Show running system information  write                
Write running configuration to memory or terminalrfs6000-37FABE(config-profile-default-rfs6000-if-vlan44)#Related CommandsNOTE: For a NX7500 model service platform, there are options for either a 2 port or 4 port network management card. Either card can be managed using WiNG. If the 4 port card is used, ports ge7-ge10 are available. If the 2 port card is used, ports xge1-xge2 are available.no Removes the selected interface

7.1.36.2 interface-config-ge-instance

This section documents the GigabitEthernet configuration commands.

GE port placement and quantity varies depending on the controller, service platform, or access point model. Configure the GE interface either in the device’s profile-config context or directly on a device.

The following example uses the config-profile-default-rfs7000 instance to configure a GigabitEthernet interface:

nx9500-6C8809(config-profile-testNX9000-if-ge2)#?
Interface configuration commands:
  captive-portal-enforcement  Enable captive-portal enforcement on this port
  cdp                         Cisco Discovery Protocol
  channel-group               Channel group commands
  description                 Interface specific description
  dot1x                       802.1X
  duplex                      Set duplex to interface
  ip                          Internet Protocol (IP)
  ipv6                        Internet Protocol version 6 (IPv6)
  lacp                        LACP commands
  lacp-channel-group          LACP channel commands
  lldp                        Link Local Discovery Protocol
  mac-auth                    Enable mac-auth for this port
  no                          Negate a command or set its defaults
  power                       PoE Command
  qos                         Quality of service
  remove-override             Remove configuration item override from the
                              device (so profile value takes effect)
  shutdown                    Shutdown the selected interface
  spanning-tree               Spanning tree commands
  speed                       Configure speed
  switchport                  Set switching mode characteristics
  use                         Set setting to use
  clrscr                      Clears the display screen
  commit                      Commit all changes made in this session
  do                          Run commands from Exec mode
  end                         End current mode and change to EXEC mode
  exit                        End current mode and down to previous mode
  help                        Description of the interactive help system
  revert                      Revert changes
  service                     Service Commands
  show                        Show running system information
  write                       Write running configuration to memory or
                              terminal
nx9500-6C8809(config-profile-testNX9000-if-ge2)#

The following table summarizes the interface configuration commands:

Command                      Reference    Description
captive-portal-enforcement   page 7-186   Enables captive-portal enforcement on this Ethernet port
cdp                          page 7-187   Enables Cisco Discovery Protocol (CDP) on this Ethernet port
channel-group                page 7-188   Assigns this Ethernet port to a channel group
description                  page 7-189   Configures a description for this Ethernet port
dot1x (authenticator)        page 7-190   Configures 802.1X authenticator settings
dot1x (supplicant)           page 7-193   Configures 802.1X supplicant settings
duplex                       page 7-195   Specifies the duplex mode for the interface
ip                           page 7-196   Sets the IP address for this Ethernet port
ipv6                         page 7-197   Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this interface
lacp                         page 7-199   Configures the selected GE port’s Link Aggregation Control Protocol (LACP) port-priority value
lacp-channel-group           page 7-200   Configures the selected GE port as a member of a port-channel group (also referred as LAG)
lldp                         page 7-202   Configures Link Local Discovery Protocol (LLDP)
mac-auth                     page 7-203   Enables MAC-based authentication on this Ethernet port
no                           page 7-204   Removes or reverts the selected Ethernet port settings
power                        page 7-205   Configures Power over Ethernet (PoE) settings on this interface
qos                          page 7-206   Enables QoS
shutdown                     page 7-207   Disables the selected Ethernet port
spanning-tree                page 7-208   Configures spanning tree parameters
speed                        page 7-211   Specifies the speed on this Ethernet port
switchport                   page 7-212   Sets interface switching mode characteristics
use                          page 7-215   Associates IPv4, IPv6, and/or MAC ACL with the selected Ethernet port

7.1.36.2.1 captive-portal-enforcement

Enables application of captive portal access permission rules to data transmitted over this specific Ethernet port. This setting is disabled by default.

Captive portal enforcement allows users on the wired network to pass traffic through the captive portal without being redirected to an authentication page. Authentication instead takes place when the RADIUS server is queried against the wired user's MAC address. If the MAC address is in the RADIUS server's user database, the user can pass traffic on the captive portal.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
captive-portal-enforcement {fall-back}

Parameters
• captive-portal-enforcement {fall-back}

captive-portal-enforcement fall-back
    Enables captive-portal enforcement on this Ethernet port
    • fall-back – Optional. Enforces captive portal validation only if port authentication fails. When selected, captive portal policies are enforced only when RADIUS authentication of the client MAC address is not successful. If this option is not selected, captive portal policies are enforced regardless of the client's MAC address being in the RADIUS server's user database or not.

Example
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge2)#captive-portal-enforcement
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge2)#show context
 interface ge2
  captive-portal-enforcement
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge2)#

Related Commands
no
    Disables captive-portal enforcement on this interface

7.1.36.2.2 cdp

Enables CDP on the selected GE port

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cdp [receive|transmit]

Parameters
• cdp [receive|transmit]

receive
    Enables CDP packet snooping on this interface. When enabled, the port receives periodic interface updates from a multicast address. This option is enabled by default.
transmit
    Enables CDP packet transmission on this interface. When enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default.

Example
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#cdp transmit

Related Commands
no
    Disables CDP packet snooping on the controller or service platform’s selected GE ports

7.1.36.2.3 channel-group

Assigns this Ethernet port to a channel group. Ethernet ports can be aggregated to form a channel group. For example, an RFS7000 has four (4) Ethernet ports (1, 2, 3, & 4). These can be aggregated to form a minimum of one and maximum of two channel groups. A port can be a member of only one channel group at a time.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
channel-group <1-4>

Parameters
• channel-group <1-4>

<1-4>
    Specifies a channel group number from 1 - 4. The number of channel groups supported varies with the device type. For example:
    RFS7000 – Supports two channel groups
    RFS6000 – Supports four channel groups
    RFS4000 – Supports three channel groups
    NX5500 – Supports three channel groups
    NX75XX – Supports four channel groups
    NX95XX – Supports two channel groups

Example
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
no
    Removes the channel group to which this port belongs

7.1.36.2.4 description

Configures a description for this Ethernet port

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description [<LINE>|<WORD>]

Parameters
• description [<LINE>|<WORD>]

<LINE>
    Configures the maximum length (number of characters) of the interface description
<WORD>
    Configures a unique description for this interface. The description should not exceed the length specified by the <LINE> parameter.

Example
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#description “This is GigabitEthernet interface for Royal King”
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
no
    Removes the interface description

7.1.36.2.5 dot1x (authenticator)

Configures 802.1X authenticator settings

Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x allows port-based access using authentication. A dot1x-enabled port can be dynamically enabled or disabled depending on user identity or device connection.

Devices supporting dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a device automatically connects and authenticates without needing to manually log in.

Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the endpoint is known and traffic is allowed. The controller or service platform uses source MAC filtering to ensure only the authenticated endpoint is allowed to send traffic.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6562, AP7161, AP7502, AP81XX, AP8232, AP8432
• Wireless Controllers — RFS4000, RFS6000, NX5500, NX7500

Syntax
dot1x authenticator [guest-vlan|host-mode|max-reauth-req|port-control|reauthenticate|timeout]
dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|max-reauth-req <1-10>|port-control [auto|force-authorized|force-unauthorized]|reauthenticate|timeout [quiet-period|reauth-period] <1-65535>]

Parameters
• dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|max-reauth-req <1-10>|port-control [auto|force-authorized|force-unauthorized]|reauthenticate|timeout [quiet-period|reauth-period]]

NOTE: The dot1x (802.1x) supplicant settings are documented in the next section.

dot1x authenticator
    Configures 802.1x authenticator settings
guest-vlan <1-4094>
    Configures the guest VLAN for this interface. This is the VLAN on which traffic is bridged if this port is unauthorized and the guest VLAN is globally enabled. Select the VLAN index from 1 - 4094.
host-mode [multi-host|single-host]
    Configures the host mode for this interface
    • multi-host – Configures multiple host mode
    • single-host – Configures single host mode. This is the default setting.
max-reauth-req <1-10>
    Configures maximum number of re-authorization retries for the supplicant. This is the maximum number of re-authentication attempts made before this port is moved to unauthorized.
    • <1-10> – Specify a value from 1 - 10. The default is 2.
port-control [auto|force-authorized|force-unauthorized]
    Configures port control state
    • auto – Configures auto port state
    • force-authorized – Configures authorized port state. This is the default setting.
    • force-unauthorized – Configures unauthorized port state
reauthenticate
    Enables re-authentication for this port. When enabled, clients are forced to re-authenticate on this port. The setting is disabled by default. Therefore, clients are not required to re-authenticate for connection over this port until this setting is enabled.
timeout [quiet-period|reauth-period] <1-65535>
    Configures timeout settings for this interface
    • quiet-period – Configures the quiet period timeout in seconds. This is the interval, in seconds, between successive client authentication attempts.
    • reauth-period – Configures the time after which re-authentication is initiated
    The following option is common to ‘quiet-period’ and ‘reauth-period’ keywords:
    • <1-65535> – Specify a ‘quiet-period’ or ‘reauth-period’ from 1 - 65535 seconds.

Example
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator guest-vlan 2
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator host-mode multi-host
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator max-reauth-req 6
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator reauthenticate
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
 interface ge1
  dot1x authenticator host-mode multi-host
  dot1x authenticator guest-vlan 2
  dot1x authenticator reauthenticate
  dot1x authenticator max-reauth-count 6
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

The following examples show the configurations made on an RFS6000 to enable it as a dot1X authenticator:

1 Configure AAA policy on the authenticator, and identify the authentication server as onboard (self):

rfs6000-817379(config-aaa-policy-aaa-wireddot1x)#show context
aaa-policy aaa-wireddot1x
authentication server 1 onboard controller
rfs6000-817379(config-aaa-policy-aaa-wireddot1x)#

This AAA policy is used in the authenticator’s self configuration mode as shown in the last step.

2 Configure RADIUS user policy on the authenticator:

rfs6000-817379(config-radius-user-pool-wired-dot1x-users)#show con
radius-user-pool-policy wired-dot1x-users
user bob password 0 bob1234
rfs6000-817379(config-radius-user-pool-wired-dot1x-users)#

The user name and password configured here should match that of the supplicant. For more information, see the examples provided in the dot1x (supplicant) section.

3 Configure RADIUS server policy on the authenticator, and associate the RADIUS user policy created in the previous step:

rfs6000-817379(config-radius-server-policy-for-wired-dot1x)#show con
radius-server-policy for-wired-dot1x
use radius-user-pool-policy wired-dot1x-users
rfs6000-817379(config-radius-server-policy-for-wired-dot1x)#

4 In the authenticator’s self configuration mode, associate the RADIUS server policy, created in the previous step, and configure other parameters (in bold) as shown in the following example:

rfs6000-817379(config-device-00-15-70-81-73-79)#use radius-server-policy for-wired-dot1x

5 In the authenticator’s interface > ge configuration mode, configure the following parameters:

rfs6000-817379(config-device-00-15-70-81-73-79-if-ge2)#dot1x authenticator host-mode single-host
rfs6000-817379(config-device-00-15-70-81-73-79-if-ge2)#dot1x authenticator port-control auto

6 In the authenticator’s self configuration mode, configure the following parameters:

rfs6000-817379(config-device-00-15-70-81-73-79)#dot1x system-auth-control
rfs6000-817379(config-device-00-15-70-81-73-79)#dot1x use aaa-policy aaa-wireddot1x

The following example displays the parameters configured above:

rfs6000-817379(config-device-00-15-70-81-73-79)#show context
use profile default-rfs6000
use rf-domain default
hostname rfs6000-817379
use radius-server-policy for-wired-dot1x
interface me1
  ip address 192.168.0.1/24
interface ge2
  dot1x authenticator host-mode single-host
  dot1x authenticator port-control auto
interface vlan1
  ip address dhcp
  ip dhcp client request options all
logging on
logging console debugging
dot1x system-auth-control
dot1x use aaa-policy aaa-wireddot1x
--More--
rfs6000-817379(config-device-00-15-70-81-73-79)#

Related Commands
no
    Disables or reverts interface settings to their default

7.1.36.2.6 dot1x (supplicant)

Configures 802.1X supplicant (client) settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, NX5500, NX7500

Syntax
dot1x supplicant username <USERNAME> password [0 <WORD>|2 <WORD>|<WORD>]

Parameters
• dot1x supplicant username <USERNAME> password [0 <WORD>|2 <WORD>|<WORD>]

dot1x supplicant
    Configures 802.1x supplicant settings
username <USERNAME>
    Sets the username for authentication
    • <USERNAME> – Specify the supplicant’s username.
password [0 <WORD>|2 <WORD>|<WORD>]
    Sets the password associated with the supplicant’s username. Select any one of the following options:
    • 0 <WORD> – Sets a clear text password
    • 2 <WORD> – Sets an encrypted password
    • <WORD> – Specify the password.

Example
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x supplicant username bob password 0 test@123
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
 interface ge1
  dot1x supplicant username bob password 0 test@123
  dot1x authenticator host-mode multi-host
  dot1x authenticator guest-vlan 2
  dot1x authenticator reauthenticate
  dot1x authenticator max-reauth-count 6
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

The following example shows the configuration made on an AP7522 to enable it as a dot1X supplicant:

ap7522-85B19C(config-device-84-24-8D-85-B1-9C-if-ge2)#dot1x supplicant username bob password 0 bob1234
ap7522-85B19C(config-device-84-24-8D-85-B1-9C)#show context
use profile default-ap7522
use rf-domain default
hostname ap7522-85B19C
no adoption-mode
interface ge1
  switchport mode access
  switchport access vlan 1
  dot1x supplicant username bob password 0 bob1234
logging on
logging console debugging
--More--
ap7522-85B19C(config-device-84-24-8D-85-B1-9C

Related Commands
no
    Removes 802.1X supplicant (client) settings
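
The dot1x (authenticator) and dot1x (supplicant) sections above give the defaults (port-control force-authorized, re-authentication disabled) and the meaning of the password type 0 (clear text). The following Python sketch is an added example, not part of the WiNG guide or of WiNG itself: it reads saved show context output and reports where those settings leave a port open or a secret readable. The finding names and the audit() function are hypothetical, and the check assumes all settings live in the one context that was captured.

```python
import re

# "password 0 <WORD>" is the clear-text form per the guide ("2" is encrypted).
CLEARTEXT = re.compile(r"\bpassword 0 \S+")

# 'show context' output copied from the guide's RFS6000 authenticator example.
PAGE_SAMPLE = """\
use profile default-rfs6000
use rf-domain default
hostname rfs6000-817379
use radius-server-policy for-wired-dot1x
interface me1
  ip address 192.168.0.1/24
interface ge2
  dot1x authenticator host-mode single-host
  dot1x authenticator port-control auto
interface vlan1
  ip address dhcp
  ip dhcp client request options all
logging on
logging console debugging
dot1x system-auth-control
dot1x use aaa-policy aaa-wireddot1x
"""

# Constructed sample (not from the guide): weaker settings for comparison.
WEAK_SAMPLE = """\
hostname wing-example
interface ge1
  dot1x supplicant username bob password 0 bob1234
interface ge2
  dot1x authenticator host-mode single-host
interface ge3
  dot1x authenticator port-control auto
  dot1x authenticator reauthenticate
logging on
"""


def parse_context(text):
    """Split show context output into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(line)   # indented: belongs to interface
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of (scope, finding) tuples for one captured context."""
    global_lines, interfaces = parse_context(text)
    findings = [("global", "cleartext-password")
                for line in global_lines if CLEARTEXT.search(line)]
    authenticator_ports = []
    for name, lines in interfaces.items():
        if any(CLEARTEXT.search(line) for line in lines):
            findings.append((name, "cleartext-password"))
        auth = [l for l in lines if l.startswith("dot1x authenticator ")]
        if not auth:
            continue
        authenticator_ports.append(name)
        mode = "force-authorized"              # default per the guide
        for l in auth:
            if l.startswith("dot1x authenticator port-control "):
                mode = l.split()[-1]
        if mode == "force-authorized":
            findings.append((name, "port-always-authorized"))
        if "dot1x authenticator reauthenticate" not in auth:
            findings.append((name, "reauth-disabled"))
    if authenticator_ports:
        if "dot1x system-auth-control" not in global_lines:
            findings.append(("global", "dot1x-not-enabled-globally"))
        if not any(l.startswith("dot1x use aaa-policy ") for l in global_lines):
            findings.append(("global", "no-aaa-policy"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(WEAK_SAMPLE):
        print(f"{scope}: {finding}")
```

Run against the guide's own RFS6000 output, the only finding is that ge2 has no periodic re-authentication, which is the documented default.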

7.1.36.2.7 duplex

Configures duplex mode (for the flow of packets) on this Ethernet port

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
duplex [auto|half|full]

Parameters
• duplex [auto|half|full]

auto
    Enables automatic duplexity on an interface port. The port automatically detects whether it should run in full or half-duplex mode. (default setting)
half
    Sets the port to half-duplex mode. Allows communication in one direction only at any given time. When selected, data is sent over the port, then immediately data is received from the direction in which the data was transmitted.
full
    Sets the port to full-duplex mode. Allows communication in both directions simultaneously. When selected, the port can send data while receiving data as well.

Example
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#duplex full
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  duplex full
  dot1x supplicant username Bob password 0 test@123
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
no
    Reverts to default (auto)

7.1.36.2.8 ip

Sets the ARP and DHCP components for this Ethernet port

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip [arp|dhcp]
ip [arp [header-mismatch-validation|trust]|dhcp trust]

Parameters
• ip [arp [header-mismatch-validation|trust]|dhcp trust]

arp [header-mismatch-validation|trust]
    Configures ARP packet settings
    • header-mismatch-validation – Enables matching of source MAC address in the ARP and Ethernet headers to check for mismatch. This option is disabled by default.
    • trust – Enables trust state for ARP responses on this interface. When enabled, ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the network. This option is disabled by default.
dhcp trust
    Enables trust state for DHCP responses on this interface. When enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. This option is enabled by default.

Example
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#ip dhcp trust
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#ip arp header-mismatch-validation
rfs7000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  duplex full
  dot1x supplicant username Bob password 0 test@123
  ip dhcp trust
  ip arp header-mismatch-validation
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
no
    Removes the ARP and DHCP components configured for this interface

7.1.36.2.9 ipv6

Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this interface

The ICMPv6 ND protocol uses ICMP messages and solicited multicast addresses to track neighboring devices on the same local network. These messages are used to discover a neighbor’s link layer address and to verify if a neighboring device is reachable.

The ICMP messages are neighbor solicitation (NS) and neighbor advertisement (NA) messages. When a destination host receives an NS message from a neighbor, it replies back with a NA. The NA contains the following information:
• Source address – This is the IPv6 address of the device sending the NA
• Destination address – This is the IPv6 address of the device from whom the NS message is received
• Data portion – Includes the link layer address of the device sending the NA

NS messages are used to verify the reachability of a neighbor whose link layer address is known. To confirm a neighbor’s reachability a node sends an NS message in which the neighbor’s unicast address is specified as the destination address. If the neighbor sends back an acknowledgment on receipt of the NS message it is considered reachable.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6 [dhcpv6|nd]
ipv6 dhcpv6 trust
ipv6 nd [header-mismatch-validation|raguard|trust]

Parameters
• ipv6 dhcpv6 trust
• ipv6 nd [header-mismatch-validation|raguard|trust]

ipv6 dhcpv6 trust
    Enables trust state for DHCPv6 responses on this interface. When enabled, all DHCPv6 responses received on this port are trusted and forwarded. This option is enabled by default.
    A DHCPv6 server can be connected to a DHCPv6 trusted port.
ipv6 nd
    Configures IPv6 ND settings
header-mismatch-validation
    Enables matching of source MAC address in the ICMPv6 ND and Ethernet headers (link layer option) to check for mismatch. This option is disabled by default.
raguard
    Allows redirection of router advertisements (RAs) and ICMPv6 packets originating on this interface. When selected, RAs are periodically sent to hosts or sent in response to neighbor solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This option is enabled by default.
trust
    Enables trust state for IPv6 ND requests received on this interface. When enabled, IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to the request with a router advertisement packet containing Internet Layer configuration parameters. This option is disabled by default.

Example
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 dhcpv6 trust
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 nd header-mismatch-validation
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 nd trust
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#show context
interface ge1
  switchport mode access
  switchport access vlan 1
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  ipv6 dhcpv6 trust
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#

Related Commands
no
    Removes or reverts IPv6 settings on this interface
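
Both ip arp header-mismatch-validation and ipv6 nd header-mismatch-validation compare the source MAC in the Ethernet header with the MAC carried inside the ARP or ICMPv6 ND payload. The following Python sketch is an added example of that comparison on raw frames; it is not WiNG's implementation. It assumes the ND check reads the source link-layer option in an NS and the target link-layer option in an NA, does not walk IPv6 extension headers, and uses constructed frames with documentation addresses and a zero ICMPv6 checksum.

```python
import ipaddress
import struct

ETH_ARP, ETH_IPV6, ETH_VLAN = 0x0806, 0x86DD, 0x8100
ICMPV6, ND_NS, ND_NA = 58, 135, 136
OPT_SLLA, OPT_TLLA = 1, 2  # source / target link-layer address options

def split_l2(frame):
    """Return (Ethernet source MAC, ethertype, payload), skipping one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src, etype, payload = frame[6:12], struct.unpack("!H", frame[12:14])[0], frame[14:]
    if etype == ETH_VLAN:
        if len(payload) < 4:
            raise ValueError("truncated 802.1Q tag")
        etype, payload = struct.unpack("!H", payload[2:4])[0], payload[4:]
    return src, etype, payload

def arp_sender_mac(arp):
    """Sender hardware address of an Ethernet ARP packet, else None."""
    if len(arp) < 8:
        raise ValueError("truncated ARP header")
    htype, _ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, hlen) != (1, 6):
        return None                      # not ARP over Ethernet
    if len(arp) < 8 + 2 * (hlen + plen):
        raise ValueError("truncated ARP body")
    return arp[8:14]

def nd_link_layer_mac(ip6):
    """Link-layer address option carried by an NS or NA, else None."""
    if len(ip6) < 40:
        raise ValueError("truncated IPv6 header")
    if ip6[6] != ICMPV6:                 # assumption: no extension headers
        return None
    icmp = ip6[40:]
    if not icmp or icmp[0] not in (ND_NS, ND_NA):
        return None
    if len(icmp) < 24:
        raise ValueError("truncated ND message")
    wanted = OPT_SLLA if icmp[0] == ND_NS else OPT_TLLA
    opts = icmp[24:]                     # options follow the 16-byte target
    while opts:
        if len(opts) < 2 or opts[1] == 0 or opts[1] * 8 > len(opts):
            raise ValueError("malformed ND option")
        if opts[0] == wanted and opts[1] == 1:
            return opts[2:8]
        opts = opts[opts[1] * 8:]
    return None

def validate(frame):
    """Return 'ok', 'mismatch', 'not-applicable' or 'malformed'."""
    try:
        src, etype, payload = split_l2(frame)
        if etype == ETH_ARP:
            inner = arp_sender_mac(payload)
        elif etype == ETH_IPV6:
            inner = nd_link_layer_mac(payload)
        else:
            inner = None
    except ValueError:
        return "malformed"
    if inner is None:
        return "not-applicable"
    return "ok" if inner == src else "mismatch"

# --- builders for constructed sample frames (not captured traffic) ---
def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp_reply(eth_src, arp_sha):
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + arp_sha
    arp += ipaddress.IPv4Address("192.0.2.1").packed + bytes(6)
    arp += ipaddress.IPv4Address("192.0.2.2").packed
    return b"\xff" * 6 + eth_src + struct.pack("!H", ETH_ARP) + arp

def build_na(eth_src, tlla):
    addr = ipaddress.IPv6Address("2001:db8::1").packed
    icmp = struct.pack("!BBHI", ND_NA, 0, 0, 0x60000000) + addr
    icmp += bytes([OPT_TLLA, 1]) + tlla
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255) + addr + addr
    eth = bytes.fromhex("333300000001") + eth_src + struct.pack("!H", ETH_IPV6)
    return eth + ip6 + icmp

def add_vlan_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_VLAN, vid) + frame[12:]
```

A frame whose inner address differs from the Ethernet source is the case the guide's option is meant to catch; truncated or malformed payloads are reported separately so they are not silently treated as valid.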

7.1.36.2.10 lacp

Configures the selected GE port’s Link Aggregation Control Protocol (LACP) port-priority value. If LACP is enabled, and the selected port is a member of a link aggregation group (LAG), use this command to configure the port’s priority within the LAG.

As per the IEEE 802.3ad standard, LACP enables aggregation of multiple physical links to form a single logical channel. Each aggregated group of physical links is a LAG. When enabled, LACP dynamically determines if link aggregation is possible between two peers, and automatically configures the aggregation. LACP also allows the switch to dynamically reconfigure the LAGs. The LAG is enabled only when LACP detects that the remote device is also using LACP and is able to join the LAG.

Enabling LACP provides automatic recovery in case one or more of the aggregated physical links fail.

Supported in the following platforms:
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
lacp port-priority <1-65535>

Parameters
• lacp port-priority <1-65535>

NOTE: Use the lacp-channel-group command to configure this port as a LAG member.

lacp port-priority <1-65535>
    Configures the selected GE port’s port-priority value. The selected port’s actual priority within the LAG is determined by the port-priority value specified here along with the port’s number. The higher the value, the lower the priority. Use this option to manipulate a port’s priority. For example, in a LAG having five physical ports, four active and one standby, manually increasing the standby port’s priority ensures that if one of the active ports fails, the standby port is included in the LAG during re-negotiation.
    • <1-65535> – Specify a value from 1 - 65535. The default value is 32768.

Example
nx9500-6C8809(config-profile-testnx9000-if-ge1)#lacp port-priority 2
nx9500-6C8809(config-profile-testnx9000-if-ge1)#show context
 interface ge1
  lacp port-priority 2
nx9500-6C8809(config-profile-testnx9000-if-ge1)#

Related Commands
no
    Removes the selected GE port’s configured port-priority value
7.1.36.2.11 lacp-channel-group

interface-config-ge-instance

Configures the selected GE port as a member of a port channel group (also referred to as a LAG).

As per the IEEE 802.3ad standard, LACP enables the aggregation of multiple physical links (Ethernet ports) to form a single logical channel. When enabled, LACP dynamically determines if link aggregation is possible and then automatically configures the aggregation. LACP also allows the switch to dynamically reconfigure the LAGs. The LAG is enabled only when LACP detects that the remote device is also using LACP and is able to join the LAG.

Supported in the following platforms:
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

lacp-channel-group <1-4> mode [active|passive]

Parameters

• lacp-channel-group <1-4> mode [active|passive]

lacp-channel-group <1-4>
    Associates this GE port with an existing port-channel group
    • <1-4> – Specify a value from 1 - 4.
    Use the interface > port-channel > <1-4> command to configure a port-channel group. For more information, see interface-config-port-channel-instance.

mode [active|passive]
    After configuring the selected port as a LAG member, specify whether the port is an active or passive member within the group. An active member initiates and participates in LACP negotiations.
    • active – Configures the port as an active member. When set to active, the port always transmits LACPDU irrespective of the remote device’s port mode.
    • passive – Configures the port as a passive member. When set to passive, the port will only respond to LACPDU received from its corresponding active port.
    At least one port within a LAG, on either of the two negotiating peers, should be in the active mode. LACP negotiations are not initiated if all LAG member ports are passive. Further, the peer-to-peer LACP negotiations are always initiated by the peer with the lower system-priority value. For more information on configuring the system-priority, see lacp.

Example

nx9500-6C8809(config-profile-testnx9000-if-ge1)#lacp-channel-group 2 mode active
nx9500-6C8809(config-profile-test2nx9000-if-ge1)#show context
 interface ge1
  lacp-channel-group 2 mode active
  lacp port-priority 2
nx9500-6C8809(config-profile-test2nx900-if-ge1)#

NOTE: Successful aggregation of two or more physical links is feasible only if the aggregating physical links are configured identically. To ensure uniformity in configuration across LAG members, implement configuration changes (such as changes in the switching mode, speed, etc.) on the logical port (the port-channel) and not on the physical port. Changes made on the port-channel will cascade down to each member of the LAG, thereby retaining uniformity.
To enable dynamic link aggregation on a device (service platform), execute the following steps:

1 Create a port-channel group on the device. Enter the port-channel configuration mode.

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#interface port-channel 1

  a Set the switching mode to access or trunk as per requirement. In this example, the mode is set to ‘access’.

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#switchport mode access

  b Specify the VLAN to switch, commit changes and exit.

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#switchport access vlan 1
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#commit
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#exit

2 Enable dynamic link aggregation on the device’s physical port. Enter the GE port’s configuration mode.

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#interface ge 2

  a Enable link aggregation and associate the port with the port-channel group created in step 1.

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-ge2)#lacp-channel-group 1 mode active

Note, the mode can be set to passive. However, at least one of the aggregated GE ports in the port-channel group should be active in order to initiate link aggregation negotiations with other LACP-enabled peers.

  b Specify the GE port’s priority value.

nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-ge2)#lacp port-priority 2

Related Commands

no
    Removes the selected GE port’s port-channel group membership
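The following Python sketch is an added example, not code from the guide or from WiNG. It models the two LACP rules described above: negotiation needs at least one active member on either peer, and members are ranked by port-priority value (a lower value wins). The port-number tie-break follows IEEE 802.3ad, and the `max_active` limit and the sample configurations are assumptions constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

DEFAULT_PORT_PRIORITY = 32768  # default the guide gives for lacp port-priority

_INTERFACE = re.compile(r"^interface ge ?(\d+)$")
_GROUP = re.compile(r"^lacp-channel-group (\d+) mode (active|passive)$")
_PRIORITY = re.compile(r"^lacp port-priority (\d+)$")


@dataclass(frozen=True)
class Member:
    port: int       # GE port number (2 for ge2)
    group: int      # port-channel group, 1-4
    mode: str       # "active" or "passive"
    priority: int   # 1-65535, a lower value means a higher priority


def parse_members(config: str) -> list[Member]:
    """Collect LAG members from 'interface geN' blocks of a configuration."""
    ports: dict[int, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            m = _INTERFACE.match(line)
            # Settings of non-GE interfaces are ignored.
            current = ports.setdefault(
                int(m.group(1)), {"priority": DEFAULT_PORT_PRIORITY}) if m else None
        elif current is None:
            continue
        elif m := _GROUP.match(line):
            group = int(m.group(1))
            if not 1 <= group <= 4:
                raise ValueError(f"port-channel group out of range: {group}")
            current.update(group=group, mode=m.group(2))
        elif m := _PRIORITY.match(line):
            priority = int(m.group(1))
            if not 1 <= priority <= 65535:
                raise ValueError(f"port-priority out of range: {priority}")
            current["priority"] = priority
    return [Member(port, s["group"], s["mode"], s["priority"])
            for port, s in sorted(ports.items()) if "group" in s]


def can_negotiate(local: list[Member], remote: list[Member]) -> bool:
    """LACP starts only if at least one member on either peer is active."""
    return any(m.mode == "active" for m in (*local, *remote))


def select(members: list[Member], max_active: int) -> tuple[list[int], list[int]]:
    """Split members into (active, standby) port numbers.

    Ports are ranked by port-priority value, then by port number; lower wins.
    max_active is a hypothetical limit standing in for the platform's own.
    """
    ranked = sorted(members, key=lambda m: (m.priority, m.port))
    return ([m.port for m in ranked[:max_active]],
            [m.port for m in ranked[max_active:]])


# Constructed sample: five members of port-channel 1, all at default priority.
FIVE_PORTS = "\n".join(
    f"interface ge{n}\n lacp-channel-group 1 mode active" for n in range(1, 6))
# Same configuration with the priority of ge5 raised (a lower value).
GE5_RAISED = FIVE_PORTS + "\n lacp port-priority 2"
# A peer on which every member is passive.
ALL_PASSIVE = FIVE_PORTS.replace("active", "passive")

if __name__ == "__main__":
    print("default priorities:", select(parse_members(FIVE_PORTS), 4))
    print("ge5 priority 2    :", select(parse_members(GE5_RAISED), 4))
    passive = parse_members(ALL_PASSIVE)
    print("passive <-> passive negotiates:", can_negotiate(passive, passive))
```

With four active slots, ge5 is the standby at default priorities; giving it `lacp port-priority 2` moves it to the front of the ranking and ge4 becomes the standby.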
7.1.36.2.12 lldp

interface-config-ge-instance

Configures Link Local Discovery Protocol (LLDP) parameters on this Ethernet port

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

lldp [receive|transmit]

Parameters

• lldp [receive|transmit]

receive
    Enables LLDP Protocol Data Units (PDUs) snooping. When enabled, the port receives periodic updates from a multicast address informing about presence of neighbors. This option is enabled by default.

transmit
    Enables LLDP PDU transmission. When enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default.

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#lldp transmit

Related Commands

no
    Disables or reverts interface settings to their default
7.1.36.2.13 mac-auth

interface-config-ge-instance

Enables authentication of MAC addresses on the selected wired port. When enabled, this feature authenticates the MAC address of a device, connecting to this interface, with a RADIUS server. When successfully authenticated, packets from the source are processed. Since only one MAC address is supported per wired port, packets from all other sources are dropped.

For more information on enabling this feature, see mac-auth.

Enable port MAC authentication in conjunction with Wired 802.1x settings to configure a MAC authentication AAA policy.

This option is also available in the device configuration mode.

Supported in the following platforms:
• Access Points — AP6522, AP6562, AP7161, AP7502, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

mac-auth

Parameters

None

Example

rfs4000-229D58(config-profile-testRFS4000-if-ge1)#mac-auth
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
 interface ge1
  mac-auth
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

rfs4000-229D58(config-profile-testRFS4000-if-ge5)#mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#show context
 interface ge5
  switchport mode access
  switchport access vlan 1
  dot1x authenticator host-mode single-host
  dot1x authenticator guest-vlan 5
  dot1x authenticator port-control auto
  mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#

Related Commands

no
    Disables authentication of MAC addresses on the selected wired port
7.1.36.2.14 no

interface-config-ge-instance

Removes or reverts the selected Ethernet port settings

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [captive-portal-enforcement|cdp|channel-group|description|dot1x|duplex|ip|ipv6|lacp|lacp-channel-group|lldp|mac-auth|power|qos|shutdown|spanning-tree|speed|switchport|use]
no [captive-portal-enforcement|channel-group|description|duplex|mac-auth|shutdown|speed]
no [cdp|lldp] [receive|transmit]
no dot1x [authenticator [guest-vlan|host-mode|max-reauth-req|port-control|reauthentication|timeout [quiet-period|reauth-period]]|supplicant]
no ip [arp [header-mismatch-validation|trust]|dhcp trust]
no ipv6 [dhcpv6 trust|nd [header-mismatch-validation|raguard|trust]]
no [lacp port-priority|lacp-channel-group]
no power {best-effort|limit|priority}
no qos trust [802.1p|cos|dscp]
no spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|portfast]
no switchport [access vlan|mode|trunk native tagged]
no use [ip-access-list|ipv6-access-list|mac-access-list] in

Parameters

• no <PARAMETERS>

no <PARAMETERS>
    Removes or reverts this Ethernet port’s settings based on the parameters passed

Usage Guidelines

The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#no cdp
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#no duplex
7.1.36.2.15 power

interface-config-ge-instance

Configures Power over Ethernet (PoE) settings on this interface

When configured, this option allows the selected port to use Power over Ethernet. When enabled, the controller supports 802.3af PoE on each of its GE ports. PoE allows users to monitor port power consumption and configure power usage limits and priorities for each GE port.

Supported in the following platforms:
• Wireless Controllers — RFS4000, RFS6000

Syntax

power {best-effort|limit <0-40>|priority [critical|high|low]}

Parameters

• power {best-effort|limit <0-40>|priority [critical|high|low]}

power
    Configures power related thresholds for this interface

best-effort
    Optional. Enables power when the device is not operating from an 802.3at class 4 power source

limit <0-40>
    Optional. Configures the PoE power limit from 0 - 40 Watts. The default is 30 Watts.

priority [critical|high|low]
    Optional. Configures the PoE power priority on this interface. This is the priority assigned to this port versus the power requirements of the other ports available on the controller.
    • critical – Sets PoE priority as critical
    • high – Sets PoE priority as high
    • low – Sets PoE priority as low. This is the default setting.

Example

rfs4000-229D58(config-profile-testRFS4000-if-ge1)#power limit 30
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#power priority critical
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
 interface ge1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
  power limit 30
  power priority critical
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

Related Commands

no
    Removes PoE settings on this interface
7.1.36.2.16 qos

interface-config-ge-instance

Defines Quality of Service (QoS) settings on this Ethernet port

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

qos trust [802.1p|cos|dscp]

Parameters

• qos trust [802.1p|cos|dscp]

trust [802.1p|cos|dscp]
    Trusts QoS values ingressing on this interface
    • 802.1p – Trusts 802.1p COS values ingressing on this interface
    • cos – Trusts 802.1p COS values ingressing on this interface. This option is enabled by default.
    • dscp – Trusts IP DSCP QOS values ingressing on this interface. This option is enabled by default.

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#qos trust dscp
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#qos trust 802.1p
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  duplex full
  dot1x supplicant username Bob password 0 test@123
  ip dhcp trust
  ip arp header-mismatch-validation
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands

no
    Removes QoS settings on the selected interface
7.1.36.2.17 shutdown

interface-config-ge-instance

Shuts down (disables) an interface. The interface is administratively enabled unless explicitly disabled using this command.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

shutdown

Parameters

None

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#shutdown

Related Commands

no
    Disables or reverts interface settings to their default
7.1.36.2.18 spanning-tree

interface-config-ge-instance

Configures spanning tree parameters

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|port-cisco-interoperability|portfast]
spanning-tree [force-version <0-3>|guard root|portfast]
spanning-tree [bpdufilter|bpduguard] [default|disable|enable]
spanning-tree link-type [point-to-point|shared]
spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]
spanning-tree port-cisco-interoperability [disable|enable]

Parameters

• spanning-tree [force-version <0-3>|guard root|portfast]

force-version <0-3>
    Specifies the spanning tree force version. A version identifier of less than 2 enforces the spanning tree protocol. Select one of the following versions:
    • 0 – Spanning Tree Protocol (STP)
    • 1 – Not supported
    • 2 – Rapid Spanning Tree Protocol (RSTP)
    • 3 – Multiple Spanning Tree Protocol (MSTP). This is the default setting

guard root
    Enables Root Guard for the port
    The Root Guard disables superior Bridge Protocol Data Unit (BPDU) reception. The Root Guard ensures the enabled port is a designated port. If the Root Guard enabled port receives a superior BPDU, it moves to a discarding state (root-inconsistent STP state). This state is equivalent to a listening state, and data is not forwarded across the port. Therefore, enabling the guard root enforces the root bridge position. Use the no parameter with this command to disable the Root Guard.

portfast
    Enables rapid transitions. Enabling PortFast allows the port to bypass the listening and learning states.

• spanning-tree [bpdufilter|bpduguard] [default|disable|enable]

bpdufilter [default|disable|enable]
    Sets a PortFast BPDU filter for the port
    Use the no parameter with this command to revert the port BPDU filter to its default. The spanning tree protocol sends BPDUs from all ports. Enabling the BPDU filter ensures PortFast enabled ports do not transmit or receive BPDUs.

bpduguard [default|disable|enable]
    Enables BPDU guard on a port
    Use the no parameter with this command to set BPDU guard to its default.
    When the BPDU guard is set for a bridge, all PortFast-enabled ports that have the BPDU guard set to default shut down upon receiving a BPDU. If this occurs, the BPDU is not processed. The port can be brought back either manually (using the no shutdown command), or by configuring the errdisable-timeout to enable the port after a specified interval.

• spanning-tree link-type [point-to-point|shared]

link-type [point-to-point|shared]
    Enables point-to-point or shared link types
    • point-to-point – Enables rapid transition. This option indicates the port should be treated as connected to a point-to-point link. A port connected to a controller is a point-to-point link.
    • shared – Disables rapid transition. This option indicates this port should be treated as having a shared connection. A port connected to a hub is on a shared link.

• spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]

mst <0-15>
    Configures MST on a spanning tree

cost <1-200000000>
    Defines path cost for a port from 1 - 200000000. The default path cost depends on the speed of the port. The cost helps determine the role of the port in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost.

port-priority <0-240>
    Defines port priority for a bridge from 1 - 240. The lower the priority, the greater the likelihood of the port becoming a designated port. Applying a higher value impacts the port's likelihood of becoming a designated port.

• spanning-tree port-cisco-interoperability [disable|enable]

port-cisco-interoperability
    Enables interoperability with Cisco's version of MSTP (which is incompatible with standard MSTP)

enable
    Enables CISCO Interoperability

disable
    Disables CISCO Interoperability. The default is disabled.

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree bpdufilter disable
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree bpduguard enable
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree force-version 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree guard root
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree mst 2 port-priority 10
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  duplex full
  spanning-tree bpduguard enable
  spanning-tree bpdufilter disable
  spanning-tree force-version 1
  spanning-tree guard root
  spanning-tree mst 2 port-priority 10
 --More--
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands

no
    Removes spanning tree settings configured on this interface
7.1.36.2.19 speed

interface-config-ge-instance

Specifies the speed of a FastEthernet (10/100) or GigabitEthernet (10/100/1000) port. This is the speed at which the port can receive and transmit the data.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

speed [10|100|1000|auto]

Parameters

• speed [10|100|1000|auto]

10
    Forces 10 Mbps operation

100
    Forces 100 Mbps operation

1000
    Forces 1000 Mbps operation

auto
    Port automatically detects its operational speed based on the port at the other end of the link. Select this option to enable the port to automatically exchange information about data transmission speed and duplex capabilities. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis.

Usage Guidelines

Set the interface speed to auto detect and use the fastest speed available. Speed detection is based on connected network hardware.

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#speed 10
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  speed 10
  duplex full
  spanning-tree bpduguard enable
  spanning-tree bpdufilter disable
  spanning-tree force-version 1
  spanning-tree guard root
  spanning-tree mst 2 port-priority 10
  dot1x supplicant username Bob password 0 test@123
  ip dhcp trust
  ip arp header-mismatch-validation
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands

no
    Resets speed to default (auto)
7.1.36.2.20 switchport

interface-config-ge-instance

Sets switching mode characteristics for the selected interface

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

switchport [access|mode|trunk]
switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
switchport mode [access|trunk]
switchport trunk [allowed|native]
switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]

Parameters

• switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]

access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
    Sets the VLAN when the interface is in the access mode. You can either directly specify the native VLAN ID or use a VLAN alias to identify the native VLAN.
    • <1-4094> – Specify the SVI VLAN ID from 1 - 4094.
    • <VLAN-ALIAS-NAME> – Specify the VLAN alias name (should be existing and configured).
    An Ethernet port in the access mode accepts packets only from the native VLAN. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN.

• switchport mode [access|trunk]

mode [access|trunk]
    Sets the interface’s switching mode to access or trunk (can only be used on physical - layer 2 - interfaces)
    • access – If access mode is selected, the access VLAN is automatically set to VLAN1. In this mode, only untagged packets in the access VLAN (vlan1) are accepted on this port. All tagged packets are discarded.
    • trunk – If trunk mode is selected, tagged VLAN packets are accepted. The native VLAN is automatically set to VLAN1. Untagged packets are placed in the native VLAN by the wireless controller or service platform. Outgoing packets in the native VLAN are sent untagged. The default mode for both ports is trunk.

• switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]

trunk allowed
    Sets trunking mode, allowed VLANs characteristics of the port. Use this option to add VLANs that exclusively send packets over the listed port.

vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
    Sets allowed VLAN options. The options are:
    • <VLAN-ID> – Allows a group of VLAN IDs. Specify the VLAN IDs, can be either a range (55-60) or a comma-separated list (35, 41, etc.)
    • none – Allows no VLANs to transmit or receive through the layer 2 interface
    • add <VLAN-ID> – Adds VLANs to the current list
        • <VLAN-ID> – Specify the VLAN IDs. Can be either a range of VLANs (55-60) or a list of comma-separated IDs (35, 41, etc.)
    • remove <VLAN-ID> – Removes VLANs from the current list
        • <VLAN-ID> – Specify the VLAN IDs. Can be either a range of VLANs (55-60) or a list of comma-separated IDs (35, 41, etc.)
    Allowed VLANs are configured only when the switching mode is set to “trunk”.

• switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]

trunk
    Sets trunking mode characteristics of the switchport

native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]
    Configures the native VLAN ID for the trunk-mode port
    The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
    • tagged – Tags the native VLAN. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header enabling upstream Ethernet devices to know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame.
    • vlan [<1-4094>|<VLAN-ALIAS-NAME>] – Sets the native VLAN for classifying untagged traffic when the interface is in trunking mode.
        • <1-4094> – Specify a value from 1 - 4094.
        • <VLAN-ALIAS-NAME> – Specify the VLAN alias name used to identify the VLANs. The VLAN alias should be existing and configured.

Usage Guidelines

Interfaces ge1 - ge4 can be configured as trunk or in access mode. An interface configured as “trunk” allows packets (from the given list of VLANs) to be added to the trunk. An interface configured as “access” allows packets only from native VLANs.

Use the [no] switchport (access|mode|trunk) to undo switchport configurations.

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#switchport trunk native tagged
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#switchport access vlan 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  speed 10
  duplex full
  switchport mode access
  switchport access vlan 1
  spanning-tree bpduguard enable
  spanning-tree bpdufilter disable
 --More--
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands

no
    Disables or reverts interface settings to their default
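The following Python sketch is an added example, not code from the guide or from WiNG. It applies `switchport` lines in the syntax documented above, including the range and comma-separated VLAN list forms, and then classifies arriving frames the way the access and trunk descriptions state. The class, the function names and the test frames are constructed for illustration; VLAN aliases and priority-tagged frames (VLAN ID 0) are not modelled.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q header


def parse_vlan_list(spec: str) -> set[int]:
    """Expand '55-60', '35, 41' or a mix of both into a set of VLAN IDs."""
    vlans: set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


def vlan_id_of(frame: bytes) -> int | None:
    """Return the 12-bit VLAN ID of a tagged Ethernet frame, None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control field


@dataclass
class Switchport:
    mode: str = "trunk"          # the guide gives trunk as the default mode
    access_vlan: int = 1
    native_vlan: int = 1
    native_tagged: bool = False
    allowed: set[int] = field(default_factory=set)

    def apply(self, command: str) -> None:
        """Apply one 'switchport ...' line (numeric VLAN IDs only, no aliases)."""
        w = command.split()
        if len(w) == 3 and w[:2] == ["switchport", "mode"] and w[2] in ("access", "trunk"):
            self.mode = w[2]
        elif len(w) == 4 and w[:3] == ["switchport", "access", "vlan"]:
            (self.access_vlan,) = parse_vlan_list(w[3])
        elif len(w) == 5 and w[:4] == ["switchport", "trunk", "native", "vlan"]:
            (self.native_vlan,) = parse_vlan_list(w[4])
        elif w == ["switchport", "trunk", "native", "tagged"]:
            self.native_tagged = True
        elif len(w) >= 5 and w[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            op, rest = w[4], "".join(w[5:])
            if op == "none":
                self.allowed = set()
            elif op == "add":
                self.allowed |= parse_vlan_list(rest)
            elif op == "remove":
                self.allowed -= parse_vlan_list(rest)
            else:  # a bare list replaces the current one
                self.allowed = parse_vlan_list("".join(w[4:]))
        else:
            raise ValueError(f"unsupported command: {command!r}")

    def classify_ingress(self, frame: bytes) -> int | None:
        """VLAN an arriving frame is placed in, or None when it is discarded."""
        vid = vlan_id_of(frame)
        if self.mode == "access":
            # Access mode: untagged frames only; every tagged frame is dropped.
            return self.access_vlan if vid is None else None
        if vid is None:
            return self.native_vlan  # trunk: untagged traffic joins the native VLAN
        return vid if vid in self.allowed else None

    def egress_tagged(self, vlan: int) -> bool:
        """Whether frames of this VLAN leave the port with an 802.1Q header."""
        if self.mode == "access":
            return False
        return vlan != self.native_vlan or self.native_tagged


def build_frame(vid: int | None = None) -> bytes:
    """Constructed test frame: zeroed MACs, optional 802.1Q tag, IPv4 EtherType."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + bytes(46)


if __name__ == "__main__":
    port = Switchport()
    for line in ("switchport trunk native vlan 10",
                 "switchport trunk allowed vlan 55-60",
                 "switchport trunk allowed vlan add 35, 41"):
        port.apply(line)
    for vid in (None, 41, 99):
        print(f"tag={vid} -> VLAN {port.classify_ingress(build_frame(vid))}")
```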
7.1.36.2.21 use

interface-config-ge-instance

Specifies the IP (IPv4 and IPv6) access list and MAC access list used with this Ethernet port. The associated ACL firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

use [ip-access-list in <IPv4-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-LIST-NAME>|mac-access-list in <MAC-ACCESS-LIST-NAME>]

Parameters

• use [ip-access-list in <IPv4-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-LIST-NAME>|mac-access-list in <MAC-ACCESS-LIST-NAME>]

ip-access-list in <IPv4-ACCESS-LIST-NAME>
    Associates an IPv4 access list with this Ethernet port. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.
    • in – Applies the IPv4 ACL on incoming packets
    • <IPv4-ACCESS-LIST-NAME> – Specify the IPv4 access list name (it should be existing and configured).

ipv6-access-list in <IPv6-ACCESS-LIST-NAME>
    Associates an IPv6 access list with this Ethernet port. IPv6 is the latest revision of the IP designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
    • in – Applies the IPv6 ACL on incoming packets
    • <IPv6-ACCESS-LIST-NAME> – Specify the IPv6 access list name (it should be existing and configured).

mac-access-list in <MAC-ACCESS-LIST-NAME>
    Associates a MAC access list with this Ethernet port. MAC ACLs filter/mark packets based on the MAC address from which they arrive, as opposed to filtering packets on layer 2 ports.
    • in – Applies the MAC ACL on incoming packets
    • <MAC-ACCESS-LIST-NAME> – Specify the MAC access list name (it should be existing and configured).

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#use mac-access-list in test
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#use ip-access-list in test
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  speed 10
  duplex full
  switchport mode access
  switchport access vlan 1
  use ip-access-list in test
  use mac-access-list in test
  spanning-tree bpduguard enable
  spanning-tree bpdufilter disable
  spanning-tree force-version 1
 --More--
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands

no
    Disassociates the IP access list or MAC access list from the interface
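The following Python sketch is an added example, not code from the guide or from WiNG. It parses `show context` listings like the ones in this section and reports per-port settings worth reviewing: a `dot1x supplicant` password stored in type `0` form, trust flags on access ports, an enabled BPDU filter, and access ports without BPDU guard or port authentication. The review baseline, the check names and the sample listing are assumptions constructed for illustration, as is the reading of password type `0` as clear text.

```python
from __future__ import annotations

import re

# Constructed sample assembled from the kinds of lines shown in this section's
# "show context" listings; it is not output captured from a device.
SAMPLE = """\
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  switchport mode access
  switchport access vlan 1
  use ip-access-list in test
  spanning-tree bpduguard enable
  spanning-tree bpdufilter disable
  dot1x supplicant username Bob password 0 test@123
  ip dhcp trust
  ip arp header-mismatch-validation
 interface ge2
  switchport mode trunk
  spanning-tree bpdufilter enable
  ipv6 nd trust
 interface ge5
  switchport mode access
  switchport access vlan 1
  dot1x authenticator host-mode single-host
  dot1x authenticator port-control auto
  mac-auth
 --More--
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#")
# Assumption: password type 0 marks a secret kept in clear text.
SECRET = re.compile(r"^(dot1x supplicant username \S+ password) 0 \S+$")
TRUST = {"ip dhcp trust", "ip arp trust", "ipv6 nd trust", "ipv6 dhcpv6 trust"}
PORT_AUTH = {"mac-auth", "dot1x authenticator port-control auto"}


def parse_show_context(text: str) -> dict[str, list[str]]:
    """Group setting lines under the 'interface <name>' line that precedes them."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--" or PROMPT.match(line):
            continue  # pager marker and CLI prompts carry no settings
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif current is not None:
            current.append(line)
    return blocks


def audit_interface(name: str, lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (interface, check, detail) review items for one port."""
    mode = "trunk"  # the guide gives trunk as the default switching mode
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line.split()[-1]
    access = mode == "access"
    findings = []
    for line in lines:
        if m := SECRET.match(line):
            # Report the setting without repeating the secret itself.
            findings.append((name, "CLEARTEXT-SECRET", m.group(1) + " 0 <redacted>"))
        if access and line in TRUST:
            findings.append((name, "TRUST-ON-ACCESS", line))
        if line == "spanning-tree bpdufilter enable":
            findings.append((name, "BPDUFILTER", "port neither sends nor receives BPDUs"))
    if access and "spanning-tree bpduguard enable" not in lines:
        # 'default' may still inherit a bridge-level guard; flagged for review only.
        findings.append((name, "NO-BPDUGUARD", "BPDU guard not enabled on this port"))
    if access and not PORT_AUTH.intersection(lines):
        findings.append((name, "NO-PORT-AUTH", "no mac-auth or dot1x authenticator"))
    return findings


def audit(text: str) -> list[tuple[str, str, str]]:
    """Audit every interface block found in a show context listing."""
    results = []
    for name, lines in parse_show_context(text).items():
        results.extend(audit_interface(name, lines))
    return results


if __name__ == "__main__":
    for interface, check, detail in audit(SAMPLE):
        print(f"{interface:5} {check:17} {detail}")
```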
7.1.36.3 interface-config-vlan-instance

interface

Use the config-profile-<DEVICE-PROFILE-NAME> mode to configure Ethernet, VLAN and tunnel settings.

To switch to this mode, use the following commands:

<DEVICE>(config-profile-default-<DEVICE-TYPE>)#interface [<INTERFACE-NAME>|fe <1-4>|ge <1-24>|me1|port-channel <1-4>|pppoe1|radio [1|2|3]|up1|vlan <1-4094>|wwan1|xge <1-24>]

The following example uses the config-profile-default-rfs7000 instance to configure a VLAN interface:

rfs6000-37FABE(config-profile-default-rfs6000)#interface vlan 8
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#?
SVI configuration commands:
  crypto               Encryption module
  description          Vlan description
  dhcp                 Dynamic Host Configuration Protocol (DHCP)
  dhcp-relay-incoming  Allow on-board DHCP server to respond to relayed DHCP
                       packets on this interface
  ip                   Interface Internet Protocol config commands
  ipv6                 Internet Protocol version 6 (IPv6)
  no                   Negate a command or set its defaults
  shutdown             Shutdown the selected interface
  use                  Set setting to use

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

The following table summarizes interface VLAN configuration commands:

Commands             Description                                                                        Reference
crypto               Defines the encryption module used with this VLAN interface                        page 7-218
description          Defines the VLAN interface description                                             page 7-219
dhcp                 Enables inclusion of optional fields (client identifier) in DHCP client requests   page 7-220
dhcp-relay-incoming  Allows an onboard DHCP server to respond to relayed DHCP packets on this interface page 7-221
ip                   Configures the VLAN interface’s IP settings                                        page 7-222
ipv6                 Configures the VLAN interface’s IPv6 settings                                      page 7-225
no                   Removes or reverts this VLAN interface’s settings to default                       page 7-230
shutdown             Shuts down this VLAN interface                                                     page 7-232
use                  Associates an IP (IPv4 and IPv6) access list, bonjour-gw-discovery policy, and an IPv6-route-advertisement policy with this VLAN interface   page 7-233
7.1.36.3.1 crypto

interface-config-vlan-instance

Associates an existing and configured VPN crypto map with this VLAN interface.

Crypto map entries are sets of configuration parameters for encrypting packets that pass through the VPN tunnel. For more information on crypto maps, see crypto-map-config-commands.

Supported in the following platforms:
• Access Points — AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers — RFS4000, RFS6000
• Service Platforms — NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

crypto map <CRYPTO-MAP-NAME>

Parameters

• crypto map <CRYPTO-MAP-NAME>

map <CRYPTO-MAP-NAME>
    Attaches a crypto map to the selected VLAN interface. The crypto map should be existing and configured.
    • <CRYPTO-MAP-NAME> – Specify the crypto map name.

Example

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#crypto map map1
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
 interface vlan8
  crypto map map1
rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands

no
    Disables or reverts interface VLAN settings to their default
