Juniper WLC 100

Mobility System Software
7.5 Command Reference Guide
Release
7.5
July 2011
Juniper Networks, Inc.

1194 Matilda Ave
Sunnyvale, CA 94089
Tel: +1 925-474-2200
Fax: +1 925-251-0642
Toll-Free: 877-359-8779
www.juniper.net
2011 Juniper Networks, Inc. All rights reserved.
Trademarks
Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo,
NetScreen-Global Pro, ScreenOS, and GigaScreen are registered trademarks of Juniper Networks, Inc. in
the United States and other countries.
The following are trademarks of Juniper Networks, Inc.: ERX, ESP, E-series, Instant Virtual Extranet,
Internet Processor, J2300, J4300, J6300, J-Protect, J-series, J-Web, JUNOS, JUNOScope, JUNOScript,
JUNOSe, M5, M7i, M10, M10i, M20, M40, M40e, M160, M320, M-series, MMD, NetScreen-5GT,
NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-204, NetScreen-208,
NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-IDP 10, NetScreen-IDP 100,
NetScreen-IDP 500, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-SA
1000 Series, NetScreen-SA 3000 Series, NetScreen-SA 5000 Series, NetScreen-SA Central Manager,
NetScreen Secure Access, NetScreen-SM 3000, NetScreen-Security Manager, NMC-RX, SDX, Stateful
Signature, T320, T640, T-series, and TX Matrix. All other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners. All specifications are
subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this
document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this
publication without notice
Copyright 2011, Juniper Networks, Inc.
Disclaimer
All statements, specifications, recommendations, and technical information are current or planned as of
the date of the publication of this document. They are reliable as of the time of this writing and are
presented without warranty of any kind, expressed or implied. In an effort to continuously improve the
product and add features, Juniper Networks reserves the right to change any specifications contained in
this document without prior notice of any kind.
Copyright 2011, Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo, NetScreen-Global Pro, ScreenOS, and GigaScreen are
registered trademarks of Juniper Networks, Inc. in the United States and other countries.
The following are trademarks of Juniper Networks, Inc.: ERX, ESP, E-series, Instant Virtual Extranet, Internet Processor, J2300, J4300, J6300, J-Protect, J-series, J-Web,
JUNOS, JUNOScope, JUNOScript, JUNOSe, M5, M7i, M10, M10i, M20, M40, M40e, M160, M320, M-series, MMD, NetScreen-5GT, NetScreen-5XP,
NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-IDP 10, NetScreen-IDP
100, NetScreen-IDP 500, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-SA 1000 Series, NetScreen-SA 3000 Series, NetScreen-SA
5000 Series, NetScreen-SA Central Manager, NetScreen Secure Access, NetScreen-SM 3000, NetScreen-Security Manager, NMC-RX, SDX, Stateful Signature, T320,
T640, T-series, and TX Matrix. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All
specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the
right to change, modify, transfer, or otherwise revise this publication without notice.
Introducing the Juniper Networks Mobility System

Juniper Networks Mobility System 5
Documentation 5
This command reference explains Mobility System Software (MSS) command line interface (CLI)
commands that you enter on a Mobility Exchange to configure and manage the Juniper Networks
Mobility System wireless LAN (WLAN).
Read this reference if you are a network administrator responsible for managing Mobility Exchange (MX)
switches and Mobility Point (MP) access points in a network.
Juniper Networks Mobility System

The Juniper Networks Mobility System is an enterprise-class WLAN solution that seamlessly integrates
with an existing wired enterprise network. The Juniper system provides secure connectivity to both
wireless and wired users in large environments such as office buildings, hospitals, and university
campuses and in small environments such as branch offices.
The Juniper Mobility System fulfills the three fundamental requirements of an enterprise WLAN: It
eliminates the distinction between wired and wireless networks, allows users to work safely from anywhere
(secure mobility), and provides a comprehensive suite of intuitive tools for planning and managing the
network before and after deployment, greatly easing the operational burden on IT resources.
The Juniper Networks Mobility System consists of the following components:
RingMaster tool suite A full-featured graphical user interface (GUI) application used to plan,
configure, deploy, and manage a WLAN and its users
One or more Mobility Exchange (MX) switches Distributed, intelligent machines for
managing user connectivity, connecting and powering Mobility Point (MP) access points, and
connecting the WLAN to the wired network backbone
Multiple Mobility Point (MP) access points Wireless access points (APs) that transmit
and receive radio frequency (RF) signals to and from wireless users and connect them to an
MX switch
Mobility System Software (MSS) The operating system that runs all MX switches and
MPs in a WLAN, and is accessible through a command-line interface (CLI), the Web View
interface, or the RingMaster GUI.
Documentation
Consult the following documents to plan, install, configure, and manage a Juniper Networks Mobility
System.
Planning, Configuration, and Deployment
RingMaster Quick Start Guide Instructions for installing and configuring RingMaster services.
RingMaster Planning Guide Instructions for planning, deploying, and managing the entire
WLAN with the RingMaster tool suite. Read this guide to learn how to plan wireless services.
Juniper Networks Mobility System
RingMaster Management Guide Instructions for managing and monitoring your WLAN using
the RingMaster tool suite and how to optimize and manage your WLAN.
Installation
Juniper Mobility Exchange Hardware Installation Guide Instructions and specifications for
installing an MX.
JuniperMobility System Software Quick Start Guide Instructions for performing basic setup of
secure (802.1X) and guest (WebAAA) access, and for configuring a Mobility Domain for
roaming
Juniper Indoor Mobility Point Installation Guide Instructions and specifications for installing an
MP access point and connecting it to an MX.
Juniper Outdoor Mobility Point Installation Guide Instructions and specifications for installing
outdoor access points and connecting to an MX.
Juniper Regulatory Information Important safety instructions and compliance information that
you must read before installing Juniper Networks products.
Configuration and Management
RingMaster Configuration Guide Instructions for planning, configuring, deploying, and

managing the entire WLAN with the RingMaster tool suite
Juniper Mobility System Software Users Guide Instructions for configuring advanced
features through the MSS CLI.
Juniper Mobility System Software Command Reference Functional and alphabetic reference
to all MSS commands supported on MXs and MPs.
Documentation Symbols Key
Informational Note: Indicates important features or instructions.
Caution: This situation or condition can lead to data loss or damage to the product or other property
Warning: Alerts you to the risk of personal injury or death.
Hypertext Links
Hypertext links appear in Blue. For example, this is a link to END USER LICENSE AGREEMENT.
Documentation Symbols Key
Text and Syntax Conventions

Juniper guides use the following text and syntax conventions:
Table 1.
Convention
Description
Example
Bold text like this
Represents text that you type.
Represents text that you type.
Fixed-width text
like this
Represents output that appears on the
user@host> show chassis alarms
terminal screen.
No alarms currently active
Italic text like this
Introduces important new terms.
A policy term is a named structure that defines
Identifies book names.
match conditions and actions.
Junos OS System Basics

Configuration Guide
Identifies RFC and Internet draft

titles
RFC 1997, BGP

Communities Attribute
Italic text like this
Represents variables (options for which you substitute
Configure the machines domain name:
a value) in commands or configuration statements.
[edit]
root@# set system domain-name
domain-name
Plain text like this
To configure a stub area,

include the stub
statement at the [edit
protocols ospf area
area-id] hierarchy level.
Represents names of configuration statements,

commands, files, and directories; IP addresses;
configuration hierarchy levels; or labels on routing
platform components.
The console port is

labeled CONSOLE.
< > (angle brackets)
Enclose optional keywords or variables.
stub <default-metric metric>;
| (pipe symbol)
Indicates a choice between the mutually exclusive
broadcast | multicast
keywords or variables on either side of the symbol. The
(string1 | string2 | string3)
set of choices is often enclosed in parentheses for

clarity.
# (pound sign)
Indicates a comment specified on the same line as the
rsvp { # Required for dynamic MPLS only
configuration statement to which it applies

[ ] (square brackets)
Identify a level in the configuration hierarchy.
[edit]
routing-options {
static {
route default {
nexthop address;
retain;
}
}
}
; (semicolon)
Identifies a leaf statement at a configuration hierarchy

level.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the
documentation. Send e-mail to [email protected] with the following:
Document URL or title
Page number if applicable
Software version
Your name and company
Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC).
If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and
need post-sales technical support, you can access our tools and resources online or open a case with
JTAC.
JTAC policiesFor a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resourceguides/
7100059-en.pdf .
Product warrantiesFor product warranty information, visit
http://www.juniper.net/support/warranty/ .
JTAC hours of operationThe JTAC centers have resources available 24 hours a day, 7 days a
week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal
called the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:
https://tools.juniper.net/SerialNumberEntitlementSearch/
Documentation Feedback
Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html .
END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (AGREEMENT) BEFORE DOWNLOADING,
INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE
SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED
HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A
REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND
BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED
HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY
CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customers principal
office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customers principal
office is located outside the Americas) (such applicable entity being referred to herein as Juniper),
and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper
reseller the applicable license(s) for use of the Software (Customer) (collectively, the Parties).
2. The Software. In this Agreement, Software means the program modules and features of the Juniper
or Juniper-supplied software, for which Customer has paid the applicable license or support fees to
Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which
Customer purchased from Juniper or an authorized Juniper reseller. Software also includes updates,
upgrades and new releases of such software. Embedded Software means Software which Juniper
has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or
replacements which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth
herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to
sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper
equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or
as many chassis or processing units for which Customer has paid the applicable license fees;
provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software
only, Customer shall use such Software on a single computer containing a single physical random
access memory space and containing any number of processors. Use of the Steel-Belted Radius
or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires
multiple licenses, regardless of whether such computers or virtualizations are physically contained
on a single chassis.
c.
Product purchase documents, paper or electronic user documentation, and/or the particular
licenses purchased by Customer may specify limits to Customers use of the Software. Such limits
may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions,
calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or
require the purchase of separate licenses to use particular features, functionality, services,
applications, operations, or capabilities, or provide throughput, performance, configuration,
bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may
restrict the use of the Software to managing certain kinds of networks or require the Software to be
used only in conjunction with other specific Software.Customers use of the Software shall be
subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customers right to use the Software expires 30 days after
download, installation or use of the Software. Customer may operate the Software after the 30-day
trial period only if Customer pays for a license to do so. Customer may not extend or create an
additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only
to manage access to Customers enterprise network. Specifically, service provider customers are
expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software
to support any commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein
to any user who did not originally purchase
the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the
Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or
create derivative works based on the Software; (b) make unauthorized copies of the Software (except
as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the
Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in
any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of
the Software to any third party, including as may be embedded in Juniper equipment sold in the
secondhand market; (f) use any locked or key-restricted feature, function, service, application,
operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from
Juniper, even if such feature, function, service, application, operation, or capability is enabled without a
key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software
in any manner that extends or is broader than the uses purchased by Customer from Juniper or an
authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded
Software (or make it available for use) on Juniper equipment that the Customer did not originally
purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or
benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use
the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this
Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its
compliance with this Agreement.
10
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the
confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to
maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the
Software for Customers internal business purposes.
7. Ownership. Juniper and Junipers licensors, respectively, retain ownership of all right, title, and interest
(including copyright) in and to the Software, associated documentation, and all copies of the Software.
Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the
Software or associated documentation, or a sale of the Software, associated documentation, or copies
of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall
be as set forth in the warranty statement that accompanies the Software (the Warranty Statement).
Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support
services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE
LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL
DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES
ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY
STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL
WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR
OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT
THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL
OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO
INTRUSION OR ATTACK. In no event shall Junipers or its suppliers or licensors liability to Customer,
whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid
by Customer for the Software that gave rise to the claim, or if the Software is embedded in another
Juniper product, the price paid by Customer for such other product. Customer acknowledges and
agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers
of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk
between the Parties (including the risk that a contract remedy may fail of its essential purpose and
cause consequential loss), and that the same form an essential basis of the bargain between the
Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall
result in automatic termination of the license granted herein. Upon such termination, Customer shall
destroy or return to Juniper all copies of the Software and related documentation in Customers
possession or control.
11
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be
responsible for paying Taxes arising from the purchase of the license, or importation or use of the
Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to
Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or
modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will
provide reasonable assistance to Juniper in connection with such withholding taxes by promptly:
providing Juniper with valid tax receipts and other required documentation showing Customers
payment of any withholding taxes; completing appropriate applications that would reduce the amount
of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related
to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and
Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability
incurred by Juniper as a result of Customers non-compliance or delay with its responsibilities herein.
Customers obligations under this Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of
any United States and any applicable foreign agency or authority, and not to export or re-export the
Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the
Software supplied to Customer may contain encryption or other capabilities restricting Customers
ability to export the Software without an export license.
12. Commercial Computer Software. The Software is commercial computer software and is provided
with restricted rights. Use, duplication, or disclosure by the United States government is subject to
restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR
12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request,
Juniper shall provide Customer with the interface information needed to achieve interoperability
between the Software and another independently created program, on payment of applicable fee, if
any. Customer shall observe strict obligations of confidentiality with respect to such information and
shall use such information in compliance with any applicable terms and conditions upon which Juniper
makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any
supplier of Juniper whose products or technology are embedded in (or services are accessed by) the
Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain
third party software may be provided with the Software and is subject to the accompanying license(s),
if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly
available (such as the GNU General Public License (GPL) or the GNU Library General Public
License (LGPL)), Juniper will make such source code portions (including Juniper modifications, as
appropriate) available upon request for a period of up to three years from the date of distribution. Such
request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA
94089, ATTN: General Counsel. You may obtain a copy of the GPL at
http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html .
12
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without
reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International
Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the
Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and
federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole
agreement between Juniper and the Customer with respect to the Software, and supersedes all prior
and contemporaneous agreements relating to the Software, whether oral or written (including any
inconsistent terms contained in a purchase order), except that the terms of a separate written
agreement executed by an authorized Juniper representative and Customer shall govern to the extent
such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement
nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the
party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such
invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and
associated documentation has been written in the English language, and the Parties agree that the
English version will govern. (For Canada: Les parties aux prsents confirment leur volont que cette
convention de mme que tous les documents y compris tout avis qui s'y rattach, soient redigs en
langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is
and will be in the English language)).
13
14
Access Commands
Use access commands to control access to the Mobility Software System (MSS) (CLI). This chapter
presents access commands alphabetically. Use the following table to locate commands in this chapter
based on their use.
Access Privileges
enable on page 15
set enablepass on page 16
disable on page 15
quit on page 16
disable
Usage Changes the CLI session from enabled mode to restricted access.
Syntax disable
Defaults None.
Access Enabled.
History Introduced in MSS 1.0.
Examples The following command restricts access to the CLI for the current session:
WLC# disable
WLC>
See Also enable on page 15
enable
Usage Places the CLI session in enabled mode, which provides access to all commands required
for configuring and monitoring the system.
Syntax enable
Access All.
Usage MSS displays a password prompt to challenge you with the enable password. To enable a
session, your or another administrator must have configured the enable password to this WLC
with the set enablepass command.
Examples The following command plus the enable password provides enabled access to the CLI
for the current sessions:
WLC> enable
Enter password: password
WLC#
See Also
set enablepass on page 16
15
set confirm on page 28
quit
Usage Exit from the CLI session.
Syntax quit
Defaults None.
Access All.
Examples To end your session, type the following command:
WLC> quit
set enablepass
Usage Sets the password that provides enabled access (for configuration and monitoring) to the
MX switch.
Informational Note: e enable password is case-sensitive.
After typing the set enablepass command, press Enter. If you are entering the first enable
password on this MX, press Enter at the Enter old password prompt. Otherwise, type the old
password. Then type a password of up to 32 alphanumeric characters with no spaces, and reenter
it at the Retype new password prompt.
Caution: Be sure to use a password that you can remember. If you lose the enable password,
the only way to restore it returns the WLC to the default settings and erases the configuration.
Syntax set enablepass

Defaults None.
Access Enabled.
Examples The following example illustrates the prompts that the system displays when the enable
password is changed. The passwords you enter are not displayed.
WLC# set enablepass
Enter old password: old-password
Enter new password: new-password
Retype new password: new-password
Password changed
See Also
disable on page 15
16
Access Commands
enable on page 15
17
18
System Services Commands

Use system services commands to configure and monitor system information for a Mobility
Exchange (WLC) switch. This chapter presents system services commands alphabetically. Use
the following table to located commands in this chapter based on their use.
New
Configuration
quickstart on page 24
Auto-Config
set auto-config on page 25
Run Scripts
set run on page 30

clear run on page 21
Display
clear banner motd on page 20

set banner motd on page 27
set banner acknowledge on page 26
show banner motd on page 38
set confirm on page 28
set length on page 28
System Identification
set prompt on page 30

set system name on page 38
Updated
set system location on page 37
New
set system console-timeout on page 31
Updated
set system contact on page 32

set system countrycode on page 32
set system idle-timeout on page 36
set system ip-address on page 36
show load on page 39
Updated
show system on page 41
Updated
clear system on page 21

clear prompt on page 20
Updated
Help
help on page 22
History
history on page 23
clear history on page 20
Updated
License
set license on page 29

show license on page 39
Technical Support
show tech-support on page 44

19
clear banner motd

Usage Deletes the message-of-the-day (MOTD) banner that is displayed before the login prompt
for each CLI session on the WLC switch.
Syntax clear banner motd
Defaults None.
Access Enabled.
History Introduced in MSS Version 1.0.
Examples To clear a banner, type the following command:
WLC# clear banner motd
success: change accepted
Informational Note: As an alternative to clearing the banner, you can overwrite the existing banner with
an empty banner by typing the following command: set
banner motd ^^
See Also
clear history
Usage Deletes the command history buffer for the current CLI session.
Syntax clear history
Defaults None.
Access All.
Examples To clear the history buffer, type the following command:
WLC# clear history
success: command buffer was flushed.
See Also history on page 23
clear prompt
Usage Resets the system prompt to its previously configured value. If the prompt was not
configured previously, this command resets the prompt to the default.
Syntax clear prompt
Defaults None.
Access Enabled.
Examples To reset the prompt, type the following command:
wildebeest# clear prompt
success: change accepted.
20
WLC#
See Also set prompt on page 30. (For information about default prompts, see Command
Prompts on page 25.)
clear run
Usage Clear the rule associated with scriptname.
Syntax clear run scriptfilename
Defaults None
Access Enabled
History Added in MSS 7.1.
Examples To clear the script, runmem, use the following command:
WLC# clear run runmem
clear system
Clears the system configuration of the specified information.
Caution: If you change the IP address, any currently configured Mobility Domain operations
cease. You must reset the Mobility Domain.
Syntax clear system [console-timeout | contact | countrycode |

idle-timeout | ip-address | location | WLC-secret |name]
console-timeou Clears the configured timeout for the CLI.
t
contact
Resets the name of contact person for the WLC to null.
countrycode
Resets the country code for the WLC to null.
idle-timeout
Resets the number of seconds a CLI management session can remain idle
to the default value (3600 seconds).
ip-address
Resets the IP address of the WLC to null.
location
Resets the location of the WLC to null.
WLC-secret
Clears the WLC secret from the system.
name
Resets the name of the WLC to the default system name, which is
WLC-mm-nnnnnn, where mm is the model number and nnnnnn is the
last 6 digits of the switchs MAC address.
Defaults None.
Access Enabled.
21
History
Version 1.0
Command introduced.
Version 4.1
Option idle-timeout added.
Version 7.1
Option WLC-secret added.
Version 7.3
Option console-timeout added.
Examples To clear the location of the WLC, type the following command:
WLC# clear system location
See Also
show config on page 605
help
Usage Displays a list of commands that can be used to configure and monitor the WLC.
Syntax help
Defaults None.
Access All.
Examples Use this command to see a list of available commands. If you have restricted access,
you see fewer commands than if you have enabled access. To display a list of CLI commands
available at the enabled access level, type the following command at the enabled access level:
WLC# help
Commands:
------------------------------------------------------------------------
22
backup
Backup system information to filename (or url)
clear
Clear,
commit
Commit the content of the ACL table
copy
Copy from filename (or url) to filename (or url)
crypto
Crypto, use 'crypto help' for more information
delete
Delete url
dir
Show list of files on flash device
use 'clear help' for more information
disable
Disable privileged mode
exit
Exit from the Admin session
help
Show this help screen
history
Show contents of history substitution buffer
install
Install sygate on-demand agent
ldap-ping
test binding to a LDAP server or server-group
load
Load, use 'load help' for more information
logout
monitor
Monitor, use 'monitor help' for more information
md5
md5 filename
mkdir
Create a subdirectory on flash device
monitor
monitor port counters
ping
Send echo packets to hosts
quickstart
Perform an initial configuration
quit
radping
Send requests to RADIUS server
reset
Reset, use 'reset help' for more information
restore
Restore system information from file name (or url)
rfping
Rfping operations
rmdir
Remove a directory created by mkdir
rollback
Remove changes to the edited ACL table
run
Evaluate contents of a cli file
save
storage
Save the running configuration to persistent
set
Set, use 'set help' for more information
show
Show, use 'show help' for more information
telnet
telnet IP address [server port]
traceroute
Print the route packets take to network host
uninstall
Uninstall sygate on-demand agent files
upgrade
Upgrade Resiliency Cluster
See Also Using CLI Help on page 210
history
Usage Displays the command history buffer for the current CLI session.
Syntax history
Defaults None.
Access All.
23

Examples To show the history of your session, type the following command:
WLC> history
Show History (most recent first)
-------------------------------[00] show config
[01] show version
[02] enable
See Also clear history on page 20
quickstart
Runs a script that interactively helps you configure a new WLC.
(For more information, see the Mobility System Software Quick Start Guide.)
Caution: The quickstart command is for configuration of a new WLC only. After prompting you
for verification, the command erases the WLC configuration before continuing. If you run this
command on a WLC with a configuration, the configuration is erased. In addition, error messages
such as Critical AP Notice for directly connected MPs can appear.
24
set auto-config
Usage Enables an WLC switch to contact a RingMaster server for its configuration.
A network administrator at the corporate office can preconfigure the switch in a RingMaster
network plan. The switch configuration must have a name for the switch, the model must be
WLCR-2, and the serial number must match the switchs serial number. The configuration should
also include all other settings required for the deployment, including MP configuration, SSIDs, AAA
settings, and so on.
When the RingMaster server in the corporate network receives the configuration request, the
server looks in the currently open network plan for a WLC configuration with the same model and
serial number as the one in the configuration request.
If the network plan contains a configuration with a matching model and serial number,
RingMaster sends the configuration to the WLC and restarts the WLC. The WLC boots using
the configuration received from RingMaster.
If the network plan does not have a configuration with a matching model and serial number, a
verification warning appears in RingMaster. The warning lists the WLC serial number and IP
address. The network administrator can upload the WLC into the network plan, configure WLC
parameters, and deploy the configuration to the WLC.
To use the auto-config option with a new (unconfigured) WLCR-2, insert a paperclip or similar
object into the WLCR-2 factory reset hole to press the switch. The factory reset switch must be
held for about 3 seconds while the factory reset LED (the right LED above port 1) is lit. Normally,
this LED remains solidly lit for 3 seconds after power on. However, when the factory reset switch is
pressed, the LED flashes for 3 seconds instead.
If you want another WLC model to be able to access a RingMaster server for a configuration, you
also must preconfigure the WLC with the following information:
IP address
Default router (gateway) address
Domain name and DNS server address
You can enable the WLC to use the MSS DHCP client to obtain this information from a DHCP
server in the local network where the WLC is deployed. Alternatively, you can statically configure
the information.
The IP address and DNS information are configured independently. You can configure the
combination of settings that work with the network resources available at the deployment site. The
following examples show some of the combinations you can configure.
Syntax set auto-config {enable | disable}
enable
Enables the switch to contact a RingMaster server to request a configuration.
disable
Disables the auto-config option.
Defaults The auto-config option is automatically enabled on an unconfigured WLCR-2 when the
factory reset switch is pressed during power on. However, auto-config is disabled by default on
other models.
25
Access Enabled.
Examples The following commands stage an WLC to use the auto-config option. The network
where the WLC is installed has a DHCP server, so the WLC is configured to use a MSS DHCP
client to obtain an IP address, default router address, DNS domain name, and DNS server IP
addresses.
1. Configure a VLAN:
WLC8# set vlan 1 port 7
2. Enable the DHCP client on VLAN 1:
WLC# set interface 1 ip dhcp-client enable
3. Enable the auto-config option:
WLC# set auto-config enable
4. Save the configuration changes:
WLC# save config
success: configuration saved.
See Also
crypto generate key on page 478
crypto generate self-signed on page 481
save config on page 601
set interface dhcp-client on page 114
set vlan port on page 83
set banner acknowledge

Usage Configures a prompt that is displayed following the MOTD banner. The user must
acknowledge the prompt in order to gain access to the system.
Enable the MOTD prompt, then optionally specify a prompt message. When a user logs into the
WLC using the CLI, the configured MOTD banner is displayed, followed by the MOTD prompt
message (if one is specified). In response, the user has the option of entering y to proceed or any
other key to terminate the connection.
Syntax set banner acknowledge mode {enable | disable}
Syntax set banner acknowledge message message
26
enable
Enables the prompt to acknowledge the MOTD banner.
disable
Disables the prompt to acknowledge the MOTD banner.
Delimiting character that begins and ends the prompt message; for example,
double quotes ().
message
Up to 32 alphanumeric characters, but not the delimiting character.
Defaults None.
Access Enabled.
Examples To enable the prompt for the MOTD banner, type the following command:
WLC# set banner acknowledge enable
To set Do you agree? as the text to be displayed following the MOTD banner, type the following
command:
WLC# set banner acknowledge message Do you agree?
After these commands are entered, when the user logs on, the MOTD banner is displayed,
followed by the text Do you agree? If the user enters y, then the login proceeds. If not, then the
user is disconnected.
Quotation marks can be used in the message if they are enclosed by delimiting characters. For
example, to set the text Do you agree? (including the quotation marks) as the text to be displayed
following the MOTD banner, type the following command:
WLC# set banner acknowledge message "Do you agree?"
See Also
set banner motd

Usage Configures the banner string that is displayed before the beginning of each login prompt for
each CLI session on the WLC.
Type a delimiting character, then the message, then another delimiting character.
Syntax set banner motd text
Delimiting character that begins and ends the message; for example, double
quotes ().
text
Up to 2000 alphanumeric characters, including tabs and carriage returns, but

not the delimiting character.
Note: The text cannot contain lines longer than 256 characters.
Defaults None.
27
Access Enabled.
Examples To create a banner that says Meeting @ 4:00 p.m. in Conference Room #3, type the
following command:
WLC# set banner motd "Meeting @ 4:00 p.m. in Conference Room #3"
success: motd changed.
See Also
set banner acknowledge on page 26
set confirm
Usage Enables or disables the display of confirmation messages for commands that might have a
large impact on the network.
This command remains in effect for the duration of the session, until you enter an exit or quit
command, or until you enter another set confirm command.
Usage
Syntax set confirm {on | off}
on
Enables confirmation messages.
off
Disables confirmation messages.
Defaults Configuration messages are enabled.

Access Enabled.
Examples MSS displays a message requiring confirmation when you enter certain commands that
can have a potentially large impact on the network. For example:
WLC# clear vlan red
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]
Examples To turn off these confirmation messages, type the following command:
WLC# set confirm off
success: Confirm state is off
set length
Usage Defines the number of lines of CLI output to display between paging prompts. MSS
displays the set number of lines and waits for you to press any key to display another set, or type
q to quit the display.
Use this command if the output of a CLI command is greater than the number of lines allowed by
default for a terminal type.
28
Syntax set length screenlength

screenlength
Number of lines of text to display between paging prompts. You can specify
0 and from 10 to 512. The 0 value disables the paging prompt action
entirely.
Defaults MSS displays 24 lines by default.

Access All.
History
Version 1.0
Command introduced.
Version 6.0
Minimum screen length set to 10 lines.
Version 7.0
Changed variable from number-of-lines to screenlength
Examples To set the number of lines displayed to 100, type the following command:
WLC# set length 100
success: screen length for this session set to 100
set license
Usage Installs an upgrade or feautre license key on an WLC.
The WLC-200 and WLC-216 can boot and manage up to 32 MPs by default. You can increase the
MP support to 64, 96, or 128 MPs, by installing one or more activation keys. You can install a
32-MP upgrade, 64-MP upgrade, or 96-MP upgrade. If you have already installed a 32-MP or
64-MP upgrade, you can still install additional upgrades.
The entire upgrade matrix is available in the Release Notes for the latest released MSS version.
Syntax set license activation-key
activation-key
Hexadecimal digits generated by the Juniper Networks license server or

otherwise provided by Juniper Networks for your WLC.
The activation key is based on the serial number of the WLC.
You can enter the number in either of the following formats:
xxxx-xxxx-xxxx-xxxx-xxxx
xxxxxxxxxxxxxxxxxxxx
xxxx-xxxx-xxxx-xxxx-xxxx-feature
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced.
Version 2.0
Command deprecated.
29
Version 3.1
Command readded to support new licensing scheme. In MSS Version 1.0,

switches were licensed based on the number of active user sessions
supported. In 3.1 and later, switches are licensed based on the number of
MPs they can boot and manage.
Version 7.1
Per feature licensing support added.
Examples To install an activation key for an additional 80 MPs, type the following command:
WLC# set license 3B02-D821-6C19-CE8B-F20E
success: license accepted
See Also show license on page 39
set prompt
Usage Changes the CLI prompt for the WLC to a string you specify.
When you first log in for the initial configuration of the WLC, the CLI provides an
WLC-mm-nnnnnn> prompt. After you become enabled by typing enable and giving a suitable
password, the WLC-mm-nnnnnn# prompt is displayed.
If you use the set system name command to change the default system name, MSS uses that
name in the prompt, unless you also change the prompt with set prompt.
Syntax set prompt string
string
Alphanumeric string up to 32 characters long. To include spaces in the prompt,

you must enclose the string in double quotation marks ().
Defaults The factory default for the WLC name is WLC-mm-nnnnnn, where mm is the model
number and nnnnnn is the last 6 digits of the 12-digit system MAC address.
Access Enabled.
Examples The following example sets the prompt from WLC to happy_days:
WLC# set prompt happy_days
happy_days#
See Also
clear prompt on page 20
set run
Usage Sets the timing for scripts to automatically run on the WLC.
Use this command to run scripts in *.txt format that automatically run the specified commands
configured in the file.
30
To execute a script at a specified minute of a specified hour or every hour, in a specified day or
every week-day or everyday, use the interval specification format day, hour, and minute. For
example, to run a script every weekday at 18:15, use the format Wk1815. To run every Monday at
5 minutes after the hour,use the format, MoAll05. To run a script everyday at midnight, use the
format Any0000.
To run a script every X hours, use the format dayHrint/HHh. To run a script every X minutes, use
the format DayHrint/MMm. For example, to run a script every week day between 3-6 a.m.
excluding 6: a.m., use the format Wk03-06/01h.
Syntax set run scriptname on [interval intervalspec | startup | shutdown]
scriptname
Name of the script in *.txt format
intervalspec
Specified intervals for the script to run on the WLC.

Day - su|mo|tu|we|th|fr|sa|any
Hrnum - 00-23
Hrint - Hrnum1 - Hrnum2 where Hrnum2 is larger than Hrnum1.
Hour - All | Hrnum
Min - 00-59
startup
Execute the script when the WLC booted up.
shutdown
Execute the script when the WLC is shutdown.
Defaults None
Access Enabled
History Added in MSS 7.1
Examples To run a script called runmem every Saturday at 5 p.m. use the following command:
WLC# set run runmem sa1800
set system console-timeout

Usage Sets the timeout for the CLI console.
Syntax set system console-timeout console-timeout
console-timeout
Time, in seconds, with a range of 0 (off) to 86400.
Defaults None
Access Enabled
History Added in MSS 7.1.
Examples To set the console timeout to 120 seconds (2 minutes), use the following command:
WLC# set system console-timeout 120
31
set system contact

Usage Stores a contact name for the WLC.
To view the system contact string, type the show system command.
Syntax set system contact string
string
Alphanumeric string up to 256 characters long.
Defaults None.
Access Enabled.
History
MSS Version 1.0
Command introduced.
MSSVersion 7.3
Ability to include spaces added.
Examples The following command sets the system contact information to [email protected]:
MX-20#set system contact [email protected]
See Also
set system countrycode

Usage Defines the country-specific IEEE 802.11 regulations to enforce on the WLC.
You must set the system county code to a valid value before using any set ap commands to
configure a Mobility Point (MP).
Syntax set system countrycode code
code
Two-letter code for the country of operation for the WLC. You can specify
one of the codes listed in Table 2.
Table 2.Country Codes
32
Country
Code
Algeria
DZ
Argentina
AR
Anguilla
AI
Australia
AU
Austria
AT
Bosnia and Herzegovia
BA
Table 2.Country Codes (continued)

Country
Code
Belgium
BE
Bulgaria
BG
Bahrain
BH
Bolivia
BO
Botswana
BW
Brazil
BR
Belize
BZ
Canada
CA
Chile
CL
China
CN
Colombia
CO
Costa Rica
CR
Cote DIvoire
CI
Croatia
HR
Cyprus
CY
Czech Republic
CZ
Denmark
DK
Dominica
DM
Dominican Republic
DO
Ecuador
EC
El Salvador
SV
Egypt
EG
Estonia
EE
Finland
FI
France
FR
Germany
DE
Greece
GR
Grenada
GD
Guatemala
GT
Guam
GU
Honduras
HN
Hong Kong
HK
Hungary
HU
Iceland
IS
India
IN
Indonesia
ID
Ireland
IE
Israel
IL
Italy
IT
Jamaica
JM
33

Country
Code
Japan
JP
Jordan
JO
Kazakhstan
KZ
Kenya
KE
St. Kitts and Nevis
KN
Kuwait
KW
Cayman Islands
KY
Latvia
LV
Lebanon
LB
Liechtenstein
LI
Lithuania
LT
St. Lucia
LC
Liechtenstein
LI
Luxembourg
LU
Macedonia, Former Yugoslav
MK
Republic of
34
Malaysia
MY
Malta
MT
Mauritius
MU
Mexico
MX
Monserrat
MS
Morocco
MA
Namibia
NA
Netherlands
NL
New Zealand
NZ
Nigeria
NG
Norway
NO
Oman
OM
Pakistan
PK
Panama
PA
Paraguay
PY
Peru
PE
Philippines
PH
Poland
PL
Portugal
PT
Puerto Rico
PR
Qatar
QA
Romania
RO
Russia
RU
Saudi Arabia
SA

Country
Code
Serbia
CS
Singapore
SG
Slovakia
SK
Slovenia
SI
South Africa
ZA
South Korea
KR
Spain
ES
Sri Lanka
LK
Sweden
SE
Switzerland
CH
Taiwan
TW
Tanzania
TZ
Thailand
TH
East Timor
TP
Trinidad and Togo
TT
Tunisia
TN
Turkey
TR
Ukraine
UA
United Arab Emirates
AE
United Kingdom
GB
United States
US
Uruguay
UY
Venezuela
VE
Vietnam
VN
St. Vincent and the Grenadines
VC
US Virgin Islands
VI
Zambia
ZM
Zimbabwe
ZW
Defaults The factory default country code is None.

Access Enabled.
History
Version 1.0
Command introduced
Version 1.1
New country codes added: AE, AU, BR, CN, CZ, ES, GR, HK, HU, KR, IL,
IN, LI, WLC, MY, NZ, PL, SA, SG, SI, SK, TH, TW, ZA
Version 6.2
New country codes added: BH, BO, BW, CL, CO CR, CI, HR, CY, DM, DO,
EC, SV, EG, EE, GD, GT, HN, ID, JM, JO, KZ, KE, KN, KW, KY, LV, LB, LI,
LT, LC, MU, MS, MA, NA, NG, OM, PK, PA, PY, PE, PH, PR, RO, RU, CS,
LK, TZ, TT, TN, TR, UA, UY, VE, VN, VC, ZM, and ZW.
35
Examples To set the country code to Canada, type the following command:
MX-20#set system country code CA
See Also show config on page 605
set system idle-timeout

Usage Specifies the maximum number of seconds a CLI management session with the switch can
remain idle before MSS terminates the session.
This command applies to all types of CLI management sessions: console, Telnet, and SSH. The
timeout change applies to existing sessions only, not to new sessions.
Syntax set system idle-timeout seconds
Number of seconds a CLI management session can remain idle before MSS
terminates the session. You can specify from 0 to 86400 seconds (one day).
If you specify 0, the idle timeout is disabled.
seconds
The timeout interval is in 30-second increments. For example, the interval

can be 0, or 30 seconds, or 60 seconds, or 90 seconds, and so on. If you
enter an interval that is not divisible by 30, the CLI rounds up to the next
30-second increment. For example, if you enter 31, the CLI rounds up to 60.
Defaults 3600 seconds (one hour). Setting the value to 0 turns off the feature. A maximum of
86400 seconds can be configured.
Access Enabled.
History .
Version 4.1
Command introduced.
Version 7.0
Maximum value changed to 86400 seconds.
Examples The following command sets the idle timeout to 1800 seconds (one half hour):
WLC# set system idle-timeout 1800
See Also
set system ip-address

Usage Sets the system IP address so that it can be used by various services in the WLC.
Warning: Any currently configured Mobility Domain operations cease if you change the IP address. If
you change the address, you must reset the Mobility Domain.
36
Syntax set system ip-address ip-addr
IP address, in dotted decimal notation.
ip-addr
Defaults None.
Access Enabled.

Examples The following command sets the IP address of the WLC to 192.168.253.1:
WLC# set system ip-address 192.168.253.1
See Also
set interface on page 113
set system location

Usage Stores location information for the WLC.
Syntax set system location string
string
Alphanumeric string up to 256 characters long
Defaults None.
Access Enabled.
History
MSS Version 1.0
Command introduced.
MSS Version 7.3
Ability to include spaces added.
Usage You can include spaces in the system location string, but cannot exceed 256 characters.
To view the system location string, type the show system command.
Examples To store the location of the WLC in the configuration, type the following command:
WLC# set system location first-floor-bldg3
See Also
37
set system name

Usage Changes the name of the WLC from the default system name and also provides content
for the CLI prompt, if you do not specify a prompt.
Entering set system name with no string resets the system name to the factory default.
To view the system name string, type the show system command.
Syntax set system name string
string
Alphanumeric string up to 256 characters long, with no blank spaces.

RingMaster requires unique WLC names.
Defaults By default, the system name and command prompt have the same value. The factory
default for both is WLC-mm-nnnnnn, where mm is the model number and nnnnnn is the last 6 digits
of the 12-digit system MAC address.
Access Enabled.
Examples The following example sets the system name to a name that identifies the WLC switch:
WLC# set system name WLC-bldg3
WLC-bldg3#
See Also
set prompt on page 30
show banner motd

Usage Shows the banner configured with the set banner motd command.
Syntax show banner motd
Defaults None.
Access Enabled.
Examples To display the banner with the message of the day, type the following command:
WLC# show banner motd
hello world
See Also clear banner motd on page 20
38
show license
Usage Displays information about the license key(s) currently installed on an WLC.
Syntax show license keys
Defaults None.
Access All.
History
Version 1.0
Command introduced.
Version 2.0
Current session count and Last sent alert time fields removed.
Version 3.1
Command readded as show licenses, with new output.
Version 7.0
Command changed to show license keys with new output.
Examples To view license keys, type the following command:

MX-20#show license keys
Serial Number
: 0321300013
40 access points are supported

Additional Features:
Feature Description
Installed
Active
---------------------------------------------------Installed License Authorization Keys

See Also set license on page 29
show load
Usage Changes to the show load command allows you to obtain instantaneous CPU and
memory load information in a more useful format. In addition, more information is provided that
may assist with troubleshooting the WLC on the network.
The following information is displayed:
System CPU load
Summary data displayed:
Last second (also called instant load)
Last minute
Last 5 minutes
Last hour
Last day
Last three days
Historical values drawn as a graph, showing peaks and averages:
Last minute
Last hour
39
Last three days

System memory load
Summary data displayed:
Last second (also called instant load)
Last minute
Last 5 minutes
Last hour
Last day
Last three days
Historical values drawn as a graph, showing peaks and averages:
Last minute
Last hour
Last three days
Syntax show load
Defaults None.
Access Enabled.
Version 4.1
Command introduced.
Version 6.2
Enhancements to output format.
Usage To display the CPU load recorded from the time the WLC was booted, as well as from the
previous time the show load command was run, type the following command:
Examples
WLCR2_desk# show load cpu
Period
Usage
-------------------Last second:
2%
Last minute:
2%
Last 5 minutes: 2%
Last hour:
2%
Last day:
1%
Last 3 days:
33141%
WLCR2_desk# show load cpu history

|100
|90
|80
40
|70
|60
|50
|40
|30
|20
^
^^
^|10
************************************************************|<5
6----5----5----4----4----3----3----2----2----1----1----5----0--0
CPU load history for the past hour

* = average CPU load (%)
^ = peak CPU load (%)
WLCR2_desk# show load memory history

|128
|112
|96
|80
|64
|48
************************************************************|32
************************************************************|16
************************************************************|<8
6----5----5----4----4----3----3----2----2----1----1----5----0--0
Memory utilization history for the past hour

* = average utilization (MBytes)
^ = peak utilization (MBytes)
The overall field shows the CPU load as a percentage from the time the WLC was booted. The
delta field shows CPU load as a percentage from the last time the show load command was
entered.
See Also show system on page 41
show system
Usage Displays system information.
Syntax show system
Defaults None.
Access Enabled.
41
History
Version 1.0
Command introduced
Version 2.0
System Description field added
Version 3.0
System Description field removed
Version 4.0
License field removed. To display license information, use the show license
command.
Version 7.0
Total Power over Ethernet changed to Total PoE draw (W).
Examples To show system information, type the following command:

WLC# show system
========================================================================
=======
Product Name:
WLC
System Name:
WLC-bldg3
System Countrycode: US
System Location:
first-floor-bldg3
System Contact:
[email protected]
System IP:
192.168.12.7
System Secret Encrypted:

System Console-Timeout: 120 seconds
System Idle Timeout:3600
System MAC:
00:0B:0E:00:04:30
========================================================================
=======
Boot Time:
2003-11-07 15:45:49
Uptime:
13 days 04:29:10
========================================================================
=======
Fan status:
fan1 OK fan2 OK fan3 OK
Temperature: temp1 ok
temp2 ok
temp3 ok
PSU Status:
Lower Power Supply DC ok AC ok
Memory:
97.04/744.03 (13%)
Upper Power Supply missing
Total PoE Draw (W): 29.000

========================================================================
=======
Table 3 describes the fields of show system output.
42
Table 3.show system Output

Field
Description
Product Name
MX model number.
System Name
System name (factory default, or optionally configured with set system name).
System Countrycode
Country-specific 802.11 code required for MP operation (configured with set system
countrycode).
System Location
System Contact
Record of MX physical location (optionally configured with set system location).

Contact information about the system administrator or another person to contact about the
system (optionally configured with set system contact).
System IP
Common interface, source, and default IP address for the MX, in dotted decimal notation
(configured with set system ip-address).
System Secret
A password configured for WLC-WLC security.
System idle timeout
Number of seconds MSS allows a CLI management session (console, Telnet, or SSH) to
remain idle before terminating the session. (The system idle timeout can be configured using
the set system idle-timeout command.)
System MAC
MX media access control (MAC) machine address set at the factory, in 6-byte hexadecimal
format.
Boot Time
Date and time of the last system reboot.
Uptime
Number of days, hours, minutes, and seconds that the MX has been operating since its last
restart.
Fan status
Operating status of the three MX cooling fans:

OKFan is operating.
FailedFan is not operating. MSS sends an alert to the system log every 5 minutes until
this condition is corrected.
Fan 1 is located nearest the front of the chassis, and fan 3 is located nearest the back.
Temperature
Status of temperature sensors at three locations in the MX switch:

okTemperature is within the acceptable range of 0 C to 50 C (32 F to 122 F).
AlarmTemperature is above or below the acceptable range. MSS sends an alert to the
system log every 5 minutes until this condition is corrected.
PSU Status
Status of the lower and upper power supply units:

missingPower supply is not installed or is inoperable.
DC okPower supply is producing DC power.
DC output failurePower supply is not producing DC power. MSS sends an alert to the
system log every 5 minutes until this condition is corrected.
AC okPower supply is receiving AC power.
AC not presentPower supply is not receiving AC power.
Memory
Current size (in megabytes) of nonvolatile memory (NVRAM) and synchronous dynamic
RAM (SDRAM), plus the percentage of total memory space in use, in the following format:
NVRAM size /SDRAM size (percent of total)
Total PoE Draw (W)
Total power that the MX is currently supplying to directly connected MPs, in watts.
See Also
43

show tech-support
Usage Provides an in-depth snapshot of the status of the WLC, which includes details about the
boot image, the version, ports, and other configuration values. This command also displays the
last 100 log messages.
Enter this command before calling the Juniper Networks Technical Assistance Center (TAC). See
Contacting the Technical Assistance Center on page 315 for more information
Syntax show tech-support [file [subdirname/]filename]
[subdirname/]filename
Optional subdirectory name, and a string up to 32 alphanumeric

characters. The commands output is saved into a file with the
specified name in nonvolatile storage.
Defaults None.
Access Enabled.
See Also
show boot on page 604
show license on page 39
show version on page 607
44
Port Commands
Use port commands to configure and manage individual ports and load-sharing port groups. This chapter
presents port commands alphabetically. Use the following table to locate commands in this chapter based
on their use.
Port Type
set port type ap on page 61
Updated
set ap on page 53
Updated
set port type wired-auth on page 62

clear port type on page 48
clear ap on page 46
Name
set port name on page 58

clear port name on page 48
State
set port on page 55

reset port on page 53
show port status on page 68
Gigabit interface type
show port media-type (deprecated) on page 65

set port media-type(deprecated) on page 57
clear port media-type (deprecated) on page 47
Speed
set port speed on page 60
Autonegotiation
set port negotiation on page 58
PoE
set port poe on page 59

show port poe on page 66
SNMP
set port trap on page 61
Port Groups
set port-group on page 56

show port-group on page 64
clear port-group on page 47
Port Mirroring
set port mirror on page 57

show port mirror on page 66
clear port mirror on page 48
Statistics
show port counters on page 63

monitor port counters on page 49
clear port counters on page 46
45
clear ap
Usage Removes a Distributed MP.
Warning: When you clear a Distributed MP, MSS ends user sessions that are using the MP.
Syntax clear ap {apnum | auto | fdb}

apnum
Number of the MP(s) to remove.
auto
Clear all auto operations.
fdb
Clear dynamic AP FDB entries.
Defaults None.
Access Enabled.
History
MSS Version 2.0
Command introduced.
MSS Version 6.0
Command changed from dap to ap.
MSS Version 7.1
Attribute all deprecated. Attributes fdb and auto added.
Examples The following command clears MP 1:

WLC# clear ap 1
This will clear specified AP devices. Would you like to continue? (y/n)
[n]y
See Also
set ap on page 53
clear port counters

Usage Clears port statistics counters and resets them to 0.
Syntax clear port counters
Defaults None.
Access Enabled.
Examples The following command clears all port statistics counters and resets them to 0:
WLC# clear port counters
success: cleared port counters
See Also
show port counters on page 63
46
Port Commands
clear port-group
Usage Removes a port group.
Syntax clear port-group name name
name name
Name of the port group.
Defaults None.
Access Enabled.
Examples The following command clears port group server1:
WLC# clear port-group name server1
See Also
clear port media-type (deprecated)

Usage Disables the copper interface and reenables the fiber interface on an WLC-400 gigabit
Ethernet port.
Syntax clear port media-type name
name
List of physical ports. MSS disables the copper interface and reenables the
fiber interface on all the specified ports.
Defaults The GBIC (fiber) interface is enabled, and the copper interface is disabled, by default.
Access Enabled.
History
MSS Version 4.0
Command introduced.
MSS Version 7.0
port-list changed to literal value of name.
MSS Version 7.1
Deprecated.
Usage This command applies only to the WLC-400. This command does not affect a link that is
already active on the port.
Examples The following command disables the copper interface and reenables the fiber interface
on port 2:
WLC-400# clear port media-type name
See Also
47
clear port mirror

Usage Removes a port mirroring configuration.
Syntax clear port mirror
Defaults None.
Access Enabled.
Examples The following command clears the port mirroring configuration from the switch:
WLC# clear port mirror
See Also
clear port name

Usage Removes the name assigned to a port.
Syntax clear port port-list name
List of physical ports. MSS removes the names from all the specified ports.
port-list
Defaults None.
Access Enabled.

Examples The following command clears the names of ports 17 through 20:
WLC# clear port 17-20 name
See Also
clear port preference

Deprecated in MSS Version 4.0. Use the clear port media-type command.
clear port type

Usage Removes all configuration settings from a port and resets the port as a network port.
Use this command to change a port back to a network port. All configuration settings specific to the port
type are removed. For example, if you clear an MP port, all MP-specific settings are removed. Table 4 lists
the default network port settings that MSS applies when you clear a port type.
Warning: When you clear a port, MSS ends user sessions that are using the port.
48
Port Commands
Syntax clear port type port-list

port-list
List of physical ports. MSS resets and removes the configuration from all the
specified ports.
Defaults The cleared port becomes a network port but is not placed in any VLANs.
Access Enabled.
Table 4.Network Port Defaults
Port Parameter
Setting
VLAN membership
None.
Although the command changes a port to a network port, the command does not place
the port in any VLAN. To use the port in a VLAN, you must add the port to the VLAN.
Spanning Tree Protocol (STP)
Based on the VLAN(s) you add the port to.
802.1X
No authorization.
Port groups
None.
Internet Group Management Protocol
Enabled as port is added to VLANs.
(IGMP) snooping
Access point and radio parameters
Not applicable
Maximum user sessions
Not applicable
Examples The following command clears port 5:

WLC# clear port type 5
This may disrupt currently authenticated users. Are you sure? (y/n) [n]y
See Also
monitor port counters

Usage Displays and continually updates port statistics.
Each type of statistic is displayed separately. Press the Spacebar to cycle through the displays for each
type.
If you use an option to specify a statistic type, the display begins with that statistic type. You can use one
statistic option with the command. For error reporting, the cyclic redundancy check (CRC) errors include
misalignment errors. Jumbo packets with valid CRCs are not counted. A short packet can be reported as a
short packet, a CRC error, or an overrun. In some circumstances, the transmitted octets counter might
increment a small amount for a port with nothing attached.
Use the keys listed in Table 5 to control the monitor display.
49
Syntax monitor port counters [octets | packets | receive-errors |

transmit-errors | collisions | receive-etherstats | transmit-etherstats]
octets
Displays octet statistics first.
packets
Displays packet statistics first.
receive-errors
Displays errors in received packets first.
transmit-errors
Displays errors in transmitted packets first.
collisions
Displays collision statistics first.
receive-etherstats
Displays Ethernet statistics for received packets first.
transmit-etherstats Displays Ethernet statistics for transmitted packets first.

Defaults All types of statistics are displayed for all ports. MSS refreshes the statistics every 5
seconds, and the interval cannot be configured. Statistics types are displayed in the following
order by default:
Octets
Packets
Receive errors
Transmit errors
Collisions
Receive Ethernet statistics
Transmit Ethernet statistics
Access All.
Table 5.Key Controls for Monitor Port Counters Display
Key
Effect on Monitor Display
Spacebar
Advances to the next statistic type.
Esc
Exits the monitor. MSS stops displaying the statistics and displays a new command
prompt.
Clears the statistics counters for the currently displayed statistics type. The counters
begin incrementing again.
Examples The following command starts the port statistics monitor beginning with octet statistics
(the default):
WLC# monitor port counters
As soon as you press Enter, MSS clears the window and displays statistics at the top of the
window.
Port
Status
Tx Octets
Rx Octets
========================================================================
=======
50
Port Commands
Up
27965420
34886544
...
To cycle the display to the next set of statistics, press the Spacebar. In this example, packet
statistics are displayed next:
Port
Status
NonUnicast
Rx Unicast
Rx NonUnicast
Tx Unicast
Tx
========================================================================
=======
1
Up
54620
68318
62144
62556
...
Table 6 describes the port statistics displayed by each statistics option. The Port and Status fields
are displayed for each option.
51
Table 6.Output for monitor port counters

Statistics Option
Field
Description
Displayed for All Options
Port
Displays the port statistics.
Status
Port status. The status can be Up or Down.
Rx Octets
Total number of octets received by the port.
octets
This number includes octets received in frames that contained errors.

Tx Octets
Total number of octets received.

This number includes octets received in frames that contained errors.
packets
Rx Unicast
Number of unicast packets received.

This number does not include packets that contain errors.
Rx NonUnicast
Number of broadcast and multicast packets received.
Tx Unicast
Number of unicast packets transmitted.

Tx NonUnicast
Number of broadcast and multicast packets transmitted.

receive-errors
Rx Crc
Number of frames received by the port that had the correct length but
contained an invalid frame check sequence (FCS) value. This statistic
includes frames with misalignment errors.
Rx Error
Total number of frames received in which the Physical layer (PHY)
Rx Short
Number of frames received by the port that were fewer than 64 bytes long.
Rx Overrun
Number of frames received by the port that were valid but were longer than
detected an error.
1518 bytes. This statistic does not include jumbo packets with valid CRCs.
transmit-errors
Tx Crc
Number of frames transmitted by the port that had the correct length but
contained an invalid FCS value.
Tx Short
Number of frames transmitted by the port that were fewer than 64 bytes
Tx Fragment
Total number of frames transmitted that were less than 64 octets long and
long.
had invalid CRCs.
collisions
Tx Abort
Total number of frames that had a link pointer parity error.
Single Coll
Total number of frames transmitted that experienced one collision before

64 bytes of the frame were transmitted on the network.
Multiple Coll
Total number of frames transmitted that experienced more than one

collision before 64 bytes of the frame were transmitted on the network.
Excessive Coll
Total number of frames that experienced more than 16 collisions during

transmit attempts. These frames are dropped and not transmitted.
Total Coll
receive-etherstats Rx 64
52
Best estimate of the total number of collisions on this Ethernet segment.

Number of packets received that were 64 bytes long.
Rx 127
Number of packets received that were from 65 through 127 bytes long.
Rx 255
Rx 511
Rx 1023
Rx 1518
Port Commands
Table 6.Output for monitor port counters (continued)

Statistics Option
Field
Description
transmit-etherstat
Tx 64
Number of packets transmitted that were 64 bytes long.
Tx 127
Number of packets transmitted that were from 65 through 127 bytes long.
Tx 255
Tx 511
Tx 1023
Number of packets transmitted that were from 512 through 1023 bytes
long.
Tx 1518
Number of packets transmitted that were from 1024 through 1518 bytes
long.
See Also show port counters on page 63
reset port
Usage Resets a port by toggling the link state and Power over Ethernet (PoE) state.
The reset command disables the port link and PoE (if applicable) for at least 1 second, then reenables
them. This behavior is useful for forcing an MP that is connected to two MX switches to reboot over the link
to the other WLC.
Syntax reset port port-list
List of physical ports. MSS resets all the specified ports.
port-list
Defaults None.
Access Enabled.

Examples The following command resets port 5:
WLC# reset port 5
See Also set port on page 55
set ap
Usage Configures an MP, either directly connected to the MX or indirectly connected through an
intermediate Layer 2 or Layer 3 network.
Informational Note: Before configuring a Distributed MP, you must use the set system countrycode command to
set the IEEE 802.11 country-specific regulations on the MX switch. See set system countrycode on page 32.
53
Syntax set ap apnum serial-id serial-ID

model {2330 | 2330A | 2330B | 2332-A1 |AP-EASYA | AP1602 | AP1602C | AP2750 |
AP3750 | AP3850 | AP3950 | AP9551 |MP-371 | MP-371B | MP-372 | MP-372-JP|
MP-372A | MP-372B | MP-422 | MP-422A | MP-422B| MP-422FB |MP-422F|MP-432 |
MP-432F | MP-522 | MP-522E |MP-620 | MP-620A | MP-620B | MP-622 | MP-632 |
MP-632F | MP-71| MP-82} [radiotype {11a | 11b| 11g | 11na | 11ng}]
Number for the Distributed MP.
apnum
The range of valid connection numbers depends on the WLC model:

WLC-2001 to 320
WLC-2161 to 320
WLC-4001 to 300
WLC-201 to 100
WLC-81 to 30
WLCR-21 to 8
MP access point serial ID. The serial ID is listed on the MP case. To
display the serial ID using the CLI, use the show version details
command.
serial-id serial-ID
MP access point model.

model {2330 | 2330A | 2330B|
2332-A1 | AP1602 | AP1602C |
AP2750 | AP3750 | AP3850 |
AP3950 | MP-371 | MP-372 |
MP-372-JP |MP-372A | MP-422
| MP-422A| MP-422F | MP-432|
MP-620 | |MP-620A |
MP-622| MP-82| MP-71}}
radiotype 11a | 11b | 11g
Radio type:
11a802.11a
11b802.11b
11g802.11g
11na802.11na
11ng802.11ng
This option applies only to single-radio models.
Defaults The default vales are the same as the defaults for the set port type ap command.
Access Enabled.
History
Version 2.0
Command introduced
Version 2.1
New values for model option added:

mp-52
mp-262
54
Port Commands
Version 3.0

AP2750
mp-341
mp-352
Version 3.2
New value for model option added: mp-372
Version 4.1

2330
2330A
AP3750
mp-372-CN
mp-372-JP
mp-620
Deprecated values for model option removed:
mp-101
mp122
Version 6.0
Changed dap to ap. Added MP-422 model and MP-71.
Version 7.0
Added MP-371, MP-422A, MP-422F, MP-432, MP-620A,

Removed MP-52, MP-252, MP-372-CN, MP-341, and MP-352
Version 7.1
Added models MP-622, MP-632, and MP-82.
Version 7.3
Added models MP-522 and MP-522E
Examples The following command configures MP 1 for MP model MP-372 with serial-ID 0322199999:
WLC# set ap 1 serial-id 0322199999 model mp-372
The following command removes MP 1:
WLC# clear ap 1
This will clear specified AP devices. Would you like to continue? (y/n) [n]y
See Also
clear ap on page 46
set port
Usage Administratively disables or reenables a port.
A port that is administratively disabled cannot send or receive packets. This command does not affect the
link state of the port.
55
Syntax set port {enable | disable} port-list

enable
Enables the specified ports.
disable
Disables the specified ports.
port-list
List of physical ports. MSS disables or reenables all the specified ports.
Defaults All ports are enabled.

Access Enabled.
Examples The following command disables port 16:
WLC# set port disable 16
success: set "disable" on port 16
The fol1owing command reenables the port:
WLC# set port enable 16
success: set "enable" on port 16
See Also reset port on page 53
set port-group
Usage Configures a load-sharing port group. All ports in the group function as a single logical link.
Do not use dashes or hyphens in a port group name. If you do, MSS does not display or save the port
group.
You can configure up to 16 ports in a port group, in any combination of ports. The port numbers do not
need to be contiguous and you can use 10/100 Ethernet ports and gigabit Ethernet ports in the same port
group.
After adding a port to a port group, you cannot configure port parameters on the individual port. Instead,
change port parameters on the entire group. Specify the group name instead of an individual port name or
number in port configuration commands.
To add or remove ports in a group that is already configured, change the mode to off, add or remove the
ports, then change the mode to on.
Syntax set port-group name group-name port-list mode {on | off}
name group-name
Alphanumeric string of up to 255 characters, with no spaces. The port group name
must start with a letter.
port-list
List of physical ports. All the ports you specify are configured together as a single
logical link.
mode {on | off}
State of the group. Use on to enable the group or off to disable the group. The group
is enabled by default.
Defaults Once configured, a group is enabled by default.

Access Enabled.
56
Port Commands
Examples The following command configures a port group named server1 containing ports 1 through 5,
and enables the link:
WLC# set port-group name server1 1-5 mode on
The following commands disable the link for port group server1, change the list of ports in the group, and
reenable the link:
WLC# set port-group name server1 1-5 mode off
WLC# set port-group name server1 1-4,7 mode on
See Also
set port media-type(deprecated)

Usage Disables the fiber interface and enables the copper interface on an WLC-400 gigabit Ethernet port.
Syntax set port media-type name port-name
port-list
List of physical ports. MSS sets the preference on all the specified ports.
rj45
Uses the copper interface.
Defaults The GBIC (fiber) interface is enabled, and the copper interface is disabled, by default.
Access Enabled.
History
Version 4.0
Command introduced.
Version 7.1
Command deprecated.
Usage This command applies only to the WLC-400.

If you set the port interface to RJ-45 on a port that already has an active fiber link, MSS immediately
changes the link to the copper interface.
Examples The following command disables the fiber interface and enables the copper interface on port 2:
WLC-400# set port media-type name port-name
See Also
set port mirror

Usage Configures port mirroring. Port mirroring is a troubleshooting feature that copies (mirrors) traffic
sent or received by an WLC port (the source port) to another port (the observer) on the same WLC. You
can attach a protocol analyzer to the observer port to examine the source ports traffic. Both traffic
directions (send and receive) are mirrored.
57
The WLC can have one port mirroring pair (one source port and one observer port) at a time. The source
port can be a network port, MP access port, or wired authentication port. However, the observer port must
be a network port, and cannot be a member of any VLAN or port group.
Syntax set port mirror source-port observer observer-port
source-port
Number of the port whose traffic you want to analyze. You can specify only one port.
observer-port
Number of the port to copy the traffic from the source port.
Defaults None.
Access Enabled.
Examples The following command sets port 2 to monitor port 1 traffic:
WLC# set port 1 observer 2
See Also
set port name

Usage Assigns a name to a port.
After naming a port, you can use the port name or number in other CLI commands. clear port name on
page 48
Syntax set port port name name
port
Number of a physical port. You can specify only one port.
name name
Alphanumeric string of up to 16 characters, with no spaces.
Defaults None.
Access Enabled.
Examples The following command sets the name of port 17 to adminpool:
WLC# set port 17 name adminpool
See Also
clear port name on page 48
set port negotiation

Usage Disables or reenables autonegotiation on gigabit Ethernet or 10/100 Ethernet ports. The gigabit
Ethernet ports operate at 1000 Mbps only. They do not change speed to match 10-Mbps or 100-Mbps
links.
WLC-8, WLC-200, and WLC-216 10/100 Ethernet ports support half-duplex and full-duplex operation.
58
Port Commands
It is recommended that you do not configure the mode of an WLC port so that one side of the link is set to
autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can
cause slow throughput on the link. The slow throughput occurs because the side that is configured for
autonegotiation falls back to half-duplex. A stream of large packets sent to an WLC port with this
configuration can cause forwarding on the link to stop.
Syntax set port negotiation port-list {enable | disable}
port-list
List of physical ports. MSS disables or reenables autonegotiation on all the specified
ports.
enable
Enables autonegotiation on the specified ports.
disable
Disables autonegotiation on the specified ports.
Defaults Autonegotiation is enabled on all Ethernet ports by default.

Access Enabled.
Examples The following command disables autonegotiation on ports 3, 8, and 16 through 18:
WLC# set port negotiation 3,8,16-18 disable
The following command enables autonegotiation on port 21:
WLC# set port negotiation 21 enable
set port poe

Usage Enables or disables Power over Ethernet (PoE) on ports connected to MPs.
This command does not apply to any gigabit Ethernet ports or to ports 7 and 8 on the WLC-8 switch, port
19 on the WLC-216, or port 3 on the WLC-200.
Warning: When you set the port type for MP use, you can enable PoE on the port. Use the MX PoE to power Juniper
Networks MP access points only. If you enable PoE on ports connected to other devices, damage can result.
Syntax set port poe port-list enable | disable

port-list
List of physical ports. MSS disables or reenables PoE on all the specified ports.
enable
Enables PoE on the specified ports.
disable
Disables PoE on the specified ports.
Defaults PoE is disabled on network and wired authentication ports. The state on MP ports depends on
whether you enabled or disabled PoE when setting the port type. See set port type ap on page 61.
Access Enabled.
Examples The following command disables PoE on ports 7 and 9, which are connected to an MP:
WLC# set port poe 7,9 disable
59
If you are enabling power on these ports, they must be connected only to
approved PoE devices with the correct wiring. Do you wish to continue? (y/n)
[n]y
The following command enables PoE on ports 7 and 9:
WLC# set port poe 7,9 enable
If you are enabling power on these ports, they must be connected only to
approved PoE devices with the correct wiring. Do you wish to continue? (y/n)
[n]y
See Also
set port preference

Deprecated in MSS Version 4.0
set port speed

Usage Changes the speed of a port.
It is recommended that you do not configure the mode of an WLC port so that one side of the link is set to
autonegotiation while the other side is set to full-duplex. Although MSS allows this configuration, it can
result in slow throughput on the link. The slow throughput occurs because the side that is configured for
autonegotiation falls back to half-duplex. A stream of large packets sent to an WLC port in such a
configuration can cause forwarding on the link to stop.
Do not set the port speed of a gigabit port to auto. Although the CLI allows this setting, it is invalid. If you
set the port speed of a gigabit port to auto, the link will stop working.
Syntax set port speed port-list {10 | 100 | 1000 | auto}
port-list
List of physical ports. MSS sets the port speed on all the
specified ports.
10
Sets the port speed of a 10/100 Ethernet port to 10 Mbps

and sets the operating mode to full-duplex.
100
Sets the port speed of a 10/100 Ethernet port to 100 Mbps

1000
Sets the port speed of a gigabit Ethernet port to 1000 Mbps

10000
Sets the port speed of a gigabit Ethernet port to 10000 Mbps

auto
Enables a port to detect the speed and operating mode of

the traffic on the link and set itself accordingly.
Defaults All ports are set to auto.

Access Enabled.
60
Port Commands

Version 1.0
Command introduced.
Version 7.0
Added 10000 as a port speed.
Examples The following command sets the port speed on ports 1, 7 through 11, and 14 to
10 Mbps and sets the operating mode to full-duplex:
WLC# set port speed 1,7-11,14 10
set port trap

Usage Enables or disables Simple Network Management Protocol (SNMP) linkup and linkdown
traps on an individual port.
The set port trap command overrides the global setting of the set snmp trap command.
The set port type command does not affect the global trap information displayed by the show
snmp configuration command. For example, if you globally enable linkup and linkdown traps but
then disable the traps on a single port, the show snmp configuration command still indicates that
the traps are globally enabled.
Syntax set port trap port-list {enable | disable}
port-list
List of physical ports.
enable
Enables the Telnet server.
disable
Disables the Telnet server.
Defaults SNMP linkup and linkdown traps are disabled by default.

Access Enabled.
Examples The following command enables SNMP linkup and linkdown traps on ports 17 and 18:
WLC# set port trap 17-18 enable
See Also
set ip snmp server on page 122
set snmp community on page 127
set snmp trap on page 138
set snmp trap receiver on page 138
show snmp configuration on page 156
set port type ap

Command deprecated in MSS Version 6.0. Use the command set ap instead.
61
set port type wired-auth

Configures an MX port for a wired authentication user.
Informational Note: Before changing the port type from ap to wired-auth or from wired-auth to ap, you must reset
the port with the clear port type command.
Syntax set port type wired-auth port-list [auth-fall-thru

{last-resort | none | web-portal-form}][ idle-timeout timeout][tag tag-list]
[max-sessions num]
port-list
timeout
Sets the idle-timeout for a client. Default value is 300 seconds.
tag-list
One or more numbers between 1 and 4094 that subdivide a wired authentication
port into virtual ports.
num
Maximum number of simultaneous user sessions supported.
last-resort
Automatically authenticates the user, without requiring a username and password.
none
Denies authentication and prohibits the user from accessing the network over this
port.
web-portal
Serves the user a web page from the WLC nonvolatile storage for secure login to the
network.
Defaults The default tag-list is null (no tag values). The default number of sessions is 1. The default
fallthru authentication type is none. The default idle-timeout is 300 seconds.
Access Enabled.
History
Version 1.0
Command introduced.
Version 2.0
Maximum number of sessions increased from 16. You can specify as many as you
need. (There is no specific maximum.)
Version 3.0
Options added to change the fallthru authentication type. This is the authentication
type that MSS uses if the user does not support 802.1X and is not authenticated by
MAC authentication.
Version 4.0
Option for WebAAA fallthru authentication type changed from web-auth to

web-portal.
Version 7.1
Option web-portal changed to web-portal-form.
Usage You cannot set a port type if the port is a member of a port VLAN. To remove a port from a VLAN,
use the clear vlan command. To reset a port as a network port, use the clear port type command.
When you change port type, MSS applies default settings appropriate for the port type. Table 7 lists the
default settings that MSS applies when you set a port type to ap.
62
Port Commands
For 802.1X clients, wired authentication works only if the clients are directly attached to the wired
Table 7.Wired Authentication Port Defaults
Port Parameter
Setting
VLAN membership
Removed from all VLANs. You cannot assign an MP access port to a VLAN. MSS
automatically assigns MP access ports to VLANs based on user traffic.
Spanning Tree Protocol (STP)
Not applicable
802.1X
Uses authentication parameters configured for users.
Port groups
Not applicable
IGMP snooping
Enabled as users are authenticated and join VLANs.
Maximum user sessions
1 (one).
Fallthru authentication type
None.
authentication port, or are attached through a hub that does not block forwarding of packets from the
client to the PAE group address (01:80:c2:00:00:03). Wired authentication works in accordance with
the 802.1X specification, which prohibits a client from sending traffic directly to an authenticator MAC
address until the client is authenticated. Instead of sending traffic to the authenticator MAC address,
the client sends packets to the PAE group address. The 802.1X specification prohibits networking
devices from forwarding PAE group address packets, because this would make it possible for multiple
authenticators to acquire the same client.
For non-802.1X clients, who use MAC authentication, WebAAA, or last-resort authentication, wired
authentication works if the clients are directly attached or indirectly attached.
Examples The following command sets port 10 for a wired authentication user:
WLC# set port type wired-auth 10
Examples The following command sets port 7 for a wired authentication user and specifies a maximum
of three simultaneous user sessions:
WLC# set port type wired-auth 7 max-sessions 3
See Also
show port counters

Displays port statistics.
63
Syntax show port counters [octets | packets | receive-errors | transmit-errors

| collisions | receive-etherstats | transmit-etherstats] [port port-list]
octets
Displays octet statistics.
packets
Displays packet statistics.
receive-errors
Displays errors in received packets.
transmit-errors
Displays errors in transmitted packets.
collisions
Displays collision statistics.
receive-etherstats
Displays Ethernet statistics for received packets.
transmit-etherstats Displays Ethernet statistics for transmitted packets.

port port-list
List of physical ports. If you do not specify a port list, MSS displays statistics
for all ports.
Defaults None.
Access All.
Usage You can specify one statistic type with the command.
Examples The following command shows octet statistics for port 3:
WLC> show port counters octets port 3
Port
Status
Rx Octets
Tx Octets
=============================================================================
3
Up
27965420
34886544
This commands output has the same fields as the monitor port counters command. For descriptions of
the fields, see Table 6 on page 52.
See Also
clear port counters on page 46
show port-group
Displays port group information.
Syntax show port-group [name group-name]
name group-name
Displays information for the specified port group.
Defaults None.
Access All.
History
64
Version 1.0
Command introduced.
Version 4.2
Option all removed for simplicity. You can display information for all groups by
entering the command without specifying a group name.
Port Commands
Examples The following command displays the configuration of port group server2:
WLC# show port-group name server2
Port group: server2 is up
Ports:
15, 17
Following are the fields in the show port-group output.

Table 8.show port-group Output Fields
Field
Description
Port group
Name and state (enabled or disabled) of the port group.
Ports
Ports contained in the port group.
See Also
show port media-type (deprecated)

Displays the enabled interface types on an WLC-400 gigabit Ethernet ports.
Syntax show port media-type [port-list]
List of physical ports. MSS displays the enabled interface types for all
specified ports.
port-list
Defaults None.
Access All.
Version 4.0
Command introduced.
Version 7.1
Command deprecated.
Usage This command applies only to the WLC-400.

Examples The following command displays the enabled interface types on all four ports of an
WLC-400:
WLC-400# show port media-type
Port
Media Type
===========================================================
1
GBIC
RJ45
GBIC
GBIC
65
Following are the fields in this display.

Table 9.show port media-type Fields
Field
Description
Port
Port number.
Preference
Preference setting:
GBICThe GBIC (fiber) interface is enabled.
RJ45The RJ-45 (copper) interface is enabled.
See Also
show port mirror

Displays the port mirroring configuration.
Syntax show port mirror
Defaults None.
Access Enabled.
Examples The following command displays the port mirroring configuration on the WLC:
WLC# show port mirror
Port 1 is mirrored to port 2
If port mirroring is not configured, the message in the following example is displayed instead:
WLC# show port mirror
No ports are mirrored
See Also
show port poe

Displays status information for ports with Power over Ethernet (PoE) enabled.
Syntax show port poe [port-list]
List of physical ports. If you do not specify a port list, PoE information is displayed for
all ports.
port-list
Defaults None.
Access All.
Examples The following command displays PoE information for all ports on a 22-port MX:
WLC# show port poe
Link
Port
66
Name
Port
Status
PoE
Type
PoE
config
Draw(Watts)
Port Commands
==============================================================================
1
up
disabled
off
down
disabled
off
down
disabled
off
down
disabled
off
down
disabled
off
down
disabled
off
down
disabled
off
down
disabled
off
up
MP
enabled
1.44
10
10
up
disabled
off
11
11
down
disabled
off
12
12
down
disabled
off
13
13
down
disabled
off
14
14
down
disabled
off
15
15
down
disabled
off
16
16
down
disabled
off
17
17
down
disabled
off
18
18
down
disabled
off
19
19
down
disabled
off
20
20
down
disabled
off
21
21
down
disabled
invalid
22
22
down
disabled
invalid\
Following are the fields in this display.

Table 10.show port poe Fields
Field
Description
Port
Port number.
Name
Port name. If the port does not have a name, the port number is listed.
Link status
Link status of the port:

upThe port is connected.
downThe port is not connected.
Port type
Port type:
MPThe port is an MP access port.
- (The port is not an MP access port.)
PoE config
PoE state:
enabled
disabled
PoE Draw
Power draw on the port, in watts.

For 10/100 Ethernet ports on which PoE is disabled, this field displays off. For gigabit Ethernet
ports, this field displays invalid, because PoE is not supported on gigabit Ethernet ports.
The value overcurrent indicates a PoE problem such as a short in the cable.
67
See Also set port poe on page 59
show port preference

Deprecated in MSS Version 4.0
show port status

Displays configuration and status information for ports.
Syntax show port status [port-list]
List of physical ports. If you do not specify a port list, information is displayed for all
ports.
port-list
Defaults None.
Access All.
Examples The following command displays information for all ports on a 22-port MX switch:
WLC# show port status
Port
Name
Admin
Oper
Config
Actual
Type
Media
==============================================================================
68
1 1
10/100BaseTx
up
up
auto
100/full
network
2 2
10/100BaseTx
up
down
auto
network
3 3
10/100BaseTx
up
down
auto
network
4 4
10/100BaseTx
up
down
auto
network
5 5
10/100BaseTx
up
down
auto
network
6 6
10/100BaseTx
up
down
auto
network
7 7
10/100BaseTx
up
down
auto
network
8 8
10/100BaseTx
up
down
auto
network
9 9
10/100BaseTx
up
up
auto
100/full
ap
10 10
10/100BaseTx
up
up
auto
100/full
network
11 11
10/100BaseTx
up
down
auto
network
12 12
10/100BaseTx
up
down
auto
network
Port Commands
13 13
10/100BaseTx
up
down
auto
network
14 14
10/100BaseTx
up
down
auto
network
15 15
10/100BaseTx
up
down
auto
network
16 16
10/100BaseTx
up
down
auto
network
17 17
10/100BaseTx
up
down
auto
network
18 18
10/100BaseTx
up
down
auto
network
19 19
10/100BaseTx
up
down
auto
network
20 20
10/100BaseTx
up
down
auto
network
21 21
connector
up
down
auto
network
no
22 22
connector
up
down
auto
network
no
Table 11 describes the fields in this display.

Table 11.Output for show port status
Field
Description
Port
Port number.
Name
Port name. If the port does not have a name, the port number is listed.
Admin
Administrative status of the port:

upThe port is enabled.
downThe port is disabled.
Operational status of the port:
Oper
upThe port is operational.

downThe port is not operational.
Config
Port speed configured on the port:

1010 Mbps.
100100 Mbps.
10001000 Mbps.
autoThe port sets its own speed.
Actual
Speed and operating mode in effect on the port.
Type
Port type:
apMP port
networkNetwork port
waWired authentication port
69
Table 11.Output for show port status (continued)

Field
Description
Media
Link type:
10/100BaseTX10/100BASE-T.
GBIC1000BASE-SX or 1000BASE-LX GBIC.
1000BaseT1000BASE-T.
No connectorGBIC slot is empty.
See Also
set port on page 55
set port negotiation on page 58
set port speed on page 60
70
Port Commands
71
72
Port Commands
73
74
VLAN Commands
Use virtual LAN (VLAN) commands to configure and manage parameters for individual port
VLANs on network ports, and to display information about clients roaming within a mobility
domain. This chapter presents VLAN commands alphabetically. Use the following table to locate
commands in this chapter based on use.
Creation
set vlan name on page 82
Ports

clear vlan on page 78
show vlan config on page 91
Roaming and Tunnels
show roaming station on page 87

show roaming vlan on page 89
show tunnel on page 90
Restriction of Client
Layer 2 Forwarding
set security l2-restrict on page 81

show security l2-restrict on page 89
clear security l2-restrict on page 77
clear security l2-restrict counters on page 78
Tunnel Affinity
set vlan tunnel-affinity on page 83
FDB Entries
set fdb on page 80

show fdb on page 85
show fdb count on page 87
clear fdb on page 75
FDB Aging Timeout
set fdb agingtime on page 81

show fdb agingtime on page 87
VLAN Profiles for MP

local switching
set vlan-profile on page 84

show vlan-profile on page 92
clear vlan-profile on page 79
clear fdb
Deletes an entry from the forwarding database (FDB).
75
Syntax clear fdb {address-mode static |permanent | system} [mac-addr] [dynamic

| port port-list | [vlan vlan-id]
address-mode
perm
Clears permanent entries. A permanent entry does not age out and remains
in the database even after a reboot, reset, or power cycle. You must specify
a VLAN name or number with this option.
static
Clears static entries. A static entry does not age out, but is removed from the
database after a reboot, reset, or power cycle. You must specify a VLAN
name or number with this option.
system
Clears system entries from the FDB. You must specify a VLAN name or
number with this option.
dynamic
Clears dynamic entries. A dynamic entry is automatically removed through

aging or after a reboot, reset, or power cycle. You are not required to specify
a VLAN name or number with this option.
mac-addr
Clears MAC addresses from the FDB. You must specify a MAC address in
the format a:b:c:d:e:f or a-b-c-d-e-f.
port port-list
Clears dynamic entries that match destination ports in the port list. You are
not required to specify a VLAN name or number with this option.
vlan vlan-id
VLAN name or numberrequired for removing permanent and static

entries. For dynamic entries, specifying a VLAN removes entries that match
only that VLAN. Otherwise, dynamic entries that match all VLANs are
removed.
tag tag-value
VLAN tag value that identifies a virtual port. If you do not specify a tag value,
MSS deletes only entries that match untagged interfaces. Specifying a tag
value deletes entries that match only the specified tagged interface.
Defaults None.
Access Enabled.
History
MSS Version 1.0
Command introduced.
MSS Version 7.0
Added address-mode and MAC address option.
Usage You can delete forwarding database entries based on entry type, port, or VLAN. A VLAN
name or number is required for deleting permanent or static entries.
Examples The following command clears all static forwarding database entries that match VLAN
blue:
WLC# clear fdb static vlan blue
The following command clears all dynamic forwarding database entries that match all VLANs:
WLC# clear fdb dynamic
76
VLAN Commands
The following command clears all dynamic forwarding database entries that match ports 3 and 5:
WLC# clear fdb port 3,5
See Also
set fdb on page 80
show fdb on page 85
clear security l2-restrict

Removes one or more MAC addresses from the list of destination MAC addresses that clients in a
VLAN are allowed to send traffic at Layer 2.
Syntax clear security l2-restrict vlan vlan-id
[permit-mac mac-addr [mac-addr] | all]
vlan-id
VLAN name or number.
permit-mac
mac-addr
[mac-addr]
List of MAC addresses. MSS no longer allows clients in the VLAN to send
traffic to the MAC addresses at Layer 2.
all
Removes all MAC addresses from the list.
Defaults If you do not specify a list of MAC addresses or all, all addresses are removed.
Access Enabled.
Usage If you clear all MAC addresses, Layer 2 forwarding is no longer restricted in the VLAN.
Clients within the VLAN can communicate directly.
There can be a slight delay before functions such as pinging between clients become available
again after Layer 2 restrictions are lifted. Even though packets are passed immediately once Layer
2 restrictions are gone, it can take 10 seconds or more for upper-layer protocols to update their
ARP caches and regain their functionality.
To clear the statistics counters without removing any MAC addresses, use the clear security
l2-restrict counters command instead.
Examples The following command removes MAC address aa:bb:cc:dd:ee:ff from the list of
addresses that clients in VLAN abc_air are allowed to send traffic at Layer 2:
WLC# clear security l2-restrict vlan abc_air permit-mac
aa:bb:cc:dd:ee:ff
See Also
77
clear security l2-restrict counters

Clear statistics counters for Layer 2 forwarding restriction.
Syntax clear security l2-restrict counters [vlan vlan-id | all]
vlan-id
all
Clears Layer 2 forwarding restriction counters for all VLANs.
Defaults If you do not specify a VLAN or all, counters for all VLANs are cleared.
Access Enabled.
Usage To clear MAC addresses from the list of addresses that clients are allowed to send data,
use the clear security l2-restrict command instead.
Examples The following command clears Layer 2 forwarding restriction statistics for VLAN
abc_air:
WLC# clear security l2-restrict counters vlan abc_air
See Also
clear vlan
Removes physical or virtual ports from a VLAN or removes a VLAN entirely.
Warning: When you remove a VLAN, MSS completely removes the VLAN from the configuration and also
removes all configuration information for that VLAN. If you want to remove only a specific port from the VLAN,
make sure you specify the port number in the command.
When you remove a VLAN, MSS completely removes the VLAN from the configuration and also removes
all configuration information for that VLAN. If you want to remove only a specific port from the VLAN, make
sure you specify the port number in the command.
Syntax clear vlan vlan-id [port port-list [tag tag-value]]
vlan-id
port port-list
List of physical ports. MSS removes the specified ports from the VLAN. If
you do not specify a list of ports, MSS removes the VLAN entirely.
tag tag-value
Tag number that identifies a virtual port. MSS removes only the specified
virtual port from the specified physical ports.
Defaults None.
Access Enabled.
78
VLAN Commands
Usage If you do not specify a port-list, the entire VLAN is removed from the configuration.
Informational Note: You cannot delete the default VLAN but you can remove ports from it. To remove
ports from the default VLAN, use the port port-list option.
Examples The following command removes port 1 from VLAN green:

WLC# clear vlan green port 1
This may disrupt user connectivity. Do you wish to continue? (y/n) [n]y
The following command removes port 4, which uses tag value 69, from VLAN red:
WLC# clear vlan red port 4 tag 69
The following command completely removes VLAN marigold:
WLC# clear vlan marigold
See Also
clear vlan-profile
Removes a VLAN profile or individual entries from a VLAN profile.
Syntax clear vlan-profile profile-name [vlan vlan-name]
profile-name
VLAN profile name
vlan-name
Name of a VLAN to remove from the VLAN profile.
Defaults None.
Access Enabled.
Usage A VLAN profile lists the VLANs that locally switch traffic by MPs where the VLAN profile is
applied. Use this command to remove individual VLANs from a VLAN profile, or to remove an
entire VLAN profile. If you remove all of the entries from a VLAN profile, the VLAN profile is
removed.
If a VLAN profile is changed so that traffic that had been tunneled to an WLC is now locally
switched by MPs, or vice-versa, the sessions of clients associated with the MPs where the VLAN
profile is applied are terminated, and the clients must re-associate with the MPs.
Examples The following command removes the entry for VLAN red from VLAN profile locals:
WLC# clear vlan-profile locals vlan red
79
WLC#
The following command removes VLAN profile locals:
WLC# clear vlan-profile locals
WLC#
See Also
set ap local-switching vlan-profile on page 280
set fdb
Adds a permanent or static entry to the forwarding database.
Syntax set fdb {perm | static} mac-addr port port-list
vlan vlan-id [tag tag-value]
perm
Adds a permanent entry. A permanent entry does not age out and remains in
the database even after a reboot, reset, or power cycle.
static
Adds a static entry. A static entry does not age out, but is removed from the
database after a reboot, reset, or power cycle.
mac-addr
Destination MAC address of the entry. Use colons to separate the octets (for
example, 00:11:22:aa:bb:cc).
port port-list
List of physical destination ports for which to add the entry. A separate entry
is added for each port you specify.
vlan vlan-id
Name or number of a VLAN of which the port is a member. The entry is

added only for the specified VLAN.
tag tag-value
VLAN tag value that identifies a virtual port. You can specify a number from
1 through 4093. If you do not specify a tag value, an entry is created for an
untagged interface only. If you specify a tag value, an entry is created only
for the specified tagged interface.
Defaults None.
Access Enabled.
Usage You cannot add a multicast or broadcast address as a permanent or static FDB entry.
Examples The following command adds a permanent entry for MAC address 00:11:22:aa:bb:cc on
ports 3 and 5 in VLAN blue:
WLC# set fdb perm 00:11:22:aa:bb:cc port 3,5 vlan blue
The following command adds a static entry for MAC address 00:2b:3c:4d:5e:6f on port 1 in the
default VLAN:
WLC# set fdb static 00:2b:3c:4d:5e:6f port 1 vlan default
80
VLAN Commands

See Also
show fdb on page 85
set fdb agingtime

Changes the aging timeout period for dynamic entries in the forwarding database.
Syntax set fdb agingtime vlan-id age seconds
vlan-id
VLAN name or number. The timeout period change applies only to entries
that match the specified VLAN.
age seconds
Value for the timeout period, in seconds. You can specify a value from 0
through 1,000,000. If you change the timeout period to 0, aging is disabled.
Defaults The aging timeout period is 300 seconds (5 minutes).

Access Enabled.
Examples The following command changes the aging timeout period to 600 seconds for entries
that match VLAN orange:
WLC# set fdb agingtime orange age 600
See Also show fdb agingtime on page 87
set security l2-restrict

Restricts Layer 2 forwarding between clients in the same VLAN. When you restrict Layer 2
forwarding in a VLAN, MSS allows Layer 2 forwarding only between a client and a set of MAC
addresses, generally the VLAN default routers. Clients within the VLAN are not permitted to
communicate directly to each other. To communicate with another client, the client must use one of
the specified default routers.
Syntax set security l2-restrict vlan vlan-id
[mode {enable | disable}] [permit-mac mac-addr [mac-addr]]
vlan-id
mode
{enable | disable}
Enables or disables restriction of Layer 2 forwarding.
permit-mac mac-addr
[mac-addr]
MAC addresses to which clients are allowed to forward data at Layer 2.

You can specify up to four addresses.
Defaults Layer 2 restriction is disabled by default.

Access Enabled.
81
Usage You can specify multiple addresses by listing them on the same command line or by
entering multiple commands. To change a MAC address, use the clear security l2-restrict
command to remove it, and then use the set security l2-restrict command to add the correct
address.
Restriction of client traffic does not begin until you enable the permitted MAC list. Use the mode
enable option with this command.
Examples The following command restricts Layer 2 forwarding of client data in VLAN abc_air to
the default routers with MAC address aa:bb:cc:dd:ee:ff and 11:22:33:44:55:66:
WLC# set security l2-restrict vlan abc_air mode enable permit-mac
aa:bb:cc:dd:ee:ff 11:22:33:44:55:66
See Also
set vlan name

Creates a VLAN and assigns a number and name to it.
Syntax set vlan vlan-num name name
vlan-num
VLAN number. You can specify a number from 2 through 4093.
name
String up to 16 alphabetic characters long.
Defaults VLAN 1 is named default by default. No other VLANs have default names.
Access Enabled.
Usage You must assign a name to a VLAN (other than the default VLAN) before you can add
ports to the VLAN.
It is recommended that you do not use the name default. This name is already used for VLAN 1. It
is also recommended that you do not rename the default VLAN.
You cannot use a number as the first character in the VLAN name. It is recommended that you do
not use the same name with different capitalizations for VLANs. For example, do not configure two
separate VLANs with the names red and RED.
VLAN names are case-sensitive for RADIUS authorization when a client roams to an WLC. If the
switch is not configured with the VLAN of the client, but is configured with a VLAN with the same
spelling but different capitalization, authorization for the client fails. For example, if the client is on
VLAN red but the WLC to which the client roams has VLAN RED instead, RADIUS authorization
fails.
Examples The following command assigns the name marigold to VLAN 3:
WLC# set vlan 3 name marigold
82
VLAN Commands
See Also set vlan port on page 83
set vlan port

Assigns one or more network ports to a VLAN. You also can add a virtual port to each network port
by adding a tag value to the network port.
Syntax set vlan vlan-id port port-list [tag tag-value]
vlan-id
port port-list
tag tag-value
Tag value that identifies a virtual port. You can specify a value from 1
through 4093.
Defaults By default, no ports are members of any VLANs. An MX cannot forward traffic on the
network until you configure VLANs and add network ports to the VLANs.
Access Enabled.
Usage You can combine this command with the set port name command to assign the name and
add the ports at the same time.
If you do not specify a tag value, the MX sends untagged frames for the VLAN. If you do specify a
tag value, the WLC sends tagged frames only for the VLAN.
If you do specify a tag value, it is recommended to use the same value as the VLAN number. MSS
does not require the VLAN number and tag value to be the same but it can be required by devices
from other vendors.
Examples The following command assigns the name beige to VLAN 11 and adds ports 1 through
3 to the VLAN:
WLC# set vlan 11 name beige port 1-3
The following command adds port 16 to VLAN beige and assigns tag value 86 to the port:
WLC# set vlan beige port 16 tag 86
See Also
set vlan tunnel-affinity

Changes an MX preferences within a mobility domain for tunneling user traffic for a VLAN. When a
user roams to an MX that is not a member of the users VLAN, the WLC can forward the user
traffic by tunneling to another MX that is a member of the VLAN.
83
Syntax set vlan vlan-id tunnel-affinity affinity

vlan-id
affinity
Preference of this WLC for forwarding user traffic for the VLAN. You can
specify a value from 1 through 10. A higher number indicates a greater
preference.
Defaults Each VLAN on a WLC network port has an affinity value of 5 by default.
Access Enabled.
Usage Increasing a WLC affinity value increases the preferability of the WLC for forwarding user
traffic for the VLAN.
If more than one MX has the highest affinity value, MSS randomly selects one of the switches for
the tunnel.
Examples The following command changes the VLAN affinity for VLAN beige to 10:
WLC# set vlan beige tunnel-affinity 10
See Also
show roaming vlan on page 89
set vlan-profile
Configures entries in a VLAN profile that can be applied to an MP for local switching.
Syntax set vlan-profile profile-name vlan vlan-name [mode
{overlay|local-switching} [tag tag-value]
profile-name
VLAN profile name.
vlan-name
Name of a VLAN.
mode
Select overlay or local-switching.
tag-value
Optional tag value associated with the VLAN. When this value is set, it is
used as the 802.1Q tag for the VLAN.
Defaults If local switching is enabled on an MP, but no VLAN profile is configured, then a default
VLAN profile is used. The default VLAN profile includes a single VLAN named default that is
untagged.
Access Enabled.
84
Version 6.0
Command introduced.
Version 7.1
Attribute mode added.
VLAN Commands
Usage A VLAN profile consists of a list of VLANs and tags. When a VLAN profile is applied to an
MP, traffic for the VLANs specified in the VLAN profile is locally switched by the MP instead of
being tunneled back to an WLC.
You enter a separate set vlan-profile command for each VLAN you want to add to the VLAN
profile. A VLAN profile can contain up to 128 entries.
Examples The following command adds an entry for VLAN red to VLAN profile locals:
WLC# set vlan-profile locals vlan red
See Also
show fdb
Displays entries in the forwarding database.
Syntax show fdb [mac-addr-glob [vlan vlan-id]]
show fdb {perm | static | dynamic | system | all} [port port-list | vlan vlan-id]
mac-addr-glob
A single MAC address or set of MAC addresses. Specify a MAC address, or

use the wildcard character (*) to specify a set of MAC addresses. (For
details, see MAC Address Globs on page 7.)
vlan vlan-id
Name or number of a VLAN to display entries.
perm
Displays permanent entries. A permanent entry does not age out and
remains in the database even after a reboot, reset, or power cycle.
static
Displays static entries. A static entry does not age out, but is removed from
the database after a reboot, reset, or power cycle.
dynamic
Displays dynamic entries. A dynamic entry is automatically removed through

aging or after a reboot, reset, or power cycle.
system
Displays system entries. A system entry is added by MSS. For example, the
authentication protocols can add entries for wired and wireless
authentication users.
all
Displays all entries in the database, or all the entries that match a particular
port or ports or a particular VLAN.
port port-list
Destination port(s) for which to display entries.
Defaults None.
Access All.
Usage To display the entire forwarding database, enter the show fdb command without options.
To display only a portion of the database, use optional parameters to specify the types of entries to
display.
85
Examples The following command displays all entries in the forwarding database:
WLC# show fdb all
* = Static Entry. + = Permanent Entry. # = System Entry.
VLAN TAG
Type]
Dest MAC/Route Des [CoS]
Destination Ports
[Protocol
---- ---- ------------------ --------------------------------------------1
00:01:97:13:0b:1f
aa:bb:cc:dd:ee:ff
00:0b:0e:02:76:f5
[ALL]
[ALL]
[ALL]
Total Matching FDB Entries Displayed = 3

The top line of the display identifies the characters to distinguish among the entry types.
The following command displays all entries that begin with the MAC address glob 00:
WLC# show fdb 00:*
* = Static Entry. + = Permanent Entry. # = System Entry.
VLAN TAG
Type]
Dest MAC/Route Des [CoS]
Destination Ports
[Protocol
---- ---- ------------------ --------------------------------------------1
00:01:97:13:0b:1f
[ALL]
00:0b:0e:02:76:f5
[ALL]
Total Matching FDB Entries Displayed = 2

Table 12 describes the fields in the show fdb output.
Table 12.Output for show fdb
Field
Description
VLAN
VLAN number.
TAG
VLAN tag value. If the interface is untagged, the TAG field is blank.
Dest MAC/Route Des
MAC address of the forwarding entry destination.
CoS
Type of entry. The entry types are explained in the first row of the command output.
This Class of Service (CoS) value is not associated with MSS quality of service (QoS)
features.
Destination Ports
MX port associated with the entry. A WLC sends traffic to the destination MAC address
through this port.
Protocol Type
Layer 3 protocol address types that can be mapped to this entry.
Total Matching FDB Entries
Number of entries displayed by the command.
Displayed
See Also
set fdb on page 80
86
VLAN Commands
show fdb agingtime

Displays the aging timeout period for forwarding database entries.
Syntax show fdb agingtime [vlan vlan-id]
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, the aging timeout
period for each VLAN is displayed.
Defaults None.
Access All.
Examples The following command displays the aging timeout period for all VLANs:
WLC# show fdb agingtime
VLAN 2 aging time = 600 sec
VLAN 1 aging time = 300 sec
Because the forwarding database aging timeout period can be configured on an individual VLAN
basis, the command lists the aging timeout period for each VLAN separately.
See Also set fdb agingtime on page 81
show fdb count

Lists the number of entries in the forwarding database.
Syntax show fdb count {perm | static | dynamic} [vlan vlan-id]
perm
Lists the number of permanent entries. A permanent entry does not age out
and remains in the database even after a reboot, reset, or power cycle.
static
Lists the number of static entries. A static entry does not age out, but is
removed from the database after a reboot, reset, or power cycle.
dynamic
Lists the number of dynamic entries. A dynamic entry is automatically

removed through aging or after a reboot, reset, or power cycle.
vlan vlan-id
VLAN name or number. Entries are listed for only the specified VLAN.
Defaults None.
Access All.
Examples The following command lists the number of dynamic entries that the forwarding
database contains:
WLC# show fdb count dynamic
Total Matching Entries = 2
See Also show fdb on page 85
show roaming station

Displays a list of the stations roaming to the WLC through a VLAN tunnel.
87
Syntax show roaming station [vlan vlan-id] [peer ip-addr]

vlan vlan-id
Output is restricted to stations using this VLAN.
peer ip-addr
Output is restricted to stations tunnelling through this peer MX in the Mobility

Domain.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced.
Version 4.0
Old AP MAC field removed.

Usage The output displays roaming stations within the previous 1 second.
Examples To display all stations roaming to the WLC switch, type the following command:
WLC# show roaming station
User Name
Station Address
VLAN
State
---------------------- ----------------- --------------- ----redsqa
10.10.10.5
violet
Up
Table 13 describes the fields in the display.

Table 13.Output for show roaming station
Field
Description
User Name
Name of the user. This is the name used for authentication. The name resides in a RADIUS
server database or the local user database on an MX.
Station Address
IP address of the user device.
VLAN
Name of the VLAN that the RADIUS server or MX local user database assigned the user.
State
State of the session:

SetupStation is attempting to roam to this MX. This switch has asked the MX from which the
station is roaming for the station session information and is waiting for a reply.
UpMSS has established a tunnel between the MX switches and the station has successfully
roamed to this MX over the tunnel.
ChckThis WLC is in the process of accepting a reassociation request from the roaming peer
WLC for a station currently roaming to the peer switch.
TChckThis WLC is in the process of accepting a reassociation request from the roaming peer
WLC for a station currently roaming to this switch.
WIndThis WLC is waiting for network congestion to clear before sending the roaming
indication to the roaming peer WLC.
WRespThis WLC is waiting for network congestion to clear before sending the roaming
response to the roaming peer WLC.
See Also show roaming vlan on page 89
88
VLAN Commands
show roaming vlan

Shows all VLANs in the mobility domain, the WLC switches servicing the VLANs, and the tunnel
affinity values configured on each WLC for the VLANs.
Syntax show roaming vlan
Defaults None.
Access Enabled.
Examples The following command shows the current roaming VLANs:
WLC# show roaming vlan
VLAN
Switch IP Address Affinity
---------------- --------------- -------vlan-cs
192.168.14.2
vlan-eng
192.168.14.4
vlan-fin
192.168.14.2
vlan-it
192.168.14.4
vlan-it
192.168.14.2
vlan-pm
192.168.14.2
vlan-sm
192.168.14.2
vlan-tp
192.168.14.4
vlan-tp
192.168.14.2

Table 14.Output for show roaming vlan
Field
Description
VLAN
VLAN name.
WLC
System IP address of the MX on which the VLAN is configured.
Affinity
Preference of this WLC for forwarding user traffic for the VLAN. A
higher number indicates a greater preference.
See Also
show roaming station on page 87
show security l2-restrict

Displays configuration information and statistics for Layer 2 forwarding restriction.
Syntax show security l2-restrict [vlan vlan-id | all]
vlan-id
all
Displays information for all VLANs.
89
Defaults If you do not specify a VLAN name or all, information is displayed for all VLANs.
Access Enabled.
Examples The following command shows Layer 2 forwarding restriction information for all VLANs:
WLC# show security l2-restrict
VLAN Name
En Drops
Permit MAC
Hits
---- ---------------- -- ---------- ------------------- ---------1 default
2 vlan-2
0 00:0b:0e:02:53:3e
5947
00:30:b6:3e:5c:a8
0 04:04:04:04:04:04

Table 15.Output for show security l2-restrict
Field
Description
VLAN
VLAN number.
Name
VLAN name.
En
Enabled state of the feature for the VLAN:

YEnabled. Forwarding of Layer 2 traffic from clients is restricted to the MAC
address(es) listed under Permit MAC.
NDisabled. Layer 2 forwarding is not restricted.
Drops
Number of packets dropped because the destination MAC address is not one of the
addresses listed under Permit MAC.
Permit MAC
MAC addresses that clients in the VLAN are allowed to send traffic at Layer 2.
Hits
Number of packets with the source MAC address of a client in this VLAN, and the
destination MAC address was one of those listed under Permit MAC.
See Also
show tunnel
Displays the tunnels from the WLC where you type the command.
Syntax show tunnel
Defaults None.
Access Enabled
Examples To display all tunnels from an MX to other switches in the Mobility Domain, type the
following command.
WLC# show tunnel
VLAN
90
Local Address
Remote Address
State
Port
LVID
RVID
VLAN Commands
--------------- --------------- --------------- ------- ----- --------vlan-eng

130
192.168.14.2
192.168.14.4
DORMANT
1024
4096

Table 16.Output for show tunnel
Field
Description
VLAN
VLAN name.
Local Address
IP address of the local end of the tunnel. This is the WLC IP address where you enter
Remote Address
IP address of the remote end of the tunnel. This is the system IP address of another
the command.
MX in the mobility domain.
State
Tunnel state:
Up
Dormant
Port
Tunnel port ID.
LVID
Local VLAN ID.
RVID
Remote VLAN ID.
See Also show vlan config on page 91
show vlan config

Displays VLAN information.
Syntax show vlan config [vlan-id]
vlan-id
VLAN name or number. If you do not specify a VLAN, information for all
VLANs is displayed.
Defaults None.
Access All.
Examples The following command displays information for VLAN burgundy:
WLC# show vlan config burgundy
Admin
VLAN Name
VLAN
Tunl
Port
Status State Affin Port
Tag
State
---- ---------------- ------ ----- ----- ---------------- ----- ----2 burgundy
Up
Up
5
2
none Up
none Up
none Up
none Up
91
11
none Up
t:10.10.40.4
none Up

Table 17.Output for show vlan config
Field
Description
VLAN
VLAN number.
Name
VLAN name.
Admin Status
Administrative status of the VLAN:

DownThe VLAN is disabled.
UpThe VLAN is enabled.
VLAN State
Link status of the VLAN:

DownThe VLAN is not connected.
UpThe VLAN is connected.
Tunl Affin
Tunnel affinity value assigned to the VLAN.
Port
Member port of the VLAN. The port can be a physical port or a virtual port.
Physical ports are 10/100 Ethernet or gigabit Ethernet ports on the switch, and are
listed by port number.
Virtual ports are tunnels to other switches in a mobility domain, and are listed as
follows: t:ip-addr, where ip-addr is the system IP address of the MX switch at the
other end of the tunnel.
This field can include MP access ports and wired authentication ports, because MSS
dynamically adds these ports to a VLAN when handling user traffic for the VLAN.
Tag
Tag value assigned to the port.
Port State
Link state of the port:

DownThe port is not connected.
UpThe port is connected.
See Also
set vlan tunnel-affinity on page 83
show vlan-profile
Displays the contents of the VLAN profiles configured on the WLC. A VLAN profile lists the VLANs
that traffic is locally switched by MPs with the VLAN profile.
Syntax show vlan-profile [profile-name]
profile-name
VLAN profile name
Defaults If a profile-name is not specified, the contents of all VLAN profiles configured on the WLC
switch are displayed.
Access All.
92
VLAN Commands
Examples The following command displays the contents of VLAN profile locals:
WLC# show vlan-profile locals
vlan-profile: locals
AP list: 1,2,3
Vlan Name
Tag
---------
---
blue
none
red
45
ap numbers: 67
Table 18 describes the fields in the show vlan-profile output.
Table 18.Output for show vlan-profile
Field
Description
vlan-profile
Name of the VLAN profile.
Vlan Name
Name of the VLAN for which local switching is performed.
Mode
Value of the 802.1Q tag used for the VLAN.
ap numbers
The index numbers of the APs where this VLAN profile is applied.
See Also
93
94
Quality of Service Commands

Use Quality of Service (QoS) commands to configure packet prioritization in MSS. Packet
prioritization ensures that WLC switches and MPs give preferential treatment to high-priority traffic
such as voice and video.
(To override the prioritization for specific traffic, use access controls lists [ACLs] to set the Class of
Service [CoS] for the packets.
This chapter presents QoS commands alphabetically. Use the following table to locate commands
in this chapter based on their use.
QoS Settings
show qos on page 99

show qos dscp-table on page 99
Updated
set qos cos-to-dscp-map on page 96

set qos dscp-to-cos-map on page 97
set qos flow on page 97
Updated
set qos flow on page 97

set qos traffic-class on page 98
clear qos on page 95
clear qos-profile on page 96
clear qos
Resets the WLC mapping of Differentiated Services Code Point (DSCP) values to internal QoS
values.
The WLC internal QoS map ensures that prioritized traffic remains prioritized while transiting the
WLC. An WLC uses the QoS map to do the following:
Classify inbound packets by mapping the DSCP values to one of eight internal QoS values
Classify outbound packets by marking the DSCP values based on the WLC internal QoS values
Syntax clear qos
[cos-to-dscp-map [from-qos] | dscp-to-cos-map [from-dscp]| [flow sip-data]|
[traffic-class voip-data]]
cos-to-dscp-map
[from-qos]
Resets the mapping between the specified internal QoS value and the
DSCP values with which MSS marks outbound packets.
QoS values are from 0 to 7.
dscp-to-cos-map
[from-dscp]
Resets the mapping between the specified range of DSCP values and
internal QoS value with which MSS classifies inbound packets.
95
flow
Resets the flow of SIP data.
sip-data
traffic-class
Resets the traffic class.
voip-data
Defaults None.
Access Enabled.
MSS Version 4.1
Introduced
MSS Version 7.1
sip-data and traffic-class added.
Usage To reset all mappings to the default values, use the clear qos command without the
optional parameters.
Examples The following command resets all QoS mappings:
WLC# clear qos
The following command resets the mapping used to classify packets with DSCP value 44:
WLC# clear qos dscp-to-qos-map 44
clear qos-profile
Clears a QoS profile from the configuration.
Syntax clear qos-profile profile-name
Defaults None
Access Enabled
Examples To clear a QoS profile with the profile name, best_voice, from the MSS configuration,
use the following command:
WLC# clear qos-profile best_voice
set qos cos-to-dscp-map

Changes the value that MSS maps an internal QoS value when marking outbound packets.
Syntax set qos cos-to-dscp-map level dscp dscp-value
96
level
Internal CoS value. You can specify a number from 1 to 7.
dscp dscp-value
DSCP value. You can specify the value as a decimal number. Valid
values are 0 to 63.
Defaults The defaults are listed by the show qos command.

Access Enabled.
Examples The following command maps internal CoS value 5 to DSCP value 50:
WLC# set qos cos-to-dscp-map 5 dscp 50
warning: cos 5 is marked with dscp 50 which will be classified as cos 6
If the change results in a change to CoS, MSS displays a warning message indicating the change.
In this example, packets receiving CoS 5 upon ingress are marked with a DSCP value equivalent
to CoS 6 upon egress.
See Also
set qos dscp-to-cos-map on page 97
show qos on page 99
set qos dscp-to-cos-map

Changes the internal QoS value that MSS maps to a packet DSCP value when classifying inbound
packets.
Syntax set qos dscp-to-cos-map dscp-range cos level
dscp-range
DSCP range. You can specify the values as decimal numbers. Valid
decimal values are 0 to 63.
To specify a range, use the following format: 40-56. Specify the lower
number first.
cos level
Internal QoS value. You can specify a number from 1 to 7.
Defaults The defaults are listed by the show qos command.

Access Enabled.
Examples The following command maps DSCP values 40-56 to internal CoS value 6:
WLC# set qos dscp-to-cos-map 40-56 cos 6
As shown in this example, if the change results in a change to CoS, MSS displays a warning
message indicating the change.
See Also
set qos cos-to-dscp-map on page 96
show qos on page 99
set qos flow

Create and modify QoS traffic flows.
97
Syntax set qos flow sip-data

Defaults Enabled
History Introduced in MSS Version 7.1
Usage Used in VoIP configurations.
set qos traffic-class

Create and modify classes of traffic on the network.
Syntax set qos traffic-class voip-data flow sip-data
Defaults None
Access Enable
Usage Used in VoIP configurations.
set qos-profile
Configures QoS parameters to apply to multiple clients.
Syntax set qos-profile profile-name [access-category background | best effort
| video | voice]|[cos static-cos-value][max-bandwidth
max-bw-kb][use-client-dscp enable | disable] trust-client-dscp [enable |
disable]
profile-name
Name of the QoS profile
access-category
Four types of forwarding queues to configure QoS.
background
best-effort
video
voice
Mark QoS traffic with a specific CoS value from 0 to 7.
cos
static-cos-value
max-bandwidth
max-bw-kb
trust-client-dscp
{enable|disable }
Configure the bandwidth for the QoS profile. You can configure it as 1 to
100000 Kbps with 0 as unlimited bandwidth.
Allows the WLC to use the client DSCP for radio ingress traffic and ignore
WMM.
Defaults None
Access Enabled
History Command introduced in MSS Version 6.2.
Version 6.2
98
Command introduced.
Version 7.1
The attribute trust-client-dscp added.
Version 7.3
The attribute use-client-dscp is deprecated.
show qos
Displays the WLC QoS settings.
Syntax show qos [default]
default
Displays the default mappings.
Defaults None.
Access Enabled.
Examples The following command displays the default QoS settings:
WLC# show qos default
Ingress QoS Classification Map (dscp-to-cos)
Ingress DSCP
CoS Level
========================================================================
00-09
10-19
20-29
30-39
40-49
50-59
60-63
Egress QoS Marking Map (cos-to-dsc)

CoS Level
7
========================================================================
=======
Egress DSCP
56
Egress ToS byte
0xE0
16
24
32
40
48
0x00
0x20
0x40
0x60
0x80
0xA0
0xC0
See Also show qos dscp-table on page 99
show qos dscp-table

Displays a table that maps Differentiated Services Code Point (DSCP) values to the equivalent
combinations of IP precedence values and IP ToS values.
99
Syntax show qos dscp-table

Defaults None.
Access Enabled.
History Introduced in MSS Version 4.0 as the show security acl dscp command and renamed in
MSS Version 4.1.
Examples The following command displays the table:
WLC# show qos dscp-table
DSCP
dec
TOS
hex
dec
precedence
tos
hex
----------------------------------------------0
0x00
0x00
0x01
0x04
0x02
0x08
0x3f
252
0xfc
14
...
63
See Also show qos on page 99
show qos traffic-class

Displays the traffic classes configured for QoS.
Syntax show qos traffic-class traffic-class-name
Defaults The default traffic-class name is voip-data.
100
IP Services Commands
Use IP services commands to configure and manage IP interfaces, management services, the
Domain Name Service (DNS), Network Time Protocol (NTP), aliases, and to ping a host or trace a
route. This chapter presents IP services commands alphabetically. Use the following table to
locate commands in this chapter based on their use.
IP Interface

set interface dhcp-client on page 114
New
set interface security on page 116

set interface status on page 117
show interface on page 149
show dhcp-client on page 146
Updated
clear interface on page 103
New
clear interface security on page 103

System IP Address

clear system ip-address on page 110
IP Route
set ip route on page 121

show ip route on page 153
Updated
clear ip route on page 105

SSH Management
set ip ssh server on page 123

set ip ssh on page 123
Telnet Management
set ip telnet on page 124

set ip telnet server on page 125
show ip telnet on page 154
clear ip telnet on page 106
HTTPS Management
set ip https server on page 120

set ip https authentication on page 120
show ip https on page 152
DNS
set ip dns on page 118

set ip dns domain on page 118
set ip dns server on page 119
show ip dns on page 151
clear ip dns domain on page 104
clear ip dns server on page 105
101
IP Alias
set ip alias on page 117

show ip alias on page 150
clear ip alias on page 104
Time and Date
set timedate on page 143

set timezone on page 144
set summertime on page 142
show timedate on page 159
show timezone on page 159
show summertime on page 158
clear timezone on page 110
clear summertime on page 109
NTP
set ntp on page 125

set ntp server on page 126
set ntp update-interval on page 126
show ntp on page 155
clear ntp server on page 106
clear ntp update-interval on page 107
ARP
set arp on page 112

set arp agingtime on page 113
show arp on page 145
SNMP
set snmp protocol on page 137

set snmp security on page 138
Updated

set snmp community group on page 128
set snmp usm on page 138
set snmp notify profile on page 129
set snmp notify target on page 133
show snmp status on page 157
show snmp community on page 156
show snmp usm on page 158
show snmp notify profile on page 157
show snmp notify target on page 157
show snmp counters on page 157
clear snmp community on page 107
clear snmp usm on page 109
102
clear snmp notify profile on page 108

clear snmp notify target on page 108
Ping
ping on page 111
Telnet client
telnet on page 160
Traceroute
traceroute on page 161
DHCP server
set interface dhcp-server on page 115

show dhcp-server on page 147
clear interface
Removes an IP interface.
Syntax clear interface vlan-id ip
vlan-id
Defaults None.
Access Enabled.
Usage If the interface you want to remove is configured as the system IP address, removing the
address can interfere with system tasks using the system IP address, including the following:
Mobility domain operations
Topology reporting for dual-homed MPs
Default source IP address used in unsolicited communications such as AAA accounting reports
and SNMP traps
Examples The following command removes the IP interface configured on VLAN mauve:
WLC# clear interface mauve ip
success: cleared ip on vlan mauve
See Also
clear interface security

Clears default IP security operations.
Syntax clear interface vlanid ip security destination ipaddr
vlanid
The name of the VLAN to set security operations.
ipaddr
The IP address of the security destination
Defaults None
103
Access Enabled
Examples To clear 172.21.25.1 on the VLAN fast1 from the security destination, use the following
command:
WLC# clear interface fast1 ip security destination 172.21.25.1
clear ip alias
Removes an alias, which is a string that represents an IP address.
Syntax clear ip alias name
name
Alias name.
Defaults None.
Access Enabled.
Examples The following command removes the alias server1:
WLC# clear ip alias server1
See Also
clear ip dns domain

Removes the default DNS domain name.
Syntax clear ip dns domain
Defaults None.
Access Enabled.
Examples The following command removes the default DNS domain name from an MX:
WLC# clear ip dns domain
Default DNS domain name cleared.
See Also
104
clear ip dns server

Removes a DNS server from an MX configuration.
Syntax clear ip dns server ip-addr
ip-addr
IP address of a DNS server.
Defaults None.
Access Enabled.
Examples The following command removes DNS server 10.10.10.69 from an MX configuration:
WLC# clear ip dns server 10.10.10.69
See Also
clear ip route
Removes a route from the IP route table.
Syntax clear ip route {default | ip-addr mask | ip-addr/mask-length} default-router
default
Default route.
default is an alias for IP address 0.0.0.0/0.
ip-addr mask
IP address and subnet mask for the route destination, in dotted

decimal notation (for example, 10.10.10.10 255.255.255.0).
ip-addr/mask-length
IP address and subnet mask length in CIDR format (for example,

10.10.10.10/24).
default-router
IP address, DNS hostname, or alias of the next-hop router.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced.
Version 1.1
mask and /mask-length options added. These options are required in MSS
version 1.1.
default-router option added, because MSS 1.1 supports multiple routes to
the same destination. This option is required in MSS version 1.1.
105
Examples The following command removes the route to destination 10.10.10.68/24 through router
10.10.10.1:
WLC# clear ip route 10.10.10.68/24 10.10.10.1
See Also
clear ip telnet
Resets the Telnet server TCP port number to the default value. An MX listens for Telnet
management traffic on the Telnet server port.
Syntax clear ip telnet
Defaults The default Telnet port number is 23.
Access Enabled.
Examples The following command resets the TCP port number for Telnet management traffic to its
default:
WLC# clear ip telnet
See Also
clear ntp server

Removes an NTP server from an MX configuration.
Syntax clear ntp server {ip-addr | all}
ip-addr
IP address of the server to remove, in dotted decimal notation.
all
Removes all NTP servers from the configuration.
Defaults None.
Access Enabled.
Examples The following command removes NTP server 192.168.40.240 from an MX
configuration:
WLC# clear ntp server 192.168.40.240
106

See Also
set ntp on page 125
clear ntp update-interval

Resets the NTP update interval to the default value.
Syntax clear ntp update-interval
Defaults The default NTP update interval is 64 seconds.
Access Enabled.
Examples To reset the NTP interval to the default value, type the following command:
WLC# clear ntp update-interval
See Also
set ntp on page 125
clear snmp community

Clears an SNMP community string.
Syntax clear snmp community name community-name
community-name
Name of the SNMP community you want to clear.
Defaults None.
Access Enabled.
Examples The following command clears community string setswitch2:
WLC# clear snmp community name setswitch2
See Also
107
clear snmp notify profile

Clears an SNMP notification profile.
Syntax clear snmp notify profile profile-name
profile-name
Name of the notification profile you are clearing.
Defaults None.
Access Enabled.
Examples The following command clears notification profile snmpprof_rfdetect:
WLC# clear snmp notify profile snmpprof_rfdetect
See Also
clear snmp notify target

Clears an SNMP notification target.
Syntax clear snmp notify target notify-target-id
ID of the target.
notify-target-id
Defaults None.
Access Enabled.

MSS Version 4.0
Command introduced.
MSS Version 7.0
target-num changed to notify-target-id
Examples The following command clears notification target 3:

WLC# clear snmp notify target 3
See Also
108
clear snmp trap receiver

This command is deprecated in MSS Version 4.0. To clear an SNMP notification target (also called
trap receiver), see clear snmp notify target on page 108.
clear snmp usm

Clears an SNMPv3 user.
Syntax clear snmp usm usm-user-name
usm-user-name
Name of the SNMPv3 user to clear.
Defaults None.
Access Enabled.
Examples The following command clears SNMPv3 user snmpmgr1:
WLC# clear snmp usm snmpmgr1
See Also
clear summertime
Clears the summertime setting from an WLC.
Syntax clear summertime
Defaults None.
Access Enabled.
Examples To clear the summertime setting from an WLC, type the following command:
WLC# clear summertime
See Also
109
clear system ip-address

Clears the system IP address.
Warning: Clearing the system IP address disrupts the system tasks that use the address.
Syntax clear system ip-address

Defaults None.
Access Enabled.
Usage Clearing the system IP address can interfere with system tasks using the system IP address,
including the following:
Mobility Domain operations
Default source IP address used in unsolicited communications such as AAA accounting reports and
SNMP traps
Examples To clear the system IP address, type the following command:
WLC# clear system ip-address
See Also
clear timezone
Clears the time offset for the WLC real-time clock from Coordinated Universal Time (UTC). UTC is also
know as Greenwich Mean Time (GMT).
Syntax clear timezone
Defaults None.
Access Enabled.
Examples To return the WLC real-time clock to UTC, type the following command:
WLC# clear timezone
See Also
Syntax clear summertime on page 109
110

ping
Tests IP connectivity between an MX and another device. MSS sends an Internet Control
Message Protocol (ICMP) echo packet to the specified device and listens for a reply packet.
Syntax ping host [count num-packets] [dnf] [flood] [interval time]
[size size][tos tos]
[user count num-packets] [dnf] [flood] [interval time] [size size][tos tos]]
host
IP address, MAC address, hostname, alias, or user to ping.
count num-packets
Number of ping packets to send. You can specify from 0 through

2,147,483,647. If you enter 0, MSS pings continuously until you
interrupt the command.
dnf
Enables the Do Not Fragment bit in the ping packet to prevent

fragmenting the packet.
flood
Sends new ping packets as quickly as replies are received, or 100

times per second, whichever is greater.
Use the flood option sparingly. This option creates a lot of traffic and
can affect other traffic on the network.
interval time
Time interval between ping packets, in milliseconds. You can specify

from 100 through 10,000.
size size
Packet size, in bytes. You can specify from 56 through 65,507.

Because the WLC adds header information, the ICMP packet size is
8 bytes larger than the specified size.
tos tos
Set the tos byte in the IP header. You can specify an integer from 0 to
255.
user
Interpret 'host' argument as a user name.
Defaults
count5.
dnfDisabled.
interval100 (one tenth of a second)
size56.
Access Enabled.
History
Version 1.0
Command introduced.
111
Version 3.0
user option deprecated.
Version 7.0
tos and user options added.
Usage To stop a ping command in progress, press Ctrl+C.

An MX cannot ping its IP address. MSS does not support this.
Examples The following command pings a device that has IP address 10.1.1.1:
WLC# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) from 10.9.4.34 : 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=0.769 ms
--- 10.1.1.1 ping statistics --5 packets transmitted, 5 packets received, 0 errors, 0% packet loss
See Also traceroute on page 161
set arp
Adds an ARP entry to the ARP table.
Syntax set arp {permanent | static | dynamic} ip-addr mac-addr
permanent
Adds a permanent entry. A permanent entry does not age out and remains in the
database even after a reboot, reset, or power cycle.
static
Adds a static entry. A static entry does not age out, but the entry does not remain in
the database after a reboot, reset, or power cycle.
dynamic
Adds a dynamic entry. A dynamic entry is automatically removed if the entry ages
out, or after a reboot, reset, or power cycle.
ip-addr
IP address of the entry, in dotted decimal notation.
mac-addr
MAC address to map to the IP address. Use colons to separate the octets (for
example, 00:11:22:aa:bb:cc).
Defaults None.
Access Enabled.
Examples The following command adds a static ARP entry that maps IP address 10.10.10.1 to MAC
address 00:bb:cc:dd:ee:ff:
WLC# set arp static 10.10.10.1 00:bb:cc:dd:ee:ff
success: added arp 10.10.10.1 at 00:bb:cc:dd:ee:ff on VLAN 1
See Also
112
set arp agingtime

Changes the aging timeout for dynamic ARP entries.
Syntax set arp agingtime seconds
seconds
Number of seconds an entry can remain unused before MSS removes the entry. You
can specify from 0 through 1,000,000. To disable aging, specify 0.
Defaults The default aging timeout is 1200 seconds.

Access Enabled.
Usage Aging applies only to dynamic entries.
To reset the ARP aging timeout to its default value, use the set arp agingtime 1200 command.
Examples The following command changes the ARP aging timeout to 1800 seconds:
WLC# set arp agingtime 1800
success: set arp aging time to 1800 seconds
The following command disables ARP aging:
WLC# set arp agingtime 0
success: set arp aging time to 0 seconds
See Also
set arp on page 112
set interface
Configures an IP interface on a VLAN.
Syntax set interface vlan-id ip {ip-addr mask | ip-addr/mask-length}
vlan-id
ip-addr mask
IP address and subnet mask in dotted decimal notation (for

example, 10.10.10.10 255.255.255.0).
ip-addr/mask-length

10.10.10.10/24).
Defaults None.
Access Enabled.
Usage You can assign one IP interface to each VLAN.
113
If an interface is already configured on the specified VLAN, this command replaces the interface. If
you replace an interface in use as the system IP address, replacing the interface can interfere with
system tasks that use the system IP address, including the following:
and SNMP traps
Examples The following command configures IP interface 10.10.10.10/24 on VLAN default:
WLC# set interface default ip 10.10.10.10/24
success: set ip address 10.10.10.10 netmask 255.255.255.0 on vlan
default
The following command configures IP interface 10.10.20.10 255.255.255.0 on VLAN mauve:
WLC# set interface mauve ip 10.10.20.10 255.255.255.0
success: set ip address 10.10.20.10 netmask 255.255.255.0 on vlan mauve
See Also
set interface dhcp-client

Configures the DHCP client on a VLAN and allows the VLAN to obtain an IP interface from a
DHCP server.
Syntax set interface vlan-id ip dhcp-client {enable | disable}
vlan-id
enable
Enables the DHCP client on the VLAN.
disable
Disables the DHCP client on the VLAN.
Defaults The DHCP client is enabled by default on an unconfigured WLCR-2 when the factory
reset switch is pressed and held during power on.
The DHCP client is disabled by default on all other WLC models, and is disabled on an WLCR-2 if
it is already configured, or the factory reset switch is not pressed and held during power on.
Access Enabled.
Usage You can enable the DHCP client on one VLAN only. You can configure the DHCP client on
more than one VLAN, but the client can be active on only one VLAN.
MSS also has a configurable DHCP server. (See set interface dhcp-server on page 115.) You
can configure a DHCP client and DHCP server on the same VLAN, but only the client or the server
can be enabled. The DHCP client and DHCP server cannot both be enabled on the same VLAN at
the same time.
114
Examples The following command enables the DHCP client on VLAN corpvlan:
WLC# set interface corpvlan ip dhcp-client enable
See Also
show dhcp-client on page 146
set interface dhcp-server

Configures the MSS DHCP server.
Informational Note: Use of the MSS DHCP server to allocate client addresses is intended for
temporary, demonstration deployments and not for production networks. It is recommended that you do not
use the MSS DHCP server to allocate client addresses in a production network.
Syntax set interface vlan-id ip dhcp-server [enable | disable] [start ip-addr1

stop ip-addr2] [dns-domain domain-name] [primary-dns ip-addr [secondary-dns
ip-addr]]
[default-router ip-addr]
vlan-id
enable
Enables the DHCP server.
disable
Disables the DHCP server.
start ip-addr1
Specifies the beginning address of the address range.
stop ip-addr2
Specifies the ending address of the address range.
dns-domain domain-name Name of the DHCP clients default DNS domain.

primary-dns ip-addr
IP addresses of the DNS servers for the DHCP client.
[secondary-dns ip-addr]
default-router ip-addr IP address of the DHCP client default router.
Defaults The DHCP server is enabled by default on a new (unconfigured) WLCR-2, WLC-8,
WLC-200, or WLC-216, in order to provide an IP address to the host connected to the WLC for
access to the Web Quick Start. On all WLC models, the DHCP server is enabled and cannot be
disabled for directly connected MPs.
The DHCP server is disabled by default for any other use.
Access Enabled.
History
Version 4.0
Command introduced
115
Version 5.0
New options added:

dns-domain
primary-dns and secondary-dns
default-router
Usage By default, all addresses except the host address of the VLAN, the network broadcast
address, and the subnet broadcast address are included in the range. If you specify the range, the
start address must be lower than the stop address, and all addresses must be in the same subnet.
The IP interface of the VLAN must be within the same subnet but is not required to be within the
range.
Specification of the DNS domain name, DNS servers, and default router are optional. If you omit
one or more of these options, the MSS DHCP server uses oath values configured elsewhere on
the switch:
DNS domain nameIf this option is not set with the set interface dhcp-server command
dns-domain option, the MSS DHCP server uses the value set by the set ip dns domain
command.
DNS serversIf these options are not set with the set interface dhcp-server command
primary-dns and secondary-dns options, the MSS DHCP server uses the values set by the
set ip dns server command.
Default routerIf this option is not set with the set interface dhcp-server command
default-router option, the MSS DHCP server can use the value set by the set ip route
command. A default route configured by set ip route can be used if the route is in the DHCP
client subnet. Otherwise, the MSS DHCP server does not specify a router address.
Examples The following command enables the DHCP server on VLAN red-vlan to serve
addresses from the 192.168.1.5 to 192.168.1.25 range:
WLC# set interface red-vlan ip dhcp-server enable start 192.168.1.5 stop
192.168.1.25
See Also
show dhcp-server on page 147
set interface security

Configures the IPSec client for the interface.
Syntax set interface int_id ip security destination dst_addr spi spi
encrypt-algo [3des-cbc 3des_cbc_key | aes-cbc aes_cbc_key]
auth-algo [hmac hmac_key | sha1 sha1_key]
Defaults None
Access Enabled
116
Usage IPSec is a general purpose internet security protocol, and can be used for protecting layer
4 protocols, including both TCP and UDP. IPSec has an advantage over SSL and other methods
because the application does not need to be designed to use IPSec like other higher-layer protocol
that must beincorporated into the design of an application.
Examples To set the IPSec parameters, use the following command:
WLC# set interface 1 ip security destination 192.168.1.100 spi 200
encrypt-algo aes-cbc thisistheencrkey auth-algo hmac -sha1
theauthenticationkey
To enable the IPSec parameters, use the following command:
WLC# set interface <int id> ip security destination <dst_addr>
<enable|disable>
set interface status

Administratively disables or reenables an IP interface.
Syntax set interface vlan-id status {up | down}
vlan-id
up
Enables the interface.
down
Disables the interface.
Defaults IP interfaces are enabled by default.

Access Enabled.
Examples The following command disables the IP interface on VLAN mauve:
WLC# set interface mauve status down
success: set interface mauve to down
See Also
set ip alias
Configures an alias, which maps a name to an IP address. You can use aliases as shortcuts in CLI
commands.
Syntax set ip alias name ip-addr
name
String of up to 32 alphanumeric characters, with no spaces.
ip-addr
IP address in dotted decimal notation.
Defaults None.
117
Access Enabled.
Examples The following command configures the alias HR1 for IP address 192.168.1.2:
WLC# set ip alias HR1 192.168.1.2
See Also
set ip dns
Enables or disables DNS on an MX.
Syntax set ip dns {enable | disable}
enable
Enables DNS.
disable
Disables DNS.
Defaults DNS is disabled by default.

Access Enabled.
Examples The following command enables DNS on an MX:
WLC# set ip dns enable
Start DNS Client
See Also
set ip dns domain

Configures a default domain name for DNS queries. The WLC appends the default domain name
to domain names or hostnames you enter in commands.
Syntax set ip dns domain name
name
Domain name of between 1 and 64 alphanumeric characters with no spaces (for

example, example.org).
Defaults None.
Access Enabled.
118
Usage To override the default domain name when entering a hostname in a CLI command, enter
a period at the end of the hostname. For example, if the default domain name is example.com,
enter chris. if the fully qualified hostname is chris and not chris.example.com.
Aliases take precedence over DNS. When you enter a hostname, MSS checks for an alias with
that name first, before using DNS to resolve the name.
Examples The following command configures the default domain name example.com:
WLC# set ip dns domain example.com
Domain name changed
See Also
set ip dns server

Specifies a DNS server to use for resolving hostnames you enter in CLI commands.
Syntax set ip dns server ip-addr {primary | secondary}
ip-addr
IP address of a DNS server, in dotted decimal or CIDR notation.
primary
Defines the server as the primary server that MSS always consults first for
resolving DNS queries.
secondary
Defines the server as a secondary server. MSS consults a secondary server

only if the primary server does not reply.
Defaults None.
Access Enabled.
Usage You can configure an MX to use one primary DNS server and up to five secondary DNS
servers.
Examples The following commands configure an MX to use a primary DNS server and two
secondary DNS servers:
WLC# set ip dns server 10.10.10.50/24 primary
WLC# set ip dns server 10.10.20.69/24 secondary
WLC# set ip dns server 10.10.30.69/24 secondary
See Also
119

set ip https authentication

Authenticates incoming HTTPS requests using AAA for authentication.
Syntax set ip https authentication {legacy | aaa}
legacy
Uses the enable password on the WLC.
aaa
Requires a configured user with service-type 6 (administrative) privileges.
Defaults None
Access Enabled
History Introduced in MSS 7.1
set ip https server

Enables the HTTPS server on an MX. The HTTPS server is required for Web View access to the
switch.
Warning: If you disable the HTTPS server, Web View access to the WLC is disabled.
Syntax set ip https server {enable | disable}

enable
Enables the HTTPS server.
disable
Disables the HTTPS server.
Defaults The HTTPS server is disabled by default.

Access Enabled.
History
Version 1.0
Command introduced
Version 3.2
Default changed to disabled

HTTPS server no longer required for WebAAA
Examples The following command enables the HTTPS server on an MX:

WLC# set ip https server enable
See Also
120

set ip route
Adds a static route to the IP route table.
Syntax set ip route {default | ip-addr mask | ip-addr/mask-length} default-router metric
Default route. An MX uses the default route if an explicit route is not available
for the destination.
default
default is an alias for IP address 0.0.0.0/0.

ip-addr mask
IP address and subnet mask for the route destination, in dotted decimal
notation (for example, 10.10.10.10 255.255.255.0).
ip-addr/mask-length

10.10.10.10/24).
default-router
IP address, DNS hostname, or alias of the next-hop router.
metric
Cost for using the route. You can specify a value from 0 through
2,147,483,647. Lower-cost routes are preferred over higher-cost routes.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 1.1
Support added for CIDR notation

Support added for up to 4 default routes and four static routes to an explicit
destination
Usage MSS can use a static route only if a direct route in the route table resolves the static route. MSS
adds routes with next-hop types Local and Direct when you add an IP interface to a VLAN, if the VLAN is
available. If one of the added routes can resolve the static route, MSS can use the static route.
Before you add a static route, use the show interface command to verify that the WLC has an IP interface
in the same subnet as the next-hop router. If not, the VLAN:Interface field of the show ip route command
output shows that the route is down.
You can configure a maximum of 4 routes per destination. This includes default routes, which have
destination 0.0.0.0/0. Each route to a given destination must have a unique router address. When the route
table contains multiple default or explicit routes to the same destination, MSS uses the route with the
lowest cost. If two or more routes to the same destination have the lowest cost, MSS selects the first route
in the route table.
121
When you add multiple routes to the same destination, MSS groups the routes and lists them from
lowest cost at the top of the group to highest cost at the bottom of the group. If you add a new
route with the same destination and cost as a route already in the table, MSS places the new route
at the top of the group of routes with the same cost.
Examples The following command adds a default route that uses default router 10.5.4.1 and gives
the route a cost of 1:
WLC# set ip route default 10.5.4.1 1
The following commands add two default routes, and configure MSS to always use the route
through 10.2.4.69 when the MX interface to that default router is up:
The following command adds an explicit route from an MX to any host on the 192.168.4.x subnet
through the local router 10.5.4.2, and gives the route a cost of 1:
WLC# set ip route 192.168.4.0 255.255.255.0 10.5.4.2 1
The following command adds another explicit route, using CIDR notation to specify the subnet
mask:
WLC# set ip route 192.168.5.0/24 10.5.5.2 1
set ip snmp server

Enables or disables the SNMP service on the MX.
Syntax set ip snmp server {enable | disable}
enable
Enables the SNMP service.
disable
Disables the SNMP service.
Defaults The SNMP service is disabled by default.

Access Enabled.
Examples The following command enables the SNMP server on an MX:
WLC# set ip snmp server enable
122
See Also
clear snmp trap receiver on page 109
set port trap on page 61
set snmp trap on page 138
set snmp trap receiver on page 138
show snmp configuration on page 156
set ip ssh
Changes the TCP port number on which an MX listens for Secure Shell (SSH) management traffic.
Warning: If you change the SSH port number from an SSH session, MSS immediately ends the session. To
open a new management session, you must configure the SSH client to use the new TCP port number.
Syntax set ip ssh port port-num

TCP port number.
port-num
Defaults The default SSH port number is 22.

Access Enabled.
Examples The following command changes the SSH port number on an MX to 6000:
WLC# set ip ssh port 6000
See Also
set ip ssh server

Disables or reenables the SSH server on an MX.
Warning: If you disable the SSH server, SSH access to the MX is also disabled.
Syntax set ip ssh server {enable | disable}

enable
Enables the SSH server.
disable
Disables the SSH server.
123
Defaults The SSH server is enabled by default.

Access Enabled.
History
Version 2.0
Command introduced
Version 2.1
Default changed from disabled to enabled.
Usage SSH requires an SSH authentication key. You can generate one or allow MSS to generate
one. The first time an SSH client attempts to access the SSH server on an WLC, the WLC
automatically generates a 1024-byte SSH key. If you want to use a 2048-byte key instead, use the
crypto generate key ssh 2048 command to generate one.
The maximum number of SSH sessions supported on an MX is eight. If Telnet is also enabled, the
WLC can have up to eight Telnet or SSH sessions, in any combination, and one Console session.
See Also
set ip ssh on page 123
set ip telnet
Changes the TCP port number that an MX listens for Telnet management traffic.
Warning: If you change the Telnet port number from a Telnet session, MSS immediately ends the session. To
open a new management session, you must Telnet to the switch with the new Telnet port number.
Warning:
Syntax set ip telnet port-num

port-num
TCP port number.
Defaults The default Telnet port number is 23.

Access Enabled.
Examples The following command changes the Telnet port number on an MX to 5000:
WLC# set ip telnet 5000
See Also
124
set ip telnet server

Enables the Telnet server on an MX.
Warning: If you disable the Telnet server, Telnet access to the MX is also disabled.
Syntax set ip telnet server {enable | disable}

enable
Enables the Telnet server.
disable
Disables the Telnet server.
Defaults The Telnet server is disabled by default.

Access Enabled.
History
Version 1.0
Command introduced
Version 2.1
Default changed from enabled to disabled.
Usage The maximum number of Telnet sessions supported on an MX is eight. If SSH is also enabled, the
WLC can have up to eight Telnet or SSH sessions, in any combination, and one console session.
Examples The following command enables the Telnet server on an MX:
WLC# set ip telnet server enable
See Also
set ntp
Enables or disables the NTP client on an MX.
Syntax set ntp {enable | disable}
enable
Enables the NTP client.
disable
Disables the NTP client.
Defaults The NTP client is disabled by default.

Access Enabled.
125
Usage If NTP is configured on a system whose current time differs from the NTP server time by more than
10 minutes, convergence of the WLC time can take many NTP update intervals. It is recommended that
you set the time manually to the NTP server time before enabling NTP to avoid a significant delay in
convergence.
Examples The following command enables the NTP client:
WLC# set ntp enable
success: NTP Client enabled
See Also
set ntp server

Configures an MX to use an NTP server.
Syntax set ntp server ip-addr
IP address of the NTP server, in dotted decimal notation.
ip-addr
Defaults None.
Access Enabled.

Usage You can configure up to three NTP servers. MSS queries all the servers and selects the best
response based on the method described in RFC 1305, Network Time Protocol (Version 3) Specification,
Implementation and Analysis.
To use NTP, you also must enable the NTP client with the set ntp command.
Examples The following command configures an MX to use NTP server 192.168.1.5:
WLC# set ntp server 192.168.1.5
See Also
set ntp on page 125
set ntp update-interval

Changes how often an WLC sends queries to the NTP servers for updates.
Syntax set ntp update-interval seconds
seconds
126
Number of seconds between queries. You can specify from 16 through 1024 seconds.
Defaults The default NTP update interval is 64 seconds.

Access Enabled.
Examples The following command changes the NTP update interval to 128 seconds:
WLC# set ntp update-interval 128
See Also
set ntp on page 125
set snmp community

Configures a community string for SNMPv1 or SNMPv2c.
Informational Note: For SNMPv3, use the set snmp usm command to configure an SNMPv3 user.
SNMPv3 does not use community strings.
Syntax set snmp community name comm-string

access {read-only | read-notify | notify-only | read-write |
notify-read-write}
comm-string
Name of the SNMP community. Specify between 1 and 32

alphanumeric characters, with no spaces.
read-only
Allows an SNMP management application using the string to get (read)

object values on the switch but not to set (write) them.
read-notify
Allows an SNMP management application using the string to get object

values on the WLC but not to set them. The switch can use the string to
send notifications.
notify-only
Allows the WLC to use the string to send notifications.
read-write
Allows an SNMP management application using the string to get and

set object values on the switch.
notify-read-write Allows an SNMP management application using the string to get and
set object values on the switch. The WLC also can use the string to
send notifications.
Defaults None.
Access Enabled.
127
History
Version 1.0
Command introduced.
Version 3.1
Default community strings changed from public (for read-only) and private
(for read-write) to blank.
Version 4.0
Default strings removed. There are no default strings in MSS Version 4.0.
New access types added for SNMPv3:
read-notify
notify-only
notify-read-write
Usage SNMP community strings are passed as clear text in SNMPv1 and SNMPv2c. Juniper
Networks recommends that you use strings that cannot easily be guessed by unauthorized users.
For example, do not use the well-known strings public and private.
If you are using SNMPv3, you can configure SNMPv3 users to use authentication and to encrypt
SNMP data.
Examples The following command configures the read-write community good_community:
WLC# set snmp community read-write good_community
The following command configures community string switchmgr1 with access level
notify-read-write:
WLC# set snmp community name switchmgr1 notify-read-write
See Also
set snmp community group

Sets the security group for the SNMP community. You can select from administrator or monitor.
Syntax set snmp community name name group [group-name | admin | monitor]
Defaults None
Access Enabled
History Added in Version 7.0
128
Usage SNMPv3 is based on SNMPv1 and SNMPv2 but with the added capability of security and
administration. The Mobility System Software has a limited implementation of SNMPv3 that has two
predefined groups: Administration and Monitoring. These roles are defined as follows:
Monitoring read access for everything but SNMP security configurations and prevents write access.
Administration read access for everything and write access for the MIBs sysName, sysContact,
sysLocation.
set snmp group

A group defines access rights afforded to users assigned to it.
Syntax set snmp group name description description security-model [1 | 2 | usm]
security-level [noAuthNoPriv | authNoPriv | authPriv]
Defaults None
Access Enabled
History Added in Version 7.0
Usage Used to comply with the US Army TIC requirements.
Examples To set the group eng_dev to security model usm with authorization privileges, use the following
command:
WLC# set snmp group eng_dev security-model usm security-level authPriv
set snmp notify profile

Configures an SNMP notification profile. A notification profile is a named list of all the notification types that
can be generated by a WLC, and for each notification type, the action to take (drop or send) when an event
occurs.
You can configure up to ten notification profiles.
Syntax set snmp notify profile {default | profile-name} {drop | send} {notification-type
| all}
default |
profile-name
Name of the notification profile you are creating or modifying. The

profile-name can be up to 32 alphanumeric characters long, with no
spaces.
To modify the default notification profile, specify default.
drop | send
Specifies the action that the SNMP engine takes with regard to the
notifications you specify with notification-type or all.
129
notification-type
Name of the notification type:

ApManagerChangeTrapsGenerated when a change occurs on
an WLC managing MPs.
ApNonOperStatusTrapsGenerated to indicate an MP radio is
nonoperational.
ApOperRadioStatusTrapsGenerated when the status of an MP
radio changes.
ApRejectLicenseExceededTrapsGenerated when the number of
MPs exceeds the licenses.
AuthenTrapsGenerated when the MX switchs SNMP engine
receives a bad community string.
AutoTuneRadioChannelChangeTrapsGenerated when the
RF Auto-Tuning feature changes the channel on a radio.
AutoTuneRadioPowerChangeTrapsGenerated when the
RF Auto-Tuning feature changes the power setting on a radio.
ClientAssociationFailureTrapsGenerated when a clients
attempt to associate with a radio fails.
ClientAssociationSuccessTrapsGenerated when a client
associates successfully.
ClientAuthenticationSuccessTrapsGenerated when a client
successfully authenticates on the network.
ClientDeAuthenticationTrapsGenerated when a client
deauthenticates from a radio.
ClientAuthenticationFailureTrapsGenerated when
authentication fails for a client.
ClientAuthorizationSuccessTrapsGenerated when a client is
successfully authorized.
ClientAuthorizationFailureTrapsGenerated when authorization
fails for a client.
ClientClearedTrapsGenerated when a clients session is cleared.
ClientDeAssociationTrapsGenerated when a client is dissociated
from a radio.
ClientDisconnectTrapsGenerated when a client disconnects from
the radio.
ClientDot1xFailureTrapsGenerated when a client experiences an
802.1X failure.
ClientDynAuthorChangeFailureTrapsGenerated when a RADIUS
client fails to dynamically change authorization on a RADIUS server.
130
notification-type
(cont.)
ClientDynAuthorChangeSuccessTrapsGenerated when a
RADIUS client successfully dynamically changes authorization on a
RADIUS server.
ClientIPAddrChangeTrapsGenerated when the IP address for a
client changes.ClientRoamingTrapsGenerated when a client
roams.
ClusterFailureTrapsGenerated when the cluster configuration fails
on the network.
ConfigurationsSavedTrapsGenerated when a configuration is
saved on an WLC.
CounterMeasureStartTrapsGenerated when MSS begins
countermeasures against a rogue access point.
CounterMeasureStopTrapsGenerated when MSS stops
countermeasures against a rogue access point.
DeviceFailTrapsGenerated when an event with an Alert severity
occurs.
DeviceOkayTrapsGenerated when a device returns to its normal
state.
LinkDownTrapsGenerated when the link is lost on a port.
LinkUpTrapsGenerated when the link is detected on a port.
MichaelMICFailureTrapsGenerated when two Michael message
integrity code (MIC) failures occur within 60 seconds, triggering Wi-Fi
Protected Access (WPA) countermeasures.
MobilityDomainFailBackTrapsGenerated when a primary seed
returns to primary status after a failover to a secondary seed.
MobilityDomainFailOverTrapsGenerated when a secondary
mobility domain seed becomes the primary seed when a failover
occurs on the network.
MobilityDomainJoinTrapsGenerated when the WLC switch is
initially able to contact a mobility domain seed member, or can
contact the seed member after a timeout.
MobilityDomainResiliencyStatusTrapsGenerated status
information about the cluster configuration on the network.
MobilityDomainTimeoutTrapsGenerated when a timeout occurs
after an WLC switch has unsuccessfully tried to communicate with a
seed member.
131
notification-type
(cont.)
PoEFailTrapsGenerated when a serious PoE problem, such as a

short circuit, occurs.
RFDetectAdhocUserTrapsGenerated when MSS detects an
ad-hoc user.
RFDetectAdhocUserDisappearTrapsGenerated when an ad hoc
user is no longer detected on the network.
RFDetectBlacklistedTrapsGenerated when blacklisted APs are
detected on the network.
RFDetectClientViaRogueWiredAPTrapsGenerated when MSS
detects, on the wired part of the network, the MAC address of a
wireless client associated with a third-party AP.
RFDetectDoSPortTrapsGenerated when MSS detects an
associate request flood, reassociate request flood, or disassociate
request flood.
RFDetectClassificationChangeTrapsGenerated when the
classification of a device changes.
RFDetectDoSTrapsGenerated when MSS detects a DoS attack
other than an associate request flood, reassociate request flood, or
disassociate request flood.
RFDetectRogueDeviceTrapsGenerated when MSS detects a
rogue device .
RFDetectRogueDeviceDisappearTrapsGenerated when a rogue
device is no longer being detected.
RFDetectSuspectDeviceDisappearTrapsGenerated when a
suspect device disappears from the network.
RFDetectSuspectDeviceTrapsGenerated when a wireless device
not on the list of permitted vendors is detected.
all
Sends or drops all notifications.
Defaults A default notification profile (named default) is already configured on the WLC. All notifications in
the default profile are dropped by default.
Access Enabled.
MSS Version 4.0
Introduced command.
MSS Version 7.0
Updated traps to reflect RF changes.
Examples The following command changes the action in the default notification profile from drop to send
for all notification types:
WLC# set snmp notify profile default send all
132
The following commands create notification profile snmpprof_rfdetect, and change the action to
send for all RF detection notification types:
WLC# set snmp notify profile snmpprof_rfdetect send
RFDetectAdhocUserTraps
WLC# set snmp notify profile snmp_rfdetect send
RFDetectAdhocUserDisappearTraps
RFDetectClientViaRogueWiredAPTraps
WLC# set snmp notify profile snmpprof_rfdetect send RFDetectDoSTraps
RFDetectAdhocUserTraps
WLC# set snmp notify profile snmpprof_rfdetect send RFDetectRogueAPTraps
RFDetectRogueDeviceDisappearTraps
See Also
set snmp notify target

Configures a notification target for notifications from SNMP.
A notification target is a remote device that the WLC sends SNMP notifications. You can configure
the MSS SNMP engine to send confirmed notifications (informs) or unconfirmed notifications
(traps). Some of the command options differ depending on the SNMP version and the type of
notification you specify. You can configure up to 10 notification targets.
SNMPv3 with Informs
To configure a notification target for informs from SNMPv3, use the following command:
133
Syntax set snmp notify target target-num ip-addr[:udp-port-number]

usm inform user username
snmp-engine-id {ip | hex hex-string}
[profile profile-name]
[security {unsecured | authenticated | encrypted}]
[retries num][timeout num]
target-num
ID for the target. This ID is local to the WLC and does not need to
correspond to a value on the target. You can specify a number from
1 to 10.
ip-addr[:udp-port-number]
IP address of the server. You also can specify the UDP port number
to send notifications to.
username
USM username. This option is applicable only when the SNMP

version is usm.
If the user sends informs rather than traps, you also must specify the
snmp-engine-id of the target.
snmp-engine-id
{ip | hex hex-string}
SNMP engine ID of the target. Specify ip if the target SNMP engine

ID is based on the IP address. If the target SNMP engine ID is a
hexadecimal value, use hex hex-string to specify the value.
profile profile-name
Notification profile that the SNMP user use to specify the notification
types to send or drop.
security {unsecured |
authenticated | encrypted}
Specifies the security level, and is applicable only when the SNMP
version is usm:
unsecuredMessage exchanges are not authenticated, nor are
they encrypted. This is the default.
authenticatedMessage exchanges are authenticated, but are
not encrypted.
encryptedMessage exchanges are authenticated and
encrypted.
retries num
Specifies the number of times the MSS SNMP engine resends a

notification that has not been acknowledged by the target. You can
specify from 0 to 3 retries.
timeout num
Specifies the number of seconds MSS waits for acknowledgement of

a notification. You can specify from 1 to 5 seconds.
SNMPv3 with Traps

To configure a notification target for traps from SNMPv3, use the following command:
134

usm trap user username
[security {unsecured | authenticated | encrypted}]
target-num
correspond to a value on the target. You can specify a number from 1
to 10.
username
USM username. This option is applicable only when the SNMP

version is usm.
Notification profile this SNMP user uses to specify the notification

security {unsecured |
authenticated | encrypted}
Specifies the security level, and is applicable only when the SNMP
version is usm:
unsecuredMessage exchanges are not authenticated, nor are
they encrypted. This is the default.
authenticatedMessage exchanges are authenticated, but are not
encrypted.
encryptedMessage exchanges are authenticated and encrypted.
SNMPv2c with Informs

To configure a notification target for informs from SNMPv2c, use the following command:
v2c community-string inform [profile profile-name] [retries num][timeout num]
target-num
to 10.
community-string
Community string.
Notification profile this SNMP user will use to specify the notification
retries num
Specifies the number of times the MSS SNMP engine resends a

notification that has not been acknowledged by the target. You can
specify from 0 to 3 retries.
timeout num
Specifies the number of seconds MSS waits for acknowledgement of

a notification. You can specify from 1 to 5 seconds.
SNMPv2c with Traps

To configure a notification target for traps from SNMPv2c, use the following command:
135

v2c community-string trap
target-num
correspond to a value on the target itself. You can specify a number
from 1 to 10.
community-string
Community string.
SNMPv1 with Traps

To configure a notification target for traps from SNMPv1, use the following command:
v1 community-string
target-num
to 10.
community-string
Community string.
Defaults The default UDP port number on the target is 162. The default minimum required security level is
unsecured. The default number of retries is 0 and the default timeout is 2 seconds.
Access Enabled.
Usage The inform or trap option specifies whether the MSS SNMP engine expects the target to
acknowledge notifications sent to the target by the WLC . Use inform if you want acknowledgements. Use
trap if you do not want acknowledgements. The inform option is applicable to SNMP version v2c or usm
only.
Examples The following command configures a notification target for acknowledged notifications:
WLC# set snmp notify target 1 10.10.40.9 usm inform user securesnmpmgr1
snmp-engine-id ip
This command configures target 1 at IP address 10.10.40.9. The target SNMP engine ID is based on its
address. The MSS SNMP engine sends notifications based on the default profile, and requires the target
to acknowledge receiving them.
The following command configures a notification target for unacknowledged notifications:
136
WLC# set snmp notify target 2 10.10.40.10 v1 trap

See Also
set snmp protocol

Enables an SNMP protocol. MSS supports SNMPv1, SNMPv2c, and SNMPv3.
Syntax set snmp protocol {v1 | v2c | usm | all} {enable | disable}
v1
SNMPv1
v2c
SNMPv2c
usm
SNMPv3 (with the user security model)
all
Enables all supported versions of SNMP.
enable
Enables the specified SNMP version(s).
disable
Disables the specified SNMP version(s).
Defaults All SNMP versions are disabled by default.

Access Enabled.
Usage SNMP requires the WLC system IP address to be set. SNMP does not work without the system IP
address.
You also must enable the SNMP service using the set ip snmp server command.
Examples The following command enables all SNMP versions:
WLC# set snmp protocol all enable
See Also
show snmp status on page 157
137
set snmp security

This command is deprecated in MSS Version 7.0.
set snmp trap

This command is deprecated in MSS Version 4.0. To enable or disable SNMP notifications, configure a
notification profile. See set snmp notify profile on page 129.
set snmp traplog

Records traps sent by the SNMP agent as an index of oldest and newest trap occurrence.
Syntax set snmp traplog mode {enable | disable}
Defaults None
Access Enabled
set snmp traplog filter

Controls the content of the SNMP traplog.
Syntax set snmp traplog filter {log | ignore} {all | notify_name}
Defaults None
Access Enabled
set snmp trap receiver

This command is deprecated in MSS Version 4.0. To configure an SNMP notification target (also called
trap receiver), see set snmp notify target on page 133.
set snmp usm

Creates a USM user for SNMPv3.
Informational Note: This command does not apply to SNMPv1 or SNMPv2c. For these SNMP versions, use the set
snmp community command to configure community strings.
Syntax set snmp usm usm-user-name snmp-engine-id {ip ip-addr | local | hex hex-string}
access {read-only | read-notify | notify-only | read-write |
notify-read-write} auth-type {none | md5 | sha} {auth-pass-phrase string |
auth-key hex-string} encrypt-type {none | des | 3des | aes} {encrypt-pass-phrase
string | encrypt-key hex-string}
138
usm-user-name
Name of the SNMPv3 user. Specify between 1 and 32

alphanumeric characters, with no spaces.
snmp-engine-id {ip ip-addr | local |

hex hex-string}
Specifies a unique identifier for the SNMP engine.

To send informs, you must specify the engine ID of
the inform receiver. To send traps and to allow get
and set operations and so on, specify local as the
engine ID.
hex hex-stringID is a hexadecimal string.
ip ip-addrID is based on the IP address of the
station running the management application. Enter
the IP address of the station. MSS calculates the
engine ID based on the address.
localUses the value computed from the switchs
system IP address.
access {read-only | read-notify |

notify-only | read-write |
notify-read-write}
Specifies the access level of the user:

read-onlyAn SNMP management application
using the string can get (read) object values on
the switch but cannot set (write) them.
read-notifyAn SNMP management application
using the string can get object values on the
switch but cannot set them. The switch can use
the string to send notifications.
notify-onlyThe switch can use the string to
send notifications.
read-writeAn SNMP management application
using the string can get and set object values on
the switch.
notify-read-writeAn SNMP management
application using the string can get and set
object values on the switch. The switch can use
the string to send notifications.
139
auth-type {none | md5 | sha}

Specifies the authentication type used to authenticate
{auth-pass-phrase string | auth-key communications with the remote SNMP engine. You
hex-string}
can specify one of the following:
noneNo authentication is used.
md5Message-digest algorithm 5 is used.
shaSecure Hashing Algorithm (SHA) is used.
If the authentication type is md5 or sha, you can
specify a passphrase or a hexadecimal key.
To specify a passphrase, use the
auth-pass-phrase string option. The string can
be from 8 to 32 alphanumeric characters long,
with no spaces.
To specify a key, use the auth-key hex-string
option.
encrypt-type {none | des | 3des |
aes} {encrypt-pass-phrase string |
encrypt-key hex-string}
Specifies the encryption type used for SNMP traffic.

You can specify one of the following:
noneNo encryption is used. This is the default.
desData Encryption Standard (DES) encryption
is used.
3desTriple DES encryption is used.
aesAdvanced Encryption Standard (AES)
encryption is used.
If the encryption type is des, 3des, or aes, you can
specify a passphrase or a hexadecimal key.
To specify a passphrase, use the
encrypt-pass-phrase string option. The string
can be from 8 to 32 alphanumeric characters
long, with no spaces.
To specify a key, use the encrypt-key hex-string
option.
Defaults No SNMPv3 users are configured by default. When you configure an SNMPv3 user, the
default access is read-only, and the default authentication and encryption types are both none.
Access Enabled.
Examples The following command creates USM user snmpmgr1, associated with the local SNMP
engine ID. This user can send traps to notification receivers.
WLC# set snmp usm snmpmgr1 snmp-engine-id local
140
The following command creates USM user securesnmpmgr1, which uses SHA authentication and 3DES
encryption with passphrases. This user can send informs to the notification receiver that has engine ID
192.168.40.2.
WLC# set snmp usm securesnmpmgr1 snmp-engine-id ip 192.168.40.2 auth-type sha
auth-pass-phrase myauthpword encrypt-type 3des encrypt-pass-phrase
mycryptpword
See Also
set snmp group on page 129
set snmp view

Controls SNMP view operations to allow difference levels of access to management information.
Syntax set snmp view view-name description description [root included |
excluded] treefamily oid-subtree [included| excluded]
view view-name
The name configured for a view.
description description
A text description of the view
root [included | excluded]
Include or exclude the root of the OID tree.
treefamily [included | excluded]
Include or exclude the OID treefamily.
Defaults All views excluded.

Access Enabled
History Added in MSS Version 7.0
Usage Controls access to SNMP operations.
Examples To include the root of the OIC tree, use the following command:
WLC# set snmp view eng_dev description labs root include
See Also
set snmp group on page 129
141

set summertime
Offsets the real-time clock of an WLC by +1 hour and returns it to standard time for daylight
savings time or a similar summertime period.
Syntax set summertime summername [start week weekday month hour min end week weekday
month hour min]
summername
Name of up to 32 alphanumeric characters that describes the summertime

offset. You can use a standard name or any name you like.
start
Start of the time change period.
week
Week of the month to start or end the time change. Valid values are first,
second, third, fourth, or last.
weekday
Day of the week to start or end the time change. Valid values are sun, mon,
tue, wed, thu, fri, and sat.
month
Month of the year to start or end the time change. Valid values are jan, feb,
mar, apr, may, jun, jul, aug, sep, oct, nov, and dec.
hour
Hour to start or end the time changea value between 0 and 23 on the
24-hour clock.
min
Minute to start or end the time changea value between 0 and 59.
end
End of the time change period.
Defaults If you do not specify a start and end time, the system implements the time change
starting at 2:00 a.m. on the first Sunday in April and ending at 2:00 a.m. on the last Sunday in
October, according to the North American standard.
Access Enabled.
Usage You must first set the time zone with the set timezone command for the offset to work
properly without the start and end values.
Configure summertime before you set the time and date. Otherwise, the summertime adjustment
of the time makes the time incorrect, if the date is within the summertime period.
Examples To enable summertime and set the summertime time zone to PDT (Pacific Daylight
Time), type the following command:
MX-20# set summertime PDT
See Also
142

set system ip-address

Configures the system IP address. The system IP address determines the interface or source IP
address MSS uses for system tasks, including the following:
Topology reporting for dual-homed MP access points
and SNMP traps
Syntax set system ip-address ip-addr
ip-addr
IP address, in dotted decimal notation. The address must be configured as part of the
MX VLANs.
Defaults None.
Access Enabled.
Usage You must use an address that is configured on one of the MX VLANs.
To display the system IP address, use the show system command.
Examples The following commands configure an IP interface on VLAN taupe and configure the
interface to be the system IP address:
WLC# set interface taupe ip 10.10.20.20/24
success: set ip address 10.10.20.20 netmask 255.255.255.0 on vlan taupe
WLC# set system ip-address 10.10.20.20
See Also
clear system ip-address on page 110
set timedate
Sets the time of day and date on the WLC.
143
Syntax set timedate {date mmm dd yyyy [time hh:mm:ss]}

date mmm dd yyyy
System date:
mmmmonth.
ddday.
yyyyyear.
time hh:mm:ss
System time, in hours, minutes, and seconds.
Defaults None.
Access Enabled.
Usage The day of week is automatically calculated from the day that you set. The time displayed by the
CLI after you type the command might be slightly later than the time entered due to the interval between
pressing Enter and when the CLI reads and displays the new time and date.
Configure summertime before you set the time and date. Otherwise, the summertime adjustment makes
the time incorrect, if the date is within the summertime period.
Examples The following command sets the date to March 13, 2003 and time to 11:11:12:
WLC# set timedate date feb 29 2004 time 23:58:00
Time now is:
Sun Feb 29 2004, 23:58:02 PST
See Also
set timezone
Sets the number of hours, and optionally, the number of minutes, that the WLC real-time clock is offset
from Coordinated Universal Time (UTC). These values are also used by Network Time Protocol (NTP), if it
is enabled.
Syntax set timezone zonename {-hours [minutes]}
144
zonename
Time zone name of up to 32 alphabetic characters. You can use a standard name or
any name you like.
Minus time to indicate hours (and minutes) to be subtracted from UTC. Otherwise,
hours and minutes are added by default.
hours
Number of hours to add or subtract from UTC.
minutes
Number of minutes to add or subtract from UTC.
Defaults If this command is not used, then the default time zone is UTC.
Access Enabled.
Examples To set the time zone for Pacific Standard Time (PST), type the following command:
MX-20# set timezone PST -8
Timezone is set to 'PST', offset from UTC is -8:0 hours.
See Also
show arp
Displays the ARP table.
Syntax show arp [ip-addr]
ip-addr
IP address.
Defaults If you do not specify an IP address, the entire ARP table is displayed.
Access All.
Examples The following command displays ARP entries:
WLC# show arp
ARP aging time: 1200 seconds
Host
HW Address
VLAN
Type
State
------------------------------ ----------------- ----- ------- -------10.5.4.51
00:0b:0e:02:76:f5
1 DYNAMIC RESOLVED
10.5.4.53
00:0b:0e:02:76:f7
1 LOCAL
RESOLVED

Table 19.Output for show arp
Field
Description
ARP aging time
Number of seconds a dynamic entry can remain unused before MSS removes the entry from the
ARP table.
Host
IP address, hostname, or alias.
HW Address
MAC address mapped to the IP address, hostname, or alias.
VLAN
VLAN the entry is for.
145
Table 19.Output for show arp (continued)

Field
Description
Type
Entry type:
DYNAMICEntry was learned from network traffic and ages out if unused for longer than the
ARP aging timeout.
LOCALEntry for the MX MAC address. Each VLAN has one local entry for the switch MAC
address.
PERMANENTEntry does not age out and remains in the configuration even following a
reboot.
STATICEntry does not age out but is removed after a reboot.
State
Entry state:
RESOLVINGMSS sent an ARP request for the entry and is waiting for the reply.
RESOLVEDEntry is resolved.
See Also
set arp on page 112
show dhcp-client
Displays DHCP client information for all VLANs.
Syntax show dhcp-client
Defaults None.
Access All.
Examples The following command displays DHCP client information:
WLC# show dhcp-client
Interface:
corpvlan(4)
Configuration Status: Enabled

DHCP State:
IF_UP
Lease Allocation:
65535 seconds
Lease Remaining:
65532 seconds
IP Address:
10.3.1.110
Subnet Mask:
255.255.255.0
Default Gateway:
10.3.1.1
DHCP Server:
10.3.1.4
DNS Servers:
10.3.1.29
DNS Domain Name:
mycorp.com

Table 20.Output for show dhcp-client
146
Field
Description
Interface
VLAN name and number.
Table 20.Output for show dhcp-client (continued)

Field
Description
Configuration Status
Status of the DHCP client on this VLAN:

Enabled
Disabled
State of the IP interface:
DHCP State
IF_UP
IF_DOWN
Lease Allocation
Duration of the address lease.
Lease Remaining
Number of seconds remaining before the address lease expires.
IP Address
IP address received from the DHCP server.
Subnet Mask
Network mask of the IP address received from the DHCP server.
Default Gateway
Default router (gateway) IP address received from the DHCP server. If the address is
0.0.0.0, the server did not provide an address.
DHCP Server
IP address of the DHCP server.
DNS Servers
DNS server IP address(es) received from the DHCP server.
DNS Domain Name
Default DNS domain name received from the DHCP server.
See Also set interface dhcp-client on page 114
show dhcp-server
Displays MSS DHCP server information.
Syntax show dhcp-server [interface vlan-id] [verbose]
interface vlan-id
Displays the IP addresses leased by the specified VLAN.
verbose
Displays configuration and status information for the MSS DHCP server.
Defaults None.
Access All.
Examples The following command displays the addresses leased by the MSS DHCP server:
WLC# show dhcp-server
VLAN Name
(sec)
Address
MAC
Lease Remaining
---- -------------- --------------- -----------------------------------1 default

12345
10.10.20.2
00:01:02:03:04:05
1 default
2103
10.10.20.3
00:01:03:04:06:07
2 red-vlan
102
192.168.1.5
00:01:03:04:06:08
147
2 red-vlan
16789
192.168.1.7
00:01:03:04:06:09
The following command displays configuration and status information for each VLAN that the
DHCP server is configured:
WLC# show dhcp-server verbose
Interface:
0 (Direct AP)
Status:
UP
Address Range:
10.0.0.1-10.0.0.253
Interface:
default(1)
Status:
UP
Address Range:
10.10.20.2-10.10.20.254
Hardware Address:
00:01:02:03:04:05
State:
BOUND
Lease Allocation:
43200 seconds
Lease Remaining:
12345 seconds
IP Address:
10.10.20.2
Subnet Mask:
255.255.255.0
Default Router:
10.10.20.1
DNS Servers:
10.10.20.4 10.10.20.5
DNS Domain Name:
mycorp.com
Table 21 and Table 22 describe the fields in these displays.

Table 21.Output for show dhcp-server
Field
Description
VLAN
VLAN number.
Name
VLAN name.
Address
IP address leased by the server.
MAC Address
MAC address of the device that holds the lease for the address.
Lease Remaining
Table 22.Output for show dhcp-server verbose

Field
Description
Interface
VLAN name and number.
Status
Status of the interface:

UP
DOWN
148
Address Range
Range from which the server can lease addresses.
Hardware Address
MAC address of the DHCP client.
Table 22.Output for show dhcp-server verbose (continued)

Field
Description
State
State of the address lease:

SUSPENDMSS is checking for the presence of another DHCP server on the subnet.
This is the initial state of the MSS DHCP server. The MSS DHCP server remains in this
state if another DHCP server is detected.
CHECKINGMSS is using ARP to verify whether the address is available.
OFFERINGMSS offered the address to the client and is waiting for the client to send a
DHCPREQUEST for the address.
BOUNDThe client accepted the address.
HOLDINGThe address is already in use and is therefore unavailable.
Lease Allocation
Duration of the address lease, in seconds.
Lease Remaining
IP Address
IP address leased to the client.
Subnet Mask
Network mask of the IP address leased to the client.
Default Router
Default router IP address included in the DHCP Offer to the client.
DNS Servers
DNS server IP address(es) included in the DHCP Offer to the client.
DNS Domain Name
Default DNS domain name included in the DHCP Offer to the client.
See Also set interface dhcp-server on page 115
show interface
Displays the IP interfaces configured on the MX.
Syntax show interface [vlan-id]
vlan-id
Defaults If you do not specify a VLAN ID, interfaces for all VLANs are displayed.
Access All.
History
Version 1.0
Command introduced.
Version 4.0
RIB field added.
Usage The IP interface table flags an address assigned by a DHCP server with an asterisk ( * ).
Examples The following command displays all the IP interfaces configured on an MX:
WLC# show interface
VLAN Name
Address
Mask
Enabled State RIB
---- --------------- --------------- --------------- ------- ------------1 default
10.10.10.10
255.255.255.0
YES
Up
ipv4
2 mauve
10.10.20.10
255.255.255.0
NO
Down
ipv4
255.255.255.0
YES
Up
ipv4
4 corpvlan
*10.3.1.110

149
Table 23.Output for show interface

Field
Description
VLAN
VLAN number
Name
VLAN name
Address
IP address
Mask
Subnet mask
Enabled
Administrative state:
YES (enabled)
NO (disabled)
State
Link state:
Up (operational)
Down (unavailable)
RIB
Routing Information Base
See Also
show ip alias
Displays the IP aliases configured on the MX.
Syntax show ip alias [name]
name
Alias string.
Defaults If you do not specify an alias name, all aliases are displayed.
Access Enabled.
Examples The following command displays all the aliases configured on an MX:
WLC# show ip alias
Name
IP Address
--------------------
--------------------
HR1
192.168.1.2
payroll
192.168.1.3
radius1
192.168.7.2

Table 24.Output for show ip alias
Field
Description
Name
Alias string.
IP Address
IP address associated with the alias.
See Also
150

show ip dns
Displays the DNS servers used by the MX.
Syntax show ip dns
Defaults None.
Access All.
Examples The following command displays the DNS information:
WLC# show ip dns
Domain Name: example.com
DNS Status: enabled
IP Address
Type
----------------------------------10.1.1.1
PRIMARY
10.1.1.2
SECONDARY
10.1.2.1
SECONDARY

Table 25.Output for show ip dns
Field
Description
Domain Name
Default domain name configured on the MX
DNS Status
Status of the WLC DNS client:

Enabled
Disabled
IP Address
IP address of the DNS server
Type
Server type:
PRIMARY
SECONDARY
See Also
151
show ip https
Displays information about the HTTPS management port.
Syntax show ip https
Defaults None.
Access All.
Examples The following command shows the status and port number for the HTTPS management
interface to the MX switch:
WLC> show ip https
HTTPS is enabled
HTTPS is set to use port 443
Last 10 Connections:
IP Address
Last Connected
------------
-----------------------
------------
10.10.10.56
2003/05/09 15:51:26 pst
349

Table 26.Output for show ip https
Field
Description
HTTPS is enabled/disabled
State of the HTTPS server:

Enabled
Disabled
HTTPS is set to use port
TCP port number on which the MX listens for HTTPS connections.
Last 10 connections
List of the last 10 devices to establish connections to the MX HTTPS server.
IP Address
IP address of the device that established the connection.

If a browser connects to an MX from behind a proxy, then only the proxy IP address is shown. If
multiple browsers connect using the same proxy, the proxy address appears only once in the
output.
Last Connected
Time when the device established the HTTPS connection to the WLC.
Time Ago (s)
Number of seconds since the device established the HTTPS connection to the switch.
See Also
152
show ip route
Displays the IP route table on the WLC.
Syntax show ip route [destination]
Route destination IP address, in dotted decimal notation.
destination
Defaults None.
Access All.

Usage When you add an IP interface to an available VLAN, MSS adds direct and local routes for the
interface to the route table. If the VLAN is down, MSS does not add the routes. If you add an interface to a
VLAN but the routes for that interface do not appear in the route table, use the show vlan config
command to check the VLAN state.
If you add a static route and the route state is shown as Down, use the show interface command to verify
that the MX has an IP interface in the default router subnet. MSS cannot resolve a static route unless one
of the WLC VLANs has an interface in the default router subnet. If the WLC has such an interface but the
static route is still down, use the show vlan config command to check the state of the VLAN ports.
Examples The following command shows all routes in an MX IP route table:
WLC# show ip route
Router table for IPv4
Destination/Mask
Proto
Metric NH-Type Gateway
VLAN:Interface
__________________ _______ ______ _______ _______________ _______________

0.0.0.0/ 0 Static
1 Router
10.0.1.17
Down
0.0.0.0/ 0 Static
2 Router
10.0.2.17
vlan:2:ip
10.0.2.1/24 IP
0 Direct
10.0.2.1/32 IP
vlan:2:ip:10.0.1.1/24
0 Direct
10.0.2.255/32 IP
vlan:2:ip:10.0.1.1/24
0 Direct
224.0.0.0/ 4 IP
0 Local
vlan:2:ip
MULTICAST

Table 27.Output for show ip route
Field
Destination/Mask
Description
IP address and subnet mask of the route destination.
The 244.0.0.0 route is automatically added by MSS and supports the IGMP snooping feature.
Proto
Protocol that added the route to the IP route table. The protocol can be one of the following:
IPMSS added the route.
StaticAn administrator added the route.
Metric
Cost for using the route.
153
Table 27.Output for show ip route (continued)

Field
Description
NH-Type
Next-hop type:
LocalRoute is for a local interface. MSS adds the route when you configure an IP address on
an MX.
DirectRoute is for a locally attached subnet. MSS adds the route when you add an interface
in the same subnet as the MX.
RouterRoute is for a remote destination. An MX switch forwards traffic for the destination to
the default router (gateway).
Gateway
Next-hop router for reaching the route destination.

This field applies only to static routes.
VLAN:Interface
Destination VLAN, protocol type, and IP address of the route. Because direct routes are for local
interfaces, a destination IP address is not listed.
The destination for the IP multicast route is MULTICAST.
For static routes, the value Down means the MX does not have an interface to the destination
next-hop router. To provide an interface, configure an IP interface that is in the same IP subnet as
the next-hop router. The IP interface must be on a VLAN with the port attached to the default
router.
See Also
show ip telnet
Displays information about the Telnet management port.
Syntax show ip telnet
Defaults None.
Access All.
Examples The following command shows the status and port number for the Telnet management interface
to the MX:
WLC> show ip telnet
Server Status
Port
---------------------------------Enabled
23
154
Table 28.Output for show ip telnet

Field
Description
Server Status
State of the HTTPS server:

Enabled
Disabled
Port
TCP port number that the MX listens for Telnet management traffic.
See Also
show ntp
Displays NTP client information.
Syntax show ntp
Defaults None.
Access All.
History
Version 1.0
Command introduced
Version 2.0
Peer State and Local State fields added
Examples To display NTP information for an MX, type the following command:
WLC> show ntp
NTP client: enabled
Current update-interval: 20(secs)
Current time: Fri Feb 06 2004, 12:02:57
Timezone is set to 'PST', offset from UTC is -8:0 hours.
Summertime is enabled.
Last NTP update: Fri Feb 06 2004, 12:02:46
NTP Server
Peer state
Local State
--------------------------------------------------192.168.1.5
SYSPEER
SYNCED
155
Table 29.Output for show ntp

Field
Description
NTP client
State of the NTP client. The state can be one of the following:
Enabled
Disabled
Current update-interval
Number of seconds between queries sent by the MX to the NTP servers for updates.
Current time
System time that was current on the MX when you pressed Enter after typing the show ntp
command.
Timezone
Time zone configured on the switch. MSS offsets the time reported by the NTP server based on
the time zone.
This field is displayed only if you change the time zone.
Summertime
Summertime period configured on the switch. MSS offsets the system time +1 hour and returns it
to standard time for daylight savings time or a similar summertime period that you set.
This field is displayed only if you enable summertime.
Last NTP update
Time when the WLC received the most recent update from an NTP server.
NTP Server
IP address of the NTP server.
Peer state
State of the NTP session from the point of view of the NTP server:
CORRECT
REJECT
SELCAND
SYNCCAND
SYSPEER
Local state
State of the NTP session on the WLC NTP client:

INITED
START
SYNCED
See Also
set ntp on page 125
show snmp configuration

This command is deprecated in MSS Version 4.0. Use the show snmp status command instead.
show snmp community

Displays the configured SNMP community strings.
Syntax show snmp community
Defaults None.
156
Access Enabled.
See Also
show snmp counters

Displays SNMP statistics counters.
Syntax show snmp counters
Defaults None.
Access Enabled.
show snmp notify profile

Displays SNMP notification profiles.
Syntax show snmp notify profile
Defaults None.
Access Enabled.
show snmp notify target

Displays SNMP notification targets.
Syntax show snmp notify target
Defaults None.
Access Enabled.
See Also
show snmp status

Displays SNMP version and status information.
Syntax show snmp status
Defaults None.
Access Enabled.
157
See Also
set snmp security on page 138
show snmp counters on page 157
show snmp usm

Displays information about SNMPv3 users.
Defaults None.
Access Enabled.
See Also
show summertime
Shows an MX offset time from the real-time clock time.
Syntax show summertime
Defaults None.
Access All.
Examples To display the summertime setting on an MX, type the following command:
MX-20# show summertime
Summertime is enabled, and set to 'PDT'.
Start
: Sun Apr 04 2004, 02:00:00
End
: Sun Oct 31 2004, 02:00:00
Offset : 60 minutes
Recurring : yes, starting at 2:00 am of first Sunday of April
and ending at 2:00 am on last Sunday of October.
See Also
158

show timedate
Shows the date and time of day currently set on an WLC real-time clock.
Syntax show timedate
Defaults None.
Access All.
Examples To display the time and date set on an WLC real-time clock, type the following
command:
MX-20# show timedate
Sun Feb 29 2004, 23:59:02 PST
See Also
show timezone
Shows the time offset for the real-time clock from UTC on an WLC.
Syntax show timezone
Defaults None.
Access All.
Examples To display the offset from UTC, type the following command:
WLC# show timezone
Timezone set to 'pst', offset from UTC is -8 hours
See Also
159

telnet
Opens a Telnet client session with a remote device.
Syntax telnet {ip-addr | hostname} [port port-num]
ip-addr
IP address of the remote device.
hostname
Hostname of the remote device.
port port-num
TCP port number that the TCP server on the remote device listens for Telnet
connections.
Defaults MSS attempts to establish Telnet connections with TCP port 23 by default.
Access Enabled.
Usage To end a Telnet session from the remote device, press Ctrl+t or type exit in the
management session on the remote device. To end a client session from the local device, use the
clear sessions telnet client command.
If the configuration of the MX on which you enter the telnet command has an ACL that denies
Telnet client traffic, the ACL also denies access by the telnet command.
Examples In the following example, an administrator establishes a Telnet session with another MX
and enters a command on the remote WLC:
WLC# telnet 10.10.10.90
Session 0 pty tty2.d Trying 10.10.10.90...
Connected to 10.10.10.90
Disconnect character is '^t'
Copyright (c) 2002, 2003
Username: username
Password: password
WLC-remote> show vlan
Admin
VLAN Name
VLAN
Tunl
Status State Affin Port
Port
Tag
State
---- ---------------- ------ ----- ----- ---------------- ----- ----160
1 default
Up
3 red
10 backbone
Up
Up
Up
Up
Up
none Up
21
none Up
22
none Up
When the administrator presses Ctrl+t to end the Telnet connection, the management session
returns to the local MX prompt:
WLC-remote> Session 0 pty tty2.d terminated tt name tty2.d
WLC#
See Also
clear sessions on page 527
show sessions on page 529
traceroute
Traces the route from the WLC to an IP host.
Syntax traceroute host [dnf] [no-dns] [port port-num] [queries num]
[size size] [ttl hops] [wait ms]
host
IP address, hostname, or alias of the destination host. Specify the IP

address in dotted decimal notation.
dnf
Sets the Do Not Fragment bit in the ping packet to prevent the packet from
being fragmented.
no-dns
Prevents MSS from performing a DNS lookup for each hop to the destination
host.
port port-num
TCP port number listening for the traceroute probes.
queries num
Number of probes per hop.
size size
Probe packet size in bytes. You can specify from 40 through 1460.
ttl hops
Maximum number of hops, which can be from 1 through 255.
wait ms
Probe wait in milliseconds. You can specify from 1 through 100,000.
Defaults
dnfDisabled
no-dnsDisabled
port33434
queries3
size38
ttl30
161
wait5000
Access All.
Usage To stop a traceroute command that is in progress, press Ctrl+C.
Examples The following example traces the route to host server1:
WLC# traceroute server1
traceroute to server1.example.com (192.168.22.7), 30 hops max, 38 byte
packets
1 engineering-1.example.com (192.168.192.206) 2 ms 1 ms 1 ms
2 engineering-2.example.com (192.168.196.204) 2 ms 3 ms 2 ms
3 gateway_a.example.com (192.168.1.201) 6 ms 3 ms 3 ms
4 server1.example.com (192.168.22.7) 3 ms * 2 ms
The first row of the display indicates the target host, the maximum number of hops, and the packet
size. Each numbered row displays information about one hop. The rows are displayed in the order
that the hops occur, beginning with the hop closest to the MX.
The row for a hop lists the total time in milliseconds for each ICMP packet to reach the router or
host, plus the time for the ICMP Time Exceeded message to return to the host.
An exclamation point (!) following any of these values indicates that the Port Unreachable
message returned by the destination has a maximum hop count of 0 or 1. This can occur if the
destination uses the maximum hop count value from the arriving packet as the maximum hop
count in its ICMP reply. The reply does not arrive at the source until the destination receives a
traceroute packet with a maximum hop count equal to the number of hops between the source and
destination.
An asterisk (*) indicates that the timeout period expired before MSS received a Time Exceeded
message for the packet.
If Traceroute receives an ICMP error message other than a Time Exceeded or Port Unreachable
message, MSS displays one of the error codes described in Table 30 instead of displaying the
round-trip time or an asterisk (*).
Table 30 describes the traceroute error messages.
Table 30.Error Messages for traceroute
Field
Description
!N
No route to host. The network is unreachable.
!H
No route to host. The host is unreachable.
!P
Connection refused. The protocol is unreachable.
!F
Fragmentation needed but Do Not Fragment (DNF) bit was set.
!S
Source route failed.
!A
Communication administratively prohibited.
Unknown error occurred.
See Also ping on page 111
162
163
164
165
166
AAA Commands
Use authentication, authorization, and accounting (AAA) commands to provide a secure network
connection and a record of user activity. Location policy commands override any virtual LAN
(VLAN) or security ACL assignment by AAA or the local MX database to help you control access
locally.
(Security ACLs are packet filters. For command descriptions, see Chapter , Security ACL
Commands, on page 453.)
This chapter presents AAA commands alphabetically. Use the following table to locate commands
Authentication
New
set aaa-profile on page 181

set authentication console on page 188
Updated
set authentication admin on page 186

set authentication dot1x on page 190
set authentication mac on page 194
set authentication mac-prefix on page 195
Updated
set authentication proxy on page 198

set authentication web on page 199
clear authentication admin on page 170
clear authentication console on page 171
clear authentication dot1x on page 171
clear authentication mac on page 172
clear authentication proxy on page 173
clear authentication web on page 173
Local Authorization for
set user on page 212
Password Users
clear user on page 178

set user attr on page 214
clear user attr on page 179
set usergroup on page 216
clear usergroup on page 180
set user group on page 215
clear user group on page 179
167
clear usergroup attr on page 181

Local Authorization for
set mac-user on page 204
MAC Users
clear mac-user on page 174

show mac-user on page 218
set mac-user attr on page 204
clear mac-user attr on page 175
set mac-usergroup attr on page 209
clear mac-usergroup attr on page 177
clear mac-user group on page 176
clear mac-usergroup on page 176
Web authorization
set web-portal on page 218
Accounting
set accounting {admin | console} on page 182
New
set accounting cdr on page 183

set accounting {dot1x | mac | web | last-resort} on
page 183
Updated
set accounting command on page 185
Updated
set accounting system on page 185

show accounting statistics on page 226
clear accounting on page 169
clear accounting command on page 170
AAA information
show aaa on page 218

show mac-user on page 218
show mac-usergroup on page 220
show user on page 222
show usergroup on page 224
Mobility Profiles
set mobility-profile on page 210

set mobility-profile mode on page 212
show mobility-profile on page 228
clear mobility-profile on page 178
Location Policy
set location policy on page 200

show location policy on page 228
clear location policy on page 174
Password and User

Login Restrictions
set authentication password-restrict on page 197

set authentication max-attempts on page 196
168
AAA Commands
set authentication minimum-password-length on

page 196
set user expire-password-in on page 215
set usergroup expire-password-in on page 217
clear user lockout on page 180
clear accounting
Removes accounting services for specified wireless users with administrative access or network
access.
Syntax clear accounting {admin| console | [mac | dot1x | web | system
[ssid ssid| wired user-glob]]|last-resort | statistics | system}
{user-glob}
admin
Users with administrative access to the MX through a console connection or

through a Telnet or Web View connection.
dot1x
Users with network access through the MX. Users with network access are
authorized to use the network through either an IEEE 802.1X method or
their media access control (MAC) address.
system
Disables sending of Accounting-On and Accounting-Off messages to a

RADIUS server, if previously enabled.
When this command is entered, an Accounting-Off message is generated
and sent to the server or server group specified with the set accounting
system command.
user-glob
Single user or set of users with administrative access or network access.

Specify a username, use the double-asterisk wildcard character (**) to
specify all usernames, or use the single-asterisk wildcard character (*) to
specify a set of usernames up to or following the first delimiter
charactereither an at sign (@) or a period (.). (For details, see User
Globs on page 27.)
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 5.0
system option added
Version 7.0
mac and web options added
Examples The following command removes accounting services for authorized network user Nin:
WLC# clear accounting dot1x Nin
169
See Also
set accounting system on page 185
clear accounting command

Removes command auditing from the configuration and commands are no longer sent to an
external RADIUS server for logging.
Syntax clear accounting command
Defaults None
Access Enabled
clear authentication admin

Removes an authentication rule for administrative access through Telnet or Web View.
Syntax clear authentication admin user-glob
A single user or set of users.
user-glob

specify a set of usernames up to or following the first delimiter character,
either an at sign (@) or a period (.). (For details, see User Globs on
page 27.)
Defaults None.
Access Enabled.
Informational Note: The syntax descriptions for the clear authentication commands are separate for
clarity. However, the options and behavior for the clear authentication admin command are the same as in
previous releases.
Examples The following command clears authentication for administrator Jose:

WLC# clear authentication admin Jose
See Also
170
AAA Commands
clear authentication console

Removes an authentication rule for administrative access through the Console.
Syntax clear authentication console user-glob
A single user or set of users.
user-glob

specify a set of usernames up to or following the first delimiter character,
either an at sign (@) or a period (.). (For details, see User Globs on
page 27.)
Defaults None.
Access Enabled.
Informational Note: The syntax descriptions for the clear authentication commands are separate for
clarity. However, the options and behavior for the clear authentication console command are the same as in
previous releases.
Examples The following command clears authentication for administrator Regina:

WLC# clear authentication console Regina
See Also
clear authentication dot1x

Removes an 802.1X authentication rule.
Syntax clear authentication dot1x {ssid ssid-name | wired} user-glob
ssid
ssid-name
SSID name to which this authentication rule applies.
wired
Clears a rule used for access over an WLC wired-authentication port.
user-glob
User-glob associated with the rule you are removing.
171
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
ssid ssid-name and wired options added
Examples The following command removes 802.1X authentication for network users with
usernames ending in @thiscorp.com who try to access SSID finance:
WLC# clear authentication dot1x ssid finance *@thiscorp.com
See Also
clear authentication last-resort

Deprecated in MSS Version 5.0. The last-resort user is not required or supported in MSS Version
5.0. Instead, a user who accesses the network on an SSID by using the fallthru access type
last-resort is automatically a last-resort user. The authorization attributes assigned to the user
come from the default authorization attributes set on the SSID.
clear authentication mac

Removes a MAC authentication rule.
Syntax clear authentication mac {ssid ssid-name | wired} mac-addr-glob
ssid ssid-name
SSID name to apply the authentication.
wired
mac-addr-glob
MAC address glob associated with the rule you are removing.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
Examples The following command removes a MAC authentication rule for access to SSID
thatcorp by MAC addresses beginning with aa:bb:cc:
172
AAA Commands
WLC# clear authentication mac ssid thatcorp aa:bb:cc:*

See Also
clear authentication proxy

Removes a proxy rule for third-party AP users.
Syntax clear authentication proxy ssid ssid-name user-glob
ssid
ssid-name
user-glob
Defaults None.
Access Enabled.
Examples The following command removes the proxy rule for SSID mycorp and userglob **:
WLC# clear authentication proxy ssid mycorp **
See Also
clear authentication web

Removes a WebAAA rule.
Syntax clear authentication web {ssid ssid-name | wired} user-glob
ssid
ssid-name
wired
user-glob
Defaults None.
Access Enabled.
Examples The following command removes WebAAA for SSID research and userglob
temp*@thiscorp.com:
173
WLC# clear authentication web ssid research temp*@thiscorp.com

See Also
clear location policy

Removes a rule from the location policy on an MX.
Syntax clear location policy [ index | all ]
index
Index of MACE to clear ( 1...)
all
Clears all policies
Defaults None.
Access Enabled.
Version 1.1
Command introduced.
Version 7.0
rule-number replaced by the options index and all.
Usage To determine the index numbers of location policy rules, use the show location policy
command. Removing all the ACEs from the location policy disables this function on the MX.
Examples The following command removes location policy rule 4 from an MX location policy:
WLC# clear location policy 4
success: clause 4 is removed.
See Also
clear mac-user
Removes a user profile from the local database on the MX for a user authenticated by a MAC
address.
(To remove a user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax clear mac-user mac-address-glob
mac-address-glob
174
MAC address of the user, in hexadecimal numbers separated by colons (:).

You can omit leading zeros.
AAA Commands
Defaults None.
Access Enabled.
Version 1.0
Command introduced.
Version 7.0
mac-addr changed to mac-address-glob.
Usage Deleting a MAC user profile from the database deletes the assignment of any profile
attributes to the user.
Examples The following command removes user profiles at MAC address 01:02:*
WLC# clear mac-user 01:02:*
See Also
clear mac-user attr

For a user authenticating with a MAC address, this command removes an authorization attribute
from the user profile in the local database on the MX.
(To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)
Syntax clear mac-user mac-address-glob attr attribute-name
mac-address-glob
MAC address of the user, in hexadecimal numbers separated by colons

(:). You can omit leading zeros.
attribute-name
Name of an attribute used to authorize the MAC user for a particular

service or session characteristic. (For a list of authorization attributes, see
Table 31 on page 206.)
Defaults None.
Access Enabled.
History .
Version 1.0
Command introduced.
Version 7.0
MAC glob support added.
Examples The following command removes an access control list (ACL) from the profile of a user
at MAC address 01:02:03:04:05:06:
WLC# clear mac-user 01:02:03:04:05:06 attr filter-id
See Also
175

clear mac-user group

Removes a user profile from a MAC user group in the local database on the MX for a user
authenticating with a MAC address.
(To remove a MAC user group profile in RADIUS, see the documentation for your RADIUS server.)
Syntax clear mac-user mac-address-glob group
mac-address-glob
MAC address of the user, in hexadecimal numbers separated by

colons (:). You can omit leading zeros.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced.
Version 7.0
MAC glob support added.
Usage Removing a MAC user from a MAC user group removes the group name from the user
profile, but does not delete the user group from the local MX database. To remove the group, use
clear mac-usergroup.
Examples The following command deletes a user profile at MAC address 01:02:03:04:05:06 from
its user group:
WLC# clear mac-user 01:02:03:04:05:06 group
See Also
set mac-user on page 204
clear mac-usergroup
Removes a user group from the local database on the MX for a group of users authenticating with
a MAC address.
(To delete a MAC user group in RADIUS, see the documentation for your RADIUS server.)
Syntax clear mac-usergroup group-name
group-name
Name of an existing MAC user group.
Defaults None.
Access Enabled.
176
AAA Commands

Usage To remove a user from a MAC user group, use the clear mac-user group command.
Examples The following command deletes the MAC user group eastcoasters from the local
database:
WLC# clear mac-usergroup eastcoasters
See Also
clear mac-usergroup attr

Removes an authorization attribute from a MAC user group in the local database on the MX, for a
group of users who are authenticated by a MAC address.
(To unconfigure an authorization attribute in RADIUS, see the documentation for your RADIUS
server.)
Syntax clear mac-usergroup group-name attr attribute-name
group-name
attribute-name
Name of an attribute used to authorize the MAC users in the user group
for a particular service or session characteristic. (For a list of
authorization attributes, see Table 31 on page 206.)
Defaults None.
Access Enabled.
Usage To remove the group itself, use the clear mac-usergroup command.
Examples The following command removes the members of the MAC user group eastcoasters
from a VLAN assignment by deleting the VLAN-Name attribute from the group:
WLC# clear mac-usergroup eastcoasters attr vlan-name
See Also
177
clear mobility-profile
Removes a Mobility Profile entirely.
Syntax clear mobility-profile mprofile-name
mprofile-name
Name of an existing Mobility Profile.
Defaults None.
Access Enabled.
Examples The following command removes the Mobility Profile for user Nin:
WLC# clear mobility-profile Nin
See Also
clear user
Removes a user profile from the local database on the MX.
(To remove a user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax clear user username
username
Username
Defaults None.
Access Enabled.
Usage Deleting the user profile from the database deletes the assignment of any profile attributes
to the user.
Examples The following command deletes the user profile for user Nin:
WLC# clear user Nin
See Also
178
AAA Commands
clear user attr

Removes an authorization attribute from the user profile in the local database on the MX for a user
with a password.
(To remove an authorization attribute from a RADIUS user profile, see the documentation for your
RADIUS server.)
Syntax clear user username attr attribute-name
username
Username of a user with a password.
attribute-name
Name of an attribute used to authorize the user for a particular service

or session characteristic. (For a list of authorization attributes, see
Table 31 on page 206.)
Defaults None.
Access Enabled.
Examples The following command removes the Session-Timeout attribute from jsmith user profile:
WLC# clear user jsmith attr session-timeout
See Also
clear user group

Removes a user with a password from membership in a user group in the local database on the
MX.
(To remove a user from a user group in RADIUS, see the documentation for your RADIUS server.)
Syntax clear user username group
username
Username
Defaults None.
Access Enabled.
Usage Removing the user from the group removes the group name from the user profile, but does
not delete either the user or the user group from the local MX database. To remove the group, use
clear usergroup.
Examples The following command removes the user Nin from the user group Nin is in:
WLC# clear user Nin group
See Also
179
set user group on page 215

clear user lockout

Restores access to a user who has been locked out of the system due to an expired password or
exceeding the maximum number of failed login attempts.
Syntax clear user username lockout
username
Defaults None.
Access Enabled.
Usage If a users password has expired, or the user is unable to log in within the configured limit
for login attempts, then the user is locked out of the system, and cannot gain access without the
intervention of an adminstrator. Use this command to restore access to the user.
Examples The following command restores access to user Nin, who was previously locked out of
the system:
WLC# clear user Nin lockout
See Also
set authentication minimum-password-length on page 196
set user expire-password-in on page 215
clear usergroup
Removes a user group and its attributes from the local database on the MX for users with
passwords.
(To delete a user group in RADIUS, see the documentation for your RADIUS server.)
Syntax clear usergroup group-name
group-name
Name of an existing user group.
Defaults None.
Access Enabled.
Usage Removing a user group from the local MX database does not remove the user profiles of
the group members from the database.
Examples The following command deletes the cardiology user group from the local database:
WLC# clear usergroup cardiology
180
AAA Commands

See Also
clear usergroup attr

Removes an authorization attribute from a user group in the local database on the MX.
(To remove an authorization attribute in RADIUS, see the documentation for your RADIUS server.)
Syntax clear usergroup group-name attr attribute-name
group-name
Name of an existing user group.
attribute-name
Name of an attribute used to authorize all the users in the group for a
particular service or session characteristic. (For a list of authorization
attributes, see Table 31 on page 206.)
Defaults None.
Access Enabled.
Examples The following command removes the members of the user group cardiology from a
network access time restriction by deleting the Time-Of-Day attribute from the group:
WLC# clear usergroup cardiology attr time-of-day
See Also
set aaa-profile
Usage Creates AAA profiles and configure the authentication methods to all for authentication
chaining.
This feature allows multiple authentications for a client on the network. The most common of these
is MAC authentication and dot1x. In some cases, three authentications are required by the
network configuration.
All authentication types are supported in a chain and are allowed in any sequence except that
Web authentication must be last in the chain. Authorization is required at each step of the chain
and an attribute assigned in a previous step is replaced by the subsequent step.
181
Syntax MX# set aaa-profile name profile-name authen-type [dot1x

auth-method-1 ] auth-method2 auth-method3 auth-method4
profile-name
The authentication profile name allows a maximum of 32 characters and

cannot be configured using special characters such as #$&?\.
authen-type
The authentication type, one of the following:

dot1x
auth-method
set accounting {admin | console}

Sets up accounting services for specified wireless users with administrative access, and defines
the accounting records and where they are sent.
Syntax set accounting {admin | console} {user-glob} {start-stop | stop-only}
method1 [method2] [method3] [method4]
admin
Users with administrative access to the MX switch through Telnet or Web

View.
console
Users with administrative access to the MX switch through a console

connection.
user-glob

Globs on page 27.)
This option does not apply if mac is specified. For mac, specify a
mac-addr-glob. (See MAC Address Globs on page 27.)
start-stop
Sends accounting records at the start and end of a network session.
stop-only
Sends accounting records only at the end of a network session.
method1
At least one of up to four methods that MSS uses to process accounting

records. Specify one or more of the following methods in priority order. If the
first method does not succeed, MSS tries the second method, and so on.
method2
method3
method4
A method can be one of the following:

localStores accounting records in the local database on the MX
switch. When the local accounting storage space is full, MSS
overwrites older records with new ones.
server-group-nameStores accounting records on one or more
Remote Authentication Dial-In User Service (RADIUS) servers. You
can also enter the names of existing RADIUS server groups as
methods.
Defaults Accounting is disabled for all users by default.

182
AAA Commands
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
console option added
Usage For network users with start-stop accounting whose records are sent to a RADIUS server,
MSS sends interim updates to the RADIUS server when the user roams.
Examples The following command issues start-and-stop accounting records at the local MX
database for administrator Natasha, when she accesses the switch using Telnet or Web View:
WLC# set accounting admin Natasha start-stop local
See Also
set accounting cdr

Sets the accounting services for SIP VoIP calls.
Syntax set accounting cdr radius-server-group
Defaults None
Access Enabled
Usage Use this command to set accounting services for SIP Call Detail Records.
Examples To begin accounting services for SIP on a RADIUS server group named sipaccount,
use the following command:
WLC# set accounting cdr sipaccount
set accounting {dot1x | mac | web | last-resort}

Sets up accounting services for specified wireless users with network access, and defines the
accounting records and where they are sent.
Syntax set accounting {dot1x | mac | web | last-resort} {ssid ssid-name |
wired} {user-glob | mac-addr-glob} {start-stop | stop-only}
dot1x
Users with network access through the MX switch who are authenticated by
802.1X.
mac
MAC authentication
web
WebAAA
183
ssid ssid-name
SSID name to which this accounting rule applies. To apply the rule to all
SSIDs, type any.
wired
Applies this accounting rule specifically to users who are authenticated on a

wired authentication port.
user-glob

Globs on page 27.)
This option does not apply if mac or last-resort is specified. For mac, specify
a mac-addr-glob.
mac-addr-glob
A single user or set of users with access via a MAC address. Specify a MAC
address, or use the wildcard (*) character to specify a set of MAC
addresses. (For details, see MAC Address Globs on page 27.)
This option applies only when mac is specified.
start-stop
Sends accounting records at the start and end of a network session.
stop-only
Sends accounting records only at the end of a network session.
method1

records. Specify one or more of the following methods in priority order. If the
first method does not succeed, MSS tries the second method, and so on.
method2
method3
method4

localStores accounting records in the local database on the MX switch.
When the local accounting storage space is full, MSS overwrites older
records with new ones.
server-group-nameStores accounting records on one or more Remote
Authentication Dial-In User Service (RADIUS) servers. You can also enter
the names of existing RADIUS server groups as methods.
Defaults Accounting is disabled for all users by default.

Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
web option added
Usage For network users with start-stop accounting profiles whose records are sent to a RADIUS
server, MSS sends interim updates to the RADIUS server when the user roams.
Examples The following command issues stop-only records to the RADIUS server group sg2 for
network user Nin, who is authenticated by 802.1X:
184
AAA Commands
WLC# set accounting dot1x Nin stop-only sg2

See Also
set accounting command

Provides the ability to log all CLI commands to an external server for auditing purposes. The
following capabilities are available:
All successfully completed commands are logged.
Commands are logged to an external RADIUS server or servers.
Password/key data is obscured.
Configuration is handled as an additional RADIUS accounting type:
VSA 13
Each command accounting message contains the following information:
Timestamp
tty port
Username
Source IP address
Command issued
Command status (success/failure)
Syntax set accounting command radius-server-group
Defaults None
Access Enabled
Examples To begin command auditing and logging commands to the RADIUS server group,
corpsecure, use the following command:
WLC# set accounting command corpsecure
set accounting system

Configures MSS to send Accounting-On and Accounting-Off messages to a specified RADIUS
server group.
185
Syntax set accounting system method1 [method2] [method3] [method4]

method1
method2
method3
method4

records. Specify one or more methods in priority order. If the first method
does not succeed, MSS tries the second method, and so on.
The local method is not valid for this command.
Defaults By default MSS does not send Accounting-On or Accounting-Off messages.

Access Enabled.
Usage Use this command to configure MSS to send an Accounting-On message
(Acct-Status-Type = 7) to a RADIUS server when the WLC switch starts, and an Accounting-Off
message (Acct-Status-Type = 8) to the RADIUS server when the WLC switch is adminstratively
shut down.
When you enable this command, an Accounting-On message is generated and sent to the
specified server or server group. Subsequent Accounting-On messages are generated each time
the WLC starts. When the WLC is administratively shut down, an Accounting-Off message is
generated.
Accounting-Off messages are sent only when the WLC is administratively shut down, not when a
critical failure causes the WLC to reset. The WLC does not wait for a RADIUS server to
acknowledge the Accounting-Off message; the WLC makes one attempt to send the
Accounting-Off message, then shuts down.
Examples The following command causes Accounting-On and Accounting-Off messages to be
sent to RADIUS server group shorebirds:
WLC# set accounting system shorebirds
See Also
set authentication admin

Configures authentication and defines where it is performed for specified users with administrative
access through Telnet or Web View.
186
AAA Commands
Syntax set authentication admin user-glob

user-glob
Single user or set of users with administrative access over the network
through Telnet or Web View.
Globs on page 27.)
method1
method2
method3
method4
At least one of up to four methods that MSS uses to handle authentication.

Specify one or more of the following methods in priority order. MSS applies
multiple methods in the order you enter them.
localUses the local database of usernames and user groups on the MX
switch for authentication.
server-group-nameUses the defined group of RADIUS servers for
authentication. You can enter up to four names of existing RADIUS server
groups as methods.
noneFor users with administrative access only, MSS performs no
authentication, but prompts for a username and password and accepts any
combination of entries, including blanks.
ldap_group_name Uses the defined group of LDAP servers for
authentication. You can configure up to four LDAP server groups.
The authentication method none you can specify for administrative access is
different from the fallthru authentication type none, which applies only to
network access. The authentication method none allows access to the WLC
switch by an administrator. The fallthru authentication type none denies
access to a network user. (See set service-profile [rsn-id | wpa-ie]
auth-fallthru on page 1332.)
For more information, see Usage.
Defaults By default, authentication is deactivated for all admin users. The default authentication
method in an admin authentication rule is local. MSS checks the local MX database for
authentication.
Access Enabled.
History
MSS 1.0
Command introduced.
MSS 7.1
LDAP added as an authentication method.
187
Informational Note: The syntax descriptions for the set authentication commands are separated for
clarity. However, the options and behavior for the set authentication admin command are the same as in
previous releases.
Usage You can configure different authentication methods for different groups of users. (For
details, see User Globs, MAC Address Globs, and VLAN Globs on page 27.)
If you specify multiple authentication methods in the set authentication console command, MSS
applies them in the order that they appear in the command, with these results:
If the first method responds with pass or fail, the evaluation is final.
If the first method does not respond, MSS tries the second method, and so on.
However, if local appears first, followed by a RADIUS server group, MSS ignores any failed
searches in the local MX database and sends an authentication request to the RADIUS server
group.
Informational Note: If a AAA rule specifies local as a secondary AAA method, to be used if the RADIUS
servers are unavailable, and MSS authenticates a client with the local method, MSS starts again at the
beginning of the method list when attempting to authorize the client. This can cause unexpected delays during
client processing and can cause the client to time out before completing logon.
Examples The following command configures administrator Jose, who connects via Telnet, for
authentication on RADIUS server group sg3:
WLC# set authentication admin Jose sg3
See Also
set authentication console

Configures authentication and defines where it is performed for specified users with administrative
access through a console connection.
188
AAA Commands
Syntax set authentication console user-glob

Single user or set of users with administrative access through the switchs
console.
user-glob

Globs on page 27.)
method1
method2
method3
method4
localUses the local database of usernames and user groups on the

MX switch for authentication.
authentication. You can enter up to four names of existing RADIUS
server groups as methods.
noneFor users with administrative access only, MSS performs no
authentication, but prompts for a username and password and accepts
any combination of entries, including blanks.
The authentication method none you can specify for administrative access is
different from the fallthru authentication type none, which applies only to
network access. The authentication method none allows access to the WLC
by an administrator. The fallthru authentication type none denies access to a
network user. (See set service-profile [rsn-id | wpa-ie] auth-fallthru on
page 1332.)
Note: You must configure an LDAP server group before you can use LDAP as an
authentication method.

Defaults By default, authentication is deactivated for all console users, and the default
authentication method in a console authentication rule is none. MSS requires no username or
password, by default. These users can press Enter at the prompts for administrative access.
Informational Note: It is recommended that you change the default setting unless the WLC is in a secure
physical location.
189
Access Enabled.
Informational Note: The syntax descriptions for the set authentication commands are separated for
clarity. However, the options and behavior for the set authentication console command are the same as in
previous releases.
Usage You can configure different authentication methods for different groups of users. (For
details, see User Globs, MAC Address Globs, and VLAN Globs on page 27.)
If you specify multiple authentication methods in the set authentication console command, MSS
applies them in the order in which they appear in the command, with these results:
group.
Examples To set the console port so that it does not enforce username-password authentication
for administrators, type the following command:
WLC# set authentication console * none
See Also
set authentication dot1x

Configures authentication and defines how it is performed for specified wireless or wired
authentication clients who use an IEEE 802.1X authentication protocol to access the network
through the MX.
Syntax set authentication dot1x {ssid ssid-name | wired} user-glob [bonded]
protocol method1 [method2] [method3] [method4]
190
ssid
ssid-name
SSID name to which this authentication rule applies. To apply the rule to all
SSIDs, type any.
wired
Applies this authentication rule specifically to users connected to a wired

authentication port.
AAA Commands
user-glob
A single user or a set of users with 802.1X network access.

Specify a username, use the double-asterisk wildcard character (**) to specify all
usernames, or use the single-asterisk wildcard character (*) to specify a set of
usernames up to or following the first delimiter charactereither an at sign (@) or
a period (.). (For details, see User Globs on page 27.)
bonded
Enables Bonded Auth (bonded authentication). When this feature is enabled,

MSS authenticates the user only if the computer that the user is on has already
been authenticated.
191
protocol
Protocol used for authentication. Specify one of the following:

eap-md5Extensible Authentication Protocol (EAP) with message-digest
algorithm 5. For wired authentication clients:
Uses challenge-response to compare hashes
Provides no encryption or integrity checking for the connection
The eap-md5 option does not work with Microsoft wired authentication clients.
eap-tlsEAP with Transport Layer Security (TLS):
Provides mutual authentication, integrity-protected negotiation, and key
exchange
Requires X.509 public key certificates on both sides of the connection
Provides encryption and integrity checking for the connection
Cannot be used with RADIUS server authentication (requires user information
to be in the WLC local database)
peap-mschapv2Protected EAP (PEAP) with Microsoft Challenge
Handshake Authentication Protocol version 2 (MS-CHAP-V2). For wireless
clients:
Uses TLS for encryption and data integrity checking and server-side
authentication.
Provides MS-CHAP-V2 mutual authentication.
Only the server side of the connection needs a certificate.
The wireless client authenticates using TLS to set up an encrypted session. Then
MS-CHAP-V2 performs mutual authentication using the specified AAA method.
pass-throughMSS sends all the EAP protocol processing to a RADIUS
server.
method1
method2
method3
method4
At least one and up to four methods that MSS uses to handle authentication.
localUses the local database of usernames and user groups on the MX
switch for authentication.
authentication. You can enter up to four names of existing RADIUS server
groups as methods.
RADIUS servers cannot be used with the EAP-TLS protocol.For more information,
see Usage.
Defaults By default, authentication is unconfigured for all clients with network access through MP
ports or wired authentication ports on the MX. Connection, authorization, and accounting are also
disabled for these users.
192
AAA Commands
Bonded authentication is disabled by default.

Access Enabled.
History
Version 1.0
Command introduced
Version 2.1
bonded option added for bonded authentication
Version 3.0
Usage You can configure different authentication methods for different groups of users by
globbing. (For details, see User Globs on page 27.)
You can configure a rule either for wireless access to an SSID, or for wired access through an
WLC wired authentication port. If the rule is for wireless access to an SSID, specify the SSID name
or specify any to match on all SSID names. If the rule is for wired access, specify wired instead of
an SSID name.
You cannot configure client authentication that uses both EAP-TLS protocol and one or more
RADIUS servers. EAP-TLS authentication is supported only on the local MX database.
If you specify multiple authentication methods in the set authentication dot1x command, MSS
However, if local appears first, followed by a RADIUS server group, MSS overrides any failed
searches in the local MX database and sends an authentication request to the server group.
If the user does not support 802.1X, MSS attempts to perform MAC authentication for the user. In
this case, if the WLC configuration contains a set authentication mac command that matches the
SSID the user is attempting to access and the user MAC address, MSS uses the method specified
by the command. Otherwise, MSS uses local MAC authentication by default.
If the username does not match an authentication rule for the SSID the user is attempting to
access, MSS uses the fallthru authentication type configured for the SSID, which can be
last-resort, web-portal (for WebAAA), or none. The following command configures EAP-TLS
authentication in the local MX database for SSID mycorp and 802.1X client Geetha:
WLC# set authentication dot1x ssid mycorp Geetha eap-tls local
The following command configures PEAP-MS-CHAP-V2 authentication at RADIUS server groups
sg1 through sg3 for all 802.1X clients at example.com who want to access SSID examplecorp:
WLC# set authentication dot1x ssid examplecorp *@example.com
peap-mschapv2 sg1 sg2 sg3
See Also
193

set service-profile [rsn-id | wpa-ie] auth-fallthru on page 332
set authentication last-resort

Deprecated in MSS Version 5.0. The last-resort user is not required or supported in MSS Version
5.0. Instead, a user who accesses the network on an SSID by using the fallthru access type
last-resort is automatically a last-resort user. The authorization attributes assigned to the user
come from the default authorization attributes set on the SSID.
set authentication mac

Configures authentication and defines where it is performed for specified non-802.1X users with
network access through a media access control (MAC) address.
Syntax set authentication mac {ssid ssid-name | wired} mac-address-glob method1
[method2] [method3] [method4]
ssid ssid-name
SSIDs, type any.
wired

mac-addr-glob
A single user or set of users with access via a MAC address. Specify a MAC
address, or use the wildcard (*) character to specify a set of MAC
addresses. (For details, see MAC Address Globs on page 27.)
method1

method2
method3
method4

localUses the local database of usernames and user groups on the
MX switch for authentication.
authentication. You can enter up to four names of existing RADIUS
server groups as methods.
Defaults By default, authentication is deactivated for all MAC users, which means MAC address
authentication fails by default. When using RADIUS for authentication, the default password for
MAC and last-resort users is Juniper.
194
AAA Commands
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
Version 7.1
Added LDAP as an authentication option.
Usage You can configure different authentication methods for different groups of MAC addresses
by globbing. (For details, see User Globs, MAC Address Globs, and VLAN Globs on page 27.)
If you specify multiple authentication methods in the set authentication mac command, MSS
group.
If the WLC configuration contains a set authentication mac command that matches the SSID the
user is attempting to access and the user MAC address, MSS uses the method specified by the
command. Otherwise, MSS uses local MAC authentication by default.
If the username does not match an authentication rule for the SSID the user is attempting to
access, MSS uses the fallthru authentication type configured for the SSID, which can be
last-resort, web-portal (for WebAAA), or none.
Examples To use the local MX database to authenticate all users who access the mycorp2 SSID
by their MAC address, type the following command:
WLC# set authentication ssid mycorp2 mac ** local
See Also
set authentication mac-prefix

Specifies the MAC address prefix for SSID authentication.
Syntax set authentication mac-prefix {ssid [ ssid | any]} wired mac-glob
Defaults None
Access Enabled.
195

Usage You can configure different authentication methods for different groups of MAC addresses
by globbing. (For details, see User Globs, MAC Address Globs, and VLAN Globs on page 27.)
Examples To set the MAC address glob for authenticating an SSID, use the following command:
WLC# set authentication mac-prefix ssid any 00:00*
set authentication max-attempts

Specifies the maximum number of login attempts users can make before being locked out of the
system.
Syntax set authentication max-attempts number
number
Number of allowable login attempts for a user. You can specify a number between
0 1000. Specifying 0 causes the number of allowable login attempts to reset to
the default values.
Defaults For Telnet or SSH sessions, a maximum of 4 failed login attempts are allowed by default.
For console or network sessions, an unlimited number of failed login attempts are allowed by
default.
Access Enabled.
Usage Use this command to specify the maximum number of failed login attempts allowed for a
user. If the user is unable to log in within the specified number of attempts, the user is locked out of
the system, and access must be manually restored with the clear user lockout command.
Examples To allow users a maximum of 3 attempts to log into the system, type the following
command:
WLC# set authentication max-attempts 3
See Also
set authentication minimum-password-length

Specifies the minimum allowable length for user passwords.
Syntax set authentication minimum-password-length length
length
Minimum number of characters that can be in a user password. You can specify a
minimum password length between 0 32 characters. Specifying 0 removes the
restriction on password length.
Defaults By default, there is no minimum length for user passwords.

196
AAA Commands
Access Enabled.
Usage Use this command to specify the minimum length for user passwords. When this command
is configured, you cannot configure a password shorter than the specified length.
When you enable this command, MSS evaluates the passwords configured on the WLC switch
and displays a list of users whose password does not meet the minimum length restriction.
Examples To set the minimum length for user passwords at 7 characters, type the following
command:
WLC# set authentication minimum-password-length 7
warning: the following users have passwords that are shorter than the
minimum password length dan
admin
user2
goofball
See Also
set authentication password-restrict

Activates password restrictions for network and administrative users.
Syntax set authentication password-restrict {enable | disable}
enable
Enables password restrictions on the WLC.
disable
Disables password restrictions on the WLC.
Defaults By default the password restrictions are disabled.

Access Enabled.
Usage When this command is enabled, the following password restrictions take effect:
Passwords must be a minimum of 10 characters in length, and a mix of uppercase letters,
lowercase letters, numbers, and special characters, including at least two of each (for example,
Tre%Pag32!).
A user cannot reuse any of his or her 10 previous passwords (not applicable to network users).
When a user changes his or her password, at least 4 characters must be different from the
previous password.
197
When you enable the password restrictions, MSS evaluates the passwords configured on the
WLC switch and displays a list of users whose password does not meet the restriction on length
and character types.
Examples To enable password restrictions on the WLC switch, type the following command:
WLC# set authentication password-restrict enable
warning: the following users have passwords that do not have atleast 2
each of upper-case letters, lower-case letters, numbers and special
characters dan
admin
user1
user2
jdoe
jsmith
See Also
set authentication max-attempts on page 196
set authentication proxy

Configures a proxy authentication rule for wireless users on a third-party AP.
Syntax set authentication proxy ssid ssid-name user-glob server-group-name
ssid ssid-name
user-glob
A single user or a set of users.

specify all usernames, or use the single-asterisk wildcard character
(*) to specify a set of usernames up to or following the first delimiter
Globs on page 27.)
radius-server-group
A group of RADIUS servers used for authentication.
Defaults None.
Access Enabled.
Usage AAA for third-party AP users has additional configuration requirements. See the
Configuring AAA for Users of Third-Party APs section in the Configuring AAA for Network
Users chapter of the Juniper Mobility System Software Configuration Guide.
198
AAA Commands
Examples The following command configures a proxy authentication rule that matches on all
usernames associated with SSID mycorp. MSS uses RADIUS server group srvrgrp1 to proxy
RADIUS requests and hence to authenticate and authorize the users.
WLC# set authentication proxy ssid mycorp ** srvrgrp1
See Also
clear authentication proxy on page 173
set radius proxy client on page 501
set radius proxy port on page 502
set authentication web

Configures an authentication rule that allows a user to log into the network using a web page
served by the WLC. The rule can be activated if the user is not otherwise granted or denied access
by 802.1X, or granted access by MAC authentication.
Syntax set authentication web {ssid ssid-name | wired} user-glob
user-glob
A single user or a set of users.

Specify a username, use the double-asterisk wildcard character (**) to specify all
usernames, or use the single-asterisk wildcard character (*) to specify a set of
usernames up to or following the first delimiter charactereither an at sign (@) or
a period (.). (For details, see User Globs on page 27.)
ssid
ssid-name
SSIDs, type any.
wired

method1
At least one and up to four methods that MSS uses to handle authentication.
method2
method3
method4

localUses the local database of usernames and user groups on the MX switch
for authentication.
authentication. You can enter up to four names of existing RADIUS server groups
as methods.
RADIUS servers cannot be used with the EAP-TLS protocol.
ldap_group_name Uses the defined group of LDAP servers for authentication.
You can configure up to four LDAP server groups.
199
Defaults By default, authentication is unconfigured for all clients with network access through MP
ports or wired authentication ports on the MX switch. Connection, authorization, and accounting
are also disabled for these users.
Access Enabled.
History Introduced in MSS 3.0. Added LDAP in MSS 7.1.
Usage You can configure different authentication methods for different groups of users by
globbing. (For details, see User Globs on page 27.)
You can configure a rule either for wireless access to an SSID, or for wired access through an
WLC wired authentication port. If the rule is for wireless access to an SSID, specify the SSID name
or specify any to match on all SSID names. If the rule is for wired access, specify wired instead of
an SSID name.
If you specify multiple authentication methods in the set authentication web command, MSS
However, if local appears first, followed by a RADIUS server group, MSS overrides any failed
searches in the local MX database and sends an authentication request to the server group.
MSS uses a WebAAA rule only under the following conditions:
The client is not denied access by 802.1X or does not support 802.1X.
The client MAC address does not match a MAC authentication rule.
The fallthru type is web-portal. (For a wireless authentication rule, the fallthru type is specified
by the set service-profile auth-fallthru command. For a wired authentication rule, the type is
specified by the auth-fall-thru option of the set port type wired-auth command.)
Examples The following command configures a WebAAA rule in the local MX database for SSID
ourcorp and userglob rnd*:
WLC# set authentication web ssid ourcorp rnd* local
See Also
set location policy

Creates and enables a location policy on an MX. A location policy enables you to locally set or
change authorization attributes for a user after the user is authorized by AAA, without making
changes to the AAA server.
200
AAA Commands
Syntax set location policy deny if {ssid operator ssid-name | time-of-day

operator time-of-day|vlan operator vlan-glob | user operator user-glob |
port port-list | ap ap-num | all }
[before rule-number | modify rule-number]
Syntax set location policy permit {vlan vlan-name | inacl inacl-name | outacl
outacl-name}
if {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob | port
port-list | ap ap-num | all}
[before rule-number | modify rule-number]
deny
Denies access to the network to users with attributes that match the location
policy rule.
permit
Allows access to the network or to a specified VLAN, and/or assigns a

particular security ACL to users with attributes matching the location policy
rule.
Action optionsFor a permit rule, MSS changes the attributes assigned to the user to the
values specified by the following options:
vlan vlan-name
Name of an existing VLAN to assign to users with attributes matching the

location policy rule.
inacl inacl-name
Name of an existing security ACL to apply to packets sent to the MX switch

with attributes matching the location policy rule.
Optionally, you can add the suffix .in to the name.
outacl
outacl-name
Name of an existing security ACL to apply to packets sent from the MX

switch with characteristics that match the location policy rule.
Optionally, you can add the suffix .out to the name.
Condition optionsMSS takes the action specified by the rule if all conditions in the rule are
met. You can specify one or more of the following conditions:
ssid operator
ssid-name
SSID with which the user is associated. The operator must be eq, which
applies the location policy rule to all users associated with the SSID.
Asterisks (wildcards) are not supported in SSID names. You must specify
the complete SSID name.
time-of-day
operator
time-of-day
Time of day that the user is allowed or denied access to the wireless
network.
eqDefines a specific timeframe.
neqDefines any other time than the specified timeframe.
201
vlan operator
vlan-glob
VLAN-Name attribute assigned by AAA and condition that determines if the

location policy rule applies. Replace operator with one of the following
operands:
eqApplies the location policy rule to all users assigned VLAN names
matching vlan-glob.
neqApplies the location policy rule to all users assigned VLAN names
not matching vlan-glob.
For vlan-glob, specify a VLAN name, use the double-asterisk wildcard
character (**) to specify all VLAN names, or use the single-asterisk wildcard
character (*) to specify a set of VLAN names up to or following the first
delimiter character, either an at sign (@) or a period (.). (For details, see
VLAN Globs on page 28.)
user operator
user-glob
Username andv condition that determines if the location policy rule applies.
Replace operator with one of the following operands:
eqApplies the location policy rule to all usernames matching user-glob.
neqApplies the location policy rule to all usernames not matching
user-glob.
For user-glob, specify a username, use the double-asterisk wildcard
character (**) to specify all usernames, or use the single-asterisk wildcard
character (*) to specify a set of usernames up to or following the first
delimiter character, either an at sign (@) or a period (.). (For details, see
User Globs on page 27.)
before
rule-number
Inserts the new location policy rule in front of another rule in the location
policy. Specify the number of the existing location policy rule. (To determine
the number, use the show location policy command.)
modify
rule-number
Replaces the rule in the location policy with the new rule. Specify the number
of the existing location policy rule. (To determine the number, use the show
location policy command.)
port port-list
List of physical port(s) that determines if the location policy rule applies.
Defaults By default, users are permitted VLAN access and assigned security ACLs according to
the VLAN-Name and Filter-Id attributes applied to the users during normal authentication and
authorization.
Access Enabled.
History
Version 1.1
Command introduced
Version 3.2
ssid option added
Usage Only a single location policy is allowed per MX switch. The location policy can contain up to
150 rules. Once configured, the location policy becomes effective immediately. To disable location
policy operation, use the clear location policy command.
202
AAA Commands
Conditions within a rule are ANDed. All conditions in the rule must match in order for MSS to take
the specified action. If the location policy contains multiple rules, MSS compares the user
information to the rules one at a time, in the order the rules appear in the WLC configuration file,
beginning with the rule at the top of the list. MSS continues comparing until a user matches all
conditions in a rule or until there are no more rules.
The order of rules in the location policy is important to ensure users are properly granted or denied
access. To position rules within the location policy, use before rule-number and
modify rule-number in the set location policy command, and the clear location policy
rule-number command.
When applying security ACLs:
Use inacl inacl-name to filter traffic that enters the WLC from users via an MP access port or
wired authentication port, or from the network via a network port.
Use outacl outacl-name to filter traffic sent from the switch to users via an MP access port or
wired authentication port, or from the network via a network port.
You can optionally add the suffixes .in and .out to inacl-name and outacl-name so that they
match the names of security ACLs stored in the local MX database.
Examples The following command denies network access to all users at *.theirfirm.com, causing
them to fail authorization:
WLC# set location policy deny if user eq *.theirfirm.com
The following command authorizes access to the guest_1 VLAN for all users who are not at
*.wodefirm.com:
WLC# set location policy permit vlan guest_1 if user neq *.wodefirm.com
The following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN instead,
and applies the security ACL tac_24 to the traffic they receive:
WLC# set location policy permit vlan bld4.tac outacl tac_24 if user eq
*.ny.ourfirm.com
The following command authorizes access to users on VLANs with names matching bld4.* and
applies security ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they receive:
WLC# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq
bldg4.*
The following command authorizes users entering the network on MX ports 3 through 7 and
port 12 to use the floor2 VLAN, overriding any settings from AAA:
WLC# set location policy permit vlan floor2 if port 3-7,12
The following command places all users who are authorized for SSID tempvendor_a into VLAN
kiosk_1:
WLC# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
See Also
203
set mac-user
Configures a user profile in the local database on the MX for a user who can authenticate by a
MAC address, and optionally adds the user to a MAC user group.
(To configure a MAC user profile in RADIUS, see the documentation for your RADIUS server.)
Syntax set mac-user mac-address-glob[group group-name]
mac-addr-glob
. Allows a group of MAC devices to authenticate, such as a group of VoIP

phones. Ony ine asterisk is allowed and it must be the last character.
The most specific format overrides other formats. For instance,
00:11:30:21:ab:cd overrides an entry of 00:11:30:*.
group-name
Defaults None.
Access Enabled.
History
MSS Version 1.0
Introduced command
MSS Version 6.2
MAC glob introduced.
Usage MSS does not require MAC users to belong to user groups.
Users authenticated by MAC address are authenticated only for network access through the MX.
MSS does not support passwords for MAC users.
Examples The following command creates a user profile for a user at MAC address
01:02:03:04:05:* and assigns the user to the eastcoasters user group:
WLC# set mac-user 01:02:03:04:05:* group eastcoasters
See Also
clear mac-user on page 174
set mac-user attr

Assigns an authorization attribute in the local database on the MX to a user authenticating with a
MAC address.
(To assign authorization attributes through RADIUS, see the documentation for your RADIUS
server.)
204
AAA Commands
Syntax set mac-user mac-address-glob attr attribute-name value

mac-address-glob
MAC address of the user, in hexadecimal numbers separated by

colons (:). You can omit leading zeros.
attribute-name value
Name and value of an attribute used to authorize the MAC user for a
particular service or session characteristic. For a list of authorization
attributes and values that you can assign to local users, see Table 31
on page 206.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 1.1
Authorization attributes encryption-type and time-of-day added
Version 3.0
Authorization attributes end-date, ssid, start-date, and url added
Version 5.0
Authorization attribute acct-interim-interval added
Version 7.1
Attributes qos-profile, simultaneous-logins, and termination-action

added.
Usage To change the value of an attribute, enter set mac-user attr with the new value. To delete
an attribute, use clear mac-user attr.
You can assign attributes to individual MAC users and to MAC user groups. If attributes are
configured for a MAC user and also for the group the MAC user is in, the attributes assigned to the
individual MAC user take precedence for that user. For example, if the start-date attribute
configured for a MAC user is earlier than the start-date configured for the MAC user group for the
user, the MAC user network access can begin as soon as the user start-date. The MAC user does
not need to wait for the MAC user group start date.
205
Table 31.Authentication Attributes for Local Users

Attribute
Description
Valid Value(s)
encryption-type
Type of encryption required for
One of the following numbers that identifies an
access by the client. Clients who
encryption algorithm:
attempt to use an unauthorized

encryption method are rejected.
1AES_CCM (Advanced Encryption Standard

using Counter with CBC-MAC)
Encryption-Type is a Juniper
2Reserved
vendor-specific attribute (VSA). The
4TKIP (Temporal Key Integrity Protocol)
vendor ID is 14525, and the vendor
8WEP_104 (the default) (Wired-Equivalent

Privacy protocol using 104 bits of key strength)
type is 3.
16WEP_40 (Wired-Equivalent Privacy protocol

using 40 bits of key strength)
32NONE (no encryption)
64Static WEP
In addition to these values, you can specify a sum of
them for a combination of allowed encryption types.
For example, to specify WEP_104 and WEP_40, use
24.
end-date
Date and time user access expires.
Date and time, in the following format:

YY/MM/DD-HH:MM
You can use end-date alone or with start-date. You
also can use start-date, end-date, or both in
conjunction with time-of-day.
filter-id
Security access control list (ACL), to
Name of an existing security ACL, up to
(network access mode
permit or deny traffic received (input)
32 alphanumeric characters, with no tabs or spaces.
only)
or sent (output) by the MX switch.

(For more information about security
ACLs, see Chapter , Security ACL
Commands, on page 453.)
Use acl-name.in to filter traffic that enters the

WLC from users via an MP or wired authentication
port, or from the network via a network port.
Use acl-name.out to filter traffic sent from the
WLC to users via an MP port or wired
authentication port, or from the network via a
network port.
If the Filter-Id value returned through the
authentication and authorization process does not
match the name of a committed security ACL in the
WLC, the user fails to authorize and is unable to
authenticate.
idle-timeout
This option is not implemented in the current MSS version.
mobility-profile
Mobility Profile attribute for the user.
Name of an existing Mobility Profile, up to
(For more information, see set
32 alphanumeric characters, with no tabs or spaces.
only)
mobility-profile on page 210.)
If the Mobility Profile feature is enabled, and a user is
Mobility-Profile is a Juniper
assigned a Mobility Profile name that does not exist
on the WLC, the user is denied access.

type is 2.
qos-profile
206
The name of an associated QoS
You must have configured a QoS profile before you
profile.
can apply this attribute.
AAA Commands
Table 31.Authentication Attributes for Local Users (continued)

Attribute
Description
service-type
Type of access requested by the user.
Valid Value(s)
One of the following numbers:

2Framed; for network user access
6Administrative; for administrative access to the
WLC, with authorization to access the enabled
(configuration) mode. The user must enter the
enable command and the correct enable
password to access the enabled mode.
7NAS-Prompt; for administrative access to the
nonenabled mode only. In this mode, the user can
still enter the enable command and the correct
enable password to access the enabled mode.
For administrative sessions, the WLC always sends
6 (Administrative).
The RADIUS server can reply with one of the values
listed above.
If the service-type is not set on the RADIUS server,
administrative users receive NAS-Prompt access,
and network users receive Framed access.
session-timeout
Maximum number of seconds for the
Number between 0 and 4,294,967,296 seconds
users session.
(approximately 136.2 years).
only)
If the global reauthentication timeout (set by the set

dot1x reauth-period command) is shorter than the
session-timeout, MSS uses the global timeout
instead.
simultaneous-
Maximum number of time s a client
logins
can log onto the network.
You can configure a value from 0 to 1000.
ssid
SSID accessible by the user after
Name of the SSID you want the user to use. The
authentication.
SSID must be configured in a service profile, and the

service profile must be used by a radio profile
only)
assigned to Juniper radios in the Mobility Domain.

start-date
Date and time at which the user
Date and time, in the following format:
becomes eligible to access the
YY/MM/DD-HH:MM
network.
You can use start-date alone or with end-date. You
MSS does not authenticate the user
also can use start-date, end-date, or both in
unless the attempt to access the
conjunction with time-of-day.
network occurs at or after the

specified date and time, but before
the end-date (if specified).
termination-action
The type of action taken to terminate

a client on the network.
You can select one of two options:

0 (Default for Disconnect)
1 (Radius-request for Re-authentication)
207

Attribute
Description
Valid Value(s)
time-of-day
Day(s) and time(s) during which the
One of the following:
user is permitted to log into the
neverAccess is always denied.
only)
network.
anyAccess is always allowed.
After authorization, the user session
alAccess is always allowed.
can last until either the Time-Of-Day
One or more ranges of values that consist of one

of the following day designations (required), and a
time range in hhmm-hhmm 4-digit 24-hour format
(optional):
range or the Session-Timeout

duration (if set) expires, whichever is
shorter.
Time-Of-Day is a Juniper
type is 4.
moMonday
tuTuesday
weWednesday
thThursday
frFriday
saSaturday
suSunday
wkAny day between Monday and Friday
Separate values or a series of ranges (except time
ranges) with commas (,) or a vertical bar (|). Do not
use spaces.
The maximum number of characters is 253.
For example, to allow access only on Tuesdays and
Thursdays between 10 a.m. and 4 p.m., specify the
following: time-of-day tu1000-1600,th1000-1600
time-of-day
To allow access only on weekdays between 9 a.m
and 5 p.m., and on Saturdays from 10 p.m. until
only)
2 a.m., specify the following:
(cont.)
time-of-day wk0900-1700,sa2200-0200
(Also see the examples for set user attr on
page 214.)
You can use time-of-day in conjunction with
start-date, end-date, or both.
url
URL to redirect the user after
Web URL, in standard format. For example:
successful WebAAA.
http://www.example.com
only)
You must include the http:// portion.

You can dynamically include any of the variables in
the URL string:
$uUsername
$vVLAN
$sSSID
$pService profile name
To use the literal character $ or ?, use the following:
$$
$q
user-name
name
208
User name to be displayed
User name up to 80 characters and can be numbers

and special characters.
AAA Commands

Attribute
Description
Valid Value(s)
vlan-name
Virtual LAN (VLAN) assignment.
Name of a VLAN that you want the user to use. The
VLAN-Name is a Juniper
VLAN must be configured on an MX within the
only)
Mobility Domain to which this MX belongs.

type is 1.
On some RADIUS servers, you might
need to use the standard RADIUS
attribute Tunnel-Pvt-Group-ID,
instead of VLAN-Name.
acct-interim-interval
Interval in seconds between
Number between 180 and 3,600 seconds, or 0 to
accounting updates, if start-stop
disable periodic accounting updates.
accounting mode is enabled.
The WLC ignores the acct-interim-interval value and

issues a log message if the value is below 60
seconds.
If both a RADIUS server and the WLC supply a value
for the acct-interim-interval attribute, then the value
from the WLC takes precedence.
Examples The following command assigns input access control list (ACL) acl-03 to filter packets
from a user at MAC address 01:02:03:04:05:06:
WLC# set mac-user 01:02:03:04:05:06 attr filter-id acl-03.in
The following command restricts a user at MAC address 06:05:04:03:02:01 to network access
between 7 p.m. on Mondays and Wednesdays and 7 a.m. on Tuesdays and Thursdays:
WLC# set mac-user 06:05:04:03:02:01 attr time-of-day
mo1900-1159,tu0000-0700,we1900-1159,th0000-0700
See Also
clear mac-user attr on page 175
set mac-usergroup attr

Creates a user group in the local database on the MX for users authenticated by a MAC address,
and assigns authorization attributes for the group.
(To configure a user group and assign authorization attributes through RADIUS, see the
documentation for your RADIUS server.)
209
Syntax set mac-usergroup group-name attr attribute-name value

group-name
Name of a MAC user group. Specify a name of up to 32 alphanumeric

characters, with no spaces. The name must begin with an alphabetic
character.
Name and value of an attribute used to authorize all MAC users in the
group for a particular service or session characteristic. (For a list of
authorization attributes, see Table 31 on page 206.)
Defaults None.
Access Enabled.
Usage To change the value of an attribute, enter set mac-usergroup attr with the new value. To
delete an attribute, use clear mac-usergroup attr.
You can assign attributes to individual MAC users and to MAC user groups. If attributes are
configured for a MAC user and also for the group of the MAC user, the attributes assigned to the
individual MAC user take precedence for that user. For example, if the start-date attribute
configured for a MAC user is earlier than the start-date configured for the MAC user group, the
MAC user network access can begin as soon as the user start-date. The MAC user does not need
to wait for the MAC user group start date.
Examples The following command creates the MAC user group eastcoasters and assigns the
group members to VLAN orange:
WLC# set mac-usergroup eastcoasters attr vlan-name orange
See Also
set mobility-profile
Creates a Mobility Profile and specifies the MP and/or wired authentication ports on the WLC
through which any user assigned to the profile is allowed access.
Syntax set mobility-profile name name
{port {none | all | port-list}} | {ap {none | all | apnum}}
210
name
Name of the Mobility Profile. Specify up to 32 alphanumeric characters, with

no spaces.
none
Prevents any user to whom this profile is assigned from accessing any MP
access point or wired authentication port on the WLC switch.
all
Allows any user to whom this profile is assigned to access all MP access
ports and wired authentication port on the WLC switch.
AAA Commands
port-list
List of MP access ports or wired authentication ports through which any user
assigned this profile is allowed access. The same port can be used in
multiple Mobility Profile port lists.
ap-num
List of MP connections through which any user assigned this profile is

allowed access. The same MP can be used in multiple Mobility Profile port
lists.
Defaults No default Mobility Profile exists on the WLC. If you do not assign Mobility Profile
attributes, all users have access through all ports, unless denied access by other AAA servers or
by access control lists (ACLs).
Access Enabled.
History
Version 1.0
Command introduced
Version 2.0
Option dap added for Distributed MPs
Usage To assign a Mobility Profile to a user or group, specify it as an authorization attribute in one
of the following commands:
set user attr mobility-profile name
set usergroup attr mobility-profile name
set mac-user attr mobility-profile name
set mac-usergroup attr mobility-profile name
To enable the use of the Mobility Profile feature on the WLC switch, use the set mobility-profile
mode command.
Warning: When the Mobility Profile feature is enabled, a user is denied access if assigned a
Mobility-Profile attribute in the local WLC database or RADIUS server when no Mobility Profile of that name
exists on the WLC.
To change the ports in a profile, use set mobility-profile again with the updated port list.
Examples The following commands create the Mobility Profile magnolia, which restricts user
access to port 12; enable the Mobility Profile feature on the WLC switch; and assign the magnolia
Mobility Profile to user Jose.
WLC# set mobility-profile name magnolia port 12
WLC# set mobility-profile mode enable
WLC# set user Jose attr mobility-profile magnolia
The following command adds port 13 to the magnolia Mobility Profile (which is already assigned to
port 12):
211
WLC# set mobility-profile name magnolia port 12-13

See Also
set mobility-profile mode

Enables or disables the Mobility Profile feature on the WLC switch.
Warning: When the Mobility Profile feature is enabled, a user is denied access if assigned a Mobility-Profile
attribute in the local WLC database or RADIUS server if no Mobility Profile of that name exists on the WLC.
Syntax set mobility-profile mode {enable | disable}

enable
Enables the use of the Mobility Profile feature on the WLC.
disable
Specifies that all Mobility Profile attributes are ignored by the WLC.
Defaults The Mobility Profile feature is disabled by default.

Access Enabled.
Examples To enable the use of the Mobility Profile feature, type the following command:
WLC# set mobility-profile mode enable
See Also
set user
Configures a user profile in the local database on the MX for a user with a password.
(To configure a user profile in RADIUS, see the documentation for your RADIUS server.)
212
AAA Commands
Syntax set user username password [encrypted] string

username
encrypted
Indicates that the password string you entered is already in its

encrypted form. If you use this option, MSS does not encrypt the
displayed form of the password string, and instead displays the string
exactly as you entered it. If you omit this option, MSS does encrypt
the displayed form of the string.
password string
Password of up to 32 alphanumeric characters, with no spaces.
Defaults None.
Access Enabled.
Usage The show config command shows the encrypted option with this command, even when
you omit the option. The encrypted option appears in the configuration because MSS
automatically encrypts the password when you create the user (unless you use the encrypted
option when you enter the password).
Although MSS allows you to configure a user password for the special last-resort guest user, the
password has no effect. Last-resort users can never access an MX in administrative mode and
never require a password.
The only valid username of the form last-resort-* is last-resort-wired. The last-resort-wired user
allows last-resort access on a wired authentication port.
Examples The following command creates a user profile for user Nin in the local database, and
assigns the password goody:
WLC# set user Nin password goody
success: User Nin created
The following command assigns the password chey3nne to the admin user:
WLC# set user admin password chey3nne
success: User admin created
The following command changes the password for Nin from goody to 29Jan04:
WLC# set user Nin password 29Jan04
See Also
clear user on page 178
213
set user attr

Configures an authorization attribute in the local database on the MX for a user with a password.
(To assign authorization attributes in RADIUS, see the documentation for your RADIUS server.)
Syntax set user username attr attribute-name value
username
Name and value of an attribute you are using to authorize the user for
a particular service or session characteristic. For a list of authorization
attributes and values that you can assign to network users, see
Table 31 on page 206.
Defaults None.
Access Enabled.
MSS Version 1.0
Command introduced.
MSS Version 7.0
The following attributes were added:

simultaneous-loginsrange from 0 (none) to 1000.
termination-actionsselect 0 (terminate session when it expires)
or 1 (re-authenticate by sending a request to the RADIUS server).
user-nametype the username to display in the session information.
Usage To change the value of an attribute, enter set user attr with the new value. To delete an
attribute, use clear user attr.
You can assign attributes to individual users and to user groups. If attributes are configured for a
user and also for the group the user belongs, the attributes assigned to the individual user take
precedence for that user. For example, if the start-date attribute configured for a user is earlier
than the start-date configured for the user group the user is in, the user has network access as
soon as the user start-date. The user does not need to wait for the user group start date.
Examples The following command assigns user Tamara to VLAN orange:
WLC# set user Tamara attr vlan-name orange
The following command assigns Tamara to the Mobility Profile tulip.
WLC# set user Tamara attr mobility-profile tulip
214
AAA Commands
The following command limits the days and times when user Student1 can access the network, to
5 p.m. to 2 a.m. every weekday, and all day Saturday and Sunday:
WLC# set user Student1 attr time-of-day Wk1700-0200,Sa,Su
See Also
clear user attr on page 179
set user expire-password-in

Specifies how long a users password is valid before it must be reset.
Syntax set user username expire-password-in time
username
time
How long the specified users password is valid. The amount of time
can be specified in days (for example, 30 or 30d), hours (720h), or a
combination of days and hours (30d12h).
Defaults By default, user passwords do not expire.

Access Enabled.
Usage Use this command to specify how long a specified users password is valid. After this
amount of time, the users password expires, and a new password will have to be set.
Examples The following command sets user Student1s password to be valid for 30 days:
WLC# set user Student1 expire-password-in 30
See Also
set user group

Adds a user to a user group. The user must have a password and a profile that exists in the local
database on the MX.
(To configure a user in RADIUS, see the documentation for your RADIUS server.)
Syntax set user username group group-name
username
group-name
Name of an existing user group for password users.
215
Defaults None.
Access Enabled.
Usage MSS does not require users to belong to user groups.
To create a user group, user the command set usergroup.
Examples The following command adds user Hosni to the cardiology user group:
WLC# set user Hosni group cardiology
See Also
clear user group on page 179
set usergroup
Creates a user group in the local database on the MX for users and assigns authorization
attributes for the group.
(To create user groups and assign authorization attributes in RADIUS, see the documentation for
your RADIUS server.)
Syntax set usergroup group-name attr attribute-name value
group-name
Name of a group for password users. Specify a name of up to

32 alphanumeric characters, with no spaces. The name must begin
with an alphabetic character.
Name and value of an attribute you are using to authorize all users in
the group for a particular service or session characteristic. For a list of
authorization attributes and values that you can assign to users, see
Defaults None.
Access Enabled.
History
MSS Version 1.0
Command introduced.
MSS Version 7.0
The following attributes were added:

simultaneous-loginsrange from 0 (none) to 1000.
termination-actionsselect 0 (terminate session when it expires) or 1
(re-authenticate by sending a request to the RADIUS server).
user-nametype the username to display in the session information.
Usage To change the value of an attribute, enter set usergroup attr with the new value. To delete
an attribute, use clear usergroup attr.
216
AAA Commands
To add a user to a group, user the command set user group.

You can assign attributes to individual users and to user groups. If attributes are configured for a
user and also for the group the user belongs, the attributes assigned to the individual user take
precedence for that user. For example, if the start-date attribute configured for a user is earlier
than the start-date configured for the user group the user belongs, network access for the user can
begin as soon as the user start-date. The user does not need to wait for the user group start date.
Examples The following command adds the user group cardiology to the local database and
assigns all the group members to VLAN crimson:
WLC# set usergroup cardiology attr vlan-name crimson
See Also
set usergroup expire-password-in

Specifies how long the passwords for the users in user group are valid before they must be reset.
Syntax set usergroup group-name expire-password-in time
group-name
Name of a group for password users.
time
How long the passwords for the users in the specified group are valid.
The amount of time can be specified in days (for example, 30 or 30d),
hours (720h), or a combination of days and hours (30d12h).
Defaults By default, user passwords do not expire.

Access Enabled.
Usage Use this command to specify how long the passwords for the users in a group are valid.
After this amount of time, the passwords expire, and must be reset.
Examples The following command sets the passwords for the users in user group cardiology to be
valid for 30 days:
WLC# set usergroup cardiology expire-password-in 30
See Also
217
set web-portal
Globally enables or disables WebAAA on an WLC.
Syntax set web-portal {enable | disable}
enable
Enables WebAAA on the switch.
disable
Disables WebAAA on the switch.
Defaults Enabled.
Access Enabled.
History
Version 3.0
Command introduced.
Version 4.0
Command name changed from set web-aaa to set web-portal, to match

change to portal-based implementation.
Usage This command disables or reenables support for WebAAA. However, WebAAA has
additional configuration requirements. For information, see the Configuring AAA for Network
Users chapter in the Juniper Mobility System Software Configuration Guide.
Examples To disable WebAAA, type the following command:
WLC# set web-portal disable
See Also
show aaa
Deprecated command.
Syntax show aaa
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 4.0
Web Portal section added, to indicate the state of the WebAAA feature
Version 6.2
Deprecated
show mac-user
Displays a summary or verbose status relating to a specific MAC user or all MAC users.
218
AAA Commands
Syntax show mac-user [mac-glob|verbose]

mac-glob
Displays MAC addresses based on the MAC format
verbose
Displays all MAC user information
Defaults None
Access Enabled
History
Version 6.2
Command introduced
Examples To display all MAC users, type the following command:

WLC# show mac-user
WLC# show mac-user [<mac-glob>|verbose]
MAC
Group
VLAN
----------------
--------
-------
00:11:11:21:11:1
2
Guests
insecure
00:11:11:21:11:*
Guests
red
WLC# show mac-user 00:11:11:21:11:12

MAC
Group
VLAN
----------------
--------
-------
00:11:11:21:11:1
2
Guests
insecure
WLC# show mac-user verbose

MAC:
00:11:11:21:12
Group:
Guests
VLAN
insecure
Other attributes:
ssid:
Juniper
end-date:
01/08/23-12:00
idle-timeout:
120
acct-interim-interval:
180
MAC:
00:11:11:21:*
Group:
Guests
VLAN
insecure
Other attributes:
ssid:
Juniper
end-date:
01/08/23-12:00
219
idle-timeout:
120
180
WLC# show mac-user 00:11:11:21:11* verbose

MAC:
00:11:11:21:*
Group:
Guests
VLAN
insecure
Other attributes:
ssid:
Juniper
end-date:
01/08/23-12:00
idle-timeout:
120
180
Table 36 describes the fields that can appear in the show mac-user output.
Table 32.show mac-user output
Field
Description
MAC
MAC address
Group
Member of a configured group
VLAN
Current VLAN of the MAC user
Other attributes
Other AAA attributes
ssid
Current SSID configured for the MAC user
end-date
The expiration date fo the MAC user
idle-timeout
Number of seconds the user is idle before the connection is lost.
Interval in seconds between accounting updates, if start-stop accounting mode is

enabled.
show mac-usergroup
Displays summary status for all MAC usergroups or verbose status for a specific MAC usergroup.
Syntax show mac-usergroup [mac-ug-name|verbose]
mac-ug-name
Configured usergroup name
verbose
Detailed information about a MAC usergroup
Defaults None
Access Enabled
220
AAA Commands

Examples The following command displays information about MAC usergroups:
WLC# show mac-usergroup [<mac-ug-name>|verbose]
Users Mapped
Other
Attr. of
Group
MAC Usergroup
to Group
VLAN
------------------
--------------
------
Admin
red
Guests
insecure 4
WLC# show mac-usergroup Guests

MAC Usergroup:
Guests2
VLAN:
blue
Other attributes:
ssid:
Juniper
end-date:
01/08/23-12:00
idle-timeout:
120
180
MAC users in this group:

MAC
VLAN
------------
--------
00:11:11:21:11:
12
insecure
00:11:11:21:11:
*
red
WLC# show mac-usergroup Admin

MAC Usergroup:
Admin
VLAN:
red
Other attributes:
ssid:
Juniper
idle-timeout:
120
180
No MAC users in this group.

Table 33 describes the fields that can appear in the show mac-usergroup output.
Table 33.show mac-usergroup output
Field
Description
MAC Usergroup
List of the configured MC Usergroups
Users Mapped to Group
The number of users configured in each group
221
Table 33.show mac-usergroup output

Field
Description
VLAN
The VLAN configured for a usergroup
Other attr of the group
The number of configured attributes for the group
MAC
MAC address
Group
Member of a configured group
VLAN
Current VLAN of the MAC user
Other attributes
Other AAA attributes
ssid
Current SSID configured for the MAC user
end-date
The expiration date fo the MAC user
idle-timeout
Number of seconds the user is idle before the connection is lost.
Interval in seconds between accounting updates, if start-stop accounting mode

is enabled.
show user
Displays a summary of users configured on the WLC. For user globs, wildcards (*) are allowed at
the beginning or end of the string.
Syntax show user [name-glob|verbose]
name-glob
The name of configured user or user glob
verbose
Displays details about users
Defaults None
Access Enabled
Examples Use the following command to display information about configured users on the WLC.
WLC# show user john* verbose
User Name
Status
Group
VLAN
--------------
------------
--------
-------
johndoe
disabled
Admin
red
johnsmith
enabled
Admin
red
guest_access
disabled
Guests
red
WLC# show user *john*
222
User Name
Status
Group
VLAN
--------------
------------
--------
-------
johndoe
disabled
Admin
red
johnsmith
enabled
Admin
red
AAA Commands
WLC# show user verbose

User name:
johndoe
Status:
disabled
Password:
iforgot(encypted)
Group:
Admin
VLAN:
red
Password-expires-in:
12 days
Other attributes:
ssid:
Juniper
end-date:
01/08/23-12:00
idle-timeout:
120
180
User name:
johnsmith
Status:
enabled
Password:
iforgot2(encypted)
Group:
Admin
VLAN:
red
12 days
Other attributes:
None
User name:
guest_access
Status:
disabled
Password:
iforgot3(encypted)
Group:
Admin
VLAN:
red
5 days
Other attributes:
ssid:
Juniper1
end-date:
01/08/20-9:00
idle-timeout:
100
600
WLC# show user *john* verbose

User name:
johndoe
Status:
disabled
Password:
iforgot(encypted)
Group:
Admin
VLAN:
red
12 days
Other attributes:
ssid:
Juniper
223
end-date:
01/08/23-12:00
idle-timeout:
120
180
User name:
johnsmith
Status:
enabled
Password:
iforgot2(encypted)
Group:
Admin
VLAN:
red
12 days
Other attributes:
None
Table 34 describes the fields that can appear in show user output.
Table 34.show user Output
Field
Description
User Name
Name configured for a user on the WLC.
Status
Current condition of the client:

Enabled
Disabled
Password
Displays a users password and if it is encrypted or not.
Group
Name of a usergroup if configured
VLAN
The name of the VLAN configured for the user.
Password-expires-in
The length of time, in days, before a users password expires.
Other attributes
Additional attributes configured for user.
show usergroup
Displays summary status for a single user group or all user groups.
Syntax show usergroup ug-name
Defaults None
Access Enabled
History Command introduced in MSS 6.2
Examples
WLC# show usergroup [<ug-name>}
Users Mapped
224
Other
Attr. of
Group
Usergroup
to Group
VLAN
------------------
--------------
------
Admin
red
Guests
red
Guests2
blue
AAA Commands
WLC# show usergroup Admin

Usergroup:
Admin
VLAN:
red
12 days
Other attributes:
ssid:
Juniper
end-date:
01/08/23-12:00
idle-timeout:
120
180
Users in this group:

User Name
VLAN
------------
--------
johndoe
red
johnsmith
red
WLC# show usergroup Guests2

Usergroup:
Guests2
VLAN:
blue
Other attributes:
None
No users in this group.

Table 35 describes the fields that can appear in the show usergroup output.
Table 35.show usergroup Output
Field
Description
Usergroup
All usergroups configured on the WLC.
Users Mapped to Group
Number of users mapped to a single group.
VLAN
The VLAN configured for the usergroup.
Other Attr of Group
Number of attributes configured for each group.
Password-expires-in
The length of time, in days, that the password is valid.
Other attributes:
Displayed for single usergroup
SSID
The SSID configured for the usergroup.
end-date
The date and time that the usergroup is no longer valid.
idle-timeout
The length of time, in seconds, that a user can be idle before logging out of the network.
acct-interm-interval
Interval in seconds between accounting updates, if start-stop accounting mode is enabled
Users in this group:
All users configured in the usergroup
User Name
Configured user names in this group
VLAN
Assigned VLAN for each user.
225
Table 36.show mac-user Output

Field
Description
MAC
MAC address of the user
Group
The user group for the MAC-user
VLAN
The VLAN assigned to the mac-user
See Also
show accounting statistics

Displays the AAA accounting records for wireless users. The records are stored in the local
database on the MX.
(To display RADIUS accounting records, see the documentation for your RADIUS server.)
Syntax show accounting statistics
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 4.2
Formatting of output enhanced for readability
Examples To display the locally stored accounting records, type the following command:
WLC# show accounting statistics
Dec 14 00:39:48
Acct-Status-Type=STOP
Acct-Authentic=0
Acct-Multi-Session-Id=SESS-3-01f82f-520236-24bb1223
Acct-Session-Id=SESS-3-01f82f-520236-24bb1223
User-Name=vineet
AAA_ACCT_SVC_ATTR=2
Acct-Session-Time=551
Event-Timestamp=1134520788
Acct-Output-Octets=3204
Acct-Input-Octets=1691
226
AAA Commands
Acct-Output-Packets=20
Acct-Input-Packets=19
AAA_VLAN_NAME_ATTR=default
Calling-Station-Id=00-06-25-12-06-38
Nas-Port-Id=3/1
Called-Station-Id=00-0B-0E-00-CC-01
AAA_SSID_ATTR=vineet-dot1x
Dec 14 00:39:53
Acct-Status-Type=START
Acct-Authentic=0
User-Name=vineet
Acct-Multi-Session-Id=SESS-4-01f82f-520793-bd779517
Acct-Session-Id=SESS-4-01f82f-520793-bd779517
Event-Timestamp=1134520793
AAA_ACCT_SVC_ATTR=2
AAA_VLAN_NAME_ATTR=default
Calling-Station-Id=00-06-25-12-06-38
Nas-Port-Id=3/1
Called-Station-Id=00-0B-0E-00-CC-01
AAA_SSID_ATTR=vineet-dot1x
Table 37 describes the fields that can appear in show accounting statistics output.
Table 37.show accounting statistics Output
Field
Description
Date and time
Date and time of the accounting record.
Acct-Status-Type
Type of accounting record:

START
STOP
UPDATE
Acct-Authentic
Location where the user was authenticated (if authentication took place) for the session:
1RADIUS server
2Local MX database
User-Name
Acct-Multi-Session-Id
Unique accounting ID for multiple related sessions in a log file.
AAA_TTY_ATTR
For sessions conducted through a console or administrative Telnet connection, the
Event-Timestamp
Time (in seconds since January 1, 1970) at which the event was triggered. (See
Telnet terminal number.

RFC 2869 for more information.)
Acct-Session-Time
Number of seconds that the session has been online.
Acct-Output-Octets
Number of octets the MX sent during the session.
227
Table 37.show accounting statistics Output (continued)

Field
Description
Acct-Input-Octets
Number of octets the MX received during the session.
Acct-Output-Packets
Number of packets the MX sent during the session.
Acct-Input-Packets
Number of packets the MX received during the session.
Vlan-Name
Name of the client VLAN.
Calling-Station-Id
MAC address of the supplicant (client).
Nas-Port-Id
Number of the port and radio on the MP through which the session was conducted.
Called-Station-Id
MAC address of the MP through which the client reached the network.
See Also
show location policy

Displays the list of location policy rules that make up the location policy on an MX.
Syntax show location policy
Defaults None.
Access Enabled.
Examples The following command displays the list of location policy rules in the location policy on
an MX :
WLC show location policy
Id Clauses
---------------------------------------------------------------1) deny if user eq *.theirfirm.com
2) permit vlan guest_1 if vlan neq *.wodefirm.com
3) permit vlan bld4.tac inacl tac_24.in if user eq *.ny.wodefirm.com
See Also
show mobility-profile
Displays the named Mobility Profile. If you do not specify a Mobility Profile name, this command
shows all Mobility Profile names and port lists on the WLC.
Syntax show mobility-profile [name]
name
Name of an existing Mobility Profile.
Defaults None.
228
AAA Commands
Access Enabled.
History
Version 1.0
Command introduced
Version 2.0
Port type description added:

APMP access port
DAPDistributed MP connection
Examples The following command displays the Mobility Profile magnolia:

WLC# show mobility-profile magnolia
Mobility Profiles
Name
Ports
=========================
magnolia
AP 12
See Also
229
230
Mobility Domain Commands

Use Mobility Domain commands to configure and manage Mobility Domain groups.
A Mobility Domain is a system of WLCs and MPs working together to support a roaming user
(client). One WLC acts as a seed WLC, which maintains and distributes a list of IP addresses of
the domain members.
Smart Cluster is a network resiliency feature added in MSS 7.0. It has the following features:
Centralized configuration of WLCs and MPs.
Autodistribution of configuration parameters to MPs.
Hitless failover on the network if an WLC is unavailable.
Automatic load balancing of MPs across any WLCs in the cluster.
Informational Note: The number of MPs supported on a cluster member is limited to the number
supported on an WLC. It is recommended to use larger capacity WLCs, such as WLC-200s, WLC-216s, or
WLC-2800s in your configuration to obtain the maximum benefits of cluster configuration.
Informational Note: Juniper Networks recommends that you run the same MSS version on all the WLC
switches in a Mobility Domain and Smart Cluster.
This chapter presents Mobility Domain commands alphabetically. Use the following table to locate
commands in this chapter based on their use.
Mobility Domain set mobility-domain mode seed domain-name on page 238

set domain security on page 234
set mobility-domain ap-affinity-group on page 235
set mobility-domain member on page 235
set mobility-domain mode member seed-ip on page 236
show mobility-domain on page 240
show mobility-domain config on page 240
clear mobility-domain ap-affinity-group on page 232
clear mobility-domain member on page 233
clear domain security on page 232
clear mobility-domain on page 232
Virtual Controller
Cluster
load configuration cluster on page 233

set cluster mode on page 233
set cluster preempt on page 234
231
show cluster on page 239

sshow cluster ap on page 239
clear domain security

Disables WLC-WLC security.
Syntax clear domain security
Defaults None.
Access Enabled.
Usage This command is equivalent to the set domain security none command.
Examples The following command disables WLC-WLC security on an WLC:
MX-20# clear domain security
clear mobility-domain
Clears all Mobility Domain configuration and information from an WLC, regardless of whether the
WLC is a seed or a member of a Mobility Domain.
Syntax clear mobility-domain
Defaults None.
Access Enabled.
Usage This command has no effect if the WLC is not configured as part of a Mobility Domain.
Examples To clear a Mobility Domain from an WLC within the domain, type the following
command:
MX-20# clear mobility-domain
See Also
set mobility-domain mode seed domain-name on page 238
clear mobility-domain ap-affinity-group

Clears the AP affinity configuration from the Mobility Domain.
232
Syntax clear mobility-domain ap-affinity-group [address ipaddr netmask

netmask | ip/netmask]
Defaults None
Access Enabled.
clear mobility-domain member

On the seed WLC, the command removes the identified member from the Mobility Domain.
Syntax clear mobility-domain member ip-addr
ip-addr
IP address of the Mobility Domain member, in dotted decimal notation.
Defaults None.
Access Enabled.
Usage This command has no effect if the WLC member is not configured as part of a Mobility
Domain or the current WLC is not the seed.
Examples The following command clears a Mobility Domain member with the IP address
192.168.0.1:
MX-20# clear mobility-domain member 192.168.0.1
See Also set mobility-domain member on page 235
load configuration cluster

Load a previous cluster configuration on the WLC.
Syntax load configuration cluster filename
Defaults None
Access Enabled
Usage This command is only allowed on a Mobility Domain member when Virtual Controller
Cluster is enabled.
set cluster mode

Enable cluster configuration on WLCs in a mobility domain.
Syntax set cluster mode [enable | disable [restore-backup-config]]
enable
Enables cluster mode.
disable
Disables cluster mode after the feature is enabled.
Defaults None
Access Enabled.
233
History .
MSS 7.0
Command introduced.
MSS 7.3
restore-backup-config deprecated.
Usage You must enable cluster mode on all WLCs that are members of the cluster.
Examples The following command enables cluster mode on an WLC in a mobility domain:
WLC# set cluster mode enable
set cluster preempt

Use this command on the secondary seed of the cluster to allow the secondary seed to become
active if the primary seed fails.
Syntax set cluster preempt [enable | disable]
Defaults None
Access Enabled
Usage You can only use this command on the secondary seed of the mobility domain.
Examples The following command enables preempt mode on a secondary seed:
WLC# set cluster preempt enable
set domain security

Enables WLC-WLC security on the WLC Mobility Domain.
Syntax set domain security {none | required}
none
WLC-WLC security is disabled.
required
WLC-WLC security is enabled.
Defaults The default is none. (WLC-WLC security is disabled.)

Access Enabled.
Usage The setting must be the same (none or required) on all switches, the seed and all
members, in the Mobility Domain.
The set domain security none command is equivalent to the clear domain security command.
Examples The following command enables WLC-WLC security on an MX:
WLC# set domain security required
234
set mobility-domain ap-affinity-group

Allows you to specify prefered IP subnets for a primary and backup WLC on the network. It places
APs in affinity groups based on the subnets. A cluster member can belong to multiple affinity
groups.
Syntax set mobility-domain ap-affinity-group address [ipaddr netmask
netmask |ip/masklen]
Defaults None
Access Enabled.
Usage Extends the configuration between the PAM and members.
Examples The following command sets the affinity for the primary WLC, 172.21.26.135:
WLC# set mobility-domain ap-affinity-group address 172.21.26.135 netmask
255.255.255.0
set mobility-domain member

On the seed MX, adds a member to the list of Mobility Domain members. If the current MX is not
configured as a seed, this command is rejected.
Syntax set mobility-domain member ip-addr [key hex-bytes | keyfile filename]
ip-addr
IP address of the Mobility Domain member in dotted decimal notation.
key hex-bytes
Fingerprint of the public key to use for WLC-WLC security. Specify the key as
16 hexadecimal bytes. Use a colon between each byte, as in the following
example:
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
keyfile
Name of the file that contains the key in the above format.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 5.0
Option key hex-bytes added.
Version 7.1
Option keyfile added.
Usage This command must be entered from the seed MX.

Examples The following commands add three MX switches with the IP addresses 192.168.1.8,
192.168.1.9, and 192.168.1.10 as members of a Mobility Domain with a seed as the current MX:
WLC# set mobility-domain member 192.168.1.8
235

See Also
set mobility-domain mode seed domain-name on page 238
set mobility-domain mode member secondary-seed-ip

Sets the IP address of the secondary seed WLC on a nonseed WLC.
Syntax set mobility-domain mode member ip-addr secondary-seed-ip
secondary-seed-ip-addr key hex-bytes
ip-addr
IP address of the mobility domain member.
secondary-seed-ip-addr
IP address of the secondary seed, in dotted decimal notation.
key hex-bytes
Fingerprint of the public key to use for WLC-WLC security. Specify

the key as 16 hexadecimal bytes. Use a colon between each byte,
as in the following example:
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
Defaults None.
Access Enabled.
Examples The following command sets the current WLC as a nonseed member of the Mobility
Domain whose secondary seed has the IP address 192.168.1.8:
WLC# set mobility-domain mode member seed-ip 192.168.1.8
mode is: member
seed IP is: 192.168.1.8
See Also
set mobility-domain mode member seed-ip

On a nonseed WLC, sets the IP address of the seed WLC. This command is used on a member
WLC to configure it as a member. If the WLC is currently part of another Mobility Domain or using
another seed, this command overwrites that configuration.
236
Syntax set mobility-domain mode member seed-ip ip-addr key hex-bytes

ip-addr
IP address of the Mobility Domain member, in dotted decimal notation.
key hex-bytes
Fingerprint of the public key to use for WLC-WLC security. Specify the key as
16 hexadecimal bytes. Use a colon between each byte, as in the following
example:
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 5.0
Option key hex-bytes added.
Examples The following command sets the current WLC as a nonseed member of the Mobility
Domain whose seed has the IP address 192.168.1.8:
WLC# set mobility-domain mode member secondary-seed-ip 192.168.1.8
See Also
set mobility-domain mode secondary-seed domain-name on page 237
set mobility-domain mode secondary-seed domain-name

Ses the current WLC as a secondary-seed device for the Mobility Domain.
Syntax
set mobility-domain mode secondary-seed domain-name
mob-domain-name seed-ip primary-seed-ip-addr
mob-domain-name
Name of the Mobility Domain. Specify between 1 and 32 characters

with no spaces.
primary-seed-ip-addr
The address of the seed device in the Mobility Domain
Defaults None.
Access Enabled.
Usage You can optionally specify a secondary seed in a Mobility Domain. The secondary seed
provides redundancy for the primary seed switch in the Mobility Domain. If the primary seed
becomes unavailable, the secondary seed assumes the role of the seed WLC. This allows the
Mobility Domain to continue functioning if the primary seed becomes unavailable.
When the primary seed WLC fails, the remaining members form a Mobility Domain, with the
secondary seed taking over as the primary seed WLC.
237
If countermeasures had been in effect on the primary seed, they are stopped while the
secondary seed gathers RF data from the member switches. Once the secondary seed has
rebuilt the RF database, countermeasures can be restored.
VLAN tunnels (other than those between the member switches and the primary seed) continue
to operate normally.
Roaming and session statistics continue to be gathered, providing that the primary seed is
uninvolved with roaming.
When the primary seed is restored, the seed resumes the role of the primary seed WLC in the
Mobility Domain. The secondary seed returns to the role of a regular member of the Mobility
Domain.
Examples The following command configures this WLC as the secondary seed in a Mobility
Domain named Pleasanton:
WLC# set mobility-domain mode secondary-seed domain-name Pleasanton
mode is: secondary-seed
domain name is: Pleasanton
See Also
set mobility-domain mode seed domain-name

Creates a Mobility Domain by setting the current WLC as the seed device and naming the Mobility
Domain.
Syntax set mobility-domain mode seed domain-name mob-domain-name
mob-domain-name
Name of the Mobility Domain. Specify between 1 and 32 characters with no

spaces.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 4.1
Maximum length of mob-domain-name increased to 32 characters.
Usage Before you use this command, the current WLC must have an IP address set with the set
system ip-address command. After you enter this command, all Mobility Domain traffic is sent
and received from the specified IP address.
You must explicitly configure only one WLC per domain as the seed. All other WLC switches in the
domain receive their Mobility Domain information from the seed.
Examples The following command creates a Mobility Domain named Pleasanton with the current
WLC as the seed:
238
WLC# set mobility-domain mode seed domain-name Pleasanton

mode is: seed
domain name is: Pleasanton
See Also
show cluster
Displays the cluster configuration and resiliency state on a Mobility Domain.
Syntax show cluster
Defaults None
Access Enabled
Examples The following command displays the cluster configuration and resiliency state:
Network Resiliency Cluster Enabled
Mode
: PRIMARY-SEED
Active Seed
: YES
Network is Resilient
show cluster ap
Displays all MPs configured on cluster member.
Syntax show cluster ap
Defaults None
Access Enabled
Examples The following command displays the MPs configured on a cluster member:
WLC# show cluster ap
Primary AP Manager(PAM) and Secondary AP manager(SAM) List:
Flags:L - Cluster Load Balancing; C - Connection Wait; S - Session setup
Wait
AP
PAM WLC IP
to SAM
---- ---------------------------------
SAM WLC IP
AP connected to PAM
--------------- -------------------
3
YES
192.168.254.85
192.168.254.83
YES
12
YES
192.168.254.83
192.168.254.85
YES
AP connected
239
6
YES
192.168.254.85
192.168.254.83
YES
15
YES
192.168.254.85
192.168.254.83
YES
9
YES
192.168.254.85
192.168.254.83
YES
14
YES
192.168.254.83
192.168.254.85
YES
10
YES
192.168.254.83
192.168.254.85
YES
4
YES
192.168.254.85
192.168.254.83
YES
5
YES
192.168.254.85
192.168.254.83
YES
1
YES
192.168.254.85
192.168.254.83
YES
2
YES
192.168.254.85
192.168.254.83
YES
8
YES
192.168.254.83
192.168.254.85
YES
7
YES
192.168.254.85
192.168.254.83
YES
show cluster upgrade

Displays the upgrade status of each member in the cluster and displays the number of APs that
have been upgraded and how many upgrades are pending on APs.
Syntax show cluster upgrade
Defaults None
Access Enabled
show mobility-domain config

This command was deprecated in MSS 7.0
show mobility-domain
On the seed WLC, displays the Mobility Domain status and members.
Syntax show mobility-domain
Defaults None.
Access Enabled.
240
History
Version 1.0
Command introduced
Version 7.0
Updated with cluster information
Examples To display Mobility Domain status, type the following command:

WLC# show mobility-domain
Mobility Domain name:
Mobility1
Flags: u = up[2], d = down[2], c = cluster enabled[1], p = primary seed,

s = secondary seed (S = cluster preempt mode enabled), m = member, a =
active seed, y = syncing, w = waiting to sync, n = sync completed, f =
sync failed
Member: * = switch behind NAT
Member Flags Model Version NoAPs APCap
----- ------ ------ -------- ----- ----10.2.8.102 upacn MX-800R 7.5.90.0 2 16
10.2.8.65 us-cn MXR-2 7.5.90.0 0 4
10.8.116.105 *um-cn MX-8 7.5.90.0 1 12
Table 38.show mobility-domain Output
Field
Description
Mobility Domain name
Name of the Mobility Domain
Flags
Indicates various states of the Mobility Domain members.

u = up
d = down
c = cluster enabled
p = primary seed
s = secondary seed
m = member
a = active seed
y = syncing
w = waiting to sync
n = sync completed
f = sync failed
Member
IP addresses of the seed WLC and members in the Mobility Domain. * = a remote
site behind a firewall device that supports NAT.
Flags
State of the WLC in the Mobility Domain:

Letters indicate which flags are present.
Model
Model of WLC switch
Version
MSS version running on the WLC.
See Also
241
show mobility-domain ap-affinity-groups

Displays affinity information for a Mobility Domain configuration.
Syntax show mobility-domain ap-affinity-groups
Defaults None
Access Enabled
upgrade cluster
Network resiliency enhancements now allows you to perform an in-service software upgrade on a
cluster configuration.
Access Enabled
Usage The upgrade assumes that the old and new versions of MSS are 7.1 and higher.
Syntax upgrade cluster [force]
242
Network Domain Commands

Use Network Domain commands to configure and manage Network Domain groups.
A Network Domain is a group of geographically dispersed Mobility Domains that share information
over a WAN link. This shared information allows a user configured on an WLC in one Mobility
Domain to establish connectivity with an WLC in another Mobility Domain in the same Network
Domain. The WLC forwards the user traffic by creating a VLAN tunnel to an WLC in the remote
Mobility Domain.
In a Network Domain, one or more WLC switches serve as a seed switch. At least one of the
Network Domain seeds maintains a connection with each of the member WLC switches in the
Network Domain. The Network Domain seeds share information about the VLANs configured on
their members, so that all the Network Domain seeds have a common database of VLAN
information.
This chapter presents Network Domain commands alphabetically. Use the following table to locate
Network Domain set network-domain mode seed domain-name on page 247

set network-domain mode member seed-ip on page 245
set network-domain peer on page 246
show network-domain on page 247
clear network-domain on page 243
clear network-domain mode on page 244
clear network-domain peer on page 244
clear network-domain seed-ip on page 245
clear network-domain
Clears all Network Domain configuration and information from an WLC, regardless of whether the
WLC is a seed or a member of a Network Domain.
Syntax clear network-domain
Defaults None.
Access Enabled.
Usage This command has no effect if the WLC is not configured as part of a Network Domain.
Examples To clear a Network Domain from an WLC within the domain, type the following
command:
MX-20# clear network-domain
243
This will clear all network-domain configuration. Would you like to

continue? (y/n) [n] y
See Also
set network-domain mode seed domain-name on page 247
clear network-domain mode

Removes the Network Domain seed or member configuration from the WLC.
Syntax clear network-domain mode {seed | member}
seed
Clears the Network Domain seed configuration from the WLC.
member
Clears the Network Domain member configuration from the WLC.
Defaults None.
Access Enabled.
Usage This command has no effect if the WLC is not configured as part of a Network Domain.
Examples The following command clears the Network Domain member configuration from the
WLC:
MX-20# clear network-domain mode member
The following command clears the Network Domain seed configuration from the WLC:
MX-20# clear network-domain mode seed
See Also
clear network-domain peer

Removes the configuration of a Network Domain peer from an WLC configured as a Network
Domain seed.
Syntax clear network-domain peer {peer-ip | all}
ip-addr
IP address of the Network Domain peer in dotted decimal notation.
all
Clears the Network Domain peer configuration for all peers from the WLC.
Defaults None.
Access Enabled.
244

Usage This command has no effect if the WLC is not configured as a Network Domain seed.
Examples The following command clears the Network Domain peer configuration for peer
192.168.9.254 from the WLC:
MX-20# clear network-domain peer 192.168.9.254
The following command clears the Network Domain peer configuration for all peers from the WLC:
MX-20# clear network-domain peer all
See Also set network-domain peer on page 246
clear network-domain seed-ip

Removes the specified Network Domain seed from the WLC configuration. When you enter this
command, the Network Domain TCP connections between the WLC switch and the specified
Network Domain seed are closed.
Syntax clear network-domain seed-ip seed-ip
ip-addr
IP address of the Network Domain seed in dotted decimal notation.
Defaults None.
Access Enabled.
Usage This command has no effect if the WLC is not configured as part of a Network Domain, or
if the WLC is not configured as a member of a Network Domain using the specified Network
Domain seed.
Examples The following command removes the Network Domain seed with IP address
192.168.9.254 from the WLC configuration:
MX-20# clear network-domain seed-ip 192.168.9.254
See Also set network-domain mode member seed-ip on page 245
set network-domain mode member seed-ip

Sets the IP address of a Network Domain seed. This command is used for configuring an WLC as
a member of a Network Domain. You can specify multiple Network Domain seeds and configure
one as the primary seed.
Syntax set network-domain mode member seed-ip seed-ip
[affinity num]
ip-addr
IP address of the Network Domain seed, in dotted decimal notation.
num
Preference for using the specified Network Domain seed. You can specify a
value from 1 through 10. A higher number indicates a greater preference.
245
Defaults The default affinity for a Network Domain seed is 5.

Access Enabled.
Usage You can specify multiple Network Domain seeds on the WLC. When the WLC needs to
connect to a Network Domain seed, the WLC first attempts to connect to the seed with the highest
affinity. If that seed is unavailable, the WLC attempts to connect to the seed with the next-highest
affinity. After a connection is made to a non-highest-affinity seed, the WLC switch then periodically
attempts to connect to the highest-affinity seed.
Examples The following command sets the WLC switch as a member of the Network Domain
whose seed has the IP address 192.168.1.8:
WLC# set network-domain mode member seed-ip 192.168.1.8
The following command sets the WLC as a member of a Network Domain with a seed that has the
IP address 192.168.9.254 and sets the affinity for that seed to 7. If the WLC specifies other
Network Domain seeds, and they are configured with the default affinity of 5, then 192.168.9.254
becomes the primary Network Domain seed for the WLC.
WLC# set network-domain mode member seed-ip 192.168.9.254 affinity 7
See Also
set network-domain peer

On a Network Domain seed, configures one or more WLC switches as redundant Network Domain
seeds. The seeds in a Network Domain share information about the VLANs configured on the
member devices, so that all the Network Domain seeds have the same database of VLAN
information.
Syntax set network-domain peer peer-ip
ip-addr
IP address of the Network Domain seed to specify as a peer, in dotted

decimal notation.
Defaults None.
Access Enabled.
Usage This command must be entered on an WLC configured as a Network Domain seed.
Examples The following command sets the WLC with IP address 192.168.9.254 as a peer of this
Network Domain seed:
WLC# set network-domain peer 192.168.9.254
See Also
246
set network-domain mode seed domain-name

Creates a Network Domain by setting the current WLC as a seed device and naming the Network
Domain.
Syntax set network-domain mode seed domain-name net-domain-name
net-domain-name
Name of the Network Domain. Specify between 1 and 16 characters with no

spaces.
Defaults None.
Access Enabled.
Usage Before you use this command, the current WLC must have an IP address set with the set
system ip-address command. After you enter this command, Network Domain traffic is sent and
received from the specified IP address.
You can configure multiple WLC switches as Network Domain seeds. If you do this, you must
identify them as peers by using the set network domain peer command.
Examples The following command creates a Network Domain named California with the current
WLC as a seed:
WLC# set network-domain mode seed domain-name California
See Also
show network-domain
Displays the status of Network Domain seeds and members.
Syntax show network-domain
Defaults None.
Access Enabled.
Examples The output of the command differs based on whether the WLC is a member of a
Network Domain or a Network Domain seed. To display Network Domain status, type the following
command:
WLC# show network-domain
On an WLC that is a Network Domain member, the following output is displayed:
Member Network Domain name: California
Member
State
Mode
247
--------------- ------------- ----------10.67.1.201
UP
MEMBER
10.67.1.200
UP
SEED
On an WLC that is a Network Domain seed, information is displayed about the Network Domains
that WLC is a member, as well as Network Domain seeds with that the WLC has a peer
relationship. For example:
Network Domain name: California
Peer
State
--------------- ------------10.67.1.200
UP
Member
State
Mode
--------------- ------------- ----------10.67.1.201
UP
MEMBER

Table 39.show network-domain Output
Field
Description
Output if WLC is the Network Domain seed:

Network Domain name
Name of the Network Domain for which the WLC is a seed.
Peer
IP addresses of the other seeds in the Network Domain.
State
State of the connection between the WLC and the peer Network Domain seeds:
UP
DOWN
Member
IP addresses of the seed WLC and members in the Network Domain
State
State of the WLC in the Network Domain:

UP
DOWN
Mode
Role of the WLC in the Network Domain:

MEMBER
SEED
Output if WLC is a Network Domain member:

Member Network Domain name Name of the Network Domain with the WLC as a member.
Member
IP addresses of the seed WLC and members in the Network Domain
State
State of the WLC in the Network Domain:

UP
DOWN
Mode
Role of the WLC in the Network Domain:

MEMBER
SEED
See Also
248

249
250
MP Access Point Commands

Use MP access point commands to configure and manage MP access points. Be sure to do the
following before using the commands:
Define the country-specific IEEE 802.11 regulations on the MX. (See set system countrycode
on page 32.)
Install the MP and connect it to a port on the MX. (See the Juniper Indoor Mobility Point
Installation Guide or Juniper Mobility Point MP-620 Installation Guide.)
Configure an MP as a directly connected MP or a Distributed MP.
Warning: Changing the system country code after MP configuration disables MPs and deletes the
configuration. If you change the country code on an MX, you must reconfigure all MPs.
Mixed Cipher Support

All cipher options are now grouped under the command rsn-ie or wpa-ie to allow multiple
ciphers per service profile.
Informational Note: You must enable a cipher such as cipher-tkip before enabling rsn-ie or wpa-ie. For
example to enable cipher-tkip on a service profile, you must use the following sequence of commands:
WLC# set service-profile profile-name wpa-ie cipher-tkip enable

success:change accepted.
WLC# set service-profile profile-name wpa-ie enable
This chapter presents MP access point commands alphabetically. Use the following table to locate
New
New
New
New
WAN
Data Path Encryption

Automatic
Configuration of
Distributed MPs
set ap tunnel mode on page 292

set remote ap wan outage mode on page 296
set remote ap data security mode on page 293
set domain data security on page 294
set ap auto on page 263
set ap auto mode on page 266
set ap auto radiotype on page 267
set ap auto persistent on page 266
set ap bias on page 268
set ap blink on page 269
251
set ap group on page 278

set ap radio auto-tune max-power on page 283
set ap radio auto-tune max-retransmissions on
page 284
set ap radio mode on page 288
set ap radio radio-profile on page 289
set ap upgrade-firmware on page 299
External Antennas
set ap radio antennatype on page 282

set ap radio antenna-location on page 281
MP-MP Tunneling
set ap tunnel-affinity on page 292
MP-WLC security
set ap fingerprint on page 276

set ap security on page 291
Static IP Address
Assignment for
Distributed MPs
set ap boot-configuration ip on page 269

set ap boot-configuration switch on page 274
set ap boot-configuration vlan on page 275
clear ap boot-configuration on page 259
show ap boot-configuration on page 394
Radio Profile
Assignment
Updated

set radio-profile mode on page 316
clear radio-profile on page 261
set radio-profile service-profile on page 323
show radio-profile on page 400
SSID Assignment
set service-profile ssid-name on page 351

set service-profile ssid-type on page 352
set service-profile beacon on page 334
Radio Properties
set radio-profile active-scan on page 302

set radio-profile beacon-interval on page 309
set radio-profile countermeasures on page 311
Updated
set radio-profile dfs-channels on page 312

set radio-profile weighted-fair-queuing on page 313
set radio-profile frag-threshold on page 313
set radio-profile max-rx-lifetime on page 314
set radio-profile preamble-length on page 319
252
set radio-profile rts-threshold on page 323
Updated
Authentication and
Encryption
Updated
set service-profile attr on page 330

set service-profile [rsn-ie | wpa-ie] auth-dot1x on
page 331
set service-profile [rsn-ie | wpa-ie] auth-psk on page 333
set service-profile web-portal-form on page 359
set service-profile web-portal-acl on page 357
Updated
Updated
set service-profile wpa-ie on page 365
Updated
set service-profile rsn-ie on page 350
Updated
set service-profile [rsn-ie | wpa-ie ]cipher-ccmp on

page 337
Updated
set service-profile [rsn-ie | wpa-ie] cipher-tkip on

page 338
Updated
set service-profile [rsn-ie | wpa-ie] cipher-wep104 on

page 338
Updated
set service-profile [rsn-ie | wpa-ie ] cipher-wep40 on

page 339
set service-profile [rsn-ie | wpa-ie] psk-phrase on
page 348
Updated
set service-profile [rsn-ie | wpa-ie] psk-raw on page 349

set service-profile tkip-mc-time on page 354
set service-profile wep active-multicast-index on
page 363
set service-profile wep active-unicast-index on
page 363
set service-profile wep key-index on page 364
set service-profile keep-initial-vlan on page 343
set service-profile transmit-rates on page 354
set service-profile long-retry-count on page 344
set service-profile short-retry-count on page 351
set service-profile shared-key-auth on page 350
show service-profile on page 404
clear service-profile on page 262
QoS and VoIP
set radio-profile qos-mode on page 320

set radio-profile wmm-powersave on page 328
253
set service-profile cac-mode on page 335

set service-profile cac-session on page 336
Updated
set service-profile static-cos on page 353

set service-profile cos on page 340
Updated
set service-profile use-client-dscp on page 356

DHCP Restrict
set service-profile dhcp-restrict on page 341
Broadcast control
set service-profile no-broadcast on page 346
Proxy ARP
set service-profile proxy-arp on page 347
Keepalives and
session timers
set service-profile idle-client-probing on page 342

set service-profile user-idle-timeout on page 357
set service-profile web-portal-session-timeout on
page 362
Radio transmit rates

set radio-profile rate-enforcement on page 320
Transmission retries

RF Auto-Tuning
set radio-profile auto-tune 11a-channel-range on

page 302
set radio-profile auto-tune channel-holddown on
page 304
Updated
set radio-profile auto-tune channel-interval on page 305

set radio-profile auto-tune channel-lockdown on
page 305
Updated
set radio-profile auto-tune power-config on page 306

set radio-profile auto-tune power-interval on page 307
set radio-profile auto-tune power-lockdown on page 308
show auto-tune neighbors on page 392
show auto-tune attributes on page 391
AeroScout tag
support
set radio-profile rf-scanning mode on page 322
Radio State
Dual Homing
RF Load Balancing
set ap radio load-balancing on page 286

clear ap radio load-balancing group on page 260
set band-preference on page 300
254
set load-balancing mode on page 300

set load-balancing strictness on page 301
set service-profile load-balancing-exempt on page 343
show load-balancing group on page 399
MP Administration
and Maintenance
set ap name on page 280

set ap force-image-download on page 277
reset ap on page 263
Updated
set ap power-mode on page 281
Updated
set ap radio channel on page 284

set ap radio tx-power on page 290
set ap image on page 278
set ap led-mode on page 278
clear ap radio on page 257
show ap config radio on page 371
show ap status on page 385
show ap counters on page 374
show ap global on page 397
show ap connection on page 395
show ap unconfigured on page 398
show ap qos-stats on page 381
show ap etherstats on page 383
MP Local Switching
set ap local-switching mode on page 279

clear ap local-switching vlan-profile on page 256
show ap arp on page 369
show ap fdb on page 380
show ap vlan on page 390
WLAN Mesh Services
set ap boot-configuration mesh mode on page 271

set ap boot-configuration mesh psk-phrase on page 271
set ap boot-configuration mesh psk-raw on page 272
set ap boot-configuration mesh ssid on page 273
set service-profile mesh on page 345
set service-profile bridging on page 335
255

show ap mesh-links on page 384
AirDefense Integration
set ap image on page 278

clear ap image on page 256
clear ap image
Clears an AirDefense sensor software image file from the configuration on an MP.
Syntax clear ap apnum image
Index value that identifies the MP to the WLC. You can specify a value
between 1 and 9999.
ap apnum
Defaults None.
Access Enabled.
History
Version 5.0
Command introduced.
Version 6.0
Option dap removed.
Version 6.2
Added index value range of 1-9999.
Usage Use this command to configure an MP that was converted to an AirDefense sensor to
revert back to an MP. When you do this, the next time the MP is booted, it becomes a Juniper
Mobility Point.
Examples
Examples The following command causes the AirDefense sensor software file to be cleared from
the configuration of MP 1:
WLC# clear ap 1 image
See Also set ap image on page 278
clear ap local-switching vlan-profile

Clears the VLAN profile that had been applied to an MP to use with local switching.
Syntax clear ap apnum local-switching vlan-profile
apnum
Index value that identifies the MP on the WLC. You can specify a value between 1
and 9999.
Defaults None.
Access Enabled.
256
History
Version 6.0
Command was introduced.
Version 6.2
Added index value range of 1 to 9999.
being tunneled back to an WLC.
Use this command to reset the VLAN profile used by the MP for local switching to the default
VLAN profile. Traffic that was locally switched because of an entry in the cleared VLAN profile is
tunneled to an WLC.
When clearing a VLAN profile causes traffic that was locally switched by MPs to be tunneled to an
WLC, the sessions of clients associated with the MPs with the VLAN profile are terminated, and
the clients must re-associate with the MPs.
Examples The following command clears the VLAN profile that was applied to MP 7:
WLC# clear ap 7 local-switching vlan-profile
See Also
clear ap radio
Disables an MP radio and resets it to its factory default settings.
Syntax clear ap apnum radio {1 | 2 | all}
ap apnum
Index value that identifies the MP on the WLC. You can specify a value
between 1 and 9999.
radio 1
Radio 1 of the MP.
radio 2
Radio 2 of the MP. (This option does not apply to single-radio models.)
radio all
All radios on the MP.
Defaults The clear ap radio command resets the radio to the default settings listed in Table 40
and in Table 42 on page 316.
Table 40.Radio-Specific Parameters
Parameter
Default Value
antenna-
indoors
location
Description
Location of the radio antenna.
This parameter applies only to MP models that support
external antennas.
257
Table 40.Radio-Specific Parameters (continued)

Parameter
Default Value
Description
antennatype
For most MP models, the default is
Juniper external antenna model
internal.
This parameter applies only to MP models that support
For MP-620, the default for the
external antennas.
802.11b/g radio is ANT-1360-OUT.

The default for the 802.11a radio is
ANT-5360-OUT.
The default for the 802.11b/g radio
on model MP-262 is ANT1060.
auto-tune
Highest setting allowed for the
Maximum percentage of client retransmissions a radio can
max-power
country of operation or highest
experience before RF Auto-Tuning considers changing the
setting supported on the hardware,
channel on the radio.
whichever is lower.
channel
802.11b/g6
Number of the channel on which a radio transmits and
802.11aLowest valid channel

number for the country of
operation.
receives traffic.
mode
disable
Operational state of the radio.
radio-profile
None. You must add the radios to a
802.11 settings
radio profile.
tx-power
Highest setting allowed for the
Transmit power of a radio, in decibels referred to 1 milliwatt
country of operation or highest
(dBm)
setting supported on the hardware,

whichever is lower.
Access Enabled
History
Version 1.0
Command introduced.
Version 2.0
Option dap added for Distributed MPs.
Version 5.0
Option antenna-location added.

Option auto-tune min-client-rate removed.
Option auto-tune max-retransmissions removed.
Version 6.0
Version 6.2
Option dap removed for distributed MPs.

Usage When you clear a radio, MSS performs the following actions:
Clears the transmit power, channel, and external antenna setting from the radio.
Removes the radio from its radio profile and places the radio in the default radio profile.
This command does not affect the PoE setting.
Examples The following command disables and resets radio 2 on the MP connected to port 3:
WLC# clear ap 3 radio 2
See Also
258

clear ap boot-configuration
Removes the static IP address configuration for a Distributed MP.
Syntax clear ap apnum boot-configuration
ap apnum
Index value that identifies the MP on the WLC. You can specify a value from
1 to 9999.
Defaults None.
Access Enabled.
History
Version 4.2
Command introduced.
Version 6.0
Option dap removed.
Version 6.2
Added a range of 1 to 9999 for index value.
Usage When the static IP configuration is cleared for an MP, and an MP is rebooted, it uses the
standard boot process.
Examples The following command clears the static IP address configuration for MP 1.
WLC# clear ap 1 boot-configuration
This will clear specified AP devices. Would you like to continue? (y/n)
[n]y
See Also
259
clear ap radio load-balancing group

Removes an MP radio from a load-balancing group.
Syntax clear ap apnum radio {1 | 2} load-balancing group
ap apnum
Index value that identifies the MP on the WLC. You can specify a value from 1
to 9999.
radio 1
Radio 1 of the MP.
radio 2
Defaults None.
Access Enabled.
History
Version 6.0
Command introduced.
Version 6.2
Usage If an MP radio has been assigned to an RF load balancing group, you can use this
command to remove the MP radio from the group.
Examples The following command clears radio 1 on MP 7 from the load balancing group to which
it had been assigned:
WLC# clear ap 7 radio 1 load-balancing group
WLC#
See Also
260
clear radio-profile
Removes a radio profile or resets one of the profile parameters to the default value.
Syntax clear radio-profile name [parameter]
name
Radio profile name.
parameter
Radio profile parameter:

beacon-interval
countermeasures
dtim-interval
frag-threshold
max-rx-lifetime
max-tx-lifetime
preamble-length
rts-threshold
service-profile
snoop
weighted-fair-queuing
(For information about these parameters, see the set radio-profile
commands that use them.)
Defaults If you reset an individual parameter, the parameter is returned to the default value listed
in Table 42 on page 316.
Access Enabled.
History
Version 1.0
Command introduced.
Version 1.1
Option added to clear individual radio-profile parameter instead of entire

profile.
Version 3.0
Parameters that no longer apply to radio profiles in MSS Version 3.0

removed:
beaconed-ssid
clear-ssid
crypto-ssid
shared-key-auth
service-profile parameter added.
Version 4.1
countermeasures parameter added.
261
Version 4.2

removed:
long-retry
short-retry
Usage If you specify a parameter, the setting is reset to the default value. The settings of the other
parameters are unchanged and the radio profile remains in the configuration. If you do not specify
a parameter, the entire radio profile is deleted from the configuration. All radios that use this profile
must be disabled before you can delete the profile.
Examples The following commands disable the radios using radio profile rp1 and reset the
beaconed-interval parameter to the default value:
WLC# set radio-profile rp1 mode disable
WLC# clear radio-profile rp1 beacon-interval
The following commands disable the radios using radio profile rptest and remove the profile:
WLC# set radio-profile rptest mode disable
WLC# clear radio-profile rptest
See Also
clear service-profile
Removes a service profile or resets one of the profile parameters to the default value.
Syntax clear service-profile name
name
Service profile name.
Defaults None.
Access Enabled.
History
Version 3.0
Command introduced
Version 4.2
Options added to clear SODA parameters.
Version 7.5
SODA parameters removed.
Usage If the service profile is mapped to a radio profile, you must remove it from the radio profile
first. (After disabling all radios that use the radio profile, use the clear radio-profile name
service-profile name command.)
262
Examples The following commands disable the radios using radio profile rp6, remove
service-profile svcprof6 from rp6, then clear svcprof6 from the configuration.
WLC# clear radio-profile rp6 service-profile svcprof6
WLC# clear service-profile svcprof6
clear radio-profile on page 261
reset ap
Restarts an MP access point.
Syntax reset ap apnum
between 1 and 9999.
ap apnum
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced.
Version 2.0
Version 6.0
Option dap removed.
Version 6.2
Usage When you enter this command, the MP drops all sessions and reboots.
Warning: Restarting an MP can cause data loss for users who are currently associated with the MP.
Examples The following command resets MP 7:

WLC# reset ap 7
This will reset specified AP devices. Would you like to continue? (y/n)y
success: rebooting ap attached to port 7
set ap auto
Creates a profile for automatic configuration of MPs.
263
Syntax set ap auto

Defaults None.
Access Enabled.
History
Version 4.0
Command introduced.
Version 4.2
Option persistent added.

Option force-image-download added.
Version 5.0
Option radio num auto-tune min-client-rate removed.

Option radio num tx-pwr removed.
Version 6.0
Option dap removed.
Version 7.1
Options power-mode, time-out, and tunnel-affinity added.
Usage Table 41 lists the configurable profile parameters and the default values. The only
parameter that requires configuration is the profile mode. The profile is disabled by default. To use
the profile to configure Distributed MPs, you must enable the profile using the set ap auto mode
enable command.
The profile uses the default radio profile by default. You can change the profile using the set ap
auto radio radio-profile command. You can use set ap auto commands to change settings for
the parameters listed in Table 41. (The commands are listed in the See Also section.)
Table 41.Configurable Profile Parameters for Distributed MPs
Parameter
Default Value
MP Parameters
bias
high
blink
disable
(Not shown in show ap config output)

force-image-download
disable (NO)
group (load balancing group)
none
led-mode
disabled
local-switching
disabled
mode
disabled
persistent
none
power-mode
auto
time-out
25 seconds
tunnel-affinity
upgrade-firmware (boot-download-enable)
enable (YES)
Radio Parameters
264
radio num auto-tune max-power
default
radio num mode
enabled
radio num radio-profile
default
Table 41.Configurable Profile Parameters for Distributed MPs (continued)

Parameter
Default Value
radiotype
11g
(or 11b for country codes where 802.11g is not allowed)
Examples The following command creates a profile for automatic Distributed MP configuration:
WLC# set ap auto
See Also
265
set ap auto mode

Enables an WLC profile for automatic Distributed MP configuration.
Syntax set ap auto mode {enable | disable}
enable
Enables the MP configuration profile.
disable
Disables the MP configuration profile.
Defaults The MP configuration profile is disabled by default.

Access Enabled.
History I
Version 4.0
Command introduced.
Version 6.0
Option dap removed.
Usage You must use the set ap auto command to create the profile before you can enable it.
Examples The following command enables the profile for automatic Distributed MP configuration:
WLC# set ap auto mode enable
See Also
set ap auto persistent

Converts a temporary MP configuration created by the MP configuration profile into a persistent
MP configuration on the WLC.
Syntax set ap auto persistent [apnum | all]
266
apnum
to 9999.
all
Converts the configurations of all Auto-APs being managed by the WLC into
permanent configurations.
Defaults None.
Access Enabled.
History I
Version 4.0
Introduced command.
Version 6.0
Option dap removed.
Version 6.2
Added the index value range of 1 to 9999.
Usage To display the Distributed MP numbers assigned to Auto-MPs, use the show ap status all
command.
Examples The following command converts the configuration of Auto-AP 10 into a permanent
configuration:
WLC# set ap auto persistent 10
See Also
set ap auto radiotype

Sets the radio type for single-MP radios that use the MP configuration profile.
Syntax set ap auto [radiotype {11a | 11b| 11g}]
radiotype 11a | 11b | 11g
Radio type:
11a802.11a
11b802.11b
11g802.11g
Defaults The default radio type for models AP2750, MP-241, and MP-341, and for the 802.11b/g
radios in other models is 802.11g in regulatory domains that support 802.11g, or 802.11b in
regulatory domains that do not support 802.11g.
Access Enabled.
History
Version 4.0
Command introduced.
Version 5.0
Option 11a supported.
Version 6.0
Option dap removed.
267
Usage If you set the radiotype to 11a and the MP configuration profile is used to configure a
two-radio MP model, radio 1 is configured as an 802.11b/g radio and radio 2 is configured as the
802.11a radio. Because this is the reverse of the standard configuration (where radio 1 is the
802.11a radio and radio 2 is the 802.11b/g radio), the radio 1 settings configured in the MP
configuration profile are applied to radio 2. Likewise, the radio 2 settings configured in the profile
are applied to radio 1. This behavior ensures that settings for radio 1 are always applied to the
80211a radio, regardless of the radio number.
Examples The following command sets the radio type to 802.11b:
WLC# set ap auto radiotype 11b
See Also
set ap bias
Changes the bias for an MP. Bias is the priority of one MX over other MX switches for booting and
configuring the MP.
Syntax set ap apnum auto bias {high | low}
auto
Configures bias for the MP configuration profile. (See set ap auto on

page 263.)
high
High bias.
low
Low bias.
Defaults The default bias is high.

Access Enabled.
History
Version 1.0
Command introduced.
Version 2.0
Version 4.0
Option auto added for configuration of the MP configuration profile.
Version 6.0
Option dap removed.
Usage High bias is preferred over low bias. Bias applies only to WLC switches indirectly attached
to the MP through an intermediate Layer 2 or Layer 3 network. An MP always attempts to boot on
MP port 1 first, and if an MX is directly attached on MP port 1, the MP always boots from it.
If MP port 1 is indirectly connected to WLC switches through the network, the MP boots from the
WLC with the high bias for the MP. If the bias for all connections is the same, the MP selects the
WLC that has the greatest capacity to add more active MPs. For example, if an MP is dual homed
to two WLC-400 switches, and one of the switches has 50 active MPs while the other WLC has 60
active MPs, the new MP selects the WLC that has only 50 active MPs.
268
If the boot request on MP port 1 fails, the MP attempts to boot over its port 2, using the same
process described above.
The following command changes the bias for a Distributed MP to low:
WLC# set ap 1 bias low
See Also show ap config radio on page 371
set ap blink
Enables or disables LED blink mode on an MP to make it easy to identify. When blink mode is
enabled on MP-xxx models, the health and radio LEDs alternately blink green and amber. When
blink mode is enabled on an AP2750, the 11a LED blinks on and off. By default, blink mode is
disabled.
Syntax set ap apnum blink {enable | disable}
ap apnum
1 to 9999.
enable
Enables blink mode.
disable
Disables blink mode.
Defaults LED blink mode is disabled by default.

Access Enabled.
History
Version 1.0
Command introduced
Version 2.0
Version 4.0
Version 6.0
Option dap removed.
Version 6.2
Version 7.1
Option auto removed.
Usage Changing the LED blink mode does not alter operation of the MP access point. Only the
behavior of the LEDs is affected.
Examples The following command enables LED blink mode on the MP access points connected
to ports 3 and 4:
WLC# set ap 3-4 blink enable
set ap boot-configuration ip
Specifies static IP address information for a Distributed MP.
269
Syntax set ap apnum boot-configuration ip ip-addr netmask mask-addr gateway

gateway-addr [mode {enable | disable}]
ap apnum
Index value that identifies the MP on the WLC. You can specify a
value from 1 to 9999.
ip ip-addr
The IP address to be assigned to the MP, in dotted decimal

notation (for example, 10.10.10.10).
netmask mask-addr
The subnet mask, in dotted decimal notation (for example,

255.255.255.0).
gateway gateway-addr
The IP address of the next-hop router, in dotted decimal notation.
mode {enable | disable}
Enables or disables the static IP address for the MP.
Defaults By default MPs use DHCP to obtain an IP address, rather than a using a manually
assigned IP address.
Access Enabled.
History
Version 4.2
Command introduced.
Version 6.0
Option dap removed.
Version 6.2
Usage Normally, Distributed MPs use DHCP to obtain IP address information. In some
installations, DHCP may not be available. In this case, you can assign static IP address
information to the MP, including the MP IP address and netmask, and default gateway.
If the manually assigned IP information is incorrect, the MP uses DHCP to obtain an IP address.
Examples The following command configures MP 1 to use IP address 172.16.0.42 with a 24-bit
netmask, and use 172.16.0.20 as its default gateway:
WLC# set ap 1 boot-configuration ip 172.16.0.42 netmask 255.255.255.0
gateway 172.16.0.20
See Also
set ap boot-configuration switch on page 274
270
set ap boot-configuration mesh mode

Enables WLAN mesh services on the MP.
Syntax set ap apnum boot-configuration mesh mode {enable | disable}
ap apnum
Index value that identifies the MP on the WLC. This can be a value
from 1 to 9999.
Enables or disables WLAN mesh services for the MP.
Defaults Disabled.
Access Enabled.
History Introduced in MSS .
Version 6.0
Command introduced.
Version 6.2
Added index value range from 1 to 9999.
Usage Use this command to enable WLAN mesh services for an Mesh AP. Prior to deploying the
Mesh AP in a final untethered location, you must connect the MP to an WLC and enter this
command to configure the MP for mesh services.
Examples The following command enables WLAN mesh services for MP 7:
WLC# set ap 7 boot-configuration mesh mode enable
See Also
set ap boot-configuration mesh psk-phrase

Specifies a preshared key (PSK) phrase that a Mesh AP uses for authentication to its Mesh Portal
AP.
Syntax set ap apnum boot-configuration mesh psk-phrase passphrase
ap apnum
Index value that identifies the MP on the WLC. You can specify a value from 1 to
9999.
passphrase
An ASCII string from 8 to 63 characters long. The string can contain blanks if
you use quotation marks at the beginning and end of the string.
Defaults None.
Access Enabled.
271
History
Version 6.0
Command introduced.
Version 6.2
Usage Use this command to configure the preshared key that a Mesh AP uses to authenticate to
a Mesh Portal AP. You must connect the MP to an WLC and enter this command to configure the
MP for mesh services prior to deploying the Mesh AP in its final untethered location.
MSS converts the passphrase into a 256-bit binary number for system use and a raw hexadecimal
key to store in the WLC configuration. Neither the binary number nor the passphrase is ever
displayed in the configuration. To use PSK authentication, you must enable it and you also must
enable WPA IE or WPA2 IE. .
Examples The following command configures MP 7 to use passphrase
1234567890123<>?=+&% The quick brown fox jumps over the lazy dog when authenticating
with a Mesh Portal AP
WLC# set ap 7 boot-configuration mesh psk-phrase "1234567890123<>?=+&%
The quick brown fox jumps over the lazy dog"
success: change accepted..
See Also
set ap boot-configuration mesh psk-raw

Configures a raw hexadecimal preshared key (PSK) to use for authenticating a Mesh AP to a
Mesh Portal AP. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise
session keys for individual WPA clients.
Syntax set ap apnum boot-configuration mesh psk-raw hex
apnum
1 to 9999.
hex
A 64-bit ASCII string representing a 32-digit hexadecimal number. Enter the

two-character ASCII form of each hexadecimal number.
Defaults None.
Access Enabled.
History
272
Version 6.0
Command introduced.
Version 6.2
Usage Use this command to configure the preshared key that a Mesh AP uses to authenticate to
a Mesh Portal AP. You must connect the MP to an WLC and enter this command to configure the
MP for mesh services prior to deploying the Mesh AP to a final untethered location.
MSS converts the hexadecimal number into a 256-bit binary number for system use. MSS also
stores the hexadecimal key in the WLC configuration. The binary number is never displayed in the
configuration. To use PSK authentication, you must enable it and you also must enable WPA IE or
WPA2 IE.
Examples The following command configures MP7 to use a raw PSK to authenticate with a Mesh
Portal AP:
WLC# set ap 7 boot-configuration mesh psk-raw
c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
See Also
set ap boot-configuration mesh ssid

Specifies the name of the SSID a Mesh AP attempts to associate with when the AP is booted.
Syntax set ap apnum boot-configuration mesh ssid mesh-ssid
ap apnum
1 to 9999.
mesh-ssid
Name of the mesh SSID (up to 32 characters).
Defaults None.
Access Enabled.
History
Version 6.0
Command introduced.
Version 6.2
Add the index value range of 1 to 9999.
Usage You must connect the MP to an WLC and enter this command to specify the mesh SSID
prior to deploying the Mesh AP in its final untethered location. When the MP is booted in an
untethered location, and determines that it has no Ethernet link to the network, it then associates
with the specified mesh-ssid.
Note that when the mesh-ssid is specified, the regulatory domain of the WLC and the power
restrictions are copied to the MP flash memory. This prevents the Mesh AP from operating outside
of regulatory limits after the AP is booted and before the AP receives a complete configuration
from the WLC. Consequently, it is important that the regulatory and antenna information specified
on the WLC actually reflects the locale where the Mesh AP is to be deployed, in order to avoid
regulatory violations.
273
Examples The following command configures MP 7 to attempt to associate with the SSID
wlan-mesh when booted in an untethered location:
WLC# set ap 7 boot-configuration mesh ssid wlan-mesh
See Also
set ap boot-configuration mesh mode on page 271
set ap boot-configuration switch

Specifies the WLC that a Distributed MP contacts and attempts to use as the boot device.
Syntax set ap apnum boot-configuration switch [switch-ip ip-addr] [name name
dns ip-addr] [mode {enable | disable}]
ap apnum
switch-ip ip-addr
The IP address of the WLC to boot the Distributed MP.
name name
The fully qualified domain name of the WLC that the Distributed
MP boots from. When both a name and a switch-ip are specified,
the MP uses the name.
dns ip-addr
The IP address of the DNS server used to resolve the specified

name of the WLC.
Enables or disables the MP using the specified boot device.
Defaults By default MPs use the process described in Default MP Boot Process, in the Juniper
Mobility System Software Configuration Guide to boot from an WLC, instead of using a manually
specified WLC.
Access Enabled.
History
Version 4.2
Command introduced.
Version 6.0
Option dap removed.
Version 6.2
Usage When you specify a boot WLC for a distributed MP to boot from, it boots using the process
described in MP Boot Process Using Static IP Configuration, in the Juniper Mobility System
Software Configuration Guide.
When a static IP address is specified for a Distributed MP, there is no preconfigured DNS
information or DNS name for the WLC that the Distributed MP attempts to use as the boot device.
If you configure a static IP address for a Distributed MP, but do not specify a boot device, then the
WLC must be reachable via subnet broadcast.
274
Examples The following command configures Distributed MP 1 to use an WLC with address
172.16.0.21 as its boot device.
WLC# set ap 1 boot-configuration switch switch-ip 172.16.0.21 mode
enable
The following command configures Distributed MP 1 to use the WLC with the name WLCr2 as its
boot device. The DNS server at 172.16.0.1 is used to resolve the name of the WLC.
WLC# set ap 1 boot-configuration switch name WLCr2 dns 172.16.0.1 mode
enable
See Also
set ap boot-configuration vlan

Specifies 802.1Q VLAN tagging information for a Distributed MP.
Syntax set ap apnum boot-configuration vlan vlan-tag tag-value [mode {enable |
disable}]
Syntax set ap apnum boot-configuration vlan mode {enable | disable}
ap apnum
vlan-tag tag-value
The VLAN tag value. You can specify a number from 1 4093.
mode {enable |
disable}
Enables or disables use of the specified VLAN tag on the Distributed

MP.
Defaults None.
Access Enabled.
History
Version 4.2
Command introduced.
Version 6.0
Option dap removed.
Version 6.2
Usage When this command is configured, all Ethernet frames emitted from the Distributed MP are
formatted with an 802.1Q tag with a specified VLAN number. Frames not tagged for this value and
sent to the Distributed MP are ignored.
Examples The following command configures Distributed MP 1 to use VLAN tag 100:
WLC# set ap 1 boot-configuration vlan vlan-tag 100 mode enable
275

See Also
set ap fingerprint
Verifies an MP fingerprint on an WLC. If MP-WLC security is required by an WLC, an MP can
establish a management session with the WLC only if you have verified the MP identity by
verifying the fingerprint on the WLC.
Syntax set ap apnum fingerprint fingerprint
ap apnum
1 to 9999.
fingerprint
The 16-digit hexadecimal number of the fingerprint. Use a colon between

each digit. Make sure the fingerprint you enter matches the fingerprint used
by the MP.
Defaults None.
Access Enabled.
History
Version 4.0
Introduced command.
Version 6.0
Option dap removed.
Version 6.2
Usage MPs are configured with an encryption key pair at the factory. The fingerprint for the public
key is displayed on a label on the back of the MP, in the following format:
RSA
aaaa:aaaa:aaaa:aaaa:
aaaa:aaaa:aaaa:aaaa
If an MP is already installed and operating, you can use the show ap status command to display
the fingerprint. The show ap config command lists the MP fingerprint only if the fingerprint has
been verified in MSS. If the fingerprint has not been verified, the fingerprint information in the
command output is blank.
Examples The following example verifies the fingerprint for Distributed MP 8:
WLC# set ap 8 fingerprint
b4:f9:2a:52:37:58:f4:d0:10:75:43:2f:45:c9:52:c3
See Also
set ap security on page 291
276

set ap force-image-download
Configures an MP to download a software image from the WLC instead of loading the locally
stored image on the MP.
Syntax set ap auto force-image-download {enable | disable}
ap auto
Configures forced image download for the MP configuration profile. (See set
ap auto on page 263.)
force-imagedownload
enable
Enables forced image download.
force-imagedownload
disable
Disables forced image download.
Defaults Forced image download is disabled by default.

Access Enabled.
History
Version 5.0
Command introduced.
Version 6.0
Option dap removed.
Usage A change to the forced image download option takes place the next time the MP is
restarted.
Even when forced image download is disabled (the default), the MP still checks with the WLC to
verify that the MP has the latest image, and to verify that the WLC is running MSS Version 5.0 or
later.
The MP loads a local image only if the WLC is running MSS Version 5.0 or later and does not have
a different MP image than the one in the MP local storage. If the WLC is not running MSS Version
5.0 or later, or the WLC has a different version of the MP image than the version in the MP local
storage, the MP loads the image from the WLC.
The forced image download option is not applicable to MP models MP-52, MP-101, and MP-122.
Examples The following command enables forced image download on Distributed MP 69:
WLC# set ap 69 force-image-download enable
277
set ap group
Deprecated in MSS Version 6.0. To configure RF load balancing, see set load-balancing mode
on page 300.
set ap image
Loads an AirDefense sensor software image on an MP.
Syntax set ap apnum image filename
ap apnum
1 to 9999.
filename
Name of the AirDefense sensor software image file. This file is assumed to
have been copied to the WLC.
Defaults None.
Access Enabled.
History
Version 5.0
Command introduced.
Version 6.0
Option dap removed.
Version 6.2
Usage After the AirDefense sensor software is copied to the WLC, use this command to configure
an MP to load the software. When you do this, the software is transferred to the MP, which then
reboots and comes up as an AirDefense sensor.
Examples The following command causes Distributed MP 1 to load the adconvert.bin file, then
reboot as an AirDefense sensor:
WLC# set ap 1 image adconvert.bin
This will change the file a AP will boot. Would you like to continue?
(y/n) [n] y
See Also clear ap image on page 256
set ap led-mode
Allows you to set the LED behavior on an AP or APs. The setting is active after the AP receives a
configuration from the WLC. The blink command has precedence over this command.
Syntax set [apnum | apnum-range | auto] led-mode {auto | static | off}
auto
LEDs are in standard behavior mode.
static
LEDs do not flash when traffic is on the network. All other LED behavior is
standard.
off
All LEDs are off once the AP is active.
Defaults Auto
278
Access Enabled
Usage Used in configurations where the LED activity is undesired.
Informational Note: The following MPs do not support this command:
MP-71
MP-620
MP-622
set ap local-switching mode

Enables local switching for a specified MP.
Syntax set ap apnum local-switching mode {enable | disable}
apnum
1 to 9999.
enable
Enables local switching for the MP.
disable
Disables local switching for the MP.
Defaults Local switching is disabled by default.

Access Enabled.
History
Version 6.0
Command introduced.
Version 6.2
Usage Local switching allows traffic for specified VLANs to be switched by the MP, instead of
tunneling traffic back to an WLC. The VLANs that perform local switching are specified in a VLAN
profile.
Local switching can be enabled on MPs connected to the WLC through an intermediate Layer 2 or
Layer 3 network. Local switching is not supported for MPs that are directly connected to an WLC.
If local switching is enabled on an MP, but no VLAN profile is configured, then a default VLAN
profile is used. The default VLAN profile includes a single VLAN named default that is not tagged.
Examples The following command enables local switching for MP 7:
WLC# set ap 7 local-switching mode enable
See Also
279
set ap local-switching vlan-profile

Applies a specified VLAN profile to an MP to use with local switching.
Syntax set ap apnum local-switching vlan-profile profile-name
apnum
1 to 9999.
profile-name
The name of a VLAN profile configured on the WLC.
Defaults If local switching is enabled on an MP, but no VLAN profile is configured, then a default
VLAN profile is used. The default VLAN profile includes a single VLAN named default that is not
tagged.
Access Enabled.
tunneling the traffic back to an WLC.
When applying a VLAN profile causes traffic that was tunneled to an WLC to be locally switched by
MPs, or vice-versa, the sessions of clients associated with the MPs with the applied VLAN profile
are terminated, and the clients must re-associate with the MPs.
Examples The following command specifies that MP 7 use VLAN profile locals:
WLC# set ap 7 local-switching vlan-profile locals
See Also
clear ap local-switching vlan-profile on page 256
set ap name
Changes an MP name.
Syntax set ap apnum name name
ap apnum
1 to 9999.
name
Alphanumeric string of up to 16 characters, with no spaces.
Defaults The default name of a directly attached MP is based on the port number of the MP
access port attached to the MP. For example, the default name for an MP on MP access port 1 is
MP01.
Access Enabled.
280
History
Version 1.0
Command introduced
Version 2.0
Version 4.1
Default Distributed MP name changed from DMPnum to DAPnum
Version 6.0
Option dap removed.
Version 6.2
Examples The following command changes the name of the MP on port 1 to techpubs:
WLC# set ap 1 name techpubs
set ap power-mode
Specifies a power mode for the AP.
Syntax set ap apnum power-mode {auto | high}
auto
Manages power automatically on the AP.
high
Operates the AP at the maximum available power.
Defaults None
Access Enabled
Usage This command is used mainly for MPs with 802.11n capabilities.
Examples To set an MP to use the maximum available power, use the following command:
WLC# set ap 3 power-mode high
set ap radio antenna-location

Specifies the location (indoors or outdoors) of an external antenna. Use this command to ensure
that the proper set of channels is available on the radio. In some cases, the set of valid channels
for a radio differs depending on whether the antenna is located indoors or outdoors.
Syntax set ap apnum radio number antenna-location
{indoors | outdoors}
ap apnum
to 9999.
radio number
Specify radio 1 or radio 2.
antenna-loca Specify antenna location.

tion
281
indoors
Specifies that the external antenna is installed indoors (inside the building).
outdoors
Specifies that the external antenna is installed outdoors.
Defaults The default antenna location is indoors.

Access Enabled.
Examples The following command sets the antenna location for radio 1 on Distributed MP 22 to
outdoors:
WLC# set ap 22 radio 1 antenna-location outdoors
See Also set ap radio antennatype on page 282
set ap radio antennatype

Sets the model number for an external antenna.
set ap apnum radio {1 | 2} antennatype {ANT1060 | ANT1120 | ANT1180 |
ANT5060 | ANT5120 | ANT5180 |
ANT-1360-OUT | ANT-5360-OUT | ANT-5060-OUT | ANT-5120-OUT |
internal}
ap apnum
Index value that identifies the MP on the WLC. You can

specify a value from 1 to 9999.
radio 1
Radio 1 of the MP.
radio 2
Radio 2 of the MP. (This option does not apply to

single-radio models.)
antennatype
{ANT1060 | ANT1120 |
ANT1180 | internal}
MP-3xx and MP-262 802.11b/g external antenna models:

ANT106060 802.11b/g antenna
internalUses the internal antenna instead
antennatype
{ANT5060 | ANT5120 |
ANT5180 | internal}
MP-3xx 802.11a external antenna models:

ANT506060 802.11a antenna
282
antennatype
{ANT-1360-OUT | ANT-5360-O
UT | ANT-5060-OUT | ANT-51
20-OUT | internal}
MP-620 external antenna models:

ANT-1360-OUT360 802.11b/g antenna
ANT-5360-OUT360 802.11a antenna
Defaults All radios use the internal antenna by default, if the MP model has an internal antenna.
The MP-620 802.11b/g radio uses model ANT-1360-OUT by default. The MP-620 802.11a radio
uses model ANT-5360-OUT by default. The MP-262 802.11b/g radio uses model ANT1060 by
default.
Access Enabled.
History
Version 2.1
Version 3.2
Command introduced
Model numbers added for 802.11a external antennas.
Default changed to internal (except for the MP-262).
Version 4.1
Model numbers added for MP-620 external antennas.
Version 6.2
Usage This command applies only to radios on MP models MP-3xx and MP-620 and to the
802.11b/g radio on model MP-262.
Examples The following command configures the 802.11b/g radio on Distributed MP 1 to use
antenna model ANT1060:
WLC# set ap 1 radio 1 antennatype ANT1060
set ap radio auto-tune max-power

Sets the maximum power that RF Auto-Tuning can set on a radio.
Syntax set ap {apnum | auto} radio {1 | 2} auto-tune max-power power-level
ap apnum
ap auto
Sets the maximum power for radios configured by the MP

configuration profile. (See set ap auto on page 263.)
radio 1
Radio 1 of the MP.
283
radio 2
Radio 2 of the MP. (This option does not apply to single-radio

models.)
power-level
Maximum power setting RF Auto-Tuning can assign to the radio,

expressed as the number of decibels in relation to 1 milliwatt
(dBm). You can specify a value from 1 up to the maximum value
allowed for the country of operation.
The power-level can be a value from 1 to 20 or you can set it to
default.
Defaults The default maximum power setting that RF Auto-Tuning can set on a radio is the
highest setting allowed for the country of operation or highest setting supported on the hardware,
whichever is lower.
Access Enabled.
History
Version 3.0
Command introduced
Version 4.0
Version 6.2
Examples The following command sets the maximum power that RF Auto-Tuning can set on radio
1 on the MP access point on port 7 to 12 dBm.
WLC# set ap 7 radio 1 auto-tune max-power 12
See Also
set ap radio auto-tune max-retransmissions

Deprecated in MSS Version 5.0.
set ap radio auto-tune min-client-rate

Deprecated in MSS Version 5.0. To configure radio transmit rates, see set service-profile
transmit-rates on page 354.
set ap radio channel

Sets an MP radio channel.
Syntax set ap apnum radio {1 | 2} channel channel
284
ap apnum
1 to 9999.
radio 1
Radio 1 of the MP.

radio 2
channel channel
Channel number. The valid channel numbers depend on the country of

operation.
Defaults The default channel depends on the radio type:

The default channel number for 802.11b/g is 6.
The default channel number for 802.11a is the lowest valid channel number for the country of
operation.
Access Enabled.
History
Version 1.0
Command introduced
Version 2.0
Version 6.0
Option dap removed.
Version 6.2
Version 7.3
Option channel-number changed to channel.
Usage You can configure the transmit power of a radio on the same command line. Use the
tx-power option.
This command is not valid if dynamic channel tuning (RF Auto-Tuning) is enabled.
Examples The following command configures the channel on the 802.11a radio on the MP access
point connected to port 5:
WLC# set ap 5 radio 1 channel 36
The following command configures the channel and transmit power on the 802.11b/g radio on the
MP access point connected to port 11:
WLC# set ap 11 radio 1 channel 1 tx-power 10
See Also
set ap radio link-calibration

Configures an MP radio to emit link calibration packets, which can aid in positioning a Mesh AP.
Syntax set ap apnum radio {1 | 2} link-calibration mode {enable | disable}
ap apnum
9999.
radio 1
Radio 1 of the MP.
285
radio 2
enable
Enables link calibration packets for the MP radio.
disable
Disables link calibration packets for the MP radio.
Defaults Disabled.
Access Enabled.
History
Version 6.0
Command introduced.
Version 6.2
Usage A Mesh Portal MP can be configured to emit link calibration packets to assist with
positioning the Mesh AP. A link calibration packet is an unencrypted 802.11 management packet of
type Action. When enabled on an MP, link calibration packets are sent at a rate of 5 per second.
The MP-620 is equipped with a connector to which an external RSSI meter can be attached during
installation. When an RSSI meter is attached to an MP-620 and a calibration packet is received,
the MP-620 emits a voltage to the RSSI meter proportional to the received signal strength of the
packet. This can aid in positioning the MP-620 where it has a strong signal to the Mesh Portal AP.
Only one radio on an MP can be configured to send link calibration packets. Link calibration
packets are intended to be used only during installation of MPs; they are not intended to be
enabled on a continual basis.
Examples The following command enables link calibration packets for MP radio 1 on MP 7:
WLC# set ap 7 radio 1 link-calibration mode enable
See Also
set ap radio load-balancing

Disables or enables RF load balancing for an MP radio.
Syntax set ap apnum radio {1 | 2} load-balancing {enable | disable}
ap apnum
1 to 9999.
radio 1
Radio 1 of the MP.
radio 2
enable
Enables RF load balancing for the MP radio.
disable
Disables RF load balancing for the MP radio.
Defaults RF load balancing is enabled by default for all MP radios.
286
Access Enabled.
History
Version 6.0
Command introduced.
Version 6.2
Usage By default, RF load balancing is enabled on all MP radios. Use this command to disable or
re-enable RF load balancing for the specified MP radio.
RF load balancing can also be disabled or re-enabled globally with the set load-balancing mode
command. If RF load balancing has been enabled or disabled for a specific MP radio, then the
setting for the individual radio takes precedence over the global setting, if the global setting is
load-balancing mode enabled.
Examples The following command disables RF load balancing for MP radio 1 on MP 7:
WLC# set ap 7 radio 1 load-balancing disable
See Also
set ap radio load-balancing group

Assigns an MP radio to a load balancing group.
Syntax set ap apnum radio {1 | 2} load-balancing group name [rebalance]
ap apnum
1 to 9999.
radio 1
Radio 1 of the MP.
radio 2
group name
Name of an RF load balancing group to which the MP radio is assigned. A

radio can belong to only one group.
rebalance
Configures the MP radio to disassociate client sessions and rebalance them

whenever a new MP radio is added to the load balancing group.
Defaults By default, MP radios are not part of an RF load balancing group.

Access Enabled.
History
Version 6.0
Command introduced.
Version 6.2
Added index valued range from 1 to 9999.
287
Usage Assigning radios to specific load balancing groups is optional. When you do this, MSS
considers them to have exactly overlapping coverage areas, rather than using signal strength
calculations to determine their overlapping coverage. MSS attempts to distribute client sessions
across radios in the load balancing group evenly. A radio can be assigned to only one group.
Examples The following command assigns MP radio 1 on MP 7 to load balancing group room1:
WLC# set ap 7 radio 1 load-balancing group room1
WLC#
See Also
set ap radio mode

Enables or disables a radio on an MP.
Syntax set ap {apnum | auto}} radio {1 | 2} mode {enable |sentry| disable}
ap apnum
1 to 9999.
ap auto
Sets the radio mode for MPs managed by the MP configuration profile. (See
set ap auto on page 263.)
radio 1
Radio 1 of the MP.
radio 2
mode enable
Enables a radio.
mode sentry
Allows longer dwell times on scanning channels.
mode disable
Disables a radio.
Defaults MP access point radios are disabled by default.

Access Enabled.
History
Version 1.0
Command introduced
Version 2.0
Version 4.0
Version 6.0
Option dap removed.
Version 6.2
Added the index value range of 1 to 9999. Added sentry mode.
Usage To enable or disable one or more radios assigned to a profile, use the set ap radio
radio-profile command. To enable or disable all radios that use a specific radio profile, use the set
radio-profile command.
288
Examples The following command enables radio 1 on MP 1:

WLC# set ap 1 radio 1 mode enable
The following command sets radio 2 in sentry mode on MP 1:
WLC# set ap 1 radio 2 mode sentry
See Also
set ap radio radio-profile

Assigns a radio profile to an MP radio and enables or disables the radio.
Syntax set ap {apnum | auto} radio {1 | 2}
radio-profile name mode {enable | disable}
ap apnum
1 to 9999.
radio 1
Radio 1 of the MP.
radio 2
radio-profile
name
Radio profile name of up to 16 alphanumeric characters, with no spaces.
mode enable
Enables radios on the specified ports with the parameter settings in the
specified radio profile.
mode disable
Disables radios on the specified ports.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 2.0
Version 4.0
Version 6.0
Option dap removed.
Version 6.2
Usage When you create a new profile, the radio parameters in the profile are set to the factory
default settings.
To enable or disable all radios using a specific radio profile, use set radio-profile.
289
Examples The following command enables radio 1 on MP 5 assigned to radio profile rp1:
WLC# set ap 5 radio 1 radio-profile rp1 mode enable
See Also
set ap radio tx-power

Sets the transmit power of an MP radio.
Syntax set ap apnum radio {1 | 2} tx-power power-level
ap apnum
1 to 9999.
radio 1
Radio 1 of the MP.
radio 2
tx-power
power-level
Number of decibels in relation to 1 milliwatt (dBm). The valid values depend

on the country of operation.
The maximum transmit power you can configure on any Juniper Networks
radio is the maximum allowed for the country in which you plan to operate
the radio or one of the following values if that value is less than the country
maximum: on an 802.11a radio, 11 dBm for channel numbers less than or
equal to 64, or 10 dBm for channel numbers greater than 64; on an
802.11b/g radio, 16 dBm for all valid channel numbers for 802.11b, or
14 dBm for all valid channel numbers for 802.11g.
Defaults The default transmit power on all MP radio types is the highest setting allowed for the
country of operation or highest setting supported on the hardware, whichever is lower.
Access Enabled.
History
Version 1.0
Command introduced
Version 2.0
Version 3.0
Default power level changed
Version 6.0
Option dap removed.
Version 6.2
Added the index value range from 1 to 9999.
Usage You also can configure a radio channel on the same command line. Use the channel
option.
290
This command is not valid if dynamic power tuning (RF Auto-Tuning) is enabled.
Examples The following command configures the transmit power on the 802.11a radio on the MP
access point connected to port 5:
WLC# set ap 5 radio 1 tx-power 10
The following command configures the channel and transmit power on the 802.11b/g radio on the
MP access point connected to port 11:
WLC# set ap 11 radio 1 channel 1 tx-power 10
See Also
set ap security
Sets security requirements for management sessions between an WLC and Distributed MPs.
This feature applies to Distributed MPs only, not to directly connected MPs configured on MP
access ports.
Informational Note: The maximum transmission unit (MTU) for encrypted MP management traffic is 1498
bytes, whereas the MTU for unencrypted management traffic is 1474 bytes. Make sure the devices in the
intermediate network between the WLC switch and Distributed MP can support the higher MTU.
Syntax set ap security secsetting {require | optional | none}

security
secsetting
Name of the security setting.
require
Requires all Distributed MPs to have encryption keys that have been verified
in the CLI by an administrator. If an MP does not have an encryption key or
the key has not been verified, the WLC does not establish a management
session with the MP.
optional
Allows MPs to be managed by the switch even if they do not have encryption
keys or their keys have not been verified by an administrator. Encryption is
used for MPs that support it.
none
Encryption is not used, even for MPs that support it.
Defaults The default setting is optional.

Access Enabled.
History
Version 4.0
Command introduced.
Version 6.0
Option dap removed.
291
Usage This parameter applies to all Distributed MPs managed by the WLC. If you change the
setting to required, the WLC requires Distributed MPs to have encryption keys. The WLC also
requires their fingerprints to be verified in MSS. When MP security is required, an MP can
establish a management session with the WLC only if its fingerprint has been verified by you in
MSS.
A change to MP security support does not affect management sessions that are already
established. To apply the new setting to an MP, restart the MP.
Examples The following command configures an WLC to require Distributed MPs to have
encryption keys:
WLC# set ap security require
See Also
set ap tunnel-affinity
The MP-MP tunneling feature extends the WLC-WLC tunnel feature to allow MPs with
local-switching enabled to create and terminate client VLAN tunnels. Therefore, a VLAN is not
required on every MP.
Defaults None
Access Enabled
History Added in MSS Version 7.1.
Syntax set ap [apnum |auto] tunnel-affinity affinity
apnum
Number of the MP to configure for MP-MP tunneling.
auto
Enable MP-MP tunneling on all MPs.
tunnel-affinity
The default value for affinity is 4 with a range of 0 to 10 where 0 indicates

that the MP is not used as a tunnel endpoint.
affinity
set ap tunnel mode

Usage Configures tunneling on a WLA. If a client connects to a WLA that has local switching
enabled on a VLAN, and the VLAN does not exist in the VLAN profile, then the client connects in
overlay mode.
This command allow clients to connect if the tunnel limits are reached and if a client cannot
connect, an appropriate error message is recorded in the event log.
292
Syntax set ap {apnum | auto} ap-tunnel mode {enable | disable}

apnum
The number that corresponds to the desired WLA.
auto
Use the auto configuration option to automatically retrieve AP

configuration parameters.
enable
Enable AP tunnel mode.
disable
Disable AP tunnel mode
Defaults This feature is disabled by default. When this configuration is changed, affected session
are dropped and then reconnected in the correct mode. If tunnel mode is enabled and local
switching is already enabled on the WLA, then overlay sessions are terminated and then
reconnected in order to establish overlay sessions. Tunnel mode only takes effect if local switching
is enabled on the WLA.
Access Enabled
Examples
To view a WLA configuration with tunnel mode enabled, use the show ap config command:
MX# show ap 4 config 4
AP 4 (AP04)
Model: WLA522
Mode:
.............
.............
Fingerprint:
Communication timeout: 25
Location:
Contact:
Vlan-profile: mesh
AP tunnel: enabled
Radio 1 (802.11g)
set remote ap data security mode

Usage Configures a WLA for data path encryption.
293
Syntax set ap {apnum | auto} remote-ap data-security mode [enable | disable

apnum
The number of the WLA to configure for WAN data path encryption.
auto
Configure any AP in WLAN data path encryption..
enable
Enable remote AP WAN outage mode.
disable
Disable remote AP WAN outage mode
Defaults Data path encryption is disabled by default. It can only be enabled if the global ap
security option is set to required or optional.Data path encryption is disabled by default. It can only
be enabled if the global ap security option is set to required or optional.
Access Enabled
set domain data security

Usage Configure a WLC for data path encryption to another WLC.
This feature can be enabled on WLCs that do not support data path encryption to ensure
compatibility for cluster configurations. A warning is displayed that the feature is not supported on
this platform. The exception occurs when the WLC is the active cluster seed and another WLC in
the cluster can support data path encryption.
Syntax set domain data-security {none | optional| required}
None
No data path encryption on the domain. This is the default value to allow for
backward compatibility between WLCs.
Optional
A connection may or may not have data path encryption configured. A tunnel
can be created to a peer WLC that does not support data path encryption.
Required
Data path encryption is required on the domain. The WLC attempts to

encrypt data tunnels to other WLCs on the network. If the peer WLC is not
configured to support data path encryption or does not support it, then no
tunnel is created.
Defaults None
Access Enabled
Examples In cluster mode, the primary seed (PS) ensures that an WLA with data security enabled
is not assigned a PAM or SAM that does not support this feature. If such a WLC is not located on
the network, the WLA remains unassigned. You can display this information using the following
command:
MX# show cluster ap
Total APs: [2], APs connected to PAM: [2], APs connected to SAM: [2]
294
Flags: L - Cluster Load Balancing; C - Connection Wait; S - Session

setup Wait
U - Unassigned
AP
PAM WLC IP
to SAM
SAM WLC IP
AP connected to PAM
AP connected
---------------------------------------------------------------------------2
10.7.116.108
NO
3 0.0.0.0
[U]NO
10.7.116.106
YES
0.0.0.0
[U]NO
If the data path encryption configuration is changed after a WLA is operational, the change is
applied immediately. This may affect connectivity on existing sessions while the WLA and WLC
synchronize the changes on the network. If you make changes to the configuration, a warning is
displayed at the command prompt:
MX# set ap 3 remote-ap data-security mode enable
This may cause the AP to reboot, are you sure? (y/n)[n]
The following commands display the configuration of the WLAs:
MX# show ap config verbose
AP 1 (AP01)
Model:
WLA522
Mode:
remote
Bias:
high
Options:
led-auto
upgrade-firmware, data-security,
The current data security status of the WLA is displayed using the show
ap status
command:
MX# show ap status

Flags: o= operational (219), c = configure (0), d = download (0),
b = boot (0), a = auto AP, m = mesh AP, p/P = mesh portal
(ena/actv),
r = redundant (1), z = remote AP in outage,
i/I = insecure (control/control+data), u = unencrypted,
e/E = encrypted (control/control+data)
Radio: E enabled - 20MHz channel, S = sentry
W/w = enabled - 40MHz wide channel(HTplus/HTminus)
D = admin disabled, U = mesh uplink
IP Address: * = AP behind NAT
AP
2
Flag
Uptime
IP Address
Model
MAC Address
Radio 1
Radio
----------------------------------------------------------------------------
295
3
o--E
10.7.254.10
44/17
01d23h
WLA522
00:0b:0e:1a:24:40 E
1/4
To show the status of a WLA using a verbose output, use the following command:
MX# show ap status verbose
AP: 3 Name:AP03
Model: Juniper WLA522, Rev: A, Serial number: 0574100817
F/W1: 5.7
F/W2 : 5.7
S/W : 7.5.0.0
Boot S/W: 7.5.0.0
IP-addr/mask: 10.7.254.10/255.255.0.0 (DHCP,vlan NET41IP40),
Fingerprint: 8f:de:cd:8d:1e:7d:da:7b:c7:32:fe:74:57:51:af:db
Port 1 MAC: 00:0b:0e:50:11:00, link 100/full, POE: 802.3af
Port 2 MAC: 00:0b:0e:50:11:01, link: down, POE:none
State: operational (encrypted, data-encrypted)
Uptime: 3 days, 5 hours, 12 minutes, 59 seconds
Radio 1 Type: 802.11g, State: configure succeeded [Enabled]
Antenna type: INTERNAL
Every WLC publishes domain data-security information to the members of the mobility domain.
This information is used for tunnel endpoint selection by the mobility domain members. To display
information about tunnels on the network, use the following command:
MX# show tunnel
VLAN
Address
Local Address
Remote
State
Port
LVID
RVID
Ver
---------------------------------------------------------------------------green
*
1025
10.2.8.102
3584
1
10.8.116.105
Up
The state field now includes an asterisk (*) to indicate that the tunnel is encrypted.
set remote ap wan outage mode

Usage Configures a WLA as a remote access point with WAN outage support.
Informational Note: To view the configuration options in the MSS CLI, you must install the WAN
Outage feature license.
296
During normal operation, the WLA sends announcements and pings to the WLC and receives
acknowledgements in return. If the acknowledgements are not returned within a certain period, the
WLA determines the status of the WLC. An initial evaluation period is used to confirm the outage
and the evaluation period has a range from 25 seconds, the default value, to a maximum of 5
minutes. Once outage is confirmed, the configured evaluation period determines the keepalive
interval of the pings sent to detect when the WAN link is active on the network.
Once the WAN link becomes available again, the WLA synchronizes the client session state with
the WLC and the client sessions continue to remain active until the WLC is ready to handle new
client associations.
Syntax set ap {apnum | auto} remote-ap wan-outage mode {enable | disable}
apnum
The number of the WLA to configure for WAN outage mode
auto
Configure any AP in WLAN outage mode.
enable
Enable remote AP WAN outage mode.
eval-period value
Configure a timer to periodically check the state of the WLC connection on

the network. The default value is 300 seconds with a range of 5 to 86400
seconds.\
disable
Disable remote AP WAN outage mode
Defaults The default setting is 0 (stay in outage mode indefinitely) and the range is from 0 to 120
hours (5 days). This period indicates the maximum length of time that a WLA remains in outage
mode.
Access Enabled
Examples To configure the maximum duration of a WAN outage before a WLA reboots, use this
command:
MX# set ap {apnum | auto} remote-ap wan-outage extended-timeout duration
Use a day-hour format to set the duration. For example,
MX# set ap 2 remote-ap wan-outage extended-timeout 3
The duration is three (3) days.
MX# set ap 2 remote-ap wan-outage extended-timeout 6h
The duration is six (6) hours.
When the duration has elapsed, the WLC clears all of the WLA state and session information, and
the WLA clears the session information and may reboot.
In addition to configuring the extended timeout period, you can configure a timer to periodically
check the state of the WLC connection on the network. Use the following commands to configure
this parameter:
MX# set ap {apnum | auto} remote-ap wan-outage eval-period value
To display the remote WLA configuration, type the following command:
MX# show ap config apnum
297
For example, to display the configuration of the remote WLA 5002, type the following command:
MX# show ap config 5002
AP 5002 (AP5002)
Model: WLA522
Mode: remote
Bias: high
Options: upgrade-firmware, led-auto
Connection: network
Serial number: 5002
Fingerprint:
Communication timeout: 25
Extended timeout: 2h
Evaluation timeout: 5
Location:
Contact:
Description:
Vlan-profile:
Tunnel affinity:
The status for a remote WLA in outage mode is displayed using the following command:
MX# show ap status
Flags: o= operational (219), c = configure (0), d = download (0),
b = boot (0), a = auto AP, m = mesh AP, p/P = mesh portal (ena/actv),
r = redundant (192), z = remote AP in outage, i = insecure, e =
encrypted,
u = unencrypted
Radio: E = enabled - 20MHz channel, S = sentry, W/w = enabled - 40MHz
wide channel (HTplus/HTminus), D = admin disabled, U = mesh uplink
AP
Flag
2 Uptime
IP Address
Model
MAC Address
Radio 1
Radio
------------------------------------------------------------------------------5002
36/18
oz-i
10.41.43.212
03d05h
WLA522
00:0b:0e:50:02:00
1/21
5003
36/18
o--1
10.41.40.56
03d05h
WLA522
00:0b:0e:50:02:00
1/21
To show details about the status of the remote WLA, use the following command:
MX# show ap status 5002 verbose
298
AP: 5002 Name:AP5002 (remote)

Model: Juniper WLA522, Rev: n/a, Serial number: 5011
F/W1: 1.0
F/W2 : 1.0
S/W : 7.5.0.0
Boot S/W: 7.5.0.0
IP-addr/mask: 10.41.46.38/255.255.248.0 (DHCP,vlan NET41IP40),
Fingerprint: 8f:de:cd:8d:1e:7d:da:7b:c7:32:fe:74:57:51:af:db
Port 1 MAC: 00:0b:0e:50:11:00, link 10/half, POE: 802.3af
Port 2 MAC: 00:0b:0e:50:11:01, link: down, POE:802.3af
State: operational (encrypted and fingerprint not verified)
Remote AP: current_outage_time: 0 hours, 1 minutes, 50 seconds
set ap upgrade-firmware
Disables or reenables automatic upgrade of an MP boot firmware.
Syntax set ap auto upgrade-firmware {enable | disable}
ap auto
Configures firmware upgrades for the MP configuration

profile. (See set ap auto on page 263.)
enable
Enables automatic firmware upgrades.
disable
Disables automatic firmware upgrades.
Defaults Automatic firmware upgrades of MPs are enabled by default.

Access Enabled.
History
Version 1.0
Command introduced
Version 2.0
Version 4.0
Version 6.0
Option dap removed.
Usage When the feature is enabled on an MX port, an MP connected to that port upgrades the
boot firmware to the latest version stored on the MX.
Examples The following command disables automatic firmware upgrades on the MP connected to
port 9:
WLC# set ap 9 upgrade-firmware disable
299
set band-preference
Configures MSS to steer clients that support both the 802.11a and 802.11b/g radio bands to a
specific radio on an MP for the purpose of RF load balancing.
Syntax set band-preference {none | 5GHz | 2GHz}
none
When a client supports both 802.11a and 802.11b/g radio bands, does not
steer the client to a specific MP radio.
5GHz
When a client supports 802.11b/g radio band, steers the client to the 5 GHz
radio.
2GHz
When a client supports both 802.11a radio bands, steers the client to the 2
GHz radio.
Defaults By default, clients are not steered to specific MP radios for RF load balancing.
Access Enabled.
Usage Use this command to steer clients that support both the 802.11a and 802.11b/g bands, to a
specific radio on an MP for the purpose of load balancing. This global band-preference option
controls the degree that an MP with two radios attempts to conceal one of its radios from a client
with the purpose of steering the client to the other radio.
Examples The following command steers clients that support the 802.11a band to the 802.11a
radio on an MP:
WLC# set band-preference 2GHz
See Also
set load-balancing mode

Disables or enables RF load balancing globally on the WLC.
Syntax set load-balancing mode {enable | disable}
enable
Enables RF load balancing globally on the WLC.
disable
Disables RF load balancing globally on the WLC.
Defaults RF load balancing is enabled by default.

Access Enabled.
Usage By default, RF load balancing is enabled on all MP radios. Use this command to disable or
re-enable RF load balancing globally for all MP radios managed by the WLC.
300
If RF load balancing has been enabled or disabled for a specific MP radio, then the setting for the
individual radio takes precedence over the global setting.
Examples The following command globally disables RF load balancing for all MP radios managed
by the WLC:
WLC# set load-balancing mode disable
WLC#
See Also
set load-balancing strictness

Controls the degree to which MSS balances the client load among MPs when performing RF load
balancing.
Syntax set load-balancing strictness {low | med | high | max}
low
No clients are denied service. New clients can be steered to other MPs, but
only to the extent that service can be provided to all clients.
med
Overloaded radios steer new clients to other MPs more strictly than the low
option. Clients attempting to connect to overloaded radios may be delayed
several seconds.
high
Overloaded radios steer new clients to other MPs more strictly than the med
option. Clients attempting to connect to overloaded radios may be delayed
up to a minute.
max
RF load balancing is strictly enforced. That is, overloaded radios do not

respond to new clients at all. A client would not be able to connect during
times that all of the detectable MP radios are overloaded.
Defaults Low.
Access Enabled.
Usage When performing RF load balancing, MSS may attempt to steer clients to less-busy radios
in a load-balancing group. To do this, MSS makes MP radios with heavy client loads less visible to
new clients, causing them to associate with MP radios that have a lighter load.
Use this command to specify how strictly MSS attempts to keep the client load balanced across
the MP radios in the load-balancing group. When low strictness is specified (the default), MSS
makes heavily loaded MP radios less visible in order to steer clients to less-busy MP radios, but
ensures that even if all the MP radios in the group are heavily loaded, clients are not denied
service.
301
At the other end of the spectrum, when max strictness is specified, if an MP radio has reached the
maximum client load, MSS makes the MP invisible to new clients, and new clients attempt to
connect to other MP radios. In the event that all the MP radios in the group have reached the
maximum client load, then no new clients can to connect to the network.
Examples The following command sets the RF load balancing strictness to the maximum setting:
WLC# set load-balancing strictness max
Success: strictness set to "MAX"
See Also
set radio-profile 11g-only

Deprecated in MSS Version 4.2. To configure radio data rates, see set service-profile
transmit-rates on page 354.
set radio-profile 11n

Configures 11n radio ranges on the MP-432.
Syntax set radio-profile profile-name 11n channel-width-na {20MHz | 40MHz}
profile-name
Radio profile name
11n channel-width-na
Set the channel width to 20 MHz or 40 MHz
Defaults None
Access Enabled
Examples Use the following command to set the channel width to 40 MHz:
WLC# set radio-profile boardroom 11n channel-width-na 40MHz
set radio-profile active-scan

Deprecated in MSS 7.0.
set radio-profile auto-tune 11a-channel-range

When configured, the MP 802.11a radio selects a channel from a limited range of available
channels or all available channels.
302
Syntax set radio-profile profile-name auto-tune 11a-channel-range

{lower-bands | all-bands}
profile-name
The name of the radio profile to configure the 802.11a channel range.
lower-bands
Only the lower channels are available for the 802.11a radio: 36, 40, 44, 48,
52, 56, 60, or 64.
all-bands
All 802.11a channels are available for the 802.11a radio: 36. 40, 44, 48, 52,
56, 60, 64, 149, 153, 157, and 161.
Defaults lower-bands
Access Enabled
History
Version 6.0
Command introduced.
Usage Improves the 802.11a radio usage on the network.

Examples The following command enables the 802.11a radio to select any available channel in
the 802.11a range:
WLC# set radio-profile test auto-tune 11a-channel-range all-bands
set radio-profile auto-tune channel-config

Disables or reenables dynamic channel tuning (RF Auto-Tuning) for the MP radios in a radio
profile.
Syntax set radio-profile profile-name auto-tune channel-config {enable | disable}
profile-name
Radio profile name.
enable
Configures radios to dynamically select channels when the radios are

started.
disable
Configures radios to use statically assigned channels, or the default

channels if unassigned, when the radios are started.
Defaults Dynamic channel assignment is enabled by default.

Access Enabled.
History
Version 3.0
Command introduced.
Version 5.0
Option no-client added.
Version 6.0
no-client changed to ignore-clients.
Version 7.0
Option ignore-clients moved to a separate command.
Usage If you disable RF Auto-Tuning for channels, MSS does not dynamically set the channels
when radios are first enabled and also does not tune the channels during operation.
303
If RF Auto-Tuning for channels is enabled, MSS does not allow you to manually change channels.
Even when RF Auto-Tuning for channels is enabled, MSS does not change the channel on radios
that have active client sessions, unless you use the ignore-clients command.
Examples The following command disables dynamic channel tuning for radios in the rp2 radio
profile:
WLC# set radio-profile rp2 auto-tune channel-config disable
See Also
set radio-profile auto-tune channel-holddown on page 304
set radio-profile auto-tune channel-holddown

Sets the minimum number of seconds a radio in a radio profile must remain on the current channel
assignment before RF Auto-Tuning can change the channel. The channel holddown provides
additional stability to the network by preventing the radio from changing channels too rapidly in
response to spurious RF anomalies such as short-duration channel interference.
Syntax set radio-profile profile-name auto-tune channel-holddown holddown
profile-name
Radio profile name.
rate
Minimum number of seconds a radio must remain on its current channel

setting before RF Auto-Tuning is allowed to change the channel. You can
specify from 0 to 65535 seconds.
Defaults The default RF Auto-Tuning channel holddown is 900 seconds.

Access Enabled.
Usage The channel holddown applies even if RF anomalies occur that normally cause an
immediate channel change.
Examples The following command changes the channel holddown for radios in radio profile rp2 to
600 seconds:
WLC# set radio-profile rp2 auto-tune channel-holddown 600
See Also
set radio-profile auto-tune 11a-channel-range on page 302
set radio-profile auto-tune channel-lockdown on page 305
304
set radio-profile auto-tune channel-interval

Sets the interval at which RF Auto-Tuning decides whether to change the channels on radios in a
radio profile. At the end of each interval, MSS processes the results of the RF scans performed
during the previous interval, and changes radio channels if needed.
Syntax set radio-profile profile-name auto-tune channel-interval seconds
profile-name
Radio profile name.
seconds
Number of seconds RF Auto-Tuning waits before changing radio channels

to adjust to RF changes, if needed. You can specify from 30 to 65535
seconds.
Defaults The default channel interval is 3600 seconds (one hour).

Access Enabled.
Usage It is recommended to use an interval of at least 300 seconds (5 minutes).
RF Auto-Tuning can change a radio channel before the channel interval expires in response to RF
anomalies. Even in this case, channel changes cannot occur more frequently than the channel
holddown interval.
If you set the interval to 0, RF Auto-Tuning does not reevaluate the channel at regular intervals.
However, RF Auto-Tuning can still change the channel in response to RF anomalies.
Examples The following command sets the channel interval for radios in radio profile rp2 to 2700
seconds (45 minutes):
WLC# set radio-profile rp2 auto-tune channel-interval 2700
See Also
set radio-profile auto-tune channel-lockdown

Locks down the current channel settings on all radios in a radio profile. The channel settings that
are in effect when the command is entered are changed into statically configured channel
assignments on the radios. RF Auto-Tuning of channels is then disabled in the radio profile.
Syntax set radio-profile profile-name auto-tune channel-lockdown
profile-name
Radio profile name.
Defaults By default, when RF Auto-Tuning of channels is enabled, channels continue to be

changed dynamically based on network conditions.
Access Enabled.
305

Usage To save this command and the static channel configuration commands created when you
enter this command, save the configuration.
Examples The following command locks down the channel settings for radios in radio profile rp2:
WLC# set radio-profile rp2 auto-tune channel-lockdown
See Also
set radio-profile auto-tune power-backoff-timer

set radio-profile auto-tune ignore-clients

Ignores client connections in auto-tune channel selections.
Syntax set radio-profile profile-name auto-tune ignore-clients
{enable | disable}
profile-name
Radio profile name.
enable
Configures auto-tune to ignore client connections.
disable
Disables the feature.
Defaults None
Access Enabled
set radio-profile auto-tune power-config

Enables or disables dynamic power tuning (RF Auto-Tuning) for the MP radios in a radio profile.
Syntax set radio-profile name auto-tune power-config {enable | disable}
name
Radio profile name.
enable
Configures radios to dynamically set power levels when the MPs are started.
disable
Configures radios to use statically assigned power levels, or the default

power levels if unassigned, when the radios are started.
Defaults Dynamic power assignment is disabled by default.

Access Enabled.
306

Usage When RF Auto-Tuning for power is disabled, MSS does not dynamically set the power
levels when radios are first enabled and also does not tune power during operation with
associated clients.
When RF Auto-Tuning for power is enabled, MSS does not allow you to manually change the
power level.
Examples The following command enables dynamic power tuning for radios in the rp2 radio
profile:
WLC# set radio-profile rp2 auto-tune power-config enable
See Also
set radio-profile auto-tune power-interval

Sets the interval at which RF Auto-Tuning decides whether to change the power level on radios in
a radio profile. At the end of each interval, MSS processes the results of the RF scans performed
during the previous interval, and changes radio power levels if needed.
Syntax set radio-profile name auto-tune power-interval seconds
name
Radio profile name.
seconds
Number of seconds MSS waits before changing radio power levels to adjust
to RF changes, if needed. You can specify from 1 to 65535 seconds.
Defaults The default power tuning interval is 600 seconds.

Access Enabled.
Examples The following command sets the power interval for radios in radio profile rp2 to 240
seconds:
WLC# set radio-profile rp2 auto-tune power-interval 240
See Also
307
set radio-profile auto-tune power-ramp-interval on page 308

set radio-profile auto-tune power-lockdown

Locks down the current power settings on all radios in a radio profile. The power settings that are
in effect when the command is entered are changed into statically configured power settings on
the radios. RF Auto-Tuning of power is then disabled in the radio profile.
Syntax set radio-profile name auto-tune power-lockdown
name
Radio profile name.
Defaults By default, when RF Auto-Tuning of power is enabled, power settings continue change
dynamically based on network conditions.
Access Enabled.
Usage To save this command and the static power configuration commands created when you
enter this command, save the configuration.
Examples The following command locks down the power settings for radios in radio profile rp2:
WLC# set radio-profile rp2 auto-tune power-lockdown
See Also
set radio-profile auto-tune power-ramp-interval

Changes the interval at which power is increased or decreased, in 1 dBm increments, on radios in
a radio profile until the optimum power level calculated by RF Auto-Tuning is reached.
Syntax set radio-profile profile-name auto-tune power-ramp-interval seconds
profile-name
Radio profile name.
seconds
Number of seconds MSS waits before increasing or decreasing radio power

by another 1 dBm. You can specify from 1 to 65535.
Defaults The default interval is 60 seconds.

Access Enabled.
308
Examples The following command changes the power ramp interval for radios in radio profile rp2
to 120 seconds:
WLC# set radio-profile rp2 auto-tune power-ramp-interval 120
See Also
set radio-profile beacon-interval

Changes the rate at which each MP radio in a radio profile advertises a service set identifier
(SSID).
Syntax set radio-profile profile-name beacon-interval interval
profile-name
Radio profile name.
interval
Number of milliseconds (ms) between beacons. You can specify from 25 ms

to 8191 ms.
Defaults The beacon interval for MP radios is 100 ms by default.

Access Enabled.
Usage You must disable all radios that are using a radio profile before you can change
parameters in the profile. Use the set radio-profile mode command.
Examples The following command changes the beacon interval for radio profile rp1 to 200 ms:
WLC# set radio-profile rp1 beacon-interval 200
See Also
set radio-profile cac background

Sets Quality of Service (QoS) options for a radio profile.
Syntax set radio-profile profile-name cac background {max-utilization
percentage | mode [enable | disable] | policing [enable | disable]}
profile-name
Name of radio profile.
max-utilization
Set maximum admission control limit for background traffic. You can
configure a percentage from 1 to 100 percent.
percentage
309
mode
Configures CAC to be mandatory for the radio profile.
policing
Configure admission control policing for the radio profile.
Defaults None
Access Enabled
set radio-profile cac best-effort

Syntax set radio-profile profile-name cac best-effort {max-utilization
percentage | mode [enable | disable] | policing [enable | disable]}
profile-name
max-utilizatio Set maximum admission control limit for best effort traffic. You can configure
a percentage from 1 to 100 percent.
n
percentage
mode
policing
Defaults None
Access Enabled
Introduced in MSS Version 7.0.
set radio-profile cac video

Syntax set radio-profile profile-name cac video {max-utilization percentage |
mode [enable | disable] | policing [enable | disable]}
profile-name
max-utilization
percentage
Set maximum admission control limit for video traffic. You can
mode
policing
Defaults None
Access Enabled
set radio-profile cac voice

310
Syntax set radio-profile profile-name cac voice {max-utilization percentage |

mode [enable | disable] | policing [enable | disable]}
profile-name
max-utilization
percentage
Set maximum admission control limit for voice traffic. You can
mode
policing
Defaults None
Access Enabled
set radio-profile countermeasures

Enables or disables countermeasures on the MP radios managed by a radio profile.
Countermeasures are packets sent by a radio to prevent clients from being able to use rogue
access points.
MP radios can also issue countermeasures against interfering devices. An interfering device is not
part of the Juniper network but also is not a rogue. No client connected to the device has been
detected communicating with any network entity listed in the forwarding database (FDD) of any
WLC in the Mobility Domain. Although the interfering device is not connected to your network, the
device might be causing RF interference with MP radios.
Syntax set radio-profile profile-name countermeasures {all | rogue | none}
profile-name
Radio profile name.
all
Configures radios to attack rogues and interfering devices.
rogue
Configures radios to attack rogues only.
none
Disables countermeasures for this radio profile.
Defaults Countermeasures are disabled by default.

Access Enabled.
History
Version 4.0
Command introduced.
Version 4.1
New option configured added to support

on-demand countermeasures.
Version 7.0
The option configured was removed.
Examples The following command enables countermeasures in radio profile radprof3 for rogues
only:
WLC# set radio-profile radprof3 countermeasures rogue
311

The following command disables countermeasures in radio profile radprof3:
WLC# clear radio-profile radprof3 countermeasures
The following command causes radios managed by radio profile radprof3 to issue
countermeasures against devices in the WLC switchs attack list:
WLC# set radio-profile radprof3 countermeasures configured
Note that when you issue this command, countermeasures are then issued only against devices in
the WLC attack list, not against other devices that were classified as rogues by other means.
set radio-profile dfs-channels

Enables the use of DFS channels to meet regulatory requirements.
Syntax set radio-profile profile-name dfs-channels {enable | disable}
Defaults Disabled
Access Enabled
MSS 7.0
Command introduced.
set radio-profile dtim-interval

Changes the number of times after every beacon that each MP radio in a radio profile sends a
delivery traffic indication map (DTIM). An MP sends the multicast and broadcast frames stored in
its buffers to clients who request them in response to the DTIM.
Informational Note: The DTIM interval applies to both the beaconed SSID and the nonbeaconed SSID.
Syntax set radio-profile profile-name dtim-interval interval

profile-name
Radio profile name.
interval
Number of times the DTIM is transmitted after every beacon. You can enter
a value from 1 through 31.
Defaults By default, MPs send the DTIM once after each beacon.
Access Enabled.
Usage You must disable all radios using a radio profile before you can change parameters in the
profile. Use the set radio-profile mode command.
The DTIM interval does not apply to unicast frames.
312
Examples The following command changes the DTIM interval for radio profile rp1 to 2:
WLC# set radio-profile rp1 dtim-interval 2
See Also
set radio-profile weighted-fair-queuing

Usage Configures a minimum service level to specific radio profiles. Medium time weights
determine the relative transmit utilization of the radio between service profiles.
Syntax set radio-profile profile-name weighted-fair-queuing {enable |
disable} weight service-profile-name weight
profile-name
Name of the radio profile.
enable
Enable weighted queuing.
disable
Disable weighted queuing.
service-profile-name
Name of the service profile to apply weighted queuing.
weight
Configure a weight value from 1 to 100. All profiles with

weighted queuing add up to 100.
Defaults None
Access Enabled
Examples To configure weighted queuing for a service and radio profile, use the following
command:
WLC# set radio-profile wireless weighted-fair-queuing enable weight
mp_conference 25
set radio-profile frag-threshold

Changes the fragmentation threshold for the MP radios in a radio profile. The fragmentation
threshold is the threshold at which the long-retry-count is applicable instead of the
short-retry-count.
The long-retry-count specifies the number of times a radio can send a unicast frame that is equal
to or longer than the frag-threshold without receiving an acknowledgment.
The short-retry-count specifies the number of times a radio can send a unicast frame that is
shorter than the frag-threshold without receiving an acknowledgment.
313
Syntax set radio-profile name frag-threshold threshold

name
Radio profile name.
threshold
Maximum frame length, in bytes. You can enter a value from 256 through
2346.
Defaults The default fragmentation threshold for MP radios is 2346 bytes.

Access Enabled.
The frag-threshold does not specify the maximum length a frame is allowed to be without being
broken into multiple frames before transmission. The MP does not support fragmentation upon
transmission, only upon reception.
The frag-threshold does not change the RTS threshold, which specifies the maximum length of a
frame before the radio uses the RTS/CTS method to send the frame. To change the RTS
threshold, use the set radio-profile rts-threshold command instead.
Examples The following command changes the fragmentation threshold for radio profile rp1 to
1500 bytes:
WLC# set radio-profile rp1 frag-threshold 1500
See Also
set radio-profile long-retry

Deprecated in MSS Version 4.2. In 4.2, this parameter is associated with service profiles instead of
radio profiles. See set service-profile long-retry-count on page 344.
set radio-profile max-rx-lifetime

Changes the maximum receive threshold for the MP radios in a radio profile. The maximum
receive threshold specifies the number of milliseconds that a frame received by a radio can remain
in buffer memory.
314
Syntax set radio-profile name max-rx-lifetime time

name
Radio profile name.
time
Number of milliseconds. You can enter a value from 500 (0.5 second)
through 250,000 (250 seconds).
Defaults The default maximum receive threshold for MP radios is 2000 ms (2 seconds).
Access Enabled.
Examples The following command changes the maximum receive threshold for radio profile rp1 to
4000 ms:
WLC# set radio-profile rp1 max-rx-lifetime 4000
See Also
315
set radio-profile mode

Creates a new radio profile, and disables or reenables all MP radios that are using a specific
profile.
Syntax set radio-profile profile-name [mode {enable | disable | sentry}]
profile-name

Use this command without the mode enable or mode disable option to
create a new profile.
enable
Enables the radios that use this profile.
disable
Disables the radios that use this profile.
sentry
Allows longer dwell times on scanning channels.
Defaults Each radio profile has a set of properties with factory default values that you can change
with the other set radio-profile commands in this chapter. Table 42 lists the parameters controlled
by a radio profile and the default values.
Table 42.Defaults for Radio Profile Parameters
Radio Behavior When Parameter Set To Default
Parameter
Default Value
Value
active-scan
enable
Sends probe any requests (probe requests with a null

SSID name) to solicit probe responses from other access
points.
auto-tune
enable
Allows dynamic configuration of channel and power

settings by MSS.
beacon-interval
100
Waits 100 ms between beacons.
countermeasures
Not configured
Does not issue countermeasures against any device.
dtim-interval
Sends the delivery traffic indication map (DTIM) after every

beacon.
frag-threshold
2346
Uses the short-retry-count for frames shorter than 2346

bytes and uses the long-retry-count for frames that are
2346 bytes or longer.
max-rx-lifetime
2000
Allows a received frame to stay in the buffer for up to

2000 ms (2 seconds).
max-tx-lifetime
2000
preamble-length
short
Allows a frame that is scheduled for transmission to stay in

the buffer for up to 2000 ms (2 seconds).
Advertises support for short 802.11b preambles, accepts
either short or long 802.11b preambles, and generates
unicast frames with the preamble length specified by the
client.
This parameter applies only to 802.11b/g radios.
qos-mode
wmm
Classifies and marks traffic based on 802.1p and DSCP,

and optimizes forwarding prioritization of MP radios for
Wi-Fi Multimedia (WMM).
rfid-mode
disable
Radio does not function as a location receiver in an

AeroScout Visibility System.
316
Table 42.Defaults for Radio Profile Parameters (continued)

Radio Behavior When Parameter Set To Default
Parameter
Default Value
Value
rts-threshold
2346
Transmits frames longer than 2346 bytes by means of the

Request-to-Send/Clear-to-Send (RTS/CTS) method.
service-profile
wmm-powersave
No service
You must configure a service profile. The service profile
profiles defined
sets the SSID name and other parameters.
disable
Requires clients to send a separate PSpoll to retrieve each

unicast packet buffered by the MP radio.
Access Enabled.
History
Version 1.0
Version 3.0
Command introduced
removed:
auth-dot1x
auth-psk
beaconed-ssid
cipher-ccmp
cipher-tkip
cipher-wep104
cipher-wep40
clear-ssid
crypto-ssid
psk-phrase
psk-raw
shared-key-auth
tkip-mc-time
wep key-index
wep active-multicast-index
wep active-unicast-index
wpa-ie
auto-tune and service-profile parameters added.
317
Version 4.2

removed:
11g-only
long-retry
short-retry
wmm parameter name changed to qos-mode.
Version 5.0
Parameters added:
rfid-mode
wmm-powersave
Usage Use the command without any optional parameters to create new profile. If the radio profile
does not already exist, MSS creates a new radio profile. Use the enable or disable option to
enable or disable all the radios using a profile. To assign the profile to one or more radios, use the
set ap radio radio-profile command.
To change a parameter in a radio profile, you must first disable all the radios in the profile. After
you complete the change, you can reenable the radios.
To enable or disable specific radios without disabling all of them, use the set ap radio command.
Examples The following command configures a new radio profile named rp1:
WLC# set radio-profile rp1
The following command enables the radios that use radio profile rp1:
WLC# set radio-profile rp1 mode enable
The following commands disable the radios that use radio profile rp1, change the beacon interval,
then reenable the radios:
WLC# set radio-profile rp1 beacon-interval 200
WLC# set radio-profile rp1 mode enable
The following command enables the WPA IE on MP radios in radio profile rp2:
WLC# set radio-profile rp2 wpa-ie enable
See Also
318
set radio-profile preamble-length

Changes the preamble length for which an 802.11b/g MP radio advertises support. This command
does not apply to 802.11a.
Syntax set radio-profile name preamble-length {long | short}
name
Radio profile name.
long
Advertises support for long preambles.
short
Advertises support for short preambles.
Defaults The default is short.

Access Enabled.
History
Version 1.0
Command introduced.
Version 1.1
Default changed from long to short.
Usage Changing the preamble length value affects only the support advertised by the radio.
Regardless of the preamble length setting (short or long), an 802.11b/g radio accepts and can
generate 802.11b/g frames with either short or long preambles.
If a client associated with an 802.11b/g radio uses long preambles for unicast traffic, the MP still
accepts frames with short preambles but does not transmit frames with short preambles. This
change also occurs if the access point overhears a beacon from an 802.11b/g radio on another
access point that indicates the radio has clients that require long preambles.
You must disable all radios that use a radio profile before you can change parameters in the
Examples The following command configures 802.11b/g radios that use the radio profile rp_long
to advertise support for long preambles instead of short preambles:
WLC# set radio-profile rp_long preamble-length long
See Also
319
set radio-profile qos-mode

Sets the prioritization mode for forwarding queues on MP radios managed by the radio profile.
Syntax set radio-profile name qos-mode {svp | wmm}
svp
Optimizes forwarding prioritization of MP radios for SpectraLink Voice

Priority (SVP).
wmm
Classifies and marks traffic based on 802.1p and DSCP, and optimizes
forwarding prioritization of MP radios for Wi-Fi Multimedia (WMM).
Defaults The default QoS mode is wmm.

Access Enabled.
Usage When SVP is enabled, MP forwarding prioritization is optimized for SpectraLink Voice
Priority (SVP) instead of WMM, and the MP does not tag packets sent to the WLC. Otherwise,
classification and tagging remain in effect. (For information, see the Configuring Quality of
Service chapter of the Juniper Mobility System Software Users Guide.)
If you plan to use SVP or another non-WMM type of prioritization, you must configure ACLs to tag
the packets. (See the Enabling Prioritization for Legacy Voice over IP section in the Configuring
and Managing Security ACLs chapter of the Juniper Mobility System Software Users Guide.)
Examples The following command changes the QoS mode for radio profile rp1 to SVP:
WLC# set radio-profile rp1 qos-mode svp
See Also
set radio-profile rate-enforcement

Configures MSS to enforce data rates, which means that a connecting client must transmit at one
of the mandatory or standard rates in order to associate with the MP.
Syntax set radio-profile name rate-enforcement {enable | disable}
name
Radio profile name.
enable
Enables data rate enforcement for the radios in the radio profile.
disable
Disables data rate enforcement for the radios in the radio profile.
Defaults Data rate enforcement is disabled by default.

Access Enabled.
Usage Each type of radio (802.11a, 802.11b, and 802.11g) providing service to an SSID has a set
of radio rates allowed for use when sending beacons, multicast frames, and unicast data. You can
configure the rate set for each type of radio, specifying rates in three categories:
320
Mandatory Valid 802.11 transmit rates that clients must support in order to associate with the
MP
Disabled Valid 802.11 transmit rates are disabled. MPs do not transmit at the disabled rates
Standard Valid 802.11 transmit rates that are not disabled and are not mandatory
By default, the rate set is not enforced, meaning that a client can associate with and transmit data
to the MP using a disabled data rate, although the MP does not transmit data back to the client at
the disabled rate.
You can use this command to enforce the data rates, which means that a connecting client must
transmit at one of the mandatory or standard rates in order to associate with the MP. When data
rate enforcement is enabled, clients transmitting at the disabled rates are not allowed to associate
with the MP.
This command is useful if you want to completely prevent clients from transmitting at disabled data
rates. For example, you can disable slower data rates so that clients transmitting at these rates do
not consume bandwidth on the channel at the expense of clients transmitting at faster rates.
Examples The following command enables data rate enforcement for radio profile rp1:
WLC# set radio-profile rp1 rate-enforcement mode enable
See Also
show ap counters on page 374
set radio-profile rf-scanning channel-scope

Configures the channel-scope for RF scanning.
Syntax set radio-profile profile-name rf-scanning channel-scope
[operating|regulatory|all]
regulatory
Scans and audits regulatory channels for 802.11a or 802.11b/g.
operating
Scans and audits the current channel.
all
Scans and audits all channels on the radio.
Defaults None
Access Enabled
Examples To scan only operating channels on radio profile, gofish, use the following command:
WLC> set radio-profile gofish rf-scanning channel-scope operating
set radio-profile rf-scanning cts-to-self

Configures RF scanning to send CTS packets before going to another channel.
321
Syntax set radio-profile name rf-scanning cts-to-self [enable | disable]

Defaults None
Access Enabled
Examples To enable a radio profile to send CTS packets, use the following command:
WLC# set radio-profile corp1 rf-scanning cts-to-self enable
set radio-profile rf-scanning mode

Configures RF scanning mode in active or passive states.
Syntax set radio-profile profile-name rf-scanning mode [passive | active]
passive
The radio scans once per predefined time and audits the packets on the
wireless network. The default time is 1 second.
active
The radio actively sends probes to other channels and then audits the
packets on the wireless network.
Defaults None
Access Enabled
Examples To configure active rf-scanning mode for radio profile gofish, use the following
command:
WLC> set radio-profile gofish rf-scanning mode active
set radio-profile rfid-mode

Enables MP radios managed by a radio profile to function as location receivers in an AeroScout
Visibility System. An AeroScout Visibility System allows system administrators to track mobile
assets using RFID tags.
When you enable RFID mode on a radio profile, radios in the profile can receive and process
signals transmitted by RFID tags and relay them with related information to the AeroScout Engine.
If the floor plan is modeled in RingMaster, you also can use RingMaster to display the locations of
assets.
Syntax set radio-profile profile-name rfid-mode {enable | disable}
profile-name
Radio profile name.
enable
Enables radios to function as asset location receivers.
disable
Disables radios from functioning as asset location receivers.
Defaults The default is disable.

Access Enabled.
322

Examples The following command enables radios managed by radio profile rp1 to act as asset
location receivers:
WLC# set radio-profile rfid-mode enable
See Also
set radio-profile rts-threshold

Changes the RTS threshold for the MP radios in a radio profile. The RTS threshold specifies the
maximum length a frame can be before the radio uses the RTS/CTS method to send the frame.
The RTS/CTS method clears the air of other traffic to avoid corruption of the frame due to a
collision with another frame.
Syntax set radio-profile profile-name rts-threshold threshold
profile-name
Radio profile name.
threshold
Maximum frame length, in bytes. You can enter a value from 0 through 65535.
Defaults The default RTS threshold for an MP radio is 65535 bytes.

Access Enabled.
Usage You must disable all radios with a radio profile before you can change parameters in the
Examples The following command changes the RTS threshold for radio profile rp1 to 1500 bytes:
WLC# set radio-profile rp1 rts-threshold 1500
See Also
set radio-profile service-profile

Maps a service profile to a radio profile. All radios that use the radio profile also use the parameter
settings, including SSID and encryption settings, in the service profile.
Syntax set radio-profile profile-name service-profile profile-name
profile-name
service-profil Service profile name of up to 16 alphanumeric characters, with no spaces.

e name
323
Defaults By default, aradio profile does not have a service profile associated with it. In this case,
the radios in the radio profile use the default settings for parameters controlled by the service
profile. Table 43 lists the parameters controlled by a service profile and the default values.
Table 43.Defaults for Service Profile Parameters
Parameter
Default Value
Radio Behavior When Parameter Set To Default Value
attr
No attributes configured
Does not assign the SSID authorization attribute values to
auth-dot1x
enable
SSID users, even if attributes are not otherwise assigned.

When the Wi-Fi Protected Access (WPA) information element
(IE) is enabled, uses 802.1X to authenticate WPA clients.
auth-fallthru
none
Denies access to users who do not match an 802.1X or MAC

authentication rule for the SSID requested by the user.
auth-psk
disable
Does not support using a preshared key (PSK) to authenticate

WPA clients.
beacon
enable
Sends beacons to advertise the SSID managed by the service
bridging
none
Supports bridging between MPs
cac-mode
none
Does not limit the number of active user sessions based on
profile.
Call Admission Control (CAC).

cac-session
14
If session-based CAC is enabled (cac-mode is set to

session), limits the number of active user sessions on a radio
to 14.
cipher-ccmp
disable
Does not use Counter with Cipher Block Chaining Message

Authentication Code Protocol (CCMP) to encrypt traffic sent to
WPA clients.
cipher-tkip
enable
When the WPA IE is enabled, uses Temporal Key Integrity

Protocol (TKIP) to encrypt traffic sent to WPA clients.
cipher-wep104
disable
Does not use Wired Equivalent Privacy (WEP) with 104-bit

keys to encrypt traffic sent to WPA clients.
cipher-wep40
disable
Does not use WEP with 40-bit keys to encrypt traffic sent to
WPA clients.
cos
If static CoS is enabled (static-cos is set to enable), assigns

CoS 0 to all data traffic to or from clients.
dhcp-restrict
disable
Does not restrict a clients traffic to only DHCP traffic while the
client is being authenticated and authorized.
idle-client-probing
enable
Sends a keepalive packet (a null-data frame) to each client

every 10 seconds.
keep-initial-vlan
disable
Reassigns the user to a VLAN after roaming, instead of

leaving the roamed user on the VLAN assigned by the switch
where the user logged on.
Enabling this option does not retain the initial VLAN
assignment for a user in all cases. (For information, see set
service-profile keep-initial-vlan on page 1343.)
load-balancing-exempt
none
Exempts the service profile from load balancing.
long-retry-count
Sends a long unicast frame up to five times without

acknowledgment.
324
Table 43.Defaults for Service Profile Parameters (continued)

Parameter
Default Value
no-broadcast
disable
Does not reduce wireless broadcast traffic by sending

unicasts to clients for ARP requests and DHCP Offers and
Acks instead of forwarding them as multicasts.
max-bw
none
Sets the service profile bandwidth limit from 1 to 300000
mesh
none
Enables mesh mode on the network.
proxy-arp
disable
Does not reply on behalf of wireless clients to ARP requests
Kbps. 0 equals unlimited bandwidth.
for client IP addresses. Instead, the radio forwards the ARP

Requests as wireless broadcasts.
psk-encrypted
none
Sets an encrypted preshared key.
psk-phrase
No passphrase defined
Uses dynamically generated keys rather than statically
psk-raw
No preshared key
Uses dynamically generated keys rather than statically
defined
configured keys to authenticate WPA clients.
disable
Does not use the RSN IE in transmitted frames. (The RSN IE
configured keys to authenticate WPA clients.
rsn-ie
is required for 802.11i. RSN is sometimes called WPA2.)

shared-key-auth
disable
Does not use shared-key authentication.

This parameter does not enable PSK authentication for WPA.
To enable PSK encryption for WPA, use the set radio-profile
auth-psk command.
short-retry-count
Sends a short unicast frame up to five times without

acknowledgment.
ssid-name
Juniper
Uses the SSID name Juniper.
ssid-type
crypto
Encrypts wireless traffic for the SSID.
tkip-mc-time
60000
Uses Michael countermeasures for 60,000 ms (60 seconds)

following detection of a second MIC failure within 60 seconds.
transmit-rates
802.11a:
Accepts associations only from clients that support one of the
mandatory:
6.0,12.0,24.0
mandatory rates.
beacon-rate: 6.0
2 Mbps for 802.11b/g).
multicast-rate: auto
Sends multicast data at the highest rate that can reach all
disabled: none
clients connected to the radio.
802.11b:
mandatory: 1.0,2.0
beacon-rate: 2.0
Sends beacons at the specified rate (6 Mbps for 802.11a,
Accepts frames from clients at all valid data rates. (No rates
are disabled by default.)
disabled: none
802.11g:
mandatory:
1.0,2.0,5.5,11.0
beacon-rate: 2.0
disabled: none
user-idle-timeout
180
Allows a client to remain idle for 180 seconds (3 minutes)

before MSS changes the clients session to the Disassociated
state.
325
Table 43.Defaults for Service Profile Parameters (continued)

Parameter
Default Value
web-portal-acl
portalacl
If set to portalacl and the service profile fallthru is set to
This is the default only if
web-portal, radios use the portalacl ACL to filter traffic for
the fallthru type on the
Web Portal users during authentication.
service profile has been
If the fallthru type is web-portal but web-portal-acl is set to
set to web-portal.
an ACL other than portalacl, the other ACL is used.
Otherwise, the value is
If the fallthru type is not web-portal, radios do not use the
unconfigured.
web-portal-acl setting.
web-portal-form
Not configured
For WebAAA users, serves the Juniper Networks login page.
web-portal-logout
none
If set to logout-url, you can define a custom URL that allows a

client to log out of the network. To enable this feature, use the
mode option and then enable.

web-portal-session-
timeout
Allows a Web Portal WebAAA session to remain in the

Deassociated state 5 seconds before being terminated
automatically.
wep key-index
No keys defined
Uses dynamic WEP rather than static WEP.

If you configure a WEP key for static WEP, MSS continues to
also support dynamic WEP.
wep active-multicast-index
Uses WEP key 1 for static WEP encryption of multicast traffic

if WEP encryption is enabled and keys are defined.
wep active-unicast-index
Uses WEP key 1 for static WEP encryption of unicast traffic if

WEP encryption is enabled and keys are defined.
wpa-ie
disable
Does not use the WPA IE in transmitted frames.
Access Enabled.
Version 3.0
Command introduced.
Version 7.0
The option static-cos was removed.
Usage You must configure the service profile before you can map it to a radio profile. You can
map the same service profile to more than one radio profile.
You must disable all radios that use a radio profile before you can change parameters in the
Examples The following command maps service-profile wpa_clients to radio profile rp2:
WLC# set radio-profile rp2 service-profile wpa_clients
See Also
set service-profile [rsn-ie | wpa-ie] auth-dot1x on page 331
326

set service-profile [rsn-ie | wpa-ie ]cipher-ccmp on page 337
set service-profile [rsn-ie | wpa-ie] cipher-tkip on page 338
set service-profile [rsn-ie | wpa-ie] cipher-wep104 on page 338
set service-profile [rsn-ie | wpa-ie ] cipher-wep40 on page 339
set service-profile [rsn-ie | wpa-ie] psk-phrase on page 348
set service-profile web-portal-session-timeout on page 362
set service-profile wep active-multicast-index on page 363
set service-profile wep active-unicast-index on page 363
set radio-profile snoop

Adds a configured snoop filter to the radio profile.
327
Syntax set radio-profile profile-name snoop snoop-filter

profile-name
Name of the radio-profile.
snoop-filter
Name of the snoop filter to add to the radio profile.
Defaults None
Access Enabled
set radio-profile wmm

Deprecated in MSS Version 4.2. To enable or disable WMM, see set radio-profile qos-mode on
page 320.
set radio-profile wmm-powersave

Enables Unscheduled Automatic Powersave Delivery (U-APSD) on MP radios managed by the
radio profile. U-APSD enables WMM clients that use powersave mode to more efficiently request
buffered unicast packets from MP radios.
When U-APSD is enabled, a client can retrieve buffered unicast packets for a traffic priority
enabled for U-APSD by sending a QoS data or QoS-Null frame for that priority. U-APSD can be
enabled for individual traffic priorities, for individual clients, based on the clients request. A client
enables U-APSD for a traffic priority by indicating this preference when (re)associating with the MP
radio.
A client can but is not required to request U-APSD for all four traffic priorities. The MP radio still
buffers packets for all traffic priorities even if the client does not request U-APSD for them.
However, to retrieve buffered packets for priorities not using U-APSD, a client must send a
separate PSpoll for each buffered packet.
Syntax set radio-profile name wmm-powersave {enable | disable}
name
Radio profile name.
enable
Enables U-APSD.
disable
Disables U-APSD.
Defaults U-APSD is disabled by default.

Access Enabled.
Usage U-APSD is supported only for QoS mode WMM. If WMM is not enabled on the radio
profile, use the set radio-profile qos-mode command to enable it.
Examples The following command enables U-APSD on radio profile rp1:
WLC# set radio-profile rp1 wmm-powersave enable
See Also
328

set service-profile 11n

Configures maximum MPDU and MSDU packet length, frame aggregation for 802.11n and the
short guard interval for 11n network traffic.
Syntax set service-profile profile-name 11n a-mpdu-max-length [ 8K | 16K |
32K | 64K] a-msdu-max-length [4K | 8K] frame-aggregation [msdu | mpdu |
all | disable] mode-na [enable | disable |required] mode-ng [enable |
disable |required] short-guard-interval [enable | disable]
profile-name
Name of the service profile.
a-mpdu-max-length
Configures the length of the MPDU packet in kilobytes. Select from 8,

16, 32, or 64K.
a-msdu-max-length
Configures the length of the MSDU packet in kilobytes. Select from 8,

16, 32, or 64K.
frame-aggregation
Enables aggregation of MPDU and MSDU packets. Select either

MPDU or MSDU or all. You can also disable this option.
mode-na
Set the 11n mode to na for the profile.
mode-ng
Set the 11n mode to ng for the profile.
short-guard-interv Configure this option to prevent inter-symbol interference on the

al
802.11n network.
Defaults None
Access Enabled
History
Version 7.0
Command introduced.
Version 7.1
Options mode-na and mode-ng added.
set service-profile active-call-idle-timeout

Set the length of time that a VoIP connection can be idle before the connection times out on the
network.
Syntax set service-profile profile-name active-call-idle-timeout timeout
profile-name
timeout
Configures the length of in seconds. You can set this to a value from
20 to 300.
Defaults None
Access Enable
329
set service-profile attr

Configures authorization attributes that are applied by default to users accessing the SSID
managed by the service profile. These SSID default attributes are applied in addition to any
supplied by the RADIUS server or from the local database.
Syntax set service-profile profile-name attr attribute-name value
profile-name
Name and value of an attribute you are using to authorize SSID users
for a particular service or session characteristic.
For a list of authorization attributes and values that you can assign to
network users, see Table 31 on page 206. All of the attributes listed in
Table 31 can be used with this command except ssid.
Defaults By default, a service profile does not have any authorization attributes set.
Access Enabled.
MSS Version 4.1
Command introduced.
MSS Version 7.0
Attribute simultaneous-login added.
Usage To change the value of a default attribute for a service profile, use the set service-profile
attr command and specify a new value.
The SSID default attributes are applied in addition to any attributes supplied for the user by the
RADIUS server or the local database. When the same attribute is specified both as an SSID
default attribute and through AAA, then the attribute supplied by the RADIUS server or the local
database takes precedence over the SSID default attribute. If a location policy is configured, the
location policy rules also take precedence over SSID default attributes. The SSID default attributes
serve as a fallback when neither the AAA process, nor a location policy, provides them.
For example, a service profile might be configured with the service-type attribute set to 2. If a user
accessing the SSID is authenticated by a RADIUS server, and the RADIUS server returns the
vlan-name attribute set to orange, then that user has a total of two attributes set: service-type
and vlan-name.
If the service profile is configured with the vlan-name attribute set to blue, and the RADIUS server
returns the vlan-name attribute set to orange, then the attribute from the RADIUS server takes
precedence; the user is placed in the orange VLAN.
You can display the attributes for each connected user and if they are set through AAA or through
SSID defaults by entering the show sessions network verbose command. You can display the
configured SSID defaults by entering the show service-profile command.
Examples The following command assigns users accessing the SSID managed by service profile
sp2 to VLAN blue:
WLC# set service-prof sp2 attr vlan-name blue
330

The following command assigns users accessing the SSID managed by service profile sp2 to the
Mobility Profile tulip.
WLC# set service-prof sp2 attr mobility-profile tulip
The following command limits the days and times when users accessing the SSID managed by
service profile sp2 can access the network, to 5 p.m. to 2 a.m. every weekday, and all day
Saturday and Sunday:
WLC# set service-prof sp2 attr time-of-day Wk1700-0200,Sa,Su
See Also
show sessions network on page 532
set service-profile [rsn-ie | wpa-ie] auth-dot1x

Disables or reenables 802.1X authentication of Wi-Fi Protected Access (WPA) clients by MP
radios, when the WPA information element (IE) is enabled in the service profile that is mapped to
the radio profile for the radios.
Syntax set service-profile profile-name [rsn-ie | wpa-id] auth-dot1x
{enable | disable}
profile-name
enable
Enables 802.1X authentication of WPA clients.
disable
Disables 802.1X authentication of WPA clients.
Defaults When the WPA IE is enabled, 802.1X authentication of WPA clients is enabled by
default. If the WPA IE is disabled, the auth-dot1x setting has no effect.
Access Enabled.
Usage This command does not disable dynamic WEP for non-WPA clients. To disable dynamic
WEP for non-WPA clients, enable the WPA IE (if not already enabled) and disable the 40-bit WEP
and 104-bit WEP cipher suites in the WPA IE, if they are not already disabled.
To use 802.1X authentication for WPA clients, you also must enable the WPA IE.
If you disable 802.1X authentication of WPA clients, the only method available for authenticating
the clients is preshared key (PSK) authentication. To use this, you must enable PSK support and
configure a passphrase or key.
Examples The following command disables 802.1X authentication for WPA clients that use service
profile wpa_clients:
WLC# set service-profile wpa_clients auth-dot1x disable
See Also
331

set service-profile [rsn-id | wpa-ie] auth-fallthru

Specifies the authentication type for users who do not match an 802.1X or MAC authentication
rule for an SSID managed by the service profile. When a user tries to associate with an SSID,
MSS checks the authentication rules for that SSID for a userglob that matches the username. If
the SSID does not have an authentication rule that matches the username, authentication for the
user falls through to the fallthru type.
The fallthru type is a service profile parameter, and applies to all radios within the radio profiles
that are mapped to the service profile.
Syntax set service-profile name [rsn-id | wpa-ie] auth-fallthru
{last-resort | none | web-portal}
last-resort
Automatically authenticates the user and allows access to the SSID

requested by the user, without requiring a username and password.
none
Denies authentication and prohibits the user from accessing the SSID.
The fallthru authentication type none is different from the authentication
method none you can specify for administrative access. The fallthru
authentication type none denies access to a network user. In contrast, the
authentication method none allows access to the WLC by an administrator.
(See set authentication admin on page 1186 and set authentication
console on page 1188.)
web-portal
Serves the user a web page from the WLC nonvolatile storage for secure
login to the network.
Defaults The default fallthru authentication type is none.

If a username does not match a userglob in an authentication rule for the SSID requested by the
user, the WLC managing the radio that the user is connected to redirects the user to a Web page
located on the WLC. The user must type a valid username and password on the Web page to
access the SSID.
Access Enabled.
History
Version 1.0
Command introduced.
Version 4.0
Option for WebAAA fallthru authentication type changed from web-auth to

web-portal.
Default changed to none.
332
Usage The last-resort fallthru authentication type allows any user to access any SSID managed
by the service profile. This method does not require the user to provide a username or password.
Use the last-resort method only if none of the SSIDs managed by the service profile require
secure access.
The web-portal authentication type also requires additional configuration items. (See the
Configuring AAA for Network Users chapter of the Juniper Mobility System Software Users
Guide.)
Examples The following command sets the fallthru authentication type for SSIDS managed by the
service profile rnd_lab to web-portal:
WLC# set service-profile rnd_lab auth-fallthru web-portal
See Also
set service-profile [rsn-ie | wpa-ie] auth-psk

Enables pre-shared key (PSK) authentication of Wi-Fi Protected Access (WPA) clients by MP
radios in a radio profile, when the WPA information element (IE) is enabled in the service profile.
Syntax set service-profile name [rsn-id | wpa-ie] auth-psk
{enable | disable}
name
enable
Enables PSK authentication of WPA clients.
disable
Disables PSK authentication of WPA clients.
Defaults When the WPA IE is enabled, PSK authentication of WPA clients is enabled by default. If
the WPA IE is disabled, the auth-psk setting has no effect.
Access Enabled.
Usage This command affects authentication of WPA clients only.
To use PSK authentication, you also must configure a passphrase or key. In addition, you must
enable the WPA IE.
Examples The following command enables PSK authentication for service profile wpa_clients:
WLC# set service-profile wpa_clients auth-psk enable
See Also
333
set service-profile beacon

Disables or reenables beaconing of the SSID managed by the service profile.
An MP radio responds to an 802.11 probe any request with only the beaconed SSID(s). For a
nonbeaconed SSID, radios respond only to directed 802.11 probe requests that match the
nonbeaconed SSIDs SSID string.
When you disable beaconing for an SSID, the radio still sends beacon frames, but the SSID name
in the frames is blank.
Syntax set service-profile name beacon {enable | disable}
name
enable
Enables beaconing of the SSID managed by the service profile.
disable
Disables beaconing of the SSID managed by the service profile.
Defaults Beaconing is enabled by default.

Access Enabled.
Examples The following command disables beaconing of the SSID managed by service profile
sp2:
WLC# set service-profile sp2 beacon disable
See Also
334
set service-profile bridging

Enables wireless bridging for a service profile configured for WLAN mesh services.
Syntax set service-profile service-profile bridging {enable | disable}
service-profile
Mesh service profile name.
enable
Enables wireless bridging for the service profile.
disable
Enables wireless bridging for the service profile.
Defaults None.
Access Enabled.
Usage WLAN mesh services can be used in a wireless bridge configuration, implementing MPs
as bridge endpoints in a transparent Layer 2 bridge. A typical application of wireless bridging is to
provide network connectivity between two buildings using a wireless link.
When wireless bridging is enabled for a service profile, the MPs with the applied service profile
serve as bridge peers. When a Mesh AP associates with a Mesh Portal AP through this service
profile, the Mesh Portal AP automatically configures the Mesh AP to operate in bridge mode.
Examples The following command enables wireless bridging on service profile sp1:
WLC# set service-profile sp1 bridging enable
See Also
set service-profile cac-mode

Configures the Call Admission Control (CAC) mode.
Syntax set service-profile profile-name cac-mode {none | session | voip-call}
profile-name
none
CAC is not used.
session
CAC is based on the number of active sessions.
voip-call
CAC is based on VoIP calls.
Defaults The default CAC mode is none.

Access Enabled.
History
335
MSS Version 4.2
Command introduced.
MSS Version 7.1
Added option voip-call.
Examples The following command enables session-based CAC on service profile sp1:
WLC# set service-profile sp1 cac-mode session
See Also
set service-profile cac-session

Specifies the maximum number of active sessions a radio can have when session-based CAC is
enabled. When an MP radio has reached the maximum allowed number of active sessions, the
radio refuses connections from additional clients.
Syntax set service-profile profile-name cac-session max-sessions
profile-name
max-sessions
Maximum number of active sessions allowed on the radio.
Defaults The default number of sessions allowed is 14.

Access Enabled.
Usage This command applies only when the CAC mode is session. If the CAC mode is none,
you can still change the maximum number of sessions, but the setting does not take effect until
you change the CAC mode to session. To change the CAC mode, use the set service-profile
cac-mode command.
Examples The following command changes the maximum number of sessions for radios used by
service profile sp1 to 10:
WLC# set service-profile sp1 cac-session 10
See Also
336
set service-profile cac-voip-call

Configures the maximum number of VoIP calls for a service profile.
Syntax set service-profile profile-name cac-voip-call max-voip-calls
profile-name
max-voip-calls
Configure between 0 and 500 calls allowed on the service profile.
Defaults None
Access Enabled
Examples To set the maximum number of VoIP calls for a service profile, use the following
command:
WLC# set service-profile corpbusiness cac-voip-call 100
set service-profile [rsn-ie | wpa-ie ]cipher-ccmp

Enables Counter with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
encryption with WPA clients, for a service profile.
Syntax set service-profile name [rsn-ie | wpa-ie] cipher-ccmp
{enable | disable}
name
enable
Enables CCMP encryption for WPA clients.
disable
Disables CCMP encryption for WPA clients.
Defaults CCMP encryption is disabled by default.

Access Enabled.
History
MSS Version 3.0
Command introduced.
MSS Version 7.1
Moved command to rsn-ie and wpa-ie as part of

the mixed cipher feature.
Usage To use CCMP, you must also enable the WPA IE.
Examples The following command configures service profile sp2 to use CCMP encryption:
WLC# set service-profile sp2 cipher-ccmp enable
See Also
337
set service-profile [rsn-ie | wpa-ie] cipher-tkip

Disables or reenables Temporal Key Integrity Protocol (TKIP) encryption in a service profile.
Syntax set service-profile name [ rsn-ie | wpa-ie] cipher-tkip
{enable | disable}
name
enable
Enables TKIP encryption for RSN or WPA clients.
disable
Disables TKIP encryption for RSN or WPA clients.
Defaults When RNS IE or WPA IE is enabled, you can enable TKIP encryption. It is disabled by
default.
Access Enabled.
History
MSS Version 3.0
Command introduced.
MSS Version 7.1
Moved command to rsn-ie and wpa-ie as part of the mixed cipher

feature.
Usage To use TKIP, you must also enable the WPA IE.
Examples The following command disables TKIP encryption in service profile sp2:
WLC# set service-profile sp2 wpa-ie cipher-tkip disable
See Also
set service-profile [rsn-ie | wpa-ie] cipher-wep104

Enables dynamic Wired Equivalent Privacy (WEP) with 104-bit keys, in a service profile.
Syntax set service-profile name [rsn-ie | wpa-ie] cipher-wep104
{enable | disable}
338
name
enable
Enables 104-bit WEP encryption for RSN or WPA clients.
disable
Disables 104-bit WEP encryption for RNS or WPA clients.
Defaults 104-bit WEP encryption is disabled by default.

Access Enabled.
History
MSS Version 3.0
Command introduced.
MSS Version 7.1
Moved command to rsn-ie and wpa-ie as part of the mixed cipher

feature.
Usage To use 104-bit WEP with RSN or WPA clients, you must also enable RSN-IE or WPA IE.
When 104-bit WEP in RSN or WPA is enabled in the service profile, radios managed by a radio
profile that is mapped to the service profile can also support non-RSN or non-WPA clients that use
dynamic WEP.
To support WPA clients that use 40-bit dynamic WEP, you must enable WEP with 40-bit keys. Use
the set service-profile wpa-ie cipher-wep40 command.
Microsoft Windows XP does not support WEP with WPA. To configure a service profile to provide
dynamic WEP for XP clients, leave WPA disabled and use the set service-profile wep
commands.
To support non-WPA clients that use static WEP, you must configure static WEP keys. Use the set
service-profile wep command.
Examples The following command configures service profile sp2 to use 104-bit WEP encryption:
WLC# set service-profile sp2 wpa-ie cipher-wep104 enable
See Also
set service-profile [rsn-ie | wpa-ie ] cipher-wep40

Enables dynamic Wired Equivalent Privacy (WEP) with 40-bit keys, in a service profile.
Syntax set service-profile name [rsn-ie | wpa-ie] cipher-wep40
{enable | disable}
name
enable
Enables 40-bit WEP encryption for RSN or WPA clients.
disable
Disables 40-bit WEP encryption for RSN or WPA clients.
Defaults 40-bit WEP encryption is disabled by default.

339
Access Enabled.
History
MSS Version 3.0
Command introduced.
MSS Version 7.1
Command moved to rsn-ie and wpa-ie to support mixed ciphers on

a service profile.
Usage To use 40-bit WEP with RNS or WPA clients, you must also enable RSN IE or WPA IE.
When 40-bit WEP in RSN or WPA is enabled in the service profile, radios managed by a radio
profile that is mapped to the service profile can also support non-WPA clients that use dynamic
WEP.
To support WPA clients that use 104-bit dynamic WEP, you must enable WEP with 104-bit keys in
the service profile. Use the set service-profile wpa-ie cipher-wep104 command.
Microsoft Windows XP does not support WEP with WPA. To configure a service profile to provide
dynamic WEP for XP clients, leave WPA disabled and use the set service-profile wep
commands.
To support non-WPA clients that use static WEP, you must configure static WEP keys. Use the set
service-profile wep key-index command.
Examples The following command configures service profile sp2 to use 40-bit WEP encryption:
WLC# set service-profile sp2 wpa-ie cipher-wep40 enable
See Also
set service-profile cos

Sets the Class-of-Service (CoS) level for static CoS.
Syntax set service-profile profile-name cos cos
profile-name
cos
CoS value assigned by the MP to all traffic in the service profile.
Defaults The default static CoS level is 0.

Access Enabled.
340
Usage This command applies only when static CoS is enabled. If static CoS is disabled,
prioritization is based on the QoS mode configured in the radio profile, and on any ACLs that set
CoS. (See the Configuring Quality of Service chapter of the Juniper Mobility System Software
Configuration Guide.) To enable static CoS, use the set service-profile static-cos command.
Examples The following command changes the static CoS level to 7 (voice priority):
WLC# set service-profile sp1 cos 7
See Also
set service-profile dhcp-restrict

Enables or disables DHCP Restrict on a service profile. DHCP Restrict filters the traffic from a
newly associated client and allows DHCP traffic only, until the client has been authenticated and
authorized. All other traffic is captured by the WLC and is not forwarded. After the client is
successfully authorized, the traffic restriction is removed.
Syntax set service-profile profile-name dhcp-restrict {enable | disable}
profile-name
enable
Enables DHCP Restrict.
disable
Disables DHCP Restrict.
Defaults DHCP Restrict is disabled by default.

Access Enabled.
Usage To further reduce the overhead of DHCP traffic, use the set service-profile no-broadcast
command to disable DHCP broadcast traffic from MP radios to clients on the service profiles
SSID.
Examples The following command enables DHCP Restrict on service profile sp1:
WLC# set service-profile sp1 dhcp-restrict enable
See Also
341
set service-profile dot1x-handshake-timeout

Configure the number of milliseconds before the dot1X handshake message is retransmitted.
Syntax set service-profile profile-name dot1X-handshake-timeout timeout
profile-name
timeout
Enter a value from 20 to 5000 seconds. Enter 0 to use the

global dot1x value.
Defaults None
Access Enable
set service-profile idle-client-probing

Disables or reenables periodic keepalives from MP radios to clients on a service profiles SSID.
When idle-client probing is enabled, the MP radio sends a unicast null-data frame to each client
every 10 seconds. Normally, a client that is still active sends an Ack in reply to the keepalive.
If a client does not send any data or respond to any keepalives before the user idle timeout
expires, MSS changes the client session to the Disassociated state.
Syntax set service-profile profile-name idle-client-probing {enable |
disable}
profile-name
enable
Enables keepalives.
disable
Disables keepalives.
Defaults Idle-client probing is enabled by default.

Access Enabled.
Usage The length of time a client can remain idle (unresponsive to idle-client probes) is specified
by the user-idle-timeout command.
Examples The following command disables idle-client keepalives on service profile sp1:
WLC# set service-profile sp1 idle-client-probing disable
See Also
342
set service-profile keep-initial-vlan

Configures MP radios managed by the radio profile to leave a roamed user on the VLAN assigned
by the WLC where the user logged on. When this option is disabled, a users VLAN is reassigned
by each WLC when a user roams.
Syntax set service-profile profile-name keep-initial-vlan {enable | disable}
profile-name
enable
Enables radios to leave a roamed user on the same VLAN instead of

reassigning the VLAN.
disable
Configures radios to reassign a roamed user VLAN.
Defaults This option is disabled by default.

Access Enabled.
Usage Even when this option is enabled, the WLC that a user roams to (the roamed-to WLC) can
reassign the VLAN in any of the following cases:
A location policy on the local WLC reassigns the VLAN.
The user is configured in the WLC local database and the VLAN-Name attribute is set on the
user or on a user group the user is in.
The access rule on the roamed-to WLC uses RADIUS, and the VLAN-Name attribute is set on
the RADIUS server.
Examples The following command enables the keep-initial-vlan option on service profile sp3:
WLC# set service-profile sp3 keep-initial-vlan enable
See Also show service-profile on page 404
set service-profile load-balancing-exempt

Exempts a service profile from performing RF load balancing.
Syntax set service-profile profile-name load-balancing-exempt {enable |
disable}
profile-name
enable
Exempts the specified service profile from RF load balancing.
disable
If a service profile has previously been exempted from RF load balancing,

restores RF load balancing for the service profile.
Defaults By default, MP radios automatically perform RF load balancing for all service profiles.
Access Enabled.
343
Usage Use this command to exempt a service profile from RF load balancing. Exempting a
service profile from RF load balancing means that if an MP radio is attempting to steer clients
away, the radio does not reduce or conceal the availability of the SSID named in the exempted
service profile. Even if a radio is withholding probe responses to manage the load, the radio does
respond to probes for an exempt SSID. Also, if an MP radio is withholding probe responses, and a
client probes for any SSID, and the radio has at least one exempt SSID, the radio responds to the
probe, but the response reveals only the exempt SSID(s).
Examples The following command exempts service profile sp3 from RF load balancing:
WLC# set service-profile sp3 load-balancing-exempt enable
See Also
set service-profile long-retry-count

Changes the long retry threshold for a service profile. The long retry threshold specifies the
number of times a radio can send a long unicast frame without receiving an acknowledgment. A
long unicast frame is a frame that is equal to or longer than the frag-threshold.
Syntax set service-profile name long-retry-count threshold
name
threshold
Number of times the radio can send the same long unicast frame. You can
enter a value from 1 through 15.
Defaults The default long unicast retry threshold is 5 attempts.

Access Enabled.
Examples The following command changes the long retry threshold for service profile sp1 to 8:
WLC# set service-profile sp1 long-retry-count 8
See Also
344
set service-profile max-bw

Configures the maximum bandwidth for a service profile.
Syntax set service-profile profile-name max-bw max-bw-kb
profile-name
max-bw-kb
Configure a bandwidth from 1-300000 Kbps. 0 = unlimited bandwith
Defaults None
Access Enabled
Usage Use this command to configure specific bandwidth requirements for a service profile. Once
configured, the service profile can be mapped to a specific radio profile.
set service-profile mesh

Creates a service profile for use with WLAN mesh services.
Syntax set service-profile name mesh mode {enable | disable}
name
enable
Enables mesh services for the service profile.
disable
Disables mesh services for the service profile.
Defaults None.
Access Enabled.
Usage Use this command to configure mesh services for a service profile. Once configured, the
service profile can then be mapped to a radio profile that manages a radio on the Mesh Portal MP,
which then allows a Mesh Portal AP to beacon a mesh services SSID to Mesh APs.
Examples The following command enables mesh services for service profile sp1:
WLC# set service-profile sp1 mesh mode enable
See Also
345
set service-profile no-broadcast

Disables or reenables the no-broadcast mode. The no-broadcast mode helps reduce traffic
overhead on an SSID by having more SSID bandwidth available for unicast traffic. The
no-broadcast mode also helps VoIP handsets conserve power by reducing the amount of
broadcast traffic sent to the phones.
When enabled, the no-broadcast mode prevents MP radios from sending DHCP or ARP
broadcasts to clients on the service profile SSID. Instead, an MP radio processes the traffic as
follows:
ARP requestsIf the SSID has clients with IP addresses that the WLC does not already know,
the WLC allows the MP radio to send the ARP request as a unicast to only those stations with
unknown addresses on the WLC. The MP radio does not forward the ARP request as a
broadcast and does not send the request as a unicast to stations whose addresses the WLC
already knows.
DHCP Offers or AcksIf the destination MAC address belongs to a client on the SSID, the MP
radio sends the DHCP Offer or Ack as a unicast to that client only.
The no-broadcast mode does not affect other types of broadcast traffic and does not prevent
clients from sending broadcasts.
Syntax set service-profile name no-broadcast {enable | disable}
name
enable
Enables the no-broadcast mode. MP radios are not allowed to send

broadcast traffic to clients on the SSID of the service profile.
disable
Disables the no-broadcast mode.
Defaults The no-broadcast mode is disabled by default. (Broadcast traffic not disabled.)
Access Enabled.
Usage To further reduce ARP traffic on a service profile, use the set service-profile proxy-arp
command to enable Proxy ARP.
Examples The following command enables the no-broadcast mode on service profile sp1:
WLC# set service-profile sp1 no-broadcast enable
See Also
346
set service-profile proxy-arp

Enables proxy ARP. When proxy ARP is enabled, the WLC replies to ARP requests for client IP
address on behalf of the clients. This feature reduces broadcast overhead on a service profile
SSID by eliminating ARP broadcasts from MP radios to the SSID clients.
If the ARP request is for a client with an IP address not on the WLC, the WLC allows MP radios to
send the ARP request to clients. If the no-broadcast mode is also enabled, the MP radios send the
ARP request as a unicast to only the clients with unknown addresses on the WLC. However, if
no-broadcast mode is disabled, the MP radios sends the ARP request as a broadcast to all clients
on the SSID.
Syntax set service-profile profile-name proxy-arp {enable | disable}
profile-name
enable
Enables proxy ARP.
disable
Disables proxy ARP.
Defaults Proxy ARP is disabled by default.

Access Enabled.
Usage To further reduce broadcast traffic on a service profile, use the set service-profile
no-broadcast command to disable DHCP and ARP request broadcasts.
Examples The following command enables proxy ARP on service profile sp1:
WLC# set service-profile sp1 proxy-arp enable
See Also
set service-profile [rsn-ie | wpa-ie] psk-encrypted

Configures an encrypted passphrase for preshared key (PSK) authentication to use when
authenticating RSN or WPA clients, in a service profile.
Syntax set service-profile profile-name [rsn-ie | wpa-ie] psk-encrypted
passphrase
profile-name
rsn-ie |
wpa-ie
Enable psk-encryption on RSN IE or WPA IE clients.
passphrase
Defaults None
347
Access Enabled
set service-profile [rsn-ie | wpa-ie] psk-phrase

Configures a passphrase for preshared key (PSK) authentication to use for authenticating WPA
clients, in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique
pairwise session keys for individual WPA clients.
Syntax set service-profile profile-name [rsn-ie | wpa-ie] psk-phrase passphrase
profile-name
rsn-ie |
wpa-ie
passphrase
Defaults None.
Access Enabled.
History
MSS Version 3.0
Command introduced.
MSS Version 7.1
Command moved to rsn-ie and wpa-ie as part of the mixed cipher

feature.
Usage MSS converts the passphrase into a 256-bit binary number for system use and a raw
hexadecimal key to store in the WLC configuration. Neither the binary number nor the passphrase
is ever displayed in the configuration.
To use PSK authentication, you must enable it and you also must enable the WPA IE.
Examples The following command configures service profile sp3 to use passphrase
1234567890123<>?=+&% The quick brown fox jumps over the lazy dog:
WLC# set service-profile sp3 wpa-ie psk-phrase "1234567890123<>?=+&% The
quick brown fox jumps over the lazy dog"
See Also
348
set service-profile [rsn-ie | wpa-ie] psk-raw

Configures a raw hexadecimal preshared key (PSK) to use for authenticating RSN or WPA clients,
in a service profile. Radios use the PSK as a pairwise master key (PMK) to derive unique pairwise
session keys for individual WPA clients.
Syntax set service-profile profile-name [rsn-ie | wpa-ie] psk-raw hex
profile-name
rsn-ie |
wpa-ie
hex
A 64-bit ASCII string representing a 32-digit hexadecimal number. Enter the

two-character ASCII form of each hexadecimal number.
Defaults None.
Access Enabled.
History
MSS Version 3.0
Command introduced.
MSS Version 7.1
Command moved to rsn-ie and wpa-ie as part of the mixed cipher

feature.
Usage MSS converts the hexadecimal number into a 256-bit binary number for system use. MSS
also stores the hexadecimal key in the WLC configuration. The binary number is never displayed
in the configuration.
To use PSK authentication, you must enable it and you also must enable RSN-IE or WPA IE.
Examples The following command configures service profile sp3 to use a raw PSK with PSK
clients:
WLC# set service-profile sp3 wpa-ie psk-raw
c25d3fe4483e867d1df96eaacdf8b02451fa0836162e758100f5f6b87965e59d
See Also
349
set service-profile rsn-ie

Enables the Robust Security Network (RSN) Information Element (IE).
The RSN IE advertises the RSN (sometimes called WPA2) authentication methods and cipher
suites supported by radios in the radio profile mapped to the service profile.
Syntax set service-profile profile-name rsn-ie {enable | disable}
auth-dot1x [enable | disable] auth-psk [enable | disable]
cipher-ccmp [enable | disable] cipher-tkip [enable | disable]
cipher-wep104 [enable | disable] cipher-40 [enable | disable]
profile-name
enable
Enables the RSN IE.
disable
Disables the RSN IE.
Defaults Disabled.
Access Enabled.
Usage When the RSN IE is enabled, you vsn enable the cipher suites you want the radios to
support.
Examples The following command enables the RSN IE in service profile sprsn:
WLC# set service-profile sprsn rsn-ie enable
See Also
set service-profile shared-key-auth

Enables shared-key authentication, in a service profile.
Informational Note: Use this command only if advised to do so by Juniper Networks. This command does
not enable preshared key (PSK) authentication for Wi-Fi Protected Access (WPA). To enable PSK encryption
for WPA, use the set service-profile auth-psk command.
Syntax set service-profile profile-name shared-key-auth {enable | disable}
350
profile-name
enable
Enables shared-key authentication.
disable
Disables shared-key authentication.

Defaults Disabled.
Access Enabled.
Usage Shared-key authentication is supported only for encrypted SSIDs. In addition, if you enable
shared-key authentication, RSN, WPA, TKIP, and CCMP must be disabled. By default, RSN, WPA,
and CCMP are already disabled, but TKIP is enabled; you must manually disable TKIP. To disable
TKIP, use the set service-profile cipher-tkip disable command.
Examples The following command enables shared-key authentication in service profile sp4:
WLC# set service-profile sp4 shared-key-auth enable
See Also
set service-profile short-retry-count

Changes the short retry threshold for a service profile. The short retry threshold specifies the
number of times a radio can send a short unicast frame without receiving an acknowledgment. A
short unicast frame is a frame that is shorter than the frag-threshold.
Syntax set service-profile profile-name short-retry-count threshold
profile-name
threshold
Number of times a radio can send the same short unicast frame. You can
enter a value from 1 through 15.
Defaults The default short unicast retry threshold is 5 attempts.

Access Enabled.
Examples The following command changes the short retry threshold for service profile sp1 to 3:
WLC# set service-profile sp1 short-retry-count 3
See Also
set service-profile ssid-name

Configures the SSID name in a service profile.
351
Syntax set service-profile profile-name ssid-name ssid-name

profile-name
ssid-name
Name of up to 32 alphanumeric characters.

You can include blank spaces in the name, if you delimit the name with single
or double quotation marks. You must use the same type of quotation mark
(either single or double) on both ends of the string.
Defaults The default SSID type is crypto (encrypted) and the default name is Juniper.
Access Enabled.
History
Version 3.0
Command introduced
Version 4.0
Support added for blank spaces in the SSID name.
Examples The following command applies the name guest to the SSID managed by service profile
clear_wlan:
WLC# set service-profile clear_wlan ssid-name guest
The following command applies the name corporate users to the SSID managed by service profile
mycorp_srvcprf:
WLC# set service-profile mycorp_srvcprf ssid-name corporate users
See Also
set service-profile ssid-type

Specifies whether the SSID managed by a service profile is encrypted or unencrypted.
Syntax set service-profile profile-name ssid-type [clear | crypto]
profile-name
clear
Wireless traffic for the service profiles SSID is not

encrypted.
crypto
Wireless traffic for the service profiles SSID is encrypted.
Defaults The default SSID type is crypto.

Access Enabled.
Examples The following command changes the SSID type for service profile clear_wlan to clear:
WLC# set service-profile clear_wlan ssid-type clear
352

See Also
set service-profile static-cos

Enables or disables static CoS on a service profile. Static CoS assigns the same CoS level to all
traffic on the service profile SSID, regardless of 802.1p or DSCP markings in the packets
themselves, and regardless of any ACLs that mark CoS. This option provides a simple way to
configure an SSID for priority traffic such as VoIP traffic.
When static CoS is enabled, the standard MSS prioritization mechanism is not used. Instead, the
MP sets CoS as follows:
For traffic from the MP to clients, the MP places the traffic into the forwarding queue that
corresponds to the CoS level configured on the service profile. For example, if the static CoS
level is set to 7, the MP radio places client traffic in its Voice queue.
For traffic from clients to the network, the MP marks the DSCP value in the IP headers of the
tunnel packets used to carry the user data from the MP to the WLC.
Syntax set service-profile profile-name static-cos {enable | disable}
profile-name
enable
Enables static CoS on the service profile.
disable
Disables static CoS on the service profile.
Defaults Static CoS is disabled by default.

Access Enabled.
History
MSS Version 4.2
Command introduced.
MSS Version 7.1
Command deprecated.

Usage The CoS level is specified by the set service-profile cos command.
Examples The following command enables static CoS on service profile sp1:
WLC# set service-profile sp1 static-cos enable
See Also
353
set service-profile tkip-mc-time

Changes the length of time that MP radios use countermeasures if two message integrity code
(MIC) failures occur within 60 seconds. When countermeasures are in effect, MP radios dissociate
all TKIP and WPA WEP clients and refuse all association and reassociation requests until the
countermeasures end.
Syntax set service-profile profile-name tkip-mc-time wait-time
profile-name
tkip-mc-time
Number of milliseconds (ms) countermeasures remain in effect. You can

specify from 0 to 60,000.
Defaults The default countermeasures wait time is 60,000 ms (60 seconds).

Access Enabled.
Usage Countermeasures apply only to TKIP and WEP clients. This includes WPA WEP clients
and non-WPA WEP clients. CCMP clients are not affected.
The TKIP cipher suite must be enabled. The WPA IE also must be enabled.
Examples The following command changes the countermeasures wait time for service profile sp3
to 30,000 ms (30 seconds):
WLC# set service-profile sp3 tkip-mc-time 30000
See Also
set service-profile transmit-rates

Changes the data rates supported by MP radios for a service-profile SSID.
Syntax set service-profile profile-name transmit-rates {11a | 11b | 11g |
11na | 11ng} mandatory rate-list [disabled rate-list] [beacon-rate rate]
[multicast-rate {rate | auto}]
354
profile-name
11a | 11b | 11g | 11na

| 11ng
Radio type.
mandatory rate-list
Set of data transmission rates that clients are required to support in

order to associate with an SSID on an MP radio. A client must
support at least one of the mandatory rates.
These rates are advertised in the basic rate set of 802.11 beacons,
probe responses, and reassociation response frames sent by MP
radios.
Data frames and management frames sent by MP radios use one of
the specified mandatory rates.
The valid rates depend on the radio type:
11a6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0
11b1.0, 2.0, 5.5, 11.0
11g1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0
11na6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0, m0, m1, m2, m3, m4, m5, m6,
m7, m8, m9, m10, m11, m12, m13, m14, m15
11ng1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0, m0, m1, m2,
m3, m4, m5, m6, m7, m8, m9, m10, m11, m12, m13, m14, m15
Use a comma to separate multiple rates, for example: 6.0,9.0,12.0.

disabled rate-list
Data transmission rates that MP radios do not use to transmit data.

This setting applies only to data sent by the MP radios. The radios
still accepts frames from clients at disabled data rates.
The valid rates depend on the radio type and are the same as the
valid rates for mandatory.
beacon-rate rate
Data rate of beacon frames sent by MP radios. This rate is also used
for probe-response frames.
The valid rates depend on the radio type and are the same as the
valid rates for mandatory. However, you cannot set the beacon rate
to a disabled rate.
multicast-rate
{rate | auto}
Data rate of multicast frames sent by MP radios.

rateSets the multicast rate to a specific rate. The valid rates
depend on the radio type and are the same as the valid rates for
mandatory. However, you cannot set the multicast rate to a disabled
rate.
autoSets the multicast rate to the highest rate that can reach all
clients connected to the MP radio.
Defaults This command has the following defaults:

disabledNone. All rates applicable to the radio type are supported by default.
beacon-rate:
11a6.0
11b2.0
11g2.0
355
multicast-rateauto for all radio types.

Access Enabled.
History
MSS Version 4.2
Command introduced.
MSS Version 7.0
Default rates for the mandatory option were removed.
Usage If you disable a rate, you cannot use the rate as a mandatory rate or the beacon or
multicast rate. All rates that are applicable to the radio type and that are not disabled are
supported by the radio.
Examples The following command sets 802.11a mandatory rates for service profile sp1 to 6 Mbps
and 9 Mbps, disables rates 48 Mbps and 54 Mbps, and changes the beacon rate to 9 Mbps:
WLC# set service-profile sp1 transmit-rates 11a mandatory 6.0,9.0
disabled 48.0,54.0 beacon-rate 9.0
See Also
set radio-profile rate-enforcement on page 320
set service-profile use-client-dscp

Configures MSS to classify the QoS level of IP packets based on their DSCP value, instead of
their 802.11 priority.
Syntax set service-profile profile-name use-client-dscp {enable | disable}
profile-name
enable
Enables mapping QoS level from the DSCP level.
disable
Disables mapping QoS level from the DSCP level.
Defaults Disabled.
Access Enabled.
History
MSS Version 6.0
Command introduced.
MSS Version 7.3
Command deprecated.
Usage If this command is enabled in the service profile, the 802.11 QoS level is ignored, and MSS
classifies QoS level of IP packets based on their DSCP value.
Examples The following command enables mapping the QoS level of IP packets based on their
DSCP value for service profile sp1:
WLC# set service-profile sp1 use-client-dscp enable
See Also
356
show qos on page 99

set service-profile user-idle-timeout

Changes the number of seconds MSS has a session available for a client not sending data and is
not responding to keepalives (idle-client probes). If the timer expires, the client session is changed
to the Dissociated state.
The timer is reset to 0 each time a client sends data or responds to an idle-client probe. If the
idle-client probe is disabled, the timer is reset each time the client sends data.
Syntax set service-profile profile-name user-idle-timeout seconds
profile-name
seconds
Number of seconds a client is allowed to remain idle before MSS

changes the session to the Dissociated state. You can specify from
20 to 86400 seconds.
To disable the timer, specify 0.
Defaults The default user idle timeout is 180 seconds (3 minutes).

Access Enabled.
Examples The following command increases the user idle timeout to 360 seconds (6 minutes):
WLC# set service-profile sp1 user-idle-timeout 360
See Also
set service-profile web-portal-acl

Changes the ACL name MSS uses to filter Web-Portal user traffic during authentication.
Use this command if you create a custom Web-Portal ACL to allow more than just DHCP traffic
during authentication. For example, if you configure an ACL that allows a Web-Portal user to
access a credit card server, this command uses the custom ACL for Web-Portal users that
associate with the service profile SSID.
Syntax set service-profile profile-name web-portal-acl aclname
profile-name
aclname
Name of the ACL to use for filtering Web-Portal user traffic during
authentication.
357
Defaults By default, a service profile web-portal-acl option is unset. However, when you change
the service profile auth-fallthru option to web-portal, MSS sets the web-portal-acl option to
portalacl. (MSS automatically creates the portalacl ACL the first time you set any service profile
auth-fallthru option to web-portal.)
Access Enabled.
Usage The first time you set the service profile auth-fallthru option to web-portal, MSS sets the
web-portal-acl option to portalacl. The value remains portalacl even if you change the
auth-fallthru option again. To change the web-portal-acl value, you must use the set
service-profile web-portal-acl command.
The Web-Portal ACL applies only to users who log on using Web-Portal, and applies only during
authentication. After a Web-Portal user is authenticated, the Web-Portal ACL no longer applies.
ACLs and other user attributes assigned to the username are applied instead.
358
Examples The following command changes the Web-Portal ACL name to on service profile sp3 to
creditsrvr:
WLC# set service-profile sp3 web-portal-acl creditsrvr
See Also
set service-profile web-portal-form

Specifies a custom login page that loads for WebAAA users requesting the SSID managed by the
service profile.
Syntax set service-profile profile-name web-portal-form url
profile-name
url
WLC subdirectory name and HTML page name of the login page. Specify
the full path. For example, corpa-ssid/corpa.html.
Defaults The Juniper Networks Web login page is served by default.

Access Enabled.
History
Version 3.0
Command introduced.
Version 4.0
Option name changed from web-aaa-form to web-portal-form, to reflect

change to portal-based implementation.
Usage It is recommended that you create a subdirectory for the custom page and place all of the
files for the page in that subdirectory. Do not place the custom page in the root directory of the
WLC user file area.
If the custom login page includes gif or jpg images, their path names are interpreted relative to the
directory from which the page is served.
Informational Note: To use WebAAA, the fallthru authentication type in the service profile that manages
the SSID must be set to web-portal. To use WebAAA for a wired authentication port, edit the port configuration
with the set port type wired-auth command.
The web-portal authentication type also requires additional configuration items. (See the
Configuring AAA for Network Users chapter of the Juniper Mobility System Software
Configuration Guide.)
Examples The following commands create a subdirectory named corpa, copy a custom login page
named corpa-login.html and a jpg image named corpa-logo.jpg into that subdirectory, and set the
Web login page for service profile corpa-service to corpa-login.html:
WLC# mkdir corpa
359
WLC# copy tftp://10.1.1.1/corpa-login.html corpa/corpa-login.html

success: received 637 bytes in 0.253 seconds [ 2517 bytes/sec]
WLC# copy tftp://10.1.1.1/corpa-logo.jpg corpa/corpa-logo.jpg
WLC# dir corpa
========================================================================
=======
file:
Filename
Size
file:corpa-login.html
15:42:26
file:corpa-logo.jpg
15:57:11
Total:
Created
637 bytes
Aug 12 2004,
1202 bytes
Aug 12 2004,
1839 bytes used, 206577 Kbytes free
WLC# set service-profile corpa-service web-portal-form

corpa/corpa-login.html
See Also
copy on page 589
dir on page 592
mkdir on page 598
set service-profile web-portal-logout logout-url

Specifies the URL that is requested when the user terminates a session in the Mobility Domain.
Syntax set service-profile profile-name web-portal-logout logout-url url
profile-name
url
Specifies the URL for the Web Portal logout feature. The URL should be of
the form https://host/logout.html.
Defaults By default, the logout URL uses the IP address of the WLC as the host part of the URL.
The host can be either an IP address or a hostname.
Access Enabled.
360
Usage Specifying the URL for the Web Portal logout feature is useful if you want to standardize
the URL across your network. For example, you can configure the logout URL on all of the WLC
switches in the Mobility Domain as wifizone.trpz.com/logout.html, where wifizone.trpz.com
resolves to one of the WLC switches in the Mobility Domain, ideally the seed.
To log out of the network, the user can click End Session in the window, or request the logout URL
directly.
Standardizing the logout URL serves as a backup means for the user to log out in case the
pop-under window is closed inadvertently. Note that if a user requests the logout URL, he or she
must enter a username and password in order to identify the session on the WLC. The username
and password are both required to identify the session. If there is more than one session with the
same username, then requesting the logout URL does not end any session.
Examples The following command configures the Web Portal logout URL as
wifizone.trpz.com/logout.html for service profile sp1.
WLC# set service-profile sp1 web-portal-logout logout-url
https://wifizone.trpz.com/logout.html
See Also
set service-profile web-portal-logout mode on page 361
set service-profile web-portal-logout mode

Enables the Web Portal logout functionality, so that a user can manually terminate his or her
session.
Syntax set service-profile profile-name web-portal-logout mode {enable |
disable}
profile-name
enable
Enables the Web Portal logout functionality
disable
Disables the Web Portal logout functionality.
Defaults Disabled.
Access Enabled.
Usage When Web Portal logout functionality is enabled, after a Web Portal WebAAA user is
successfully authenticated and redirected to the requested page, a pop-under window appears
behind the users browser. The window contains a button labeled End Session. When the user
clicks this button, a URL is requested that terminates the users session in the Mobility Domain.
This feature allows Web Portal users a way to manually log out of the network, instead of
automatically logging out when the Web Portal WebAAA session timeout period expires.
361
Examples The following command enables the Web Portal logout functionality for service profile
sp1.
WLC# set service-profile sp1 web-portal-logout mode enable
See Also
set service-profile web-portal-logout logout-url on page 360
set service-profile web-portal-session-timeout

Changes the number of seconds MSS allows Web Portal WebAAA sessions to remain in the
Deassociated state before being terminated automatically.
Syntax set service-profile name web-portal-session-timeout seconds
name
seconds
Number of seconds MSS allows Web Portal WebAAA sessions to

remain in the Deassociated state before being terminated
automatically. You can specify from 5 to 28800 seconds.
Defaults The default Web Portal WebAAA session timeout is 5 seconds.

Access Enabled.
Usage When a client that has connected through Web Portal WebAAA enters standby or
hibernation mode, the client may be idle for longer than the User idle-timeout period. When the
User idle-timeout period expires, MSS places the client Web Portal WebAAA session in the
Deassociated state. The Web Portal WebAAA session can remain in the Deassociated state for a
configurable amount of time before being terminated automatically. This configurable amount of
time is called the Web Portal WebAAA session timeout period. You can use this command to set
the number of seconds in the Web Portal WebAAA session timeout period.
Note that the Web Portal WebAAA session timeout period applies only to Web Portal WebAAA
sessions already authenticated with a username and password. For all other Web Portal WebAAA
sessions, the default Web Portal WebAAA session timeout period of 5 seconds is used.
Examples The following command allows Web Portal WebAAA sessions to remain in the
Deassociated state 180 seconds before being terminated automatically.
WLC# set service-profile sp1 web-portal-session-timeout 180
See Also
362
set service-profile wep active-multicast-index

Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting
multicast frames.
Syntax set service-profile profile-name wep active-multicast-index num
profile-name
num
WEP key number. You can enter a value from 1 through 4.
Defaults If WEP encryption is enabled and WEP keys are defined, MP radios use WEP key 1 to
encrypt multicast frames, by default.
Access Enabled.
Usage Before using this command, you must configure values for the WEP keys you plan to use.
Use the set service-profile wep key-index command.
Examples The following command configures service profile sp2 to use WEP key 2 for encrypting
multicast traffic:
WLC# set service-profile sp2 wep active-multicast-index 2
See Also
set service-profile wep active-unicast-index

Specifies the static Wired-Equivalent Privacy (WEP) key (one of four) to use for encrypting unicast
frames.
Syntax set service-profile profile-name wep active-unicast-index num
profile-name
num
WEP key number. You can enter a value from 1 through 4.
Defaults If WEP encryption is enabled and WEP keys are defined, MP radios use WEP key 1 to
encrypt unicast frames, by default.
Access Enabled.
Usage Before using this command, you must configure values for the WEP keys you plan to use.
Use the set service-profile wep key-index command.
Examples The following command configures service profile sp2 to use WEP key 4 for encrypting
unicast traffic:
WLC# set service-profile sp2 wep active-unicast-index 4
363
See Also
set service-profile wep key-index

Sets the value of one of four static Wired-Equivalent Privacy (WEP) keys for static WEP
encryption.
Syntax set service-profile profile-name wep key-index num key value
profile-name
key-index num
WEP key index. You can enter a value from 1 through 4.
key value
Hexadecimal value of the key. You can enter a 10-character ASCII string
representing a 5-byte hexadecimal number or a 26-character ASCII string
representing a 13-byte hexadecimal number. You can use numbers or
letters. ASCII characters in the following ranges are supported:
0 to 9
A to F
a to f
Defaults By default, no static WEP keys are defined.

Access Enabled.
Usage MSS automatically enables static WEP when you define a WEP key. MSS continues to
support dynamic WEP.
Examples The following command configures a 5-byte WEP key for key index 1 on service profile
sp2 to aabbccddee:
WLC# set service-profile sp2 wep key-index 1 key aabbccddee
See Also
364
set service-profile wpa-ie

Enables the WPA information element (IE) in wireless frames. The WPA IE advertises the WPA
authentication methods and cipher suites supported by radios in the radio profile mapped to the
service profile.
Syntax set service-profile profile-name wpa-ie {enable | disable}
auth-dot1x [enable | disable] auth-psk [enable | disable]
cipher-ccmp [enable | disable] cipher-tkip [enable | disable]
cipher-wep104 [enable | disable] cipher-40 [enable | disable]
profile-name
enable
Enables the WPA IE.
disable
Disables the WPA IE.
Defaults Disabled.
Access Enabled.
MSS Version 3.0
Command introduced.
MSS Version 7.1
Ciphers moved under this command to support

mixed ciphers per service profile.
Usage When the WPA IE is enabled, you can enable the cipher suites supported by the radios.
Examples The following command enables the WPA IE in service profile sp2:
WLC# set service-profile sp2 wpa-ie enable
See Also
show ap 11n-counters
Displays 802.11n statistics for 802.11n MPs.
Syntax show ap 11n-counters [apnum | radio [1 | 2]]
Defaults None
Access Enabled
365
Usage Displays channel width, data rates, HT modes, and Ethernet links for 802.11n MPs.
Examples Use the following command to display 802.11n statistics for all 802.11n MPs or a single
802.11n radio.
WLC# show ap 11n-counters 3 radio 1
AP: 9980
radio: 1
=================================
Packet stats:
Tx packets count:
999002
Rx packets count:
999001
40MHz Tx packets count:
999004
40MHz Rx packets count:
999003
Tx packets retry count:
999005
Client stats:
Assciated clients:
999006
11n clients:
999007
Powersave clients:
999008
SM powersave clients:
999009
A-MSDU Tx count:
999011
A-MPDU Tx count:
999017
A-MSDU Rx count:
999010
A-MPDU Rx count:
999016
A-MSDU Tx frame count:
999013
A-MPDU Tx frame count:
999019
A-MSDU Rx frame count:
999012
A-MPDU Rx frame count:
999018
A-MSDU retry count:
999014
A-MPDU retry count:
999020
Compound aggregates:
999022
Frame aggregation stats:
size(bytes)
Peak
<=4k
<=8k
<=16k
<=32k
<=64k
----------- ---------- ---------- ---------- ---------- ---------- ---------A-MPDU Tx:

999046
999026
999030
999034
999038
999042
A-MPDU Rx:
999045
999025
999029
999033
999037
999041
A-MSDU Tx:
999044
999024
999028
999032
999036
999040
A-MSDU Rx:
999043
999023
999027
999031
999035
999039
subframes
Peak
<=4k
<=8k
<=16k
<=32k
<=64k
----------- ---------- ---------- ---------- ---------- ---------- ----------
366
A-MPDU Tx:
999070
999050
999054
999058
999062
999066
A-MPDU Rx:
999069
999049
999053
999057
999061
999065
A-MSDU Tx:
999068
999048
999052
999056
999060
999064
A-MSDU Rx:
999067
999047
999051
999055
999059
999063
Table 44.11n Counter Output

Packet stats
Tx packets count Number of packets sent

Rx packets count Number of packets received
40MHz Tx packets count Number of packets sent on the 40 MHz channel
40MHz Rx packets count Number of packets received on the 40 MHz
channel
Tx Packet Retry count Number of packets resent
Client stats
Associated clients Number of clients on the radio

11n clients Number of 11n clients
Powersave clients Number of clients configured for powersave mode
SM powersave clients
Frame Aggregation stats
A-MSDU Tx count Number of MSDU packets sent

A-MSDU Rx count Number of MSDU packets received
A-MSDU Tx frame count Number of MSDU frames sent
A-MSDU Rx frame count Number of MSDU frames received
A-MSDU retry count Number of MSDU packets resent
A-MPDU Tx count Number of MPDU packets sent
A-MPDU Rx count Number of MPDU packets received
A-MPDU Tx frame count Number of MPDU frames sent
A-MPDU Rx frame count Number of MPDU frames received
Compound Aggregates The number of aggregated packets
size
A-MPDU Tx count Number of MSDU packets sent

A-MPDU Rx count Number of MSDU packets received
A-MSDU Tx count Number of MPDU packets sent
A-MSDU Rx count Number of MPDU packets received
Peak The largest size packet sent or received.
A-MPDU Tx count Number of MSDU packets sent
subframes
A-MPDU Rx count Number of MSDU packets received

A-MSDU Tx count Number of MPDU packets sent
A-MSDU Rx count Number of MPDU packets received
Peak The highest number of subframes sent or received.
show ap acl hits

Displays the number of packets filtered by security ACLs (hits) on the specified MP if the MP is
configured to perform local switching. Each time a packet is filtered by a security ACL, the MP ACL
hit counter increments.
Syntax show ap acl hits apnum
apnum
9999.
Defaults None.
Access Enabled.
367
History I
Version 6.0
Command introduced.
Version 6.2
Usage For MSS to count hits for a security ACL, you must specify hits in the set security acl
commands that define ACE rules for the ACL.
Examples To display the security ACL hits on MP 7, type the following command:
WLC# show ap acl hits 7
ACL hit-counters for AP 7
Index Counter
ACL-name
----- -------------------- -------1
0 acl_2
0 acl_175
916 acl_123
See Also
set security acl hit-sample-rate on page 465
set security acl on page 458
show ap acl map

Displays a summary of the security ACLs mapped on an MP.
Syntax show ap acl map apnum
apnum
9999.
Defaults None.
Access Enabled.
History I
Version 6.0
Command introduced.
Version 6.2
Usage This command lists only the ACLs that have been mapped on the specified MP. To list all
committed ACLs, use the show security acl info command. To list ACLs that have not yet been
committed, use the show security acl editbuffer command.
Examples To display a summary of the security ACLs mapped on MP 7, type the following
command:
WLC# show ap acl map 7
ACL
Type Class
Mapping
---------------------------- ---- ------ ------acl_123

368
IP
Static In
acl_133
IP
Static In
acl_124
IP
Static
See Also
clear security acl on page 453
commit security acl on page 456
show ap acl resource-usage

Displays statistics about the resources used by security ACL filtering on the MP.
Syntax show ap acl resource-usage apnum
apnum
9999.
Defaults None.
Access Enabled.
History
Version 6.0
Command introduced.
Version 6.2
Usage Use this command with the help of the Juniper Technical Assistance Center (TAC) to
diagnose an ACL resource problem.
Examples To display security ACL resource usage for MP 7, type the following command:
WLC# show ap acl resource-usage 7
AP 7 mapped ACL counters
-------------------------------------------Number of rule groups
Number of rules
Number of maps
show ap arp
Displays the ARP table for a specified MP.
Syntax show ap arp apnum
apnum
9999.
Defaults None.
Access All.
369
History
Version 6.0
Command introduced.
Version 6.2
Examples The following command displays ARP entries for AP 7:

WLC# show ap arp 7
AP 7:
Host
HW Address
VLAN
State
Type
------------------------------ ----------------- ----- -------- ------10.5.4.51
00:0b:0e:00:04:0c
1 EXPIRED
DYNAMIC
10.5.4.53
00:0b:0e:02:76:f7
1 RESOLVED LOCAL

Table 45.Output for show ap arp
Field
Description
Host
IP address, hostname, or alias.
HW Address
MAC address mapped to the IP address, hostname, or alias.
VLAN
VLAN the entry is for.
State
Entry state:
RESOLVINGMSS sent an ARP request for the entry and is waiting for the reply.
RESOLVEDEntry is resolved.
EXPIREDEntry is expired.
Type
Entry type:
DYNAMICEntry was learned from network traffic and ages out if unused for longer
than the ARP aging timeout.
LOCALEntry for the MX MAC address. Each VLAN has one local entry for the
switch MAC address.
PERMANENTEntry does not age out and remains in the configuration even
following a reboot.
STATICEntry does not age out but is removed after a reboot.
See Also
show ap config
Displays a summary of MPs configured on your network.
Syntax show ap config [verbose]
Defaults None
Access Enabled
Examples To display a summary of MPs configured on your network, enter the following
command:
370
WLC# show ap config.

AP
AP Name
Model
auto
3
AP03
Mode
Radio 1 profile
Radio 2 profile
disabled
default
default
default
aaaaaaaa123456
MP-372
show ap config radio

Displays global and radio-specific settings for an MP.
Syntax show ap apnum config [port-list [radio {1 | 2}]]
apnum
1 to 9999.
radio 1
Shows configuration information for radio 1.
radio 2
Shows configuration information for radio 2. (This option does not apply to
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced.
Version 1.1
New field added: load balancing group.
Version 2.0

Dap and Serial-Id fields added to display for Distributed MPs.
The load balancing group field is displayed only if the MP is a member of
a group.
Version 2.1
Version 3.0
New field, antennatype, to list the external antenna model configured for the
802.11b/g radio in an MP-262.
New fields added:
auto-tune max-power
auto-tune min-client-rate
auto-tune max-retransmissions
beacon field removed
Version 4.0
New field added: fingerprint

This field applies to the display for Distributed MPs only.
371
Field force-image-download added:
Version 5.0
Field auto-tune min-client-rate removed.

Field auto-tune max-retransmissions removed.
Field location added.
Field contact added.
Opon on dap removed.
Version 6.0
Field communication timeout added.

Field load-balance-enable added.
Field force-rebalance added.
Field local-switching added.
Field vlan-profile added.
dded.
Version 6.2
Usage MSS lists information separately for each MP.

Examples The following example shows configuration information for MP 2:
WLC# show ap config 2
AP
2: serial-id: 123456789, AP model: MP-372, bias: high, name: AP02

upgrade-firmware: YES
force-image-download:
NO
communication timeout: 10
location:
contact:
Radio 1: type: 802.11g, mode: disabled, channel: dynamic
tx pwr: 18, profile: default
auto-tune max-power: default,
load-balance-group: ,
load-balance-enable: YES,
force-rebalance: NO,
local-switching: disabled, vlan-profile: default
Table 46.Output for show ap config
372
Field
Description
Port
MX port number to which the MP is connected, if specified for the MP.
AP
Index number that identifies the MP on the WLC.
serial-id
Serial number on the MP.
Table 46.Output for show ap config (continued)

Field
Description
AP model
MP model number.
bias
Bias of the WLC connection to the MP:

High
Low
name
MP access point name, if configured.
upgrade-firmware
State of the firmware upgrade option:

YES (automatic upgrades are enabled)
NO (automatic upgrades are disabled)
force-image-download
State of the option to force the MP to download a software image from the WLC instead
of loading a locally stored image on the MP.
communication timeout
location
Location information for the MP.
contact
Contact information for the MP.
Radio
Radio number. The information listed below this field applies specifically to the radio.
type
Radio type:
802.11a
802.11b
802.11g
mode
Radio state:
Enabled
Disabled
channel
Channel number.
antennatype
External antenna model, if applicable.
tx pwr
Transmit power, in dBm.
profile
Radio profile that manages the radio. Until you assign the radio to a radio profile, MSS
assigns the radio to the default radio profile.
auto-tune max-power
Maximum power level the RF Auto-Tuning feature can set on the radio.
The value default means RF Auto-Tuning can set the power up to the maximum
level allowed for the country of operation.
A specific numeric value means you or another administrator set the maximum
value.
load-balance-group
Names of the RF load-balancing groups to which the MP belongs. If the value is None,
the MP does not belong to any load balancing groups.
This field is displayed only if the MP is a member of a group.
load-balance-enable
If RF load balancing is enabled for this MP.
force-rebalance
If the MP radio disassociates the client sessions and rebalances them whenever a new
MP radio is added to the RF load balancing group.
local-switching
If local packet switching is enabled for the MP.
vlan-profile
The VLAN profile the MP uses for local packet switching, indicating which VLANs are
locally switched.
373
See Also
set ap on page 53
set ap name on page 280
set ap radio antennatype on page 282
show ap counters
Displays MP access point and radio statistics counters.
Syntax show ap counters apnum [radio {1 | 2}]
apnum
1 to 9999.
radio 1
Shows statistics counters for radio 1.
radio 2
Shows statistics counters for radio 2. (This option does not apply to
Defaults None.
Access Enabled.
History
Version 1.0
374
Command introduced.
Version 1.1
New fields added for Wi-Fi Protected Access (WPA):

TKIP Pkt Transfer Ct
TKIP Pkt Replays
CCMP Pkt Decrypt Err
CCMP Pkt Transfer Ct
MIC Error Ct
TKIP Decrypt Err
CCMP Pkt Replays
Version 2.0

New fields added:
Version 4.0
Radio Recv Phy Err Ct

Transmit Retries
Radio Adjusted Tx Pwr
Noise Floor
802.3 Packet Tx Ct
802.3 Packet Rx Ct
No Receive Descriptor
Version 6.0
Option dap removed.

Field Illegal Rates added
Version 6.2
Version 7.1
Added the option voice-details.
Usage To display statistics counters and other information for individual user sessions, use the
show sessions network command.
Examples The following command shows statistics counters for Distributed MP 7:
WLC# show ap counters 7
AP: 7
radio: 1
=================================
LastPktXferRate
PktTxCount
73473
NumCntInPwrSave
MultiPktDrop
LastPktRxSigStrength
-89
MultiBytDrop
LastPktSigNoiseRatio
User Sessions
MIC Error Ct
TKIP Pkt Replays
TKIP Decrypt Err
CCMP Pkt Replays
RadioResets
375
Transmit Retries
60501
15
Noise Floor
-93
802.3 Packet Tx Ct
802.3 Packet Rx Ct 0
Illegal Rates
TxUniPkt
TxUniByte
TxMultiPkt
RxPkt
TxMultiByte
UndcrptPkt
RxByte
UndcrptByte
PhyErr
1.0: 1017
10170
14
8347
3964
2.0: 5643 55683 822545 8697520
1670
8695
5.5:
258
6.0:
51
9.0:
172
53
11.0:
17
998
35
12.0:
26
18.0:
38
24.0:
47
36.0:
48.0:
68
29
54.0:
41 11513
0 12948
TOTL: 6660 55683 832715 8697520

...
Table 47.Output for show ap counters
Field
Description
AP
Distributed MP number.
radio
Radio number.
LastPktXferRate
Data transmit rate, in Mbps, of the last packet received by the MP.
NumCntInPwrSave
Number of clients currently in power save mode.
LastPktRxSigStrength
Signal strength, in dBm, of the last packet received by the MP.
LastPktSigNoiseRatio
Signal-to-noise ratio (SNR), in decibels (dB), of the last packet received by the MP
access point.
This value indicates the strength of the radio signal above the noise floor. For example,
if the noise floor is -88 and the signal strength is -68, the SNR is 20.
If the value is below 10, this indicates a weak signal and might indicate a problem in the
RF environment.
376
Total number of TKIP packets sent and received by the radio.
Table 47.Output for show ap counters (continued)

Field
Description
TKIP Pkt Replays
Number of TKIP packets resent to the MP by a client.

A low value (under about one hundred) does not necessarily indicate a problem.
However, if this counter is increasing steadily or has a very high value (in the hundreds
or more), a Denial of Service (DoS) attack might be occurring. Contact Juniper
Networks TAC.
Number of times a decryption error occurred with a packet encrypted with CCMP.
Occasional decryption errors do not indicate a problem.
However, steadily increasing errors or a high number of errors can indicate that data
loss is occurring in the network. Generally, this is caused by a key mismatch between a
client and the MP. To locate the client that is experiencing decryption errors (and
therefore is likely causing this counter to increment on the MP), use the show
sessions network session-id session-id command for each client on the radio. After
you identify the client that is causing the errors, disable and reenable the client
(wireless NIC).

Total number of CCMP packets sent and received by the radio.

Number of times radar caused packet errors. If this counter increments rapidly, there is
a problem in the RF environment.
This counter increments only when radar is detected. Rate-specific Phy errors are
instead counted in the PhyError columns for individual data rates.
Current power level set on the radio. If RF Auto-Tuning of power is enabled, this value
is the power set by RF Auto-Tuning. If RF Auto-Tuning is disabled, this value is the
statically configured power level.
802.3 Packet Tx Ct
Number of raw 802.3 packets transmitted by the radio. These are LocalTalk (AppleTalk)
frames. This counter increments only if LocalTalk traffic is present.
Number of packets for which the MP could not create a descriptor. A descriptor
describes a received packets size and its location in MP memory. The MP buffers
descriptors, and clears them during interframe spaces.
This counter increments if the MP runs out of buffers for received packets. This
condition can occur when a noise burst temporarily floods the air and the MP attempts
to buffer the noise as packets.
Buffer overruns are normal while an MP is booting. However, if they occur over an
extended period of time when the MP is fully active, this can indicate RF interference.
Illegal Rates
Number of times a client attempted to connect with a disabled data rate.
PktTxCount
Number of packets transmitted by the radio.
MultiPktDrop
Number of multicast packets dropped by the radio due to a buffer overflow on the MP.
This counter increments if there is too much multicast traffic or there is a problem with
the multicast packets. Normally, this counter should be 0.
MultiBytDrop
Number of multicast bytes dropped by the radio due to a buffer overflow on the MP.
(See the description for MultiPktDrop.)
377

Field
Description
User Sessions
Number of clients currently associated with the radio.

Generally, this counter is equal to the number of sessions listed for the radio in show
sessions output. However, the counter can differ from the counter in show sessions
output if a client is associated with the radio but has not yet completed 802.1X
authentication. In this case, the client is counted by this counter but not in the show
sessions output.
Although there is no specific normal range for this counter, a high or low number
relative to other radios can mean the radio is underutilized or overutilized relative to the
other radios. (However, if the clients are VoIP phones, a relatively high number of
clients does not necessarily mean overutilization since voice clients consume less
bandwidth on average than data clients.)
MIC Error Ct
Number of times the radio received a TKIP-encrypted frame with an invalid MIC.
Normally, the value of this counter should always be 0. If the value is not 0, check the
system log for MIC error messages and contact Juniper Networks TAC.
TKIP Decrypt Err
Number of times a decryption error occurred with a packet encrypted with TKIP.
(See the description for CCMP Pkt Decrypt Err.)
CCMP Pkt Replays
Number of CCMP packets that were resent by a client to the MP.
RadioResets
Number of times the radio has been reset. Generally, a reset occurs as a result of RF
(See the description for TKIP Pkt Replays.)

noise. It is normal for this counter to increment a few times per day.
Transmit Retries
Number of times the radio retransmitted a unicast packet because it was not
acknowledged. The MP uses this counter to adjust the transmit data rate for a client, in
order to minimize retries.
The ratio of transmit retries to transmitted packets (TxUniPkt) indicates the overall
transmit quality. A ratio of about 1 retry to 10 transmitted packets indicates good
transmit quality. A ratio of 3 or more to 10 indicates poor transmit quality.
This counter includes unacknowledged probes. Some clients do not respond to probes,
which can make this counter artificially high.
Noise Floor
Received signal strength at which the MP can no longer distinguish 802.11 packets
from ambient RF noise. A value around -90 or higher is good for an 802.11b/g radio. A
value around -80 or higher is good for an 802.11a radio. Values near 0 can indicate RF
interference.
802.3 Packet Rx Ct
Number of raw 802.3 packets received by the radio. These are LocalTalk (AppleTalk)
frames. This counter increments only if LocalTalk traffic is present.
The counters above are global for all data rates. The counters below are for individual data rates.
If counters for lower data rates are incrementing but counters for higher data rates are not incrementing, this can indicate
poor throughput. The poor throughput can be caused by interference. If the cause is not interference or the interference
cannot be eliminated, you might need to relocate the MP in order to use the higher data rates and therefore improve
throughput.
378
TxUniPkt
Number of unicast packets transmitted by the radio.
TxMultiPkt
Number of multicast packets transmitted by the radio.
TxUniByte
Number of unicast bytes transmitted by the radio.
TxMultiByte
Number of multicast bytes transmitted by the radio.
RxPkt
Number of packets received by the radio.

Field
Description
RxByte
Number of bytes received by the radio.
UndcrptPkt
Number of undecryptable packets received by the radio. It is normal for this counter to
increment even in stable networks and does not necessarily indicate an attack. For
example, a client might be sending incorrect key information. However, if the counter
increments rapidly, there might be a problem in the network.
UndcrptByte
Number of undecryptable bytes received by the radio. (See the description for
UndcrptPkt.)
PhyError
Number of packets that could not be decoded by the MP. This condition can have any
of the following causes:
Collision of an 802.11 packet.
Packet whose source is too far away, thus rendering the packet unintelligible by the
time it reaches the MP.
Interference caused by an 802.11b/g phone or other source.
It is normal for this counter to be about 10 percent of the total RxByte count. It is also
normal for higher data rates to have higher Phy error counts than lower data rates.
See Also show sessions network on page 532
show ap counters voice-details

Displays information about VoIP calls on the network.
Syntax show ap counters apnum [radio {1 | 2}] voice-details
Defaults None
Access Enabled
Examples The following command displays voice details for AP 1 and radio 1:
WLC# show ap counters 1 radio 1 voice-details
AP: 1
radio: 1
================================
Current Active Calls
Cumulative
Voice Calls
Quality
BAD
Rejected
POOR
FAIR
GOOD
EXCELLENT
Accepted
-----------------------------------------------------------------------------------Calls
100
0
Percentage
0
379
Table 48.Output for show voice-details

Field
Description
Current Active Call Quality
Calls are rated from Bad to Excellent
Cumulative Accepted
Total number of calls accepted on the network.
Voice Calls Rejected
Total number of calls rejected on the network.
Calls
Number of calls rated Bad to Excellent
Percentage
Percentage of calls per rating category.
show ap fdb
Displays the entries in a specified MP forwarding database.
Syntax show ap fdb {apnum | all | hash-utilization [apnum |all ]}
apnum
1 to 9999.
all
Show all MP forwarding databases.
hash-utilization
Defaults None.
Access All.
History
Version 6.0
Command introduced.
Version 6.2
Examples The following command displays FDB entries for AP 7:

WLC# show ap fdb 7
AP 7:
# = System Entry. $ = Authenticate Entry
VLAN TAG
Dest MAC/Route Des [CoS] Destination Ports
---- ---- ------------------ ----- ----------------4095 4095 00:0b:0e:00:ca:c1

4095
0 00:0b:0e:00:04:0c
CPU
eth0
Table 49 describes the fields in the show ap fdb output.

Table 49.Output for show ap fdb
380
Field
Description
VLAN
VLAN number.
TAG
VLAN tag value. If the interface is untagged, the TAG field is blank.
Dest MAC/Route Des
MAC address of this forwarding entrys destination.
Table 49.Output for show ap fdb (continued)

Field
Description
CoS
Type of entry. The entry types are explained in the first row of the command output.
This Class of Service (CoS) value is not associated with MSS quality of service (QoS)
features.
Destination Ports
MX port associated with the entry. An WLC sends traffic to the destination MAC
address through this port.
See Also
show ap qos-stats
Displays statistics for MP forwarding queues.
Syntax show ap qos-stats [apnum] [clear]
apnum
1 to 9999.
clear
Clears the counters after displaying their current values.
Defaults None.
Access Enabled.
History
Version 4.0
Command introduced.
Version 4.2
TxDrop field added.
Version 5.0
Option clear added.
Version 6.0
Option dap removed.
Version 6.2
Usage Repeating this command with the clear option at regular intervals allows you to monitor
transmission and drop rates.
Examples The following command shows statistics for the MP forwarding queues on a Distributed
MP:
WLC# show ap qos-stats 7
CoS
Tx
Queue
Rx
Rx
Tx
Tx
Tx
Tx
Tx
Kbs
Kbs
%Req
%Max
Packets
Dropped
========================================================================
=======
AP: 7
radio: 1
381
1,2
0
Background
0,3
0
BestEffort
93
4,5
0
Video
6,7
0
Voice
AP: 7
radio: 2
1,2
0
Background
0,3
0
BestEffort
127
4,5
0
Video
6,7
0
Voice

Table 50.Output for show ap qos-stats
Field
Description
CoS
CoS value associated with the forwarding queues.
Queue
Forwarding queue.
AP
Distributed MP number.
radio
Radio number.
Tx Packets
Number of packets transmitted to the air from the queue.
Tx Dropped
Number of packets dropped from the queue instead of being

transmitted.
Some packet drops are normal, especially if the RF environment is
noisy. Also, it is normal for a mildly congested radio to drop
low-priority packets proportionally more often than high-priority
packets. However, continuous packet drops from the Voice queue can
indicate over-subscription or excessive interference in the RF
environment.
382
show ap etherstats
Displays Ethernet statistics for an Ethernet port on an MP.
Syntax show ap etherstats apnum
apnum
1 to 9999.
Defaults None.
Access Enabled.
History
Version 3.0
Command introduced.
Version 6.2
Examples The following command displays Ethernet statistics for the Ethernet ports on Distributed
MP 1:
WLC# show ap etherstats 1
AP: 1
ether: 1
=================================
RxUnicast:
75432
TxGoodFrames:
55210
RxMulticast:
18789
TxSingleColl:
32
RxBroadcast:
RxGoodFrames:
94229
TxLateColl:
TxMaxColl:
RxAlignErrs:
TxMultiColl:
47
RxShortFrames:
TxUnderruns:
RxCrcErrors:
TxCarrierLoss:
RxOverruns:
TxDeferred:
RxDiscards:
AP: 1
150
ether: 2
=================================
RxUnicast:
64379
TxGoodFrames:
60621
RxMulticast:
21798
TxSingleColl:
32
RxBroadcast:
11
RxGoodFrames:
86188
TxLateColl:
TxMaxColl:
RxAlignErrs:
TxMultiColl:
12
RxShortFrames:
TxUnderruns:
RxCrcErrors:
TxCarrierLoss:
RxOverruns:
TxDeferred:
RxDiscards:
111
383

Table 51.Output for show ap etherstats
Field
Description
RxUnicast
Number of unicast frames received.
RxMulticast
Number of multicast frames received.
RxBroadcast
Number of broadcast frames received.
RxGoodFrames
Number of frames received properly from the link.
RxAlignErrs
Number of received frames that were both misaligned and contained a CRC error.
RxShortFrames
Number of received frames that were shorter than the minimum frame length.
RxCrcErrors
Number of received frames that were discarded due to CRC errors.
RxOverruns
Number of frames known to be lost due to a temporary lack of hardware resources.
RxDiscards
Number of frames known to be lost due to a temporary lack of software resources.
TxGoodFrames
Number of frames transmitted properly on the link.
TxSingleColl
Number of transmitted frames that encountered a single collision.
TxLateColl
Number of frames that were not transmitted because they encountered a collision
outside the normal collision window.
TxMaxColl
Number of frames that were not transmitted because they encountered the maximum
allowed number of collisions. Typically, this occurs only during periods of heavy traffic
on the network.
TxMultiColl
Number of transmitted frames that encountered more than one collision.
TxUnderruns
Number of frames that were not transmitted or retransmitted due to temporary lack of
hardware resources.
TxCarrierLoss
Number of frames transmitted despite the detection of a deassertion of CRS during the
transmission.
TxDeferred
Number of frames deferred before transmission due to activity on the link.
show ap group
Deprecated in MSS Version 6.0. To display information about RF load balancing, see show
load-balancing group on page 399.
show ap mesh-links
Displays information about the links an MP has to Mesh APs and Mesh Portal APs.
Syntax show ap mesh-links apnum
apnum
9999.
Defaults None.
Access All.
384
History
Version 6.0
Command introduced.
Version 6.2
Examples The following command mesh link information for AP 7:

WLC# show ap mesh-links 7
AP: 7 IP-addr: 1.1.1.3
Operational Mode: Mesh-Portal
Downlink Mesh-APs
------------------------------------------------BSSID: 00:0b:0e:17:bb:3f (54 Mbps)
packets
bytes
TX:
307
44279
RX:
315
215046
Table 52 describes the fields in the show ap mesh-links output.

Table 52.Output for show ap mesh-links
Field
Description
AP
Identifier for the MP on the WLC.
Name
VLAN name
IP-addr
IP address of the MP.
Operational Mode
If this MP is a Mesh AP or a Mesh Portal AP
Downlink Mesh-APs
Information about the Mesh APs associated with the Mesh Portal MP.
BSSID
The BSSID of the Mesh AP.
TX
The amount of traffic (packets and bytes) transmitted to the Mesh AP.
RX
The amount of traffic (packets and bytes) received from the Mesh AP.
See Also
show ap status
Displays MP access point and radio status information.
Syntax show ap status [[apnum | all | verbose | [radio {1 | 2}] cluster
ip-addr]]
apnum
to 9999.
all
Shows status information for all directly attached MPs and all Distributed MPs
configured on the WLC.
radio 1
Shows status information for radio 1.
385
radio 2
Shows status information for radio 2. (This option does not apply to
cluster
Displays the status of the MPs in a cluster configuration.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced.
Version 1.1
Radio type fields indicate when 802.11b protection is enabled on an 802.11b/g

radio.
Version 2.0

Option all added.
IP-addr field added for Distributed MPs.
The dual-homed field was removed. (This field was located on the same line as
the Link field.)
Version 3.0
in boot field removed.

operational channel field added
operational power field added
bssid and ssid fields added
Version 3.2
True base MAC addresses of radios are displayed. Previously, the base MAC
address displayed for a radio was the true base MAC address plus 2.
Note that a radios base MAC address is also used as the BSSID of the first
SSID configured on the radio.
Version 4.0
New option added: terse

New option added for show dap status: all
New field added: fingerprint
MP-WLC security status added to State field
The fingerprint field and security state apply to the display for Distributed MPs
only.
Version 4.1
External antenna information added after the radio state information, to indicate
when an antenna has been detected and to indicate the configured antenna
model number.
Auto flag added to indicate operational channel or power settings that are
configured by RF Auto-Tuning.
386
Version 4.2
Radar Scan and Radar Detected flags added to indicate when the Dynamic
Frequency Selection (DFS) feature is scanning for radar or has stopped
transmitting due to detected radar. The flags apply to 802.11a radios only, and
only for country codes where DFS is used.
Version 5.0
RFID Reports field added.
Version 6.0
Option dap removed.

load balance field added
current load field added
Version 6.2
Added index value range of 1 to 9999 for MPs.
Version 7.0
Reformatted output to accomodate 802.11n and cluster configuration. Option

terse removed. Option verbose added. Added status as up or down.
Version 7.1
Added cluster to the options.
Examples The following command displays the status of an MP access point:

WLC# show ap status 9991
Flags: o = operational[0], c = configure[0], d = download[0], b =
boot[0]
x= down a = auto AP, m = mesh AP, p/P = mesh portal (ena/actv), r =
redundant[0]
i = insecure, e = encrypted, u = unencrypted
Radio: E = enabled - 20MHz channel, S = sentry
W/w = enabled - 40MHz wide channel (HTplus/HTminus)
D = admin disabled
AP
Flag IP Address
Uptime
Model
MAC Address
Radio 1 Radio 2
---- ---- --------------- ------------ ----------------- ------- -----------9991 oa-i 129.0.1.10
MP-422
00:0b:0e:00:1b:00 E 6/22 D 44/18 03d21h
The following command uses the verbose option to display all information for MPs:
WLC# show ap status verbose
Rack28-2800-112226# show ap status 9991 verbose
AP: 9991 Name: AUTO-9991
Model: Juniper MP-422, Rev: n/a, Serial number: 108
F/W1 : 1.0
F/W2 : 1.0
S/W
BOOT S/W
: 7.0.1.0.private_032408_1529_jperson
: <unknown>
387
IP-addr: 129.0.1.10 (DHCP, vlan 'apboot'),

Port 1 link: 10/Half , POE: 802.3af
Port 2 link: down , POE: 802.3af
State: operational (encrypted and fingerprint not verified)
Radio 1 Type: 802.11g, State: configure succeeded [Enabled]
Operational channel: 6 (Auto) Operational power: 22
Load balance: enabled, Current load: (unavailable)
RFID reports: Inactive
BSSID1: 00:0b:0e:00:1b:00, SSID: sim-open
Radio 2 Type: 802.11a, State: configure succeeded [Disabled]
Operational channel: 44 (Auto) Operational power: 18
Load balance: enabled, Current load: (unavailable)
RFID reports: Inactive
Table 53.Output for show ap status
Field
Description
Flags
The following flags are displayed as part of the MP status:

o = operational The MP is operational on the network.
c = configure [0] The MP is configured.
d = download [0] The MP is configured to download new software.
b = boot The MP can boot on the network.
x = down The MP is down on the network.
n = unconfigured The MP has no configuration.
a = auto The MP is configured in auto mode.
m = mesh AP The MP is configured for Mesh services.
p/P (ena/actv) = The MP is configured as a Mesh Portal. The lower-case p means
that the portal is inactive, and the upper-case P indicates that the Portal is active.
r = redundant The MP is configured as a redundant AP.
i = insecure The MP is sending network traffic in the clear.
e = encrypted The MP is configured with encryption.
u = unencrypted The MP is configured with unencrypted security.
Radio
The following flags are displayed as part of the radio status:

E = enabled - 20MHz
S = sentry
W/w = enabled - 40MHz wide channel (HTplus/HTminus)
D = admin disabled
IP Address
* = AP behind NAT The MP is configured behind a device with NAT enabled.
AP
Identifier for the MP on the WLC.
Flag
Letters that denote current status as described above.
IP-addr
IP address of the MP. The address is assigned to the MP by a DHCP server.

This field is applicable only if the MP is not directly attached to the WLC.
388
Table 53.Output for show ap status (continued)

Field
Description
Model
MP model number.
MAC Address
The MAC address of the MP.
Radio 1
802.11 type and configuration state of the radio.
Radio 2
Displays current status using the Radio flags.

Displays operational channels.
Uptime
Amount of time since the MP booted using this link.
Table 54.Output for show ap status verbose

Field
Description
AP
The index number of the connected MP
Name
The name of the MP.
Model
MP model number
Revision number
Serial Number
Firmware versions
Software version
Boot software version
IP Address
IP address of the MP. The address is assigned to the MP by a DHCP server.

VLAN assigned to the MP.
This field is applicable only if the MP is configured on the MX as a Distributed MP.
Port 1 link:
Status
Configured duplex speed
PoE type
Port 2 link:
Stauts
Configured duplex speed
PoE type and status
State:
Operational status flags for the MP.

For flag definitions, see the key in the command output.
Uptime
Amount of time since the MP booted using this link.
Radio 1
State, channel, and power information for radio 1:

Radio type 802.11a, 802.11b, 802.11g, 802.11na, or 802.11ng
The state can be D (disabled) or E (enabled).
Operational channel Current channel for radio operations.
Operational power The power level at which the radio is currently operating.
Load balanced Enabled or disabled.
Current load The load on this radio relative to the load balancing group average or
target load.
RFID reports Status of AeroScout asset tag support.
ActiveThe AeroScout Engine has enabled the tag report mode on the MP.
InactiveThe AeroScout Engine has not enabled, or has disabled, the tag report
mode on the MP.
This field is displayed only if the rfid-mode option is enabled on the radio profile that
manages the radio.
BSSID, SSID The base MAC address of the radio and the SSIDs configured on
the radio.
389
Table 54.Output for show ap status verbose

Field
Description
Radio 2
State, channel, and power information for radio 2. See Radio 1 for more information.
show ap vlan
Displays information about locally switched or tunneled VLANs.
Syntax show ap vlan apnum
apnum
9999.
all
Displays all MPs on a VLAN.
Defaults None.
Access All.
History
Version 6.0
Command introduced.
Version 6.2
Introduced index value range of 1 to 9999.
Version 7.0
Added all option.
Examples The following command displays information about the VLANs switched by AP 7:
WLC# show ap vlan 7
AP 7:
VLAN Name
Mode
---- ---------------- ----
Port
Tag
---------------- ----
1 default
local
1 none
2 red
local
radio_1
20
radio_1
21
radio_2
22
radio_1
23
4 green
5 yellow
local
tunnel
WLC_tun
radio_1
24
Table 49 describes the fields in the show ap vlan output.

Table 55.Output for show ap vlan
390
Field
Description
VLAN
VLAN number.
Name
VLAN name
Table 55.Output for show ap vlan

Field
Description
Mode
Whether packets for the VLAN are locally switched by the MP, or are tunneled to an
WLC, which places them on the VLAN.
Port
The port(s) through which VLAN traffic is sent.
TAG
VLAN tag value. If the interface is untagged, none is displayed in the TAG field.
See Also
show auto-tune attributes

Displays the current values of the RF attributes RF Auto-Tuning uses to decide whether to change
channel or power settings.
Syntax show auto-tune attributes [ap apnum [radio {1 | 2| all}]]
apnum
to 9999.
radio 1
Shows RF attribute information for radio 1.
radio 2
Shows RF attribute information for radio 2. (This option does not apply to
radio all
Shows RF attribute information for both radios.
Defaults None.
Access Enabled.
Examples
Version 3.0
Command introduced.
Version 6.0
Option dap removed.
Version 6.2
The following command displays RF attribute information for radio 1 on the directly connected MP
access point on port 2:
WLC# show auto-tune attributes ap 2 radio 1
Auto-tune attributes for port 2 radio 1:
Noise:
-92 Packet Retransmission Count:
Utilization:
CRC Errors count:
0 Phy Errors Count:
0
0
122
391
Table 56.Output for show auto-tune attributes

Field
Description
Noise
Noise threshold on the active channel. RF Auto-Tuning prefers channels with low noise
levels over channels with higher noise levels.
Utilization
Number of multicast packets per second that a radio can send on a channel while
continuously sending fixed size frames over a period of time. The number of packets
that are successfully transmitted indicates how busy the channel is.
CRC Errors count
Number of frames received by the radio on that active channel that had CRC errors. A
high CRC error count can indicate a hidden node or co-channel interference.
Packet Retransmission Count
Number of retransmitted packets sent from the client to the radio on the active channel.
Phy Errors Count
Number of frames received by the MP radio that had physical layer errors on the active
Retransmissions can indicate that the client is not receiving ACKs from the MP radio.
channel. Phy errors can indicate interference from a non-802.11 device.
See Also
show auto-tune neighbors on page 392
show auto-tune neighbors

Displays the other Juniper radios and third-party 802.11 radios that a Juniper radio can hear.
Syntax show auto-tune neighbors [ap apnum [radio {1 | 2| all}]]
apnum
to 9999.
radio 1
Shows neighbor information for radio 1.
radio 2
Shows neighbor information for radio 2. (This option does not apply to
radio all
Shows neighbor information for both radios.
Defaults None.
Access Enabled.
History
Version 3.0
392
Command introduced.
Version 6.0
Option dap removed.
Version 6.2
Usage For simplicity, this command displays a single entry for each Juniper radio, even if the radio
is supporting multiple BSSIDs. However, BSSIDs for third-party 802.11 radios are listed
separately, even if a radio is supporting more than one BSSID.
Information is displayed for a radio if the radio sends beacon frames or responds to probe
requests. Even if the radio SSIDs are unadvertised, Juniper radios detect the empty beacon
frames (beacon frames without SSIDs) sent by the radio, and include the radio in the neighbor list.
Examples The following command displays neighbor information for radio 1 on the directly
connected MP access point on port 2:
WLC# show auto-tune neighbors ap 2 radio 1
Total number of entries for port 2 radio 1: 5
Channel Neighbor BSS/MAC
RSSI
------- ----------------- ---1 00:0b:85:06:e3:60
-46
1 00:0b:0e:00:0a:80
-78
1 00:0b:0e:00:d2:c0
-74
1 00:0b:85:06:dd:00
-50
1 00:0b:0e:00:05:c1
-72

Table 57.Output for show auto-tune neighbors
Field
Description
Channel
Channel on which the BSSID is detected.
Neighbor BSS/MAC
BSSID detected by the radio.
RSSI
Received signal strength indication (RSSI), in decibels referred to 1 milliwatt (dBm).

A higher value indicates a stronger signal.
See Also
show auto-tune attributes on page 391
393
show ap boot-configuration
Displays information about the static IP address configuration (if any) on a Distributed MP.
Syntax show ap boot-configuration apnum
apnum
1 to 9999.
Defaults None.
Access Enabled.
History I
Version 4.2
Command introduced.
Version 6.0
Option dap removed.

Field Mesh added
Field Mesh SSID added
Field Mesh PSK added
Version 6.2
Examples The following command displays static IP configuration information for Distributed MP
1:
WLC# show ap boot-configuration 1
Static Boot Configuration
AP: 7
IP Address:
Disabled
VLAN Tag:
Disabled
Switch:
Disabled
Mesh:
Disabled
IP Address:
Netmask:
Gateway:
VLAN Tag:
Switch IP:
Switch Name:
DNS IP:
Mesh SSID:
Mesh PSK:
394
Table 58.Output for show ap boot-configuration

Field
Description
AP
MP number.
IP address
Whether static IP address assignment is enabled for this Distributed MP.
VLAN Tag
Whether the Distributed MP is configured to use a VLAN tag.
Switch
Whether the Distributed MP is configured to use a manually specified WLC as the boot
Mesh
Whether WLAN mesh services are enabled for this MP.
IP address
The static IP address assigned to this Distributed MP.
Netmask
The subnet mask assigned to this Distributed MP.
device.
Gateway
The IP address of the default gateway assigned to this Distributed MP.
VLAN Tag
The VLAN tag that the Distributed MP is configured to use (if any).
Switch IP
The IP address of the WLC that this Distributed MP is configured to use as its boot
device (if any).
Switch Name
The name of the WLC that this Distributed MP is configured to use as the boot device
(if any).
DNS IP
The IP address of the DNS server that the Distributed MP uses to resolve the name of
Mesh SSID
The WLAN mesh services SSID this MP is configured to use (if any)
Mesh PSK
The preshared key (PSK) the MP uses for authentication with a Mesh Portal AP (if
the WLC used as the boot device.
any).
show ap connection
Displays the system IP address of the MX that booted a Distributed MP.
Syntax show ap connection [apnum | serial-id serial-ID]
apnum
from 1 to 9999.
serial-id serial-ID
MP access point serial ID.
Defaults None.
Access Enabled.
History I
Version 2.0
Command introduced.
Version 6.0
Option dap removed.
Version 6.2
Usage The serial-id parameter displays the active connection for the specified Distributed MP
even if that MP is not configured on this MX. If you instead use the command with the apnum
parameter or without a parameter, connection information is displayed only for Distributed MPs
configured on this WLC.
395
This command provides information only if the Distributed MP is configured on the WLC where you
entered the command. The WLC does not need to be the one that booted the MP, but it must have
the MP in the configuration. Also, the WLC that booted the MP must be in the same Mobility
Domain as the WLC where you entered the command.
If a Distributed MP is configured on this WLC (or another MX in the same Mobility Domain) but
does not have an active connection, the command does not display information for the MP. To
show connection information for Distributed MPs, use the show ap global command on one of the
switches where the MPs are configured.
Examples The following command displays information for all Distributed MPs configured on this
MX switch that have active connections:
WLC# show ap connection
Total number of entries: 2
AP Serial Id
AP IP Address
WLC IP Address
--- ----------- --------------- --------------2
112233
10.10.2.27
10.3.8.111
0333000298
10.10.3.34
10.3.8.111
The following command displays connection information specifically for a Distributed MP with
serial ID 223344:
WLC# show ap connection serial-id 223344
AP Serial Id AP IP Address
WLC IP Address
--- ----------- --------------- --------------9
223344
10.10.4.88
10.9.9.11

Table 59.Output for show ap connection
Field
Description
AP
ID assigned to the Distributed MP.

If the connection is configured on another WLC, this field contains a hyphen ( - ).
Serial Id
Serial ID of the Distributed MP.
AP IP Address
IP address assigned by DHCP to the Distributed MP.
WLC IP Address
System IP address of the MX that the MP has an active connection. This is the WLC
that the MP used for booting and configuration and is using for data transfer.
See Also
396
show ap global
Displays connection information for Distributed MPs configured on an MX .
Syntax show ap global [apnum | serial-id serial-ID]
apnum
serial-id serial-ID
MP access point serial ID.
Defaults None.
Access Enabled.
History
Version 2.0
Command introduced.
Version 6.0
Option dap removed.
Version 6.2
Usage Connections are shown only for the Distributed MPs configured on the WLC that you enter
the command, and only for the Mobility Domain of the WLC.
To show information only for Distributed MPs that have active connections, use the show ap
connection command.
Examples The following command displays connection information for all the Distributed MPs
configured on an WLC:
WLC# show ap global
AP Serial Id
WLC IP Address
Bias
--- ----------- --------------- ---1
11223344
10.3.8.111
HIGH
11223344
10.4.3.2
LOW
332211
10.3.8.111
LOW
332211
10.4.3.2
HIGH
17
0322100185
10.3.8.111
HIGH
0322100185
10.4.3.2
LOW
18
0321500120
10.3.8.111
LOW
0321500120
10.4.3.2
HIGH
397
Table 60.Output for show ap global

Field
Description
AP
ID you assigned to the Distributed MP.

AP numbers are listed only for Distributed MPs configured on this WLC switch. If the
field contains a hyphen ( - ), the Distributed MP configuration displayed in the row of
output is on another WLC switch.
Serial Id
Serial ID of the Distributed MP.
WLC IP Address
System IP address of the MX on which the Distributed MP is configured. A separate

row of output is displayed for each WLC on which the Distributed MP is configured.
Bias
Bias of the WLC for the MP:

High
Low
See Also
set ap on page 53
show ap unconfigured
Displays Distributed MPs that are physically connected to the network but that are not configured
on any WLC switches.
Syntax show ap unconfigured
Defaults None.
Access Enabled.
History
Version 2.0
Command introduced.
Version 6.0
Option dap removed.
Usage This command also displays an MP that is directly connected to an WLC, if the WLC port
connected to the MP is configured as a network port instead of an MP access port, and if the
network port is a member of a VLAN.
If a Distributed MP is configured on an WLC, the MP can appear in the output until the MP is able
to establish a connection with an WLC in a Mobility Domain. After the MP establishes a
connection, the entry for the MP ages out and no longer appears in the command output.
Entries in the command output table age out after two minutes.
Examples The following command displays information for two Distributed MPs that are not
configured:
WLC# show ap unconfigured
398
Serial Id
Model
IP Address
Port Vlan
----------- ------ --------------- ---- -------0333001287
MP-241 10.3.8.54
default
0333001285
MP-252 10.3.8.57
vlan-eng

Table 61.Output for show ap unconfigured
Field
Description
Serial Id
Serial ID of the MP.
Model
MP model number.
IP Address
IP address of the MP. This is the address that the MP receives from a DHCP server.
The MP uses this address to send a Find WLC message to request configuration
information from WLC switches. However, the MP cannot use the address to establish
a connection unless the MP first receives a configuration from an WLC.
Port
Port number on which this WLC received the MP Find WLC message.
VLAN
VLAN that this WLC received the MP Find WLC message.
See Also
show load-balancing group

Displays an RF load balancing groups member radios and current load for each radio.
Syntax show load-balancing group {group-name | all | [ap apnum radio {1 |
2}]}
group-name
Name of an RF load-balancing group configured on the WLC.
all
Displays information for every load-balancing group that has a radio on this
WLC as a member.
apnum
to 9999.
radio {1 | 2}
Shows status information for a radio on an MP. This option displays

information about radios in the same group as the specified radio.
Defaults None.
Access Enabled.
History
Version 6.0
Command introduced.
Version 6.2
399
Usage Use this command to display information about the RF load-balancing groups configured
on the WLC and the individual MP radios in the load-balancing groups.
Examples The following command displays information about the MP radios that are in the same
group as radio 1 on MP 3:
WLC# show load-balancing group ap 3 radio 1
Radios in the same load-balancing group as: ap3/radio1
-------------------------------------------------IP address
AP
------------------ ---10.2.28.200
Radio
Overlap
-----
-------
100/100
The following command displays information about RF load balancing group blue:
WLC# show load-balancing group blue
Load-balancing group: blue
IP address
AP
------------------ ---10.2.28.200
Radio
Clients
-----
-------
Table 62 describes the fields in displayed by the show load-balancing group command.
Table 62.Output for show load-balancing group
Field
Description
IP address
The IP address of the MP in the load-balancing group.
AP
MP number
Radio
Radio number
Overlap
The amount of overlapping coverage area the specified MP radio has with the MP radio
in the list. An overlap of 100/100 indicates that the MP radios have exactly the same
coverage area.
Clients
The current client load on the MP radio.
See Also
show radio-profile
Displays radio profile information.
Syntax show radio-profile {profile | ?}
profile
Displays information about the named radio profile.
Displays a list of radio profiles.
Defaults None.
400
Access Enabled.
History
Version 1.0
Command introduced
Version 1.1
New fields added to indicate the following:

Support of 802.11b/g radios for association by 802.11b clients
Wi-Fi Protected Access (WPA) parameter settings
Version 3.0
Fields removed for items that are no longer managed by radio profiles:
Encrypted Network Name
Clear Network Name
Network name(s) broadcast in the wireless beacon
WEP Key 1 value
WEP Key 2 value
WEP Key 3 value
WEP Key 4 value
WEP Unicast Index
WEP Multicast Index
Shared Key Auth
WPA enabled
These items are now managed by service profiles.
New fields added:
Tune Channel
Tune Power
Tune Channel Interval
Tune Power Interval
Client Backoff Timer
Channel Holddown
Service profiles
Name of the 802.11g field changed from Allow only 802.11g clients in
802.11g networks to Allow 802.11g clients only
Version 4.0
New fields added:

Countermeasures
Active-Scan
WMM enabled
Name of the backoff timer field changed from Client Backoff Timer to
Power Backoff Timer
401
Version 4.2
WMM enabled field renamed to QoS Mode.

Long Retry Limit and Short Retry Limit fields moved to show
service-profile output. (These options are now configurable on a
service-profile basis instead of a radio-profile basis.)
Allow 802.11g clients only field removed. (This option is now configured
using the set service-profile transmit-rates command.)
Version 5.0
New fields added:

Power ramp interval
RFID enabled
WMM Powersave
Power Backoff Timer field removed.
Usage MSS contains a default radio profile. Juniper Networks recommends that you do not
change this profile but instead keep the profile for reference.
Examples The following command shows radio profile information for the default radio profile:
WLC# show radio-profile default
Beacon Interval:
1
100
Max Tx Lifetime:
2000
2000
Max Rx Lifetime:
RTS Threshold:
2346
2346
Frag Threshold:
Long Preamble:
yes
no
Tune Channel:
Tune Power:
3600
no
Tune Channel Interval:
Tune Power Interval:

60
Channel Holddown:
none
Active-Scan:
no
WMM Powersave:
wmm
600
300
yes
no
DTIM Interval:
Power ramp interval:

Countermeasures:
RFID enabled:
QoS Mode:
No service profiles configured.

402
Table 63.Output for show radio-profile

Field
Description
Beacon Interval
Rate (in milliseconds) at which each MP radio in the profile advertises the beaconed
SSID.
DTIM Interval
Number of times after every beacon that each MP radio in the radio profile sends a
delivery traffic indication map (DTIM).
Max Tx Lifetime
Number of milliseconds that a frame received by a radio in the radio profile can remain
in buffer memory.
Max Rx Lifetime
Number of milliseconds that a frame scheduled to be transmitted by a radio in the radio

profile can remain in buffer memory.
RTS Threshold
Minimum length (in bytes) a frame can be for a radio in the radio profile to use the
RTS/CTS method to send the frame. The RTS/CTS method clears the air of other
traffic to avoid corruption of the frame due to a collision with another frame.
Frag Threshold
Maximum length (in bytes) a frame is allowed to be without being fragmented into
multiple frames before transmission by a radio in the radio profile.
Long Preamble
Indicates whether an 802.11b radio that uses this radio profile advertises support for
frames with long preambles only:
YESAdvertises support for long preambles only.
NOAdvertises support for long and short preambles.
Tune Channel
Indicates whether RF Auto-Tuning is enabled for dynamically setting and tuning
Tune Power
Indicates whether RF Auto-Tuning is enabled for dynamically setting and tuning power
channels.
levels.
Tune Channel Interval
Interval, in seconds, at which RF Auto-Tuning decides whether to change the channels

on radios in a radio profile. At the end of each interval, MSS processes the results of
the RF scans performed during the previous interval, and changes radio channels if
needed.
Tune Power Interval
Interval, in seconds, at which RF Auto-Tuning decides whether to change the power

level on radios in a radio profile. At the end of each interval, MSS processes the results
of the RF scans performed during the previous interval, and changes radio power
levels if needed.
Power ramp interval
Number of seconds a radio waits before increasing or decreasing its power by 1 dBm in
response to a power change from RF Auto-Tuning. After each power ramp interval, the
radio increases or decreases the power by another 1 dB until the radio reaches the
power level selected by RF Auto-Tuning.
Channel Holddown
Minimum number of seconds a radio in a radio profile must remain at its current
channel assignment before RF Auto-Tuning can change the channel.
Countermeasures
Indicates whether countermeasures are enabled.
Active-Scan
Indicates whether the active-scan mode of RF detection is enabled.
RFID enabled
Indicates whether AeroScout tag support is enabled.
WMM Powersave
Indicates whether U-APSD support is enabled.
QoS Mode
Indicates the Quality-of-Service setting for MP radio forwarding queues:

wmmMP forwarding queues provide standard priority handling for WMM devices.
svpMP forwarding queues are optimized for SpectraLink Voice Priority (SVP).
For information about the QoS modes, see the Configuring Quality of Service chapter
in the Juniper Mobility System Software Configuration Guide.
403
Table 63.Output for show radio-profile (continued)

Field
Service profiles
Description
Service profiles mapped to this radio profile. Each service profile contains an SSID and
encryption information for that SSID.
When you upgrade from 2.x, MSS creates a default-dot1x service profile for encrypted
SSIDs and a default-clear service profile for unencrypted SSIDs. These default service
profiles contain the default encryption settings for crypto SSIDs and clear SSIDs,
respectively.
See Also
set radio-profile active-scan on page 302
set radio-profile dfs-channels on page 312
set radio-profile max-rx-lifetime on page 314
set radio-profile preamble-length on page 319
set radio-profile rf-scanning mode on page 322
set radio-profile service-profile on page 323
set radio-profile wmm-powersave on page 328
show service-profile
Displays service profile information.
Syntax show service-profile {profile-name | ?}
404
profile-name
Displays information about the named service profile.
Displays a list of service profiles.

Defaults None.
Access Enabled.
History
Version 3.0
Command introduced
Version 4.1
New fields added to indicate the configured SSID default attributes in the
service profile.
Version 4.2
New fields added:

Proxy ARP
DHCP restrict
No broadcast
Short retry limit (moved from show radio-profile output)
Long retry limit (moved from show radio-profile output)
Sygate On-Demand (SODA)
Enforce SODA checks:
SODA remediation ACL
Custom success web-page
Custom failure web-page
Custom logout web-page
Custom agent-directory
Static COS
COS
CAC mode
CAC sessions
User idle timeout
Idle client probing
Web Portal Session Timeout
Transmit rates for 11a / 11b / 11g:
beacon rate
multicast rate
mandatory rate
standard rates
disabled rates
405
Version 5.0
New fields added:

Active call timeout
Keep initial vlan
Web Portal ACL
Version 6.0
New fields added:

Client DSCP
Mesh enabled
Bridging enabled
Load Balance Exempt
Web Portal Logout
Custom Web Portal Logout URL
Examples The following command displays information for service profile sp1:
WLC# show service-profile sp1
ssid-name:
crypto
Beacon:
no
DHCP restrict:
no
Short retry limit:
5
Auth fallthru:
no
Enforce SODA checks:
yes
no
5
ssid-type:
Proxy ARP:
No broadcast:
Long retry limit:
none
yes
Sygate On-Demand (SODA):

SODA remediation ACL:
Custom success web-page:
Custom failure web-page:
Custom logout web-page:
Custom agent-directory:
Static COS:
0
Client DSCP:
none
CAC sessions:
180
Idle client probing:
no
Web Portal Session Timeout:
no
Web Portal ACL:
no
406
corp2
no
no
COS:
CAC mode:
14
User idle timeout:
yes
Keep initial vlan:
Mesh enabled:
Bridging enabled:
Load Balance Exempt:

no
no
Web Portal Logout:
Custom Web Portal Logout URL:

WEP Key 1 value:
<none>
<none>
WEP Key 2 value:
WEP Key 3 value:

<none>
<none>
WEP Key 4 value:
WEP Unicast Index:

1
Shared Key Auth:
WEP Multicast Index:

NO
11a beacon rate:

AUTO
6.0
multicast rate:
11a mandatory rate: 6.0,12.0,24.0 standard rates:

9.0,18.0,36.0,48.0,54.0
11b beacon rate:
AUTO
2.0
multicast rate:
11b mandatory rate: 1.0,2.0 standard rates: 5.5,11.0

11g beacon rate:
AUTO
2.0
multicast rate:
11g mandatory rate: 1.0,2.0,5.5,11.0 standard rates:

6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Table 64.Output for show service-profile
Field
Description
ssid-name
Service set identifier (SSID) managed by this service profile.
ssid-type
SSID type:
cryptoWireless traffic for the SSID is encrypted.
clearWireless traffic for the SSID is unencrypted.
Beacon
Indicates whether the radio sends beacons, to advertise the SSID:

no
yes
Proxy ARP
Indicates whether proxy ARP is enabled. When this feature is enabled, MSS answers
ARP requests on behalf of wireless clients.
DHCP restrict
Indicates whether DHCP Restrict is enabled. When this feature is enabled, MSS allows
only DHCP traffic for a new client until the client has successfully completed
authentication and authorization.
No broadcast
Indicates if broadcast restriction is enabled. When this feature is enabled, MSS sends
ARP requests and DHCP Offers and Acks as unicasts to their target clients instead of
forwarding them as broadcasts.
Short retry limit
Number of times a radio serving the service-profiles SSID can send a short unicast
frame without receiving an acknowledgment.
407
Table 64.Output for show service-profile (continued)

Field
Description
Long retry limit
Number of times a radio serving the service-profile SSID can send a long unicast frame
without receiving an acknowledgment. A long unicast frame is a frame that is equal to
or longer than the RTS threshold.
Auth fallthru
Secondary (fallthru) encryption type when a user tries to authenticate but the WLC
managing the radio does not have an authentication rule with a userglob that matches
the username.
last-resortAutomatically authenticates the user and allows access to the SSID
requested by the user, without requiring a username and password.
noneDenies authentication and prohibits the user from accessing the SSID.
web-portalRedirects the user to a web page for login to the SSID.
Sygate On-Demand (SODA)
Whether SODA functionality is enabled for the service profile. When SODA
functionality is enabled, connecting clients download SODA agent files, which perform
security checks on the client.
Enforce SODA checks
If a client is allowed access to the network after it has downloaded and run the SODA
agent security checks. When SODA functionality is enabled, and the WLC is
configured to enforce SODA checks, then a connecting client must download the
SODA agent files and pass the checks in order to gain access to the network.
SODA remediation ACL
The name of the ACL to be applied to the client if it fails the SODA agent checks. If no
remediation ACL is specified, then a client is disconnected from the network if it fails
the SODA agent checks.
Custom success web-page
The name of the user-specified page that the client loads upon successful completion
of the SODA agent checks. If no page is specified, then the success page is generated
dynamically.
Custom failure web-page
The name of the user-specified page that the client loads if it fails SODA agent checks.
Custom logout web-page
The name of the user-specified page that the client loads upon logging out of the
If no page is specified, then the failure page is generated dynamically.

network, either by closing the SODA virtual desktop, or by requesting the page. If no
page is specified, then the client is disconnected without loading a logout page.
Custom agent-directory
The name of the directory for SODA agent files on the WLC switch, if different from the
default. By default, SODA agent files are stored in a directory with the same name as
the service profile.
Static COS
Indicates whether static CoS assignment is enabled. When this feature is enabled,
MPs assign the CoS value in the COS field to all user traffic forwarded by the MP.
COS
CoS value assigned by the MP to all user traffic, if static CoS is enabled. (If static CoS
is disabled, WMM or ACLs are used to assign CoS.)
Client DSCP
If packets are classified based on client DSCP level instead of 802.11 priority.
CAC mode
Call Admission Control mode:

noneCAC is disabled.
sessionCAC is based on the number of active user sessions. If an MP radio
reaches the maximum number of active user sessions specified in the CAC session
field, the MP radio rejects new connection attempts.
CAC sessions
Maximum number of user sessions that can be active on an MP radio at one time, if the
CAC mode is session. (If the CAC mode is none, this value is not used.)
User idle timeout
Indicates how many seconds a user session can remain idle (indicated by no user
traffic and no reply to client keepalive probes) before the session is changed to the
Disassociated state.
408

Field
Description
Idle client probing
Indicates whether client keepalive probes are enabled.
Keep initial VLAN
Indicates whether the keep-initial-vlan option is enabled.
Web Portal Session Timeout
When a Web Portal WebAAA session is placed in the Deassociated state, how many
seconds the session can remain in that state before being terminated automatically.
Mesh enabled
Whether WLAN mesh services are enabled for the service profile.
Web Portal ACL
Name of the ACL used to filter traffic for Web Portal users associated with this service
profiles SSID while the users are being authenticated.
Bridging enabled
If wireless bridging is enabled for this service profile.
Load Balance Exempt
If the MP radios managed by this service profile are exempted (do not participate in)
RF load balancing.
Web Portal Logout
If the Web Portal WebAAA logout functionality has been enabled.
Custom Web Portal Logout URL If configured, the URL that Web Portal WebAAA users can access in order to terminate
their sessions.
WEP Key 1 value
State of static WEP key number 1. Radios can use this key to encrypt traffic with static
Wired-Equivalent Privacy (WEP):
noneThe key is not configured.
presetThe key is configured.
The WEP parameters apply to traffic only on the encrypted

SSID.
WEP Key 2 value
State of static WEP key number 2:

WEP Key 3 value

WEP Key 4 value

WEP Unicast Index
Index of the static WEP key used to encrypt unicast traffic on an encrypted SSID.
WEP Multicast Index
Index of the static WEP key used to encrypt multicast traffic on an encrypted SSID.
Shared Key Auth
Indicates whether shared-key authentication is enabled.
WPA enabled
or
RSN enabled
Indicates that the Wi-Fi Protected Access (WPA) or Robust Security Network (RSN)
information element (IE) is enabled. Additional fields display the settings of other WPA
or RSN parameters:
ciphersLists the cipher suites advertised by radios in the radio profile mapped to
this service profile.
authenticationLists the authentication methods supported for WPA or RSN clients:
802.1Xdynamic authentication
PSKpreshared key authentication
TKIP countermeasures timeIndicates the amount of time (in ms) MSS enforces
countermeasures following a second message integrity code (MIC) failure within a
60-second period.
These fields are displayed only when the WPA IE or RSN IE is enabled.
409

Field
Description
vlan-name, session-timeout,
These are examples of authorization attributes that are applied by default to a user
service-type
accessing the SSID managed by this service profile (in addition to any attributes
assigned to the user by a RADIUS server or the local database).
Attributes are listed here only if they have been configured as default attribute settings
for the service profile.
See Table
31 on page 206 for a list of authorization attributes and values that can
be assigned to network users.

11a / 11b / 11g transmit rate
fields
Data transmission rate settings for each radio type:

beacon rateData rate of beacon frames sent by MP radios.
multicast rateData rate of multicast frames sent by MP radios. If the rate is auto,
the MP sets the multicast rate to the highest rate that can reach all clients connected
to the radio.
mandatory ratesSet of data transmission rates that clients are required to support
in order to associate with an SSID on an MP radio. A client must support at least one
of the mandatory rates.
standard ratesThe set of valid rates that are neither mandatory nor disabled.
These rates are supported for data transmission from the MP radios.
disabled ratesData transmission rates that MP radios will not use to transmit data.
(The radios will still accept frames from clients at disabled data rates.)

410

show service-profile cac session

Displays current session counts on all MPs using the specified service profile, when
session-based CAC is enabled.
Syntax show service-profile profile-name cac session
profile-name
Displays information about the named service profile.
Defaults None.
Access Enabled.
Examples The following command displays information about session counts for service profile
sp1:
WLC# show service-profile sp1 cac session
Service Profile
sp1
CAC Mode
SESSION
Max Sessions
14
Table 65 describes the fields in displayed by the show service-profile cac session command.
Table 65.Output for show service-profile cac session
Field
Description
Service Profile
Name of the service profile
CAC Mode
CAC mode, either SESSION or NONE
Max Sessions
The number of CAC sessions available on MPs managed by this service profile.
See Also
411

412
STP Commands
Use Spanning Tree Protocol (STP) commands to configure and manage spanning trees on the virtual
LANs (VLANs) configured on an MX, to maintain a loop-free network. This chapter presents STP
commands alphabetically. Use the following table to locate commands in this chapter based on their
use.
STP State
set spantree on page 416

show spantree on page 424
show spantree blockedports on page 426
Bridge Priority
set spantree priority on page 423
Port Cost
set spantree portcost on page 419

set spantree portvlancost on page 421
show spantree portvlancost on page 428
clear spantree portcost on page 414
clear spantree portvlancost on page 415
Port Priority
set spantree portpri on page 421

set spantree portvlanpri on page 422
clear spantree portpri on page 414
clear spantree portvlanpri on page 415
Timers
set spantree fwddelay on page 418

set spantree hello on page 418
set spantree maxage on page 419
Fast Convergence
set spantree portfast on page 420

show spantree portfast on page 427
set spantree backbonefast on page 417
show spantree backbonefast on page 426
set spantree uplinkfast on page 423
show spantree uplinkfast on page 433
Statistics
show spantree statistics on page 429

clear spantree statistics on page 416
413
clear spantree portcost

Resets to the default value the cost of a network port or ports on paths to the STP root bridge in all
VLANs on an MX.
Syntax clear spantree portcost port-list
port-list
List of ports. The port cost is reset on the specified ports.
Defaults None.
Access Enabled.
Usage This command resets the cost in all VLANs. To reset the cost for only specific VLANs, use
the clear spantree portvlancost command.
Examples The following command resets the STP port cost on ports 5 and 6 to the default value:
MX# clear spantree portcost 5-6
See Also
clear spantree portpri

Resets the configuration to the default value for the priority of a network port or ports for selection as
part of the path to the STP root bridge in all VLANs on an MX.
Syntax clear spantree portpri port-list
port-list
List of ports. The port priority is reset to 32 (the default) on the specified ports.
Defaults None.
Access Enabled.
Usage This command resets the priority in all VLANs. To reset the priority for only specific VLANs,
use the clear spantree portvlanpri command.
Examples The following command resets the STP priority on port 9 to the default:
MX# clear spantree portpri 9
See Also
414
STP Commands

clear spantree portvlancost

Resets to the default value the cost of a network port or ports on paths to the STP root bridge for a
specific VLAN on an MX switch, or for all VLANs.
Syntax clear spantree portvlancost port-list {all | vlan vlan-id}
port-list
List of ports. The port cost is reset on the specified ports.
all
Resets the cost for all VLANs.
vlan vlan-id
VLAN name or number. MSS resets the cost for only the specified VLAN.
Defaults None.
Access Enabled.
Usage MSS does not change the port cost for VLANs other than the one(s) you specify.
Examples The following command resets the STP cost for port 12 in VLAN sunflower:
MX# clear spantree portvlancost 12 vlan sunflower
See Also
clear spantree portvlanpri

Resets to the default value the priority of a network port or ports for selection as part of the path to the
STP root bridge, on one VLAN or all VLANs.
Syntax clear spantree portvlanpri port-list {all | vlan vlan-id}
port-list
List of ports. The port priority is reset to 32 (the default) on the specified ports.
all
Resets the priority for all VLANs.
vlan vlan-id
VLAN name or number. MSS resets the priority for only the specified VLAN.
Defaults None.
415
Access Enabled.
Usage MSS does not change the port priority for VLANs other than the one(s) you specify.
Examples The following command resets the STP priority for port 20 in VLAN avocado:
MX# clear spantree portvlanpri 20 vlan avocado
See Also
clear spantree statistics

Clears STP statistics counters for a network port or ports and resets them to 0.
Syntax clear spantree statistics port-list [vlan vlan-id]
port-list
List of ports. Statistics counters are reset on the specified ports.
vlan vlan-id
VLAN name or number. MSS resets statistics counters for only the specified
VLAN.
Defaults None.
Access Enabled.
Examples The following command clears STP statistics counters for ports 5, 11, and 19 through
22, for all VLANs:
MX# clear spantree statistics 5,11,19-22
See Also show spantree statistics on page 429
set spantree
Enables or disables STP on one VLAN or all VLANs configured on an MX.
Syntax set spantree {enable | disable}
[{all | vlan vlan-id | port port-list vlan-id}]
416
enable
Enables STP.
disable
Disables STP.
all
Enables or disables STP on all VLANs.
STP Commands
vlan vlan-id
VLAN name or number. MSS enables or disables STP on only the specified
VLAN, on all ports within the VLAN.
port port-list
vlan-id
Port number or list and the VLAN the ports are in. MSS enables or disables
STP on only the specified ports, within the specified VLAN.
Defaults Disabled.
Access Enabled.
Examples The following command enables STP on all VLANs configured on an MX:
MX# set spantree enable
The following command disables STP on VLAN burgundy:
MX# set spantree disable vlan burgundy
See Also show spantree on page 424
set spantree backbonefast

Enables or disables STP backbone fast convergence on an MX. This feature accelerates port recovery
following the failure of an indirect link.
Syntax set spantree backbonefast {enable | disable}
enable
Enables backbone fast convergence.
disable
Disables backbone fast convergence.
Defaults STP backbone fast path convergence is disabled by default.

Access Enabled.
Usage If you plan to use the backbone fast convergence feature, you must enable it on all the
bridges in the spanning tree.
Examples The following command enables backbone fast convergence:
MX# set spantree backbonefast enable
See Also show spantree backbonefast on page 426
417
set spantree fwddelay

Changes the period of time after a topology change that an MX which is not the root bridge waits to
begin forwarding Layer 2 traffic on one or all of the configured VLANs. (The root bridge always
forwards traffic.)
Syntax set spantree fwddelay delay {all | vlan vlan-id}
delay
Delay value. You can specify from 4 through 30 seconds.
all
Changes the forwarding delay on all VLANs.
vlan vlan-id
VLAN name or number. MSS changes the forwarding delay on only the
specified VLAN.
Defaults The default forwarding delay is 15 seconds.

Access Enabled.
Examples The following command changes the forwarding delay on VLAN pink to 20 seconds:
MX# set spantree fwddelay 20 vlan pink
set spantree hello

Changes the interval between STP hello messages sent by an MX when operating as the root bridge,
on one or all of the configured VLANs.
Syntax set spantree hello interval {all | vlan vlan-id}
interval
Interval value. You can specify from 1 through 10 seconds.
all
Changes the interval on all VLANs.
vlan vlan-id
VLAN name or number. MSS changes the interval on only the specified
VLAN.
Defaults The default hello timer interval is 2 seconds.

Access Enabled.
Examples The following command changes the hello interval for all VLANs to 4 seconds:
MX# set spantree hello 4 all
418
STP Commands
set spantree maxage

Changes the maximum age for an STP root bridge hello packet that is acceptable to an MX acting as a
designated bridge on one or all of its VLANs. After waiting this period of time for a new hello packet,
the MX determines that the root bridge is unavailable and issues a topology change message.
Syntax set spantree maxage aging-time {all | vlan vlan-id}
aging-time
Maximum age value. You can specify from 6 through 40 seconds.
all
Changes the maximum age on all VLANs.
vlan vlan-id
VLAN name or number. MSS changes the maximum age on only the specified
VLAN.
Defaults The default maximum age for root bridge hello packets is 20 seconds.
Access Enabled.
Examples The following command changes the maximum acceptable age for root bridge hello
packets on all VLANs to 15 seconds:
MX# set spantree maxage 15 all
set spantree portcost

Changes the cost that transmission through a network port or ports in the default VLAN on an MX adds
to the total cost of a path to the STP root bridge.
Syntax set spantree portcost port-list cost cost
port-list
List of ports. MSS applies the cost change to all the specified ports.
cost cost
Numeric value. You can specify a value from 1 through 65,535. STP selects
lower-cost paths over higher-cost paths.
Defaults The default port cost depends on the port speed and link type. Table 66 lists the defaults
for STP port path cost.
Table 66.SNMP Port Path Cost Defaults
Port Speed
Link Type
Default Port Path Cost
1000 Mbps
Full Duplex Aggregate Link (Port Group)
19
1000 Mbps
Full Duplex
100 Mbps
19
100 Mbps
Full Duplex
18
100 Mbps
Half Duplex
19
10 Mbps
19
10 Mbps
Full Duplex
95
419
Table 66.SNMP Port Path Cost Defaults (continued)

Port Speed
Link Type
Default Port Path Cost
10 Mbps
Half Duplex
100
Access Enabled.
Usage This command applies only to the default VLAN (VLAN 1). To change the cost of a port in
another VLAN, use the set spantree portvlancost command.
Examples The following command changes the cost on ports 3 and 4 to 20:
MX# set spantree portcost 3,4 cost 20
See Also
set spantree portfast

Enables or disables STP port fast convergence on one or more ports on an MX.
Syntax set spantree portfast port port-list {enable | disable}
port port-list
List of ports. MSS enables the feature on the specified ports.
enable
Enables port fast convergence.
disable
Disables port fast convergence.
Defaults STP port fast convergence is disabled by default.

Access Enabled.
Usage Use port fast convergence on ports that are directly connected to servers, hosts, or other
MAC stations.
Examples The following command enables port fast convergence on ports 9, 11, and 13:
MX# set spantree portfast port 9,11,13 enable
See Also show spantree portfast on page 427
420
STP Commands
set spantree portpri

Changes the STP priority of a network port or ports for selection as part of the path to the STP root
bridge in the default VLAN on an MX.
Syntax set spantree portpri port-list priority value
port-list
List of ports. MSS changes the priority on the specified ports.
priority
value
Priority value. You can specify a value from 0 (highest) through 255 (lowest).
Defaults The default STP priority for all network ports is 128.
Access Enabled.
Usage This command applies only to the default VLAN (VLAN 1). To change the priority of a port
in another VLAN, use the set spantree portvlanpri command.
Examples The following command sets the priority of ports 3 and 4 to 48:
MX# set spantree portpri 3-4 priority 48
See Also
set spantree portvlancost

Changes the cost of a network port or ports on paths to the STP root bridge for a specific VLAN on an
MX switch.
Syntax set spantree portvlancost port-list cost cost {all | vlan vlan-id}
port-list
List of ports. MSS applies the cost change to all the specified ports.
cost cost
Numeric value. You can specify a value from 1 through 65,535. STP selects
lower-cost paths over higher-cost paths.
all
Changes the cost on all VLANs.
vlan vlan-id
VLAN name or number. MSS changes the cost on only the specified VLAN.
Defaults The default port cost depends on the port speed and link type. (See Table 66 on
page 419.)
Access Enabled.
Examples The following command changes the cost on ports 3 and 4 to 20 in VLAN mauve:
421
MX# set spantree portvlancost 3,4 cost 20 vlan mauve

See Also
set spantree portvlanpri

Changes the priority of a network port or ports for selection as part of the path to the STP root bridge,
on one VLAN or all VLANs.
Syntax set spantree portvlanpri port-list priority value {all | vlan vlan-id}
port-list
List of ports. MSS changes the priority on the specified ports.
priority value
Priority value. You can specify a value from 0 (highest) through 255 (lowest).
all
Changes the priority on all VLANs.
vlan vlan-id
VLAN name or number. MSS changes the priority on only the specified
VLAN.
Defaults The default STP priority for all network ports is 128.
Access Enabled.
Examples The following command sets the priority of ports 3 and 4 to 48 on VLAN mauve:
MX# set spantree portvlanpri 3-4 priority 48 vlan mauve
See Also
422
STP Commands
set spantree priority

Changes the STP root bridge priority of an MX switch on one or all of its VLANs.
Syntax set spantree priority value {all | vlan vlan-id}
priority value Priority value. You can specify a value from 0 through 65,535. The bridge with
the lowest priority value is elected to be the root bridge for the spanning tree.
all
Changes the bridge priority on all VLANs.
vlan vlan-id
VLAN name or number. MSS changes the bridge priority on only the specified
VLAN.
Defaults The default root bridge priority for the MX on all VLANs is 32,768.
Access Enabled.
Examples The following command sets the bridge priority of VLAN pink to 69:
MX# set spantree priority 69 vlan pink
set spantree uplinkfast

Enables or disables STP uplink fast convergence on an MX. This feature enables an MX with
redundant links to the network backbone to immediately switch to the backup link to the root bridge if
the primary link fails.
Syntax set spantree uplinkfast {enable | disable}
enable
Enables uplink fast convergence.
disable
Disables uplink fast convergence.
Defaults Disabled.
Access Enabled.
Usage The uplink fast convergence feature is applicable to bridges acting as access switches to
the network core (distribution layer) but are not in the core themselves. Do not enable the feature
on MX switches that are in the network core.
Examples The following command enables uplink fast convergence:
MX# set spantree uplinkfast enable
See Also show spantree uplinkfast on page 433
423
show spantree
Displays STP configuration and port-state information.
Syntax show spantree [port port-list | vlan vlan-id] [active]
port port-list
List of ports. If you do not specify any ports, MSS displays STP information for
all ports.
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, MSS displays STP
information for all VLANs.
active
Displays information for only the active (forwarding) ports.
Defaults None.
Access All.
History
Version 1.0
Command introduced
Version 4.2
Value STP Off added for STP-State and Port-State fields. This state indicates
that STP is disabled on the port. The Disabled state is still used, but only to
indicate that the port is not forwarding traffic.
Examples The following command displays STP information for VLAN default:
MX# show spantree vlan default
VLAN
Spanning Tree Mode
PVST+
Spanning Tree Type
IEEE
Spanning Tree Enabled

Designated Root
00-02-4a-70-49-f7
Designated Root Priority
32768
Designated Root Path Cost
19
Designated Root Port
Root Max Age
20 sec
Hello Time 2 sec
Forward Delay 15 sec
Bridge ID MAC ADDR
00-0b-0e-02-76-f7
Bridge ID Priority
32768
Bridge Max Age 20 sec

Port
Vlan
Hello Time 2 sec

STP-State
Forward Delay 15 sec

Cost
Prio
Portfast
------------------------------------------------------------------
424
Forwarding
19
128
Disabled
STP Off
19
128
Disabled
Disabled
19
128
Disabled
Disabled
19
128
Disabled
STP Commands
Disabled
19
128
Disabled
Disabled
19
128
Disabled
Disabled
19
128
Disabled
Disabled
19
128
Disabled

Table 67.Output for show spantree
Field
Description
VLAN
VLAN number.
Spanning Tree Mode
In the current software version, the mode is always PVST+, which means Per VLAN
Spanning Tree+.
Spanning Tree Type
In the current software version, the type is always IEEE, which means STP is based on
the IEEE 802 standards.
Spanning Tree Enabled
State of STP on the VLAN.
Designated Root
MAC address of the spanning tree root bridge.
Designated Root Priority
Bridge priority of the root bridge.
Designated Root Path Cost
Cumulative cost from this bridge to the root bridge. If this MX is the root bridge, then the
root cost is 0.
Designated Root Port
Port through which this MX reaches the root bridge.

If this MX switch is the root bridge, this field says We are the root.
Root Max Age
Maximum acceptable age for hello packets on the root bridge.
Root Hello Time
Hello interval on the root bridge.
Root Forward Delay
Forwarding delay value on the root bridge.
Bridge ID MAC ADDR
The MX MAC address.
Bridge ID Priority
The MX bridge priority.
Bridge Max Age
The MX maximum acceptable age for hello packets.
Bridge Hello Time
The MX hello interval.
Bridge Forward Delay
The MX forwarding delay value.
Port
Port number.
Note: Only network ports are listed. STP does not apply to MP ports or wired
authentication ports.
Vlan
VLAN ID.
425
Table 67.Output for show spantree (continued)

Field
Description
STP-State
STP state of the port:
or
BlockingThe port is not forwarding Layer 2 traffic but is listening to and forwarding
STP control traffic.
Port-State
DisabledThis state can indicate any of the following conditions:

The port is inactive.
The port is disabled.
STP is enabled on the port but the port is not forwarding traffic. (The port is active
and enabled but STP has just started to come up.)
ForwardingThe port is forwarding Layer 2 traffic.
LearningThe port is learning the locations of other devices in the spanning tree
before changing state to forwarding.
ListeningThe port is comparing its own STP information with information in STP
control packets received by the port to compute the spanning tree and change state
to blocking or forwarding.
STP OffSTP is disabled on the port.
Cost
STP cost of the port.
Prio
STP priority of the port.
Portfast
State of the uplink fast convergence feature:

Enabled
Disabled
See Also show spantree blockedports on page 426
show spantree backbonefast

Indicates whether the STP backbone fast convergence feature is enabled or disabled.
Syntax show spantree backbonefast
Defaults None.
Access All.
Examples The following example shows the command output on an MX with backbone fast
convergence enabled:
MX# show spantree backbonefast
Backbonefast is enabled
See Also set spantree backbonefast on page 417
show spantree blockedports

Lists information about MX ports that STP has blocked on one or all of the VLANs.
Syntax show spantree blockedports [vlan vlan-id]
vlan vlan-id
426
VLAN name or number. If you do not specify a VLAN, MSS displays

information for blocked ports on all VLANs.
STP Commands
Defaults None.
Access All.
Usage The command lists information separately for each VLAN.
Examples The following command shows information about blocked ports on an MX for the
default VLAN (VLAN 1):
MX# show spantree blockedports vlan default
Port
Vlan
Port-State
Cost
Prio
Portfast
-----------------------------------------------------------------------22
190
Blocking
128
Disabled
Number of blocked ports (segments) in VLAN 1 : 1

The port information is the same as the information displayed by the show spantree command. See
show spantree portfast

Displays STP uplink fast convergence information for all network ports or for one or more network
ports.
Syntax show spantree portfast [port-list]
port-list
List of ports. If you do not specify any ports, MSS displays uplink fast
convergence information for all ports.
Defaults None.
Access All.
Examples The following command shows uplink fast convergence information for all ports:
MX# show spantree portfast
Port
Vlan
Portfast
------------------------- ----
----------
disable
disable
disable
enable
disable
disable
disable
disable
427
10
disable
15
disable
16
disable
17
disable
18
disable
19
disable
20
disable
21
disable
22
disable
11
enable
12
disable
13
disable
14
enable

Table 68.Output for show spantree portfast
Field
Description
Port
Port number.
VLAN
VLAN number.
Portfast
State of the uplink fast convergence feature:

Enable
Disable
See Also set spantree portfast on page 420
show spantree portvlancost

Displays the cost of a port on a path to the STP root bridge, for each of the port of the VLANs.
Syntax show spantree portvlancost port-list
port-list
List of ports.
Defaults None.
Access All.
Examples The following command shows the STP port cost of port 1:
MX# show spantree portvlancost 1
port 1 VLAN 1 have path cost 19
See Also
428
STP Commands

show spantree statistics

Displays STP statistics for one or more MX network ports.
Syntax show spantree statistics [port-list [vlan vlan-id]]
port-list
List of ports. If you do not specify any ports, MSS displays STP statistics for
all ports.
vlan vlan-id
statistics for all VLANs.
Defaults None.
Access All.
Usage The command displays statistics separately for each port.
Examples The following command shows STP statistics for port 1:
MX# show spantree statistics 1
BPDU related parameters
Port 1
VLAN 1
spanning tree enabled for VLAN = 1

port spanning tree
enabled
state
Forwarding
port_id
0x8015
port_number
0x15
path cost
0x4
message age (port/VLAN)
0(20)
designated_root
00-0b-0e-00-04-30
designated cost
0x0
designated_bridge
00-0b-0e-00-04-30
designated_port
38
top_change_ack
FALSE
config_pending
FALSE
port_inconsistency
none
Port based information statistics

config BPDU's xmitted(port/VLAN)
0 (1)
config BPDU's received(port/VLAN)
21825 (43649)
429
tcn BPDU's xmitted(port/VLAN)
0 (0)
tcn BPDU's received(port/VLAN)
2 (2)
forward transition count (port/VLAN)
1 (1)
scp failure count
root inc trans count (port/VLAN)
1 (1)
inhibit loopguard
FALSE
loop inc trans count
0 (0)
Status of Port Timers

forward delay timer
INACTIVE
forward delay timer value
15
message age timer
ACTIVE
message age timer value
topology change timer
INACTIVE
topology change timer value
hold timer
INACTIVE
hold timer value
delay root port timer
INACTIVE
delay root port timer value
delay root port timer restarted is
FALSE
VLAN based information & statistics

spanning tree type
ieee
spanning tree multicast address
01-00-0c-cc-cc-cd
bridge priority
32768
bridge MAC address
00-0b-0e-12-34-56
bridge hello time
bridge forward delay
15
topology change initiator:
last topology change occured:
Tue Jul 01 2003 22:33:36.
topology change
FALSE
topology change time
35
topology change detected
FALSE
topology change count
topology change last recvd. from
00-0b-0e-02-76-f6
Other port specific info
430
dynamic max age transition
port BPDU ok count
21825
msg age expiry count
STP Commands
link loading
BPDU in processing
FALSE
num of similar BPDU's to process
received_inferior_bpdu
FALSE
next state
src MAC count
21807
total src MAC count
21825
curr_src_mac
00-0b-0e-00-04-30
next_src_mac
00-0b-0e-02-76-f6

Table 69.Output for show spantree statistics
Field
Description
Port
Port number.
VLAN
VLAN ID.
Spanning Tree enabled for vlan
State of the STP feature on the VLAN.
port spanning tree
State of the STP feature on the port.
state
STP state of the port:

BlockingThe port is not forwarding Layer 2 traffic but is listening to and
forwarding STP control traffic.
DisabledThe port is not forwarding any traffic, including STP control
traffic. The port might be administratively disabled or the link might be
disconnected.
ForwardingThe port is forwarding Layer 2 traffic.
LearningThe port is learning the locations of other devices in the
spanning tree before changing state to forwarding.
ListeningThe port is comparing its own STP information with
information in STP control packets received by the port to compute the
spanning tree and change state to blocking or forwarding.
port_id
STP port ID.
port_number
STP port number.
path cost
Cost to use this port to reach the root bridge. This is part of the total path
cost (designated cost).
message age
Age of the protocol information for a port and the value of the maximum
age parameter (shown in parenthesis) recorded by the switch.
designated_root
MAC address of the root bridge.
designated cost
Total path cost to reach the root bridge.
designated_bridge
Bridge to which this MX forwards traffic away from the root bridge.
designated_port
STP port through which this MX forwards traffic away from the root bridge.
top_change_ack
Value of the topology change acknowledgment flag in the next configured

bridge protocol data unit (BPDU) to be transmitted on the associated port.
The flag is set in reply to a topology change notification BPDU.
431
Table 69.Output for show spantree statistics (continued)

Field
config_pending
Description
Indicates whether a configured BPDU is to be transmitted on expiration of
the hold timer for the port.
port_inconsistency
Indicates whether the port is in an inconsistent state.
config BPDUs xmitted
Number of BPDUs transmitted from the port. A number in parentheses

indicates the number of configured BPDUs transmitted by the MX for this
VLANs spanning tree.
config BPDUs received
Number of BPDUs received by this port. A number in parentheses

indicates the number of configured BPDUs received by the MX switch for
this VLANs spanning tree.
tcn BPDUs xmitted
Number of topology change notification (TCN) BDPUs transmitted on this

port.
tcn BPDUs received
Number of TCN BPDUs received on this port.
forward transition count
Number of times the port state transitioned to the forwarding state.
scp failure count
Number of service control point (SCP) failures.
root inc trans count
Number of times the root bridge changed.
inhibit loopguard
State of the loop guard. In the current release, the state is always FALSE.
loop inc trans count
Number of loops that have occurred.
forward delay timer
Status of the forwarding delay timer. This timer monitors the time spent by
a port in the listening and learning states.
forward delay timer value
Current value of the forwarding delay timer, in seconds.
message age timer
Status of the message age timer. This timer measures the age of the
received protocol information recorded for a port.
message age timer value
Current value of the message age timer, in seconds.
topology change timer
Status of the topology change timer. This timer determines the time period
during which configured BPDUs are transmitted with the topology change
flag set by this MX switch when it is the root bridge, after detection of a
topology change.
topology change timer value
Current value of the topology change timer, in seconds.
hold timer
Status of the hold timer. This timer ensures that configured BPDUs are not
transmitted too frequently through any bridge port.
hold timer value
Current value of the hold timer, in seconds.
delay root port timer
Status of the delay root port timer, which enables fast convergence when
uplink fast convergence is enabled.
delay root port timer value
Current value of the delay root port timer.
delay root port timer restarted is
Whether the delay root port timer has been restarted.
spanning tree type
Type of spanning tree. The type is always IEEE.
spanning tree multicast address
Destination address used to send out configured BPDUs on a bridge port.
bridge priority
STP priority of this MX.
bridge MAC address
MAC address of this MX switch.
bridge hello time
Value of the hello timer interval, in seconds, when this MX switch is the root
or is attempting to become the root.
bridge forward delay
Value of the forwarding delay interval, in seconds, when this MX switch is

the root or is attempting to become the root.
432
STP Commands
Table 69.Output for show spantree statistics (continued)

Field
Description
topology change initiator
Port number that initiated the most recent topology change.
last topology change occurred
System time when the most recent topology change occurred.
topology change
Value of the topology change flag in configuration BPDUs to be transmitted

by this MX switch on VLANs for which the switch is the designated bridge.
topology change time
Time period, in seconds, during which BPDUs are transmitted with the
topology change flag set by this MX switch when it is the root bridge, after
detection of a topology change. It is equal to the sum of the switchs
maximum age and forwarding delay parameters.
topology change detected
Indicates whether a topology change has been detected by the switch.
topology change count
Number of times the topology change has occurred.
topology change last recvd. from
MAC address of the bridge from which the MX last received a topology
change.
dynamic max age transition
Number of times the maximum age parameter was changed dynamically.
port BPDU ok count
Number of valid port BPDUs received.
msg age expiry count
Number of expired messages.
link loading
Indicates whether the link is oversubscribed.
BPDU in processing
Indicates whether BPDUs are currently being processed.
num of similar BPDUs to process
Number of similar BPDUs received on a port that need to be processed.
received_inferior_bpdu
Indicates whether the port has received an inferior BPDU or a response to

a Root Link Query (RLQ) BPDU.
next state
Port state before it is set by STP.
src MAC count
Number of BPDUs with the same source MAC address.
total src MAC count
Number of BPDUs with all the source MAC addresses.
curr_src_mac
Source MAC address of the current received BPDU.
next_src_mac
Other source MAC address from a different source.
See Also clear spantree statistics on page 416
show spantree uplinkfast

Displays uplink fast convergence information for one VLAN or all VLANs.
Syntax show spantree uplinkfast [vlan vlan-id]
vlan vlan-id
Defaults None.
Access All.
Examples The following command shows uplink fast convergence information for all VLANs:
MX# show spantree uplinkfast
VLAN
port
list
433
-----------------------------------------------------------------------1
1(fwd),2,3

Table 70.Output for show spantree uplinkfast
Field
Description
VLAN
VLAN number.
port list
Ports in the uplink group. The port that is forwarding traffic is indicated by fwd. The
other ports are blocking traffic.
See Also set spantree uplinkfast on page 423
434
IGMP Snooping Commands

Use Internet Group Management Protocol (IGMP) snooping commands to configure and manage
multicast traffic reduction on an MX. This chapter presents IGMP snooping commands alphabetically.
Use the following table to locate commands in this chapter based on their use.
IGMP Snooping State
set igmp mrouter on page 437

show igmp on page 443
Proxy Reporting
set igmp proxy-report on page 439
Pseudo-querier
set igmp querier on page 441

show igmp querier on page 447
Timers
set igmp qi on page 440

set igmp oqi on page 438
set igmp qri on page 440
set igmp lmqi on page 436
set igmp rv on page 442
Router Solicitation
set igmp mrsol on page 437

set igmp mrsol mrsi on page 438
Multicast Routers

show igmp mrouter on page 446
Multicast Receivers
set igmp receiver on page 442

show igmp receiver-table on page 448
Statistics
show igmp statistics on page 449

clear igmp statistics on page 435
clear igmp statistics

Clears IGMP statistics counters on one VLAN or all VLANs on an MX and resets them to 0.
Syntax clear igmp statistics [vlan vlan-id]
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, IGMP statistics are
cleared for all VLANs.
Defaults None.
Access Enabled.
Examples The following command clears IGMP statistics for all VLANs:
435
MX# clear igmp statistics

IGMP statistics cleared for all vlans
See Also show igmp statistics on page 449
set igmp
Disables or reenables IGMP snooping on one VLAN or all VLANs on an MX.
Syntax set igmp {enable | disable} [vlan vlan-id]
enable
Enables IGMP snooping.
disable
Disables IGMP snooping.
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, IGMP snooping is

disabled or reenabled on all VLANs.
Defaults IGMP snooping is disabled on all VLANs by default.

Access Enabled.
Examples The following command enables IGMP snooping on VLAN orange:
MX# set igmp enable vlan orange
See Also show igmp on page 443
set igmp lmqi

Changes the IGMP last member query interval timer on one VLAN or all VLANs on an MX switch.
Syntax set igmp lmqi tenth-seconds [vlan vlan-id]
lmqi tenth-seconds
Amount of time (in tenths of a second) that the MX waits for a response to
a group-specific query after receiving a leave message for that group,
before removing the receiver that sent the leave message from the list of
receivers for the group. If there are no more receivers for the group, the
switch also sends a leave message for the group to multicast routers.
You can specify a value from 1 through 65,535.
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, the timer change
applies to all VLANs.
Defaults The default last member query interval is 10 tenths of a second (1 second).
Access Enabled.
Examples The following command changes the last member query interval on VLAN orange to 5
tenths of a second:
MX# set igmp lmqi 5 vlan orange
436
See Also
set igmp mrouter

Adds or removes a port in an MX list of ports that the MX forwards traffic to multicast routers. Static
multicast ports are immediately added to or removed from the list of router ports and do not age
out.
Syntax set igmp mrouter port port-list {enable | disable}
port port-list
Port list. MSS adds or removes the specified ports in the list of static multicast
router ports.
enable
Adds the port to the list of static multicast router ports.
disable
Removes the port from the list of static multicast router ports.
Defaults By default, no ports are static multicast router ports.

Access Enabled.
Usage You cannot add MP access ports or wired authentication ports as static multicast ports.
However, MSS can dynamically add these port types to the list of multicast ports based on
multicast traffic.
Examples The following command adds port 9 as a static multicast router port:
MX# set igmp mrouter port 9 enable
The following command removes port 9 from the static multicast router port list:
MX# set igmp mrouter port 9 disable
See Also show igmp mrouter on page 446
set igmp mrsol

Enables or disables multicast router solicitation by an MX switch on one VLAN or all VLANs.
Syntax set igmp mrsol {enable | disable} [vlan vlan-id]
enable
Enables multicast router solicitation.
disable
Disables multicast router solicitation.
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, multicast router

solicitation is disabled or enabled on all VLANs.
Defaults Multicast router solicitation is disabled on all VLANs by default.
437
Access Enabled.
Examples The following command enables multicast router solicitation on VLAN orange:
MX# set igmp mrsol enable vlan orange
See Also set igmp mrsol mrsi on page 438
set igmp mrsol mrsi

Changes the interval between multicast router solicitations by an MX on one VLAN or all VLANs.
Syntax set igmp mrsol mrsi seconds [vlan vlan-id]
seconds
Number of seconds between multicast router solicitations. You can specify a

value from 1 through 65,535.
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, MSS changes the
multicast router solicitation interval for all VLANs.
Defaults The interval between multicast router solicitations is 30 seconds by default.

Access Enabled.
Examples The following example changes the multicast router solicitation interval to 60 seconds:
MX# set igmp mrsol mrsi 60
See Also set igmp mrsol on page 437
set igmp oqi

Changes the IGMP other-querier-present interval timer on one VLAN or all VLANs on an MX
switch.
Syntax set igmp oqi seconds [vlan vlan-id]
oqi seconds
Number of seconds that the MX waits for a general query to arrive before
becoming the querier. You can specify a value from 1 through 65,535.
vlan vlan-id
Defaults The default other-querier-present interval is 255 seconds (4.25 minutes).

Access Enabled.
Usage An MX cannot become the querier unless the pseudo-querier feature is enabled on the
switch. When the feature is enabled, the switch becomes the querier for a subnet so long as the
switch does not receive a query message from a router with a lower IP address than the IP
address of the switch in that subnet. To enable the pseudo-querier feature, use set igmp querier.
438
Examples The following command changes the other-querier-present interval on VLAN orange to
200 seconds:
MX# set igmp oqi 200 vlan orange
See Also
set igmp proxy-report

Disables or reenables proxy reporting by an MX switch on one VLAN or all VLANs.
Syntax set igmp proxy-report {enable | disable} [vlan vlan-id]
enable
Enables proxy reporting.
disable
Disables proxy reporting.
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, proxy reporting is

disabled or reenabled on all VLANs.
Defaults Proxy reporting is enabled on all VLANs by default.

Access Enabled.
Usage Proxy reporting reduces multicast overhead by sending only one membership report for a
group to the multicast routers and discarding other membership reports for the same group. If you
disable proxy reporting, the MX sends all membership reports to the routers, including multiple
reports for the same group.
Examples The following example disables proxy reporting on VLAN orange:
MX# set igmp proxy-report disable vlan orange
See Also show igmp on page 443
439
set igmp qi
Changes the IGMP query interval timer on one VLAN or all VLANs on an MX.
Syntax set igmp qi seconds [vlan vlan-id]
qi seconds
Number of seconds that elapse between general queries sent by the MX

when the MX is the querier for the subnet. You can specify a value from 1
through 65,535.
vlan vlan-id
Defaults The default query interval is 125 seconds.

Access Enabled.
Usage The query interval is applicable only when the MX is querier for the subnet. For the MX to
become the querier, the pseudo-querier feature must be enabled on the MX and the MX must
have the lowest IP address among all the devices eligible to become a querier. To enable the
pseudo-querier feature, use the set igmp querier command.
Examples The following command changes the query interval on VLAN orange to 100 seconds:
MX# set igmp qi 100 vlan orange
See Also
set igmp qri

Changes the IGMP query response interval timer on one VLAN or all VLANs on an MX.
Syntax set igmp qri tenth-seconds [vlan vlan-id]
440
qri tenth-seconds
Amount of time (in tenths of a second) that the MX waits for a receiver to
respond to a group-specific query message before removing the receiver
from the receiver list for the group. You can specify a value from 1 through
65,535.
vlan vlan-id
Defaults The default query response interval is 100 tenths of a second (10 seconds).
Access Enabled.
Usage The query response interval is applicable only when the MX is querier for the subnet. For
the MX to become the querier, the pseudo-querier feature must be enabled on the MX and the MX
must have the lowest IP address among all the devices eligible to become a querier. To enable the
pseudo-querier feature, use set igmp querier.
Examples The following command changes the query response interval on VLAN orange to 50
tenths of a second (5 seconds):
MX# set igmp qri 50 vlan orange
See Also
set igmp querier

Enables or disables the IGMP pseudo-querier on an MX, on one VLAN or all VLANs.
Syntax set igmp querier {enable | disable} [vlan vlan-id]
enable
Enables the pseudo-querier.
disable
Disables the pseudo-querier.
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, the pseudo-querier is

enabled or disabled on all VLANs.
Defaults The pseudo-querier is disabled on all VLANs by default.

Access Enabled.
Usage Juniper Networks recommends that you use the pseudo-querier only when the VLAN
contains local multicast traffic sources and no multicast router is servicing the subnet.
Examples The following example enables the pseudo-querier on the orange VLAN:
MX# set igmp querier enable vlan orange
See Also show igmp querier on page 447
441
set igmp receiver

Adds or removes a network port in the list of ports on which an MX switch forwards traffic to
multicast receivers. Static multicast receiver ports are immediately added to or removed from the
list of receiver ports and do not age out.
Syntax set igmp receiver port port-list {enable | disable}
port port-list
Network port list. MSS adds the specified ports to the list of static multicast
receiver ports.
enable
Adds the port to the list of static multicast receiver ports.
disable
Removes the port from the list of static multicast receiver ports.
Defaults By default, no ports are static multicast receiver ports.

Access Enabled.
Usage You cannot add MP access ports or wired authentication ports as static multicast ports.
However, MSS can dynamically add these port types to the list of multicast ports based on
multicast traffic.
Examples The following command adds port 7 as a static multicast receiver port:
MX# set igmp receiver port 7 enable
The following command removes port 7 from the list of static multicast receiver ports:
MX# set igmp receiver port 7 disable
See Also show igmp receiver-table on page 448
set igmp rv
Changes the robustness value for one VLAN or all VLANs on an MX switch. Robustness adjusts
the IGMP timers to the amount of traffic loss that occurs on the network.
Syntax set igmp rv num [vlan vlan-id]
num
Robustness value. You can specify a value from 2 through 255. Set the
robustness value higher to adjust for more traffic loss.
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, MSS changes the
robustness value for all VLANs.
Defaults The default robustness value for all VLANs is 2.

Access Enabled.
Examples The following example changes the robustness value on VLAN orange to 4:
MX# set igmp rv 4 vlan orange
442
See Also
set igmp version

Configures the version of IGMP used on a VLAN.
Syntax set igmp version {1 | 2} vlan [vlan-id | all]
Defaults None
Access Enabled
show igmp
Displays IGMP configuration information and statistics for one VLAN or all VLANs.
Syntax show igmp [vlan vlan-id]
VLAN name or number. If you do not specify a VLAN, MSS displays IGMP
vlan vlan-id
Defaults None.
Access All.
Examples The following command displays IGMP information for VLAN orange:
MX# show igmp vlan orange
VLAN: orange
IGMP is enabled
Proxy reporting is on
Mrouter solicitation is on
Querier functionality is off
Configuration values: qi: 125 oqi: 300 qri: 100 lmqi: 10 rvalue: 2
Multicast
router information:
Port Mrouter-IPaddr Mrouter-MAC
Type
TTL
---- --------------- ----------------- ----- ----10
192.28.7.5 00:01:02:03:04:05 dvmrp
Group
Port Receiver-IP
17
Receiver-MAC
TTL
--------------- ---- --------------- ----------------- ----224.0.0.2 none
none
none undef
443
237.255.255.255
10.10.10.11 00:02:04:06:08:0b
258
237.255.255.255
10.10.10.13 00:02:04:06:08:0d
258
237.255.255.255
10.10.10.14 00:02:04:06:08:0e
258
237.255.255.255
10.10.10.12 00:02:04:06:08:0c
258
237.255.255.255
10.10.10.10 00:02:04:06:08:0a
258
Querier information:
Querier for vlan orange
Port Querier-IP
Querier-MAC
TTL
---- --------------- ----------------- ----1 193.122.135.178 00:0b:cc:d2:e9:b4
23
IGMP vlan member ports: 10, 12, 11, 14, 16, 15, 13, 18, 17, 1, 20, 21,
2,
22, 19, 4, 6, 5, 3, 8, 7, 9
IGMP static ports: none
IGMP statistics for vlan orange:
IGMP message type Received Transmitted Dropped
----------------- -------- ----------- ------General-Queries
GS-Queries
Report V1
Report V2
Leave
Mrouter-Adv
Mrouter-Term
Mrouter-Sol
50
101
DVMRP
PIM V1
PIM V2
Topology notifications: 0
Packets with unknown IGMP type: 0
Packets with bad length: 0
Packets with bad checksum: 0
Packets dropped: 4
Table 71.Output for show igmp
444
Field
Description
VLAN
VLAN name. MSS displays information separately for each VLAN.

Table 71.Output for show igmp (continued)

Field
Description
IGMP is enabled (disabled)
IGMP state.
Proxy reporting
Proxy reporting state.
Mrouter solicitation
Multicast router solicitation state.
Querier functionality
Pseudo-querier state.
Configuration values (qi)
Query interval.
Configuration values (oqi)
Other-querier-present interval.
Configuration values (qri)
Query response interval.
Configuration values (lmqi)
Last member query interval.
Configuration values (rvalue)
Robustness value.
Multicast router information
List of multicast routers and active multicast groups. The fields containing this
information are described separately. The show igmp mrouter command shows the
same information.
Port
Number of the physical port through which the MX switch can reach the router.
Mrouter-IPaddr
IP address of the multicast router interface.
Mrouter-MAC
MAC address of the multicast router interface.
Type
How the MX learned that the port is a multicast router port:

conf Static multicast port configured by an administrator
madvMulticast advertisement
querIGMP query
dvmrpDistance Vector Multicast Routing Protocol (DVMRP)
pimv1Protocol Independent Multicast (PIM) version 1
pimv2PIM version 2
TTL
Number of seconds before this entry ages out if not refreshed. For static multicast
router entries, the time-to-live (TTL) value is undef. Static multicast router entries do not
age out.
Group
IP address of a multicast group. The show igmp receiver-table command shows the
same information as these receiver fields.
Port
Physical port through which the MX switch can reach the groups receiver.
Receiver-IP
IP address of the client receiving the group.
Receiver-MAC
MAC address of the client receiving the group.
TTL
Number of seconds before this entry ages out if the MX does not receive a group
membership message from the receiver. For static multicast receiver entries, the TTL
value is undef. Static multicast receiver entries do not age out.
Querier information
Information about the subnet multicast querier. If the querier is another device, the
fields described below are applicable. If the querier is the MX, the output indicates how
many seconds remain until the next general query message. If IGMP snooping does
not detect a querier, the output indicates this. The show igmp querier command
shows the same information.
Querier for vlan
VLAN containing the querier. Information is listed separately for each VLAN.
Querier-IP
IP address of the querier.
Querier-MAC
MAC address of the querier.
TTL
Number of seconds before this entry ages out if the MX does not receive a query
message from the querier.
445
Table 71.Output for show igmp (continued)

Field
Description
IGMP vlan member ports
Physical ports in the VLAN. This list includes all network ports configured to be in the
VLAN and all ports MSS dynamically assigns to the VLAN when a user assigned to the
VLAN becomes a receiver. For example, the list can include an MP access port that is
not configured to be in the VLAN when a user associated with the MP access point on
that port becomes a receiver for a group. When all receivers on a dynamically added
port age out, MSS removes the port from the list.
IGMP static ports
Static receiver ports.
IGMP statistics
Multicast message and packet statistics. These are the same statistics displayed by the
show igmp statistics command.
See Also
show igmp querier on page 447
show igmp receiver-table on page 448
show igmp statistics on page 449
show igmp mrouter

Displays the multicast routers in an MX subnet, on one VLAN or all VLANs. Routers are listed
separately for each VLAN, according to the port number through which the switch can reach the
router.
Syntax show igmp mrouter [vlan vlan-id]
VLAN name or number. If you do not specify a VLAN, MSS displays the
multicast routers in all VLANs.
vlan vlan-id
Defaults None.
Access All.
Examples The following command displays the multicast routers in VLAN orange:
MX# show igmp mrouter vlan orange
Multicast routers for vlan orange
Port Mrouter-IPaddr
Mrouter-MAC
Type
TTL
---- --------------- ----------------- ----- ----10
192.28.7.5 00:01:02:03:04:05 dvmrp
33

Table 72.Output for show igmp mrouter
446
Field
Description
Multicast routers for vlan
VLAN containing the multicast routers. Ports are listed separately for each VLAN.
Port
Number of the physical port through which the MX can reach the router.
Table 72.Output for show igmp mrouter (continued)

Field
Description
Mrouter-IPaddr
IP address of the multicast router.
Mrouter-MAC
MAC address of the multicast router.
Type
How the MX learned that the port is a multicast router port:

conf Static multicast port configured by an administrator
madvMulticast advertisement
querIGMP query
dvmrpDistance Vector Multicast Routing Protocol (DVMRP)
pimv1Protocol Independent Multicast (PIM) version 1
pimv2PIM version 2
TTL
Number of seconds before this entry ages out if unused. For static multicast router
entries, the TTL value is undef. Static multicast router entries do not age out.
See Also
show igmp querier

Displays information about the active multicast querier, on one VLAN or all VLANs. Queriers are
listed separately for each VLAN. Each VLAN can have only one querier.
Syntax show igmp querier [vlan vlan-id]
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, MSS displays querier
Defaults None.
Access Enabled.
Examples The following command displays querier information for VLAN orange:
MX# show igmp querier vlan orange
Querier for vlan orange
Port Querier-IP
Querier-MAC
TTL
---- --------------- ----------------- ----1 193.122.135.178 00:0b:cc:d2:e9:b4
23
The following command shows the information MSS displays when the querier is the MX:
MX# show igmp querier vlan default
Querier for vlan default:
I am the querier for vlan default, time to next query is 20
The output indicates how many seconds remain before the pseudo-querier on the switch
broadcasts the next general query report to IP address 224.0.0.1, the multicast all-systems group.
447
If IGMP snooping does not detect a querier, the output indicates this finding, as shown in the
following example:
MX# show igmp querier vlan red
Querier for vlan red:
There is no querier present on vlan red
This condition does not necessarily indicate a problem. For example, election of the querier might
be in progress.
Table 73 on page 448 describes the fields in the display when a querier other than the MX switch
is present.
Table 73.Output for show igmp querier
Field
Description
Querier for vlan
VLAN containing the querier. Information is listed separately for each VLAN.
Querier-IP
IP address of the querier interface.
Querier-MAC
MAC address of the querier interface.
TTL
Number of seconds before this entry ages out if the MX switch does not receive a
query message from the querier.
See Also set igmp querier on page 441
show igmp receiver-table

Displays the receivers to which an MX forwards multicast traffic. You can display receivers for all
VLANs, a single VLAN, or a group or groups identified by group address and network mask.
Syntax show igmp receiver-table [vlan vlan-id] [group group-ip-addr/mask-length]
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, MSS

displays the multicast receivers on all VLANs.
group
group-ip-addr/mask-length
IP address and subnet mask of a multicast group, in CIDR

format (for example, 239.20.20.10/24). If you do not specify a
group address, MSS displays the multicast receivers for all
groups.
Defaults None.
Access All.
Examples The following command displays all multicast receivers in VLAN orange:
MX# show igmp receiver-table vlan orange
VLAN: orange
Session
Port Receiver-IP
Receiver-MAC
TTL
--------------- ---- --------------- ----------------- ----224.0.0.2 none

237.255.255.255
448
none
none undef
10.10.10.11 00:02:04:06:08:0b
179
237.255.255.255
10.10.10.13 00:02:04:06:08:0d
179
237.255.255.255
10.10.10.14 00:02:04:06:08:0e
179
237.255.255.255
10.10.10.12 00:02:04:06:08:0c
179
237.255.255.255
10.10.10.10 00:02:04:06:08:0a
179
The following command lists all receivers for multicast groups 237.255.255.1 through
237.255.255.255, in all VLANs:
MX# show igmp receiver-table group 237.255.255.0/24
VLAN: red
Session
Port Receiver-IP
Receiver-MAC
TTL
--------------- ---- --------------- ----------------- ----237.255.255.2
10.10.20.19 00:02:04:06:09:0d
112
237.255.255.119
10.10.30.31 00:02:04:06:01:0b
112
VLAN: green
Session
Port Receiver-IP
Receiver-MAC
TTL
--------------- ---- --------------- ----------------- ----237.255.255.17
11
10.10.40.41 00:02:06:08:02:0c
12
237.255.255.255
10.10.60.61 00:05:09:0c:0a:01
111

Table 74.Output for show igmp receiver-table
Field
Description
VLAN
VLAN that contains the multicast receiver ports. Ports are listed separately for each
VLAN.
Session
IP address of the multicast group being received.
Port
Physical port through which the MX switch can reach the receiver.
Receiver-IP
IP address of the receiver.
Receiver-MAC
MAC address of the receiver.
TTL
Number of seconds before this entry ages out if the MX does not receive a group
membership message from the receiver. For static multicast receiver entries, the TTL
value is undef. Static multicast receiver entries do not age out.
See Also set igmp receiver on page 442
show igmp statistics

Displays IGMP statistics.
Syntax show igmp statistics [vlan vlan-id]
vlan vlan-id
VLAN name or number. If you do not specify a VLAN, MSS displays IGMP
Defaults None.
Access All.
449

Examples The following command displays IGMP statistics for VLAN orange:
MX# show igmp statistics vlan orange
IGMP statistics for vlan orange:
IGMP message type Received Transmitted Dropped
----------------- -------- ----------- ------General-Queries
GS-Queries
Report V1
Report V2
Leave
Mrouter-Adv
Mrouter-Term
Mrouter-Sol
50
101
DVMRP
PIM V1
PIM V2
Topology notifications: 0
Packets with unknown IGMP type: 0
Packets with bad length: 0
Packets with bad checksum: 0
Packets dropped: 4
Table 75.Output for show igmp statistics
Field
Description
IGMP statistics for vlan
VLAN name. Statistics are listed separately for each VLAN.
IGMP message type
Type of IGMP message:

General-QueriesGeneral group membership queries sent by the multicast querier
(multicast router or pseudo-querier).
GS-QueriesGroup-specific queries sent by the the multicast querier to determine
whether there are receivers for a specific group.
Report V1IGMP version 1 group membership reports sent by clients who want to
be receivers for the groups.
Report V2IGMP version 2 group membership reports sent by clients who want to
be receivers for the groups.
LeaveIGMP version 2 leave messages sent by clients who want to stop receiving
traffic for a group. Leave messages apply only to IGMP version 2.
Mrouter-AdvMulticast router advertisement packets. A multicast router sends this
type of packet to advertise the IP address of the sending interface as a multicast
router interface.
450
Table 75.Output for show igmp statistics (continued)

Field
Description
IGMP message type
Type of IGMP message, continued:

Mrouter-TermMulticast router termination messages. A multicast router sends this
type of message when multicast forwarding is disabled on the router interface, the
router interface is administratively disabled, or the router itself is gracefully
shutdown.
Mrouter-SolMulticast router solicitation messages. A multicast client or an MX
switch sends this type of message to immediately solicit multicast router
advertisement messages from the multicast routers in the subnet.
DVMRPDistance Vector Multicast Routing Protocol (DVMRP) messages.
Multicast routers running DVMRP exchange multicast information with these
messages.
PIM V1Protocol Independent Multicast (PIM) version 1 messages. Multicast
routers running PIMv1 exchange multicast information with these messages.
PIM V2PIM version 2 messages.
Received
Number of packets received.
Transmitted
Number of packets transmitted. This number includes both multicast packets originated
by the MX and multicast packets received and then forwarded by the switch.
Dropped
Number of IGMP packets dropped by the MX.
Topology notifications
Number of Layer 2 topology change notifications received by the MX.
Note: In the current software version, the value in this field is always 0.
Packets with unknown IGMP
Number of multicast packets received with an unrecognized multicast type.
type
Packets with bad length
Number of packets with an invalid length.
Packets with bad IGMP
Number of packets with an invalid IGMP checksum value.
checksum
Packets dropped
Number of multicast packets dropped by the MX.
See Also clear igmp statistics on page 435
451
452
Security ACL Commands

Use security ACL commands to configure and monitor security access control lists (ACLs). Security
ACLs filter packets to restrict or permit network usage by certain users or traffic types, and can assign
to packets a class of service (CoS) to define the priority of treatment for packet filtering.
(Security ACLs are different from the location policy on an MX, which helps you locally control user
access. For location policy commands, see Chapter , AAA Commands, on page 167.)
This chapter presents security ACL commands alphabetically. Use the following table to locate
Create Security ACLs

show security acl editbuffer on page 467
show security acl info on page 468
show security acl on page 466
Commit Security ACLs

rollback security acl on page 457
Map Security ACLs
set security acl map on page 464

show security acl map on page 470
clear security acl map on page 455
Monitor Security ACLs
show security acl hits on page 468

set security acl hit-sample-rate on page 465
show security acl resource-usage on page 470
clear security acl

Clears a specified security ACL, an access control entry (ACE), or all security ACLs, from the edit
buffer. When used with the command commit security acl, clears the ACE from the running
configuration.
Syntax clear security acl {acl-name | all} [editbuffer-index]
acl-name
Name of an existing security ACL to clear. ACL names start with a letter
and are case-insensitive.
all
Clears all security ACLs.
editbuffer-index
Number that indicates which access control entry (ACE) in the security
ACL to clear. If you do not specify an ACE, all ACEs are cleared from
the ACL.
453
Defaults None.
Access Enabled.
History
MSS Version 1.0
Command introduced.
MSS Version 1.1
ACL names changed from case-sensitive to case-insensitive.
Usage This command deletes security ACLs only in the edit buffer. You must use the commit
security acl command with this command to delete the ACL or ACE from the running
configuration and nonvolatile storage.
The clear security acl command deletes a security ACL, but does not stop the current filtering
function if the ACL is mapped to any virtual LANs (VLANs), ports, or virtual ports, or if the ACL is
applied in a Filter-Id attribute to an authenticated user or group of users with current sessions.
Examples The following commands display the current security ACL configuration, clear acl_133
in the edit buffer, commit the deletion to the running configuration, and redisplay the ACL
configuration to show that it no longer contains acl_133:
MX# show security acl info all
ACL information for all
set security acl ip acl_133 (hits #1 0)
--------------------------------------------------------1. deny IP source IP 192.168.1.6 0.0.0.0 destination IP any
--------------------------------------------------------1. permit IP source IP 192.168.0.1 0.0.0.0 destination IP any
enable-hits
--------------------------------------------------------1. deny IP source IP 192.168.1.1 0.0.0.0 destination IP any enable-hits
MX# clear security acl acl_133
MX# commit security acl acl_133
configuration accepted
MX# show security acl info all
enable-hits
454
See Also
clear security acl map

Deletes the mapping between a security ACL and a virtual LAN (VLAN), one or more physical
ports, or a virtual port. Or deletes all ACL maps to VLANs, ports, and virtual ports on an MX .
Informational Note: Security ACLs are applied to users or groups dynamically via the Filter-Id attribute. To
delete a security ACL from a user or group in the local MX database, use the command clear user attr, clear
mac-user attr, clear usergroup attr, or clear mac-usergroup attr. To delete a security ACL from a user or
group on an external RADIUS server, see the documentation for your RADIUS server.
Syntax clear security acl map {acl-name | all} {vlan vlan-id | port port-list
[tag tag-value] | ap apnum} {in | out}
acl-name
Name of an existing security ACL to clear. ACL names start with a letter
and are case-insensitive.
all
Removes security ACL mapping from all physical ports, virtual ports,
and VLANs on an MX switch.
vlan vlan-id
VLAN name or number. MSS removes the security ACL from the
specified VLAN.
port port-list
Port list. MSS removes the security ACL from the specified MX physical
port or ports.
tag tag-value
Tag value that identifies a virtual port in a VLAN. Specify a value from 1
through 4095. MSS removes the security ACL from the specified virtual
port.
ap apnum
One or more MPs, based on their connection IDs. Specify a single

connection ID, or specify a comma-separated list of connection IDs, a
hyphen-separated range, or any combination, with no spaces. MSS
removes the security ACL from the specified MPs.
in
Removes the security ACL from traffic coming into the MX.
out
Removes the security ACL from traffic going out of the MX.
Defaults None.
Access Enabled.
455
History
MSS Version 1.0
MSS
Version
1.1
MSS
Version
2.0
Command introduced
Keyword and variable tag tag-value added to delete security ACL
mapping from virtual ports
ACL names changed from case-sensitive to case-insensitive
Keyword and variable dap dap-num added to delete security ACL mapping
from Distributed MPs
Usage To clear a security ACL map, type the name of the ACL with the VLAN, physical port or
ports, virtual port tag, or Distributed MP and the direction of the packets to stop filtering. This
command deletes the ACL mapping, but not the ACL.
Examples To clear the mapping of security ACL acljoe from port 4 for incoming packets, type the
following command:
MX# clear security acl map acljoe port 4 in
clear mapping accepted
To clear all physical ports, virtual ports, and VLANs of mapped ACLs on an MX for incoming and
outgoing traffic, type the following command:
MX# clear security acl map all
See Also
commit security acl

Saves a security ACL, or all security ACLs, in the edit buffer to the running configuration and
nonvolatile storage on the MX. Or, when used with the clear security acl command, commit
security acl deletes a security ACL, or all security ACLs, from the running configuration and
nonvolatile storage.
Syntax commit security acl {acl-name | all}
acl-name
Name of an existing security ACL to commit. ACL names must start with a
letter and are case-insensitive.
all
Commits all security ACLs in the edit buffer.
Defaults None.
Access Enabled.
456
History
MSS Version 1.0
Command introduced.
MSS Version 1.1
Usage Use the commit security acl command to save security ACLs into, or delete them from,
the permanent configuration. Until you commit the creation or deletion of a security ACL, it is
stored in an edit buffer and is not enforced. After you commit a security ACL, it is removed from the
edit buffer.
A single commit security acl all command commits the creation and/or deletion of whatever
show security acl info all editbuffer shows to be currently stored in the edit buffer.
Examples The following commands commit all the security ACLs in the edit buffer to the
configuration, display a summary of the committed ACLs, and show that the edit buffer has been
cleared:
MX# commit security acl all
MX# show security acl
ACL table
ACL
Type
Class
Mapping
-----------------------
----
------
-------
acl_123
IP
Static
acl_124
IP
Static
MX# show security acl info all editbuffer

acl editbuffer information for all
See Also
rollback security acl on page 457
hit-sample-rate
This command has been renamed in MSS Version 4.1. To configure the hit sample rate, see set
security acl hit-sample-rate on page 465.
rollback security acl

Clears changes made to the security ACL edit buffer since it was last saved. The ACL is rolled
back to its state after the last commit security acl command was entered. All uncommitted ACLs
in the edit buffer are cleared.
457
Syntax rollback security acl {acl-name | all}

acl-name
Name of an existing security ACL to roll back. ACL names must start with
a letter and are case-insensitive.
all
Rolls back all security ACLs in the edit buffer, clearing all uncommitted
ACEs.
Defaults None.
Access Enabled.
History
MSS Version 1.0
Command introduced.
MSS Version 1.1
ACL names changed from case-sensitive to

case-insensitive.
Examples The following commands show the edit buffer before a rollback, clear any changes in
the edit buffer to security acl_122, and show the edit buffer after the rollback:
ACL edit-buffer information for all
set security acl ip acl_122 (ACEs 3, add 3, del 0, modified 0)
enable-hits
2. deny IP source IP 20.0.2.11 0.0.0.0 destination IP any
3. deny SRC source IP 192.168.1.234 255.255.255.255 enable-hits
MX# rollback security acl acl_122
See Also show security acl on page 466
set security acl

In the edit buffer, creates a security access control list (ACL), adds one access control entry (ACE)
to a security ACL, and/or reorders ACEs in the ACL. The ACEs in an ACL filter IP packets by
source IP address, a Layer 4 protocol, or IP, ICMP, TCP, UDP, MAC address packet information.
Syntax
By source address
set security acl ip acl-name {permit [cos cos] | deny} {source-ip-addr mask |
any} [before editbuffer-index | modify editbuffer-index] [hits]
458
By Layer 4 protocol
set security acl ip acl-name {permit [cos cos] | deny} protocol-number

{source-ip-addr mask | any} {destination-ip-addr mask | any}
[[precedence precedence] [tos tos] | [dscp codepoint]]
[before editbuffer-index | modify editbuffer-index] [hits]
By IP packets
set security acl ip acl-name {permit [cos cos] | deny} ip {source-ip-addr mask |
any} {destination-ip-addr mask | any} [[precedence precedence] [tos tos] | [dscp
codepoint]] [before editbuffer-index | modify editbuffer-index] [hits]
By ICMP packets
set security acl ip acl-name {permit [cos cos] | deny} icmp {source-ip-addr
mask | any} {destination-ip-addr mask | any} [type icmp-type] [code icmp-code]
By TCP packets
set security acl ip acl-name {permit [cos cos] | deny}

tcp {source-ip-addr mask | any [operator port [port2]]} {destination-ip-addr mask | any
[operator port [port2]]} [[precedence precedence] [tos tos] | [dscp codepoint]]
[established] [before editbuffer-index | modify editbuffer-index] [hits]
By UDP packets
set security acl ip acl-name {permit [cos cos] | deny} udp {source-ip-addr mask
| any [operator port [port2]]} {destination-ip-addr mask | any [operator port [port2]]}
By MAC Address
set security acl name acl-name {permit | deny} mac

{src-mac-address|src-mask|any}
[dest-mac-addr|any|bpdu 01:80:C2:00:00:0X|broadcast FF:FF:FF:FF:FF:FF|
multicast X1:XX:XX:XX:XX:XX|pvst 01:00:0C:CC:CC:CD]ethertype
[hex-value|any|arp|ipv4|ipv6] [editaction [before|modify]capture|hits]
459
acl-name
Security ACL name. ACL names must be unique within the MX, must
start with a letter, and are case-insensitive. Specify an ACL name of up
to 32 of the following characters:
Letters a through z and A through Z
Numbers 0 through 9
Hyphen (-), underscore (_), and period (.)
Juniper Networks recommends that you do not use the same name with
different capitalizations for ACLs. For example, do not configure two
separate ACLs with the names acl_123 and ACL_123.
Note: In an ACL name, do not include the term all, default-action, map, help, or
editbuffer.
permit
Allows traffic that matches the conditions in the ACE.
cos cos
For permitted packets, a class-of-service (CoS) level for packet

handling. Specify a value from 0 through 7:
1 or 2Background. Packets are queued in MP forwarding queue
4.
0 or 3Best effort. Packets are queued in MP forwarding queue 3.
4 or 5Video. Packets are queued in MP forwarding queue 2.
Use CoS level 4 or 5 for voice over IP (VoIP) packets other than
SpectraLink Voice Priority (SVP).
6 or 7Voice. Packets are queued in MP forwarding queue 1.
Use 6 or 7 only for VoIP phones that use SVP, not for other types of
traffic
deny
Blocks traffic that matches the conditions in the ACE.
protocol
IP protocol by which to filter packets:

ip
tcp
udp
icmp
A protocol number between 0 and 255.
(For a complete list of IP protocol names and numbers, see
www.iana.org/assignments/protocol-numbers.)
source-ip-addr mask
| any
IP address and wildcard mask of the network or host from of the sent
packet. Specify both address and mask in dotted decimal notation. For
more information, see Wildcard Masks on page 27.
To match on any address, specify any or 0.0.0.0 255.255.255.255.
460
operator port [port2]
Operand and port number(s) for matching TCP or UDP packets to the
number of the source or destination port on source-ip-addr or
destination-ip-addr. Specify one of the following operands and the
associated port:
eqPackets are filtered for only port number.
gtPackets are filtered for all ports that are greater than port
number.
ltPackets are filtered for all ports that are less than port number.
neqPackets are filtered for all ports except port number.
rangePackets are filtered for ports in the range between port and
port2. To specify a port range, enter two port numbers. Enter the
lower port number first, followed by the higher port number.
(For a complete list of TCP and UDP port numbers, see
www.iana.org/assignments/port-numbers.)
destination-ip-addr mask
| any
IP address and wildcard mask of the network or host to that the packet
is sent. Specify both address and mask in dotted decimal notation. For
more information, see Wildcard Masks on page 27.
To match on any address, specify any or 0.0.0.0 255.255.255.255.
type icmp-type
Filters ICMP messages by type. Specify a value from 0 through 255.

(For a list of ICMP message type and code numbers, see
www.iana.org/assignments/icmp-parameters.)
code icmp-code
For ICMP messages filtered by type, additionally filters ICMP messages

by code. Specify a value from 0 through 255. (For a list of ICMP
message type and code numbers, see
www.iana.org/assignments/icmp-parameters.)
precedence
precedence
Filters packets by precedence level. Specify a value from 0 through 7:

0routine precedence
1priority precedence
2immediate precedence
3flash precedence
4flash override precedence
5critical precedence
6internetwork control precedence
7network control precedence
461
tos tos
Filters packets by type of service (TOS) level. Specify one of the

following values, or any sum of these values up to 15. For example, a
tos value of 9 filters packets with the TOS levels minimum delay (8) and
minimum monetary cost (1).
8minimum delay
4maximum throughput
2maximum reliability
1minimum monetary cost
0normal
dscp codepoint
Filters packets by Differentiated Services Code Point (DSCP) value.

You can specify a number from 0 to 63, in decimal or binary format.
Note: You cannot use the dscp option along with the precedence and tos options in
the same ACE. The CLI rejects an ACE that has this combination of options.
established
For TCP packets only, applies the ACE only to established TCP
sessions and not to new TCP sessions.
before editbuffer-index Inserts the new ACE in front of another ACE in the security ACL.
Specify the number of the existing ACE in the edit buffer. Index
numbers start at 1. (To display the edit buffer, use show security acl
editbuffer.)
modify editbuffer-index Replaces an ACE in the security ACL with the new ACE. Specify the
number of the existing ACE in the edit buffer. Index numbers start at 1.
(To display the edit buffer, use show security acl editbuffer.)
hits
Tracks the number of packets that are filtered based on a security ACL,
for all mappings.
Defaults By default, permitted packets are classified based on DSCP value, which is converted
into an internal CoS value in the switchs CoS map. The packet is then marked with a DSCP value
based on the internal CoS value. If the ACE contains the cos option, this option overrides the
switchs CoS map and marks the packet based on the ACE.
Access Enabled.
History
462
MSS Version 1.0
Command introduced
MSS Version 1.1
MSS Version 3.0
capture option deprecated
MSS Version 4.1
The any option is supported for the source or destination IP address and
mask. This option is equivalent to 0.0.0.0 255.255.255.255.
The any option is shown in the configuration file as 0.0.0.0 255.255.255.255,
regardless of whether you specify any or 0.0.0.0 255.255.255.255 when you
configure the ACE.
The dscp codepoint is added. This option enables you to filter based on a
packet Differentiated Services Code Point (DSCP) value.
MSS Version 6.2
Using MAC addresses to define ACLs is now supported.
Usage The MX does not apply security ACLs until you activate them with the commit security
acl command and map them to a VLAN, port, or virtual port, or to a user. If the MX is reset or
restarted, any ACLs in the edit buffer are lost.
You cannot perform ACL functions that include permitting, denying, or marking with a Class of
Service (CoS) level on packets with a multicast or broadcast destination address.
The order of security ACEs in a security ACL is important. Once an ACL is active, the ACEs are
checked according to the order in the ACL. If an ACE criterion is met, the action takes place and
any ACEs that follow are ignored.
ACEs are listed in the order in which you create them, unless you move them. To position security
ACEs within a security ACL, use before editbuffer-index and modify editbuffer-index.
Examples The following command adds an ACE to security acl_123 that permits packets from IP
address 192.168.1.11/24 and counts the hits:
MX# set security acl ip acl_123 permit 192.168.1.11 0.0.0.255 hits
The following command adds an ACE to acl_123 that denies packets from IP address
192.168.2.11:
MX# set security acl ip acl_123 deny 192.168.2.11 0.0.0.0
The following command creates acl_125 by defining an ACE that denies TCP packets from source
IP address 192.168.0.1 to destination IP address 192.168.0.2 for established sessions only, and
counts the hits:
MX# set security acl ip acl_125 deny tcp 192.168.0.1 0.0.0.0 192.168.0.2
0.0.0.0 established hits
The following command adds an ACE to acl_125 that denies TCP packets from source IP address
192.168.1.1 to destination IP address 192.168.1.2, on destination port 80 only, and counts the hits:
MX# set security acl ip acl_125 deny tcp 192.168.1.1 0.0.0.0 192.168.1.2
0.0.0.0 eq 80 hits
Finally, the following command commits the security ACLs in the edit buffer to the configuration:
MX# commit security acl all
See Also
463
set security acl map

Assigns a committed security ACL to a VLAN, physical port or ports, virtual port, or Distributed MP
on the MX switch.
Informational Note: To assign a security ACL to a user or group in the local MX database, use the
command set user attr, set mac-user attr, set usergroup attr, or set mac-usergroup attr with the Filter-Id
attribute. To assign a security ACL to a user or group with Filter-Id on a RADIUS server, see the documentation
for your RADIUS server
Syntax set security acl map acl-name {vlan vlan-id | port port-list [tag tag-list] |
ap apnum} {in | out}
acl-name
Name of an existing security ACL to map. ACL names start with a letter and
are case-insensitive.
vlan vlan-id
VLAN name or number. MSS assigns the security ACL to the specified VLAN.
port port-list
Port list. MSS assigns the security ACL to the specified physical MX port or
ports.
tag tag-list
One or more values that identify a virtual port in a VLAN. Specify a single tag
value from 1 through 4095. Or specify a comma-separated list of values, a
hyphen-separated range, or any combination, with no spaces. MSS assigns
the security ACL to the specified virtual port or ports.
ap apnum
One or more MPs, based on their connection IDs. Specify a single connection
ID, or specify a comma-separated list of connection IDs, a hyphen-separated
range, or any combination, with no spaces. MSS assigns the security ACL to
the specified MPs.
in
Assigns the security ACL to traffic coming into the MX.
out
Assigns the security ACL to traffic coming from the MX.
Defaults None.
Access Enabled.
History
MSS Version 1.0
MSS Version 1.1
Command introduced.
Keyword and variable tag tag-list added to allow security ACL mapping to
virtual ports.
MSS Version 2.0
Keyword and variable dap dap-num added to allow security ACL mapping to
Distributed MPs.
Usage Before you can map a security ACL, you must use the commit security acl command to
save the ACL in the running configuration and nonvolatile storage.
464
For best results, map only one input security ACL and one output security ACL to each VLAN,
physical port, virtual port, or Distributed MP to filter a flow of packets. If more than one security
ACL filters the same traffic, MSS applies only the first ACL match and ignores any other matches.
Examples The following command maps security ACL acl_133 to port 4 for incoming packets:
MX set security acl map acl_133 port 4 in
See Also
set security acl hit-sample-rate

Specifies the time interval, in seconds, that the packet counter for each security ACL is sampled
for display. The counter counts the number of packets filtered by the security ACLor hits.
Syntax set security acl hit-sample-rate seconds
seconds
Number of seconds between samples. A sample rate of 0 (zero) disables

the sample process.
Defaults By default, the hits are not sampled.

Access Enabled.
History
Version 1.0
Command introduced
Version 4.1
Syntax changed from hit-sample-rate seconds to set security acl

hit-sample-rate seconds, to allow the command to be saved in the
configuration file.
Usage To view counter results for a particular ACL, use the show security acl info acl-name
command. To view the hits for all security ACLs, use the show security acl hits command.
Examples The first command sets MSS to sample ACL hits every 15 seconds. The second and
third commands display the results. The results show that 916 packets matching security acl_153
were sent since the ACL was mapped.
MX# set security acl hit-sample-rate 15
MX# show security acl info acl_153
465
ACL information for acl_153

--------------------------------------------------------1. permit IP source IP 20.1.1.1 0.0.0.0 destination IP any enable-hits
MX# show security acl hits
ACL hit counters
Index Counter
ACL-name
----- -------------------- ----------1
0 acl_2
0 acl_175
916 acl_153
See Also
show security acl hits on page 468
show security acl

Displays a summary of the security ACLs that are mapped.
Syntax show security acl
Defaults None.
Access Enabled.
Usage This command lists only the ACLs mapped to something (a user, or VLAN, or port, and so
on). To list all committed ACLs, use the show security acl info command. To list ACLs that are
not yet committed, use the show security acl editbuffer command.
Examples To display a summary of the mapped security ACLs on an MX, type the following
command:
MX# show security acl
ACL table
ACL
Type Class
Mapping
---------------------------- ---- ------ ------acl_123
IP
Static Port 2 In
acl_133
IP
Static Port 4 In
acl_124
IP
Static
See Also
466

show security acl editbuffer on page 467
show security acl dscp

This command has been renamed in MSS Version 4.1. See show qos dscp-table on page 99.
show security acl editbuffer

Displays a summary of the security ACLs that have not yet been committed to the configuration.
Syntax show security acl [info all] editbuffer
info all
Displays the ACEs in each uncommitted ACL. Without this option, only the
ACE names are listed.
Defaults None.
Access Enabled.
Examples To view a summary of the security ACLs in the edit buffer, type the following command:
MX# show security acl editbuffer
ACL edit-buffer table
ACL
Type Status
---------------------------- ---- -------------acl_111
IP
Not committed
acl-a
IP
Not committed
To view details about these uncommitted ACLs, type the following command.
set security acl ip acl-111 (ACEs 3, add 3, del 0, modified 2)
---------------------------------------------------1. permit IP source IP 192.168.254.12 0.0.0.0 destination IP any
2. permit IP source IP 192.168.253.11 0.0.0.0 destination IP any
3. deny SRC source IP 192.168.253.1 0.0.0.255
set security acl ip acl-a (ACEs 1, add 1, del 0, modified 0)
---------------------------------------------------1. permit SRC source IP 192.168.1.1 0.0.0.0
See Also
467

show security acl hits

Displays the number of packets filtered by security ACLs (hits) on the MX. Each time a packet is
filtered by a security ACL, the hit counter increments.
Syntax show security acl hits
Defaults None.
Access Enabled.
Usage For MSS to count hits for a security ACL, you must specify hits in the set security acl
commands that define ACE rules for the ACL.
To display the security ACL hits on an MX, type the following command:
MX# show security acl hits
ACL hit-counters
Index Counter
ACL-name
----- -------------------- -------1
0 acl_2
0 acl_175
916 acl_123
See Also
hit-sample-rate on page 457
show security acl info

Displays the contents of a specified security ACL or all security ACLs that are committedsaved
in the running configuration and nonvolatile storageor the contents of security ACLs in the edit
buffer before they are committed.
Syntax show security acl info [acl-name | all] [editbuffer]
acl-name
Name of an existing security ACL to display. ACL names must start with a
all
Displays the contents of all security ACLs.
editbuffer
Displays the contents of the specified security ACL or all security ACLs that
are stored in the edit buffer after being created with set security acl. If you do
not use this parameter, only committed ACLs are shown.
Defaults None.
468
Access Enabled.
History
MSS Version
1.0
Command introduced
MSS Version
1.1
MSS Version
4.1
The acl-name | all option is no longer required; show security acl info is valid
and displays the same information as security acl info all.
The following command displays the contents of acl_123 in the edit buffer, including the committed
ACE rules 1 and 2 and the uncommit:
Syntax security acl info [acl-name | all] [editbuffer]
acl-name
Name of an existing security ACL to display. ACL names must start with a
all
Displays the contents of all security ACLs.
editbuffer
Displays the contents of the specified security ACL or all security ACLs that
are stored in the edit buffer after being created with set security acl. If you do
not use this parameter, only committed ACLs are shown.
Examples To display the contents of all security ACLs committed on an MX, type the following
command:
MX# show security acl info
enable-hits
enable-hits
The following command displays the contents of acl_123 in the edit buffer, including the
committed ACE rules 1 and 2 and the uncommitted rule 3:
MX# show security acl info acl_123 editbuffer
ACL edit-buffer information for acl_123
469
set security acl ip acl_123 (ACEs 3, add 3, del 0, modified 0)

enable-hits
3. deny SRC source IP 192.168.1.234 255.255.255.255 enable-hits
See Also
show security acl map

Displays the VLANs, ports, and virtual ports on the MX that a security ACL is assigned.
Syntax show security acl map acl-name
acl-name
Name of an existing security ACL to display static mapping. ACL names

must start with a letter and are case-insensitive.
Defaults None.
Access Enabled.
History
MSS Version 1.0
Command introduced
MSS Version 1.1
Examples The following command displays the port to which security ACL acl_111 is mapped:
MX# show security acl map acl_111
ACL acl_111 is mapped to:
Port 4 in
See Also
show security acl resource-usage

Displays statistics about the resources used by security ACL filtering on the MX.
Syntax show security acl resource-usage
Defaults None.
Access Enabled.
470

Usage Use this command with the help of the Juniper Technical Assistance Center (TAC) to
diagnose an ACL resource problem. (To contact TAC, see Contacting the Technical Assistance
Center on page 315.)
Examples To display security ACL resource usage, type the following command:
MX# show security acl resource-usage
ACL resources
Classifier tree counters
-----------------------Number of rules
: 2
Number of leaf nodes
: 1
Stored rule count
: 2
Leaf chain count
: 1
Longest leaf chain
: 2
Number of non-leaf nodes
: 0
Uncompressed Rule Count
: 2
Maximum node depth
: 1
Sub-chain count
: 0
PSCBs in primary memory
: 0 (max: 512)
PSCBs in secondary memory : 0 (max: 9728)

Leaves in primary
: 2 (max: 151)
Leaves in secondary
: 0 (max 12096)
Sum node depth
: 1
Information on Network Processor status

--------------------------------------Fragmentation control
: 0
UC switchdest
: 0
ACL resources
Port number
: 0
Number of action types
: 2
LUdef in use
: 5
Default action pointer
: c8007dc
L4 global
: True
No rules
: False
Non-IP rules
: False
Root in first
: True
Static default action
: False
No per-user (MAC) mapping : True

471
Out mapping
: False
In mapping
: True
No VLAN or PORT mapping
: False
No VPORT mapping
: True
Table 76 explains the fields in the show security acl resource-usage output.
Table 76.show security acl resource-usage Output
Field
Description
Number of rules
Number of security ACEs currently mapped to ports or VLANs.
Number of leaf nodes
Number of security ACL data entries stored in the rule tree.
Stored rule count
Number of security ACEs stored in the rule tree.
Leaf chain count
Number of chained security ACL data entries stored in the rule tree.
Longest leaf chain
Longest chain of security ACL data entries stored in the rule tree.
Number of non-leaf
Number of nodes with no data entries stored in the rule tree.
nodes
Uncompressed Rule
Number of security ACEs stored in the rule tree, including duplicatesACEs in ACLs applied
Count
to multiple ports, virtual ports, or VLANs.
Maximum node depth
Number of data elements in the rule tree, from the root to the furthest data entry (leaf).
Sub-chain count
Sum of action types represented in all security ACL data entries.
PSCBs in primary
Number of pattern search control blocks (PSCBs) stored in primary node memory.
memory
PSCBs in secondary
Number of PSCBs stored in secondary node memory.
memory
Leaves in primary
Number of security ACL data entries stored in primary leaf memory.
Leaves in secondary
Number of ACL data entries stored in secondary leaf memory.
Sum node depth
Total number of security ACL data entries.
Fragmentation control
Control value for handling fragmented IP packets.
Note: The current MSS version filters only the first packet of a fragmented IP packet and
passes the remaining fragments.
UC switchdest
Port number
Number of action types
Number of actions that can be performed by ACLs. This value is always 2, because ACLs can
either permit or deny.
LUdef in use
Number of the lookup definition (LUdef) table currently in use for packet handling.
Default action pointer
Memory address used for packet handling, from which default action data is obtained when
necessary.
472
Table 76.show security acl resource-usage Output (continued)

Field
Description
L4 global
Security ACL mapping on the MX switch:

TrueSecurity ACLs are mapped.
FalseNo security ACLs are mapped.
No rules
Security ACE rule mapping on the MX switch:

TrueNo security ACEs are mapped.
FalseSecurity ACEs are mapped.
Non-IP rules
Non-IP security ACE mapping on the MX switch:

TrueNon-IP security ACEs are mapped.
FalseOnly IP security ACEs are mapped.
Note: The current MSS version supports security ACEs for IP only.
Root in first
Leaf buffer allocation:

TrueEnough primary leaf buffers are allocated in nonvolatile memory to accommodate all
leaves.
FalseInsufficient primary leaf buffers are allocated in nonvolatile memory to accommodate
all leaves.
Static default action
Definition of a default action:

TrueA default action types is defined.
FalseNo default action type is defined.
No per-user (MAC)
mapping
Per-user application of a security ACL with the Filter-Id attribute, on the MX switch:
TrueNo security ACLs are applied to users.
FalseSecurity ACLs are applied to users.
Out mapping
Application of security ACLs to outgoing traffic on the MX switch:

TrueSecurity ACLs are mapped to outgoing traffic.
FalseNo security ACLs are mapped to outgoing traffic.
In mapping
Application of security ACLs to incoming traffic on the MX switch:

TrueSecurity ACLs are mapped to incoming traffic.
FalseNo security ACLs are mapped to incoming traffic.
No VLAN or PORT
mapping
Application of security ACLs to MX VLANs or ports on the MX:

TrueNo security ACLs are mapped to VLANs or ports.
FalseSecurity ACLs are mapped to VLANs or ports.
No VPORT mapping
Application of security ACLs to MX virtual ports on the MX:

TrueNo security ACLs are mapped to virtual ports.
FalseSecurity ACLs are mapped to virtual ports.
473
474
Cryptography Commands
Informational Note: A digital certificate is a form of electronic identification for computers. The MX requires digital certificates to
authenticate communications to RingMaster and Web View, to WebAAA clients, and to Extensible Authentication Protocol (EAP)
clients for which the MX performs all EAP processing. Certificates can be generated on the MX or obtained from a certificate authority
(CA). Keys contained within the certificates allow the MX, the servers, and the wireless clients to exchange information secured by
encryption.
Informational Note: If the MX does not already have certificates, MSS automatically generates the
missing ones the first time the MX boots with MSS Version 4.2 or later. You do not need to install certificates
unless you want to replace the ones automatically generated by MSS. (For more information, see the
Certificates Automatically Generated by MSS section in the Managing Keys and Certificates chapter of the
Juniper Mobility System Software Configuration Guide.)
Informational Note: Before installing a new certificate, verify with the show timedate and show
timezone commands that the MX is set to the correct date, time, and time zone. Otherwise, certificates might
not be installed correctly.
This chapter presents cryptography commands alphabetically. Use the following table to locate commands
Encryption Keys

show crypto key domain on page 487
show crypto key ssh on page 487
PKCS #7 Certificates
crypto generate request on page 479

crypto ca-certificate on page 476
show crypto ca-certificate on page 485
crypto certificate on page 477
show crypto certificate on page 486
PKCS #12 Certificate
crypto otp on page 483

crypto pkcs12 on page 484
Self-Signed Certificate
475
crypto ca-certificate
Installs a certificate authoritys own PKCS #7 certificate into the MX certificate and key storage
area.
Syntax crypto ca-certificate {admin | eap | web} PEM-formatted-certificate
admin
Stores the certificate authoritys certificate that signed the administrative

certificate for the MX.
The administrative certificate authenticates the MX to RingMaster or Web
View.
eap
Stores the certificate authoritys certificate that signed the Extensible

Authentication Protocol (EAP) certificate for the MX.
The EAP certificate authenticates the MX to 802.1X supplicants (clients).
web
Stores the certificate authoritys certificate that signed the WebAAA certificate
for the MX.
The Web certificate authenticates the MX to clients who use WebAAA.
PEM-formatted-ce ASCII text representation of the certificate authority PKCS #7 certificate,

rtificate
consisting of up to 5120 characters that you have obtained from the certificate
authority.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
webaaa option added
Version 4.1
webaaa option renamed to web
Usage The Privacy-Enhanced Mail protocol (PEM) format is used for representing a PKCS #7
certificate in ASCII text. PEM uses base64 encoding to convert the certificate to ASCII text, then
puts the encoded text between the following delimiters:
-----BEGIN CERTIFICATE---------END CERTIFICATE----To use this command, you must already have obtained a copy of the certificate from the certificate
authority as a PKCS #7 object file. Then do the following:
1. Open the PKCS #7 object file with an ASCII text editor such as Notepad or vi.
2. Enter the crypto ca-certificate command on the CLI command line.
3. When MSS prompts for the PEM-formatted certificate, paste the PKCS #7 object file onto the
command line.
476
Examples The following command adds the certificate from the certificate authority to MX
certificate and key storage:
MX# crypto ca-certificate admin
Enter PEM-encoded certificate
-----BEGIN CERTIFICATE----MIIDwDCCA2qgAwIBAgIQL2jvuu4PO5FAQCyewU3ojANBgkqhkiG9wOBAQUFADCB
mzerMClaweVQQTTooewi\wpoer0QWNFNkj90044mbdrl1277SWQ8G7DiwYUtrqoQplKJvxz
.....
Lm8wmVYxP56M;CUAm908C2foYgOY40=
-----END CERTIFICATE----See Also show crypto ca-certificate on page 485
crypto certificate
Installs one of the MX PKCS #7 certificates into the certificate and key storage area on the MX. The
certificate, which is issued and signed by a certificate authority, authenticates the MX either to
RingMaster or Web View, or to 802.1X supplicants (clients).
Syntax crypto certificate {admin | eap | web} PEM-formatted certificate
admin
Stores the certificate authoritys administrative certificate, which

authenticates the MX switch to RingMaster or Web View.
eap
Stores the certificate authoritys Extensible Authentication Protocol (EAP)

certificate, which authenticates the MX switch to 802.1X supplicants
(clients).
web
Stores the certificate authoritys WebAAA certificate, which authenticates

the MX to clients who use WebAAA.
PEM-formatted
certificate
ASCII text representation of the PKCS #7 certificate, consisting of up to

5120 characters, that you have obtained from the certificate authority.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
webaaa option added
Version 4.1
Usage To use this command, you must already have generated a certificate request with the
crypto generate request command, sent the request to the certificate authority, and obtained a
signed copy of the MX certificate as a PKCS #7 object file. Then do the following:
1. Open the PKCS #7 object file with an ASCII text editor such as Notepad or vi.
2. Enter the crypto certificate command on the CLI command line.
477
3. When MSS prompts you for the PEM-formatted certificate, paste the PKCS #7 object file in the
command line.
The MX verifies the validity of the public key associated with this certificate before installing it, to
prevent a mismatch between the MX private key and the public key in the installed certificate.
Examples The following command installs a certificate:
MX# crypto certificate admin
Enter PEM-encoded certificate
-----BEGIN CERTIFICATE----MIIBdTCP3wIBADA2MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQOExGjAYBgNVBAMU
EXR1Y2hwdWJzQHRycHouY29tMIGfMAOGCSqGSIb3DQEBAQAA4GNADCBiQKBgQC4
.....
2L8Q9tk+G2As84QYLm8wmVY>xP56M;CUAm908C2foYgOY40=
-----END CERTIFICATE----See Also
crypto generate request on page 479
crypto generate key

Generates an RSA public-private encryption key pair that is required for a Certificate Signing
Request (CSR) or a self-signed certificate. For SSH, generates an authentication key.
Syntax crypto generate key {admin | domain | eap | ssh | web}
{128 | 512 | 1024 | 2048}
admin
Generates an administrative key pair for authenticating the MX to

RingMaster or Web View.
domain
Generates a key pair for authenticating management traffic exchanged by

MX switches within a Mobility Domain.
eap
Generates an EAP key pair for authenticating the MX to 802.1X

supplicants (clients).
ssh
Generates a key pair for authenticating the MX to Secure Shell (SSH)

clients.
web
Generates an administrative key pair for authenticating the MX to

WebAAA clients.
128 | 512 | 1024 |

2048
Length of the key pair in bits.

The minimum key length for SSH is 1024. The length 128 applies only to
domain and is the only valid option for it.
Defaults None.
Access Enabled.
478
History
Version 1.0
Command introduced
Version 2.0
Option ssh added for generating an SSH key
Version 3.0
webaaa option added
Version 4.1
Version 5.0
domain option added
Usage You can overwrite a key by generating another key of the same type.
SSH requires an SSH authentication key, but you can allow MSS to generate it automatically. The
first time an SSH client attempts to access the SSH server on an MX, the MX automatically
generates a 1024-byte SSH key. If you want to use a 2048-byte key instead, use the crypto
generate key ssh 2048 command to generate one.
Examples To generate an administrative key for use with RingMaster, type the following
command:
MX# crypto generate key admin 1024
key pair generated
See Also show crypto key ssh on page 487
crypto generate request

Usage Generates a Certificate Signing Request (CSR). This command outputs a PEM-formatted
PKCS #10 text string that you can cut and paste to another location for delivery to a certificate
authority.
This command generates either an administrative CSR for use with RingMaster and Web View, or
an EAP CSR for use with 802.1X clients.
Syntax crypto generate request {admin | eap | web}
admin
Generates a request for an administrative certificate to authenticate the MX

to RingMaster or Web View.
eap
Generates a request for an EAP certificate to authenticate the MX to 802.1X

web
Generates a request for a WebAAA certificate to authenticate the MX to

WebAAA clients.
After type the command, you are prompted for the following variables:
Country Name
string
(Optional) Specify the abbreviation for the country in which the MX is

operating, in 2 alphanumeric characters with no spaces.
State Name string (Optional) Specify the name of the state, in up to 64 alphanumeric
characters. Spaces are allowed.
479
Locality Name
string
(Optional) Specify the name of the locality, in up to 80 alphanumeric

characters with no spaces.
Organizational
Name string
(Optional) Specify the name of the organization, in up to 80 alphanumeric

Organizational
Unit string
(Optional) Specify the name of the organizational unit, in up to

80 alphanumeric characters with no spaces.
Common Name
string
Specify a unique name for the MX, in up to 80 alphanumeric characters with

no spaces. Use a fully qualified name if such names are supported on your
network. This field is required.
Email Address
string
(Optional) Specify your e-mail address, in up to 80 alphanumeric characters

with no spaces.
Unstructured
Name string
(Optional) Specify any name, in up to 80 alphanumeric characters with no

spaces.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
webaaa option added
Version 4.1

Maximum string length for State Name increased from two to 64
alphanumeric characters.
Usage To use this command, you must already have generated a public-private encryption key
pair with the crypto generate key command.
Enter crypto generate request admin, crypto generate request eap, or crypto generate
request web and press Enter. When you are prompted, type the identifying values in the fields, or
press Enter if the field is optional. You must enter a common name for the MX.
This command outputs a PKCS #10 text string in Privacy-Enhanced Mail protocol (PEM) format
that you paste to another location for submission to the certificate authority. You then send the
request to the certificate authority to obtain a signed copy of the MX certificate as a PKCS #7
object file.
Examples To request an administrative certificate from a certificate authority, type the following
command:
MX# crypto generate request admin
Country Name: US
State Name: CA
Locality Name: Pleasanton
Organizational Name: Trapeze
480
Organizational Unit: ENG

Common Name: ENG
Email Address: [email protected]
Unstructured Name: admin
CSR for admin is
-----BEGIN CERTIFICATE REQUEST----MIIBuzCCASQCAQAwezELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAmNhMQswCQYDVQQH
EwJjYTELMAkGA1UEChMCY2ExCzAJBgNVBAsTAmNhMQswCQYDVQQDEwJjYTEYMBYG
CSqGSIb3DQEJARYJY2FAY2EuY29tMREwDwYJKoZIhvcNAQkCEwJjYTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEA1zatpYStOjHMa0QJmWHeZPPFGQ9kBEimJKPG
bznFjAC780GcZtnJPGqnMnOKj/4NdknonT6NdCd2fBdGbuEFGNMNgZMYKGcV2JIu
tr*P*z*exECScaNlicKMYa$$LQo621vh67RM1KTMECM6uCBB6XNypIHn1gtrrpL/
LhyGTWUCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAHK5z2kfjBbV/F0b0MyC5S7K
htsw7T4SwmCij55qfUHxsRelggYcw6vJtr57jJ7wFfsMd8C50NcbJLF1nYC9OKkB
hW+5gDPAOZdOnnr591XKz3Zzyvyrktv00rcld8Fo2RtTQ3AOT9cUZqJVelO85GXJ
-----END CERTIFICATE REQUEST----See Also
crypto generate self-signed

Usage Generates a self-signed certificate for either an administrative certificate for use with
RingMaster or an EAP certificate for use with 802.1X wireless users.
Syntax crypto generate self-signed {admin | eap | web}
admin
Generates an administrative certificate to authenticate the MX to RingMaster

or Web View.
eap
Generates an EAP certificate to authenticate the MX to 802.1X supplicants

(clients).
web
Generates a WebAAA certificate to authenticate the MX to WebAAA clients.
After type the command, you are prompted for the following variables:
Country Name
string
(Optional) Specify the abbreviation for the country in which the MX is

operating, in 2 alphanumeric characters with no spaces.
State Name string
(Optional) Specify the abbreviation for the name of the state, in

2 alphanumeric characters with no spaces.
Locality Name
string
(Optional) Specify the name of the locality, in up to 80 alphanumeric

481
Organizational
Name string
(Optional) Specify the name of the organization, in up to 80 alphanumeric

Note: Organizational
Unit string
Note: (Optional) Specify the name of the organizational unit, in up to 80 alphanumeric

Common Name
string
Specify a unique name for the MX, in up to 80 alphanumeric characters with

no spaces. Use a fully qualified name if such names are supported on your
network. This field is required.
Note: If you are generating a WebAAA (web) certificate, use a common name that looks
like a domain name (two or more strings connected by dots, with no spaces). For
example, use common.name instead of common name. The string is not required to be
an actual domain name. It simply needs to be formatted like one.
Email Address
string
(Optional) Specify your email address, in up to 80 alphanumeric characters

with no spaces.
Unstructured Name (Optional) Specify any name, in up to 80 alphanumeric characters with no

string
spaces.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
webaaa option added
Version 4.1
Usage To use this command, you must already have generated a public-private encryption key
pair with the crypto generate key command.
Examples To generate a self-signed administrative certificate, type the following command:
MX# crypto generate self-signed admin
Country Name:
State Name:
Locality Name:
Organizational Name:
Organizational Unit:
Common Name: [email protected]
Email Address:
Unstructured Name:
success: self-signed cert for admin generated
482
See Also
crypto otp
Usage Sets a one-time password (OTP) for use with the crypto pkcs12 command.
Syntax crypto otp {admin | eap | web} one-time-password
admin
Creates a one-time password for installing a PKCS #12 object file for
an administrative certificate and key pairand optionally the certificate
authoritys own certificateto authenticate the MX switch to
RingMaster or Web View.
eap
Creates a one-time password for installing a PKCS #12 object file for
an EAP certificate and key pairand optionally the certificate
authoritys own certificateto authenticate the MX switch to 802.1X
web
Creates a one-time password for installing a PKCS #12 object file for a
WebAAA certificate and key pairand optionally the certificate
authoritys own certificateto authenticate the MX to WebAAA clients.
one-time-password
Password of at least 1 alphanumeric character, with no spaces, for

clients other than Microsoft Windows clients. The password must be
the same as the password protecting the PKCS #12 object file.
Note: On an MX providing communication to and from Microsoft Windows clients,
use a one-time password of 31 characters or fewer.
The following characters cannot be used as part of the one-time

password of a PKCS #12 file:
Quotation marks ( )
Question mark (?)
Ampersand (&)
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
webaaa option added
Version 4.1
483
Usage The password allows the public-private key pair and certificate to be installed together from
the same PKCS #12 object file. MSS erases the one-time password after processing the
crypto pkcs12 command or when you reboot the MX.
Juniper Networks recommends that you create a password that is memorable to you but is not
subject to easy guesses or a dictionary attack. For best results, create a password of
alphanumeric uppercase and lowercase characters.
Examples The following command creates the one-time password hap9iN#ss for installing an
EAP certificate and key pair:
MX# crypto generate otp eap hap9iN#ss
OTP set
See Also crypto pkcs12 on page 484
crypto pkcs12
Usage Unpacks a PKCS #12 object file into the certificate and key storage area on the MX. This
object file contains a public-private key pair, an MX certificate signed by a certificate authority, and
the certificate authoritys certificate.
Syntax crypto pkcs12 {admin | eap | web} file-location-url
admin
Unpacks a PKCS #12 object file for an administrative certificate and key
pairand optionally the certificate authoritys own certificatefor
authenticating the MX to RingMaster or Web View.
eap
Unpacks a PKCS #12 object file for an EAP certificate and key
authenticating the MX to 802.1X supplicants (clients).
web
Unpacks a PKCS #12 object file for a WebAAA certificate and key
authenticating the MX switch to WebAAA clients.
file-location-url
Location of the PKCS #12 object file to be installed. Specify a location of

between 1 and 128 alphanumeric characters, with no spaces.
Defaults The password you enter with the crypto otp command must be the same as the one
protecting the PKCS #12 file.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
webaaa option added
Version 4.1
Usage To use this command, you must have already created a one-time password with the
crypto otp command.
484
You must also have the PKCS #12 object file available. You can download a PKCS #12 object file
via TFTP from a remote location to the local nonvolatile storage system on the MX.
Examples The following commands copy a PKCS #12 object file for an EAP certificate and key
pairand optionally the certificate authoritys certificatefrom a TFTP server to nonvolatile
storage on the MX, create the one-time password hap9iN#ss, and unpack the PKCS #12 file:
MX# copy tftp://192.168.253.1/2048full.p12 2048full.p12
MX# crypto otp eap hap9iN#ss
OTP set
MX# crypto pkcs12 eap 2048full.p12
Unwrapped from PKCS12 file:
keypair
device certificate
CA certificate
See Also crypto otp on page 483
show crypto ca-certificate

Displays information about the certificate authoritys PEM-encoded PKCS #7 certificate.
Syntax show crypto ca-certificate {admin | eap | web}
admin
Displays information about the certificate authoritys certificate that signed the
administrative certificate for the MX.
The administrative certificate authenticates the MX to RingMaster or Web View.
eap
Extensible Authentication Protocol (EAP) certificate for the MX.
The EAP certificate authenticates the MX to 802.1X supplicants (clients).
web
WebAAA certificate for the MX.
The WebAAA certificate authenticates the MX to WebAAA clients.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
webaaa option added
Version 4.1
Examples To display information about the certificate of a certificate authority, type the following
command:
485
MX# show crypto ca-certificate

Table 77.show crypto ca-certificate Output
Fields
Description
Version
Version of the X.509 certificate.
Serial Number
A unique identifier for the certificate or signature.
Subject
Name of the certificate owner.
Signature Algorithm
Algorithm that created the signature, such as RSA MD5 or RSA SHA.
Issuer
Certificate authority that issued the certificate or signature.
Validity
Time period for which the certificate is valid.
See Also
crypto ca-certificate on page 476
show crypto certificate on page 486
show crypto certificate

Usage Displays information about one of the cryptographic certificates installed on the MX.
Syntax show crypto certificate {admin | eap | web}
admin
Displays information about the administrative certificate that authenticates the

MX to RingMaster or Web View.
eap
Displays information about the EAP certificate that authenticates the MX to

802.1X supplicants (clients).
web
Displays information about the WebAAA certificate that authenticates the MX to

WebAAA clients.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
webaaa option added
Version 4.1
Usage You must have generated a self-signed certificate or obtained a certificate from a certificate
authority before displaying information about the certificate.
Examples To display information about a cryptographic certificate, type the following command:
MX# show crypto certificate eap
Table 78 describes the fields of the display.
486
Table 78.crypto certificate Output

Fields
Description
Version
Version of the X.509 certificate.
Serial Number
A unique identifier for the certificate or signature.
Subject
Name of the certificate owner.
Signature Algorithm
Algorithm that created the signature, such as RSA MD5 or RSA SHA.
Issuer
Certificate authority that issued the certificate or signature.
Validity
Time period for which the certificate is valid.
See Also
show crypto ca-certificate on page 485
show crypto key domain

Usage Displays the checksum (also called a fingerprint) of the public key used to authenticate
management traffic between MX switches.
Syntax show crypto key domain
Defaults None.
Access Enabled.
Examples To display the fingerprint for MX-MX security, type the following command:
MX# show crypto key domain
Domain public key:
e6:43:91:e2:b3:53:ed:46:76:5f:f0:96:3a:3b:86:d3
See Also crypto generate key on page 478
show crypto key ssh

Usage Displays SSH authentication key information. This command displays the checksum (also
called a fingerprint) of the public key. When you connect to the MX with an SSH client, you can
compare the SSH key checksum displayed by the MX with the one displayed by the client to verify
that you really are connected to the MX and not another device. Generally, SSH clients remember
the encryption key after the first connection, so you need to check the key only once.
Syntax show crypto key ssh
Defaults None.
Access Enabled.
Examples To display SSH key information, type the following command:
MX# show crypto key ssh
ec:6f:56:7f:d1:fd:c0:28:93:ae:a4:f9:7c:f5:13:04
See Also crypto generate key on page 478
487
488
RADIUS, LDAP, and Server Groups Commands

Use RADIUS commands to set up communication between an MX switch and groups of up to four
RADIUS servers for remote authentication, authorization, and accounting (AAA) of administrators and
network users. This chapter presents RADIUS commands alphabetically. Use the following table to
locate commands in this chapter based on their uses.
With MSS 7.1, LDAPv3 is now available as an authentication method. You can configure LDAP
servers, LDAP server groups, and LDAP load-balancing across LDAP servers.
Command Auditing
LDAP Servers
clear ldap auth-port on page 490

clear ldap base-dn on page 490
clear ldap bind-mode on page 490
clear ldap deadtime on page 490
clear ldap mac-addr-format on page 491
clear ldap timeout on page 491
ldap-ping on page 494
set ldap on page 496
set ldap server on page 497
LDAP Server Groups
set ldap server group on page 497

set ldap server group load-balance on page 497
RADIUS Client
set radius client system-ip on page 501

clear radius client system-ip on page 492
RADIUS Diagnostics
radping on page 495
RADIUS Servers
set radius on page 498

set authorization dynamic on page 500
set radius das-port on page 500
set radius server on page 503
clear radius on page 491
clear radius server on page 493
show radius on page 507
Server Groups
set server group on page 505

489
set server group load-balance on page 505

clear server group on page 494
RADIUS Proxy

clear radius proxy client on page 493
clear radius proxy port on page 493
(For information about RADIUS attributes, see the RADIUS appendix in the Juniper Mobility System
Software Configuration Guide.)
clear ldap auth-port

Syntax clear ldap auth-port port
Defaults None
Access Enabled
clear ldap base-dn

Syntax clear ldap base-dn basedn
Defaults None
Access Enabled
clear ldap bind-mode

Syntax clear ldap bind-mode [simple-auth | sasl-md5]
Defaults None
Access Enabled
clear ldap deadtime

Syntax clear ldap deadtime min
Defaults None
Access Enabled
Usage Used to clear the deadtime configuration for an LDAP server.
Examples To clear an LDAP deadtime of five minutes, use the following command:
MX# clear ldap deadtime 5
success:change accepted
490
clear ldap mac-addr-format

Syntax clear ldap mac-addr-format format
Defaults None
Access Enabled
Usage Clears the MAC address format from the LDAP configuration.
clear ldap timeout

Syntax clear ldap timeout secs
Defaults None
Access Enabled
clear ldap server

Syntax clear ldap server name
Defaults None
Access Enabled
clear ldap server group

Syntax clear ldap server group name
Defaults None
Access Enabled
clear radius
Usage Resets parameters that were globally configured for RADIUS servers to the default values.
Syntax clear radius {deadtime | key | retransmit | timeout}
deadtime
Number of minutes to wait after declaring an unresponsive RADIUS server

unavailable before retrying the RADIUS server.
key
Password (shared secret key) used to authenticate to the RADIUS server.
retransmit
Number of transmission attempts made before declaring an unresponsive

RADIUS server unavailable.
timeout
Number of seconds to wait for the RADIUS server to respond before

retransmitting.
Defaults Global RADIUS parameters have the following default values:

deadtime0 (zero) minutes (The MX does not designate unresponsive RADIUS servers as
unavailable.)
491
keyNo key
retransmit3 (the total number of attempts, including the first attempt)
timeout5 seconds
Access Enabled.
Usage To override the globally set values on a particular RADIUS server, use the set radius
server command.
Examples To reset all global RADIUS parameters to their factory defaults, type the following
commands:
MX# clear radius deadtime
MX# clear radius key
MX# clear radius retransmit
MX# clear radius timeout
See Also
clear radius das-port

Usage Clears a configured Dynamic RADIUS server authorization port.
Syntax MX# clear radius das-port port_number
Defaults None.
Access Enabled.
Examples To clear a dynamic RADIUS server port of 3799, use the following command:
MX# clear radius das-port 3799
clear radius client system-ip

Usage Removes the MX system IP address from use as the permanent source address in
RADIUS client requests from the MX to the RADIUS server(s).
Syntax clear radius client system-ip
Defaults None.
Access Enabled.
492
Usage The clear radius client system-ip command causes the MX to use the IP address of the
interface through which the MX sends a RADIUS client request as the source IP address. The MX
selects a source interface address based on information in the routing table as the source address
for RADIUS packets leaving the MX.
Examples To clear the system IP address as the permanent source address for RADIUS client
requests, type the following command:
MX# clear radius client system-ip
See Also
clear radius proxy client

Usage Removes RADIUS proxy client entries for third-party APs.
Syntax clear radius proxy client all
Defaults None.
Access Enabled.
Examples The following command clears all RADIUS proxy client entries from the MX:
MX# clear radius proxy client all

See Also set radius proxy client on page 501
clear radius proxy port

Usage Removes RADIUS proxy ports configured for third-party APs.
Syntax clear radius proxy port all
Defaults None.
Access Enabled.
Examples The following command clears all RADIUS proxy port entries from the switch:
MX# clear radius proxy port all
See Also set radius proxy port on page 502
clear radius server

Usage Removes the named RADIUS server from the MX configuration.
493
Syntax clear radius server server-name

server-name
Name of a RADIUS server configured to perform remote AAA services for the
MX.
Defaults None.
Access Enabled.
Examples The following command removes the RADIUS server rs42 from a list of remote AAA
servers:
MX# clear radius server rs42
See Also
clear server group

Usage Removes a RADIUS server group from the configuration, or disables load balancing for the
group.
Syntax clear server group group-name [load-balance]
group-name
Name of a RADIUS server group configured to perform remote AAA services

for MX switches.
load-balance
Ability of group members to share demand for services among servers.
Defaults None.
Access Enabled.
Usage Deleting a server group removes the server group from the configuration. However, the
members of the server group remain.
Examples To remove the server group sg-77 type the following command:
MX# clear server group sg-77
To disable load balancing in a server group shorebirds, type the following command:
MX# set server group shorebirds load-balance disable
See Also set server group on page 505
ldap-ping
Usage Provides a diagnostic tool to enhance troubleshooting capabilities for LDAP servers on the
network.
494
Syntax ldap-ping [group server-group-name | server server-name]

Defaults None
Access Enabled
radping
Usage Provides a diagnostic tool to enhance troubleshooting capabilities for RADIUS servers on
the network. The command sends an authentication request to the RADIUS server to determine if
it is offline.
Syntax MX# radping {server |servername | group servergroup}request [acct-off |
acct-on | acct-start | acct-stop | acct-update | authentication] user
username password password auth-type {plain|mschap2}
server
servername
group
servergroup
Name of a RADIUS server configured to perform remote AAA services for

MX switches.
Name of a RADIUS server group configured to perform remote AAA services
for MX switches.
request
acct-off
acct-on
Send accounting requests to the RADIUS server to collect and start or stop
user statistics.
acct-start
acct-stop
acct-update
authentication
Send an authentication request to the RADIUS server.
user
A user name configured on the RADIUS server.
username
password
The password configured for user.
password
auth-type
The authentication type used by the RADIUS server or server group.
plain|mschap2
Defaults None
Access Enabled.
Examples To verify that a RADIUS server, alpha with the username, smith5, password, swordfish,
is active on the network, type the following command:
MX# radping alpha request authentication user smith5 password swordfish
auth-type mschap2
Sending authentication request to server test-27708 (10.20.30.40:1812)
495
To send an accounting request to the RADIUS server, use the following command:
MX# radping alpha request acct-start
To stop the accounting requests, use the following commands:
MX# radping alpha request acct-stop
set accounting command

Usage Used to configure command auditing on your network. All commands entered using the
CLI are logged to the RADIUS server for auditing purposes.
set ldap
Usage Configure additional settings for an LDAP configuration.
Syntax set ldap [ auth-port port] [base-dn basedn]
[bind-mode simpleauth | sasl-md5] [deadtime mins] [mac-addr-format
hyphens |colons | one-hyphen | raw] [timeout seconds]
auth-port
The designated port used for LDAP authentication.
port
base-dn
The suffix to be appended to a Domain Name.
basedn
bind-mode
simple-auth | sasl-md5
The binding mode for authentication - you can select from

the following:
simple-auth a request for authentication is sent with
the users credentials.
sasl-md5 a response is sent with a sasl-md5
challenge.
deadtime
mins
The deadtime can be configured in minutes with a range of

0 to 1440 minutes. The default value is five minutes.
mac-addr-format
Authentication requires a corresponding MAC address

hyphens | colons | one-hyphen | raw] from the client.
timeout
secs
Configure a length of time that a client can be idle on the

network. It can be a value from 1 second to 65535
seconds. The default value is five seconds.
Defaults None
Access Enabled
496
set ldap server

Add LDAP servers to your network configuration as an authentication method.
Syntax set ldap server server-name address ip-address
Defaults None
Access Enabled
Examples To add a LDAP server with the IP address of 10.1.1.1 to the configuration, enter the
following command:
MX# set ldap server corpnet address 10.1.1.1
set ldap server group

Usage Add LDAP servers to a group for redundancy on the network.
Syntax set ldap server group server-group-name members member-name
Defaults None
Access Enabled
Usage LDAP server groups provide redundancy and load balancing on the network. You can
configure up to four LDAP server groups.
Examples To add LDAP server, testldap, to the server group, corpldap, use the following
command:
MX# set ldap server group corpldap members testldap
set ldap server group load-balance

Usage Allows you to balance traffic between LDAP server groups on your network.
Syntax set ldap server group server-group-name load-balance [enable |
disable]
Defaults None
Access Enabled
Examples To configure load balancing on the server group corplap, use the following command:
MX# set ldap server group corpldap load-balance enable
497
set radius
Usage Configures global defaults for RADIUS servers that do not explicitly set these values
themselves. By default, the MX automatically sets all these values except the password (key).
Syntax set radius {author-password use-mac-address | deadtime minutes |
das-port port encrypted-key string | key string | [mac-addr-format [colons |
hyphens | one-hypen | raw]] retransmit number | timeout seconds}
author-password
Set this option to send the user mac-address as the password.
use-mac-address
das-port port
Set the dynamic authorization port for all DACs. The value can be 1,
65535, or 3799.
deadtime minutes
Number of minutes the MX waits after declaring an unresponsive

RADIUS server unavailable before retrying the RADIUS server. You
can specify from 0 to 1440 minutes.
encrypted-key string
Password (shared secret key) used to authenticate to the RADIUS

server, entered in its encrypted form. You must provide the same
encrypted password that is defined on the RADIUS server. The
password can be 1 to 64 characters long, with no spaces or tabs.
MSS does not encrypt the string you enter, and instead displays the
string in show config and show aaa output exactly as you entered
it.
Note: Use this option only if you are entering the key in the encrypted form. To
enter the key in unencrypted form, use the key string option instead.
key string
Password (shared secret key) used to authenticate to the RADIUS

server, entered in its unencrypted form. You must provide the same
password that is defined on the RADIUS server. The password can
be 1 to 64 characters long, with no spaces or tabs.
MSS encrypts the displayed form of the string in show config and
show aaa output.
Note: Use this option only if you are entering the key in the unencrypted form.
To enter the key in encrypted form, use the encrypted-key string option instead.
mac-addr-format
[colons | hyphens |
one-hyphen | raw]
Sets the MAC address format for all RADIUS servers using the
author-password option. MAC addresses can have the following
formats:
colons12:34:56:78:9a:bc
hyphens123456789abc
one-hyphen 123456789abc
raw123456789abc
498
retransmit number
Number of transmission attempts the MX makes before declaring an

unresponsive RADIUS server unavailable. You can specify from
1 to 100 retries.
timeout seconds
Number of seconds the MX waits for the RADIUS server to respond

before retransmitting. You can specify from 1 to 65,535.
Defaults Global RADIUS parameters have the following default values:

unavailable.)
encrypted-keyNo key
keyNo key
timeout5 seconds
Access Enabled.
History
Version 1.0
Command introduced
Version 4.2
encrypted-key option added
Usage You can specify only one parameter per command line.
Examples The following commands sets the dead time to 5 minutes, the RADIUS key to goody,
the number of retransmissions to 1, and the timeout to 21 seconds on all RADIUS servers
connected to the MX switch:
MX-20# set radius deadtime 5
MX-20# set radius key goody
MX-20# set radius retransmit 1
MX-20# set radius timeout 21
See Also
499
set radius client system-ip

Configure RADIUS to use the client system IP address as the source IP address for all RADIUS
packets.
Syntax set radius client system-ip
Defaults None
Access Enabled
set radius dac

Usage Configure dynamic RADIUS extensions in support of RFC 3576.
Syntax MX#set radius-dac name ip-addr key string [disconnect [enable|disable]
change-of-author[enable|disable] replay-protection [enable|disable]
replay-window seconds]
Defaults None
Access Enabled.
For more information on configuring this feature, see the Mobility System Software Configuration
Guide.
set authorization dynamic

Usage Configures SSIDs for dynamic RADIUS clients.
Syntax MX# set authorization dynamic {ssid [wireless_8021X |8021X |any
|name]
| wired name}
Defaults None.
Access Enabled.
Examples To configure an SSID named dac_clients, use the following command:
MX# set authorization dynamic ssid dac_clients
set radius das-port

Usage Configures the dynamic authorization port for Dynamic RADIUS servers.
Syntax set radius das-port port_number
Defaults None
Access Enabled
500

Examples
MX# set radius das-port 65539
sucess:change accepted
set radius client system-ip

Usage Causes all RADIUS requests to be sourced from the IP address specified by the set
system ip-address command, providing a permanent source IP address for RADIUS packets
sent from the MX.
Syntax set radius client system-ip
Defaults None. If you do not use this command, RADIUS packets leaving the MX have the source
IP address of the outbound interface, which can change as routing conditions change.
Access Enabled.
Usage The MX system IP address must be set before you use this command.
Examples The following command sets the MX system IP address as the address of the RADIUS
client:
MX# set radius client system-ip
See Also
clear radius client system-ip on page 492
set radius proxy client

Usage Adds a RADIUS proxy entry for a third-party AP. The proxy entry specifies the IP address
of the AP and the UDP ports on which the MX listens for RADIUS traffic from the AP.
Syntax set radius proxy client address ip-address
[acct-port acct-udp-port-number] [port udp-port-number] key string
address ip-address
IP address of the third-party AP. Enter the address in dotted decimal

notation.
port udp-port-number
UDP port on which the MX listens for RADIUS access-requests from

the AP.
acct-port
acct-udp-port-number
UDP port on which the MX switch listens for RADIUS

stop-accounting records from the AP.
key string
Password (shared secret key) the MX uses to authenticate and

encrypt RADIUS communication.
Defaults The default UDP port number for access-requests is 1812. The default UDP port number
for stop-accounting records is 1813.
Access Enabled.
501

Users chapter of the Juniper Mobility System Software Advanced Configuration Guide.
Examples The following command configures a RADIUS proxy entry for a third-party AP RADIUS
client at 10.20.20.9, sending RADIUS traffic to the default UDP ports 1812 and 1813 on the MX:
MX# set radius proxy client address 10.20.20.9 key radkey1
See Also
clear radius proxy client on page 493
Usage set radius proxy port
Configures the MX port connected to a third-party AP as a RADIUS proxy for the SSID supported by
the AP.
Syntax set radius proxy port port-list [tag tag-value]
ssid ssid-name
port port-list
MX port(s) connected to the third-party AP.
tag tag-value
802.1Q tag value in packets sent by the third-party AP for the SSID.
ssid ssid-name
SSID supported by the third-party AP.
Defaults None.
Access Enabled.
Users chapter of the Juniper Mobility System Software Advanced Configuration Guide.
Enter a separate command for each SSID, and the tag value that you want the MX to support.
Examples The following command maps SSID mycorp to packets received on port 3 or 4, using
802.1Q tag value 104:
MX# set radius proxy port 3-4 tag 104 ssid mycorp
See Also
clear radius proxy port on page 493
502
set radius server

Usage Configures RADIUS servers and their parameters. By default, the MX automatically sets all
these values except the password (key).
Syntax set radius server server-name [address ip-address] [auth-port port-number]
[acct-port port-number] [timeout seconds] [retransmit number] [deadtime
minutes]
[[key string] | [mac-addr-format [hyphens | colons | one-hyphen |raw]]
[encrypted-key string]][author-password password]
server-name
Unique name for this RADIUS server. Enter an alphanumeric string of

up to 32 characters, with no blanks.
address ip-address
IP address of the RADIUS server. Enter the address in dotted decimal

notation.
auth-port
port-number
UDP port that the MX uses for authentication and authorization.
acct-port port-number UDP port that the MX uses for accounting.

timeout seconds
Number of seconds the MX waits for the RADIUS server to respond

before retransmitting. You can specify from 1 to 65,535 seconds.
retransmit number
Number of transmission attempts made before declaring an

unresponsive RADIUS server unavailable. You can specify from
1 to 100 retries.
deadtime minutes
Number of minutes the MX waits after declaring an unresponsive

RADIUS server unavailable before retrying that RADIUS server.
Specify between 0 (zero) and 1440 minutes (24 hours). A zero value
causes the MX to identify unresponsive servers as available.
key string |
Password (shared secret key) the MX uses to authenticate to RADIUS
encrypted-key string servers. You must provide the same password that is defined on the
RADIUS server. The password can be 1 to 64 characters long, with no
spaces or tabs.
Use the key option to enter the string in its unencrypted form. MSS
encrypts the displayed form of the string in show config and
show aaa output.
To enter the string in its encrypted form instead, use the
encrypted-key option. MSS does not encrypt the string you enter,
and instead displays the string exactly as you enter it.
503
mac-addr-format
hyphen|colons|
one-hyphen|raw
Configures a MAC address format to be sent as a username to a

RADIUS server for MAC authentication. The following formats can be
specified:
hyphens12-34-56-78-9a-bc
colons12:34:56:78:9a:bc
one-hyphen123456-789abc
raw123456789abc
author-password
password
Password used for authorization to a RADIUS server for MAC

authentication. The clients MAC address is sent as the username and
the author-password string is sent as the password. Specify a
password of up to 64 alphanumeric characters with no spaces or tabs.
Defaults Default values are listed below:

auth-portUDP port 1812
acct-portUDP port 1813
timeout5 seconds
unavailable.)
keyNo key
encrypted-keyNo key
author-passwordtrapeze
Access Enabled.
History
Version 1.0
Command introduced
Version 4.2
encrypted-key option added
Usage For a given RADIUS server, the first instance of this command must set both the server
name and the IP address and can include any or all of the other optional parameters. Subsequent
instances of this command can be used to set optional parameters for a given RADIUS server.
To configure the server as a remote authenticator for the MX switch, you must add it to a server
group with the set server group command.
Do not use the same name for a RADIUS server and a RADIUS server group.
Examples To set a RADIUS server named RS42 with IP address 198.162.1.1 to use the default
accounting and authorization ports with a timeout interval of 30 seconds, two transmit attempts,
5 minutes of dead time, a key string of keys4u, and the default authorization password of trapeze,
type the following command:
MX-20# set radius server RS42 address 198.162.1.1 timeout 30 retransmit
2 deadtime 5 key keys4U
504
See Also
set server group

Usage Configures a group of one to four RADIUS servers.
Syntax set server group group-name members server-name1 [server-name2]
[server-name3] [server-name4]
group-name
Server group name of up to 32 characters, with no spaces or tabs.
members
server-name1
The names of one or more configured RADIUS servers. You can enter up to
four server names.
server-name2
server-name3
server-name4
Defaults None.
Access Enabled.
Usage You must assign all group members simultaneously, as shown in the example. To enable
load balancing, use set server group load-balance enable.
Do not use the same name for a RADIUS server and a RADIUS server group.
Examples To set server group shorebirds with members heron, egret, and sandpiper, type the
following command:
MX-20# set server group shorebirds members heron egret sandpiper
See Also
set server group load-balance on page 505
set server group load-balance

Usage Enables or disables load balancing among the RADIUS servers in a server group.
505
Syntax set server group group-name load-balance {enable | disable}

group-name
Server group name of up to 32 characters.
load-balance
enable | disable
Enables or disables load balancing of authentication requests among the

servers in the group.
Defaults Load balancing is disabled by default.

Access Enabled.
Usage You can optionally enable load balancing after assigning the server group members. If you
configure load balancing, MSS sends each AAA request to a separate server, starting with the first
one on the list and skipping unresponsive servers. If no server in the group responds, MSS moves
to the next method configured with set authentication and set accounting.
In contrast, if load balancing is not configured, MSS always begins with the first server in the list
and sends unfulfilled requests to each subsequent server in the group before moving on to the
next configured AAA method.
Examples To enable load balancing between the members of server group shorebirds, type the
following command:
MX-20# set server group shorebirds load-balance enable
To disable load balancing between shorebirds server group members, type the following
command:
MX-20# set server group shorebirds load-balance disable
See Also
show ldap
Usage Displays configuration information about LDAP servers.
Syntax show ldap
Defaults None
Access Enabled
Examples Use the following command to display information about LDAP configurations.
MX# show ldap
LDAP Servers Default Values
auth-port=389, timeout=5(s),
506
deadtime=5(mn)
bind-mode=sasl-md5,
mac-addr-format=hyphens
LDAP Servers
Flags: (state)
U=up, D=down
(bind-mode)
s=simple-auth, m=sasl-md5
(mac-format) h=hyphens, c=colons, o=one-hyphen, r=raw
Server
IP address
Auth Time Deadtime
Flags
Port Out
s:bm
Conf:Rem
FQDN
-------------- --------------- ---- ---- ---------- ------------------------techpubs
10.8.112.212
389
:0m
U:mh
testldap
10.1.1.1
389
:0m
U:mh
trapeze.com
Server groups
techldap: testldap
Table 79.show LDAP output
Field
Description
Default values
LDAP default values for all parameters.
Flags
Indicates the following information:

state - U=up , D=down
bind-mode - s=simple-auth m=sasl-md5
mac-format - h=hyphens, c=colons, o=one-hyphen, r=raw
Server
Name of each LDAP server currently active.
IP Address
IP address of each LDAP server currently active.
Auth Port
UDP port on the MX for transmission of LDAP authorization and authentication

messages. The default port is 389.
Time Out
Number of seconds the MX waits for a LDAP server to respond before

retransmitting. The default is 5 seconds
Dead Time
Number of minutes the MX switch waits after determining a LDAP server is

unresponsive before trying to reconnect with this server. During the dead time,
the LDAP server is ignored by the MX. The default is 0 minutes.
Flags
Current state of each RADIUS server currently active:

UP (operating)
DOWN (unavailable)
FQDN
The fully qualified domain name associated with the LDAP server.
Server Group
Names of LDAP server groups and member servers configured on the MX.
Server Port
The RADIUS server port configured for dynamic authorization.
show radius
Usage Displays configuration information about RADIUS servers.
Syntax show radius
Defaults None
Access Enabled
507
History Command introduced in MSS 6.2.

Examples Use the following command to display information about RADIUS configurations.
MX# show radius
Radius servers Default Values
Auth-Port=1812 Acct-Port=1813 Timeout=5 Acct-Timeout=5
Retrans=3 Deatime=0 Key=(null) Author-Pass=(null)
Radius Servers
Server
IP Address
------- ----------
Auth
Port
Acct
Time
Retry
Port
Out
-------- Time
Dead
-------
------- ------
State
-------
--------
rs1
172.21.14.3 1812
0
1813
UP
rs2
1.1.1.1
1812
1813
UP
dummy
172.21.14.3 1812
1
1813
UP
Server groups
SG1:rs1
SG2:dummy
Radius Dynamic Authorization Configuration
Server port: 3799
Table 80 describes the fields that can appear in the show radius output.
Table 80.show radius Output
Field
Description
Default values
RADIUS default values for all parameters.
Server
Name of each RADIUS server currently active.
IP Address
IP address of each RADIUS server currently active.
Auth Port
UDP port on the MX for transmission of RADIUS authorization and
Acct Port
UDP port on the MX for transmission of RADIUS accounting records. The
authentication messages. The default port is 1812.

default is port 1813
Time Out
Number of seconds the MX waits for a RADIUS server to respond before

retransmitting. The default is 5 seconds
Retry
Number of times the MX switch retransmits a message before determining a

RADIUS server unresponsive. The default is 3 times
Dead Time
Number of minutes the MX switch waits after determining a RADIUS server is

unresponsive before trying to reconnect with this server. During the dead time,
the RADIUS server is ignored by the MX. The default is 0 minutes.
508
Table 80.show radius Output

Field
Description
State
Current state of each RADIUS server currently active:
UP (operating)
DOWN (unavailable)
Server Group
Names of RADIUS server groups and member servers configured on the MX.
RADIUS Dynamic Authorization
If configured, dynamic authentication attributes are displayed.
Configuration
Server Port
The RADIUS server port configured for dynamic authorization.
Dynamic Author
Dynamic Author Clients
The name of the DAC server
IP Address
IP address of the DAC sever
Disconnect
Disconnected clients
Change Author
Enable or disable any changes in authorization
Replay Protect
Enable or disable replay protection
Replay Win
The length of time in seconds to allow for replay.
509
510
802.1X Management Commands

Use 802. IEEE X management commands to modify the default settings for IEEE 802.1X sessions on an
MX. For best results, change the settings only if you are aware of a problem with 802.1X performance on
the MX.
This chapter presents 802.1X commands alphabetically. Use the following table to locate commands in this
chapter based on their use. For information about configuring 802.1X commands for user authentication,
see Chapter , AAA Commands, on page 167.
Caution: 802.1X parameter settings are global for all SSIDs configured on the MX.
Wired Authentication
Port Control
set dot1x port-control on page 518

clear dot1x port-control on page 512
set dot1x authcontrol on page 515
Keys
set dot1x key-tx on page 516

set dot1x tx-period on page 521
clear dot1x tx-period on page 515
set dot1x wep-rekey on page 522
set dot1x wep-rekey-period on page 523
Bonded Authentication
clear dot1x bonded-period on page 512

set dot1x bonded-period on page 516
Reauthentication
set dot1x reauth on page 519

set dot1x reauth-max on page 519
clear dot1x reauth-max on page 513
set dot1x reauth-period on page 520
clear dot1x reauth-period on page 514
Retransmission
set dot1x max-req on page 517

clear dot1x max-req on page 512
Quiet Period and

Timeouts
set dot1x quiet-period on page 518

clear dot1x quiet-period on page 513
set dot1x timeout auth-server on page 520
clear dot1x timeout auth-server on page 514
511
set dot1x timeout supplicant on page 521

clear dot1x timeout supplicant on page 514
Settings, Active Clients, show dot1x on page 523
and Statistics
clear dot1x bonded-period

Usage Resets the Bonded Auth period to its default value.
Syntax clear dot1x max-req
Defaults The default bonded authentication period is 0 seconds.
Access Enabled.
Usage
Examples To reset the Bonded period to its default, type the following command:
MX# clear dot1x bonded-period
See Also
set dot1x bonded-period on page 516
show dot1x on page 523
clear dot1x max-req

Usage Resets to the default setting the number of Extensible Authentication Protocol (EAP)
requests that the MX switch retransmits to a supplicant (client).
Syntax clear dot1x max-req
Defaults The default number is 20.
Access Enabled.
Examples To reset the number of 802.1X requests the MX can send to the default setting, type the
following command:
MX# clear dot1x max-req
See Also
set dot1x max-req on page 517
Usage clear dot1x port-control
Resets all wired authentication ports on the MX to default 802.1X authentication.
Syntax clear dot1x port-control
512
Defaults By default, all wired authentication ports are set to auto and they process authentication
requests as determined by the set authentication dot1X command.
Access Enabled.
Usage This command is overridden by the set dot1x authcontrol command. The clear dot1x
port-control command returns port control to the method configured. This command applies only
to wired authentication ports.
Examples Type the following command to reset the wired authentication port control:
MX# clear dot1x port-control
See Also
clear dot1x quiet-period

Usage Resets the quiet period after a failed authentication to the default setting.
Syntax clear dot1x quiet-period
Defaults The default is 60 seconds.
Access Enabled.
Examples Type the following command to reset the 802.1X quiet period to the default:
MX# clear dot1x quiet-period
See Also
set dot1x quiet-period on page 518
clear dot1x reauth-max

Usage Resets the maximum number of reauthorization attempts to the default setting.
Syntax clear dot1x reauth-max
Defaults The default is 2 attempts.
Access Enabled.
Examples Type the following command to reset the maximum number of reauthorization attempts
to the default:
MX# clear dot1x reauth-max
See Also
513
clear dot1x reauth-period

Usage Resets the time period that must elapse before a reauthentication attempt, to the default
time period.
Syntax clear dot1x reauth-period
Defaults The default is 3600 seconds (1 hour).
Access Enabled.
Examples Type the following command to reset the default reauthentication time period:
MX# clear dot1x reauth-period
See Also
clear dot1x timeout auth-server

Usage Resets to the default setting the number of seconds that must elapse before the MX times
out a request to a RADIUS server.
Syntax clear dot1x timeout auth-server
Access Enabled.
Examples To reset the default timeout for requests to an authentication server, type the following
command:
MX# clear dot1x timeout auth-server
See Also
set dot1x timeout auth-server on page 520
clear dot1x timeout supplicant

Usage Resets to the default setting the number of seconds that must elapse before an
authentication session with a supplicant (client) times out.
Syntax clear dot1x timeout supplicant
Defaults The default for the authentication timeout sessions is 30 seconds.
Access Enabled.
Examples Type the following command to reset the timeout period for an authentication session:
514
MX# clear dot1x timeout supplicant

See Also
set dot1x timeout supplicant on page 521
clear dot1x tx-period

Usage Resets to the default setting the number of seconds that must elapse before the MX
retransmits an EAP over LAN (EAPoL) packet.
Syntax clear dot1x tx-period
Access Enabled.
Examples Type the following command to reset the EAPoL retransmission time:
MX# clear dot1x tx-period
See Also
set dot1x tx-period on page 521
set dot1x authcontrol

Provides a global override mechanism for 802.1X authentication configuration on wired
authentication ports.
Examples This command applies only to wired authentication ports.
Syntax set dot1x authcontrol {enable | disable}
enable
Allows all wired authentication ports running 802.1X to use the

authentication specified per port by the set dot1X port-control command.
disable
Forces all wired authentication ports running 802.1X to unconditionally

accept all 802.1X authentication attempts with an EAP Success message
(ForceAuth).
Defaults By default, authentication control for individual wired authentication is enabled.

Access Enabled.
Examples To enable per-port 802.1X authentication on wired authentication ports, type the
following command:
MX# set dot1x authcontrol enable
success: dot1x authcontrol enabled.
See Also
515

set dot1x bonded-period

Usage Changes the Bonded Auth (bonded authentication) period. The Bonded Auth period is
the number of seconds MSS allows a Bonded Auth user to reauthenticate.
Syntax set dot1x bonded-period seconds
seconds
Number of seconds MSS retains session information for an authenticated

computer while waiting for a client to (re)authenticate on the same computer.
You can change the bonded authentication period to a value from 1 to 300
seconds.
Defaults The default bonded period is 0 seconds, which disables the feature.
Access Enabled.
Usage Normally, the Bonded Auth period needs to be set only if the network has Bonded Auth
clients that use dynamic WEP, or use WEP-40 or WEP-104 encryption with WPA or RSN. These
clients can be affected by the 802.1X reauthentication parameter or the RADIUS Session-Timeout
parameter.
Juniper Networks recommends that you try 60 seconds, and change the period to a longer value
only if clients are unable to authenticate within 60 seconds.
The bonded authentication period applies only to 802.1X authentication rules that contain the
bonded option.
Examples To set the bonded authentication period to 60 seconds, type the following command:
MX# set dot1x bonded-period 60
See Also
clear dot1x bonded-period on page 512
set dot1x key-tx

Usage Enables or disables the transmission of encryption key information to the supplicant (client)
in EAP over LAN (EAPoL) key messages, after authentication is successful.
Syntax set dot1x key-tx {enable | disable}
enable
Enables transmission of encryption key information to clients.
disable
Disables transmission of encryption key information to clients.
Defaults Key transmission is enabled by default.

Access Enabled.
516

Examples Type the following command to enable key transmission:
MX# set dot1x key-tx enable
success: dot1x key transmission enabled.
See Also show dot1x on page 523
set dot1x max-req

Usage Sets the maximum number of times the MX retransmits an EAP request to a supplicant
(client) before ending the authentication session.
To support SSIDs that have both 802.1X and static WEP clients, MSS sends a maximum of two ID
requests, even if this parameter is set to a higher value. Setting the parameter to a higher value
does affect all other types of EAP messages.
Examples
Syntax set dot1x max-req number-of-retransmissions
number-of-retransmissions
Specify a value between 0 and 10.
Defaults The default number of EAP retransmissions is 2.

Access Enabled.
Examples Type the following command to set the maximum number of EAP request
retransmissions to three attempts:
MX# set dot1x max-req 3
success: dot1x max request set to 3.
See Also
clear dot1x max-req on page 512
set dot1x multicast-rekey

Usage Enables or disables multicast periodic rekeying on the network.
Syntax set dot1x multicast-rekey {enable | disable}
Defaults None
Access Enabled
set dot1x multicast-rekey-period

Usage Enables or disables multicast periodic rekeying with a configurable interval.
Syntax set dot1x multicast-rekey-period [integer]
integer
Configure an integer from 30 to 86400.
517
Defaults None
Access Enabled
set dot1x port-control

Determines the 802.1X authentication behavior on individual wired authentication ports or groups of
ports.
Syntax set dot1x port-control {forceauth | forceunauth | auto} port-list
forceauth
Forces the specified wired authentication port(s) to unconditionally authorize

all 802.1X authentication attempts, with an EAP success message.
forceunauth
Forces the specified wired authentication port(s) to unconditionally reject all

802.1X authentication attempts with an EAP failure message.
auto
Allows the specified wired authentication ports to process 802.1X

authentication normally as determined for the user by the set authentication
dot1X command.
port-list
One or more wired authentication ports for which to set 802.1X port control.
Defaults By default, wired authentication ports are set to auto.

Access Enabled.
Usage This command affects only wired authentication ports.
Examples The following command forces port 19 to unconditionally accept all 802.1X
authentication attempts:
MX# set dot1x port-control forceauth 19
success: authcontrol for 19 is set to FORCE-AUTH.
See Also
set dot1x quiet-period

Usage Sets the number of seconds an MX remains quiet and does not respond to a supplicant
after a failed authentication.
Syntax set dot1x quiet-period seconds
seconds
Specify a value between 0 and 65,535.

Access Enabled.
Examples Type the following command to set the quiet period to 90 seconds:
518
MX# set dot1x quiet-period 90

success: dot1x quiet period set to 90.
See Also
clear dot1x quiet-period on page 513
set dot1x reauth

Usage Determines whether the MX switch allows the reauthentication of supplicants (clients).
Syntax set dot1x reauth {enable | disable}
enable
Permits reauthentication.
disable
Denies reauthentication.
Defaults Reauthentication is enabled by default.

Access Enabled.
Examples Type the following command to enable reauthentication of supplicants (clients):
MX# set dot1x reauth enable
success: dot1x reauthentication enabled.
See Also
set dot1x reauth-max

Usage Sets the number of reauthentication attempts that the MX makes before the supplicant
(client) becomes unauthorized.
If the number of reauthentications for a wired authentication client is greater than the maximum
number of reauthentications allowed, MSS sends an EAP failure packet to the client and removes
the client from the network. However, MSS does not remove a wireless client from the network
under these circumstances.
Examples
Syntax set dot1x reauth-max number-of-attempts
number-of-attempts
Specify a value between 1 and 10.
Defaults The default number of reauthentication attempts is 2.

Access Enabled.
Examples Type the following command to set the number of authentication attempts to 8:
MX# set dot1x reauth-max 8
519
success: dot1x max reauth set to 8.

See Also
clear dot1x reauth-max on page 513
set dot1x reauth-period

Usage Sets the number of seconds that must elapse before the MX switch attempts
reauthentication.
Syntax set dot1x reauth-period seconds
Specify a value between 60 (1 minute) and 1,641,600 (19 days).
seconds
Defaults The default is 3600 seconds (1 hour).

Access Enabled.
History
MSS Version 1.0
Command introduced.
MSS Version 1.1
Maximum value changed.
Usage You also can use the RADIUS session-timeout attribute to set the reauthentication timeout
for a specific client. In this case, MSS uses the timeout that has the lower value. If the
session-timeout is set to fewer seconds than the global reauthentication timeout, MSS uses the
session-timeout for the client. However, if the global reauthentication timeout is shorter than the
session-timeout, MSS uses the global timeout instead.
Examples Type the following command to set the number of seconds to 100 before
reauthentication is attempted:
MX# set dot1x reauth-period 100
success: dot1x auth-server timeout set to 100.
See Also
clear dot1x reauth-period on page 514
set dot1x timeout auth-server

Usage Sets the number of seconds that must elapse before the MX switch times out a request to
a RADIUS authentication server.
Syntax set dot1x timeout auth-server seconds
seconds

Access Enabled.
Examples Type the following command to set the authentication server timeout to 60 seconds:
520
MX# set dot1x timeout auth-server 60

success: dot1x auth-server timeout set to 60.
See Also
set dot1x timeout supplicant

Usage Sets the number of seconds that must elapse before the MX switch times out an
authentication session with a supplicant (client).
Syntax set dot1x timeout supplicant seconds
seconds

Access Enabled.
Examples Type the following command to set the number of seconds for authentication session
timeout to 300:
MX# set dot1x timeout supplicant 300
success: dot1x supplicant timeout set to 300.
See Also
set dot1x tx-period

Usage Sets the number of seconds that must elapse before the MX switch retransmits an EAPoL
packet.
Syntax set dot1x tx-period seconds
seconds

Access Enabled.
Examples Type the following command to set the number of seconds before the MX retransmits
an EAPoL packet to 300:
MX# set dot1x tx-period 300
success: dot1x tx-period set to 300.
See Also
clear dot1x tx-period on page 515
521
set dot1x unicast-rekey

Usage Enables or disables unicast periodic rekeying on the network.
Syntax set dot1x unicast-rekey {enable | disable}
Defaults None
Access Enabled
set dot1x unicast-rekey-period

Usage Enables or disables unicast periodic rekeying with a configurable interval.
set dot1x unicast-rekey-period [integer]
integer
Configure an integer from 30 to 86400.
Defaults None
Access Enabled
set dot1x wep-rekey

Usage Enables or disables Wired Equivalency Privacy (WEP) rekeying for broadcast and
multicast encryption keys.
Syntax set dot1X wep-rekey {enable | disable}
Warning: enable
Warning: Causes the broadcast and multicast keys for WEP to be rotated at an interval set by
the set dot1x wep-rekey-period for each radio, associated VLAN, and encryption type. The MX
generates the new broadcast and multicast keys and pushes the keys to the clients via EAPoL
key messages.
Warning: disable Warning: WEP broadcast and multicast keys are never rotated.
Defaults WEP key rotation is enabled, by default.

Access Enabled.
Usage Reauthentication is not required for WEP key rotation to take place. Broadcast and
multicast keys are always rotated at the same time, so all members of a given radio, VLAN, or
encryption type receive the new keys at the same time.
Examples Type the following command to disable WEP key rotation:
MX# set dot1x wep-rekey disable
success: wep rekeying disabled
See Also
set dot1x wep-rekey-period on page 523
522
set dot1x wep-rekey-period

Usage Sets the interval for rotating the WEP broadcast and multicast keys.
Syntax set dot1x wep-rekey-period seconds
seconds
Specify a value between 30 and 1,641,600 (19 days).
Defaults The default is 1800 seconds (30 minutes).

Access Enabled.
History
MSS Version 1.0
Command introduced.
MSS Version 1.1
Maximum value changed.
Examples Type the following command to set the WEP-rekey period to 300 seconds:
MX# set dot1x wep-rekey-period 300
success: dot1x wep-rekey-period set to 300
See Also
set dot1x wep-rekey on page 522
show dot1x
Usage Displays 802.1X client information for statistics and configuration settings.
Syntax show dot1x {clients | stats | config}
clients
Displays information about active 802.1X clients, including client name,

MAC address, and state.
stats
Displays global 802.1X statistics associated with connecting and

authenticating.
config
Displays a summary of the current configuration.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
523
Version 2.1
Bonded authentication information added to show dot1x config output:

New flag added for Username field. If a user glob is configured for
bonded authentication, an asterisk appears after the user glob.
For example: [email protected] !
New field, Bonded period, added to 802.1X parameter column.
Version 3.1
Format of 802.1X authentication rule information in show dot1x config

output changed. The rules are still listed at the top of the display, but more
information is shown for each rule.
Examples Type the following command to display the 802.1X clients:

MX# show dot1x clients
MAC Address
State
-------------
Vlan
-------
------
Identity
----------
00:20:a6:48:01:1f
Connecting
(unknown)
00:05:3c:07:6d:7c
Authenticated
vlan-it
EXAMPLE\jose
00:05:5d:7e:94:83
Authenticated
vlan-eng
EXAMPLE\singh
00:02:2d:86:bd:38
Authenticated
vlan-eng
[email protected]
00:05:5d:7e:97:b4
Authenticated
vlan-eng
EXAMPLE\havel
00:05:5d:7e:98:1a
Authenticated
vlan-eng
EXAMPLE\nash
00:0b:be:a9:dc:4e
Authenticated
vlan-pm
[email protected]
00:05:5d:7e:96:e3
Authenticated
vlan-eng
EXAMPLE\mishan
00:02:2d:6f:44:77
Authenticated
vlan-eng
EXAMPLE\ethan
00:05:5d:7e:94:89
EXAMPLE\fmarshall
Authenticated
vlan-eng
00:06:80:00:5c:02
EXAMPLE\bmccarthy
Authenticated
vlan-eng
00:02:2d:6a:de:f2
[email protected]
Authenticated
vlan-pm
00:02:2d:5e:5b:76
Authenticated
vlan-pm
EXAMPLE\tamara
00:02:2d:80:b6:e1
Authenticated
vlan-cs
[email protected]
00:30:65:16:8d:69
authenticated
Authenticated
vlan-wep
MAC
00:02:2d:64:8e:1b
Authenticated
vlan-eng
EXAMPLE\wong
Type the following command to display the 802.1X configuration:

MX# show dot1x config
802.1X user policy
---------------------'host/bob-laptop.mycorp.com' on ssid 'mycorp' doing PASSTHRU
524
'bob.mycorp.com' on ssid 'mycorp' doing PASSTHRU (bonded)

802.1X parameter
setting
----------------
-------
supplicant timeout
30
auth-server timeout
30
quiet period
transmit period
reauthentication period
3600
maximum requests
key transmission
enabled
reauthentication
enabled
authentication control
enabled
WEP rekey period
1800
WEP rekey
enabled
Bonded period
60
port 5, authcontrol: auto, max-sessions: 16

Type the following command to display 802.1X statistics:
MX# show dot1x stats
802.1X statistic
value
----------------
-----
Enters Connecting:
709
Logoffs While Connecting:
112
Enters Authenticating:
467
Success While Authenticating:
Timeouts While Authenticating:
52
525
Failures While Authenticating:
Reauths While Authenticating:
Starts While Authenticating:
31
Logoffs While Authenticating:
Starts While Authenticated:
85
Logoffs While Authenticated:
Bad Packets Received:
Table 81 explains the counters in the show dot1x stats output.

Table 81.show dot1x stats Output
Field
Description
Enters Connecting
Number of times that the MX state transitions to the CONNECTING state from any
other state.
Logoffs While Connecting
Number of times that the MX state transitions from CONNECTING to

DISCONNECTED as a result of receiving an EAPoL-Logoff message.
Enters Authenticating
Number of times that the state wildcard transitions.
Success While Authenticating
Number of times the MX state transitions from AUTHENTICATING from

AUTHENTICATED, as a result of an EAP-Response/Identity message being received
from the supplicant (client).
Timeouts While Authenticating
Number of times that the MX state wildcard transitions from AUTHENTICATING to

ABORTING.
Failures While Authenticating
Number of times that the MX state wildcard transitions from AUTHENTICATION to

HELD.
Reauths While Authenticating

ABORTING, as a result of a reauthentication request (reAuthenticate = TRUE).
Starts While Authenticating

ABORTING, as a result of an EAPoL-Start message being received from the Supplicant
(client).
Logoffs While Authenticating

ABORTING, as a result of an EAPoL-logoff message being received from the
Supplicant (client).
Bad Packets Received
526
Number of EAPoL packets received that have an invalid version or type.
Session Management Commands

Use session management commands to display and clear administrative and network user sessions. This
chapter presents session management commands alphabetically. Use the following table to locate
Administrative
Sessions

clear sessions on page 527
Network Sessions

clear sessions network on page 528
Mesh AP Sessions
show sessions mesh-ap on page 532
clear sessions
Usage Clears all administrative sessions, or clears administrative console or Telnet sessions.
Syntax clear sessions {admin | console | telnet client
mesh-ap [session-id session-id]}
admin
Clears sessions for all users with administrative access to the MX through a
Telnet or SSH connection or a console plugged into the switch.
console
console plugged into the switch.
telnet
Telnet connection.
telnet client
[session-id]
Clears all Telnet client sessions from the CLI to remote devices, or clears
an individual session identified by session ID.
mesh-ap
[session-id]
Clears all Mesh AP sessions, or clears an individual Mesh AP session

identified by session ID.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced.
Version 1.1
New option, client [session-id], added to clear Telnet client sessions.
Version 6.0
New option, mesh-ap, added to clear Mesh AP sessions.
Examples To clear all administrator sessions type the following command:
527
MX# clear sessions admin

This will terminate manager sessions, do you wish to continue? (y|n)
[n]y
To clear all administrative sessions through the console, type the following command:
MX# clear sessions console
[n]y
To clear all administrative Telnet sessions, type the following command:
MX# clear sessions telnet
[n]y
To clear Telnet client session 0, type the following command:
MX# clear sessions telnet client 0
See Also show sessions on page 529
clear sessions network

Usage Clears all network sessions for a specified username or set of usernames, MAC address or
set of MAC addresses, virtual LAN (VLAN) or set of VLANs, or session ID.
Syntax clear sessions network { ap apnum radio radio | mac-addr
mac-addr-glob | session-id local-session-id | ssid name | user user-glob|vlan vlan-glob |
wired}
ap apnum
radio radio
Clears all network sessions for a specified MP and radio. Specify radio 1
or 2.
mac-addr
mac-addr-glob
Clears all network sessions for a MAC address. Specify a MAC address in
hexadecimal numbers separated by colons (:), or use the wildcard
character (*) to specify a set of MAC addresses. (For details, see MAC
Address Globs on page 27.)
session-id
local-session-id
Clears the specified 802.1X network session. To find local session IDs,
use the show sessions command.
ssid name
Clears all network sessions for a named SSID.
user user-glob
Clears all network sessions for a single user or set of users.

Globs on page 27.)
528
vlan vlan-glob
Clears all network sessions on a single VLAN or a set of VLANs.

Specify a VLAN name, use the double-asterisk wildcard character (**) to
specify all VLAN names, or use the single-asterisk wildcard character (*)
to specify a set of VLAN names up to or following the first delimiter
character, either an at sign (@) or a period (.). (For details, see VLAN
Globs on page 28.)
wired
Clears all networks sessions on a wired port.
Defaults None.
Access Enabled.
Usage The clear sessions network command clears network sessions by deauthenticating and,
for wireless clients, disassociating them.
Examples To clear all sessions for MAC address 00:01:02:03:04:05, type the following command:
MX# clear sessions network mac-addr 00:01:02:03:04:05
To clear session 9, type the following command:
MX-20# clear sessions network session-id 9
SM Apr 11 19:53:38 DEBUG SM-STATE: localid 9, mac 00:06:25:09:39:5d,
flags 0000012fh, to change state to KILLING
Localid 9, globalid SESSION-9-893249336 moved from ACTIVE to KILLING
(client=00:06:25:09:39:5d)
To clear the session of user Natasha, type the following command:
MX-20# clear sessions network user Natasha
To clear the sessions of users whose name begins with the characters Jo, type the following
command:
MX-20# clear sessions network user Jo*
To clear the sessions of all users on VLAN red, type the following command:
MX-20# clear sessions network vlan red
See Also
show sessions
Usage Displays session information and statistics for all users with administrative access to the
MX, or for administrative users with either console or Telnet access.
529
Syntax show sessions [admin | console | telnet client]

admin
Displays sessions for all users with administrative access to the MX through a
Telnet or SSH connection or a console plugged into the switch.
console
console plugged into the switch.
telnet
Telnet connection.
telnet clien Displays Telnet sessions from the CLI to remote devices.
t
Defaults None.
Access All, except for show sessions telnet client, which has enabled access.
History
Version 1.0
Command introduced.
Version 1.1
New option, client, added to display Telnet client sessions.
Version 2.0
New field added to list the type of administrative session.
Version 6.2
Added the ability to display all sessions
Examples To display information about all sessions, use the following command:
MX> show sessions
User
Sess
Type
IP or MAC
VLAN
Name
ID
--------------
---------
--------
--------------
------
engineering-05:
0c:78
28*
dot1x
10.7.255.2
yellow
5/1
engineering-79:
86:73
29*
dot1x
10.7.254.3
red
2/1
engineering-1a:
68:78
30*
dot1x
10.7.254.8
red
7/1
Address
AP/
Radio
To view information about sessions of administrative users, type the following command:
MX> show sessions admin
Tty
Username
Time (s)
Type
-------
--------------------
--------
----
3644
Console
tty0
tty2
tech
Telnet
tty3
sshadmin
381
SSH
3 admin sessions
530
To view information about console users sessions, type the following command:
MX> show sessions console
Tty
Username
Time (s)
-------
--------------------
--------
console
8573
1 console session
To view information about Telnet users sessions, type the following command:
MX> show sessions telnet
Tty
Username
Time (s)
-------
--------------------
--------
tty2
sea
7395
To view information about Telnet client sessions, type the following command:
MX# show sessions telnet client
Session
Server Address
Server Port
Client Port
-------
--------------
------------
-----------
192.168.1.81
23
48000
10.10.1.22
23
48001
Table 82 describes the fields of the show sessions admin, show sessions console, and show
sessions telnet displays.
Table 83 describes the fields of the show sessions telnet client display.
Table 82.show sessions admin, show sessions console, and show sessions telnet
Output
Field
Description
Tty
The Telnet terminal number, or console for administrative users connected through the console port.
Username
Up to 30 characters of the name of an authenticated user.
Time (s)
Number of seconds the session has been active.
Type
Type of administrative session:

Console
SSH
Telnet
Table 83.show sessions telnet client Output

Field
Description
Session
Session number assigned by MSS when the client session is established.
Server Address
IP address of the remote device.
Server Port
TCP port number of the remote devices TCP server.
Client Port
TCP port number MSS is using for the client side of the session.
See Also clear sessions on page 527
531
show sessions mesh-ap

Usage Displays summary or verbose information about Mesh AP sessions on the MX.
Syntax show sessions mesh-ap [session-id session-id | verbose]
session-id
local-session-id
Displays the specified Mesh AP session. To determine the local session

ID for a Mesh AP session, use the show sessions mesh-ap command
without the session-id option.
verbose
Provides detailed output for all Mesh AP sessions.
Defaults None.
Access All.
Examples To view information about Mesh AP sessions, type the following command:
MX> show sessions mesh-ap
User
Sess
Name
Radio
ID
---------------------------- ---00:0b:0e:17:bb:3f
AP 2/2
IP or MAC
VLAN
Address
Name
AP/
----------------- ---------------
2* 1.1.1.3
(none)
Table 84 describes the fields of show sessions mesh-ap output.

Table 84.show sessions mesh-ap Output
Field
Description
User Name
The MAC address of the authenticated Mesh AP.
Sess ID
Locally unique number that identifies this session. An asterisk (*) next to a session ID
indicates that the session is fully active.
IP or MAC Address
IP address of the Mesh AP.
VLAN Name
Name of the VLAN associated with the session.
Port/Radio
Number of the port and radio through which the Mesh AP is accessing this session.
See Also clear sessions on page 527
show sessions network

Usage Displays summary or verbose information about all network sessions, or network sessions
for a specified username or set of usernames, MAC address or set of MAC addresses, VLAN or
set of VLANs, or session ID.
Syntax show sessions network [ap apnum | | mac-addr mac-addr-glob |
qos-profile profilename | session-id session-id| ssid ssid-name | statistics |
user user-glob | vlan vlan-glob | | wired ] [verbose]
ap apnum
532
Displays network sessions for a single MP.
user user-glob
Displays all network sessions for a single user or set of users.

Globs on page 27.)
mac-addr
mac-addr-glob
Displays all network sessions for a MAC address. Specify a MAC

address in hexadecimal numbers separated by colons (:).
Or use the wildcard character (*) to specify a set of MAC addresses. (For
details, see MAC Address Globs on page 27.)
qos-profile
profilename
Displays all network sessions for a named QoS profile.
ssid ssid-name
Displays all network sessions for an SSID.
statistics
Displays network statistics.
vlan vlan-glob
Displays all network sessions on a single VLAN or a set of VLANs.

Specify a VLAN name, use the double-asterisk wildcard character (**) to
specify all VLAN names, or use the single-asterisk wildcard character (*)
to specify a set of VLAN names up to or following the first delimiter
character, either an at sign (@) or a period (.). (For details, see VLAN
Globs on page 28.)
session-id
local-session-id
Displays the specified network session. To find local session IDs, use the
show sessions command. The verbose option is not available with this
form of the show sessions network command.
wired
Displays all network sessions on wired authentication ports.
verbose
Provides detailed output for all network sessions or ones displayed by

username, MAC address, or VLAN name.
Defaults None.
Access All.
History
Version 1.0
Command introduced.
Version 4.1
Output added to the show network sessions verbose command to

indicate the users authorization attributes and whether they were
supplied through AAA or through configured SSID defaults in a service
profile.
533
Host name field added to show sessions network verbose output.
Version 4.2
MP serial number added to show sessions network verbose

output.
The following fields added to show sessions network session-id
output:
Local Id
SSID
Last Auth Time
Last Activity
Idle Time-To-Live
Login Type
Protocol
Session CAC
Authentication Method field renamed to EAP Method.
Version 5.0
New values for the source of user attribute values (attributes include
Vlan-Name, Start-Date, and so on.) See Table 86 on page 538.
Usage MSS displays information about network sessions in three types of displays. See the
following tables for field descriptions.
Summary display
See Table 85 on page 537.
Verbose display
show sessions network session-id display
Authorization attribute values can be changed during authorization. If the values are changed,
show sessions output shows the values that are actually in effect following any changes.
Examples To display summary information for all network sessions, type show sessions
network. For example:
MX> show sessions network
User Name SessID Type Address VLAN AP/Radio
--------------------- ------ ----- ----------------- ---------------------TRAPEZE\jjonesg 20* dot1x 172.21.50.151 eng-alpha 20/2
TRAPEZE\jdoe 75* dot1x 172.21.50.97 eng-alpha 2/2
TRAPEZE\lsmith 752* dot1x 172.21.50.89 eng-alpha 20/2
TRAPEZE\lforte 409* dot1x 172.21.52.149 cs-alpha 27/2
TRAPEZE\lcheval 24* dot1x 172.21.50.66 eng-alpha 27/2
TRAPEZE\mjaune 477* dot1x 172.21.52.102 cs-alpha 2/2
TRAPEZE\schat 365* dot1x 172.21.50.135 eng-alpha 27/2
534
TRAPEZE\scottw 333* dot1x 172.21.50.113 eng-alpha 4/2

TRAPEZE\vlait 627* dot1x 172.21.54.134 pm-alpha 22/2
TRAPEZE\zvoiture 5* dot1x 172.21.50.82 eng-alpha 20/2
bjones 672* dot1x 172.21.52.159 cs-alpha 2/1
The following command displays summary information about the sessions for MAC address
00:05:5d:7e:98:1a:
MX> show sessions network mac-addr 00:05:5d:7e:98:1a
User Name
AP/Radio/
Sess
Type
--------------------------- ---- ---------------- ----EXAMPLE\Havel

1/2
13* web
Address
VLAN
-------------10.10.10.40
vlan-eng
The following command displays summary information about all the sessions of users whose
names begin with E:
MX> show sessions network user E*
User Name
AP/Radio/
Sess
Type
--------------------------- ---- ---------------- ----EXAMPLE\Eval

1/2
13*
web
Address
VLAN
-------------10.10.10.39
vlan-eng
(Table 85 on page 537 describes the summary displays of show sessions network commands.)
The following command displays verbose output about the sessions of all current network users:
MX> show sessions network verbose
User Name
Sess Type
Address
VLAN
AP/Radio
---------------------------- ------------------ --------SHUTTLE2\exmpl
7/1
-------- -----------------
3* web
10.8.255.8
default
Client MAC: 00:0b:7d:26:b1:fb GID: SESS-3-00040c-287058-657673d4

State: ACTIVE
(prev AUTHORIZED)
now on: MX 172.16.0.1, port 10, AP/radio 0422900147/1, as of 00:00:22

ago
from: MX 172.16.0.1, port
ago
6, AP/radio 0342900121/1, as of 00:01:07
from: MX 172.16.0.1, port

ago
2, AP/radio 0412900109/1, as of 00:01:53
Host name: shuttle2_laptop

535
Vlan-Name=default (service-profile)
Service-Type=2 (service-profile)
End-Date=52/06/07-08:57 (AAA)
Start-Date=05/04/11-10:00 (AAA)
1 sessions total
(Table 86 on page 538 describes the additional fields of the verbose output of show sessions
network commands.)
The following command displays information about network session 88:
MX# show sessions network session-id 88
Name: Trapeze\jdoeh
Session Id:
88
Global Id:
SESS-88-00040f-876766-623fd6
Login Type: dot1x

SSID:
Rack-39-PM
IP Address:
10.2.39.217
MAC Address: 00:0f:66:f4:71:6d

AP/Radio:
10/1
State:
ACTIVE
Session Tag: 2
Host name: jdoeh-d410
Vlan Name:
default
Up time: 02:54:29
Roaming history:
Switch
AP/Radio
Association Time Duration
---------
---------
---------------
--------
192.168.254.82
3/2
09/21/07 11:16:47
02:54:03
Session Start:
Wed Sep 20 21:19:27 2006 GMT
Last Auth Time:
Wed Apr 20 21:19:26 2006 GMT
Last Activity:
Wed Apr 20 21:19:49 2006 GMT
( <15s ago)
Session Timeout: 0
Idle Time-To-Live: 175
EAP Method:
NONE, using server 172.16.0.1
Protocol: 802.11
CoS: flow-through
Session CAC: disabled
Radio type: 802.11na
Last packet rate: 300Mb/s (m15 40 MHz)
536
Last packet RSSI: -45 dBm

Last packet SNR: 50
Packets
Bytes
-------
-----
Rx Unicast
1814
2522
Rx Multicast
68
7846
Rx Encrypt Err
Tx Unicast
2004
4444900
Rx peak A-MSDU
2048
Rx peak A-MPDU
13
16345
Tx peak A-MSDU
2048
Tx peak A-MPDU
13
16345
Queue
Tx Packets
Tx Dropped
Re-Transmit
Rx Dropped
-------
-----------
-----------
-----------
-----------
Background
Best Effort
30
Queue
Tx Packets
Tx Dropped
Re-Transmit
Rx Dropped
-------
-----------
-----------
-----------
-----------
Video
Voice
11n Capabilities:
Max Rx A-MSDU size: 2K
Max Rx A-MPDU size: 16K
Max Channel Width: 40MHz
For descriptions of the fields of show sessions network session-id output, see Table 87 on
page 539.
Table 85.show sessions network (summary) Output
Field
Description
User Name
Up to 30 characters of the name of the authenticated user of this session.
Note: For a MAC-authenticated session, this value is the client devices MAC address.
Sess ID
Locally unique number that identifies this session. An asterisk (*) next to a session ID
indicates that the session is fully active.
IP or MAC Address
IP address of the session user, or the users MAC address if the user has not yet received an
IP address.
VLAN Name
Port/Radio
Number of the port and radio through which the user is accessing this session.
537
Table 86.Additional show sessions network verbose

Output
Field
Description
Client MAC
MAC address of the session user.
GID
Global session ID, a unique session number within a Mobility Domain.
State
Status of the session:

AUTH, ASSOC REQClient is being associated by the 802.1X protocol.
AUTH AND ASSOCClient is being associated by the 802.1X protocol, and the user is being
authenticated.
AUTHORIZINGUser has been authenticated (for example, by the 802.1X protocol and an
AAA method), and is entering AAA authorization.
AUTHORIZEDUser has been authorized by an AAA method.
ACTIVEUsers AAA attributes have been applied, and the user is active on the network.
DEASSOCIATEDOne of the following:
Wireless client has sent the MX switch a disassociate message.
User associated with one of the current MX switchs MP access points has appeared at another
MX switch in the Mobility Domain.
ROAMING AWAYThe MX switch has been sent a request to transfer the user, who is roaming,
to another MX switch.
STATUS UPDATEDMX switch is receiving a final update from an MP access point about the
user, who has roamed away.
WEB_AUTHINGUser is being authenticated by WebAAA.
WIRED AUTHINGUser is being authenticated by the 802.1X protocol on a wired
KILLINGUsers session is being cleared, because of 802.1X authentication failure, entry of a
clear command, or some other event.
now on
Shows the following information about the MP and radio the session is currently on:
IP address and port number of the MX managing the MP
Serial number and radio number of the MP
Amount of time the session has been on this MP
from
Shows information about the MPs from which the session has roamed. (See the descriptions
above for the now on field.)
Host name
538
Host name of the users networking device.
Table 86.Additional show sessions network verbose

Output (continued)
Field
Description
Vlan-Name
Authorization attributes for the user and how they were assigned (the sources of the attribute
(and other
values).
attributes if set)
For Vlan-Name, the source of the attribute value can be one of the following:
AAAVLAN is from RADIUS or the local database.
initial-assignmentFor a client that has roamed from one MX to another, VLAN is the one
assigned to the user on the MX where the user first accessed the network. (This is the MX
where the clients global session in the Mobility Domain started.)
This authorization source (initial-assignment) is displayed only if the following conditions are true:
The client roamed from another MX.
The service profile for the SSID the user is on is configured to keep the clients initial VLAN
assignment. (This means the keep-initial-vlan option is enabled on the service profile.)
The VLAN is not configured for the user on the roamed-to switch by the local database.
A Location Policy on the roamed-to MX does not set the VLAN.
location policyAttribute value was assigned by a Location Policy.
service-profileAttribute value is configured on the SSID, and was not overridden by other
attribute sources (such as AAA or location policy).
Web PortalSession is for a Web Portal client.
Table 87.show sessions network session-id Output

Field
Description
Local Id
Identifier for the session on this particular MX. (This is the session ID you specify when
entering the show sessions network session-id command.)
Global Id
Unique session identifier within the Mobility Domain.
State
Status of the session:

AUTH, ASSOC REQClient is associating by the 802.1X protocol.
AUTH AND ASSOCClient is associating by the 802.1X protocol, and the user is
authenticating.
AUTHORIZINGUser is authenticated (for example, by the 802.1X protocol and an AAA
method), and is entering AAA authorization.
AUTHORIZEDUser is authorized by an AAA method.
ACTIVEUsers AAA attributes are applied, and the user is active on the network.
State,
DEASSOCIATEDOne of the following:
cont.
Wireless client has sent the MX a disassociate message.

User associated with one of the MPs of the current MX has appeared at another MX in
the Mobility Domain.
ROAMING AWAYThe MX was sent a request to transfer the user, who is roaming, to
another MX.
STATUS UPDATEDMX is receiving a final update from an MP about the user, who has
roamed away.
WEB_AUTHINGUser is authenticating by WebAAA.
WIRED AUTHINGUser is authenticating by the 802.1X protocol on a wired
KILLINGUsers session is cleared, because of 802.1X authentication failure, entry of a
clear command, or some other event.
SSID
Name of the SSID of the user.
AP/Radio
Number of the port and radio that the user is accessing for this session.
539
Table 87.show sessions network session-id Output (continued)

Field
Description
MAC address
MAC address of the session user.
User Name
Name of the authenticated user of this session
IP Address
IP address of the session user.
Vlan Name
Tag
System-wide supported VLAN tag type.
Session Start
Indicates when the session started.
Last Auth Time
Indicates when the most recent authentication of the session occurred.
Last Activity
Indicates when the last activity (transmission) occurred on the session.
Session Timeout
Assigned session timeout in seconds.
Idle Time-To-Live
Number of seconds the session can remain idle before MSS changes the session state to
Login Type
Authentication type used to log onto the network:
Disassociated.
DOT1X
MAC
LAST-RESORT
WEB-PORTAL
EAP Method
Extensible Authentication Protocol (EAP) type used to authenticate the session user, and
the IP address of the authentication server.
Session statistics as
Time the session statistics were last updated from the MP access point, in seconds since a
updated from AP
fixed standard date and time.
Unicast packets in
Total number of unicast packets received from the user by the MX (64-bit counter).
Unicast bytes in
Total number of unicast bytes received from the user by the MX (64-bit counter).
Unicast packets out
Total number of unicast packets sent by the MX to the user (64-bit counter).
Unicast bytes out
Total number of unicast bytes sent by the MX to the user (64-bit counter).
Multicast packets in
Total number of multicast packets received from the user by the MX (64-bit counter).
Multicast bytes in
Total number of multicast bytes received from the user by the MX (64-bit counter).
Number of packets with
Total number of decryption failures.
encryption errors
Number of bytes with
Total number of bytes with decryption errors.
encryption errors
Last packet data rate
Data transmit rate, in megabits per second (Mbps), of the last packet received by the MP
access point.
Last packet signal strength
Signal strength, in decibels referred to 1 milliwatt (dBm), of the last packet received by the
MP access point.
Last packet data S/N ratio
Signal-to-noise ratio of the last packet received by the MP access point.
Protocol
Wireless protocol used.
Session CAC
State of session-based Call Admission Control (CAC) on the SSIDs service profile.
See Also clear sessions network on page 528
show sessions network sip

Usage Displays information about SIP sessions on the network.
540
Syntax show sessions network sip [statistics | verbose | voice-details]

Defaults None
Access Enabled
Examples To display a network session with a SIP configuration, use the following command:
MX# show sessions network sip
1 of 6 sessions matched
User Name
AP/Radio
SessID
--------------------- -----jdoe
12/1
Type
Address
VLAN
----- ----------------- ---------------
49551* dot1x 172.21.50.45
eng-alpha
show sessions network voice-details

Usage Displays information about VoIP sessions on the network.
Syntax show sessions network voice-details
Defaults None
Access Enabled
Examples To display information about VoIP sessions on the network, type the following
command:
MX# show sessions network voice-details
3 sessions total
Name:
TRAPEZE\jdoe
Session ID:
49568
SSID:
alpha-aes
IP:
172.21.50.103
MAC:
00:19:7d:37:f7:96
AP/Radio:
4/2
Protocol:
802.11
Session CAC:
disabled
Radio type:
802.11a
Last packet rate:
36 Mb/s
Last packet RSSI:
-80 dBm
Last packet SNR:
15
Voice Queue:
IDLE
Name:
TRAPEZE\jsmith
Session ID:
49558
541
SSID:
alpha-aes
IP:
172.21.50.51
MAC:
00:13:e8:95:51:8d
AP/Radio:
12/2
Protocol:
802.11
Session CAC:
disabled
Radio type:
802.11a
Last packet rate:
54 Mb/s
Last packet RSSI:
-67 dBm
Last packet SNR:
28
Voice Queue:
IDLE
Name: jjones
Session ID:
49549
SSID:
alpha-tkip
IP:
172.21.50.114
MAC:
00:1e:e5:a7:24:66
AP/Radio:
4/2
Protocol:
802.11
Session CAC:
disabled
Radio type:
802.11a
Last packet rate:
48 Mb/s
Last packet RSSI:
-65 dBm
Last packet SNR:
30
Voice Queue:
IDLE
Table 88.show sessions network voice-details Output
542
Field
Description
Name:
Name of the client
Session ID:
Number that identifies the session.
SSID:
Associated SSID for the session.
IP:
IP address of the client on the network.
MAC:
MAC address of the wireless client.
AP/Radio:
Number of the MP associated with the session and the radio.
Protocol:
Identifies the wireless protocol configured for the session.
Session CAC:
Displays if CAC is enabled in the configuration.
Radio type:
Displays the wireless radio type for the client.
Last Packet Rate:
Indicates network speed for the client.
Last Packet RSSI:
Displays the radio strength of the last transmitted packet.
Last Packet SNR:
Displays the signal to noise ratio of the last transmitted packet.
Table 88.show sessions network voice-details Output

Field
Description
Voice Queue:
Indicates an active voice call for the session.
543
544
RF Detection Commands
MSS automatically performs RF detection scans on enabled and disabled radios to detect rogue
access points. A rogue access point is a BSSID (MAC address associated with an SSID) that does not
belong to a Juniper device and is not a member of the ignore list configured on the seed MX of the
Mobility Domain.
MSS can issue countermeasures against rogue devices to prevent clients from being able to use
them.
You can configure RF detection parameters on individual MX switches.
This chapter presents RF detection commands alphabetically. Use the following table to locate the
commands in this chapter based on usage.
New
New
Spectrum Analysis
Rogue Information
set radio-profile rf-scanning spectral on page 549

set radio-profile rf-scanning spectral priority on page 549
show rfdetect clients on page 558
show rfdetect mobility-domain on page 566
show rfdetect data on page 563
show rfdetect visible on page 569
show rfdetect counters on page 561
Countermeasures
show rfdetect countermeasures on page 560
Classification
set rfdetect classification ad-hoc on page 552

set rfdetect classification default on page 553
set rfdetect classification seen-in-network on page 553
set rfdetect classification ssid-masquerade on page 554
Permitted Vendor List
set rfdetect vendor-list on page 556

show rfdetect vendor-list on page 569
clear rfdetect vendor-list on page 548
Permitted SSID List
set rfdetect ssid-list on page 555

show rfdetect ssid-list on page 569
clear rfdetect ssid-list on page 547
Client Black List
set rfdetect black-list on page 551

set rfdetect black-list dynamic on page 552
New
show rfdetect black-list on page 557

clear rfdetect black-list on page 546
Rogue List
clear rfdetect rogue-list on page 546

show rfdetect rogue-list on page 557
Ignore List
set rfdetect ignore on page 554

show rfdetect neighbor-list on page 565
clear rfdetect neighbor-list on page 547
MP Signatures
set rfdetect signature on page 555
545
Log Messages
set rfdetect log on page 554
MX-to-Client RF Link
rfping on page 548
clear rfdetect rogue-list

Removes a MAC address from the attack list.
Syntax clear rfdetect rogue-list [mac | all]
mac
MAC address you want to remove from the rogue list.
all
Removes all MAC addresses from the rogue list.
Defaults None.
Access Enabled.
History
MSS Version 4.0
Command introduced.
MSS Version 6.2
Input changed from attack-list to rogue-list
Examples The following command clears MAC address 11:22:33:44:55:66 from the rogue list:
MX# clear rfdetect attack-list 11:22:33:44:55:66
success: 11:22:33:44:55:66 is no longer in roguelist.
See Also
set rfdetect rogue-list on page 551
clear rfdetect black-list

Removes a MAC address from the client blacklist.
Syntax clear rfdetect black-list [ mac | all]
mac-addr
MAC address you want to remove from the blacklist.
Defaults None.
Access Enabled.
Examples The following command removes MAC address 11:22:33:44:55:66 from the blacklist:
MX# clear rfdetect black-list 11:22:33:44:55:66
success: 11:22:33:44:55:66 is no longer blacklisted.
See Also
546
clear rfdetect countermeasures mac

clear rfdetect neighbor-list

Removes a device from the neighbor list for RF scans. MSS does not generate log messages or traps
for the devices in the neighbor list.
Syntax clear rfdetect neighbor-list [transmit-mac | oui | all]
transmit-mac
Basic service set identifier (BSSID), which is a MAC address, of the device to remove from the
neighbor list.
oui
A third-party device ID
all
Removes all devices from the neighbor list.
Defaults None.
Access Enabled.
History
MSS Version 3.0
Command introduced.
MSS Version 6.2
Changed ignore to neighbor-list.
Examples The following command removes BSSID aa:bb:cc:11:22:33 from the neighbor list for
RF scans:
MX-20# clear rfdetect neighbor-list aa:bb:cc:11:22:33
success: aa:bb:cc:11:22:33 is no longer on the neighbor-list.
See Also
show rfdetect neighbor-list on page 565
clear rfdetect ssid-list

Removes an SSID from the permitted SSID list.
Syntax clear rfdetect ssid-list ssid-name
ssid-name
SSID name you want to remove from the permitted SSID list.
Defaults None.
Access Enabled.
Examples The following command clears SSID mycorp from the permitted SSID list:
MX# clear rfdetect ssid-list mycorp
success: mycorp is no longer in ssid-list.
547
See Also
clear rfdetect vendor-list

rfping
Provides information about the RF link between the MX and the client based on sending test packets
to the client.
Syntax rfping {mac mac-addr | session-id session-id}
mac-addr
Tests the RF link between the MX and the client with the specified MAC address.
session-id
Tests the RF link between the MX and the client with the specified local session ID.
Defaults None.
Access Enabled.
History
Version 4.2
Command introduced.
Version 6.0
Name of command changed from test rflink to rfping.
Usage Use this command to send test packets to a specified client. The output of the command
indicates the number of test packets received and acknowledged by the client, as well as the client
signal strength and signal-to-noise ratio.
Examples The following command tests the RF link between the MX and the client with MAC
address 00:0e:9b:bf:ad:13:
MX# rfping mac 00:0e:9b:bf:ad:13
RF-Link Test to 00:0e:9b:bf:ad:13 :
Session-Id: 2
Packets Sent Packets Rcvd RSSI SNR RTT (micro-secs)
------------ ------------ ------- ----- ---------------20
20
-68 26
976
Table 89.rfping Output
Field
Description
Packets Sent
The number of test packets sent from the MX to the client.
Packets Rcvd
The number of test packets acknowledged by the client.
RSSI
Received signal strength indication (RSSI)the strength of the RF signal from the client, in decibels referred
SNR
Signal-to-noise ratio (SNR), in decibels (dB), of the data received from the client.
to 1 milliwatt (dBm).
548
Table 89.rfping Output (continued)

Field
Description
RTT (micro-secs)
The round-trip time, in microseconds, for the client response to the test packets.
See Also
set radio-profile rf-scanning spectral

Usage Enables Spectral Analysis on a radio profile. You can only enable Spectral Analysis if DFS
is disabled on the WLA.
Syntax set radio-profile profilename rf-scanning spectral [enable |
disable]
profile-name
enable
Enable spectral scanning
disable
Disable spectral scanning
Defaults The default value is disabled

Access Enabled
Examples The following example enables spectral scanning:
set radio-profile thenamedprofile rf-scanning spectral enable
set radio-profile rf-scanning spectral priority

Usage Sets the behavior of the radio when a spectral sample is received.
Syntax MX# set radio-profile profilename rf-scanning spectral priority
[data-first | spectral-first]
profile-name
data-first
Allows any transmit or receive operation in progress to

complete before taking the spectral sample.
spectral-first
The in-progress frame is discarded.
Defaults The default value is data-first

Access Enabled
Examples To run spectral analysis using the sensor only, configure the radio in sentry mode by
using the following command:
WLC# set ap {apnum | auto} radio {1 | 2} mode sentry
While the radio is in sentry mode, it scans for interference but does not transmit user traffic.
To display spectral analysis information, use the following command:
549
MX# show rfdetect data noise

Source ID
Type
AP
Ch
RSSI
Duty
CIM
Age
---------
----
----
----- ----
----
---
---
fe:00:1f:20:82:80
Unknown
71
-92
100
292
fe:21:6f:46:bd:11
Microwave
43
-85
41
67
fe:21:6f:46:bd:11
Microwave
71
10
-64
50
68
142
fe:21:6f:46:bd:11
Microwave
71
11
-58
44
82
112
fe:32:1f:ed:82:80
Phone
75
-71
22
fe:32:1f:ed:82:80
Phone
75
-71
82
fe:32:6f:46:00:01
Phone
43
-78
67
In the output table, Age refers to the time, in seconds, since the noise was detected on the
network.
MX# show rfdetect data noise verbose
Source ID: fe:21:6f:46:bd:16
Type: Microwave oven
AP Number: 71
AP Name: AP71
Channels: 10 11
RSSI: -64 -58
Duty Cycle: 50 44
Severity(CIM): 68 84
Age: 72 12
To show a summary of the noise interference detected, use the following command:
MX# show rfdetect data noise summary
Channel Interference Measure
550
AP
Name
AP
Chan
ovens
----
------
----
----
----
-----
----
----
----
43
60
AP43
10
24
43
43
AP43
48
51
74
81
AP74
52
21
75
60
AP75
10
15
blue
phone
video
other
WLAN
CQM
-
set rfdetect active-scan

Deprecated in MSS Version 4.0. You now can disable or reenable active scan in individual radio
profiles. See set radio-profile active-scan on page 302.
set rfdetect rogue-list

Usage Adds an entry to the rogue list. The rogue list specifies the MAC addresses of devices that
MSS should issue countermeasures against whenever the devices are detected on the network.
The rogue list can contain the MAC addresses of APs and clients.
Syntax set rfdetect rogue-list mac-addr
MAC address you want to add as a rogue.
mac-addr
Defaults The rogue list is empty by default.

Access Enabled.
MSS Version 4.0
Command introduced.
MSS Version 6.2
Command changed from attack-list to rogue-list.
Usage The rogue list applies only to the MX with the configured list. MX switches do not share
rogue lists.
When on-demand countermeasures are enabled (with the set radio-profile countermeasures
configured command) only those devices configured in the rogue list are subject to
countermeasures. In this case, devices found to be rogues by other means, such as policy
violations or by determining that the device is providing connectivity to the wired network, are not
attacked.
Examples The following command adds MAC address aa:bb:cc:44:55:66 to the attack list:
MX# set rfdetect rogue-list 11:22:33:44:55:66
success:
MAC 11:22:33:44:55:66 is now in roguelist.
See Also
set rfdetect black-list

Usage Adds an entry to the client blacklist. The client blacklist specifies clients that are not
allowed on the network. MSS drops all packets from the clients on the blacklist. The black-list is
shared across a Mobility Domain.
Syntax set rfdetect black-list mac-addr
mac-addr
MAC address you want to place on the black list.
Defaults The client black list is empty by default.

551
Access Enabled.
Usage In addition to manually configured entries, the list can contain entries added by MSS. MSS
can place a client in the blacklist due to an association, reassociation or disassociation flood from
the client.
The client black list applies only to the MX with the configured list. MX switches do not share client
blacklists.
MSS supports up to 1024 clients in the black list.
Examples The following command adds client MAC address 11:22:33:44:55:66 to the black list:
MX# set rfdetect black-list 11:22:33:44:55:66
success:
MAC 11:22:33:44:55:66 is now blacklisted.
See Also
set rfdetect black-list dynamic

Usage Adds the ability to create a dynamic black list of rogue signals.
Syntax set rfdetect black-list dynamic {enable | disable} [duration
seconds]
enable | disable
Enables or disables the dynamic black-list feature.
duration seconds
Length of time that an entry should stay on the black list in seconds.
The range is 1 to 2147483647 seconds.
Defaults None
Access Enabled
Examples To allow an entry to stay on the black-list for 60 seconds, you must first enable the
feature and then configure the duration:
MX# set rdetect black-list dynamic enable
MX# set rfdetect black-list dynamic duration 60
set rfdetect classification ad-hoc

Usage Used to classify devices as ad-hoc devices on the network.
552
Syntax set rfdetect classification ad-hoc [rogue | skip-test]
rogue
Detects ad-hoc networks and classifies them as rogues
skip-test
Omit looking for ad-hoc networks and go to the next classification

step.
Defaults None
Access Enabled
Examples To configure MSS to detect ad-hoc networks and classify them as rogue devices, use
the following command:
MX>set rfdetect classification ad-hoc rogue
set rfdetect classification default

Usage Used to configure the default classification of unknown devices on the network.
Syntax set rfdetect classification default [rogue | suspect | neighbor]
rogue
Sets the default classification as rogue.
suspect
Sets the default classification as suspect.
neighbor
Sets the default classification as neighbor.
Defaults None
Access Enabled
Examples To configure MSS to detect unknown devices and classify them as rogue devices, use
MX>set rfdetect classification default rogue
set rfdetect classification seen-in-network

Usage Used to configure devices seen on the network as rogue devices.
Syntax set rfdetect seen-in-network [rogue | skip-test]
rogue
Sets the classification as rogue.
skip-test
Defaults None
Access Enabled
Examples To configure MSS to detect devices seen on the network and classify them as rogue
devices, use the following command:
MX>set rfdetect classification seen-in-network rogue
553
set rfdetect classification ssid-masquerade

Usage Used to configure devices with spoofed SSIDs as rogue devices.
Syntax set rfdetect ssid-masquerade [rogue | skip-test]
rogue
Sets the classification as rogue.
skip-test
Defaults None
Access Enabled
Examples To configure MSS to detect unknown devices and classify them as rogue devices, use
MX>set rfdetect classification ssid-masquerade rogue
set rfdetect countermeasures

set rfdetect countermeasures mac

set rfdetect ignore

set rfdetect log

Disables or reenables generation of log messages when rogues are detected or when they disappear.
Syntax set rfdetect log {enable | disable}
enable
Enables logging of rogues.
disable
Disables logging of rogues.
Defaults RF detection logging is enabled by default.

Access Enabled.
Usage The log messages for rogues are generated only on the seed and appear only in the
seeds log message buffer. Use the show log buffer command to display the messages in the
seed switchs log message buffer.
Examples The following command enables RF detection logging for the Mobility Domain managed
by this seed switch:
MX-20# set rfdetect log enable
success:
554
rfdetect logging is enabled.
See Also show log buffer on page 630
set rfdetect signature

Usage Enables MP signatures. An MP signature is a set of bits in a management frame sent by
an MP that identifies that MP to MSS. If someone attempts to spoof management packets from a
Juniper MP, MSS can detect the spoof attempt.
Syntax set rfdetect signature {enable | disable}
enable
Enables MP signatures.
disable
Disables MP signatures.
Defaults MP signatures are disabled by default.

Access Enabled.
Usage The command applies only to MPs managed by the MX switch on which you enter the
command. To enable signatures on all MPs in a Mobility Domain, enter the command on each MX
switch in the Mobility Domain.
Informational Note: You must use the same MP signature setting (enabled or disabled) on all MX
switches in a Mobility Domain.
Examples The following command enables MP signatures on an MX:

MX-20# set rfdetect signature enable
success:
signature is now enabled.
set rfdetect signature key

Usage Creates an encrypted RF fingerprint key to use as a signature for an MP.
Syntax set rfdetect signature key encrypted <key_value>
key
16 bytes separated by colons generated by the user. For example,

a1:b2:c3:d4:e5:f6:g7:h8 can be a key value.
encrypted
Encrypts the signature key.
Defaults Disabled by default.

Access Enabled
History Introduced in 5.0
set rfdetect ssid-list

Usage Adds an SSID to the permitted SSID list.The permitted SSID list specifies the SSIDs that
are allowed on the network. If MSS detects packets for an SSID not on the list, the AP sending the
packets is classified as a rogue. MSS issues countermeasures against the rogue if they are
enabled.
555
Syntax set rfdetect ssid-list [ssid-name | ssid*]

ssid-name
SSID name you want to add to the permitted SSID list.
ssid*
SSID glob to add to the permitted SSID list.
Defaults The permitted SSID list is empty by default and all SSIDs are allowed. However, after
you add an entry to the list, MSS allows traffic only for the listed SSIDs.
Access Enabled.
History
MSS Version 4.0
Command introduced.
MSS Version 6.2
Added the ability to use wildcards for SSID names.
Usage The permitted SSID list applies only to the MX with the configured list. MX switches do not
share permitted SSID lists.
If you add a device that MSS has classified as a rogue to the permitted SSID list, but not to the
ignore list, MSS can still classify the device as a rogue. Adding an entry to the permitted SSID list
merely indicates that the device is using an allowed SSID. However, if you want MSS to stop
classifying the device as a rogue, you must add the device MAC address to the ignore list.
Examples The following command adds SSID mycorp to the list of permitted SSIDs:
MX# set rfdetect ssid-list mycorp
success:
ssid mycorp is now in ssid-list.
See Also
set rfdetect vendor-list

show rfdetect classification

Usage Displays information about the RF detect classifications configured on the network.
Syntax show rfdetect classification
Defaults None
Access Enabled
Examples The following shows the RF detect classification on the MX.
MX# show rfdetect classification
Table 90.rf detect Classification Rules
556
User Role
Rules for Classification
Calssfication
If in Rogue list
Rogue
Table 90.rf detect Classification Rules

User Role
Rules for Classification
Calssfication
If AP is part of Mobility Domain
Member
If in the Neighbor List
Neighbor
If SSID Masquerade
Rogue
Client or Client DST MAC seen in

network
Rogue
If Ad hoc device
Rogue
If SSID in SSID list
Neighbor
Default Classification
Suspect
show rfdetect rogue-list

Displays information about the MAC addresses in the rogue list.
Syntax show rfdetect rogue-list
Defaults None.
Access Enabled.
MSS Version 4.0
Command introduced.
MSS Version 6.2
Command changed from attack-list to rogue-list.
The following example shows the rogue list on MX:

MX# show rfdetect rogue-list
Roguelist MAC
Port/Radio/Chan
RSSI
SSID
----------------- ----------------- ------ -----------11:22:33:44:55:66
ap 2/1/11
-53
rogue-ssid
See Also
set rfdetect rogue-list on page 551
show rfdetect black-list

Usage Displays information abut the clients in the client blacklist.
Syntax show rfdetect black-list
Defaults None.
Access Enabled.
557
Examples The following example shows the client blacklist on MX:

MX# show rfdetect black-list
Blacklist MAC
Type
Port
TTL
----------------- ----------------- ------- --11:22:33:44:55:66 configured
11:23:34:45:56:67 assoc req flood
25
See Also
clear rfdetect black-list on page 546
show rfdetect clients

Usage Displays the wireless clients detected by an MX.
Syntax show rfdetect clients [mac mac-addr]
mac mac-addr
Displays detailed information for a specific client.
Defaults None.
Access Enabled.
Examples The following command shows information about all wireless clients detected by an MX
and MPs:
MX# show rfdetect clients
Client MAC
Type Last
Client
Vendor
AP MAC
AP
Vendor
Port/Radio
NoL
/Channel
seen
----------------- ------- ----------------- ------- ------------- ------- ----
558
00:03:7f:bf:16:70 Unknown
intfr 207
Unknown
ap 1/1/6
00:04:23:77:e6:e5
intfr 155
Intel
Unknown
ap 1/1/2
00:05:5d:79:ce:0f
intfr 87
D-Link
Unknown
ap 1/1/149
00:05:5d:7e:96:a7
intfr 117
D-Link
Unknown
ap 1/1/149
00:05:5d:7e:96:ce
intfr 162
D-Link
Unknown
ap 1/1/157
00:05:5d:84:d1:c5
intfr 52
D-Link
Unknown
ap 1/1/1
The following command displays more details about a specific client:

MX# show rfdetect clients mac 00:0c:41:63:fd:6d
Client Mac Address: 00:0c:41:63:fd:6d, Vendor: Linksys
Port: ap 1, Radio: 1, Channel: 11, RSSI: -82, Rate: 2, Last Seen
(secs ago): 84
Bssid: 00:0b:0e:01:02:00, Vendor: Trapeze, Type: intfr, Dst:
ff:ff:ff:ff:ff:ff
Last Rogue Status Check (secs ago): 3
The first line lists information for the client. The other lines list information about the most recent
802.11 packet detected from the client.
Table 91.show rfdetect clients Output
Field
Description
Client MAC
MAC address of the client.
Client Vendor
Company that manufactures or sells the client.
AP MAC
MAC address of the radio with which the rogue client is associated.
AP Vendor
Company that manufactures or sells the AP with which the rogue client is associated.
Port/Radio/Channel
Port number, radio number, and channel number of the radio that detected the rogue.
NoL
Number of listeners. This is the number of MP radios that detected the rogue client.
Type
Classification of the rogue device:
rogueWireless device that is on the network but is not

supposed to be on the network.
intfrWireless device that is not part of your network and
is not a rogue, but might be causing RF interference with
MP radios.
knownDevice that is a legitimate member of the
network.
Last seen
Number of seconds since an MP radio last detected 802.11 packets from the device.
Table 92.show rfdetect clients mac Output

Field
Description
RSSI
Received signal strength indication (RSSI)the strength of the RF signal detected by

the MP radio, in decibels referred to 1 milliwatt (dBm).
Rate
The data rate of the client.
Last Seen
559
Table 92.show rfdetect clients mac Output (continued)

Field
Description
BSSID
MAC address of the SSID with which the rogue client is associated.
Vendor
Company that manufactures or sells the AP with which the rogue client is associated.
Typ

rogueWireless device that is on the network but is not supposed to be on the
network.
intfrWireless device that is not part of your network and is not a rogue, but might
be causing RF interference with MP radios.
knownDevice that is a legitimate member of the network.
Dst
MAC addressed to which the last 802.11 packet detected from the client was
addressed.
Last Rogue Status Check
Number of seconds since the MX looked on the air for the AP that the rogue client is
associated. The MX looks for the client AP by sending a packet from the wired side of
the network addressed to the client, and watching the air for a wireless packet
containing the clients MAC address.
show rfdetect countermeasures

Usage Displays the current status of countermeasures against rogues in the Mobility Domain.
Syntax show rfdetect countermeasures
Defaults None.
Access Enabled.
History
Version 3.0
Command introduced.
Version 4.0
Output no longer lists rogues that countermeasures have not started.
Usage This command is valid only on the seed MX of the Mobility Domain.
Examples The following example displays countermeasures status for the Mobility Domain:
MX# show rfdetect countermeasures
Rogue MAC
Type
Countermeasures
MX-IPaddr
Radio Mac
Port/Radio
/Channel
----------------- ----- ------------------ --------------- ------------00:0b:0e:00:71:c0 intfr
00:0b:0e:44:55:66 10.1.1.23
ap 4/1/6
00:0b:0e:03:00:80 rogue
00:0b:0e:11:22:33 10.1.1.23
ap 2/1/11

Table 93.show rfdetect countermeasures Output
560
Field
Description
Rogue MAC
BSSID of the rogue.
Table 93.show rfdetect countermeasures Output (continued)

Field
Description
Type

network.
intfrWireless device that is not part of your network and is not a rogue, but
might be causing RF interference with MP radios.
Countermeasures Radio MAC
MAC address of the Juniper radio sending countermeasures against the rogue.
MX-IPaddr
System IP address of the MX managing the MP that is sending or will send

countermeasures.
Port/Radio/Channel
Port number, radio number, and channel number of the countermeasures radio.
See Also set radio-profile countermeasures on page 311
show rfdetect counters

Usage Displays statistics for rogue and Intrusion Detection System (IDS) activity detected by the
MPs managed by an MX.
Syntax show rfdetect counters
Defaults None.
Access Enabled.
Examples The following command shows counters for rogue activity detected by an MX:
MX# show rfdetect counters
Type
Current
Total
-------------------------------------------------- -----------------------
Rogue access points

0
Interfering access points

1116
139
Rogue 802.11 clients

0
Interfering 802.11 clients

347
802.11 adhoc clients
1
4
0
Unknown 802.11 clients

965
20
Interfering 802.11 clients seen on wired network

0
561
802.11 probe request flood

0
802.11 authentication flood

0
802.11 null data flood

0
802.11 mgmt type 6 flood

0
802.11 mgmt type 7 flood

0
802.11 mgmt type d flood

0
802.11 mgmt type e flood

0
802.11 mgmt type f flood

0
802.11 association flood

0
802.11 reassociation flood

0
802.11 disassociation flood

0
Weak wep initialization vectors

0
Spoofed access point mac-address attacks

0
Spoofed client mac-address attacks

0
Ssid masquerade attacks

12
562
Spoofed deauthentication attacks

0
Spoofed disassociation attacks

0
Null probe responses

11380
626
Broadcast deauthentications
0
FakeAP ssid attacks

0
FakeAP bssid attacks

0
Netstumbler clients
0
Wellenreiter clients
0
Active scans
4383
1796
Wireless bridge frames

196
196
Adhoc client frames

0
Access points present in attack-list

0
Access points not present in ssid-list

0
Access points not present in vendor-list

0
Clients not present in vendor-list

0
Clients added to automatic black-list

0
show rfdetect data

Usage Displays information about the APs detected by an MX.
You can enter this command on any MX in the Mobility Domain. The output applies only to the MX
on which you enter the command. To display all devices that a specific Juniper radio has detected,
even if the radio is managed by another MX, use the show rfdetect visible command.
To display rogue information for the entire Mobility Domain, use the show rfdetect
mobility-domain command on the seed switch.
Only one MAC address is listed for each Juniper radio, even if the radio is beaconing multiple
SSIDs.
Examples
Syntax show rfdetect data
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced.
Version 2.0
New option, verbose, added to include Juniper devices and devices in the
ignore list.
563
Version 3.0
sweep-name, sentry-sweep, and verbose options deprecated.

Fields rearranged to show BSSID first.
Version 4.0
Vendor, Type, and Flags fields added.
Version 7.0
Added 40 MHz channel information.
Version 7.1
Removed flags from output.
Examples The following command shows the devices detected by the MX during the most recent
RF detection scan:
MX# show rfdetect data
BSSID
Vendor
Class
AP Name
RSSI
Ch
Age
----------------- ------- ----- ------------- ------- -------------
-----
00:07:50:d5:cc:91
r27-cisco1200-2
Cisco intfr
i----w
-61
00:07:50:d5:dc:78
r116-cisco1200-2
Cisco intfr
i----w
-82
00:09:b7:7b:8a:54
Cisco intfr
i-----
-96
00:0a:5e:4b:4a:c0
3Com intfr
i-----
-76
00:0a:5e:4b:4a:c2
-86 tapezewlan
3Com intfr
i-t1--
00:0a:5e:4b:4a:c4
3Com intfr
6
-85 trpz-ccmp
ic----
00:0a:5e:4b:4a:c6
3Com intfr
6
-85 trpz-tkip
i-t---
00:0a:5e:4b:4a:c8
3Com intfr
6
-83 trpz-voip
i----w
00:0a:5e:4b:4a:ca
3Com intfr
6
-85 trpz-webaaa
i-----
SSID
public

Table 94.show rfdetect data Output
564
Field
Description
BSSID
MAC address of the SSID used by the detected device.
Vendor
Company that manufactures or sells the rogue device.
Table 94.show rfdetect data Output (continued)

Field
Description
Class

rogueWireless device that is not supposed to be on the network. The client's MAC
address as well as the client's Destination MAC address are compared to an MX FDB. If
either one of the addresses is in the FDB on ANY MX in the mobility-domain, then the AP
that the client is associated with is classified as a Rogue device.
intfrWireless device that is not part of your network but is not a rogue. The device does
not have an entry in an MX FDB and is not actually on the network, but might be causing
RF interference with MP radios.
AP Name
Name of the AP that detected the rogue.
Channel
The channel that is performing the RF detection.
RSSI
Received signal strength indication (RSSI)the strength of the RF signal detected by the
MP radio, in decibels referred to 1 milliwatt (dBm).
Age
SSID
The SSID of the device
+/-
If the device is using 40 MHz wide channels, the primary channel is listed in the Ch column.
If the secondary channel is above the primary, a - appears next to the channel number. If
the secondary channel is below the primary, a + appears next to the channel number.
See Also
show rfdetect neighbor-list

Usage Displays the BSSIDs of third-party devices that MSS ignores during RF scans. MSS does
not generate log messages or traps for the devices in the ignore list.
Syntax show rfdetect neighbor-list
Defaults None.
Access Enabled.
MSS Version 3.0
Command introduced.
MSS 6.2
Command changed from ignore to neighbor-list.
Examples The following example displays the list of ignored devices:

MX# show rfdetect neighbor-list
Ignore MAC
----------------aa:bb:cc:11:22:33
aa:bb:cc:44:55:66
565
See Also
clear rfdetect neighbor-list on page 547
show rfdetect mobility-domain

Usage Displays the rogues detected by all MX switches in the Mobility Domain during RF
detection scans.
Syntax show rfdetect mobility-domain
[ssid ssid-name | bssid mac-addr]
ssid ssid-name
Displays rogues using the specified SSID.
bssid mac-addr
Displays rogues using the specified BSSID.
Defaults None.
Access Enabled.
History
Version 3.0
Command introduced.
Version 4.0
bssid and ssid options added.

Usage This command is valid only on the seed MX of the Mobility Domain. To display rogue
information for an individual MX, use the show rfdetect data command on that MX.
Examples The following command displays summary information for all SSIDs and BSSIDs
detected in the Mobility Domain:
MX# show rfdetect mobility-domain
Flags: i = infrastructure, a = ad-hoc, u = unresolved
c = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w =
WEP(non-WPA)
BSSID
Vendor
Type
Flags
SSID
----------------- ------------ ----- -------------------------------------
566
00:07:50:d5:cc:91
Cisco intfr i----w r27-cisco1200-2
00:07:50:d5:dc:78
Cisco intfr i----w r116-cisco1200-2
00:09:b7:7b:8a:54
Cisco intfr i-----
00:0a:5e:4b:4a:c0
3Com intfr i----- public
00:0a:5e:4b:4a:c2
3Com intfr i----w trapezewlan
00:0a:5e:4b:4a:c4
3Com intfr ic---- trpz-ccmp
00:0a:5e:4b:4a:c6
3Com intfr i----w trpz-tkip
00:0a:5e:4b:4a:c8
3Com intfr i----w trpz-voip

00:0a:5e:4b:4a:ca
3Com intfr i----- trpz-webaaa
The lines in this display are compiled from data from multiple listeners (MP radios). If an item has
the value unresolved, not all listeners agree on the value for that item. Generally, an unresolved
state occurs only when an MP or a Mobility Domain is still coming up, and lasts only briefly.
The following command displays detailed information for rogues using SSID trpz-webaaa.
MX# show rfdetect mobility-domain ssid trpz-webaaa
BSSID: 00:0a:5e:4b:4a:ca Vendor: 3Com SSID: trpz-webaaa
Type: intfr Adhoc: no Crypto-types: clear
MX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/11 Mac:

00:0b:0e:00:0a:6a
Device-type: interfering Adhoc: no Crypto-types: clear
RSSI: -85 SSID: trpz-webaaa
BSSID: 00:0b:0e:00:7a:8a Vendor: Trapeze SSID: trpz-webaaa

Type: intfr Adhoc: no Crypto-types: clear
MX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/1/1 Mac: 00:0b:0e:00:0a:6a

MX-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/1 Mac:

00:0b:0e:76:56:82
Two types of information are shown. The lines that are not indented show the BSSID, vendor, and
information about the SSID. The indented lines that follow this information indicate the listeners
(MP radios) that detected the SSID. Each set of indented lines is for a separate MP listener.
In this example, two BSSIDs are mapped to the SSID. Separate sets of information are shown for each of
the BSSIDs, and information about the listeners for each BSSID is shown.
The following command displays detailed information for a BSSID.
MX# show rfdetect mobility-domain bssid 00:0b:0e:00:04:d1
BSSID: 00:0b:0e:00:04:d1 Vendor: Cisco SSID: notmycorp
Type: rogue Adhoc: no Crypto-types: clear
MX-IPaddress: 10.8.121.102 Port/Radio/Ch: 3/2/56 Mac:
00:0b:0e:00:0a:6b
Device-type: rogue Adhoc: no Crypto-types: clear
RSSI: -72 SSID: notmycorp
567
MX-IPaddress: 10.3.8.103 Port/Radio/Ch: ap 1/1/157 Mac:

00:0b:0e:76:56:82
Device-type: rogue Adhoc: no Crypto-types: clear
RSSI: -72 SSID: notmycorp
Table 95.show rfdetect mobility-domain Output
Field
Description
BSSID
Vendor
Type

rogueWireless device that is not supposed to be on the network. The device
has an entry in an MX switchs FDB and is therefore on the network.
intfrWireless device not part of your network but is not a rogue. The device
does not have an entry in an MX FDB and is not actually on the network, but
might be causing RF interference with MP radios.
Flags
Classification and encryption information for the rogue:

The i, a, or u flag indicates the classification.
The other flags indicate the encryption used by the rogue.
SSID
SSID used by the detected device.
Table 96.show rfdetect mobility-domain ssid or bssid Output

Field
Description
BSSID
Vendor
SSID
Type

network.
intfrWireless device that is not part of your network and is not a rogue, but might
be causing RF interference with MP radios.
Adhoc
Indicates whether the rogue is an infrastructure rogue (is using an AP) or is operating in
ad-hoc mode.
Crypto-Types
Encryption type:
clear (no encryption)
ccmp
tkip
wep104 (WPA 104-bit WEP)
wep40 (WPA 40-bit WEP)
wep (non-WPA WEP)
568
MX-IPaddress
System IP address of the MX that detected the rogue.
Port/Radio/Channel
Port number, radio number, and channel number of the radio that detected the rogue.
Mac
MAC address of the radio that detected the rogue.
Table 96.show rfdetect mobility-domain ssid or bssid Output (continued)

Field
Description
Device-type
Device type detected by the MP radio.
Adhoc
Ad-hoc status (yes or no) detected by the MP radio.
Crypto-Types
Encryption type detected by the MP radio.
RSSI
Received signal strength indication (RSSI)the strength of the RF signal detected by

the MP radio, in decibels referred to 1 milliwatt (dBm).
SSID
SSID mapped to the BSSID.
See Also
show rfdetect ssid-list

Usage Displays the entries in the permitted SSID list.
Syntax show rfdetect ssid-list
Defaults None.
Access Enabled.
Examples The following example shows the permitted SSID list on MX:
MX# show rfdetect ssid-list
SSID
----------------mycorp
corporate
guest
See Also
show rfdetect vendor-list

show rfdetect visible

Usage Displays the BSSIDs discovered by a specific Juniper radio. The data includes BSSIDs
transmitted by other Juniper radios as well as by third-party access points.
If a Juniper radio is supporting more than one SSID, each of the corresponding BSSIDs is listed
separately.
569
To display rogue information for the entire Mobility Domain, use the show rfdetect
mobility-domain command on the seed switch.
Examples
Syntax show rfdetect visible mac-addr
Syntax show rfdetect visible ap apnum [radio {1 | 2}]
mac-addr
Base MAC address of the Juniper radio.

Note: To display the base MAC address of a Juniper radio, use the show ap status
command.
apnum
Port connected to the MP access point to display neighboring BSSIDs.
radio 1
Shows neighbor information for radio 1.
radio 2
Shows neighbor information for radio 2. (This option does not apply to
Defaults None.
Access Enabled.
History
Version 3.0
Command introduced.
Version 4.0
Examples To following command displays information about the rogues detected by radio 1 on MP
port 3:
MX# show rfdetect visible ap 3 radio 1
Flags: i = infrastructure, a = ad-hoc
c = CCMP, t = TKIP, 1 = 104-bit WEP, 4 = 40-bit WEP, w =
WEP(non-WPA)
Transmit MAC
Vendor
Type
Ch
RSSI Flags
SSID
----------------- ------- ----- --- ---- -------------------------------------
570
00:07:50:d5:cc:91
Cisco intfr
-60 i----w r27-cisco1200-2
00:07:50:d5:dc:78
Cisco intfr
-82 i----w r116-cisco1200-2
00:09:b7:7b:8a:54
Cisco intfr
-54 i-----
00:0a:5e:4b:4a:c0
3Com intfr
11
-57 i----- public
00:0a:5e:4b:4a:c2
3Com intfr
11
-86 i-t1-- trapezewlan
00:0a:5e:4b:4a:c4
3Com intfr
11
-85 ic---- trpz-ccmp
00:0a:5e:4b:4a:c6
3Com intfr
11
-85 i-t--- trpz-tkip
00:0a:5e:4b:4a:c8
3Com intfr
11
-83 i----w trpz-voip
00:0a:5e:4b:4a:ca
3Com intfr
11
-85 i----- trpz-webaaa
Table 97 describes the fields in this display..

Table 97.show rfdetect visible Output
Transmit MAC
MAC address the rogue device that sent the 802.11 packet detected by the MP
radio.
Transmit MAC
MAC address the rogue device that sent the 802.11 packet detected by the MP
radio.
Type

network.
intfrWireless device not part of your network and is not a rogue, but might be
causing RF interference with MP radios.
Ch
Channel number on which the radio detected the rogue.
RSSI
Received signal strength indication (RSSI)the strength of the RF signal detected

by the MP radio, in decibels referred to 1 milliwatt (dBm).
Flags
Classification and encryption information for the rogue:

The i, a, or u flag indicates the classification.
The other flags indicate the encryption used by the rogue.
SSID
See Also
571
572
LLDP Commands
Link Layer Discovery Protocol (LLDP) is a Layer 2 protocol that allows a network device to advertise its
identity and capabilities on the local network. It is ratified as an IEEE standard. LLDP supports a set of
attributes used to discover neighbor devices. These attributes contain type, length, and value descriptions
and are referred to as TLVs. LLDP supported devices use TLVs to receive and send information to
neighboring devices. Details such as configuration information, device capabilities, and device identity can
be advertised using this protocol.
MSS and WLCs support these basic management TLVs. These are mandatory TLVs:
Port Description
System Name
System Description
System Capabilities
Management Address
Use the following table to locate commands in this chapter based on their use.
set ap apnum auto lldp mode on page 574
set ap apnum lldp mode on page 574
set lldp hold time on page 575
set lldp mode on page 575
LLDP Configuration
Commands on page 574
set lldp transmit-delay on page 577

set port number lldp mode on page 577
set lldp tx interval on page 576
LLDP-MED Commands
on page 578
LLDP Display
Commands on page 579
573
LLDP Configuration Commands

You can configure the frequency of LLDP updates, the amount of time to hold information before discarding it, and
initialization delay time. You can also select the LLDP TLVs to be sent and received.
This chapter presents LLDP commands alphabetically. Use the following table to locate commands in this chapter
based on their use.
set ap apnum auto lldp mode on page 574
set ap apnum lldp mode on page 574
set ap apnum lldp mode

Usage The AP configuration applies to the Ethernet port and the mesh uplink, if one is configured. The AP
configurations of LLDP mode, tx-interval, hold-time, reinit-delay, transmit-delay, and tlv-select all follow the
global configuration on the MX.
Syntax set ap apnum lldp mode {tx | disable}
tx
Set to transmit mode.
disable
Disable transmit mode.
Defaults None
Access Enabled
Examples To se the AP configuration to transmit mode, use the following command:
WLC# set ap apnum lldp mode tx
See Also
set lldp reinit delay on page 575
set lldp tlv select on page 576
set ap apnum auto lldp mode

Usage Specifies the LLDP operational mode at a specific AP or an auto AP.
574
LLDP Commands
Syntax set ap auto lldp mode {tx | disable}

tx
Set the operational mode to transmit
disable
Disable transmit mode.
Defaults The default value is tx.

Access Enabled
Examples To disable the default transmit setting, use the following command:
WLC# set ap auto lldp mode disable
set lldp hold time

Usage Specifies the length of time that a receiving device retains the information sent by it before
discarding the information. It is recommended to set the value to four times the transmit interval
value.
Syntax set lldp hold-time seconds
seconds
Specify the transmit interval value in seconds. The range is 0 to 65535 seconds
Defaults 120 seconds

Access Enabled
Examples The following example sets the transmit interval value to 500 seconds
WLC# set lldp hold-time 500
set lldp mode

Usage This command globally enables or disables LLDP protocol.
Syntax set lldp mode {enable | disable}
enable
Enable LLDP mode.
disable
Disable LLDP mode.
Defaults The default value is enabled. If it is set to disabled, it is disabled on MXs and APs. All
TLVs are discarded.
Defaults Disable
Access Enabled
Examples The following command enables the LLDP protocol:
WLC# set lldp mode enable
set lldp reinit delay

Usage Configure the delay time, in seconds, before LLDP is initialized on any port.
575
Syntax set lldp reinit-delay seconds

seconds
Specify the delay time in seconds. The range is 2 to 5 seconds
Defaults 2 seconds
Access Enabled
Examples The following example sets the delay time to 5 seconds:
WLC# set lldp reinit-delay 5
set lldp tx interval

Usage Specifies the LLDP advertisement interval in seconds.
Syntax set lldp tx-interval seconds
seconds
Specify the advertisement interval value in seconds. The range is 5 to 32786

seconds
Defaults 30 seconds
Access Enabled
Examples The following example sets the advertisement interval to 500 seconds:
WLC# set lldp tx-interval 500
set lldp tlv select

Usage Specifies the system information to send on the network.
Syntax set lldp tlv-select [system-capabilities | system-description |
system-name] {enable | disable}
system-capabilities
Send system capability information.
system-description
Send system description information.
system-name
Send the system name
enable
Enable the command to send system information on the network.
disable
Disable this command and do not send system information.
Defaults All three TLVs are enabled by default.

Access Enabled
Examples To send the system name information, use the following command:
WLC# set lldp tlv-select system-name enable
576
LLDP Commands
set lldp transmit-delay

Usage Specifies the length of time between LLDP frame transmissions.
The transmit-delay parameter limits the rate at which local changes affect LLDP frames and that
the frame sent advertises only the most recent changes. For example, if you changed the WLC
name every 5 minutes, this action triggers the network to send new LLDP advertisements. By
setting the transmit-delay parameter, you can limit the rate at which new LLDP advertisements are
sent on the network.
LLDP frames are sent at each tx-interval seconds, but if local changes occur then the frames are
sent earlier, but not less than transmit-delay seconds apart.
Syntax set lldp transmit-delay seconds
seconds
Specify the transmit delay time in seconds. The range is 1 to 8192 seconds
Defaults 2 seconds
Access Enabled
Examples The following example sets the delay time to 5 seconds:
WLC# set lldp transmit-delay 5
set port number lldp mode

Usage Specifies the LLDP operation mode on the port.
Informational Note: Port list is supported.
Syntax set port number lldp mode {tx | rx | txrx | disable}

tx
Set the LLLDP mode to transmit.
rx
Set the LLLDP mode to receive.
txrx
Set the LLLDP mode to transmit and receive.
disable
Disable the LLDP tx, rx, or txrx mode.
Defaults The default value is txrx.

Access Enabled
Examples The following example sets the port to transmit mode:
WLC# set port number lldp mode tx
577
LLDP-MED Commands
LLDP-MED is an extension to LLDP that operates between endpoint devices such as IP phones and
network devices such as switches. Specifically, it provides support for voice over IP (VoIP) applications and
provides additional TLVs for capabilities discover, network policy, Power over Ethernet (PoE), and
inventory management.
LLDP-MED supports the following TLVs:
LLDP-MED capabilities TLV Allows LLDP-MED endpoints to determine the capabilities of a
connected device and if those capabilities are enabled.
Network Policy TLV Allows both network connectivity devices and endpoints to advertise VLAN
configurations and associated Layer 2 and Layer 3 attributes for the specific appliance on that port.
For example, an MX can notify a VoIP phone to use a specific VLAN.
Power management TLV Enables advanced power management between LLDP-MED endpoint and
network connectivity devices. Allows MXs and VoIP phones to convey power information, such as the
type of power, power priority, and the amount of power required by the device.
Inventory management TLVs Allows an endpoint to transmit detailed inventory information to an MX,
including hardware revision, firmware version, software version, serial number, manufacturer name,
model name, and asset ID.
LLDP and LLDP-MED cannot operate simultaneously on a network. By default, network devices send only
LLDP packets until LLDP-MED packets are received from an endpoint device. The network device then
sends out LLDP-MED packets until it receives LLDP packets.
The following commands configure LLDP-MED on the MX
LLDP Display Commands on page 579
set port portnum lldp med-tlv-select on page 579
set ap llpd med

Usage Configures LLDP-MED for the AP.
Syntax set ap [apnum |auto] lldp med {enable | disable}
apnum
The number of the AP you want to configure.
auto
Use the auto configuration option to automatically retrieve AP configuration

parameters.
enable
Enable LLDP-MED, with configuration options, for the AP.
disable
Disable LLDP-MED, with configuration options, for the AP.
Defaults None
Access Enabled
Examples Use the following command to enable LLDP-MED with the the auto configuration
options:
578
LLDP-MED Commands
LLDP Commands
WLC# set ap auto lldp med enable
set port portnum lldp med

Usage Configures LLDP-MED on the MX. Port list is supported.
Syntax set port portnum lldp med {enable | disable}
enable
Enable LLDP-MED on the MX.
disable
Disable LLDP-MED on the MX.
Defaults None
Access Enabled
Examples Use the following command to enable LLDP-MED on the MX:
WLC# set port portnum lldp med enable
See Also set port portnum lldp med-tlv-select on page 579
set port portnum lldp med-tlv-select

Usage Configures LLDP-MED with a specific TLV. Port list is supported.
Syntax set port portnum lldp med-tlv-select [power-via-mdi | inventory] mode [enable |
disable]
power-via-mdi
LLDP-MED with the MDI power management TLV.
inventory
LLDP-MED with the Inventory TLV.
enable
Enable LLDP-MED with the specified TLV.
disable
Disable LLDP-MED with the specified TLV.
Defaults None
Access Enabled
Examples Use the following command to enable LLDP-MED with the Inventory TLV:
WLC# set port portnum lldp med-tlv-select power-via-mdi mode enable
See Also set ap llpd med on page 578
LLDP Display Commands

The following commands allow you to display LLDP configurations and statistics:
show configuration area lldp on page 580
show configuration area lldp all on page 580
show lldp on page 581
show lldp neighbors on page 582
show lldp counters on page 583
579
show ap lldp apnum neighbors on page 584

show ap lldp num counters on page 584
show configuration area lldp

Usage Shows the LLDP configuration information.
Syntax show configuration area lldp
Defaults None
Access Enabled
Examples Following is sample output for this command:
#Configuration nvgend at 2010-Jan-3 13:24:50
#Image 7.4.1
#Model WLC8
#Last change occurred 2010-Jan-4 11:37:26
set lldp tx-nterval 60
set lldp reinit-delay 4
set lldp tlv-select system-capabilities disable
set port 1 lldp mode rx
set port 3 lldp mode disable
See Also show configuration area lldp all on page 580
show configuration area lldp all

Usage This command shows verbose LLDP configuration information:
Syntax show configuration area lldp all
Defaults None
Access Enabled
WLC# show configuration area lldp all
#Configuration nvgend at 2010-Jan-3 13:24:50
#Image 7.4.1
#Model WLC8
#Last change occurred 2010-Jan-4 11:37:26
set lldp tx-nterval 60
set lldp reinit-delay 4
set lldp tlv-select system-capabilities disable
set port 1 lldp mode rx
580
LLDP Commands
set port 2 lldp mode txrx

set port 3 lldp mode disable
set port 4 lldp mode txrx
See Also show configuration area lldp on page 580
show lldp
Usage Displays global information about LLDP such as protocol running status, transmit
frequency, hold-time, and reinit-delay.
Syntax show lldp
Defaults None
Access Enabled
WLC# show lldp
LLDP
: Enabled
Advertisement interval: 30 seconds

Transmit Delay
: 2 seconds
Reinit Delay
: 2 seconds
Hold Time
: 120 seconds
LLDP TLVs Selected: system-capabilities

system-description
system-name
LLDP Port Configuration:
Port
LLDP
----
----
txrx
disable
tx
txrx
rx
txrx
txrx
txrx
LLDP AP Configuration
AP
LLDP
MED-MODE
MED-TLVs
--
----
--------
--------
tx
enable
power-via-mdi
inventory
581
disable enable
disable disable
show lldp neighbors

Usage Displays information about LLDP neighbors. If the attribute verbose is not specified, only
limited TLV information is displayed.
Syntax show lldp neighbors port portnum [verbose]
verbose
Display robust details about LLDP neighbors. If not specified, only limited
TLV information is displayed.
port
Specify the port from which to clear LLDP neighbors.
portnum
Specify the port number from which to clear LLDP neighbors.
Defaults None
Access Enabled
Examples Following is sample output for this command without the verbose attribute specified:
WLC# show lldp neighbors
LLDP Remote Devices Information
Port
ChassisID
PortID
SystemName
TTL
----
---------
------
----------
---
00:1e:f7:20:4f87
Fa0/5
SQA_Office
100
192.168.111.21
00:0b:0e:d0:93:c0
1
2
AP4
120
00:b0:c2:02:ae:0d eth1
trpz.com
120
192.168.111.22
AVA4C357E
120
00:0b:0e:d0:93:e0
Following is sample output for this command with the port, portnum, and verbose attributes
specified:
WLC# show lldp neighbors port portnum verbose
Received from Local Port 1, TTL 100 Seconds, 81 seconds remaining
ChassisID Type:
MAC Address
ChassisID:
00:1e:f7:20:4f:87
PortID Type:
Interface Name
PortID:
Fa0/5
System Name:
SQA_OFFICE
System Description TLV

Description:
(TBD)
Port Description TLV

Description:
FastEthernet0/5
System Capabilities TLV

582
LLDP Commands
Support Capabilities: Bridge, Router

Enabled Capabilities: Bridge, Router
Management Address TLV
Type:
IPv4
Address: 192.168.107.1
Interface Subtype: iflndex
Interface Number:
107
Unknown ORG TLV

OUI: 0080c2
Subtype: 1
Length: 2
Data:
0001
MAC/PHY Configuration/Status TLV

Auto-negotiation Support: Supported
Auto-negotiation Status:
Enabled
PMD Auto-neg Adv Cap: 100BASE=TX Full-Duplex, 100BASE-TX

Half-Duplex, 10BASE-T Full-Duplex, 10BASE-T Half-Duplex
Operational MAU Type: 100BASE-TX Full-Duplex
See Also
show ap lldp apnum neighbors on page 584
clear lldp neighbors on page 585
show lldp counters

Usage Displays information such as number of packets sent and received, number of packets
discarded, and number of unrecognized TLVs for LLDP.
Syntax show lldp counters
Defaults None
Access Enabled
583

WLC# show lldp counters
Port Tx Frames Rx Frames Rx Errors Rx Dropped Unknown TLV DROPPED
TLV Expired
---- --------- --------- --------- ---------- ----------- ------------------544
540
0
0
1080
0
5
See Also clear lldp counters on page 585
show ap lldp apnum neighbors

Usage Displays information about AP neighbors.
Syntax show ap lldp apnum neighbors [verbose]
verbose
Display robust details about LLDP AP neighbors.
Defaults None
Access Enabled
Examples To display verbose information about LLDP AP neighbors, use the following command:
show ap lldp apnum neighbors verbose
See Also clear lldp neighbors on page 585
show ap lldp num counters

Usage Display the number of packets sent and received, number discarded, and number of
unrecognized TLVs.
Syntax show ap lldp num counters
Defaults None
Access Enabled
584
LLDP Commands

WLC# show ap lldp num counters
AP Tx Frames Rx Frames RX Errors RX Dropped Unknown TLV Dropped TLV
Expired
-- --------- --------- --------- ---------- ----------- ----------1 544 0 0 0 1080 0 5
See Also
clear AP apnum lldp counters on page 586
clear lldp counters on page 585
clear lldp neighbors

Usage Deletes LLDP information about neighbors. If the port is specified, the LLDP information
received from that port is deleted.
Syntax clear lldp neighbors [port portnum]
port
Specify the port from which to clear LLDP neighbors.
portnum
Specify the port number from which to clear LLDP neighbors.
Defaults None
Access Enabled
See Also show lldp neighbors on page 582
clear lldp counters

Usage Resets all LLDP counters to zero.
Syntax clear lldp counters
Defaults None
Access Enabled
Defaults None
Examples To clear the LLDP counters, us the following command:
WLC# clear lldp counters
See Also
clear AP apnum lldp counters on page 586
585
clear AP apnum lldp counters

Usage Reset all LLDP counters to zero on the specified AP.
Syntax clear AP apnum lldp counters
Defaults None
Access Enabled
Examples To reset the LLDP counters, us the following command:
WLC# clear AP apnum lldp counters
See Also
show ap lldp num counters on page 584
586
File Management Commands

Use file management commands to manage system files and to display software and boot information.
This chapter presents file management commands alphabetically. Use the following table to locate
Software Version
reset system on page 599

Boot Settings
set boot partition on page 603

set boot configuration-file on page 603
set boot backup-configuration on page 602
clear boot config on page 589
clear boot backup-configuration on page 589
File Management
dir on page 592

copy on page 589
md5 on page 597
delete on page 592
mkdir on page 598
rmdir on page 601
Configuration File

load config on page 596
System Backup and

Restore
backup on page 587

restore on page 600
backup
Usage Creates an archive of MX system files and optionally, user file, in Unix tape archive (tar)
format.
587
Syntax backup system [tftp:/ip-addr/]filename [all | critical]

[tftp:/ip-addr/]filename
Name of the archive file to create. You can store the file locally in
the switchs nonvolatile storage or on a TFTP server.
all
Backs up system files and all the files in the user files area.
The user files area contains the set of files listed in the file
section of dir command output.
critical
Backs up system files only, including the configuration file used

when booting, and certificate files. The size of an archive
created by this option is generally 1MB or less.
Defaults The default is all.

Access Enabled.
Usage You can create an archive located on a TFTP server or in the nonvolatile storage of the
MX. If you specify a TFTP server as part of the filename, the archive is copied directly to the TFTP
server and not stored locally on the MX.
Use the critical option if you want to back up or restore only the system-critical files required to
operate and communicate with the MX. Use the all option if you also want to back up or restore
WebAAA pages, backup configuration files, image files, and any other files stored in the user files
area of nonvolatile storage.
The maximum supported file size is 32 MB. If the file size of the tarball is too large, delete
unnecessary files (such as unneeded copies of system image files) and try again, or use the
critical option instead of the all option.
Neither option archives image files or any other files listed in the Boot section of dir command
output. The all option archives image files only if they are present in the user files area.
Archive files created by the all option are larger than files created by the critical option. The file
size depends on the files in the user area, and the file can be quite large if the user area contains
image files.
The backup command places the boot configuration file into the archive. (The boot configuration
file is the Configured boot configuration in the show boot command output.) If the running
configuration contains unsaved changes, these changes are not in the boot configuration file and
are not archived. To make sure the archive contains the configuration currently running on the MX,
use the save config command to save the running configuration to the boot configuration file,
before using the backup command.
Examples The following command creates an archive of the system-critical files and copies the
archive directly to a TFTP server. The filename in this example includes a TFTP server IP address,
so the archive is not stored locally on the switch.
MX# backup system tftp:/10.10.20.9/sysa_bak critical
success: sent 28263 bytes in 0.324 seconds [ 87231 bytes/sec]
See Also
dir on page 592
588
restore on page 600
clear boot backup-configuration

Usage Clears the filename specified as the backup configuration file. In the event that MSS
cannot read the configuration file at boot time, a backup configuration file is not used.
Syntax clear boot backup-configuration
Defaults None.
Access Enabled.
Examples The following command clears the name specified as the backup configuration file from
the configuration of the MX:
MX# clear boot backup-configuration
success: Backup boot config filename was cleared.
See Also
set boot backup-configuration on page 602
clear boot config

Usage Resets to the factory default the configuration that MSS loads during a reboot.
Syntax clear boot config
Defaults None.
Access Enabled.
Examples The following commands back up the configuration file on an MX, reset the switch to its
factory default configuration, and reboot the MX:
MX# copy configuration tftp://10.1.1.1/backupcfg
MX# clear boot config
success: Reset boot config to factory defaults.
MX# reset system force
...... rebooting ......
See Also
copy
Usage Performs the following copy operations:
Copies a file from a FTP or TFTP server to nonvolatile storage.
589
Copies a file from nonvolatile storage or temporary storage to a FTP or TFTP server.
Copies a file securely using SCP (Secure Copy Protocol).
Copies a file from one area in nonvolatile storage to another.
Copies a file to a new filename in nonvolatile storage.
Syntax copy source-url destination-url
source-url
Name and location of the file to copy. The uniform resource locator (URL) can be
one of the following:
file:[subdirname/]filename
ftp://ip-addr/[subdirname/]filename
scp://ip-addr/[subdirname/]filename
tftp://ip-addr/[subdirname/]filename
tmp:filename
For the filename, specify between 1 and 128 alphanumeric characters, with no
spaces. Enter the IP address in dotted decimal notation.
The subdirname/ option specifies a subdirectory.
destination-url
Name of the copy and the location to place the copy. The URL can be one of the
following:
file:[subdirname/]filename
ftp://ip-addr/[subdirname/]filename
scp://ip-addr/[subdirname/]filename
tftp://ip-addr/[subdirname/]filename
If you are copying a system image file into nonvolatile storage, the filename must
include the boot partition name. You can specify one of the following:
boot0:/filename
boot1:/filename
Defaults None.
Access Enabled.
History
590
Version 1.0
Command introduced
Version 1.1
Enhanced to allow copying files from one area in nonvolatile storage to

another and from one name to another in the same area
Version 3.0
Subdirectory support added
Version 7.1
FTP and SCP added as protocols.

Usage The filename and file:filename URLs are equivalent. You can use either URL to refer to a
file in an MX nonvolatile memory. The tftp://ip-addr/filename URL refers to a file on a TFTP server.
If DNS is configured on the MX, you can specify a TFTP server hostname as an alternative to
specifying the IP address.
The tmp:filename URL specifies a file in temporary storage. You can copy a file out of temporary
storage but you cannot copy a file into temporary storage. Temporary storage is reserved for use
by MSS.
If you are copying a system image file into nonvolatile storage, the filename must be preceded by
the boot partition name, which can be boot0 or boot1. Enter the filename as boot0:/filename or
boot1:/filename. You must specify the boot partition that was not used to load the currently
running image.
The maximum supported file size for TFTP is 32 MB.
Examples The following command copies a file called floormx from nonvolatile storage to a TFTP
server:
MX# copy floormx tftp://10.1.1.1/floormx
The following command copies a file called closetmx from a TFTP server to nonvolatile storage:
MX# copy tftp://10.1.1.1/closetmx closetmx
The following command copies system image MX020101.020 from a TFTP server to boot partition
1 in nonvolatile storage:
MX# copy tftp://10.1.1.107/MX020101.020 boot1:MX020101.020
........................................................................
....................................success: received 9163214 bytes in
105.939 seconds [ 86495 bytes/sec]
The following commands rename test-config to new-config by copying it from one name to the
other in the same location, then deleting test-config:
MX# copy test-config new-config
MX# delete test-config
success: file deleted.
The following command copies file corpa-login.html from a TFTP server into subdirectory corpa in
an MX switchs nonvolatile storage:
MX# copy .1.1.1/corpa-login.html corpa/corpa-login.html
success: received 637 bytes itftp://10n 0.253 seconds [ 2517 bytes/sec]
See Also
delete on page 592
dir on page 592
591
delete
Usage Deletes a file.
Warning: MSS does not prompt you to verify if you want to delete a file. When you press Enter after typing a
delete command, MSS immediately deletes the specified file.
Informational Note: MSS does not allow you to delete the currently running software image file or the
running configuration.
Syntax delete url

Filename. Specify between 1 and 128 alphanumeric characters, with no
spaces.
url
If the file is in a subdirectory, specify the subdirectory name, followed by a

forward slash, in front of the filename. For example: subdir_a/file_a.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
Subdirectory support added, to delete a file that is in a subdirectory
Usage You might want to copy the file to a TFTP server as a backup before deleting the file.
Examples The following commands copy file testconfig to a TFTP server and delete the file from
nonvolatile storage:
MX# copy testconfig tftp://10.1.1.1/testconfig
MX# delete testconfig
Examples The following command deletes file dang_doc from subdirectory dang:
MX# delete dang/dang_doc
See Also
copy on page 589
dir on page 592
dir
Usage Displays a list of the files in nonvolatile storage and temporary files.
592
Syntax dir [subdirname] | [file:] | [core:] | [boot0:] | [boot1:]

subdirname
Subdirectory name. If you specify a subdirectory name, the command lists

the files in that subdirectory. Otherwise, the command lists the files in the root
directory and also lists the subdirectories.
file:
Limits dir output to the contents of the user files area
core:
Limits dir output to the contents of the /tmp/core subdirectory
boot0:
Limits dir output to the contents of the boot0 partition
boot1:
Limits dir output to the contents of the boot1 partition
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 1.1
Enhanced to list the image files in the boot partitions and indicate the partition
that was used to load the currently running image
Version 3.0
subdirectory option added, to list the files in the specified subdirectory
Version 4.1
core:, file:, boot0:, and boot1: options added, to limit the output to the
specified category
Examples The following command displays the files in the root directory:
MX# dir
========================================================================
=======
file:
Filename
Size
file:configuration
15:02:32
48 KB
Jul 12 2005,
file:corp2:corp2cnfig
22:20:04
17 KB
Mar 14 2005,
corp_a/
19:15:48
file:dangcfg
22:20:04
old/
17:23:44
512 bytes
14 KB
512 bytes
Created
May 21 2004,
Mar 14 2005,
May 16 2004,
file:pubsconfig-april062005
21:08:30
40 KB
May 09 2005,
file:sysa_bak
19:18:44
12 KB
Mar 15 2005,
593
file:testback
16:37:18
Total:
28 KB
Apr 19 2005,
159 Kbytes used, 207663 Kbytes free
========================================================================
=======
Boot:
Filename
Size
Created
boot0:mx040100.020
15:54:08
9780 KB
Aug 23 2005,
*boot1:mx040100.020
21:09:56
9796 KB
Aug 28 2005,
Boot0: Total:
Boot1: Total:
========================================================================
=======
temporary files:
Filename
Size
core:command_audit.cur
21:11:41
37 bytes
Total:
Created
Aug 28 2005,
The following command displays the files in the old subdirectory:

MX# dir old
========================================================================
=======
file:
Filename
Size
Created
file:configuration.txt
22:55:44
3541 bytes
Sep 22 2003,
file:configuration.xml
22:55:44
24 KB
Sep 22 2003,
Total:
The following command limits the output to the contents of the user files area:
MX# dir file:
========================================================================
=======
file:
594
Filename
Size
file:configuration
15:02:32
48 KB
Created
Jul 12 2005,
file:corp2:corp2cnfig
22:20:04
corp_a/
19:15:48
17 KB
512 bytes
file:dangcfg
22:20:04
14 KB
dangdir/
17:23:44
512 bytes
Mar 14 2005,
May 21 2004,
Mar 14 2005,
May 16 2004,
file:pubsconfig-april062005
21:08:30
40 KB
May 09 2005,
file:sysa_bak
19:18:44
12 KB
Mar 15 2005,
file:testback
16:37:18
28 KB
Apr 19 2005,
Total:
The following command limits the output to the contents of the /tmp/core subdirectory:
MX# dir core:
========================================================================
=======
file:
Filename
Size
core:command_audit.cur
21:11:41
37 bytes
Total:
Created
Aug 28 2005,
The following command limits the output to the contents of the boot0 partition:
MX# dir boot0:
========================================================================
=======
file:
Filename
Size
boot0:mx040100.020
15:54:08
Total:
9780 KB
Created
Aug 23 2005,
595
Table 98 describes the fields in the dir output.

Table 98.Output for dir
Field
Description
Filename
Filename or subdirectory name.

For files, the directory name is shown in front of the filename (for example,
file:configuration). The file: directory is the root directory.
For subdirectories, a forward slash is shown at the end of the subdirectory name (for
example, old/ ).
In the boot partitions list (Boot:), an asterisk (*) indicates the boot partition from which
the currently running image was loaded and the image filename.
Size
Size in Kbytes or bytes.
Created
System time and date when the file was created or copied onto the MX.
Total
Number of kilobytes in use to store files and the number that are still free.
See Also
copy on page 589
delete on page 592
load config
Caution: This command completely removes the running configuration and replaces it with the
configuration contained in the file. Juniper Networks recommends that you save a copy of the
current running configuration to a backup configuration file before loading a new configuration.
Loads configuration commands from a file and replaces the MX running configuration with the
commands in the loaded file.
Syntax load config [url]
url

spaces.
If the file is in a subdirectory, specify the subdirectory name, followed by a
forward slash, in front of the filename. For example:
backup_configs/config_c.
Defaults The default file location is nonvolatile storage.

Informational Note: The current version supports loading a configuration file only from the MX
nonvolatile storage. You cannot load a configuration file directly from a TFTP server.
If you do not specify a filename, MSS uses the same configuration filename that was used for the
previous configuration load. For example, if the MX used configuration for the most recent
configuration load, MSS uses configuration again unless you specify a different filename. To
display the filename of the configuration file MSS loaded during the last reboot, use the show
boot command.
596
Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
Subdirectory support added, to load a file that is in a subdirectory
Usage This command completely replaces the running configuration with the configuration in the
file.
Examples The following command reloads the configuration from the most recently loaded
configuration file:
MX# load config
Reloading configuration may result in lost of connectivity, do you wish
to continue? (y/n) [n]y
success: Configuration reloaded
The following command loads configuration file testconfig1:
MX# load config testconfig1
Reloading configuration may result in lost of connectivity, do you wish
to continue? (y/n) [n]y
success: Configuration reloaded
See Also
md5
Usage Calculates the MD5 checksum for a file in the MX nonvolatile storage.
Syntax md5 [boot0: | boot1:]filename
boot0: | boot1:
Boot partition into which you copied the file.
filename
Name of the file.
Defaults None.
Access Enabled.
Usage You must include the boot partition name in front of the filename. If you specify only the
filename, the CLI displays a message stating that the file does not exist.
Examples The following command calculates the checksum for image file MX040003.020 in boot
partition 0:
pubs# md5 boot0:MX040003.020
MD5 (boot0:MX040003.020) = b9cf7f527f74608e50c70e8fb896392a
597
See Also
copy on page 589
dir on page 592
mkdir
Usage Creates a new subdirectory in nonvolatile storage.
Syntax mkdir [subdirname]
subdirname
Subdirectory name. Specify between 1 and 32 alphanumeric characters, with

no spaces.
Defaults None.
Access Enabled.
Examples The following commands create a subdirectory called corp2 and display the root
directory to verify the result:
MX# mkdir corp2
MX# dir
========================================================================
=======
file:
Filename
Size
file:configuration
18:20:53
17 KB
file:configuration.txt
18:55:17
Created
May 21 2004,
379 bytes
May 09 2004,
corp2/
19:22:09
512 bytes
May 21 2004,
corp_a/
19:15:48
512 bytes
May 21 2004,
file:dangcfg
18:30:44
13 KB
May 16 2004,
dangdir/
17:23:44
512 bytes
May 16 2004,
old/
21:58:48
512 bytes
Sep 23 2003,
Total:
========================================================================
=======
Boot:
598
Filename
Size
*boot0:bload
19:02:16
Created
746 KB
May 09 2004,
*boot0:mx030000.020
18:58:16
8182 KB
May 09 2004,
boot1:mx030000.020
18:01:02
8197 KB
May 21 2004,
Boot0: Total:
Boot1: Total:
========================================================================
=======
temporary files:
Filename
Total:
Size
Created
See Also
dir on page 592
rmdir on page 601
reset system
Usage Restarts an MX and reboots the software.
Syntax reset system [force]
force
Immediately restarts the system and reboots, without comparing the running
configuration to the configuration file.
Defaults None.
Access Enabled.
Usage If you do not use the force option, the command first compares the running configuration
to the configuration file. If the running configuration and configuration file do not match, MSS does
not restart the MX but instead displays a message advising you to either save the configuration
changes or use the force option.
Examples The following command restarts an MX that does not have any unsaved configuration
changes:
MX# reset system
This will reset the entire system. Are you sure (y/n)y
The following commands attempt to restart an MX switch with a running configuration with
unsaved changes, and then force the MX to restart:
MX# reset system
error: Cannot reset, due to unsaved configuration changes. Use "reset
system force" to override.
599
MX# reset system force

...... rebooting ......
See Also
restore
Usage Unzips a system archive created by the backup command and copies the files from the
archive onto the switch.
Syntax restore system [tftp:/ip-addr/]filename [all | critical] [force]
[tftp:/ip-addr/]filename
Name of the archive file to load. The archive can be located in the
MX nonvolatile storage or on a TFTP server.
all
Restores system files and the user files from the archive.
critical
Restores system files only, including the configuration file used

when booting, and certificate files.
force
Replaces files on the MX with those in the archive, even if the MX is not the same
as the one from which the archive was created.
CAUTION! Do not use this option unless advised to do so by Juniper Networks
TAC. If you restore MX system files from one MX onto another MX, you must
generate new key pairs and certificates on the MX.
Defaults The default is critical.

Access Enabled.
Usage If a file in the archive has a counterpart on the switch, the archive version of the file
replaces the file on the MX. The restore command does not delete files that do not have
counterparts in the archive. For example, the command does not completely replace the user files
area. Instead, files in the archive are added to the user files area. A file in the user area is replaced
only if the archive contains a file with the same name.
Informational Note: If the archives files cannot fit on the MX, the restore operation fails. Juniper
Networks recommends deleting unneeded image files before creating or restoring an archive.
The backup command stores the MAC address of the switch in the archive. By default, the
restore command works only if the MAC address in the archive matches the MAC address of the
switch where the restore command is entered. The force option overrides this restriction and
allows you to unpack an archive from one MX onto another MX.
Informational Note: Do not use the force option unless you are certain you want to replace the MX
files with files from another MX. If you restore one MX system files onto another MX, you must generate
new key pairs and certificates on the MX.
600
If the configuration running on the MX is different from the one in the archive or you renamed the
configuration file, and you want to retain changes made after the archive was created, see the
Managing System Files chapter of the Juniper Mobility System Software Configuration Guide.
Examples The following command restores system-critical files on a MX from archive sysa_bak:
MX# restore system tftp:/10.10.20.9/sysa_bak
success: restore complete.
See Also backup on page 587
rmdir
Usage Removes a subdirectory from nonvolatile storage.
Syntax rmdir [subdirname]
Subdirectory name. Specify between 1 and 32 alphanumeric characters,
with no spaces.
subdirname
Defaults None.
Access Enabled.
Usage MSS does not allow the subdirectory to be removed unless it is empty. Delete all files from
the subdirectory before attempting to remove it.
Examples The following example removes subdirectory corp2:
MX# rmdir corp2
See Also
dir on page 592
mkdir on page 598
save config
Usage Saves the running configuration to a configuration file.
Syntax save config [filename]
filename
Name of the configuration file. Specify between 1 and 128 alphanumeric

characters, with no spaces.
To save the file in a subdirectory, specify the subdirectory name, followed by
a forward slash, in front of the filename. For example:
Defaults By default, MSS saves the running configuration as the configuration filename used
during the last reboot.
Access Enabled.
601
History
Version 1.0
Command introduced
Version 3.0
Subdirectory support added, to save the configuration file to a subdirectory
Usage If you do not specify a filename, MSS replaces the configuration file loaded during the most
recent reboot. To display the filename of the configuration file MSS loaded during the most recent
reboot, use the show boot command.
The command completely replaces the specified configuration file with the running configuration.
Examples The following command saves the running configuration to the configuration file loaded
during the most recent reboot. In this example, the filename used during the most recent reboot is
configuration.
MX# save config
Configuration saved to configuration.
The following command saves the running configuration to a file named testconfig1:
MX# save config testconfig1
Configuration saved to testconfig1.
See Also
set boot backup-configuration

Usage Specifies the name of a backup configuration file to be used if the current configuration file
cannot be read by the MX at boot time.
Syntax set boot backup-configuration filename
filename
Name of the file to use as a backup configuration file if MSS cannot read the MX configuration file.
Defaults By default, there is no backup configuration file.

Access Enabled.
Examples The following command specifies a file called backup.cfg as the backup configuration
file on the MX:
MX# set boot backup-configuration backup.cfg
success: backup boot config filename set.
See Also
clear boot backup-configuration on page 589
602
set boot configuration-file

Usage Changes the configuration file to load after rebooting.
Syntax set boot configuration-file filename
filename

spaces.
To load the file from a subdirectory, specify the subdirectory name, followed
by a forward slash, in front of the filename. For example:
Defaults The default configuration filename is configuration.

Access Enabled.
History
Version 1.0
Command introduced
Version 3.0
Subdirectory support added, to load a configuration file from a subdirectory
Usage The file must be located in the MX nonvolatile storage.

Examples The following command sets the boot configuration file to testconfig1:
MX# set boot configuration-file testconfig1
success: boot config set.
set boot partition

Specifies the boot partition in which to look for the system image file following the next system reset,
software reload, or power cycle.
Syntax set boot partition {boot0 | boot1}
boot0
Boot partition 0.
boot1
Boot partition 1.
Defaults By default, an MX uses the same boot partition for the next software reload that was
used to boot the currently running image.
Access Enabled.
Usage To determine the boot partition used to load the currently running software image, use the
dir command.
Examples The following command sets the boot partition for the next software reload to partition 1:
MX# set boot partition boot1
success: Boot partition set to boot1.
See Also
copy on page 589
603
dir on page 592

show boot
Usage Displays the system image and configuration filenames used after the last reboot and
configured for use after the next reboot.
Syntax show boot
Defaults None.
Access Access.
History
Version 1.0
Command introduced
Version 1.1
The following fields were removed because they are not applicable in 1.1:
Last boot status
Unpacking status
Version 2.1
New field, Product model, added
Version 4.1
New fields, Configured boot version and Backup boot configuration, added
Examples The following command shows the boot information for an MX:
MX# show boot
Configured boot version:
4.1.0.65
Configured boot image:
boot1:mx040100.020
Configured boot configuration:
file:configuration
Backup boot configuration:
file:backup.cfg
Booted version:
4.1.0.65
Booted image:
boot1:mx040100.020
Booted configuration:
file:configuration
Product model:
MX
Table 99 describes the fields in the show boot output.

Table 99.Output for show boot
Field
Description
Configured boot version
Software version the MX runs when the software is rebooted.
Configured boot image
Boot partition and image filename MSS uses to boot when the software is rebooted.
Configured boot configuration
Configuration filename MSS uses to boot when the software is rebooted.
Backup boot configuration
The name of the configuration file to be used in the event that MSS cannot read the
configured boot configuration file next time the software is rebooted.
Booted version
604
Software version the MX is running.
Table 99.Output for show boot (continued)

Field
Description
Booted image
Boot partition and image filename MSS used the last time the software was rebooted.
MSS is running this software image.
Booted configuration
Configuration filename MSS used to load the configuration the last time the software
was rebooted.
See Also
clear boot config on page 589
set boot configuration-file on page 603
show config
Usage Displays the configuration running on the MX.
Syntax show config [all | cluster | local] [area area]
area area
Configuration area. You can specify one of the following:

aaa
acls
ap
ap-trace
arp
eapol
httpd
ip
ip-config
l2acl
load-balancing
log
mobility-domain
network-domain
ntp
port-group
port config
qos
radio-profile
rfdetect
service-profile
sm
605
snmp
snoop
spantree
system
trace
vlan
vlan-fdb
vlan-profile
If you do not specify a configuration area, nondefault information for all
areas is displayed.
cluster
Displays only the cluster configuration on the MX.
local
Displays only the local configuration on the MX.
all
Includes configuration items set to the default values.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 2.1
New comment added to the comments at top of the file, to list the model number
Version 3.0
New options added for area:

radio-profile
rfdevice
service-profile
rf-detection option removed. (Use rfdevice instead.)
Version 4.0
New options added for remote traffic monitoring: snoop

rfdevice changed to rfdetect
Version 4.1
New options added: l2acl, network-domain, and qos
Version 4.2
Option portgroup renamed to port-group for consistency with clear port-group,

set port-group, and show port-group commands.
Version 7.0
Added the options cluster and local to support Virtual Controller Cluster
configuration.
Usage If you do not use one of the optional parameters, configuration commands that set
nondefault values are displayed for all configuration areas. If you specify an area, commands are
displayed for that area only. If you use the all option, the display also includes commands for
configuration items that are set to the default values.
Examples The following command shows configuration information for VLANs:
MX# show config area vlan
606
# Configuration nvgen'd at 2004-5-21 19:36:48

# Image 3.0.0
# Model MX
# Last change occurred at 2004-5-21 18:20:50
set vlan 1 port 1
See Also
show version
Usage Displays software and hardware version information for an MX and, optionally, for any
attached MPs.
Syntax show version [details]
Includes additional software build information and information about the MP
configured on the MX.
details
Defaults None
Access All.
History
Version 1.0
Command introduced
Version 2.1
Label of Port field in detailed display modified to Port/DAP
Examples The following command displays version information for an MX:

MX# show version
Mobility System Software, Version: 4.1.0 QA 67
Copyright (c) 2002, 2003, 2004, 2005 Trapeze Networks, Inc. All
rights reserved.
Build Information: (build#67) TOP 2005-07-21 04:41:00
Model:
MX
Hardware
Mainboard:
version 24 ; revision 3 ; FPGA version 24
PoE board:
version 1 ; FPGA version 6
Serial number
0321300013
Flash:
4.1.0.14
Kernel:
3.0.0#20: Fri May 20 17:43:51 PDT 2005
BootLoader:
4.10 / 4.1.0
- md0a
The following command displays additional software build information and MP information:
607
MX# show version details

Mobility System Software, Version: 4.1.0 QA 67
Copyright (c) 2002, 2003, 2004, 2005 Trapeze Networks, Inc. All
rights reserved.
Build Information: (build#67) TOP 2005-07-21 04:41:00
Label:
4.1.0.67_072105_MX20
Build Suffix:
-d-O1
Model:
MX
Hardware
Mainboard:
version 24 ; revision 3 ; FPGA version 24
CPU Model:
750 (Revision 3.1)
PoE board:
version 1 ; FPGA version 6
Serial number
0321300013
Flash:
4.1.0.14
Kernel:
3.0.0#20: Fri May 20 17:43:51 PDT 2005
BootLoader:
4.10 / 4.1.0
Port/ AP AP Model
- md0a
Serial #
Versions
-------- ---------- -------------- -----------------------11
/-
MP-352
0424902948
H/W
: A
F/W1 : 5.6
F/W2 : 5.6
S/W
: 4.1.0.67_072105_0432__AP
BOOT S/W : 4.0.3.15_062705_0107__AP
608
Table 100 describes the fields in the show version output.

Table 100.Output for show version
Field
Description
Build Information
Factory timestamp of the image file.
Label
Software version and build date.
Build Suffix
Build suffix.
Model
Build model.
Hardware
Version information for the MX motherboard and Power over Ethernet (PoE) board.
Serial number
Serial number of the MX.
Flash
Flash memory version.
Kernel
Kernel version.
BootLoader
Boot code version.
Port/AP
Port number connected to an MP.
AP Model
MP model number.
Serial #
MP serial number.
Versions
MP hardware, firmware, and software versions.
See Also show boot on page 604
609
610
Trace Commands
Use trace commands to perform diagnostic routines. While MSS allows you to run many types of traces,
this chapter describes commands for those traces you are most likely to use. For a complete listing of the
types of traces MSS allows, type the set trace ? command.
Warning: Using the set trace command can have adverse effects on system performance. Juniper Networks
recommends that you use the lowest levels possible for initial trace commands, and slowly increase the levels
to get the data you need.
This chapter presents trace commands alphabetically. Use the following table to locate commands in this
chapter based on their use.
Trace
set trace sm on page 615

set trace dot1x on page 614
set trace authentication on page 613
set trace authorization on page 613
show trace on page 616
save trace on page 612
clear log trace on page 611
clear log trace

Usage Deletes the log messages stored in the trace buffer.
Syntax clear log trace
Defaults None.
Access Enabled.
Examples To delete the trace log, type the following command:
MX# clear log trace
See Also
set log on page 628
show log buffer on page 630
clear trace
Usage Deletes running trace commands and ends trace processes.
611
Syntax clear trace {trace-area | all}

trace-area
Ends a particular trace process. Specify one of the following keywords to end the
traces documented in this chapter:
authorizationEnds an authorization trace
dot1xEnds an 802.1X trace
authenticationEnds an authentication trace
smEnds a session manager trace
all
Ends all trace processes.
Defaults None.
Access Enabled.
Examples To clear all trace processes, type the following command:
MX# clear trace all
success: clear trace all
To clear the session manager trace, type the following command:
MX# clear trace sm
success: clear trace sm
See Also
save trace
Usage Saves the accumulated trace data for enabled traces to a file in the MX nonvolatile
storage.
Syntax save trace filename
filename
Name for the trace file. To save the file in a subdirectory, specify the subdirectory
name, then a slash. For example: traces/trace1
Defaults None.
Access Enabled.
Examples To save trace data into the file trace1 in the subdirectory traces, type the following
command:
MX# save trace traces/trace1
612
Trace Commands
set trace authentication

Usage Traces authentication information.
Syntax set trace authentication [ip-addr ip address] [mac-addr mac-address]
[port port-num] [user username] [level level]
ip-addr ip address
Specify an IP address in the IPv4 format.
mac-addr mac-address
Traces a MAC address. Specify a MAC address, using colons to

separate the octets (for example, 00:11:22:aa:bb:cc).
port port-num
Traces a port number. Specify an MX port number between 1 and 22.
user username
Traces a user. Specify a username of up to 32 alphanumeric

level level
Determines the quantity of information included in the output. You

can set the level with an integer from 1 to 10, where level 10
provides the most information. Levels 1 through 5 provide
user-readable information. If you do not specify a level, level 5 is the
default.
Defaults The default trace level is 5.

Access Enabled.
History
MSS Version 1.0
Command introduced.
MSS Version 7.0
The option ip-addr was added.

Examples The following command starts a trace for information about user jose authentication:
MX# set trace authentication user jose
See Also
clear trace on page 611
set trace authorization

Usage Traces authorization information.
Syntax set trace authorization [ip-addr ip address][mac-addr mac-address]
[port port-num] [user username] [level level]
ip-addr ip address

port port-num
Traces a port number. Specify an MX port number between 1 and 22.
613
user username

level level

default.

Access Enabled..
MSS Version 1.0
Command introduced.
MSS Version 7.0
Examples The following command starts a trace for information for authorization for MAC address
00:01:02:03:04:05:
MX# set trace authorization mac-addr 00:01:02:03:04:05
See Also
set trace dot1x

Usage Traces 802.1X sessions.
Syntax set trace dot1x [ip-addr ip address][mac-addr mac-address] [port port-num]
[user username] [level level]
ip-addr ip address

port port-num
Traces a port number. Specify an MX port number between 1 and

22.
user username

level level

default.

Access Enabled.
614
Trace Commands
History
MSS Version 1.0
Command introduced.
MSS Version 7.0
Examples The following command starts a trace for the 802.1X sessions for MAC address
00:01:02:03:04:05:
MX# set trace dot1x mac-addr 00:01:02:03:04:05:
See Also
set trace sm
Usage Traces session manager activity.
Syntax set trace sm [ip-addr ip address][mac-addr mac-address] [port port-num]
[user username] [level level]
ip-addr ip address

port port-num
Traces a port number. Specify an MX port number between 1 and

22.
user username

characters, with no spaces.
level level

default.

Access Enabled.
History .
MSS Version 1.0
Command introduced.
MSS Version 7.0
615
Examples Type the following command to trace session manager activity for MAC address
00:01:02:03:04:05:
MX# set trace sm mac-addr 00:01:02:03:04:05:
See Also
show trace
Usage Displays information about traces that are currently configured on the MX, or all possible
trace options.
Syntax show trace [all]
all
Displays all possible trace options and their configuration.
Defaults None.
Access Enabled.
Examples To view the traces currently running, type the following command:
MX# show trace
milliseconds spent printing traces: 1885.614
Trace Area
Filter
Level Mac
User
Port
-------------------- ----- ----------------- ----------------- ---dot1x

0
sm
0
See Also
616
Snoop Commands
Use snoop commands to monitor wireless traffic, by using an MP as a sniffing device. The MP copies the
sniffed 802.11 packets and sends the copies to an observer, typically a protocol analyzer such as Ethereal
or Tethereal.
(For more information, including setup instructions for the monitoring station, see the Remotely Monitoring
Traffic section in the Troubleshooting an MX Switch chapter of the Trapeze Mobility System Software
Configuration Guide.)
This chapter presents snoop commands alphabetically. Use the following table to locate commands in this
chapter based on their use.
clear snoop on page 617
clear snoop map on page 618
Remote monitoring
(snooping)
set snoop on page 618

set snoop map on page 621
set snoop mode on page 622
new
set snoop transmitter on page 622

show snoop info on page 624
show snoop map on page 624
show snoop on page 623
show snoop stats on page 625
clear snoop
Usage Deletes a snoop filter.
Syntax clear snoop filter-name
filter-name
Name of the snoop filter.
Defaults None.
Access Enabled.
Examples The following command deletes snoop filter snoop1:
MX# clear snoop snoop1
See Also
617
clear snoop map

Usage Removes a snoop filter from an MP radio.
Examples clear snoop map filter-name ap apnum radio {1 | 2}
filter-name
ap apnum
Number of an MP to which to snoop filter is mapped.
radio 1
Radio 1 of the MP.
radio 2
Defaults None.
Access Enabled.
Examples The following command removes snoop filter snoop2 from radio 2 on Distributed MP 3:
MX# clear snoop map snoop2 ap 3 radio 2
The following command removes all snoop filter mappings from all radios:
MX# clear snoop map all
See Also
set snoop
Usage Configures a snoop filter.
618
Snoop Commands
Syntax set snoop filter-name [condition-list] [observer ip-addr] [snap-length num]

filter-name
Name for the filter. The name can be up to 15 alphanumeric characters, with
no spaces.
condition-list
Match criteria for packets. Conditions in the list are ANDed. Therefore, to be
copied and sent to an observer, a packet must match all criteria in the
condition-list. You can specify up to eight of the following conditions in a filter,
in any order or combination:
frame-type {eq | neq} {beacon | control | data | management | probe}
channel {eq | neq} channel
bssid {eq | neq} bssid
src-mac {eq | neq | lt | gt} mac-addr
dest-mac {eq | neq | lt | gt} mac-addr
host-mac {eq | neq | lt | gt} mac-addr
mac-pair mac-addr1 mac-addr2
direction {eq | neq} {transmit | receive}
To match on packets to or from a specific MAC address, use the dest-mac or
src-mac option. To match on both send and receive traffic for a host
address, use the host-mac option. To match on a traffic flow (source and
destination MAC addresses), use the mac-pair option. This option matches
for either direction of a flow, and either MAC address can be the source or
destination address.
If you omit a condition, all packets match that condition. For example, if you
omit frame-type, all frame types match the filter.
For most conditions, you can use eq (equal) to match only on traffic that
matches the condition value. Use neq (not equal) to match only on traffic that
is not equal to the condition value.
The src-mac, dest-mac, and host-mac conditions also support lt (less than)
and gt (greater than).
observer ip-addr Specifies the IP address of the station where the protocol analyzer is located.
If you do not specify an observer, the MP radio still counts the packets that
match the filter.
619
snap-length
num
Specifies the maximum number of bytes to capture. If you do not specify a

length, the entire packet is copied and sent to the observer. Juniper
Networks recommends specifying a snap length of 100 bytes or less.
tx-mode
Configured as either tzsp or batched-tzsp:

tzsp - captured packets are transmitted to the observer as soon as they
are captured by the filter. This is the default value.
batched-tzsp - captured packets are batched together in a single packet
and transmitted to the observer.
Defaults No snoop filters are configured by default.

Access Enabled.
History
Version 4.0
Command introduced
Version 5.0
New Boolean operators: lt (less than) and gt (greater than). The new
options apply to src-mac, dest-mac, and host-mac.
Version 6.0
Direction filter added.
Version 7.5
tx-mode added.
Usage Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear)
version is sent to the observer.
For best results:
Do not specify an observer that is associated with the MP configured with the snoop filter. This
configuration causes an endless cycle of snoop traffic.
If the snoop filter is running on a Distributed MP, and the MP used a DHCP server in its local
subnet to configure the IP information, and the MP did not receive a default router (gateway)
address as a result, the observer must also be in the same subnet. Without a default router, the
MP cannot find the observer.
The MP with a snoop filter forwards snooped packets directly to the observer. This is a one-way
communication, from the MP to the observer. If the observer is not present, the MP still sends
the snoop packets, which uses bandwidth. If the observer is present but is not listening to TZSP
traffic, the observer continuously sends ICMP error indications back to the MP. These ICMP
messages can affect network and MP performance.
Examples The following command configures a snoop filter named snoop1 that matches on all
traffic, and copies the traffic to the device that has IP address 10.10.30.2:
MX# set snoop snoop1 observer 10.10.30.2 snap-length 100
The following command configures a snoop filter named snoop2 that matches on all data traffic
between the device with MAC address aa:bb:cc:dd:ee:ff and the device with MAC address
11:22:33:44:55:66, and copies the traffic to the device that has IP address 10.10.30.3:
MX# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff
11:22:33:44:55:66 observer 10.10.30.3 snap-length 100
620
Snoop Commands
The following command captured 802.11 packets to small sizes to make wired header information
more significant by compacting multiple frame headers into a single UDP packet which reduces
the overhead of UDP/IP headers and the packet forwarding load within the network.
set snoop filter filter-name {condition-list} {observer ip-addr}
where
{observer ip-addr}
is the snoop observer configured using the next command:
set snoop observer ip-addr { snap-length length}|{interval interval}|
{transmission-mode tx-mode}
set snoop map

Usage Maps a snoop filter to a radio on an MP. A snoop filter does not take effect until you map it
to a radio and enable the filter.
Syntax set snoop map filter-name ap apnum radio {1 | 2}
filter-name
ap ap-num
Number of an MP to which to map the snoop filter.
radio 1
Radio 1 of the MP.
radio 2
Defaults Snoop filters are unmapped by default.

Access Enabled.
Usage You can map the same filter to more than one radio. You can map up to eight filters to the
same radio. If more than one filter has the same observer, the MP sends only one copy of a packet
that matches a filter to the observer. After the first match, the MP sends the packet and stops
comparing the packet against other filters for the same observer.
If the filter does not have an observer, the MP still maintains a counter of the number of packets
that match the filter. (See show snoop stats on page 625.)
Examples The following command maps snoop filter snoop1 to radio 2 on MP 3:
MX# set snoop map snoop1 ap 3 radio 2
See Also
621

set snoop mode

Usage Enables a snoop filter. A snoop filter does not take effect until you map it to an MP radio
and enable the filter.
The filter mode is retained even if you disable and reenable the radio, or restart the MP or the MX
switch. Once the filter is enabled, you must use the disable option to disable it.
Examples set snoop {filter-name | all} mode {enable | disable}
filter-name | all}
Name of the snoop filter. Specify all to enable all snoop filters.
enable
Enables the snoop filter.
disable
Disables the snoop filter.
Defaults Snoop filters are disabled by default.

Access Enabled.
History
Version 4.0
Command introduced
Version 6.0
Removed stop-after option.

Filter mode made persistent across restarts
Examples The following command enables snoop filter snoop1:

MX# set snoop snoop1 mode enable
success: filter 'snoop1' enabled
See Also
set snoop transmitter

Usage Allows the exclusion of packets transmitted by MPs in a Mobility Domain.
622
Snoop Commands
Syntax set snoop-filter name transmitter-type [eq | neq] member-ap

filter-name
transmitter-type
Sets the transmitter type.
member-ap
The Mobility Domain.
Defaults None.
Access Enabled.
Examples To configure a snoop filter that allows you to filter all packets transmitted by MPs that
are members of a mobility domain, use the following command:
MX# set snoop-filter name transmitter-type [eq | neq] member-ap
show snoop
Usage Displays the MP radio mapping for all snoop filters. To display the mappings for a specific
MP radio, use the show snoop map command.
Syntax show snoop
Defaults None.
Access Enabled.
Examples The following command shows the MP radio mappings for all snoop filters configured
on an MX switch:
MX# show snoop
AP: 3
Radio: 2
snoop1
snoop2
AP: 2
Radio: 2
snoop2
The following example shows transmission mode output:

MX# show snoop info observer 192.168.100.1
192.168.100.1:
snap-length 60
interval 1000
transmission-mode: batched-tzsp
See Also
set snoop transmitter on page 622
623
show snoop info

Usage Shows the configured snoop filters.
Syntax show snoop filter-name
filter-name
Defaults None.
Access Enabled.

Examples The following command shows the snoop filters configured in the examples above:
MX# show snoop info
snoop1:
observer 10.10.30.2 snap-length 100
all packets
snoop2:
observer 10.10.30.3 snap-length 100
frame-type eq data
mac-pair (aa:bb:cc:dd:ee:ff, 11:22:33:44:55:66)
See Also
show snoop map

Usage Shows the MP radios mapped to a specific snoop filter. To display the mappings for all
snoop filters, use the show snoop command.
Examples
Syntax show snoop map filter-name
filter-name
Defaults None.
Access Enabled.

The following command shows the mapping for snoop filter snoop1:
MX# show snoop map snoop1
filter 'snoop1' mapping
AP: 3
Radio: 2
See Also
624
Snoop Commands
show snoop stats

Usage Displays statistics for enabled snoop filters.
Examples show snoop stats [filter-name [ap-num [radio {1 | 2}]]
filter-name
ap ap-num
Number of an MP to which the snoop filter is mapped.
radio 1
Radio 1 of the MP.
radio 2
Defaults None.
Access Enabled.
Usage The MP retains statistics for a snoop filter until the filter is changed or disabled. The MP
then clears the statistics.
Examples The following command shows statistics for snoop filter snoop1:
MX# show snoop stats snoop1
Filter
AP Radio
Rx Match
Tx Match
Dropped
===================================================================
snoop1
96

Table 101.show snoop status Output Fields
Field
Description
Filter
AP
MP containing the radio that the filter is mapped.
Radio
Radio to which the filter is mapped.
Rx Match
Number of packets received by the radio that match the filter.
Tx Match
Number of packets sent by the radio that match the filter.
Dropped
Number of packets that matched the filter but that were not copied to the observer
due to memory or network problems.
625
626
System Log Commands

Use the system log commands to record information for monitoring and troubleshooting. MSS system logs
are based on RFC 3164, which defines the log protocol.
This chapter presents system log commands alphabetically. Use the following table to locate commands in
this chapter based on their use.
System Logs
set log on page 628

set log mark on page 630
show log buffer on page 630
show log config on page 632
show log trace on page 633
clear log on page 627
clear log
Usage Clears the log messages stored in the log buffer, or removes the configuration for a syslog
server and stops sending log messages to that server.
Syntax clear log [buffer | server ip-addr
buffer
Deletes the log messages stored in nonvolatile storage.
server ip-addr
Deletes the configuration for and stops sending log messages to the syslog
server at this IP address. Specify an address in dotted decimal notation.
Defaults None.
Access Enabled.
Examples To stop sending system logging messages to a server at 192.168.253.11, type the
following command:
MX# clear log server 192.168.253.11
Type the following command to clear all messages from the log buffer:
MX# clear log buffer
See Also
clear log trace on page 611
set log on page 628
627
set log
Usage Enables or disables logging of MX and MP events to the MX log buffer or other logging
destination and sets the level of the events logged. For logging to a syslog server only, you can
also set the facility logged.
Syntax set log {buffer | console | current | sessions | trace} [severity
severity-level] [enable | disable]
set log server ip-addr [port port-number] severity severity-level [local-facility

facility-level]
buffer
Sets log parameters for the log buffer in nonvolatile storage.
console
Sets log parameters for console sessions.
current
Sets log parameters for the current Telnet or console session. These
settings are not stored in nonvolatile memory.
server ip-addr
Sets log parameters for a syslog server. Specify an address in dotted

decimal notation.
sessions
Sets the default log values for Telnet sessions. You can set defaults for the
following log parameters:
Severity
Logging state (enabled or disabled)
To override the session defaults for an individual session, type the set log
command from within the session and use the current option.
trace
Sets log parameters for trace files.
port port-number
Sets the TCP port for sending messages to the syslog server. You can
specify a number from 1 to 65535. The default syslog port is 514.
severity
severity-level
Logs events at a severity level greater than or equal to the level specified.
Specify one of the following:
emergencyThe MX is unusable.
alertAction must be taken immediately.
criticalYou must resolve the critical conditions. If the conditions are
not resolved, the MX can reboot or shut down.
errorThe MX is missing data or is unable to form a connection.
warningA possible problem exists.
noticeEvents that potentially can cause system problems have
occurred. These are logged for diagnostic purposes. No action is
required.
infoInformational messages only. No problem exists.
debugOutput from debugging.
628
System Log Commands
local-facility For messages sent to a syslog server, maps all messages of the severity
facility-level
you specify to one of the standard local log facilities defined in RFC 3164.
You can specify one of the following values:
0maps all messages to local0.
If you do not specify a local facility, MSS sends the messages with their
default MSS facilities. For example, AAA messages are sent with facility 4
and boot messages are sent with facility 20 by default.
enable
Enables messages to the specified target.
disable
Disables messages to the specified target.
Defaults
Events at the error level and higher are logged to the MX console.
Events at the error level and higher are logged to the MX system buffer.
Trace logging is enabled, and debug-level output is stored in the MX trace buffer.
Access Enabled.
History
Version 1.0
Command introduced
Version 4.2
Option port added.
Usage Using the command with only enable or disable turns logging on or off for the target at all
levels. For example, entering set log buffer enable with no other keywords turns on logging to the
system buffer of all facilities at all levels. Entering set log buffer disable with no other keywords
turns off all logging to the buffer.
Examples To log only emergency, alert, and critical system events to the console, type the
following command:
MX# set log console severity critical enable
See Also
629
set log mark

Usage Configures MSS to generate mark messages at regular intervals. The mark messages
indicate the current system time and date. Juniper Networks can use the mark messages to
determine the approximate time when a system restart or other event causing a system outage
occurred.
Syntax set log mark [enable | disable] [severity level]
[interval interval]
enable
Enables the mark messages.
disable
Disables the mark messages.
severity level
Log severity at which the messages are logged:

emergency
alert
critical
error
warning
notice
info
debug
interval interval
Interval at which MSS generates the mark messages. You can specify
from 1 to 2147483647 seconds.
Defaults Mark messages are disabled by default. When messages are enabled, MSS generates
a message at the notice level once every 300 seconds by default.
Access Enabled.
Examples The following command enables mark messages:
MX# set log mark enable
See Also show log config on page 632
set log trace mbytes

This command is deprecated in MSS Version 4.0.
show log buffer

Usage Displays system information stored in the nonvolatile log buffer or the trace buffer.
Syntax show log buffer [{+|-}number-of-messages] [facility facility-name]
[matching string] [severity severity-level]
buffer
630
Displays the log messages in nonvolatile storage.
System Log Commands
+|-number-of-messages
Displays the number of messages specified as follows:

A positive number (for example, +100), displays that number of
log entries starting from the oldest in the log.
A negative number (for example, -100) displays that number of log
entries starting from newest in the log.
facility facility-name
Area of MSS that is sending the log message. Type a space and a
question mark (?) after show log buffer facility for a list of valid
facilities.
matching string
Displays messages that match a stringfor example, a username or

IP address.
severity severity-level
Displays messages at a severity level greater than or equal to the

level specified. Specify one of the following:
emergencyThe MX is unusable.
criticalYou must resolve the critical conditions. If the conditions
are not resolved, the MX can reboot or shut down.
required.
Defaults None.
Access Enabled.
History
Version 1.0
Command introduced
Version 5.0
Option COPP removed. The option is not applicable to MSS Version 5.0.
Usage The debug level produces a lot of messages, and many can appear to be cryptic. Debug
messages are used primarily by Juniper Networks for troubleshooting and are not intended for
administrator use.
Examples Type the following command to see the facilities that you can view event messages
archived in the buffer:
MX# show log buffer facility ?
631
<facility name>
Select one of: KERNEL, AAA, SYSLOGD, ACL,
APM, ARP, ASO, BOOT, CLI, CLUSTER, CRYPTO, DOT1X, NET, ETHERNET,
GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP, RAND, RESOLV, RIB, ROAM,
ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL, TELNET,
TFTP, TLS, TUNNEL, VLAN, X509, XML, MP, RAPDA, WEBVIEW, EAP, FP, STAT,
SSHD, SUP, DNSD, CONFIG, BACKUP.
The following command displays logged messages for the AAA facility:
MX# show log buffer facility AAA
AAA Jun. 25 09:11:32.579848 ERROR AAA_NOTIFY_ERR: AAA got SM special
event (98) on locality 3950 which is gone
See Also
show log config

Usage Displays log configuration information.
Syntax show log config
Defaults None.
Access Enabled.
Examples To display how logging is configured, type the following command:
MX# show log config
632
Logging console:
disabled
Logging console severity:
DEBUG
Logging sessions:
disabled
Logging sessions severity:
INFO
Logging buffer:
enabled
Logging buffer severity:
WARNING
Logging trace:
enabled
Logging trace severity:
DEBUG
Logging buffer size:
10485760 bytes
Log marking:
disabled
Log marking severity:
NOTICE
Log marking interval:
300 seconds
Logging server:
172.21.12.19 port 514 severity EMERGENCY
Current session:
disabled
Current session severity:
INFO
System Log Commands
See Also
set log on page 628
show log trace

Usage Displays system information stored in the nonvolatile log buffer or the trace buffer.
Syntax show log trace [{+|-|/}number-of-messages] [facility facility-name]
[matching string] [severity severity-level]
trace
Displays the log messages in the trace buffer.
+|-|/number-of-messag Displays the number of messages specified as follows:

es
A positive number (for example, +100), displays that number of log
entries starting from the oldest in the log.
A negative number (for example, -100) displays that number of log
entries starting from newest in the log.
A number preceded by a slash (for example, /100) displays that
number of the most recent log entries in the log, starting with the
least recent.
facility
facility-name
Area of MSS that is sending the log message. Type a space and a
question mark (?) after show log trace facility for a list of valid facilities.
matching string
Displays messages that match a stringfor example, a username or IP

address.
severity
severity-level
Displays messages at a severity level greater than or equal to the level

specified. Specify one of the following:
emergencyThe MX switch is unusable.
criticalYou must resolve the critical conditions. If the conditions are
not resolved, the MX can reboot or shut down.
required.
Defaults None.
Access Enabled.
633
History
Version 1.0
Command introduced
Version 5.0
Option COPP removed. The option is not applicable to MSS Version 5.0.
Examples Type the following command to see the facilities for which you can view event
messages archived in the buffer:
MX# show log trace facility ?
<facility name>
Select one of: KERNEL, AAA, SYSLOGD, ACL,
APM, ARP, ASO, BOOT, CLI, CLUSTER, CRYPTO, DOT1X, ENCAP, ETHERNET,
GATEWAY, HTTPD, IGMP, IP, MISC, NOSE, NP, RAND, RESOLV, RIB, ROAM,
ROGUE, SM, SNMPD, SPAN, STORE, SYS, TAGMGR, TBRIDGE, TCPSSL, TELNET,
TFTP, TLS, TUNNEL, VLAN, X509, XML, MP, RAPDA, WEBVIEW, EAP, PORTCONFIG,
FP.
The following command displays the newest five trace log entries for the ROGUE facility:
MX# show log trace +5 facility ROGUE
ROGUE Oct 28 16:30:19.695141 ERROR ROGUE_AP_ALERT: Xmtr Mac
01:0b:0e:ff:00:3b Po
rt 7 Radio 1 Chan 36 RSSI 18 Tech DOT_11A SSID trapeze
ROGUE Oct 28
16:30:19.7046
37 ERROR ROGUE_AP_ALERT: Xmtr Mac 01:0b:0e:00:09:5f Port 7 Radio 1 Chan
36 RSSI
15 Tech DOT_11A SSID examplewlan
ROGUE Oct 28 16:30:19.711253 ERROR
ROGUE_AP_ALER
T: Xmtr Mac 01:0b:0e:00:06:b7 Port 7 Radio 1 Chan 36 RSSI 36 Tech
DOT_11A SSID wlan-7
ROGUE Oct 28 16:30:19.717954 ERROR ROGUE_AP_ALERT: Xmtr Mac
00:0b:0e:00:0
6:8f Port 7 Radio 1 Chan 36 RSSI 13 Tech DOT_11A SSID trapeze
ROGUE Oct
28 16:30:
19.727069 ERROR ROGUE_AP_ALERT: Xmtr Mac 01:0b:0e:da:da:dd Port 7 Radio
1 Chan 3
6 RSSI 22 Tech DOT_11A SSID trapeze
See Also
634
Boot Prompt Commands

Boot prompt commands enable you to perform basic tasks, including booting a system image file, from the
boot prompt (boot>). A CLI session enters the boot prompt if MSS does not boot successfully or you
intentionally interrupt the boot process. To interrupt the boot process, press q followed by Enter (return).
Warning: Generally, boot prompt commands are used only for troubleshooting. Juniper Networks
recommends that you use these commands only when working with Juniper to diagnose a system issue. In
particular, commands that change boot parameters can interfere with an MX ability to boot successfully.
This chapter presents boot prompt commands alphabetically. Use the following table to locate commands
Command Information
ls on page 643
help on page 643
Booting
boot on page 636

reset on page 645
autoboot on page 635
dhcp on page 640
File Management
dir on page 641

fver on page 642
version on page 648
Boot Profile
show on page 646
Management
create on page 639

next on page 644
change on page 638
delete on page 640
Diagnostics
diag on page 641

test on page 647
autoboot
Usage Displays or changes the state of the autoboot option. The autoboot option controls whether
an MX automatically boots a system image after initializing the hardware, following a system reset
or power cycle.
635
Syntax autoboot [ON | on | OFF | off]

ON
Enables the autoboot option.
on
Same effect as ON.
OFF
Disables the autoboot option.
off
Same effect as OFF.
Defaults The autoboot option is enabled by default.

Access Boot prompt.
Examples The following command displays the current setting of the autoboot option:
boot> autoboot
The autoboot flag is on.
See Also boot on page 636
boot
Usage Loads and executes a system image file.
Syntax boot [BT=type] [DEV=device] [FN=filename] [HA=ip-addr] [FL=num]
[OPT=option] [OPT+=option]
BT=type
Boot type:
cCompact flash. Boots using nonvolatile storage or a flash card.
nNetwork. Boots using a TFTP server.
DEV=device
Location of the system image file:

c:Nonvolatile storage area containing boot partition 0
d:Nonvolatile storage area containing boot partition 1
e:Primary partition of the flash card in the flash card slot
f:Secondary partition of the flash card in the flash card slot
boot0boot partition 0
When the boot type is n (network), the device can be one of the following:
emac1Port 1 on an WLCR-2
mgmt or tsec0The 10/100 port labelled Mgmt on an WLC-200 or
WLC-216
636
FN=filename
System image filename.
HA=ip-addr
Host address (IP address) of a TFTP server. This parameter applies only
when the boot type is n (network).
FL=num
Number representing the bit settings of boot flags to pass to the booted
system image. Use this parameter only if advised to do so by Juniper
Networks.
OPT=option
String up to 128 bytes of boot options to pass to the booted system image
instead of the boot option(s) in the currently active boot profile. The options
temporarily replace the options in the boot profile. Use this parameter only if
advised to do so by Juniper Networks.
OPT+=option
String up to 128 bytes of boot options to pass to the booted system image in
addition to the boot option(s) in the currently active boot profile. The options
are appended to the options already in the boot profile. Use this parameter
only if advised to do so by Juniper Networks.
Defaults The boot settings in the currently active boot profile are used by default.
Access Boot prompt.
Usage If you use an optional parameter, the parameter setting overrides the setting of the same
parameter in the currently active boot profile. However, the boot profile itself is not changed. To
display the currently active boot profile, use the show command. To change the currently active
boot profile, use the change command.
Examples The following command loads system image file WLC010101.020 from boot partition 1:
boot> boot FN=WLC010101.020 DEV=boot1
Compact Flash load from boot1:testcfg matches WLC010101.020.
unzip: Inflating ramdisk_1.1.1.. OK
unzip file len 36085486 OK
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003
The NetBSD Foundation, Inc.
All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993

The Regents of the University of California.
All rights reserved.
Power Cycle Reboot

Detecting hardware...done.
readclock: 2003-10-8 2:9:50.67 UTC=>1065578990.670000 (1064992894)
init: Creating mfs /dev
erase ^H, werase ^W, kill ^U, intr ^C, status ^T
Doing Juniper mounts and links
Starting nos_mon...
nos_mon:ps: not found
SYSLOGD Oct 08 02:10:05.477814 CRITICAL SYSTEM_READY: The system has
finished booting.
Copyright (c) 2002, 2003
637

Username:
Password:
See Also
change on page 638
show on page 646
change
Usage Changes parameters in the currently active boot profile. (For information about boot
profiles, see show on page 646.)
Syntax change
Defaults The default boot type is c (compact flash). The default filename is default. The default
flags setting is 0x00000000 (all flags disabled) and the default options list is run=nos;boot=0. The
default device setting is the boot partition specified by the most recent set boot partition
command typed at the Enabled level of the CLI, or boot 0 if the command has never been typed.
After you type the change command, the system interactively displays the current setting of each
parameter and prompts you for the new setting. When prompted, type the new setting, press Enter
to accept the current setting, or type . (period) to change the setting to the default value. To back
up to the previous parameter, type - (hyphen).
For information about each of the boot parameters you can set, see show on page 646.
Access Boot prompt.
Examples The following command enters the configuration mode for the currently active boot
profile, changes the device to boot1, and leaves the other parameters with their current settings:
boot> change
Changing the default configuration is not recommended.
Are you sure that you want to proceed? (y/n)y
BOOT TYPE:
[c]
DEVICE:
[boot0:]boot1
FILENAME:
[default]
FLAGS:
[0x00000000]
OPTIONS:
[run=nos;boot=0]
The following command enters the configuration mode for the currently active boot profile and
configures the WLC (in this example, an WLCR-2) to boot using a TFTP server:
boot> change
Changing the default configuration is not recommended.
Are you sure that you want to proceed? (y/n)y
638
BOOT TYPE:
[c]> n
DEVICE:
[boot0:]> emac1
FILENAME:
[default]> bootfile
HOST IP:
[0.0.0.0]> 172.16.0.1
LOCAL IP:
[0.0.0.0]> 172.16.0.21
GATEWAY IP:
[0.0.0.0]> 172.16.0.20
IP MASK:
[0.0.0.0]> 255.255.255.0
FLAGS:
[0x00000000]>
OPTIONS:
[run=nos;boot=0]>
See Also
boot on page 636
create on page 639
delete on page 640
dhcp on page 640
next on page 644
show on page 646
create
Usage Creates a new boot profile. (For information about boot profiles, see show on page 646.)
An MX can have up to four boot profiles. The boot profiles are stored in slots, numbered
0 through 3. When you create a new profile, the system uses the next available slot for the profile.
If all four slots already contain profiles and you try to create a fifth profile, the WLC displays a
message advising you to change one of the existing profiles instead.
To make a new boot profile the currently active boot profile, use the next command. To change
boot parameter settings, use the change command.
Syntax create
Defaults The new boot profile has the same settings as the currently active boot profile by default.
Access Boot prompt.
Examples The following command creates a new boot profile in slot 1 on an MX that currently has
only one boot profile, in slot 0:
boot> create
BOOT Index:
BOOT TYPE:
DEVICE:
boot1:
FILENAME:
default
FLAGS:
00000000
OPTIONS:
run=nos;boot=0
639
See Also
change on page 638
delete on page 640
next on page 644
show on page 646
delete
Usage Removes the currently active boot profile. (For information about boot profiles, see show
on page 646.)
When you type the delete command, the next-lower numbered boot profile becomes the active
profile. For example, if the currently active profile is number 3, profile number 2 becomes active
after you type delete to delete profile 3. You cannot delete boot profile 0.
Examples
Syntax delete
Defaults None.
Access Boot prompt.
Examples To remove the currently active boot profile, type the following command:
boot> delete
BOOT Index:
BOOT TYPE:
DEVICE:
boot1:
FILENAME:
default
FLAGS:
00000000
OPTIONS:
run=nos;boot=0
See Also
change on page 638
create on page 639
next on page 644
show on page 646
dhcp
Usage Displays or changes the state of the DHCP option. The DHCP option controls whether an
MX uses DCHP to obtain its IP address when it is booted using a TFTP server.
640
Syntax dhcp [ON | on | OFF | off]

ON
Enables the DHCP option.
on
Same effect as ON.
OFF
Disables the DHCP option.
off
Same effect as OFF.
Defaults The DHCP option is disabled by default.

Access Boot prompt.
Examples The following command displays the current setting of the DHCP option:
boot> dhcp
DHCP is currently enabled.
The following command disables the DHCP option:
boot> dhcp
DHCP is currently disabled.
diag
Usage Accesses the diagnostic mode.
Syntax diag
Defaults The diagnostic mode is disabled by default.
Access Boot prompt.
Usage Access to the diagnostic mode requires a password, which is not user configurable. Use
this mode only if advised to do so by Juniper Networks.
dir
Usage Displays the boot code and system image files on an MX switch.
Syntax dir [c: | d: | e: | f: | boot0 | boot1]
c:
Nonvolatile storage area containing boot partition 0 (primary).
d:
Nonvolatile storage area containing boot partition 1 (secondary).
e:
Primary partition of the flash card in the flash card slot.
f:
Secondary partition of the flash card in the flash card slot.
boot0
Boot partition 0.
boot1
Boot partition 1.
Defaults None.
641
Access Boot prompt.

Usage To display the system image software versions, use the fver command. This command
does not list the boot code versions. To display the boot code versions, use the version command.
Examples The following command displays all the boot code and system image files on an MX
switch:
boot> dir
Internal Compact Flash Directory (Primary):
WLC010101.020
5523634 bytes
BLOAD
696176 bytes
BSTRAP
38056 bytes
Internal Compact Flash Directory (Secondary):

WLC010101.020
5524593 bytes
See Also
fver on page 642
version on page 648
fver
Usage Displays the version of a system image file installed in a specific location on an MX.
Syntax fver {c: | d: | e: | f: | boot0: | boot1:} [filename]
e:
Primary partition of the flash card in the flash card slot.
f:
Secondary partition of the flash card in the flash card slot.
boot0
Boot partition 0.
boot1
Boot partition 1.
Defaults None.
Access Boot prompt.
Usage To display the image filenames, use the dir command. This command does not list the
boot code versions. To display the boot code versions, use the version command.
Examples The following command displays the system image version installed in boot partition 1:
boot> fver boot1
File boot1:default version is 1.1.0.98.
See Also
dir on page 641
version on page 648
642
help
Usage Displays a list of all the boot prompt commands or detailed information for an individual
command.
If you specify a command name, detailed information is displayed for that command. If you do not
specify a command name, all the boot prompt commands are listed.
Examples
Syntax help [command-name]
Boot prompt command.
command-name
Defaults None.
Access Boot prompt.

Examples The following command displays detailed information for the fver command:
boot> help fver
fver
Display the version of the specified device:filename.
USAGE: fver
[c:file|d:file|e:file|f:file|boot0:file|boot1:file|boot2:file|boo
t3:file]
Command to display the version of the compressed image file
associated with the given device:filename.
See Also ls on page 643
ls
Usage Displays a list of the boot prompt commands.
To display help for an individual command, type help followed by the command name (for
example, help boot).
Syntax ls
Defaults None.
Access Boot prompt.
Examples To display a list of the commands available at the boot prompt, type the following
command:
boot> ls
ls
help
autoboot
option.
Display a list of all commands and descriptions.

Display help information for each command.
Display the state of, enable, or disable the autoboot
boot
Load and execute an image using the current boot
configuration profile.
643
change
Change the current boot configuration profile.
create
Create a new boot configuration profile.
delete
Delete the current boot configuration profile.
next
Select the next boot configuration profile.
show
Display the current boot configuration profile.
dir
Display the contents of the specified boot partition.
fver
Display the version of the loadable image specified by
device:filename.
version
information.
reset
Display HW and Bootstrap/Bootloader version

Reset the system.
test
Display the state of, enable, or disable the tests
diag
Access the diagnostic command CLI.
option.
See Also help on page 643
next
Usage Activates and displays the boot profile in the next boot profile slot. (For information about
boot profiles, see show on page 646.)
An MX contains 4 boot profile slots, numbered 0 through 3. This command activates the boot
profile in the next slot, in ascending numerical order. If the currently active slot is 3, the command
activates the boot profile in slot 0.
Syntax next
Defaults None.
Access Boot prompt.
Examples To activate the boot profile in the next slot and display the profile, type the following
command:
boot> next
644
BOOT Index:
BOOT TYPE:
DEVICE:
boot1:
FILENAME:
testcfg
FLAGS:
00000000
OPTIONS:
run=nos;boot=0
See Also
change on page 638
create on page 639
delete on page 640
show on page 646
reset
Usage Resets an MX hardware.
After resetting the hardware, the reset command attempts to load a system image file only if other
boot settings are configured to do so.
Syntax reset
Defaults None.
Access Boot prompt.
Examples To immediately reset the system, type the following command at the boot prompt:
boot> reset
Juniper Networks WLC Bootstrap 1.17 Release
Testing Low Memory 1 ............
Testing Low Memory 2 ............
CISTPL_VERS_1:
4.1
<SanDisk> <SDP> <5/3 0.6>
Reset Cause (0x02) is COLD

Juniper Networks WLC Bootstrap/Bootloader
Version
1.6.5
Release
Bootstrap 0 version:
1.17
Active
Bootloader 0 version:
1.6.5
Active
1.17
1.6.3
WLC Board Revision:
3.
WLC Controller Revision:
24.
POE Board Revision:
POE Controller Revision:
BOOT Index:
BOOT TYPE:
DEVICE:
boot1:
FILENAME:
default
FLAGS:
00000000
OPTIONS:
run=nos;boot=0
645
show
Usage Displays the currently active boot profile. A boot profile is a set of parameters that an MX
uses to control the boot process. Each boot profile contains the following parameters:
Boot typeEither compact flash (local device on the MX) or network (TFTP)
Boot deviceLocation of the system image file
FilenameSystem image file
FlagsNumber representing the bit settings of boot flags to pass to the booted system image.
OptionsString up to 128 bytes of boot options to pass to the booted system image
An MX can have up to four boot profiles, numbered 0 through 3. Only one boot profile can be
active at a time. You can create, change, and delete boot profiles. You also can activate another
boot profile in place of the currently active one.
Syntax show
Defaults None.
Access Boot prompt.
Examples To display the currently active boot profile, type the following command at the boot
prompt:
boot> show
BOOT Index:
BOOT TYPE:
DEVICE:
boot1:
FILENAME:
default
FLAGS:
00000000
OPTIONS:
run=nos;boot=0
The following is an example of a boot profile from an WLCR-2 that is booted with a software image
downloaded from a TFTP server. In the example, when the WLCR-2 boots, it downloads a system
image file called bootfile located on a TFTP server with address 172.16.0.1.
boot> show
646
BOOT Index:
BOOT TYPE:
DEVICE:
emac1
FILENAME:
bootfile
HOST IP:
172.16.0.1
LOCAL IP:
172.16.0.21
GATEWAY IP:
172.16.0.20
IP MASK:
255.255.255.0
FLAGS:
00000000
OPTIONS:
run=nos

Table 102.Output for show
Field
Description
BOOT Index
Boot profile slot, which can be a number from 0 to 3.
BOOT TYPE
Boot type:
cCompact flash. Boots using nonvolatile storage or a flash card.
nNetwork. Boots using a TFTP server.
DEVICE
Location of the system image file:

c:Nonvolatile storage area containing boot partition 0
d:Nonvolatile storage area containing boot partition 1
e:Primary partition of the flash card in the flash card slot
f:Secondary partition of the flash card in the flash card slot
When the boot type is Network, the device can be one of the following:
mgmt or tsec0The 10/100 port labelled Mgmt on an WLC-200 or WLC-216
HOST IP
For network booting, the IP address of the host with the system image.
LOCAL IP
For network booting, the IP address of the WLC. If the DHCP option is enabled, this
does not need to be specified.
GATEWAY IP
For network booting, the default router (gateway) used by the WLC. If the DHCP option
IP MASK
For network booting, the subnet mask. If the DHCP option is enabled, this does not
is enabled, this does not need to be specified.

need to be specified.
FILENAME
System image file name.
FLAGS
Number representing the bit settings of boot flags to pass to the booted system image.
OPTIONS
String up to 128 bytes of boot options to pass to the booted system image.
See Also
change on page 638
create on page 639
delete on page 640
dhcp on page 640
next on page 644
test
Usage Displays or changes the state of the poweron test flag. The poweron test flag controls
whether an MX performs a set of self tests prior to the boot process.
647
Syntax test [ON | on | OFF | off]

ON
Enables the poweron test flag.
on
Same effect as ON.
OFF
Disables the poweron test flag.
off
Same effect as OFF.
Defaults The poweron test flag is disabled by default.

Access Boot prompt.
Examples The following command displays the current setting of the poweron test flag:
boot> test
The diagnostic execution flag is not set.
version
Usage Displays version information for the MX hardware and boot code.
Syntax version
Defaults None.
Access Boot prompt.
Usage This command does not list the system image file versions installed in the boot partitions.
To display system image file versions, use the dir or fver command.
648
Examples To display hardware and boot code version information, type the following command at
the boot prompt:
boot> version
Juniper Networks WLC Bootstrap/Bootloader
Version
1.6.5
Release
1.17
Active
1.6.5
Active
1.17
1.6.3
WLC Board Revision:
3.
WLC Controller Revision:
24.
POE Board Revision:
POE Controller Revision:
See Also
dir on page 641
fver on page 642
649
650

Juniper WLC 100

Uploaded by

Copyright:

Available Formats

Juniper WLC 100

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Juniper WLC 100

Uploaded by

Copyright:

Available Formats

Mobility System Software

7.5 Command Reference Guide

7.5 Command Reference Guide

Juniper Networks, Inc.

2011 Juniper Networks, Inc. All rights reserved.

Copyright 2011, Juniper Networks, Inc.

Copyright 2011, Juniper Networks, Inc. All rights reserved.

Copyright 2011, Juniper Networks, Inc.

7.5 Command Reference Guide

Copyright 2011, Juniper Networks, Inc.

Introducing the Juniper Networks Mobility System

Introducing the Juniper Networks Mobility System

Juniper Networks Mobility System

Copyright 2011, Juniper Networks, Inc.

Juniper Networks Mobility System

RingMaster Configuration Guide Instructions for planning, configuring, deploying, and

Documentation Symbols Key

Informational Note: Indicates important features or instructions.

Warning: Alerts you to the risk of personal injury or death.

Documentation Symbols Key

Copyright 2011, Juniper Networks, Inc.

Introducing the Juniper Networks Mobility System

Text and Syntax Conventions

Text and Syntax Conventions

Bold text like this

Represents text that you type.

Represents text that you type.

Represents output that appears on the

user@host> show chassis alarms

No alarms currently active

Italic text like this

Introduces important new terms.

A policy term is a named structure that defines

Identifies book names.

match conditions and actions.

Junos OS System Basics

Identifies RFC and Internet draft

RFC 1997, BGP

Represents variables (options for which you substitute

Configure the machines domain name:

a value) in commands or configuration statements.

Plain text like this

To configure a stub area,

Represents names of configuration statements,

The console port is

Enclose optional keywords or variables.

stub <default-metric metric>;

Indicates a choice between the mutually exclusive

keywords or variables on either side of the symbol. The

(string1 | string2 | string3)

set of choices is often enclosed in parentheses for

Indicates a comment specified on the same line as the

rsvp { # Required for dynamic MPLS only

configuration statement to which it applies

Identify a level in the configuration hierarchy.

Identifies a leaf statement at a configuration hierarchy

Copyright 2011, Juniper Networks, Inc.

Text and Syntax Conventions

Requesting Technical Support

Copyright 2011, Juniper Networks, Inc.