The Cisco Wireless LAN solution command-line interface (CLI) enables operators to connect an ASCII console to the Cisco wireless LAN controller and configure the controller and its associated access points.
This chapter contains the commands available in the Cisco CLI release 7.0. The controllers currently covered are as follows:
To display Cisco wireless LAN controller options and settings, use the show commands.
Use the show 802.11 commands to display more detailed 802.11a, 802.11b/g, or other supported 802.11 network settings.
To display basic 802.11a, 802.11b/g, or 802.11h network settings, use the show 802.11 command.
This example shows how to display basic 802.11a network settings:
This example shows how to display basic 802.11h network settings:
show ap stats
show ap summary
show client summary
show interface
show network
show network summary
show port
show wlan
To display the CleanAir configuration for the 802.11 networks, use the show 802.11 cleanair command.
show 802.11 { a | b | h } cleanair config
This example shows how to display the 802.11a cleanair configuration:
config 802.11 cleanair alarm
config 802.11 cleanair device
show 802.11 cleanair air-quality summary
show 802.11 cleanair device ap
show 802.11 cleanair device type
To display the air quality summary information for the 802.11 networks, use the show 802.11 cleanair air-quality summary command.
show 802.11 { a | b | h } cleanair air-quality summary
Displays a summary of 802.11 radio band air quality information.
This example shows how to display a summary of the air quality information for the 802.11a network:
config 802.11 cleanair alarm
config 802.11 cleanair device
show 802.11 cleanair
show 802.11 cleanair device ap
show 802.11 cleanair device type
To display the worst air quality information for the 802.11 networks, use the show 802.11 cleanair air-quality worst command.
show 802.11 { a | b | h } cleanair air-quality worst
Displays the worst air quality information for 802.11 networks.
This example shows how to display worst air quality information for the 802.11a network:
config 802.11 cleanair alarm
config 802.11 cleanair device
show 802.11 cleanair
show 802.11 cleanair device ap
show 802.11 cleanair device type
To display information about the device access point on the 802.11 radio band, use the show 802.11 cleanair device ap command.
show 802.11 { a | b | h } cleanair device ap cisco_ap
This example shows how to display the device access point for the 802.11a network:
config 802.11 cleanair alarm
config 802.11 cleanair device
show 802.11 cleanair
show 802.11 cleanair air-quality summary
show 802.11 cleanair device type
To display information about all the interferer device types detected by a specific access point on the 802.11 radio band, use the show 802.11 cleanair device type command.
show 802.11 { a | b | h } cleanair device type device_type
This example shows how to display the information of all the interferers detected by a specified access point for the 802.11a network:
To display the multicast-direct configuration state, use the show 802.11 media-stream command.
show 802.11 { a | b | h } media-stream media-stream name
This example shows how to display the media-stream configuration:
show 802.11 media-stream
Show Mesh Commands
show media-stream group summary
To display the configuration settings for the AAA authentication server database, use the show aaa auth command.
This example shows how to display the configuration settings for the AAA authentication server database:
To display the access control lists (ACLs) that are configured on the controller, use the show acl command.
show acl { summary | detailed acl_name }
Displays a summary of all ACLs configured on the controller.
This example shows how to display a summary of the access control lists:
This example shows how to display the detailed information of the access control lists:
Note The Counter field increments each time a packet matches an ACL rule, and the DenyCounter field increments each time a packet does not match any of the rules.
clear acl counters
config acl apply
config acl counter
config acl cpu
config acl create
config acl delete
To display the access control lists (ACLs) configured on the central processing unit (CPU), use the show acl cpu command.
This example shows how to display the access control lists on the CPU:
clear acl counters
config acl apply
config acl counter
config acl cpu
config acl create
config acl delete
config acl rule
config interface acl
show acl
Use the show advanced 802.11 commands to display more detailed or advanced 802.11a, 802.11b/g, or other supported 802.11 network settings.
To display the automatic channel assignment configuration and statistics, use the show advanced 802.11 channel command.
show advanced 802.11 { a | b } channel
This example shows how to display the automatic channel assignment configuration and statistics:
config advanced 802.11 channel add
config advanced 802.11 channel cleanair-event
config advanced 802.11 channel dca anchor-time
config advanced 802.11 channel dca chan-width-11n
config advanced 802.11 channel dca interval
config advanced 802.11 channel dca sensitivity
config advanced 802.11 channel foreign
config advanced 802.11 channel load
config advanced 802.11 channel noise
config advanced 802.11 channel update
show advanced 802.11 channel
To display the configuration and statistics for coverage hole detection, use the show advanced 802.11 coverage command.
show advanced 802.11 { a | b } coverage
This example shows how to display the statistics for coverage hole detection:
config advanced 802.11 coverage
config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold
show advanced 802.11 coverage
To display 802.11a or 802.11b Cisco radio RF grouping, use the show advanced 802.11 group command.
show advanced 802.11 { a | b } group
This example shows how to display Cisco radio RF group settings:
To display 802.11a or 802.11b/g Layer 2 client roaming information, use the show advanced 802.11 l2roam command.
show advanced 802.11 { a | b } l2roam {rf-param | statistics mac_address }
This example shows how to display 802.11b Layer 2 client roaming information:
To display 802.11a or 802.11b RF event and performance logging, use the show advanced 802.11 logging command.
show advanced 802.11 { a | b } logging
This example shows how to display 802.11b RF event and performance logging:
config advanced 802.11 logging channel
config advanced 802.11 logging coverage
config advanced 802.11 logging foreign
config advanced 802.11 logging load
config advanced 802.11 logging noise
config advanced 802.11 logging performance
config advanced 802.11 logging txpower
show advanced 802.11 channel
To display the 802.11a or 802.11b default Cisco radio monitoring, use the show advanced 802.11 monitor command.
show advanced 802.11 { a | b } monitor
This example shows how to display the radio monitoring for the 802.11b network:
config advanced 802.11 monitor load
config advanced 802.11 monitor mode
config advanced 802.11 monitor noise
config advanced 802.11 monitor signal
To display the 802.11a or 802.11b lightweight access point performance profiles, use the show advanced 802.11 profile command.
show advanced 802.11 { a | b } profile { global | cisco_ap }
This example shows how to display the global configuration and statistics of an 802.11a profile:
This example shows how to display the configuration and statistics of a specific access point profile:
This response indicates that the performance profile for this lightweight access point is using the global defaults and has not been individually configured.
config advanced 802.11 profile clients
config advanced 802.11 profile customize
config advanced 802.11 profile foreign
config advanced 802.11 profile noise
To display the configuration and statistics of the 802.11a or 802.11b receiver, use the show advanced 802.11 receiver command.
show advanced 802.11 { a | b } receiver
This example shows how to display the configuration and statistics of the 802.11a network settings:
To display the 802.11a or 802.11b Cisco lightweight access point name, channel, and transmit level summary, use the show advanced 802.11 summary command.
show advanced 802.11 { a | b } summary
This example shows how to display a summary of the 802.11b access point settings:
Note An asterisk (*) next to a channel number or power level indicates that it is being controlled by the global algorithm settings.
config advanced 802.11 7920VSIEConfig
config advanced 802.11 channel add
show advanced 802.11 channel
To display the 802.11a or 802.11b automatic transmit power assignment, use the show advanced 802.11 txpower command.
show advanced 802.11 { a | b } txpower
This example shows how to display the configuration and statistics of the 802.11b transmit power cost:
To display a list of primary and secondary backup controllers, use the show advanced backup-controller command.
show advanced backup-controller
This example shows how to display the backup controller information:
config advanced backup-controller primary
config advanced backup-controller secondary
To display the number of automatic client handoffs after retries, use the show advanced client-handoff command.
This example shows how to display the client auto handoff mode after excessive retries:
To display the state of over-the-air frame padding on a wireless LAN controller, use the show advanced dot11-padding command.
This example shows how to view the state of over-the-air frame padding:
config advanced dot11-padding
debug dot11
debug dot11 mgmt interface
debug dot11 mgmt msg
debug dot11 mgmt ssid
debug dot11 mgmt state-machine
debug dot11 mgmt station
To display Extensible Authentication Protocol (EAP) settings, use the show advanced eap command.
This example shows how to display the EAP settings:
config advanced eap
config advanced timers eap-identity-request-delay
config advanced timers eap-timeout
To display the maximum number of simultaneous 802.1X sessions allowed per access point, use the show advanced max-1x-sessions command.
This example shows how to display the maximum 802.1X sessions per access point:
To display the number of probes sent to the WLAN controller per access point per client and the probe interval in milliseconds, use the show advanced probe command.
This example shows how to display the probe settings for the WLAN controller:
To display whether control path rate limiting is enabled or disabled, use the show advanced rate command.
This example shows how to display the switch control path rate limiting mode:
To display whether the WLAN controller disassociates clients after a handoff, use the show advanced send-disassoc-on-handoff command.
show advanced send-disassoc-on-handoff
This example shows how to display the disassociated clients after a handoff:
To display whether or not the Cisco wireless LAN controller port statistics are enabled or disabled, use the show advanced statistics command.
This example shows how to display switch port statistics mode:
To display the mobility anchor, authentication response, and rogue access point entry timers, use the show advanced timers command.
This example shows how to display the system timers setting:
config advanced timers ap-discovery-timeout
config advanced timers ap-fast-heartbeat
config advanced timers ap-heartbeat-timeout
config advanced timers ap-primary-discovery-timeout
config advanced timers auth-timeout
config advanced timers eap-identity-request-delay
config advanced timers eap-timeout
To display the auto-RF settings for a Cisco lightweight access point, use the show ap auto-rf command.
show ap auto-rf 802.11 { a | b } cisco_ap
This example shows how to display auto-RF information for an access point:
To display an access point’s Cisco Client eXtensions (CCX) radio management status information, use the show ap ccx rm command.
Displays the CCX radio management status information for an access point.
This example shows how to display the status of the CCX radio management:
To display the Cisco Discovery Protocol (CDP) information for an access point, use the show ap cdp commands.
show ap cdp { all | ap-name cisco_ap | neighbors { all | ap-name cisco_ap | detail cisco_ap }}
Displays details about a specific access point neighbor using CDP.
This example shows how to display the CDP status of all access points:
This example shows how to display the CDP status of a specified access point:
This example shows how to display details about all neighbors using CDP:
This example shows how to display details about a specific neighbor with a specified access point using CDP:
This example shows how to display details about neighbors using CDP:
To display the available channels for a specific mesh access point, use the show ap channel command.
This example shows how to display the available channels for a particular access point:
config 802.11-a channel ap
config 802.11h channelswitch
config 802.11h setchannel
To display the detailed configuration for a lightweight access point, use the show ap config command.
show ap config { 802.11 { a | b } | general } cisco_ap
This example shows how to display the detailed configuration for an access point:
This example shows how to display the detailed configuration for another access point:
This example shows how to display the general configuration of a Cisco access point:
Note As of Controller Release 5.2 the 4400 series controllers can only run with the speed and duplex set to auto.
To display the global syslog server settings for all access points that join the controller, use the show ap config global command.
This example shows how to display global syslog server settings:
To display the memory core dump information for a lightweight access point, use the show ap core-dump command.
This example shows how to display memory core dump information:
To display the list of both crash and radio core dump files generated by lightweight access points, use the show ap crash-file command.
This example shows how to display the crash file generated by the access point:
config ap crash-file clear-all
config ap crash-file delete
config ap crash-file get-crash-file
config ap crash-file get-radio-core-dump
To display the data plane status for all access points or a specific access point, use the show ap data-plane command.
show ap data-plane {all | Cisco_AP }
This example shows how to display the data plane status of all access points:
To display the contents of the event log file for an access point that is joined to the controller, use the show ap eventlog command.
This example shows how to display the event log of an access point:
To display the detailed information about the predownloaded image for specified access points, use the show ap image command.
show ap image { cisco_ap | all}
Note If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
This example shows how to display images present on all access points:
To display inventory information for an access point, use the show ap inventory command.
This example shows how to display the inventory of an access point:
NAME: "test101", DESCR: "Cisco Wireless Access Point"
To display all join-related statistics collected for a specific access point, use the show ap join stats detailed command.
show ap join stats detailed ap_mac
Access point Ethernet MAC address or the MAC address of the 802.11 radio interface.
This example shows how to display join information for a specific access point trying to join the controller:
show ap join stats detailed
show ap join stats summary
show ap join stats summary all
To display the last join error detail for a specific access point, use the show ap join stats summary command.
show ap join stats summary ap_mac
Access point Ethernet MAC address or the MAC address of the 802.11 radio interface.
To obtain the MAC address of the 802.11 radio interface, enter the show interface command on the access point.
This example shows how to display specific join information for an access point:
To display the MAC addresses of all the access points that are joined to the controller or that have tried to join, use the show ap join stats summary all command.
show ap join stats summary all
This example shows how to display a summary of join information for all access points:
To display the link encryption status of all the access points or of a specific access point, use the show ap link-encryption command.
show ap link-encryption {all | Cisco_AP }
This example shows how to display the link encryption status of all access points:
To display the current channel-optimized monitor mode settings, use the show ap monitor-mode summary command.
This example shows how to display current channel-optimized monitor mode settings:
AP Name Ethernet MAC Status Scanning Channel List
------------------ ----------------- ---------- ----------------------
To display the statistics for a Cisco lightweight access point, use the show ap stats command.
show ap stats { 802.11 { a | b } | wlan } cisco_ap [tsm {client_mac | all}]
This example shows how to display statistics of an access point for the 802.11b network:
To display a summary of all lightweight access points attached to the controller, use the show ap summary command.
A list that contains each lightweight access point name, number of slots, manufacturer, MAC address, location, and the controller port number appears.
This example shows how to display a summary of all connected access points:
To display the Transmission Control Protocol (TCP) maximum segment size (MSS) information for access points, use the show ap tcp-mss-adjust command.
show ap tcp-mss-adjust { cisco_ap | all }
Note If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
This example shows how to display Transmission Control Protocol (TCP) maximum segment size (MSS) information of all access points:
To display the Basic Service Set Identifier (BSSID) value for each WLAN defined on an access point, use the show ap wlan command.
show ap wlan 802.11 { a | b } cisco_ap
This example shows how to display BSSIDs of an access point for the 802.11b network:
To display the Cisco wireless LAN controller MAC addresses, IP addresses, and port types, use the show arp switch command.
This example shows how to display Address Resolution Protocol (ARP) cache information for the switch:
To display the access point authorization list, use the show auth-list command.
This example shows how to display the access point authorization list:
clear tacacs auth statistics
clear stats local-auth
config auth-list add
config auth-list ap-policy
config auth-list delete
To display the primary and backup software build numbers with an indication of which is active, use the show boot command.
Each Cisco wireless LAN controller retains one primary and one backup operating system software load in nonvolatile RAM to allow controllers to boot off the primary load (default) or revert to the backup load when desired.
This example shows how to display the default boot image information:
Note The show call-control ap command is applicable only for SIP based calls.
To see the metrics for successful calls or the traps generated for failed calls, use the show call-control ap command.
show call-control ap { 802.11a | 802.11b } Cisco_ap { metrics | traps }
This example shows how to display the metrics for successful calls generated for an access point:
This example shows how to display the metrics for the traps generated for an access point:
To aid in troubleshooting, the output of this command shows an error code for any failed calls. Table 2-1 explains the possible error codes for failed calls.
To see call information for a call-aware client when Voice-over-IP (VoIP) snooping is enabled and the call is active, use the show call-control client command.
show call-control client callInfo client_MAC_address
This example shows how to display the call information such as the IP port for calls related to the client:
To display the list of clients associated with the CAPWAP access point, use the show capwap client command.
This example shows how to display clients associated with the CAPWAP access point:
capwap ap ip address
capwap ap ip default-gateway
show capwap client ip config
To display the CAPWAP static IP configuration, use the show capwap client ip config command.
This example shows how to display the CAPWAP static IP information:
capwap ap controller ip address
capwap ap ip address
show capwap client config
To display the list of clients associated to an access point and their Service Set Identifiers (SSIDs), use the show capwap reap association command.
This example shows how to display clients associated to an access point and their SSIDs:
To display the status of the hybrid-REAP access point (connected or standalone), use the show capwap reap status command.
This example shows how to display the status of the hybrid-REAP access point:
To display whether or not certificates are verified as compatible in the Cisco wireless LAN controller, use the show certificate compatibility command.
show certificate compatibility
This example shows how to display the status of the compatibility mode:
config certificate
config certificate lsc
show certificate lsc
show certificate summary
show local-auth certificates
To verify that the controller has generated a Locally Significant Certificate (LSC), use the show certificate lsc summary command.
show certificate lsc { summary | ap-provision }
Displays a summary of LSC certificate settings and certificates.
Displays details about the access points that are provisioned using the LSC.
This example shows how to display a summary of the LSC:
This example shows how to display the details about the access points that are provisioned using the LSC:
config certificate
config certificate lsc
show certificate compatibility
show certificate summary
show local-auth certificates
To verify that the controller has generated a certificate, use the show certificate summary command.
This example shows how to display a summary of the certificate:
config certificate
config certificate lsc
show certificate compatibility
show certificate lsc
show local-auth certificates
To display the clients on a Cisco lightweight access point, use the show client ap command.
The show client ap command may list the status of automatically disabled clients. Use the show exclusionlist command to view clients on the exclusion list.
This example shows how to display client information on an access point:
show client detail
show client summary
show client username
show country
show exclusionlist
To display the client’s capability information, use the show client ccx client-capability command.
show client ccx client-capability client_mac_address
This command displays the client’s available capabilities, not the current settings for the capabilities.
This example shows how to display the client’s capability:
config client ccx get-client-capability
config client ccx get-operating-parameters
config client ccx get-profiles
config client ccx stats-request
show client ccx operating-parameters
show client ccx profiles
show client ccx stats-report
To display the data frames sent from the client for the last test, use the show client ccx frame-data command.
show client ccx frame-data client_mac_address
This example shows how to display the data frame sent from the client for the last test:
To display the status of the last test response, use the show client ccx last-response-status command.
show client ccx last-response-status client_mac_address
This example shows how to display the status of the last test response:
config client ccx clear-reports
config client ccx clear-results
config client ccx default-gw-ping
config client ccx dhcp-test
config client ccx log-request
show client ccx last-response-status
show client ccx last-test-status
To display the status of the last test, use the show client ccx last-test-status command.
show client ccx last-test-status client_mac_address
This example shows how to display the status of the last test of the client:
config client ccx clear-reports
config client ccx clear-results
config client ccx default-gw-ping
config client ccx dhcp-test
config client ccx log-request
show client ccx last-response-status
To display a log response, use the show client ccx log-response command.
show client ccx log-response {roam | rsna | syslog } client_mac_address
This example shows how to display the system log response:
This example shows how to display the client roaming log response:
To display the client manufacturing information, use the show client ccx manufacturer-info command.
show client ccx manufacturer-info client_mac_address
This example shows how to display the client manufacturing information:
config client ccx get-client-capability
config client ccx get-manufacturer-info
config client ccx get-operating-parameters
config client ccx get-profiles
To display the client operating-parameters, use the show client ccx operating-parameters command.
show client ccx operating-parameters client_mac_address
This example shows how to display the client operating parameters:
config client ccx get-client-capability
config client ccx get-manufacturer-info
config client ccx get-operating-parameters
config client ccx get-profiles
To display the client profiles, use the show client ccx profiles command.
show client ccx profiles client_mac_address
This example shows how to display the client profiles:
config client ccx get-client-capability
config client ccx get-manufacturer-info
config client ccx get-operating-parameters
config client ccx get-profiles
To display the results from the last successful diagnostic test, use the show client ccx results command.
show client ccx results client_mac_address
This example shows how to display the results from the last successful diagnostic test:
config client ccx test-abort
config client ccx test-association
config client ccx test-dot1x
config client ccx test-profile
config client ccx clear-reports
config client ccx clear-results
To display Cisco Client eXtension (CCX) client radio management report information, use the show client ccx rm commands.
show client ccx rm client_MAC {status | report (chan-load | noise-hist | frame request | beacon | frame)}
Displays the client CCX radio management status information.
This example shows how to display the client radio management status information:
This example shows how to display the client radio management load reports:
This example shows how to display the client radio management noise histogram reports:
config client ccx default-gw-ping
config client ccx dhcp-test
To display the Cisco Client eXtensions (CCX) statistics report from a specified client device, use the show client ccx stats-report command.
show client ccx stats-report client_mac_address
This example shows how to display the statistics report:
config client ccx default-gw-ping
config client ccx dhcp-test
config client ccx dns-ping
To display detailed information for a client on a Cisco lightweight access point, use the show client detail command.
The show client ap command may list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list.
Note The WLAN indexes displayed through the show capwap reap assoc command can be different when compared to the WLAN IDs on the controllers. The SSID-to-VLAN mappings are correctly preserved and the functionality is not impacted.
This example shows how to display the client detailed information:
To display client location calibration summary information, use the show client location-calibration summary command.
show client location-calibration summary
This example shows how to display the location calibration summary information:
To display the number of probing clients, use the show client probing command.
This example shows how to display the number of probing clients:
To display the roaming history of a specified client, use the show client roam-history command.
show client roam-history mac_address
This example shows how to display the roaming history of a specified client:
To display a summary of clients associated with a Cisco lightweight access point, use the show client summary command.
The show client ap command may list the status of automatically disabled clients. Use the show exclusionlist command to display clients on the exclusion list.
This example shows how to display a summary of the active clients:
To display the active wired guest LAN clients, use the show client summary guest-lan command.
To display the client traffic stream metrics (TSM) statistics, use the show client tsm command.
show client tsm 802.11 {a | b} client_mac {ap_mac | all}
Specifies the list of all access points to which the client has associations.
This example shows how to display the client’s TSM for the 802.11a network:
To display the client data by the username, use the show client username command.
This example shows how to display the detailed information for a client by name:
To display the configured country and the radio types supported, use the show country command.
This example shows how to display the configured countries and supported radio types:
To display the radio channels supported in the configured country, use the show country channels command.
To display a list of the supported country options, use the show country supported command.
This example shows how to display a list of all the supported countries:
To display a summary of the controller’s core dump file, use the show coredump summary command.
This example shows how to display the core dump summary:
config coredump
config coredump ftp
config coredump username
To display current WLAN controller CPU usage information, use the show cpu command.
To display web authentication customization information, use the show custom-web command.
This example shows how to display the web authentication customization information:
config custom-web ext-webauth-mode
config custom-web ext-webauth-url
config custom-web ext-webserver
config custom-web redirectUrl
config custom-web webauth-type
config custom-web weblogo
config custom-web webmessage
config custom-web webtitle
To display the maximum number of entries in the database, use the show database summary command.
This example shows how to display a summary of the local database configuration:
To determine if the MAC address and other flag debugging is enabled or disabled, use the show debug command.
This example shows how to display if debugging is enabled:
To display the internal Dynamic Host Configuration Protocol (DHCP) server configuration, use the show dhcp command.
show dhcp {detailed | leases | opt-82 | proxy | stats | summary | timeout | scope }
This example shows how to display the allocated DHCP leases:
This example shows how to display the DHCP summary information:
This example shows how to display the DHCP information for the scope 003:
config dhcp
config dhcp proxy
config interface dhcp
config wlan dhcp_server
debug dhcp
debug dhcp service-port
debug disable-all
show dhcp proxy
To display the Datagram Transport Layer Security (DTLS) server status, use the show dtls connections command.
This example shows how to display the established DTLS connections:
To display the status of DHCP proxy handling, use the show dhcp proxy command.
This example shows how to display the status of DHCP proxy information:
config dhcp
config dhcp proxy
config interface dhcp
config wlan dhcp_server
debug dhcp
debug dhcp service-port
debug disable-all
show dhcp
To display the event log, use the show eventlog command.
This example shows how to display the event log entries:
To display a summary of all clients on the manual exclusion list, which are prevented from associating with this Cisco wireless LAN controller, use the show exclusionlist command.
To display the configuration of a specific wired guest LAN, use the show guest-lan command.
To display all wired guest LANs configured on the controller, use the show guest-lan summary command.
This example shows how to display the guest LAN configuration:
config guest-lan
config guest-lan custom-web ext-webauth-url
config guest-lan custom-web global disable
config guest-lan custom-web login_page
config guest-lan nac
config guest-lan security
To display the details for a specific hybrid-REAP group, use the show hreap group detail command.
show hreap group detail group_name
This example shows how to display the detailed information for a specific hybrid-REAP group:
To display the current list of hybrid-REAP groups, use the show hreap group summary command.
This example shows how to display the current list of hybrid-REAP groups:
To display hybrid-REAP OfficeExtend access point information, use the show hreap office-extend command.
show hreap office-extend { summary | latency }
This example shows how to display information about the list of hybrid-REAP OfficeExtend access points:
This example shows how to display the hybrid-REAP OfficeExtend access point’s link delay:
To display active Internet Key Exchange (IKE) security associations (SAs), use the show ike command.
show ike { brief | detailed } IP_or_MAC_address
To display details of the system interfaces, use the show interface command:
show interface { summary | detailed interface_name }
The interface name of the wired guest LAN in the following example is management and its VLAN ID is 149.
This example shows how to display a summary of the local interfaces:
This example shows how to display the detailed interface information:
Note: Some WLAN controllers may have only one physical port listed because they have only one physical port.
To see any ignored commands or invalid configuration values in an edited configuration file, use the show invalid-config command.
You can execute this command only before the clear config or save config command.
This example shows how to display a list of any ignored commands or invalid configuration values in a configuration file:
To display a physical inventory of the Cisco wireless LAN controller, use the show inventory command.
Some wireless LAN controllers may have no crypto accelerator (VPN termination module) or power supplies listed because they have no provisions for VPN termination modules or power supplies.
This example shows how to display a physical inventory of the controller:
To display active Internet Protocol Security (IPsec) security associations (SAs), use the show IPsec commands.
show IPsec { brief | detailed } IP_or_MAC_address
This example shows how to display brief information about the active Internet Protocol Security (IPsec) security associations (SAs):
config radius acct IPsec authentication
config radius acct IPsec disable
config radius acct IPsec enable
config radius acct IPsec encryption
config radius acct IPsec ike
config radius auth IPsec authentication
config radius auth IPsec disable
config radius auth IPsec encryption
config radius auth IPsec ike
config trapflags IPsec
config wlan security IPsec disable
config wlan security IPsec enable
config wlan security IPsec authentication
config wlan security IPsec encryption
config wlan security IPsec config
config wlan security IPsec ike authentication
config wlan security IPsec ike dh-group
config wlan security IPsec ike lifetime
config wlan security IPsec ike phase1
config wlan security IPsec ike contivity
To display known Cisco lightweight access point information, use the show known ap command.
show known ap { summary | detailed MAC }
This example shows how to display a summary of all known access points:
To display Layer 2 Tunneling Protocol (L2TP) sessions, use the show l2tp command.
show l2tp { summary | ip_address }
This example shows how to display a summary of all L2TP sessions:
To display the current link aggregation (LAG) status, use the show lag summary command.
This example shows how to display the current status of the LAG configuration:
To display the Lightweight Directory Access Protocol (LDAP) server information for a particular LDAP server, use the show ldap command.
This example shows how to display the detailed LDAP server information:
config ldap
config ldap add
config ldap simple-bind
show ldap statistics
show ldap summary
To display all Lightweight Directory Access Protocol (LDAP) server information, use the show ldap statistics command.
This example shows how to display the LDAP server statistics:
config ldap
config ldap add
config ldap simple-bind
show ldap
show ldap summary
To display the current Lightweight Directory Access Protocol (LDAP) server status, use the show ldap summary command.
This example shows how to display a summary of configured LDAP servers:
Idx Server Address Port Enabled
config ldap
config ldap add
config ldap simple-bind
show ldap
show ldap statistics
To display the license agent counter and session information on the Cisco 5500 Series Controller, use the show license agent command.
show license agent { counters | sessions }
This example shows how to display the license agent counters information:
This example shows how to display the license agent sessions information:
config license agent
clear license agent
show license all
show license detail
show license feature
show license image-level
show license summary
To display information for all licenses on the Cisco 5500 Series Controller, use the show license all command.
This example shows how to display all the licenses:
license install
license modify priority
show license agent
show license detail
show license feature
show license image-level
show license summary
To display the maximum number of access points allowed for this license on the Cisco 5500 Series Controller, the number of access points currently joined to the controller, and the number of access points that can still join the controller, use the show license capacity command.
This example shows how to display the license capacity:
license install
license modify priority
show license agent
show license all
show license detail
show license feature
show license image-level
show license summary
To display details of a specific license on the Cisco 5500 Series Controller, use the show license detail command.
show license detail license_name
This example shows how to display the license details:
license install
license modify priority
show license agent
show license all
show license feature
show license image-level
show license summary
To display details of expiring licenses on the Cisco 5500 Series Controller, use the show license expiring command.
This example shows how to display the details of the expiring licenses:
license install
license modify priority
show license all
show license detail
show license evaluation
show license in-use
show license summary
To display details of evaluation licenses on the Cisco 5500 Series Controller, use the show license evaluation command.
This example shows how to display the details of the evaluation licenses:
license install
license modify priority
show license all
show license detail
show license expiring
show license in-use
show license summary
To display a summary of license-enabled features on the Cisco 5500 Series Controller, use the show license feature command.
This example shows how to display the license-enabled features:
license install
license modify priority
show license all
show license detail
show license expiring
show license evaluation
show license image-level
show license in-use
show license summary
To display a summary of license-enabled features on the Cisco 5500 Series Controller, use the show license file command.
This example shows how to display the license files:
license install
show license all
show license detail
show license expiring
show license feature
show license image-level
show license in-use
show license summary
To display the license handles on the Cisco 5500 Series Controller, use the show license handle command.
This example shows how to display the license handles:
license install
show license all
show license detail
show license expiring
show license feature
show license image-level
show license in-use
show license summary
To display the license image level that is in use on the Cisco 5500 Series Controller, use the show license image-level command.
This example shows how to display the image level license settings:
license install
license modify priority
show license all
show license detail
show license expiring
show license feature
show license in-use
show license summary
To display the licenses that are in use on the Cisco 5500 Series Controller, use the show license in-use command.
This example shows how to display the licenses that are in use:
license install
license modify priority
show license all
show license detail
show license evaluation
show license expiring
show license feature
show license image-level
show license permanent
show license summary
To display the permanent licenses on the Cisco 5500 Series Controller, use the show license permanent command.
This example shows how to display the permanent license’s information:
license install
license modify priority
show license all
show license detail
show license evaluation
show license expiring
show license feature
show license image-level
show license in-use
show license summary
To display the license status on the Cisco 5500 Series Controller, use the show license status command.
This example shows how to display the license status:
license install
license modify priority
show license all
show license detail
show license evaluation
show license expiring
show license feature
show license image-level
show license permanent
show license summary
To display license statistics on the Cisco 5500 Series Controller, use the show license statistics command.
This example shows how to display the license statistics:
license install
license modify priority
show license all
show license detail
show license evaluation
show license expiring
show license feature
show license image-level
show license permanent
show license summary
To display a brief summary of all licenses on the Cisco 5500 Series Controller, use the show license summary command.
This example shows how to display a brief summary of all licenses:
license install
license modify priority
show license all
show license detail
show license evaluation
show license expiring
show license feature
show license image-level
show license permanent
show license summary
To display unique device identifier (UDI) values for licenses on the Cisco 5500 Series Controller, use the show license udi command.
This example shows how to display the UDI values for licenses:
license install
license modify priority
show license all
show license detail
show license evaluation
show license expiring
show license feature
show license image-level
show license permanent
show license summary
To display the status of the load-balancing feature, use the show load-balancing command.
This example shows how to display the load-balancing status:
To display local authentication certificate information, use the show local-auth certificates command:
This example shows how to display the authentication certificate information stored locally:
clear stats local-auth
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth config
show local-auth statistics
To display local authentication configuration information, use the show local-auth config command.
This example shows how to display the local authentication configuration information:
clear stats local-auth
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth statistics
To display local Extensible Authentication Protocol (EAP) authentication statistics, use the show local-auth statistics command:
This example shows how to display the local authentication certificate statistics:
clear stats local-auth
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
To display location system information, use the show location command.
show location [ detail mac_address | summary ]
This example shows how to display the location summary information:
clear location rfid
clear location statistics rfid
config location
show location statistics rfid
To see any radio frequency identification (RFID)-related errors, use the show location statistics rfid command.
This example shows how to display the detailed location RFID statistics:
clear location rfid
clear location statistics rfid
config location
show location
To display the syslog facility logging parameters and buffer contents, use the show logging command.
This example shows how to display the current settings and buffer content details:
config logging syslog host
config logging syslog facility
config logging syslog level
To display the existing sessions, use the show loginsession command.
This example shows how to display the current session details:
To display the MAC filter parameters, use the show macfilter command.
show macfilter { summary | detail MAC }
The MAC delimiter (none, colon, or hyphen) for MAC addresses sent to RADIUS servers is displayed. The MAC filter table lists the clients that are always allowed to associate with a wireless LAN.
This example shows how to display the details of a MAC filter entry:
This example shows how to display a summary of the MAC filter parameters:
config macfilter
config macfilter description
config macfilter interface
config macfilter ip-address
config macfilter mac-delimiter
config macfilter radius-compat
config macfilter wlan-id
To display a summary of memory analysis settings and any discovered memory issues, enter this command:
show memory monitor [ detail ]
(Optional) Displays details of any memory leaks or corruption.
Be careful when changing the defaults for the config memory monitor command unless you know what you are doing, you have detected a problem, or you are collecting troubleshooting information.
This example shows how to display a summary of memory monitoring settings and a summary of test results:
This example shows how to display the monitor test results:
config memory monitor errors
config memory monitor leaks
debug memory
To display the scheduled system reset parameters, use the show reset command.
This example shows how to display the scheduled system reset parameters:
reset system at
reset system in
reset system cancel
reset system notify-time
Use the show media-stream commands to display the multicast-direct configuration state.
To display the details for a specific media-stream group, use the show media-stream group detail command.
show media-stream group detail media-stream_name
This example shows how to display media-stream group configuration details:
To display the summary of the media stream and client information, use the show media-stream group summary command.
show media-stream group summary
This example shows how to display a summary of the media-stream group:
To display settings for outdoor and indoor mesh access points, use the show mesh commands.
To display settings for mesh access points, use the show mesh ap command.
show mesh ap { summary | tree }
This example shows how to display a summary format:
This example shows how to display settings in a hierarchical (tree) format:
config mesh alarm
config mesh astools
config mesh background-scanning
config mesh battery-state
To display anti-stranding statistics for outdoor mesh access points, use the show mesh astools stats command.
show mesh astools stats [ cisco_ap ]
(Optional) Anti-stranding feature statistics for a designated mesh access point.
This example shows how to display anti-stranding statistics on all outdoor mesh access points:
This example shows how to display anti-stranding statistics for access point sb_map1 :
To display whether or not the background-scanning feature is enabled on a mesh network, use the show mesh background-scanning command.
The secondary backhaul access feature is not supported by Cisco 1520 and 1524 indoor mesh access points in the 5.2 release.
This example shows how to display the state of the background-scanning feature:
config mesh background-scanning
show mesh config
show mesh stats
To display whether or not clients on a mesh network have access to the backhaul channel, and at what level of service, use the show mesh backhaul rate-adapt command.
show mesh backhaul rate-adapt {all | bronze | silver | gold | platinum}
This example shows how to display the state of the backhaul rate-adaption feature:
To display call admission control (CAC) topology and the bandwidth used or available in a mesh network, use the show mesh cac command.
show mesh cac { summary | { bwused { voice | video } | access | callpath | rejected } cisco_ap }
This example shows how to display a summary of the call admission control settings:
This example shows how to display the mesh topology and the voice bandwidth used or available:
This example shows how to display the access voice calls in progress in a tree topology:
config 802.11 cac video acm
config 802.11 cac video max-bandwidth
config 802.11 cac video roam-bandwidth
config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac voice acm
config 802.11 cac voice max-bandwidth
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice tspec-inactivity-timeout
config 802.11 cac voice load-based
debug cac
To display the backhaul client access configuration setting, use the show mesh client-access command.
This example shows how to display backhaul client access configuration settings for a mesh access point:
To display mesh configuration settings, use the show mesh config command.
This example shows how to display global mesh configuration settings:
To display global or specific environment summary information for mesh networks, use the show mesh env command.
show mesh env { summary | cisco_ap }
Name of access point for which environment summary information is requested.
This example shows how to display global environment summary information:
This example shows how to display an environment summary for an access point:
Note: As of Controller Release 5.2, the 4400 series controllers can only run with the speed and duplex set to auto.
To display summary or detailed information about the mesh neighbors for a specific mesh access point, use the show mesh neigh command.
show mesh neigh { detail | summary } { cisco_ap | all }
Displays the channel and signal-to-noise ratio (SNR) details between the designated mesh access point and its neighbor.
Displays the mesh neighbors for a designated mesh access point.
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
This example shows how to display a neighbor summary of an access point:
This example shows how to display the detailed neighbor statistics of an access point:
Table 2-4 lists the output flags displayed for the config mesh linktest command.
To display the channel and signal-to-noise ratio (SNR) details for a link between a mesh access point and its neighbor, use the show mesh path command.
This example shows how to display channel and SNR details for a designated link path:
config mesh battery-state
config mesh client-access
config mesh linktest
config mesh range
show mesh config
show mesh neigh
show mesh stats
To display the percentage of packet errors for packets transmitted by the neighbors of a specified mesh access point, use the show mesh per-stats command.
show mesh per-stats summary { cisco_ap | all }
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
The packet error rate percentage equals 1 - (number of successfully transmitted packets / number of total packets transmitted).
This example shows how to display the percentage of packet errors for packets transmitted by the neighbors to a mesh access point:
config mesh linktest
config mesh range
show mesh config
show mesh neigh
show mesh stats
To display the number of packets in a client access queue by type for a particular mesh access point, use the show mesh queue-stats command.
show mesh queue-stats { cisco_ap | all }
Name of access point for which you want packet queue statistics.
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
This example shows how to display packet queue statistics for access point ap417:
config mesh client-access
config mesh multicast
config mesh secondary-backhaul
show mesh client-access
show mesh config
show mesh stats
show mgmtuser
To display 4.8-GHz public safety settings, use the show mesh public-safety command.
This example shows how to view 4.8-GHz public safety settings:
config 802.11-a
config 802.11-a antenna extAntGain
config 802.11-a channel ap
config 802.11-a txpower ap
config mesh public-safety
config mesh security
show mesh ap
show mesh security-stats
show mesh stats
To display queue statistics for secondary backhaul access in a mesh network, use the show mesh secbh-stats command.
show mesh secbh-stats { cisco_ap | all }
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
The secondary backhaul access feature is not supported by Cisco 1520 and 1524 indoor mesh access points in the 5.2 release.
This example shows how to display statistics for secondary backhaul access of access point SB_RAP1 :
To display the current state of mesh secondary backhaul configuration settings, use the show mesh secondary-backhaul command.
The secondary backhaul access feature is not supported by Cisco 1520 and 1524 indoor mesh access points in the 5.2 release.
This example shows how to display secondary backhaul configuration settings for a mesh access point:
To display packet error statistics for a specific access point, use the show mesh security-stats command.
show mesh security-stats { cisco_ap | all }
Name of access point for which you want packet error statistics.
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
This command shows packet error statistics and a count of failures, timeouts, and successes with respect to associations and authentications as well as reassociations and reauthentications for the specified access point and its child.
This example shows how to display packet error statistics for access point ap417:
config mesh alarm
config mesh linkdata
config mesh linktest
config mesh security
To display the mesh statistics for a Cisco lightweight access point, use the show mesh stats command.
This example shows how to display statistics of an access point:
config mesh alarm
config mesh client-access
config mesh ethernet-bridging vlan-transparent
config mesh linkdata
config mesh linktest
config mesh security
show mesh per-stats
show mesh queue-stats
show mesh security-stats
To display the local management user accounts on the Cisco wireless LAN controller, use the show mgmtuser command.
This example shows how to display a list of management users:
config mgmtuser add
config mgmtuser delete
config mgmtuser description
config mgmtuser password
Use the show mobility commands to display mobility settings.
To display the wireless LAN anchor export list for the Cisco wireless LAN controller mobility groups or to display a list and status of controllers configured as mobility anchors for a specific WLAN or wired guest LAN, use the show mobility anchor commands.
show mobility anchor [ wlan wlan_id | guest-lan guest_lan_id ]
The status field display (see example) shows one of the following values:
This example shows how to display a mobility wireless LAN anchor list:
config guest-lan mobility anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
config wlan mobility anchor
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To display the statistics information for the Cisco wireless LAN controller mobility groups, use the show mobility statistics command.
This example shows how to display statistics of the mobility manager:
config mobility group anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
debug mobility
show mobility anchor
show mobility summary
To display the summary information for the Cisco wireless LAN controller mobility groups, use the show mobility summary command.
This example shows how to display a summary of the mobility manager:
config guest-lan mobility anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
config wlan mobility anchor
debug mobility
show mobility anchor
show mobility statistics
To display the message logs written to the Cisco wireless LAN controller database, use the show msglog command.
If there are more than 15 entries, you are prompted to display the messages shown in the example.
This example shows how to display message logs:
To display detailed Network Access Control (NAC) information about a Cisco wireless LAN controller, use the show nac statistics command.
This example shows how to display detailed statistics of network access control settings:
show nac summary
config guest-lan nac
config wlan nac
debug nac
To display NAC summary information for a Cisco wireless LAN controller, use the show nac summary command.
This example shows how to display summary information of network access control settings:
show nac statistics
config guest-lan nac
config wlan nac
debug nac
To display the configuration of a particular user in the local user database, use the show netuser command.
This example shows how to display a summary of all users in the local user database:
This example shows how to display detailed information on the specified network user:
config netuser add
config netuser delete
config netuser description
config netuser guest-role apply
config netuser wlan-id
show netuser guest-roles
To display a list of the current quality of service (QoS) roles and their bandwidth parameters, use the show netuser guest-roles command.
This example shows how to display a QoS role for the guest network user:
config netuser add
config netuser delete
config netuser description
config netuser guest-role apply
config netuser wlan-id
show netuser guest-roles
show netuser
To display the current status of 802.3 bridging for all WLANs, use the show network command.
This example shows how to display the network details:
Configure Network Commands
show network summary
show network multicast mgid detail
show network multicast mgid summary
To display the network configuration of the Cisco wireless LAN controller, use the show network summary command.
This example shows how to display a summary configuration:
Configure Network Commands
show network
show network multicast mgid detail
show network multicast mgid summary
To display all the clients joined to the multicast group in a specific multicast group identification (MGID), use the show network multicast mgid detail command.
show network multicast mgid detail mgid_value
This example shows how to display details of the multicast database:
show network
show network summary
show network multicast mgid summary
To display all the multicast groups and their corresponding multicast group identifications (MGIDs), use the show network multicast mgid summary command.
show network multicast mgid summary
This example shows how to display a summary of multicast groups and their MGIDs:
show network
show network summary
show network multicast mgid detail
To display the Network Mobility Services Protocol (NMSP) configuration settings, use the show nmsp notify-interval summary command.
This example shows how to display NMSP configuration settings:
clear locp statistics
clear nmsp statistics
config nmsp notify-interval measurement
show nmsp statistics
show nmsp status
To display Network Mobility Services Protocol (NMSP) counters, use the show nmsp statistics command.
show nmsp statistics { summary | connection all }
This example shows how to display a summary of common NMSP counters:
This example shows how to display all the connection-specific NMSP counters:
clear nmsp statistics
config nmsp notify-interval measurement
show nmsp notify-interval summary
show nmsp status
To display the status of active Network Mobility Services Protocol (NMSP) connections, use the show nmsp status command.
This example shows how to display the status of the active NMSP connections:
clear locp statistics
clear nmsp statistics
config nmsp notify-interval measurement
show nmsp notify-interval summary
show nmsp statistics
To display the Network Mobility Services Protocol (NMSP) services that are active on the controller, use the show nmsp subscription command.
show nmsp subscription { summary | detail ip_addr }
This example shows how to display a summary of all the NMSP services to which the controller is subscribed:
This example shows how to display details of all the NMSP services:
clear locp statistics
clear nmsp statistics
config nmsp notify-interval measurement
show nmsp notify-interval summary
show nmsp statistics
To display information about the pairwise master key (PMK) cache, use the show port command.
This example shows how to display information about a single entry in the PMK cache:
This example shows how to display information about all entries in the PMK cache:
To display the Cisco wireless LAN controller port settings on an individual or global basis, use the show port command.
This example shows how to display information about an individual wireless LAN controller port:
Note: Some WLAN controllers may not have multicast or Power over Ethernet (PoE) listed because they do not support those features.
This example shows how to display a summary of all ports:
Note: Some WLAN controllers may have only one port listed because they have only one physical port.
clear stats port
config ap port
config interface port
config network web-auth-port
Configure Port Commands
config spanningtree port mode
config spanningtree port pathcost
config spanningtree port priority
show stats port
To display how various processes in the system are using the CPU at that instant in time, use the show process commands.
Displays how various system tasks are using the CPU at that moment.
Displays the allocation and deallocation of memory from various processes in the system at that moment.
This command is helpful in understanding if any single task is monopolizing the CPU and preventing other tasks from being performed.
This example shows how to display various tasks in the system that are using the CPU at a given moment:
This example shows how to display the allocation and deallocation of memory from various processes at a given moment:
To display quality of service (QoS) information (queue length), use the show qos queue-length all command.
This example shows how to display QoS queue length information:
To display the RADIUS accounting server statistics for the Cisco wireless LAN controller, use the show radius acct statistics command.
This example shows how to display RADIUS accounting server statistics:
config radius acct
config radius acct IPsec authentication
config radius acct IPsec disable
config radius acct network
show radius auth statistics
show radius summary
To display the RADIUS authentication server statistics for the Cisco wireless LAN controller, use the show radius auth statistics command.
This example shows how to display RADIUS authentication server statistics:
config radius auth
config radius auth management
config radius auth network
show radius summary
To display the RADIUS rfc3576 server statistics for the Cisco wireless LAN controller, use the show radius rfc3576 statistics command.
show radius rfc3576 statistics
RFC 3576, an extension to the RADIUS protocol, allows dynamic changes to a user session, which includes support for disconnecting users and changing authorizations applicable to a user session; that is, it provides support for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages cause a user session to be terminated immediately. CoA messages modify session authorization attributes such as data filters.
This example shows how to display the RADIUS RFC-3576 server statistics:
config radius auth rfc3576
show radius auth statistics
show radius summary
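The Disconnect and CoA messages described under show radius rfc3576 statistics can be checked on receipt as in the following added example, which is not Cisco code or controller output. It validates an inbound RFC 3576 request using the packet codes, the Request Authenticator, and the Event-Timestamp replay window defined by the RFC; all function names, the shared secret, and the sample packet are constructed for illustration, and requiring Event-Timestamp is this example's policy.

```python
import hashlib
import hmac
import struct
import time

# RFC 3576 packet codes; only the two request types are accepted inbound.
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
REQUEST_CODES = {40, 43}
HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + authenticator(16)
EVENT_TIMESTAMP = 55   # RADIUS Event-Timestamp attribute, 4-octet UNIX time
REPLAY_WINDOW = 300    # seconds; the default window RFC 3576 recommends


def _authenticator(header4, attrs, secret):
    # Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header4 + b"\x00" * 16 + attrs + secret).digest()


def build_request(code, identifier, attributes, secret):
    """Encode a request packet; used here only to construct sample input."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    header4 = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header4 + _authenticator(header4, attrs, secret) + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def _reject(reason):
    return {"accepted": False, "reason": reason}


def inspect_request(packet, secret, now=None):
    """Validate a Disconnect-Request or CoA-Request before acting on it."""
    now = time.time() if now is None else now
    if len(packet) < HEADER_LEN:
        return _reject("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in REQUEST_CODES:
        return _reject("not a Disconnect-Request or CoA-Request")
    if length < HEADER_LEN or length > len(packet):
        return _reject("length field inconsistent with packet size")
    packet = packet[:length]  # octets past the Length field are padding
    expected = _authenticator(packet[:4], packet[HEADER_LEN:], secret)
    # Constant-time comparison so timing does not leak the expected digest.
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        return _reject("authenticator mismatch")
    try:
        attrs = parse_attributes(packet[HEADER_LEN:])
    except ValueError as exc:
        return _reject(str(exc))
    # Replay protection: a captured, validly signed request must not be
    # accepted again once it falls outside the time window.
    stamps = [v for t, v in attrs if t == EVENT_TIMESTAMP and len(v) == 4]
    if not stamps or abs(now - struct.unpack("!I", stamps[0])[0]) > REPLAY_WINDOW:
        return _reject("stale or missing Event-Timestamp")
    return {"accepted": True, "message": CODES[code],
            "identifier": identifier, "attributes": attrs}


# Constructed sample input: a Disconnect-Request for User-Name (type 1) "alice".
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_TIME = 1700000000
SAMPLE_PACKET = build_request(
    40, 7,
    [(1, b"alice"), (EVENT_TIMESTAMP, struct.pack("!I", SAMPLE_TIME))],
    SAMPLE_SECRET,
)

if __name__ == "__main__":
    print(inspect_request(SAMPLE_PACKET, SAMPLE_SECRET, now=SAMPLE_TIME + 5))
    print(inspect_request(SAMPLE_PACKET, b"wrong-secret", now=SAMPLE_TIME + 5))
    print(inspect_request(SAMPLE_PACKET, SAMPLE_SECRET, now=SAMPLE_TIME + 900))
```

A request is acted on only when the code, length, authenticator, and timestamp checks all pass, so a rising rejection count points to a shared-secret mismatch, clock drift, or unsolicited requests.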
To display the RADIUS authentication and accounting server summary, use the show radius summary command.
This example shows how to display a RADIUS authentication server summary:
Use the show rfid commands to display radio frequency ID settings.
To display the radio frequency identification (RFID) tags that are associated to the controller as clients, use the show rfid client command.
When the RFID tag is not in client mode, the above fields are blank.
This example shows how to display the RFID tag that is associated to the controller as clients:
config rfid status
config rfid timeout
show rfid config
show rfid detail
show rfid summary
To display the current radio frequency identification (RFID) configuration settings, use the show rfid config command.
This example shows how to display the current RFID configuration settings:
config rfid status
config rfid timeout
show rfid client
show rfid detail
show rfid summary
To display detailed radio frequency identification (RFID) information for a specified tag, use the show rfid detail command.
This example shows how to display detailed RFID information:
config rfid status
config rfid timeout
show rfid config
show rfid client
show rfid summary
To display a summary of the radio frequency identification (RFID) information for a specified tag, use the show rfid summary command.
This example shows how to display a summary of RFID information:
config rfid status
config rfid timeout
show rfid client
show rfid config
show rfid detail
Use the show rogue commands to display unverified (rogue) device settings.
To display details of an ad-hoc rogue access point detected by the Cisco wireless LAN controller, use the show rogue adhoc client detailed command.
This example shows how to display detailed ad-hoc rogue MAC address information:
config rogue adhoc
config rogue rule
show rogue adhoc summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To display a summary of the ad-hoc rogue access points detected by the Cisco wireless LAN controller, use the show rogue adhoc summary command.
This example shows how to display a summary of all ad-hoc rogues:
config rogue adhoc
config rogue rule
show rogue adhoc detailed
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To display details of rogue access point clients detected by the Cisco wireless LAN controller, use the show rogue ap clients command.
show rogue ap clients ap_mac_address
This example shows how to display details of rogue access point clients:
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
To display details of a rogue access point detected by the Cisco wireless LAN controller, use the show rogue ap detailed command.
show rogue ap detailed ap_mac_address
This example shows how to display detailed information of a rogue access point:
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
show rogue ap clients
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
To display a summary of the rogue access points detected by the Cisco wireless LAN controller, use the show rogue ap summary command.
This example shows how to display a summary of all rogue access points:
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
show rogue ap clients
show rogue ap detailed
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
To display a list of the friendly rogue access points detected by the controller, use the show rogue ap friendly summary command.
show rogue ap friendly summary
This example shows how to display a summary of all friendly rogue access points:
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap malicious summary
show rogue ap unclassified summary
To display a list of the malicious rogue access points detected by the controller, use the show rogue ap malicious summary command.
show rogue ap malicious summary
This example shows how to display a summary of all malicious rogue access points:
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap unclassified summary
To display a list of the unclassified rogue access points detected by the controller, use the show rogue ap unclassified summary command.
show rogue ap unclassified summary
This example shows how to display a list of all unclassified rogue access points:
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
To display details of a rogue client detected by a Cisco wireless LAN controller, use the show rogue client detailed command.
show rogue client detailed MAC
This example shows how to display detailed information for a rogue client:
show rogue client summary
show rogue ignore-list
config rogue client
config rogue rule
To display a summary of the rogue clients detected by the Cisco wireless LAN controller, use the show rogue client summary command.
This example shows how to display a list of all rogue clients:
show rogue client detailed
show rogue ignore-list
config rogue client
config rogue rule
To display a list of rogue access points that are configured to be ignored, use the show rogue ignore-list command.
This example shows how to display a list of all rogue access points that are configured to be ignored:
config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To display detailed information for a specific rogue classification rule, use the show rogue rule detailed command.
show rogue rule detailed rule_name
This example shows how to display detailed information on a specific rogue classification rule:
config rogue rule
show rogue ignore-list
show rogue rule summary
To display the rogue classification rules that are configured on the controller, use the show rogue rule summary command.
This example shows how to display a list of all rogue rules that are configured on the controller:
config rogue rule
show rogue ignore-list
show rogue rule detailed
To display the routes assigned to the Cisco wireless LAN controller service port, use the show route summary command.
This example shows how to display all the configured routes:
To display the active internal firewall rules, use the show rules command.
This example shows how to display active internal firewall rules:
To display a comprehensive view of the current Cisco wireless LAN controller configuration, use the show run-config command.
show run-config [ no ap | commands ]
(Optional) Displays a list of user-configured commands on the controller.
These commands have replaced the show running-config command.
Some WLAN controllers may have no Crypto Accelerator (VPN termination module) or power supplies listed because they have no provisions for VPN termination modules or power supplies.
The show run-config command shows only values configured by the user. It does not show system-configured default values.
This example shows how to display the current controller running configuration:
To display the serial (console) port configuration, use the show serial command.
This example shows how to display EIA-232 parameters and the serial port inactivity timeout:
To display the console port login timeout and maximum number of simultaneous command-line interface (CLI) sessions, use the show sessions command.
This example shows how to display the CLI session configuration setting:
The response indicates that the CLI sessions never time out and that the Cisco wireless LAN controller can host up to five simultaneous CLI sessions.
To display Simple Network Management Protocol (SNMP) community entries, use the show snmpcommunity command.
This example shows how to display SNMP community entries:
config snmp community accessmode
config snmp community create
config snmp community delete
config snmp community ipaddr
config snmp community mode
config snmp syscontact
To display Cisco wireless LAN controller Simple Network Management Protocol (SNMP) trap receivers and their status, use the show snmptrap command.
This example shows how to display SNMP trap receivers and their status:
config snmp trapreceiver create
config snmp trapreceiver delete
To display Simple Network Management Protocol (SNMP) version 3 configuration, use the show snmpv3user command.
This example shows how to display SNMP version 3 configuration information:
To display which versions of Simple Network Management Protocol (SNMP) are enabled or disabled on your controller, use the show snmpversion command.
This example shows how to display the SNMP v1/v2/v3 status:
To display the Cisco wireless LAN controller spanning tree port configuration, use the show spanningtree port command.
When a Cisco 4400 Series wireless LAN controller is configured for port redundancy, the Spanning Tree Protocol (STP) must be disabled for all ports on the Cisco 4400 Series Wireless LAN Controller. STP can remain enabled on the switch connected to the Cisco 4400 Series Wireless LAN Controller.
Note Some WLAN controllers do not support the spanning tree function.
This example shows how to display spanning tree values on a per port basis:
config spanningtree port mode
config spanningtree port pathcost
config spanningtree port priority
show spanningtree switch
To display the Cisco wireless LAN controller network (DS port) spanning tree configuration, use the show spanningtree switch command.
Some WLAN controllers do not support the spanning tree function.
This example shows how to display spanning tree values on a per switch basis:
config spanningtree switch bridgepriority
config spanningtree switch forwarddelay
config spanningtree switch hellotime
config spanningtree switch maxage
config spanningtree switch mode
To display physical port receive and transmit statistics, use the show stats port command.
show stats port { detailed port | summary port }
This example shows how to display the port summary information:
This example shows how to display the detailed port information:
config port adminmode
config port autoneg
config port linktrap
config port power
To display the network (DS port) receive and transmit statistics, use the show stats switch command.
show stats switch { detailed | summary }
This example shows how to display switch summary statistics:
This example shows how to display detailed switch statistics:
config switchconfig mode
config switchconfig secret-obfuscation
show switchconfig
To display parameters that apply to the Cisco wireless LAN controller, use the show switchconfig command.
This example shows how to display parameters that apply to the Cisco wireless LAN controller:
config switchconfig mode
config switchconfig secret-obfuscation
show stats switch
To display high-level Cisco wireless LAN controller information, use the show sysinfo command.
This example shows how to display wireless LAN controller information:
Use the show tacacs commands to display Terminal Access Controller Access Control System (TACACS) protocol settings and statistics.
To display detailed radio frequency identification (RFID) information for a specified tag, use this command:
This example shows how to display detailed RFID information:
config tacacs acct
config tacacs athr
config tacacs auth
show tacacs summary
To display TACACS+ server authorization statistics, use the show tacacs athr statistics command.
This example shows how to display TACACS server authorization statistics:
config tacacs acct
config tacacs athr
config tacacs auth
show tacacs summary
show tacacs auth statistics
To display TACACS+ server authentication statistics, use the show tacacs auth statistics command.
This example shows how to display TACACS server authentication statistics:
config tacacs acct
config tacacs athr
config tacacs auth
show tacacs summary
To display TACACS+ server summary information, use the show tacacs summary command.
This example shows how to display TACACS server summary information:
config tacacs acct
config tacacs athr
config tacacs auth
show tacacs summary
show tacacs athr statistics
show tacacs auth statistics
To display Cisco wireless LAN controller variables frequently requested by Cisco Technical Assistance Center (TAC), use the show tech-support command.
This example shows how to display system resource information:
To display the Cisco wireless LAN controller time and date, use the show time command.
This example shows how to display the controller time and date:
config time manual
config time ntp
config time timezone
config time timezone location
To display the Cisco wireless LAN controller Simple Network Management Protocol (SNMP) trap flags, use the show trapflags command.
This example shows how to display controller SNMP trap flags:
config trapflags 802.11-Security
config trapflags aaa
config trapflags ap
config trapflags authentication
config trapflags client
config trapflags configsave
config trapflags IPsec
config trapflags linkmode
To display the Cisco wireless LAN controller Simple Network Management Protocol (SNMP) trap log, use the show traplog command.
This example shows how to display controller SNMP trap log settings:
To display the access point’s software information, use the show version command.
You can only use this command from the access point console port when not connected to a controller.
This example shows how to display the access point version number:
To display the client watchlist, use the show watchlist command.
This example shows how to display the client watchlist information:
config watchlist add
config watchlist delete
config watchlist disable
config watchlist enable
To display configuration information for a specified wireless LAN or a foreign access point, or to display wireless LAN summary information, use the show wlan command.
show wlan { apgroups | summary | wlan_id | foreignAp }
(Optional) Displays the configuration for support of foreign access points.
This example shows how to display a summary of wireless LANs for wlan_id 1:
This example shows how to display a summary of all WLANs:
This example shows how to display the configuration for support of foreign access points:
config wlan
config wlan 7920-support
config wlan acl
config wlan interface
show wlan
Use the show wps commands to display Wireless Protection System (WPS) settings.
To display the access point neighbor authentication configuration on the controller, use the show wps ap-authentication summary command.
show wps ap-authentication summary
This example shows how to display a summary of the Wireless Protection System (WPS) access point neighbor authentication:
To display Intrusion Detection System (IDS) sensor summary information or detailed information on a specified Wireless Protection System (WPS) IDS sensor, use the show wps cids-sensor command.
show wps cids-sensor { summary | detail index }
This example shows how to display all settings for the selected sensor:
To display Management Frame Protection (MFP) information, use the show wps mfp command.
show wps mfp { summary | statistics }
This example shows how to display a summary of the MFP configuration and status:
This example shows how to display the MFP statistics:
To display the Intrusion Detection System (IDS) sensor shun list, use the show wps shun-list command.
This example shows how to display the IDS system sensor shun list:
To display installed signatures, use the show wps signature detail command.
show wps signature detail sig-id
This example shows how to display information on the attacks detected by standard signature 1:
config wps signature
config wps signature frequency
config wps signature interval
config wps signature mac-frequency
config wps signature quiet-time
config wps signature reset
show wps signature summary
show wps summary
To display more information about the attacks detected by a particular standard or custom signature, use the show wps signature events command.
show wps signature events { summary | { standard | custom } precedenceID { summary | detailed } }
Displays Standard Intrusion Detection System (IDS) signature settings.
This example shows how to display the number of attacks detected by all enabled signatures:
This example shows how to display a summary of information on the attacks detected by standard signature 1:
config wps signature
config wps signature frequency
config wps signature interval
config wps signature mac-frequency
config wps signature quiet-time
config wps signature reset
show wps signature summary
show wps summary
To see individual summaries of all of the standard and custom signatures installed on the controller, use the show wps signature summary command.
This example shows how to display a summary of all of the standard and custom signatures:
config wps signature
config wps signature frequency
config wps signature interval
config wps signature mac-frequency
config wps signature quiet-time
config wps signature reset
show wps signature events
show wps summary
To display Wireless Protection System (WPS) summary information, use the show wps summary command.
This example shows how to display WPS summary information:
config wps signature
config wps signature frequency
config wps signature interval
config wps signature mac-frequency
config wps signature quiet-time
config wps signature reset
show wps signature events
show wps signature summary
To display the current state of the Cisco Wireless Intrusion Prevention System (wIPS) operation on the controller, use the show wps wips summary command.
This example shows how to display the statistics of the wIPS operation:
config 802.11 enable
config ap mode
config ap monitor-mode
show ap config
show ap monitor-mode summary
show wps wips summary
To display the adaptive Cisco Wireless Intrusion Prevention System (wIPS) configuration that the Wireless Control System (WCS) forwards to the controller, use the show wps wips summary command.
This example shows how to display a summary of the wIPS configuration:
config 802.11 enable
config ap mode
config ap monitor-mode
show ap config
show ap monitor-mode summary
show wps wips statistics
Use the config commands to configure Cisco wireless LAN (WLAN) controller options and settings.
Use the config 802.11 commands to configure settings and devices on 802.11a, 802.11b/g, 802.11h, or other supported 802.11 networks.
Use the config 802.11-a commands to configure settings specifically for 4.9-GHz or 5.8-GHz public safety frequencies.
To enable or disable the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a commands.
config { 802.11-a49 | 802.11-a58 }{ enable | disable } cisco_ap
Enables the use of this frequency on the designated access point.
Disables the use of this frequency on the designated access point.
This example shows how to enable the 4.9-GHz public safety channel on ap_24 access point:
config 802.11-a antenna extAntGain
config 802.11-a channel ap
config 802.11-a txpower ap
show mesh public-safety
To configure the external antenna gain for the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a antenna extAntGain commands.
config { 802.11-a49 | 802.11-a58 } antenna extAntGain ant_gain cisco_ap { global | channel_no }
Before you enter the config 802.11-a antenna extAntGain command, disable the 802.11 Cisco radio with the config 802.11-a disable command.
After you configure the external antenna gain, use the config 802.11-a enable command to re-enable the 802.11 Cisco radio.
This example shows how to configure an 802.11-a49 external antenna gain of 10 dBi for AP1:
config 802.11-a
config 802.11-a channel ap
config 802.11-a txpower ap
Show 802.11 Commands
To configure the channel properties for the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a channel ap command.
config { 802.11-a49 | 802.11-a58 } channel ap cisco_ap { global | channel_no }
This example shows how to set the channel properties:
config 802.11-a
config 802.11-a antenna extAntGain
config 802.11-a channel ap
config 802.11-a txpower ap
To configure the transmission power properties for the 4.9-GHz and 5.8-GHz public safety channels on an access point, use the config 802.11-a txpower ap command.
config { 802.11-a49 | 802.11-a58 } txpower ap cisco_ap { global | power_level }
Transmission power value to the designated mesh access point. Valid values are 1 through 5, inclusive.
This example shows how to configure an 802.11-a49 transmission power level of 4 for AP1:
config 802.11-a
config 802.11-a antenna extAntGain
config 802.11-a channel ap
Show 802.11 Commands
Use the config 802.11b commands to configure settings specifically for an 802.11b/g network.
To enable or disable the Cisco wireless LAN solution 802.11g network, use the config 802.11b 11gSupport command.
config 802.11b 11gSupport { enable | disable }
Before you enter the config 802.11b 11gSupport { enable | disable } command, disable the 802.11 Cisco radio with the config 802.11 disable command.
After you configure the support for the 802.11g network, use the config 802.11 enable command to enable the 802.11 radio.
Note To disable an 802.11a, 802.11b and/or 802.11g network for an individual wireless LAN, use the config wlan radio command.
This example shows how to enable the 802.11g network:
show sysinfo
show 802.11b
config 802.11b enable
config wlan radio
config 802.11b disable
config 802.11a disable
config 802.11a enable
To change the 802.11b preamble as defined in subclause 18.2.2.2 to long (slower, but more reliable) or short (faster, but less reliable), use the config 802.11b preamble command.
config 802.11b preamble { long | short }
Note You must reboot the Cisco wireless LAN controller (reset system) with save to implement this command.
This parameter must be set to long to optimize this Cisco wireless LAN controller for some clients, including SpectraLink NetLink telephones.
This command can be used any time that the CLI interface is active.
This example shows how to change the 802.11b preamble to short:
Use the config 802.11h commands to configure settings specifically for an 802.11h network.
To configure an 802.11h channel switch announcement, use the config 802.11h channelswitch command.
config 802.11h channelswitch { enable mode value | disable }
This example shows how to disable the 802.11h switch announcement:
To configure the 802.11h power constraint value, use the config 802.11h powerconstraint command.
config 802.11h powerconstraint value
This example shows how to configure the 802.11h power constraint to 5:
To configure a new channel using 802.11h channel announcement, use the config 802.11h setchannel command.
config 802.11h setchannel cisco_ap
This example shows how to configure a new channel using the 802.11h channel:
Use the config 802.11 11nsupport commands to configure settings for an 802.11n network.
To enable 802.11n support on the network, use the config 802.11 11nsupport command.
config 802.11 { a | b } 11nsupport { enable | disable }
This example shows how to enable the 802.11n support on an 802.11a network:
config 802.11 11nsupport mcs tx
config 802.11 11nsupport a-mpdu tx priority
config 802.11a disable network
config 802.11a disable
config 802.11a channel ap
config 802.11a txpower ap
config 802.11a chan_width
To specify the aggregation method used for 802.11n packets, use the config 802.11 11nsupport a-mpdu tx priority command.
config 802.11 { a | b } 11nsupport a-mpdu tx priority { 0 - 7 | all } { enable | disable }
All priorities, except 5 and 6, are enabled by default. Priorities 5 and 6 are disabled by default.
Aggregation is the process of grouping packet data frames together rather than transmitting them separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU). A-MPDU is performed in the software whereas A-MSDU is performed in the hardware.
Aggregated MAC Protocol Data Unit priority levels assigned per traffic type are as follows:
Note Configure the priority levels to match the aggregation method used by the clients.
This example shows how to configure all the priority levels at once so that the traffic associated with the priority level uses A-MSDU transmission:
config 802.11 11nsupport mcs tx
config 802.11a disable network
config 802.11a disable
config 802.11a channel ap
config 802.11a txpower ap
To configure an access point to use a specific antenna, use the config 802.11 11nsupport antenna command.
config 802.11 { a | b } 11nsupport antenna { tx | rx } cisco_ap { A | B | C } { enable | disable }
This example shows how to configure access point AP1 to use the antenna tx to transmit:
config 802.11 11nsupport mcs tx
config 802.11a disable network
config 802.11a disable
config 802.11a channel ap
config 802.11a txpower ap
config 802.11a chan_width
To specify the modulation and coding scheme (MCS) rates at which data can be transmitted between the access point and the client, use the config 802.11 11nsupport mcs tx command.
config 802.11 { a | b } 11nsupport mcs tx { 0 - 15 } { enable | disable }
Specifies the modulation and coding scheme data rates as follows:
This example shows how to specify MCS rates:
config 802.11 11nsupport
config wlan wmm required
config 802.11 11nsupport a-mpdu tx priority
config 802.11a disable network
config 802.11a disable
config 802.11a channel ap
config 802.11a txpower ap
config 802.11a chan_width
Use the config 802.11 antenna commands to configure radio antenna settings for Cisco lightweight access points on different 802.11 networks.
To configure the diversity option for 802.11 antennas, use the config 802.11 antenna diversity command.
config 802.11 { a | b } antenna diversity { enable | sideA | sideB } cisco_ap
This example shows how to enable antenna diversity for AP01 on an 802.11b network:
This example shows how to enable diversity for AP01 on an 802.11a network, using an external antenna connected to the Cisco lightweight access point left port (sideA):
config 802.11 disable
config 802.11 enable
config 802.11 antenna extAntGain
config 802.11 antenna mode
config 802.11 antenna selection
Show 802.11 Commands
To configure external antenna gain for an 802.11 network, use the config 802.11 antenna extAntGain command.
config 802.11 { a | b } antenna extAntGain antenna_gain cisco_ap
Before you enter the config 802.11 antenna extAntGain command, disable the 802.11 Cisco radio with the config 802.11 disable command.
After you configure the external antenna gain, use the config 802.11 enable command to enable the 802.11 Cisco radio.
This example shows how to configure an 802.11a external antenna gain of 0.5 dBm for AP1:
config 802.11 disable
config 802.11 enable
config 802.11 antenna diversity
config 802.11 antenna mode
config 802.11 antenna selection
Show 802.11 Commands
To configure the Cisco lightweight access point to use one internal antenna for an 802.11 sectorized 180-degree coverage pattern or both internal antennas for an 802.11 360-degree omnidirectional pattern, use the config 802.11 antenna mode command.
config 802.11 { a | b } antenna mode { omni | sectorA | sectorB } cisco_ap
This example shows how to configure access point AP01 antennas for a 360-degree omnidirectional pattern on an 802.11b network:
config 802.11 disable
config 802.11 enable
config 802.11 antenna diversity
config 802.11 antenna extAntGain
config 802.11 antenna selection
Show 802.11 Commands
To select the internal or external antenna for a Cisco lightweight access point on an 802.11 network, use the config 802.11 antenna selection command.
config 802.11 { a | b } antenna selection { internal | external } cisco_ap
This example shows how to configure access point AP02 on an 802.11b network to use the internal antenna:
config 802.11 disable
config 802.11 enable
config 802.11 antenna diversity
config 802.11 antenna extAntGain
config 802.11 antenna mode
config 802.11 antenna selection
Show 802.11 Commands
To change the beacon period globally for an 802.11a, 802.11b, or other supported 802.11 network, use the config 802.11 beaconperiod command.
config 802.11 { a | b } beaconperiod time_units
Note Disable the 802.11 network before using this command. See the “Usage Guidelines” section.
time_units: Beacon interval in time units (TU). One TU is 1024 microseconds.
In Cisco wireless LAN solution 802.11 networks, all Cisco lightweight access point wireless LANs broadcast a beacon at regular intervals. This beacon notifies clients that the 802.11a service is available and allows the clients to synchronize with the lightweight access point.
Before you change the beacon period, make sure that you have disabled the 802.11 network by using the config 802.11 disable command. After changing the beacon period, enable the 802.11 network by using the config 802.11 enable command.
This example shows how to configure an 802.11a network for a beacon period of 120 time units:
show 802.11a
config 802.11b beaconperiod
config 802.11a disable
config 802.11a enable
To enable or disable beamforming on the network or on individual radios, enter the config 802.11 beamforming command.
config 802.11{a | b} beamforming { global | ap ap_name } { enable | disable }
When you enable beamforming on the network, it is automatically enabled for all the radios applicable to that network type.
Follow these guidelines for using beamforming:
Note Beamforming is not supported for complementary-code keying (CCK) data rates (1, 2, 5.5, and 11 Mbps).
If the antenna configuration restricts operation to a single transmit antenna, or if OFDM rates are disabled, beamforming is not used.
This example shows how to enable beamforming on the 802.11a network:
show ap config {802.11a | 802.11b}
show 802.11a
config 802.11b beaconperiod
config 802.11a disable
config 802.11a enable
Use the config 802.11 cleanair commands to configure cleanair settings on different 802.11 networks.
To enable or disable cleanair for the 802.11a or 802.11b/g network, use the config 802.11 cleanair command.
config 802.11 cleanair {enable | disable} {network | cisco_ap}
This example shows how to enable the cleanair settings on access point ap_24:
To configure cleanair interference device types, use the config 802.11 cleanair device command.
config 802.11a cleanair device {enable | disable} device_type
This example shows how to enable the CleanAir reporting for the device type jammer:
This example shows how to disable the CleanAir reporting for the device type video:
This example shows how to enable the CleanAir interference device reporting:
To configure the triggering of the air quality alarms, use the config 802.11 cleanair alarm command.
config 802.11 cleanair alarm {air-quality {disable | enable | threshold threshold} | device {disable [device_type | all] | enable [device_type | all] | reporting [enable | disable]}}
This example shows how to enable the CleanAir alarm to monitor the air quality:
This example shows how to enable the CleanAir alarm for the device type video:
This example shows how to enable alarm reporting for the CleanAir interference devices:
Use the config 802.11 cac commands to configure Call Admission Control (CAC) protocol settings.
To enable or disable video Call Admission Control (CAC) for the 802.11a or 802.11b/g network, use the config 802.11 cac video acm command.
config 802.11 { a | b } cac video acm { enable | disable }
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
This example shows how to enable the video CAC for the 802.11a network:
This example shows how to disable the video CAC for the 802.11b network:
config 802.11 cac video max-bandwidth
config 802.11 cac video roam-bandwidth
config 802.11 cac video tspec-inactivity-timeout
To set the percentage of the maximum bandwidth allocated to clients for video applications on the 802.11a or 802.11b/g network, use the config 802.11 cac video max-bandwidth command.
config 802.11 { a | b } cac video max-bandwidth bandwidth
The maximum radio frequency (RF) bandwidth cannot exceed 85% for voice and video. Once the client reaches the value specified, the access point rejects new calls on this network.
Note If this parameter is set to zero (0), the controller assumes that you do not want to allocate any bandwidth and allows all bandwidth requests.
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
This example shows how to specify the percentage of the maximum allocated bandwidth for video applications on the selected radio band:
config 802.11 cac video acm
config 802.11 cac video roam-bandwidth
config 802.11 cac voice stream-size
config 802.11 cac voice roam-bandwidth
To configure the percentage of the maximum allocated bandwidth reserved for roaming video clients on the 802.11a or 802.11b/g network, use the config 802.11 cac video roam-bandwidth command.
config 802.11 { a | b } cac video roam-bandwidth bandwidth
The controller reserves the specified bandwidth from the maximum allocated bandwidth for roaming video clients.
Note If this parameter is set to zero (0), the controller assumes that you do not want to do any bandwidth allocation and, therefore, allows all bandwidth requests.
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
config 802.11 cac video acm
config 802.11 cac video max-bandwidth
config 802.11 cac video tspec-inactivity-timeout
To process or ignore the Wi-Fi Multimedia (WMM) traffic specifications (TSPEC) inactivity timeout received from an access point, use the config 802.11 cac video tspec-inactivity-timeout command.
config 802.11 { a | b } cac video tspec-inactivity-timeout { enable | ignore }
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
config 802.11 cac video acm
config 802.11 cac video max-bandwidth
config 802.11 cac video roam-bandwidth
To enable or disable bandwidth-based voice Call Admission Control (CAC) for the 802.11a or 802.11b/g network, use the config 802.11 cac voice acm command.
config 802.11 { a | b } cac voice acm { enable | disable }
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
This example shows how to enable the bandwidth-based CAC:
> config 802.11a cac voice acm enable
To set the percentage of the maximum bandwidth allocated to clients for voice applications on the 802.11a or 802.11b/g network, use the config 802.11 cac voice max-bandwidth command.
config 802.11 { a | b } cac voice max-bandwidth bandwidth
The maximum radio frequency (RF) bandwidth cannot exceed 85% for voice and video. Once the client reaches the value specified, the access point rejects new calls on this network.
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
config 802.11 cac voice acm
config 802.11 cac voice load-based
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice stream-size
config 802.11 cac voice tspec-inactivity-timeout
config 802.11 exp-bwreq
config 802.11 tsm
config wlan
save config
show wlan
show wlan summary
To configure the percentage of the maximum allocated bandwidth reserved for roaming voice clients on the 802.11a or 802.11b/g network, use the config 802.11 cac voice roam-bandwidth command.
config 802.11 { a | b } cac voice roam-bandwidth bandwidth
The maximum radio frequency (RF) bandwidth cannot exceed 85% for voice and video. The controller reserves the specified bandwidth from the maximum allocated bandwidth for roaming voice clients.
Note If this parameter is set to zero (0), the controller assumes you do not want to allocate any bandwidth and therefore allows all bandwidth requests.
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
This example shows how to configure the percentage of the maximum allocated bandwidth reserved for roaming voice clients on the selected radio band:
config 802.11 cac voice acm
config 802.11 cac voice max-bandwidth
config 802.11 cac voice stream-size
To process or ignore the Wi-Fi Multimedia (WMM) traffic specifications (TSPEC) inactivity timeout received from an access point, use the config 802.11 cac voice tspec-inactivity-timeout command.
config 802.11 { a | b } cac voice tspec-inactivity-timeout { enable | ignore }
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
config 802.11 cac voice acm
config 802.11 cac voice load-based
config 802.11 cac voice max-bandwidth
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice stream-size
To enable or disable load-based Call Admission Control (CAC) for the 802.11a or 802.11b/g network, use the config 802.11 cac voice load-based command.
config 802.11 { a | b } cac voice load-based { enable | disable }
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
config 802.11 cac voice acm
config 802.11 cac voice max-bandwidth
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice stream-size
config 802.11 cac voice tspec-inactivity-timeout
Note Do not use the config 802.11 cac voice max-calls command if the SIP call snooping feature is disabled and if the SIP based CAC requirements are not met.
To configure the maximum number of voice calls supported by the radio, use the config 802.11 cac voice max-calls command.
config 802.11 { a | b } cac voice max-calls number
0, which means that there is no maximum limit check for the number of calls.
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
config 802.11 cac voice acm
config 802.11 cac voice load-based
config 802.11 cac voice max-bandwidth
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice tspec-inactivity-timeout
config 802.11 exp-bwreq
Note SIP bandwidth and sample intervals are used to compute per call bandwidth in case of the SIP based CAC.
To configure the bandwidth that is required per call for the 802.11a or 802.11b/g network, use the config 802.11 cac voice sip bandwidth command.
config 802.11{a | b} cac voice sip bandwidth bw_kbps sample-interval number_msecs
number_msecs: Packetization sample interval in msecs. The sample interval for SIP codec is 20 seconds.
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
config 802.11 cac voice acm
config 802.11 cac voice load-based
config 802.11 cac voice max-bandwidth
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice tspec-inactivity-timeout
config 802.11 exp-bwreq
To configure the codec name and sample interval as parameters and to calculate the required bandwidth per call for the 802.11a or 802.11b/g network, use the config 802.11 cac voice sip codec command.
config 802.11 { a | b } cac voice sip codec {g711 | g729} sample-interval number_msecs
number_msecs: Packetization interval in msecs. The sample interval for SIP codec value is 20 seconds.
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
config 802.11 cac voice acm
config 802.11 cac voice load-based
config 802.11 cac voice max-bandwidth
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice tspec-inactivity-timeout
config 802.11 exp-bwreq
To configure the number of aggregated voice Wi-Fi Multimedia (WMM) traffic specification (TSPEC) streams at a specified data rate for the 802.11a or 802.11b/g network, use the config 802.11 cac voice stream-size command.
config 802.11 { a | b } cac voice stream-size stream_size number mean_datarate max-streams number
The default number of streams is 2 and the mean data rate of a stream is 84 kbps.
Call Admission Control (CAC) commands require that the WLAN you are planning to modify is configured for Wi-Fi Multimedia (WMM) protocol and the quality of service (QoS) level be set to Platinum.
Before you can configure CAC parameters on a network, you must complete the following prerequisites:
For complete instructions, see the “Configuring Voice and Video Parameters” section in the “Configuring Controller Settings” chapter of the Cisco wireless LAN controller Configuration Guide for your release.
config 802.11 cac voice acm
config 802.11 cac voice load-based
config 802.11 cac voice max-bandwidth
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice tspec-inactivity-timeout
config 802.11 exp-bwreq
To configure an 802.11 network or a single access point for automatic or manual channel selection, use the config 802.11 channel command.
config 802.11 { a | b } channel { global [ auto | once | off ]} | ap { ap_name [ global | channel ]}
When configuring 802.11 channels for a single lightweight access point, enter the config 802.11 disable command to disable the 802.11 network. Enter the config 802.11 channel command to set automatic channel selection by Radio Resource Management (RRM) or manually set the channel for the 802.11 radio, and enter the config 802.11 enable command to enable the 802.11 network.
Note See the Channels and Maximum Power Settings for Cisco Aironet Lightweight Access Points document for the channels supported by your access point. The power levels and available channels are defined by the country code setting and are regulated on a country-by-country basis.
This example shows how to have RRM automatically configure the 802.11a channels based on availability and interference:
This example shows how to configure the 802.11b channels one time based on the availability and interference:
This example shows how to turn 802.11a automatic channel configuration off:
This example shows how to configure the 802.11b channels in access point AP01 for automatic channel configuration:
This example shows how to configure the 802.11a channel 36 in access point AP01 as the default channel:
show 802.11a
config 802.11a disable
config 802.11a enable
config 802.11b channel
config country
To set the operating radio channel for an access point, use the config 802.11 channel ap command.
config 802.11 { a | b } channel ap cisco_ap { global | channel_no }
This example shows how to enable auto-RF for access point AP01 on an 802.11b network:
To configure the channel width for a particular access point, use the config 802.11 chan_width command.
config 802.11{ a | b } chan_width cisco_ap { 20 | 40 }
This parameter can be configured only if the primary channel is statically assigned.
Statically configuring an access point’s radio for 20- or 40-MHz mode overrides the globally configured DCA channel width setting (configured by using the config advanced 802.11 channel dca chan-width-11n command). If you change the static configuration back to global on the access point radio, the global DCA configuration overrides the channel width configuration that the access point was previously using.
config 802.11 11nsupport
config wlan wmm required
config 802.11 11nsupport a-mpdu tx priority
config 802.11a disable network
config 802.11a disable
config 802.11a channel ap
config 802.11b disable
config 802.11b channel ap
config 802.11a txpower ap
To disable radio transmission for an entire 802.11 network or for an individual Cisco radio, use the config 802.11 disable command.
config 802.11 { a | b } disable { network | cisco_ap }
The transmission is enabled for the entire network by default.
Note You must use this command to disable the network before using many config 802.11 commands.
This command can be used any time that the CLI interface is active.
This example shows how to disable the entire 802.11a network:
This example shows how to disable access point AP01 802.11b transmissions:
show sysinfo
show 802.11a
config 802.11a enable
config 802.11b disable
config 802.11b enable
config 802.11a beaconperiod
To enable or disable the Dynamic Transmit Power Control (DTPC) setting for an 802.11 network, use the config 802.11 dtpc command.
config 802.11 { a | b } dtpc { enable | disable }
This example shows how to disable DTPC for an 802.11a network:
show 802.11a
config 802.11a beaconperiod
config 802.11a disable
config 802.11a enable
To enable radio transmission for an entire 802.11 network or for an individual Cisco radio, use the config 802.11 enable command.
config 802.11 { a | b } enable { network | cisco_ap }
The transmission is enabled for the entire network by default.
Note Use this command in conjunction with the config 802.11 disable command when configuring 802.11 settings.
This command can be used any time that the CLI interface is active.
This example shows how to enable radio transmission for the entire 802.11a network:
This example shows how to enable radio transmission for AP1 on an 802.11b network:
show sysinfo
show 802.11a
config wlan radio
config 802.11a disable
config 802.11b disable
config 802.11b enable
config 802.11b 11gSupport enable
config 802.11b 11gSupport disable
To enable or disable the Cisco Client eXtension (CCX) version 5 expedited bandwidth request feature for an 802.11 radio, use the config 802.11 exp-bwreq command.
config 802.11 { a | b } exp-bwreq { enable | disable }
The expedited bandwidth request feature is disabled by default.
When this command is enabled, the controller configures all joining access points for this feature.
To configure the fragmentation threshold on an 802.11 network, use the config 802.11 fragmentation command.
config 802.11 { a | b } fragmentation threshold
Note This command can only be used when the network is disabled using the config 802.11 disable command.
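The disable, configure, enable sequence that this chapter requires for beaconperiod, fragmentation and antenna extAntGain can be checked before a change script is pasted into the controller. The following Python linter is an added example, not part of the Cisco documentation; the sample scripts and their values are constructed, and it assumes that the network and each individual radio are tracked as independent disable/enable targets.

```python
import re

# Subcommands that this chapter says must be entered while the 802.11
# network ("network" scope) or the Cisco radio ("radio" scope) is disabled.
GUARDED = {
    "beaconperiod": "network",
    "fragmentation": "network",
    "antenna extAntGain": "radio",   # last token is cisco_ap
}

# Accepts an optional "> " prompt, as in the one example kept on the page.
LINE_RE = re.compile(r"^(?:>\s*)?config 802\.11([ab]) (.+)$")


def lint_change_script(script):
    """Return [(line_no, message)] for ordering problems in a change script.

    line_no is 0 for findings about the state left at the end of the script.
    Lines that are not `config 802.11a|b ...` commands are ignored.
    """
    findings = []
    disabled = set()   # {(band, "network" | ap_name)}; default is enabled

    for no, raw in enumerate(script.splitlines(), start=1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        band, rest = m.group(1), m.group(2).strip()
        tokens = rest.split()

        # config 802.11 {a | b} disable|enable {network | cisco_ap}
        if tokens[0] in ("disable", "enable") and len(tokens) == 2:
            key = (band, tokens[1])
            if tokens[0] == "disable":
                disabled.add(key)
            else:
                disabled.discard(key)
            continue

        for prefix, scope in GUARDED.items():
            if not rest.startswith(prefix + " "):
                continue
            ok = (band, "network") in disabled
            if scope == "radio":
                # Assumption: disabling either the whole network or the
                # named access point's radio satisfies the requirement.
                ok = ok or (band, tokens[-1]) in disabled
            if not ok:
                findings.append(
                    (no, f"802.11{band} {prefix} entered while {scope} is enabled"))

    # Anything still disabled means the script ends with radios off the air.
    for band, target in sorted(disabled):
        findings.append(
            (0, f"802.11{band} {target} left disabled at end of script"))
    return findings


# Constructed sample scripts (values are illustrative only).
GOOD_SCRIPT = """\
config 802.11a disable network
config 802.11a beaconperiod 120
config 802.11a enable network
"""

BAD_SCRIPT = """\
config 802.11a beaconperiod 120
config 802.11b disable AP1
config 802.11b antenna extAntGain 1 AP1
config 802.11b fragmentation 2000
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(name, lint_change_script(text))
```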
To configure 802.11a or 802.11b/g Layer 2 client roaming parameters, use the config 802.11 l2roam rf-params command.
config 802.11 { a | b } l2roam rf-params {default | custom min_rssi roam_hyst scan_thresh trans_time}
For high-speed client roaming applications in outdoor mesh environments, we recommend that you set the trans_time to 1 second.
This example shows how to configure custom Layer 2 client roaming parameters on an 802.11a network:
To set mandatory and supported operational data rates for an 802.11 network, use the config 802.11 rate command.
config 802.11 { a | b } rate { disabled | mandatory | supported } rate
mandatory: Specifies that a client supports the data rate in order to use the network.
supported: Specifies to allow any associated client that supports the data rate to use the network.
The data rates set with this command are negotiated between the client and the Cisco wireless LAN controller. If the data rate is set to mandatory, the client must support it in order to use the network. If a data rate is set as supported by the Cisco wireless LAN controller, any associated client that also supports that rate may communicate with the Cisco lightweight access point using that rate. It is not required that a client is able to use all the rates marked supported in order to associate.
This example shows how to set the 802.11b transmission at a mandatory rate at 12 Mbps:
To enable or disable the video Traffic Stream Metric (TSM) option for the 802.11a or 802.11b/g network, use the config 802.11 tsm command.
config 802.11 { a | b } tsm { enable | disable }
To configure the transmit power level for all access points or a single access point in an 802.11 network, use the config 802.11 txPower command.
config 802.11 { a | b } txPower { global [ auto | once | power_level ]}
config 802.11 { a | b } txPower { ap ap_name [ global | power_level ]}
The command default (global, auto) is for automatic configuration by RRM.
The supported power levels depend on the specific access point used and the regulatory region. For example, the 1240 series access point supports eight levels and the 1200 series access point supports six levels. See the Channels and Maximum Power Settings for Cisco Aironet Lightweight Access Points document for the maximum transmit power limits for your access point. The power levels and available channels are defined by the country code setting and are regulated on a country-by-country basis.
This example shows how to automatically set the 802.11a radio transmit power level in all lightweight access points:
This example shows how to manually set the 802.11b radio transmit power to level 5 for all lightweight access points:
This example shows how to automatically set the 802.11b radio transmit power for access point AP1:
This example shows how to manually set the 802.11a radio transmit power to power level 2 for access point AP1:
show ap config 802.11a
config 802.11b txPower
config country
To configure the AAA authentication search order for management users, use the config aaa auth command.
config aaa auth mgmt [ aaa_server_type ]
You can enter two AAA server types as long as one of the server types is local. You cannot enter radius and tacacs together.
To configure the order of authentication when multiple databases are configured, use the config aaa auth mgmt command.
config aaa auth mgmt [radius | tacacs]
radius: (Optional) Configures the order of authentication for RADIUS servers.
tacacs: (Optional) Configures the order of authentication for TACACS servers.
To apply an access control list (ACL) to the data path, use the config acl apply command.
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
To see if packets are hitting any of the access control lists (ACLs) configured on your controller, use the config acl counter command.
config acl counter { start | stop }
ACL counters are available only on the following controllers: 4400 series, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch.
To create a new access control list (ACL), use the config acl create command.
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
To create a new access control list (ACL) rule that restricts the traffic reaching the CPU, use the config acl cpu command.
config acl cpu rule_name {wired | wireless | both}
This command allows you to control the type of packets reaching the CPU.
This example shows how to create an ACL named acl101 on the CPU and apply it to wired traffic:
To delete an access control list (ACL), use the config acl delete command.
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
This example shows how to delete an ACL named acl101 on the CPU:
To configure ACL rules, use the config acl rule command.
config acl rule
{action rule_name rule_index { permit | deny } |
add rule_name rule_index |
change index rule_name old_index new_index |
delete rule_name rule_index |
destination address rule_name rule_index ip_address netmask |
destination port range rule_name rule_index start_port end_port |
direction rule_name rule_index { in | out | any } |
dscp rule_name rule_index dscp |
protocol rule_name rule_index protocol |
source address rule_name rule_index ip_address netmask |
source port range rule_name rule_index start_port end_port |
swap index rule_name index_1 index_2 }
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
This example shows how to configure an ACL to permit access:
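The config acl rule subcommands listed above are entered one attribute at a time, so a single rule becomes several CLI lines. The following Python helper is an added example, not part of the Cisco documentation: it renders one rule into that sequence and rejects malformed addresses and port ranges first. The ordering (add before attributes) and the sample addresses and ports are assumptions; acl101 is the ACL name used elsewhere in this chapter.

```python
import ipaddress

ACTIONS = ("permit", "deny")
DIRECTIONS = ("in", "out", "any")
PREFIX = "config acl rule"


def _address(cidr):
    """Turn 'a.b.c.d/len' into the 'ip_address netmask' pair the CLI takes."""
    net = ipaddress.ip_network(cidr)      # raises ValueError if host bits set
    if net.version != 4:
        raise ValueError(f"IPv4 network expected, got {cidr}")
    return f"{net.network_address} {net.netmask}"


def _port_range(ports):
    """Validate (start_port, end_port) and format it for the CLI."""
    start, end = ports
    if not 0 <= start <= end <= 65535:
        raise ValueError(f"invalid port range {ports}")
    return f"{start} {end}"


def render_acl_rule(name, index, action, direction="any", protocol=None,
                    src=None, dst=None, src_ports=None, dst_ports=None):
    """Return the ordered `config acl rule` lines for one rule.

    Assumption: the rule is added first and its attributes are set
    afterwards; attributes that are None are not emitted at all.
    """
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {DIRECTIONS}")
    if index < 1:
        raise ValueError("rule_index must be a positive integer")

    lines = [
        f"{PREFIX} add {name} {index}",
        f"{PREFIX} action {name} {index} {action}",
        f"{PREFIX} direction {name} {index} {direction}",
    ]
    if protocol is not None:
        if not 0 <= protocol <= 255:      # IP protocol numbers are 8 bits
            raise ValueError(f"invalid IP protocol number {protocol}")
        lines.append(f"{PREFIX} protocol {name} {index} {protocol}")
    if src is not None:
        lines.append(f"{PREFIX} source address {name} {index} {_address(src)}")
    if src_ports is not None:
        lines.append(
            f"{PREFIX} source port range {name} {index} {_port_range(src_ports)}")
    if dst is not None:
        lines.append(
            f"{PREFIX} destination address {name} {index} {_address(dst)}")
    if dst_ports is not None:
        lines.append(
            f"{PREFIX} destination port range {name} {index} {_port_range(dst_ports)}")
    return lines


if __name__ == "__main__":
    # Constructed rule: permit inbound TCP (protocol 6) from a documentation
    # prefix to destination port 443.
    for line in render_acl_rule("acl101", 1, "permit", direction="in",
                                protocol=6, src="192.0.2.0/24",
                                dst_ports=(443, 443)):
        print(line)
```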
Use the config advanced 802.11 commands to configure advanced settings and devices on 802.11a, 802.11b/g, or other supported 802.11 networks.
To configure the Cisco unified wireless IP phone 7920 VSIE parameters, use the config advanced 802.11 7920VSIEConfig command.
config advanced 802.11 { a | b } 802.11b 7920VSIEConfig { call-admission-limit limit | G711-CU-Quantum quantum }
This example shows how to configure the call admission limit for 7920 VSIE parameters:
Use the config advanced 802.11 channel commands to configure Dynamic Channel Assignment (DCA) settings on supported 802.11 networks.
To add a channel to the 802.11 network's auto RF channel list, use the config advanced 802.11 channel add command.
config advanced 802.11 { a | b } channel {add | delete} channel_number
delete: Deletes a channel from the 802.11 network auto RF channel list.
channel_number: Channel number to add to the 802.11 network auto RF channel list.
This example shows how to add a channel to the 802.11a network auto RF channel list:
This example shows how to delete a channel from the 802.11a network auto RF channel list:
show advanced 802.11a channel
config advanced 802.11b channel update
To configure cleanair event driven Radio Resource Management (RRM) parameters for all 802.11 Cisco lightweight access points, use the config advanced 802.11 channel cleanair-event command.
config advanced 802.11 { a | b } channel cleanair-event {enable | disable | sensitivity [low | medium | high]}
This example shows how to enable the cleanair event-driven RRM parameters:
This example shows how to set the high sensitivity for cleanair event-driven RRM:
show advanced 802.11a channel
config advanced 802.11b channel update
To specify the time of day when the Dynamic Channel Assignment (DCA) algorithm is to start, use the config advanced 802.11 channel dca anchor-time command.
config advanced 802.11 { a | b } channel dca anchor-time value
value: Hour of the time between 0 and 23. These values represent the hour from 12:00 a.m. to 11:00 p.m.
This example shows how to configure the time of day when the dynamic channel assignment algorithm starts:
config advanced 802.11 channel dca interval
config advanced 802.11 channel dca sensitivity
show advanced 802.11 channel
To configure the Dynamic Channel Assignment (DCA) channel width for all 802.11n radios in the 5-GHz band, use the config advanced 802.11 channel dca chan-width-11n command.
config advanced 802.11 { a | b } channel dca chan-width-11n { 20 | 40 }
If you choose 40, be sure to set at least two adjacent channels in the config advanced 802.11 channel {add | delete} channel_number command (for example, a primary channel of 36 and an extension channel of 40). If you set only one channel, that channel is not used for 40-MHz channel width.
To override the globally configured DCA channel width setting, you can statically configure an access point’s radio for 20- or 40-MHz mode using the config 802.11 chan_width command. If you then change the static configuration to global on the access point radio, the global DCA configuration overrides the channel width configuration that the access point was previously using.
This example shows how to add a channel to the 802.11a network auto channel list:
config 802.11 chan_width
config advanced 802.11 channel dca interval
config advanced 802.11 channel dca sensitivity
show advanced 802.11 channel
To specify how often the Dynamic Channel Assignment (DCA) is allowed to run, use the config advanced 802.11 channel dca interval command.
config advanced 802.11 { a | b } channel dca interval value
Valid values are 0, 1, 2, 3, 4, 6, 8, 12, or 24 hours. 0 is 10 minutes (600 seconds).
If your controller supports only OfficeExtend access points, we recommend that you set the DCA interval to 6 hours for optimal performance. For deployments with a combination of OfficeExtend access points and local access points, the range of 10 minutes to 24 hours can be used.
This example shows how often the DCA algorithm is allowed to run:
config advanced 802.11 channel dca anchor-time
config advanced 802.11 channel dca sensitivity
show advanced 802.11 channel
To specify how sensitive the Dynamic Channel Assignment (DCA) algorithm is to environmental changes (for example, signal, load, noise, and interference) when determining whether or not to change channels, use the config advanced 802.11 channel dca sensitivity command.
config advanced 802.11 { a | b } channel dca sensitivity { low | medium | high }
The DCA sensitivity thresholds vary by radio band as shown in Table 2-3.
To aid in troubleshooting, the output of this command shows an error code for any failed calls. Table 2-1 explains the possible error codes for failed calls.
This example shows how to configure the value of DCA algorithm’s sensitivity to low:
config advanced 802.11 channel dca anchor-time
config advanced 802.11 channel dca interval
show advanced 802.11 channel
To have Radio Resource Management (RRM) consider or ignore foreign 802.11a interference avoidance in making channel selection updates for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel foreign command.
config advanced 802.11 { a | b } channel foreign { enable | disable }
Enables the foreign access point 802.11a interference avoidance in the channel assignment.
Disables the foreign access point 802.11a interference avoidance in the channel assignment.
This example shows how to have RRM consider foreign 802.11a interference when making channel selection updates for all 802.11a Cisco lightweight access points:
To have Radio Resource Management (RRM) consider or ignore the traffic load in making channel selection updates for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel load command.
config advanced 802.11 { a | b } channel load { enable | disable }
Enables the Cisco lightweight access point 802.11a load avoidance in the channel assignment.
Disables the Cisco lightweight access point 802.11a load avoidance in the channel assignment.
This example shows how to have RRM consider the traffic load when making channel selection updates for all 802.11a Cisco lightweight access points:
To have Radio Resource Management (RRM) consider or ignore non-802.11a noise in making channel selection updates for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel noise command.
config advanced 802.11 { a | b } channel noise { enable | disable }
Enables the non-802.11a noise avoidance in the channel assignment.
Disables the non-802.11a noise avoidance in the channel assignment.
This example shows how to have RRM consider non-802.11a noise when making channel selection updates for all 802.11a Cisco lightweight access points:
To enable or disable the controller to avoid checking the non-DFS channels, use the config advanced 802.11 channel outdoor-ap-dca command.
config advanced 802.11 { a | b } channel outdoor-ap-dca { enable | disable }
Enables 802.11 network dca list option for outdoor access point.
Disables 802.11 network dca list option for outdoor access point.
The config advanced 802.11 { a | b } channel outdoor-ap-dca { enable | disable } command is applicable only for deployments having outdoor access points such as 1522 and 1524.
This example shows how to enable the 802.11a dca list option for outdoor access point:
To have Radio Resource Management (RRM) initiate a channel selection update for all 802.11a Cisco lightweight access points, use the config advanced 802.11 channel update command.
config advanced 802.11 { a | b } channel update
show advanced 802.11a channel
config advanced 802.11b channel update
Use the config advanced 802.11 coverage commands to configure coverage hole detection settings on supported 802.11 networks.
To enable or disable coverage hole detection, use the config advanced 802.11 coverage command.
config advanced 802.11 { a | b } coverage { enable | disable }
If you enable coverage hole detection, the controller automatically determines, based on data that is received from the access points, whether any access points have clients that are potentially located in areas with poor coverage.
If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.
> config advanced 802.11a coverage enable
config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold
show advanced 802.11 coverage
To specify the percentage of clients on an access point that are experiencing a low signal level but cannot roam to another access point, use the config advanced 802.11 coverage exception global command.
config advanced 802.11 { a | b } coverage exception global percent
If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.
> config advanced 802.11a coverage exception global 50
config advanced 802.11 coverage
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold
show advanced 802.11 coverage
To specify the failure rate threshold for uplink data or voice packets, use the config advanced 802.11 coverage fail-rate command.
config advanced 802.11 { a | b } coverage { data | voice } fail-rate percent
Failure rate as a percentage. Valid values are from 1 to 100 percent.
If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.
This example shows how to configure the threshold count for minimum uplink failures for data packets:
> config advanced 802.11a coverage data fail-rate 80
config advanced 802.11 coverage
config advanced 802.11 coverage exception global
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold
show advanced 802.11 coverage
To specify the minimum number of clients on an access point with a received signal strength indication (RSSI) value at or below the data or voice RSSI threshold, use the config advanced 802.11 coverage level global command.
config advanced 802.11 { a | b } coverage level global clients
If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.
config advanced 802.11 coverage
config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage packet-count
config advanced 802.11 coverage rssi-threshold
show advanced 802.11 coverage
To specify the minimum failure count threshold for uplink data or voice packets, use the config advanced 802.11 coverage packet-count command.
config advanced 802.11 { a | b } coverage { data | voice } packet-count packets
Minimum number of packets. Valid values are from 1 to 255 packets.
If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.
> config advanced 802.11a coverage data packet-count 100
config advanced 802.11 coverage
config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage rssi-threshold
show advanced 802.11 coverage
To specify the minimum received signal strength indication (RSSI) value for packets that are received by an access point, use the config advanced 802.11 coverage rssi-threshold command.
config advanced 802.11 { a | b } coverage { data | voice } rssi-threshold rssi
The rssi value that you enter is used to identify coverage holes (or areas of poor coverage) within your network. If the access point receives a packet in the data or voice queue with an RSSI value that is below the value that you enter, a potential coverage hole has been detected.
The access point takes RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.
If both the number and percentage of failed packets exceed the values that you entered in the config advanced 802.11 coverage packet-count and config advanced 802.11 coverage fail-rate commands for a 5-second period, the client is considered to be in a pre-alarm condition. The controller uses this information to distinguish between real and false coverage holes and excludes clients with poor roaming logic. A coverage hole is detected if both the number and percentage of failed clients meet or exceed the values entered in the config advanced 802.11 coverage level global and config advanced 802.11 coverage exception global commands over a 90-second period. The controller determines whether the coverage hole can be corrected and, if appropriate, mitigates the coverage hole by increasing the transmit power level for that specific access point.
> config advanced 802.11a coverage data rssi-threshold -60
config advanced 802.11 coverage
config advanced 802.11 coverage exception global
config advanced 802.11 coverage fail-rate
config advanced 802.11 coverage level global
config advanced 802.11 coverage packet-count
show advanced 802.11 coverage
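The two-stage decision described in the coverage usage guidelines above can be modeled as follows. This is an added example, not Cisco code: counting a client as failed when any of its 5-second samples in the 90-second window is in pre-alarm is an assumption, and the sample counts and MAC addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class CoverageConfig:
    packet_count: int      # coverage {data | voice} packet-count (1 to 255 packets)
    fail_rate: int         # coverage {data | voice} fail-rate (1 to 100 percent)
    level_global: int      # coverage level global (clients)
    exception_global: int  # coverage exception global (percent)

    def __post_init__(self):
        # Ranges as documented on this page for packet-count and fail-rate.
        if not 1 <= self.packet_count <= 255:
            raise ValueError("packet-count must be from 1 to 255")
        if not 1 <= self.fail_rate <= 100:
            raise ValueError("fail-rate must be from 1 to 100")


def pre_alarm(failed, total, cfg):
    """One 5-second sample: count AND percentage must both *exceed* the thresholds."""
    if total <= 0:
        return False
    return failed > cfg.packet_count and 100.0 * failed / total > cfg.fail_rate


def evaluate_window(samples, cfg):
    """Evaluate one 90-second window for a single access point.

    samples maps a client MAC to a list of (failed_packets, total_packets)
    tuples, one tuple per 5-second sample.
    """
    # Assumption: a client is "failed" if any sample in the window is pre-alarm.
    failed_clients = sorted(
        mac for mac, client_samples in samples.items()
        if any(pre_alarm(f, t, cfg) for f, t in client_samples)
    )
    percent = 100.0 * len(failed_clients) / len(samples) if samples else 0.0
    # Stage two uses "meet or exceed", so both comparisons are inclusive.
    hole = (len(failed_clients) >= cfg.level_global
            and percent >= cfg.exception_global)
    return {"failed_clients": failed_clients,
            "percent": percent,
            "coverage_hole": hole}


# Constructed sample window for one access point.
WINDOW = {
    "00:00:5e:00:53:01": [(2, 50), (15, 50)],  # 15 > 10 and 30% > 20%: pre-alarm
    "00:00:5e:00:53:02": [(10, 40)],           # 10 does not exceed 10: no pre-alarm
    "00:00:5e:00:53:03": [(30, 60)],           # 30 > 10 and 50% > 20%: pre-alarm
    "00:00:5e:00:53:04": [(12, 100)],          # 12% does not exceed 20%: no pre-alarm
}

if __name__ == "__main__":
    for level in (3, 2):
        cfg = CoverageConfig(packet_count=10, fail_rate=20,
                             level_global=level, exception_global=25)
        print(level, evaluate_window(WINDOW, cfg))
```
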
To enable a specific enhanced distributed channel access (EDCA) profile on the 802.11a network, use the config advanced 802.11 edca-parameters command.
config advanced 802.11 { a | b } edca-parameters {wmm-default | svp-voice | optimized-voice | optimized-video-voice}
This example shows how to enable Spectralink voice priority parameters:
To reset 802.11a advanced settings back to the factory defaults, use the config advanced 802.11 factory command.
config advanced 802.11 { a | b } factory
This example shows how to return all the 802.11a advanced settings to their factory defaults:
To set the 802.11a automatic RF group selection mode on or off, use the config advanced 802.11 group-mode command.
config advanced 802.11 { a | b } group-mode { auto | off }
Sets the 802.11a RF group selection to automatic update mode.
This example shows how to turn the 802.11a automatic RF group selection mode on:
This example shows how to turn the 802.11a automatic RF group selection mode off:
Use the config advanced 802.11 logging commands to configure report log settings on supported 802.11 networks.
To turn the channel change logging mode on or off, use the config advanced 802.11 logging channel command.
config advanced 802.11 { a | b } logging channel { on | off }
This example shows how to turn the 802.11a logging channel selection mode on:
To turn the coverage profile logging mode on or off, use the config advanced 802.11 logging coverage command.
config advanced 802.11 { a | b } logging coverage { on | off }
This example shows how to turn the 802.11a coverage profile violation logging selection mode on:
To turn the foreign interference profile logging mode on or off, use the config advanced 802.11 logging foreign command.
config advanced 802.11 { a | b } logging foreign { on | off }
Enables the 802.11 foreign interference profile violation logging.
Disables the 802.11 foreign interference profile violation logging.
This example shows how to turn the 802.11a foreign interference profile violation logging selection mode on:
To turn the 802.11a load profile logging mode on or off, use the config advanced 802.11 logging load command.
config advanced 802.11 { a | b } logging load { on | off }
This example shows how to turn the 802.11a load profile logging mode on:
To turn the 802.11a noise profile logging mode on or off, use the config advanced 802.11 logging noise command.
config advanced 802.11 { a | b } logging noise { on | off }
This example shows how to turn the 802.11a noise profile logging mode on:
To turn the 802.11a performance profile logging mode on or off, use the config advanced 802.11 logging performance command.
config advanced 802.11 { a | b } logging performance { on | off }
This example shows how to turn the 802.11a performance profile logging mode on:
To turn the 802.11a transmit power change logging mode on or off, use the config advanced 802.11 logging txpower command.
config advanced 802.11 { a | b } logging txpower { on | off }
This example shows how to turn the 802.11a transmit power change mode on:
Use the config advanced 802.11 monitor commands to configure monitor settings on supported 802.11 networks.
To set the 802.11a noise, interference, and rogue monitoring channel list, use the config advanced 802.11 monitor channel-list command.
config advanced 802.11 { a | b } monitor channel-list { all | country | dca }
Monitors the channels used by the automatic channel assignment.
This example shows how to monitor the channels used in the configured country:
To set the coverage measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor coverage command.
config advanced 802.11 { a | b } monitor coverage seconds
This example shows how to set the coverage measurement interval to 60 seconds:
To set the load measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor load command.
config advanced 802.11 { a | b } monitor load seconds
This example shows how to set the load measurement interval to 60 seconds:
To enable or disable 802.11a access point monitoring, use the config advanced 802.11 monitor mode command.
config advanced 802.11 { a | b } monitor mode { enable | disable }
This example shows how to enable the 802.11a access point monitoring:
To set the 802.11a noise measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor noise command.
config advanced 802.11 { a | b } monitor noise seconds
This example shows how to set the noise measurement interval to 120 seconds:
To set the signal measurement interval between 60 and 3600 seconds, use the config advanced 802.11 monitor signal command.
config advanced 802.11 { a | b } monitor signal seconds
This example shows how to set the signal measurement interval to 120 seconds:
show advanced 802.11a monitor
config advanced 802.11b monitor signal
Use the config advanced 802.11 profile commands to configure Cisco lightweight access point profile settings on supported 802.11 networks.
To set the Cisco lightweight access point clients threshold between 1 and 75 clients, use the config advanced 802.11 profile clients command.
config advanced 802.11 { a | b } profile clients { global | cisco_ap } clients
802.11a Cisco lightweight access point client threshold between 1 and 75 clients.
This example shows how to set all Cisco lightweight access point clients thresholds to 25 clients:
This example shows how to set the AP1 clients threshold to 75 clients:
To turn customizing on or off for an 802.11a Cisco lightweight access point performance profile, use the config advanced 802.11 profile customize command.
config advanced 802.11 { a | b } profile customize cisco_ap { on | off }
Customizes performance profiles for this Cisco lightweight access point.
Uses global default performance profiles for this Cisco lightweight access point.
This example shows how to turn performance profile customization on for 802.11a Cisco lightweight access point AP1:
To set the foreign 802.11a transmitter interference threshold between 0 and 100 percent, use the config advanced 802.11 profile foreign command.
config advanced 802.11 { a | b } profile foreign { global | cisco_ap } percent
Foreign 802.11a interference threshold between 0 and 100 percent.
This example shows how to set the foreign 802.11a transmitter interference threshold for all Cisco lightweight access points to 50 percent:
This example shows how to set the foreign 802.11a transmitter interference threshold for AP1 to 0 percent:
To set the 802.11a foreign noise threshold between –127 and 0 dBm, use the config advanced 802.11 profile noise command.
config advanced 802.11 { a | b } profile noise { global | cisco_ap } dBm
Configures all 802.11a Cisco lightweight access point specific profiles.
This example shows how to set the 802.11a foreign noise threshold for all Cisco lightweight access points to –127 dBm:
This example shows how to set the 802.11a foreign noise threshold for AP1 to 0 dBm:
To set the Cisco lightweight access point data-rate throughput threshold between 1000 and 10000000 bytes per second, use the config advanced 802.11 profile throughput command.
config advanced 802.11 { a | b } profile throughput { global | cisco_ap } value
Configures all 802.11a Cisco lightweight access point specific profiles.
802.11a Cisco lightweight access point throughput threshold between 1000 and 10000000 bytes per second.
This example shows how to set all Cisco lightweight access point data-rate thresholds to 1000 bytes per second:
This example shows how to set the AP1 data-rate threshold to 10000000 bytes per second:
To set the RF utilization threshold between 0 and 100 percent, use the config advanced 802.11 profile utilization command. The operating system generates a trap when this threshold is exceeded.
config advanced 802.11 { a | b } profile utilization { global | cisco_ap } percent
Configures a global Cisco lightweight access point specific profile.
This example shows how to set the RF utilization threshold for all Cisco lightweight access points to 0 percent:
This example shows how to set the RF utilization threshold for AP1 to 100 percent:
To set the advanced receiver configuration settings, use the config advanced 802.11 receiver command.
config advanced 802.11 { a | b } receiver default
config advanced 802.11 { a | b } receiver rxstart jumpThreshold value
This example shows how to prevent changes to receiver parameters while the network is enabled:
To initiate updates of the 802.11a transmit power for every Cisco lightweight access point, use the config advanced 802.11 txpower-update command.
config advanced 802.11 { a | b } txpower-update
This example shows how to initiate updates of 802.11a transmit power for an 802.11a access point:
To configure a primary backup controller for a specific controller, use the config advanced backup-controller primary command.
config advanced backup-controller primary backup_controller_name backup_controller_ip_address
To delete a primary backup controller entry, enter 0.0.0.0 for the controller IP address.
This example shows how to configure the primary backup controller:
To configure a secondary backup controller for a specific controller, use the config advanced backup-controller secondary command.
config advanced backup-controller secondary backup_controller_name backup_controller_ip_address
To delete a secondary backup controller entry, enter 0.0.0.0 for the controller IP address.
This example shows how to configure a secondary backup controller:
To set the client handoff to occur after a selected number of 802.11 data packet excessive retries, use the config advanced client-handoff command.
config advanced client-handoff num_of_retries
Number of excessive retries before client handoff (from 0 to 255).
This command is supported only for the 1000/1510 series access points.
This example shows how to set the client handoff to 100 excessive retries:
To enable or disable over-the-air frame padding, use the config advanced dot11-padding command.
config advanced dot11-padding { enable | disable }
This example shows how to enable over-the-air frame padding:
debug dot11
debug dot11 mgmt interface
debug dot11 mgmt msg
debug dot11 mgmt ssid
debug dot11 mgmt state-machine
debug dot11 mgmt station
show advanced dot11-padding
To configure the rate at which access point radios send association and authentication requests to the controller, use the config advanced assoc-limit command.
config advanced assoc-limit { enable [ number of associations per interval | interval in milliseconds ] | disable}
(Optional) Number of association requests per access point slot in a given interval. The valid range is 1 to 100.
(Optional) Association request limit interval. The valid range is 100 to 10000.
When 200 or more wireless clients try to associate to a controller at the same time, the clients no longer become stuck in the DHCP_REQD state when you use the config advanced assoc-limit command to limit association requests from access points.
This example shows how to configure the number of association requests per access point slot in a given interval of 20 with the association request limit interval of 250:
To configure advanced extensible authentication protocol (EAP) settings, use the config advanced eap command.
config advanced eap [eapol-key-timeout timeout | eapol-key-retries retries | identity-request-timeout timeout | identity-request-retries retries | key-index index | max-login-ignore-identity-response {enable | disable} | request-timeout timeout | request-retries retries]
This example shows how to configure the key index used for dynamic wired equivalent privacy (WEP):
To enable or disable switch control path rate limiting, use the config advanced rate command.
config advanced rate [ enable | disable ]
This example shows how to enable switch control path rate limiting:
To enable or disable the Cisco wireless LAN controller port statistics collection, use the config advanced statistics command.
config advanced statistics { enable | disable }
This example shows how to disable the switch port statistics collection settings:
To enable or disable the filtering of probe requests forwarded from an access point to the controller, use the config advanced probe filter command.
config advanced probe filter { enable | disable }
This example shows how to enable the filtering of probe requests forwarded from an access point to the controller:
config advanced probe limit
config radius acct IPsec authentication
show advanced probe
show radius acct statistics
To limit the number of probes sent to the WLAN controller per access point per client in a given interval, use the config advanced probe limit command.
config advanced probe limit num_probes interval
Number of probe requests (from 1 to 100) forwarded to the controller per client per access point radio in a given interval.
The default num_probes is 2 probe requests.
The default interval is 500 milliseconds.
This example shows how to set the number of probes per access point per client to 5 and the probe interval to 800 milliseconds:
config advanced probe filter
config radius acct IPsec authentication
show advanced probe
Use the advanced timers commands to configure advanced 802.11a settings.
To configure the Cisco lightweight access point discovery time-out, use the config advanced timers ap-discovery-timeout command.
config advanced timers ap-discovery-timeout seconds
Cisco lightweight access point discovery timeout value between 1 and 10 seconds.
The Cisco lightweight access point discovery timeout is how often a Cisco wireless LAN controller attempts to discover unconnected Cisco lightweight access points.
This example shows how to configure an access point discovery-timeout with the timeout value of 20:
show advanced timers
config advanced timers ap-fast-heartbeat
config advanced timers ap-heartbeat-timeout
config advanced timers ap-primary-discovery-timeout
config advanced timers auth-timeout
To enable or disable the fast heartbeat timer which reduces the amount of time it takes to detect a controller failure for local, hybrid-REAP, or all access points, use the config advanced timers ap-fast-heartbeat command.
config advanced timers ap-fast-heartbeat {local | hreap | all} {enable | disable} interval
This example shows how to enable the fast heartbeat interval for access points in local mode:
This example shows how to enable the fast heartbeat interval for access points in hybrid-REAP mode:
This example shows how to enable the fast heartbeat interval for all access points:
This example shows how to disable the fast heartbeat interval for all access points:
show advanced timers
config advanced timers ap-discovery-timeout
config advanced timers ap-heartbeat-timeout
config advanced timers ap-primary-discovery-timeout
config advanced timers auth-timeout
To configure the Cisco lightweight access point heartbeat timeout, use the config advanced timers ap-heartbeat-timeout command.
config advanced timers ap-heartbeat-timeout seconds
Cisco lightweight access point heartbeat timeout value between 1 and 30 seconds.
The Cisco lightweight access point heartbeat timeout controls how often the Cisco lightweight access point sends a heartbeat keep-alive signal to the Cisco wireless LAN controller.
This seconds value should be at least three times larger than the fast heartbeat timer.
This example shows how to configure an access point heartbeat timeout to 20:
show advanced timers
config advanced timers ap-discovery-timeout
config advanced timers ap-fast-heartbeat
config advanced timers ap-primary-discovery-timeout
config advanced timers auth-timeout
To configure the access point primary discovery request timer, use the config advanced timers ap-primary-discovery-timeout command.
config advanced timers ap-primary-discovery-timeout interval
Access point primary discovery request timer between 30 and 3600 seconds.
show advanced timers
config advanced timers ap-discovery-timeout
config advanced timers ap-fast-heartbeat
config advanced timers ap-heartbeat-timeout
config advanced timers auth-timeout
To configure the authentication timeout, use the config advanced timers auth-timeout command.
config advanced timers auth-timeout seconds
Authentication response timeout value in seconds between 10 and 600.
This example shows how to configure the authentication timeout to 20 seconds:
show advanced timers
config advanced timers ap-fast-heartbeat
config advanced timers ap-discovery-timeout
config advanced timers ap-heartbeat-timeout
config advanced timers ap-primary-discovery-timeout
To configure the Extensible Authentication Protocol (EAP) expiration timeout, use the config advanced timers eap-timeout command.
config advanced timers eap-timeout seconds
This example shows how to configure the EAP expiration timeout to 10 seconds:
To configure the advanced Extensible Authentication Protocol (EAP) identity request delay in seconds, use the config advanced timers eap-identity-request-delay command.
config advanced timers eap-identity-request-delay seconds
Advanced EAP identity request delay in number of seconds between 0 and 10.
This example shows how to configure the advanced EAP identity request delay to 8 seconds:
config advanced timers auth-timeout, config advanced timers rogue-ap, show advanced timers
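The value ranges given above for the client-handoff, assoc-limit, probe limit, and timers commands can be checked offline before a change is pushed to a controller. The following is an added example, not Cisco tooling: it audits saved command lines against the ranges stated on this page and cross-checks the heartbeat timeout against the fast heartbeat timer. The sample input is constructed, and the fast heartbeat interval of 8 is an assumed value.

```python
"""Audit WLC 'config advanced' lines against the ranges stated on this page."""

# (parameter name, min, max) per positional argument. None means the page
# gives no bound for that argument, so it is only checked for being an integer.
RANGES = {
    "config advanced timers ap-discovery-timeout": [("seconds", 1, 10)],
    "config advanced timers ap-heartbeat-timeout": [("seconds", 1, 30)],
    "config advanced timers ap-primary-discovery-timeout": [("interval", 30, 3600)],
    "config advanced timers auth-timeout": [("seconds", 10, 600)],
    "config advanced timers eap-identity-request-delay": [("seconds", 0, 10)],
    "config advanced client-handoff": [("num_of_retries", 0, 255)],
    "config advanced probe limit": [("num_probes", 1, 100),
                                    ("interval", None, None)],
    "config advanced assoc-limit enable": [("associations", 1, 100),
                                           ("interval_ms", 100, 10000)],
}
FAST_HB = "config advanced timers ap-fast-heartbeat"
HB = "config advanced timers ap-heartbeat-timeout"


def _to_int(token):
    try:
        return int(token)
    except ValueError:
        return None


def audit(config_text):
    """Return a list of (line_number, message) findings."""
    findings = []
    heartbeat = None  # (line_number, seconds) of the last heartbeat timeout seen
    fast = []         # (line_number, mode, interval) for enabled fast heartbeats

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip().lstrip(">").strip()  # drop the CLI prompt if present
        if not line:
            continue

        if line.startswith(FAST_HB + " "):
            # Syntax on the page: {local | hreap | all} {enable | disable} interval
            args = line[len(FAST_HB):].split()
            if (len(args) < 2 or args[0] not in ("local", "hreap", "all")
                    or args[1] not in ("enable", "disable")):
                findings.append((lineno, "ap-fast-heartbeat: expected "
                                 "{local|hreap|all} {enable|disable} interval"))
            elif args[1] == "enable":
                interval = _to_int(args[2]) if len(args) > 2 else None
                if interval is None:
                    findings.append((lineno, "ap-fast-heartbeat: enable "
                                     "needs an integer interval"))
                else:
                    fast.append((lineno, args[0], interval))
            continue

        for prefix, params in RANGES.items():
            if not line.startswith(prefix + " "):
                continue
            args = line[len(prefix):].split()
            for (name, lo, hi), token in zip(params, args):
                value = _to_int(token)
                if value is None:
                    findings.append(
                        (lineno, f"{prefix}: {name}={token!r} is not an integer"))
                    continue
                if prefix == HB:
                    heartbeat = (lineno, value)
                if lo is not None and not lo <= value <= hi:
                    findings.append(
                        (lineno, f"{prefix}: {name}={value} outside {lo}..{hi}"))
            break

    # Page guidance: the heartbeat timeout should be at least three times
    # larger than the fast heartbeat timer.
    if heartbeat is not None:
        hb_line, hb = heartbeat
        for f_line, mode, interval in fast:
            if hb < 3 * interval:
                findings.append(
                    (hb_line, f"ap-heartbeat-timeout {hb}s is less than 3x the "
                              f"{mode} fast heartbeat ({interval}s, line {f_line})"))
    return findings


# Constructed input. Line 1 uses the value from this page's own example text,
# which falls outside the documented range of 1 to 10 seconds.
SAMPLE = """\
> config advanced timers ap-discovery-timeout 20
> config advanced timers ap-fast-heartbeat local enable 8
> config advanced timers ap-heartbeat-timeout 20
> config advanced timers auth-timeout 20
> config advanced timers eap-identity-request-delay 8
> config advanced probe limit 5 800
> config advanced assoc-limit enable 20 250
> config advanced client-handoff 100
"""

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print(f"line {lineno}: {message}")
```
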
Use the config ap commands to configure access point settings.
To enable or disable a Cisco lightweight access point or to add or delete a third-party (foreign) access point, use the config ap commands.
config ap {{ enable | disable } cisco_ap | { add | delete } MAC port { enable | disable } IP_address }
Port number through which the foreign access point can be reached.
This example shows how to disable lightweight access point AP1:
This example shows how to add a foreign access point with MAC address 12:12:12:12:12:12 and IP address 192.12.12.1 from port 2033:
To configure the Cisco bridge backhaul Tx rate, use the config ap bhrate command.
config ap bhrate { rate | auto } cisco_ap
Cisco bridge backhaul Tx rate in kbps. The valid values are 6000, 12000, 18000, 24000, 36000, 48000, and 54000.
In previous software releases, the default value for bridge data rate was 24000 (24 Mbps). In controller software release 6.0, the default value for bridge data rate is auto. If you configured the default bridge data rate value (24000) in a previous controller software release, the bridge data rate is configured with the new default value (auto) when you upgrade to controller software release 6.0. However, if you configured a nondefault value (for example, 18000) in a previous controller software release, that configuration setting is preserved when you upgrade to software release 6.0.
When the bridge data rate is set to auto, the mesh backhaul chooses the highest rate where the next higher rate cannot be used due to unsuitable conditions for that specific rate (and not because of conditions that affect all rates).
This example shows how to configure the Cisco bridge backhaul Tx rate to 54000 kbps:
To set or delete a bridge group name on a Cisco lightweight access point, use the config ap bridgegroupname command.
config ap bridgegroupname { set groupname | delete } cisco_ap
Deletes a Cisco lightweight access point’s bridge group name.
Only access points with the same bridge group name can connect to each other.
This example shows how to delete the bridge group name on Cisco access point AP02:
To enable or disable Ethernet-to-Ethernet bridging on a Cisco lightweight access point, use the config ap bridging command.
config ap bridging { enable | disable } cisco_ap
Enables the Ethernet-to-Ethernet bridging on a Cisco lightweight access point.
This example shows how to enable bridging on an access point:
This example shows how to disable bridging on an access point:
To enable or disable the Cisco Discovery Protocol (CDP) on a Cisco lightweight access point, use the config ap cdp command.
config ap cdp { enable | disable }{ cisco_ap | all }
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
The config ap cdp disable all command disables CDP on all access points that are joined to the controller and all access points that join in the future. CDP remains disabled on both current and future access points even after the controller or access point reboots. To enable CDP, enter the config ap cdp enable all command.
Note: After you enable CDP on all access points joined to the controller, you may disable and then reenable CDP on individual access points using the config ap cdp {enable | disable} cisco_ap command. After you disable CDP on all access points joined to the controller, you may not enable and then disable CDP on individual access points.
This example shows how to enable the CDP on all access points:
This example shows how to disable the CDP on ap02 access point:
To configure a Cisco lightweight access point’s memory core dump, use the config ap core-dump command.
config ap core-dump { disable | enable tftp_server_ipaddress filename { compress | uncompress } { cisco_ap | all }
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
config ap crash-file clear-all
config ap crash-file delete
config ap crash-file get-crash-file
config ap crash-file get-radio-core-dump
config ap port
To delete all crash and radio core dump files, use the config ap crash-file clear-all command.
config ap crash-file clear-all
config ap core-dump
config ap crash-file delete
config ap crash-file get-crash-file
config ap crash-file get-radio-core-dump
config ap port
To delete a single crash or radio core dump file, use the config ap crash-file delete command.
config ap crash-file delete filename
This example shows how to delete crash file 1:
config ap core-dump
config ap crash-file clear-all
config ap crash-file get-crash-file
config ap crash-file get-radio-core-dump
config ap port
To collect the latest crash data for a Cisco lightweight access point, use the config ap crash-file get-crash-file command.
config ap crash-file get-crash-file cisco_ap
Use the transfer upload datatype command to transfer the collected data to the Cisco wireless LAN controller.
This example shows how to collect the latest crash data for access point AP3:
config ap core-dump
config ap crash-file clear-all
config ap crash-file delete
config ap crash-file get-radio-core-dump
config ap port
To get a Cisco lightweight access point’s radio core dump, use the config ap crash-file get-radio-core-dump command.
config ap crash-file get-radio-core-dump Slot_ID cisco_ap
This example shows how to collect the radio core dump for access point AP02 and slot 0:
config ap core-dump
config ap crash-file clear-all
config ap crash-file delete
config ap crash-file get-crash-file
config ap port
To configure the global authentication username and password for all access points currently joined to the controller as well as any access points that join the controller in the future, use the config ap dot1xuser command.
config ap dot1xuser add username user password password {all | cisco_ap}
You must enter a strong password. Strong passwords have the following characteristics:
This example shows how to configure the global authentication username and password for all access points:
config ap dot1xuser delete
config ap dot1xuser disable
show ap summary
To force a specific access point to use the controller’s global authentication settings, use the config ap dot1xuser delete command.
config ap dot1xuser delete cisco_ap
This example shows how to force access point AP01 to use the controller’s global authentication settings:
config ap dot1xuser
config ap dot1xuser disable
show ap summary
To disable authentication for all access points or for a specific access point, use the config ap dot1xuser disable command.
config ap dot1xuser disable { all | cisco_ap }
You can disable 802.1X authentication for a specific access point only if global 802.1X authentication is not enabled. If global 802.1X authentication is enabled, you can disable 802.1X for all access points only.
This example shows how to disable the authentication for access point cisco_ap1:
config ap dot1xuser
config ap dot1xuser delete
show ap summary
To configure the duplex and speed settings on the wireless LAN and the lightweight access points, use the config ap ethernet command.
config ap ethernet duplex [auto | half | full] speed [auto | 10 | 100 | 1000] {all | Cisco_ap}
This example shows how to configure the Ethernet port to half duplex at 10 Mbps for all access points:
To specify a descriptive group name for a Cisco lightweight access point, use the config ap group-name command.
config ap group-name groupname cisco_ap
The Cisco lightweight access point must be disabled before changing this parameter.
This example shows how to configure a descriptive name for access point AP01:
config ap group-name
config wlan apgroup
show ap summary
show ap wlan
To configure a primary or secondary RADIUS server for a specific hybrid-REAP access point, use the config ap h-reap radius auth set command.
config ap h-reap radius auth set {primary | secondary} ip_address auth_port secret
Specifies the primary RADIUS server for a specific hybrid-REAP access point.
Specifies the secondary RADIUS server for a specific hybrid-REAP access point.
This example shows how to configure a primary RADIUS server for a specific access point:
config ap mode h-reap
config ap h-reap vlan wlan
config ap h-reap vlan
config ap h-reap vlan native
To enable or disable VLAN tagging for a hybrid-REAP access point, use the config ap h-reap vlan command.
config ap h-reap vlan {enable | disable} cisco_ap
Disabled. Once enabled, WLANs enabled for local switching inherit the VLAN assigned at the controller.
This example shows how to enable VLAN tagging for a hybrid-REAP access point:
To configure a native VLAN for a hybrid-REAP access point, use the config ap h-reap vlan native command.
config ap h-reap vlan native vlan-id cisco_ap
This example shows how to configure a native VLAN for a hybrid-REAP access point:
To assign a VLAN ID to a hybrid-REAP access point, use the config ap h-reap vlan wlan command.
config ap h-reap vlan wlan ip_address vlan-id cisco_ap
This example shows how to assign a VLAN ID to a hybrid-REAP access point:
To configure an image on a specified access point, use the config ap image predownload command.
config ap image predownload { primary | backup} {cisco_ap | all}
Predownloads an image to a Cisco access point from the controller's primary image.
Predownloads an image to a Cisco access point from the controller's backup image.
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
This example shows how to predownload an image to an access point from the primary image:
To swap an access point’s primary and backup images, use the config ap image swap command.
config ap image swap {cisco_ap | all}
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
This example shows how to swap an access point’s primary and secondary images:
To enable or disable the LED-State for an access point, use the config ap led-state command.
config ap led-state { enable | disable } { cisco_ap | all }
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
This example shows how to enable the LED-State for an access point:
To enable or disable the Datagram Transport Layer Security (DTLS) data encryption for access points on the 5500 series controller, use the config ap link-encryption command.
config ap link-encryption { enable | disable } { Cisco_AP | all }
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
DTLS data encryption is enabled automatically for OfficeExtend access points but disabled by default for all other access points.
Only Cisco 5500 Series Controllers support DTLS data encryption. This feature is not available on other controller platforms. If an access point with data encryption enabled tries to join any other controller, the access point joins the controller, but data packets are sent unencrypted.
Only Cisco 1130, 1140, 1240, and 1250 series access points support DTLS data encryption, and data-encrypted access points can join a Cisco 5500 Series Controller only if the wplus license is installed on the controller. If the wplus license is not installed, the access points cannot join the controller.
This example shows how to enable the data encryption for an access point:
config ap
show dtls connections
To enable or disable link latency for a specific access point or for all access points currently associated to the controller, use the config ap link-latency command.
config ap link-latency {enable | disable | reset} { cisco_ap | all}
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
This command enables or disables link latency only for access points that are currently joined to the controller. It does not apply to access points that join in the future.
This example shows how to enable the link latency for all access points:
To modify the descriptive location of a Cisco lightweight access point, use the config ap location command.
config ap location location cisco_ap
Location name of the access point (enclosed by double quotation marks).
The Cisco lightweight access point must be disabled before changing this parameter.
This example shows how to configure the descriptive location for access point AP1:
To set the severity level for filtering syslog messages for a particular access point or for all access points, use the config ap logging syslog level command.
config ap logging syslog level severity_level { cisco_ap | all }
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the access point. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the access point.
This example shows how to set the severity for filtering syslog messages to 3:
config logging syslog host
config logging syslog facility
show logging
To configure username, password, and secret password for AP management, use the config ap mgmtuser add command.
config ap mgmtuser add username AP_username password AP_password secret secret {all | Cisco_AP}
Configures the secret password for privileged AP management.
Applies configuration to every AP that does not have a specific username.
The following requirements are enforced on the password:
The following requirement is enforced on the secret password:
This example shows how to add username, password, and secret password for AP management:
To force a specific access point to use the controller’s global credentials, use the config ap mgmtuser delete command.
config ap mgmtuser delete cisco_ap
This example shows how to delete the credentials of an access point:
To change a Cisco wireless LAN controller communication option for an individual Cisco lightweight access point, use the config ap mode command.
config ap mode { bridge | h-reap | local | reap | rogue | sniffer | se-connect | monitor [ submode { none | wips }]} cisco_ap
Sniffer mode will capture and forward all the packets from the clients on that channel to a remote machine that runs AiroPeek or other supported packet analyzer software. It will include information on the timestamp, signal strength, packet size and so on.
This example shows how to set the controller to communicate with access point AP91 in bridge mode:
This example shows how to set the controller to communicate with access point AP01 in local mode:
This example shows how to set the controller to communicate with access point AP91 in remote office (REAP) mode:
This example shows how to set the controller to communicate with access point AP91 in rogue access point detector mode:
This example shows how to set the controller to communicate with access point AP02 in wireless sniffer mode:
This example shows how to set the controller to communicate with access point AP02 in wIPS submode:
config 802.11 enable
config ap mode
config ap monitor-mode
show ap config
show ap monitor-mode summary
show wps wips statistics
To configure Cisco lightweight access point channel optimization, use the config ap monitor-mode command.
config ap monitor-mode { 802.11b fast-channel | no-optimization | tracking-opt | wips-optimized } cisco_ap
This example shows how to configure a Cisco wireless intrusion prevention system (wIPS) monitor mode on access point AP01:
config 802.11 enable
config ap mode
show ap config
show ap monitor-mode summary
show wps wips statistics
show wps wips summary
To modify the name of a Cisco lightweight access point, use the config ap name command.
config ap name new_name old_name
This example shows how to modify the name of access point AP1 to AP2:
To configure the port for a foreign access point, use the config ap port command.
This example shows how to configure the port for a foreign access point MAC address:
To configure the power injector state for an access point, use the config ap power injector command.
config ap power injector { enable | disable } { cisco_ap | all} { installed | override | switch_MAC }
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
This example shows how to enable the power injector state for all access points:
To enable or disable the inline power Cisco pre-standard switch state for an access point, use the config ap power pre-standard command.
config ap power pre-standard { enable | disable } cisco_ap
Enables the inline power Cisco pre-standard switch state for an access point.
Disables the inline power Cisco pre-standard switch state for an access point.
This example shows how to enable the inline power Cisco pre-standard switch state for access point AP02:
To set the Cisco lightweight access point primary Cisco wireless LAN controller, use the config ap primary-base command.
config ap primary-base controller_name cisco_ap [controller_ip_address]
The Cisco lightweight access point associates with this Cisco wireless LAN controller for all network operations and in the event of a hardware reset.
OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to find a controller. You must configure one or more controllers because OfficeExtend access points try to connect only to their configured controllers.
This example shows how to set an access point primary Wireless LAN controller:
To assign a priority designation to an access point that allows it to reauthenticate after a controller failure by priority rather than on a first-come-until-full basis, use the config ap priority command.
config ap priority {1 | 2 | 3 | 4} cisco_ap
In a failover situation, if the backup controller does not have enough ports to allow all the access points in the affected area to reauthenticate, it gives priority to higher-priority access points over lower-priority ones, even if it means replacing lower-priority access points.
This example shows how to assign a priority designation to access point AP02 that allows it to reauthenticate after a controller failure by assigning a reauthentication priority 3:
config network ap-priority
show ap summary
show network summary
To reset a Cisco lightweight access point, use the config ap reporting-period command.
config ap reporting-period period
This example shows how to reset an access point reporting period to 120 seconds:
To reset a Cisco lightweight access point, use the config ap reset command.
This example shows how to reset an access point:
To specify the role of an access point in a mesh network, use the config ap role command.
config ap role { rootAP | meshAP } AP_name
Designates the mesh access point as a root access point (RAP).
Designates the mesh access point as a mesh access point (MAP).
Use the meshAP keyword if the access point has a wireless connection to the controller, or use the rootAP keyword if the access point has a wired connection to the controller.
This example shows how to designate mesh access point AP02 as a root access point:
To configure the Reset button for an access point, use the config ap rst-button command.
config ap rst-button { enable | disable } cisco_ap
This example shows how to configure the reset button for access point AP03:
To set the Cisco lightweight access point secondary Cisco wireless LAN controller, use the config ap secondary-base command.
config ap secondary-base controller_name cisco_ap [controller_ip_address]
The Cisco lightweight access point associates with this Cisco wireless LAN controller for all network operations and in the event of a hardware reset.
OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to find a controller. You must configure one or more controllers because OfficeExtend access points try to connect only to their configured controllers.
This example shows how to set an access point secondary Cisco wireless controller:
To enable or disable sniffing on an access point, use the config ap sniff command.
config ap sniff { 802.11a | 802.11b }{ enable channel server_ip | disable } cisco_ap
IP address of the remote machine running Omnipeek, Airopeek,
When the sniffer feature is enabled on an access point, it starts sniffing the signal on the given channel. It captures and forwards all the packets to the remote computer that runs Omnipeek, Airopeek, AirMagnet, or Wireshark software. It includes information on the timestamp, signal strength, packet size and so on.
Before an access point can act as a sniffer, a remote computer that runs one of the listed packet analyzers must be set up so that it can receive packets sent by the access point. After the Airopeek installation, copy the following .dll files to the location where Airopeek is installed:
This example shows how to enable sniffing on the 802.11a radio of an access point:
show ap config
config ap sniff 802.11b
To enable Secure Shell (SSH) connectivity on an access point, use the config ap ssh command.
config ap ssh {enable | disable} cisco_ap
The Cisco lightweight access point associates with this Cisco wireless LAN controller for all network operation and in the event of a hardware reset.
This example shows how to enable SSH connectivity on access point Cisco_ap2:
To configure Cisco lightweight access point static IP address settings, use the config ap static-ip command.
config ap static-ip { enable cisco_ap ip_address net_mask gateway | disable cisco_ap | add { domain { cisco_ap | all } domain_name } | { nameserver { cisco_ap | all } dns_ip_address } | delete { domain | nameserver } { cisco_ap | all }}
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
An access point cannot discover the controller using Domain Name System (DNS) resolution if a static IP address is configured for the access point, unless you specify a DNS server and the domain to which the access point belongs.
After you enter the IP, netmask, and gateway addresses, save your configuration to reboot the access point. After the access point rejoins the controller, you can enter the domain and DNS server information.
This example shows how to configure an access point static IP address:
To set the time in seconds that the Cisco lightweight access point sends its DOT11 statistics to the Cisco wireless LAN controller, use the config ap stats-timer command.
config ap stats-timer period cisco_ap
Time in seconds from 0 to 65535. A zero value disables the timer.
A value of 0 (zero) means the Cisco lightweight access point will not send any DOT11 statistics. The acceptable range for the timer is from 0 to 65535 seconds, and the Cisco lightweight access point must be disabled to set this value.
This example shows how to set the stat timer to 600 seconds for access point AP2:
To configure a global syslog server for all access points that join the controller, use the config ap syslog host global command.
config ap syslog host global syslog_server_IP_address
By default, the global syslog server IP address for all access points is 255.255.255.255. Make sure that the access points can reach the subnet on which the syslog server resides before configuring the syslog server on the controller. If the access points cannot reach this subnet, the access points are unable to send out syslog messages.
This example shows how to configure a global syslog server for all access points:
To configure a syslog server for a specific access point, use the config ap syslog host specific command.
config ap syslog host specific Cisco_ap syslog_server_IP_address
By default, the syslog server IP address for each access point is 0.0.0.0, indicating that it is not yet set. When the default value is used, the global access point syslog server IP address is pushed to the access point.
This example shows how to configure a syslog server:
To enable or disable the TCP maximum segment size (MSS) on a particular access point or on all access points, use the config ap tcp-adjust-mss command.
config ap tcp-adjust-mss { enable | disable } { Cisco_AP | all } size
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
When you enable this feature, the access point checks for TCP packets to and from wireless clients in its data path. If the MSS of these packets is greater than the value that you configured or greater than the default value for the CAPWAP tunnel, the access point changes the MSS to the new configured value.
This example shows how to enable the TCP MSS on access point Cisco_ap1 with a segment size of 1200 bytes:
To enable Telnet connectivity on an access point, use the config ap telnet command.
config ap telnet {enable | disable} cisco_ap
The Cisco lightweight access point associates with this Cisco wireless LAN controller for all network operation and in the event of a hardware reset.
This example shows how to enable Telnet connectivity on access point cisco_ap1:
This example shows how to disable Telnet connectivity on access point cisco_ap1:
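An added example, not part of the Cisco reference: a Python linter that reads a change script written in the config ap telnet, config ap link-encryption, and config ap sniff syntax documented on this page and reports the final per-AP state that merits review before the script is applied. The sample script, AP names, addresses, approved-analyzer list, finding codes, and the last-command-wins model (including 'all' replacing earlier per-AP settings) are assumptions of the example.

```python
"""Lint a controller change script for AP settings covered on this page."""

# Constructed sample script; AP names and addresses are made up for the example.
SAMPLE_SCRIPT = """\
config ap link-encryption enable all
config ap link-encryption disable AP03
config ap telnet enable AP01
config ap telnet disable AP01
config ap telnet enable AP02
config ap ssh enable AP02
config ap sniff 802.11a enable 36 192.0.2.10 AP04
config ap sniff 802.11b enable 6 192.0.2.99 AP05
config ap sniff 802.11b disable AP05
"""

# Assumption of this example: the only host approved to receive sniffer captures.
APPROVED_ANALYZERS = {"192.0.2.50"}


class Toggle:
    """Last-write-wins enable/disable state for one feature."""

    def __init__(self, allow_all):
        self.allow_all = allow_all  # does the documented syntax accept 'all'?
        self.default = None         # state set by the most recent 'all' command
        self.per_ap = {}            # AP name -> state set after that

    def set(self, target, state):
        if self.allow_all and target == "all":
            # 'all' wins over an AP that happens to be named 'all' (page note)
            # and, in this model, replaces earlier per-AP settings.
            self.default = state
            self.per_ap.clear()
        else:
            self.per_ap[target] = state

    def state(self, ap):
        return self.per_ap.get(ap, self.default)


def lint(script, approved=APPROVED_ANALYZERS):
    """Return sorted (ap, code, detail) findings for the final state of the script."""
    telnet = Toggle(allow_all=False)     # syntax: {enable | disable} cisco_ap
    encryption = Toggle(allow_all=True)  # syntax: {enable | disable} {Cisco_AP | all}
    sniff = {}                           # (ap, band) -> capture destination
    seen = set()                         # targets named by toggle commands

    for line in script.splitlines():
        words = line.split()
        if len(words) < 5 or words[:2] != ["config", "ap"]:
            continue
        feature, args = words[2], words[3:]
        if feature in ("telnet", "link-encryption"):
            if len(args) != 2 or args[0] not in ("enable", "disable"):
                continue
            toggle = telnet if feature == "telnet" else encryption
            toggle.set(args[1], args[0])
            seen.add(args[1])
        elif feature == "sniff" and len(args) >= 3:
            band = args[0]
            if args[1] == "enable" and len(args) == 5:
                # enable channel server_ip cisco_ap
                server_ip, ap = args[3], args[4]
                sniff[(ap, band)] = server_ip
            elif args[1] == "disable" and len(args) == 3:
                sniff.pop((args[2], band), None)

    findings = []
    for ap in seen:  # the 'all' entry stands for every AP not named individually
        if telnet.state(ap) == "enable":
            findings.append((ap, "TELNET_ENABLED", "cleartext management session"))
        if encryption.state(ap) == "disable":
            findings.append((ap, "LINK_ENCRYPTION_DISABLED",
                             "data packets not DTLS-encrypted"))
    for (ap, band), server_ip in sniff.items():
        if server_ip not in approved:
            findings.append((ap, "SNIFF_UNAPPROVED_HOST",
                             f"{band} capture sent to {server_ip}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE_SCRIPT):
        print(*finding, sep="  ")
```

Commands the linter does not model, such as config ap ssh, are skipped rather than reported.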
To set the Cisco lightweight access point tertiary Cisco wireless LAN controller, use the config ap tertiary-base command.
config ap tertiary-base controller_name cisco_ap [controller_ip_address]
OfficeExtend access points do not use the generic broadcast or over-the-air (OTAP) discovery process to find a controller. You must configure one or more controllers because OfficeExtend access points try to connect only to their configured controllers.
The Cisco lightweight access point associates with this Cisco wireless LAN controller for all network operations and in the event of a hardware reset.
This example shows how to set the access point tertiary wireless LAN controller:
To configure the settings used for downgrading a lightweight access point to an autonomous access point, use the config ap tftp-downgrade command.
config ap tftp-downgrade {tftp_ip_address | image_filename | ap_name}
This example shows how to configure the settings for downgrading access point ap1240_102301:
To assign a username and password to access either a specific access point or all access points, use the config ap username command.
config ap username user_id password passwd [all | ap_name]
This example shows how to assign a username and password to a specific access point:
This example shows how to assign the same username and password to all access points:
To enable or disable wireless LAN override for a Cisco lightweight access point radio, use the config ap wlan command.
config ap wlan { enable | disable } { 802.11a | 802.11b } wlan_id cisco_ap
Cisco wireless LAN controller ID assigned to a wireless LAN.
This example shows how to enable wireless LAN override on the AP03 802.11a radio:
To create an authorized access point entry, use the config auth-list add command.
config auth-list add { mic | ssc } AP_MAC [ AP_key ]
Specifies that the access point has a manufacturer-installed certificate.
Specifies that the access point has a self-signed certificate.
This example shows how to create an authorized access point entry with a manufacturer-installed certificate on MAC address 00:0b:85:02:0d:20:
To configure an access point authorization policy, use the config auth-list ap-policy command.
config auth-list ap-policy { authorize-ap { enable | disable } | ssc { enable | disable }}
This example shows how to enable an access point authorization policy:
This example shows how to enable an access point with a self-signed certificate to connect:
To delete an access point entry, use the config auth-list delete command.
config auth-list delete AP_MAC
This example shows how to delete an access point entry for MAC address 00:0b:85:02:0d:20:
Use the config band-select command to configure the band selection feature on the controller.
To set the band select probe cycle count, use the config band-select cycle-count command.
config band-select cycle-count cycle_count
This example shows how to set the probe cycle count for band select to 8:
config band-select cycle-threshold
config band-select expire
config band-select client-rssi
To set the time threshold for a new scanning cycle, use the config band-select cycle-threshold command.
config band-select cycle-threshold cycle_threshold
Enter a value for cycle threshold between 1 and 1000 milliseconds.
This example shows how to set the time threshold for a new scanning cycle with threshold value 700 milliseconds:
config band-select cycle-threshold
config band-select expire
config band-select client-rssi
To set the entry expire for band select, use the config band-select expire command.
config band-select expire {suppression | dual-band} seconds
This example shows how to set the suppression expire to 70 seconds:
config band-select cycle-threshold
config band-select cycle-count
config band-select client-rssi
To set the client RSSI threshold for band select, use the config band-select client-rssi command.
config band-select client-rssi client_rssi
Minimum client RSSI, in dBm, required to respond to a probe, between 20 and 90.
This example shows how to set the suppression expire to 70:
config band-select cycle-threshold
config band-select expire
config band-select cycle-count
To change a Cisco wireless LAN controller boot option, use the config boot command.
config boot { primary | backup }
Each Cisco wireless LAN controller can boot off the primary, last-loaded operating system image (OS) or boot off the backup, earlier-loaded OS image.
This example shows how to set the primary image as active so that the LAN controller can boot off the primary, last loaded image:
This example shows how to set the backup image as active so that the LAN controller can boot off the backup, earlier loaded OS image:
To configure the Cisco Discovery Protocol (CDP) maximum hold timer, use the config cdp timer command.
To configure Secure Sockets Layer (SSL) certificates, use the config certificate command.
config certificate { generate { webadmin | webauth } | compatibility { on | off }}
Specifies the compatibility mode for inter-Cisco wireless LAN controller IPsec settings.
This example shows how to generate a new web administration SSL certificate:
This example shows how to configure the compatibility mode for inter-Cisco wireless LAN controller IPsec settings:
config certificate lsc
show certificate compatibility
show certificate lsc
show certificate summary
show local-auth certificates
To configure Locally Significant Certificate (LSC) certificates, use the config certificate lsc commands.
config certificate lsc { enable | disable | ca-server http://url:port/path | ca-cert { add | delete } |
subject-params country state city orgn dept email | other-params keysize } |
ap-provision { auth-list { add | delete } ap_mac | revert-cert retries }
The default value of keysize is 2048 bits.
The default value of retries is 3.
You can configure only one CA server. To configure a different CA server, delete the configured CA server by using the config certificate lsc ca-server delete command, and then configure a different CA server.
If you configure an access point provision list, only the access points in the provision list are provisioned when you enable AP provisioning (in Step 8). If you do not configure an access point provision list, all access points with an MIC or SSC certificate that join the controller are LSC provisioned.
This example shows how to enable the LSC settings:
This example shows how to enable the LSC settings for Certificate Authority (CA) server settings:
This example shows how to add a CA certificate from the CA server and add it to the controller’s certificate database:
This example shows how to configure an LSC certificate with the keysize of 2048 bits:
config certificate
show certificate compatibility
show certificate lsc
show certificate summary
show local-auth certificates
Use the config client commands to configure client settings.
To clear the client reporting information, use the config client ccx clear-reports command.
config client ccx clear-reports client_mac_address
This example shows how to clear the reporting information of the client MAC address 172.19.28.40:
config client ccx get-profiles
config client ccx get-operating-parameters
config client ccx get-manufacturer-info
config client ccx get-client-capability
show client ccx profiles
show client ccx operating-parameters
show client ccx manufacturer-info
show client ccx client-capability
config client ccx stats-request
show client ccx stats-report
To clear the test results on the controller, use the config client ccx clear-results command.
config client ccx clear-results client_mac_address
This example shows how to clear the test results of the client MAC address 172.19.28.40:
config client ccx default-gw-ping
config client ccx
config client ccx dns-ping
config client ccx dns-resolve
config client ccx test-association
config client ccx test-dot1x
config client ccx test-profile
config client ccx test-abort
config client ccx send-message
show client ccx last-test-status
show client ccx last-response-status
show client ccx results
show client ccx frame-data
To send a request to the client to perform the default gateway ping test, use the config client ccx default-gw-ping command.
config client ccx default-gw-ping client_mac_address
This test does not require the client to use the diagnostic channel.
This example shows how to send a request to the client 00:E0:77:31:A3:55 to perform the default gateway ping test:
config client ccx dhcp-test
config client ccx dns-ping
config client ccx dns-resolve
config client ccx test-association
config client ccx test-dot1x
config client ccx test-profile
config client ccx test-abort
config client ccx clear-results
config client ccx send-message
show client ccx last-test-status
show client ccx last-response-status
show client ccx results
show client ccx frame-data
To send a request to the client to perform the DHCP test, use the config client ccx dhcp-test command.
config client ccx dhcp-test client_mac_address
This test does not require the client to use the diagnostic channel.
This example shows how to send a request to the client 00:E0:77:31:A3:55 to perform the DHCP test:
config client ccx default-gw-ping
config client ccx dns-ping
config client ccx dns-resolve
config client ccx test-association
config client ccx test-dot1x
config client ccx test-profile
config client ccx test-abort
config client ccx clear-results
config client ccx send-message
show client ccx last-test-status
show client ccx last-response-status
show client ccx results
show client ccx frame-data
To send a request to the client to perform the Domain Name System (DNS) server IP address ping test, use the config client ccx dns-ping command.
config client ccx dns-ping client_mac_address
This test does not require the client to use the diagnostic channel.
This example shows how to send a request to the client 00:E0:77:31:A3:55 to perform the DNS server IP address ping test:
config client ccx default-gw-ping
config client ccx dhcp
config client ccx dns-resolve
config client ccx test-association
config client ccx test-dot1x
config client ccx test-profile
config client ccx test-abort
config client ccx clear-results
config client ccx send-message
show client ccx last-test-status
show client ccx last-response-status
show client ccx results
show client ccx frame-data
To send a request to the client to perform the Domain Name System (DNS) resolution test to the specified hostname, use the config client ccx dns-resolve command.
config client ccx dns-resolve client_mac_address host_name
This test does not require the client to use the diagnostic channel.
This example shows how to send a request to the client 00:E0:77:31:A3:55 to perform the DNS name resolution test to the specified hostname:
config client ccx default-gw-ping
config client ccx dhcp
config client ccx dns-ping
config client ccx test-association
config client ccx test-dot1x
config client ccx test-profile
config client ccx test-abort
config client ccx clear-results
config client ccx send-message
show client ccx last-test-status
show client ccx last-response-status
show client ccx results
show client ccx frame-data
To send a request to the client to send its capability information, use the config client ccx get-client-capability command.
config client ccx get-client-capability client_mac_address
This example shows how to send a request to the client 172.19.28.40 to send its capability information:
config client ccx get-profiles
config client ccx get-operating-parameters
config client ccx get-manufacturer-info
config client ccx clear-reports
show client ccx profiles
show client ccx operating-parameters
show client ccx manufacturer-info
show client ccx client-capability
config client ccx stats-request
show client ccx stats-report
To send a request to the client to send the manufacturer’s information, use the config client ccx get-manufacturer-info command.
config client ccx get-manufacturer-info client_mac_address
This example shows how to send a request to the client 172.19.28.40 to send the manufacturer’s information:
config client ccx get-profiles
config client ccx get-operating-parameters
config client ccx get-client-capability
config client ccx clear-reports
show client ccx profiles
show client ccx operating-parameters
show client ccx manufacturer-info
show client ccx client-capability
config client ccx stats-request
show client ccx stats-report
To send a request to the client to send its current operating parameters, use the config client ccx get-operating-parameters command.
config client ccx get-operating-parameters client_mac_address
This example shows how to send a request to the client 172.19.28.40 to send its current operating parameters:
config client ccx get-profiles
config client ccx get-manufacturer-info
config client ccx get-client-capability
config client ccx clear-reports
show client ccx profiles
show client ccx operating-parameters
show client ccx manufacturer-info
show client ccx client-capability
config client ccx stats-request
show client ccx stats-report
To send a request to the client to send its profiles, use the config client ccx get-profiles command.
config client ccx get-profiles client_mac_address
This example shows how to send a request to the client 172.19.28.40 to send its profile details:
config client ccx get-operating-parameters
config client ccx get-manufacturer-info
config client ccx get-client-capability
config client ccx clear-reports
show client ccx profiles
show client ccx operating-parameters
show client ccx manufacturer-info
show client ccx client-capability
config client ccx stats-request
show client ccx stats-report
To configure a Cisco client eXtension (CCX) log request for a specified client device, use the config client ccx log-request command.
config client ccx log-request log_type {roam | rsna | syslog} client_mac_address
This example shows how to specify the request for the client CCX system log:
This example shows how to specify the client CCX roaming log:
This example shows how to specify the client CCX RSNA log:
To send a message to the client, use the config client ccx send-message command.
config client ccx send-message client_mac_address message_id
This example shows how to send a message to the client MAC address 172.19.28.40 with the message user-action-required:
config client ccx default-gw-ping
config client ccx dhcp
config client ccx dns-ping
config client ccx dns-resolve
config client ccx test-association
config client ccx test-dot1x
config client ccx test-profile
config client ccx test-abort
config client ccx clear-results
show client ccx last-test-status
show client ccx last-response-status
show client ccx results
show client ccx frame-data
To send a request for statistics, use the config client ccx stats-request command.
config client ccx stats-request measurement_duration stats_name {dot11 | security} client_mac_address
This example shows how to specify dot11 counter settings:
To send a request to the client to terminate the current test, use the config client ccx test-abort command.
config client ccx test-abort client_mac_address
This example shows how to send a request to the client 11:11:11:11:11:11 to terminate the current test:
config client ccx default-gw-ping
config client ccx dhcp
config client ccx dns-ping
config client ccx dns-resolve
config client ccx test-association
config client ccx test-dot1x
config client ccx test-profile
config client ccx clear-results
config client ccx send-message
show client ccx last-test-status
show client ccx last-response-status
show client ccx results
show client ccx frame-data
To send a request to the client to perform the association test, use the config client ccx test-association command.
config client ccx test-association client_mac_address ssid bssid 802.11 { a | b | g } channel
This example shows how to send a request to the client MAC address 00:0E:77:31:A3:55 to perform the basic SSID association test:
config client ccx default-gw-ping
config client ccx dhcp
config client ccx dns-ping
config client ccx dns-resolve
config client ccx test-dot1x
config client ccx test-profile
config client ccx test-abort
config client ccx clear-results
config client ccx send-message
show client ccx last-test-status
show client ccx last-response-status
show client ccx results
show client ccx frame-data
To send a request to the client to perform the 802.1x test, use the config client ccx test-dot1x command.
config client ccx test-dot1x client_mac_address profile_id bssid 802.11 { a | b | g } channel
This example shows how to send a request to the client to perform the 802.11b test with the profile name profile_01:
config client ccx default-gw-ping
config client ccx dhcp
config client ccx dns-ping
config client ccx dns-resolve
config client ccx test-association
config client ccx test-profile
config client ccx test-abort
config client ccx clear-results
config client ccx send-message
show client ccx last-test-status
show client ccx last-response-status
show client ccx results
show client ccx frame-data
To send a request to the client to perform the profile redirect test, use the config client ccx test-profile command.
config client ccx test-profile client_mac_address profile_id
Note: The profile_id should be from one of the client profiles for which client reporting is enabled.
This example shows how to send a request to the client to perform the profile redirect test with the profile name profile_01:
config client ccx default-gw-ping
config client ccx dhcp
config client ccx dns-ping
config client ccx dns-resolve
config client ccx test-association
config client ccx test-dot1x
config client ccx test-abort
config client ccx clear-results
config client ccx send-message
show client ccx last-test-status
show client ccx last-response-status
show client ccx results
show client ccx frame-data
To disconnect a client, use the config client deauthenticate command.
config client deauthenticate MAC
This example shows how to deauthenticate a client:
To configure link aggregation, use the config client location-calibration command.
config client location-calibration {enable mac_address interval | disable mac_address}
(Optional) Specifies that client location calibration is enabled.
(Optional) Specifies that client location calibration is disabled.
This example shows how to enable the client location calibration for the client 37:15:85:2a with a measurement interval of 45 seconds:
To enable or disable the controller to generate a core dump file following a crash, use the config coredump command.
config coredump { enable | disable }
This example shows how to enable the controller to generate a core dump file following a crash:
config coredump ftp
config coredump username
show coredump summary
To automatically upload a controller core dump file to an FTP server after experiencing a crash, use the config coredump ftp command:
config coredump ftp server_ip_address filename
IP address of the FTP server to which the controller sends its core dump file.
The controller must be able to reach the FTP server to use this command.
This example shows how to configure the controller to upload a core dump file named core_dump_controller to an FTP server at network address 192.168.0.13:
config coredump
config coredump username
show coredump summary
To specify the FTP server username and password when uploading a controller core dump file after experiencing a crash, use the config coredump username command:
config coredump username ftp_username password ftp_password
The controller must be able to reach the FTP server to use this command.
This example shows how to specify an FTP server username of admin and password adminpassword for the core dump file upload:
To configure the controller’s country code, use the config country command.
Cisco wireless LAN controllers must be installed by a network administrator or qualified IT professional and the installer must select the proper country code. Following installation, access to the unit should be password protected by the installer to maintain compliance with regulatory requirements and to ensure proper unit functionality. See the related product guide for the most recent country codes and regulatory domains.
You can use the show country command to display a list of supported countries.
This example shows how to configure the controller’s country code to DE:
To configure external URL web-based client authorization for the custom-web authentication page, use the config custom-web ext-webauth-mode command.
config custom-web ext-webauth-mode { enable | disable }
This example shows how to enable the external URL web-based client authorization:
config custom-web redirectUrl
config custom-web weblogo
config custom-web webmessage
config custom-web webtitle
config custom-web ext-webauth-url
show custom-web
To configure the complete external web authentication URL for the custom-web authentication page, use the config custom-web ext-webauth-url command.
config custom-web ext-webauth-url URL
This example shows how to configure the complete external web authentication URL http://www.AuthorizationURL.com/ for the web-based client authorization:
config custom-web redirectUrl
config custom-web weblogo
config custom-web webmessage
config custom-web webtitle
config custom-web ext-webauth-mode
show custom-web
To configure an external web server, use the config custom-web ext-webserver command.
config custom-web ext-webserver { add index IP_address | delete index }
Index of the external web server in the list of external web servers. The index must be a number between 1 and 20.
This example shows how to add the index of the external web server 2 to the IP address of the external web server 192.23.32.19:
config custom-web ext-webauth-mode
To configure the redirect URL for the custom-web authentication page, use the config custom-web redirectUrl command.
config custom-web redirectUrl URL
This example shows how to configure the URL that is redirected to abc.com:
config custom-web ext-webauth-mode
To configure the type of web authentication, use the config custom-web webauth-type command.
config custom-web webauth-type { internal | customized | external }
This example shows how to configure the web authentication type to internal:
config custom-web ext-webauth-mode
To configure the web authentication logo for the custom-web authentication page, use the config custom-web weblogo command.
config custom-web weblogo { enable | disable }
This example shows how to enable the web authentication logo:
config custom-web ext-webauth-mode
To configure the custom web authentication message text for the custom-web authentication page, use the config custom-web webmessage command.
config custom-web webmessage message
This example shows how to configure the message text Thisistheplace for web authentication:
config custom-web ext-webauth-mode
To configure the web authentication title text for the custom-web authentication page, use the config custom-web webtitle command.
config custom-web webtitle title
This example shows how to set the custom title text Helpdesk for web authentication:
config custom-web ext-webauth-mode
To configure the local database, use the config database command.
Use the show database command to display local database configuration.
This example shows how to configure the DHCP lease for scope 003.
To configure the internal DHCP, use the config dhcp command.
config dhcp { address-pool scope start end | create-scope scope |
default-router scope router_1 [ router_2 ] [ router_3 ] | delete-scope scope | disable scope |
dns-servers scope dns1 [ dns2 ] [ dns3 ] | domain scope domain |
enable scope | lease scope lease_duration |
netbios-name-server scope wins1 [ wins2 ] [ wins3 ] |
network scope network netmask | opt-82 remote-id { ap_mac | ap_mac : ssid }}
Use the show dhcp command to display the internal DHCP configuration.
This example shows how to configure the DHCP lease for the scope 003.
config dhcp proxy
config interface dhcp
config wlan dhcp_server
debug dhcp
debug dhcp service-port
debug disable-all
show dhcp
show dhcp proxy
To specify the level at which DHCP packets are modified, use the config dhcp proxy command.
config dhcp proxy { enable | disable }
Allows the controller to modify the DHCP packets without a limit.
Reduces the DHCP packet modification to the level of a relay.
Use the show dhcp proxy command to display the status of DHCP proxy handling.
This example shows how to disable the DHCP packet modification:
config dhcp
config interface dhcp
config wlan dhcp_server
debug dhcp
debug dhcp service-port
debug disable-all
show dhcp
show dhcp proxy
To create or delete an exclusion list entry, use the config exclusionlist command.
config exclusionlist { add MAC [ description ] | delete MAC | description MAC [ description ]}
(Optional) The description, up to 32 characters, for an excluded entry.
This example shows how to create a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:
This example shows how to delete a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:
Use the config interface commands to configure interface commands.
To create, delete, enable or disable a wireless LAN, use the config guest-lan command.
config guest-lan {{ create | delete } guest_lan_id interface_name | { enable | disable } guest_lan_id }
This example shows how to enable a wireless LAN with the LAN ID 16:
To redirect guest users to an external server before accessing the web login page, use the config guest-lan custom-web ext-webauth-url command to specify the URL of the external server.
config guest-lan custom-web ext-webauth-url ext_web_url guest_lan_id
This example shows how to enable a wireless LAN with the LAN ID 16:
To use a guest-LAN specific custom web configuration rather than a global custom web configuration, use the config guest-lan custom-web global disable command.
config guest-lan custom-web global disable guest_lan_id
If you enter the config guest-lan custom-web global enable guest_lan_id command, the custom web authentication configuration at the global level is used.
This example shows how to disable the global web configuration for guest LAN ID 1:
config guest-lan
config guest-lan create
config guest-lan custom-web ext-webauth-url
config guest-lan custom-web login_page
config guest-lan custom-web webauth-type
To enable wired guest users to log into a customized web login page, use the config guest-lan custom-web login_page command.
config guest-lan custom-web login_page page_name guest_lan_id
This example shows how to customize a web login page custompage1 for guest LAN ID 1:
config guest-lan
config guest-lan create
config guest-lan custom-web ext-webauth-url
To define the web login page for wired guest users, use the config guest-lan custom-web webauth-type command.
config guest-lan custom-web webauth-type {internal | customized | external} guest_lan_id
Displays the default web login page for the controller. This is the default value.
Displays the custom web login page that was previously configured.
This example shows how to configure the guest LAN with the webauth-type as internal for guest LAN ID 1:
To configure the wired guest VLAN’s ingress interface which provides a path between the wired guest client and the controller by way of the Layer 2 access switch, use the config guest-lan ingress-interface command.
config guest-lan ingress-interface guest_lan_id interface_name
This example shows how to provide a path between the wired guest client and the controller with guest LAN ID 1 and the interface name guest01:
To configure an egress interface to transmit wired guest traffic out of the controller, use the config guest-lan interface command.
config guest-lan interface guest_lan_id interface_name
This example shows how to configure an egress interface to transmit guest traffic out of the controller for guest LAN ID 1 and interface name guest01:
To add or delete mobility anchor, use the config guest-lan mobility anchor commands.
config guest-lan mobility anchor { add | delete } wlan_id anchor_ip
This example shows how to delete a mobility anchor for WLAN ID 4 and the anchor IP 192.168.0.14:
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
config wlan mobility anchor
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To enable or disable Network Admission Control (NAC) out-of-band support for a guest LAN, use the config guest-lan nac command:
config guest-lan nac { enable | disable } guest_lan_id
This example shows how to enable the NAC out-of-band support for guest LAN ID 3:
show nac statistics
show nac summary
config wlan nac
debug nac
To configure the security policy for the wired guest LAN, use the config guest-lan security command.
config guest-lan security {{ web-auth { enable | disable | acl | server-precedence } guest_lan_id } | { web-passthrough { acl | email-input | disable | enable } guest_lan_id }}
Configures the authentication server precedence order for web authentication users.
Specifies the web captive portal with no authentication required.
This example shows how to configure the security web authentication policy for guest LAN ID 1:
To add, delete, or configure a hybrid-REAP group, use the config hreap group command.
config hreap group group_name { add | delete | ap { add | delete } ap-mac |
radius server { add | delete }{ primary | secondary } server_index }
Configures a primary or secondary RADIUS server for a hybrid-REAP group.
This example shows how to add a hybrid-REAP group for MAC address 192.12.1.2:
This example shows how to add RADIUS server as a primary server for a hybrid-REAP group with the server index number 1:
config ap mode
config hreap join min-latency
config hreap office-extend
debug hreap group
show hreap group detail
show hreap group summary
To enable or disable the access point to choose the controller with the least latency when joining, use the config hreap join min-latency command.
config hreap join min-latency {enable | disable} Cisco_AP
Enables the access point to choose the controller with the least latency when joining.
Disables the access point to choose the controller with the least latency when joining.
When you enable this feature, the access point calculates the time between the discovery request and discovery response and joins the Cisco 5500 or 2500 Series Controller that responds first.
This command is not supported on Cisco 4400 and Cisco Wireless Services Module (WiSM).
This example shows how to enable the access point to choose the controller with the least latency when joining:
config ap mode
config hreap group
config hreap office-extend
To configure an OfficeExtend access point, use the config hreap office-extend command.
config hreap office-extend {{enable | disable} Cisco_AP | clear-personalssid-config Cisco_AP }
OfficeExtend mode is enabled automatically when you enable hybrid REAP mode on the access point.
Currently, only Cisco Aironet 1130 series and 1140 series access points that are joined to a Cisco 5500 Series Controller with a WPlus license can be configured to operate as OfficeExtend access points.
Rogue detection is disabled automatically when you enable the OfficeExtend mode for an access point. OfficeExtend access points, which are deployed in a home environment, are likely to detect a large number of rogue devices. You can enable or disable rogue detection for a specific access point or for all access points by using the config rogue detection { enable | disable } { Cisco_AP | all } command.
DTLS data encryption is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable DTLS data encryption for a specific access point or for all access points by using the config ap link-encryption { enable | disable } { Cisco_AP | all } command.
Telnet and SSH access are disabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable Telnet or SSH access for a specific access point by using the config ap telnet { enable | disable } Cisco_AP or config ap ssh { enable | disable } Cisco_AP command.
Link latency is enabled automatically when you enable the OfficeExtend mode for an access point. However, you can enable or disable link latency for a specific access point or for all access points currently associated to the controller by using the config ap link-latency { enable | disable } { Cisco_AP | all } command.
This example shows how to enable the office-extend mode for the access point Cisco_ap:
This example shows how to clear only the access point’s personal SSID for the access point Cisco_ap:
config ap mode
config hreap join min-latency
config hreap group
debug hreap group
show hreap group detail
show hreap group summary
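The OfficeExtend usage notes above say that enabling the mode turns DTLS data encryption on and Telnet and SSH off, and that later commands can reverse each of those. The following added example (not Cisco code) replays a controller change script in order and reports OfficeExtend access points whose final state differs from those automatic settings. It uses only the command syntaxes quoted above; the AP names, the sample script, its `#` comment convention and the function names are constructed for illustration.

```python
# Added example: models only what the page states about OfficeExtend defaults.
# AP names and the sample script are constructed; function names are hypothetical.

# State each setting takes automatically when OfficeExtend mode is enabled.
OFFICE_EXTEND_DEFAULTS = {
    "link-encryption": "enable",   # DTLS data encryption is turned on
    "telnet": "disable",
    "ssh": "disable",
}
# Per the page, only link-encryption also accepts "all" as its target.
ACCEPTS_ALL = {"link-encryption"}

# Constructed change script in the command syntax shown on this page.
SAMPLE_SCRIPT = """
config ap telnet enable AP-home-01            # issued before OfficeExtend is enabled
config hreap office-extend enable AP-home-01
config hreap office-extend enable AP-home-02
config ap ssh enable AP-home-02
config ap link-encryption disable all
config hreap office-extend enable AP-home-03  # enabled after the 'all' command
config ap link-encryption enable AP-home-02
"""


def simulate(script):
    """Replay a change script in order and return {ap: {setting: state}}
    for every access point that ends up in OfficeExtend mode."""
    aps = {}
    for raw in script.splitlines():
        # '#' comments are a convention of the constructed sample only.
        words = raw.split("#", 1)[0].split()
        if len(words) != 5 or words[0] != "config":
            continue
        state, target = words[3], words[4]
        if state not in ("enable", "disable"):
            continue
        if words[1:3] == ["hreap", "office-extend"]:
            if state == "enable":
                # Enabling the mode resets the three settings, whatever
                # was configured on the AP before.
                aps[target] = dict(OFFICE_EXTEND_DEFAULTS)
            else:
                # Assumption: an AP taken out of the mode is no longer audited.
                aps.pop(target, None)
        elif words[1] == "ap" and words[2] in OFFICE_EXTEND_DEFAULTS:
            setting = words[2]
            if target == "all" and setting in ACCEPTS_ALL:
                targets = list(aps)
            else:
                targets = [target]
            for ap in targets:
                if ap in aps:          # only OfficeExtend APs are tracked
                    aps[ap][setting] = state
    return aps


def deviations(script):
    """Return sorted (ap, setting, final_state) tuples where the final
    state differs from the automatic OfficeExtend setting."""
    found = []
    for ap, settings in simulate(script).items():
        for setting, state in settings.items():
            if state != OFFICE_EXTEND_DEFAULTS[setting]:
                found.append((ap, setting, state))
    return sorted(found)


if __name__ == "__main__":
    for ap, setting, state in deviations(SAMPLE_SCRIPT):
        print(f"{ap}: config ap {setting} is '{state}', "
              f"OfficeExtend sets it to '{OFFICE_EXTEND_DEFAULTS[setting]}'")
```

Command order is what the replay captures: the Telnet command issued before OfficeExtend is enabled on AP-home-01 is overridden, while the later `link-encryption disable all` leaves that AP without DTLS data encryption.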
To configure an interface’s access control list, use the config interface acl command.
config interface acl { ap-manager | management | interface_name } { ACL | none }
For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.
This example shows how to configure an access control list with a value None:
To configure address information for an interface, use the config interface address command.
config interface address
{ ap-manager IP_address netmask gateway |
management IP_address netmask gateway |
service-port IP_address netmask |
virtual IP_address |
interface-name interface-name IP_address netmask gateway }
Specifies the interface identified by the interface-name parameter.
For Cisco 5500 Series Controllers, you are not required to configure an AP-manager interface. The management interface acts like an AP-manager interface by default.
This example shows how to configure an access point manager interface with IP address 10.109.15.7, network mask 255.255.0.0, and gateway address 10.109.15.1:
To enable or disable access point manager features on the management or dynamic interface, use the config interface ap-manager command.
config interface ap-manager { management | interface_name } { enable | disable }
Enables access point manager features on a dynamic interface.
Disables access point manager features on a dynamic interface.
Use the management option to enable or disable dynamic AP management for the management interface. For Cisco 5500 Series Controllers, the management interface acts like an AP-manager interface by default. If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager.
When you enable this feature for a dynamic interface, the dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
This example shows how to disable an access point manager myinterface:
To create a dynamic interface (VLAN) for wired guest user access, use the config interface create command.
config interface create interface_name vlan-id
This example shows how to create a dynamic interface with the interface named lab2 and VLAN ID 6:
To delete a dynamic interface, use the config interface delete command.
config interface delete interface-name
This example shows how to delete a dynamic interface named VLAN501:
To configure DHCP options on an interface, use the config interface dhcp command.
config interface dhcp
{ ap-manager [primary dhcp_server secondary dhcp_server | option-82 [enable | disable] ] |
management [primary dhcp_server secondary dhcp_server | option-82 [enable | disable] ] |
service-port { enable | disable } |
dynamic interface name [primary dhcp_server secondary dhcp_server | option-82 [enable | disable] ]}
Specifies the interface name and the primary DHCP server. Optionally, you can also enter the address of the alternate DHCP server.
This example shows how to configure ap-manager server with the primary DHCP server 10.21.15.01 and secondary DHCP server 10.21.15.25:
This example shows how to configure DHCP option 82 on the ap-manager:
This example shows how to enable the DHCP for the out-of-band service port:
config dhcp
config dhcp proxy
config interface dhcp
config wlan dhcp_server
debug dhcp
debug dhcp service-port
debug disable-all
show dhcp
show dhcp proxy
show interface
To enable or disable the guest LAN VLAN, use the config interface guest-lan command.
config interface guest-lan interface_name {enable | disable}
This example shows how to enable the guest LAN feature on the interface named myinterface:
To configure the Domain Name System (DNS) hostname of the virtual gateway interface, use the config interface hostname command.
config interface hostname virtual DNS_host
This example shows how to configure the virtual gateway interface to use the specified virtual address of the fully qualified DNS hostname DNS_Host:
To deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT), use the config interface nat-address command.
config interface nat-address {management | dynamic-interface interface_name } {{ enable | disable } | { set public_IP_address }}
These NAT commands can be used only on Cisco 5500 Series Controllers and only if the management interface is configured for dynamic AP management.
These commands are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. They do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
This example shows how to enable one-to-one mapping NAT on the management interface:
This example shows how to set the external NAT IP address 10.10.10.10 on the management interface:
To map a physical port to the interface (if a link aggregation trunk is not configured), use the config interface port command.
config interface port { management | interface_name } primary_port { secondary_port }
You can use the management option for all controllers except the Cisco 5500 Series Controllers.
This example shows how to configure the LAb02 interface’s primary port number to 3:
To configure a quarantine VLAN on any dynamic interface, use the config interface quarantine vlan command.
config interface quarantine vlan interface-name vlan_id
This example shows how to configure a quarantine VLAN on the quarantine interface with the VLAN ID 10:
To configure an interface’s VLAN identifier, use the config interface vlan command.
config interface vlan { ap-manager | management | interface-name } vlan
This example shows how to configure VLAN ID 10 on the management interface:
To configure a known Cisco lightweight access point, use the config known ap command.
config known ap { add | alert | delete } MAC
This example shows how to add a new access point entry ac:10:02:72:2f:bf on a known access point:
To enable or disable link aggregation (LAG), use the config lag command.
This example shows how to enable LAG settings:
This example shows how to disable LAG settings:
To configure the Lightweight Directory Access Protocol (LDAP) server settings, use the config ldap command.
config ldap {add | delete | disable | enable | retransmit-timeout} index
This example shows how to enable LDAP server index 10:
To configure a Lightweight Directory Access Protocol (LDAP) server, use the config ldap add command.
config ldap add index server_ip_address port user_base user_attr user_type
Distinguished name for the subtree that contains all of the users.
This example shows how to configure an LDAP server with the index 10, server IP address 10.31.15.45, port number 2:
To configure the local authentication bind method for the Lightweight Directory Access Protocol (LDAP) server, use the config ldap simple-bind command.
config ldap simple-bind {anonymous index | authenticated index username username password password }
Specifies that a username and password be entered to secure access to the LDAP server.
This example shows how to configure the local authentication bind method that allows anonymous access to the LDAP server:
To configure the license agent on the Cisco 5500 Series Controller, use the config license agent command.
config license agent { default {disable | authenticate [none] }} { listener http {disable | { plaintext | encrypt } url authenticate [acl acl ] [max-message size ] [none] }} { max-session sessions } { notify {disable | url } username password }
The license agent is disabled by default.
The listener is disabled by default.
Notify is disabled by default.
If your network contains various Cisco licensed devices, you might consider using the CLM to manage all of the licenses using a single application. CLM is a secure client/server application that manages Cisco software licenses network wide.
The license agent is an interface module that runs on the controller and mediates between CLM and the controller’s licensing infrastructure. CLM can communicate with the controller using various channels, such as HTTP, Telnet, and so on. If you want to use HTTP as the communication method, you must enable the license agent on the controller.
The license agent receives requests from the CLM and translates them into license commands. It also sends notifications to the CLM. It uses XML messages over HTTP or HTTPS to receive the requests and send the notifications. For example, if the CLM sends a license clear command, the agent notifies the CLM after the license expires.
Note You can download the CLM software and access user documentation at this URL:
http://www.cisco.com/go/clm
This example shows how to authenticate the default license agent settings:
This example shows how to configure the license agent with the number of maximum sessions allowed as 5:
To specify the license level to be used on the next reboot of the Cisco 5500 Series Controller, use the config license boot command.
config license boot { base | wplus | auto }
If you enter auto, the licensing software automatically chooses the license level to use on the next reboot. It generally chooses permanent licenses over evaluation licenses and wplus licenses over base licenses.
Note If you are considering upgrading from a base license to a wplus license, you can try an evaluation wplus license before upgrading to a permanent wplus license. To activate the evaluation license, you need to set the image level to wplus in order for the controller to use the wplus evaluation license instead of the base permanent license.
Note To prevent disruptions in operation, the controller does not switch licenses when an evaluation license expires. You must reboot the controller in order to return to a permanent license. Following a reboot, the controller defaults to the same feature set level as the expired evaluation license. If no permanent license at the same feature set level is installed, the controller uses a permanent license at another level or an unexpired evaluation license.
This example shows how to set the license boot settings to wplus:
To globally configure aggressive load balancing on the controller, use the config load-balancing command.
config load-balancing { window client_count | status [enable | disable] | denial denial_count }
Load-balancing-enabled WLANs do not support time-sensitive applications like voice and video because of roaming delays.
When you use Cisco 7921 and 7920 Wireless IP Phones with controllers, make sure that aggressive load balancing is disabled on the voice WLANs for each controller. Otherwise, the initial roam attempt by the phone might fail, causing a disruption in the audio path.
This example shows how to enable the aggressive load balancing settings:
To specify the amount of time in which the controller attempts to authenticate wireless clients using local Extensible Authentication Protocol (EAP) after any pair of configured RADIUS servers fails, use the config local-auth active-timeout command.
config local-auth active-timeout timeout
This example shows how to specify the active timeout to authenticate wireless clients using EAP to 500 seconds:
clear stats local-auth
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics
To configure local Extensible Authentication Protocol (EAP) authentication profiles, use the config local-auth eap-profile command.
config local-auth eap-profile {[add | delete] profile_name |
cert-issuer {cisco | vendor} |
method [add | delete] method profile_name |
method method local-cert {enable | disable} profile_name |
method method client-cert {enable | disable} profile_name |
method method peer-verify ca-issuer {enable | disable} |
method method peer-verify cn-verify {enable | disable} |
method method peer-verify date-valid {enable | disable}}
This example shows how to create a local EAP profile named FAST01:
This example shows how to add the EAP-FAST method to a local EAP profile:
This example shows how to specify Cisco as the issuer of the certificates that will be sent to the client for an EAP-FAST profile:
This example shows how to specify that the incoming certificate from the client be validated against the CA certificates on the controller:
config local-auth active-timeout
config local-auth method fast
config local-auth user-credentials
show local-auth certificates
show local-auth config
show local-auth statistics
clear stats local-auth
debug aaa local-auth
To configure an EAP-FAST profile, use the config local-auth method fast command.
config local-auth method fast {anon-prov [enable | disable] | authority-id auth_id |
pac-ttl days | server-key key_value}
This example shows how to prevent the controller from allowing anonymous provisioning:
This example shows how to configure the authority identifier 0125631177 of the local EAP-FAST server:
This example shows how to configure the number of days to 10 for the PAC to remain viable:
config local-auth active-timeout
config local-auth eap-profile
config local-auth user-credentials
show local-auth certificates
show local-auth config
show local-auth statistics
clear stats local-auth
debug aaa local-auth
To configure the local Extensible Authentication Protocol (EAP) authentication database search order for user credentials, use the config local-auth user-credentials command.
config local-auth user-credentials { local [ldap] | ldap [local]}
Specifies that the local database is searched for the user credentials.
(Optional) Specifies that the Lightweight Directory Access Protocol (LDAP) database is searched for the user credentials.
The order of the specified database parameters indicates the database search order.
This example shows how to specify the order in which the local EAP authentication database is searched:
In the above example, the local database is searched first and then the LDAP database.
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
show local-auth certificates
show local-auth config
show local-auth statistics
clear stats local-auth
debug aaa local-auth
To configure a location-based system, use the config location command.
config location { add location [ description ] | delete location | enable | disable |
description location description | algorithm { simple | rssi-average } |
{ rssi-half-life | expiry } [ client | calibrating-client | tags | rogue-aps ] seconds |
notify-threshold [ client | tags | rogue-aps ] threshold |
interface-mapping { add | delete } location wlan_id interface_name |
plm { client { enable | disable } burst_interval | calibrating { enable | disable } { uniband | multiband }}}
See the “Syntax Description” section for default values of individual arguments and keywords.
This example shows how to specify the simple algorithm for averaging RSSI and SNR values on a location-based controller:
clear location rfid
clear location statistics rfid
show location
show location statistics rfid
To set the severity level for logging messages to the controller buffer, use the config logging buffered command.
config logging buffered security_level
This example shows how to set the controller buffer severity level for logging messages to 4:
config logging syslog facility
config logging syslog level
show logging
To set the severity level for logging messages to the controller console, use the config logging console command.
config logging console security_level
This example shows how to set the controller console severity level for logging messages to 3:
config logging syslog facility
config logging syslog level
show logging
To save debug messages to the controller buffer, the controller console, or a syslog server, use the config logging debug command.
config logging debug { buffered | console | syslog } {enable | disable }
This example shows how to save the debug messages to the controller console:
To cause the controller to include information about the source file in the message logs or to prevent the controller from displaying this information, use the config logging fileinfo command.
config logging fileinfo {enable | disable}
Includes information about the source file in the message logs.
Prevents the controller from displaying information about the source file in the message logs.
This example shows how to enable the controller to include information about the source file in the message logs:
To cause the controller to include process information in the message logs or to prevent the controller from displaying this information, use the config logging procinfo command.
config logging procinfo {enable | disable}
Prevents the controller from displaying process information in the message logs.
This example shows how to enable the controller to include the process information in the message logs:
To cause the controller to include traceback information in the message logs or to prevent the controller from displaying this information, use the config logging traceinfo command.
config logging traceinfo {enable | disable}
Prevents the controller from displaying traceback information in the message logs.
This example shows how to prevent the controller from including the traceback information in the message logs:
To configure a remote host for sending syslog messages, use the config logging syslog host command.
config logging syslog host { host_IP_address }
To remove a remote host that was configured for sending syslog messages, enter the config logging syslog host host_IP_address delete command.
This example shows how to configure a remote host 10.92.125.52 for sending the syslog messages:
config logging syslog facility
config logging syslog level
show logging
To set the facility for outgoing syslog messages to the remote host, use the config logging syslog facility command.
config logging syslog facility facility_code
This example shows how to set the facility for outgoing syslog messages to authorization:
config logging syslog host
config logging syslog level
show logging
To set the severity level for filtering syslog messages to the remote host, use the config logging syslog level command.
config logging syslog level severity_level
This example shows how to set the severity level for syslog messages to 3:
config logging syslog host
config logging syslog facility
show logging
To close all active Telnet session(s), use the config loginsession close command.
config loginsession close { session_id | all }
This example shows how to close all active Telnet sessions:
Use the config macfilter commands to configure macfilter settings.
To create or delete a MAC filter entry on the Cisco wireless LAN controller, use the config macfilter command.
config macfilter { add client_MAC wlan_id [ interface_name] [ description] [macfilter_IP] |
delete client_MAC}
Use the config macfilter add command to add a client locally to a wireless LAN on the Cisco wireless LAN controller. This filter bypasses the RADIUS authentication process.
This example shows how to add a MAC filter entry 00:E0:77:31:A3:55 with the wireless LAN ID 1, interface name labconnect, and MAC filter IP 10.92.125.51 on the controller:
To add a description to a MAC filter, use the config macfilter description command.
config macfilter description MAC description
(Optional) Description within double quotes (up to 32 characters).
This example shows how to set the description MAC filter 01 to MAC address 11:11:11:11:11:11:
To create a MAC filter client interface, use the config macfilter interface command.
config macfilter interface MAC interface
This example shows how to create a MAC filter interface Lab01 on client 11:11:11:11:11:11:
To assign an IP address to an existing MAC filter entry, if one was not assigned using the config macfilter add command, use the config macfilter ip-address command.
config macfilter ip-address MAC_address IP_address
IP address for a specific MAC address in the local MAC filter database.
This example shows how to specify IP address 10.92.125.51 for a MAC 00:E0:77:31:A3:55 in the local MAC filter database:
To set the MAC delimiter (colon, hyphen, none, and single-hyphen) for MAC addresses sent to RADIUS servers, use the config macfilter mac-delimiter command.
config macfilter mac-delimiter { none | colon | hyphen | single-hyphen }
Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).
Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).
Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx).
This example shows how to have the operating system send MAC addresses to the RADIUS server in the form aa:bb:cc:dd:ee:ff:
This example shows how to have the operating system send MAC addresses to the RADIUS server in the form aa-bb-cc-dd-ee-ff:
This example shows how to have the operating system send MAC addresses to the RADIUS server in the form aabbccddeeff:
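The four delimiter forms above decide what string the RADIUS server receives, so a server or log pipeline that expects a different form will not match the client. The following Python parser is an added example, not Cisco code: it accepts a MAC address in any of the four documented forms, rejects everything else, and re-emits it in a chosen form. Lowercase output is an assumption taken from the forms shown on this page.

```python
import re

# Delimiter keywords from `config macfilter mac-delimiter`:
# keyword -> (separator, number of hex digits per group)
_FORMATS = {
    "none": ("", 12),           # aabbccddeeff
    "colon": (":", 2),          # aa:bb:cc:dd:ee:ff
    "hyphen": ("-", 2),         # aa-bb-cc-dd-ee-ff
    "single-hyphen": ("-", 6),  # aabbcc-ddeeff
}

# Exactly the four documented layouts; nothing else is accepted.
_ACCEPTED = re.compile(
    r"^(?:[0-9a-f]{12}"
    r"|[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
    r"|[0-9a-f]{2}(?:-[0-9a-f]{2}){5}"
    r"|[0-9a-f]{6}-[0-9a-f]{6})$"
)


def parse_mac(text):
    """Return the 12 lowercase hex digits of a MAC written in a documented form.

    Mixed delimiters and wrong lengths raise ValueError instead of being
    repaired, so a malformed log field is never matched to a client.
    """
    candidate = text.strip().lower()
    if not _ACCEPTED.match(candidate):
        raise ValueError(f"not a MAC in a documented delimiter form: {text!r}")
    return candidate.replace(":", "").replace("-", "")


def format_mac(text, delimiter):
    """Re-emit a MAC address in the form selected by a mac-delimiter keyword."""
    if delimiter not in _FORMATS:
        raise ValueError(f"unknown mac-delimiter keyword: {delimiter!r}")
    separator, group = _FORMATS[delimiter]
    digits = parse_mac(text)
    return separator.join(digits[i:i + group] for i in range(0, 12, group))


def same_client(mac_a, mac_b):
    """Compare two MAC strings regardless of delimiter form or letter case."""
    return parse_mac(mac_a) == parse_mac(mac_b)


if __name__ == "__main__":
    # Constructed input: the MAC address used in this chapter's macfilter examples.
    for keyword in _FORMATS:
        print(f"{keyword:14} {format_mac('00:E0:77:31:A3:55', keyword)}")
```
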
To configure the Cisco wireless LAN controller for compatibility with selected RADIUS servers, use the config macfilter radius-compat command.
config macfilter radius-compat { Cisco | free | other }
This example shows how to configure the Cisco ACS compatibility mode to “other”:
To modify a wireless LAN ID for a MAC filter, use the config macfilter wlan-id command.
config macfilter wlan-id MAC wlan_id
Wireless LAN identifier to associate with. A value of zero is not allowed.
This example shows how to modify client wireless LAN ID 2 for a MAC filter 11:11:11:11:11:11:
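Several commands documented above leave the controller more open than their alternatives: an anonymous LDAP bind, EAP-FAST anonymous provisioning, a plaintext license agent listener, local MAC filter entries (which bypass RADIUS authentication), and the absence of a remote syslog host. The following Python script is an added example, not Cisco code; it assumes the configuration is available as one command per line in the syntax shown in this chapter, replays the commands in order, and reports what the final state leaves open. The sample input, including every name, address and secret in it, is constructed.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int  # 1-based line that set the state; 0 for whole-file findings
    rule: str
    detail: str


# Constructed sample: one command per line in the syntax this chapter documents.
SAMPLE_CONFIG = '''\
config ldap simple-bind anonymous 10
config ldap simple-bind authenticated 11 username svc-wlc password Example-Only-1
config local-auth method fast anon-prov enable
config local-auth method fast pac-ttl 10
config license agent listener http plaintext /lic-agent authenticate none
config macfilter add 00:E0:77:31:A3:55 1 labconnect "lab printer" 10.92.125.51
config macfilter add 11:11:11:11:11:11 2
config macfilter delete 11:11:11:11:11:11
config logging syslog host 10.92.125.52
config logging syslog host 10.92.125.52 delete
config logging syslog level 3
'''


def audit(config_text):
    """Replay the commands in order (last write wins) and report the end state."""
    ldap_bind = {}        # server index -> (bind mode, line_no)
    anon_prov = None      # line that left EAP-FAST anonymous provisioning enabled
    plaintext = None      # line that left the license agent listener in plaintext
    macfilters = {}       # client MAC -> (wlan_id, line_no)
    syslog_hosts = set()  # remote syslog hosts still configured

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        try:
            tok = shlex.split(raw)  # keeps double-quoted descriptions together
        except ValueError:
            continue                # unbalanced quote: not a complete command
        low = [t.lower() for t in tok]
        if low[:3] == ["config", "ldap", "simple-bind"] and len(tok) >= 5:
            ldap_bind[tok[4]] = (low[3], line_no)
        elif low[:5] == ["config", "local-auth", "method", "fast", "anon-prov"] \
                and len(tok) >= 6:
            anon_prov = line_no if low[5] == "enable" else None
        elif low[:5] == ["config", "license", "agent", "listener", "http"] \
                and len(tok) >= 6:
            plaintext = line_no if low[5] == "plaintext" else None
        elif low[:3] == ["config", "macfilter", "add"] and len(tok) >= 5:
            macfilters[low[3]] = (tok[4], line_no)
        elif low[:3] == ["config", "macfilter", "delete"] and len(tok) >= 4:
            macfilters.pop(low[3], None)
        elif low[:4] == ["config", "logging", "syslog", "host"] and len(tok) >= 5:
            if low[5:6] == ["delete"]:
                syslog_hosts.discard(tok[4])
            else:
                syslog_hosts.add(tok[4])

    findings = []
    for index, (mode, line_no) in ldap_bind.items():
        if mode == "anonymous":
            findings.append(Finding(line_no, "LDAP_ANONYMOUS_BIND",
                                    f"LDAP server index {index} is bound without credentials"))
    if anon_prov is not None:
        findings.append(Finding(anon_prov, "EAP_FAST_ANON_PROV",
                                "EAP-FAST anonymous provisioning is enabled"))
    if plaintext is not None:
        findings.append(Finding(plaintext, "LICENSE_AGENT_PLAINTEXT",
                                "license agent listener is set to plaintext, not encrypt"))
    for mac, (wlan_id, line_no) in macfilters.items():
        findings.append(Finding(line_no, "LOCAL_MACFILTER",
                                f"{mac} is admitted to WLAN {wlan_id} by a local "
                                "filter that bypasses RADIUS authentication"))
    if not syslog_hosts:
        findings.append(Finding(0, "NO_SYSLOG_HOST",
                                "no remote syslog host is left configured"))
    return sorted(findings, key=lambda f: f.line_no)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        where = f"line {f.line_no}" if f.line_no else "whole file"
        print(f"{where:10} {f.rule:24} {f.detail}")
```
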
To troubleshoot hard-to-solve or hard-to-reproduce memory problems, use the config memory monitor commands.
Note The commands in this section can be disruptive to your system and should be run only when you are advised to do so by the Cisco Technical Assistance Center (TAC).
To enable or disable monitoring for memory errors and leaks, enter this command:
config memory monitor errors { enable | disable }
Note The config memory monitor commands can be disruptive to your system and should be run only when you are advised to do so by the Cisco TAC.
Note Be cautious about changing the defaults for the config memory monitor command unless you know what you are doing, you have detected a problem, or you are collecting troubleshooting information.
This example shows how to enable monitoring for memory errors and leaks for a controller:
config memory monitor leaks
debug memory
show memory monitor
To configure the controller to perform an auto-leak analysis between two memory thresholds, enter the config memory monitor leaks command.
config memory monitor leaks low_thresh high_thresh
Note The config memory monitor commands can be disruptive to your system and should be run only when you are advised to do so by the Cisco TAC.
The default value for low_thresh is 10000 KB; the default value for high_thresh is 30000 KB.
Note Be cautious about changing the defaults for the config memory monitor command unless you know what you are doing, you have detected a problem, or you are collecting troubleshooting information.
Use this command if you suspect that a memory leak has occurred.
If the free memory is lower than the low_thresh threshold, the system crashes, generating a crash file. The default value for this parameter is 10000 KB, and you cannot set it below this value.
Set the high_thresh threshold to the current free memory level or higher so that the system enters auto-leak-analysis mode. After the free memory reaches a level lower than the specified high_thresh threshold, the process of tracking and freeing memory allocation begins. As a result, the debug memory events enable command shows all allocations and frees, and the show memory monitor detail command starts to detect any suspected memory leaks.
This example shows how to set the threshold values for auto-leak-analysis mode to 12000 KB for the low threshold and 35000 KB for the high threshold:
config memory monitor errors
debug memory
show memory monitor
Use the config mesh commands to set mesh access point settings.
To configure alarm settings for outdoor mesh access points, use the config mesh alarm command.
config mesh alarm { max-hop | max-children | low-snr | high-snr | association |
parent-change count } value
See the “Syntax Description” section for command and argument value ranges.
This example shows how to set the maximum hops threshold to 8:
This example shows how to set the upper SNR threshold to 25:
config mesh client-access
config mesh ethernet-bridging vlan-transparent
config mesh full-sector-dfs
config mesh multicast
config mesh radius-server
config mesh security
show mesh ap
show mesh security-stats
show mesh stats
show mgmtuser
To globally enable or disable the anti-stranding feature for outdoor mesh access points, use the config mesh astools command.
config mesh astools { enable | disable }
This example shows how to enable anti-stranding on all outdoor mesh access points:
config mesh security
show mesh ap
show mesh astools stats
show mesh config
show mesh stats
show mgmtuser
To globally enable or disable background scanning for Cisco 1510 access points, use the config mesh background-scanning command.
config mesh background-scanning { enable | disable }
Note This is a legacy command of the Cisco 1510 (SkyCaptain) access points. The command still exists on the controller, but it is not supported on current mesh access points.
This example shows how to disable background scanning for all outdoor mesh access points:
To globally configure the DCA channel set for serial backhaul mesh access points, use the config mesh backhaul dca-channels command.
config mesh backhaul dca-channels { enable | disable }
Enables DCA channels for serial backhaul mesh access points.
Disables DCA channels for serial backhaul mesh access points.
Note The config mesh backhaul dca-channels command is applicable only to serial backhaul mesh access points 1524 and 1523CM.
Before enabling the config mesh backhaul dca-channels command, ensure the following:
This example shows how to set the DCA channel set for serial backhaul for a mesh access point:
config mesh secondary-backhaul
show mesh ap
show mesh backhaul rate-adapt
show mesh config
show mesh secondary-backhaul
show mesh stats
To globally configure the backhaul Tx rate adaptation (universal access) settings for indoor and outdoor mesh access points, use the config mesh backhaul rate-adapt command.
config mesh backhaul rate-adapt [ all | bronze | silver | gold | platinum ] { enable | disable }
To use this command, mesh backhaul with client access must be enabled by using the config mesh client-access command.
Note After this feature is enabled, all mesh access points reboot.
This example shows how to set the backhaul client access to the best-effort level:
config mesh secondary-backhaul
show mesh ap
show mesh backhaul rate-adapt
show mesh config
show mesh secondary-backhaul
show mesh stats
To configure the battery state for Cisco Aironet 1520 series mesh access points, use the config mesh battery-state command.
config mesh battery-state { enable | disable } { all | cisco_ap }
Enables the battery-state for 1520 series mesh access points.
Disables the battery-state for 1520 series mesh access points.
This example shows how to set the backhaul client access to the best-effort level:
To enable or disable client access to the mesh backhaul on indoor and outdoor mesh access points, use the config mesh client-access command.
config mesh client-access { enable [extended] | disable }
Backhaul interfaces (802.11a radios) act as primary Ethernet interfaces. Backhauls function as trunks in the network and carry all VLAN traffic between the wireless and wired network. No configuration of primary Ethernet interfaces is required.
When this feature is enabled, Cisco Aironet 1520 series (152x) mesh access points allow wireless client association over the 802.11a radio, which implies that a 152x mesh access point can carry both backhaul traffic and 802.11a client traffic over the same 802.11a radio.
When this feature is disabled, the 152x carries backhaul traffic over the 802.11a radio and allows client association only over the 802.11b/g radio.
This example shows how to enable client access extended to allow a wireless client association over the 802.11a radio:
This example shows how to restrict a wireless client association to the 802.11b/g radio:
config mesh secondary-backhaul
show mesh ap
show mesh client-access
show mesh config
show mesh stats
To configure how a mesh access point handles VLAN tags for Ethernet bridged traffic, use the config mesh ethernet-bridging vlan-transparent command.
config mesh ethernet-bridging vlan-transparent { enable | disable }
VLAN transparent is enabled as a default to ensure a smooth software upgrade from 4.1.192.xxM releases to release 5.2. Release 4.1.192.xxM does not support VLAN tagging.
This example shows how to configure Ethernet packets as untagged:
This example shows how to drop tagged Ethernet packets:
config mesh client-access
config mesh linkdata
config mesh linktest
config mesh multicast
show mesh ap
show mesh client-access
show mesh config
show mesh stats
To globally enable or disable full-sector Dynamic Frequency Selection (DFS) on mesh access points, use the config mesh full-sector-dfs command.
config mesh full-sector-dfs { enable | disable }
This command instructs the mesh sector to make a coordinated channel change on the detection of a radar signal. For example, if a mesh access point (MAP) detects a radar signal, the MAP will notify the root access point (RAP), and the RAP will initiate a sector change.
All MAPs and the RAP that belong to that sector go to a new channel, which lowers the probability of MAPs stranding when radar is detected on the current backhaul channel, and no other valid parent is available as backup.
Each sector change causes the network to be silent for 60 seconds (as dictated by the DFS standard).
It is expected that after a half hour, the RAP will go back to the previously configured channel. If radar is frequently observed on a RAP's channel, it is therefore important that you configure a different channel for that RAP so that the radar-affected channel is excluded at the controller.
This example shows how to enable full-sector DFS on mesh access points:
config mesh alarm
config mesh background-scanning
config mesh battery-state
config mesh client-access
config mesh linkdata
config mesh linktest
config mesh range
show mesh ap
show mesh security-stats
show mesh stats
show mgmtuser
To enable external MAC filtering of access points, use the config mesh linkdata command.
config mesh linkdata destination_ap_name
Note The config mesh linktest and config mesh linkdata commands are designed to be used together to verify information between a source and a destination access point. To get this information, first execute the config mesh linktest command with the access point that you want link data from in the dest_ap argument. When the command completes, enter the config mesh linkdata command and list the same destination access point to display the link data (see example).
MAC filtering uses the local MAC filter on the controller by default.
When external MAC filter authorization is enabled, if the MAC address is not found in the local MAC filter, then the MAC address in the external RADIUS server is used.
MAC filtering protects your network against rogue mesh access points by preventing access points that are not defined on the external server from joining.
Before employing external authentication within the mesh network, the following configuration is required:
This example shows how to enable external MAC address filtering on access point AP001d.710d.e300:
This example shows how to enable external MAC filtering on access point AP001d.71d.e300:
config mesh alarm
config mesh client-access
config mesh ethernet-bridging vlan-transparent
config mesh linktest
config mesh radius-server
show mesh ap
show mesh client-access
show mesh config
show mesh stats
To verify client access between mesh access points, use the config mesh linktest command.
config mesh linktest source_ap { dest_ap | dest_MAC } datarate packet_rate packet_size duration
Note The config mesh linktest and config mesh linkdata commands are designed to be used together to verify information between a source and a destination access point. To get this information, first enter the config mesh linktest command with the access point that you want link data from in the dest_ap argument. When the command completes, enter the config mesh linkdata command and list the same destination access point, to display the link data.
The following warning message appears when you run a linktest that might oversubscribe the link:
This example shows how to verify client access between mesh access points SB_MAP1 and SB_RAP2 at 36 Mbps, 20 fps, 100 frame size, and 15 second duration:
Table 2-4 lists the output flags displayed for the config mesh linktest command.
config mesh battery-state
config mesh client-access
config mesh full-sector-dfs
config mesh linkdata
config mesh multicast
config mesh range
config mesh secondary-backhaul
show mesh backhaul rate-adapt
show mesh client-access
show mesh config
show mesh security-stats
show mesh stats
To configure multicast mode settings to manage multicast transmissions within the mesh network, use the config mesh multicast commands.
config mesh multicast { regular | in | in-out }
Multicast for mesh networks cannot be enabled using the controller GUI.
Mesh multicast modes determine how bridging-enabled access points (mesh access points [MAPs] and root access points [RAPs]) send multicasts among Ethernet LANs within a mesh network. Mesh multicast modes manage non-LWAPP multicast traffic only. LWAPP multicast traffic is governed by a different mechanism.
You can use the controller CLI to configure three mesh multicast modes to manage video camera broadcasts on all mesh access points. When enabled, these modes reduce unnecessary multicast transmissions within the mesh network and conserve backhaul bandwidth.
When using in-out mode, it is important to properly partition your network to ensure that a multicast sent by one RAP is not received by another RAP on the same Ethernet segment and then sent back into the network.
Note If 802.11b clients need to receive CAPWAP multicasts, then multicast must be enabled globally on the controller as well as on the mesh network (by using the config network multicast global command). If multicast does not need to extend to 802.11b clients beyond the mesh network, you should disable the global multicast parameter.
This example shows how to multicast video across the entire mesh network and all its segments by bridging-enabled RAPs and MAPs:
config network multicast global
config mesh battery-state
config mesh client-access
config mesh linktest
config mesh secondary-backhaul
show mesh ap
show mesh config
show mesh stats
To enable or disable the 4.9-GHz public safety band for mesh access points, use the config mesh public-safety command.
config mesh public-safety { enable | disable } { all | cisco_ap }
4.9 GHz is a licensed frequency band restricted to public-safety personnel.
This example shows how to enable the 4.9-GHz public safety band for all mesh access points:
config mesh range
config mesh security
show mesh ap
show mesh config
show mesh public-safety
show mesh security-stats
show mesh stats
To enable or disable external authentication for mesh access points, use the config mesh radius-server command.
config mesh radius-server index { enable | disable }
Disables the external authentication for mesh access points.
This example shows how to enable external authentication for mesh access points:
config mesh alarm
config mesh security
show mesh ap
show mesh security-stats
show mesh stats
To globally set the maximum range between outdoor mesh root access points (RAPs) and mesh access points (MAPs), use the config mesh range command.
(Optional) Maximum operating range (150 to 132000 ft) of the mesh access point.
After this command is enabled, all outdoor mesh access points reboot. This command does not affect indoor access points.
This example shows how to set the range between an outdoor mesh RAP and a MAP:
config mesh astools
config mesh background-scanning
config mesh ethernet-bridging vlan-transparent
config mesh full-sector-dfs
config mesh linkdata
config mesh linktest
show mesh ap
show mesh stats
To configure a secondary backhaul on the mesh network, use the config mesh secondary-backhaul command.
config mesh secondary-backhaul { enable [ force-same-secondary-channel ] |
disable [ rll-retransmit | rll-transmit ]}
Note The secondary backhaul access feature is not supported by Cisco 1520 and 1524 indoor mesh access points in the 5.2 release.
This command uses a secondary backhaul radio as a temporary path for traffic that cannot be sent on the primary backhaul due to intermittent interference.
This example shows how to enable a secondary backhaul radio and force all access points rooted at the first hop node to have the same secondary channel:
config mesh battery-state
show mesh backhaul rate-adapt
show mesh client-access
show mesh config
show mesh secondary-backhaul
show mesh stats
To configure the security settings for mesh networks, use the config mesh security commands.
config mesh security {{{ rad-mac-filter | force-ext-auth } { enable | disable }} | eap | psk }
This example shows how to configure EAP as the security option for all mesh access points:
This example shows how to configure PSK as the security option for all mesh access points:
config mesh alarm
config mesh background-scanning
config mesh client-access
config mesh public-safety
config mesh radius-server
show mesh ap
show mesh client-access
show mesh config
show mesh security-stats
show mesh stats
Use the config mgmtuser commands to configure management user settings.
To add a local management user to the Cisco wireless LAN controller, use the config mgmtuser add command.
config mgmtuser add username password { read-write | read-only } [ description ]
This example shows how to create a management user account with read-write access:
To delete a management user from the Cisco wireless LAN controller, use the config mgmtuser delete command.
config mgmtuser delete username
Account username. The username can be up to 24 alphanumeric characters.
This example shows how to delete a management user account admin from the Cisco wireless LAN controller:
To add a description to an existing management user login to the Cisco wireless LAN controller, use the config mgmtuser description command.
config mgmtuser description username description
Account username. The username can be up to 24 alphanumeric characters.
Description of the account. The description can be up to 32 alphanumeric characters within double quotes.
This example shows how to add a description “primary-user” to the management user “admin”:
To change a management user password, use the config mgmtuser password command.
config mgmtuser password username password
Account username. The username can be up to 24 alphanumeric characters.
Account password. The password can be up to 24 alphanumeric characters.
This example shows how to change the password of the management user “admin” with the new password 5rTfm:
Use the config mobility commands to configure mobility (roaming) settings.
To create a new mobility anchor for the WLAN or wired guest LAN, use the config mobility group anchor command.
config mobility group anchor { add | delete } { wlan wlan_id | guest-lan guest_lan_id } anchor_ip
The wlan_id or guest_lan_id must exist and be disabled.
Auto-anchor mobility is enabled for the WLAN or wired guest LAN when you configure the first mobility anchor. Deleting the last anchor disables the auto-anchor mobility feature and resumes normal mobility for new associations.
This example shows how to add a mobility anchor with the IP address 192.12.1.5 to a wireless LAN ID 2:
This example shows how to delete a mobility anchor with the IP address 193.13.1.15 from a wireless LAN:
config guest-lan mobility anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
config wlan mobility anchor
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To configure the mobility domain name, use the config mobility group domain command.
config mobility group domain domain_name
Domain name. The domain name can be up to 31 case-sensitive characters.
This example shows how to configure a mobility domain name lab1:
config mobility group anchor
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To configure the controller to detect failed mobility group members (including anchor controllers), use the config mobility group keepalive count command.
config mobility group keepalive count count
Number of times a ping request is sent to a mobility group member before the member is considered unreachable. The valid range is 3 to 20. The default is 3.
This example shows how to specify the number of times a ping request is sent to a mobility group member before the member is considered unreachable to 3 counts:
config mobility group anchor
config mobility group domain
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To configure the controller to detect failed mobility group members (including anchor controllers), use the config mobility group keepalive interval command.
config mobility group keepalive interval
Interval of time between each ping request sent to a mobility group member. The valid range is 1 to 30 seconds. The default value is 10 seconds.
This example shows how to specify the amount of time between each ping request sent to a mobility group member to 10 seconds:
config mobility group anchor
config mobility group domain
config mobility group keepalive count
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To add or delete users from the mobility group member list, use the config mobility group member command.
config mobility group member { add MAC IP_address [ group_name ] | delete MAC }
(Optional) Member switch group name (if different from the default group name).
This example shows how to add a mobility group member to the list:
config mobility group anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To configure the multicast group IP address for nonlocal groups within the mobility list, use the config mobility group multicast-address command:
config mobility group multicast-address group_name IP_address
Member switch group name (if different from the default group name).
This example shows how to configure the multicast group IP address 10.10.10.1 for a group named test:
config mobility group anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To enable or disable multicast mobility mode, use the config mobility multicast-mode command.
config mobility multicast-mode {enable | disable} local_group_multicast_address
This example shows how to enable the multicast mobility mode for the local mobility group IP address 157.168.20.0:
config mobility group anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility secure-mode
config mobility statistics reset
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To configure the secure mode for mobility messages between Cisco wireless LAN controllers, use the config mobility secure-mode command.
config mobility secure-mode { enable | disable }
This example shows how to enable the secure mode for mobility messages:
config mobility group anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility statistics reset
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To reset the mobility statistics, use the config mobility statistics command.
config mobility statistics reset
This example shows how to reset the mobility group statistics:
config mobility group anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
Use the config msglog commands to configure msglog level settings.
To reset the message log so that it collects and displays only critical (highest-level) messages, use the config msglog level critical command.
The message log always collects and displays critical messages, regardless of the message log level setting.
This example shows how to configure the message log severity level and display critical messages:
To reset the message log so that it collects and displays both critical (highest-level) and error (second-highest) messages, use the config msglog level error command.
This example shows how to reset the message log to collect and display critical and noncritical error messages:
To reset the message log so that it collects and displays critical (highest-level), error (second-highest), and security (third-highest) messages, use the config msglog level security command.
This example shows how to reset the message log so that it collects and displays critical, noncritical, and authentication or security-related errors:
To reset the message log so that it collects and displays all messages, use the config msglog level verbose command.
This example shows how to reset the message log so that it collects and displays all messages:
To reset the message log so that it collects and displays critical (highest-level), error (second-highest), security (third-highest), and warning (fourth-highest) messages, use the config msglog level warning command.
This example shows how to reset the message log so that it collects and displays warning messages in addition to critical, noncritical, and authentication or security-related errors:
Use the config media-stream commands to configure media stream settings.
To configure the media-stream multicast direct, use the config media-stream command.
config media-stream multicast-direct {enable | disable}
Media-stream multicast-direct requires load based Call Admission Control (CAC) to run.
This example shows how to enable the media-stream multicast-direct setting:
This example shows how to disable the media-stream multicast-direct setting:
show 802.11a media-stream name
To configure various parameters of message configuration, use the config media-stream message command.
config media-stream message {state [enable | disable] | url url | email email | phone phone_number | note note}
Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.
This example shows how to enable the session announcement message state:
This example shows how to configure the session announcement e-mail address:
show 802.11a media-stream name
To configure the various global media-stream configurations, use the config media-stream add command.
config media-stream add multicast-direct media_stream_name start-IP end-IP
[template {very-coarse | coarse | ordinary | low-resolution | med-resolution | high-resolution}| detail {bandwidth | packet-size| re-evaluation {periodic | initial}} video video priority {drop | fallback}
Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.
This example shows how to configure a new media stream:
show 802.11a media-stream name
To configure the various global media-stream configurations, use the config media-stream delete command.
config media-stream delete media_stream_name
Media-stream multicast-direct requires load-based Call Admission Control (CAC) to run.
This example shows how to configure the media stream named abc:
show 802.11a media-stream name
Use the config netuser commands to configure netuser settings.
To add a guest user on a WLAN or wired guest LAN to the local user database on the controller, use the config netuser add command.
config netuser add username password {wlan wlan_id | guestlan guestlan_id} userType guest lifetime lifetime description description
Local network usernames must be unique because they are stored in the same database.
This example shows how to add a permanent user named Jane to the wireless network for 1 hour:
This example shows how to add a guest user named George to the wireless network for 1 hour:
To delete an existing user from the local network, use the config netuser delete command.
config netuser delete username
Network username. The username can be up to 24 alphanumeric characters.
Local network usernames must be unique because they are stored in the same database.
This example shows how to delete an existing username named able1 from the network:
To add a description to an existing net user, use the config netuser description command.
config netuser description username description
Network username. The username can contain up to 24 alphanumeric characters.
(Optional) User description. The description can be up to 32 alphanumeric characters enclosed in double quotes.
This example shows how to add a user description “HQ1 Contact” to an existing network user named able 1:
To apply a quality of service (QoS) role to a guest user, use the config netuser guest-role apply command.
config netuser guest-role apply username role_name
If you do not assign a QoS role to a guest user, the Role field in the User Details shows the role as default. The bandwidth contracts for this user are defined in the QoS profile for the WLAN.
If you want to unassign a QoS role from a guest user, use the config netuser guest-role apply username default command. This user now uses the bandwidth contracts defined in the QoS profile for the WLAN.
This example shows how to apply a QoS role to a guest user jsmith with the QoS guest role named Contractor:
To create a quality of service (QoS) role for a guest user, use the config netuser guest-role create command.
config netuser guest-role create role_name
To delete a QoS role, use the config netuser guest-role delete role-name command.
This example shows how to create a QoS role for the guest user named guestuser1:
To delete a quality of service (QoS) role for a guest user, use the config netuser guest-role delete command.
config netuser guest-role delete role_name
This example shows how to delete a quality of service (QoS) role for guestuser1:
To configure the average data rate for TCP traffic on a per user basis, use the config netuser guest-role qos data-rate average-data-rate command.
config netuser guest-role qos data-rate average-data-rate role_name rate
For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.
This example shows how to configure an average rate for the QoS guest named guestuser1:
config netuser guest-role create
To configure the average data rate for TCP traffic on a per user basis, use the config netuser guest-role qos data-rate average-realtime-rate command.
config netuser guest-role qos data-rate average-realtime-rate role_name rate
For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.
This example shows how to configure an average data rate for the QoS guest user named guestuser1 with the rate for TCP traffic of 0 Kbps:
config netuser guest-role
config netuser guest-role qos data-rate average-data-rate
To configure the peak data rate for TCP traffic on a per user basis, use the config netuser guest-role qos data-rate burst-data-rate command.
config netuser guest-role qos data-rate burst-data-rate role_name rate
The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy may block traffic to and from the wireless client.
For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.
This example shows how to configure the peak data rate for the QoS guest named guestuser1 with the rate for TCP traffic of 0 Kbps:
config netuser guest-role create
config netuser guest-role delete
config netuser guest-role qos data-rate average-data-rate
To configure the burst real-time data rate for UDP traffic on a per user basis, use the config netuser guest-role qos data-rate burst-realtime-rate command.
config netuser guest-role qos data-rate burst-realtime-rate role_name rate
The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the quality of service (QoS) policy may block traffic to and from the wireless client.
For the role_name parameter in each of these commands, enter a name for the new QoS role. The name uniquely identifies the role of the QoS user (such as contractor, vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.
This example shows how to configure a burst real-time rate for the QoS guest user named guestuser1 with the rate for TCP traffic of 0 Kbps:
To configure the maximum number of Extensible Authentication Protocol (EAP) user login attempts allowed for a network user, use the config netuser maxEapUserLogin command.
config netuser maxEapUserLogin count
Maximum number of login sessions for a single user. The allowed values are from 0 (unlimited) to 8.
This example shows how to configure the maximum number of EAP user login attempts to 8:
To configure the maximum number of login sessions allowed for a network user, use the config netuser maxuserlogin command.
config netuser maxuserlogin count [per method]
Maximum number of login sessions for a single user. The allowed values are from 0 (unlimited) to 8.
This example shows how to configure the maximum number of login sessions for a single user to 8:
To change a local network user password, use the config netuser password command.
config netuser password username password
Network username. The username can be up to 24 alphanumeric characters.
Network user password. The password can contain up to 24 alphanumeric characters.
This example shows how to change the network user password from aire1 to aire2:
To configure a wireless LAN ID for a network user, use the config netuser wlan-id command.
config netuser wlan-id username wlan_id
Network username. The username can be up to 24 alphanumeric characters.
Wireless LAN identifier to associate with the user. A zero value associates the user with any wireless LAN.
This example shows how to configure a wireless LAN ID 2 to associate with the user named aire1:
Use the config network commands to configure network settings.
To enable or disable 802.3 bridging on a controller, use the config network 802.3-bridging command.
config network 802.3-bridging { enable | disable }
In controller software release 5.2, the software-based forwarding architecture for Cisco 2100 Series Controllers is being replaced with a new forwarding plane architecture. As a result, Cisco 2100 Series Controllers and the Cisco wireless LAN controller Network Module for Cisco Integrated Services Routers bridge 802.3 packets by default. Therefore, 802.3 bridging can now be disabled only on Cisco 4400 Series Controllers, the Cisco WiSM, and the Catalyst 3750G Wireless LAN Controller Switch.
To determine the status of 802.3 bridging, enter the show netuser guest-roles command.
This example shows how to enable the 802.3 bridging:
To configure an old bridge access point’s ability to associate with a switch, use the config network allow-old-bridge-aps command.
config network allow-old-bridge-aps { enable | disable }
This example shows how to configure an old bridge access point to associate with the switch:
To configure Cisco lightweight access point fallback, use the config network ap-fallback command.
config network ap-fallback { enable | disable }
This example shows how to enable the Cisco lightweight access point fallback:
To enable or disable the option to prioritize lightweight access points so that after a controller failure they reauthenticate by priority rather than on a first-come-until-full basis, use the config network ap-priority command.
config network ap-priority { enable | disable }
Enables the lightweight access point priority reauthentication.
Disables the lightweight access point priority reauthentication.
This example shows how to enable the lightweight access point priority reauthorization:
To configure AppleTalk bridging, use the config network apple-talk command.
config network apple-talk { enable | disable }
This example shows how to configure AppleTalk bridging:
To set the Address Resolution Protocol (ARP) entry timeout value, use the config network arptimeout command.
config network arptimeout seconds
Timeout in seconds. The minimum value is 10. The default value is 300.
This example shows how to set the ARP entry timeout value to 240 seconds:
To configure the bridging shared secret, use the config network bridging-shared-secret command.
config network bridging-shared-secret shared_secret
Bridging shared secret string. The string can contain up to 10 bytes.
This command creates a secret that encrypts backhaul user data for the mesh access points that connect to the switch.
The zero-touch configuration must be enabled for this command to work.
This example shows how to configure the bridging shared secret string “shhh1”:
To enable or disable broadcast packet forwarding, use the config network broadcast command.
config network broadcast {enable | disable}
This command allows you to enable or disable broadcasting. You must enable multicast mode before enabling broadcast forwarding. Use the config network multicast mode command to configure multicast mode on the controller.
Note The default multicast mode is unicast for all controllers except Cisco 2106 Controllers.
This example shows how to enable broadcast packet forwarding:
show network summary
config network multicast global
config network multicast mode
To enable or disable fast Service Set Identifier (SSID) changing for mobile stations, use the config network fast-ssid-change command.
config network fast-ssid-change { enable | disable }
When you enable the Fast SSID Change feature, the controller allows clients to move between SSIDs. When the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID.
When you disable the Fast SSID Change feature, the controller enforces a delay before clients are allowed to move to a new SSID.
This example shows how to enable the fast SSID changing for mobile stations:
To validate the source IP address and MAC address binding within client packets, use the config network ip-mac-binding command.
config network ip-mac-binding { enable | disable }
In controller software release 5.2, the controller enforces strict IP address-to-MAC address binding in client packets. The controller checks the IP address and MAC address in a packet, compares them to the addresses that are registered with the controller, and forwards the packet only if they both match. In previous releases, the controller checks only the MAC address of the client and ignores the IP address.
Note You might want to disable this binding check if you have a routed network behind a workgroup bridge (WGB).
This example shows how to validate the source IP and MAC address within client packets:
To enable or disable the Cisco wireless LAN controller as an access point default primary, use the config network master-base command. This setting is only used upon network installation and should be disabled after the initial network configuration.
config network master-base { enable | disable }
This setting is only used upon network installation and should be disabled after the initial network configuration. Because the primary Cisco wireless LAN controller is normally not used in a deployed network, the primary Cisco wireless LAN controller setting can be saved from 6.0.199.0 or later releases.
This example shows how to enable the Cisco wireless LAN controller as a default primary:
To enable Cisco wireless LAN controller management from an associated wireless client, use the config network mgmt-via-wireless command.
config network mgmt-via-wireless { enable | disable }
This feature allows wireless clients to manage only the Cisco wireless LAN controller associated with the client and the associated Cisco lightweight access point. That is, clients cannot manage another Cisco wireless LAN controller with which they are not associated.
This example shows how to configure switch management from a wireless interface:
To enable or disable multicasting on the controller, use the config network multicast global command.
config network multicast global { enable | disable }
The config network broadcast {enable | disable} command allows you to enable or disable broadcasting without enabling or disabling multicasting as well. This command uses the multicast mode configured on the controller (by using the config network multicast mode command) to operate.
This example shows how to enable the global multicast support:
To enable or disable IGMP snooping, use the config network multicast igmp snooping command.
config network multicast igmp snooping
This example shows how to configure internet IGMP snooping settings:
To set the IGMP timeout value, use the config network multicast igmp timeout command.
config network multicast igmp timeout
You can enter a timeout value between 30 and 300 seconds. The controller sends three queries in one timeout value at an interval of timeout/3 to see if any clients exist for a particular multicast group. If the controller does not receive a response through an IGMP report from the client, the controller times out the client entry from the MGID table. When no clients are left for a particular multicast group, the controller waits for the IGMP timeout value to expire and then deletes the MGID entry from the controller. The controller always generates a general IGMP query (to destination address 224.0.0.1) and sends it on all WLANs with an MGID value of 1.
This example shows how to configure the timeout value 20 for IGMP network settings:
To configure the controller to use the multicast method to send broadcast or multicast packets to an access point, use the config network multicast mode multicast command.
config network multicast mode multicast
This example shows how to configure the multicast mode to send a single copy of data to multiple receivers:
To configure the controller to use the unicast method to send broadcast or multicast packets to an access point, use the config network multicast mode unicast command.
config network multicast mode unicast
This example shows how to configure the controller to use the unicast mode:
To enable or disable over-the-air provisioning (OTAP) of Cisco lightweight access points, use the config network otap-mode command.
config network otap-mode { enable | disable }
This example shows how to disable the OTAP provisioning:
To set the RF-Network name, use the config network rf-network-name command.
config network rf-network-name name
This example shows how to set the RF-network name to travelers:
To change the state of the secure web (https is http and SSL) interface, use the config network secureweb command.
config network secureweb { enable | disable }
This command allows users to access the controller GUI using http://ip-address. Web mode is not a secure connection.
This example shows how to enable the secure web interface settings:
To enable or disable secure web mode with increased security, or to enable or disable Secure Sockets Layer (SSL v2) for web administration and web authentication, use the config network secureweb cipher-option command.
config network secureweb cipher-option { high | sslv2 } { enable | disable }
Configures whether or not 128-bit ciphers are required for web administration and web authentication.
Configures SSLv2 for both web administration and web authentication.
The default is disabled for secure web mode with increased security and enabled for SSL v2.
Note The cipher-option high command allows users to access the controller GUI using http://ip-address but only from browsers that support 128-bit (or larger) ciphers.
When cipher-option sslv2 is disabled, users cannot connect using a browser configured with SSLv2 only. They must use a browser that is configured to use a more secure protocol such as SSLv3 or later.
This example shows how to enable secure web mode with increased security:
This example shows how to disable SSL v2:
To allow or disallow new Secure Shell (SSH) sessions, use the config network ssh command.
config network ssh { enable | disable }
This example shows how to enable the new SSH session:
To allow or disallow new Telnet sessions, use the config network telnet command.
config network telnet { enable | disable }
This example shows how to configure the new Telnet sessions:
To change the timeout for idle client sessions, use the config network usertimeout command.
config network usertimeout seconds
Recommended user idle timeout in seconds between 90 and 100000. The valid range is 15 to 100000 seconds. The default value is 300 seconds.
This example shows how to configure the idle session timeout to 1200 seconds:
To configure an additional port to be redirected for web authentication, use the config network web-auth-port command.
config network web-auth-port port
This example shows how to configure an additional port number 1200 to be redirected for web authentication:
To enable or disable the web mode, use the config network webmode command.
config network webmode { enable | disable }
This example shows how to disable the web interface mode:
To configure bridge access point ZeroConfig support, use the config network zero-config command.
config network zero-config { enable | disable }
This example shows how to enable the bridge access point ZeroConfig support:
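As an added audit example that is not part of the Cisco documentation, the following Python check reads a list of controller CLI commands and reports the management-plane settings from this chapter that end up in a weaker state. The rule set is an assumed audit policy and the sample commands are constructed; only the two secureweb cipher-option defaults are taken from the text above, and a setting with no default stated here is reported only when it is set explicitly.

```python
from typing import Iterable, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    risky: str              # value that this (assumed) audit policy treats as weak
    default: Optional[str]  # default stated in this chapter, None if it states none
    reason: str


# Command names are the ones documented in this chapter; the policy is an assumption.
RULES = {
    "config network telnet": Rule("enable", None, "Telnet sessions are not encrypted"),
    "config network webmode": Rule("enable", None, "web mode is not a secure connection"),
    "config network secureweb cipher-option high": Rule(
        "disable", "disable", "128-bit ciphers are not required for web admin/auth"),
    "config network secureweb cipher-option sslv2": Rule(
        "enable", "enable", "browsers limited to SSLv2 can still connect"),
    "config network mgmt-via-wireless": Rule(
        "enable", None, "controller can be managed from associated wireless clients"),
    "config network master-base": Rule(
        "enable", None, "intended only for installation, disable afterwards"),
    # The chapter notes a legitimate exception: routed networks behind a WGB.
    "config network ip-mac-binding": Rule(
        "disable", None, "source IP/MAC binding in client packets is not checked"),
    "config mobility secure-mode": Rule(
        "disable", None, "mobility messages between controllers are not in secure mode"),
}

Finding = Tuple[str, str, str, str]  # (command, value, "explicit" | "default", reason)


def last_settings(lines: Iterable[str]) -> dict:
    """Return the final enable/disable value per audited command (last line wins)."""
    state = {}
    for raw in lines:
        tokens = raw.split()
        if len(tokens) < 3 or tokens[-1] not in ("enable", "disable"):
            continue
        command = " ".join(tokens[:-1])
        # Exact match keeps "secureweb" separate from "secureweb cipher-option ...".
        if command in RULES:
            state[command] = tokens[-1]
    return state


def audit(lines: Iterable[str]) -> List[Finding]:
    """Report audited commands whose effective value equals the risky value."""
    state = last_settings(lines)
    findings = []
    for command, rule in RULES.items():
        value = state.get(command, rule.default)
        if value is not None and value == rule.risky:
            origin = "explicit" if command in state else "default"
            findings.append((command, value, origin, rule.reason))
    return findings


# Constructed sample: a change script as an operator might type it.
SAMPLE = """\
config network telnet enable
config network ssh enable
config network webmode enable
config network webmode disable
config network secureweb enable
config network secureweb cipher-option high enable
config network mgmt-via-wireless enable
config network master-base disable
config mobility secure-mode disable
config network ip-mac-binding enable
"""

if __name__ == "__main__":
    for command, value, origin, reason in audit(SAMPLE.splitlines()):
        print(f"{command} {value} ({origin}): {reason}")
```

In the sample, SSLv2 is reported even though no line mentions it, because the chapter gives its default as enabled; webmode is not reported because the later disable overrides the earlier enable.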
To modify the Network Mobility Services Protocol (NMSP) notification interval value on the controller to address latency in the network, use the config nmsp notify-interval measurement command.
config nmsp notify-interval measurement { client | rfid | rogue } interval
Modifies the interval for active radio frequency identification (RFID) tags.
Modifies the interval for rogue access points and rogue clients.
The TCP port (16113) that the controller and location appliance communicate over must be open (not blocked) on any firewall that exists between the controller and the location appliance for NMSP to function.
This example shows how to modify the NMSP notification interval for the active RFID tags to 25 seconds:
clear locp statistics
clear nmsp statistics
show nmsp notify-interval summary
show nmsp statistics
show nmsp status
To enable or disable temporary display of passwords in plain text, use the config passwd-cleartext command.
config passwd-cleartext { enable | disable }
This command must be enabled if you want to see user-assigned passwords displayed in clear text when using the show run-config command.
To execute this command, you must enter an admin password. This command is valid only for this particular session. It is not saved following a reboot.
This example shows how to enable display of passwords in plain text:
To delete an entry in the Pairwise Master Key (PMK) cache from all Cisco wireless LAN controllers in the mobility group, use the config pmk-cache delete command.
config pmk-cache delete { all | mac_address }
This example shows how to delete all entries in the PMK cache:
To enable or disable the administrative mode for a specific controller port or for all ports, use the config port adminmode command.
config port adminmode { all | port } { enable | disable }
This example shows how to disable port 8:
This example shows how to enable all ports:
config port autoneg
config port linktrap
config port multicast appliance
config port power
show port
transfer download port
To configure 10/100BASE-T Ethernet ports for physical port autonegotiation, use the config port autoneg command.
config port autoneg { all | port } { enable | disable }
The default for all ports is that autonegotiation is enabled.
This example shows how to turn on physical port autonegotiation for all front-panel Ethernet ports:
This example shows how to disable physical port autonegotiation for front-panel Ethernet port 19:
config port adminmode
config port linktrap
config port multicast appliance
config port power
show port
transfer download port
To enable or disable the up and down link traps for a specific controller port or for all ports, use the config port linktrap command.
config port linktrap { all | port } { enable | disable }
This example shows how to disable port 8 traps:
This example shows how to enable all port traps:
config port adminmode
config port autoneg
config port multicast appliance
config port power
show port
transfer download port
To enable or disable the multicast appliance service for a specific controller port or for all ports, use the config port multicast appliance commands.
config port multicast appliance { all | port } { enable | disable }
This example shows how to enable multicast appliance service on all ports:
This example shows how to disable multicast appliance service on port 8:
config port adminmode
config port autoneg
config port linktrap
config port power
show port
transfer download port
To enable or disable Power over Ethernet (PoE) for a specific controller port or for all ports, use the config port power commands.
config port power { all | port } { enable | disable }
This example shows how to enable PoE on all ports:
This example shows how to disable PoE on port 8:
config port adminmode
config port autoneg
config port linktrap
config port multicast appliance
show port
transfer download port
To change the CLI system prompt, use the config prompt command.
New CLI system prompt enclosed in double quotes. The prompt can be up to 31 alphanumeric characters and is case sensitive.
Because the system prompt is a user-defined variable, it is omitted from the rest of this documentation.
This example shows how to change the CLI system prompt to Cisco 4400:
To define the average data rate in Kbps for TCP traffic per user, use the config qos average-data-rate command.
config qos average-data-rate { bronze | silver | gold | platinum } rate
Average data rate for TCP traffic per user. A value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.
This example shows how to configure an average data rate of 0 Kbps for the queue gold:
config qos average-realtime-rate
To define the average real-time data rate in Kbps for UDP traffic per user, use the config qos average-realtime-rate command.
config qos average-realtime-rate { bronze | silver | gold | platinum } rate
This example shows how to configure the average real-time actual rate for queue gold:
To define the peak data rate in Kbps for TCP traffic per user, use the config qos burst-data-rate command.
config qos burst-data-rate { bronze | silver | gold | platinum } rate
Peak data rate for TCP traffic per user. A value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.
This example shows how to configure a peak rate of 30000 Kbps for the queue gold:
config qos average-realtime-rate
To define the burst real-time data rate in Kbps for UDP traffic per user, use the config qos burst-realtime-rate command.
config qos burst-realtime-rate { bronze | silver | gold | platinum } rate
This example shows how to configure a burst real-time actual rate of 2000 Kbps for the queue gold:
To change the profile description, use the config qos description command.
config qos description { bronze | silver | gold | platinum } description
Specifies the QoS profile description for the queue platinum.
This example shows how to configure the QoS profile description “description” for the queue gold:
config qos average-realtime-rate
To specify the maximum percentage of RF usage per access point, use the config qos max-rf-usage command.
config qos max-rf-usage { bronze | silver | gold | platinum } usage_percentage
This example shows how to specify the maximum percentage of RF usage for the queue gold:
To define the maximum value (0-7) for the priority tag associated with packets that fall within the profile, use the config qos protocol-type and config qos dot1p-tag commands.
config qos protocol-type { bronze | silver | gold | platinum } { none | dot1p}
config qos dot1p-tag { bronze | silver | gold | platinum } dot1p_tag
This example shows how to configure the QoS protocol type silver:
This example shows how to configure a QoS 802.1p tag for the queue gold with the dot1p tag value of 5:
To specify the maximum number of packets that access points keep in their queues, use the config qos queue_length command.
config qos queue_length { bronze | silver | gold | platinum } queue_length
Use the config radius acct commands to configure RADIUS account server settings.
To add, delete, or configure settings for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct command.
config radius acct { { enable | disable | delete } index | add index server_ip port { ascii | hex } secret }
RADIUS server index. The controller begins the search with 1.
RADIUS server’s UDP port number for the interface protocols.
When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.
This example shows how to configure a priority 1 RADIUS accounting server at 10.10.10.10 using port 1813 with a login password of admin :
To configure IPsec authentication for the Cisco wireless LAN controller, use the config radius acct ipsec authentication command.
config radius acct ipsec authentication { hmac-md5 | hmac-sha1 } index
This example shows how to configure the IPsec hmac-md5 authentication service on the RADIUS accounting server index 1:
To disable IPsec support for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec disable command.
config radius acct ipsec disable index
This example shows how to disable the IPsec support for RADIUS accounting server index 1:
To enable IPsec support for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec enable command.
config radius acct ipsec enable index
This example shows how to enable the IPsec support for RADIUS accounting server index 1:
To configure IPsec encryption for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec encryption command.
config radius acct ipsec encryption {3des | aes | des} index
This example shows how to configure the IPsec 3DES encryption for RADIUS server index value 3:
To configure Internet Key Exchange (IKE) for the Cisco wireless LAN controller, use the config radius acct ipsec command.
config radius acct ipsec ike { dh-group { group-1 | group-2 | group-5 } | lifetime seconds | phase1 { aggressive | main } } index
This example shows how to configure an IKE lifetime of 23 seconds for RADIUS server index 1:
To specify the delimiter to be used in the MAC addresses that are sent to the RADIUS accounting server, use the config radius acct mac-delimiter command.
config radius acct mac-delimiter { colon | hyphen | single-hyphen | none }
Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).
Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).
Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx).
This example shows how to set a hyphen as the delimiter used in the MAC addresses that are sent to the RADIUS accounting server for the network users:
To configure a default RADIUS server for network users, use the config radius acct network command.
config radius acct network index { enable | disable }
Enables the server as a network user’s default RADIUS server.
Disables the server as a network user’s default RADIUS server.
This example shows how to configure a default RADIUS accounting server for the network users with RADIUS server index 1:
To change the default transmission timeout for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct retransmit-timeout command.
config radius acct retransmit-timeout index timeout
This example shows how to configure a retransmission timeout value of 5 seconds between retransmissions:
Use the config radius auth commands to configure RADIUS authentication server settings.
To add, delete, or configure settings for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth command.
config radius auth { { enable | disable | delete } index | add index server_ip port { ascii | hex } secret }
RADIUS server index. The controller begins the search with 1.
Adds a RADIUS authentication server. See the “Defaults” section.
RADIUS server’s UDP port number for the interface protocols.
When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.
This example shows how to configure a priority 1 RADIUS authentication server at 10.10.10.10 using port 1812 with a login password of admin :
To configure IPsec support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec authentication command.
config radius auth IPsec authentication { hmac-md5 | hmac-sha1 } index
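The following is an added example, not part of the Cisco guide: a Python check that parses the config radius acct ipsec and config radius auth IPsec commands documented in this chapter, applies them in order, and flags any explicitly configured value that is weaker than the strongest option in the documented list. The function names, the weakest-to-strongest ordering, the assumption that a later command overrides an earlier one, and the sample command lines are this example's own.

```python
import re

# Option values exactly as documented in this chapter, ordered weakest to strongest.
# The ordering is this example's assessment, not a statement from the Cisco guide.
RANKED = {
    "authentication": ["hmac-md5", "hmac-sha1"],
    "encryption": ["des", "3des", "aes"],
    "dh-group": ["group-1", "group-2", "group-5"],
    "phase1": ["aggressive", "main"],
}

# Case-insensitive so that both spellings used on the page ("ipsec", "IPsec") match.
IPSEC_RE = re.compile(r"^config\s+radius\s+(acct|auth)\s+ipsec\s+(.+)$", re.IGNORECASE)


def parse_ipsec_command(line):
    """Return (server_kind, setting, value, index), or None if the line is not a
    RADIUS IPsec command. Raise ValueError if it is one but does not parse."""
    m = IPSEC_RE.match(line.strip())
    if not m:
        return None
    kind = m.group(1).lower()
    tokens = m.group(2).lower().split()
    if tokens[0] == "ike":  # ike { dh-group ... | lifetime seconds | phase1 ... } index
        tokens = tokens[1:]
    if len(tokens) == 2 and tokens[0] in ("enable", "disable") and tokens[1].isdigit():
        return kind, "state", tokens[0], int(tokens[1])
    if len(tokens) == 3 and tokens[2].isdigit():
        setting, value = tokens[0], tokens[1]
        if setting in RANKED and value in RANKED[setting]:
            return kind, setting, value, int(tokens[2])
        if setting == "lifetime" and value.isdigit():
            return kind, setting, int(value), int(tokens[2])
    raise ValueError(f"unrecognised RADIUS IPsec command: {line.strip()!r}")


def audit(config_lines):
    """Apply the commands in order (assumption: the last one wins) and return findings."""
    state = {}     # (server_kind, index) -> {setting: value}
    findings = []
    for number, line in enumerate(config_lines, 1):
        try:
            parsed = parse_ipsec_command(line)
        except ValueError as exc:
            findings.append(f"line {number}: {exc}")
            continue
        if parsed:
            kind, setting, value, index = parsed
            state.setdefault((kind, index), {})[setting] = value
    for (kind, index), settings in sorted(state.items()):
        who = f"radius {kind} server {index}"
        if settings.get("state") == "disable":
            findings.append(f"{who}: IPsec explicitly disabled")
        # Only explicitly configured values are judged; defaults are not assumed.
        for setting, ranking in RANKED.items():
            value = settings.get(setting)
            if value is not None and value != ranking[-1]:
                findings.append(
                    f"{who}: {setting} {value} (strongest documented option is {ranking[-1]})"
                )
    return findings


# Constructed sample input; these lines are not taken from a real controller.
SAMPLE_CONFIG = [
    "config radius acct ipsec enable 1",
    "config radius acct ipsec authentication hmac-md5 1",
    "config radius acct ipsec encryption 3des 1",
    "config radius acct ipsec ike lifetime 23 1",
    "config radius auth IPsec enable 1",
    "config radius auth IPsec authentication hmac-sha1 1",
    "config radius auth IPsec encryption des 1",
    "config radius auth IPsec encryption aes 1",      # overrides the des line above
    "config radius auth IPsec ike dh-group group-2 1",
    "config radius auth IPsec ike phase1 aggressive 1",
    "config radius auth IPsec disable 3",
    "config network telnet disable",                  # ignored: not an IPsec command
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```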
To disable IPsec support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec disable command.
config radius auth IPsec {enable | disable} index
This example shows how to enable the IPsec support for RADIUS authentication server index 1:
This example shows how to disable the IPsec support for RADIUS authentication server index 1:
To configure IPsec encryption support for an authentication server for the Cisco wireless LAN controller, use the config radius auth IPsec command.
config radius auth IPsec encryption { 3des | aes | des } index
This example shows how to configure IPsec 3DES encryption for RADIUS authentication server index 3:
To configure Internet Key Exchange (IKE) for the Cisco wireless LAN controller, use the config radius auth IPsec ike command.
config radius auth IPsec ike { dh-group { group-1 | group-2 | group-5 } | lifetime seconds | phase1 { aggressive | main } } index
This example shows how to configure an IKE lifetime of 23 seconds for RADIUS authentication server index 1:
To enable and configure Advanced Encryption Standard (AES) key wrap, which makes the shared secret between the controller and the RADIUS server more secure, use the config radius auth keywrap command.
config radius auth keywrap { enable | disable | add {ascii | hex} kek mack index}
Index of the RADIUS authentication server on which to configure the AES key wrap.
This example shows how to enable the AES key wrap for a RADIUS authentication server:
To specify a delimiter to be used in the MAC addresses that are sent to the RADIUS authentication server, use the config radius auth mac-delimiter command.
config radius auth mac-delimiter { colon | hyphen | single-hyphen | none }
Sets a delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).
Sets a delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).
Sets a delimiter to a single hyphen (for example, xxxxxx-xxxxxx).
This example shows how to specify a hyphen as the delimiter to be used for a RADIUS authentication server:
To configure a default RADIUS server for management users, use the config radius auth management command.
config radius auth management index { enable | disable }
Enables the server as a management user’s default RADIUS server.
Disables the server as a management user’s default RADIUS server.
This example shows how to configure a RADIUS server for management users:
To configure a default RADIUS server for network users, use the config radius auth network command.
config radius auth network index { enable | disable }
To change a default transmission timeout for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth retransmit-timeout command.
config radius auth retransmit-timeout index timeout
To configure RADIUS RFC-3576 support for the authentication server for the Cisco wireless LAN controller, use the config radius auth rfc3576 command.
config radius auth rfc3576 { enable | disable } index
RFC 3576, which is an extension to the RADIUS protocol, allows dynamic changes to a user session. RFC 3576 includes support for disconnecting users and changing authorizations applicable to a user session. Disconnect messages cause a user session to be terminated immediately; CoA messages modify session authorization attributes such as data filters.
To configure a retransmission timeout value for a RADIUS accounting server, use the config radius auth server-timeout command.
config radius auth server-timeout index timeout
To configure the controller to mark a RADIUS server as down (not responding) after the server does not reply to three consecutive clients, use the config radius aggressive-failover disabled command.
config radius aggressive-failover disabled
To configure RADIUS backward compatibility for the Cisco wireless LAN controller, use the config radius backward command.
config radius backward compatibility { enable | disable }
To configure callStationIdType information sent in RADIUS messages for the Cisco wireless LAN controller, use the config radius callStationIdType command.
config radius callStationIdType { ipAddr | macAddr | ap-macAddr }
This command uses the selected calling station ID for communications with RADIUS servers and other applications.
To configure the RADIUS server fallback behavior, use the config radius fallback-test command.
config radius fallback-test { mode { off | passive | active } | username username | interval interval }
This example shows how to disable the RADIUS accounting server fallback behavior:
This example shows how to configure the controller to revert to a preferable server from the available backup servers without using the extraneous probe messages:
This example shows how to configure the controller to revert to a preferable server from the available backup servers by using RADIUS probe messages:
config advanced probe filter
config advanced probe limit
show advanced probe
show radius acct statistics
To configure an automatic timeout of radio frequency identification (RFID) tags, use the config rfid auto-timeout command.
config rfid auto-timeout { enable | disable }
To configure radio frequency identification (RFID) tag data tracking, use the config rfid status command.
config rfid status { enable | disable }
To configure a static radio frequency identification (RFID) tag data timeout, use the config rfid timeout command.
Use the configure rogue commands to configure policy settings for unidentified (rogue) clients.
To globally or individually configure the status of an Independent Basic Service Set (IBSS or ad-hoc) rogue access point, use the config rogue adhoc command.
config rogue adhoc { enable | disable | external rogue_MAC | alert { rogue_MAC | all } | auto-contain [ monitor_ap ] | contain rogue_MAC 1234_aps }
The default for this command is enabled and is set to alert. The default for auto-containment is disabled.
The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients. When the controller discovers a rogue access point, it uses RLDP to determine if the rogue is attached to your wired network.
Note: RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection (DFS).
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
Enter auto-contain with the monitor_ap argument to monitor the rogue access point without containing it. Enter auto-contain without the optional monitor_ap to automatically contain all wired ad-hoc rogues detected by the controller.
This example shows how to enable the detection and reporting of ad-hoc rogues:
This example shows how to enable alerts for all ad-hoc rogue access points:
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To classify the status of a rogue access point, use the config rogue ap classify command.
config rogue ap classify friendly state { internal | external } ap_mac
config rogue ap classify { malicious | unclassified } state { alert | contain } ap_mac
These commands are disabled by default. Therefore, all unknown access points are categorized as unclassified by default.
A rogue access point cannot be moved to the unclassified class if its current state is contain.
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
This example shows how to classify a rogue access point as friendly, meaning that it can be trusted:
This example shows how to classify a rogue access point as malicious and to send an alert:
This example shows how to classify a rogue access point as unclassified and to contain it:
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To add a new friendly access point entry to the friendly MAC address list, or delete an existing friendly access point entry from the list, use the config rogue ap friendly command.
config rogue ap friendly { add | delete } ap_mac
This example shows how to add a new friendly access point with MAC address 11:11:11:11:11:11 to the friendly MAC address list:
config rogue ap classify
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To enable, disable, or initiate the Rogue Location Discovery Protocol (RLDP), use the config rogue ap rldp command.
config rogue ap rldp enable { alarm-only | auto-contain } [ monitor_ap_only ]
config rogue ap rldp initiate rogue_mac_address
config rogue ap rldp disable
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
This example shows how to enable RLDP on all access points:
This example shows how to enable RLDP on monitor-mode access point ap_1:
This example shows how to start RLDP on the rogue access point with MAC address 123.456.789.000:
This example shows how to disable RLDP on all access points:
config rogue ap classify
config rogue ap friendly
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To generate an alarm only, or to automatically contain a rogue access point that is advertising your network’s service set identifier (SSID), use the config rogue ap ssid command.
config rogue ap ssid { alarm | auto-contain }
Generates only an alarm when a rogue access point is discovered to be advertising your network’s SSID.
Automatically contains the rogue access point that is advertising your network’s SSID.
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
This example shows how to automatically contain a rogue access point that is advertising your network’s SSID:
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap timeout
config rogue ap valid-client
config rogue rule
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To specify the number of seconds after which the rogue access point and client entries expire and are removed from the list, use the config rogue ap timeout command.
config rogue ap timeout seconds
Value of 240 to 3600 seconds (inclusive), with a default value of 1200 seconds.
This example shows how to set an expiration time for entries in the rogue access point and client list to 2400 seconds:
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap valid-client
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To generate an alarm only, or to automatically contain a rogue access point to which a trusted client is associated, use the config rogue ap valid-client command.
config rogue ap valid-client { alarm | auto-contain }
Generates only an alarm when a rogue access point is discovered to be associated with a valid client.
Automatically contains a rogue access point to which a trusted client is associated.
When you enter any of the containment commands, the following warning appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another party’s network could have legal consequences.
This example shows how to automatically contain a rogue access point that is associated with a valid client:
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To configure rogue clients, use the config rogue client command.
config rogue client { aaa { enable | disable } | alert ap_mac | contain client_mac } num_of_APs
This example shows how to enable the AAA server or local database to check MAC addresses:
This example shows how to disable the AAA server or local database from checking MAC addresses:
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To enable or disable rogue detection, use the config rogue detection command.
config rogue detection {enable | disable} { Cisco_AP | all}
Note: If an AP itself is configured with the name ‘all’, then the ‘all access points’ case takes precedence over the AP that is named ‘all’.
Rogue detection is enabled by default for all access points joined to the controller except for OfficeExtend access points. OfficeExtend access points are deployed in a home environment and are likely to detect a large number of rogue devices.
This example shows how to enable rogue detection on the access point Cisco_AP:
config rogue rule
config trapflags rogueap
show rogue ap clients
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To add and configure rogue classification rules, use the config rogue rule commands.
config rogue rule { add ap priority priority classify { friendly | malicious } rule_name |
classify { friendly | malicious } rule_name |
condition ap { set | delete } condition_type condition_value rule_name |
{ enable | delete | disable } { all | rule_name } |
match { all | any } |
priority priority rule_name }
For your changes to be effective, you must enable the rule. You can configure up to 64 rules.
This example shows how to create a rule called rule_1 with a priority of 1 and a classification as friendly :
This example shows how to enable rule_1:
This example shows how to change the priority of the last command:
This example shows how to change the classification of the last command:
This example shows how to disable the last command:
This example shows how to delete SSID_2 from the user-configured SSID list in rule-5:
config rogue adhoc
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
config rogue client
config trapflags rogueap
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show rogue client detailed
show rogue client summary
show rogue ignore-list
show rogue rule detailed
show rogue rule summary
To configure a network route from the service port to a dedicated workstation IP address range, use the config route add command.
config route add ip_address netmask gateway
This example shows how to configure a network route to a dedicated workstation IP address 10.1.1.0, subnet mask 255.255.255.0, and gateway 10.1.1.1:
To remove a network route from the service port, use the config route delete command.
config route delete ip_address
This example shows how to delete a route from the network IP address 10.1.1.0:
To set the serial port baud rate, use the config serial baudrate command.
config serial baudrate { 1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 }
This example shows how to configure a serial baud rate with the default connection speed of 9600:
To set the timeout of a serial port session, use the config serial timeout command.
Timeout in minutes from 0 to 160. A value of 0 indicates no timeout.
Use this command to set the timeout for a serial connection to the front of the Cisco wireless LAN controller from 0 to 160 minutes where 0 is no timeout.
This example shows how to configure the timeout of a serial port session to 10 minutes:
To enable or disable timestamps in message logs, use the config service timestamps command.
config service timestamps { debug | log } { datetime | disable }
Specifies to timestamp message logs with the standard date and time.
This example shows how to configure timestamp message logs with the standard date and time:
This example shows how to prevent message logs being timestamped:
To configure the number of Telnet CLI sessions allowed by the Cisco wireless LAN controller, use the config sessions maxsessions command.
config sessions maxsessions session_num
Up to five sessions are possible while a setting of zero prohibits any Telnet CLI sessions.
This example shows how to configure the number of allowed CLI sessions to 2:
To configure the inactivity timeout for Telnet CLI sessions, use the config sessions timeout command.
config sessions timeout timeout
Timeout of Telnet session in minutes (from 0 to 160). A value of 0 indicates no timeout.
This example shows how to configure the inactivity timeout for Telnet sessions to 20 minutes:
To configure various slot parameters, use the config slot command.
config slot slot_Id {enable | disable | channel ap | chan_width | txpower ap | antenna extAntGain antenna_gain | rts} Cisco_AP
This example shows how to enable slot 3 for the access point abc:
This example shows how to configure rts for the access point abc:
Use the config snmp commands to configure Simple Network Management Protocol (SNMP) settings.
To modify the access mode (read only or read/write) of an SNMP community, use the config snmp community accessmode command.
config snmp community accessmode { ro | rw } name
Two communities are provided by default with the following settings:
This example shows how to configure read/write access mode for SNMP community:
show snmp community
config snmp community mode
config snmp community create
config snmp community delete
config snmp community ipaddr
To create a new SNMP community, use the config snmp community create command.
config snmp community create name
Use this command to create a new community with the following default configuration
This example shows how to create a new SNMP community named test:
show snmp community
config snmp community mode
config snmp community accessmode
config snmp community delete
config snmp community ipaddr
To delete an SNMP community, use the config snmp community delete command.
config snmp community delete name
This example shows how to delete an SNMP community named test:
show snmp community
config snmp community mode
config snmp community accessmode
config snmp community create
config snmp community ipaddr
To configure the IP address of an SNMP community, use the config snmp community ipaddr command.
config snmp community ipaddr ip_address ip_mask name
This example shows how to configure an SNMP community with the IP address 10.10.10.10, IP mask 255.255.255.0, and SNMP community named public:
show snmp community
config snmp community mode
config snmp community accessmode
config snmp community create
config snmp community delete
config snmp community ipaddr
To enable or disable an SNMP community, use the config snmp community mode command.
config snmp community mode { enable | disable } name
This example shows how to enable the SNMP community named public:
show snmp community
config snmp community accessmode
config snmp community create
config snmp community delete
config snmp community ipaddr
To set the SNMP system contact name, use the config snmp syscontact command.
config snmp syscontact contact
SNMP system contact name. The contact can be up to 31 alphanumeric characters.
This example shows how to set the SNMP system contact named Cisco WLAN Solution_administrator:
To configure the SNMP system location name, use the config snmp syslocation command.
config snmp syslocation location
SNMP system location name. The location can be up to 31 alphanumeric characters.
This example shows how to configure the SNMP system location name to Building_2a:
To configure a server to receive SNMP traps, use the config snmp trapreceiver create command.
config snmp trapreceiver create name ip_address
The IP address must be valid for the command to add the new server.
This example shows how to add a new SNMP trap receiver with the SNMP community named test and IP address 10.1.1.1:
To delete a server from the trap receiver list, use the config snmp trapreceiver delete command.
config snmp trapreceiver delete name
SNMP community name. The name can contain up to 16 characters.
This example shows how to delete a server named test from the SNMP trap receiver list:
To send or disable sending traps to a selected server, use the config snmp trapreceiver mode command.
config snmp trapreceiver mode { enable | disable } name
This command enables or disables the Cisco wireless LAN controller from sending the traps to the selected server.
This example shows how to disable an SNMP trap receiver from sending traps to a server named server1:
To create a version 3 SNMP user, use the config snmp v3user create command.
config snmp v3user create username { ro | rw } { none | hmacmd5 | hmacsha } { none | des | aescfb128 } [ auth_key ] [ encrypt_key ]
SNMP v3 username AccessMode Authentication Encryption
This example shows how to add an SNMP username named test with read-only privileges and no encryption or authentication:
To delete a version 3 SNMP user, use the config snmp v3user delete command.
config snmp v3user delete username
This example shows how to remove an SNMP user named test:
To enable or disable selected SNMP versions, use the config snmp version command.
config snmp version { v1 | v2 | v3 } { enable | disable }
This example shows how to enable SNMP version v1:
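Added example (not part of the Cisco documentation): a Python script that replays `config snmp` lines written in the syntax documented above and flags the settings a hardening review would question. The sample lines, the key placeholders, and the policy of what counts as weak (v1/v2 enabled, read/write communities, no source restriction, `none`/`hmacmd5`/`des` on v3 users) are assumptions made for this example.

```python
import ipaddress

# Review policy assumed for this example, not a Cisco default.
WEAK_AUTH = {"none": "no authentication", "hmacmd5": "HMAC-MD5 authentication"}
WEAK_PRIV = {"none": "no encryption", "des": "DES encryption"}

# Constructed sample input; <AUTH_KEY>/<ENCRYPT_KEY> are placeholders.
SAMPLE = """\
config snmp version v1 enable
config snmp version v2 disable
config snmp version v3 enable
config snmp community create test
config snmp community accessmode rw test
config snmp community ipaddr 0.0.0.0 0.0.0.0 test
config snmp community mode enable test
config snmp community create nms
config snmp community ipaddr 10.10.10.10 255.255.255.0 nms
config snmp community mode enable nms
config snmp community create old
config snmp community accessmode rw old
config snmp community delete old
config snmp v3user create monitor ro hmacsha aescfb128 <AUTH_KEY> <ENCRYPT_KEY>
config snmp v3user create legacy rw hmacmd5 des <AUTH_KEY> <ENCRYPT_KEY>
config snmp v3user create test ro none none
""".splitlines()


def replay(lines):
    """Apply 'config snmp ...' lines in order; return (communities, v3users, versions)."""
    communities, v3users, versions = {}, {}, {}
    for raw in lines:
        tok = raw.split()
        if tok[:2] != ["config", "snmp"]:
            continue
        args = tok[2:]
        if args[:1] == ["community"] and len(args) >= 3:
            action, rest = args[1], args[2:]
            name = rest[-1]  # the community name is always the last argument
            if action == "delete":
                communities.pop(name, None)
                continue
            # None means "not set by the audited lines"; no product default is assumed.
            entry = communities.setdefault(
                name, {"access": None, "source": None, "enabled": None})
            if action == "accessmode" and len(rest) == 2:
                entry["access"] = rest[0]
            elif action == "ipaddr" and len(rest) == 3:
                entry["source"] = ipaddress.IPv4Network(
                    f"{rest[0]}/{rest[1]}", strict=False)
            elif action == "mode" and len(rest) == 2:
                entry["enabled"] = rest[0] == "enable"
        elif args[:2] == ["v3user", "create"] and len(args) >= 6:
            # Keys (args[6:]) are deliberately dropped so they never reach a report.
            v3users[args[2]] = {"access": args[3], "auth": args[4], "priv": args[5]}
        elif args[:2] == ["v3user", "delete"] and len(args) == 3:
            v3users.pop(args[2], None)
        elif args[:1] == ["version"] and len(args) == 3:
            versions[args[1]] = args[2] == "enable"
    return communities, v3users, versions


def audit(lines):
    """Return a list of (kind, name, issue) findings for the final SNMP state."""
    communities, v3users, versions = replay(lines)
    findings = []
    for ver in ("v1", "v2"):
        if versions.get(ver):
            findings.append(("version", ver, "community string sent in cleartext"))
    for name, c in communities.items():
        if c["enabled"] is False:
            continue  # explicitly disabled communities are not reachable
        if c["access"] == "rw":
            findings.append(("community", name, "read/write access"))
        if c["source"] is None or c["source"].prefixlen == 0:
            findings.append(("community", name, "no source address restriction set"))
    for user, u in v3users.items():
        if u["auth"] in WEAK_AUTH:
            findings.append(("v3user", user, WEAK_AUTH[u["auth"]]))
        if u["priv"] in WEAK_PRIV:
            findings.append(("v3user", user, WEAK_PRIV[u["priv"]]))
    return findings


if __name__ == "__main__":
    for kind, name, issue in audit(SAMPLE):
        print(f"{kind:<10} {name:<8} {issue}")
```
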
Use the config spanningtree commands to configure Spanning Tree Protocol settings.
To turn fast or 802.1D Spanning Tree Protocol (STP) on or off for one or all Cisco wireless LAN controller ports, use the config spanningtree port mode command.
config spanningtree port mode { off | 802.1d | fast } { port | all }
When the Cisco 4400 Series Wireless LAN Controller is configured for port redundancy, STP must be disabled for all ports on the controller. STP can remain enabled on the switch connected to the controller.
Entering this command allows the controller to set up STP, detect logical network loops, place redundant ports on standby, and build a network with the most efficient pathways.
This example shows how to disable STP for all Ethernet ports:
This example shows how to turn on STP 802.1D mode for Ethernet port 24:
This example shows how to turn on fast STP mode for Ethernet port 2:
show spanningtree port
config spanningtree switch mode
config spanningtree port pathcost
config spanningtree port priority
To set the Spanning Tree Protocol (STP) path cost for an Ethernet port, use the config spanningtree port pathcost command.
config spanningtree port pathcost { cost | auto } { port | all }
Port number (1 through 12 or 1 through 24), or all to configure all ports.
When the Cisco 4400 Series Wireless LAN Controller is configured for port redundancy, STP must be disabled for all ports on the controller. STP can remain enabled on the switch that is connected to the controller.
This example shows how to have the STP algorithm automatically assign a path cost for all ports:
This example shows how to have the STP algorithm use a port cost of 200 for port 22:
show spanningtree port
config spanningtree port mode
config spanningtree port priority
To configure the Spanning Tree Protocol (STP) port priority, use the config spanningtree port priority command.
When the Cisco 4400 Series Wireless LAN Controller is configured for port redundancy, STP must be disabled for all ports on the controller. STP can remain enabled on the switch connected to the controller.
This example shows how to set Ethernet port 2 to STP priority 100:
show spanningtree port
config spanningtree switch mode
config spanningtree port mode
config spanningtree port pathcost
To set the bridge ID, use the config spanningtree switch bridgepriority command.
config spanningtree switch bridgepriority priority_num
Note When the Cisco 4400 Series Wireless LAN Controller is configured for port redundancy, STP must be disabled for all ports on the controller. STP can remain enabled on the switch connected to the controller.
The value of the writable portion of the Bridge ID, that is, the first two octets of the (8 octet long) Bridge ID. The other (last) 6 octets of the Bridge ID are given by the value of Bridge MAC address. The value may be specified as a number between 0 and 65535.
This example shows how to configure spanning tree values on a per switch basis with the bridge priority 40230:
show spanningtree switch
config spanningtree switch forwarddelay
config spanningtree switch hellotime
config spanningtree switch maxage
config spanningtree switch mode
To set the bridge timeout, use the config spanningtree switch forwarddelay command.
config spanningtree switch forwarddelay seconds
The value that all bridges use for forwarddelay when this bridge is acting as the root. 802.1D-1990 specifies that the range for this setting is related to the value of the STP bridge maximum age. The granularity of this timer is specified by 802.1D-1990 to be 1 second. An agent may return a badValue error if a set is attempted to a value that is not a whole number of seconds. The default is 15. Valid values are 4 through 30 seconds.
This example shows how to configure spanning tree values on a per switch basis with the bridge timeout as 20 seconds:
config spanningtree switch bridgepriority
config spanningtree switch hellotime
config spanningtree switch maxage
config spanningtree switch mode
config switchconfig flowcontrol
To set the hello time, use the config spanningtree switch hellotime command.
config spanningtree switch hellotime seconds
All bridges use this value for HelloTime when this bridge is acting as the root. The granularity of this timer is specified by 802.1D-1990 to be 1 second. Valid values are 1 through 10 seconds.
This example shows how to configure the STP hello time to 4 seconds:
show spanningtree switch
config spanningtree switch bridgepriority
config spanningtree switch forwarddelay
config spanningtree switch maxage
config spanningtree switch mode
To set the maximum age, use the config spanningtree switch maxage command.
config spanningtree switch maxage seconds
All bridges use this value for MaxAge when this bridge is acting as the root. 802.1D-1990 specifies that the range for this parameter is related to the value of Stp Bridge Hello Time. The granularity of this timer is specified by 802.1D-1990 to be 1 second. Valid values are 6 through 40 seconds.
This example shows how to configure the STP bridge maximum age to 30 seconds:
show spanningtree switch
config spanningtree switch bridgepriority
config spanningtree switch forwarddelay
config spanningtree switch hellotime
config spanningtree switch mode
To turn the Cisco wireless LAN controller Spanning Tree Protocol (STP) on or off, use the config spanningtree switch mode command.
config spanningtree switch mode { enable | disable }
Using this command allows the controller to set up STP, detect logical network loops, place redundant ports on standby, and build a network with the most efficient pathways.
This example shows how to support STP on all Cisco wireless LAN controller ports:
show spanningtree switch
config spanningtree switch bridgepriority
config spanningtree switch forwarddelay
config spanningtree switch hellotime
config spanningtree switch maxage
config spanningtree port mode
To enable or disable 802.3x flow control, use the config switchconfig flowcontrol command.
config switchconfig flowcontrol { enable | disable }
This example shows how to enable 802.3x flow control on Cisco wireless LAN controller parameters:
To configure Lightweight Access Port Protocol (LWAPP) transport mode for Layer 2 or Layer 3, use the config switchconfig command.
config switchconfig mode { L2 | L3 }
This example shows how to configure LWAPP transport mode to Layer 3:
To enable or disable secret obfuscation, use the config switchconfig secret-obfuscation command.
config switchconfig secret-obfuscation { enable | disable }
Secrets and user passwords are obfuscated in the exported XML configuration file.
To keep the secret contents of your configuration file secure, do not disable secret obfuscation. To further enhance the security of the configuration file, enable configuration file encryption.
This example shows how to enable secret obfuscation:
To set the Cisco wireless LAN controller system name, use the config sysname command.
System name. The name can contain up to 31 alphanumeric characters.
This example shows how to configure the system named Ent_01:
Use the config tacacs commands to configure TACACS+ settings.
To configure TACACS+ accounting server settings, use the config tacacs acct command.
config tacacs acct add {server_index ip_address port type secret_key} | delete {server_index} |
disable {server_index} | enable {server_index} | retransmit-timeout {server_index seconds}
Changes the default retransmit timeout for the TACACS+ server.
This example shows how to add a new TACACS+ accounting server index 3 with the IP address 10.0.0.0, port number 10, and secret key 12345678 in ASCII:
This example shows how to change the default retransmit timeout of 30 seconds for the TACACS+ accounting server:
To configure TACACS+ authorization server settings, use the config tacacs athr command.
config tacacs athr add {server_index ip_address port type secret_key} | delete {server_index}|
disable {server_index} | enable {server_index} | retransmit-timeout {server_index seconds}
Changes the default retransmit timeout for the TACACS+ server.
This example shows how to add a new TACACS+ authorization server index 3 with the IP address 10.0.0.0, port number 4, and secret key 12345678 in ASCII:
This example shows how to change the default retransmit timeout of 30 seconds for the TACACS+ authorization server:
To configure TACACS+ authentication server settings, use the config tacacs auth command.
config tacacs auth add {server_index ip_address port type secret_key} | delete {server_index} |
disable {server_index} | enable {server_index} | retransmit-timeout {server_index seconds}
(Optional) Changes the default retransmit timeout for the TACACS+ server.
This example shows how to add a new TACACS+ authentication server index 2 with the IP address 10.0.0.3, port number 6, and secret key 12345678 in ASCII:
To set the system time, use the config time manual command.
config time manual MM / DD / YY HH : MM : SS
This example shows how to configure the system date to 04/04/2010 and time to 15:29:00:
To set the Network Time Protocol (NTP), use the config time ntp command.
config time ntp { interval seconds | server index ip_address }
This example shows how to configure the NTP polling interval to 7000 seconds:
To configure the system time zone, use the config time timezone command.
config time timezone { enable | disable } delta_hours delta_mins
Local hour difference from the Universal Coordinated Time (UCT).
This example shows how to enable the daylight saving time:
To set the location of the time zone in order to have daylight saving time set automatically when it occurs, use the config time timezone location command.
config time timezone location location_index
This example shows how to set the location of the time zone in order to set the daylight saving time to location index 10 automatically:
Use the config trapflags commands to configure trap flags settings.
To enable or disable sending 802.11 security-related traps, use the config trapflags 802.11-Security command.
config trapflags 802.11-Security wepDecryptError { enable | disable }
This example shows how to disable the 802.11 security related traps:
To enable or disable the sending of AAA server-related traps, use the config trapflags aaa command.
config trapflags aaa { auth | servers } { enable | disable }
Enables trap sending when an AAA authentication failure occurs for management user, net user, or MAC filter.
This example shows how to enable the sending of AAA server-related traps:
To enable or disable the sending of Cisco lightweight access point traps, use the config trapflags ap command.
config trapflags ap { register | interfaceUp } { enable | disable }
Enables sending a trap when a Cisco lightweight access point registers with Cisco switch.
Enables sending a trap when a Cisco lightweight access point interface (A or B) comes up.
This example shows how to prevent the sending of access point-related traps:
To enable or disable sending traps with invalid SNMP access, use the config trapflags authentication command.
config trapflags authentication { enable | disable }
This example shows how to prevent sending traps on invalid SNMP access:
To enable or disable the sending of client-related DOT11 traps, use the config trapflags client command.
config trapflags client { 802.11-disassocate | 802.11-deauthenticate | 802.11-authfail | 802.11-assocfail | excluded } { enable | disable }
This example shows how to enable the sending of Dot11 disassociation trap to clients:
To enable or disable the sending of configuration-saved traps, use the config trapflags configsave command.
config trapflags configsave { enable | disable }
This example shows how to enable the sending of configuration-saved traps:
To enable or disable the sending of IPsec traps, use the config trapflags IPsec command.
config trapflags IPsec { esp-auth | esp-reply | invalidSPI | ike-neg | suite-neg | invalid-cookie } { enable | disable }
This example shows how to enable the sending of IPsec traps when ESP authentication failure occurs:
To enable or disable Cisco wireless LAN controller level link up/down trap flags, use the config trapflags linkmode command.
config trapflags linkmode { enable | disable }
Enables Cisco wireless LAN controller level link up/down trap flags.
Disables Cisco wireless LAN controller level link up/down trap flags.
This example shows how to enable the Cisco wireless LAN controller level link up/down trap:
To enable or disable the sending of traps when multiple logins are active, use the config trapflags multiusers command.
config trapflags multiusers { enable | disable }
Enables the sending of traps when multiple logins are active.
Disables the sending of traps when multiple logins are active.
This example shows how to disable the sending of traps when multiple logins are active:
To enable or disable sending rogue access point detection traps, use the config trapflags rogueap command.
config trapflags rogueap { enable | disable }
This example shows how to disable the sending of rogue access point detection traps:
config rogue ap classify
config rogue ap friendly
config rogue ap rldp
config rogue ap ssid
config rogue ap timeout
config rogue ap valid-client
show rogue ap clients
show rogue ap detailed
show rogue ap summary
show rogue ap friendly summary
show rogue ap malicious summary
show rogue ap unclassified summary
show trapflags
To enable or disable the sending of Radio Resource Management (RRM) parameters traps, use the config trapflags rrm-params command.
config trapflags rrm-params { tx-power | channel | antenna } { enable | disable }
This example shows how to enable the sending of RRM parameter-related traps:
To enable or disable the sending of Radio Resource Management (RRM) profile-related traps, use the config trapflags rrm-profile command.
config trapflags rrm-profile { load | noise | interference | coverage } { enable | disable }
This example shows how to disable the sending of RRM profile-related traps:
To enable or disable the sending of spanning tree traps, use the config trapflags stpmode command.
config trapflags stpmode { enable | disable }
This example shows how to disable the sending of spanning tree traps:
To enable or disable Wireless Protection System (WPS) trap sending, use the config trapflags wps command.
config trapflags wps { enable | disable }
This example shows how to disable the sending of WPS traps:
Use the config watchlist commands to configure watchlist settings.
To add a watchlist entry for a wireless LAN, use the config watchlist add command.
config watchlist add { mac MAC | username username }
This example shows how to add a watchlist entry for the MAC address a5:6b:ac:10:01:6b:
config watchlist delete
config watchlist enable
config watchlist disable
show watchlist
To delete a watchlist entry for a wireless LAN, use the config watchlist delete command.
config watchlist delete { mac MAC | username username }
Specifies the MAC address of the wireless LAN to delete from the list.
This example shows how to delete a watchlist entry for the MAC address a5:6b:ac:10:01:6b:
To disable the client watchlist, use the config watchlist disable command.
This example shows how to disable the client watchlist:
To enable a watchlist entry for a wireless LAN, use the config watchlist enable command.
This example shows how to enable a watchlist entry:
Use the config wlan commands to configure wireless LAN command settings.
To create, delete, enable, or disable a wireless LAN, use the config wlan command.
config wlan { enable | disable | create | delete } wlan_id [ name | foreignAp name ssid | all ]
(Optional) WLAN profile name up to 32 alphanumeric characters.
When you create a new WLAN using the config wlan create command, it is created in disabled mode. Leave it disabled until you have finished configuring it.
If you do not specify an SSID, the profile name parameter is used for both the profile name and the SSID.
If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.
An error message appears if you try to delete a WLAN that is assigned to an access point group. If you proceed, the WLAN is removed from the access point group and from the access point’s radio.
This example shows how to enable wireless LAN identifier 16:
To configure support for phones, use the config wlan 7920-support command.
config wlan 7920-support { client-cac-limit | ap-cac-limit } { enable | disable } wlan_id
You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.
This example shows how to enable the phone support that requires client-controlled CAC with wireless LAN ID 8:
To configure 802.11e support on a wireless LAN, use the config wlan 802.11e command.
config wlan 802.11e { allow | disable | require } wlan_id
802.11e provides quality of service (QoS) support for LAN applications, which are critical for delay sensitive applications such as Voice over Wireless IP (VoWIP).
802.11e enhances the 802.11 Media Access Control layer (MAC layer) with a coordinated time division multiple access (TDMA) construct, and adds error-correcting mechanisms for delay sensitive applications such as voice and video. The 802.11e specification provides seamless interoperability and is especially well suited for use in networks that include a multimedia capability.
This example shows how to allow 802.11e on the wireless LAN with LAN ID 1:
To configure a user policy override via AAA on a wireless LAN, use the config wlan aaa-override command.
config wlan aaa-override { enable | disable } { wlan_id | foreignAp }
When AAA override is enabled, and a client has conflicting AAA and Cisco wireless LAN controller wireless LAN authentication parameters, client authentication is performed by the AAA server. As part of this authentication, the operating system will move clients from the default Cisco wireless LAN VLAN to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system will also use QoS, DSCP, 802.1p priority tag values, and ACLs provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as Identity Networking.)
If the corporate wireless LAN primarily uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.
When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is performed by the AAA server if the controller wireless LAN does not contain any client-specific authentication parameters.
The AAA override values may come from a RADIUS server, for example.
This example shows how to configure user policy override via AAA on wireless LAN ID 1:
To configure a wireless LAN access control list (ACL), use the config wlan acl command.
config wlan acl wlan_id [acl_name | none]
(Optional) Clears the ACL settings for the specified wireless LAN.
This example shows how to configure a WLAN access control list with WLAN ID 1 and ACL named office_1:
To manage access point group VLAN features, use the config wlan apgroup command.
config wlan apgroup { add apgroup_name wlan_id interface_name |
delete apgroup_name |
description apgroup_name description |
interface-mapping { add | delete } apgroup_name wlan_id interface_name |
nac { enable | disable } apgroup_name wlan_id |
radio-policy apgroup_name wlan-id { 802.11a-only | 802.11bg | 802.11g-only | all }}
An error message appears if you try to delete an access point group that is used by at least one access point. Before you can delete an AP group in controller software release 6.0, move all APs in this group to another group. The access points are not moved to the default-group access point group as in previous releases. To see the APs, enter the show wlan apgroups command. To move APs, enter the config ap group-name groupname Cisco_AP command.
This example shows how to enable the NAC out-of-band support on access point group 4:
To configure a Service Set Identifier (SSID) broadcast on a wireless LAN, use the config wlan broadcast-ssid command.
config wlan broadcast-ssid { enable | disable } wlan_id
This example shows how to configure an SSID broadcast on wireless LAN ID 1:
To enable or disable Voice-over-IP (VoIP) snooping for a particular WLAN, use the config wlan call-snoop command.
config wlan call-snoop { enable | disable } wlan_id
The WLAN should be configured with Platinum QoS, and it needs to be disabled when you invoke this command.
This example shows how to enable VoIP snooping for WLAN 3:
To enable or disable Coverage Hole Detection (CHD) for a wireless LAN, use the config wlan chd command.
config wlan chd wlan_id { enable | disable }
This example shows how to enable CHD for WLAN 3:
To enable or disable Aironet information elements (IEs) for a WLAN, use the config wlan ccx aironet-ie command.
config wlan ccx aironet-ie { enable | disable }
This example shows how to enable Aironet information elements for a WLAN:
To configure the controller to defer priority markings for packets that can defer off channel scanning, use the config wlan channel-scan defer-priority command.
config wlan channel-scan defer-priority priority [enable | disable] wlan_id
(Optional) Enables packets at the given priority to defer off-channel scanning.
(Optional) Disables packets at the given priority from deferring off-channel scanning.
The priority value should be set to 6 on the client and on the WLAN.
This example shows how to enable the controller to defer priority markings that can defer off channel scanning with user priority value 6 and WLAN id 30:
config wlan
config wlan channel-scan defer-time
show client detail
To assign the channel scan defer time in milliseconds, use the config wlan channel-scan defer-time command.
config wlan channel-scan defer-time msecs wlan_id
The time value in milliseconds should match the requirements of the equipment on your WLAN.
This example shows how to assign the scan defer time to 40 milliseconds for WLAN id 50:
config wlan
config wlan channel-scan defer-priority
show client detail
To configure the internal DHCP server for a wireless LAN, use the config wlan dhcp_server command.
config wlan dhcp_server { wlan_id | foreignAp } ip_address [ required ]
IP address of the internal DHCP server (this parameter is required).
(Optional) Specifies whether DHCP address assignment is required.
The preferred method for configuring DHCP is to use the primary DHCP address assigned to a particular interface instead of the DHCP server override. If you enable the override, you can use the show wlan command to verify that the DHCP server has been assigned to the WLAN.
This example shows how to configure an IP address 10.10.2.1 of the internal DHCP server for wireless LAN ID 16:
config dhcp
config dhcp proxy
config interface dhcp
debug dhcp
debug dhcp service-port
debug disable-all
show dhcp
show dhcp proxy
To enable the diagnostic channel troubleshooting on a particular WLAN, use the config wlan diag-channel command.
config wlan diag-channel [ enable | disable ] wlan_id
This example shows how to enable the wireless LAN diagnostic channel for WLAN ID 1:
To configure a Delivery Traffic Indicator Message (DTIM) for an 802.11 radio network, use the config wlan dtim command.
config wlan dtim { 802.11a | 802.11b} dtim wlan_id
This example shows how to configure DTIM for 802.11a radio network with DTIM value 128 and WLAN ID 1:
To configure the wireless LAN exclusion list, use the config wlan exclusionlist command.
config wlan exclusionlist { wlan_id [ enabled | disabled | time ] |
foreignAp [ enabled | disabled | time ]}
This example shows how to enable the exclusion list for the WLAN ID 1:
To enable or disable client IP address learning for the Cisco WLAN controller, use the config wlan h-reap learn-ipaddr command.
config wlan h-reap learn-ipaddr wlan_id { enable | disable }
Disabled when the config wlan h-reap local-switching command is disabled.
Enabled when the config wlan h-reap local-switching command is enabled.
If the client is configured with Layer 2 encryption, the controller cannot learn the client IP address, and the controller will periodically drop the client. Disable this option to keep the client connection without waiting to learn the client IP address.
Note The ability to disable IP address learning is not supported with H-REAP central switching.
This example shows how to disable client IP address learning for WLAN 6:
To configure the WLAN for local switching, use the config wlan h-reap local-switching command.
config wlan h-reap local-switching { enable | disable } wlan_id
When you enable the config wlan h-reap local-switching command, the config wlan h-reap learn-ipaddr command is enabled by default.
Note The ability to disable IP address learning is not supported with H-REAP central switching.
This example shows how to enable WLAN 6 for local switching:
To configure a wireless LAN interface, use the config wlan interface command.
config wlan interface { wlan_id | foreignAp } interface-name
This example shows how to configure an interface named VLAN901:
To configure IPv6 support on a wireless LAN, use the config wlan IPv6Support command.
config wlan IPv6support { enable | disable } wlan_id
This example shows how to enable WLAN 6 for local switching:
To add or delete a link to a configured Lightweight Directory Access Protocol (LDAP) server, use the config wlan ldap command.
config wlan ldap { add wlan_id server_id | delete wlan_id { all | server_id }}
Use this command to specify the LDAP server priority for the WLAN.
To specify the LDAP server priority, one of the following must be configured and enabled:
Note Local EAP was introduced in controller software release 4.1; LDAP support on Web authentication was introduced in controller software release 4.2.
This example shows how to add a link to a configured LDAP server with the WLAN ID 100 and server ID 4:
To override the global load balance configuration and enable or disable load balancing on a particular WLAN, use the config wlan load-balance command.
config wlan load-balance allow { enable | disable } wlan_id
This example shows how to enable band selection on a wireless LAN with WLAN ID 3:
To change the state of MAC filtering on a wireless LAN, use the config wlan mac-filtering command.
config wlan mac-filtering { enable | disable } { wlan_id | foreignAp }
This example shows how to enable the MAC filtering on WLAN ID 1:
To configure multicast-direct for wireless LAN’s media stream, use the config wlan media-stream command.
config wlan media-stream multicast-direct {wlan_id | all} {enable | disable}
Media stream multicast-direct requires load based Call Admission Control (CAC) to run. WLAN quality of service (QoS) needs to be set to either gold or platinum.
This example shows how to enable the global multicast-direct media stream with WLAN ID 2:
To configure management frame protection (MFP) options for the wireless LAN, use the config wlan mfp command.
config wlan mfp {client [enable | disable] wlan_id |
infrastructure protection [enable | disable] wlan_id}
(Optional) Configures the infrastructure MFP for the wireless LAN.
This example shows how to configure client management frame protection for WLAN ID 1:
To change the state of MAC filtering on a wireless LAN, use the config wlan mobility anchor command.
config wlan mobility anchor { add | delete } wlan_id ip_address
This example shows how to configure the mobility wireless LAN anchor list with WLAN ID 4 and IP address 192.168.0.14:6:
config guest-lan mobility anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
debug mobility
show mobility anchor
show mobility statistics
show mobility summary
To enable or disable Network Admission Control (NAC) out-of-band support for a WLAN, enter this command:
config wlan nac { enable | disable } wlan_id
This example shows how to enable NAC out-of-band support:
show nac statistics
show nac summary
config guest-lan nac
debug nac
To configure passive-client feature on a wireless LAN, use the config wlan passive-client command.
config wlan passive-client {enable | disable} wlan_id
You need to enable the global multicast mode and multicast-multicast mode by using the config network multicast global and config network multicast mode commands before entering this command.
Note Configure multicast in multicast-multicast mode only, not in unicast mode. The passive client feature does not work with multicast-unicast mode in this release.
This example shows how to configure the passive client on wireless LAN ID 2:
To configure peer-to-peer blocking on a WLAN, use the config wlan peer-blocking command.
config wlan peer-blocking { disable | drop | forward-upstream } wlan_id
This example shows how to disable the peer-to-peer blocking for WLAN ID 1:
To change the quality of service for a wireless LAN, use the config wlan qos command.
config wlan qos wlan_id { bronze | silver | gold | platinum }
config wlan qos foreignAp { bronze | silver | gold | platinum }
This example shows how to set the highest level of service on wireless LAN 1:
To set the Cisco radio policy on a wireless LAN, use the config wlan radio command.
config wlan radio wlan_id { all | 802.11a | 802.11bg | 802.11g | 802.11ag }
Configures the wireless LAN on only 802.11b/g (only 802.11b if 802.11g is disabled).
This example shows how to configure the wireless LAN on all radio bands:
config 802.11a enable
config 802.11a disable
config 802.11b enable
config 802.11b disable
config 802.11b 11gSupport enable
config 802.11b 11gSupport disable
show wlan
To configure a wireless LAN’s RADIUS servers, use the config wlan radius_server command.
config wlan radius_server { auth | acct } { enable wlan_id | disable wlan_id } { add wlan_id server_id | delete wlan_id { all | server_id }}
This example shows how to add a link to a configured RADIUS server with WLAN ID 1 and Server ID 1:
config 802.11a enable
config 802.11a disable
config 802.11b enable
config 802.11b disable
config 802.11b 11gSupport enable
config 802.11b 11gSupport disable
show wlan
To configure a wireless LAN’s RADIUS dynamic interface, use the config wlan radius_server overwrite-interface command.
config wlan radius_server overwrite-interface { enable | disable} wlan_id
The controller uses the management interface as identity. If the RADIUS server is on a directly connected dynamic interface, the traffic is sourced from the dynamic interface. Otherwise, the management IP address is used.
If the feature is enabled, the controller uses the interface specified in the WLAN configuration as the identity and source for all RADIUS-related traffic on the WLAN.
This example shows how to enable the RADIUS dynamic interface for a WLAN with ID 1:
config 802.11a enable
config 802.11a disable
config 802.11b enable
config 802.11b disable
config 802.11b 11gSupport enable
config 802.11b 11gSupport disable
show wlan
Use the config wlan security commands to configure wireless LAN security settings.
To change the state of 802.1X security on the wireless LAN Cisco radios, use the config wlan security 802.1X command.
config wlan security 802.1X { enable { wlan_id | foreignAp } | disable { wlan_id | foreignAp } |
encryption { wlan_id | foreignAp } { 0 | 40 | 104 }}
To change the encryption level of 802.1X security on the wireless LAN Cisco radios, use the following key sizes:
This example shows how to configure 802.1X security on WLAN ID 16:
To configure Cisco Key Integrity Protocol (CKIP) security options for the wireless LAN, use the config wlan security ckip command.
config wlan security ckip { enable | disable } wlan_id
[ akm psk set-key { hex | ascii }{ 40 | 104 } key key_index wlan_id |
mmh-mic { enable | disable } wlan_id |
kp { enable | disable } wlan_id ]
This example shows how to configure a CKIP WLAN encryption key of 104 bits (26 hexadecimal characters) for PSK key index 2 on WLAN 03:
To enable or disable conditional web redirect, use the config wlan security cond-web-redir command.
config wlan security cond-web-redir {enable | disable} wlan_id
This example shows how to enable the conditional web redirect on WLAN ID 2:
To disable IPsec security, use the config wlan security IPsec disable command.
config wlan security IPsec disable { wlan_id | foreignAp }
This example shows how to disable the IPsec for WLAN ID 16:
To enable IPsec security, use the config wlan security IPsec enable command.
config wlan security IPsec enable { wlan_id | foreignAp }
This example shows how to enable the IPsec for WLAN ID 16:
To modify the IPsec security authentication protocol used on the wireless LAN, use the config wlan security IPsec authentication command.
config wlan security IPsec authentication { hmac-md5 | hmac-sha-1 } { wlan_id | foreignAp }
This example shows how to configure the IPsec HMAC-SHA-1 security authentication parameter for WLAN ID 1:
To modify the IPsec security encryption protocol used on the wireless LAN, use the config wlan security IPsec encryption command.
config wlan security IPsec encryption { 3des | aes | des } { wlan_id | foreignAp }
This example shows how to configure the IPsec aes encryption:
To configure the proprietary Internet Key Exchange (IKE) CFG-Mode parameters used on the wireless LAN, use the config wlan security IPsec config command.
config wlan security IPsec config qotd ip_address { wlan_id | foreignAp }
IKE is used as a method of distributing the session keys (encryption and authentication), as well as providing a way for the VPN endpoints to agree on how the data should be protected. IKE keeps track of connections by assigning a bundle of Security Associations (SAs) to each connection.
This example shows how to configure the quote-of-the-day server IP 44.55.66.77 for cfg-mode for WLAN 1:
To modify the IPsec Internet Key Exchange (IKE) authentication protocol used on the wireless LAN, use the config wlan security IPsec ike authentication command.
config wlan security IPsec ike authentication { certificates { wlan_id | foreignAp } | pre-share-key { wlan_id | foreignAp } key | xauth-psk { wlan_id | foreignAp } key }
This example shows how to configure the IKE certification mode:
To modify the IPsec Internet Key Exchange (IKE) Diffie-Hellman group used on the wireless LAN, use the config wlan security IPsec ike dh-group command.
config wlan security IPsec ike dh-group { wlan_id | foreignAp } { group-1 | group-2 | group-5 }
This example shows how to configure the Diffie-Hellman group parameter for group-1:
To modify the IPsec Internet Key Exchange (IKE) lifetime used on the wireless LAN, use the config wlan security IPsec ike lifetime command.
config wlan security IPsec ike lifetime { wlan_id | foreignAp } seconds
This example shows how to configure the IPsec IKE lifetime used on the wireless LAN:
To modify IPsec Internet Key Exchange (IKE) Phase 1 used on the wireless LAN, use the config wlan security IPsec ike phase1 command.
config wlan security IPsec ike phase1 {aggressive | main} { wlan_id | foreignAp }
This example shows how to modify IPsec IKE Phase 1:
To modify Nortel’s Contivity VPN client support on the wireless LAN, use the config wlan security IPsec ike contivity command.
config wlan security IPsec ike contivity { enable | disable } { wlan_id | foreignAp }
This example shows how to modify Contivity VPN client support:
To modify the IPsec pass-through used on the wireless LAN, use the config wlan security IPsec ike passthru command.
config wlan security passthru { enable | disable } { wlan_id | foreignAp } [ ip_address ]
IP address of the IPsec gateway (router) that is terminating the VPN tunnel.
This example shows how to modify IPsec pass-through used on the wireless LAN:
To enable or disable splash page web redirect, use the config wlan security splash-page-web-redir command.
config wlan security splash-page-web-redir {enable | disable} wlan_id
This example shows how to enable splash page web redirect:
To configure static Wired Equivalent Privacy (WEP) key 802.11 authentication on a wireless LAN, use the config wlan security static-wep-key authentication command.
config wlan security static-wep-key authentication {shared-key | open} wlan_id
This example shows how to enable the static WEP shared key authentication for WLAN ID 1:
To disable the use of static Wired Equivalent Privacy (WEP) keys, use the config wlan security static-wep-key disable command.
config wlan security static-wep-key disable wlan_id
This example shows how to disable the static WEP keys for WLAN ID 1:
To enable the use of static Wired Equivalent Privacy (WEP) keys, use the config wlan security static-wep-key enable command.
config wlan security static-wep-key enable wlan_id
This example shows how to enable the use of static WEP keys for WLAN ID 1:
To configure the static Wired Equivalent Privacy (WEP) keys and indexes, use the config wlan security static-wep-key encryption command.
config wlan security static-wep-key encryption wlan_id { 40 | 104 } { hex | ascii } key key-index
One unique WEP key index can be applied to each wireless LAN. Because there are only four WEP key indexes, only four wireless LANs can be configured for static WEP Layer 2 encryption.
This example shows how to configure the static WEP keys for WLAN ID 1 that uses hexadecimal character 0201702001 and key index 2:
To change the status of web authentication used on the wireless LAN, use the config wlan security web command.
config wlan security web-auth { acl | enable | disable } { wlan_id | foreignAp } [ acl_name | none ]
This example shows how to configure the security policy for WLAN ID 1 and an ACL named ACL03:
To add an access control list (ACL) to the wireless LAN definition, use the config wlan security web-passthrough acl command.
config wlan security web-passthrough acl { wlan_id | foreignAp } { acl_name | none }
This example shows how to add an ACL to the wireless LAN definition:
To disable a web captive portal with no authentication required on a wireless LAN, use the config wlan security web-passthrough disable command.
config wlan security web-passthrough disable { wlan_id | foreignAp }
This example shows how to disable a web captive portal with no authentication required on wireless LAN ID 1:
To configure a web captive portal using an e-mail address, use the config wlan security web-passthrough email-input command.
config wlan security web-passthrough email-input { enable | disable } { wlan_id | foreignAp }
This example shows how to configure a web captive portal using an e-mail address:
To enable a web captive portal with no authentication required on the wireless LAN, use the config wlan security web-passthrough enable command.
config wlan security web-passthrough enable { wlan_id | foreignAp }
This example shows how to enable a web captive portal with no authentication required on wireless LAN ID 1:
To disable WPA1, use the config wlan security wpa1 disable command.
config wlan security wpa1 disable wlan_id
This example shows how to disable WPA1:
To enable WPA1, use the config wlan security wpa1 enable command.
config wlan security wpa1 enable wlan_id
This example shows how to configure the WPA1 on WLAN ID 1:
To configure the Wi-Fi protected access (WPA) preshared key mode, use the config wlan security wpa1 pre-shared-key command.
config wlan security wpa1 pre-shared-key { enable wlan_id key | disable wlan_id }
This example shows how to configure the WPA preshared key mode:
To disable WPA2, use the config wlan security wpa2 disable command.
config wlan security wpa2 disable wlan_id
This example shows how to disable WPA2:
To enable WPA2, use the config wlan security wpa2 enable command.
config wlan security wpa2 enable wlan_id
This example shows how to enable WPA2:
To configure the Wi-Fi protected access (WPA) preshared key mode, use the config wlan security wpa2 pre-shared-key command.
config wlan security wpa2 pre-shared-key { enable wlan_id key | disable wlan_id }
This example shows how to disable the WPA2-PSK for WLAN ID 2:
To change the status of Wi-Fi protected access (WPA) authentication, use the config wlan security wpa2 tkip command.
config wlan security wpa2 tkip { enable | disable } wlan_id
This example shows how to configure the WPA2 TKIP mode for WLAN ID 1:
To change the status of Wi-Fi protected access (WPA) authentication, use the config wlan security wpa2 wpa-compat command.
config wlan security wpa2 wpa-compat { enable | disable } wlan_id
This example shows how to configure the WPA compatibility mode for WLAN ID 1:
To configure client session timeout of wireless LAN clients, use the config wlan session-timeout command.
config wlan session-timeout { wlan_id | foreignAp } seconds
The default value is 1800 seconds for the following Layer 2 security types: 802.1X, Static WEP+802.1X, WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key management; and 0 seconds for all other Layer 2 security types. A value of 0 is equivalent to no timeout.
This example shows how to configure the client session timeout to 6000 seconds for WLAN ID 1:
To release the guest user IP address when the web authentication policy time expires and exclude the guest user from acquiring an IP address for three minutes, use the config wlan webauth-exclude command.
config wlan webauth-exclude wlan_id {enable | disable}
You can use this command for guest WLANs that are configured with web authentication.
This command is applicable when you configure the internal DHCP scope on the controller.
By default, when the web authentication timer expires for a guest user, the guest user can immediately reassociate with the same IP address before another guest user can acquire the IP address. If there are many guest users or a limited number of IP addresses in the DHCP pool, some guest users might not be able to acquire an IP address.
When you enable this feature on the guest WLAN, the guest user’s IP address is released when the web authentication policy time expires and the guest user is excluded from acquiring an IP address for three minutes. The IP address is available for another guest user to use. After three minutes, the excluded guest user can reassociate and acquire an IP address, if available.
This example shows how to enable the web authentication exclusion for WLAN ID 5:
To configure Wi-Fi Multimedia (WMM) mode on a wireless LAN, use the config wlan wmm command.
config wlan wmm { allow | disable | require } wlan_id
(Optional) Specifies that clients use WMM on the specified wireless LAN.
When the controller is in Layer 2 mode and WMM is enabled, you must put the access points on a trunk port in order to allow them to join the controller.
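The config wlan security commands above include several legacy options (static WEP, TKIP, DES, HMAC-MD5, Diffie-Hellman group-1, IKE aggressive mode, unauthenticated web passthrough). The following Python script is an added example, not Cisco code: it replays a list of commands written in the syntax documented on this page, keeps the last value set for each WLAN, reports weak settings, and redacts key material. The sample configuration, the setting names, and the finding texts are constructed for illustration.

```python
import re

# WLAN selector as documented on this page: a numeric wlan_id or foreignAp.
W = r"(?P<wlan>\d+|foreignAp)"

# Commands (syntax taken from this page) whose last value defines a setting.
# The setting names on the left are labels invented for this example.
PATTERNS = [(name, re.compile(rx)) for name, rx in [
    ("static-wep", rf"config wlan security static-wep-key (?P<value>enable|disable) {W}"),
    ("wpa1", rf"config wlan security wpa1 (?P<value>enable|disable) {W}"),
    ("wpa2-tkip", rf"config wlan security wpa2 tkip (?P<value>enable|disable) {W}"),
    ("ipsec-encryption", rf"config wlan security IPsec encryption (?P<value>3des|aes|des) {W}"),
    ("ipsec-authentication",
     rf"config wlan security IPsec authentication (?P<value>hmac-md5|hmac-sha-1) {W}"),
    ("ike-dh-group", rf"config wlan security IPsec ike dh-group {W} (?P<value>group-[125])"),
    ("ike-phase1", rf"config wlan security IPsec ike phase1 (?P<value>aggressive|main) {W}"),
    ("web-passthrough", rf"config wlan security web-passthrough (?P<value>enable|disable) {W}"),
    ("peer-blocking", rf"config wlan peer-blocking (?P<value>disable|drop|forward-upstream) {W}"),
]]

# (setting, value) pairs worth flagging in a review.
WEAK = {
    ("static-wep", "enable"): "static WEP enabled; WEP keys can be recovered from captured traffic",
    ("wpa1", "enable"): "WPA1 enabled; prefer WPA2",
    ("wpa2-tkip", "enable"): "TKIP enabled under WPA2; TKIP is deprecated",
    ("ipsec-encryption", "des"): "IPsec uses DES (56-bit key); aes is available",
    ("ipsec-authentication", "hmac-md5"): "IPsec uses HMAC-MD5; hmac-sha-1 is the stronger option offered",
    ("ike-dh-group", "group-1"): "IKE uses Diffie-Hellman group 1 (768-bit modulus)",
    ("ike-phase1", "aggressive"): "IKE aggressive mode does not protect peer identities",
    ("web-passthrough", "enable"): "captive portal admits clients without authentication",
    ("peer-blocking", "disable"): "peer-to-peer blocking disabled; clients can reach each other",
}

# Commands that carry key material on the command line (syntax from this page).
SECRETS = [re.compile(rx) for rx in [
    r"(?P<pre>config wlan security wpa[12] pre-shared-key enable \S+ )(?P<key>\S+)(?P<post>.*)",
    r"(?P<pre>config wlan security static-wep-key encryption \S+ (?:40|104) (?:hex|ascii) )"
    r"(?P<key>\S+)(?P<post>.*)",
    r"(?P<pre>config wlan security IPsec ike authentication (?:pre-share-key|xauth-psk) \S+ )"
    r"(?P<key>\S+)(?P<post>.*)",
]]

# Constructed sample input; WLAN IDs and the passphrase are made up.
SAMPLE_CONFIG = """\
config wlan security static-wep-key enable 2
config wlan security static-wep-key encryption 2 40 hex 0201702001 2
config wlan security wpa2 enable 1
config wlan security wpa2 tkip enable 1
config wlan security wpa2 tkip disable 1
config wlan security wpa2 pre-shared-key enable 1 Constructed-Passphrase
config wlan security IPsec encryption des 3
config wlan security IPsec authentication hmac-md5 3
config wlan security IPsec ike dh-group 3 group-1
config wlan security IPsec ike phase1 aggressive 3
config wlan security IPsec encryption aes 3
config wlan security web-passthrough enable 4
config wlan peer-blocking disable 4
"""


def replay(config_text):
    """Apply commands in order; a later command overrides an earlier one."""
    state = {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse repeated whitespace
        for name, rx in PATTERNS:
            m = rx.fullmatch(line)
            if m:
                state[(m["wlan"], name)] = m["value"]
                break
    return state


def audit(config_text):
    """Return (wlan, setting, value, message) for each weak final setting."""
    return [(wlan, name, value, WEAK[(name, value)])
            for (wlan, name), value in sorted(replay(config_text).items())
            if (name, value) in WEAK]


def redact(config_text):
    """Replace keys and passphrases so the text can be stored or shared."""
    lines = []
    for line in config_text.splitlines():
        for rx in SECRETS:
            line = rx.sub(r"\g<pre><redacted>\g<post>", line)
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    for wlan, name, value, message in audit(SAMPLE_CONFIG):
        print(f"WLAN {wlan}: {name}={value}: {message}")
    print(redact(SAMPLE_CONFIG))
```

Because the state is replayed, the TKIP and DES lines in the sample produce no finding: each is overridden by a later command for the same WLAN.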
Use the config wps commands to configure Wireless Protection System (WPS) settings.
To configure access point neighbor authentication, use the config wps ap-authentication command.
config wps ap-authentication [enable | disable | threshold threshold_value]
(Optional) Specifies that WMM-enabled clients are on the wireless LAN.
This example shows how to configure WMM-enabled clients with the threshold value 25:
To enable or disable protection from Denial of Service (DoS) attacks, use the config wps auto-immune command.
config wps auto-immune { enable | disable }
A potential attacker can use specially crafted packets to mislead the Intrusion Detection System (IDS) into treating a legitimate client as an attacker. This causes the controller to disconnect the legitimate client, resulting in a DoS attack. The auto-immune feature, when enabled, is designed to protect against such attacks. However, conversations using Cisco 792x phones might be interrupted intermittently when the auto-immune feature is enabled. If you experience frequent disruptions when using 792x phones, you might want to disable this feature.
This example shows how to configure the auto-immune mode:
To configure Intrusion Detection System (IDS) sensors for the Wireless Protection System (WPS), use the config wps cids-sensor command.
config wps cids-sensor {[add index ip_address username password] | [delete index] |
[enable index] | [disable index] | [port index port] | [interval index query_interval] |
[fingerprint index sha1 fingerprint]}
Command defaults are as follows:
This example shows how to configure the intrusion detection system with the IDS index 1, IDS sensor IP address 10.0.0.51, IDS username Sensor_user0doc1, and IDS password passowrd01:
To configure client exclusion policies, use the config wps client-exclusion command.
config wps client-exclusion {802.11-assoc | 802.11-auth | 802.1x-auth | ip-theft | web-auth | all} {enable | disable}
This example shows how to disable clients on the 802.11 association attempt after five consecutive failures:
To configure Management Frame Protection (MFP), use the config wps mfp command.
config wps mfp infrastructure {enable | disable}
This example shows how to enable the infrastructure MFP:
To force the controller to synchronize with other controllers in the mobility group for the shun list, use the config wps shun-list command.
This example shows how to configure the controller to synchronize with other controllers for the shun list:
To enable or disable Intrusion Detection System (IDS) signature processing, or to enable or disable a specific IDS signature, use the config wps signature command.
config wps signature { standard | custom } state signature_id { enable | disable }
Enables the IDS signature processing or a specific IDS signature.
Disables IDS signature processing or a specific IDS signature.
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
This example shows how to enable IDS signature processing, which enables the processing of all IDS signatures:
This example shows how to disable a standard individual IDS signature:
config wps signature frequency
config wps signature interval
config wps signature mac-frequency
config wps signature quiet-time
config wps signature reset
show wps signature events
show wps signature summary
show wps summary
To specify the number of matching packets per interval that must be identified at the individual access point level before an attack is detected, use the config wps signature frequency command.
config wps signature frequency signature_id frequency
Number of matching packets per interval that must be at the individual access point level before an attack is detected. The range is 1 to 32,000 packets per interval.
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
This example shows how to set the number of matching packets per interval per access point before an attack is detected to 1800 for signature ID 4:
config wps signature
config wps signature interval
config wps signature mac-frequency
config wps signature quiet-time
config wps signature reset
show wps signature events
show wps signature summary
show wps summary
To specify the number of seconds that must elapse before the signature frequency threshold is reached within the configured interval, use the config wps signature interval command.
config wps signature interval signature_id interval
Number of seconds that must elapse before the signature frequency threshold is reached. The range is 1 to 3,600 seconds.
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
This example shows how to set the number of seconds to elapse before reaching the signature frequency threshold to 200 for signature ID 1:
config wps signature
config wps signature frequency
config wps signature mac-frequency
config wps signature quiet-time
config wps signature reset
show wps signature events
show wps signature summary
show wps summary
To specify the number of matching packets per interval that must be identified per client per access point before an attack is detected, use the config wps signature mac-frequency command.
config wps signature mac-frequency signature_id mac_frequency
Number of matching packets per interval that must be identified per client per access point before an attack is detected. The range is 1 to 32,000 packets per interval.
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
This example shows how to set the number of matching packets per interval per client before an attack is detected to 50 for signature ID 3:
config wps signature
config wps signature frequency
config wps signature interval
config wps signature quiet-time
config wps signature reset
show wps signature events
show wps signature summary
show wps summary
To specify the length of time after which no attacks have been detected at the individual access point level and the alarm can stop, use the config wps signature quiet-time command.
config wps signature quiet-time signature_id quiet_time
Length of time after which no attacks have been detected at the individual access point level and the alarm can stop. The range is 60 to 32,000 seconds.
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
This example shows how to set the number of seconds after which no attacks have been detected per access point to 60 for signature ID 1:
config wps signature
config wps signature frequency
config wps signature interval
config wps signature mac-frequency
config wps signature reset
show wps signature events
show wps signature summary
show wps summary
To reset a specific Intrusion Detection System (IDS) signature or all IDS signatures to default values, use the config wps signature reset command.
config wps signature reset { signature_id | all }
If IDS signature processing is disabled, all signatures are disabled, regardless of the state configured for individual signatures.
This example shows how to reset the IDS signature 1 to default values:
config wps signature
config wps signature frequency
config wps signature interval
config wps signature mac-frequency
config wps signature quiet-time
show wps signature events
show wps signature summary
show wps summary
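To see how the frequency, mac-frequency, interval, and quiet-time parameters of an IDS signature interact when tuning them, the following Python model is an added example and not the controller's implementation. It assumes fixed windows of interval seconds, treats a threshold as met when the count reaches the configured value, and measures quiet time from the last detection; the event tuples are constructed, and only the value ranges come from this page.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignatureParams:
    frequency: int      # matching packets per interval at one access point
    mac_frequency: int  # matching packets per interval per client per access point
    interval: int       # seconds
    quiet_time: int     # seconds without a detection before the alarm stops

    def validate(self):
        # Ranges as documented for the config wps signature commands.
        limits = {"frequency": (1, 32000), "mac_frequency": (1, 32000),
                  "interval": (1, 3600), "quiet_time": (60, 32000)}
        for name, (low, high) in limits.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} outside documented range {low}-{high}")


def evaluate(params, events, end_time):
    """Return alarm transitions as (time, ap, 'raise:<threshold>' | 'clear').

    events: iterable of (time_seconds, ap_name, client_mac) for packets that
    matched the signature (constructed input format, assumed for this model).
    """
    params.validate()
    ap_count = defaultdict(int)   # (ap, window) -> matches
    mac_count = defaultdict(int)  # (ap, window, client) -> matches
    last_detect = {}              # ap -> time of latest detection while alarming
    log = []

    def expire(now):
        # Stop alarms whose access point has been quiet for quiet_time seconds.
        for ap, seen in sorted(last_detect.items()):
            if now - seen >= params.quiet_time:
                log.append((seen + params.quiet_time, ap, "clear"))
                del last_detect[ap]

    for t, ap, client in sorted(events):
        expire(t)
        window = t // params.interval
        ap_count[(ap, window)] += 1
        mac_count[(ap, window, client)] += 1
        hit = None
        if mac_count[(ap, window, client)] >= params.mac_frequency:
            hit = "mac-frequency"
        elif ap_count[(ap, window)] >= params.frequency:
            hit = "frequency"
        if hit:
            if ap not in last_detect:
                log.append((t, ap, "raise:" + hit))
            last_detect[ap] = t  # every detection restarts the quiet timer
    expire(end_time)
    return log


# Constructed sample: one noisy client on ap1, five clients in one window on
# ap2, and a slow trickle on ap3 that stays below both thresholds.
SAMPLE_EVENTS = (
    [(t, "ap1", "client-a") for t in (0, 1, 2)]
    + [(20 + i, "ap2", f"client-{c}") for i, c in enumerate("bcdef")]
    + [(t, "ap3", f"client-{t}") for t in range(0, 60, 10)]
)

if __name__ == "__main__":
    params = SignatureParams(frequency=5, mac_frequency=3, interval=10, quiet_time=60)
    for entry in evaluate(params, SAMPLE_EVENTS, end_time=200):
        print(entry)
```

In the sample, ap1 alarms on the per-client threshold, ap2 on the per-access-point threshold, and ap3 never alarms because its six packets fall in six different intervals.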
Use the capwap ap commands to configure capwap access point settings.
To configure the controller IP address into the capwap access point from the access point’s console port, use the capwap ap controller ip address command.
capwap ap controller ip address ip_address
This command must be entered from an access point’s console port.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later.
This example shows how to configure the controller IP address 10.23.90.81 into the capwap access point:
capwap ap dot1x
capwap ap hostname
capwap ap ip address
capwap ap ip default-gateway
capwap ap log-server
capwap ap primary-base
capwap ap primed-timer
capwap ap secondary-base
capwap ap tertiary-base
To configure the dot1x username and password into the capwap access point from the access point’s console port, use the capwap ap dot1x command.
capwap ap dot1x username user_name password password
This command must be entered from an access point’s console port.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later.
This example shows how to configure the dot1x username ABC and password pass01:
capwap ap controller ip address
capwap ap hostname
capwap ap ip address
capwap ap ip default-gateway
capwap ap log-server
capwap ap primary-base
capwap ap primed-timer
capwap ap secondary-base
capwap ap tertiary-base
To configure the access point host name from the access point’s console port, use the capwap ap hostname command.
This command must be entered from an access point’s console port.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later. This command is available only for the Lightweight AP IOS Software recovery image (rcvk9w8) without any private-config. You can remove private-config by using the clear capwap private-config command.
This example shows how to configure the hostname WLC into the capwap access point:
capwap ap controller ip address
capwap ap dot1x
capwap ap ip address
capwap ap ip default-gateway
capwap ap log-server
capwap ap primary-base
capwap ap primed-timer
capwap ap secondary-base
capwap ap tertiary-base
To configure the IP address into the capwap access point from the access point’s console port, use the capwap ap ip address command.
capwap ap ip address ip_address
This command must be entered from an access point’s console port.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later.
This example shows how to configure the IP address 10.0.0.0.1 into the capwap access point:
capwap ap controller ip address
capwap ap dot1x
capwap ap hostname
capwap ap ip default-gateway
capwap ap log-server
capwap ap primary-base
capwap ap primed-timer
capwap ap secondary-base
capwap ap tertiary-base
To configure the default gateway from the access point’s console port, use the capwap ap ip default-gateway command.
capwap ap ip default-gateway default_gateway
This command must be entered from an access point’s console port.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later.
This example shows how to configure the capwap access point with the default gateway address 10.0.0.1:
capwap ap controller ip address
capwap ap dot1x
capwap ap hostname
capwap ap ip address
capwap ap log-server
capwap ap primary-base
capwap ap primed-timer
capwap ap secondary-base
capwap ap tertiary-base
To configure the system log server to log all the capwap errors, use the capwap ap log-server command.
capwap ap log-server ip_address
This command must be entered from an access point’s console port.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later.
This example shows how to configure the syslog server with the IP address 10.0.0.1:
capwap ap controller ip address
capwap ap dot1x
capwap ap hostname
capwap ap ip address
capwap ap ip default-gateway
capwap ap primary-base
capwap ap primed-timer
capwap ap secondary-base
capwap ap tertiary-base
To configure the primary controller name and IP address into the capwap access point from the access point’s console port, use the capwap ap primary-base command.
capwap ap primary-base controller_name controller_ip_address
This command must be entered from an access point’s console port.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later.
This example shows how to configure the primary controller name WLC1 and primary controller IP address 10.92.109.1 into the capwap access point:
capwap ap controller ip address
capwap ap dot1x
capwap ap hostname
capwap ap ip address
capwap ap ip default-gateway
capwap ap log-server
capwap ap primed-timer
capwap ap secondary-base
capwap ap tertiary-base
To configure the primed timer into the capwap access point, use the capwap ap primed-timer command.
capwap ap primed-timer {enable | disable}
This command must be entered from an access point’s console port.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later.
This example shows how to enable the primed-timer settings:
capwap ap controller ip address
capwap ap dot1x
capwap ap hostname
capwap ap ip address
capwap ap ip default-gateway
capwap ap log-server
capwap ap primary-base
capwap ap secondary-base
capwap ap tertiary-base
To configure the secondary controller name and IP address into the capwap access point from the access point’s console port, use the capwap ap secondary-base command.
capwap ap secondary-base controller_name controller_ip_address
This command must be entered from an access point’s console port.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later.
This example shows how to configure the secondary controller name WLC2 and secondary controller IP address 10.92.108.2 into the capwap access point:
capwap ap controller ip address
capwap ap dot1x
capwap ap hostname
capwap ap ip address
capwap ap ip default-gateway
capwap ap log-server
capwap ap primary-base
capwap ap primed-timer
capwap ap tertiary-base
To configure the tertiary controller name and IP address into the capwap access point from the access point’s console port, use the capwap ap tertiary-base command.
capwap ap tertiary-base controller_name controller_ip_address
This command must be entered from an access point’s console port.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later.
This example shows how to configure the tertiary controller name WLC3 and secondary controller IP address 10.80.72.2 into the capwap access point:
capwap ap controller ip address
capwap ap dot1x
capwap ap hostname
capwap ap ip address
capwap ap ip default-gateway
capwap ap log-server
capwap ap primary-base
capwap ap primed-timer
capwap ap secondary-base
To configure the controller IP address into the H-REAP access point from the access point’s console port, use the lwapp ap controller ip address command.
lwapp ap controller ip address ip_address
This command must be entered from an access point’s console port.
Prior to changing the H-REAP configuration on an access point using the access point’s console port, the access point must be in standalone mode (not connected to a controller) and you must remove the current LWAPP private configuration by using the clear lwapp private-config command.
Note: The access point must be running Cisco IOS Release 12.3(11)JX1 or later.
This example shows how to configure the controller IP address 10.92.109.1 into the H-REAP access point:
Use the save config command before you log out of the command line interface to save all previous configuration changes.
To save Cisco wireless LAN controller configurations, use the save config command.
This example shows how to save the Cisco wireless LAN controller settings:
Use the clear command to clear existing configurations, log files, and other functions.
To clear the current counters for an access control list (ACL), use the clear acl counters command.
Note: ACL counters are available only on the following controllers: Cisco 4400 Series Controller, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch.
This example shows how to clear the current counters for acl1:
To clear (reset to the default values) a lightweight access point’s configuration settings, use the clear ap-config command.
Entering this command does not clear the static IP address of the access point.
This example shows how to clear the access point’s configuration settings for the access point named ap1240_322115:
To delete the existing event log and create an empty event log file for a specific access point or for all access points joined to the controller, use the clear ap-eventlog command.
clear ap-eventlog {specific ap_name | all}
Name of the access point for which the event log file will be emptied.
Deletes the event log for all access points joined to the controller.
This example shows how to delete the event log for all access points:
To clear the join statistics for all access points or for a specific access point, use the clear ap join stats command.
clear ap join stats { all | ap_mac }
This example shows how to clear the join statistics of all the access points:
To clear the Address Resolution Protocol (ARP) table, use the clear arp command.
This example shows how to clear the ARP table:
clear transfer
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
To clear the traffic stream metrics (TSM) statistics for a particular access point or all the access points to which this client is associated, use the clear client tsm command.
clear client tsm { 802.11a | 802.11b } client_mac { ap_mac | all }
This example shows how to clear the TSM for the MAC address 00:40:96:a8:f7:98:
To reset configuration data to factory defaults, use the clear config command.
This example shows how to reset the configuration data to factory defaults:
clear transfer
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
To clear the external web authentication URL, use the clear ext-webauth-url command.
This example shows how to clear the external web authentication URL:
clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
To clear the license agent’s counter or session statistics, use the clear license agent command.
clear license agent { counters | sessions }
This example shows how to clear the license agent’s counter settings:
To clear a specific radio frequency identification (RFID) tag or all of the RFID tags in the entire database, use the clear location rfid command.
clear location rfid { mac_address | all }
This example shows how to clear all of the RFID tags in the database:
clear location statistics rfid
config location
show location
show location statistics rfid
To clear radio frequency identification (RFID) statistics, use the clear location statistics rfid command.
clear location statistics rfid
This example shows how to clear RFID statistics:
clear location statistics rfid
config location
show location
To clear the Location Protocol (LOCP) statistics, use the clear locp statistics command.
This example shows how to clear the statistics related to LOCP:
clear nmsp statistics
config nmsp notify-interval measurement
show nmsp notify-interval summary
show nmsp statistics
show nmsp status
To remove the login banner file from the controller, use the clear login-banner command.
This example shows how to clear the login banner file:
To clear (reset to default values) an access point’s current Lightweight Access Point Protocol (LWAPP) private configuration, which contains static IP addressing and controller IP address configurations, use the clear lwapp private-config command.
This command is executed from the access point console port.
Prior to changing the H-REAP configuration on an access point using the access point’s console port, the access point must be in standalone mode (not connected to a controller) and you must remove the current LWAPP private configuration by using the clear lwapp private-config command.
Note The access point must be running Cisco IOS Release 12.3(11)JX1 or higher releases.
This example shows how to clear an access point’s current LWAPP private configuration:
debug capwap
debug capwap reap
debug lwapp console cli
show capwap reap association
show capwap reap status
To clear the Network Mobility Services Protocol (NMSP) statistics, use the clear nmsp statistics command.
This example shows how to delete the NMSP statistics log file:
clear locp statistics
config nmsp notify-interval measurement
show nmsp notify-interval summary
show nmsp status
To clear the RADIUS accounting statistics on the controller, use the clear radius acct statistics command.
clear radius acct statistics [index | all]
This example shows how to clear the RADIUS accounting statistics:
To clear the RADIUS authentication server statistics in the controller, use the clear tacacs auth statistics command.
clear radius tacacs auth statistics [index | all]
This example shows how to clear the RADIUS authentication server statistics:
To clear the custom web authentication redirect URL on the Cisco wireless LAN controller, use the clear redirect-url command.
This example shows how to clear the custom web authentication redirect URL:
clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
To clear the WLAN statistics, use the clear stats ap wlan command.
This example shows how to clear the WLAN configuration elements of the access point cisco_ap:
To clear the local Extensible Authentication Protocol (EAP) statistics, use the clear stats local-auth command.
This example shows how to clear the local EAP statistics:
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
debug aaa local-auth
show local-auth certificates
show local-auth config
show local-auth statistics
To clear mobility manager statistics, use the clear stats mobility command.
This example shows how to clear mobility manager statistics:
clear transfer
clear download datatype
clear download filename
clear download mode
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
clear stats port
To clear statistics counters for a specific port, use the clear stats port command.
This example shows how to clear the statistics counters for port 9:
clear transfer
clear download datatype
clear download filename
clear download mode
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
To clear the statistics for one or more RADIUS servers, use the clear stats radius command.
clear stats radius {auth | acct} {index | all}
This example shows how to clear the statistics for all RADIUS authentication servers:
clear transfer
clear download datatype
clear download filename
clear download mode
clear download serverip
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
To clear all switch statistics counters on a Cisco wireless LAN controller, use the clear stats switch command.
This example shows how to clear all switch statistics counters:
clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download start
clear upload datatype
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
To clear the TACACS+ server statistics on the controller, use the clear stats tacacs command.
clear stats tacacs [auth | athr | acct] [index | all]
auth: (Optional) Clears the TACACS+ authentication server statistics.
athr: (Optional) Clears the TACACS+ authorization server statistics.
This example shows how to clear the TACACS+ accounting server statistics for index 1:
To clear the transfer information, use the clear transfer command.
This example shows how to clear the transfer information:
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload pac
transfer upload password
transfer upload path
transfer upload port
transfer upload serverip
transfer upload start
transfer upload username
To clear the trap log, use the clear traplog command.
This example shows how to clear the trap log:
clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
To clear the custom web authentication image, use the clear webimage command.
This example shows how to clear the custom web authentication image:
clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
To clear the custom web authentication message, use the clear webmessage command.
This example shows how to clear the custom web authentication message:
clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
To clear the custom web authentication title, use the clear webtitle command.
This example shows how to clear the custom web authentication title:
clear transfer
clear download datatype
clear download filename
clear download mode
clear download path
clear download serverip
clear download start
clear upload filename
clear upload mode
clear upload path
clear upload serverip
clear upload start
Use the reset command to schedule a reboot of the controller and access points.
To reset the system at a specified time, use the reset system at command.
reset system at YYYY-MM-DD HH:MM:SS image {no-swap | swap} reset-aps [save-config]
This example shows how to reset the system at 12:01:01 on 2010-03-29:
To specify the amount of time delay before the devices reboot, use the reset system in command.
reset system in HH:MM:SS image {swap | no-swap} reset-aps save-config
This example shows how to reset the system after a delay of 00:01:01:
To cancel a scheduled reset, use the reset system cancel command.
This example shows how to cancel a scheduled reset:
To configure the trap generation prior to scheduled resets, use the reset system notify-time command.
reset system notify-time minutes
minutes: Number of minutes before each scheduled reset at which to generate a trap.
This example shows how to configure the trap generation to 10 minutes before the scheduled resets:
Use the transfer command to transfer files to or from the Cisco wireless LAN controller.
To set the password for the .PEM file so that the operating system can decrypt the web administration SSL key and certificate, use the transfer download certpassword command.
transfer download certpassword private_key_password
This example shows how to transfer a file to the switch with the certificate’s private key password certpassword:
clear transfer
transfer download filename
transfer download mode
transfer download path
transfer download serverip
transfer download start
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload path
transfer upload serverip
transfer upload start
To set the download file type, use the transfer download datatype command.
transfer download datatype {config | code | image | signature | webadmincert | webauthbundle | eapdevcert | eapcacert}
webadmincert: Downloads a certificate for web administration to the system.
This example shows how to download an executable image to the system:
clear transfer
transfer download certpassword
transfer download filename
transfer download mode
transfer download path
transfer download serverip
transfer download start
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload path
transfer upload serverip
transfer upload start
To download a specific file, use the transfer download filename command.
transfer download filename filename
This example shows how to transfer a file named build603:
clear transfer
transfer download certpassword
transfer download mode
transfer download path
transfer download serverip
transfer download start
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload path
transfer upload serverip
transfer upload start
To set the transfer mode, use the transfer download mode command.
transfer download mode {ftp | tftp}
This example shows how to transfer a file using the tftp mode:
clear transfer
transfer download certpassword
transfer download filename
transfer download path
transfer download serverip
transfer download start
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload path
transfer upload serverip
transfer upload start
To set the password for an FTP transfer, use the transfer download password command.
transfer download password password
This example shows how to set the password for FTP transfer to pass01:
transfer download mode
transfer download port
transfer download username
To set a specific FTP or TFTP path, use the transfer download path command.
Note Pathnames on a TFTP or FTP server are relative to the server’s default or root directory. For example, in the case of the Solarwinds TFTP server, the path is “/”.
This example shows how to transfer a file to the path c:\install\version2:
clear transfer
transfer download certpassword
transfer download filename
transfer download mode
transfer download serverip
transfer download start
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload path
transfer upload serverip
transfer upload start
To specify the FTP port, use the transfer download port command.
This example shows how to specify FTP port number 23:
transfer download mode
transfer download password
transfer download username
To configure the IP address of the TFTP server from which to download information, use the transfer download serverip command.
transfer download serverip TFTP_server ip_address
This example shows how to configure the IP address of the TFTP server with the IP address 175.34.56.78:
clear transfer
transfer download certpassword
transfer download filename
transfer download mode
transfer download path
transfer download start
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload path
transfer upload serverip
transfer upload start
To initiate a download, use the transfer download start command.
This example shows how to initiate a download:
clear transfer
transfer download certpassword
transfer download filename
transfer download mode
transfer download path
transfer download serverip
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload path
transfer upload serverip
transfer upload start
To specify the TFTP packet timeout, use the transfer download tftpPktTimeout command.
transfer download tftpPktTimeout timeout
This example shows how to transfer a file with the TFTP packet timeout of 55 seconds:
clear transfer
transfer download certpassword
transfer download filename
transfer download mode
transfer download path
transfer download serverip
transfer download start
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload path
transfer upload serverip
transfer upload start
To specify the number of allowed TFTP packet retries, use the transfer download tftpMaxRetries command.
transfer download tftpMaxRetries retries
retries: Number of allowed TFTP packet retries between 1 and 254 seconds.
This example shows how to set the number of allowed TFTP packet retries to 55:
clear transfer
transfer download certpassword
transfer download filename
transfer download mode
transfer download path
transfer download serverip
transfer download start
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload path
transfer upload serverip
transfer upload start
To specify the FTP username, use the transfer download username command.
transfer download username username
This example shows how to set the FTP username to ftp_username:
transfer download mode
transfer download password
transfer download port
To configure encryption for configuration file transfers, use the transfer encrypt command.
transfer encrypt { enable | disable | set-key key }
set-key key: Specifies the encryption key for configuration file transfers.
This example shows how to enable the encryption settings:
clear transfer
transfer download datatype
transfer download filename
transfer download mode
transfer download path
transfer download serverip
transfer upload datatype
transfer download filename
transfer download mode
transfer download path
transfer download serverip
transfer download start
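The following Python linter is an added example, not Cisco code: it checks a planned list of transfer commands against the keyword sets given in this chapter's syntax lines and flags a config transfer that is started without transfer encrypt enable. The finding codes, the runbook format, the sample runbook, and the rule that datatype, mode, serverip and filename must be set before start are assumptions of this example, not controller behavior.

```python
import ipaddress

# Keyword sets copied from the syntax lines in this reference.
DATATYPES = {
    "download": {"config", "code", "image", "signature", "webadmincert",
                 "webauthbundle", "eapdevcert", "eapcacert"},
    "upload": {"config", "coredump", "crashfile", "errorlog", "invalid-config",
               "pac", "packet-capture", "panic-crash-file", "radio-core-dump",
               "signature", "systemtrace", "traplog", "watchdog-crash-file"},
}
MODES = {"ftp", "tftp"}
SECRET_KEYWORDS = {"password", "certpassword"}
# Assumption of this linter, not a controller rule: the runbook sets these itself
# instead of relying on values left over from an earlier session.
REQUIRED_BEFORE_START = ("datatype", "mode", "serverip", "filename")


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def _check_value(direction, keyword, args):
    """Return a finding code for a bad value, or None if it is acceptable."""
    value = args[-1] if args else ""
    if keyword == "datatype" and value not in DATATYPES[direction]:
        return "BAD_DATATYPE"
    if keyword == "mode" and value not in MODES:
        return "BAD_MODE"
    if keyword == "serverip" and not _is_ipv4(value):
        return "BAD_SERVERIP"
    if keyword == "tftpMaxRetries":
        if not (value.isdigit() and 1 <= int(value) <= 254):
            return "BAD_RETRIES"
    return None


def lint_transfer_runbook(text):
    """Return (line_no, code) findings for a list of transfer commands."""
    findings = []
    encrypt_on = False  # assumption: off unless the runbook enables it
    params = {"download": {}, "upload": {}}
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok == ["clear", "transfer"]:
            params = {"download": {}, "upload": {}}
            continue
        if tok[0] != "transfer" or len(tok) < 3:
            findings.append((no, "UNKNOWN_COMMAND"))
            continue
        if tok[1] == "encrypt":
            if tok[2] in ("enable", "disable") and len(tok) == 3:
                encrypt_on = tok[2] == "enable"
            elif not (tok[2] == "set-key" and len(tok) == 4):
                findings.append((no, "BAD_ENCRYPT_ACTION"))
            continue
        if tok[1] not in params:
            findings.append((no, "UNKNOWN_COMMAND"))
            continue
        direction, keyword, args = tok[1], tok[2], tok[3:]
        if keyword == "start":
            current = params[direction]
            for name in REQUIRED_BEFORE_START:
                if name not in current:
                    findings.append((no, "MISSING_" + name.upper()))
            if current.get("datatype") == "config" and not encrypt_on:
                findings.append((no, "CONFIG_UNENCRYPTED"))
            continue
        problem = _check_value(direction, keyword, args)
        if problem:
            findings.append((no, problem))
            continue
        if keyword in SECRET_KEYWORDS:
            # The secret sits in the runbook file in the clear.
            findings.append((no, "SECRET_LITERAL"))
        params[direction][keyword] = args[-1] if args else ""
    return findings


# Constructed runbook for illustration; values reuse this chapter's examples.
SAMPLE_RUNBOOK = """\
# constructed: pull a controller config over TFTP
clear transfer
transfer download datatype config
transfer download mode tftp
transfer download serverip 175.34.56.78
transfer download filename build603
transfer download tftpMaxRetries 300
transfer download start
# constructed: push the config back with encryption enabled
transfer encrypt enable
transfer upload datatype config
transfer upload mode sftp
transfer upload serverip 175.31.56.78
transfer upload filename build603
transfer upload password pass01
transfer upload start
"""

if __name__ == "__main__":
    for line_no, code in lint_transfer_runbook(SAMPLE_RUNBOOK):
        print(f"line {line_no}: {code}")
```

Both modes offered by transfer download mode and transfer upload mode, FTP and TFTP, carry data unencrypted on the wire, which is why the linter treats transfer encrypt as mandatory for config files.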
To set the controller to upload specified log and crash files, use the transfer upload datatype command.
transfer upload datatype { config | coredump | crashfile | errorlog | invalid-config | pac | packet-capture | panic-crash-file | radio-core-dump | signature | systemtrace | traplog | watchdog-crash-file }
watchdog-crash-file: Uploads a console dump file resulting from a software-watchdog-initiated controller reboot following a crash.
This example shows how to upload the system error log file:
clear transfer
transfer upload filename
transfer upload mode
transfer upload pac
transfer upload password
transfer upload path
transfer upload port
transfer upload serverip
transfer upload start
transfer upload username
To upload a specific file, use the transfer upload filename command.
transfer upload filename filename
This example shows how to upload a file named build603:
clear transfer
transfer upload datatype
transfer upload mode
transfer upload pac
transfer upload password
transfer upload path
transfer upload port
transfer upload serverip
transfer upload start
transfer upload username
To configure the transfer mode, use the transfer upload mode command.
transfer upload mode { ftp | tftp }
This example shows how to set the transfer mode to TFTP:
clear transfer
transfer upload datatype
transfer upload filename
transfer upload pac
transfer upload password
transfer upload path
transfer upload port
transfer upload serverip
transfer upload start
transfer upload username
To load a Protected Access Credential (PAC) to support the local authentication feature and allow a client to import the PAC, use the transfer upload pac command.
transfer upload pac username validity password
This example shows how to upload a PAC with the username user1, validity period 53, and password pass01:
clear transfer
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload password
transfer upload path
transfer upload port
transfer upload serverip
transfer upload start
transfer upload username
To configure the password for FTP transfer, use the transfer upload password command.
transfer upload password password
This example shows how to configure the password for the FTP transfer to pass01:
clear transfer
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload pac
transfer upload path
transfer upload port
transfer upload serverip
transfer upload start
transfer upload username
To set a specific upload path, use the transfer upload path command.
This example shows how to set the upload path to c:\install\version2:
clear transfer
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload pac
transfer upload password
transfer upload port
transfer upload serverip
transfer upload start
transfer upload username
To specify the FTP port, use the transfer upload port command.
This example shows how to specify FTP port 23:
clear transfer
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload pac
transfer upload password
transfer upload path
transfer upload serverip
transfer upload start
transfer upload username
To configure the IP address of the TFTP server to upload files to, use the transfer upload serverip command.
transfer upload serverip ip_address
This example shows how to set the IP address of the TFTP server to 175.31.56.78:
clear transfer
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload pac
transfer upload password
transfer upload path
transfer upload port
transfer upload start
transfer upload username
To initiate an upload, use the transfer upload start command.
This example shows how to initiate an upload of a file:
clear transfer
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload pac
transfer upload password
transfer upload path
transfer upload port
transfer upload serverip
transfer upload username
To specify the FTP username, use the transfer upload username command.
transfer upload username username
username: Username required to access the FTP server. The username can contain up to 31 characters.
This example shows how to set the FTP username to ftp_username:
clear transfer
transfer upload datatype
transfer upload filename
transfer upload mode
transfer upload pac
transfer upload password
transfer upload path
transfer upload port
transfer upload serverip
transfer upload start
Use the license commands to install, remove, modify, or rehost licenses.
Note The license commands are available only on the Cisco 5500 Series Controller.
Note For detailed information on installing and rehosting licenses on the Cisco 5500 Series Controller, see the “Installing and Configuring Licenses” section in Chapter 4 of the Cisco Wireless LAN Controller Configuration Guide.
To remove a license from the Cisco 5500 Series Controller, use the license clear command.
You can delete an expired evaluation license or any unused license. You cannot delete unexpired evaluation licenses, the permanent base image license, or licenses that are in use by the controller.
This example shows how to remove the license settings of the license named wplus-ap-count:
license comment
license install
license revoke
license save
show license all
To add comments to a license or delete comments from a license on the Cisco 5500 Series Controller, use the license comment command.
license comment { add | delete } license_name comment_string
This example shows how to add the comment “wplus ap count license” to the license named wplus-ap-count:
license clear
license install
license revoke
license save
show license all
To install a license on the Cisco 5500 Series Controller, use the license install command.
URL of the TFTP server (tftp://server_ip/path/filename).
We recommend that the access point count be the same for the base-ap-count and wplus-ap-count licenses installed on your controller. If your controller has a base-ap-count license of 100 and you install a wplus-ap-count license of 12, the controller supports up to 100 access points when the base license is in use but only a maximum of 12 access points when the wplus license is in use.
You cannot install a wplus license that has an access point count greater than the controller's base license. For example, you cannot apply a wplus-ap-count 100 license to a controller with an existing base-ap-count 12 license. If you attempt to register for such a license, an error message appears indicating that the license registration has failed. Before upgrading to a wplus-ap-count 100 license, you would first have to upgrade the controller to a base-ap-count 100 or 250 license.
This example shows how to install a license on the controller from the URL tftp://10.10.10.10/path/license.lic:
license clear
license modify priority
license revoke
license save
show license all
To raise or lower the priority of the base-ap-count or wplus-ap-count evaluation license on a Cisco 5500 Series Controller, use the license modify priority command.
license modify priority license_name { high | low }
If you are considering upgrading to a license with a higher access point count, you can try an evaluation license before upgrading to a permanent version of the license. For example, if you are using a permanent license with a 50 access point count and want to try an evaluation license with a 100 access point count, you can try out the evaluation license for 60 days.
AP-count evaluation licenses are set to low priority by default so that the controller uses the ap-count permanent license. If you want to try an evaluation license with an increased access point count, you must change its priority to high. If you no longer want to have this higher capacity, you can lower the priority of the ap-count evaluation license, which forces the controller to use the permanent license.
Note You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses always have a medium priority, which cannot be configured.
Note If the ap-count evaluation license is a wplus license and the ap-count permanent license is a base license, you must also change the feature set to wplus.
Note To prevent disruptions in operation, the controller does not switch licenses when an evaluation license expires. You must reboot the controller in order to return to a permanent license. Following a reboot, the controller defaults to the same feature set level as the expired evaluation license. If no permanent license at the same feature set level is installed, the controller uses a permanent license at another level or an unexpired evaluation license.
This example shows how to set the priority of the wplus-ap-count to high:
license clear
license install
license revoke
license save
show license all
To rehost a license on a Cisco 5500 Series Controller, use the license revoke command.
license revoke { permission_ticket_url | rehost rehost_ticket_url }
permission_ticket_url: URL of the TFTP server (tftp://server_ip/path/filename) where you saved the permission ticket.
rehost_ticket_url: URL of the TFTP server (tftp://server_ip/path/filename) where you saved the rehost ticket.
Before you revoke a license, save the device credentials by using the license save credential url command.
You can rehost all permanent licenses except the permanent base image license. Evaluation licenses and the permanent base image license cannot be rehosted.
In order to rehost a license, you must generate credential information from the controller and use it to obtain a permission ticket to revoke the license from the Cisco licensing site (https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet). Next, you must obtain a rehost ticket and use it to obtain a license installation file for the controller on which you want to install the license.
For detailed information on rehosting licenses, see the “Installing and Configuring Licenses” section in Chapter 4 of the Cisco Wireless LAN Controller Configuration Guide.
This example shows how to revoke the license settings from the saved permission ticket URL tftp://10.10.10.10/path/permit_ticket.lic:
This example shows how to revoke the license settings from the saved rehost ticket URL tftp://10.10.10.10/path/rehost_ticket.lic:
license clear
license install
license modify priority
license save
show license all
To save a backup copy of all installed licenses or license credentials on the Cisco 5500 Series Controller, use the license save command.
URL of the TFTP server (tftp://server_ip/path/filename).
Save the device credentials before you revoke the license by using the license revoke command.
This example shows how to save a backup copy of all installed licenses or license credentials on tftp://10.10.10.10/path/cred.lic:
license clear
license install
license modify priority
license revoke
show license all
Use the debug commands to manage system debugging.
Note Enabling all debug commands on a system with many clients authenticating may result in some debugs being lost.
To configure AAA debug options, use the debug aaa command.
debug aaa {[ all | detail | events | packet | ldap | local-auth | tacacs ] [ enable | disable ]}
ldap: (Optional) Specifies debugging of the AAA Lightweight Directory Access Protocol (LDAP) events.
local-auth: (Optional) Specifies debugging of the AAA local Extensible Authentication Protocol (EAP) events.
This example shows how to enable the debugging of AAA LDAP events:
To debug AAA local authentication on the controller, use the debug aaa local-auth command.
debug aaa local-auth { db | shim | eap { framework | method } { all | errors | events | packets | sm }} { enable | disable }
This example shows how to enable the debugging of the AAA local EAP authentication:
clear stats local-auth
config local-auth active-timeout
config local-auth eap-profile
config local-auth method fast
config local-auth user-credentials
show local-auth certificates
show local-auth config
show local-auth statistics
To configure the Airewave Director software debug options, use the debug airewave-director command.
debug airewave-director {all | channel | detail | error | group | manager | message | packet | power | profile | radar | rf-change} { enable | disable }
This example shows how to enable the debugging of Airewave Director profile events:
To enable or disable remote debugging of Cisco lightweight access points or to remotely execute a command on a lightweight access point, use the debug ap command.
debug ap { enable | disable | command cmd } cisco_ap
This example shows how to enable remote debugging on access point AP01:
This example shows how to execute the config ap location command on access point AP02:
This example shows how to execute the flash LED command on access point AP03:
To enable or disable remote debugging of Cisco lightweight access points or to remotely execute a command on a lightweight access point, use the debug ap enable command.
debug ap { enable | disable | command cmd } cisco_ap
This example shows how to enable remote debugging on access point AP01:
This example shows how to disable remote debugging on access point AP02:
This example shows how to execute the flash LED command on access point AP03:
To configure Address Resolution Protocol (ARP) debug options, use the debug arp command.
debug arp { all | detail | events | message } { enable | disable }
This example shows how to enable ARP debug settings:
This example shows how to disable ARP debug settings:
To configure debugging of broadcast options, use the debug bcast command.
debug bcast { all | error | message | igmp | detail } { enable | disable }
This example shows how to enable broadcast debug settings:
This example shows how to disable broadcast debug settings:
To configure Call Admission Control (CAC) debug options, use the debug cac command.
debug cac { all | event | packet } { enable | disable }
This example shows how to enable debug CAC settings:
config 802.11 cac video acm
config 802.11 { enable | disable } network
config 802.11 cac video max-bandwidth
config 802.11 cac video roam-bandwidth
config 802.11 cac video tspec-inactivity-timeout
config 802.11 cac voice acm
config 802.11 cac voice load-based
config 802.11 cac voice max-bandwidth
config 802.11 cac voice roam-bandwidth
config 802.11 cac voice stream-size
config 802.11 cac voice tspec-inactivity-timeout
To debug the SIP call control settings, use the debug call-control command.
debug call-control { all | event } { enable | disable }
all: Configures debugging options for all SIP call control messages.
This example shows how to enable debugging of all SIP call control messages:
To obtain troubleshooting information about Control and Provisioning of Wireless Access Points (CAPWAP) settings, use the debug capwap command.
debug capwap { detail | dtls-keepalive | errors | events | hexdump | info | packet | payload } { enable | disable }
dtls-keepalive: Configures debugging for CAPWAP DTLS data keepalive packets settings.
This example shows how to enable debug CAPWAP detail settings:
clear lwapp private-config
debug disable-all
show capwap reap association
show capwap reap status
To obtain troubleshooting information about Control and Provisioning of Wireless Access Points (CAPWAP) settings on a Hybrid Remote Edge Access Point (hybrid-REAP) access point, use the debug capwap reap command.
debug capwap reap [ mgmt | load ]
This example shows how to debug hybrid-REAP client authentication and association messages:
clear lwapp private-config
debug disable-all
show capwap reap association
show capwap reap status
To debug if the passive client is associated correctly with the access point and if the passive client has moved into the DHCP required state at the controller, use the debug client command.
This example shows how to debug a passive client with MAC address 00:0d:28:f4:c0:45:
debug disable-all
show capwap reap association
show capwap reap status
To configure hardware cryptographic debug options, use the debug crypto command.
debug crypto { all | sessions | trace | warning } { enable | disable }
This example shows how to enable the debugging of hardware crypto sessions:
To configure DHCP debug options, use the debug dhcp command.
debug dhcp { message | packet } { enable | disable }
This example shows how to enable DHCP debug settings:
config dhcp
config dhcp proxy
config interface dhcp
config wlan dhcp_server
debug dhcp service-port
debug disable-all
show dhcp
show dhcp proxy
To enable or disable debugging of Dynamic Host Configuration Protocol (DHCP) packets on the service port, use the debug dhcp service-port command.
debug dhcp service-port { enable | disable }
This example shows how to enable debugging of DHCP packets on a service port:
config dhcp
config dhcp proxy
config interface dhcp
config wlan dhcp_server
debug dhcp
debug disable-all
show dhcp
show dhcp proxy
To disable all debug messages, use the debug disable-all command.
This example shows how to disable all debug messages:
To configure dot11 events debug options, use the debug dot11 command.
debug dot11 {all | load-balancing | management | mobile | rfid | rldp | rogue | state} { enable | disable }
This example shows how to enable dot11 debug settings:
debug disable-all
debug dot11 mgmt interface
debug dot11 mgmt msg
debug dot11 mgmt ssid
debug dot11 mgmt state-machine
debug dot11 mgmt station
To debug 802.11 management interface events, use the debug dot11 mgmt interface command.
This example shows how to debug dot11 management interface events:
debug disable-all
debug dot11
debug dot11 mgmt msg
debug dot11 mgmt ssid
debug dot11 mgmt state-machine
debug dot11 mgmt station
To debug 802.11 management messages, use the debug dot11 mgmt msg command.
This example shows how to debug dot11 management messages:
debug disable-all
debug dot11
debug dot11 mgmt interface
debug dot11 mgmt ssid
debug dot11 mgmt state-machine
debug dot11 mgmt station
To debug 802.11 Service Set Identifier (SSID) management events, use the debug dot11 mgmt ssid command.
This example shows how to debug dot11 SSID management events:
debug disable-all
debug dot11
debug dot11 mgmt interface
debug dot11 mgmt msg
debug dot11 mgmt state-machine
debug dot11 mgmt station
To debug the 802.11 state machine, use the debug dot11 mgmt state-machine command.
debug dot11 mgmt state-machine
This example shows how to debug dot11 state machine settings:
debug disable-all
debug dot11
debug dot11 mgmt interface
debug dot11 mgmt msg
debug dot11 mgmt ssid
debug dot11 mgmt station
To debug client events, use the debug dot11 mgmt station command.
This example shows how to debug management station settings:
debug disable-all
debug dot11
debug dot11 mgmt interface
debug dot11 mgmt msg
debug dot11 mgmt ssid
debug dot11 mgmt state-machine
To configure dot1x debug options, use the debug dot1x command.
debug dot1x {aaa | all | events | packet | states} { enable | disable }
This example shows how to enable debugging of dot1x mobile state transitions:
This example shows how to disable debugging of all dot1x interactions:
debug disable-all
debug dot11
debug dot11 mgmt interface
debug dot11 mgmt msg
debug dot11 mgmt ssid
debug dot11 mgmt state-machine
debug dot11 mgmt station
To enable or disable debugging of access point groups, use the debug group command.
debug group { enable | disable }
This example shows how to enable debugging of access point groups:
To enable or disable debugging of hybrid-REAP (HREAP) backup RADIUS server events or errors, use the debug hreap aaa command.
debug hreap aaa { event | error } { enable | disable }
This example shows how to enable debugging of HREAP RADIUS server events:
debug disable-all
debug hreap cckm
debug hreap group
config hreap group
show hreap group detail
show hreap group summary
show radius summary
To enable or disable debugging of hybrid-REAP (HREAP) Cisco Centralized Key Management (CCKM fast roaming), use the debug hreap cckm command.
debug hreap cckm { enable | disable }
This example shows how to enable debugging of HREAP CCKM fast roaming events:
debug disable-all
debug hreap aaa
debug hreap group
config hreap group
show hreap group detail
show hreap group summary
show radius summary
To enable or disable debugging of hybrid-REAP (HREAP) access point groups, use the debug hreap group command.
debug hreap group { enable | disable }
This example shows how to enable debugging of HREAP access point groups:
debug disable-all
debug hreap aaa
debug hreap cckm
config hreap group
show hreap group detail
show hreap group summary
To configure debugging of Layer 2 age timeout messages, use the debug l2age command.
debug l2age { enable | disable }
This example shows how to enable Layer 2 age debug settings:
To begin debugging the access point console CLI, use the debug lwapp console cli command from the access point console port.
This access point CLI command must be entered from the access point console port.
This example shows how to begin debugging the access point console:
To configure MAC address debugging, use the debug mac command.
debug mac { disable | addr MAC }
This example shows how to configure MAC address debugging settings:
To enable or disable debugging of errors or events during controller memory allocation, use the debug memory command.
debug memory { errors | events } { enable | disable }
This example shows how to enable debugging of memory leak events:
config memory monitor errors
config memory monitor leaks
show memory monitor
To begin debugging mesh security problems, use the debug mesh security command.
debug mesh security { all | events | errors } { enable | disable }
This example shows how to enable debugging of mesh security error messages:
To debug wireless mobility issues, use the debug mobility command.
debug mobility {{ directory | handoff | multicast } { enable | disable } | keep-alive { enable | disable } IP_address }
This example shows how to enable debugging of wireless mobility packets:
config guest-lan mobility anchor
config mobility group domain
config mobility group keepalive count
config mobility group keepalive interval
config mobility group member
config mobility group multicast-address
config mobility multicast-mode
config mobility secure-mode
config mobility statistics reset
config wlan mobility anchor
show mobility anchor
show mobility statistics
show mobility summary
To configure debugging of Network Access Control (NAC), use the debug nac command.
debug nac { events | packet } { enable | disable }
This example shows how to enable NAC debug settings:
show nac statistics
show nac summary
config guest-lan nac
config wlan nac
To configure debugging of the Network Mobility Services Protocol (NMSP), use the debug nmsp command.
debug nmsp { all | connection | detail | error | event | message | packet }
Configures debugging for NMSP transmit and receive messages.
This example shows how to configure debugging of NMSP connection events:
clear nmsp statistics
debug disable-all
config nmsp notify-interval measurement
To configure debugging of the Network Time Protocol (NTP), use the debug ntp command.
debug ntp { detail | low | packet } { enable | disable }
This example shows how to enable NTP debug settings:
To configure logging of packets sent to the controller CPU, use the debug packet logging command.
debug packet logging { acl | disable | enable { rx | tx | all } packet_count display_size | format { hex2pcap | text2pcap }}
debug packet logging acl { clear-all | driver { rule_index action npu_encap port } | eoip-eth { rule_index action dst src type vlan }| eoip-ip { rule_index action src dst proto src_port dst_port } | eth { rule_index action dst src type vlan } | ip { rule_index action src dst proto src_port dst_port }| lwapp-dot11 { rule_index action dst src bssid type }| lwapp-ip { rule_index action src dst proto src_port dst_port }}
This example shows how to enable logging of the packets:
To configure the access policy manager debug options, use the debug pem command.
debug pem { events | state } { enable | disable }
This example shows how to enable access policy manager debug settings:
To configure debugging of the security policy manager module, use the debug pm command.
debug pm { all disable | { config | hwcrypto | ikemsg | init | list | message | pki | rng | rules | sa-export | sa-import | ssh-l2tp | ssh-appgw | ssh-engine | ssh-int | ssh-pmgr | ssh-ppp | ssh-tcp } { enable | disable }}
This example shows how to configure debugging of PKI-related events:
To configure debugging of Power over Ethernet (PoE) debug options, use the debug poe command.
debug poe { detail | error | message } { enable | disable }
This example shows how to enable PoE debug settings:
To configure Router Blade Control (RBCP) debug options, use the debug rbcp command.
debug rbcp {all | detail | errors | packet} { enable | disable }
This example shows how to enable RBCP debug settings:
To configure radio-frequency identification (RFID) debug options, use the debug rfid command.
debug rfid {all | detail | errors | nmsp | receive} { enable | disable }
Configures debugging of RFID Network Mobility Services Protocol (NMSP) messages.
This example shows how to enable debugging of RFID error messages:
To debug the access point monitor service, use the debug service ap-monitor command.
debug service ap-monitor { all | error | event | nmsp | packet } { enable | disable }
Configures debugging of access point monitor Network Mobility Services Protocol (NMSP) events.
This example shows how to debug access point monitor NMSP events:
To configure SNMP debug options, use the debug snmp command.
debug snmp {agent | all | mib | trap} { enable | disable }
This example shows how to enable SNMP debug settings:
To configure transfer debug options, use the debug transfer command.
debug transfer {all | tftp | trace} { enable | disable }
This example shows how to enable transfer/upgrade settings:
To configure WLAN Control Protocol (WCP) debug options, use the debug wcp command.
debug wcp { events | packet } { enable | disable }
This example shows how to enable WCP debug settings:
To troubleshoot Wireless Provisioning Service (WPS) signature settings, use the debug wps sig command.
debug wps sig { enable | disable }
This example shows how to enable WPS signature settings:
To debug WPS Management Frame Protection (MFP) settings, use the debug wps mfp command.
debug wps mfp { client | capwap | detail | report | mm } { enable | disable }
Configures debugging for MFP messages between the controller and access points.
Configures debugging for MFP mobility (inter-controller) messages.
This example shows how to enable debugging of WPS MFP settings:
To test the mobility Ethernet over IP (EoIP) data packet communication between two controllers, use the eping command.
eping mobility_peer_IP_address
IP address of a controller that belongs to a mobility group.
This command tests the mobility data traffic over the management interface.
Note: This ping test is not Internet Control Message Protocol (ICMP) based. The term “ping” is used to indicate an echo request and an echo reply message.
This example shows how to test EoIP data packets and to set the IP address of a controller that belongs to a mobility group to 172.12.35.31:
To test mobility UDP control packet communication between two controllers, use the mping command.
mping mobility_peer_IP_address
IP address of a controller that belongs to a mobility group.
This test runs over mobility UDP port 16666. It tests whether the mobility control packet can be reached over the management interface.
Note: This ping test is not Internet Control Message Protocol (ICMP) based. The term “ping” is used to indicate an echo request and an echo reply message.
This example shows how to test mobility UDP control packet communications and to set the IP address of a controller that belongs to a mobility group to 172.12.35.31:
eping
config logging buffered debugging
show logging
debug mobility handoff enable